Related
The Acer Iconia Toolkit is supporting following devices at the moment:
B1-A71
B1-710
B1-A710
B1-711
B1-720
A1-810
A1-811
A3-A10
Liquid S1
Only use these methods if you are sure the device cannot be rooted using a custom recovery from the following thread:
http://forum.xda-developers.com/andr...ax-b1-t2875894
Intel based devices will not be supported ever by this toolkit! Only Mediatek chips are supported!
At the moment the following features are available:
Root from scratch (Unix only / recommended)
Root with prerooted Image (see Download links at the bottom)
Unroot
Swap External <-> Internal SD
Odex ROM
Pull system.img.gz off your device
Download Acer Iconia Toolkit Latest Version
Older Versions:
v0.9.0
v0.8.5
v0.8.4
v0.8.3
v0.8.2
Thank you goes to:
FireDiamond, bullbrand, pawitp, alba81, sodaFR, MatrixDJ96, ak6, min-dfreak, Gilly10, agentdeep, nick_1964, sampod
and the testers
Acer Iconia B1-A71:
Unlock Bootloader
CWM update, that removes bloat
thx to FireDiamond
Apply the "Invalid Partition Error" fix before rooting!!!
To avoid unfixable bootloop, first apply this patch from Acer.
Install the APK, start it, click on FixG1PMT (no feedback) and uninstall afterwards. Good luck!
If you're rooting with prerooted system.img.gz here are the Downloads. Pick the one, fitting to the firmware installed on your tablet, otherwise you will get into bootloop!
RV03RC05:
Acer Firmware Update [mirror] [mirror + md5]
RV04RC04:
[system.img.gz] [mirror]
RV05RC05:
Acer Firmware Update [mirror1] [mirror2] [mirror3] [mirror4 + md5] [mirror5 + md5]
[system.img.gz]
RV02RC12:
system.img.gz
Acer Iconia B1-710 / B1-A710:
Unlock Bootloader (thx to FireDiamond and abstrkt1337)
RV04RC01:
system.img.gz [mirror1] [mirror2]
Stock system Images for B1-710 RV04RC01
Hamza91: stock, rooted
RV04RC01_PA_CA:
Stock and Rooted system image
Acer Iconia B1-711:
RV01RC04_WW_GEN1:
system.img.gz
Acer Iconia B1-720:
RV03RC01_WW_GEN1:
system.img.gz (thx to Hayastan)
RV07RC01_WW_GEN1:
system.img.gz (thx to Hayastan)
Acer Iconia A1-810:
Acer Firmwares
Modified XPosed Installer
RV03RC08:
system.img.gz
RV18RC07_WW_GEN1:
update.zip (about 4MB)
system.img.gz with /system RW workaround (MD5 = 214db984aee42ef0c05d1cfa43d193c1) (needs extra config and SuperSU instead of Superuser) [torrent] (see this post also)
RV21RC02_WW_GEN1:
update.zip
system.img.gz with /system RW workaround (needs extra config and SuperSU instead of Superuser) (see this post also)
RV21RC03_TWN:
system.img.gz with /system RW workaround (needs extra config and SuperSU instead of Superuser) (see this post also)
RV27RC02_PA_CA:
stock system.img.gz (rename to system.img.gz first!)
system.img.gz (rename to system.img.gz first!)
RV27RC03_WW_GEN1:
system.img.gz
stock system.img.gz
update.zip
RV18RC10_PA_CA:
system.img.gz with /system RW workaround (needs extra config and SuperSU instead of Superuser) (see this post also)
RV26RC06_PA_CUS1:
system.img.gz
Stock Images: (Workaround to unroot: Put the system.img.gz of your version into system_image and choose root option in toolkit)
RV03RC08:
system.img.gz
RV18RC07:
system.img.gz ( MD5=550ECDB192F5668264B11B1070F4B932 )
How to root from scratch
Acer Iconia A1-811:
RV01RC11_WW_GEN1:
Acer Firmware Update
RV02RC20:
system.img.gz rooted and stock (including xposed) (thx to konsolen!!)
RV02RC22_TWN_GEN1:
system.img.gz with /system RW workaround (needs extra config and SuperSU instead of Superuser) (see this post also)
Unbrick:
Stock Firmware RV01RC11 (copy on SD and flash from recovery)
Acer Iconia A3-A10:
A3-A10_RV05RC01_PA_CA:
stock system image
Your device not listed above?
Help us getting your device to work with the toolkit.
See this post how you can help.
Common
B1-A71 / B1-710 / B1-A710: Install this after rooting: Superuser App on Google Play Store
A1-810 / A1-811 / B1-711: Install this after rooting: SuperSU App on Google Play Store
Verify your root: Root Checker on Play Store
FAQ
Q: I'm stuck inside a bootloop after rooting!!!11
A1: The system.img.gz you applied, wasn't suiting to the firmware version installed on your tablet. Download latest Acer firmware update ( !!! if available !!!), copy it on a micro sd card, plug it into your Iconia, go to recovery by holding Volume up and Power button while device is turned off. Then choose apply update from sd card.
A2: If you cannot apply any Acer firmware, because you always get a partition error while installing, you should do a reboot after you get the error. A user reported that this made her/his device boot into Android again, showing the new version in settings -> info. Good luck
A3: If your device is really bricked you could try bring it back to life. Here you find help: link1, link2, link3, link4 (many thanks to Gilly10, drmad and Hamza91)
A4 (B1-A71, B1-710, B1-711 only): Unbrick
A5: If the A1 - A4 didn't help. Send back the device to Acer. Tell them you tried to apply an update from sd card and ended up in this bootloop. Sending device back to Acer over UPS is free. Good luck!
Q: Successfully rooted, but still no root after rebooting!
A: Have you installed Superuser App from Google Play Store?
(B1-A71 only)Q: Cannot update, always getting ERROR: - Invalid partition setting; 17: fat 238e8000:888e8000; Instalation aborted.
A: Download "Invalid Partition Error" Patch.
(B1-A71 only)Q: I applied update from RV05RC05 to RV05RC06 but still it shows RV05RC05.
A: There is no RV05RC06. It is the RV05RC05. It got on Acers Download section with a RV05RC06 named zip file. But the content is 100% equal to RV05RC05.
Q: Toolkit fails or crashes for any reason and I don't know what to do.
A: Run it again with parameter -d, e.g.: toolkit.exe -d and post the entire output here.
Q: Root from scratch on Linux doesn't work because of Error message: 'No such file or directory bin/posix/64/adb'
A: sudo apt-get install ia32-libs libstdc++6 libgcc1 zlib1g libncurses5 libsdl1.2debian
Q: Can i flash a custom recovery?
A: No, because bootloader is locked. You would brick your tablet.
Q: Are there Custom ROMs?
A: No, see answer above.
Q: Is my data wiped during root?
A: No.
Q: Do i lose root after factory reset or wipe date?
A: No.
Q: I get an error in Engineer mode entering telnet command.
A: If Swiftkey is installed / enabled try settings Google AOSP Keyboard as default.
Q: How can I start telnet server manually?
A: Try this.
What you can do with root:
Apply Supercharger V6 by zeppelinrox and significally speed up your tablet! [My small How-To]
Install Adaway, an ad-blocker for webbrowsers and apps containing ads.
Install ROM Toolbox and customize boot screen and other funny things.
Install Titanium Backup to Backup, Freeze, Uninstall any App and more.
Install Datasync to sync app data like save states between rooted devices.
What you can NOT do with root on these devices:
Change DPI
Flash Custom Recoveries
Flash Custom ROMs
Sources and Changelos @ github (thanks to nikagl)
Changelog:
v0.9.4
======
- Updated SuperSU to 2.46
- Removed Xposed APK
- Added Liquid S1 support!
v0.9.3
======
- Fix Xposed removal
- Wait longer for MTKLogger to press settings
- Add 811 and KK 810 and 811 to root from system.img
v0.9.2
======
- Removed Xposed till it works
- Add global for allatonce
v0.9.1
======
Added option to enable write access to external sdcard
Added comment for Xposed not working
Removed su delete command in invalid section
v0.9.0
======
- A1-811: Kitkat Support
- A1-xxx: Added proper su-binary
- Added timestamps
- Added descision for Superuser/Supersu
- Added selection for Xposed **not working yet**
- Added option to enable write access to external sdcard
- Added selection to continue automatically (also import the system instead of waiting for enter)
- Removed invalid quote and double exit command
- Added forward delete of characters to make sure Run command is empty
- Added some additional messages during the root process
v0.8.5
======
- A1-810: Fixed target directory for system image (no permissions for /cache directory since Kitkat)
- A1-810: Fixed root from scratch for Kitkat versions (thanks to Just_Another_N00b)
v0.8.4
======
- A1-810: Fixed root for Android Kitkat >= 4.4.2
- A1-810: Fixed abd devices id, changed sind Kitkat update
v0.8.3
======
- Fixed pulling system.img.gz from Windows
v0.8.2
======
- New: Supporting B1-720
v0.8.1
======
- A1-81x: Fixed missing read/write permissions for /system partition (thanks
to twu2!)
- All other devices: fixed missing path to su binary (thanks to arzakon.nn)
v0.8.0
======
- New: Pull system.img.gz from your tablet
- New: Supporting A3-A10
v0.7.8
======
- fixed Swap Internal to External for A1 and B1-710
v0.7.7
======
- Supporting Swap Internal to External for A1 and B1-710
- fixed bug in root from scratch: checking for /bin/su although it's not there
Full Changelog inside the Download.
Error "Permision denied"
entonjackson said:
Changelog:
v0.2.1
======
- Windows: Providing an .exe, so Python is no more needed for Windows users. But you could still use the Python script.
- Unix: Python3 compatibility fixes
v0.2.0
======
- supporting windows 64 and 32 bit (only for rooting with prerooted system.img.gz)
- Linux: added option to choose between 'Root from scratch' and 'Root from prerooted image'
- supporting all versions between python 2.7.4 and 3.3
v0.1.1
======
- supporting linux 64 AND 32bit
- instructions at the beginning
- make compatible to python 3.3
v0.1.0
======
- initial release, only supporting linux 64bit
Click to expand...
Click to collapse
Hi Thanks for your effor and sharing with us.
I got error "failed to copy system._image\system.image.gz to cache/system.image.gz , permission denied
can you give me solution.
thanks very much
cakadut said:
Hi Thanks for your effor and sharing with us.
I got error "failed to copy system._image\system.image.gz to cache/system.image.gz , permission denied
can you give me solution.
thanks very much
Click to expand...
Click to collapse
Windows or Linux?
edit: Ok i found the issue, I just fixed it and going to upload a new version this evening.
New version v0.2.2 is up.
entonjackson said:
New version v0.2.2 is up.
Click to expand...
Click to collapse
I thanks for your work.
I have one problem
failed to copy 'system_image\system.img.gz' to '/cache/system.img.gz': Permissio
n denied
Traceback (most recent call last):
File "easy_root_iconia_b1.py", line 724, in <module>
else:
File "easy_root_iconia_b1.py", line 26, in main
win_main(python3)
File "easy_root_iconia_b1.py", line 642, in win_main
out = p.stdout.readline()
File "subprocess.pyc", line 575, in check_output
subprocess.CalledProcessError: Command ' bin\windows\32\adb.exe push system_imag
e\system.img.gz /cache' returned non-zero exit status 1
Thanks for your futur help
sorry for my english
V0.2.2 still Error
entonjackson said:
New version v0.2.2 is up.
Click to expand...
Click to collapse
Dear Eaton,
after dowbload and run v0.2.2 , still found same problem.
No Progress bar during copy image.
and system shown
failed to copy 'system_image\system.img.gz' to '/cache/system.img.gz': Permissio
n denied
Traceback (most recent call last):
File "easy_root_iconia_b1.py", line 724, in <module>
else:
File "easy_root_iconia_b1.py", line 26, in main
win_main(python3)
File "easy_root_iconia_b1.py", line 642, in win_main
out = p.stdout.readline()
File "subprocess.pyc", line 575, in check_output
subprocess.CalledProcessError: Command ' bin\windows\32\adb.exe push system_imag
e\system.img.gz /cache' returned non-zero exit status 1
Note I am using windows 7.- 64 Bit
Regards,
I uploaded a new version where I added some commands that hopefully resolve the permissions issues.
The problem is, that I can't reproduce it.
Are you rooting the Iconia the first time? or did you already have root before?
Regarding the progress bar. It only appears when writing the system.img.gz
I have Windows 7 64 bit, btw.
entonjackson said:
I uploaded a new version where I added some commands that hopefully resolve the permissions issues.
The problem is, that I can't reproduce it.
Are you rooting the Iconia the first time? or did you already have root before?
Regarding the progress bar. It only appears when writing the system.img.gz
I have Windows 7 64 bit, btw.
Click to expand...
Click to collapse
Dear Enton,
Yes this is the first time B1 will rooting,
I will try again, and report to you,
Regards
cakadut said:
Dear Enton,
Yes this is the first time B1 will rooting,
I will try again, and report to you,
Regards
Click to expand...
Click to collapse
Dear Enton,
The Messages still same, I Attached the Error Pic.
Note :
Iconia B1-A71
ROM 16 GB
RAM 512 MB
Android Version : 4.1.2
Kernel Version : 3.4.0
Image Version : Acer_AV051_B1-A71_RV05RC05_WW_GEN1
Build Number : Acer_AV051_B1-A71_1.258.00_WW_GEN1
Regards,
cakadut said:
Dear Enton,
The Messages still same, I Attached the Error Pic.
Note :
Iconia B1-A71
ROM 16 GB
RAM 512 MB
Android Version : 4.1.2
Kernel Version : 3.4.0
Image Version : Acer_AV051_B1-A71_RV05RC05_WW_GEN1
Build Number : Acer_AV051_B1-A71_1.258.00_WW_GEN1
Regards,
Click to expand...
Click to collapse
I will try to fix it asap. The problem is, that I cannot reproduce it.
I assume that the chmod 777 /cache command that I do, before the adb push command fails with "Operation not permitted."
But this I still don't know how to fix. If someone knows, tell me!
error in v.0.2.3
Dear entonjackson,
thanks for your work and for the time you spend on it.
Unfortunately, I too have problems with the tool for Windows since version 0.2.0 and also with the latest version (0.2.3).
The error messages that I receive are identical (with the same line numbers) to those receiving cakadut in his last post.
I am trying to root Iconia for the first time.
I tried with Windows 7-32bit and Windows 7 64-bit.
My configuration:
Iconia B1-A71 8GB ROM, 512Mb ram
Android 4.1.2
kernel 3.4.0
Image version: Acer_AV051_B1-A71_RV04RC04_WW_GEN1
Build Number: Acer_AV051_B1-A71_1.174.00_WW_GE
I hope you can find the solution.
Thank you for sharing your work with us.
Just uploaded a new version. Could you please try again?
It's hard to fix for me, because I don't have the problem, so all I can do is try. Thanks for the patience!
****, I think i found the bug. Don't try 0.2.4 it won't work also.
foxterrier said:
Dear entonjackson,
thanks for your work and for the time you spend on it.
Unfortunately, I too have problems with the tool for Windows since version 0.2.0 and also with the latest version (0.2.3).
The error messages that I receive are identical (with the same line numbers) to those receiving cakadut in his last post.
I am trying to root Iconia for the first time.
I tried with Windows 7-32bit and Windows 7 64-bit.
My configuration:
Iconia B1-A71 8GB ROM, 512Mb ram
Android 4.1.2
kernel 3.4.0
Image version: Acer_AV051_B1-A71_RV04RC04_WW_GEN1
Build Number: Acer_AV051_B1-A71_1.174.00_WW_GE
I hope you can find the solution.
Thank you for sharing your work with us.
Click to expand...
Click to collapse
Ok, people. With pawitp's help I hopefully fixed the permissions bug.
The problem was, that i was trying to chmod the /cache directory directly from adb shell, which isn't possible. I forgot, that this needs to be done from telnet. So in 0.2.6 I'm setting permission with telnet. This should fix it!
Please report!
Good luck :fingers-crossed:
Dear ethon
hi ethon can u do tutorial video cause i can't found the directory for the "step 6 : go to go to connectivity -> CDS Inforamtion ->Network Utility " and Thnk You :good:
diskenz said:
hi ethon can u do tutorial video cause i can't found the directory for the "step 6 : go to go to connectivity -> CDS Inforamtion ->Network Utility " and Thnk You :good:
Click to expand...
Click to collapse
I will try to do a video tutorial, but it's very easy to do.
Download and install Ex Dialer & Contacts.
Launch the app.
Dial *#*#ENGMODE#*#*.
Swipe from right to left (to Connectivity). Then choose CDS Information and Network Utility.
There you paste this command: /data/local/tmp/busybox telnetd -l /system/bin/sh -p 1234
stell no thing happen maybe i must upgrade to pro version ???
diskenz said:
stell no thing happen maybe i must upgrade to pro version ???
Click to expand...
Click to collapse
No.
Try to dial *#*#3646633#*#*
Else I don't know... this should work in any case...
entonjackson said:
Ok, people. With pawitp's help I hopefully fixed the permissions bug.
The problem was, that i was trying to chmod the /cache directory directly from adb shell, which isn't possible. I forgot, that this needs to be done from telnet. So in 0.2.6 I'm setting permission with telnet. This should fix it!
Please report!
Good luck :fingers-crossed:
Click to expand...
Click to collapse
Thanks entonjackson,
unfortunately with version 0.2.6 I can not get the ADB connection with the tablet. The message it gives me is:
"Trying to Establish ADB Connection (If this hangs, ADB Connection failed. CMD Shell Close and open a new one) ..."
and remains so without making the connection.
If I run the command 'adb devices' in another command line session, the device is seen correctly (0123456789ABCDEF device),
but when I run the new version (0.2.6) of the tool, the message is what I wrote above.
Thank you for your patience.
{
"lightbox_close": "Close",
"lightbox_next": "Next",
"lightbox_previous": "Previous",
"lightbox_error": "The requested content cannot be loaded. Please try again later.",
"lightbox_start_slideshow": "Start slideshow",
"lightbox_stop_slideshow": "Stop slideshow",
"lightbox_full_screen": "Full screen",
"lightbox_thumbnails": "Thumbnails",
"lightbox_download": "Download",
"lightbox_share": "Share",
"lightbox_zoom": "Zoom",
"lightbox_new_window": "New window",
"lightbox_toggle_sidebar": "Toggle sidebar"
}
Software root method for MediaTek MT67xx, MT816x, and MT817x!
So it's no big secret that not too long ago, I found a way to achieve temporary root on MediaTek chipsets. No preinstalled root solution or device unlock was needed. The tool I created, MTK-SU, was originally aimed at helping Amazon Fire HD owners to easily root and unlock their tablets. (Without it, most models need a hardware mod to achieve root & unlock. This tool made rooting accessible to many times the number of owners. It also made possible to root the Fire TV gen 2.) But funny story: this method actually works on virtually all of MediaTek's 64-bit chips. Many devices of various vendors have already been confirmed.
So in case it's not clear, what mtk-su does is give you a root shell to do with as you please. It's like running 'su', but without the need to have su installed. That may be a holy grail for locked devices. On some devices, it may be possible to install a root manager for permanent root using mtk-su as a springboard.
The original thread is here: Rapid Temporary Root for HD 8 & HD 10. It's a great resource for info. But please avoid posting there about non-Amazon devices. This new thread is a catchall topic for other devices and vendors.
DISCLAIMERAnything you do that is described in this thread is at your own risk. No one else is responsible for any data loss, corruption or damage of your device, including that which results from bugs in this software. There is a nonzero chance of any of these events happening as a result of using the tools or methods here.
REQUIREMENTSMastery of the Thanks button under XDA posts
A phone or tablet based on Mediatek MT67xx, MT816x, MT817x or MT6580 chipsets
Either:
A PC with ADB installed to interact with your device, or
A terminal emulator app
Familiarity with ADB (if using PC) and basic Linux shell commands
You agree to post the model name of any unconfirmed device which ran mtk-su successfully
INSTRUCTIONS FOR ADB
Make sure you meet all the requirements listed above, especially the first and last ones.
Download the current mtk-su zip file to your PC and unzip it. Inside will be 2 directories: 'arm' & 'arm64' with an 'mtk-su' binary in each. Pick one for your device. Differences between the flavors:
arm64: 64-bit kernel and userspace
arm: 32-bit userspace on a 64-bit or 32-bit kernel (will also work in 64-bit userspace)
Connect your device to ADB and push mtk-su to your /data/local/tmp folder
adb push path/to/mtk-su /data/local/tmp/
Open an adb shell
adb shell
Change to your tmp directory
cd /data/local/tmp
Add executable permissions to the binary
chmod 755 mtk-su
At this point keep your device screen on and don't let it go to sleep. Run the command
./mtk-su
It should only take a second or two. If the program gets stuck for more than a few seconds and your device is awake, press Ctrl+C to close it.
The -v option turns on verbose printing, which is necessary for me to debug any problems.
The output of ./mtk-su -v is similar to this:
Spoiler
Code:
$ ./mtk-su -v
param1: 0x3000, param2: 0x18040, type: 2
Building symbol table
kallsyms_addresses pa 0x40bdd500
kallsyms_num_syms 70337, addr_count 70337
kallsyms_names pa 0x40c66d00, size 862960
kallsyms_markers pa 0x40d39800
kallsyms_token_table pa 0x40d3a100
kallsyms_token_index pa 0x40d3a500
Patching credentials
Parsing current_is_single_threaded
ffffffc000354868+50: ADRP x0, 0xffffffc000fa2000
ffffffc000354868+54: ADD xd, x0, 2592
init_task VA: 0xffffffc000fa2a20
Potential list_head tasks at offset 0x340
comm swapper/0 at offset 0x5c0
Found own task_struct at node 1
cred VA: 0xffffffc0358ac0c0
Parsing avc_denied
ffffffc0002f13bc+24: ADRP x0, 0xffffffc001113000
ffffffc0002f13bc+28: LDR [x0, 404]
selinux_enforcing VA: 0xffffffc001113194
Setting selinux_enforcing
Switched selinux to permissive
starting /system/bin/sh
UID: 0 cap: 3fffffffff selinux: permissive
#
Some other options:
mtk-su -c <command>: Runs <command> as root. Default command is /system/bin/sh.mtk-su -s: Prints the kernel symbol tablemtk-su -Z <context>: Runs shell in a new selinux context. Example: ./mtk-su -Z u:r:logd:s0If you see any errors other than about unsupported or incompatible platform or don't get a root shell, report it here. When reporting a problem with a device, please post a link to the firmware and/or the kernel sources.
Please post the model of any device that works with mtk-su that's not already confirmed.
Important: in rare cases, it may be necessary to run the tool multiple times before you hit UID 0 and get selinux permissive. If you don't achieve root on a particular run, the "UID: N cap: xxxxx...." line will reflect that. If it doesn't say "UID: 0 cap: 3fffffffff selinux: permissive", type exit to close the subshell and try mtk-su again.
WARNING If you have a device with Android 6 or higher, it likely has dm-verity enabled. On such a device one does not simply remount the system partition as read/write. The remount command will probably fail. But if you succeed in forcing it somehow it will trigger dm-verity, which will result in a very bad day. Your device will become inoperable until you restore the stock system partition.
DOWNLOADCurrent Version
Release 23
Spoiler: Changelog
Release 23 - August 24, 2020
Add support for some early Linux 3.10 tablet firmware
Add support for kernels with some debug features enabled
Release 22 - May 8, 2020
Expand kernel support
Enable seccomp handling for Android 8
Release 21 - March 14, 2020
Add support for more devices
Fix seccomp on 3.18 arm kernels
Release 20 - Dec 28, 2019
Add support for MT6580
Add support for some MT8183 versions
Fix handling of some 32-bit 4.x kernels with stack protection
Move to NDK build
Release 19 - October 20, 2019
Add -Z option for setting custom selinux context
Fix seccomp on armv7
Fix seccomp handling on late-revision 3.18 kernels
Improve error printing for critical failures
Strip supplementary groups in root shell
Do not spawn root shell on critical failures
Release 18 - July 29, 2019
Add support for kernel address space layout randomization (KASLR)
Change status output format
Release 17 - July 13, 2019
Fix missing capabilities under adb shell in Android 9.x
Disable seccomp in app mode of Android 9.x
Add support for MT6771 on Android 8.x
Reliability improvements
Release 16 - June 9, 2019
Add support for 32 & 64-bit kernels compiled with CONFIG_KALLSYMS_BASE_RELATIVE
Add support for MT676x on Android 7.x
Speedups
Release 15 - May 29, 2019
Run shell/command in global mount namespace -- mounting from apps is now visible to the whole system
Release 14 - May 22, 2019
Remove restriction for adb shell initial run on Android 8.0+
Add support for 32-bit kernels compiled under Android 8.0+
Add initial support for MT6771 on Android 9+
Minor bug fixes
Release 13 - May 16, 2019
Improve stack protection detection -- add support for some armv7-kernel 3.x phones
Release 12 - April 26, 2019
Unify the arm and armv7-kernel binaries into one
Support Linux 4.9.x
Improve speed and possibly reliability
Fix arm64 support for phones on kernel 3.10.65
Fix stack protection workaround for armv7 kernels
Update readme file
Release 11 - April 10, 2019
Fix up and enable rooting for 32-bit kernels -- first such device confirmed (thanks @anthonykb)
Improve criteria for detecting strong stack protection
Release 10 - April 7, 2019
Fix support for the latest Oreo devices
Add compatibility for kernels with stack protection (Nokia phones)
Improve reliability
Initial support for 32-bit (armv7) kernels -- needs testing
Release 9 - April 1, 2019
Confirmed support for at least some Oreo devices
Fix bugs with R8
Release 8 - March 30, 2019 (REMOVED)
Lay the groundwork for Oreo devices
Improve performance
Improve reliability
Release 7 - March 17, 2019
Add/fix support for many Linux ver. ≤ 3.18.22 devices
Fix arm binary on Fire HD 10
Release 6 - March 13, 2019
Add support for some devices with kernel 4.4.x (MT8167 confirmed by @cybersaga)
Minor bug fixes
Release 5 - March 7, 2019
Support kernels with CONFIG_KALLSYMS_ALL disabled
Improve reliability
Release 4 - March 4, 2019
Improve compatibility with phones
Support Fire TV 2 new FW
Minor bug fixes
Improve reliability
Release 3 - March 1, 2019
Add support for HD 10 7th gen
Add support for 3.10 kernel layout
Add possible support for MT67xx phones
Improve reliability
Release 2 - Feb. 27, 2019
Add support for HD 8 8th gen and 32-bit only user stacks
FAQI got the error, "This firmware cannot be supported". What's up with that?
This means that your device's firmware is not prone to the mechanism used by mtk-su. It may be a new device or it may have started from a firmware update. It will not be feasible to add root support for the current or future firmware versions. Check the last supported firmware version in post 4. If the last working FW is not listed and your device used to work with mtk-su, please report the last working version and/or your current version. In those cases, it may be possible to get mtk-su support by downgrading the firmware.
I got the error, "Firmware support not implemented". What gives?
That means that mtk-su does not recognize the type of firmware on your device. While It's technically possible to add basic detection, most of the time this error happens on devices that have already blocked mtk-su access. So implementing it would only kick the can down the road and probably lead to a, "This firmware cannot be supported" message (see above). If your device has Android 10+ or a security patch level at 03-2020 or higher, or if your firmware is newer than the last compatible version in post 4, there is no need to report this error.
Will this work on my phone?
Yes, it will work on your phone, unless it doesn't. But to be serious, there is no point in asking this question. If you have the device in hand, it is much quicker to just try out the above procedure than to wait for a response. You are usually the best person to answer that question. If your device is listed among the confirmed models or, to a lesser extent, your chipset is supported, that's a good indication that mtk-su will succeed, but that is not guaranteed. You should report your success or failure in this thread, along with the requested materials if it fails.
Why don't you reply to my post?
I read every post in this thread, and respond to practically every post that warrants a response. Sometimes I will only click a Thanks as an acknowledgement. The reasons I may not answer your question are:
It has already been answered in the FAQ or multiple times in the thread.
Your post is unrelated to this project. It may be specific to your device, which would make it off topic for this thread.
Your question is extremely vague and you appear to be intentionally leaving out basic information (e.g. fishing).
After getting a root shell I'm still getting 'permission denied' errors. WTH?
It may be that selinux is still being enforced. Having root with selinux enabled somehow ends up being more restrictive than a normal shell user. First, check that mtk-su succeeded in setting selinux to permissive by running getenforce. If it says Enforcing, then exit your shell and run mtk-su again.
Will this work on an MT65xx or MT8127?
There is no support for most 32-bit chips. But there may be a couple where it's possible.
Does this thing unlock the bootloader?
No, it does nothing to unlock the bootloader.
I ran mtk-su successfully, but my apps still don't have root permissions.
Mtk-su does not give apps root permissions. It is not a permanent root solution in and of itself. It opens a command shell that has root and administrative capabilities within the context of that shell. It's up to you what you want to do with it. But also, there is a way to load Magisk using this tool without the need to unlock your bootloader. Just follow this guide.
How does this tool work?
It overwrites the process credentials & capabilities in the kernel in order to gain privileges. It also turns off selinux enforcement by overwriting the kernel's selinux_enforcing variable. As for how it accesses that memory, the tool involves making use of the vulnerability known as CVE-2020-0069.
Can I include mtk-su in my app or meta-tool?
Generally speaking, you may not distribute any mtk-su zip or binaries with your software. That includes doing any automatic download of those files into your app. You can still use it with your tools. But you should ask your users to visit this thread and download the current release zip themselves. No apps have been permitted to bundle or auto-download mtk-su.
CREDITS
Thank you to everyone who has tested and provided feedback to help me add support for the large variety of MTK-based devices out there. There are simply too many people to list.
MediaTek, Inc., who leave holes and backdoors in their OS to make software like this possible :good:
Thank you to everyone who has donated. You're the best!
INSTRUCTIONS FOR TERMINAL APPYou can optionally run mtk-su on a terminal emulator such as Terminal Emulator for Android (recommended) or Termux. The basic idea is to copy the executable to the terminal app's internal directory and run it from there. These are the instructions for Termux, but a similar procedure applies to all terminal shell apps.
Make sure you meet all the requirements from the first post, especially the first and last ones.
Download the current mtk_su zip to your device and unzip it. Take note of where you extracted it. Pick the variant that fits your device. (See above.)
Open Termux and copy the mtk-su binary to its home directory, which in this case is the shell's initial working directory.
General idea: cp path/to/mtk-su ./
For example,
cp /sdcard/mtk-su_r14/arm64/mtk-su ./
For this to work, you have to enable the Storage permission for your term app. Do not try to circumvent the cp command with clever copying methods involving file managers or external tools. Mtk-su will not get the right permissions that way.
Make file executable
chmod 700 mtk-su
Run the program
./mtk-su
If mtk-su fails, post the output of ./mtk-su -v here along with a link to firmware and/or kernel sources, if possible.
Note that for most terminal shell apps, the internal app directory is stored in the variable $HOME. So in general you would do
cd
cp path/to/mtk-su ./
chmod 700 mtk-su
./mtk-su
PROJECTS USING THIS TEMP ROOT
Partition Backup Helper for Termux by @mrmazak
Creates a script that automatically backs up your device's partitions, which may come in handy for repairs or experimenting.
Full bootless root with Magisk (for 20.x to 21.4) by @diplomatic
Loads Magisk without modifying the firmware.
Full bootless root with Magisk for 22.x+ by @HemanthJabalpuri
Loads the latest Magisk version without modifying the firmware.
Status
NOTE: Any firmware update released after March, 2020 is bound to block this temp root. Think twice before updating your device if you would like to keep using mtk-su.
Confirmed Devices
Acer Iconia One 10 B3-A30/B3-A40/B3-A50 series
Acer Iconia One 8 B1-860 series
Acer Iconia Talk S
Alba tablet series
Alcatel 1 5033 series
Alcatel 1C
Alcatel 3L (2018) 5034 series
Alcatel 3T 8
Alcatel A5 LED 5085 series
Alcatel A30 5049 series
Alcatel Idol 5
Alcatel/TCL A1 A501DL
Alcatel/TCL LX A502DL
Alcatel Tetra 5041C
Alcatel U5 / Orange Rise 52
Alldocube iPlay10 Pro
Alldocube iPlay8
Amazon Fire 7 2019 -- up to Fire OS 6.3.1.2 build 0002517050244 only
Amazon Fire HD 8 2016 -- up to Fire OS 5.3.6.4 build 626533320
Amazon Fire HD 8 2017 -- up to Fire OS 5.6.4.0 build 636558520 only
Amazon Fire HD 8 2018 -- up to Fire OS 6.3.0.1 only
Amazon Fire HD 10 2017 -- up to Fire OS 5.6.4.0 build 636558520 only
Amazon Fire HD 10 2019 -- up to Fire OS 7.3.1.0 only
Amazon Fire TV 2 -- up to Fire OS 5.2.6.9 only
ANRY S20
ASUS ZenFone 3 Max ZC520TL
ASUS ZenFone Max Plus X018D
ASUS ZenPad 3s 10 Z500M
ASUS ZenPad Z3xxM(F) MT8163-based series
Barnes & Noble NOOK Tablet 7" BNTV450 & BNTV460
Barnes & Noble NOOK Tablet 10.1" BNTV650
Blackview A8 Max
Blackview BV9600 Pro (Helio P60)
BLU Life Max
BLU Life One X
BLU R1 series
BLU R2 LTE
BLU S1
BLU Tank Xtreme Pro
BLU Vivo 8L
BLU Vivo XI
BLU Vivo XL4
Bluboo S8
BQ Aquaris M4.5
BQ Aquaris M8
CAT S41
Coolpad Cool Play 8 Lite
Coolpad Legacy S(R)
Cubot Power
Doogee X70
Dragon Touch K10
Echo Feeling
Evercoss Genpro X Pro S50
Gionee F103 Pro
Gionee M7
Gionee S9
HiSense Infinity H12 Lite
HTC Desire 12
HomTom HT20
Huawei GR3 series
Huawei Y5II
Huawei Y6II MT6735 series
ION Gravity
Lava Iris 88S
Lenovo A5
Lenovo C2 series
Lenovo Tab E7
Lenovo Tab E8
Lenovo Tab2 A10-70F
Lenovo Tab3 10
Lenovo Vibe K5 Note
LG K8+ (2018) X210ULMA (MTK)
LG K10--K430 series
LG K10 (2017)
LG K50
LG Q7 (MTK)
LG Stylo 4 (MTK) -- up to Q710AL11k
LG Tribute Dynasty
LG X power 2/M320 series (MTK)
LG Xpression Plus 2/Harmony 3/K40 LMX420 series
Lumigon T3
Meizu M5c
Meizu M6
Meizu Pro 7 Plus
Motorola Moto C series
Motorola Moto E3 series (MTK)
Motorola Moto E4 series (MTK)
Nokia 1
Nokia 1 Plus
Nokia 3
Nokia 3.1
Nokia 3.1 Plus
Nokia 5.1
Nokia 5.1 Plus/X5
Odys PACE 10 (MT8163)
Onn 7" Android tablet
Onn 8" & 10" tablet series (MT8163) -- up to 10/2019 FW only
Oppo A59 series
Oppo A5s -- up to A.30 only
Oppo A7x -- up to Android 8.x
Oppo F5 series/A73 -- up to A.39
Oppo F7 series -- Android 8.x only
Oppo F9 series -- Android 8.x only
Oppo R9xm series
Oukitel K6
Oukitel K9
Oukitel K12
Oukitel U18
Philips E518
Protruly D7
RCA Voyager III - RCT6973W43MDN
Realme 1
Realme 3
Snopow M10 series
Sony Xperia C4
Sony Xperia C5 series
Sony Xperia L1
Sony Xperia L3
Sony Xperia M5 series
Sony Xperia XA series
Sony Xperia XA1 series
Southern Telecom Smartab ST1009X (MT8167)
Teclast M30
TECNO Spark 3 series
Umidigi F1 series
Umidigi Power
Verizon Ellipsis 10 HD QTAXIA1
Vernee Mix 2
Wiko Ride
Wiko Sunny
Wiko View3
Xiaomi Redmi 6/6A series
ZTE Blade 10 Prime
ZTE Blade A530
ZTE Blade A7 Prime
ZTE Blade D6/V6
ZTE Blade V8 Lite
ZTE Quest 5 Z3351S
ZTE Voyage 4S/Blade A611/Blade A610
Support Problematic*
Most/all Vivo phones
Most/all Huawei/Honor models with Android 8+
Most Oppo phones in app mode
Oppo F11 -- up to CPH1911EX_11_A.22 only
Most/all Samsung MTK-based phones
Supported Chipsets
Including, but not limited to: MT6735, MT6737, MT6738, MT6739, MT6750, MT6752, MT6753, MT6755, MT6757, MT6758, MT6761, MT6762, MT6763, MT6765, MT6771, MT6779, MT6795, MT6797, MT6799, MT8163, MT8167, MT8173, MT8176, MT8183, MT6580, MT6595
* These devices typically use kernel modifications to deter root access via exploits. But this temp root method can still attain root on most of these models in theory. However, I will not be adding support for such non-standard kernels in the main release versions. A tailored version of mtk-su can be made to handle a protected kernel in a specific firmware. This is not something I'm usually motivated to do. But it's possible to make such a version if you can somehow encourage me.
Re-re-reserved
Great work mate!! I would liked to of kept secret till I got myself a new Sony L3 and backup the ta thought.
:laugh:
:highfive:
LOL... thanks!
Don't worry man, no one reads this forum
Great work. Having used both a hardware root method and this method on a pair of devices I have, mtk-su was waaaaaaay easier to work with. Big thanks!
looks great ...i want to try it on a Vodafone carrier branded mtk67__ device in Spain / Europe to see what happens ...
ultimately i would want to use su to pull a copy of stock recovery to sd card / that and boot partition.img
what about after pulling stock recovery & porting twrp i flash twrp with flashfire or similar and after booting directly to recovery flash dm-verity disable .zip ...
reason being that bootloader is locked and this device is on marshmallow ...
*so my question is ...
will mounting rw on marshmallow trip dm-verity immediately and bootloop instantly or only on reboot ...if it's on reboot it would serve my purpose ..
* next question is if im running as su in shell how will I "give" escalated privileges to third party apk like flashfire for example or is it possible to disable dm-verity from root shell using commands ?
or installing mixplorer with root privileges for examle ..
KevMetal said:
looks great ...i want to try it on a Vodafone carrier branded mtk67__ device in Spain / Europe to see what happens ...
ultimately i would want to use su to pull a copy of stock recovery to sd card / that and boot partition.img
what about after pulling stock recovery & porting twrp i flash twrp with flashfire or similar and after booting directly to recovery flash dm-verity disable .zip ...
reason being that bootloader is locked and this device is on marshmallow ...
*so my question is ...
will mounting rw on marshmallow trip dm-verity immediately and bootloop instantly or only on reboot ...if it's on reboot it would serve my purpose ..
* next question is if im running as su in shell how will I "give" escalated privileges to third party apk like flashfire for example or is it possible to disable dm-verity from root shell using commands ?
or installing mixplorer with root privileges for examle ..
Click to expand...
Click to collapse
@diplomatic made a good outline of the the steps to "jump" into full root. At least until rebooted.
I will add the link to the post, but keep the discussion that follows , here in this thread
*Copied from post https://forum.xda-developers.com/showpost.php?p=79348378&postcount=569
diplomatic said:
For advanced users or devs: here's a general overview for a method to get root with Magisk without having to modify your boot image.
Get a Magisk zip file and extract the magiskinit binary. Push magiskinit to your device.
Extract the magisk binary from magiskinit with ./magiskinit -x magisk
Make a symbolic link to (or a copy of) magiskinit and call it magiskpolicy.
Make a symbolic link to (or a copy of) magisk and call it su.
Make a small ext4 image of about 2 to 4MB (using something like make_ext4fs -J -l 2MB). In it, place Magisk's magisk and su binaries. The su binary could be either a link to magisk or a copy of it. (Idea borrowed from @k4y0z's unlock method.)
Get a root shell with mtk-su
Patch the running sepolicy with a magisk context using ./magiskpolicy --live --magisk 'allow magisk * * *' .
Start a temporary Magisk daemon with ./magisk --daemon
Start a temporary Magisk root shell with ./su. This may involve prompts from Magisk Manager.
Check to make sure the new root shell has the context u:r:magisk:s0. Don't proceed if it's not that context.
From the magisk context shell, mount the ext4 image to /system/xbin with
losetup /dev/block/loop0 magisk.img
mount /dev/block/loop0 /system/xbinYou may be able to combine those 2 commands into one, but I wasn't able to on my device.
Kill the temporary magisk daemon with killall magiskd. The point of this is to launch a new daemon from within the magisk se-context. Otherwise there will be problems with selinux.
Start a new daemon with magisk --daemon. Notice that there's no ./ at the start. This is to test the loopback img.
Exit the temporary ./su shell. You may get an error message, but that's fine. At this point you should be back to the mtk-su shell.
Exit the mtk-su shell.
Check if su works. You should get a prompt from Magisk Manager.
At this point, if you get a normal root shell, you can do setenforce 1.
Now all apps that want su access will have it with proper prompting.
Have some app execute steps 6 through 17 at every startup.
Steps 1-5 are done once. Step 6 onward are done at every boot session. A script would probably help. I'm sure this is missing some details, but I just wanted to convey the general idea.
EDIT: If you get this system up and running, you of course want to avoid updating Magisk binaries through MM. That's pretty important because doing so will probably stop your device from booting.
Click to expand...
Click to collapse
KevMetal said:
looks great ...i want to try it on a Vodafone carrier branded mtk67__ device in Spain / Europe to see what happens ...
ultimately i would want to use su to pull a copy of stock recovery to sd card / that and boot partition.img
what about after pulling stock recovery & porting twrp i flash twrp with flashfire or similar and after booting directly to recovery flash dm-verity disable .zip ...
reason being that bootloader is locked and this device is on marshmallow ...
*so my question is ...
will mounting rw on marshmallow trip dm-verity immediately and bootloop instantly or only on reboot ...if it's on reboot it would serve my purpose ..
* next question is if im running as su in shell how will I "give" escalated privileges to third party apk like flashfire for example or is it possible to disable dm-verity from root shell using commands ?
or installing mixplorer with root privileges for examle ..
Click to expand...
Click to collapse
Cool... let us know the results of running mtk-su on that phone, as well as the full model name so I can list it.
So you're on the right track about installing permanent root. I was pretty vague about it in the OP because it's a complex topic and it's pretty risky territory. Before trying to mod your boot image with systemless root and/or verity disabled, you have to check how restrictive your BL is. It's very possible that it can accept self-signed or unsigned images without needing to unlock. You can check this in a minesweeper fashion by flashing your stock recovery with the OEM signature removed and see if it boots. If not, Android will restore the stock recovery automatically, no harm done.
If you want to flash partitions from a root shell, you can use the dd command. FlashFire is a glorified dd flasher. For example, to flash a recovery image you would do
dd if=recovery.img of=/dev/block/platform/mtk-msdc.0/11230000.MSDC0/by-name/recovery
The exact path of the dev node varies by device. You should do more research about it if you're interested. To dump partitions, essentially do the reverse of if= and of=.
If you want, you can post your stock recovery image and I can modify it so you can test how restrictive your BL is. There's no need to jump ahead to TWRP yet.
diplomatic said:
If you want, you can post your stock recovery image and I can modify it so you can test how restrictive your BL is. There's no need to jump ahead to TWRP yet.
Click to expand...
Click to collapse
Most MTK's allow the boot probably due to difficulties during OTA patches indeed a lot of the OEM OTA's I have seen actually flash the recovery.img to the boot partition first then reboot do the update flash the recovery to recovery partition then reboot to recovery do the final check then reflash the boot.img back to the boot partition.
I think this is so if the OTA fails at any point they are always in recovery mode. If any of that makes sense :laugh:
Some mtk fstab's I have seen even have a flag that states verify "recoveryonly" so you can flash a TWRP recovery.img to the boot and it will boot up but it will not if flashed to the recovery of course OEM's may have other ideas and implementations so caution and a way back are definitely needed.
It's definitely a game of Russian roulette with a one in six chance of you finding the loaded chamber.
Been too secure can backfire on OEM's and cost them as with the Amazon Fire Phone I brick 3 or 4 of those suckers trying to unlock it and even they could do nothing with them so they would just give me a new one and I am convinced they actually locked themselves out on that devices and that's why it never got a version update or bootloader unlock which is a shame because it was a good phone. :silly:
bigrammy said:
Most MTK's allow the boot probably due to difficulties during OTA patches
Click to expand...
Click to collapse
OK, but I don't see how any of this would prevent cryptographic signature checking and enforcement at any OTA installation stage. Do you have any reason to believe that most devices that are not unlockable have support for unsigned images?
diplomatic said:
OK, but I don't see how any of this would prevent cryptographic signature checking and enforcement at any OTA installation stage. Do you have any reason to believe that most devices that are not unlockable have support for unsigned images?
Click to expand...
Click to collapse
Depends on oem I guess eg: Lenovo TAB2 never unlock the bootloader, Infocus Never unlocked the bootloader, All China brands various I never unlocked the bootloaders yet all rooted with custom recovery's installed although most of these were Android 6.0 so AVB used by Magisk SuperSU etc works for them.
Nokia3 I did unlock the bootloader but I beginning to think maybe I didn't need to and maybe I can test that theory soon when I get one back I loaned out.
Big brands like Sony Defo need to be unlocked but lessor brands I am not so sure about.
OK, good to know, @bigrammy
diplomatic said:
OK, good to know, @bigrammy
Click to expand...
Click to collapse
I might try flash the boot of my Sony XA1 (bootloader locked) with a TWRP recovery over the weekend and see what happens. It just means me having to boot windows to recover it if it fails and I have not done that in 18 months or more :laugh:
EDIT: Unsigned TWRP Failed to boot so now I will try with a AVB signed image and see what happens.
EDIT 2: AVB signed TWRP Failed verification check too. :laugh:
PS: Never unlocked the Lumigon T3 (my daily driver) either and that was marketed a secure device it took me about 30 min's to to make a scatter file then pull the boot with SPFlashTool ported over TWRP from my Infocus pre patched the boot with Magisk flashed them back done. Again it seems AVB sig was enough for this device too but again Android 6.0. :laugh:
OK.... it would be interesting what happens with the Sony...
It's pretty much the same deal with the Asus Zenpad series. The Z3xxM series, based on MT8163, can be flashed without unlocking the BL. On the old Android 6 FW, you needed to have an AVB signature for it go through. On Android 7, you don't even need that. However, for the high-end MT8176-based Zenpad Z500M, they locked it down so that you'd need to unlock before installing a custom boot/recovery--OEM sig support only.
bigrammy said:
EDIT: Unsigned TWRP Failed to boot so now I will try with a AVB signed image and see what happens.
EDIT 2: AVB signed TWRP Failed verification check too. :laugh:
Click to expand...
Click to collapse
LOL... I guess I'll have to stick to unlocking my Sonys before installing root.
I have a question
I have been looking ways to root redmi 6a. Xiaomi have been imposing 15d grace period one any request to unlock boot loader. Very annoyed
My question is if I manage to root it and install TWRP. can I still modify the boot loader without unlocking it?
Tia
Sent from my Redmi 6A using Tapatalk
Hi, @ahhl
If you can install and boot TWRP without unlocking the bootloader, you can almost definitely install permanent root to a boot image. The question is whether the locked BL on that phone will boot an image that is unsigned or wipe out instead. This is what bigrammy and I were just talking about above. I'd love to know if mtk-su works on that phone, btw....
i will try. but i am just novice?. i read thru the conversation between you and bigrammy, only to 30% goes thru my head?
if i manage run mtk-su, then flash twrp, if the flashing did not work, it will just reboot back using stock boot.? i do not have to worry something i need to do just like bigrammy did for 30min, just to get the phone running? as the reboot just wipe twrp? is this true?
Ok so heres the full story (It's short):
So my V20 bricked itself for no reason (I was on stock for a few days unrooted no unlock nothing)
and while going through xda I stumbled upon this:https://forum.xda-developers.com/on...eble-lineageos-15-1-treble-oneplus-3-t3830455
Treble on the oneplus 3 and 3t. Why this one you might ask
well it is because our V20 and the Oneplus are similar.
So here is what somebody who is willing to help with a h990ds or H990 (It wont brick your device don't worry)needs to do:
1.First install this modded twrp here is the Link (Made from Pheonix591's twrp): https://drive.google.com/file/d/1pBrjWnKqRFFsQ-By_ElE3pW3LbWsg9sx/view?usp=sharing
2. Boot into the TWRP and go to advanced options then select terminal
Now type Treble and wait for a few seconds (This command is taken from the trebel port for oneplus 3 @simonsh)
Next reboot to whatever rom you are using(If it doesn't boot or bootloops something went wrong retry from step 2)
After it boots successfully go back to twrp and check in wipe and advanced wipe for Vendor
Now here is the problem the partition is only about 100 megabytes which we cant really use for treble it is too small.
So I am pinging a person who might be able to help us :
@runningnak3d I need your help in making the partition larger as it is again only about 100megabytes
Edit: So Runningnak3d has stopped developing for the V20 :crying: and I had just remembered that @x86cpu might be able to help so pinging him, we want as much people as possible.
Uhh so seems like my wifi is not properly working I will upload the twrp
Mysteriouslog6 said:
Ok so heres the full story (It's short):
So my V20 bricked itself for no reason (I was on stock for a few days unrooted no unlock nothing)
and while going through xda I stumbled upon this:https://forum.xda-developers.com/on...eble-lineageos-15-1-treble-oneplus-3-t3830455
Treble on the oneplus 3 and 3t. Why this one you might ask
well it is because our V20 and the Oneplus are similar.
So here is what somebody who is willing to help with a h990ds or H990 (It wont brick your device don't worry)needs to do:
1.First install this modded twrp here is the Link (Made from Pheonix591's twrp):
2. Boot into the TWRP and go to advanced options then select terminal
Now type Treble and wait for a few seconds (This command is taken from the trebel port for oneplus 3 @simonsh)
Next reboot to whatever rom you are using(If it doesn't boot or bootloops something went wrong retry from step 2)
After it boots successfully go back to twrp and check in wipe and advanced wipe for Vendor
Now here is the problem the partition is only about 100 megabytes which we cant really use for treble it is too small.
So I am pinging a person who might be able to help us :
@runningnak3d I need your help in making the partition larger as it is again only about 100megabytes
Click to expand...
Click to collapse
Running naked moved on and stopped developing for the V20 a long time ago.
Sent from my LG-H910 using XDA Labs
cnjax said:
Running naked moved on and stopped developing for the V20 a long time ago.
Sent from my LG-H910 using XDA Labs
Click to expand...
Click to collapse
That's really sad I was hoping someone can help me with the partition problem, what about @x86cpu ?
Mysteriouslog6 said:
Ok so heres the full story (It's short):
So my V20 bricked itself for no reason (I was on stock for a few days unrooted no unlock nothing)
and while going through xda I stumbled upon this:https://forum.xda-developers.com/on...eble-lineageos-15-1-treble-oneplus-3-t3830455
Treble on the oneplus 3 and 3t. Why this one you might ask
well it is because our V20 and the Oneplus are similar.
So here is what somebody who is willing to help with a h990ds or H990 (It wont brick your device don't worry)needs to do:
1.First install this modded twrp here is the Link (Made from Pheonix591's twrp): https://drive.google.com/file/d/1pBrjWnKqRFFsQ-By_ElE3pW3LbWsg9sx/view?usp=sharing
2. Boot into the TWRP and go to advanced options then select terminal
Now type Treble and wait for a few seconds (This command is taken from the trebel port for oneplus 3 @simonsh)
Next reboot to whatever rom you are using(If it doesn't boot or bootloops something went wrong retry from step 2)
After it boots successfully go back to twrp and check in wipe and advanced wipe for Vendor
Now here is the problem the partition is only about 100 megabytes which we cant really use for treble it is too small.
So I am pinging a person who might be able to help us :
@runningnak3d I need your help in making the partition larger as it is again only about 100megabytes
Edit: So Runningnak3d has stopped developing for the V20 :crying: and I had just remembered that @x86cpu might be able to help so pinging him, we want as much people as possible.
Click to expand...
Click to collapse
Mind if I help I recently acquired a vs995 for cheap so for know at least im back. I experimented with trebe on the g5 and was able to build a treblized los 15.1 but the problem was no gsi would boot here's what I used to build it.
https://review.lineageos.org/c/LineageOS/android_device_lge_h850/+/222974
https://review.lineageos.org/c/LineageOS/android_device_lge_msm8996-common/+/221553
https://review.lineageos.org/c/LineageOS/android_kernel_lge_msm8996/+/222018
I then added this to BoardConfigCommon.mk:
# Treble
BOARD_PROPERTY_OVERRIDES_SPLIT_ENABLED := true
BOARD_VNDK_RUNTIME_DISABLE := true
BOARD_VNDK_VERSION := current
PRODUCT_FULL_TREBLE_OVERRIDE := true
I would also like to mention that a few years ago @King_lilrowrow said he was working on/achieved treble on the G5 I'd contact him as well for help.
What is 'treble' / 'treblizing'... Curious what it does.
kaluna00 said:
What is 'treble' / 'treblizing'... Curious what it does.
Click to expand...
Click to collapse
The command does this (From @simonsh thread)
Code:
/sbin/sgdisk --typecode=5:8300 /dev/block/sdf
/sbin/sgdisk --change-name=5:vendor /dev/block/sdf
It basically makes the sdf block the vendor partition (Works as nothing has interfered with the working of the phone so the partition is unused but it is too small need help with that)
kaluna00 said:
What is 'treble' / 'treblizing'... Curious what it does.
Click to expand...
Click to collapse
So treble aka project treble is something google implemented with android 8 that splits system/vendor to / system and /vendor basically it gives vendor files which are device-specific code and drivers used to interact with the phone's hardware there own separate partition. Now since /system without vendor is mostly free of device-specific code it means that the phones os can be upgraded with messing with building and modifying the device-specific code, this is were GSIs (generic system images) come in, flashing a gsi essentially means we can modify and upgrade our OS like a custom rom but instead of spending hours working on a custom rom we can just build a system image which is very fast and easy and it can do just as much as a custom rom as far as enhancing the user experience goes.
That's the best I can explain it here is an article explaining it more and as far as trebilizing goes it's just a term used when someone gets treble working on an old device that doesn't support it from the factory.
ROMSG said:
Mind if I help I recently acquired a vs995 for cheap so for know at least im back. I experimented with trebe on the g5 and was able to build a treblized los 15.1 but the problem was no gsi would boot here's what I used to build it.
https://review.lineageos.org/c/LineageOS/android_device_lge_h850/+/222974
https://review.lineageos.org/c/LineageOS/android_device_lge_msm8996-common/+/221553
https://review.lineageos.org/c/LineageOS/android_kernel_lge_msm8996/+/222018
I then added this to BoardConfigCommon.mk:
# Treble
BOARD_PROPERTY_OVERRIDES_SPLIT_ENABLED := true
BOARD_VNDK_RUNTIME_DISABLE := true
BOARD_VNDK_VERSION := current
PRODUCT_FULL_TREBLE_OVERRIDE := true
I would also like to mention that a few years ago @King_lilrowrow said he was working on/achieved treble on the G5 I'd contact him as well for help.
Click to expand...
Click to collapse
Thanks for wanting to help I will send a link for the vs995 with a custom twrp. Also isn't the BoardConfigCommon.MK in the source for lineage os I will try building it with the modifications
Mysteriouslog6 said:
Thanks for wanting to help I will send a link for the vs995 with a custom twrp. Also isn't the BoardConfigCommon.MK in the source for lineage os I will try building it with the modifications
Click to expand...
Click to collapse
Thanks, BoardConfigCommon.mk is a device tree file and specific to any rom. Here this Commit outlines one of the issues @x86cpu had with getting treble working.
@ROMSG
Thanks a bunch for the explanation. I appreciate you breaking it down I like that. I'll do some homework and check out that link after work. Take care!
Mysteriouslog6 said:
Thanks for wanting to help I will send a link for the vs995 with a custom twrp. Also isn't the BoardConfigCommon.MK in the source for lineage os I will try building it with the modifications
Click to expand...
Click to collapse
Any update on the vs995 custom twrp?
ROMSG said:
Any update on the vs995 custom twrp?
Click to expand...
Click to collapse
Sorry for the late reply I will send it tomorrow itself (Will have to somehow see if the TWRP boots or not)
Heres the link:
twrp-treble-vs995.img
drive.google.com
ROMSG said:
Any update on the vs995 custom twrp?
Click to expand...
Click to collapse
I have sent the TWRP just check the latest post
Mysteriouslog6 said:
I have sent the TWRP just check the latest post
Click to expand...
Click to collapse
Just saw it thanks
Mysteriouslog6 said:
Ok so heres the full story (It's short):
So my V20 bricked itself for no reason (I was on stock for a few days unrooted no unlock nothing)
and while going through xda I stumbled upon this:https://forum.xda-developers.com/on...eble-lineageos-15-1-treble-oneplus-3-t3830455
Treble on the oneplus 3 and 3t. Why this one you might ask
well it is because our V20 and the Oneplus are similar.
So here is what somebody who is willing to help with a h990ds or H990 (It wont brick your device don't worry)needs to do:
1.First install this modded twrp here is the Link (Made from Pheonix591's twrp): https://drive.google.com/file/d/1pBrjWnKqRFFsQ-By_ElE3pW3LbWsg9sx/view?usp=sharing
2. Boot into the TWRP and go to advanced options then select terminal
Now type Treble and wait for a few seconds (This command is taken from the trebel port for oneplus 3 @simonsh)
Next reboot to whatever rom you are using(If it doesn't boot or bootloops something went wrong retry from step 2)
After it boots successfully go back to twrp and check in wipe and advanced wipe for Vendor
Now here is the problem the partition is only about 100 megabytes which we cant really use for treble it is too small.
So I am pinging a person who might be able to help us :
@runningnak3d I need your help in making the partition larger as it is again only about 100megabytes
Edit: So Runningnak3d has stopped developing for the V20 :crying: and I had just remembered that @x86cpu might be able to help so pinging him, we want as much people as possible.
Click to expand...
Click to collapse
Hello, since Android 12 beta has released recently, i get to know that we can use the GSI image to update “any” (in terms of project treble supported) device to a newer android version without the need of building the rom per device.
So that i started to explore on a few xda threads trying to get Treble on LG V20. After digging into it, i updated my TWRP to the latest image (official TWRP 3.5.2_9 H990 which is the Official TWRP build commit based on Pheonix591's twrp build), then i saw that the /vendor shows up on mount, but not on either Wipe or Backup, which Phoenix591’s reddit post stated that this means there’s no vendor partition on it.
I followed this thread, since my TWRP is not modded (as the link in your comment does not work) I typed two sgdisk commands which the Treble command does, after a reboot, i saw a Vendor partition in Backup showed 0mb, Vendor partition DOES NOT appears on Wipe.
Next, as what i saw from @x86cpu ’s comment, he said he repartitioned and created the /vendor partition of 512mb by resizing the /system partition, unfortunately i am new to partitioning the Android device, i haven’t figured out how i can do that.
I tried to do sgdisk —print /dev/block/mmcblk0, it showed a single 64gb MBR FAT32 Partition instead of showing the system partition, it seems to be showing the micro sd card instead of the system volume, so i tried to unplug the sd card and reboot, now /dev/block/mmcblk0 is not found. I also tried to list info of /dev/block/sdf which we have wrote the partition name “vendor” to the 5th parnum of /sdf, it shows that the partition is only 4kb.
Since i have a H990N (Hong Kong version of the H990) i used the Dirty Santa patch to get TWRP installed on the device, that means the device’s bootloader is NOT fully unlocked, so the device might have difference between official unlocked device like the VS995.
Is there anything i could try ?
kwankiu said:
Hello, since Android 12 beta has released recently, i get to know that we can use the GSI image to update “any” (in terms of project treble supported) device to a newer android version without the need of building the rom per device.
So that i started to explore on a few xda threads trying to get Treble on LG V20. After digging into it, i updated my TWRP to the latest image (official TWRP 3.5.2_9 H990 which is the Official TWRP build commit based on Pheonix591's twrp build), then i saw that the /vendor shows up on mount, but not on either Wipe or Backup, which Phoenix591’s reddit post stated that this means there’s no vendor partition on it.
I followed this thread, since my TWRP is not modded (as the link in your comment does not work) I typed two sgdisk commands which the Treble command does, after a reboot, i saw a Vendor partition in Backup showed 0mb, Vendor partition DOES NOT appears on Wipe.
Next, as what i saw from @x86cpu ’s comment, he said he repartitioned and created the /vendor partition of 512mb by resizing the /system partition, unfortunately i am new to partitioning the Android device, i haven’t figured out how i can do that.
I tried to do sgdisk —print /dev/block/mmcblk0, it showed a single 64gb MBR FAT32 Partition instead of showing the system partition, it seems to be showing the micro sd card instead of the system volume, so i tried to unplug the sd card and reboot, now /dev/block/mmcblk0 is not found. I also tried to list info of /dev/block/sdf which we have wrote the partition name “vendor” to the 5th parnum of /sdf, it shows that the partition is only 4kb.
Since i have a H990N (Hong Kong version of the H990) i used the Dirty Santa patch to get TWRP installed on the device, that means the device’s bootloader is NOT fully unlocked, so the device might have difference between official unlocked device like the VS995.
Is there anything i could try ?
Click to expand...
Click to collapse
So in regards to partitioning you have to build a ROM with that partiton table in place for it too work and I have gotten treble to work (this was on myt h830) however no gsi will boot. I had to use this tool to add vender in order to flash my treble rom. I used the 800MB option in order for vender to show up.
Here are some 15.1 device tress I made for tbe VS995. I used the changes from x86cpu
GitHub - ROMSG/Treble-android_device_lge_msm8996-common
Contribute to ROMSG/Treble-android_device_lge_msm8996-common development by creating an account on GitHub.
github.com
GitHub - ROMSG/android_device_lge_vs995
Contribute to ROMSG/android_device_lge_vs995 development by creating an account on GitHub.
github.com
GitHub - ROMSG/Treble_android_device_lge_v20-common
Contribute to ROMSG/Treble_android_device_lge_v20-common development by creating an account on GitHub.
github.com
ROMSG said:
So in regards to partitioning you have to build a ROM with that partiton table in place for it too work and I have gotten treble to work (this was on myt h830) however no gsi will boot. I had to use this tool to add vender in order to flash my treble rom. I used the 800MB option in order for vender to show up.
Here are some 15.1 device tress I made for tbe VS995. I used the changes from x86cpu
GitHub - ROMSG/Treble-android_device_lge_msm8996-common
Contribute to ROMSG/Treble-android_device_lge_msm8996-common development by creating an account on GitHub.
github.com
GitHub - ROMSG/android_device_lge_vs995
Contribute to ROMSG/android_device_lge_vs995 development by creating an account on GitHub.
github.com
GitHub - ROMSG/Treble_android_device_lge_v20-common
Contribute to ROMSG/Treble_android_device_lge_v20-common development by creating an account on GitHub.
github.com
Click to expand...
Click to collapse
Thanks for your reply ! I used the tool in your comment, at first i tried take use /system space to resize a 512mb /vendor partition unfortunately this makes the /system partition only at 5gb which result in Error:7 while flashing new ROMs, so i removed the partition and did it again by adding a 512mb /vendor using space AFTER /data, i checked the partition by fdisk -l /dev/block/sda the /vendor partition is created successfully with 512gb partition size, but no “/vendor” Partition was shown on the Wipe page of TWRP (while the partition was shown in Backup and Mount), not sure whether this affect us on going Treble or not, but wiping /vendor should be possible via terminal commands.
ROMSG said:
So in regards to partitioning you have to build a ROM with that partiton table in place for it too work and I have gotten treble to work (this was on myt h830) however no gsi will boot. I had to use this tool to add vender in order to flash my treble rom. I used the 800MB option in order for vender to show up.
Here are some 15.1 device tress I made for tbe VS995. I used the changes from x86cpu
GitHub - ROMSG/Treble-android_device_lge_msm8996-common
Contribute to ROMSG/Treble-android_device_lge_msm8996-common development by creating an account on GitHub.
github.com
GitHub - ROMSG/android_device_lge_vs995
Contribute to ROMSG/android_device_lge_vs995 development by creating an account on GitHub.
github.com
GitHub - ROMSG/Treble_android_device_lge_v20-common
Contribute to ROMSG/Treble_android_device_lge_v20-common development by creating an account on GitHub.
github.com
Click to expand...
Click to collapse
One more thing, I actually misunderstood the partition yesterday that i said it was 0mb, in fact, the backup page shows 0mb is a normal behaviour as the vendor partition is empty, i didnt check how big is the partition size, but I believe it should be 100mb after running the command “Treble”. Anyways, thanks for pointing out the tools which makes it 512mb now !
I'm on stock oos 10.3.11(Rooted and have twrp 3.5.2). Today I decided to install nethunter 2021.2 on my device.
since my last try with 2021.1 was a failure Installation was complete and finished but was stuck with bootloop last time.
But this time, I stuck on installation itself. I'm getting not enough free space on /system error during the installation.
I googled for like 2 hours and found only one article about this issue but that article was about lineage os.
solution from that article is moving pre-installed apps from ‘/system/app/’ to ‘/sdcard/Documents/’ temporarily.
So i tried to move some pre installed apps using the command it provided but it's not working and little bit out dated it seems. so i tried the help function in terminal but i don't know which options i should be using in order to do that operation. I don't want to brick my device. So, if anyone know how to fix this issue, please help me out here.
nethunter dl link: https://images.kali.org/nethunter/nethunter-2021.2-oneplus6-oos-ten-kalifs-full.zip
solution for lineage os link: https://www.zerodaysnoop.com/how-to/how-to-install-nethunter-lite-part-2/
Amudhan501 said:
I'm on stock oos 10.3.11(Rooted and have twrp 3.5.2). Today I decided to install nethunter 2021.2 on my device.
since my last try with 2021.1 was a failure Installation was complete and finished but was stuck with bootloop last time.
But this time, I stuck on installation itself. I'm getting not enough free space on /system error during the installation.
I googled for like 2 hours and found only one article about this issue but that article was about lineage os.
solution from that article is moving pre-installed apps from ‘/system/app/’ to ‘/sdcard/Documents/’ temporarily.
So i tried to move some pre installed apps using the command it provided but it's not working and little bit out dated it seems. so i tried the help function in terminal but i don't know which options i should be using in order to do that operation. I don't want to brick my device. So, if anyone know how to fix this issue, please help me out here.
nethunter dl link: https://images.kali.org/nethunter/nethunter-2021.2-oneplus6-oos-ten-kalifs-full.zip
solution for lineage os link: https://www.zerodaysnoop.com/how-to/how-to-install-nethunter-lite-part-2/
Click to expand...
Click to collapse
Im getting the exact same issue with my stock OOS 10.2.12. I was able to successfully disable dm-verity and force encryption. When I got to the step of installing nethunter I ended up with
"Error: Not enough space on /system to continue!
Aborting...
Cleaning Up...
Failed to install Kali Nethunter!
Updater process ended with ERROR: 1 Error installing zip file usbstorage/Download/nethunter-2021.2-oneplus6-oos-ten-kalifs-full.zip"
I am getting the same issue on a OnePlus 6T, OOS 10.3.12
The steps I follow to install are:
Wipe data
Flash stock ROM
Flash TWRP Installer Zip
Reboot into TWRP
Flash force-decrypt
Flash magisk
I verify with Root Checker that I do indeed have root
I also verify that force-decrypt works by:
Mount vendor
cat /vendor/etc/fstab.* | grep force
No output - suggesting decryption is successful
I am using the official Oneplus 6 Kali image from:
Get Kali | Kali Linux
Home of Kali Linux, an Advanced Penetration Testing Linux distribution used for Penetration Testing, Ethical Hacking and network security assessments.
www.kali.org
Any advice on how to fix this?
Thank you!
Hey guys,
try this
for me this works!
5K1PP3R said:
Hey guys,
try this
for me this works!
Click to expand...
Click to collapse
I tried that but it didn't work. Im not really in the mood to try the other method. I'm just going to get another phone to do it with because Im using this one for some personal stuff I dont want deleted anyway. Great post though, should help someone out for sure.
So heres the steps I used to get Nethunter up and running.
Tmobile 6T user converted to International. (So for all of you running 6, skip the next paragraph and start at Unlock bootloader).
Started fresh with a msm firehose, went back to android 9. Updated to whatever the version you had to download first to get to 10. 9.0.17 I believe. Then after that I upgraded to the very last 10 version. 10.3.12.
Unlock bootloader.
After that I install magisk, pull the payload from the 10.3.12 firmware and pull my boot.img. Patch it.
Boot into TWRP, flash the magisk boot img. Boot into OOS
Now heres the part where everyone (myself included) messes up. Install nethunter via magisk, and not via TWRP. There's just something messed up with how the storage size of system is being reported to the nethunter install script. I've had plenty of space and the script say theres not enough space 0mb free.
Installing via magisk worked just fine as far as app support goes. I haven't checked functionality beyond an apt upgrade and booting into KeX so I havent put it through its paces yet.
Edit: You can also disable system updates afterwards by running:
Code:
adb shell pm disable-user --user 0 com.oneplus.opbackup
i have had the problem o when trying to flash nethunter through twrp it always ending in error not enough space blah blah it was doing my head in but i found a solution so fdroid goto an app called smart flasher and flash it through that it will install after rebooting
This is the Android 10 recovery image by HCT (version 10.3.1) patched to skip signature checking on .zip files
Tested on MTCE_LM (Eunavi). Use at your own risk
It can be flashed from a root shell (either adb or via terminal emulator) by performing the following steps
1. upload recovery via adb
Code:
adb push hct_recovery_patched.img /sdcard/
2. flash recovery
Code:
# backup current recovery
dd if=/dev/block/by-name/recovery of=/sdcard/recovery_backup.img
# write new recovery
dd if=/sdcard/hct_recovery_patched.img of=/dev/block/by-name/recovery
NOTE: If you do not disable the "flash_recovery" service in /init.rc, AND you have a stock kernel, recovery will be restored to the original version after rebooting.
There are 3 ways to avoid this:
- Flash magisk (or a modified kernel) while in recovery. The patch will then fail to apply and recovery won't be overwritten
- Disable "flash_recovery" by doing "adb remount" and editing /init.rc (comment out the following)
Code:
service flash_recovery /system/bin/install-recovery.sh
class main
oneshot
- Neuter the service by either:
- removing /system/bin/install-recovery.sh- replacing /system/bin/install-recovery.sh with a dummy script- removing /system/recovery-from-boot.p
Woo-hoo, after hundreds of rubbish posts in the MTCD forums, we have a real development post!
Great work and thanks for sharing this, these forums need more like you.
Thanks for the kind comment!
I have to admit that it was frustrating to see the lack of information sharing on this forum, and the pervasive pay-per-use model.
I spent a lot of time just getting Android 10 installed (starting from Android 9), and i had to bring the head unit to my desk as working in the car was rather hard and all i achieved was a brick.
I unfortunately had to bring it back in the car now (can't sit on my desk forever) but, now that i figured out how to make bootable recoveries, i was wondering how hard it could be to have TWRP or at least a hassle-free recovery to install Android 10 from Android 9.
As a first step, this recovery makes it possible to install Magisk or other zip files without doing it manually within adb.
Cheers!
Your work is really good!
Thanks a lot for it.
Now you can also modify ROM's without signatur errors when installing.
Wouldn't it be good if we had an app like the ModInstaller ?
So a one click installation of the recovery without shell or adb.
I have now built an app.
And now need help.
Namely, in the app is the recovery and the script.
Unfortunately, the flash process is not started.
It always comes only the first message from the script.
The app is open source and the script and the recovery are in res/raw.
In the attach you will find the finished app and pictures.
If someone has a solution, he can write me or make a pull request on Github.
Source code:
GitHub - jamal2362/RK33XX-Custom-Recovery-Installer: Application for flashing custom recovery on Rockchip Android Head-Units.
Application for flashing custom recovery on Rockchip Android Head-Units. - GitHub - jamal2362/RK33XX-Custom-Recovery-Installer: Application for flashing custom recovery on Rockchip Android Head-Units.
github.com
The script:
RK33XX-Custom-Recovery-Installer/script at master · jamal2362/RK33XX-Custom-Recovery-Installer
Application for flashing custom recovery on Rockchip Android Head-Units. - RK33XX-Custom-Recovery-Installer/script at master · jamal2362/RK33XX-Custom-Recovery-Installer
github.com
First of all, congrats for the work!
DISCLAIMER:
I don't own ModInstaller, i have never bought a copy of it and i don't intend to do so.
Analysis is purely done from Youtube videos, open source code analysis and existing and openly available binary images.
I was working to figure out how to make a FLOSS alternative to ModInstaller.
The issues i found in all my attempts are the following:
- A6 recovery is the only one that can boot from SD Card (which can then be used to flash A9 -> A10 with the 2SD trick)
- (it took me a long time to pull these information together and unbrick my unit)- The A6 recovery is unable to directly flash A10 RKAF/RKFW images (sdupdate.img) due to the code being too old
- a failure will be observed while writing super.img. This happens because the device needs to be repartitioned, and the A6 recovery is not doing it correctly- A9 recovery is buggy. Booting it with no system installed will result in a black screen.
- it will only boot succesfully after being written by the A6 flash tool, which writes the "misc" partition with the recovery commands to run (the "hint" i get from this is that the misc partition is important)- A10 recovery can't be loaded by the A6 recovery. I always got a black screen after flash. Is it a flash issue? is it an issue with the recovery itself? hard to know
Theory: maybe the recovery could be written over the kernel partition? ("boot")
This way, the recovery will always run after being flashed instead of requiring an explicit "enter recovery" trigger (buttons, misc partition, etc.)
Besides these experiments, in parallel, i did some bug fixing to this repository: https://github.com/liftoff-sr/rockchip-tool/commits/master (i'm "smx-smx")
That allows me to unpack nad repack "sdupdate.img" , "reduced recovery images" and "full IMG files".
With those tools. i tried to swap "recovery.img" in the A6 image, but i always got the black screen upon booting from SD.
Either A9/A10 breaks sdboot or the bootloader crashes before it gets there.
Since this also happens when being flashed, this could either be a bug in the flashing program or a bug in the boot stack (which fails to run recovery perhaps due to a dirty state of the internal flash). It's hard to know for sure without having a UART connection with the board.
BUT, we have an alternative, in the form of the recovery built-in ISP flash tool.
This is the code that reads "sdupdate.img" from the SD Card and flashes it
After reading the recovery source code, i realised that this code can only be triggered correctly when booting from the SD card.
It detects this state by reading /proc/cmdline and probing for specific values (https://github.com/rockchip-android...6f72b7d3123dab27135ac41d55029/sdboot.cpp#L206)
This means the bootloader can (and will) pass those arguments under specific conditions (https://github.com/rockchip-linux/u...c873f178c/arch/arm/mach-rockchip/board.c#L358)
If you check here https://github.com/rockchip-linux/u...3f178c/arch/arm/mach-rockchip/boot_mode.c#L47 you can see the magic word that needs to be written to the "misc" partition in order to trigger that code.
Note that, besides the well known "sdboot", "usbboot" is also possible.
I'm not sure if the ROM can physically boot from USB, but the bootloader and recovery do support (according to code) passing the flag to enable flashing from USB.
So, recapping, there are these ways we can try:
a - try to overwrite "boot" with "recovery" (but it might not work due to the partitioning layout, e.g. jumping from A6 -> A10)
- note: uboot might also need to be written when doing this.
b - making a modified "sdupdate.img" that flashes recovery on top of boot, and all the other core partitions like "misc", "uboot", "trust", "vbmeta"
c - writing "misc" from android in order to triggers the "rkfwupdate" mode
d - taking a dump of the first portion of the flash in various states (A6, A8, A9, A10), and having a "dd" that writes it back to the beginning of the flash (i suspect this is how ModInstaller does it)
Considering cases "b" and "c" depend on a recovery that can write them correctly (and the A6 one is buggy), this leaves us with "a" and "d"
Considering that ModInstaller does it in one shot, and doesn't seem to matter about the partitioning layout, i believe "d" might be the most viable option...
Using the "rockchip-tool" repository i linked from github, the partition table can be dumped from any .img file
You can observe "Image/parameter.txt" from the extracted firmware
This is the partition table from A6's recovery:
[email protected](uboot)
[email protected](trust)
[email protected](misc)
[email protected](resource)
[email protected](kernel)
[email protected](dtb)
[email protected](dtbo)
[email protected](vbmeta)
[email protected](boot)
[email protected](recovery)
[email protected](backup)
[email protected](security)
[email protected](cache)
[email protected](system)
[email protected](metadata)
[email protected](vendor)
[email protected](oem)
[email protected](frp)
[email protected](userdata)
And this is the partition table from A9's recovery
[email protected](uboot)
[email protected](trust)
[email protected](misc)
[email protected](resource)
[email protected](kernel)
[email protected](dtb)
[email protected](dtbo)
[email protected](vbmeta)
[email protected](boot)
[email protected](recovery)
[email protected](backup)
[email protected](security)
[email protected](cache)
[email protected](system)
[email protected](metadata)
[email protected](vendor)
[email protected](oem)
[email protected](frp)
[email protected](userdata)
Notice how uboot, trust, misc, resource, kernel, dtb, and others live in the same space. (2000, 4000, 6000, 8000, 10000, ...)
What we could do is create a raw blob that spans that address range, and "dd" it directly to /dev/mmcblk0 at the right offset.
So i would focus on converting recovery images to raw blobs, with recovery-as-kernel so it boots straight away on the first try.
Bump a real thread.
Is it possible to convert it to a file installed by SDDiskTool?
marchnz said:
Bump a real thread.
Click to expand...
Click to collapse
I created a flashing tool to flash recovery within Android, using Rockchip's own code: https://forum.xda-developers.com/t/...chip-firmware-flash-tool-for-android.4458299/
blala said:
I created a flashing tool to flash recovery within Android, using Rockchip's own code: https://forum.xda-developers.com/t/...chip-firmware-flash-tool-for-android.4458299/
Click to expand...
Click to collapse
This file hct_recovery.patched.img does not appear to be installed via rkupdate
sadaghiani said:
Is it possible to convert it to a file installed by SDDiskTool?
Click to expand...
Click to collapse
It needs to be converted, yes
I'll take a look this afternoon
blala said:
It needs to be converted, yes
I'll take a look this afternoon
Click to expand...
Click to collapse
Is it possible to create a boot image that includes moded recovery & magisk and moded kernel ?
If by image you mean firmware image then yes, it can be done with https://github.com/liftoff-sr/rockchip-tool
But what i would recommend is the modded recovery only, with the magisk .zip to use in Recovery
Otherwise you risk flashing a kernel that doesn't match with kernel modules or is otherwise not fully compatible with the installed system
blala said:
If by image you mean firmware image then yes, it can be done with https://github.com/liftoff-sr/rockchip-tool
But what i would recommend is the modded recovery only, with the magisk .zip to use in Recovery
Otherwise you risk flashing a kernel that doesn't match with kernel modules or is otherwise not fully compatible with the installed system
Click to expand...
Click to collapse
boot.img file included recovery+magisk+kernel
Flashing a boot.img (Kernel, for example) in an Android mobile phone via adb shell
Flashing a boot.img (Kernel, for example) in an Android mobile phone via adb shell - script.sh
gist.github.com
MTCD has separate boot and recovery partitions.
Perhaps you can adapt both recovery/kernel to be in the same image but the bootloader won't know about that (and will always boot from "recovery" partition)