Updated.
Disclaimer: I am not responsible for anything you do, and what works for me may not work for you. To start, I am running CyanogenMod 10 on a Sprint Galaxy S III, rooted, with busybox and whatever else you may need.
First :Anything being done on the PC is being done on Kali Linux:
Create a custom kali.img as per http://docs.kali.org/armel-armhf/kali-linux-arm-chroot without a desktop, as it's not needed. I tried to make a list of packages you can use to have them get installed during the process, and have posted it here; alternatively, one can run apt-get install and then copy and paste the list into the command line over ADB, or use the "testautokimg.sh" if you have trouble making one on your own. I'd rather have you make one than upload one and have everybody worry about rootkits and other evils. This script is set up to be used for this purpose, but the img may also be used as a normal img to chroot into.
Second
Push the kali.img file to your phone, to "/storage/sdcard0/kali"; make a folder called "/storage/sdcard0/kali" if one does not exist on your internal sdcard. This is the root of your internal storage, not the root of your phone. If you don't have space on your internal sdcard you can put it on an external one, but a few lines of code will need to be changed in the script that is currently named "test.sh", as everything is still experimental.
I am still working on the script and will update it as often as I can.
Third
Download and move test.sh to "/system/bin/" and then make it executable
If you have trouble with this try on your phone or over ADB:
Code:
su
mount -wo remount systemfs /system
cp -i [location you pushed test.sh to] /system/bin
chmod 0755 /system/bin/test.sh
Then execute test.sh with:
Code:
test.sh
When it asks you if you would like to overwrite, choose no for now. You should get a new prompt; go ahead and use the 'set' command to check your PATH variable and also 'which nmap' to make sure everything is available. You should now be able to explore the experimental Kali-Android hybrid system. Hope you enjoy.
Please don't hesitate to improve on this with sanity checks and error handling; posting the improvements would be great. Ultimately I am going to get this all set up in the boot.img, effectively making the mod persistent across reboots. As it is, a reboot will clean the changes, which is a good thing for now. Some config, .rc, and other types of files clash in the etc folder, but for now I haven't noticed too much harm from mounting the etc directory to Android's root (again, this is my experience), but for safety's sake each device will eventually need to have those clashing files patched up to allow both systems the configurations they need to be in sync. Also the "linker" I think may not be right; to get it seamless I think the systems need to be built from scratch together. But hey, I think this is a great place to start.
[Edit Aug 3, 2013] I finally got around to looking through the etc dir; less work than I thought, with a fresh kali.img anyway. I just added a couple of lines: before mounting to Android's root we have to make sure some files will still be available afterwards. This should only need to be done once, as they won't get deleted off the kali.img file, but since it's interactive you can choose not to overwrite, or if Android updated you can overwrite if you choose to. Just make sure you note which files conflict and at least 'cat' their contents and see which one you want, if you're not going to make a new one that handles any options that are on one but not the other.
[Edit Aug 4, 2013](1) I uploaded a script to automate the kali.img creation. (2) I changed HOME="/sdcard" in test.sh
READ ME STILL DEBUGGING!
[About 'testautokimg.sh'] (1) Download (2) rename to "testautokimg.sh" (3) make executable (chmod +x ./testautokimg.sh) (4) Before executing, make sure to rename or delete any existing ~/arm-stuff directory, run while logged in as root, and make sure debootstrap and qemu-user-static are installed.
NOTE: Because a large number of programs are being installed, this will take several hours; make sure you have the time to babysit things as it runs!
This will install a lot of programs and create the kali.img file in ~/arm-stuff/image directory, once complete push it to your device. I think the standard location for the img file is /storage/sdcard0/kali/kali.img if you put it on an external sdcard for whatever reason be sure to modify the mounting script "test.sh"
Updated
The List:
"""
wol-e xprobe dmitry netdiscover miranda casefile creepy jigsaw metagoofil theharvester twofi urlcrazy netmask nbtscan smtp-user-enum braa cisco-auditing-tool onesixtyone sslcaudit ssldump sslh sslscan sslsniff sslstrip sslyze stunnel4 tlssled cdpsnarf p0f tcpflow enumiax ike-scan cisco-auditing-tool bbqsql dbpwaudit hexorbase oscanner sidguesser sqlmap sqlninja sqlsus tnscmd10g bed fuzz powerfuzzer sfuzz siparmyknife lynis nikto unix-privesc-check openvas blindelephant plecost wpscan bbqsql sqlninja sqlsus ua-tester burpsuite powerfuzzer webscarab webslayer websploit wfuzz xsser paros proxystrike apache-users dirb dirbuster cadaver davtest deblaze fimap grabber joomscan padbuster proxystrike skipfish sqlmap w3af wapiti webshag websploit wpscan xsser pyrit chntpw crunch hash-identifier john johnny ophcrack-cli rsmangler samdump2 sipcrack sucrack truecrack cewl dbpwaudit findmyhash hydra medusa ncrack onesixtyone wireshark patator phrasendrescher thc-pptp-bruter zaproxy bluelog blueranger btscanner spooftooph mfcuk mfoc asleap cowpatty eapmd5pass fern-wifi-cracker giskismet kismet mdk3 wifi-honey wifitap wifite cisco-global-exploiter cisco-ocs cisco-torch yersinia ikat jboss-autopwn termineter darkstat dnschef hexinject sslsniff tcpflow fake fiked macchanger rebind sniffjoke tcpreplay iaxflood inviteflood ohrwurm protos-sip rtpbreak rtpflood sipp sipsak voiphopper driftnet ferret mitmproxy dbd intersect powersploit sbd u3-pwn cryptcat iodine miredo proxychains proxytunnel ptunnel pwnat sbd socat sslh stunnel4 webacoo weevely jad clang clang++ flasm javasnoop radare2 dhcpig inundator siege iaxflood thc-ssl-dos mdk3 reaver dex2jar smali extundelete autopsy binwalk foremost galleta sleuthkit missidentify pdgmail readpst reglookup vinetto magicrescue pasco pev recoverjpeg rifiuti2 safecopy scalpel scrounge-ntfs md5deep dc3dd dcfldd ddrescue dff chntpw pdf-parser peepdf volafox volatility casefile magictree metagoofil truecrypt cutycapt dnsenum dnsrecon dnstracer dnswalk 
fierce urlcrazy fragroute fragrouter arping cdpsnarf dmitry fping hping3 miranda netdiscover aircrack-ng android-sdk
"""
Bug
I created a plain jane kali.img as per the documentation at Kali's website, then I ran the 'test.sh' script and then ran the apt-get install command with the list and this is the result, I got an error at the end about PostgreSQL not working, any advice?
Code:
localhost / # apt-get install wol-e xprobe dmitry netdiscover miranda casefile creepy jigsaw maltego metagoofil theharvester twofi urlcrazy netmask nbtscan smtp-user-enum braa cisco-auditing-tool onesixtyone sslcaudit ssldump sslh sslscan sslsniff sslstrip sslyze stunnel4 tlssled cdpsnarf p0f tcpflow enumiax ike-scan cisco-auditing-tool bbqsql dbpwaudit hexorbase oscanner sidguesser sqlmap sqlninja sqlsus tnscmd10g bed fuzz powerfuzzer sfuzz siparmyknife lynis nikto unix-privesc-check openvas blindelephant plecost wpscan bbqsql sqlninja sqlsus ua-tester burpsuite powerfuzzer webscarab webslayer websploit wfuzz xsser paros proxystrike apache-users dirb dirbuster cadaver davtest deblaze fimap grabber joomscan padbuster proxystrike skipfish sqlmap w3af wapiti webshag websploit wpscan xsser pyrit chntpw crunch hash-identifier john johnny ophcrack-cli rsmangler samdump2 sipcrack sucrack truecrack cewl dbpwaudit findmyhash hydra medusa ncrack onesixtyone wireshark patator phrasendrescher thc-pptp-bruter zaproxy bluelog blueranger btscanner spooftooph mfcuk mfoc asleap cowpatty eapmd5pass fern-wifi-cracker giskismet kismet mdk3 wifi-honey wifitap wifite cisco-global-exploiter cisco-ocs cisco-torch yersinia ikat jboss-autopwn termineter darkstat dnschef hexinject sslsniff tcpflow fake fiked macchanger rebind sniffjoke tcpreplay iaxflood inviteflood ohrwurm protos-sip rtpbreak rtpflood sipp sipsak voiphopper driftnet ferret mitmproxy dbd intersect powersploit sbd u3-pwn cryptcat iodine miredo proxychains proxytunnel ptunnel pwnat sbd socat sslh stunnel4 webacoo weevely jad clang clang++ flasm javasnoop radare2 dhcpig inundator siege iaxflood thc-ssl-dos mdk3 reaver dex2jar smali extundelete autopsy binwalk foremost galleta sleuthkit missidentify pdgmail readpst reglookup vinetto magicrescue pasco pev recoverjpeg rifiuti2 safecopy scalpel scrounge-ntfs md5deep dc3dd dcfldd ddrescue dff chntpw pdf-parser peepdf volafox volatility casefile magictree metagoofil truecrypt 
cutycapt dnsenum dnsrecon dnstracer dnswalk fierce urlcrazy fragroute fragrouter arping cdpsnarf dmitry fping hping3 miranda netdiscover
Reading package lists... Done
Building dependency tree
Reading state information... Done
Note, selecting 'libclang-common-dev' for regex 'clang+'
Note, selecting 'libclang1' for regex 'clang+'
Note, selecting 'libclang-dev' for regex 'clang+'
Note, selecting 'clang' for regex 'clang+'
Note, selecting 'libsclang1' for regex 'clang+'
reaver is already the newest version.
The following extra packages will be installed:
apache2 apache2-mpm-worker apache2-utils apache2.2-bin apache2.2-common arj
aspell aspell-en bind9-host binfmt-support bkhive blt bluez brasero
brasero-common bwidget ca-certificates-java cdrdao comerr-dev cryptsetup-bin
default-jdk default-jre default-jre-headless desktop-file-utils
dictionaries-common dmsetup dnsutils dosfstools dsniff ed eject enchant
firebird2.5-common firebird2.5-common-doc fonts-droid fonts-freefont-ttf
fonts-liberation fonts-lyx freepats freetds-common fuse gccxml gcr
geoip-database gir1.2-atk-1.0 gir1.2-clutter-1.0 gir1.2-clutter-gst-1.0
gir1.2-cogl-1.0 gir1.2-coglpango-1.0 gir1.2-evince-3.0 gir1.2-freedesktop
...[...]...[...]...
xfonts-cyrillic
Recommended packages:
firmware-mod-kit vbetool wish
The following NEW packages will be installed:
apache-users apache2 apache2-mpm-worker apache2-utils apache2.2-bin
apache2.2-common arj arping asleap aspell aspell-en autopsy bbqsql bed
bind9-host binfmt-support binwalk bkhive blindelephant blt bluelog
blueranger bluez braa brasero brasero-common btscanner burpsuite bwidget
ca-certificates-java cadaver casefile cdpsnarf cdrdao cewl chntpw
...[...]...[...]...
The following packages will be upgraded:
libgcrypt11
1 upgraded, 1049 newly installed, 0 to remove and 2 not upgraded.
2 not fully installed or removed.
Need to get 983 MB of archives.
After this operation, 2200 MB of additional disk space will be used.
Do you want to continue [Y/n]? Y
Get:1 http://http.kali.org/kali/ kali/main libevent-2.0-5 armhf 2.0.19-stable-3 [152 kB]
Get:2 http://security.kali.org/kali-security/ kali/updates/main libgcrypt11 armhf 1.5.0-5+deb7u1 [289 kB]
Get:3 http://security.kali.org/kali-security/ kali/updates/main libgssrpc4 armhf 1.10.1+dfsg-5+deb7u1 [76.5 kB]
Get:4 http://http.kali.org/kali/ kali/main libgnutls-openssl27 armhf 2.12.20-7 [216 kB]
Get:5 http://http.kali.org/kali/ kali/main libgpm2 armhf 1.20.4-6 [34.0 kB]
Get:6 http://security.kali.org/kali-security/ kali/updates/main libkadm5clnt-mit8 armhf 1.10.1+dfsg-5+deb7u1 [60.4 kB]
Get:7 http://security.kali.org/kali-security/ kali/updates/main libkdb5-6 armhf 1.10.1+dfsg-5+deb7u1 [58.8 kB]
Get:8 http://http.kali.org/kali/ kali/main libpci3 armhf 1:3.1.9-6 [51.6 kB]
Get:9 http://http.kali.org/kali/ kali/main geoip-database all 20130213-1 [1466 kB]
Get:10 http://security.kali.org/kali-security/ kali/updates/main libkadm5srv-mit8 armhf 1.10.1+dfsg-5+deb7u1 [73.0 kB]
Get:11 http://http.kali.org/kali/ kali/main libcap2-bin armhf 1:2.22-1.2 [20.7 kB]
Get:12 http://security.kali.org/kali-security/ kali/updates/main libgbm1 armhf 8.0.5-4+deb7u2 [750 kB]
Get:13 http://http.kali.org/kali/ kali/main kismet armhf 2013.03.R1b-1kali1 [1735 kB]
Get:14 http://security.kali.org/kali-security/ kali/updates/main libegl1-mesa armhf 8.0.5-4+deb7u2 [69.4 kB]
...[...]...[...]...
Get:1033 http://http.kali.org/kali/ kali/main volatility all 2.2-1kali0 [1710 kB]
Get:1034 http://http.kali.org/kali/ kali/main w3af-console all 1.1svn5547-1kali3 [9954 kB]
Get:1035 http://http.kali.org/kali/ kali/main w3af all 1.1svn5547-1kali3 [392 kB
Package configuration
sslh configuration
sslh can be run either as a service from inetd, or as a standalone
server. Each choice has its own benefits. With only a few connection per
day, it is probably better to run sslh from inetd in order to save
resources.

On the other hand, with many connections, sslh should run as a
standalone server to avoid spawning a new process for each incoming
connection.

Run sslh:

from inetd
standalone

<Ok>
(Reading database ... 55161 files and directories currently installed.)
Preparing to replace libgcrypt11:armhf 1.5.0-5 (using .../libgcrypt11_1.5.0-5+deb7u1_armhf.deb) ...
Unpacking replacement libgcrypt11:armhf ...
Selecting previously unselected package libevent-2.0-5:armhf.
Unpacking libevent-2.0-5:armhf (from .../libevent-2.0-5_2.0.19-stable-3_armhf.deb) ...
...[...]...[...]...
Selecting previously unselected package libice6:armhf.
Unpacking libice6:armhf (from .../libice6_2%3a1.0.8-2_armhf.deb) ...
Selecting previously unselected package libsm6:armhf.
Unpacking libsm6:armhf (from .../libsm6_2%3a1.2.1-2_armhf.deb) ...
Selecting previously unselected package libxt6:armhf.
Unpacking libxt6:armhf (from .../libxt6_1%3a1.1.3-1+deb7u1_armhf.deb) ...
...[...]...[...]...
Unpacking xfonts-encodings (from .../xfonts-encodings_1%3a1.0.4-1_all.deb) ...
Selecting previously unselected package xfonts-utils.
Unpacking xfonts-utils (from .../xfonts-utils_1%3a7.7~1_armhf.deb) ...
Selecting previously unselected package lmodern.
Unpacking lmodern (from .../lmodern_2.004.2-1_all.deb) ...
Selecting previously unselected package libkpathsea6.
Unpacking libkpathsea6 (from .../libkpathsea6_2012.20120628-4_armhf.deb) ...
Selecting previously unselected package luatex.
Unpacking luatex (from .../luatex_0.70.1.20120524-3_armhf.deb) ...
Selecting previously unselected package libjudydebian1.
Unpacking libjudydebian1 (from .../libjudydebian1_1.0.5-1_armhf.deb) ...
Selecting previously unselected package miredo.
Unpacking miredo (from .../miredo_1.2.3-1.1_armhf.deb) ...
Selecting previously unselected package fuse.
Unpacking fuse (from .../fuse_2.9.0-2+deb7u1_armhf.deb) ...
Processing triggers for man-db ...
Processing triggers for libglib2.0-0:armhf ...
Processing triggers for fontconfig ...
Processing triggers for hicolor-icon-theme ...
Processing triggers for initramfs-tools ...
Setting up libfuse2:armhf (2.9.0-2+deb7u1) ...
Setting up fuse (2.9.0-2+deb7u1) ...
Creating fuse group...
Adding group `fuse' (GID 111) ...
Done.
MAKEDEV not installed, skipping device node creation.
update-initramfs: deferring update (trigger activated)
Processing triggers for initramfs-tools ...
Selecting previously unselected package ntfs-3g.
(Reading database ... 61999 files and directories currently installed.)
Unpacking ntfs-3g (from .../ntfs-3g_1%3a2012.1.15AR.5-2.1_armhf.deb) ...
Selecting previously unselected package openjdk-7-jre-lib.
Unpacking openjdk-7-jre-lib (from .../openjdk-7-jre-lib_7u25-2.3.10-1~deb7u1_all.deb) ...
Selecting previously unselected package openjdk-6-jre-lib.
Unpacking openjdk-6-jre-lib (from .../openjdk-6-jre-lib_6b27-1.12.6-1~deb7u1_all.deb) ...
Selecting previously unselected package tzdata-java.
Unpacking tzdata-java (from .../tzdata-java_2013c-0wheezy1_all.deb) ...
Selecting previously unselected package java-common.
Unpacking java-common (from .../java-common_0.47_all.deb) ...
Selecting previously unselected package libnss3-1d:armhf.
Unpacking libnss3-1d:armhf (from .../libnss3-1d_2%3a3.14.3-1_armhf.deb) ...
Selecting previously unselected package openjdk-6-jre-headless:armhf.
Unpacking openjdk-6-jre-headless:armhf (from .../openjdk-6-jre-headless_6b27-1.12.6-1~deb7u1_armhf.deb) ...
Selecting previously unselected package default-jre-headless.
Unpacking default-jre-headless (from .../default-jre-headless_1%3a1.6-47_armhf.deb) ...
Selecting previously unselected package ca-certificates-java.
Unpacking ca-certificates-java (from .../ca-certificates-java_20121112+nmu2_all.deb) ...
Selecting previously unselected package openjdk-7-jre-headless:armhf.
Unpacking openjdk-7-jre-headless:armhf (from .../openjdk-7-jre-headless_7u25-2.3.10-1~deb7u1_armhf.deb) ...
Selecting previously unselected package stunnel4.
Unpacking stunnel4 (from .../stunnel4_3%3a4.53-1.1_armhf.deb) ...
...[...]...[...]...
Unpacking samba-dsdb-modules (from .../samba-dsdb-modules_2%3a4.0.6+dfsg-1kali1_armhf.deb) ...
Selecting previously unselected package samdump2.
Unpacking samdump2 (from .../samdump2_1.1.1-1.1_armhf.deb) ...
Selecting previously unselected package scalpel.
Unpacking scalpel (from .../scalpel_1.60-1_armhf.deb) ...
Selecting previously unselected package screen.
Unpacking screen (from .../screen_4.1.0~20120320gitdb59704-7_armhf.deb) ...
Processing triggers for initramfs-tools ...
Processing triggers for man-db ...
Processing triggers for ca-certificates ...
Updating certificates in /etc/ssl/certs... 0 added, 0 removed; done.
Running hooks in /etc/ca-certificates/update.d....done.
Processing triggers for fontconfig ...
Processing triggers for mime-support ...
Processing triggers for libglib2.0-0:armhf ...
Processing triggers for hicolor-icon-theme ...
Processing triggers for shared-mime-info ...
Processing triggers for install-info ...
Processing triggers for postgresql-common ...
supported_versions: WARNING: Unknown Debian release: Kali Linux 1.0
Building PostgreSQL dictionaries from installed myspell/hunspell packages...
en_us
insserv: warning: current start runlevel(s) (empty) of script `postgresql' overrides LSB defaults (2 3 4 5).
insserv: warning: current stop runlevel(s) (0 1 2 3 4 5 6) of script `postgresql' overrides LSB defaults (0 1 6).
insserv: warning: script '90userinit' missing LSB tags and overrides
insserv: warning: script '00banner' missing LSB tags and overrides
[....] Starting PostgreSQL 9.1 database server: main[....] The PostgreSQL server failed to start. Please check the log output: 2013-08-03 08:36:45 UTC LOG: could not create IPv6 socket: Permission denied 2013-08-03 08:36:45 UTC LOG: could not create IPv4 socket: Permission denied 2013-08-03 08:36:45 UTC WARNING: could not create listen socket for "localhost" 2013-08-03 08:36:45 UTC FATAL: could no[FAILate any TCP/IP sockets ... failed!
failed!
invoke-rc.d: initscript postgresql, action "start" failed.
dpkg: error processing postgresql-common (--unpack):
subprocess installed post-installation script returned error exit status 1
Processing triggers for gconf2 ...
Errors were encountered while processing:
postgresql-common
E: Sub-process /usr/bin/dpkg returned an error code (1)
localhost / #
Edit: It seems installing postgresql during the making of the img file works.
need to create a new group
Postgresql is looking for the aid_inet group which does not exist on the Kali Linux OS...this is why you are most likely getting a permission denied error.
You need to create the group aid_inet and do the following:
Step 1. Add aid_inet group
command -> groupadd -g 3003 aid_inet
Step 2. Install Postgresql 9.1
command -> apt-get install postgresql libpq-dev
Step 3. Add user postgres to group aid_inet
command -> sudo usermod -a -G aid_inet postgres
Then try -> "service postgresql restart" and all should work just fine.
Hope it helps...
-droidshadow
Hi,
I followed this tutorial: https://www.xda-developers.com/customize-battery-saver-mode-android-8-0/
And I have set my Battery Saver Mode settings as follows:
Code:
settings put global battery_saver_constants "animation_disabled=true,vibration_disabled=true,adjust_brightness_disabled=true,soundtrigger_disabled=true"
And this works perfectly.
Also I have found that those settings are stored in the file:
Code:
OnePlus6:/ # cat /data/system/users/0/settings_global.xml | grep '"battery_saver_constants"'
<setting id="528" name="battery_saver_constants" value="animation_disabled=true,vibration_disabled=true,adjust_brightness_disabled=true,soundtrigger_disabled=true" package="root" />
Unfortunately at some point those settings are being reset (maybe when phone battery percentage reaches 100%?).
How can I make those settings permanent? I have rooted my phone.
Update:
I have checked settings in the file at 22:01
Code:
OnePlus6:/ # ll /data/system/users/0/settings_global.xml
-rw------- 1 system system 15752 2018-07-09 22:01 /data/system/users/0/settings_global.xml
And the values were there. Two hours later, they are gone:
Code:
OnePlus6:/ # ll /data/system/users/0/settings_global.xml
-rw------- 1 system system 15655 2018-07-09 23:52 /data/system/users/0/settings_global.xml
OnePlus6:/ # cat /data/system/users/0/settings_global.xml | grep '"battery_saver_constants"'
<setting id="533" name="battery_saver_constants" package="com.google.android.gms" />
This guide will cover enabling a custom APN to support MVNO's (FreedomPop, Ting, etc) on your LG Urbane 2 for Android Wear 2.0.
Prerequisites:
Root watch (I recommend this thread)
ADB minimal and fastboot
Linux system
A little bit of SQL knowledge
Shoutouts:
zbask - Rooting the LG Urbane 2
majdinj - Dumping ROMs
hoodred - Changing APNs
Enable USB debugging on the watch
- Settings -> System -> About -> keep tapping Build Number until developer options are enabled
- Developer Options -> ADB Debugging
- Connect charger, then connect charger to computer
- Click "OK" on watch face for "Allow Debugging"
Extract /system from watch
The watch uses squashfs for /system, which is a compressed filesystem, and read-only, even if you have root. Therefore, it is not possible to directly make changes to /system through adb. However, we can dump the filesystem to an image, decompress it on a computer, modify it, and put it back on the watch.
Steps:
Code:
adb shell
su
ls -al /dev/block/platform/msm_sdcc.1/by-name
msm_sdcc.1 may be different on your watch. Look for this line:
Code:
lrwxrwxrwx 1 root root 21 1970-01-02 00:25 system -> /dev/block/mmcblk0p27
The watch actually has 1GB or so of internal storage. Let's dump the system file there so we can get it with adb pull.
Code:
dd if=/dev/block/mmcblk0p27 of=/sdcard/system.img
Remember to erase this file later, since it's very large and you don't want it taking up all the internal storage on your watch.
Extract telephony database from watch
The watch's telephony database is under /data. On my watch it is /data/user_de/0/com.android.providers.telephony/databases/telephony.db. Your location might vary. I found this by going to root (cd /) and typing
Code:
find | grep telephony.db
Since this file is only accessible by root, let's copy it to the sdcard as well so we can get it off.
Code:
cp /data/user_de/0/com.android.providers.telephony/databases/telephony.db /sdcard
Copy files to computer
Code:
adb pull /sdcard/system.img
adb pull /sdcard/telephony.db
On your Linux computer - modify the telephony database
We're going to put our MVNO APN into the telephony database. The telephony database is a .db file, which is sqlite3. You'll have to install sqlite3 support on your Linux computer.
Code:
sudo apt-get install sqlite3
sqlite3 telephony.db
A useful SQLite3 command is
Code:
.schema
which shows the table structure.
Code:
sqlite> select * from siminfo;
1|890XX_MY_ICC_ID__|0|CARD 1|AT&T|0|-16746133||1|1|310|170|1|1|1|1|4|0|1|1|0|1|0|1
sqlite> select mcc,mnc from siminfo;
310|170
Take note of the MCC and MNC for your SIM card.
In my case, the carrier exists in the telephony database already as AT&T. My MVNO, Freedompop, is on the same MCC and MNC, so I am going to modify the record.
Code:
sqlite> select * from carriers where mcc = 310 and mnc = 170;
744|ATT Phone|310170|310|170|phone||||||proxy.mobile.att.net|80|http://mmsc.mobile.att.net|-1|default,mms,supl,fota,hipri|1|IPV4V6|IPV4V6|1|0|0|||-1|0|1|0|0|0|1410|0|1
Your carrier may not exist in the telephony DB. If that's the case, you'll have to insert a record with a SQL command, which is left as an exercise for the reader.
In my case, since the record exists already, just under the wrong name (AT&T), I updated its info:
Code:
sqlite> update carriers set name = 'FreedomPop', apn = 'fp.com.attz', mmsproxy = null, mmsport = null, mmsc = null where mcc = 310 and mnc = 170;
On your Linux computer - Decompress system.img
We are going to modify our /system image now. Your Linux system should have the squashfs tools installed. You can usually get these with:
Code:
sudo apt-get install squashfs-tools
Put system.img in a directory and decompress it.
Code:
sudo unsquashfs system.img
This creates a directory named squashfs-root with the contents of system.img. Modify the file squashfs-root/etc/apns-conf.xml. You will want to add your desired APN information here. You'll need to know your carrier's MCC and MNC. You can get it from the siminfo table in the prior telephony database step or look it up at http://mcc-mnc.com. My carrier is Freedompop, so I inserted this info:
Code:
<apn carrier="FreedomPop"
mcc="310"
mnc="170"
apn="fp.com.attz"
type="default,mms,supl,fota,hipri"
protocol="IPV4V6"
roaming_protocol="IPV4V6"
profile_id="0"
modem_cognitive="true"
mtu="1410"
/>
Now that apns-conf.xml is modified, it's time to recompress the file system into system.img so we can flash it back to the watch. First let's get some parameters from the original system.img:
Code:
unsquashfs -s system.img
Found a valid SQUASHFS 4:0 superblock on system.img.
Creation or last append time Fri Aug 3 20:22:45 2018
Filesystem size 333522.78 Kbytes (325.71 Mbytes)
Compression lz4
High Compression option specified (-Xhc)
Block size 131072
Filesystem is exportable via NFS
Inodes are compressed
Data is compressed
Fragments are not stored
Xattrs are compressed
Duplicates are not removed
Number of fragments 0
Number of inodes 1475
Number of ids 4
Check the block size and the compression, in this case it's 131072 and lz4. Recompress using that as a parameter:
Code:
sudo mksquashfs squashfs-root system-modified.img -comp lz4 -b 131072 -no-fragments -no-duplicates -Xhc
Replace the telephony database on the watch
Code:
adb push telephony.db /sdcard/
adb shell
cp /sdcard/telephony.db /data/user_de/0/com.android.providers.telephony/databases/telephony.db
rm /sdcard/telephony.db
rm /sdcard/system.img
Flash your modified system.img
Code:
adb reboot bootloader
fastboot flash system system-modified.img
After the watch reboots, you should be able to pick the new APN.
Settings -> Connectivity -> Cellular -> Advanced -> Access Point Names
Congratulations, your watch is now on an MVNO cellular network!
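The recompression step in the guide above copies the block size, compression and fragment/duplicate settings by hand from the `unsquashfs -s` report. The following is an added example, not part of the original guide, that derives those `mksquashfs` options from the report and compares two reports, so a rebuilt image can be checked against the original before flashing. It goes slightly beyond the guide's case by also mapping uncompressed inodes/data and the NFS-export flag; the function names are hypothetical and the sample report is the one quoted in the guide.

```shell
#!/bin/sh
# Added example: turn an `unsquashfs -s` report into the mksquashfs options
# that reproduce the same superblock parameters.
# Typical use: unsquashfs -s system.img | squashfs_flags

# Constructed sample input: the report text quoted in the guide.
SAMPLE_REPORT='Found a valid SQUASHFS 4:0 superblock on system.img.
Creation or last append time Fri Aug 3 20:22:45 2018
Filesystem size 333522.78 Kbytes (325.71 Mbytes)
Compression lz4
High Compression option specified (-Xhc)
Block size 131072
Filesystem is exportable via NFS
Inodes are compressed
Data is compressed
Fragments are not stored
Xattrs are compressed
Duplicates are not removed
Number of fragments 0
Number of inodes 1475
Number of ids 4'

# Reads a report on stdin and prints the matching mksquashfs flags.
# Exits non-zero when compression or block size is missing from the report.
squashfs_flags() (
    comp='' bs='' xhc='' nofrag='' nodup='' noi='' nod='' noexp=''
    while IFS= read -r line; do
        case $line in
            "Compression "*)                 comp=${line#Compression } ;;
            "Block size "*)                  bs=${line#Block size } ;;
            *"(-Xhc)"*)                      xhc=1 ;;
            "Fragments are not stored"*)     nofrag=1 ;;
            "Duplicates are not removed"*)   nodup=1 ;;
            "Inodes are uncompressed"*)      noi=1 ;;
            "Data is uncompressed"*)         nod=1 ;;
            "Filesystem is not exportable"*) noexp=1 ;;
        esac
    done
    if [ -z "$comp" ] || [ -z "$bs" ]; then
        echo "squashfs_flags: no compression/block size in report" >&2
        exit 1
    fi
    out="-comp $comp -b $bs"
    if [ -n "$nofrag" ]; then out="$out -no-fragments"; fi
    if [ -n "$nodup" ];  then out="$out -no-duplicates"; fi
    if [ -n "$xhc" ];    then out="$out -Xhc"; fi
    if [ -n "$noi" ];    then out="$out -noI"; fi
    if [ -n "$nod" ];    then out="$out -noD"; fi
    if [ -n "$noexp" ];  then out="$out -no-exports"; fi
    printf '%s\n' "$out"
)

# Compares two report texts (original image, rebuilt image).
# Returns 0 when they imply the same options, 1 when they differ,
# 2 when either report cannot be parsed.
same_squashfs_layout() {
    a=$(printf '%s\n' "$1" | squashfs_flags) || return 2
    b=$(printf '%s\n' "$2" | squashfs_flags) || return 2
    [ "$a" = "$b" ]
}

# Demo on the constructed sample.
printf '%s\n' "$SAMPLE_REPORT" | squashfs_flags
```

Running `unsquashfs -s` on both `system.img` and `system-modified.img` and passing the two outputs to `same_squashfs_layout` catches a rebuild that silently used different compression or block size.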
How to install:
Unlock bootloader:
Boot your device into the official OS.
Go to Settings > About phone, tap the "build number" several times to enable developer settings.
Go to Settings > System > Developer Settings, enable OEM unlocking and ADB debugging.
Connect your phone to your PC and open a terminal or a command line window.
Run adb reboot bootloader on your PC (there is no way to enter bootloader directly, only possible through adb).
Once your device has finished booting, run fastboot flashing unlock and confirm the unlock on the device (THIS WILL WIPE ALL DATA!).
Run fastboot reboot to reboot your device and now you should see an unlocked warning during boot screen.
Disable AVB:
Download vbmeta.img from the latest release page of your device.
Connect your phone to your PC and open a terminal or a command line window.
Run adb reboot bootloader on your PC to put your device in bootloader mode.
Once your device has finished booting run fastboot flash --disable-verification --disable-verity vbmeta vbmeta.img
Then run fastboot flash --disable-verification --disable-verity vbmeta_system vbmeta.img
Also run fastboot flash --disable-verification --disable-verity vbmeta_vendor vbmeta.img
Flash recovery image:
Connect your phone to your PC and open a terminal or a command line window.
Run adb reboot bootloader on your PC to put your device in bootloader mode.
Once your device has finished booting, run fastboot erase recovery. For some reason, the image may not actually be flashed, even if fastboot reported success (at least over the stock recovery image), so in order to make sure that the custom image is always flashed it's better to always erase the partition before flashing. After erasing, run fastboot flash recovery recovery.img
Run fastboot reboot and after the screen goes dark press volume up until you see the TWRP logo. Also you can type fastboot reboot recovery to boot to recovery mode immediately.
Please note that booting in stock ROM will bring stock recovery back.
This recovery image is built using binaries from non-european (TEE) version of Jelly 2. Theoretically it should work on european (EEA). If it won't - contact me, I'll prepare an image based on EEA binaries.
Source code https://github.com/Meetoul/twrp_device_Unihertz_Jelly2
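The "Disable AVB" steps above pass `--disable-verity` and `--disable-verification` to fastboot, which sets the two low bits of the big-endian `flags` field at byte offset 120 of the vbmeta header (bit 0: hashtree disabled, bit 1: verification disabled). The following is an added example, not part of the original post or the TWRP project, that reads those bits from a vbmeta image so the verified-boot state of a device image can be audited. The function names are hypothetical and the sample file is a constructed 256-byte header, not a real signed vbmeta image.

```shell
#!/bin/sh
# Added example: report the AVB flags stored in a vbmeta image header.

# Writes a constructed 256-byte header: magic "AVB0", zero fields, and the
# given value (0-255) in the low byte of the big-endian flags field.
make_sample_vbmeta() {
    {
        printf 'AVB0'                                # bytes 0..3: magic
        dd if=/dev/zero bs=1 count=119 2>/dev/null   # bytes 4..122
        printf "\\$(printf '%03o' "$2")"             # byte 123: low flags byte
        dd if=/dev/zero bs=1 count=132 2>/dev/null   # pad to 256 bytes
    } > "$1"
}

# Prints "flags=N hashtree_disabled=0|1 verification_disabled=0|1".
# Exits with status 2 when the file does not start with the AVB0 magic
# or is too short to contain the flags field.
vbmeta_flags() (
    img=$1
    magic=$(dd if="$img" bs=1 count=4 2>/dev/null)
    if [ "$magic" != "AVB0" ]; then
        echo "vbmeta_flags: not a vbmeta image: $img" >&2
        exit 2
    fi
    # Four flag bytes at offset 120, printed by od as unsigned decimals.
    set -- $(dd if="$img" bs=1 skip=120 count=4 2>/dev/null | od -An -tu1)
    if [ $# -ne 4 ]; then
        echo "vbmeta_flags: truncated header: $img" >&2
        exit 2
    fi
    flags=$(( ($1 << 24) | ($2 << 16) | ($3 << 8) | $4 ))
    printf 'flags=%d hashtree_disabled=%d verification_disabled=%d\n' \
        "$flags" $(( flags & 1 )) $(( (flags >> 1) & 1 ))
)

# Demo on a constructed header with both bits set.
demo=$(mktemp)
make_sample_vbmeta "$demo" 3
vbmeta_flags "$demo"
rm -f "$demo"
```

A dump of the device's vbmeta partition that reports either bit set means dm-verity or signature verification is off for that slot.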
Thanks!
This is fantastic!
It works on EEA!
Meetoul said:
Source code https://github.com/Meetoul/twrp_device_Unihertz_Jelly2
I just received my Jelly 2. It was on 2020 and I went straight through your files. Your TWRP does not respond on my European Jelly 2. Meaning, the touch screen does not respond. But I connected a USB trackball and switched in between adb sideloads. So I finally got it working.
For some reason during reboot TWRP warns me that there is no OS installed. But LoS 18.1 (yours) booted fine. Also flashed opengapps 2707 nano.
After a reboot (phone is still restoring apps) there is a "serial console is enabled" message "performance is impacted, check bootloader". Any instructions on how to get rid of that?
I cannot seem to mount system as R/W with GSI image from https://github.com/phhusson/treble_experimentations/releases from within TWRP. I guess that's a more general problem, though
Any ideas?
kkazakov13 said:
I cannot seem to mount system as R/W with GSI image from https://github.com/phhusson/treble_experimentations/releases from within TWRP. I guess that's a more general problem, though
Any ideas?
Dave you tried the latest release as suggested by Meetoul?
[ROM] [UNOFFICIAL] Lineage OS 17.1 | Unihertz Jelly 2
https://drive.google.com/drive/u/0/folders/1VSmj_-a1PYNzFWtUfbsDGWg4uIh-Tgkd This ROM is built using binaries from non-european (TEE) version of Jelly 2. Theoretically it should work on european (EEA). If it won't - contact me, I'll prepare ROW...
Release Fix gt1151qm touch in recovery · Meetoul/twrp_device_Unihertz_Jelly2_TEE
Recovery image based on new kernel image with patches for both gt1x and gt1151qm touch panel drivers.
Great Job!
I have Jelly2_JP.
I tried your recovery.img for Jelly2_TEE.
It can boot my Jelly2_JP, and it can enable adb shell, but it looped the splash screen.
But when I execute the following command in adb shell, TWRP starts the GUI ("Keep System Read only?" screen):
Jelly2_TEE:/ # mount -o ro /dev/block/mapper/system /
Touchscreen works fine.
Next, I tried to build twrp for Jelly2_JP using your device tree.
But it has the same problem. (It looped the splash screen until I mounted the system partition.)
Do you have any advice?
Attachments
recovery_tee.log is pulled file from /tmp/recovery.log in your twrp for Jelly2_TEE. Line 1119 is after I mount system partition by adb shell.
recovery_jp.log is pulled file from /tmp/recovery.log in my twrp for Jelly2_JP. Line 1356 is after I mount system partition by adb shell.
My build instructions
$ cd ~/twrp
$ repo init -u https://github.com/minimal-manifest-twrp/platform_manifest_twrp_omni.git -b twrp-10.0
$ vi .repo/local_manifests/roomservice.xml
$ repo sync --force-sync
$ cd device/Unihertz
$ cp -r Jelly2_TEE Jelly2_JP
$ cd Jelly2_JP
$ mv omni_Jelly2_TEE.mk omni_Jelly2_JP.mk
$ grep -l Jelly2_TEE * | xargs sed -i 's/Jelly2_TEE/Jelly2_JP/g'
$ grep -l g55v71c2k_dfl_tee * | xargs sed -i 's/g55v71c2k_dfl_tee/g55v71c2k_dfl_jp_felica/g'
$ ./extract-files.sh ~/stock_jp/extracted
$ unpack_bootimg --boot_img ~/stock_jp/recovery.img --out ~/stock_jp/recovery
$ cp ~/stock_jp/recovery/kernel prebuilt/Image.gz
$ cp ~/stock_jp/recovery/dtb prebuilt/dtb/mt6771.dtb
$ cp ~/stock_jp/recovery/recovery_dtbo prebuilt/dtbo.img
$ cd ~/twrp
$ source build/envsetup.sh
$ lunch omni_Jelly2_JP-eng
$ mka recoveryimage
$ ls out/target/product/Jelly2_JP/recovery/root/vendor
bin etc
$ cp -r vendor/Unihertz/Jelly2_JP/proprietary/reovery/root/vendor out/target/product/Jelly2_JP/recovery/root
$ mka recoveryimage
File upload again.
Sorry, I can't upload attached files.
I clicked the "Attach files" button and chose a file.
I clicked the "Save" button, but the file link was not inserted.
I uploaded recovery.log to github.
How to get vbmeta.img
Three knife said:
How to get vbmeta.img
Direct Link
Google Drive: Sign-in
Access Google Drive with a Google account (for personal use) or Google Workspace account (for business use).
drive.google.com
See Also
Jelly 2 firmware made available by Unihertz
A post to let people interested in small Android phones know that the firmware of the Jelly 2 has been made available by Unihertz. Would be great if a LineageOS version of this could be made...
forum.xda-developers.com
Or
[HOWTO] Flash a blank vbmeta
Hey guys, As some of you know samsung made had a bunch of different changes since the release of Android 10. It took me a week to figure it out but it was really simple. I had to do two things: Repatch the the magisk boot image with Preserve AVB...
forum.xda-developers.com
I found the crash point in Jelly2_JP.
The crash point is CHECK() on line 772 of twrp/hardware/interfaces/keymaster/4.0/support/Keymaster.cpp.
C++:
CHECK(error == ErrorCode::OK)
<< "Failed to get HMAC parameters from " << *keymaster << " error " << error;
CHECK() is defined on line 495 of twrp/system/core/base/include/android-base/logging.h
C++:
#define CHECK(x) \
LIKELY((x)) || ABORT_AFTER_LOG_FATAL_EXPR(false) || \
::android::base::LogMessage(__FILE__, __LINE__, ::android::base::DEFAULT, \
::android::base::FATAL, _LOG_TAG_INTERNAL, -1) \
.stream() \
<< "Check failed: " #x << " "
I thought /system/bin/recovery was crashing due to a bug.
But it is not a bug.
/system/bin/recovery is programmed to abort if CHECK() fails.
Next, I compared the results of CHECK().
1. using your recovery.img for Jelly2_TEE.
Code:
$ adb shell
Jelly2_TEE:/ # uname -a
Linux localhost 4.14.141+ #15 SMP PREEMPT Wed May 19 11:04:10 CST 2021 aarch64
Jelly2_TEE:/ # mount -o ro /dev/block/mapper/vendor /vendor
Jelly2_TEE:/ # md5sum /vendor/lib64/libkeymaster4.so
17f162aedb3a9584e51d7f732ebbac7f /vendor/lib64/libkeymaster4.so
Jelly2_TEE:/ # umount /vendor
Jelly2_TEE:/ # md5sum /vendor/lib64/libkeymaster4.so
22ede18944c5f47daf04d699a72717b2 /vendor/lib64/libkeymaster4.so
Jelly2_TEE:/ # logcat -v brief -d -s /system/bin/recovery
E//system/bin/recovery( 324): Failed to get IAshmemDeviceService.
W//system/bin/recovery( 324): [libfs_mgr]Warning: unknown flag: resize
W//system/bin/recovery( 324): [libfs_mgr]Warning: unknown flag: resize
I//system/bin/recovery( 324): [libfs_mgr]Created logical partition product on device /dev/block/dm-0
I//system/bin/recovery( 324): [libfs_mgr]Created logical partition system on device /dev/block/dm-1
I//system/bin/recovery( 324): [libfs_mgr]Created logical partition vendor on device /dev/block/dm-2
W//system/bin/recovery( 324): DM_DEV_STATUS failed for system_image: No such device or address
W//system/bin/recovery( 324): DM_DEV_STATUS failed for vendor_image: No such device or address
W//system/bin/recovery( 324): DM_DEV_STATUS failed for product_image: No such device or address
I//system/bin/recovery( 324): fscrypt_initialize_systemwide_keys
I//system/bin/recovery( 324): List of Keymaster HALs found:
I//system/bin/recovery( 324): Keymaster HAL #1: HardwareKeymasterDevice from TrustKernel SecurityLevel: TRUSTED_ENVIRONMENT HAL: [email protected]::IKeymasterDevice/default
F//system/bin/recovery( 324): Keymaster.cpp:150] Check failed: error == ErrorCode::OK Failed to get HMAC parameters from HardwareKeymasterDevice from TrustKernel SecurityLevel: TRUSTED_ENVIRONMENT HAL: [email protected]::IKeymasterDevice/default error SECURE_HW_COMMUNICATION_FAILED
2. using my recovery.img for Jelly2_JP.
This is built with Jelly2_JP's kernel and /vendor/*.
Code:
$ adb shell
Jelly2_JP:/ # uname -a
Linux localhost 4.14.141+ #5 SMP PREEMPT Wed May 19 12:15:37 CST 2021 aarch64
Jelly2_JP:/ # mount -o ro /dev/block/mapper/vendor /vendor
Jelly2_JP:/ # md5sum /vendor/lib64/libkeymaster4.so
17f162aedb3a9584e51d7f732ebbac7f /vendor/lib64/libkeymaster4.so
Jelly2_JP:/ # umount /vendor
Jelly2_JP:/ # md5sum /vendor/lib64/libkeymaster4.so
17f162aedb3a9584e51d7f732ebbac7f /vendor/lib64/libkeymaster4.so
Jelly2_JP:/ # logcat -v brief -d -s /system/bin/recovery
E//system/bin/recovery( 327): Failed to get IAshmemDeviceService.
W//system/bin/recovery( 327): [libfs_mgr]Warning: unknown flag: resize
W//system/bin/recovery( 327): [libfs_mgr]Warning: unknown flag: resize
I//system/bin/recovery( 327): [libfs_mgr]Created logical partition product on device /dev/block/dm-0
I//system/bin/recovery( 327): [libfs_mgr]Created logical partition system on device /dev/block/dm-1
I//system/bin/recovery( 327): [libfs_mgr]Created logical partition vendor on device /dev/block/dm-2
W//system/bin/recovery( 327): DM_DEV_STATUS failed for system_image: No such device or address
W//system/bin/recovery( 327): DM_DEV_STATUS failed for vendor_image: No such device or address
W//system/bin/recovery( 327): DM_DEV_STATUS failed for product_image: No such device or address
I//system/bin/recovery( 327): fscrypt_initialize_systemwide_keys
I//system/bin/recovery( 327): List of Keymaster HALs found:
I//system/bin/recovery( 327): Keymaster HAL #1: HardwareKeymasterDevice from TrustKernel SecurityLevel: TRUSTED_ENVIRONMENT HAL: [email protected]::IKeymasterDevice/default
F//system/bin/recovery( 327): Keymaster.cpp:150] Check failed: error == ErrorCode::OK Failed to get HMAC parameters from HardwareKeymasterDevice from TrustKernel SecurityLevel: TRUSTED_ENVIRONMENT HAL: [email protected]::IKeymasterDevice/default error SECURE_HW_COMMUNICATION_FAILED
They have the same error code, SECURE_HW_COMMUNICATION_FAILED.
Unfortunately, my recovery.img wasn't improved from your recovery.img when used with Jelly2_JP.
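The comparison made in the post above, as an added example that is not part of the original thread: it parses `logcat -v brief` output, pulls out the FATAL `CHECK()` failure logged by /system/bin/recovery, and tests whether two recovery builds abort at the same check with the same Keymaster error. The function names are hypothetical, and the sample log is constructed from the lines quoted above with the HAL name replaced by a placeholder.

```python
import re

# logcat "-v brief" layout: <priority>/<tag>(<pid>): <message>
BRIEF = re.compile(r"^([VDIWEF])/(.+?)\(\s*(\d+)\): (.*)$")
# Shape of a CHECK() failure message as quoted in the post above.
CHECK = re.compile(r"^(\S+):(\d+)\] Check failed: (.*)$")
# The Keymaster message ends with "error <ErrorCode name>".
TRAILING_ERROR = re.compile(r"\berror ([A-Z_]+)$")

def parse_brief(line):
    """Split one brief-format line into its fields, or return None."""
    m = BRIEF.match(line.strip())
    if not m:
        return None
    prio, tag, pid, msg = m.groups()
    return {"prio": prio, "tag": tag, "pid": int(pid), "msg": msg}

def fatal_checks(log_text, tag="/system/bin/recovery"):
    """Return every FATAL CHECK() failure logged under the given tag."""
    found = []
    for line in log_text.splitlines():
        rec = parse_brief(line)
        if rec is None or rec["prio"] != "F" or rec["tag"] != tag:
            continue
        m = CHECK.match(rec["msg"])
        if not m:
            continue
        src, lineno, detail = m.groups()
        err = TRAILING_ERROR.search(detail)
        found.append({"pid": rec["pid"], "file": src, "line": int(lineno),
                      "error": err.group(1) if err else None})
    return found

def same_failure(log_a, log_b):
    """True when both logs abort at the same CHECK() with the same error."""
    a = {(f["file"], f["line"], f["error"]) for f in fatal_checks(log_a)}
    b = {(f["file"], f["line"], f["error"]) for f in fatal_checks(log_b)}
    return bool(a) and a == b

def sample_log(pid):
    """Constructed sample: three lines abridged from the logs quoted above."""
    p = f"//system/bin/recovery( {pid}): "
    return "\n".join([
        "I" + p + "List of Keymaster HALs found:",
        "F" + p + "Keymaster.cpp:150] Check failed: error == ErrorCode::OK "
        "Failed to get HMAC parameters from HardwareKeymasterDevice from "
        "TrustKernel SecurityLevel: TRUSTED_ENVIRONMENT HAL: <hal-name> "
        "error SECURE_HW_COMMUNICATION_FAILED",
    ])
```

On a real device the input would be the saved output of `logcat -v brief -d -s /system/bin/recovery` from each recovery image.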
I'm sorry for the continuous posting.
I solved the decryption by modifying omni_Jelly2_JP.mk as follows.
Code:
PRODUCT_NAME := omni_Jelly2_JP
PRODUCT_DEVICE := Jelly2_JP
PRODUCT_MODEL := Jelly2_JP
PRODUCT_BOARD := g55v71c2k_dfl_jp_felica
BUILD_FINGERPRINT := "Unihertz/Jelly2_JP/Jelly2_JP:10/QP1A.190711.020/root.20210422.092852:user/release-keys"
PRODUCT_BUILD_PROP_OVERRIDES += \
TARGET_DEVICE=Jelly2_JP \
PRODUCT_NAME=Jelly2_JP \
PRIVATE_BUILD_DESC="Jelly2-user 10 QP1A.190711.020 root.20210422.092852 release-keys"
My mistake was that I only replaced "Jelly2_TEE" with "Jelly2_JP".
I had to replace "Jelly2" with "Jelly2_JP".
Anyway, now I can display the decryption screen.
Next, I tried HOW-TO-PATCH.md.
However, the touch screen does not respond on the patched kernel.
Code:
$ head -n 1 symbl_tee.txt
ffffff81dd680800 T do_undefinstr
$ grep get_boot_mode symbl_tee.txt
ffffff81ddda5b30 T get_boot_mode
$ zcat twrp/device/Unihertz/Jelly2_TEE/prebuilt/Image.gz > Image
$ aarch64-linux-android-objdump -D -b binary -m aarch64 --adjust-vma=0xffffff81dd680000 --start-address=0xffffff81ddda5b30 Image| head
ffffff81ddda5b30: d0009cc8 adrp x8, 0xffffff81df13f000
ffffff81ddda5b34: b947ad09 ldr w9, [x8,#1964]
ffffff81ddda5b38: 7100093f cmp w9, #0x2
I think you are using a different technique to enable the touch screen, because "cmp w9, #0x2" is not patched to "cmp w9, #0x0".
Please teach me your technique when you are no longer busy with work.
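Thank you. I am using the Chinese version without Google Play, and I succeeded by following your steps. However, after installing recovery.img, the internal storage may not be writable; you need to delete the data partition in recovery, and then it works.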
Thanks for this!
I flashed this TWRP, then installed AOSP 11, v313 of this GSI: https://github.com/phhusson/treble_experimentations/releases/tag/v313
Things seem good, except:
the battery seems to drain a little quickly
no IR blaster (ZaZa remote does not recognize it)
TWRP cannot decrypt the phone's contents, so I cannot flash gapps.
Is TWRP not able to decrypt because I'm using Android 11 and the TWRP was built for 10?
@karoooo
Sorry for not responding to you, for some reason email notifications from XDA were stopped. Please tell me if you still need a patched kernel, I will try to patch it and explain the technique to you.
zxczxc4 said:
Thanks for this!
I flashed this TWRP, then installed AOSP 11, v313 of this GSI: https://github.com/phhusson/treble_experimentations/releases/tag/v313
Things seem good, except:
the battery seems to drain a little quickly
no IR blaster (ZaZa remote does not recognize it)
TWRP cannot decrypt the phone's contents, so I cannot flash gapps.
Is TWRP not able to decrypt because I'm using Android 11 and the TWRP was built for 10?
Actually, data decryption on MTK SoCs is a very painful thing. I'm still waiting for a stable release of Android 11 from Unihertz, but they are in no hurry...
I know that beta 11 is available. Unfortunately, I was not able to update using the official way. The bootloader was locked at the moment of updating, but probably the reason is that it was unlocked before (it is possible to relock the bootloader using SP Flash Tool). But I managed to fetch the zip update package and install it via TWRP. After that I even managed to make a package for SP Flash Tool based on this package, so I can flash pure FW without updating and have a locked bootloader!
UPD. I see that Unihertz have published Android 11 SW package for SP Flash Tool on their Google Drive! Soon I will try to make recovery based on this package.
@Meetoul
Thank you for your response.
Yes, yes, yes!
I want to know your technique.
Best Regards.
HI.
Summary: FRONT CAMERA not working after Bootloader Unlock
I am using Jelly2_JP (on latest Android 10) and I was wondering,
has anyone experienced the Front Camera not working after Bootloader Unlock, and possibly the three " --disable-verification --disable-verity" commands?
The stock camera app won't recognize the front camera (no front/back switch button where there should be one), and other apps can't use the front camera either.
I can confirm that the front camera worked before unlocking the bootloader.
Reflashing the stock image using SP Flash Tool and relocking the bootloader did not fix the issue.
Is anyone else experiencing the same issue?
karoooo said:
@Meetoul
Thank you for your response.
Yes, yes, yes!
I want to know your technique.
Best Regards.
Since Unihertz has released Android 11, I think that there is no sense in working on patching the old kernel.
Btw, now I'm working on TWRP based on Android 11 binaries from the latest FW, but no luck so far, it seems that the kernel doesn't even start to boot...
@Meetoul
I wanted to learn your technique so that I could work on my own when Android 11 was released.
If Android 11 is formidable, prioritize working with Android 11.
Unfortunately, Android 11 for Jelly2_JP has not been released yet.
@kendzhi
I unlocked the bootloader with Jelly2_JP, but the front camera is still working.
@karoooo
Thank you for the reply!
May I ask, was your Jelly2_JP shipped before the latest Android 10 update (2021051912_g55v71c2k_dfl_jp_felica), meaning did your phone come with the previous Firmware (2020101915_g55v71c2k_dfl_jp_felica)?
I have two Jelly2_JP from Japan which came preshipped with the latest Android 10 update (there was no need for OTA update). And in both phones, upon executing "fastboot flashing unlock" (without disabling AVB & without Rooting), the front camera stopped working (not recognized by the system).
I even went into the Debug/Diagnostic? mode that was in Chinese (Booting by Vol down + Connecting to PC via USB), and performed a hardware test for the Front Camera and the test froze the phone.
So I'm suspecting that Jelly2_JP that was shipped to Japan with the latest Firmware has some issues with Bootloader Unlocking breaking the Front Cam...