Hey all, i accidentally formatted the partitions on the tf700. it was unlocked/rooted and i have TWRP installed.
i do not have access to fastboot. i can use adb and adb shell.
i have tried the options 1a & 1b for the prime tf201 unbrick with no luck.
in the terminal if i write the command "df" it shows that the only partition i have is TMPFS, and it is 499732 1K blocks - mounted on /dev
since the card is showing up as TMPFS it is basically a ramdisk and it will be erased on a reboot, so no matter what changes i make, or rom i install it will always be erased.
if i try to mount the /data /system /cache partitions they all return E:Unable to mount '/system' (tw_mount)
( '/system' changes with '/data' and '/cache')
if i go to /dev/block the only things i see are loop0 - loop7 and mmcblk0p3
im thinking that all i need to do is somehow format the internal memory to reinstall a rom and i should be good to go, but i dont know what the partitions need to be, but i could also be way off.
im hoping someone has some insight. i would hate to have a brick
pbcustom98 said:
Hey all, i accidentally formatted the partitions on the tf700. it was unlocked/rooted and i have TWRP installed.
How did you do that?
pbcustom98 said:
if i go to /dev/block the only things i see are loop0 - loop7 and mmcblk0p3
Looks like your GPT got damaged - this may not be easy to repair (AFAIK the original GPT is nowhere in the Asus firmware download), but as long as you can boot TWRP and use adb, there is hope.
First of all, what does "cat /proc/partitions" say? For comparison, here is my output:
Code:
# cat /proc/partitions
major minor #blocks name
179 0 62087168 mmcblk0
179 1 786432 mmcblk0p1
179 2 438272 mmcblk0p2
179 3 2048 mmcblk0p3
179 4 835584 mmcblk0p4
179 5 5120 mmcblk0p5
179 6 512 mmcblk0p6
179 7 5120 mmcblk0p7
179 8 59976192 mmcblk0p8
179 32 4096 mmcblk0boot1
179 16 4096 mmcblk0boot0
179 48 31166976 mmcblk1
179 49 31162880 mmcblk1p1
_that said:
How did you do that?
Looks like your GPT got damaged - this may not be easy to repair (AFAIK the original GPT is nowhere in the Asus firmware download), but as long as you can boot TWRP and use adb, there is hope.
First of all, what does "cat /proc/partitions" say? For comparison, here is my output:
Code:
# cat /proc/partitions
major minor #blocks name
179 0 62087168 mmcblk0
179 1 786432 mmcblk0p1
179 2 438272 mmcblk0p2
179 3 2048 mmcblk0p3
179 4 835584 mmcblk0p4
179 5 5120 mmcblk0p5
179 6 512 mmcblk0p6
179 7 5120 mmcblk0p7
179 8 59976192 mmcblk0p8
179 32 4096 mmcblk0boot1
179 16 4096 mmcblk0boot0
179 48 31166976 mmcblk1
179 49 31162880 mmcblk1p1
out of stupidity
cat /proc/partitions shows the following:
# cat /proc/partitions
major minor #blocks name
under it though, there is nothing there
pbcustom98 said:
out of stupidity
If you can describe what you did, maybe it is easier to find out what exactly happened.
I assume you don't have an nvflash backup, right?
pbcustom98 said:
under it though, there is nothing there
OK. What is the output if you run:
Code:
dmesg|grep mmcblk0
?
_that said:
If you can describe what you did, maybe it is easier to find out what exactly happened.
I assume you don't have an nvflash backup, right?
OK. What is the output if you run:
Code:
dmesg|grep mmcblk0
?
I was unlocking the tablet, installing TWRP and then wiping the data, i misread the options and went too far by doing the format data option.
no backup. i do not have access to fastboot/APX now, and i did not create one before.
C:\Users\Daniel>adb shell
~ # ←[6ndmesg|grep mmcblk0
dmesg|grep mmcblk0
~ # ←[6n^C
C:\Users\Daniel>
also, the only way i have seen to get the other mmcblk0 partitions to show up (0p3, 0p4 etc) is to run the commands for the tf201 unbrick (option 1a/b)
dd if=/dev/zero of=/dev/block/mmcblk0p4 bs=100 count=1
dd if=/dev/zero of=/dev/block/mmcblk0p3 bs=16 count=1
i was thinking that all i needed to do was to somehow format the data so the tablet can write to the partition instead of it just acting as a ramdisk. i even tried running fdisk -H 1 /dev/block/mmcblk0 and tried to format the data but i'm not familiar with the partition table of this tablet to redo it.
i have also tried doing those commands above and then running a live usb gparted disk to see if it shows up, but it hasnt worked yet
pbcustom98 said:
C:\Users\Daniel>adb shell
~ # ←[6ndmesg|grep mmcblk0
dmesg|grep mmcblk0
~ # ←[6n^C
C:\Users\Daniel>
Strange, it should at least output the line about detecting the card. Please reboot your tablet into recovery (to restart the kernel log), then do from your computer
Code:
adb shell dmesg > dmesg.txt
and put the resulting file on pastebin or attach it here.
pbcustom98 said:
I was unlocking the tablet, installing TWRP and then wiping the data, i misread the options and went too far by doing the format data option.
no backup. i do not have access to fastboot/APX now, and i did not create one before.
C:\Users\Daniel>adb shell
~ # ←[6ndmesg|grep mmcblk0
dmesg|grep mmcblk0
~ # ←[6n^C
C:\Users\Daniel>
also, the only way i have seen to get the other mmcblk0 partitions to show up (0p3, 0p4 etc) is to run the commands for the tf201 unbrick (option 1a/b)
dd if=/dev/zero of=/dev/block/mmcblk0p4 bs=100 count=1
dd if=/dev/zero of=/dev/block/mmcblk0p3 bs=16 count=1
i was thinking that all i needed to do was to somehow format the data so the tablet can write to the partition instead of it just acting as a ramdisk. i even tried running fdisk -H 1 /dev/block/mmcblk0 and tried to format the data but i'm not familiar with the partition table of this tablet to redo it.
i have also tried doing those commands above and then running a live usb gparted disk to see if it shows up, but it hasnt worked yet
That's odd, format data will not and shouldn't do that. I did this all the time. Do you have the latest TWRP and were you on JB? If you do, go back to the "WIPE" option and do the wipe format again. This should reformat with ext4. After that do factory reset, wipe system, internal storage then try to reflash Cleanrom. TWRP may somehow have corrupted your partition, but not what you did.
_that said:
Strange, it should at least output the line about detecting the card. Please reboot your tablet into recovery (to restart the kernel log), then do from your computer
Code:
adb shell dmesg > dmesg.txt
and put the resulting file on pastebin or attach it here.
i cannot post outside links until about 10 posts.
Here is the pastebin attached: dmesg.txt
pbcustom98 said:
also, the only way i have seen to get the other mmcblk0 partitions to show up (0p3, 0p4 etc) is to run the commands for the tf201 unbrick (option 1a/b)
dd if=/dev/zero of=/dev/block/mmcblk0p4 bs=100 count=1
dd if=/dev/zero of=/dev/block/mmcblk0p3 bs=16 count=1
If the partitions are not already there, then these commands simply create files that are named like the block devices that are missing. Not what you want at all, but harmless.
pbcustom98 said:
i was thinking that all i needed to do was to somehow format the data so the tablet can write to the partition instead of it just acting as a ramdisk. i even tried running fdisk -H 1 /dev/block/mmcblk0 and tried to format the data but i'm not familiar with the partition table of this tablet to redo it.
Do not try to use fdisk, it does not support GPT.
pbcustom98 said:
i have also tried doing those commands above and then running a live usb gparted disk to see if it shows up, but it hasnt worked yet
How would you run a live disk on the tablet?
---------- Post added at 05:53 PM ---------- Previous post was at 05:46 PM ----------
pbcustom98 said:
i cannot post outside links until about 10 posts.
Here is the pastebin attachedView attachment 1456337
The important part is here:
Code:
<6>[ 9.067211] [mmc]:mmc_read_ext_csd:259 ext_csd.sectors 0x766c000 prod_name HYNIX BOOT_SIZE_MULTI 0x20
<4>[ 9.109988] mmc0: switch to bus width 1 ddr 0 failed
<3>[ 9.116163] mmc0: error -110 whilst initialising MMC card
The recovery kernel cannot initialize the MMC card. So there is no point in trying to run partitioning tools at this time, first you need to gain access to the eMMC. It cannot be completely broken, otherwise it could not boot the recovery.
Next step: find out what error -110 is and how to fix it.
btw, this thread seems to describe the same situation (read the post from MysticMgcn): http://forum.xda-developers.com/showthread.php?t=1917304
_that said:
If the partitions are not already there, then these commands simply create files that are named like the block devices that are missing. Not what you want at all, but harmless.
Do not try to use fdisk, it does not support GPT.
How would you run a live disk on the tablet?
i ran gparted live usb on my laptop and tried connecting the tablet via usb after i had the partitions created.
pbcustom98 said:
i ran gparted live usb on my laptop and tried connecting the tablet via usb after i had the partitions created.
I still don't understand - where did you create those partitions? On your laptop?
Anyway, your TF700 is bricked until someone finds out how to make the TWRP kernel initialize the eMMC correctly in your situation. Without that, your internal storage is inaccessible, so any fix attempt at that level will fail.
Unfortunately there is still very little public information how the bootloader interacts with the kernels, so I cannot help you further. You may try asking in the thread I linked in my last post if anyone was able to recover from this.
_that said:
I still don't understand - where did you create those partitions? On your laptop?
Anyway, your TF700 is bricked until someone finds out how to make the TWRP kernel initialize the eMMC correctly in your situation. Without that, your internal storage is inaccessible, so any fix attempt at that level will fail.
Unfortunately there is still very little public information how the bootloader interacts with the kernels, so I cannot help you further. You may try asking in the thread I linked in my last post if anyone was able to recover from this.
i ran these two commands via adb shell:
dd if=/dev/zero of=/dev/block/mmcblk0p4 bs=100 count=1
dd if=/dev/zero of=/dev/block/mmcblk0p3 bs=16 count=1
then once i saw them in /dev/block, i rebooted my laptop into gparted hoping that they would show up as a partition i can make changes to, but they didnt.
i will ask in the thread you linked, and thanks for all your help.
Related
Which partition is the dock sdcard?(for example, internal is mmcblk0p7), i searched all threads about partitions, but didnt find it.
When its plugged in use the ls command as super user. I've fixed many partition issues with this.
ls /dev/block/
Sent from my Transformer TF101 using xda premium
kenshin1388 said:
When its plugged in use the ls command as super user. I've fixed many partition issues with this.
ls /dev/block/
Sent from my Transformer TF101 using xda premium
I mean, which /dev/block/mmcblk0p? is it? (number instead of the ? )
Not sure as I don't have a dock myself. This is the printout of my block list. Might help you track it down. If it doesn't appear try starting the tablet with it already inserted.
loop0
loop1
loop2
loop3
loop4
loop5
loop6
loop7
mmcblk0
mmcblk0p1
mmcblk0p2
mmcblk0p3
mmcblk0p4
mmcblk0p5
mmcblk0p6
mmcblk0p7
mmcblk1
mmcblk1p1
platform
vold
Sent from my Transformer TF101 using xda premium
mmcblk0 = internal SD
mmcblk1 = microsd
You'd think mmcblk2 would be the dock SD... but no. I have no idea why it's this way, but it's something in /dev/block/vold/
I use adb it's easier to work with, so... make sure the card is inserted and accessible in the device and do this (possibly as root):
mount |grep sdcard2
You'll get something like this:
[email protected]:/ # mount |grep sdcard2
/dev/block/vold/8:1 /storage/sdcard2 vfat rw,dirsync,nosuid,nodev,noexec,relatime,uid=1000,gid=1015,fmask=0702,dmask=0702,allow_utime=0020,codepage=cp437,iocharset=iso8859-1,shortname=mixed,utf8,errors=remount-ro 0 0
Dock SD card would be /dev/block/vold/8:1 and you can confirm this by removing the card and running the command again, you should get no results.
Note that this may change from rom to rom... I have no clue how they individually handle mounts but I know it's different from stock to 4.2.1. This is on TeamEOS's 4.2.1 rom.
SL 101 with cwm. on ICS.
I have tried over and over and many different ways to figure this out.... here is what's happening.
"power on" is stuck in splash screen and WILL NOT recognize on my PC as a device or in ADB
"power + vol down" grants me recovery mode which WILL recognize.
SD card will not mount to device. (i purchased brand new)
Cannot seem to push any files to internal storage... this is what my CMD looks like.
---------------------------------------
adb devices =
list of devices attached
0123456789abcdef recovery
C:\Users\me\Desktop\Android>adb push C:\Users\me\Desktop\US_epad-user-9.2.1.27.1.zip /sdcard/Download/
---------------------------------------
When I hit enter it does nothing but go to the space below and won't let me type anything.
I have tried PERI which didn't work because when it starts rebooting my device it just boots to the splash screen where it won't recognize on my PC
PLEASE any help I'm ripping my hair out here!
I have got the same problem, which is mentioned here: http://forum.xda-developers.com/showthread.php?t=2244728
Now I am trying to discover which of the mounting points are internal sdcard and data, so I would be able to format them and I hope that this will fix my problem.
You are also unlucky because Slider and TF101G versions of the tablet don't support NVflash: http://forum.xda-developers.com/showthread.php?t=1688447
They support but ASUS hasn't provided developers with the keys: http://androidroot.mobi/technical/tf-secure-boot-key/
Sincerely,
Žiga
ZigaG said:
I have got the same problem, which is mentioned here: http://forum.xda-developers.com/showthread.php?t=2244728
Now I am trying to discover which of the mounting points are internal sdcard and data, so I would be able to format them and I hope that this will fix my problem.
But since you have got the TF101 version (not G or slider) of the tablet, you can try to use NVflash: http://forum.xda-developers.com/showthread.php?t=1688447
Sincerely,
Žiga
I do have the slider and would prefer to find help pertaining to that but it seems there are way more guides on the TF101 not SL101
It specifically says you cannot use the NVflash for sl101....
Sorry, I misread it. I fixed my post.
ZigaG said:
I have got the same problem, which is mentioned here: http://forum.xda-developers.com/showthread.php?t=2244728
Now I am trying to discover which of the mounting points are internal sdcard and data, so I would be able to format them and I hope that this will fix my problem.
You are also unlucky because Slider and TF101G versions of the tablet don't support NVflash: http://forum.xda-developers.com/showthread.php?t=1688447
They support but ASUS hasn't provided developers with the keys: http://androidroot.mobi/technical/tf-secure-boot-key/
Sincerely,
Žiga
So does that mean I'm stuck until something comes out? Or is there an alternative route.
chchas said:
So does that mean I'm stuck until something comes out? Or is there an alternative route.
You can check the file /proc/mtd and /proc/mounts and upload it here, so I can see if we are dealing with the same problem. You can try to mount external sdcard.
While in ADB use:
Code:
adb pull /proc/mtd backup/
adb pull /proc/mounts backup/
This will copy these 2 files to folder backup.
Žiga
ZigaG said:
You can check the file /proc/mtd and /proc/mounts and upload it here, so I can see if we are dealing with the same problem. You can try to mount external sdcard.
While in ADB use:
Code:
adb pull /proc/mtd backup/
adb pull /proc/mounts backup/
This will copy these 2 files to folder backup.
Žiga
remote object '/proc/mtd' does not exist
remote object '/proc/mounts' not a file or directory
chchas said:
remote object '/proc/mtd' does not exist
remote object '/proc/mounts' not a file or directory
Strange!? What is outputted if you write:
Code:
adb shell ls
ZigaG said:
Strange!? What is outputted if you write:
Code:
adb shell ls
cache ---- init.rc ---- sys
data ---- proc ---- system
default.prop ---- res ---- tmp
dev ---- root --- ueventd.goldfish.rc
etc --- sbin --- ueventd.rc
fstab.ventana --- sdcard--- ueventd.ventana.rc
init --- staging---
chchas said:
cache ---- init.rc ---- sys
data ---- proc ---- system
default.prop ---- res ---- tmp
dev ---- root --- ueventd.goldfish.rc
etc --- sbin --- ueventd.rc
fstab.ventana --- sdcard--- ueventd.ventana.rc
init --- staging---
OK, do you have busybox installed?
Can you post files: (-> adb pull... or you can insert external SDCARD and copy the files on it)
- /etc/fstab? -> here is written which partition is mounted as sdcard, system, data...
- /proc/partitions -> here are listed all the partitions that you have on the tablet.
Sincerely,
Žiga
ZigaG said:
OK, do you have busybox installed?
Can you post files: (-> adb pull... or you can insert external SDCARD and copy the files there)
- /etc/fstab? -> here is written which partition is mounted as sdcard, system, data...
- /proc/partitions -> here are listed all the partitions that you have on tablet
Sincerely,
Žiga
I do not have busy box. and cannot install any new apps on tablet as far as I know... unless downloading on my computer will send it to my tablet? still wouldn't be able to open anything.
I'm a little confused about
Can you post files: (-> adb pull... or you can insert external SDCARD and copy the files there)
-/etc/fstab -> here is written which partition is mounted as sdcard, system, data...
- /proc/partitions -> here are listed all the partitions that you have on tablet
should i write in cmd adb pull /etc/fstab/ ?
Sorry I feel like i need someone to hold my hand while i do this. I am so frustrated with the millions of different ways I've tried but it seems I have a very unique problem that doesn't have many helps vids/threads out there.
chchas said:
I do not have busy box. and cannot install any new apps on tablet as far as I know... unless downloading on my computer will send it to my tablet? still wouldn't be able to open anything.
I'm a little confused about
Can you post files: (-> adb pull... or you can insert external SDCARD and copy the files there)
-/etc/fstab -> here is written which partition is mounted as sdcard, system, data...
- /proc/partitions -> here are listed all the partitions that you have on tablet
should i write in cmd adb pull /etc/fstab/ ?
Sorry
You can try, but without / at the end of fstab since fstab is not directory but file.
Code:
PULL usage: adb pull "file on tablet" "copy to remote machine"
adb pull /etc/fstab backup/fstab
adb pull /proc/partitions backup/partitions
If this doesn't work, you can insert micro SD in tablet and use adb shell to write linux commands.
Sincerely,
Žiga
ZigaG said:
You can try, but without / at the end of fstab since fstab is not directory but file.
Code:
PULL usage: adb pull "file on tablet" "copy to remote machine"
adb pull /etc/fstab backup/fstab
adb pull /proc/partitions backup/partitions
If this doesn't work, you can insert micro SD in tablet and use adb shell to write linux commands.
Sincerely,
Žiga
fstab gave me
17 kb/s <108 bytes in 0.006s>
proc/partitions
60 kb/s <374 bytes in 0.006s>
not sure where i'll need to go to figure out which linux commands would need to be done...
chchas said:
fstab gave me
17 kb/s <108 bytes in 0.006s>
proc/partitions
60 kb/s <374 bytes in 0.006s>
not sure where i'll need to go to figure out which linux commands would need to be done...
OK, I see. This is only time needed for transfer.
Go to your folder, where you have got adb.exe (you can search with windows). There is created new folder backup, where you can find fstab and partitions. Upload the files or open them with notepad++ or regular notepad and paste the content of files here (it is the best to use #-tag in the editor of the post so the code is easier to read.)
Sincerely,
Žiga
ZigaG said:
OK, I see. This is only time needed for transfer.
Go to your folder, where you have got adb.exe (you can search with windows). There is created new folder backup, where you can find fstab and partitions. Upload the files or open them with notepad++ or regular notepad and paste the content of files here (it is the best to use #-tag in the editor of the post so the code is easier to read.)
Sincerely,
Žiga
fstab -
#-tag /dev/block/mmcblk0p2 /cache ext4 rw
/dev/block/mmcblk0p7 /data ext4 rw
/dev/block/mmcblk0p1 /system ext4 rw
partitions
#-tag major minor #blocks name
179 0 15097856 mmcblk0
179 1 524288 mmcblk0p1
179 2 542208 mmcblk0p2
179 3 2048 mmcblk0p3
179 4 542208 mmcblk0p4
179 5 5120 mmcblk0p5
179 6 512 mmcblk0p6
179 7 13457920 mmcblk0p7
179 8 15558144 mmcblk1
179 9 15554048 mmcblk1p1
chchas said:
fstab -
#-tag /dev/block/mmcblk0p2 /cache ext4 rw
/dev/block/mmcblk0p7 /data ext4 rw
/dev/block/mmcblk0p1 /system ext4 rw
partitions
#-tag major minor #blocks name
179 0 15097856 mmcblk0
179 1 524288 mmcblk0p1
179 2 542208 mmcblk0p2
179 3 2048 mmcblk0p3
179 4 542208 mmcblk0p4
179 5 5120 mmcblk0p5
179 6 512 mmcblk0p6
179 7 13457920 mmcblk0p7
179 8 15558144 mmcblk1
179 9 15554048 mmcblk1p1
OK thank you, I will analyse and compare the files with mine and from other TF's. But so far, I discovered, that TF's don't have special partition for data as on other Android devices and this probably causes problem.
For posting code, you can use [ CODE ] You write here code [ /CODE ] - write CODE in brackets without spaces. In post editor there is a sign # for indicating code.
You can try mounting /dev/block/mmcblk0p7 to a folder:
Code:
adb shell
mkdir NEW
mount /dev/block/mmcblk0p7 NEW
It probably won't work and this will indicate, that we are issuing the same problem.
Sincerely,
Žiga
ZigaG said:
OK thank you, I will analyse and compare the files with mine and from other TF's. But so far, I discovered, that TF's don't have special partition for data as on other Android devices and this probably causes problem.
For posting code, you can use [ CODE ] You write here code [ /CODE ] - write CODE in brackets without spaces. In post editor there is a sign # for indicating code.
You can try mounting /dev/block/mmcblk0p7 to a folder:
Code:
adb shell
mkdir NEW
mount /dev/block/mmcblk0p7 NEW
It probably won't work and this will indicate, that we are issuing the same problem.
Sincerely,
Žiga
Code:
adb shell mount/dev/block/mmcblk0p7
/sbin/sh: adb not found
chchas said:
Code:
adb shell mount/dev/block/mmcblk0p7
/sbin/sh: adb not found
Use commands as I wrote them:
This will connect to your tablet and access tablet's terminal commands
Code:
adb shell
You need to create new folder to which you will mount partition
Code:
mkdir /NEW
Now you only need to mount the partition
Code:
mount /dev/block/mmcblk0p7 /NEW
Did you have external sdcard attached, when you uploaded file partitions?
ZigaG said:
Use commands as I wrote them:
This will connect to your tablet and access tablet's terminal commands
Code:
adb shell
You need to create new folder to which you will mount partition
Code:
mkdir /NEW
Now you only need to mount the partition
Code:
mount /dev/block/mmcblk0p7 /NEW
Did you have external sdcard attached, when you uploaded file partitions?
I don't remember partitioning the SD card. I did not have an SD card when I rooted.
I followed the code lines and it only came back as ~ #
chchas try this http://forum.xda-developers.com/showthread.php?t=2244728.
If you have any questions feel free to ask.
Have a nice day,
Žiga
Hello!
I need enlightenment and help from all of you, I spent hours looking for information and solutions but I wasn't able to find a situation similar to mine, rather small pieces from different scenarios.
Here's my situation:
After installing lj50036's pre-nightly OmniROM and setting it up, I decided to reboot and "clean" it. My BIG mistake was that for some reason (probably sleep-deprivation effects) I thought that doing a format in TWRP was a good idea...yeah, messed up.
I will try my best to describe the current situation and the solutions that I tried...
Currently, I am able to access fastboot and ADB sideload, even able to flash the recovery. The problem lies with not being able to install a ROM properly. What I can't do is access TWRP after a reboot, I must first flash it via fastboot in order to be able to access it, then of course it will reset after a reboot. TWRP will just keep being stuck in a loop if I don't go to fastboot. Whenever I try to install a ROM, it will fail not long after due to errors like : "Unable to mount data, system, cache etc."
I tried the following:
-The 'Repair' option in the advanced menu.
-Formatting using the 'ADB shell..." commands (I'm trying to find the correct command, as soon as I arrive at my desktop, I'll update this post). What I did notice is that after entering that command, it would return strange characters. According to some posts, it could be some color formatting but I'm not sure.
-'sideloading' recoveries and ROMs.
INFO:
-Bootloader is 10.6.1.14.10
-Recovery is TWRP 2.8.6.0
From what I read, my guess is to correct the partition errors. Any tips on how to achieve this?
Could this be fixed by flashing a new bootloader or would it make it worse? I don't want to risk it further until I get some professional advice
Any assistance is greatly appreciated, Thank you all!
razgrizpr said:
Hello!
Here's my situation:
After installing lj50036's pre-nightly OmniROM and setting it up, I decided to reboot and "clean" it. My BIG mistake was that for some reason (probably sleep-deprivation effects) I thought that doing a format in TWRP was a good idea...yeah, messed up.
Why was doing a format a BIG mistake ???
Thx Josh
lj50036 said:
Why was doing a format a BIG mistake ???
Thx Josh
Doesn't formatting via TWRP erase all the data including the OS?
razgrizpr said:
Doesn't formatting via TWRP erase all the data including the OS?
Depends what partitions you formatted. The OS is in /system; your data is in /data.
_that said:
Depends what partitions you formatted. The OS is in /system; your data is in /data.
Makes sense. So I guess I erased them all? I honestly don't know since I left it formatting and returned a few hours later only to find it turned off. When I booted it, I experienced the mentioned issues. Battery was full as well. So maybe something went wrong during the formatting?
Is there a way to diagnose the partitions?
Did you try this?
http://forum.xda-developers.com/showpost.php?p=54521117&postcount=10
berndblb said:
Did you try this?
http://forum.xda-developers.com/showpost.php?p=54521117&postcount=10
Yes, I tried that. Upon entering 'make_ext4fs /dev/block/mmcblk0p8' I get the message 'Need size of file system'.
Found a similar thread where the issue was not being able to mount /data. It appears that for some people 'this' helped them although I'm not sure if I should try it. Others have mentioned 'downgrading' the bootloader and then go through all the process again with success.
razgrizpr said:
Yes, I tried that. Upon entering 'make_ext4fs /dev/block/mmcblk0p8' I get the message 'Need size of file system'.
Found a similar thread where the issue was not being able to mount /data. It appears that for some people 'this' helped them although I'm not sure if I should try it. Others have mentioned 'downgrading' the bootloader and then go through all the process again with success.
From recovery run this and post the output ....
Code:
adb pull /proc/partitions
You will get a file called 'partitions' in the current directory.....
Thx Josh
lj50036 said:
From recovery run this and post the output ....
Code:
adb pull /proc/partitions
You will get a file called 'partitions' in the current directory.....
Thx Josh
Thank you lj50036, I'm at work at the moment so I will try that as soon I get home and report back.
lj50036 said:
From recovery run this and post the output ....
Code:
adb pull /proc/partitions
You will get a file called 'partitions' in the current directory.....
Thx Josh
Here are the results:
Code:
major minor #blocks name
179 0 31039488 mmcblk0
179 32 2048 mmcblk0boot1
179 16 2048 mmcblk0boot0
179 48 31166976 mmcblk1
179 49 24901600 mmcblk1p1
razgrizpr said:
Here are the results:
Code:
major minor #blocks name
179 0 31039488 mmcblk0
179 32 2048 mmcblk0boot1
179 16 2048 mmcblk0boot0
179 48 31166976 mmcblk1
179 49 24901600 mmcblk1p1
Code:
major minor #blocks name
179 0 31039488 mmcblk0
179 1 786432 mmcblk0p1
179 2 438272 mmcblk0p2
179 3 2048 mmcblk0p3
179 4 835584 mmcblk0p4
179 5 5120 mmcblk0p5
179 6 512 mmcblk0p6
179 7 5120 mmcblk0p7
179 8 28924416 mmcblk0p8
179 9 8192 mmcblk0p9
179 10 8192 mmcblk0p10
179 32 2048 mmcblk0boot1
179 16 2048 mmcblk0boot0
That is what it should look like ....
So if you still have fastboot, flashing the pt.blob will give you these partitions back ....
After you flash the pt.blob boot back into recovery and run the same command and see if it matches mine ...
Thx Josh
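The by-eye comparison of /proc/partitions above, and the dmesg check from the TF700 case earlier on this page, can be scripted on the computer after pulling both files with adb. This is an added example, not code from any poster in the thread; the function names and the small errno table are assumptions of the example, and the sample inputs are copied from outputs posted in the thread.

```python
import re

# Linux errno numbers (asm-generic) that the MMC core can report; assumption:
# only these three are named here, anything else is shown as "unknown".
LINUX_ERRNO = {5: "EIO", 84: "EILSEQ", 110: "ETIMEDOUT"}

MMC_INIT_ERR = re.compile(r"(mmc\d+): error -(\d+) whilst initialising (\S+) card")
PART_LINE = re.compile(r"^\s*(\d+)\s+(\d+)\s+(\d+)\s+(\S+)\s*$")


def parse_partitions(text):
    """Map device name -> size in 1K blocks, from /proc/partitions text."""
    parts = {}
    for line in text.splitlines():
        m = PART_LINE.match(line)
        if m:  # the header, shell prompts and blank lines do not match
            parts[m.group(4)] = int(m.group(3))
    return parts


def mmc_init_errors(dmesg_text):
    """Return (host, errno, name) for each failed card initialisation."""
    found = []
    for m in MMC_INIT_ERR.finditer(dmesg_text):
        code = int(m.group(2))
        found.append((m.group(1), code, LINUX_ERRNO.get(code, "unknown")))
    return found


def children(parts, disk):
    """Partitions of `disk` (mmcblk0p1 ...), excluding the boot0/boot1 areas."""
    pat = re.compile(re.escape(disk) + r"p(\d+)$")
    return {n: s for n, s in parts.items() if pat.match(n)}


def triage(partitions_text, dmesg_text="", reference_text=None, disk="mmcblk0"):
    """Classify what the kernel sees. /proc/partitions is used instead of a
    listing of /dev/block because a regular file created there by dd can be
    named like a partition while the kernel knows nothing about it."""
    parts = parse_partitions(partitions_text)
    if disk not in parts:
        errs = mmc_init_errors(dmesg_text)
        if errs:
            host, code, name = errs[0]
            why = f"{host} init failed with -{code} ({name})"
        else:
            why = "no init error found in the supplied dmesg"
        return {"state": "no-device", "detail": why, "missing": []}
    have = children(parts, disk)
    want = children(parse_partitions(reference_text), disk) if reference_text else {}
    by_number = lambda n: int(n.rsplit("p", 1)[1])
    missing = sorted(set(want) - set(have), key=by_number)
    resized = sorted((n for n in have if n in want and have[n] != want[n]),
                     key=by_number)
    if not have:
        return {"state": "no-partition-table",
                "detail": f"{disk} is visible but has no partitions",
                "missing": missing}
    if missing or resized:
        return {"state": "layout-mismatch",
                "detail": f"resized: {resized}", "missing": missing}
    return {"state": "ok", "detail": f"{len(have)} partitions on {disk}",
            "missing": []}


# Sample inputs copied from the thread.
DMESG_TF700 = """\
<6>[ 9.067211] [mmc]:mmc_read_ext_csd:259 ext_csd.sectors 0x766c000 prod_name HYNIX BOOT_SIZE_MULTI 0x20
<4>[ 9.109988] mmc0: switch to bus width 1 ddr 0 failed
<3>[ 9.116163] mmc0: error -110 whilst initialising MMC card
"""
PARTS_EMPTY = "major minor #blocks name\n"
PARTS_NO_TABLE = """\
major minor #blocks name
179 0 31039488 mmcblk0
179 32 2048 mmcblk0boot1
179 16 2048 mmcblk0boot0
179 48 31166976 mmcblk1
179 49 24901600 mmcblk1p1
"""
PARTS_REFERENCE = """\
major minor #blocks name
179 0 31039488 mmcblk0
179 1 786432 mmcblk0p1
179 2 438272 mmcblk0p2
179 3 2048 mmcblk0p3
179 4 835584 mmcblk0p4
179 5 5120 mmcblk0p5
179 6 512 mmcblk0p6
179 7 5120 mmcblk0p7
179 8 28924416 mmcblk0p8
179 9 8192 mmcblk0p9
179 10 8192 mmcblk0p10
179 32 2048 mmcblk0boot1
179 16 2048 mmcblk0boot0
"""

if __name__ == "__main__":
    print(triage(PARTS_EMPTY, DMESG_TF700))
    print(triage(PARTS_NO_TABLE, reference_text=PARTS_REFERENCE))
    print(triage(PARTS_REFERENCE, reference_text=PARTS_REFERENCE))
```

A "no-device" result means partitioning tools have nothing to work on yet, while "no-partition-table" is the case where restoring the partition table is the relevant next step.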
lj50036 said:
Code:
major minor #blocks name
179 0 31039488 mmcblk0
179 1 786432 mmcblk0p1
179 2 438272 mmcblk0p2
179 3 2048 mmcblk0p3
179 4 835584 mmcblk0p4
179 5 5120 mmcblk0p5
179 6 512 mmcblk0p6
179 7 5120 mmcblk0p7
179 8 28924416 mmcblk0p8
179 9 8192 mmcblk0p9
179 10 8192 mmcblk0p10
179 32 2048 mmcblk0boot1
179 16 2048 mmcblk0boot0
That is what it should look like ....
So if you still have fastboot, flashing the pt.blob will give you these partitions back ....
After you flash the pt.blob boot back into recovery and run the same command and see if it matches mine ...
Thx Josh
Thank you so much lj50036!
Looks like correcting the partitions did the trick. After flashing the file, I managed to flash the ROM successfully.
All is good now, thank you all!
razgrizpr said:
Thank you so much lj50036!
Looks like correcting the partitions did the trick. After flashing the file, I managed to flash the ROM successfully.
All is good now, thank you all!
Great to see you up and running ....
Can you add 'SOLVED' to the thread title ...... :good:
Thx Josh
So, I just managed to get the Bootloader unlocked, flashed CWRM and then accidentally hit the factory reset button from the system settings menu, and am now stuck in the reset recovery screen.
I have access to adb but not fastboot. I have not done anything with NVFLASH
Am I permanently screwed for this motherboard or can I still be recovered?
ls -l /dev/block/mmc*
__bionic_open_tzdata: couldn't find any tzdata when looking for localtime!
__bionic_open_tzdata: couldn't find any tzdata when looking for GMT!
__bionic_open_tzdata: couldn't find any tzdata when looking for posixrules!
brw------- 1 root root 179, 0 Aug 29 02:23 /dev/block/mmcblk0
brw------- 1 root root 179, 16 Aug 29 02:23 /dev/block/mmcblk0boot0
brw------- 1 root root 179, 32 Aug 29 02:23 /dev/block/mmcblk0boot1
brw------- 1 root root 179, 1 Aug 29 02:23 /dev/block/mmcblk0p1
brw------- 1 root root 179, 10 Aug 29 02:23 /dev/block/mmcblk0p10
brw------- 1 root root 179, 2 Aug 29 02:23 /dev/block/mmcblk0p2
brw-rw---- 1 root system 179, 3 Aug 29 02:23 /dev/block/mmcblk0p3
brw-rw---- 1 root system 179, 4 Aug 29 02:23 /dev/block/mmcblk0p4
brw------- 1 root root 179, 5 Aug 29 02:23 /dev/block/mmcblk0p5
brw------- 1 drm drm 179, 6 Aug 29 02:23 /dev/block/mmcblk0p6
brw-rw---- 1 root system 179, 7 Aug 29 02:23 /dev/block/mmcblk0p7
brw------- 1 root root 179, 8 Aug 29 02:23 /dev/block/mmcblk0p8
brw------- 1 root root 179, 9 Aug 29 02:23 /dev/block/mmcblk0p9
Code:
adb shell
~ #cd sys
/sys # ls
ls
block class devices fs module tf_driver
bus dev firmware kernel power
/sys #cd block
/sys/block # ls
ls
loop0 loop2 loop4 loop6 mmcblk0 mmcblk0boot1
loop1 loop3 loop5 loop7 mmcblk0boot0 zram0
can I use this to edit something and unbrick?
Stephenopolos said:
Code:
adb shell
~ #cd sys
/sys # ls
ls
block class devices fs module tf_driver
bus dev firmware kernel power
/sys #cd block
/sys/block # ls
ls
loop0 loop2 loop4 loop6 mmcblk0 mmcblk0boot1
loop1 loop3 loop5 loop7 mmcblk0boot0 zram0
can I use this to edit something and unbrick?
If you reboot by long pressing the power button, does it boot straight back to recovery?
If so you can try these commands to clear the Wipe Data command from the misc partition:
Code:
adb shell
dd if=/dev/zero of=/dev/block/mmcblk0p3 bs=64 count=1
reboot
Good luck!
Thanks for the quick response. Yes it does drop immediately into the recovery/reset wipe data screen on reboot.
It's pretty late and I want to avoid making any mistakes in typing commands so I'm going to try that in the morning.
Also, while i'm not the best at the command line side, I am comfortable opening things up, so if it doesn't work I'm not entirely opposed to just buying a replacement MB and swapping it out. Hopefully it'll work though.
Stephenopolos said:
Thanks for the quick response. Yes it does drop immediately into the recovery/reset wipe data screen on reboot.
It's pretty late and I want to avoid making any mistakes in typing commands so I'm going to try that in the morning.
Also, while i'm not the best at the command line side, I am comfortable opening things up, so if it doesn't work I'm not entirely opposed to just buying a replacement MB and swapping it out. Hopefully it'll work though.
If you use Wipe Data from the bootloader or the Factory reset from Settings a command gets written to misc to start the recovery and wipe data.
Problem is, custom recoveries don't really "get" the command and do not execute it so the command does not get erased from misc and you're stuck in booting to recovery because the bootloader executes that command on each boot.
If your recovery is CWM you can try just leaving it on the wipe data screen for a few hours. With past CWM versions that usually worked and it eventually finished the wipe. Not with TWRP though.
Connect the tab to power and leave it on the wipe data screen until tomorrow. Then you can still try to clear the command with dd.
Copy and paste it. You don't want to have any typos with a dd command...
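What the dd command touches, shown on a file copy of misc rather than on the live partition. This is an added example, not code from the thread: the field layout (command at offset 0, status at 32, recovery arguments at 64) is assumed from AOSP's bootloader_message structure, the sample image is constructed, and the function names are hypothetical.

```shell
#!/bin/sh
# Added example: inspect and clear the bootloader command on a FILE COPY of misc.
# Assumed layout (AOSP struct bootloader_message):
#   command[32] at offset 0, status[32] at offset 32, recovery[768] at offset 64
CMD_OFF=0;   CMD_LEN=32
STAT_OFF=32; STAT_LEN=32
REC_OFF=64;  REC_LEN=768

# misc_field FILE OFFSET LENGTH
# Print the field up to its first NUL byte; embedded newlines become spaces.
misc_field() {
    dd if="$1" bs=1 skip="$2" count="$3" 2>/dev/null \
        | tr '\n\000' ' \n' | head -n 1 | sed 's/ *$//'
}

# make_sample_misc FILE
# Constructed sample: a 2048-byte image holding a pending wipe request,
# written the way AOSP recovery expects it (assumption, not dumped from a device).
make_sample_misc() {
    dd if=/dev/zero of="$1" bs=2048 count=1 2>/dev/null
    printf 'boot-recovery' | dd of="$1" bs=1 seek="$CMD_OFF" conv=notrunc 2>/dev/null
    printf 'recovery\n--wipe_data\n' | dd of="$1" bs=1 seek="$REC_OFF" conv=notrunc 2>/dev/null
}

# clear_pending FILE
# Zero the first 64 bytes (command + status), as the dd in the thread does,
# but only when a command is actually pending. Returns 1 if nothing was written.
clear_pending() {
    cmd=$(misc_field "$1" "$CMD_OFF" "$CMD_LEN")
    if [ -z "$cmd" ]; then
        echo "no pending command in $1, nothing written"
        return 1
    fi
    # conv=notrunc matters on a regular file: without it dd would cut the
    # copy down to 64 bytes. A block device cannot be truncated.
    dd if=/dev/zero of="$1" bs=64 count=1 conv=notrunc 2>/dev/null
    echo "cleared command '$cmd'"
}

# Demo on the constructed image.
img=$(mktemp)
make_sample_misc "$img"
echo "before: command='$(misc_field "$img" "$CMD_OFF" "$CMD_LEN")'" \
     "recovery='$(misc_field "$img" "$REC_OFF" "$REC_LEN")'"
clear_pending "$img"
echo "after:  command='$(misc_field "$img" "$CMD_OFF" "$CMD_LEN")'" \
     "recovery='$(misc_field "$img" "$REC_OFF" "$REC_LEN")'"
rm -f "$img"
```

Under the assumed layout, a 64-byte write removes only the command and status fields; the recovery arguments at offset 64 stay in place but are not acted on once the command is gone.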
berndblb said:
Problem is, custom recoveries don't really "get" the command
Only if your recovery kernel is too old to work with the bootloader, in which case it can't access any partitions.
berndblb said:
If your recovery is CWM you can try just leaving it on the wipe data screen for a few hours. With past CWM versions that usually worked and it eventually finished the wipe. Not with TWRP though.
TWRP should do its "Factory Reset" (which doesn't clear /sdcard). I've never tried it because I don't want to restore everything from a backup.
ran command this morning, and it hung in the shell... just sits there without finishing the command.
frustrating... I thought i'd read everything and triple read it again, but the main thread for custom recoveries for this tablet, didn't really mention anything about avoiding factory reset from device.
oh well. found a MB on ebay cheap i'll try the command again in a bit and if it doesn't work then next week i'll be installing a mb myself.
Code:
adb shell dd if=/dev/zero of=/dev/block/mmcblk0p3 bs=64 count=1
1+0 records in
1+0 records out
64 bytes (64B) copied, 402.164494 seconds, 0B/s
I'm assuming this means success...
will see in a bit... tablet is now claiming it has a low battery after I told it to reboot.
Hallelujah! it worked! berndblb You're my new favorite person in the world today.
_that said:
Only if your recovery kernel is too old to work with the bootloader, in which case it can't access any partitions.
TWRP should do its "Factory Reset" (which doesn't clear /sdcard). I've never tried it because I don't want to restore everything from a backup.
I have never tried it either. Just seen users reporting that with CWM installed the command eventually went through if you left it alone long enough. That doesn't seem to work with TWRP. But that's just hearsay....
Stephenopolos said:
Hallelujah! it worked! berndblb You're my new favorite person in the world today.
Very good!
But you have to thank @_that ^^^ for the command. He's the one I stole it from
berndblb said:
I have never tried it either. Just seen users reporting that with CWM installed the command eventually went through if you left it alone long enough. That doesn't seem to work with TWRP. But that's just hearsay....
Very good!
But you have to thank @_that ^^^ for the command. He's the one I stole it from
... you got to me first though...
Anyway, I had difficulty getting CM11 and CM12 to install. Eventually managed to get zombipop to install by dropping it onto a USB stick and using the keyboard dock. Had to flash a new recovery image as well.. apparently the one I put on there the first time around was screwy.
Stephenopolos said:
... you got to me first though...
Anyway, I had difficulty getting CM11 and CM12 to install. Eventually managed to get zombipop to install by dropping it onto a USB stick and using the keyboard dock. Had to flash a new recovery image as well.. apparently the one I put on there the first time around was screwy.
Lucky for you that I was here first. _that would have made you pull all kinds of logs before giving you the same command :laugh: :cyclops:
berndblb said:
Lucky for you that I was here first. _that would have made you pull all kinds of logs before giving you the same command :laugh: :cyclops:
The required logs in this case are already in the OP. But thank you for taking over first level support.
Software root method for Mediatek MT816x, MT817x and MT67xx!
A tool that gives you a temporary root shell with Selinux permissive to do with as you please
STATUS
Confirmed Working
Fire HD 8 8th gen (2018) (thanks @xyz`) -- up to Fire OS 6.3.0.1 only
Fire HD 8 7th gen (2017) -- up to Fire OS 5.6.4.0 build 636558520 only
Fire HD 8 6th gen (2016) (thanks @bibikalka) -- up to Fire OS 5.3.6.4 build 626536720
Fire HD 10 7th gen (2017) (thanks @bibikalka) -- up to Fire OS 5.6.4.0 build 636558520 only
Fire TV 2 2015 (mt8173-based) (thanks @el7145) -- up to Fire OS 5.2.6.9 only
Fire 7 9th gen (2019) (thanks @Michajin) -- up to Fire OS 6.3.1.2 build 0002517050244 only
Fire HD 10 9th gen (2019) -- up to Fire OS 7.3.1.0 only
Various phones and tablets up to Android 9.x (see link below for full list)
Note that for Fire OS 5, OS version 5.3.x.x is newer than 5.6.x.x.
Amazing Temp Root for MediaTek ARMv8: expanded thread covering all compatible MTK devices
DISCLAIMER
Anything you do that is described in this thread is at your own risk. No one else is responsible for any data loss, corruption or damage of your device, including that which results from bugs in this software.
REQUIREMENTS
Proficiency with the Thanks button under XDA posts
A Fire HD tablet based on mt8163 or mt8173 (or another MTK ARMv8 device)
Either:
A PC with ADB installed to interact with your device, or
A terminal emulator app
Familiarity with ADB (if using PC) and basic Linux shell commands
INSTRUCTIONS
Download the current mtk-su zip file to your PC and unzip it. Inside will be 2 directories: 'arm' & 'arm64' with an 'mtk-su' binary in each. Pick one for your device. Differences between the flavors:
arm64: 64-bit kernel and userspace
arm: 32-bit userspace on a 64-bit or 32-bit kernel (will also work in 64-bit userspace)
The arm64 one is suitable for most devices. The notable devices that need the arm version are the Fire HD 8 2018, Fire 7, and Fire HD 10 2019.
Connect your device to ADB and push mtk-su to your /data/local/tmp folder
Code:
adb push path/to/mtk-su /data/local/tmp/
Open an adb shell
Code:
adb shell
Change to your tmp directory
Code:
cd /data/local/tmp
Add executable permissions to the binary
Code:
chmod 755 mtk-su
At this point keep your tablet screen on and don't let it go to sleep. Run the program
Code:
./mtk-su
If the program gets stuck for more than a few seconds, press Ctrl+C to close it.
The -v option turns on verbose printing, which is necessary for me to debug any problems.
It will take several seconds, but using the -v option, you should see output similar to this (with id command added):
Code:
$ ./mtk-su -v
param1: 0x3000, param2: 0x18040, type: 2
Building symbol table
kallsyms_addresses pa 0x40bdd500
kallsyms_num_syms 70337, addr_count 70337
kallsyms_names pa 0x40c66d00, size 862960
kallsyms_markers pa 0x40d39800
kallsyms_token_table pa 0x40d3a100
kallsyms_token_index pa 0x40d3a500
Patching credentials
Parsing current_is_single_threaded
ffffffc000354868+50: ADRP x0, 0xffffffc000fa2000
ffffffc000354868+54: ADD xd, x0, 2592
init_task VA: 0xffffffc000fa2a20
Potential list_head tasks at offset 0x340
comm swapper/0 at offset 0x5c0
Found own task_struct at node 1
cred VA: 0xffffffc0358ac0c0
Parsing avc_denied
ffffffc0002f13bc+24: ADRP x0, 0xffffffc001113000
ffffffc0002f13bc+28: LDR [x0, 404]
selinux_enforcing VA: 0xffffffc001113194
Setting selinux_enforcing
Switched selinux to permissive
starting /system/bin/sh
UID: 0 cap: 3fffffffff selinux: permissive
#
Some other options:
mtk-su -c <command>: Runs <command> as root. Default command is /system/bin/sh.
mtk-su -s: Prints the kernel symbol table
If you see any errors other than about unsupported or incompatible platform or don't get a root shell, report it here.
Important: in rare cases, it may be necessary to run the tool multiple times before you hit UID 0 and get selinux permissive. If you don't achieve root on a particular run, the "UID: N cap: xxxxx...." line will reflect that. If it doesn't say "UID: 0 cap: 3fffffffff selinux: permissive", type exit to close the subshell and try mtk-su again.
If you succeed in getting temporary root, at that point you might want to install SuperSU for a more permanent root solution. Here is the official guide on which files should be present to kickstart SuperSU from temporary root. They are available in the latest SuperSU zip file. Remember that this only applies to Fire OS 5.
FIRE OS 5 AND ANDROID 5 USERS: There's an automated SuperSU loader by @Rortiz2 that makes jumpstarting SuperSU quick and easy.
WARNING FOR FIRE HD 8 2018 AND OTHER FIRE OS 6 DEVICES: If you have achieved root on such a device, do not remount the system partition as read/write. The remount command will probably not work. But forcing it will trigger dm-verity, which will result in a very bad day. Your tablet will become inoperable until you restore the stock system partition. You can accomplish a lot without modifying /system. But if you would like to get persistent root with Magisk by unlocking the bootloader, head on over to @bibikalka's outstanding Unlock/Magisk/TWRP Tutorial.
DOWNLOAD
Current Version
Release 23
Past releases & change log live at Amazing Temp Root for MediaTek ARMv8
FAQ
I got the error, "This firmware cannot be supported". What do I do?
This means that your device's firmware is not prone to the mechanism used by mtk-su. Check the firmware version and build number of the OS on your device. If your version is higher than that next to your device on the list above, then mtk-su will no longer work on your device. There may be other ways to achieve root. Check elsewhere on the forum.
Will this work on the Fire 7?
No, it is very doubtful this method can be used on the MT8127 chipset. The same also goes for the Fire TV stick.
After getting a root shell I'm still getting 'permission denied' errors. WTH?
It may be that selinux is still being enforced. Having root with selinux enabled is somehow more restrictive than a normal shell user. First, check that mtk-su succeeded in setting selinux to permissive by running getenforce. If it says Enforcing, then exit your shell and run mtk-su again.
Does this thing unlock the bootloader?
No, it does nothing to unlock the bootloader. But after running mtk-su, you may be able to use @xyz`'s revolutionary LK exploit or derivative works to achieve what is effectively an unlocked bootloader on some devices. Namely, you should be able to flash the specially crafted TWRP image using dd from Android.
How does this tool work?
It overwrites the process's credentials & capabilities in the kernel in order to gain privileges. It also turns off selinux enforcement by overwriting the kernel's selinux_enforcing variable. As for how it accesses that memory, I don't think I should discuss that as of yet.
Will this work on the Fire TV Stick 4K?
Unfortunately, no. While it has a 64-bit chip, the required vulnerabilities are not present in its OS.
Can I include mtk-su in my app or meta-tool?
Generally speaking, you may not distribute any mtk-su zip or binaries with your software. That includes doing any automatic download of those files into your app. You can still use it with your tools. But you should ask your users to visit this thread and download the current release zip themselves. No apps have been permitted to bundle or auto-download mtk-su.
Why don't you reply to my post?
I read every post in this thread, and respond to practically every post that warrants a response. Sometimes I will only click a Thanks as an acknowledgement. The reasons I may not answer your question are:
It has already been answered in the FAQ or multiple times in the thread.
Your post is unrelated to this project. It may be specific to your device, which would make it off topic for this thread.
Your question is extremely vague and you appear to be intentionally leaving out basic information (e.g. fishing).
CREDITS
@Supersonic27543 for helping me port it to Fire OS 5 and namely the HD 8 7th gen
Thank you to everyone who has donated. You're the best!
I want to thank you again for your efforts on this! I was ill the days before, so I didn't get much time to test SuperSU, and I'm trying to make a script now. Good luck to everyone who tries this!
EDIT: Oops, sorry for the reserve post.
How to use without a PC
INSTRUCTIONS FOR TERMINAL APP
You can optionally use mtk-su from a terminal emulator such as Termux or Terminal Emulator for Android (my preference). The gist of the process is to copy the executable to the terminal app's internal directory and run it from there. These are the instructions for Termux, but a similar procedure applies to all terminal shell apps.
Download the current mtk_su zip to your device and unzip it. Take note of where you extracted it. Pick the variant that fits your device. (See above.)
Open Termux and copy the mtk-su binary to its home directory, which in this case is the shell's initial working directory.
General idea: cp path/to/mtk-su ./
For example,
Code:
cp /sdcard/mtk-su_r14/arm64/mtk-su ./
For this to work, you have to enable the Storage permission for your term app. Do not try to circumvent the cp command with clever copying methods involving file managers or external tools. Mtk-su will not get the right permissions that way.
Make file executable
Code:
chmod 700 mtk-su
Run the program
Code:
./mtk-su
If mtk-su fails, post the output of ./mtk-su -v here along with a link to firmware and kernel sources, if possible.
Note that for most terminal shell apps, the internal app directory is stored in the variable $HOME. So in general you would do
cd
cp path/to/mtk-su ./
chmod 700 mtk-su
./mtk-su
Great work!
So could this theoretically work for any Mediatek device? Or do specific modifications need to be done for another model chip?
What do you think is likely the worst to happen if this is tried as-is on another device? Will it just not work? Or explode the device?
I have an Acer B3-A40 that has an MT8167 chip that I wouldn't mind rooting.
@cybersaga, yes, it's very possible it will work on an mt8167 device. Although I can't 100% guarantee it won't damage your device, I would just go ahead and try it. The risk is very minimal. It will print some error if it fails. I think realistically, I would need to tweak some parameters or make a workaround if there's a problem.
The method should be applicable to most 64-bit platforms. There are newer 4.x kernels where the necessary hole is not present, though. But time will tell what devices this ultimately will be compatible with.
That's super neat. I'll probably give it a try sometime this week.
Very cool from what I can see, however it doesn't work on HD8 2018 because there's no 64-bit userspace (only the kernel is 64-bit), could you recompile it for arm?
Oh, that's a bummer, @xyz`. Why would they do that? I think there's some other tweaks I have to make besides compiling it. I'll post a test version as soon as I can. This might be the case for other devices too...
diplomatic said:
Oh, that's a bummer, @xyz`. Why would they do that? I think there's some other tweaks I have to make besides compiling it. I'll post a test version as soon as I can. This might be the case for other devices too...
Maybe you can just compile it as a static binary instead if that's easier.
Awesome! I just rooted my HD8 2017
Try the automated script by @Rortiz2
Previous instructions:
For anyone that is confused by the process of manually installing SuperSu, I did the following...
IMPORTANT: This is for FireOS 5 devices such as HD8 2017. Do not attempt this on HD8 2018
Install SuperSu from Playstore
Download SuperSu and unzip somewhere
adb push arm64/su arm64/supolicy arm64/libsupol.so /data/local/tmp
Follow directions from OP to get a root shell. You should not get permission denied when running ls. If you see permission denied, run exit and try again. Took me a few tries
mount -o remount -rw /system
cp /data/local/tmp/su /system/xbin/su
cp /data/local/tmp/su /system/xbin/daemonsu
cp /data/local/tmp/supolicy /system/xbin/
cp /data/local/tmp/libsupol.so /system/lib/
cp /data/local/tmp/libsupol.so /system/lib64/
chmod 0755 /system/xbin/su
chcon u:object_r:system_file:s0 /system/xbin/su
chmod 0755 /system/xbin/daemonsu
chcon u:object_r:system_file:s0 /system/xbin/daemonsu
at this point, running su should work and show a root shell
daemonsu --auto-daemon
Open SuperSu app and allow it to update the su binary
My tablet hung at the boot logo when I manually installed SuperSu via the linked instructions. Installing the bare minimum and letting the SuperSu app do the rest seems less error-prone
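For anyone who has to check whether a tablet or an extracted system image has been through the steps in the post above, the files it copies and the SELinux mode can be audited in one pass. This is an added example, not code from the thread: the artifact paths are the cp targets listed in the post, while the function name, the ROOT prefix convention and the sample tree are assumptions.

```shell
#!/bin/sh
# Added example: audit a device or an extracted image for the files the manual
# SuperSU steps leave behind, and for SELinux running in permissive mode.

# Paths taken from the cp commands in the post above.
ARTIFACTS="/system/xbin/su /system/xbin/daemonsu /system/xbin/supolicy
/system/lib/libsupol.so /system/lib64/libsupol.so"

# audit_root_artifacts ROOT [ENFORCE_FILE]
#   ROOT          prefix to scan: "" on a live device, or a directory that holds
#                 an extracted image (assumed layout: ROOT/system/...)
#   ENFORCE_FILE  file holding the SELinux mode (1 enforcing, 0 permissive);
#                 defaults to ROOT/sys/fs/selinux/enforce
# Prints one finding per line and returns the number of findings (0 = clean).
audit_root_artifacts() {
    root=$1
    enforce=${2:-$root/sys/fs/selinux/enforce}
    findings=0
    for p in $ARTIFACTS; do
        f=$root$p
        [ -e "$f" ] || continue
        kind="present"
        [ -x "$f" ] && kind="present, executable"
        echo "FOUND $p ($kind)"
        findings=$((findings + 1))
    done
    if [ -r "$enforce" ]; then
        mode=$(tr -d ' \n' < "$enforce")
        if [ "$mode" = "0" ]; then
            echo "SELINUX permissive"
            findings=$((findings + 1))
        fi
    else
        echo "NOTE cannot read $enforce, SELinux mode not checked"
    fi
    return "$findings"
}

# Demo on a constructed tree that mimics a device after the manual install.
demo=$(mktemp -d)
mkdir -p "$demo/system/xbin" "$demo/system/lib" "$demo/sys/fs/selinux"
: > "$demo/system/xbin/su"
chmod 0755 "$demo/system/xbin/su"
: > "$demo/system/lib/libsupol.so"
echo 0 > "$demo/sys/fs/selinux/enforce"
audit_root_artifacts "$demo" || echo "$? finding(s) in constructed tree"
rm -rf "$demo"
```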
@diplomatic
Wow!!! This is crazy !!! Where have you been before??? I almost had to drill a hole into HD8 2016!!!
I tried this on HD8 2016, FireOS 5.3.2.1, and the method worked! It takes less than 1 second to run, way faster than any Kingoroot. I had to exit and run again to get system mounting permissions rw as per @dutchthomas recommendation {mount -o remount -rw /system}. Then I updated su manually (using armv7 binaries from SR5-SuperSU-v2.82-SR5-20171001224502.zip - on HD10 2017 I am always using armv7 versions as well), and let SuperSu update itself. Full success! SuperSu needs to be set to "Grant" as per this link.
Now, for HD8 2018 I believe the following could work. 0) Drain the battery to really minimal amount ~ 3% 1) Run this to get temp root. 2) Zero out boot0 {dd if=/dev/zero of=/dev/block/mmcblk0boot0}. At this point the device should be booting into BootRom mode (as claimed by others - @xyz`, @hwmod, @k4y0z, can you confirm?). In BootRom, run the scripts from this link. If it hangs in BootRom, just let it sit disconnected from anything. The low battery should shut it down, and you can try again later in BootRom. Low battery would remove the need to open the case should the amonet script hang.
Actually, for HD8 2018, if RPMB does not need to be cleared, all of amonet steps could be done via dd while having a temporary root shell. One could dd all of LK/TZ/boot/recovery/preloader. If RPMB needs clearing, then one should still dd everything but the preloader, which instead should be zeroed out {dd if=/dev/zero of=/dev/block/mmcblk0boot0}. Then amonet would be used to clear our RPMB, and put the preloader back. One of the current seeming issues is that amonet appears to write LK exploit into the memory area outside of boot0 size (thus precluding dd operation for that piece of code into boot0) - see this link for details. If this issue could be addressed, then HD8 2018 could be unlockable without ever opening the case.
My HD8 2016 output:
Code:
C:\Program Files\Minimal ADB and Fastboot>adb shell
[email protected]:/ $ cd /data/local/tmp
[email protected]:/data/local/tmp $ chmod 755 mtk-su
[email protected]:/data/local/tmp $ ./mtk-su -v
Building symbol table
kallsyms_addresses_pa 0x40ad8f00
kallsyms_num_syms 67082, addr_count 67082
kallsyms_names_pa 0x40b5c100
Size of kallsyms_names 805834 bytes
kallsyms_markers_pa 0x40c20d00
kallsyms_token_table_pa 0x40c21600
kallsyms_token_index_pa 0x40c21a00
Patching credentials
init_task va: ffffffc000edaa20
Possible list_head tasks at offset 0x338
0xffffffc0030c8338 0xffffffc050347638 0x000000000000008c
comm offset 0x5a8 comm: swapper/0
Found own task_struct at node 0
real_cred: 0xffffffc052669900, cred: 0xffffffc052669900
New UID/GID: 0/0
Setting selinux permissive
Found adrp at offset 4
ADRP x0, base is 0xffffffc001030000
Found ldr at offset 28
LDR [x0,444], selinux_enforce VA is 0xffffffc0010301bc
Switched selinux to permissive
starting /system/bin/sh
[email protected]:/data/local/tmp #
Edit: Despite my super careful SuperSu injection into FireOS 5.3.6.4 system image, I still could not get SuperSu to work after I restored this image using FlashFire. Regardless, the method from this thread also rooted 5.3.6.4 in no time! Awesome!
dutchthomas said:
Awesome! I just rooted my HD8 2017
For anyone that is confused by the process of manually installing SuperSu, I did the following:
Install SuperSu from Playstore
Download SuperSu and unzip somewhere
adb push arm64/su arm64/supolicy arm64/libsupol.so /data/local/tmp
Follow directions from OP to get a root shell. You should not get permission denied when running ls. If you see permission denied, run exit and try again. Took me a few tries
mount -o remount -rw /system
cp /data/local/tmp/su /system/xbin/su
cp /data/local/tmp/su /system/xbin/daemonsu
cp /data/local/tmp/supolicy /system/xbin/
cp /data/local/tmp/libsupol.so /system/lib/
cp /data/local/tmp/libsupol.so /system/lib64/
at this point, running su should work and show a root shell
daemonsu --auto-daemon
Open SuperSu app and allow it to update the su binary
My tablet hung at the boot logo when I manually installed SuperSu via the linked instructions. Installing the bare minimum and letting the SuperSu app do the rest seems like a less error-prone middle ground.
Thanks for this! I'm not sure if I'm doing it correctly, but everything works fine until I get to #11. Do I just type su? When I do, it says permission denied.
EDIT: Just tried the new commands you edited and it worked. My FireHD 8 7th gen is now rooted.
diplomatic said:
Software root method found for Mediatek MT8163, MT8173 and MT67xx!
Great work!
bibikalka said:
Now, for HD8 2018 I believe the following could work. 0) Drain the battery to really minimal amount ~ 3% 1) Run this to get temp root. 2) Zero out boot0 {dd if=/dev/zero of=/dev/block/mmcblk0boot0}. At this point the device should be booting into BootRom mode (as claimed by others - @xyz`, @hwmod, @k4y0z, can you confirm?). In BootRom, run the scripts from this link. If it hangs in BootRom, just let it sit disconnected from anything. The low battery should shut it down, and you can try again later in BootRom. Low battery would remove the need to open the case should the amonet script hang.
Actually, for HD8 2018, if RPMB does not need to be cleared, all of amonet steps could be done via dd while having a temporary root shell. One could dd all of LK/TZ/boot/recovery/preloader. If RPMB needs clearing, then one should still dd everything but the preloader, which instead should be zeroed out {dd if=/dev/zero of=/dev/block/mmcblk0boot0}. Then amonet would be used to clear our RPMB, and put the preloader back. One of the current seeming issues is that amonet appears to write LK exploit into the memory area outside of boot0 size (thus precluding dd operation for that piece of code into boot0) - see this link for details. If this issue could be addressed, then HD8 2018 could be unlockable without ever opening the case.
If you want to zero out preloader, you should do it this way:
Code:
su -c "echo 0 > /sys/block/mmcblk0boot0/force_ro; cat /dev/zero > /dev/block/mmcblk0boot0; echo 'EMMC_BOOT' > /dev/block/mmcblk0boot0"
that way the sanity check of amonet won't fail.
I'm not sure about the boot0 size on the HD8. According to @xyz` it is 4MB on the HD8 as well.
bibikalka said:
@diplomatic
Wow!!! This is crazy !!! Where have you been before??? I almost had to drill a hole into HD8 2016!!!
I tried this on HD8 2016, FireOS 5.3.2.1, and the method worked! It takes less than 1 second to run, way faster than any Kingoroot. I had to exit and run again to get system mounting permissions rw as per @dutchthomas recommendation {mount -o remount -rw /system}. Then I updated su manually (using armv7 binaries from SR5-SuperSU-v2.82-SR5-20171001224502.zip - on HD10 2017 I am always using armv7 versions as well), and let SuperSu update itself. Full success! SuperSu needs to be set to "Grant" as per this link.
Now, for HD8 2018 I believe the following could work. 0) Drain the battery to really minimal amount ~ 3% 1) Run this to get temp root. 2) Zero out boot0 {dd if=/dev/zero of=/dev/block/mmcblk0boot0}. At this point the device should be booting into BootRom mode (as claimed by others - @xyz`, @hwmod, @k4y0z, can you confirm?). In BootRom, run the scripts from this link. If it hangs in BootRom, just let it sit disconnected from anything. The low battery should shut it down, and you can try again later in BootRom. Low battery would remove the need to open the case should the amonet script hang.
Actually, for HD8 2018, if RPMB does not need to be cleared, all of amonet steps could be done via dd while having a temporary root shell. One could dd all of LK/TZ/boot/recovery/preloader. If RPMB needs clearing, then one should still dd everything but the preloader, which instead should be zeroed out {dd if=/dev/zero of=/dev/block/mmcblk0boot0}. Then amonet would be used to clear our RPMB, and put the preloader back. One of the current seeming issues is that amonet appears to write LK exploit into the memory area outside of boot0 size (thus precluding dd operation for that piece of code into boot0) - see this link for details. If this issue could be addressed, then HD8 2018 could be unlockable without ever opening the case.
My HD8 2016 output:
Code:
C:\Program Files\Minimal ADB and Fastboot>adb shell
[email protected]:/ $ cd /data/local/tmp
[email protected]:/data/local/tmp $ chmod 755 mtk-su
[email protected]:/data/local/tmp $ ./mtk-su -v
Building symbol table
kallsyms_addresses_pa 0x40ad8f00
kallsyms_num_syms 67082, addr_count 67082
kallsyms_names_pa 0x40b5c100
Size of kallsyms_names 805834 bytes
kallsyms_markers_pa 0x40c20d00
kallsyms_token_table_pa 0x40c21600
kallsyms_token_index_pa 0x40c21a00
Patching credentials
init_task va: ffffffc000edaa20
Possible list_head tasks at offset 0x338
0xffffffc0030c8338 0xffffffc050347638 0x000000000000008c
comm offset 0x5a8 comm: swapper/0
Found own task_struct at node 0
real_cred: 0xffffffc052669900, cred: 0xffffffc052669900
New UID/GID: 0/0
Setting selinux permissive
Found adrp at offset 4
ADRP x0, base is 0xffffffc001030000
Found ldr at offset 28
LDR [x0,444], selinux_enforce VA is 0xffffffc0010301bc
Switched selinux to permissive
starting /system/bin/sh
[email protected]:/data/local/tmp #
Thanks for the feedback, bro! So the HD8 2016 is crossed off the untested list. For the HD8 2018, as far as I see, you can just flash the premade TWRP to recovery by dd. Why do you need to do the whole bootrom procedure? Then reboot to recovery to check if everything's ok. If not, Android will just restore the stock recovery on next boot. If TWRP works, just install Magisk or whatever you do to modify boot.
dutchthomas said:
Awesome! I just rooted my HD8 2017
For anyone that is confused by the process of manually installing SuperSu, I did the following:
Install SuperSu from Playstore
Download SuperSu and unzip somewhere
adb push arm64/su arm64/supolicy arm64/libsupol.so /data/local/tmp
Follow directions from OP to get a root shell. You should not get permission denied when running ls. If you see permission denied, run exit and try again. Took me a few tries
mount -o remount -rw /system
cp /data/local/tmp/su /system/xbin/su
cp /data/local/tmp/su /system/xbin/daemonsu
cp /data/local/tmp/supolicy /system/xbin/
cp /data/local/tmp/libsupol.so /system/lib/
cp /data/local/tmp/libsupol.so /system/lib64/
at this point, running su should work and show a root shell
daemonsu --auto-daemon
Open SuperSu app and allow it to update the su binary
My tablet hung at the boot logo when I manually installed SuperSu via the linked instructions. Installing the bare minimum and letting the SuperSu app do the rest seems like a less error-prone middle ground.
Oh, nice, thanks for this... This is more straightforward than doing it "offline". I just realized Chainfire has instructions specifically for dealing with exploits here.
diplomatic said:
Thanks for the feedback, bro! So the HD8 2016 is crossed off the untested list. For the HD8 2018, as far as I see, you can just flash the premade TWRP to recovery by dd. Why do you need to do the whole bootrom procedure? Then reboot to recovery to check if everything's ok. If not, Android will just restore the stock recovery on next boot. If TWRP works, just install Magisk or whatever you do to modify boot.
Flashing TWRP isn't enough.
LK-payload needs to be written to boot0 at offset 0x200000.
Additionally you need to have the correct version of LK installed.
If you have an older version it could just be overwritten.
If your installed LK is newer, you will have to zero out RPMB.
LOL
Very nice!
Awesome work @diplomatic
If you had discovered it before, I would not have asked you to compile TWRP for the BQ M8 and I would not have bothered you. By the way I prefer to have TWRP. (thanks!)
I have reinstalled stock in my BQ M8 and the script has worked! If you want you can add it to the list of devices...
On Fire 7 7th Gen it did not work. But we have TWRP.
EDIT: I have tried again and now I get this error
Code:
130|[email protected]_M8:/data/local/tmp $ ./mtk-su -v
Building symbol table
kallsyms_addresses_pa 0x40a43000
kallsyms_num_syms 49221, addr_count 49221
kallsyms_names_pa 0x40aa3400
Size of kallsyms_names 602609 bytes
kallsyms_markers_pa 0x40b36600
kallsyms_token_table_pa 0x40b36c00
warning: token_count 1
kallsyms_token_index_pa 0x40b36d00
Patching credentials
__ksymtab_init_task not found
New UID/GID: 2000/2000
Setting selinux permissive
find_selinux_enforce_var() returned -1
starting /system/bin/sh
k4y0z said:
Flashing TWRP isn't enough.
LK-payload needs to be written to boot0 at offset 0x200000.
Additionally you need to have the correct version of LK installed.
If you have an older version it could just be overwritten.
If your installed LK is newer, you will have to zero out RPMB.
diplomatic said:
... For the HD8 2018, as far as I see, you can just flash the premade TWRP to recovery by dd. Why do you need to do the whole bootrom procedure? Then reboot to recovery to check if everything's ok. If not, Android will just restore the stock recovery on next boot. If TWRP works, just install Magisk or whatever you do to modify boot.
Yep! Cannot just flash TWRP on HD8 2018 - need to also unlock bootloader, otherwise TWRP won't boot. Which is not a problem, and in theory can be done all via dd - except for the amonet address issue (2Mb), see more below.
k4y0z said:
If you want to zero out preloader, you should do it this way:
Code:
su -c "echo 0 > /sys/block/mmcblk0boot0/force_ro; cat /dev/zero > /dev/block/mmcblk0boot0; echo 'EMMC_BOOT' > /dev/block/mmcblk0boot0"
that way the sanity check of amonet won't fail.
I'm not sure about the boot0 size on the HD8. According to @xyz` it is 4MB on the HD8 as well.
OK - once boot0 is zeroed out, how does one get into BootRom after that? One basically turns off the tablet, and then plugs it into Linux with amonet listening? Which tablet models were tested so far with this BootRom activation method?
For the boot0 size, see these outputs from 2 tablets, 'cat /proc/partitions'. In both cases, boot0 is only 1Mb - 1024 blocks below. So it's not possible to dd beyond that 1Mb from within FireOS. If the exploit was placed at ~512 Kb, then it'd be all in range.
Fire HD8 2016:
Code:
major minor #blocks name
179 0 15388672 mmcblk0
179 1 3072 mmcblk0p1
179 2 5120 mmcblk0p2
179 3 10240 mmcblk0p3
179 4 10240 mmcblk0p4
179 5 256 mmcblk0p5
179 6 500 mmcblk0p6
179 7 16268 mmcblk0p7
179 8 16384 mmcblk0p8
179 9 6144 mmcblk0p9
179 10 512 mmcblk0p10
179 11 8192 mmcblk0p11
179 12 10240 mmcblk0p12
179 13 1024 mmcblk0p13
179 14 5120 mmcblk0p14
179 15 5120 mmcblk0p15
179 16 40320 mmcblk0p16
179 17 1024 mmcblk0p17
179 18 1024 mmcblk0p18
179 19 1653024 mmcblk0p19
179 20 434176 mmcblk0p20
179 21 512 mmcblk0p21
179 22 16384 mmcblk0p22
179 23 4320 mmcblk0p23
179 24 13138927 mmcblk0p24
179 96 4096 mmcblk0rpmb
179 64 4096 mmcblk0boot1
179 32 1024 mmcblk0boot0
179 33 2 mmcblk0boot0p1
179 34 2 mmcblk0boot0p2
179 35 256 mmcblk0boot0p3
179 36 747 mmcblk0boot0p4
Fire HD8 2018:
Code:
major minor #blocks name
179 0 15267840 mmcblk0
179 1 3072 mmcblk0p1
179 2 4608 mmcblk0p2
179 3 1024 mmcblk0p3
179 4 1024 mmcblk0p4
179 5 1024 mmcblk0p5
179 6 5120 mmcblk0p6
179 7 5120 mmcblk0p7
179 8 40448 mmcblk0p8
179 9 512 mmcblk0p9
179 10 8192 mmcblk0p10
179 11 16384 mmcblk0p11
179 12 20480 mmcblk0p12
179 13 3177472 mmcblk0p13
179 14 230400 mmcblk0p14
179 15 512000 mmcblk0p15
179 16 11240431 mmcblk0p16
179 96 4096 mmcblk0rpmb
179 64 4096 mmcblk0boot1
179 32 1024 mmcblk0boot0
179 33 2 mmcblk0boot0p1
179 34 2 mmcblk0boot0p2
179 35 256 mmcblk0boot0p3
179 36 747 mmcblk0boot0p4
@diplomatic - awesome work - just had to give it a go for myself...
Factory reset my HD8 (2017) (root originally via @t0x1cSH "Fire hd8 2017 root, debrick" post) and followed your post plus the 'speedy SU install' from @dutchthomas - post 10.
One difficulty: mtk-su seemed to run fine and UID= 0 was shown - but I did have trouble getting the 'mount -o remount -rw /system' command to work at first - it needed a few attempts.
And then, using the work-through from post 10, I couldn't get full root (i.e. 'su' accepted at command prompt) until I changed permissions on each of the copied SU components (su, daemonsu etc) to those prescribed in @<br />'s awesome Hardmod post.
Bit strange? I was using Fire OS 5.3.6.0 - I wonder if version makes any difference? Got there eventually tho' :good:
bibikalka said:
Yep! Cannot just flash TWRP on HD8 2018 - need to also unlock bootloader, otherwise TWRP won't boot. Which is not a problem, and in theory can be done all via dd - except for the amonet address issue (2Mb), see more below.
OK - once boot0 is zeroed out, how does one get into BootRom after that? One basically turns off the tablet, and then plugs it into Linux with amonet listening? Which tablet models were tested so far with this BootRom activation method?
For the boot0 size, see these outputs from 2 tablets, 'cat /proc/partitions'. In both cases, boot0 is only 1Mb - 1024 blocks below. So it's not possible to dd beyond that 1Mb from within FireOS. If the exploit was placed at ~512 Kb, then it'd be all in range.
When you execute that command, simply turn off the tablet and when you connect it to the PC it will detect it in BootROM Mode. Checked in Fire 7 2017.
Wait, will this work for a mt6753 chipset?