EDIT: For general discussion about this topic, please post in the following location (and not here): http://forum.xda-developers.com/showthread.php?t=2057818
Now find a one-click root application at http://forum.xda-developers.com/showthread.php?t=2130276. More exploits coming.
Hi,
Recently discover a way to obtain root on S3 without ODIN flashing.
The security hole is in kernel, exactly with the device /dev/exynos-mem.
This device is R/W by all users and give access to all physical memory ... what's wrong with Samsung ?
Its like /dev/mem but for all.
Three libraries seems to use /dev/exynos-mem:
/system/lib/hw/camera.smdk4x12.so
/system/lib/hw/gralloc.smdk4x12.so
/system/lib/libhdmi.so
Many devices are concerned :
Samsung Galaxy S2
Samsung Galxy Note 2
MEIZU MX
potentialy all devices who embed exynos processor (4210 and 4412) which use Samsung kernel sources.
The good news is we can easily obtain root on these devices and the bad is there is no control over it.
Ram dump, kernel code injection and others could be possible via app installation from Play Store. It certainly exists many ways
to do that but Samsung give an easy way to exploit. This security hole is dangerous and expose phone to malicious apps.
Exploitation with native C and JNI could be easily feasible.
Edited
Some details :
/dev/exynos-mem seems to be used for graphic usage like camera, graphic memory allocation, hdmi.
By activating pid display in kmsg, surfaceflinger do mmap on the device (via one of the three shared libraries above ?? I have not see reference in binary to these libraires)
The operations allowed on the device are (from linux/drivers/char/mem.c) :
Code:
static const struct file_operations exynos_mem_fops = {
.open = exynos_mem_open,
.release = exynos_mem_release,
.unlocked_ioctl = exynos_mem_ioctl,
.mmap = exynos_mem_mmap,
}
and the default permissions (from linux/drivers/char/mem.c) :
Code:
#ifdef CONFIG_EXYNOS_MEM
[14] = {"exynos-mem", S_IRUSR | S_IWUSR | S_IRGRP | S_IWGRP | S_IROTH
| S_IWOTH, &exynos_mem_fops},
#endif
ioctl request on /dev/exynos-mem permit to clean / flush L1 and L2 cache, set non cacheable page memory and set physical memory address for use with mmap.
Now the interesting part : mmap operation.
The only limit is to restrict access to lowmem (from linux/drivers/char/exynos-mem.c) :
Code:
/* TODO: currently lowmem is only avaiable */
if ((phys_to_virt(start) < (void *)PAGE_OFFSET) ||
(phys_to_virt(start) >= high_memory)) {
pr_err("[%s] invalid paddr(0x%08x)\n", __func__, start);
return -EINVAL;
}
The comment in above code could be frightening.
And an eye in Documentation/arm/memory.txt say :
Code:
Start End Use
--------------------------------------------------------------------------
PAGE_OFFSET high_memory-1 Kernel direct-mapped RAM region.
This maps the platforms RAM, and typically
maps all platform RAM in a 1:1 relationship.
In other words, this device only permit to own the physical memory including kernel code.
The question is why permissions are set to read/write for all in kernel AND in ueventd.smdk4x12.rc:
samsung developper in charge of this would lose his job
some samsung apps with basic rights need to access it (I doubt it)
a huge mistake
A simple patch could be to set permissions to 0660 or 0600 in ueventd.smdk4x12.rc, but I don't know how it would affect samsung applications/services.
In attachment, binary and source to obtain for root shell.
Removing either read or write permissions will kill the camera. I didn't see any other deterioration in anything else.
{
"lightbox_close": "Close",
"lightbox_next": "Next",
"lightbox_previous": "Previous",
"lightbox_error": "The requested content cannot be loaded. Please try again later.",
"lightbox_start_slideshow": "Start slideshow",
"lightbox_stop_slideshow": "Stop slideshow",
"lightbox_full_screen": "Full screen",
"lightbox_thumbnails": "Thumbnails",
"lightbox_download": "Download",
"lightbox_share": "Share",
"lightbox_zoom": "Zoom",
"lightbox_new_window": "New window",
"lightbox_toggle_sidebar": "Toggle sidebar"
}
My guess the best fix would be to limit the access to the DMA memory spaces which this thing actually needs, the definition of the different CMA areas are in /arch/arm/mach-exynos/mach-midas.c for the S3 and N2.
Front camera for example:
Code:
#ifndef CONFIG_USE_FIMC_CMA
{
.name = "fimc1",
.size = CONFIG_VIDEO_SAMSUNG_MEMSIZE_FIMC1 * SZ_1K,
#if defined(CONFIG_MACH_GC1)
.start = 0x5ec00000,
#else
.start = 0x65c00000,
#endif
},
#endif
Generally all memory areas allocated through s5p_cma_region_reserve in /arch/arm/plat-s5p/reserve_mem.c would be treated as exceptions and everything else needs to be blocked.
Update: Low-level kernel fix for developers posted here.
A kernel based fix as I posted above is the only method to fix the security hole while also not breaking the camera. In all other cases if you are not able or willing to flash a kernel, use Chainfire's application.
Very interesting. Thanks for bringing that up. (Have also flagged some Samsung engineers to read this)
Also, I'm building an APK for this to make it easy.
EDIT: APK posted here: http://forum.xda-developers.com/showthread.php?t=2050297, download, install, run, and your device is rooted with SuperSU.
EDIT#2: This app now also lets you disable the exploit
@alephzain thanks for sharing the source code of the exploit: short, elegant, efficient, to me that's art
Your short documentation and clean writing style even made easier to learn from it.
Hey curio,
No need, here is a very quickly put together app in 5 mins that lets you toggle on/off world writability to /dev/exynos-mem
So you can toggle the fix off if you want to use the camera, then toggle it back on afterwards.
Github source: https://github.com/Ryan-ZA/exynosfix
APK Download: https://github.com/Ryan-ZA/exynosfix/raw/master/exynosfix.apk
Ryan
MOD EDIT: Removed attached download, as it is out of date compared to the linked download
jcase said:
Please explain how this is a remote exploit? This looks entirely local to me. Vulns happen, every vendor gets hit with them. Google does, Apple does Motorola does, HTC does, LG does, Samsung does, ASUS does, Nvidia, Qualcomm etc etc, it is all part of the game. Hell go look at the recent qualcomm disclosures, almost every qualcomm since 2009, wide open! Sh*t happens. Any device with root on it, be it exploit or whatever is open to permanent damage from malicious, want to nuke an htc with root? dd if=/dev/zero of=/dev/block/mmcblk0p4. Pantech/LG/Mostqualcoms hit all the bootloaders. Hell system user is enough on LG phones, and most other brands to brick them.
I'm not sure about rewards, but I have reported vulns and bugs to every major vendor, and the only three who ever respond to me are Google, Samsung and Motorola. All three respond promptly and polite, and occasionally follow up if requested. Vendor not getting back to you? [email protected] is quite good at getting them to respond, just tell them the vendor is not responding. More than once they have gotten a dialog with a vendor opened with me.
Understanding update timelines is another issue, vendor updates generally have to go through development, QA at the vendor (sent back if major issues found), then in the case of Sprint and other carriers, sent to carrier QA (returned to OEM if major issues found) . Major changes to the radio? Yep off to the FCC as well! Updates can take considerable time. Not excusing the "superbrick" bug, just pointing out a few weeks (or in the case of sprint or Vernon a few months) can be expected. Want faster updates? Buy an international device, and get a GSM carrier.
Click to expand...
Click to collapse
OK, we're getting into technicalities here, but I consider anything that can be exploited by a Market app without explicit user intervention beyond installing an app (reboot cycles, ADB, etc.) to be "remote". Adam covered how easy it is to bypass Bouncer at BABBQ, so relying on that is a bad idea.
Prior to this, all exploits (restoreRoot, mempodroid, etc) for ICS on Exynos4 devices required ADB to be involved. This doesn't.
And no, you can't cause permanent damage to an HTC with root. The example you provided isn't permanent damage, it can be repaired via JTAG at a service center. Superbrick is *permanent unrecoverable damage that requires a motherboard replacement - JTAG cannot bring a device that has been damaged back to operation*. That's a difference between 0 material costs and maybe 30 minutes of labor to repair at a service center and $200-300+ in material costs and significantly more labor.
And your "updates take considerable time" is bull****. Sprint FI27 was built on September 27 (check the kernel build date), 3 weeks after Samsung had the final version of their protection patch, and was deployed on Kies a matter of *days* later. They had an update scheduled, a patch ready to go for three weeks before the update was built, and they shipped without the patch. There's no excuse for that. At that time, it was an "open source problem" because it only affected custom firmwares, and any root exploits known required ADB. Their approach was dependent on an assumption that *an exploit like this would never happen* - which is a horrible assumption.
This exploit changes things - there is no a root exploit that can be used by an app straight from the market, in the background, with little to no user intervention.
As to the negative effects of 600 permissions on operation (such as killing camera) - as an interim, setting things to 660 instead of 666 makes things somewhat better protected but not as protected as they should be. I will run some tests later today to confirm that at least any old APK can't get privilege elevation if things are set so only the graphics group can diddle with the memory regions.
RyanZA said:
Hey curio,
No need, here is a very quickly put together app in 5 mins that lets you toggle on/off world writability to /dev/exynos-mem
So you can toggle the fix off if you want to use the camera, then toggle it back on afterwards. Will update this post shortly with github source.
Ryan
Click to expand...
Click to collapse
Yes what I also started writing allows to restore permissions on /dev/exynos-mem in case you need to use camera, I agree its useful!
fards said:
Camera is insisting on 666 on some builds.
Curious how some devices using same base code are using camera with diff permissions.
Neither my N7000 or N 8010 will play nicely with 600 or 660..
Click to expand...
Click to collapse
The assumption of similar base code isn't a good one... You'd be shocked how many deltas there are between I9100/I777/N7000 stock firmware codebases that shouldn't be there given how similar the devices are.
In the region of the system we're dealing with here (graphics memory allocation), there are significant differences in operation between Exynos 4210 and 4412. There are also significant deltas between the implementations in all of Samsung Mobile's devices and the official public reference source, and frequently deltas between Samsung's implementations for various handsets/tablets that shouldn't be there as you've discovered.
For example, the official reference source does allocations from FIMC1 memory regions in gralloc to support various graphics items. Nearly all of Mobile's implementations allocate ION memory instead of FIMC1 memory even when FIMC1 memory is requested (and yes, this change affects camera operation more than anything else.)
Thanks for the headsup on N80xx, I'll def. have to do a rebuild on N8013. It's pretty frequent for us to have brokenness that doesn't exist on I9300 and vice versa.
Hmm, odd... even when chmodded 660 system.graphics, the exploit appears to succeed on CM10.1 from within an ADB shell...
I need to look more closely at this.
Seems like the shell user is a member of the graphics group...
I think AndreiLux's approach he's working on may be the best.
Has anyone tested to see what the effect of 0600 is on hwaccel video playback? (Seems to be none on CM10.1).
Looks like it's anything that wants FIMC memory that needs exynos-mem, I'll double check ION, that should have failed...
Edit: Yeah, gralloc only accesses exynos-mem when attempting to access FIMC1 memory. I think camera is the main other place where FIMC is used. Actually, in any shipped handset, gralloc should never actually access exynos-mem - gralloc will give ION memory when you ask it for FIMC1 memory, and ION memory allocation doesn't use exynos-mem (hmm, unless libsecion does... I need to check that...)
Entropy512 said:
Hmm, odd... even when chmodded 660 system.graphics, the exploit appears to succeed on CM10.1 from within an ADB shell...
I need to look more closely at this.
Seems like the shell user is a member of the graphics group...
I think AndreiLux's approach he's working on may be the best.
Click to expand...
Click to collapse
Because your shell is in graphics group.
supercurio said:
Because your shell is in graphics group.
Click to expand...
Click to collapse
I was beginning to suspect that, thanks for confirming.
dennis.l said:
if this is a Samsung kernel issue would any of the custom kernel have the same flaws? otherwise would I be able to workaround the problem by installing a CM10 ROM instead of stock?
Click to expand...
Click to collapse
Right now older custom kernels will. CM's codebase was just patched earlier today to restrict that node to system.graphics 0660
It was done in the 10.1 branch, so it won't immediately affect all devices. We're working on transitioning all exynos4 devices over to 10.1 this week - it's about halfway done.
@alephzain, when running the exploit in an adb shell, sometimes the privilege escalation fails with:
Code:
[*] s_show->seq_printf format string found at: 0xC07A70A8
[*] sys_setresuid found at 0xC00945A0
[*] patching sys_setresuid at 0xC00945E4
[!] set user root failed: Operation not permitted
And it typically succeed after 1 or 2 more attempts.
Does it ring a bell?
ExynosAbuse APK updated to v1.10
I've just updated the ExynosAbuse APK to v1.10 !
This version allows you to disable the exploit (which may break camera), re-enable the exploit (if you need the camera) and to disable the exploit at boot (before any Android app runs). These options do require root (SuperSU or Superuser) to be installed as well. This is for people who actually *want* root. If you don't want root, you should use Supercurio's solution as it doesn't depend on being rooted it for dis/reenabling the exploit.
http://forum.xda-developers.com/showthread.php?t=2050297
Voodoo Instant fix for Exynos Mem Abuse vulnerability released.
I'm glad I have a blog, because things tend to disappear here ^^
Edit: Please use the following thread to discuss this specific solution: http://forum.xda-developers.com/showthread.php?t=2051290
RyanZA said:
Hey curio,
No need, here is a very quickly put together app in 5 mins that lets you toggle on/off world writability to /dev/exynos-mem
So you can toggle the fix off if you want to use the camera, then toggle it back on afterwards.
Github source: https://github.com/Ryan-ZA/exynosfix
APK Download: https://github.com/Ryan-ZA/exynosfix/raw/master/exynosfix.apk
Ryan
Click to expand...
Click to collapse
As per requests, I added in 'fix vulnerability on boot' functionality for those who like an open source fix.
Nice work on that app, curio.
Sooooo....
Here's a low-level fix for the kernel.
Source @ https://github.com/AndreiLux/Perseus-S3/commit/fb36195dab87e002721c7d1a8294a400c6b40a71
Edit: Follow-up commit for Note 2 (Possibly N8000 too) users @ https://github.com/AndreiLux/Perseus-S3/commit/81c95f6046880be48ef377ebae4e42c791f0813e
I did what I said in the first post. The mmap function checks the given memory addresses against all of the current CMA memory spaces on the device and denies access if the space it out of bound of any of the defined blocks. Furthermore on my S3 I, for now, couldn't find anything breaking beyond the main camera. So I added an additional condition that checks that the accessed memory block is "s3c-fimc" (The camera DMA block) and ignores the other blocks. The whole thing is totally neutered if CONFIG_CMA_DMA isn't used in the device configuration (Note 2 / Exynos 4412 devices with 2GB RAM). Edit: Fix works now the same for all devices.
Defined memory spaces:
Code:
[ 0.000000] c0 cma: CMA: reserved 16 MiB at 65800000
[ 0.000000] c0 [cma_region_descriptor_add] adding [s3c-fimc] (0x65800000)-(0x00f00000)
[ 0.000000] c0 cma: CMA: reserved 40 MiB at 5c800000
[ 0.000000] c0 [cma_region_descriptor_add] adding [s3c-mfc] (0x5c800000)-(0x02800000)
....
....
[ 0.000000] c0 S5P/CMA: Reserved 0x70000000/0x00a00000 for 'fimc_is'
[ 0.000000] c0 [cma_region_descriptor_add] adding [fimc_is] (0x70000000)-(0x00a00000)
[ 0.000000] c0 S5P/CMA: Reserved 0x71700000/0x00800000 for 'fimd'
[ 0.000000] c0 [cma_region_descriptor_add] adding [fimd] (0x71700000)-(0x00800000)
[ 0.000000] c0 S5P/CMA: Reserved 0x6c300000/0x03d00000 for 'fimc0'
[ 0.000000] c0 [cma_region_descriptor_add] adding [fimc0] (0x6c300000)-(0x03d00000)
[ 0.000000] c0 S5P/CMA: Reserved 0x71600000/0x00100000 for 'srp'
[ 0.000000] c0 [cma_region_descriptor_add] adding [srp] (0x71600000)-(0x00100000)
[ 0.000000] c0 [cma_region_descriptor_add] adding [mfc-normal] (0x64000000)-(0x00400000)
[ 0.000000] c0 S5P/CMA: Reserved 0x64000000/0x00400000 for 'mfc-normal'
[ 0.000000] c0 [cma_region_descriptor_add] adding [mfc-normal] (0x64000000)-(0x00400000)
[ 0.000000] c0 S5P/CMA: Reserving 0x6800000 for secure region aligned by 0x4000000.
[ 0.000000] c0 S5P/CMA: Reserved 0x5c000000/0x06800000 for 'secure_region'
[ 0.000000] c0 S5P/CMA: Reserved 0x5c000000/0x00800000 for 'sectbl'
[ 0.000000] c0 [cma_region_descriptor_add] adding [sectbl] (0x5c000000)-(0x00800000)
[ 0.000000] c0 S5P/CMA: Reserved 0x5c100000/0x03100000 for 'mfc-secure'
[ 0.000000] c0 [cma_region_descriptor_add] adding [mfc-secure] (0x5c100000)-(0x03100000)
[ 0.000000] c0 S5P/CMA: Reserved 0x5f200000/0x02f00000 for 'ion'
[ 0.000000] c0 [cma_region_descriptor_add] adding [ion] (0x5f200000)-(0x02f00000)
Running the exploit:
Code:
[email protected]:/ $ export PATH=/data/local/bin:$PATH
[email protected]:/ $ ./exynos-abuse
[!] Error mmap: Invalid argument|00000004
Behind the scenes during that:
Code:
[ 119.290791] c1 [exynos_mem_open:50] private_data(0xd0340b80)
[ 119.290889] c1 [exynos_mem_mmap] requesting access to (0x40000000)-(0x41000000)
[ 119.290960] c1 [exynos_mem_mmap] Checking space paddr(0x65800000)-(0x66700000) from 's3c-fimc'
[ 119.291046] c1 [exynos_mem_mmap] Checking space paddr(0x5c800000)-(0x5f000000) from 's3c-mfc'
[ 119.291299] c1 [exynos_mem_mmap] Checking space paddr(0x70000000)-(0x70a00000) from 'fimc_is'
[ 119.291386] c1 [exynos_mem_mmap] Checking space paddr(0x71700000)-(0x71f00000) from 'fimd'
[ 119.291465] c1 [exynos_mem_mmap] Checking space paddr(0x6c300000)-(0x70000000) from 'fimc0'
[ 119.291545] c1 [exynos_mem_mmap] Checking space paddr(0x71600000)-(0x71700000) from 'srp'
[ 119.291631] c1 [exynos_mem_mmap] Checking space paddr(0x64000000)-(0x64400000) from 'mfc-normal'
[ 119.291711] c1 [exynos_mem_mmap] Checking space paddr(0x64000000)-(0x64400000) from 'mfc-normal'
[ 119.291801] c1 [exynos_mem_mmap] Checking space paddr(0x5c000000)-(0x5c800000) from 'sectbl'
[ 119.291888] c1 [exynos_mem_mmap] Checking space paddr(0x5c100000)-(0x5f200000) from 'mfc-secure'
[ 119.291967] c1 [exynos_mem_mmap] Checking space paddr(0x5f200000)-(0x62100000) from 'ion'
[ 119.292034] c1 [exynos_mem_mmap] invalid paddr(0x40000000)-(0x41000000), accessing outside of DMA spaces
[ 119.292798] c1 [exynos_mem_release:58] private_data(0xd0340b80)
I didn't care about the permissions set to the sysfs interface as they don't matter anymore.
I'll be deploying the fix tomorrow throughout my kernels.
The only things that needs to be checked by then is if something else breaks, as HDMI or so. I can't test any of that since I don't have a dongle. In that case anyway the kernel log will tell you what other memory space is accessed and I can open that one up too if needed.
Note: Galaxy S2 / 4210 developers may have to add cma_region_descriptor_add calls to from wherever the memory blocks are defined (Machine file definition or arch/arm/plat-s5p/reserve_mem.c). My commit will work as is on S3 and N2 sources.
I'm off to bed.
Chainfire said:
and to disable the exploit at boot (before any Android app runs).
Click to expand...
Click to collapse
supercurio said:
Cannot protect efficiently against some potential attacks (typically, on boot).
Click to expand...
Click to collapse
First, thank you both for the hard work and quick release.
The main question here is, how efficient is the current implementation in both applications, regarding the protection at start up?
As long as I understand Chainfire somehow ensures that the fix will be applied before running any other (normal) application. Is it possible to install a new application, which to put itself on top of execution chain and exploit the hole, before your application is able to do a 0600 chmod?
If I understand correctly the supercurio's app doesn't promise anything on that matter?! If that is the case, then I guess the recommended app (for rooted phones) will be the Chainfire's solution, right?
julandroid said:
First, thank you both for the hard work and quick release.
The main question here is, how efficient is the current implementation in both applications, regarding the protection at start up?
As long as I understand Chainfire somehow ensures that the fix will be applied before running any other (normal) application. Is it possible to install a new application, which to put itself on top of execution chain and exploit the hole, before your application is able to do a 0600 chmod?
If I understand correctly the supercurio's app doesn't promise anything on that matter?! If that is the case, then I guess the recommended app (for rooted phones) will be the Chainfire's solution, right?
Click to expand...
Click to collapse
Correct.
At the moment, Supercurio's method relies on Android starting it at boot, using the same method any Android app uses to launch at boot. There is no guaranteed order of these apps being launched, and as such, a malicious app could be executing malicious code before the exploit is disabled.
RyanZA's method relies on the same mechanism as well and as such is still vulnerable. Furthermore, unlike Supercurio's and my own patch, RyanZA's patch chmod's to 0600 while ours chmod to 0400 or 0000. With 0600, system user can still run the exploit, so chaining a half-exploit that only gives system user followed by ExynosAbuse may still grant an attacker root access.
My method requires proper root and modifies /system, and disabling the exploit is done before any normal Android app (like those installed from the Play store) have a chance to execute their code. As long as you tell my app to disable the exploit at boot before you install a malicious app, and providing you do not grant a malicious app root (through SuperSU), this should protect against any exploit. Also note that after enabling applying the patch at boot, you can unroot in SuperSU again (SuperSU --> Settings --> Full Unroot) and the patch will keep working, but you'll be unrooted again (if you don't want root). On some devices it takes a reboot for SuperSU to truly disappear after that, by the way.
With my patch, I do advise testing the exploit was disabled after a reboot by running ExynosAbuse again, and verifying both checkboxes next to "Disable exploit" and "Disable exploit on boot" are enabled. These auto-detect the current state, and if the patch on boot was succesful both will be checked.
Chainfire said:
Correct.
At the moment, Supercurio's method relies on Android starting it at boot, using the same method any Android app uses to launch at boot. There is no guaranteed order of these apps being launched, and as such, a malicious app could be executing malicious code before the exploit is disabled.
RyanZA's method relies on the same mechanism as well and as such is still vulnerable. Furthermore, unlike Supercurio's and my own patch, RyanZA's patch chmod's to 0600 while ours chmod to 0400. With 0600, system user can still run the exploit, so chaining a half-exploit that only gives system user followed by ExynosAbuse may still grant an attacker root access.
My method requires proper root and modifies /system, and disabling the exploit is done before any normal Android app (like those installed from the Play store) have a chance to execute their code. As long as you tell my app to disable the exploit at boot before you install a malicious app, and providing you do not grant a malicious app root (through SuperSU), this should protect against any exploit. Also note that after enabling applying the patch at boot, you can unroot in SuperSU again (SuperSU --> Settings --> Full Unroot) and the patch will keep working, but you'll be unrooted again (if you don't want root). On some devices it takes a reboot for SuperSU to truly disappear after that, by the way.
With my patch, I do advise testing the exploit was disabled after a reboot by running ExynosAbuse again, and verifying both checkboxes next to "Disable exploit" and "Disable exploit on boot" are enabled. These auto-detect the current state, and if the patch on boot was succesful both will be checked.
Click to expand...
Click to collapse
As a preliminary quick-fix the chmod could also be handled in ramfs to ensure it's applied as soon as possible in the boot process.
By the way chmodding to 600 didn't brake any of both cameras on a Samsung 4.1.2 based ROM using the old libs with an update 6 kernel on my dev. S3. Will check if it's also behaving like this on 4.1.1 later today.
JP.
Sent from my custom Paranoid Android 2.54 / Yank555.lu CM10 kernel v1.3b Aroma (Linux 3.0.56) powered Galaxy S3 i9300 using Tapatalk 2
Yank555 said:
As a preliminary quick-fix the chmod could also be handled in ramfs to ensure it's applied as soon as possible in the boot process.
By the way chmodding to 600 didn't brake any of both cameras on a Samsung 4.1.2 based ROM using the old libs with an update 6 kernel on my dev. S3. Will check if it's also behaving like this on 4.1.1 later today.
Click to expand...
Click to collapse
Correct. Modifying it in initramfs would be even quicker, but a generic app can't do that. Also chmod to 0400, not 0600.
Related
In this post, I would like to explain what kexec-hardboot patch is and also bring it to light a bit more since until now, it was only burried in MultiROM thread.
@kernel developers: I would like to ask you to merge this patch to your kernels, because it is essential part of MultiROM - it allows me to boot any kernel without changing the boot partition. I realize that it is no small request, but the patch is not big, touches relatively stable parts of kernel and should not cause any problems. Thank you.
What is kexec?
It is syscall of Linux kernel, which allows you to boot another Linux kernel without restarting the device - "Linux boots itself". The functionality is equivalent to fastboot -c *cmdline* boot zImage initrd.img, but without PC and fastboot. It is fairly known thing, so more info at wikipedia and man kexec.
Standard kexec call unfortunatelly does not work on Nexus 7. It freezes somewhere, and it is very difficult to find out where - probably some of the drivers are not shut down/re-initialized properly, it is a commong thing among Android devices, which is why kexec-hardboot was made.
What is the difference between normal and hardboot exec?
Kexec-hardboot patch adds a real device restart to that process, so that all the drivers can be properly reinitialized. It stores new kernel to RAM, reboots the device as usual, and kernel from boot partition immediately jumps to the one which was stored to RAM before reboot.
Another difference is that both kernels must be patched. The "host" kernel requires a full patch, the one which is being kexecd' requires only two small compatibility patches.
To sumarize the process:
kexec --load-hardboot.... is called and kernel it loaded into RAM.
kexec -e is called. Special info is written to memory (to area which is not overwritten on reboot) and the device is rebooted.
After reboot, very early in the boot process, kernel checks if that special info is present in RAM and if so, it loads new kernel from RAM and jumps to it.
Kexecd' kernel starts and boots.
For more info, read the original thread.
Patches:
Full kernel patch: https://gist.github.com/4558647, 4.1 kernel repo, cm 10.1 kernel repo
This is the full kernel patch. Kernels with this patch can be both "host" and "guest" kernels.
Related CONFIG options:
CONFIG_KEXEC=y
CONFIG_KEXEC_HARDBOOT=y
CONFIG_ATAGS_PROC=y
CONFIG_GROUPER_HARDBOOT_RECOVERY=n
First three options must be enabled. Last one, GROUPER_HARDBOOT_RECOVERY, specifies if the kexec call should reboot to normal mode or to recovery. This can be useful if you don't have the kernel in boot partition but only as kernel in recovery partition. You usualy want to disable this option.
Compatibility patch: https://gist.github.com/4458581
This patch only makes the kernel bootable via kexec, ie. it can't be the host kernel. This was made for Ubuntu kernel (and it was accepted), because I did not want to drag the whole patch in there. If your kernel is for Android ROMs, you should use the full patch.
Userspace kexec binary: View attachment kexec-tools.zip
That ZIP file contains kexec source, patches and README. It is from the original patch from Mike Kasick. It also contains precompiled, statically linked kexec binary, so you probably just want to use that.
Usage:
Once you have the kernel patches and kexec userspace binary in place, just run following command to boot into new kernel:
Code:
kexec --load-hardboot zImage --initrd=initrd.img --mem-min=0x85000000 --command-line="$(cat /proc/cmdline)"
kexec -e
Note the command line parameter - cmdline from bootloader is not added automatically, you have to put it there by yourself.
Currently used by:
MultiROM - I use it to boot different kernels (eg. Ubuntu).
MOSLO - Part of Plasma Active for Nexus 7, also usefull tool for every N7 developer - read more: http://ruedigergad.com/2012/12/09/nexus-7-easily-flashaccess-entire-userdata-partition/
Authors:
This patch was made by Mike Kasick for Samsung Epic 4G. Since that, it was ported to several devices, one of them is Asus Transformer TF201 - I used patch from TF201 and modified it a bit (basically just changed few SoC specific constants). People at #ubuntu-arm helped me out with that, thanks.
Hi Tasssadar,
im trying to get this to work on the HOX in order to have a shot at multiboot,
the patched applied with no problem... however on compiling i gett this error
"Adress for kexec hardboot page not defined"
ask this error naturely defined to kick in with every device beside N7 i that comment completely....
and that ended up giving me an error about KEXEC_HB_PAGE_ADDR not defined,
so i readded it, but i removed the "#if defined(CONFIG_MACH_GROUPER)"
now trying to compile it, its gets pretty close to the end... but failed with unexpected string error at line OUTPUT_ARCH(arm) in file linux/arch/arm/boot/compressed/vmlinux.lds
Code:
/*
* linux/arch/arm/boot/compressed/vmlinux.lds.in
*
* Copyright (C) 2000 Russell King
*
* This program is free software; you can redistribute it and/or modify
* it under the terms of the GNU General Public License version 2 as
* published by the Free Software Foundation.
*/
OUTPUT_ARCH(arm)
ENTRY(_start)
SECTIONS
{
/DISCARD/ : {
*(.ARM.exidx*)
*(.ARM.extab*)
/*
* Discard any r/w data - this produces a link error if we have any,
* which is required for PIC decompression. Local data generates
* GOTOFF relocations, which prevents it being relocated independently
* of the text/got segments.
*/
*(.data)
}
. = 0;
_text = .;
.text : {
_start = .;
*(.start)
*(.text)
*(.text.*)
*(.fixup)
*(.gnu.warning)
*(.glue_7t)
*(.glue_7)
}
.rodata : {
*(.rodata)
*(.rodata.*)
}
.piggydata : {
*(.piggydata)
}
. = ALIGN(4);
_etext = .;
.got.plt : { *(.got.plt) }
_got_start = .;
.got : { *(.got) }
_got_end = .;
_edata = .;
. = ALIGN(8);
__bss_start = .;
.bss : { *(.bss) }
_end = .;
. = ALIGN(8); /* the stack must be 64-bit aligned */
.stack : { *(.stack) }
.stab 0 : { *(.stab) }
.stabstr 0 : { *(.stabstr) }
.stab.excl 0 : { *(.stab.excl) }
.stab.exclstr 0 : { *(.stab.exclstr) }
.stab.index 0 : { *(.stab.index) }
.stab.indexstr 0 : { *(.stab.indexstr) }
.comment 0 : { *(.comment) }
}
also, im booted into windows now... so i can't provide the exact error.
I'm afraid "comment everything which doesn't work" won't work here. The KEXEC_HB_PAGE_ADDR and END_MEM is device-specific, it will most likely be different for HTC One X. You can find out what address is it supposed to be by examining /proc/iomem on your device. For example, here's memory map from grouper:
Code:
...
80000000-be9fffff : System RAM
80008000-808faba7 : Kernel text
80940000-80b8228f : Kernel data
beb00000-bebfffff : ram_console
...
So, for grouper, END_MEM is 0xbe9fffff + 1 = 0xbea00000.
KEXEC_HB_PAGE_ADDR is located 1MB before console RAM, which is in this case also immediatelly after System RAM, so for grouper, it is also 0xbea00000.
but failed with unexpected string error at line OUTPUT_ARCH(arm) in file linux/arch/arm/boot/compressed/vmlinux.lds
Click to expand...
Click to collapse
That doesn't seem to be related to this patch. Are you using correct cross-compiler?
Tasssadar said:
I'm afraid "comment everything which doesn't work" won't work here. The KEXEC_HB_PAGE_ADDR and END_MEM is device-specific, it will most likely be different for HTC One X.
Click to expand...
Click to collapse
i figured
but im walking you through what i did.
You can find out what address is it supposed to be by examining /proc/iomem on your device. For example, here's memory map from grouper:
Code:
...
80000000-be9fffff : System RAM
80008000-808faba7 : Kernel text
80940000-80b8228f : Kernel data
beb00000-bebfffff : ram_console
...
So, for grouper, END_MEM is 0xbe9fffff + 1 = 0xbea00000.
KEXEC_HB_PAGE_ADDR is located 1MB before console RAM, which is in this case also immediatelly after System RAM, so for grouper, it is also 0xbea00000.
Click to expand...
Click to collapse
Code:
7d000000-7d003fff : tegra-udc.0
7d000000-7d003fff : tegra-otg
7d000000-7d003fff : tegra-udc
7d004000-7d007fff : tegra-ehci.1
80000000-beafffff : System RAM
80008000-8094000f : Kernel text
809a8000-810b940f : Kernel data
beb00000-bebfffff : ram_console
bec00000-beffffff : fbmem
bf000000-bf7fffff : fbmem
0xbeafffff + 1 = 0xbeb00000
grrr that would put me inside the ram_console...
aaaa would it wok if i used the address before??
7d00800
Edit:
or did your ram RAM end earlier because you set you END_MEM 0xbea00000
in that case, it works out just the same with the HOX
That doesn't seem to be related to this patch. Are you using correct cross-compiler?
Click to expand...
Click to collapse
i would have guessed so, but the kernel compiled and is working before the patch.
im using the one provided by google (Android NDK r9) while it contains booth gcc 4.6/4.8 im using 4.6 (arm-linux-androideabi-)
The patch will move ram_console 1MB further, see https://gist.github.com/Tasssadar/4558647#file-n7_hardboot-diff-L387 . You'll have to modify this part of the patch, it will be in different file for your device.
Tasssadar said:
The patch will move ram_console 1MB further, see https://gist.github.com/Tasssadar/4558647#file-n7_hardboot-diff-L387 . You'll have to modify this part of the patch, it will be in different file for your device.
Click to expand...
Click to collapse
HOX is also a Tegra 3 device... so im guessing i wont need to touch a thing?
also note... that iomem provided is from an unpatched kernel (as i cant compile a patched one)
also,
im currently on freenode #htc-one-x
if you dont mind joining.
I've been looking through the kexec-hardboot patch these last few days, trying to actually understand it instead of just blindly porting it and after several hours of messing with assembler with no means to debug it, I've managed to remove the need for guest kernel to be patched. This is not really useful for grouper, since thanks to multirom and accepting kernel devs, nearly every third-party kernel has the proper patches. But, if I'll port multirom to some other device (hello, flo), it will be very useful
To know more see the changes in this commit, but you'll probably need to understand how the patch does things: https://github.com/Tasssadar/androi...mmit/2ce4130061f72430a8ddfde25346c4e528c5c30b
@mkasick: Could you please look over this? I'm afraid there's some good reason why you didn't do this in the first place, like rewriting some part of memory which shouldn't be rewritten or something like that. Thank you.
Tasssadar said:
I've been looking through the kexec-hardboot patch these last few days, trying to actually understand it instead of just blindly porting it and after several hours of messing with assembler with no means to debug it, I've managed to remove the need for guest kernel to be patched. This is not really useful for grouper, since thanks to multirom and accepting kernel devs, nearly every third-party kernel has the proper patches. But, if I'll port multirom to some other device (hello, flo), it will be very useful
To know more see the changes in this commit, but you'll probably need to understand how the patch does things: https://github.com/Tasssadar/androi...mmit/2ce4130061f72430a8ddfde25346c4e528c5c30b
@mkasick: Could you please look over this? I'm afraid there's some good reason why you didn't do this in the first place, like rewriting some part of memory which shouldn't be rewritten or something like that. Thank you.
Click to expand...
Click to collapse
Perfect timing, just finished my last exam
Edit:
Also, this applies on top of the original patch right??
Edit2:
i can't seem to get it to kexec boot, but i didn't do much testing, maybe 2morrow night!
Edit3:
fixed, it was a problem with min-addr,
changed it to 0x82000000 and it worked
One more question...
TEGRA_PMC_BASE is also device specific, ain't it???
So, for a Qualcomm device, what should I be using? I am guessing it is MSM_RPM_BASE, which I got from here: http://forum.xda-developers.com/showpost.php?p=31127486&postcount=7
Yes, it is SoC-specific. This is using some special register to reset the chip, I'm not sure if that is available on msm chips - probably yes, but in some different form. Your best chance is to examine restart sequence in arch/arm/mach-msm/restart.c and port it to assembler.
Tasssadar said:
Usage:
Once you have the kernel patches and kexec userspace binary in place, just run following command to boot into new kernel:
Code:
kexec --load-hardboot zImage --initrd=initrd.img --mem-min=0xA0000000 --command-line="$(cat /proc/cmdline)"
kexec -e
Click to expand...
Click to collapse
The address of 0xA0000000 is not necessarily the best choice going forward. It originally made perfect sense, as it is well above everything else. But now that we can boot unpatched guest kernels, we can hit the interesting situation where the guest decompression may take a full minute. At least it's when I've seen on the Ouya game console that's running the next chip after Grouper.
When I realized what's going on, I changed to 0x8E000000, as it gets me just below the 256 MB limit of cache-enabled memory that's present on a typical guest at that early decompression stage. It's enough to hold a typical 8 MB boot image kernel/ramdisk. Now the guest kernel startup is fast in all cases.
Thank you Tasssadar for continuing your work in this area, especially with finding that way to allow unpatched guests.
Indeed, that's actually what I'm using in MultiROM for flo and mako (and grouper, but it is useless 'cause not all 3rd-party kernels have been updated), I just kinda "forgot" to update these threads.
Would it work on devices with locked bootloaders (Xperias). I mean :does the idea of this patch would also work on bootloader unlock allowed :no devices?
Sent from my LT22i using xda app-developers app
I am trying to build a kexec patched kernel integrated into a ROM. I make sure that the following code is there in the defconfig:
CONFIG_KEXEC=y
CONFIG_KEXEC_HARDBOOT=y
CONFIG_ATAGS_PROC=y
The ROM works well, except that it does not boot my secondary ROMs - kexec hardboot patch missing. I have multi ROM and TWRP recovery installed
What am I missing?
Logs or it didn't happen.
Show me dmesg from normal boot into android, with MultiROM and your kernel installed.
Code:
adb shell
su
dmesg > /data/local/tmp/dmesg.txt
exit
exit
adb pull /data/local/tmp/dmesg.txt
Porting?
Tassadar which things do I need to boot kexec kernel on my device (Motorola Electrify 2) .
@Tasssadar, Sorry for picking up this kinda "old topic" but I'm sadly experiencing some problems while trying to port kexec-hardboot to the Sony Xperia Z2 (aka sirius). I applyed all needed commits (cherry-picked from a apparently working Z1 repo for stock kernel) to my CM based custom kernel (https://github.com/Myself5/android_kernel_sony_msm8974/tree/kexec-cm-12.0) and it does not boot at all. It's stuck on the Sony Logo, and it seems like I can't get any log either. I also tryed the stock cm kernel with the patch (https://github.com/Myself5/android_kernel_sony_msm8974-kexec) cause I tought it might be some incompatibility, but sadly it wasn't. Hope you have any ideas to solve my problems, cause I'm out of ideas ATM. I also checked the kexec commits for other devices (namely the One Plus One) and it seems like I got everything needed.
Thanks in Advance
Tasssadar said:
In this post, I would like to explain what kexec-hardboot patch is and also bring it to light a bit more since until now, it was only burried in MultiROM thread.
@kernel developers: I would like to ask you to merge this patch to your kernels, because it is essential part of MultiROM - it allows me to boot any kernel without changing the boot partition. I realize that it is no small request, but the patch is not big, touches relatively stable parts of kernel and should not cause any problems. Thank you.
What is kexec?
It is syscall of Linux kernel, which allows you to boot another Linux kernel without restarting the device - "Linux boots itself". The functionality is equivalent to fastboot -c *cmdline* boot zImage initrd.img, but without PC and fastboot. It is fairly known thing, so more info at wikipedia and man kexec.
Standard kexec call unfortunatelly does not work on Nexus 7. It freezes somewhere, and it is very difficult to find out where - probably some of the drivers are not shut down/re-initialized properly, it is a commong thing among Android devices, which is why kexec-hardboot was made.
What is the difference between normal and hardboot exec?
Kexec-hardboot patch adds a real device restart to that process, so that all the drivers can be properly reinitialized. It stores new kernel to RAM, reboots the device as usual, and kernel from boot partition immediately jumps to the one which was stored to RAM before reboot.
Another difference is that both kernels must be patched. The "host" kernel requires a full patch, the one which is being kexecd' requires only two small compatibility patches.
To sumarize the process:
kexec --load-hardboot.... is called and kernel it loaded into RAM.
kexec -e is called. Special info is written to memory (to area which is not overwritten on reboot) and the device is rebooted.
After reboot, very early in the boot process, kernel checks if that special info is present in RAM and if so, it loads new kernel from RAM and jumps to it.
Kexecd' kernel starts and boots.
For more info, read the original thread.
Patches:
Full kernel patch: https://gist.github.com/4558647, 4.1 kernel repo, cm 10.1 kernel repo
This is the full kernel patch. Kernels with this patch can be both "host" and "guest" kernels.
Related CONFIG options:
CONFIG_KEXEC=y
CONFIG_KEXEC_HARDBOOT=y
CONFIG_ATAGS_PROC=y
CONFIG_GROUPER_HARDBOOT_RECOVERY=n
First three options must be enabled. Last one, GROUPER_HARDBOOT_RECOVERY, specifies if the kexec call should reboot to normal mode or to recovery. This can be useful if you don't have the kernel in boot partition but only as kernel in recovery partition. You usualy want to disable this option.
Compatibility patch: https://gist.github.com/4458581
This patch only makes the kernel bootable via kexec, ie. it can't be the host kernel. This was made for Ubuntu kernel (and it was accepted), because I did not want to drag the whole patch in there. If your kernel is for Android ROMs, you should use the full patch.
Userspace kexec binary: View attachment 1653562
That ZIP file contains kexec source, patches and README. It is from the original patch from Mike Kasick. It also contains precompiled, statically linked kexec binary, so you probably just want to use that.
Usage:
Once you have the kernel patches and kexec userspace binary in place, just run following command to boot into new kernel:
Code:
kexec --load-hardboot zImage --initrd=initrd.img --mem-min=0x85000000 --command-line="$(cat /proc/cmdline)"
kexec -e
Note the command line parameter - cmdline from bootloader is not added automatically, you have to put it there by yourself.
Currently used by:
MultiROM - I use it to boot different kernels (eg. Ubuntu).
MOSLO - Part of Plasma Active for Nexus 7, also usefull tool for every N7 developer - read more: http://ruedigergad.com/2012/12/09/nexus-7-easily-flashaccess-entire-userdata-partition/
Authors:
This patch was made by Mike Kasick for Samsung Epic 4G. Since that, it was ported to several devices, one of them is Asus Transformer TF201 - I used patch from TF201 and modified it a bit (basically just changed few SoC specific constants). People at #ubuntu-arm helped me out with that, thanks.
Click to expand...
Click to collapse
I'm sorry for picking up this older topic as well, but I always played with the thought of merging kexec support into a kernel and I'm doing one right now.. But my secondary device is a LG G2 and since the era of Lollipop began, somehow MultiBoot just stopped working and nobody can figure out why. I think they even started to build some new concept now.. So before I spark a heated debated by Note 4 users I'd love to know if you have any idea if this patch is still applicable? Altough the only way to find out is to probably just try it lol.
Tasssadar said:
In this post, ....
Click to expand...
Click to collapse
Bro can you please mention on your wiki that kexec isnt supported for x64 devices? It will be great help and save developers hours! I was porting for oneplus 2 when a dev told me that kexec isnt there for x64. I was shocked
Is any alternative available for that? Please reply! Thanks.
All other devs, who cant make multirom to work (lollipop is the x64 era) stop working. Kexec isnt supported for x64. Find an alternative for it.
Can Anyone help me to port this? Here is my patched kernel (ignore arch/arm64) and this is /proc/iomem.
Code:
80000000-854fffff : System RAM
80008000-80fa43ef : Kernel code
81112000-817bf797 : Kernel data
8cb00000-9fefffff : System RAM
9ff00000-9ff3ffff : persistent_ram
9ff40000-9ff7ffff : persistent_ram
9ff80000-9fffffff : persistent_ram
a0000000-ffffefff : System RAM
For kexec_hb_page_addr the value i inseted is 85500000 coz as tasssadar said 884fffff + 1 = 85500000, but I don't know what value add for
Code:
#elif defined(CONFIG_ARCH_MSM8916)
/* Restart using the PMIC chip, see mach-msm/restart.c */
ldr r0, =MSM8916_HARDBOOT
mov r1, #0
str r1, [r0, #0]
loop: b loop
MSM8916_HARDBOOT, and if I compile the kernel it stucks on samsung logo.
Original thread by hashcode for RAZR http://forum.xda-developers.com/showthread.php?t=2181971
Here is a copy paste.
Hashcode said:
** WARNING: THIS THREAD SHOULD BE FOR KERNEL DEVELOPERS OR ROM DEVS.
Users please post questions in your ROM's support threads. **
** DEVS: If you choose to use a kexec kernel in your ROM add a "KERNEL CREDIT" for the first 4 people in the "WHO HAS WORKED ON THIS?" section below. This has been spectacular development and credit is due. **
TESTING ROMS FOR KEXEC KERNEL PROGRESS:
Droid RAZR:
[2013-03-12] cm-10.1 on v3.0.8 JB kernel:link removed for safety
GSM RAZR:
cm-10.1 on v3.0.8: link removed for safety
MAPPHONE 3.0.x KEXEC KERNEL:
For use on Motorola devices; Droid RAZR, GSM RAZR, RAZR MAXX, Bionic and Droid 4. (1 GB OMAP4 devices for now, 512MB support coming).
WHAT IS A KERNEL?
Also from Wikipedia: http://en.wikipedia.org/wiki/Kernel_%28computing%29
Summary: If you had to choose 1 binary file which connects the hardware components of your device to the OS layer whether it be Android or some other software, it would be the kernel.
WHAT IS KEXEC?
The best description is found here on Wikipedia: http://en.wikipedia.org/wiki/Kexec
Summary: kexec is a process for hot reloading a new kernel while a device is running.
WHERE DID THIS KERNEL COME FROM?
Initially the source came from Motorola. All GPL components of Android are posted on Sourceforge.net for Motorola devices:
http://sourceforge.net/motorola/
After that it's been worked on (see below) to support kexec function and work for our needs.
WHO HAS WORKED ON THIS?
Several people played a large role in making this happen:
Kholk & [MBM]: Initial development work done on the RAZR/Bionic under Gingerbread to setup kexec modules + booting kexec kernel (no 2nd cpu)
jonpry: Ported and improved Kholk/MBM's work for use on the Droid 3. Brought up 2nd CPU, fixes for audio and more.
Hashcode (myself): On going development of this kernel for flawless function on our devices.
A full kernel source history on github starting with omapzoom sources and migrating Motorola source in commit by commit
Fixes for clocks, local timers, GPMC setup, race conditions in irq's due to kexec and more.
On going development towards full support for current Android / Ubuntu Phone OS requirements (including 512MB and Droid 3 support).
Other's have also contributed code (and hopefully more will as well): kfazz(D4), jarveson(D3) and more.
WHERE IS THE SOURCE?
KERNEL SOURCES (ALL DEVICES):
https://github.com/STS-Dev-Team/kernel_mapphone_kexec
BRANCH: stock-ics-kexec
DESCRIPTION: This is a perfect copy of the ICS kernel running as kexec. For use with stock-based ROM's etc.
STATUS: Ready for use
BRANCH: jb-mr1
DESCRIPTION: Ongoing kernel branch for support of newer Android OS (Jellybean MR1 currently).
STATUS: Work-in-progress. Heavy development
KEXEC KERNEL-MODULE SOURCES FOR ICS/JB BASED DEVICES:
https://github.com/STS-Dev-Team/kernel_kexec_modules/tree/3.0.8-ics-spyder
Branch: 3.0.8-ics-spyder
Defconfig: mapphone_kexec_defconfig
KEXEC KERNEL-MODULE SOURCES FOR GB BASED DEVICES (Droid 3):
https://github.com/STS-Dev-Team/kernel_kexec_modules/tree/2.6.35-solana/
Branch: 2.6.35-solana
Defconfig: mapphone_defconfig
HOW TO KEXEC A DEVICE
1. Download kexec kernel modules + kexec binary for your base kernel version
(Most devices found here):
https://github.com/STS-Dev-Team/android_device_motorola_omap4-kexec-common/tree/cm-10.1/kexec
(Droid 3 Users need GB based modules here):
https://github.com/STS-Dev-Team/android_device_motorola_solana/tree/jb-mr1/kexec
2. Download the devtree for your device:
Droid RAZR: https://github.com/STS-Dev-Team/android_device_motorola_spyder/tree/jb-mr1/kexec
GSM RAZR: https://github.com/STS-Dev-Team/android_device_motorola_umts_spyder/tree/jb-mr1/kexec
Bionic: https://github.com/STS-Dev-Team/android_device_motorola_targa/tree/jb-mr1/kexec
Droid 4: https://github.com/STS-Dev-Team/android_device_motorola_maserati/tree/jb-mr1/kexec
Droid 3: Droid 4: https://github.com/STS-Dev-Team/android_device_motorola_solana/tree/jb-mr1/kexec
3. Need a kexec kernel binary from the above sources: renamed the zImage as "kernel".
4. Need a .gz cpio ramdisk named: ramdisk.img
**RAMDISK needs to take care of mounting related filesystems for your ROM.
Ususally Safestrap/BMM handles this in some way for rom-slots.
For easy kexec tests you can build a CWM ramdisk and use that.
Now boot up into a safe kexec point on the device be it BMM or Safestrap where you can use adb.
5. Move all of the above files onto the rootfs
6. Execute the following as a script:
Code:
# run this from a "safe" boot point (safestrap / bootmanager) where no mounts are active
cd /
chmod 755 /kexec
# you will lose USB function here till the new kernel boots -- hence the script
insmod /uart.ko
insmod /arm_kexec.ko
insmod /kexec.ko
/kexec -l /kernel --devtree=/devtree --ramdisk=/ramdisk.img
sleep 1
/kexec -e
CURRENT DEVELOPMENT ROAD MAP
Merge up to Linux Mainline v3.0.21 + Google kernel/common commits (where applicable)
Cherry-pick from TI's kernel tag 4AI.1.5 to 4.AI.1.6
Merge up to Linux Mainline v3.0.31 + Google kernel/common commits (where applicable)
Cherry-pick from TI's kernel tag 4AI.1.6 to 4.AI.1.7
Also pick up any p-android-omap-3.0 and p-android-omap-3.0-dev commits where needed
Merge up to current Linux Mainline + Google kernel/common commits (where applicable)
Click to expand...
Click to collapse
Currently, there is one kexec based rom for Atrix 2 CM10.1 by wanggjghost here.
Source Code for Atrix 2 http://sourceforge.net/projects/atrix2.motorola/files/
and http://sourceforge.net/projects/me865.motorola/files/ME865/
Other source code that can help you wanggjghost's github https://github.com/SunRain/android_device_motorola_edison
ISSUES TO BE SOLVED
The current major issue regarding Kexec is that some devices get a black screen once kexec is executed.
This thread to discuss and develop a solution for it. And once that is solved, to discuss custom kernels.
Here are a few things that might help.
kmsg when kexec boot up failed: http://www.mediafire.com/download.php?95raby988dvch74 (just open it with a text editor. It is corrupt but you can make out quite a lot.)
The dmesg for stock ics: http://www.mediafire.com/view/?z4pibf2at3u4i7e (Going through this will give you better idea as how things should be.)
And the panic msg after I soft reset it after a black screen: http://www.mediafire.com/view/?z4pibf2at3u4i7e (When I get a black sscreen, I hold vol up+ vol down+ pow for about 10 secs. that soft resets my phone and a panic msg is generated which I retrieve.)
From the kmsg, here is something interesting that appears to be the cause. (Note: I have made some edits to make it readable, not completely readable though.)
Code:
[ 2.745880,0] cannot apply mgr(lcd) on inactive device
[ 2.745971, ] omapfb omapfb: failed to apply dispc config
[ ².·46893¬0] cannot apply mgr(tv) on inactive device
[ 2.746154,0] omapfb omapfb: failed to apply dispc config
[ 2.746307,0] cannot aplly mgr(lcd2) on inactive(device
[ 2.7463¶8,0\ omapfb omapfb: failed to apply dispc config
[ 2.746520,0] DSI: dsi_fc_kmd = 0, dói_vc_video 9 1
[ 2®746582,0] DT: x_res=540 y_res=960 phy_w_mm=54 phy_h_mm=95
[ 2.·46673,0](ÄT: hfp=0 hsw=² hbp-2 vnp=0 ösw=1 vbp=1
[ 2®746795,0] DTº cìk_lanå=1 clk_pos90 d1_line=2 d1_pos=0 d2_lane=3 d2_pos=0
[ 2.746948,0](DT: d3_lane=0 d3_pos=0 d4_lane=0 d4_pos=0
[ ².747009,0] DT: panel_id= x1a000² type= 0
[ 2.747102,0] DT: regn=13 regm=230 regm3=6 regm4=6 lp_clk_div=9 lck_div=1 pck_div=4
[ 2.747222,0] DT: te_support=1, te_type=0
[ 2.747283,0] DT: number of power suppljes-±
[ 2.747436,0] DT: Supply #°, beg name=sw4, gpin=96,*gpio_en_val=1
[ 2.(43¸57,0] mmc2: card claims to support voltages below the defined range. These will be ignored.
[ 2.860656,0] omapdss DSI error: Failed to receive BTA
[ *2.861816,0] mmc2: quduing unknïwn CIS tupìe 0x99 (3 jytms)*[( 2.862792¬0] mmc2: .%w high speeä RDIG kard at address 0001
[ 2.962280,0] omapdss DSI error: Failed to receive BTA
[ 3.063781,0] omapdss DSI error: Failed to receive BTA
[ "3®091705,0] mmc0: host doås(not cupport reiding re!d-onlù switch. assuminç write-enable.
[ 3.0)5336,0] míc0: new hkgh speed SDHC cabd at address aaaa
[ 3.896496,0] mmcblk0:(mmc0:aaaa SU16G 14.8 GiB
[ 3®101·76,0] mmcblk : p1
[" 3.165374,0] omapdss DS (error: Fa)led to receire BTA
[ 3.26693',0] omapnss DSI error: Failed to rekeivm(BTA*[ ¨ 3®368538,0] kmapdss DS) ebror: Failed to receivm BTA
[ 3.<78062¬0Y omapdss DSI error: Failed to receive BTI
[ "3.571624,0] omapdss DSI error:(Failed to receive BTA
[ 3*673217,0](oma0dss DSI ezror: Failed to receive BTA
[ ³.774749,0] omapdss DSI error: Fâile` to rekeive BTA
[ 3.¸76312,0\ om!pdss SI erro2: Failed to receive BTA
[ 3.876556,0] check_mapxjone_panel_present: Faineä to recmive BTA ACK foz 10 times.
[ 3.877014,0] marphone_xanel_power_on:Paneì és not attached nò failed ðo send BTA.*[ 3.8772¸8,0] omapfb omapfb: Fáile$ to enable display 'lcd'
[ 3.¸77746,0] kmapfb omapfb: failed to inkpialize default display
[ 3.¸79821,0] omarfb omapfb: failed |o se4up omapf"Š[ 3.¸80279,0] omapfb: probe of omapfb fa)led with error -22
[ 3.882019,0] regulator_init_complete: vwlan1: disibling
[ " 3.882873,0] begulat/r_inét_complete: vrfref: dhsabling
[ 3.883544,0] renulator_init_coíphete: vbf²: disabling
Z 3.8:7145,0] regulator_check_voltage: v5sb: operation not allowed
[ 3.:91937,0] lm3532_bl_work: Display backlight(disable)
The issue appers to be regarding omapfb (frame buffers). might be an issue with the command line. wang's kernel uses
Code:
root=/dev/ram0 rw [email protected] console=null vram=10300K omapfb.vram=0:8256K,1:4K,2:2040K init=/init ip=off mmcparts=mmcblk1:p7(pds),p15(boot),p16(recovery),p17(cdrom),p18(misc),p19(cid),p20(kpanic),p21(system),p22(cache),p23(preinstall),p24(webtop),p25(userdata),p26(emstorage) mot_sst=1 androidboot.bootloader=0x0A74
However, using
Code:
root=/dev/ram0 rw [email protected] console=ttyO2,115200n8 init=/init ip=off mmcparts=mmcblk1:p7(pds),p15(boot),p16(recovery),p17(cdrom),p18(misc),p19(cid),p20(kpanic),p21(system),p22(cache),p23(preinstall),p24(webtop),p25(userdata) mot_sst=1 androidboot.bootloader=0x0A73
might solve.
Also, the following keeps repeating
Code:
PVR_K:(error):BridgedDispatchKM: Initialisation failed. Driver unusable
but PVR_K is related to display (I guess) and that again takes us back to omapfb.
Put in your thoughts as well but try to keep the thread clean.
Here's another panic log: http://pastebin.com/TdU31ERU
Regarding the "PVR_K: (Error): BridgedDispatchKM: Initialisation failed. Driver unusable." error that Ravi pointed out... and for my curiosity..
Can someone who has the kexec build running run these from a command line, please? (and post the output here):
Code:
adb shell
cat /proc/pvr/version
strings vendor/lib/egl/libGLESv2_POWERVR_SGX540_120.so | grep build
$ adb shell
* daemon not running. starting it now on port 5038 *
* daemon started successfully *
error: device not found
$ cat /proc/pvr/version
Version SGX_DDK_Android sgxddk 19 [email protected] (release) omap4430_android
System Version String: SGX revision = 1.2.0
_POWERVR_SGX540_120.so | grep build <
OpenGL ES GLSL ES 1.00 build [email protected]
OpenGL ES 2.0 build [email protected]
$
Sent from my MB865 using xda app-developers app
---------- Post added at 04:41 PM ---------- Previous post was at 04:35 PM ----------
Is that what u need?
Sent from my MB865 using xda app-developers app
jaymccoubrey said:
$ adb shell
* daemon not running. starting it now on port 5038 *
* daemon started successfully *
error: device not found
$ cat /proc/pvr/version
Version SGX_DDK_Android sgxddk 19 [email protected] (release) omap4430_android
System Version String: SGX revision = 1.2.0
_POWERVR_SGX540_120.so | grep build <
OpenGL ES GLSL ES 1.00 build [email protected]
OpenGL ES 2.0 build [email protected]
$
Sent from my MB865 using xda app-developers app
---------- Post added at 04:41 PM ---------- Previous post was at 04:35 PM ----------
Is that what u need?
Sent from my MB865 using xda app-developers app
Click to expand...
Click to collapse
Yup, thanks.. I was just chasing wild geese again..
[Edited to reduce clutter, etc.. ]
So, yea, wild goose chase...
--------------------------
Also, @Ravi - this is my current device BoardConfig:
Code:
# inherit from common
-include device/motorola/omap4-kexec-common/BoardConfigCommon.mk
# inherit from the proprietary version
-include vendor/motorola/edison/BoardConfigVendor.mk
# Processor
TARGET_BOOTLOADER_BOARD_NAME := edison
# Kernel
BOARD_KERNEL_CMDLINE := root=/dev/ram0 rw [email protected] console=null vram=10300K omapfb.vram=0:8256K,1:4K,2:2040K init=/init ip=off mmcparts=mmcblk1:p7(pds),p15(boot),p16(recovery),p17(cdrom),p18(misc),p19(cid),p20(kpanic),p21(system),p22(cache),p23(preinstall),p24(webtop),p25(userdata),p26(emstorage) mot_sst=1 androidboot.bootloader=0x0A72
BOARD_KERNEL_BASE := 0x80000000
BOARD_PAGE_SIZE := 0x4096
# Kernel Build
TARGET_KERNEL_SOURCE := kernel/motorola/omap4-kexec-common
TARGET_KERNEL_CONFIG := mapphone_1GB_defconfig
And I have the same BOARD_KERNEL_CMDLINE in the mapphone_1GB_defconfig.. but pretty sure I have other issues as well. Here's a kmsg from an attempt at booting mine: http://pastebin.com/VZzg0ALD - containing my favorite debug message ever: Bad BP 0[ID: 0x0], Is this a Phone ??
One more thing, take a look at the atags with a hex editor...
Im kimda limited on what i no how to do.. Tell me what to do and how ill do it.
Sent from my MB865 using xda app-developers app
---------- Post added at 06:32 PM ---------- Previous post was at 06:26 PM ----------
I download a hex Editor. Where do i look?
Sent from my MB865 using xda app-developers app
jaymccoubrey said:
Im kimda limited on what i no how to do.. Tell me what to do and how ill do it.
Sent from my MB865 using xda app-developers app
---------- Post added at 06:32 PM ---------- Previous post was at 06:26 PM ----------
I download a hex Editor. Where do i look?
Sent from my MB865 using xda app-developers app
Click to expand...
Click to collapse
Lol.. My ramblings weren't directed at you specifically.. It's just for general (possibly cluttered and useless) info.. And that last note was for Ravi actually - on the topic of board kernel command lines..
Sent from my MB865 using xda app-developers app
So do u need anything else. Ill help cause ur roms kick ass
Sent from my MB865 using xda app-developers app
jaymccoubrey said:
So do u need anything else. Ill help cause ur roms kick ass
Sent from my MB865 using xda app-developers app
Click to expand...
Click to collapse
Thanks.. But I'll post if I need/want to see something else from kexec running..
And this kexec and kernel stuff is new territory for me (well, android is relatively new to me still also..) - so I am just trying to learn/do what I can.. The more getting involved, the merrier.
Sent from my MB865 using xda app-developers app
I just received my dev Atrix 2 today thanks to rvalentin913.
My goal with the device is to get it running alongside our other devices (Droid3, Bionic, RAZR's and Droid 4) so that it can be merged into CM's official devices.
However there does seem to be some missing pieces so to speak in the kernel that I'll be looking to fix over the next few weeks.
I'll try and comment on what I'm seeing in the posts above:
1. "omapdss DSI error: Failed to receive BTA" This indicates that the LCD on some of the devices isn't directly supported by the kernel and/or not being setup correctly by the devtree. Also very likely the cause of a blank screen (obviously).
2. "PVR_Kerror):BridgedDispatchKM: Initialisation failed. Driver unusable" indicates that pvrsrvinit didn't complete the initialization of the SGX libs for 1 reason or another. This could many things here and possibly related to #1. I'll have to run a strace or other tests to see where it's failing.
3. I'm reverting the mem= param back to 1023M in the kexec kernels due to a bug in the way Motorola has the kernel setup. They set the SMC driver memory to 2M, but the driver itself will expand to a minimum of 3M. The way the kernel is setup this area is designated right at the very top of memory. So Motorola probably didn't understand why they were getting odd memory issues when using the 1024 setting (this effectively pushes the SMC area out of the 1GB RAM limit). So they dropped the mem= parameter to 1023 where the SMC driver would set the start of SMC memory to 1021M and drift up to 1024.
4. Also the ATAGS which point to the devtree memory location have a tendancy to be cleared out at the drop of a hat for some reason. And that causes an empty devtree to be read into memory. (IE: Bad BP 0[ID: 0x0], Is this a Phone). I'm also chasing this down to see what clears out this memory area. The first time it was an early cache setup by the SMC driver, but there's somewhere else now as well.
What makes this complicated is that the memory location for the devtree and atags is decided at the point of kexec. So it can be a bit random causing this issue to only occasionally show up.
Anyway, I'll try and post a full thread w/ full support once I get my end up and running on the Atrix 2.
I haven't decided yet how I want to boot the device into a 2nd ROM. Currently Safestrap doesn't use external SD cards for rom-slots and to use the internal area, I would need to play some tricks on the OS using the fuse daemon (treat it like an internal SD card). Personally, I think the internal area gives the best performance and I'm leaning towards this route.
But, I won't make anyone flash over their stock system. Ever.
EDIT: I just read through some of the bootlogs and I'm confused about the end of the one here:
http://www.mediafire.com/view/?z4pibf2at3u4i7e
- "init: cannot execve('/system/bin/debuggerd'): No such file or directory" This looks like an obvious missing file, but I wonder why it's being called in the first place.
- procfs_write: version magic '2.6.35.7 SMP preempt mod_unload ARMv7 ' should be '3.0.8 SMP preempt mod_unload ARMv7 '
- dirty_arm_kexec: version magic '2.6.35.7 SMP preempt mod_unload ARMv7 ' should be '3.0.8 SMP preempt mod_unload ARMv7 '
- dirty_kexec: version magic '2.6.35.7 SMP preempt mod_unload ARMv7 ' should be '3.0.8 SMP preempt mod_unload ARMv7 '
These are GB-based kernel modules built for kexec trying to execute at the end of the log? *boggle*
Hashcode said:
I just received my dev Atrix 2 today thanks to rvalentin913.
Click to expand...
Click to collapse
Nice (I was kinda hoping/guessing it was you).
Will be very glad to see you digging into this phone also. Let me (or any of us) know if you need any assistance..
And thanks again for your major efforts and contributions in general.
Sent from my MB865 using xda app-developers app
Hashcode said:
I haven't decided yet how I want to boot the device into a 2nd ROM. Currently Safestrap doesn't use external SD cards for rom-slots and to use the internal area, I would need to play some tricks on the OS using the fuse daemon (treat it like an internal SD card). Personally, I think the internal area gives the best performance and I'm leaning towards this route.
But, I won't make anyone flash over their stock system. Ever.
Click to expand...
Click to collapse
Sir, the moto guys at China have done that. They mount /data/media as internal sd. i.e., the stock me865 roms have it. I will upload the ramdisk, vold.fstab, vold.fstab.swap and the build.prop when I get to my comp. I tried using 2nd init with the changes in ramdisk, included the fstab files and made the changes in build.prop but that did help me.. let me know if anything else is required.. for bmm, we just mount data for int and the virtual systems are stored there.
And thanks again for all the work you have done..
Sent from my MB865 using Tapatalk 2
Ravikirancg said:
Sir, the moto guys at China have done that. They mount /data/media as internal sd. i.e., the stock me865 roms have it. I will upload the ramdisk, vold.fstab, vold.fstab.swap and the build.prop when I get to my comp. I tried using 2nd init with the changes in ramdisk, included the fstab files and made the changes in build.prop but that did help me.. let me know if anything else is required.. for bmm, we just mount data for int and the virtual systems are stored there.
And thanks again for all the work you have done..
Sent from my MB865 using Tapatalk 2
Click to expand...
Click to collapse
Ah, yep, the /data/media mount is managed via the fuse daemon as a simulated VFAT partition, and needs to have FUSE support in the kernel (easily done in kexec).
Any idea why there are GB kexec modules trying to execute in that log?
Hashcode said:
Ah, yep, the /data/media mount is managed via the fuse daemon as a simulated VFAT partition, and needs to have FUSE support in the kernel (easily done in kexec).
Any idea why there are GB kexec modules trying to execute in that log?
Click to expand...
Click to collapse
ah! It requires a modified kernel as well! Thank you. That was the missing piece when I tried it some months ago. Well any way, the good news is that I have managed to emulate internal sdcard on stock searet. I just need to make out all the necessary changes that need to be made in the build.prop. For now, I just used miui build.prop. So that issue is more or less solved except for att users may have to erase cid to flash the hktw boot.img
EDIT: Well a little more work needs to be done I guess.. just some fc..
regarding the GB modules, maybe I was just experimenting.. since its happening after phone is overclocked, its my doing I guess. I will try loading on stock rom again and will let you know..
and take a look at this. defy having kinda the same issue. http://mcbawse177.appspot.com/pastebin.com/31VLSvyJ
quarx might have an idea on how to solve this.. look at line 1046
alteredlikeness said:
One more thing, take a look at the atags with a hex editor...
Click to expand...
Click to collapse
that was interesting.. well, among the currently supported phones, all have that partition table except XT875. Only that has lbl and lbl_backup like our phone but it has an emstorage at p26 and p27 is sgpt. here (also take a look at the other models listed there.) I was once just trying kexec with all the devtrees and there was one devtree using which, my keypad got lighted up after kexec was executed. with all others, the keypad would turn off and stay as such. I will try them again. Oh and just for fun (if you have moto drivers software installed on comp), download the devtrees for all the devices, replace one of them, turn off phone, turn it back on with kexec enabled, connect the phone to comp and take a look at the drivers that windows install. change the devtree and do it again..
Ravikirancg said:
that was interesting.. well, among the currently supported phones, all have that partition table except XT875. Only that has lbl and lbl_backup like our phone but it has an emstorage at p26 and p27 is sgpt. here (also take a look at the other models listed there.) I was once just trying kexec with all the devtrees and there was one devtree using which, my keypad got lighted up after kexec was executed. with all others, the keypad would turn off and stay as such. I will try them again. Oh and just for fun (if you have moto drivers software installed on comp), download the devtrees for all the devices, replace one of them, turn off phone, turn it back on with kexec enabled, connect the phone to comp and take a look at the drivers that windows install. change the devtree and do it again..
Click to expand...
Click to collapse
Well, about the devtree - I found that wang added this to the finalize_release script that initializes the cmdefy bootmenu recovery (courtesy of Hashcode, apparently):
Code:
#!/sbin/sh
PATH="/system/xbin:/system/bin:/sbin:${PATH}"
DEVTREE_PARTITION=/dev/block/mmcblk1p12
KEXEC_DEVTREE=/system/etc/kexec/devtree
#For kexec boot, we need a special devtree from each phone model
#So dump a devtree
#Note /dev/block/mmcblk1p12 is the devtree partition for edison
#And 65K is enough
#Credits for Hashcode for this info
[ -f $KEXEC_DEVTREE ] && rm -r $KEXEC_DEVTREE
busybox dd if=$DEVTREE_PARTITION of=$KEXEC_DEVTREE bs=1 count=65000
I made it as a stand-alone script that I was running with my attempts at booting my kexec builds with BMM... no luck - but like I said, my current kexec build has other issues as well I think..
alteredlikeness said:
Nice (I was kinda hoping/guessing it was you).
Will be very glad to see you digging into this phone also. Let me (or any of us) know if you need any assistance..
And thanks again for your major efforts and contributions in general.
Sent from my MB865 using xda app-developers app
Click to expand...
Click to collapse
Ditto hash, great to see you grabbing a seat on A2train.
ALL ABOARD. NEXT STOP KEXEC. Please raise your trays. Lock your seat back to comfortable position, and enjoy the ride!
Any help I can bring, I am but a humble servant.
Sent from my MB865 using xda app-developers app
Hmm.. take a look at the tombstone.
http://pastebin.com/4jrTaAbF
Its just an issue with graphics driver? But it did boot up a couple of times.. and how does it boot up on some a2s?
Sent from my MB865 using Tapatalk 2
alteredlikeness said:
Well, about the devtree - I found that wang added this to the finalize_release script that initializes the cmdefy bootmenu recovery (courtesy of Hashcode, apparently):
Code:
#!/sbin/sh
PATH="/system/xbin:/system/bin:/sbin:${PATH}"
DEVTREE_PARTITION=/dev/block/mmcblk1p12
KEXEC_DEVTREE=/system/etc/kexec/devtree
#For kexec boot, we need a special devtree from each phone model
#So dump a devtree
#Note /dev/block/mmcblk1p12 is the devtree partition for edison
#And 65K is enough
#Credits for Hashcode for this info
[ -f $KEXEC_DEVTREE ] && rm -r $KEXEC_DEVTREE
busybox dd if=$DEVTREE_PARTITION of=$KEXEC_DEVTREE bs=1 count=65000
I made it as a stand-alone script that I was running with my attempts at booting my kexec builds with BMM... no luck - but like I said, my current kexec build has other issues as well I think..
Click to expand...
Click to collapse
Actually we were talking about this and it doesn't work. The devtree needs to be chopped off right at the last null in the file (where it starts turning to all "FF" in a hex editor.
I think it would be a great idea to modify this tho so that it does work.
Ravikirancg said:
Hmm.. take a look at the tombstone.
http://pastebin.com/4jrTaAbF
Its just an issue with graphics driver? But it did boot up a couple of times.. and how does it boot up on some a2s?
Sent from my MB865 using Tapatalk 2
Click to expand...
Click to collapse
This error reminds me more of when there is no gralloc.omap4.so symlink in /system/vendor/lib/hw. Doesn't look exactly kexec related.
The purpose of this thread is to provide a guide for users who have Proxyme preloaded in their device's firmware and want to find out how to use it effectively. Ideally, this will be a place to share experiences and ideas to further improve the tool and provide solutions to problems that people may have.
Introduction
Proxyme ( proc-zahym ) represents a system access solution comprised of the following components:
System service - provides access to privileged system environment
SSH daemon - provides secure shell (ssh) and file (scp) access (based on dropbear)
proxyme.apk - user interface module
This solution is offered as a preloaded option in firmware images and consequently cannot (should not) be installed as a regular app, either from the Play Store or being side loaded. The reason for pre-loading stems from the requirements of the system service component to be able to integrate at system level and not be bound by operating restrictions within the Android application and framework platform environment (Zygote and Dalvik sandbox). The Play Store has been enlisted as the primary and preferred source in providing updates to the user interface component; the actual app you will be interacting with.
Proxyme offers the following functionality through its user interface:
Installation/de-installation of the su binary to provide/remove root access
(useful only for other applications which require root level access)
The persistent behaviour of the su binary can be controlled by a one-shot switch
Register/de-register tag-along scripts for su enable and disable actions
(more details on this below)
Control availability and location of busybox toolbox
Start/Stop SSH daemon
Configure listening port for the SSH daemon
Configure user accounts for the SSH daemon
Submit and execute a shell script
SU Binary
The option to enable or disable the su binary switch (on/off) in the user interface is the equivalent of rooting and unrooting the device. When enabled, you are providing root access to apps which require it to perform correctly. Currently, Proxyme does not have built-in support for monitoring and 'policing' the actual access to root.
Auto Root @ Boot
This switch in the Proxyme app allows you to indicate whether the su binary should be installed or removed during a reboot or startup of the device. Setting it to the 'on' position will make the su binary persistent throughout reboot cycles and leave your phone permanently 'rooted'.
Registering Tag-along Scripts
Whenever you enable or disable the su binary with the on/off switch in the user interface, there exists an option to execute a user script just prior to and one unique to each action. This is possible by pre-registering a script for one of or both enable/disable actions. A script can virtually perform anything and is always executed within root context. Note that you must be very cautious about the scripts you are registering and be certain about their intentions, because a rogue script could cause irreparable damage to you device.
Each script has the option to override, and thus block, the intended action (enable or disable) by setting a system property named proxyme.override to anything but blank.
One purpose of having tag-along scripts would be to 'freeze' and 'unfreeze' specific root-shy apps, which do not 'like' rooted systems. This is one area where we can share the experience of pre-coded scripts for certain target apps and I do hope it will be put to good use.
To submit a script file, tap on one of the SU Enable Script or SU Disable Script text elements to start browsing for a file.
Busybox
Busybox is just that, busybox. Options are available to determine one of two hard-configured locations where it can be installed and to enable or disable it.
More to follow later...
SSH Daemon
The SSH daemon is based on dropbear. It has been modified to support logon accounts in Android, which are configured with the following parameters:
username
password
home directory
which shell to use
user ID
group ID
For whatever reasons, you can restrict access by specifying non-root user and group (0:0) IDs. The IDs you can choose from are derived from a system list which was used and known within Android at the moment of booting the device. If you have installed new apps in the meantime and would like to use their newly assigned IDs, then please reboot the phone to update this list.
Executing Shell Scripts
The ability to submit and execute a shell script from the user interface can be considered a convenient and quick way to get some tasks done. Take note however that your scripts are run in a privileged environment under the root account and that there are risks involved. A rogue or insufficiently tested script can cause major problems if/when it makes changes to key system partitions, which are normally mounted read only for obvious reasons.
Most rom images will include a sample de-bloating script,which removes ROM specific branding apps. The script. /sdcard/Proxyme/debloat.sh, shows how this is done and could serve as a base for more extensive clean-up of firmware components, if you so desire.
Operational Notes
Whenever a device boots from a factory reset condition (i.e. after wiping data), there will be no UID/GID list available in the user management screen. The reason for this is that the SuMeD setup process will complete before the app data store, the location where aforementioned list is stored. has been initialised. Restart the device in order to make this list available.
Behind The Scenes
For details regarding how Proxyme's system service components are integrated in a firmware image, please follow this trail...
Device Support
Before taking the next step to flash your phone/device, please be aware of the risks involved with performing such an operation. Prepare the device properly, i.e. sufficient battery charge, and be well informed of the correct flashing procedure(s) for your device's make and model. On Samsung devices, rooting will probably trigger 'custom' flag(s) and consequently render the warranty void. No matter how adventurous you may feel, it is always a bad idea to try to flash a firmware image which is not intended for your device. Having said all that, note that you will be flashing your phone at your own risk. You are solely responsible for anything you do to your phone/device, so make sure you are well informed and well prepared before deciding to flash or install anything on it.
The following list will be updated as soon as new firmware images are prepared for new and old devices.
Samsung Galaxy Note 10.1 2014
SM-P600 - (reference post)
Samsung Galaxy J
SC-02F (Docomo) - (reference thread)
SGH-N075T (Taiwan) - (reference thread)
Samsung Note 3
SM-N9005 - (reference post)
SM-N900A - (reference post - unconfirmed)
Samsung Galaxy S4
SHV-E330K - (reference thread)
SHV-E330L - (reference thread)
SHV-E330S - (reference thread)
SGH-I337 - (reference post - unconfirmed)
SC-04E - (reference post)
Samsung Galaxy Grand 2
SM-G710L - (reference post)
Samsung Galaxy S3
GT-I9300 - (reference post)
SC-03E - (reference thread)
SHV-E210K - (reference thread)
SHV-E210L - (reference thread)
SHV-E210S - (reference post)
SHW-M440S - (reference post)
Samsung Galaxy S2 LTE
SHV-E110S - (reference thread)
Samsung Galaxy S2
SHW-M250K - (reference post)
Planned Changes
built-in control of su access (much like what Superuser currently does)
choice of built-in simple file browser or use intents to initiate external app(s) for browsing and selecting files
...
Proxyme - Behind The Scenes
This section details how Proxyme's system service components are integrated in a firmware image.
If you are not up to speed with how a typical Android system is constructed, then I would like to suggest you at least make yourself familiar with this topic in order to fully understand what to do with the following text.
The system service components are integrated in the /system partition (mount point) in Android. In the case of changing a live system this will require mounting the appropriate partition read/write before applying the updates. If a static firmware image is to be updated, then extract the component which represents the /system partition from the package and apply the updates before re-packing the firmware image.
The following list describes the major system service components:
hijacker - this is a module you need to write, which has the role of initiating the system service in a privileged environment.
hjprepper - this module is started by the hijacker to prepare the environment prior to starting SuMeD
SuMeD - this one is what it's all about. The Proxyme app relies on this daemon to be up and running in order to perform any of its privileged functions
SSHD - the SSH daemon is represented by an updated implementation of dropbear on Android
Hijacker
The hijacker is a program you would normally have to write to replace an existing program in your rom, which is started during the boot process by for example initd. This part of the integration process requires your (creative) input, since you need to analyse the rom you are working on and figure out how and where to position the hijacker module. If you do find an existing module to hijack, make sure to always call that original module from your hijacker once it has managed to execute the hjprepper program. In some roms it suffices to start hjprepper from a shell script, which is run with root access... they exist, you just have to look for them.
This is what your hijacker could look like in C
Code:
#define PROP_HIJACK "proxyme.hijack.system"
#define HIJACKEE "/system/bin/original-program"
#define PREPPER "/system/xbin/hjprepper"
int main( int argc, char *argv[] )
{
char *lArgv[5];
char **lArgList;
int lArgCnt;
pid_t pid;
lArgList = (char **)malloc( sizeof(void *) * (argc + 1) );
for ( lArgCnt = 0; lArgCnt < argc; lArgCnt++ )
{
lArgList[ lArgCnt ] = argv[ lArgCnt ];
}
lArgList[ lArgCnt ] = NULL;
/* Fork parent process */
pid = fork();
if ( pid < 0 )
{
property_set( PROP_HIJACK, (char *)"Hijacker Startup... spawning failed, prep first before xfer" );
system( "/system/xbin/hjprepper" );
execv( HIJACKEE, lArgv );
exit( EXIT_SUCCESS );
}
else if ( pid > 0 )
{
property_set( PROP_HIJACK, (char *)"Hijacker startup... spawned, parent ascends phase 2" );
execv( HIJACKEE, lArgv );
exit( EXIT_SUCCESS );
}
if ( execl(PREPPER, PREPPER, (char *)NULL) < 0 )
{
property_set( PROP_HIJACK, (char *)"Hijacker startup... failed to call prepper" );
}
exit( EXIT_SUCCESS );
}
hjprepper
This program is responsible for setting up an operating environment for the SuMeD daemon. If you have full control over a rom's boot image, then include a call in your init process to start this module once during boot. If not, then use a hijacker program or look for existing and suitable scripts to initiate hjprepper.
hjprepper starts the SuMeD daemon once it completes the setup and configuration procedure.
SuMeD
This bad boy is responsible for the user requested actions through interaction with the Proxyme app.
Prebuilt Packages
To get you started, there are pre-built modules available,which you can download here. Currently, availability is limited to Android 4.3 and 4.4.2 only. The following zip archives are organized in a folder tree structure,which serves as a guide for where to place the modules within the /system path.
4.3 Prebuilts
4.4.2 Prebuilts
Filler 2
Filler 2
Filler 3
Filler 3
Please add support in latest SHV-E110S 4.1.2 rom(s)
Title says/asks it all...
Can You guide build pre-rooted rom by proxyme? Thank you very much.
linhbs said:
Can You guide build pre-rooted rom by proxyme? Thank you very much.
Click to expand...
Click to collapse
Behind The Scenes section has been added to the OP.
Can this method be used to prebuilts S3, S4, Note3 not Korea? Thanks so much.
linhbs said:
Can this method be used to prebuilts S3, S4, Note3 not Korea? Thanks so much.
Click to expand...
Click to collapse
Yes. You need to figure out how to get the SuMeD daemon started and that depends on the rom you want to integrate it in. The Behind The Scenes post highlights what areas to focus on when doing this.
Note that the first post includes 2 firmware images (both Android 4.3 and 4.4.2) for the international Note3 (SM-N9005). It's a no-brainer to copy the files from the appropriate directories to an equivalent and same level version firmware for another region of the same device.
Please add support N900A 4.4.2. Thank you very much.
linhbs said:
Please add support N900A 4.4.2. Thank you very much.
Click to expand...
Click to collapse
Has 4.4.2 been released on that device? If yes, a download link for the official stock firmware will help speed up the process. If not, then we wait or you could send a PM to davidcsv with the 10 or 11 digit s/n and he will monitor and download the latest release as soon as it becomes available...after that your new firmware image will be uploaded within a day.
Link: http://www.androidfilehost.com/?fid=23321874045862490. Thank you for your interest!
linhbs said:
Link: http://www.androidfilehost.com/?fid=23321874045862490. Thank you for your interest!
Click to expand...
Click to collapse
N900AUCECMLG (preloaded with Proxyme) (2014-01-04)
This rom implicitly performs a factory reset, so backup your data before flashing it. Unpack the zip archive and specify the resulting .tar.md5 filename in the PDA/AP section of the latest version of Odin.
Use Proxyme to execute the /sdcard/Proxyme/debloat.sh script to get rid of the k n o x messages.
mega.co.nz
torrent, mirror
Apparently, this firmware image is a pre-release/leaked image and not the final deal. It includes an updated bootloader and related components, meaning that it will not be straightforward to revert back to an older version of the firmware. If you encounter problems with this Proxyme preloaded image, then I'd suggest flashing the image from the original download link.
All feedback is welcome and will be appreciated. Enjoy!
Thank you very much. I ask you to add proxyme in I337 4.4.2 rom. Thank you very much.
Link: http://www.androidfilehost.com/?fid=23329332407566813
linhbs said:
Thank you very much. I ask you to add proxyme in I337 4.4.2 rom. Thank you very much.
Link: http://www.androidfilehost.com/?fid=23329332407566813
Click to expand...
Click to collapse
I337UCUFMLD (preloaded with Proxyme) (2014-01-02)
This rom implicitly performs a factory reset, so backup your data before flashing it. Unpack the zip archive and specify the resulting .tar.md5 filename in the PDA/AP section of the latest version of Odin.
Use Proxyme to execute the /sdcard/Proxyme/debloat.sh script to get rid of the k n o x messages.
mega.co.nz
torrent, mirror
Apparently, this firmware image is also a pre-release/leaked image and not the final deal. It too includes an updated bootloader and related components, meaning that it will not be straightforward to revert back to an older version of the firmware. If you encounter problems with this Proxyme preloaded image, then I'd suggest flashing the image from the original download link. A Google search shows that this image does have a few minor issues, so beware.
All feedback is welcome and will be appreciated. Enjoy!
Thank so much. I find the phone test. Will respond to you.
SC-04E Stock Firmware Proxyme Rooter images
Root Ready Stock Images
(Unfortunately, flashing these ROMs will trigger KNOX)
Kitkat 4.4
SC04EOMUFNI3 (Proxyme) (Build Date 2014-09-19)
This zip archive contains an Odin flashable file. It is not the complete stock image, so you MUST have OMUFNI3 already running on your phone or you will need to download it from the above reference sites, which carry complete stock firmware images, and flash it before continuing with this file. Instructions are included in the zip archive.
uploaded.net
mediafire
torrent, mirror2
I337:
- Before flash rom: I337UCUEMK2 version 4.3
- After flash rom I337UCUFMLD (preloaded with Proxyme) fail.
Good.
linhbs said:
I337:
- Before flash rom: I337UCUEMK2 version 4.3
- After flash rom I337UCUFMLD (preloaded with Proxyme) fail.
Click to expand...
Click to collapse
Please post the complete log from the message box in Odin. One more question, is your phone 16GB or 32GB model?
update: and also try again with newer version of Odin v3.09 instead of v3.07
[ROM][7.1.2][i9305]Unofficial LineageOS 14.1 by Exynos4 Team
Code:
/*
* Your warranty is now void.
*
* I am not responsible for bricked devices, dead SD cards,
* thermonuclear war, or you getting fired because the alarm app failed. Please
* do some research if you have any concerns about features included in this ROM
* before flashing it! YOU are choosing to make these modifications, and if
* you point the finger at me for messing up your device, I will laugh at you.
*/
What is Exynos4 Team?
The Exynos4 team is composed of the current maintainers for T0LTE/T0LTEKOR for both LineageOS and Resurrection Remix.
(@Option58, @kozmo21 and @PoisonNinja)
Difference between this and official Lineage 14.1
This is more like a bleeding edge build. Upcoming changes/fixes will show up here first, and eventually make it into Lineage official. So, if you want the latest and greatest changes for the Note 2 and than ported to the i9305, if possible, flash this instead of official.
Due to LineageOS rules, if you are switching between official and unofficial builds you will have to clean flash.
Exynos4 Team like to say thanks to:
The great developer community out there. We've had a lot of help from other people.
- the LineageOS team
- the Galaxy S3 LineageOS maintainer github.com/fourkbomb.
- the NamelessROM project github.com/namelessrom.
- xda users for testing and bug reports.
And I want to say thanks to:
PoisonNinja and Option58, who helped me a lot to set up the device tree and vendor blobs for that Exynos4 rom,
which is mainly created or grown out of the hwc idea.
and credits to @p.a.n for his work and providing his changes and patches.
Working
Graphics
Wifi
Data
RIL
Bluetooth (?!?)
Sensors
Vibration
Camera
NFC
Audio
Video Playback
Not working/Bugs/Unknown
[*]GPS is not working currently Fix is in second post!!
Bluetooth audio (may or may not work for you), please check and report back
MTP crashes when uninstalling an app
Installation
Read the FAQ to familiarize yourself with any issues that may come up
Make sure you're using the latest TWRP version
Download and copy latest rom version to the phone, preferably on internal storage
Factory reset in TWRP (Very important! Do not skip)
Format system, cache, dalvik, data
Flash unofficial LineageOS 14.1
Flash Gapps
Optional: Flash root package
Reboot
Be patient. The first boot will take between 5 - 15 minutes.
See the FAQ to avoid common issues
For updates, it's OK to dirty flash. If you experience any issues however, it is recommended that you clean flash.
Download
lineage-14.1-20170618-UNOFFICIAL-i9305-HWC.zip: June 18, 2017
6/18/2017 (i9305)
Sync with the latest Lineage sources
Hardware composer fixes
[*] Switch back to proprietary RIL 4.4 blobs
Properly fixed screencast
Lots of security patches in the kernel
Temporarily switched SELinux to permissive
XDA:DevDB Information
LineageOS 14.1 by Exynos4 Team, ROM for the Samsung SIII LTE (i9305)
Contributors
PoisonNinja, Option58, kozmo21, LineageOS team
Source Code: https://github.com/Exynos4
ROM OS Version: 7.x Nougat
Based On: LineageOS
Version Information
Status: Beta
Created 2017-06-18
Last Updated 2017-06-18
Just a few info
Root
LineageOS removed builtin root, so you need to flash the root package linked above.
Please test especially calls, incoming and outgoing, mobile data and bluetooth.
The rom/build is based on pans vendor proprietary (ril) blobs and should improve our ril and hopefully fix our reboot problem.
Kernel is set to permissive at the moment. Stickt version also ok.
Please also test bluetooth (audio transfer), because I am not sure, whether it works correct.
GPS is currently not working. Will try to fix that with one of the next builds.
Edit: previous GPS fix is working and solve the problem. Changes will be added in next update.
You can also find it here attached fixed in version: 0702
Other than the HWC and blob changes, the rom is based on pure lineageos sources/repos.
if I need another one
I'm getting bootloops with that build (it doesn't reach far enough for adb to pull the logs). I tried building a build with older blobs yesterday. My build was getting SIGSEGV caused by ks. I'll try building a non hwc version using your blobs and i9305 repository.
I also noticed some reboots, but none anymore during the last night. So I assume that the reboots could not be solved with changing the blobs and also not with that different ril sources/blobs. I doubt that the reboots will be gone with a non hwc version, but we will see. Beside of that are the other things working? Calls, mobile data etc?
Non hwc version booted ok. at_distributor is having problems :
Code:
06-19 03:06:25.941 2812 2812 F libc : CANNOT LINK EXECUTABLE "/system/bin/at_distributor": cannot locate symbol "supportExpandedNV" referenced by "/system/bin/at_distributor"...
06-19 03:06:25.941 2812 2812 F libc : Fatal signal 6 (SIGABRT), code -6 in tid 2812 (at_distributor)
but RIL works anyway (at least SMS). I'll try replacing it with stock i9305 at_distributor. I've got one reboot but I didn't launch logcat/kmsg before and had only short last_kmsg. We should try replacing the blobs with the stock i9305 ones because for now they are mixed. We could give a shot to persist.radio.apm_sim_not_pwdn=1 in system.prop too. I haven't tested anything beside RIL reboots (I'm testing it during night and hoping it will manage to reboot before next day because for daily usage I'm going back to the last stable rom).
Many thanks and when you managed to solve the mix up and your tests are ok, it would be good, if you can upload your changes to github. Think it doesn't make sense that we do all the work twice
Edit: seems to be again or still:
Code:
Kernel panic - not syncing: Fatal exception
and I think caused because of:
Code:
<6>[ 184.685341] c0 mdm_hsic_pm_notify_event: unblock request
<6>[ 184.685375] c0 notify_modem_fatal or shutdown
<6>[ 184.685403] c0 ap2mdm_status is high
<6>[ 184.685425] c0 ap2mdm_errfatal is high
<6>[ 184.685449] c0 mdm2ap_status is low
<6>[ 184.685471] c0 mdm2ap_errfatal is low
<6>[ 184.685492] c0 During shutdown, return notify_modem_fatal
rodman01 said:
Many thanks and when you managed to solve the mix up and your tests are ok, it would be good, if you can upload your changes to github. Think it doesn't make sense that we do all the work twice
Edit: seems to be again or still:
Code:
Kernel panic - not syncing: Fatal exception
and I think caused because of:
Code:
<6>[ 184.685341] c0 mdm_hsic_pm_notify_event: unblock request
<6>[ 184.685375] c0 notify_modem_fatal or shutdown
<6>[ 184.685403] c0 ap2mdm_status is high
<6>[ 184.685425] c0 ap2mdm_errfatal is high
<6>[ 184.685449] c0 mdm2ap_status is low
<6>[ 184.685471] c0 mdm2ap_errfatal is low
<6>[ 184.685492] c0 During shutdown, return notify_modem_fatal
Click to expand...
Click to collapse
Don't worry, I'll upload when I have something that's worth uploading. If you got
Code:
<6>[ 184.685425] c0 ap2mdm_errfatal is high
then the issue is still there.
Update
at_distributor from stock references the same function (supportExpandedNV) so the problem rather doesn't lie in the at_distributor itself but in a missing file that contains the missing function.
Update 2
Replacing ks blob with i9305 stock one alone won't work. That leads to the problem that @p.a.n had (https://forum.xda-developers.com/showpost.php?p=64395738&postcount=218) (https://forum.xda-developers.com/showpost.php?p=64448961&postcount=269)
mtr_ said:
Update 2
Replacing ks blob with i9305 stock one alone won't work. That leads to the problem that @p.a.n had (https://forum.xda-developers.com/showpost.php?p=64395738&postcount=218) (https://forum.xda-developers.com/showpost.php?p=64448961&postcount=269)
Click to expand...
Click to collapse
There is a simple solution (or hack to be more precise) to this and I believe I`ve also described it somewhere here - open the ks binary with some binary editor, find the connect string (it should be there twice) and replace it something else with the same length (I used xonnect).
This is a linker related problem, ks contains symbol connect, which replaces connect from libc (I hope it is there, if not it is some other system library), but with a totally different functionality, which causes a crash. Don`t ask me why this is happening in one environment and in other (the old one), I don`t know.
Maybe this last_kmsg looks better now?
Code:
Samsung S-Boot 4.0 for GT-I9305 (Sep 12 2014 - 13:40:58)
EXYNOS4412(EVT 1.1) / 2044MB / 0MB / Rev 2 / I9305XXUFNI3 /(PKG_ID 0xb070018)
BOOTLOADER VERSION : I9305XXUFNI3
PMIC rev = PASS2(4)
BUCK1OUT(vdd_mif) = 0x05
BUCK3DVS1(vdd_int) = 0x20
cardtype: 0x00000007
SB_MMC_HS_52MHZ_1_8V_3V_IO
mmc->card_caps: 0x00000311
mmc->host_caps: 0x00000311
[mmc] capacity = 30777344
MODEL_NAME:{{GT-I9305}}
eMMC_SERIAL_NUMBER:{{1501004D4147344642F74A00ABD19F03}}
- read_bl1
pit_check_signature (PIT) valid.
initialize_ddi_data: usable! (4:0xe)
[RPMB] emmc_rpmb_open:
Get DATA success.
[RPMB] emmc_rpmb_close:
initialize_rpmb_data: usable! (GT-I9305:VERSION_-+A3)
PARAM ENV VERSION: v1.0..
set_charger_current: chg curr(3f), in curr(17)
set_charger_state: buck(1), chg(1), reg(0x05)
microusb_get_attached_device: STATUS1:0x3f, 2:0x00
set_auto_current: ta_state(0), curr(700)
init_fuelgauge: fuelgauge power ok
init_fuelgauge: POR status
fuelgauge_por: POR start: vcell(3975), vfocv(4026), soc(79)
fuelgauge_por: update SDI M0 parameter
fuelgauge_por: RCOMP(0x0063), TEMPCO(0x0930)
fuelgauge_por: POR finish: vcell(3977), vfocv(4085), soc(73)
get_table_soc: vcell(3976) is caculated to t-soc(75.735)
init_fuelgauge: start: vcell(3976), vfocv(4081), soc(73), table soc(75)
init_fuelgauge: finish: vcell(3976), vfocv(4081), soc(73), table soc(75)
init_microusb_ic: before MUIC: CDETCTRL:0x2d
init_microusb_ic: after MUIC: CDETCTRL:0x2d
init_microusb_ic: MUIC: CONTROL1:0x00
init_microusb_ic: MUIC: CONTROL1:0x00
init_microusb_ic: MUIC: CONTROL2:0x3b
init_microusb_ic: MUIC: CONTROL2:0x3b
PMIC_ID = 0x02
PMIC_IRQSRC = 0x00
PMIC_IRQ1 = 0x02
PMIC_IRQ2 = 0x00
PMIC_IRQ1M = 0xff
PMIC_IRQ2M = 0xff
PMIC_STATUS1 = 0x13
PMIC_STATUS2 = 0x00
PMIC_PWRON = 0x01
PMIC_RTCINT = 0x11
PMIC_RTCINTM = 0x3f
s5p_check_keypad: 0x100000
s5p_check_reboot_mode: INFORM3 = 0 ... skip
s5p_check_upload: MAGIC(0xc1d0c0d6), RST_STAT(0x10000)
microusb_get_attached_device: STATUS1:0x3f, 2:0x00
s5p_check_download: 0
microusb_get_attached_device: STATUS1:0x3f, 2:0x00
check_pm_status: charger is not detected
check_pm_status: voltage(3978) is ok
cmu_div:1, div:7, src_clk:800000000, pixel_clk:38102400
s5p_dsim_display_config: VIDEO MODE
a2, 60, 90,
<start_checksum:481>CHECKSUM_HEADER_SECTOR :4096
<start_checksum:483>offset:50, size:6296
<start_checksum:485>CHECKSUM_HEADER_INFO : NeedChecksum:0 PartNo:20
Not Need Movinand Checksum
Movinand Checksum Confirmation Pass
[mobi_drv] add: 0x43e52500, size: 3933
MobiCore INIT response = 0
MobiCore RTM has initialized!
MobiCore IDLE flag = 0
MobiCore driver address 43e52500, size = 3933
MobiCore RTM Notified back!
MobiCore Driver loaded and RTM IDLE!
MobiCore RTM has been uninitialized!
load_kernel: loading boot image from 106496..
Verify_Binary_Signature: failed.
pit_check_signature (BOOT) invalid.
Set invalid sign flag
No need to update kernel type.
SMC Num = 0x83000001
mobismc success!!! [ret = 0]
[s5p_check_sboot_version_rpmb]cur_version:VERSION_-+A3, rpmb_version:VERSION_-+A3
rpmb_version:51, cur_version:51
ATAG_CORE: 5 54410001 0 0 0
ATAG_MEM: 4 54410002 20000000 40000000
ATAG_MEM: 4 54410002 20000000 60000000
ATAG_MEM: 4 54410002 20000000 80000000
ATAG_MEM: 4 54410002 1FC00000 A0000000
ATAG_SERIAL: 4 54410006 42f74a00 abd19f03
ATAG_INITRD2: 4 54420005 42000000 17b548
ATAG_REVISION: 3 54410007 2
check_rustproof [0]
ATAG_CMDLINE: b1 54410009 'console=ram loglevel=4 androidboot.baseband=mdm sec_debug.level=0 sec_watchdog.sec_pet=5 androidboot.debug_level=0x4f4c [email protected] [email protected] [email protected] s3cfb.bootloaderfb=0x5ec00000 lcdtype=96 consoleblank=0 lpj=3981312 vmalloc=176m oops=panic pmic_info=67 cordon=471c411f44a4d1cb9c99510ec7e578a1 connie=GT-I9305_OPEN_EUR_10e569b8255514f00b8793d908e78a26 androidboot.emmc_checksum=3 androidboot.boot_salescode= androidboot.odin_download=1 androidboot.bootloader=I9305XXUFNI3 androidboot.selinux=enforcing androidboot.warranty_bit=1 androidboot.sec_atd.tty=/dev/ttySAC2 androidboot.serialno=42f74a00abd19f03 snd_soc_core.pmdown_time=1000'
ATAG_NONE: 0 0
Starting kernel at 0x40008000...
SWITCH_SEL(3)
p.a.n said:
There is a simple solution (or hack to be more precise) to this and I believe I`ve also described it somewhere here - open the ks binary with some binary editor, find the connect string (it should be there twice) and replace it something else with the same length (I used xonnect).
This is a linker related problem, ks contains symbol connect, which replaces connect from libc (I hope it is there, if not it is some other system library), but with a totally different functionality, which causes a crash. Don`t ask me why this is happening in one environment and in other (the old one), I don`t know.
Click to expand...
Click to collapse
Thanks for hint, I know that you don't work on i9305 anymore. Isn't that connect that comes internally in ks used somewhere ? After all they had to have a reason to place an internal function like that. After you left the development, it seems that the current ks that is being used in LineageOS based roms seems to be taken from other device. The current situation is as follows: the modem crashes from time to time, ks during that crash is having issues during SAHARA protocol file transfer. I don't know whether it is the modem that causes the ks crash, or ks that causes modem crash.
rodman01 said:
Maybe this last_kmsg looks better now?
Click to expand...
Click to collapse
The pasted log contains only what happened after reboot. It shows the next boot. If you wanted to show a crash, it isn't saved. It could be truncated, because last_kmsg has limited buffer (for most of the modem issues it was just too small to show everything). You can use the methods to capture logs I posted somewhere else.
yes I noticed this too after pulling another one.
But with my current used blobs I do not have that:
Code:
<6>[ 184.685425] c0 ap2mdm_errfatal is high
anymore, but still reboots and:
Code:
<6>[ 1581.571051] c0 mdm_subsys_powerup: mdm modem restart timed out.
<0>[ 1581.571210] c0 Kernel panic - not syncing: subsystem_restart_wq_func[eac9d720]: Failed to powerup external_modem!
rodman01 said:
yes I noticed this too after pulling another one.
But with my current used blobs I do not have that:
Code:
<6>[ 184.685425] c0 ap2mdm_errfatal is high
anymore, but still reboots and:
Code:
<6>[ 1581.571051] c0 mdm_subsys_powerup: mdm modem restart timed out.
<0>[ 1581.571210] c0 Kernel panic - not syncing: subsystem_restart_wq_func[eac9d720]: Failed to powerup external_modem!
Click to expand...
Click to collapse
Still not good. Have you tried modyfing the stock ks as @p.a.n wrote ? I think that the blobs can be swapped on already installed Android, without recompiling everything. Doing adb push should work too. Something like: adb root, adb remount, adb push, reboot.
I know that this is not good.
No I haven't, I have no such editor and haven't searched for it. Have you tried that already?
rodman01 said:
I know that this is not good.
No I haven't, I have no such editor and haven't searched for it. Have you tried that already?
Click to expand...
Click to collapse
Any hex editor should be enough (for Windows you could try https://mh-nexus.de/en/hxd/ ). I haven't tried yet, I returned to stock rom.
mtr_ said:
Thanks for hint, I know that you don't work on i9305 anymore. Isn't that connect that comes internally in ks used somewhere ? After all they had to have a reason to place an internal function like that. After you left the development, it seems that the current ks that is being used in LineageOS based roms seems to be taken from other device. The current situation is as follows: the modem crashes from time to time, ks during that crash is having issues during SAHARA protocol file transfer. I don't know whether it is the modem that causes the ks crash, or ks that causes modem crash.
Click to expand...
Click to collapse
I actually do work on it, just don`t publish, since I was under impression that the official version is fine and the problem you are describing here is caused by old version of modem. I didn`t want to change it, so I solved the problem by using the KitKat RIL with the modification I mentioned.
As far as I know the connect symbol in the ks binary is used only internaly (and shouldn`t be exported at all). It seems like a simple name colision, which was handled differently in KitKat. I`ve been using the modified ks for a long time and it doesn`t seem to have any negative side effect.
I`ll try to put together all the changes against the official code I have and publish again some of my builds. LineageOS 14.1 is quite stable on my device, so I hope this will help you. I just cannnot promise, when this will be, since I am pretty bussy now (more I`ve ever been).
I am uploading at the moment a new test build, where in my logcat no at distributor error and no SIGABRT error or message is to be seen at the moment. Maybe someone is around who is willing to test it....?!?
New test build is uploaded now.
Its based on todays leos sources and nameless/crazyweasel 3.0 vendor/blobs.
Download
lineage-14.1-20170621-UNOFFICIAL-i9305-hwc.zip: https://www.androidfilehost.com/?fid=673368273298966239
Please report back about reboots and or any other error or bug.
GPS is fixed and should work now.
p.a.n said:
I actually do work on it, just don`t publish, since I was under impression that the official version is fine and the problem you are describing here is caused by old version of modem. I didn`t want to change it, so I solved the problem by using the KitKat RIL with the modification I mentioned.
Click to expand...
Click to collapse
Lucky. It seems that by doing that you avoided the RIL problems (and thus saved time ). The thing worth mentioning is that there are quite new stock releases available (I9305XXSFQ series).
rodman01 said:
New test build is uploaded now.
Its based on todays leos sources and nameless/crazyweasel 3.0 vendor/blobs.
Please report back about bootloops and or any other error or bug.
GPS is fixed and should work now.
Click to expand...
Click to collapse
Tested, unfortunately bootloops. Did you try it after a dirty flash or a clean one ?
I made a non hwc build with https://github.com/CrazyWeasel/proprietary_vendor_samsung/tree/n-3.0/i9305 and modified ks from https://github.com/p-an/android_device_samsung_i9305/blob/cm-14.1/proprietary/system/bin/ks . ks works, at_distributor doesn't whine about missing symbol, but that it can't connect to ATD.
Code:
06-22 04:24:28.916 5290 5290 V AT_Distributor_diag: can't connect to atd socket
06-22 04:24:29.046 5293 5293 V AT_Distributor_diag: ConnectToATD
I was running the build for an hour, so not long enough to tell whether the modem issue appears. 4:50 AM, time to get back to stock
I had a reboot during the night too. And now, since the last half an hour, several reboots again. So I would say, this test version is almost unusable at the moment. Did a clean flash after changing to crazyweasel blobs.
Code:
[I]DISCLAIMER[/I]
All information and files — both in source and compiled form — are provided on an as is basis. No guarantees or warranties are given or implied. The user assumes all risks of any damages that may occur, including but not limited to loss of data, damages to hardware, or loss of business profits. Please use at your own risk. Note that unless explicitly allowed by the warranty covering your device, it should be assumed that any warranty accompanying your device will be voided if you tamper with either the system software or the hardware.
Introduction
This is my unofficial build of LineageOS 14.1 for the ZTE Blade S6 aka P839f30.
This is a beta release, so just some basic functions will be given.
I have tested this version with my AS variant device. Other variants have to be tested.
Click to expand...
Click to collapse
Features
working:
ril: calls, sms, data.
wifi: good.
sensors
gps
sound: clear and loud.
camera: rear and front.
torch
headphone detection
flash is working in new test builds.
not working:
We have to test to find more.
Click to expand...
Click to collapse
Installation instructions
It is best to have installed the latest stock rom beforehand, so modem and all other vendor stuff is up to date.
If you like you can use this mod to have a unified data partition, please proceed with caution.
You will need TWRP or any other custom recovery.
Reboot into recovery and do a nand backup.
Do a factory format.
Download Rom and put it on your phone or use adb sideload.
Install the rom and then clear cache and dalvik cache.
optional: install su and/or gapps.
optional: install your favourite kernel tool and set the cpu governor to interactive for example - do not use performance it will drain your battery, while you are using your device - not for the new test builds.
Click to expand...
Click to collapse
Changelog:
11.10.2018 - test build:
update los sources, security patch level 05.09.
04.03.2018:
make flashlight work.
integrate headphone detection.
update los sources, security patch level 05.02.
14.06.2018 - test build:
flashlight works also in stock camera.
governor are set by the system, no need to set them.
cores are managed by the system, shuting down and launching them one by one. This should save energy.
back and menu button can be toggled in the settings -> additional buttons.
Using stock venus files, video recording is working also hd playback should be fine.
Update sensor hub firmware to version 2.8.
update los sources, security patch level 05.06.
13.02.2018:
rebasing lots of things like kernel and device tree and using different vendor blobs.
Thus wifi signal is great and the microphone is better.
update los sources, security patch level 05.01.
22.11.2017:
reboot to recovery, download mode and power off should work fine now.
update los sources, security patch level 06.11.
19.10.2017:
device reboot fixed, no reboot if the device attempts to suspend.
wifi signal strength is better now.
5GHz wifi support is activated - to be tested.
remove nfc things.
Click to expand...
Click to collapse
Downloads
test build - 11.10.2018:
Google Drive
beta version - 04.03.2018:
Google Drive
If you want root use the lineage addon package found here - download arm version.
Install it after flashing the rom or download your favourite root package and install it.
Sources
device
vendor
kernel
Click to expand...
Click to collapse
FAQ
Here you will find some answers to common question which could arise.
Q: How to give root access to an app or adb?
A: First install the su extra package from Lineage OS or any other su tool you like. Then go into settings and about device, click there multiple times on the build number until you unlocked the developer options. Go to developer options and look for root access.
Q: I thing I found an issue, what to do now?
A: Do a logcat or grab a dmesg while having the issue, otherwise we can't say what is happening. Report as much info as possible. Quote your stock rom your device shipped with or which device variant you possess.
Click to expand...
Click to collapse
XDA:DevDB Information
Unofficial LineageOS 14.1 [NJH47F] P839F30, ROM for all devices (see above for details)
Contributors
lightwars
ROM OS Version: 7.x Nougat
ROM Kernel: Linux 3.10.x
Based On: LineageOS 14.1
Version Information
Status: Beta
Current Beta Version: NJH47F
Beta Release Date: 2018-10-11
Created 2017-09-21
Last Updated 2018-10-11
Awesome, lightwars. Thank you for this Rom and the work you put into it.
I installed it on my EU Blade S6 and can confirm your points on working / non-working.
A couple additional points I discovered so far:
- phone reboots regulary after a couple of minutes (I did a couple of tests cycles with phone going to standby after 1 m inute and switching the phone "off"):
- reboots after 1.5, 2 and 3 minutes with phone going to standby after 1 minute
- reboots after 8.5 and 9 minutes if phone is switched off (standby)
- not able to turn phone off, shutdown and reboot both trigger reboot (with shutdown phone seems to stay "off" a little bit longer than with reboot)
- Wifi has weak signal, but works.
- Wifi only available for 2.4 Ghz, I haven't used the phone for a while, but believe it Supports 5 Ghz as well. Maybe that is connected to the weak 2.4 Ghz signal as well.
- could not get any GPS lock, even location using WLAN and mobile broadcast did not work.
- Screen Mirroring not working, I believe connected to the Wifi issues as well.
- NFC is shown in Settings, but not possible to activate (does the S6 even has NFC?)
Apart from that everything it working great. The phone feels way faster than in stock Rom, videos play smoothly in 720p, 3d performance seemed ok (only tried Google earth, that was way better than in stock rom).
Only issue preventing me from using the phone are the reboots.
Again thank you very much for your great work. Please let me know, if I can help with anything.
xris99 said:
I installed it on my EU Blade S6 and can confirm your points on working / non-working.
A couple additional points I discovered so far:
- phone reboots regulary after a couple of minutes (I did a couple of tests cycles with phone going to standby after 1 m inute and switching the phone "off"):
- reboots after 1.5, 2 and 3 minutes with phone going to standby after 1 minute
- reboots after 8.5 and 9 minutes if phone is switched off (standby)
- not able to turn phone off, shutdown and reboot both trigger reboot (with shutdown phone seems to stay "off" a little bit longer than with reboot)
- Wifi has weak signal, but works.
- Wifi only available for 2.4 Ghz, I haven't used the phone for a while, but believe it Supports 5 Ghz as well. Maybe that is connected to the weak 2.4 Ghz signal as well.
- could not get any GPS lock, even location using WLAN and mobile broadcast did not work.
- Screen Mirroring not working, I believe connected to the Wifi issues as well.
- NFC is shown in Settings, but not possible to activate (does the S6 even has NFC?)
Click to expand...
Click to collapse
It's good to hear, that this rom also work for the EU variant. Before,we have used different kernels...
Sadly I had discovered the reboots also. Thanks for doing some more testing.:good:
Will get some logs to see,if we could do something easily about it. Thought that it coul be related to just some kernel config mismatches, but it don't have to...
NFC is just left over from the starting point... It will be removed, but a little bit curious, that some variants have NFC support activated in the kernel config...
Out of curiousity, have you checked the GPS.conf? I've always had trouble with GPS on this phone but have got it mostly working after lots of fiddling, so I could post if that would be helpful.
xris99 said:
Awesome, lightwars. Thank you for this Rom and the work you put into it.
I installed it on my EU Blade S6 and can confirm your points on working / non-working.
A couple additional points I discovered so far:
- phone reboots regulary after a couple of minutes (I did a couple of tests cycles with phone going to standby after 1 m inute and switching the phone "off"):
- reboots after 1.5, 2 and 3 minutes with phone going to standby after 1 minute
- reboots after 8.5 and 9 minutes if phone is switched off (standby)
- not able to turn phone off, shutdown and reboot both trigger reboot (with shutdown phone seems to stay "off" a little bit longer than with reboot)
- Wifi has weak signal, but works.
- Wifi only available for 2.4 Ghz, I haven't used the phone for a while, but believe it Supports 5 Ghz as well. Maybe that is connected to the weak 2.4 Ghz signal as well.
- could not get any GPS lock, even location using WLAN and mobile broadcast did not work.
- Screen Mirroring not working, I believe connected to the Wifi issues as well.
- NFC is shown in Settings, but not possible to activate (does the S6 even has NFC?)
Apart from that everything it working great. The phone feels way faster than in stock Rom, videos play smoothly in 720p, 3d performance seemed ok (only tried Google earth, that was way better than in stock rom).
Only issue preventing me from using the phone are the reboots.
Again thank you very much for your great work. Please let me know, if I can help with anything.
Click to expand...
Click to collapse
Willing you on for success with this.
I have an EU model which I'd like to install this on once it's functional enough (my regular daily phone).
I also have an old AS model that I may be able to revive for testing purposes (backlight failing intermittently after I dropped it, possibly a loose connection).
Thank you for trying lightwars. You are the only one who work for zte blade s6. I hope you build a stable version soon.
; Wow, many thanks @lightwars !!!
Hopefully soon you'll be have a stable on, that's my hope from ID version...
Regards,
Killermonk
Ok guys i want to install this rom but i cant. I cant find a tutorial here how to root the device. I try to install the recovery [RECOVERY][p839f30 / ZTE Blade S6] UNOFFICIAL TWRP [3.1.0-0] first but i failed too. There is a full guide how to do this? And if I install this there is a way back to the stock rom. Thanks.
@lagos911, rooting is easy. Just use Mobilego like in this video https://www.youtube.com/watch?v=dPDbAdm7B1c
Installing recovery isn't hard either. http://konstakang.com/devices/blades6/TWRP/
It is possible that the adress of the sdcard is different. (For example: sdcard0 in stead of sdcard), use the correct adress.
i install the rom at my phone (eu version) I get black screen after the install for 3 minites and then the device is shuting down.
What I do wrong? I wipe the device and I install the rom from my external sdcard.
lagos911 said:
i install the rom at my phone (eu version) I get black screen after the install for 3 minites and then the device is shuting down.
What I do wrong? I wipe the device and I install the rom from my external sdcard.
Click to expand...
Click to collapse
After installing the rom and you push reboot system, if the black screen (download mode probably) appears, hold the power button until the phone vibrates and reboots.
Now the ZTE splash screen should come up and the phone should boot hopefully.
lightwars said:
After installing the rom and you push reboot system, if the black screen (download mode probably) appears, hold the power button until the phone vibrates and reboots.
Now the ZTE splash screen should come up and the phone should boot hopefully.
Click to expand...
Click to collapse
Yes I do that some times from the second time and after because i didnt want to wait. But black screen continues to appear.
I rewipe (all king of wipes) and reinstall the rom 5 times but nothing happend.
I install the old rom because i was needed the phone. Phone start to loop reboot when I found out the bootfix and now its OK.
Maybe I try lineageOS 14.1 again at the weekend.
So I try to install the rom yesterday. I keep get the black screen after the I reboot the phone. This time I install the fix boot EU from the cyanogen rom. I reboot the phone and I saw the animation boot logo. I think I did it but the animation never go away. I let the phone for 30 minites but i never saw the menu of the new android.
lagos911 said:
So I try to install the rom yesterday. I keep get the black screen after the I reboot the phone. This time I install the fix boot EU from the cyanogen rom. I reboot the phone and I saw the animation boot logo. I think I did it but the animation never go away. I let the phone for 30 minites but i never saw the menu of the new android.
Click to expand...
Click to collapse
Ok, so we've got some problems with EU devices... maybe there are more variants, I'm think of EU, DE, UK, ES, PT and who knows... Could be small differences have an impact here...
To say it clearly to install the boot EU fix from the CM-12.1 thread has installed an other boot image for your phone which have kernel which will not work with nougat.
But anyway I believe I know why the device reboots itself, cause it can't suspend itself in the right manner. Let me show you a kernel log, how it should be:
Code:
<6>[ 189.766084] PM: suspend entry 2017-10-13 04:49:15.725432575 UTC
<6>[ 189.767479] mmc1: Starting deferred resume
<6>[ 189.767983] mmc0: Starting deferred resume
<6>[ 189.861591] mmc0: Deferred resume completed
<6>[ 189.907006] mmc1: Deferred resume completed
<6>[ 189.766118] PM: Syncing filesystems ... done.
<3>[ 189.999154] Error: returning -512 value
<6>[ 189.998043] Freezing user space processes ... (elapsed 0.008 seconds) done.
<6>[ 190.006568] Freezing remaining freezable tasks ... (elapsed 0.005 seconds) done.
<6>[ 190.011790] Suspending console(s) (use no_console_suspend to debug)
<6>[ 190.018262] [AK4375] ak4375_suspend(1402)
<6>[ 190.025845] [TP:CORE]Enter fb_notifier_callback.
<6>[ 190.025845]
<6>[ 190.025892] [TP:CORE]Enter fb_notifier_callback.
<6>[ 190.025892]
<7>[ 190.034218] --CWMCU--CWMCU_suspend
<6>[ 190.046580] PM: suspend of devices complete after 33.038 msecs
<6>[ 190.048343] PM: late suspend of devices complete after 1.737 msecs
<6>[ 190.053764] PM: noirq suspend of devices complete after 5.409 msecs
<6>[ 190.053774] Disabling non-boot CPUs ...
<6>[ 190.081114] CPU0:msm_cpu_pm_enter_sleep mode:3 during suspend
...
<6>[ 400.663545] Enabling non-boot CPUs ...
<6>[ 400.664692] CPU1 is up
<6>[ 400.665735] CPU2 is up
<6>[ 400.666779] CPU3 is up
<6>[ 400.668230] CPU4 is up
<6>[ 400.669120] CPU5 is up
<6>[ 400.670027] CPU6 is up
<6>[ 400.670974] CPU7 is up
<6>[ 400.671561] PM: noirq resume of devices complete after 0.570 msecs
<6>[ 400.672983] PM: early resume of devices complete after 0.796 msecs
<7>[ 400.679137] --CWMCU--CWMCU_resume
<6>[ 400.689515] PM: resume of devices complete after 16.510 msecs
<6>[ 400.690769] runin_work:BatteryTestStatus_enable = 0 chip->usb_present = 0
<6>[ 400.690573] Restarting tasks ... done.
<6>[ 400.696613] PM: suspend exit 2017-10-13 05:59:11.279104088 UTC
But at the moment the device hangs up while trying to freeze the user space processes and fails.
I found that there is a problem with the device tree image of the kernel, so using the stock one everything is well.
I will make changes and a new version will appear soon.
In the meantime please try out flashing this bootimages after installing LOS-14.1:
Boot - LOS-14.1 standard image(AS)
Boot EU -LOS-14.1
Hopefully one of these works and the reboot issue shouldn't happen also.
lightwars said:
Ok, so we've got some problems with EU devices... maybe there are more variants, I'm think of EU, DE, UK, ES, PT and who knows... Could be small differences have an impact here...
To say it clearly to install the boot EU fix from the CM-12.1 thread has installed an other boot image for your phone which have kernel which will not work with nougat.
But anyway I believe I know why the device reboots itself, cause it can't suspend itself in the right manner. Let me show you a kernel log, how it should be:
Code:
<6>[ 189.766084] PM: suspend entry 2017-10-13 04:49:15.725432575 UTC
<6>[ 189.767479] mmc1: Starting deferred resume
<6>[ 189.767983] mmc0: Starting deferred resume
<6>[ 189.861591] mmc0: Deferred resume completed
<6>[ 189.907006] mmc1: Deferred resume completed
<6>[ 189.766118] PM: Syncing filesystems ... done.
<3>[ 189.999154] Error: returning -512 value
<6>[ 189.998043] Freezing user space processes ... (elapsed 0.008 seconds) done.
<6>[ 190.006568] Freezing remaining freezable tasks ... (elapsed 0.005 seconds) done.
<6>[ 190.011790] Suspending console(s) (use no_console_suspend to debug)
<6>[ 190.018262] [AK4375] ak4375_suspend(1402)
<6>[ 190.025845] [TP:CORE]Enter fb_notifier_callback.
<6>[ 190.025845]
<6>[ 190.025892] [TP:CORE]Enter fb_notifier_callback.
<6>[ 190.025892]
<7>[ 190.034218] --CWMCU--CWMCU_suspend
<6>[ 190.046580] PM: suspend of devices complete after 33.038 msecs
<6>[ 190.048343] PM: late suspend of devices complete after 1.737 msecs
<6>[ 190.053764] PM: noirq suspend of devices complete after 5.409 msecs
<6>[ 190.053774] Disabling non-boot CPUs ...
<6>[ 190.081114] CPU0:msm_cpu_pm_enter_sleep mode:3 during suspend
...
<6>[ 400.663545] Enabling non-boot CPUs ...
<6>[ 400.664692] CPU1 is up
<6>[ 400.665735] CPU2 is up
<6>[ 400.666779] CPU3 is up
<6>[ 400.668230] CPU4 is up
<6>[ 400.669120] CPU5 is up
<6>[ 400.670027] CPU6 is up
<6>[ 400.670974] CPU7 is up
<6>[ 400.671561] PM: noirq resume of devices complete after 0.570 msecs
<6>[ 400.672983] PM: early resume of devices complete after 0.796 msecs
<7>[ 400.679137] --CWMCU--CWMCU_resume
<6>[ 400.689515] PM: resume of devices complete after 16.510 msecs
<6>[ 400.690769] runin_work:BatteryTestStatus_enable = 0 chip->usb_present = 0
<6>[ 400.690573] Restarting tasks ... done.
<6>[ 400.696613] PM: suspend exit 2017-10-13 05:59:11.279104088 UTC
But at the moment the device hangs up while trying to freeze the user space processes and fails.
I found that there is a problem with the device tree image of the kernel, so using the stock one everything is well.
I will make changes and a new version will appear soon.
In the meantime please try out flashing this bootimages after installing LOS-14.1:
Boot - LOS-14.1 standard image(AS)
Boot EU -LOS-14.1
Hopefully one of these works and the reboot issue shouldn't happen also.
Click to expand...
Click to collapse
I try to install the boot but file is corrupted
lagos911 said:
I try to install the boot but file is corrupted
Click to expand...
Click to collapse
I downloaded both files and they install just fine.
You have to switch from ZIP installing to image installing at the install dialog from twrp the button at the bottom right.
lightwars said:
I downloaded both files and they install just fine.
You have to switch from ZIP installing to image installing at the install dialog from twrp the button at the bottom right.
Click to expand...
Click to collapse
Yea i didnt know that with the image flashing. Thanks.
Actually I did it and I install the rom with your boot EU fix. No big diffrents at the interface from the 12.1 cm.
I dont working a lot with lineageOS but many thinks dont work. I enable wifi and disable automatic. Flashlight and some other thinks.
I hope you build a stable rom.
P.S. Now i have install the CM12.1 and when I try to enter the bootloader the device stuck.
Also I try to delete some system apps with ES explorer PRO and I get that my device its not rooted.
I have done something wrong with the rooting?
lagos911 said:
P.S. Now i have install the CM12.1 and when I try to enter the bootloader the device stuck.
Also I try to delete some system apps with ES explorer PRO and I get that my device its not rooted.
I have done something wrong with the rooting?
Click to expand...
Click to collapse
I am not sure I can follow your description... What means stuck? bootloader displays just a black screen.
Normally you can activate root in the developer settings, which are displayed after clicking serveral times on the build number. There you will find an option to enable/disable root for apps and adb.
Or if you prefer other tools like supersu install it first, then try again.
Remember to ask question for CM12.1 inside the appropriate thread.
Sorry for the wrong topic. I didint know that the bootloader appearing a black screen. Usually they have a menu.
I forgot to mention that the option for root explorer at ES explorer PRO you can activated from here.
{
"lightbox_close": "Close",
"lightbox_next": "Next",
"lightbox_previous": "Previous",
"lightbox_error": "The requested content cannot be loaded. Please try again later.",
"lightbox_start_slideshow": "Start slideshow",
"lightbox_stop_slideshow": "Stop slideshow",
"lightbox_full_screen": "Full screen",
"lightbox_thumbnails": "Thumbnails",
"lightbox_download": "Download",
"lightbox_share": "Share",
"lightbox_zoom": "Zoom",
"lightbox_new_window": "New window",
"lightbox_toggle_sidebar": "Toggle sidebar"
}
Please help :/
I've installed this onto my zte blade s6 but my internet doesn't turn on on the phone and I flashed the eu fix by lightwars on my recovery so now i don't have a recovery and my phone isn't rooted. PLEASE HELP.