i bought sony z5 dual e6683 mobile phone on amazon. when i received it, i found out that it holds a custom and harmful rom. thus, i decided to flash it with the original firmware.
in order to do so, i had to unlock the bootloader. that's what i did:
1. visited sony developer website and got my unlock code.
2. made sure that _enable usb debugging_, and _enable oem unlock_ are on in _developer options_.
3. i tried to get the device into _recovery mode_ by turning it off, and while holding the volume down button, i connected the device to the usb cable, which was attached to my computer on the other end. though after 10 tries, i understood that it is not working (maybe the one that installed the custom rom tries to ensure that the rom will not be replaced). thus, i decided to give it another try by executing
Code:
adb restart recovery
, but it didn't help, the phone only rebooted, and did not get into recovery mode. worth mentioning that when i execute
Code:
adb devices
, my device appears in the list.
here is more information:
Code:
$ adb shell uname -a
Linux localhost 3.10.84-perf-g19d6d92 #1 SMP PREEMPT Mon Jan 25 22:47:42 2016 aarch64
$ adb shell getprop ro.build.version.sdk
23
$ adb shell getprop ro.build.version.release
6.0
$ adb shell getprop ro.build.id
32.1.A.1.185
$ adb shell getprop ro.build.fingerprint
Sony/E6683/E6683:6.0/32.1.A.1.185/3574277109:user/release-keys
$ adb shell cat /proc/version
Linux version 3.10.84-perf-g19d6d92 ([email protected]) (gcc version 4.9.x-google 20140827 (prerelease) (GCC) ) #1 SMP PREEMPT Mon Jan 25 22:47:42 2016
1. does the kernel version, i.e.
Code:
[email protected]
, seem ok? (seems weird to me)
2. where can i find the original\stock rom\firmware, and not build it myself?
3. how can i resolve the issue, and get into recovery mode to unlock the bootloader?
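Added example, not part of the original post: shell functions that split `ro.build.fingerprint` into its AOSP fields (brand/product/device:release/id/incremental:type/tags) and cross-check them against the `ro.build.version.release` and `ro.build.id` values posted above. The function names are hypothetical and the second sample is constructed.

```shell
#!/bin/sh
# Added example (not from the thread). Build fingerprint layout in AOSP:
#   brand/product/device:release/id/incremental:type/tags
# Function and variable names here are hypothetical.

# split3 STR: split "a/b/c" into S1 S2 S3; fails unless exactly three
# non-empty parts are present.
split3() {
    case $1 in
        */*/*/*) return 1 ;;
        */*/*)   ;;
        *)       return 1 ;;
    esac
    S1=${1%%/*}
    _r=${1#*/}
    S2=${_r%%/*}
    S3=${_r#*/}
    [ -n "$S1" ] && [ -n "$S2" ] && [ -n "$S3" ]
}

# parse_fingerprint FP: sets FP_BRAND FP_PRODUCT FP_DEVICE FP_RELEASE FP_ID
# FP_INCREMENTAL FP_TYPE FP_TAGS; returns 1 if FP does not match the layout.
parse_fingerprint() {
    case $1 in
        *:*:*:*) return 1 ;;
        *:*:*)   ;;
        *)       return 1 ;;
    esac
    _head=${1%%:*}      # brand/product/device
    _rest=${1#*:}
    _mid=${_rest%%:*}   # release/id/incremental
    _tail=${_rest#*:}   # type/tags
    split3 "$_head" || return 1
    FP_BRAND=$S1; FP_PRODUCT=$S2; FP_DEVICE=$S3
    split3 "$_mid" || return 1
    FP_RELEASE=$S1; FP_ID=$S2; FP_INCREMENTAL=$S3
    case $_tail in
        */*/*) return 1 ;;
        ?*/?*) ;;
        *)     return 1 ;;
    esac
    FP_TYPE=${_tail%%/*}
    FP_TAGS=${_tail#*/}
}

# check_build FINGERPRINT RELEASE BUILD_ID
# Prints one line per finding; returns 0 when nothing is flagged, 1 otherwise.
check_build() {
    _rc=0
    if ! parse_fingerprint "$1"; then
        echo "MALFORMED fingerprint: $1"
        return 1
    fi
    [ "$FP_RELEASE" = "$2" ] || {
        echo "MISMATCH release: fingerprint=$FP_RELEASE prop=$2"; _rc=1; }
    [ "$FP_ID" = "$3" ] || {
        echo "MISMATCH build id: fingerprint=$FP_ID prop=$3"; _rc=1; }
    # Retail firmware is built as the 'user' variant and signed with release keys.
    [ "$FP_TYPE" = "user" ] || {
        echo "FLAG build type '$FP_TYPE' (retail builds are 'user')"; _rc=1; }
    [ "$FP_TAGS" = "release-keys" ] || {
        echo "FLAG tags '$FP_TAGS' (expected release-keys)"; _rc=1; }
    return $_rc
}

# check_device: read the same properties from a connected device over adb.
# tr strips the carriage returns that older adb versions append.
check_device() {
    _fp=$(adb shell getprop ro.build.fingerprint | tr -d '\r')
    _rel=$(adb shell getprop ro.build.version.release | tr -d '\r')
    _id=$(adb shell getprop ro.build.id | tr -d '\r')
    check_build "$_fp" "$_rel" "$_id"
}

# Values as posted in the thread above.
SAMPLE_FP='Sony/E6683/E6683:6.0/32.1.A.1.185/3574277109:user/release-keys'
check_build "$SAMPLE_FP" 6.0 32.1.A.1.185 && echo "posted values: consistent"

# Constructed sample: the same fingerprint rebuilt as userdebug/test-keys,
# paired with a release property that disagrees with it.
TAMPERED_FP='Sony/E6683/E6683:6.0/32.1.A.1.185/3574277109:userdebug/test-keys'
check_build "$TAMPERED_FP" 5.1 32.1.A.1.185 || echo "constructed sample: flagged"
```

A clean result only means the properties agree with each other; all of them are read from the running system image, so a modified ROM can report whatever values it likes.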
what is it you are trying to do?
if you want to flash a new FW from sony, u can use xperifirm to DL the FW you need and flash it using flash tool.
xperifirm: http://forum.xda-developers.com/cro...xperifirm-xperia-firmware-downloader-t2834142
flashtool: http://www.flashtool.net/index.php
pay special attention to the model of your phone before DL and flashing your phone.
as for recovery, unless you have custom recovery installed, you cannot get into it.
Here is a guide for Flashtool and XperiFirm
http://www.xperiablog.net/2016/03/12/install-xperia-marshmallow-using-flashtool-and-xperifirm-guide/
It can flash a stock rom to your phone with locked bootloader. (you need to unlock it when flashing any custom kernel only)
and there's no stock recovery in all Xperia devices. for more information, read this http://forum.xda-developers.com/crossdevice-dev/sony/noob-guide-to-sony-ericsson-xperia-t3209012
are u sure about correct command?
Code:
adb reboot recovery
You said you're unlocking the bootloader, but why are you pressing volume down to boot into flash mode? You need to unlock it in fastboot mode, volume up.
This is an FAQ for the Huawei Ideos as there have been many questions on how to do the same things. Hopefully this should help. There are other FAQs but this one tries to compile as many as it can into one FAQ.
Feel free to reply to this if there are any questions or if you want me to make any additions. The FAQ won't be complete to begin with but I will add as I get time.
One thing I will say is that I WON'T TAKE RESPONSIBILITY IF YOU DAMAGE YOUR PHONE. I AM PROVIDING THE INFORMATION AND WILL TRY TO HELP YOU IF SOMETHING BAD HAPPENS BUT I CAN'T TAKE ANY RESPONSIBILITY
1. How to root the IDEOS
This can be done quite simply by adapting what quail wrote:
There are a couple of ways you can go about gaining root access with this phone. I have tested all 3 ways but only had success with 2 of them.
a) You can download 'z4root' from here (WORKS)
b) Search the XDA forums for 'SuperOneClick' which requires mono to work on Linux. I have read people that have had success with 'SuperOneClick' but that was not the case for me. (HAVEN'T CHECKED)
c) My preferred method: (HAVEN'T CHECKED)
Prerequisite:
knowledge of Linux and Terminal
knowledge of ADB (guide available in forums)
I did all this using Debian (testing) 64bit, Android SDK.
Creating correct permissions to access the phone via USB:
i) create
Code:
/etc/udev/rules.d/51-android.rules
ii) in the file put
Code:
SUBSYSTEM=="usb", ATTR{idVendor}=="12d1", MODE="0666"
iii) then
Code:
chmod a+r /etc/udev/rules.d/51-android.rules
iv) restart udev or reboot
Downloading and/or Installing required software:
1) Downloading and installing the android-sdk from: developer.android.com/sdk/index.html
2) Downloading and extracting 'SuperOneClick' (you will only need these 5 files: rageagainstthecage, sqlite3, su, busybox and superuser.apk)
3) Copy rageagainstthecage, sqlite3, su, busybox and superuser.apk into the platform-tools directory of android-sdk. Put phone in debug mode.
4) From a terminal (command line) change to the android/platform-tools directory and carefully do these steps.
Check to see if adb can see your phone properly:
Code:
./adb devices
You should see the serial number of your device; if you see a bunch of '?' you have done something wrong.
Now for the fun part rooting the phone: <= no phun intended hehe
Code:
./adb push rageagainstthecage /data/local/tmp/rageagainstthecage
Code:
./adb shell
Code:
cd /data/local/tmp
Code:
chmod 0755 rageagainstthecage
Code:
./rageagainstthecage
5) Now wait until you get kicked out from adb before you do the following:
Code:
./adb shell
If everything worked now you should see a "#" instead of the "$" you saw previously in the adb shell which means you shouldn't get "permission denied" in the following steps:
Code:
mount -o rw,remount /dev/block/mtdblock4 /system
Code:
exit
Code:
./adb push su /system/bin/su
Code:
./adb push busybox /system/bin/busybox
Code:
./adb push sqlite3 /system/bin/sqlite3
Code:
./adb push Superuser.apk /system/app/Superuser.apk
Code:
./adb shell
Code:
cd /system/bin
Code:
chmod 4755 su
Code:
chmod 4755 busybox
Code:
chmod 4755 sqlite3
Code:
./adb reboot
Now you should be able to use apps like 'Cache Cleaner NG', 'Root Explorer', 'SetCPU' etc that require root access to work correctly.
Enjoy
2. How to flash the Ultrakiller Recovery Image
Now this has been covered many times but there have been a lot of problems with the BSOD on the IDEOS. A few days ago Ultrakiller came up with a solution that works regardless of the LCD type. Now this was distributed as an IMG file so many people were confused so here is a link to one with everything you need included. All I did was remove the amon'ra image and copied the Ultrakiller recovery IMG to the folder and edited the scripts to point to the new file.
After you download the file:
* Put your device in bootloader mode - turn it off, then press the power button while holding the 'Volume Down' and 'End (Red)' keys (Yes, bootloader is just the IDEOS logo) WHILE YOUR DEVICE IS PLUGGED IN
* WINDOWS - double click 'install-recovery-windows.bat'
* MAC - Open a terminal window to the directory containing the files, and type 'chmod +x install-recovery-mac.sh' followed by './install-recovery-mac.sh'
* LINUX - Open a terminal window to the directory containing the files, and type 'chmod +x install-recovery-linux.sh' followed by './install-recovery-linux.sh'
See Q3 if you have Windows and the prompt hangs on "Waiting for Device"
3. How to solve problems with drivers on Windows in bootloader mode?
1. Unplug your phone
2. Download and install PDANet from here - at the end of the setup it will tell you to plug in your phone - do that
3. Put the phone into bootloader (See Q2 above)
4. Go to device manager and right click on "Android 1.0" and click "Update drivers"
5. Click "No, not this time" and Next
6. When it asks you where to look for drivers point it to PDANet's install location
7. Hopefully it should find the driver and prompt you to install it - it will take some time
8. You can now access your device in bootloader!
Thanks to the following people:
Quail for the base of the guide and the ROM I'm using - it's amazing BTW
Ultrakiller for the recovery image
Changelog:
21/01/2010: Initial writeup
22/01/2010: Added Q3 and made some minor changes
i unfortunately deleted a system app and upon restarting my phone it wont boot.....it keeps hanging at the startup and reboots.. help me how to system restore...
Hi - the Ultrakiller recovery IMG in the ZIP from the Link above is "Ultrakiller.img.img". Dunno if it didn't work cause of this - sry didn't test, just downloaded new Ultrakillers "UltraJack-Recovery_v4.6.2.img", saved into that folder and changed the .bat to "fastboot-windows.exe flash recovery UltraJack-Recovery_v4.6.2.img" and it worked for me. Even superuser.apk didn't work for usb-root but z4root does it perfect and DroidExplorer showing files now.
Thanks so far to all investing their time here
P.S.: the HUAWEI background of Ultrakillers recovery is very delicious
General guide to Flash ROM
Can you please provide a detailed guide for flashing Huawei Ideos. Because it is super guide. So it must contain this topic also.
I want to flash official ROM on following link:
http://forum.xda-developers.com/wiki/index.php?title=Huawei_U8150_IDEOS
Waiting for your response
yrnehukuht said:
i unfortunately deleted a system app and upon restarting my phone it wont boot.....it keeps hanging at the startup and reboots.. help me how to system restore...
Dear, have u found out the solution of this problem?? COZ im also suffering from this. if u find it then plz tell me [email protected]
I have downloaded a rom from xda-developers wiki from this link
http://forum.xda-developers.com/wiki/index.php?title=Huawei_U8150_IDEOS
then updated my device software by going in to update mode(press vol up + end key + power button) .
This step returned me my original recovery.
But I am not going to recommend it bcoz i am facing problems like my cd drive which is automatically displayed has become inaccessible.
I am having problem to copy files to sd card.
My upgrade mode is not working now.
all these things were working immediately after the above mentioned process but I am now stuck with these things.
I think it is because i have flashed lower version number of rom on phone.
If you want to recover recovery mode only then I have successfully flashed UltraJack-Recovery 5.2.1 from this link
http://forum.xda-developers.com/showthread.php?t=860189&page=24
Inform about your progress
Thanx. Very useful
Hi guys. I am in a lot of trouble with my ideos.
Tried installing a custom ROm using ROM manager and it failed, although the original ROM is still there and its booting up and working perfectly.
However, when i try to boot into recovery, only the lit blackscreen shows.
I have tried everything from running ULTRAjack recovery on windows(which only shows 'waiting for device' on cmd, with the pdanet drivers installed) to ubuntu(which shows 'waiting for device' on Amon-ra recovery and permission denied on ULTRAjack).
Could it be i didnt root the device properly since i used z4 root?
Any more ideas?
900/2100 or 850/1700/1900/2100
Hello, How do I tell which sub-model my U8150 is please? Either HSDPA 900 / 2100 / AWS or HSDPA 850 / 1900 / 2100 / 1700. baseband = 22201003; build no.= U8150V100R001C183B825; IMEC = 355093040562676; IMEC-SV = 39.
Check out your fcc id suffix. I have heard there is a b version and a d version.
hi do flashing many roms affects my ideos mobile?
netskink said:
Check out your fcc id suffix. I have heard there is a b version and a d version.
All I got is a U8510-1, no letter... any thoughts?
Unlock u8150
Hello.
i have a T-Mobile Ideos u8150, also known as Comet.
it is locked to T-Mobile and requests a pin code when using another sim card.
is there a way to unlock the phone?
please help me...
thank you.
Enable USB Debugging & One Click Root with Unlock Root Tool
Hi, I'm Japanese developer.
Please excuse my poor English.
I will introduce the steps for acquiring root.
Take full responsibility for your actions.
Please download here and extract it.
root.7z: j.mp/fRq6Nr mirror: j.mp/eok7vq
Require: superuser.apk
Prepare:
Code:
$adb push install.tar.gz /sqlite_journals
$adb push busybox_s /sqlite_journals
$adb shell chmod 0755 /sqlite_journals/busybox_s
$adb shell
$cd /sqlite_journals
$./busybox_s tar xvzf install.tar.gz
Step1: Get root.
from IS01 Android Terminal,
Code:
$cd /sqlite_journals/install
$sh install.sh
Input install step [1/2/3/4/update/uninstall] : 1
If you become superuser, the dollar sign should change to a hash (or sharp) sign.
Success: $ → #
Step2: Install hack binaries at "/sqlite_journals/root".
from IS01 Android Terminal,
Code:
$cd /sqlite_journals/install
$sh install.sh
Input install step [1/2/3/4/update/uninstall] : 2
Enable iptables?[Y/n] : n
Enable samba?[Y/n] : n
Enter to reboot : Enter
Step3: Write Hacked kernel in recovery area.
from IS01 Android Terminal,
Code:
$/sqlite_journals/install/au
↑You have to get root.
Code:
#cd /sqlite_journals/install
#sh install.sh
Input install step [1/2/3/4/update/uninstall] : 3
Write kernel?[y/N] : y
Enter to reboot recovery
*UPDATE
You're free to do so. XD
Step4: Create symbolic links in system.
and replace libshsecure_jni.so.
from IS01 Android Terminal,
Code:
$/sqlite_journals/install/au
↑You have to get root.
Code:
#cd /sqlite_journals/install
#sh install.sh
Input install step [1/2/3/4/update/uninstall] : 4
Q. What is hacked kernel?
A. This kernel releases the NAND lock.
You can write after mount system.
Q. What is /sqlite_journals/install/au?
A. It is the su binary. But it became impossible to use the Market when it had the name su, so it was changed on purpose to the name au.
Q. Why don't you write it at boot area?
A. There is no way to repair a broken IS01 because fastboot is blocked (can't use fastboot).
Q. So boot area?
A. NV softs built recovery_kit image.
recovery_kit_v130.7z: j.mp/hXEp7C mirror: j.mp/f4SHCq
Code:
$adb push recovery_kit.img /data/recovery_kit.img
from IS01 Android Terminal,
Code:
$/sqlite_journals/install/au
↑You have to get root.
Code:
#cd /sqlite_journals/install
#flash_image boot_wr /data/recovery_kit.img
Q. How to use recovery_kit?
A. When mirror recovery image is hidden, you input "Home+Power".
But if your PC is Windows, unplug USB cable.
Code:
HotKey:
Boot recovery partition: Home+Back
Boot boot partition: Home+Menu
Enable QXDM: Alt+Q
Start adbd recovery: Alt+A
Start recovery utility: Alt+R
Support command:
sh
toolbox
busybox
mount_system: Mount system partision to /system2
mount_data: Mount data partision to /data
Thanks, love_marijuana@twitter, MobileHackerz@twitter, goroh_kun@twitter, gcd_org@twitter, nvsofts@twitter, Yukto8492@twitter and more.
Written by DevRenax@twitter. j.mp/g0pDZz
P.S I am transplanting CM6 for IS01.
[: permission denied
Took the plunge and tried this...
Got stuck at step 1:
$ sh install.sh
sh install.sh
IS01 root installer ver0.1.0
Input install step [1/2/3/4/update/uninstall] : 1
1
[: permission denied
Install STEP1
[*] CVE-2010-EASY Android local root exploit (C) 2010 by 743C
[*] checking NPROC limit ...
[+] RLIMIT_NPROC={1856, 1856}
[*] Searching for adb ...
[+] Found adb as PID 31307
[*] Spawning children. Dont type anything and wait for reset!
[*]
[*] If you like what we are doing you can send us PayPal money to
[*] [email protected] so we can compensate time, effort and HW costs.
[*] If you are a company and feel like you profit from our work,
[*] we also accept donations > 1000 USD!
[*]
[*] adb connection will be reset. restart adb server on desktop and re-login.
[: permission denied
Shut down terminal and reexecute this script!
$
hmm...
ok, tell me the results
1: What is your baseband version?
2:
Code:
$adb shell uname -a
3: from android terminal. Try running a few times, about 10times?
Code:
$/sqlite_journals/install/rageagainstthecage
4: after running Step1: Get root,
from android terminal.
Code:
$id
Baseband: 1.00.05
adb shell uname -a
uname: permission denied
$id
id
uid=2000(shell) gid=2000(shell) groups=1003(graphics),1004(input),1007(log),1011
(adb),1015(sdcard_rw),3001(net_bt_admin),3002(net_bt),3003(inet)
I ran
$/sqlite_journals/install/rageagainstthecage
...about 7 times, $ changed to #
Then I got stuck at:
$ cd /sqlite_journals/install
cd /sqlite_journals/install
$ sh install.sh
sh install.sh
IS01 root installer ver0.1.0
Unable to chmod ./busybox: Operation not permitted
Input install step [1/2/3/4/update/uninstall] : 1
1
[: permission denied
Install STEP1
Unable to chmod ./rageagainstthecage: Operation not permitted
[*] CVE-2010-EASY Android local root exploit (C) 2010 by 743C
[*] checking NPROC limit ...
[+] RLIMIT_NPROC={1856, 1856}
[*] Searching for adb ...
[+] Found adb as PID 8052
[*] Spawning children. Dont type anything and wait for reset!
[*]
[*] If you like what we are doing you can send us PayPal money to
[*] [email protected] so we can compensate time, effort and HW costs.
[*] If you are a company and feel like you profit from our work,
[*] we also accept donations > 1000 USD!
[*]
[*] adb connection will be reset. restart adb server on desktop and re-login.
[: permission denied
Baseband: 1.00.05
No problem.
I ran
$/sqlite_journals/install/rageagainstthecage
...about 7 times, $ changed to #
You got root. Next, run this command after rebooting Android Term.
Code:
$/sqlite_journals/install/su
If you got root and installed superuser.apk, it will auto start superuser.apk.
triangle and exclamation point on boot
I did the steps above and I see it boot the recovery image, then it transitions into a boot screen that has a triangle with exclamation point. What do I do now?
Thanks in advance
I got to the recovery screen and enabled adb recovery, but adb states the device is offline. How do I get it online or push a new image.
plenpak said:
I did the steps above and I see it boot the recovery image, then it transitions into a boot screen that has a triangle with exclamation point. What do I do now?
Thanks in advance
you, too.
Sorry, I did not explain qxdm...
Code:
from hacked kernel
#echo 1 > /sys/devices/platform/msm_hsusb_periphera/qxdm_enable
or
recovery_kit -> Enable QXDM
And recovery_kit is unstable. Try running a few times.
It's all about timing.
ScreenShot(recovery_kit) j.mp/hbHiL9
Thanks. You were right. Timing was everything. I now have a rooted device. I did have to modify the install.sh script. It wasn't working for me initially.
Have you tried to load Froyo or Gingerbread on it yet? Have you tried Cyanogen mod? I have Cyanogen mod 7 running on my N1, and would like to attempt a port to the IS01.
I did have to modify the install.sh script. It wasn't working for me initially.
Actually, I did not create it, and I have not tried. XD
this script was created by love_marijuana@twitter.
If that's ok, upload modified scripts please?
Have you tried to load Froyo or Gingerbread on it yet? Have you tried Cyanogen mod? I have Cyanogen mod 7 running on my N1, and would like to attempt a port to the IS01.
Wow, you have nice device!
I am transplanting CM6.
I have a github account. -> github.com/CM4IS01
But this rom is very buggy.
Not working:
Bluetooth, GPS, Accelerator Sensors, 3D Acceleration, Sound and more...
Sharp IS01
Hi Sharp IS01 users....don't waste your time with this device.....AU launch this month 04/2011...a HTC EVO 4G...with HDMI and WIMAX router mode for access to the internet from a notebook or other devices....GOOD DEAL...
Help me pls,
I'm stuck at Step1, too
$cd /sqlite_journals/install
$sh install.sh
IS01 root installer ver0.1.0
Unable to chmod .busybox: Operation not permitted
Input install step [1/2/3/4/update/uninstall] :
My phone's build number: 01.00.02
Model number: SH-01B
(Docomo)
Thanks much
@ DevRenax, I can't find this file, CM6byDevRenax-06242011-IS01.7z . Are you still working on it? I'd like to try it for my SH-10B device, base band 01.00.02. Could you post another link to it? Thanks
plenpak said:
I did the steps above and I see it boot the recovery image, then it transitions into a boot screen that has a triangle with exclamation point. What do I do now?
Thanks in advance
I skip all the way to flash recovery_kit.img since I didnt use the steps to get root. Now I am stuck at the triangle with exclamation point screen. How did you bypass it?
Edit: ok, the recovery_kit works with the hotkeys but it still won't let my SH-10B boot the system. Does anyone have the ADB usb driver for win7-64? The one that came with the cd-rom and from Sharp's website doesn't install on my computer. If I can use adb, I could probably fix this.
I'm very new to do rooting
I try to understand your description.
But i don't know how to start.
I have already downloaded and tried to use superuser but i don't know how to write the command line as you have shown.
What program i need for writing command?
Actually I just want my LYNX SH-10B to read another language beside Jap and Eng.
If you have another easier way pls help......
BEN
Ok, I believe I know what screwed my system from booting. This;
Code:
#cd /sqlite_journals/install
#flash_image boot_wr /data/recovery_kit.img
With this code that I used, the recovery_kit was flashed to my boot partition and replaced the boot.img. That is why it goes from recovery-kit boot screen to recovery mode screen and does not start android as mentioned in my previous post. It should have been: flash_image recovery. So I've lost my boot.img for the stock android 1.6. Can anyone who has the device post it so I may flash it back on and get my SH-10B running again? Thanks
Hello. I'm developing a custom Android image for Nexus 6P from AOSP source code.
So I built Android after some modification and flashed those images which I built on my Nexus device.
But it could not boot normally and just repeated Google logo and warning for bootloader unlock.
Following is my build history:
1. I modified some parts in kernel and built it.
2. I replace $AOSP/device/huawei/angler-kernel/Image.gz-dtb with my binary that I made in step 1, where $AOSP is root of AOSP source code.
3. I built AOSP source code like below:
Code:
$ source build/envsetup.sh
$ lunch aosp_angler-userdebug
$ make -j8
4. I flash the result on the device:
Code:
$ fastboot flashall -w
5. After the flashing process, the Nexus 6P is trapped in a boot loop.
Then, how can I get some information about why the device cannot boot normally?
Because in this state (boot loop) I cannot use fastboot or adb, it is hard to know what is going on.
I wait for any reply.
Thanks!
Can you boot into a recovery and then get the previous kernel messages like so:
adb shell cat /proc/last_kmsg > last_kmsg
Hth
Read this whole guide before starting.
This is for the 7th gen Fire HD10 (suez).
Current version: amonet-suez-v1.1.2.zip
NOTE: This process does not require you to open your device, but should something go horribly wrong, be prepared to do so.
NOTE: This process will modify the partition-table (GPT) of your device.
NOTE: Your device will be reset to factory defaults (including internal storage) during this process.
What you need:
A Linux installation or live-system
A micro-USB cable
Install python3, PySerial, adb, fastboot and dos2unix. For Debian/Ubuntu something like this should work:
Code:
sudo apt update
sudo add-apt-repository universe
sudo apt install python3 python3-serial adb fastboot dos2unix
1. Extract the attached zip-file "amonet-suez-v1.1.2.zip" and open a terminal in that directory.
NOTE: If you are already rooted, continue with the next step, otherwise get mtk-su by @diplomatic from here and place (the unpacked binary) into amonet/bin folder
2. Enable ADB in Developer Settings
3. Start the script:
Code:
sudo ./step-1.sh
Your device will now reboot into recovery and perform a factory reset.
NOTE: If you are on firmware 5.6.4.0 or newer, a downgrade is necessary, this requires bricking the device temporarily. (The screen won't come on at all)
If you chose the brick option, you don't need to run step-2.sh below:
Make sure ModemManager is disabled or uninstalled:
Code:
sudo systemctl stop ModemManager
sudo systemctl disable ModemManager
After you have confirmed the bricking by typing "YES", you will need to disconnect the device and run
Code:
sudo ./bootrom-step-minimal.sh
Then plug the device back in.
It will then boot into "hacked fastboot" mode.
Then run
Code:
sudo ./fastboot-step.sh
NOTE: When you are back at initial setup, you can skip registration by selecting a WiFi-Network, then pressing "Cancel" and then "Not Now"
NOTE: Make sure you re-enable ADB after Factory Reset.
4. Start the script:
Code:
sudo ./step-2.sh
The exploit will now be flashed and your device will reboot into TWRP.
You can now install Magisk from there.
Going back to stock
Extract the attached zip-file "amonet-suez-v1.1-return-to-stock.zip" into the same folder where you extracted "amonet-suez-v1.1.2.zip" and open a terminal in that directory.
You can go back to stock without restoring the original partition-table, so you can go back to unlocked without wiping data.
Just use hacked fastboot to
Code:
fastboot flash recovery bin/recovery.img
If you want to go back completely (including restoring your GPT):
Code:
sudo ./return-to-stock.sh
Your device should reboot into Amazon Recovery. Use adb sideload to install stock image from there. (Make sure to use FireOS 5.6.3.0 or newer, otherwise you may brick your device)
Important information
In the new partitioning scheme your boot/recovery-images will be in boot_x/recovery_x respectively, while boot/recovery will hold the exploit.
TWRP takes care of remapping these for you, so installing zips/images from TWRP will work as expected.
Don't flash boot/recovery images from FireOS (FlashFire, MagiskManager etc.) (If you do anyway, make sure you flash them to boot_x/recovery_x)
Should you accidentally overwrite the wrong boot, but your TWRP is still working, rebooting into TWRP will fix that automatically.
TWRP will prevent updates from overwriting LK/Preloader/TZ, so generally installing an update should work without issues (only full updates, incremental updates won't work).
For ROM developers there is still an option to overwrite these, which should only be done after thorough testing and if needed (LK should never be updated).
It is still advised to disable OTA.
Very special thanks to @xyz` for making all this possible and putting up with the countless questions I have asked, helping me finish this.
Special thanks also to @retyre for porting the bootrom-exploit and for testing.
Special thanks also to @diplomatic for his wonderful mtk-su, allowing you to unlock without opening the device.
Thanks also to @bibikalka and everyone who donated
Thanks to @TheRealIntence and @b1u3m3th for confirming it also works on the 64GB model.
Unbricking
If Recovery OR FireOS are still accessible there are other means of recovery, don't continue.
If your device shows one of the following symptoms:
It doesn't show any life (screen stays dark)
You see the white amazon logo, but cannot access Recovery or FireOS.
If you have a Type 1 brick, you may not have to open the device, if your device comes up in bootrom-mode (See Checking USB connection below).
Make sure the device is powered off, by holding the power-button for 20+ seconds
Start bootrom-step.sh
Plug in USB
In all other cases you will have to open the device and partially take it apart.
Follow this guide by @retyre until (including) step 8.
At Step 6. you will replace
Code:
sudo ./bootrom.sh
with
Code:
sudo ./bootrom-step.sh
Should the script stall at some point, restart it and replug the USB-cable (Shorting it again should not be necessary unless the script failed at the very beginning).
If the script succeeded, put the device back together.
When you turn it on, it should start in hacked fastboot mode.
You can now use
Code:
sudo ./fastboot-step.sh
This will flash TWRP and reset your device to factory defaults, then reboot into TWRP.
Checking USB connection
In lsusb the boot-rom shows up as:
Code:
Bus 002 Device 013: ID 0e8d:0003 MediaTek Inc. MT6227 phone
If it shows up as:
Code:
Bus 002 Device 014: ID 0e8d:2000 MediaTek Inc. MT65xx Preloader
instead, you are in preloader-mode, try again.
dmesg lists the correct device as:
Code:
[ 6383.962057] usb 2-2: New USB device found, idVendor=0e8d, idProduct=0003, bcdDevice= 1.00
Changelog
Version 1.1.2 (26.03.2019)
Fix regenerating GPT from temp GPT
Version 1.1.1 (26.03.2019)
Fix unbricking procedure
Version 1.1 (25.03.2019)
Update TWRP-sources to twrp-9.0 branch
TWRP uses kernel compiled from source
Add scripts to use handshake2.py to enter fastboot/recovery
Features.
Uses 5.6.3 LK for full compatibility with newer kernels.
Hacked fastboot mode lets you use all fastboot commands (flash etc).
Boots custom/unsigned kernel-images (no patching needed)
TWRP protects from downgrading PL/TZ/LK
For the devs: sets printk.disable_uart=0 (enables debug-output over UART).
NOTE: Hacked fastboot can be reached via TWRP.
NOTE: Hacked fastboot doesn't remap partition names, so you can easily go back to stock
Source code:
https://github.com/chaosmaster/amonet/tree/mt8173-suez
https://github.com/chaosmaster/android_device_amazon_suez
https://github.com/chaosmaster/android_kernel_amazon_suez
https://github.com/chaosmaster/android_bootable_recovery
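The "Checking USB connection" step in the guide above can be scripted. This is an added example, not part of the original post or of the amonet scripts: it classifies lsusb or dmesg lines using the two USB IDs quoted in the guide. The function names and the sample lines are constructed for illustration.

```shell
#!/bin/sh
# Added example: classify a MediaTek device's USB mode from lsusb or dmesg lines.
# IDs come from the guide: 0e8d:0003 = boot-rom, 0e8d:2000 = preloader.

# Extract "vendor:product" from one lsusb or dmesg line; return 1 if none found.
usb_id_from_line() {
    line=$1
    case $line in
        *"ID "????:????*)             # lsusb: "Bus 002 Device 013: ID 0e8d:0003 ..."
            rest=${line#*ID }
            printf '%s\n' "${rest%% *}" ;;
        *idVendor=*idProduct=*)       # dmesg: "... idVendor=0e8d, idProduct=0003, ..."
            v=${line#*idVendor=};  v=${v%%,*}
            p=${line#*idProduct=}; p=${p%%,*}
            printf '%s:%s\n' "$v" "$p" ;;
        *) return 1 ;;
    esac
}

# Map one line to a mode name; prints "unknown" and returns 1 if no USB ID is present.
classify_mtk_mode() {
    id=$(usb_id_from_line "$1") || { echo unknown; return 1; }
    id=$(printf '%s' "$id" | tr 'A-F' 'a-f')
    case $id in
        0e8d:0003) echo bootrom ;;
        0e8d:2000) echo preloader ;;
        0e8d:*)    echo other-mediatek ;;
        *)         echo not-mediatek ;;
    esac
}

# Read lines on stdin and report the mode of the most recent MediaTek entry.
latest_mtk_mode() {
    last=none
    while IFS= read -r l; do
        m=$(classify_mtk_mode "$l") || continue
        case $m in bootrom|preloader|other-mediatek) last=$m ;; esac
    done
    echo "$last"
}

# Constructed sample: a root hub, a preloader enumeration, then the boot-rom.
SAMPLE='Bus 001 Device 001: ID 1d6b:0002 Linux Foundation 2.0 root hub
Bus 002 Device 014: ID 0e8d:2000 MediaTek Inc. MT65xx Preloader
[ 6383.962057] usb 2-2: New USB device found, idVendor=0e8d, idProduct=0003, bcdDevice= 1.00'

printf '%s\n' "$SAMPLE" | latest_mtk_mode
```

On a live system, pipe `lsusb` or `dmesg` into `latest_mtk_mode`; a result of `preloader` corresponds to the "try again" case in the guide.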
First unreserved !!!
bibikalka said:
First unreserved !!!
You are quick
Now we need custom kernels and/or roms, any advice where to start?
Murcielagoz99 said:
Now we need custom kernels and/or roms, any advice where to start?
Download Lineage OS Sources, create device tree, create kernel tree, create vendor tree and compile ROM.
---------- Post added at 09:04 PM ---------- Previous post was at 08:58 PM ----------
@k4y0z in the ReadMe of the amonet source code says that the exploit is for the fire hd8 2018.
Is it correct or is it an error?
On the other hand, very good work!
sudo ./step-1.sh
"command not found"
Got the script to run using chmod. But it doesn't reboot,
"PL version 5
LK version 2
TZ Version 263
press enter to continue...
(doesn't reboot)
Dumping GPT
....
Modifying GPT (still hasn't rebooted)
What am I missing?
BRAVO!! Fantastic work, my friend! I'm looking forward to the customization and ROMs that will soon follow.
Rortiz2 said:
Download Lineage OS Sources, create device tree, create kernel tree, create vendor tree and compile ROM.
Or start with the (minimal) TWRP device tree I linked to.
Rortiz2 said:
@k4y0z in the ReadMe of the amonet source code says that the exploit is for the fire hd8 2018.
Is it correct or is it an error?
On the other hand, very good work!
I just forgot to update the Readme, fixed it.
Michajin said:
sudo ./step-1.sh
"command not found"
Got the script to run using chmod. But it doesn't reboot,
"PL version 5
LK version 2
TZ Version 263
press enter to continue...
(doesn't reboot)
Dumping GPT
....
Modifying GPT (still hasn't rebooted)
What am I missing?
What OS are you using?
Is there no other output?
Try running
Code:
modules/gpt.py
Does that give any errors?
k4y0z said:
Or start with the (minimal) TWRP device tree I linked to.
I just forgot to update the Readme, fixed it.
What OS are you using?
Is there no other output?
Try running
Code:
modules/gpt.py
Does that give any errors?
I had permission errors on my Ubuntu 16.04. It rebooted into recovery but nothing happened.
Testing root access...
uid=0(root) gid=0(root) context=u:r:init:s0
PL version: 5 (5)
LK version: 2 (2)
TZ version: 263 (263)
Your device will be reset to factory defaults...
Press Enter to Continue...
Dumping GPT
tmp-mksh: dd if=/dev/block/mmcblk0 bs=512 count=34 of=/data/local/tmp/gpt.bin: not found
tmp-mksh: chmod 644 /data/local/tmp/gpt.bin: not found
199 KB/s (17408 bytes in 0.085s)
Flashing temp GPT
246 KB/s (17408 bytes in 0.068s)
tmp-mksh: dd if=/data/local/tmp/gpt.bin.step1.gpt of=/dev/block/mmcblk0 bs=512 count=34: not found
Preparing for Factory Reset
tmp-mksh: mkdir -p /cache/recovery: not found
/system/bin/sh: can't create /cache/recovery/command": Permission denied
/system/bin/sh: can't create /cache/recovery/command": Permission denied
Rebooting into Recovery
Recovery, nothing happens.
I have root.....
Michajin said:
I had permission errors on my Ubuntu 16.04. It rebooted into recovery but nothing happened.
Testing root access...
uid=0(root) gid=0(root) context=u:r:init:s0
PL version: 5 (5)
LK version: 2 (2)
TZ version: 263 (263)
Your device will be reset to factory defaults...
Press Enter to Continue...
Dumping GPT
tmp-mksh: dd if=/dev/block/mmcblk0 bs=512 count=34 of=/data/local/tmp/gpt.bin: not found
tmp-mksh: chmod 644 /data/local/tmp/gpt.bin: not found
199 KB/s (17408 bytes in 0.085s)
Flashing temp GPT
246 KB/s (17408 bytes in 0.068s)
tmp-mksh: dd if=/data/local/tmp/gpt.bin.step1.gpt of=/dev/block/mmcblk0 bs=512 count=34: not found
Preparing for Factory Reset
tmp-mksh: mkdir -p /cache/recovery: not found
/system/bin/sh: can't create /cache/recovery/command": Permission denied
/system/bin/sh: can't create /cache/recovery/command": Permission denied
Rebooting into Recovery
Recovery, nothing happens.
I have root.....
What are you using for root?
It seems like your "su" doesn't like the commands my script sends, what su are you using?
You could try disabling root/ungrant root access and use mtk-su.
k4y0z said:
What are you using for root?
It seems like your "su" doesn't like the commands my script sends, what su are you using?
You could try disabling root/ungrant root access and use mtk-su.
SuperSU Pro v 2.82
Michajin said:
SuperSU Pro v 2.82
Interesting, it seems it interprets all the arguments as one command.
I'll see if I can find a workaround to work with SuperSU, but it will take me a moment.
What should work however is if you disable root-access in SuperSU-app.
And place mtk-su into bin-folder.
Then just let it do its thing using mtk-su.
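The `tmp-mksh: dd if=... : not found` lines in the log above have the shape a shell prints when an entire command line reaches it as a single word and is looked up as a program name. The following is an added example, not part of the thread or of the amonet scripts, that reproduces that symptom with plain `sh`; the wrapper functions and the sample command are constructed, and no su binary is involved.

```shell
#!/bin/sh
# Added example: how one command line behaves when passed as one word,
# as shell script text, or as separate argv words.

# broken_exec: the whole string arrives as ONE word and is used as the
# program name, so the shell looks for a program called "printf %s hello".
broken_exec() { sh -c '"$1"' wrapper "$1"; }

# working_exec: the string is handed to the shell as script text, so it is
# split into words (program name + arguments) before anything is executed.
working_exec() { sh -c "$1"; }

# argv_exec: arguments are passed as separate words and executed unchanged,
# so spaces inside a single argument survive.
argv_exec() { sh -c '"$@"' wrapper "$@"; }

# Run a command quietly and print its exit status (127 = command not found).
status_of() { "$@" >/dev/null 2>&1 && echo 0 || echo $?; }

CMD='printf %s hello'     # constructed sample command line
echo "broken:  status $(status_of broken_exec "$CMD")"
echo "working: status $(status_of working_exec "$CMD")"
# Show the error text itself; it ends in "not found", like the log above.
broken_exec "$CMD" 2>&1 || true
```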
k4y0z said:
Interesting, it seems it interprets all the arguments as one command.
I'll see if I can find a workaround to work with SuperSU, but it will take me a moment.
What should work however is if you disable root-access in SuperSU-app.
And place mtk-su into bin-folder.
Then just let it do its thing using mtk-su.
It is showing
new UID/GID: 0/0 (over and over)
then UID/GID: 2000/2000 ( occasionally)
Then did not find own task_struct (237)
This normal? It has been about 10 minutes
Michajin said:
It is showing
new UID/GID: 0/0 (over and over)
then UID/GID: 2000/2000 ( occasionally)
Then did not find own task_struct (237)
This normal? It has been about 10 minutes
Then abort it and try again.
Make sure the screen is unlocked.
Is there no other output?
Did you use arm or arm64 mtk-su?
Also I just tested with SuperSU 2.82 su-binary, and it worked as expected.
I'm not sure why you are getting this issue.
k4y0z said:
Then abort it and try again.
Make sure the screen is unlocked.
Is there no other output?
Did you use arm or arm64 mtk-su?
Also I just tested with SuperSU 2.82 su-binary, and it worked as expected.
I'm not sure why you are getting this issue.
I factory reset, no luck. I tried it on my Raspberry Pi 3 and it worked. Something with my Ubuntu, I guess? What version of Magisk? I flashed 18.1 and it seems to be looping (or taking a really, really long time). Rebooting into recovery is easy though (right volume and power).
Michajin said:
I factory reset, no luck. I tried it on my Raspberry Pi 3 and it worked. Something with my Ubuntu, I guess? What version of Magisk? I flashed 18.1 and it seems to be looping (or taking a really, really long time). Rebooting into recovery is easy though (right volume and power).
Great you got it to work. Not sure why it didn't in Ubuntu.
Did you end up using mtk-su or SuperSu?
Magisk 18.1 is working fine for me, what FireOS-Version are you on?
k4y0z said:
Read this whole guide before starting.
This is for the 7th gen Fire HD10 (suez).
I have only tested it on the 32GB-model, but it should also work on the 64GB-model ....
Outstanding 'win' presented with clarity and humility. Not to mention timely given the short time you've had the target hardware. A fantastic ROI for those who underwrote the device and for uncounted others who will benefit from your work (along with those of several others noted in your full post) for years to come.
The novel CAT S22 Flip was released in September, and is pretty much the only of its kind. It actually has an unlocked bootloader, and I was excited to try to root it. However, there's no version of TWRP designed specifically for it! Having never rooted anything before, does anyone know my options in this case to get TWRP for this phone? (Or another method of root I'm not aware of would also be fine.) Thanks!
Shoitah said:
The novel CAT S22 Flip was released in September, and is pretty much the only of its kind. It actually has an unlocked bootloader, and I was excited to try to root it. However, there's no version of TWRP designed specifically for it! Having never rooted anything before, does anyone know my options in this case to get TWRP for this phone? (Or another method of root I'm not aware of would also be fine.) Thanks!
Hey. I'm in the same boat. I need to add su binary but looks like the only way to do it is with TWRP. Have you succeeded? I keep trying to find a way to do it, so far no luck.
TWRP isn't needed at all to push ( suitable ) SU binary onto Android's filesystem: you achieve this by means of ADB, too
jwoegerbauer said:
TWRP isn't needed at all to push ( suitable ) SU binary onto Android's filesystem: you achieve this by means of ADB, too
Sweet!!! What does it look like?
I just tried adb sideload <file.zip> while in recovery mode and I'm getting this
adb: sideload connection failed: closed
adb: trying pre-KitKat sideload method...
adb: pre-KitKat sideload connection failed: closed
When I check adb devices it shows that the device is unauthorized. But it's only unauthorized in recovery mode.
Actually looks like I have a problem with recovery mode. Instead I'm getting "No command" screen. It's not even getting into recovery
To perform an ADB Sideload - which is used to flash a Stock ROM - the phone must first be booted into Sideload mode
Code:
adb devices
adb reboot sideload
adb sideload <STOCK-ROM-ZIP>
adb reboot
Oh cool. Didn't know that I could reboot straight to sideload and bypass the initial recovery menu. Thank you!
As for my previous issue with the "No command" error on recovery boot, I managed to resolve it. When it gets to the "No command" screen, you need to hold Power + Volume Down just long enough to tap Volume Up. And then the recovery menu will appear. So press Power + Volume Down and then tap Volume Up.
When I tried to sideload su binary with
Code:
adb sideload <file.zip>
On the mobile screen I'm getting this error
Code:
E:failed to verify whole-file signature. Update package verification took 0.5 s ( result 1)
E:Signature verification failed
E: error: 21
Looks like recovery is not allowing installation of unsigned packages. Is there a way around it? Do I need to source another su binary or is there a way to sign it?
Ok. I think I'm getting closer to the core issue. I thought that I rooted the device, but I only unlocked the bootloader. So the device is not rooted. As per the original thread topic, it looks like there is still no TWRP yet and boot.img is not accessible to modify. Tried to get boot.img directly from the device, but getting - permission denied.
Any other workarounds I should try?
SU binary isn't a signed package. It's a ~110KB file you have to push onto Android OS, preferably to the /data/local/tmp directory, and afterwards you have to make it executable.
I've downloaded Chainfire SuperSu Zip packages, unpacked it and got a su file from arm64 folder. As you mentioned, su file is 108.5KB =)
I've pushed it to /data/local/tmp and made it executable
Code:
S22FLIP:/ $ ls -la /data/local/tmp
total 114
drwxrwxrwx 2 shell shell 3488 2022-12-22 09:36 .
drwxr-x--x 4 root root 3488 1970-01-01 12:15 ..
-rwxrwxrwx 1 shell shell 108496 2008-02-29 03:33 su
Maybe I'm missing something, I still get
Code:
S22FLIP:/ $ su
/system/bin/sh: su: inaccessible or not found
You must tell Android where the SU binary is located
Code:
cd /data/local/tmp && ./su
or
Code:
/data/local/tmp/su
jwoegerbauer said:
You must tell Android where the SU binary is located
Code:
cd /data/local/tmp && ./su
or
Code:
/data/local/tmp/su
Hi. I am trying to root the phone. I tried with QFIL to get the boot.img file with no luck.... I am trying now with su. I put the su binary where you said and execute it.
Now what should I do? If you can help me, I will be grateful
IMO you can't root a phone ( a conglomerate of hardware pieces ) but only enable Android OS to run system commands as root ( that is to say, with elevated rights if those are required ) by means of su.
Knowing this you would open a terminal window in Android and type out
Code:
<FULLPATH-TO-SU-BINARY-HERE>/su -c "<SHELL-COMMAND-THAT-REQUIRES-ELEVATED-RIGHTS-HERE>"
Example:
Code:
/data/local/tmp/su -c "mount -o remount,rw -t auto /system"
jwoegerbauer said:
IMO you can't root a phone ( a conglomerate of hardware pieces ) but only enable Android OS to run system commands as root ( that is to say, with elevated rights if those are required ) by means of su.
Knowing this you would open a terminal window in Android and type out
Code:
<FULLPATH-TO-SU-BINARY-HERE>/su -c "<SHELL-COMMAND-THAT-REQUIRES-ELEVATED-RIGHTS-HERE>"
Example:
Code:
/data/local/tmp/su -c "mount -o remount,rw -t auto /system"
Doesn't work. It looks like the su binary doesn't grant system commands root
I really don't know what to do......