What is "Island"
"Island" is a sandbox environment to clone selected apps and isolate them from accessing your personal data outside the sandbox (including call logs, contacts, photos, etc.) even if related permissions are granted. Device-bound data is still accessible (SMS, IMEI, etc.).
An isolated app can be frozen on demand, with its launcher icon vanishing and its background behaviors completely blocked.
How does it work
Island takes advantage of the "managed profile" feature on Android 5.0+, which is also the base of "Android for Work", to create an isolated sandbox for apps and their data.
An app needs to be cloned in Island first. Afterwards, the clone can run in parallel alongside the original one (even with different accounts signed in). It can be frozen on demand by Island. (NO ROOT REQUIRED)
Currently, all operations are manual in Island. There's a plan to integrate Greenify with Island to provide automatic freezing feature.
Common use case
Freeze frequently woken apps. Clone the app into Island and uninstall the original one outside. Then you can freeze it to fully block its background behaviors. Remember to create a launch shortcut for quick de-freezing and launching.
Prevent permission-hungry apps from accessing your private data. Sometimes runtime permissions may not be the solution, especially if the app refuses to work without certain permissions. App clones running in Island cannot access your contacts and call logs, or sniff other apps outside. But SMS and location are exceptions since they are bound to the device.
Use two accounts of the same app in parallel. Clone it into Island and log in to the other account inside.
Archive rarely used apps. Like the first case, keep them frozen until the next time you need them.
Hide your private apps.
DISCLAIMER
This beta version may be dangerous on some Android devices; it may cause a boot loop and even brick your device. The purpose of the closed beta, exclusive to advanced users, is to widely test and improve device compatibility. Don't install it on your daily device and remember to BACKUP FIRST.
Install
Opt in to the open beta test on Google Play: https://play.google.com/apps/testing/com.oasisfeng.island (May take several minutes to become visible after opt-in)
Or download the APK here: https://www.dropbox.com/sh/3fmjigfejcu0kko/AABJy7du0DQx2Jn_R0uQcy6Ea?dl=0
Manual override for non-encrypted device (NO ROOT REQUIRED)
Currently, Island will prompt that it requires device encryption to work. You need either an encrypted device or the root privilege to create the Island.
If you don't want to encrypt your device, besides the root option, there's actually also a manual procedure to create Island on your device for advanced users.
Execute the following commands in the shell (in exact order):
pm create-user --profileOf 0 --managed Island
(remember the user ID shown, usually 10, use it in the following commands to replace the "<user id>".
If you got "Error: couldn't create User", execute setprop fw.max_users 10 first, then retry the command above.)
pm install -r /data/app/com.oasisfeng.island-1/base.apk
(if you get "file not found" error, use "-2" instead of "-1" in above command and execute again)
(Android 6.0+) adb shell dpm set-profile-owner --user <user id> com.oasisfeng.island/.IslandDeviceAdminReceiver
or (Android 5.x) adb shell dpm set-profile-owner com.oasisfeng.island/.IslandDeviceAdminReceiver <user id>
adb shell am start-user <user id>
If all goes well, Island will start, showing the app list.
Now, have fun without device encryption.
Experimental "God mode"
In normal mode, Island only takes care of apps inside the Island space. The “God mode” is an experimental mode, in which Island takes control of ALL apps, both inside and outside Island space. For example, you can freeze any app without cloning it first.
It is still in beta testing and not ready for average users. At present it is only recommended for advanced users who understand well what is going on on the device and how to deal with unforeseeable troubles.
The limitations in “God mode”:
App Backup (Cloud backup for app data by Google Play services) will stop working on Android 5.x~6.x. (Not an issue on Android 7+)
If a G Suite (Google for Work) account is logged in inside Island, Play Store will switch to work mode and you cannot install most apps. Logging out of the G Suite account will revert Play Store to normal mode.
God mode can only be set up manually:
Remove all accounts and the "Work profile" (which is the Island space if you have already set up normal mode of Island) in system Settings - Accounts.
Execute in ADB shell:
Code:
dpm set-device-owner com.oasisfeng.island/.IslandDeviceAdminReceiver
If you get an error message in this step, please try executing settings put global device_provisioned 0 and then the above dpm ... command again, followed by settings put global device_provisioned 1. (The last command is very important, otherwise you may face a locked status bar and be unable to call or SMS.)
Start Island app now and it will work in God mode.
God mode can even work together with normal mode in Island, giving you full control of apps both inside and outside of Island. Just set up God mode first and then follow the steps to set up normal mode, as mentioned above.
Is this the same concept as MoboClean? Interested to see how it works and save more battery for all of us
truemagic said:
Is this the same concept as MoboClean? Interested to see how it works and save more battery for all of us
No, Island never repacks the APK file locally, which is inherently insecure for users, since all your app data (including password input) is technically in the hands of MoboClean. (The same applies to other similar tools, e.g. LBE Parallel Space)
Instead, Island takes advantage of the underlying mechanism used by "Android for Work". This ensures that all your apps run natively in Android system and their data are securely stored in internal location of Android which is never accessible by Island. It has the same level of security as "Android for Work".
This will be another weapon against bloatware.
Definitely yet another amazing tool.
always here..
[email protected]:/ $ pm install --user 10 -r /data/app/com.oasisfeng.island-1/base.apk
l --user 10 -r /data/app/com.oasisfeng.island-1/base.apk <
pkg: /data/app/com.oasisfeng.island-1/base.apk
weiwei233 said:
always here..
[email protected]:/ $ pm install --user 10 -r /data/app/com.oasisfeng.island-1/base.apk
l --user 10 -r /data/app/com.oasisfeng.island-1/base.apk <
pkg: /data/app/com.oasisfeng.island-1/base.apk
If it hangs, try that command without "--user 10" instead.
pm install -r /data/app/com.oasisfeng.island-1/base.apk
oasisfeng said:
If it hangs, try that command without "--user 10" instead.
pm install -r /data/app/com.oasisfeng.island-1/base.apk
OK!Success
----
127|[email protected]:/ $ dpm set-profile-owner com.oasisfeng.island/.IslandDeviceAdminReceiver 11
et-profile-owner com.oasisfeng.island/.IslandDeviceAdminReceiver 11 <
java.lang.IllegalStateException: Not allowed to set the profile owner because there are already some accounts on the profile
at android.os.Parcel.readException(Parcel.java:1618)
at android.os.Parcel.readException(Parcel.java:1558)
at android.app.admin.IDevicePolicyManager$Stub$Proxy.setProfileOwner(IDevicePolicyManager.java:6079)
at com.android.commands.dpm.Dpm.runSetProfileOwner(Dpm.java:132)
at com.android.commands.dpm.Dpm.onRun(Dpm.java:85)
at com.android.internal.os.BaseCommand.run(BaseCommand.java:47)
at com.android.commands.dpm.Dpm.main(Dpm.java:38)
at com.android.internal.os.RuntimeInit.nativeFinishInit(Native Method)
at com.android.internal.os.RuntimeInit.main(RuntimeInit.java:251)
weiwei233 said:
OK!Success
----
127|[email protected]:/ $ dpm set-profile-owner com.oasisfeng.island/.IslandDeviceAdminReceiver 11
et-profile-owner com.oasisfeng.island/.IslandDeviceAdminReceiver 11 <
java.lang.IllegalStateException: Not allowed to set the profile owner because there are already some accounts on the profile
at android.os.Parcel.readException(Parcel.java:1618)
at android.os.Parcel.readException(Parcel.java:1558)
at android.app.admin.IDevicePolicyManager$Stub$Proxy.setProfileOwner(IDevicePolicyManager.java:6079)
at com.android.commands.dpm.Dpm.runSetProfileOwner(Dpm.java:132)
at com.android.commands.dpm.Dpm.onRun(Dpm.java:85)
at com.android.internal.os.BaseCommand.run(BaseCommand.java:47)
at com.android.commands.dpm.Dpm.main(Dpm.java:38)
at com.android.internal.os.RuntimeInit.nativeFinishInit(Native Method)
at com.android.internal.os.RuntimeInit.main(RuntimeInit.java:251)
Please remove the work profile in Settings - Accounts, then follow the instructions strictly with all the commands entered one by one.
oasisfeng said:
Please remove the work profile in Settings - Accounts, then follow the instructions strictly with all the commands entered one by one.
I think I messed up..
Sorry.
Starting the Island app still prompts "build the island".
1|[email protected]:/ $ pm create-user --profileOf 0 --managed Island
pm create-user --profileOf 0 --managed Island
Success: created user id 14
1|[email protected]:/ $ pm install -r /data/app/com.oasisfeng.island-2/base.apk
pm install -r /data/app/com.oasisfeng.island-2/base.apk
pkg: /data/app/com.oasisfeng.island-2/base.apk
Success
1|[email protected]:/ $ dpm set-profile-owner com.oasisfeng.island/.IslandDeviceAdminReceiver 14
-profile-owner com.oasisfeng.island/.IslandDeviceAdminReceiver 14 <
java.lang.IllegalStateException: Trying to set the profile owner, but profile owner is already set.
at android.os.Parcel.readException(Parcel.java:1618)
at android.os.Parcel.readException(Parcel.java:1558)
at android.app.admin.IDevicePolicyManager$Stub$Proxy.setProfileOwner(IDevicePolicyManager.java:6079)
at com.android.commands.dpm.Dpm.runSetProfileOwner(Dpm.java:132)
at com.android.commands.dpm.Dpm.onRun(Dpm.java:85)
at com.android.internal.os.BaseCommand.run(BaseCommand.java:47)
at com.android.commands.dpm.Dpm.main(Dpm.java:38)
at com.android.internal.os.RuntimeInit.nativeFinishInit(Native Method)
at com.android.internal.os.RuntimeInit.main(RuntimeInit.java:251)
1|[email protected]:/ $ am start-user 14
am start-user 14
Success: user started
127|[email protected]:/ $ am start com.oasisfeng.island
am start com.oasisfeng.island
Starting: Intent { act=android.intent.action.MAIN cat=[android.intent.category.LAUNCHER] pkg=com.oasisfeng.island }
[email protected]:/ $
@oasisfeng Hi, I've become a beta tester and my operating system is 5.0.2, but I still can't download from Google Play, and it says this application is incompatible with all of your devices.
Works great on my Sony E5823. Hope the automatic mode will come soon.
Really excellent work and admire your always ingenious work.
Something is wrong with the cloned app Meituan. While running, the force close warning keeps popping up, though after clicking yes, the app is still usable without being force closed.
weiwei233 said:
I think I messed up..
Sorry.
Starting the Island app still prompts "build the island".
1|[email protected]:/ $ pm create-user --profileOf 0 --managed Island
pm create-user --profileOf 0 --managed Island
Success: created user id 14
1|[email protected]:/ $ pm install -r /data/app/com.oasisfeng.island-2/base.apk
pm install -r /data/app/com.oasisfeng.island-2/base.apk
pkg: /data/app/com.oasisfeng.island-2/base.apk
Success
1|[email protected]:/ $ dpm set-profile-owner com.oasisfeng.island/.IslandDeviceAdminReceiver 14
-profile-owner com.oasisfeng.island/.IslandDeviceAdminReceiver 14 <
java.lang.IllegalStateException: Trying to set the profile owner, but profile owner is already set.
at android.os.Parcel.readException(Parcel.java:1618)
at android.os.Parcel.readException(Parcel.java:1558)
at android.app.admin.IDevicePolicyManager$Stub$Proxy.setProfileOwner(IDevicePolicyManager.java:6079)
at com.android.commands.dpm.Dpm.runSetProfileOwner(Dpm.java:132)
at com.android.commands.dpm.Dpm.onRun(Dpm.java:85)
at com.android.internal.os.BaseCommand.run(BaseCommand.java:47)
at com.android.commands.dpm.Dpm.main(Dpm.java:38)
at com.android.internal.os.RuntimeInit.nativeFinishInit(Native Method)
at com.android.internal.os.RuntimeInit.main(RuntimeInit.java:251)
1|[email protected]:/ $ am start-user 14
am start-user 14
Success: user started
127|[email protected]:/ $ am start com.oasisfeng.island
am start com.oasisfeng.island
Starting: Intent { act=android.intent.action.MAIN cat=[android.intent.category.LAUNCHER] pkg=com.oasisfeng.island }
[email protected]:/ $
This means your existing managed profile is not correctly removed. Please try removing it first in the Settings - Accounts, or use the following shell command to remove it:
pm list users
pm remove-user <user id>
Open.Orange said:
@oasisfeng Hi, I've become a beta tester and my operating system is 5.0.2, but I still can't download from Google Play, and it says this application is incompatible with all of your devices.
Sorry, not all devices / ROMs support managed profile as the AOSP/Nexus device. If you are using 3rd-party ROM, please contact the ROM modder for support of "managed profile" feature.
Even if your device is not supported right now, please stay tuned for the incoming "God mode" which supports all devices of Android 5.0+.
oasisfeng said:
This means your existing managed profile is not correctly removed. Please try removing it first in the Settings - Accounts, or use the following shell command to remove it:
pm list users
pm remove-user <user id>
disaster
[email protected]:/ $ pm list users
pm list users
Users:
UserInfo{0:+86:13} running
UserInfo{11:Island:30} running
1|[email protected]:/ $ pm remove-user 11
pm remove-user 11
Success: removed user
1|[email protected]:/ $ pm create-user --profileOf 0 --managed Island
pm create-user --profileOf 0 --managed Island
Success: created user id 12
1|[email protected]:/ $ pm install -r /data/app/com.oasisfeng.island-2/base.apk
pm install -r /data/app/com.oasisfeng.island-2/base.apk
pkg: /data/app/com.oasisfeng.island-2/base.apk
Success
[email protected]:/ $ dpm set-profile-owner com.oasisfeng.island/.IslandDeviceAdminReceiver 12
rofile-owner com.oasisfeng.island/.IslandDeviceAdminReceiver 12 <
java.lang.IllegalStateException: Trying to set the profile owner, but profile owner is already set.
at android.os.Parcel.readException(Parcel.java:1618)
at android.os.Parcel.readException(Parcel.java:1558)
at android.app.admin.IDevicePolicyManager$Stub$Proxy.setProfileOwner(IDevicePolicyManager.java:6079)
at com.android.commands.dpm.Dpm.runSetProfileOwner(Dpm.java:132)
at com.android.commands.dpm.Dpm.onRun(Dpm.java:85)
at com.android.internal.os.BaseCommand.run(BaseCommand.java:47)
at com.android.commands.dpm.Dpm.main(Dpm.java:38)
at com.android.internal.os.RuntimeInit.nativeFinishInit(Native Method)
at com.android.internal.os.RuntimeInit.main(RuntimeInit.java:251)
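The `pm list users` output quoted above carries each user's type in the hex flags field, which is enough to tell whether a managed profile is still present before `pm create-user` is run again. The script below is an added example, not part of the original posts or of Island; it assumes the AOSP `UserInfo` flag values (0x10 initialized, 0x20 managed profile), and its function names are hypothetical.

```shell
#!/bin/sh
# Added example: decode `pm list users` output and report leftover managed
# profiles. Flag values are the AOSP UserInfo constants (assumption: they
# match the Android 5.x/6.x devices discussed in this thread).
FLAG_INITIALIZED=$((0x10))
FLAG_MANAGED_PROFILE=$((0x20))

# Sample input: the `pm list users` output quoted in the post above.
SAMPLE_USERS='Users:
UserInfo{0:+86:13} running
UserInfo{11:Island:30} running'

# Read `pm list users` text on stdin; print "<id> <hexflags> <name>" per user.
# The name is printed last because it may contain spaces or colons.
parse_users() {
    sed -n 's/^[[:space:]]*UserInfo{\([0-9][0-9]*\):\(.*\):\([0-9a-fA-F][0-9a-fA-F]*\)}.*$/\1 \3 \2/p'
}

# Print the ids of users whose flags include FLAG_MANAGED_PROFILE.
managed_profile_ids() {
    parse_users | while read -r id flags name; do
        if [ $(( 0x$flags & $FLAG_MANAGED_PROFILE )) -ne 0 ]; then
            echo "$id"
        fi
    done
}

# Print one human-readable line per user.
describe_users() {
    parse_users | while read -r id flags name; do
        kind="full user"
        if [ $(( 0x$flags & $FLAG_MANAGED_PROFILE )) -ne 0 ]; then
            kind="managed profile"
        fi
        state="initialized"
        if [ $(( 0x$flags & $FLAG_INITIALIZED )) -eq 0 ]; then
            state="not initialized"
        fi
        echo "user $id ($name): $kind, $state"
    done
}

# Pre-flight check before `pm create-user --profileOf 0 --managed ...`:
# returns 1 and lists the ids to remove if a managed profile already exists.
preflight() {
    ids=$(managed_profile_ids)
    if [ -n "$ids" ]; then
        for id in $ids; do
            echo "stale managed profile: user $id (remove with: pm remove-user $id)"
        done
        return 1
    fi
    echo "no managed profile present"
}

# Demo on the sample; on a device, pipe `pm list users` into these instead.
printf '%s\n' "$SAMPLE_USERS" | describe_users
printf '%s\n' "$SAMPLE_USERS" | preflight || true
```
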
It seems the apps in "island" can't share the VPN connection in the system. Any way to fix this?
@oasisfeng
A small correction in the heading of this thread.
"Inner Peace" instead of "Inner Peach".
Is installation through Google Play Store inside island possible?
Related
http://forum.xda-developers.com/showthread.php?t=1819660 Followed instructions here, no joy. Log following.
Notes: It detects busybox is running and wants me to clean, I take option 2 as detailed in the instructions and it proceeds to run option one. When I hit the second step in the commands to run (./photon-torpedo.sh) it gives me this error:
Unfortunatly your going have to enter some shell commands here
Not to worry though it only five commands press enter after each one
1 -- Enter at the first $ cd /data/tmp
2 -- Enter at the second $ ./photon-torpedo.sh
3 -- Enter at the first # ./kill-su.sh
4 -- Enter at the second # exit
5 -- Enter at the next $ exit
Once you are done the script will finish up and reboot your phone.
$ cd /data/tmp
cd /data/tmp
$ .photon-torpedo.sh
.photon-torpedo.sh
.photon-torpedo.sh: not found
$ ./photon-torpedo.sh
./photon-torpedo.sh
ERROR: ld.so: object 'libpcprofile.so' cannot be loaded as audit interface: unde
fined symbol: la_version; ignored.
Fatal server error:
Server is already active for display 0
If this server is no longer running, remove /tmp/.X0-lock
and start again.
Please consult the The X.Org Foundation support
at http://wiki.x.org
for help.
ddxSigGiveUp: Closing log
./photon-torpedo.sh: line 5: /lib/libphoton-torpedo.so: Permission denied
ERROR: ld.so: object 'libphoton-torpedo.so' cannot be loaded as audit interface:
invalid ELF header; ignored.
Fatal server error:
Server is already active for display 0
If this server is no longer running, remove /tmp/.X0-lock
and start again.
Please consult the The X.Org Foundation support
at http://wiki.x.org
for help.
ddxSigGiveUp: Closing log
$
-Fails to give root access while running the torpedo as far as I can tell.
(would post to the thread this pertains to but I do not have enough posts to do so apparently)
In addition: this was previously rooted on an older version of the firmware, which one I cannot remember. Current BusyBox is 1.17.1, su is running binary v3.0(11), permissions are -rwxr-xr-x rootshell /system/bin/su
I'm trying to understand why I still get such "Permission denied" errors though I'm UID root.
I will describe my setup and particular error, but I think a proper explanation of what's happening may interest others.
I just need occasional root shell for reverse engineering sessions, and from what I know, a simple way to achieve this is to boot a modified initial ramdisk that contains a properly modified /default.prop, and/or a setuid shell, and/or some kind of su command.
I managed to successfully boot the device (Moto G) with my custom modified image using "fastboot boot custom_boot.img".
First I can verify it's actually "my initrd.img" that's in use:
Code:
[email protected]_umts:/ $ cat /default.prop
#
# ADDITIONAL_DEFAULT_PROPERTIES
#
ro.secure=0
ro.allow.mock.location=0
ro.debuggable=1
This does _not_ allow me to get root shell (with "adb shell"):
Code:
[email protected]_umts:/ $ id
uid=2000(shell) gid=2000(shell) groups=1003(graphics),1004(input),1007(log),1009(mount),1011(adb),1015(sdcard_rw),1028(sdcard_r),3001(net_bt_admin),3002(net_bt),3003(inet),3006(net_bw_stats) context=u:r:shell:s0
So, I added a setuid copy of /system/bin/sh to the initial ramdisk, at "/sbin/shell0".
Code:
[email protected]_umts:/ $ ls /sbin/shell0 -l
-rwsr-xr-- root shell 157424 2014-07-14 16:08 shell0
[email protected]_umts:/ $ /sbin/shell0
# id
uid=2000(shell) gid=2000(shell) groups=1003(graphics),1004(input),1007(log),1009(mount),1011(adb),1015(sdcard_rw),1028(sdcard_r),3001(net_bt_admin),3002(net_bt),3003(inet),3006(net_bw_stats) context=u:r:shell:s0
# exit
[email protected]_umts:/ $ /sbin/shell0 +p
[email protected]_umts:/ # id
uid=0(root) gid=2000(shell) groups=2000(shell) context=u:r:shell:s0
[email protected]_umts:/ # ls /data/
opendir failed, Permission denied
Here, it appears that I have to use the "+p" flag to prevent the shell from immediately reverting to the real user id (2000), even though the suid bit is set on /sbin/shell0.
But I don't understand why I don't have permission either to open simple directories such as /data, or to read the interesting stuff in the /proc subsystem, though I'm uid=0 (root).
I've also tried adding to the initial ramdisk a simple su command, at /sbin/test_su, that does the setuid(0)/setgid(0)/execve(...) thing (snippets available at android.googlesource.com).
But though this properly keeps the supplementary groups I had lost in the previous try above, I still can't read into /data:
Code:
[email protected]_umts:/ $ ls -l /sbin/test_su
-rwsr-xr-- root shell 6316 2014-07-14 17:12 test_su
[email protected]_umts:/ $ test_su
[email protected]_umts:/ # id
uid=0(root) gid=0(root) groups=1003(graphics),1004(input),1007(log),1009(mount),1011(adb),1015(sdcard_rw),1028(sdcard_r),3001(net_bt_admin),3002(net_bt),3003(inet),3006(net_bw_stats) context=u:r:shell:s0
[email protected]_umts:/ # ls /data/
opendir failed, Permission denied
From a un*x point of view, it seems weird to me that the shell still answers "opendir failed, Permission denied" while I'm uid/gid 0 (root).
I will continue to investigate, notably regarding SELinux which may enforce rules I'm not aware of, but would also greatly appreciate anyone who could put some light on this issue. At least for me it's an issue, as I don't understand what's happening.
Thanks.
t0kt0ckus said:
So, I added a setuid copy of /system/bin/sh to the initial ramdisk, at "/sbin/shell0".
Note that making a setuid shell executable might not be 100% reliable. When I've tried this with bash, it quickly realizes that getuid() != geteuid(), and drops the root permission.
I don't see this happening in your logs, but it's something to watch out for. Typically I've just used simple wrapper programs like the attached file to guarantee that the real/effective/saved UIDs are 0/0/0.
From a un*x point of view, it seems weird to me that the shell still answers "opendir failed, Permission denied" while I'm uid/gid 0 (root).
I will continue to investigate, notably regarding SELinux which may enforce rules I'm not aware of, but would also greatly appreciate anyone who could put some light on this issue. At least for me it's an issue, as I don't understand what's happening.
Chainfire is probably the best person to comment on Android SELinux matters. If you look through his old G+ posts you may be able to determine which restrictions apply to your security context.
Do you see any denials logged in dmesg? (Or is that inaccessible too?)
If there is a /selinux/enforce file, does it read back '0' or '1'?
Thank you for your answer.
cernekee said:
Note that making a setuid shell executable might not be 100% reliable. When I've tried this with bash, it quickly realizes that getuid() != geteuid(), and drops the root permission.
I don't see this happening in your logs, but it's something to watch out for. Typically I've just used simple wrapper programs like the attached file to guarantee that the real/effective/saved UIDs are 0/0/0.
I've looked at your attached source, the main difference with my own wrapper is that you fork the process, I've tried also, behavior is the same. But, after reading your comment, I've modified my setuid/execve code, to make it more verbose about the real/effective/saved UIDs (using getresuid()).
Code:
[email protected]_umts:/ $ test_su
Initial UIDs
ruid: 2000
euid: 0
suid: 0
Setting UIDs ...
New UIDs
ruid: 0
euid: 0
suid: 0
[email protected]_umts:/ # ls /data/
opendir failed, Permission denied
1|[email protected]_umts:/ #
It clearly appears that, POSIX speaking, all go fine until the "Permission denied" error:
the effective uid is already 0 (just after the "adb shell" command), which is expected and documented, as the content of my /default.prop prevents the shell to revert its effective uid to its real one, which would then be 2000 (shell)
after the setuid(0) call, the real uid is successfully set to 0, as expected, because the suid bit is set AND we were already privileged (if not privileged, setuid() should only change the effective uid, as for "man 2 setuid")
after execve(..), the whole prompt, "[email protected]_umts:/ #", again confirms the real uid is 0 (root)
Chainfire is probably the best person to comment on Android SELinux matters. If you look through his old G+ posts you may be able to determine which restrictions apply to your security context.
Yes, I definitely need to dig into the SELinux/Android stuff (see below), and will try to find the Chainfire posts you propose.
Do you see any denials logged in dmesg? (Or is that inaccessible too?)
If there is a /selinux/enforce file, does it read back '0' or '1'?
Neither dmesg (which is accessible) nor logcat shows any related error or warning.
I haven't any /selinux/enforce file, but it clearly appears from the information below that SELinux is activated and enforced:
Code:
[email protected]_umts:/ $ getenforce
Enforcing
[email protected]_umts:/ # setenforce 0
setenforce: Could not set enforcing status: Permission denied
[email protected]_umts:/ $ cat seapp_contexts
isSystemServer=true domain=system
user=system domain=system_app type=system_data_file
user=bluetooth domain=bluetooth type=bluetooth_data_file
user=nfc domain=nfc type=nfc_data_file
user=radio domain=radio type=radio_data_file
user=_app domain=untrusted_app type=app_data_file levelFrom=none
user=_app seinfo=platform domain=platform_app type=platform_app_data_file
user=_app seinfo=shared domain=shared_app type=platform_app_data_file
user=_app seinfo=media domain=media_app type=platform_app_data_file
user=_app seinfo=release domain=release_app type=platform_app_data_file
user=_isolated domain=isolated_app
user=shell domain=shell type=shell_data_file
user=log domain=log_app type=system_data_file
user=sprint_extension domain=carrier_ext type=platform_app_data_file
user=smartcard domain=smartcard type=smartcard_data_file
I'm a noob at SELinux, and I may be wrong, but I think a rule policy could prevent a user, being it root, to achieve certain actions. I need to read stuff about this.
The initial boot image that I modify (just add my suid shell /sbin/test_su) is the 4.4.2 one from sbf, and I expand/repack it using standard un*x tools (gunzip,cpio,...) and abootimg. Anything wrong with that ?
I build the C files using:
Code:
$ echo $CC
<android-ndk>/toolchains/arm-linux-androideabi-4.8/prebuilt/linux-x86_64/bin/arm-linux-androideabi-gcc --sysroot=<android-ndk>/platforms/android-19/arch-arm
$ $CC -o test_su test_su.c
Should I use particular flags for gcc, to make it produce SELinux aware object files ?
[EDIT: stupid question, answer is no]
Again, thanks for your help and ideas.
Just for information (for those who are as dumb as I am): acquiring uid=(euid=suid=)0 is of little or no help within a user application, you're (obviously) still constrained by capabilities you can't acquire unless involving some kind of exploit.
To get a shell that's not restricted by the SE policies (on the 4.4 branch), the main way seems to have somewhat a system daemon capable to spawn /system/bin/sh with appropriate privileges/capabilities upon su client requests: so you again need an exploit.
So, for my understanding, starting with KitKat you can't anymore get a useful adb root shell through the uid=0 thing (traditional su), you have either to flash a custom rom or involve an exploit.
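The checks this thread arrives at, uid 0 alone versus the effective capability set and the SELinux domain, can be read from `/proc` in one pass. The script below is an added example, not code from any poster; its function names and verdict strings are hypothetical, the sample status text is constructed, and the capability bit numbers are those of `linux/capability.h`.

```shell
#!/bin/sh
# Added example: report why a uid-0 process may still get "Permission denied".
# Capability bit numbers from linux/capability.h.
CAP_DAC_OVERRIDE=1       # bypass file read/write/execute permission checks
CAP_DAC_READ_SEARCH=2    # bypass read and directory search checks

# Constructed sample of /proc/<pid>/status: uid 0 in every slot, but an
# empty effective capability set (values are illustrative, not from the thread).
SAMPLE_STATUS='Name:   sh
Uid:    0       0       0       0
Gid:    0       0       0       0
CapInh: 0000000000000000
CapPrm: 0000000000000000
CapEff: 0000000000000000
CapBnd: 0000000000000000'

# status_field <Key>: print the value part of the "Key:" line read on stdin.
status_field() {
    sed -n "s/^$1:[[:space:]]*//p"
}

# has_cap <hexmask> <bit>: succeed if that capability bit is set in the mask.
has_cap() {
    [ $(( (0x$1 >> $2) & 1 )) -eq 1 ]
}

# diagnose <selinux-context> <enforce-mode>: read status text on stdin and
# print one verdict. It reports facts only; whether a given domain may open
# a given path is decided by the loaded SELinux policy.
diagnose() {
    ctx=$1
    mode=$2
    status=$(cat)
    # Uid line columns: real, effective, saved, filesystem.
    set -- $(printf '%s\n' "$status" | status_field Uid)
    euid=$2
    cap_eff=$(printf '%s\n' "$status" | status_field CapEff)
    cap_eff=${cap_eff:-0}
    domain=$(printf '%s' "$ctx" | cut -d: -f3)
    if [ "$euid" != 0 ]; then
        echo "not-root"
    elif ! has_cap "$cap_eff" "$CAP_DAC_OVERRIDE" &&
         ! has_cap "$cap_eff" "$CAP_DAC_READ_SEARCH"; then
        echo "uid0-no-dac-override"
    elif [ "$mode" = Enforcing ] && [ -n "$domain" ]; then
        echo "uid0-subject-to-selinux:$domain"
    else
        echo "uid0-dac-bypass"
    fi
}

# Diagnose the current shell. The helper processes inherit its credentials
# and SELinux context, so their /proc/self entries describe the same values.
diagnose_self() {
    ctx=$(cat /proc/self/attr/current 2>/dev/null | tr -d '\0')
    [ -n "$ctx" ] || ctx=unknown
    mode=$(getenforce 2>/dev/null) || mode=unknown
    cat /proc/self/status | diagnose "$ctx" "$mode"
}

# Demo: the constructed sample with the context and mode shown in the thread.
printf '%s\n' "$SAMPLE_STATUS" | diagnose u:r:shell:s0 Enforcing
if [ -r /proc/self/status ]; then
    diagnose_self
fi
```
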
Since it is now complicated and expensive to get Bootloader code for Huawei devices with EMUI 9 or newer (even EMUI 8 firmwares from July 2018 and onwards), let's discuss tips for useful modding without root:
Ads and analytics can be blocked by dns66 app:
https://forum.xda-developers.com/android/apps-games/app-dns66-source-host-ad-blocker-root-t3487497
Dns66 can auto-update from the same hosts sources used also for updating AdAway (while AdAway requires root):
Adaway hosts
https://adaway.org/hosts.txt
StevenBlack's hosts file
https://raw.githubusercontent.com/StevenBlack/hosts/master/hosts
WinHelp 2000
https://raw.githubusercontent.com/E...assets/active/filter/winhelp2002.mvps.org.txt
Dan Pollock's hosts file
https://someonewhocares.org/hosts/hosts
hpHosts’s Ad and tracking servers
https://hosts-file.net/ad_servers.txt
Long-lived malware domains
https://mirror.cedia.org.ec/malwaredomains/immortal_domains.txt
Malware domains
https://mirror.cedia.org.ec/malwaredomains/justdomains
Malware domain list
https://www.malwaredomainlist.com/hostslist/hosts.txt
Peter Lowe’s server list
https://pgl.yoyo.org/adservers/serverlist.php?hostformat=hosts&showintro=1&mimetype=plaintext
Hosts File
https://www.hostsfile.org/Downloads/hosts.txt
User can also define his own blacklist and whitelist - for how-to details see (in German, Chrome can automatically translate to the language of your choice):
https://www.android-hilfe.de/forum/...moeglich-ist.900205-page-3.html#post-11742906
Additionally, particular apps can be completely whitelisted from being affected by dns66 (there is no such feature in e.g. AdAway)
To block ads in Chrome (and its derivatives) with dns66 or even AdAway, following steps are additionally needed:
https://wccftech.com/how-to-fix-dns-based-ad-blockers-on-chrome/
https://www.malwarefox.com/block-ads-android-chrome/
Steps and screenshots are collected here (Chrome will automatically translate from German):
https://www.android-hilfe.de/forum/...moeglich-ist.900205-page-3.html#post-11734599
Unwanted (system) apps can be disabled or uninstalled (for default/current user) by ADB commands (again, root not required) - for complete guides, see here:
https://www.xda-developers.com/uninstall-carrier-oem-bloatware-without-root-access/
https://forum.xda-developers.com/ap...v1-universal-systemless-t3432382/post80288347
Batch script with examples of some Huawei system apps that can be disabled is given here:
Code:
ECHO OFF
CLS
adb wait-for-device devices
PAUSE
ECHO List packages
adb shell pm list packages
PAUSE
ECHO List disabled packages
adb shell pm list packages -d
PAUSE
ECHO Disable System Update
adb shell pm disable-user com.huawei.android.hwouc
PAUSE
ECHO Disable Files
REM adb shell pm disable-user com.huawei.hidisk
PAUSE
ECHO Disable HiCare
adb shell pm disable-user com.huawei.phoneservice
PAUSE
ECHO Disable HiSearch
adb shell pm disable-user com.huawei.search
PAUSE
ECHO Disable Market Feedback Agent
adb shell pm disable-user com.google.android.feedback
PAUSE
ECHO Disable Tips
adb shell pm disable-user com.huawei.tips
PAUSE
ECHO Disable Duo
adb shell pm disable-user com.google.android.apps.tachyon
PAUSE
ECHO Disable GMail
adb shell pm disable-user com.google.android.gm
PAUSE
ECHO Disable Google
adb shell pm disable-user com.google.android.googlequicksearchbox
PAUSE
ECHO Disable Google Play Music
adb shell pm disable-user com.google.android.music
PAUSE
ECHO Disable Google Play Videos
adb shell pm disable-user com.google.android.videos
PAUSE
ECHO Disable Google Photos
adb shell pm disable-user com.google.android.apps.photos
PAUSE
ECHO Disable SwiftKey
adb shell pm disable-user com.touchtype.swiftkey
adb shell pm disable-user com.swiftkey.swiftkeyconfigurator
PAUSE
ECHO Disable Facebook
adb shell pm disable-user com.facebook.appmanager
adb shell pm disable-user com.facebook.system
adb shell pm disable-user com.facebook.services
PAUSE
ECHO Disable AutoNavi
adb shell pm disable-user com.amap.android.ams
PAUSE
ECHO Disable Browser
adb shell pm disable-user com.android.browser
PAUSE
ECHO Disable E-mail
adb shell pm disable-user com.android.email
PAUSE
ECHO Disable Find my Phone
adb shell pm disable-user com.huawei.android.findmyphone
PAUSE
ECHO Disable Wallet
adb shell pm disable-user com.huawei.wallet
PAUSE
ECHO Disable Health
adb shell pm disable-user com.huawei.health
PAUSE
ECHO Disable HiBoard
adb shell pm disable-user com.huawei.intelligent
PAUSE
ECHO Disable HiPayment
adb shell pm disable-user com.huawei.android.hwpay
PAUSE
ECHO Disable HiVoice
adb shell pm disable-user com.huawei.vassistant
PAUSE
ECHO Disable Huawei IME
adb shell pm disable-user com.baidu.input_huawei
PAUSE
ECHO Disable Yellowpage
adb shell pm disable-user com.huawei.yellowpage
PAUSE
ECHO Disable SIM Toolkit
adb shell pm disable-user com.android.stk
PAUSE
ECHO Disable Smart Repair
adb shell pm disable-user com.huawei.hwdetectrepair
PAUSE
ECHO Disable SkyTone
adb shell pm disable-user com.huawei.skytone
PAUSE
ECHO Disable Android Tips
adb shell pm disable-user com.huawei.android.tips
PAUSE
ECHO Disable Weather
adb shell pm disable-user com.huawei.android.totemweatherapp
adb shell pm disable-user com.huawei.android.totemweatherwidget
PAUSE
ECHO Disable DayDreams
adb shell pm disable-user com.android.dreams.basic
adb shell pm disable-user com.android.dreams.phototable
PAUSE
ECHO Disable Navigation Dock
adb shell pm disable-user com.huawei.android.FloatTasks
PAUSE
ECHO Disable Digital Balance
adb shell pm disable-user com.huawei.parentcontrol
PAUSE
ECHO Disable Partner Bookmarks
adb shell pm disable-user com.android.providers.partnerbookmarks
adb shell pm disable-user com.android.partnerbrowsercustomizations.tmobile
PAUSE
ECHO List disabled packages
adb shell pm list packages -d
Pause
ECHO Re-enable HiSearch
REM adb shell pm enable com.huawei.search
PAUSE
ECHO Uninstall HiSearch
REM adb shell pm uninstall -k --user 0 com.huawei.search
PAUSE
ECHO Re-install HiSearch
REM adb shell cmd package install-existing com.huawei.search
PAUSE
Prepend the corresponding lines with REM (or remove them) if you want to keep Facebook, SwiftKey, Health, etc.
Of course, Developer menu and ADB debugging must be enabled (few clicks)
To find out package names for particular apps, install and use an app like AppInspector or PackageManager (from Playstore)
Some configuration properties can also be modified without root:
https://forum.xda-developers.com/showpost.php?p=79249421&postcount=3
Again, you need adb and then SetEdit app (install from Playstore).
Give write permissions to SetEdit by adb:
Code:
adb shell pm grant by4a.setedit22 android.permission.WRITE_SECURE_SETTINGS
Open SetEdit, and therefrom Secure Table,
change Hide_Pocket_Mode value from 1 to 0
I've similarly enabled setting for Virtual HD sound in calls, see screenshots
Similarly, additional statistic can be enabled in GSam Battery Monitor, with adb command instead of by granting it root permission:
Code:
adb shell pm grant com.gsamlabs.bbm.rootcompanion android.permission.BATTERY_STATS
Regarding playing YouTube in the background and blocking its ads, I've tried the YouTube Vanced app, two versions: v12.32.59 and the latest v14.21.54:
https://vanced.app/
YT Vanced can play in the background and block ads (most important for me) and it comes with practically the same interface as the standard YT application
It works almost the same as the Magisk module YT Vanced, but the app does not require root and (unlike the Magisk module) it requires an additional MicroG app if you want to sign in to your YT account.
Unfortunately, I was unable to make it sign in with MicroG 0.2.6.17455:
- If I try to Sign in from YT Vanced v14.21.54, it calls MicroG but MicroG was unable to sign in to my existing YT account(s), popping out: Please Check your Network Connection, Tap to retry
(I've tested also with DNS66 switched off, to make sure it does not interfere)
- With MicroG installed, YT Vanced v12.32.59 crashes for me right away on starting (with MicroG not installed, it works fine)
There are a few other replacements for the YT app like OGYouTube, TubeMate, iTube, or NewPipe, allowing download and/or playing in the background.
E.g., with iTube I was able to play in the background but also to log in to the YT account (but the interface is somewhat strange, the user must get accustomed to it)
However, ATM, I will stick with this latest YT Vanced v12.32.59, since I'm used to the very similar Vanced module on rooted phones
Logcat can be also enabled without root, install Logcat 4U from Google Play:
https://play.google.com/store/apps/details?id=com.sam.logcat
and enable it Read Logs permission:
Code:
adb shell pm grant com.sam.logcat android.permission.READ_LOGS
PIN can be also unlocked with ADB, if it e.g. happens that you by mistake remove/disable virtual keyboards (replace XXXX with your PIN):
Code:
adb shell input text XXXX
Not related to root but to (adb and) fastboot - following commands are useful when phone is bricked to read IMEI(s) and Ser num, info about Bootloader, model, cust and possibly build number from the last used stock firmware
Boot to fastboot:
- switch off
- connect to PC (e.g., Minimal ADB and Fastboot must be installed)
- press and keep pressing Vol-
- boot by Pow
And execute as bat script
Code:
fastboot devices
PAUSE
fastboot oem get-bootinfo
PAUSE
fastboot oem get-psid
PAUSE
fastboot oem get_hwnff_ver
PAUSE
fastboot oem hwdog certify begin
PAUSE
fastboot oem get-product-model
PAUSE
fastboot oem get-build-number
PAUSE
fastboot oem oeminforead-SYSTEM_VERSION
PAUSE
fastboot getvar vendorcountry
PAUSE
REM fastboot getvar rescue_enter_recovery
PAUSE
fastboot reboot
Free of charge method for updating to Approved firmwares (not received yet by OTA) by HiSuite and Firmware Finder - no root, TWRP or unlocked boot loader required.
Original XDA post:
https://forum.xda-developers.com/showpost.php?p=78850439&postcount=1334
More details (Chrome can automatically translate from German):
https://www.android-hilfe.de/forum/...s-mit-hisuite-und-firmware-finder.930081.html
Note:
This method is similar in concept to HSTool (originating from FunkyHuawei) + HiSuite method:
https://forum.xda-developers.com/mate-20-pro/how-to/manual-upgrading-mate-20-pro-bl-locked-t3905924
https://forum.xda-developers.com/honor-view-20/how-to/hstool-upgrading-firmware-bl-locked-t3948040
https://forum.xda-developers.com/huawei-p30-pro/how-to/guide-how-to-ota-update-p30-pro-wipe-t3953138
Both methods don't require unlocked Bootloader, both use patched, particular versions of HiSuite and trick the HiSuite to download/install a stock firmware but not from the Huawei server.
Differences:
- In the method here, phone must be running Firmware Finder, and FF triggers the Team MT server to provide download of selected firmware for HiSuite.
- In the HSTool method, HSTool provides the firmware to HiSuite.
Interesting:
MiXPlorer is able to read e.g. /system, /vendor and /proc partitions.
You can browse through, read textual files, copy to Internal memory.
Of course, cannot write to (delete, change, create new files, etc)
Also, it cannot read /data partition
Tested also with Terminal Emulator, it can do similar - see screenshots
Btw, even if the phone was rooted (again, it isn't, BL is locked), /system and /vendor partitions would still be read only (EMUI 9.1, EROFS) - but nevertheless, Magisk would supposedly be able to provide systemless hosts access to AdAway
Is there any way to enhance sound (like with Viper4Android or JamesDSP), without root?
Eg, Equalizer - Bass Booster is free and does not require root:
https://play.google.com/store/apps/details?id=music.basss.booster.effect.equalizer
As an equalizer it works great, but if you highly boost the bass or volume, sound will deteriorate
There is even an easier way to substitute AdAway on a non-rooted device. Just define dns.adguard.com for your private DNS server - see a screenshot below
However, compared to AdAway or DNS66, here you cannot add your own blacklist and whitelist, and you have no freedom to choose between (or use several of them) hosts sources.
Be aware, I have encountered a WiFi hotspot where DNS requests outside were blocked, and as result, I was unable to resolve any domain name to IP address, and therefore unable to eg open any site in the browser - I had to disable private DNS as long as staying on that WiFi hotspot
The following way you can unlock the screen by ADB, but:
- ADB must be already enabled on the phone
- PC you are using must be already granted ADB usage
(Otherwise it would pop-up on the still locked screen where you cannot confirm)
First, verify ADB and enter the shell
Code:
adb wait-for-device devices
adb shell
At this point press Power button (if screen is ok, it would light up).
By the first command you swipe the screen (if screen is ok, you would see popup to enter the unlock pin/pass)
By the second command you enter your unlock pin/password:
Code:
input touchscreen swipe 930 880 930 380
input text <your-screen-unlock-pin-password>
At the end, exit the shell:
Code:
exit
So, I have two SIM cards (both locked by pin) and lock screen (all the same pins).
Keyevent 66 means Ok.
The following worked for me to unlock the phone on reboot - but you MUST wait to start until the MTP pops up on the PC:
Code:
adb devices
adb shell
input text 1234
input keyevent 66
input text 1234
input keyevent 66
input touchscreen swipe 930 880 930 380
input text 1234
exit
As said, on Huawei it works without root.
---
Note:
On Xiaomi, phone must be rooted and ADB must be already given root access, hence instead of
Code:
adb shell
start with
Code:
adb shell
su
Also, on Xiaomi I didn't need to wait for MTP to pop-up on the PC upon rebooting the phone - I can start right away with ADB
I am on emui 9.1 and of course Pie.
Is there any way to change your font without having to have root? Really disliking this Huawei font that doesn't have a true bold.
I got a Kindle Fire HD 10 for my son and intended to have it supervised with Google Family Link. I was searching for a while how to achieve at the same time the following:
- root, debloat and remove ads ("special offers")
- have access to Play Store and all the google apps
- be logged on to Amazon account for Prime video access
- have the tablet be supervised by Google Family Link
The last part in particular wasn't working. A few discussions in Reddit and elsewhere suggested that it's not possible, as Google and Amazon don't (want to) play well together, and Family Link won't take over a tablet signed in/registered with Amazon.
After some trial and error I managed to achieve it, so I'm posting here for anyone who wants to do the same.
Here are all the steps I did:
- Follow this guide (including brick-unbrick) to unlock, install TWRP, root and debloat the tablet:
https://forum.xda-developers.com/hd8-hd10/orig-development/unlock-fire-hd-10-2017-suez-t3913639/
- From TWRP flash the ROM in this thread:
https://forum.xda-developers.com/hd8-hd10/development/rom-t3929969/amp/
- Boot and set the tablet up without registering it with Amazon, only Google.
- Set up Google Family Link. Sign in with the kid's account (approve with parent's as usual). I had to do it twice, the first time it gave me an error message, the second it registered.
- Install a launcher and set it as default. Instructions here:
https://forum.xda-developers.com/hd8-hd10/general/successfully-changed-launcher-to-nova-t3744067
- At this point everything works except Amazon apps. Do a full backup from TWRP just in case the next step kicks Google out.
- Now we need to register with Amazon. If Google Family Link is used to supervise the tablet however, it won't work. So Family Link needs to be disabled temporarily and then set up again. So we deactivate Family Link (stop monitoring the child). Then we register with Amazon, and then we activate Family Link again.
- Fingers crossed, everything should work now.
airmark said:
I got .
Thanks for sharing!
Questions :
1 how to debloat? edit: never mind, found it. The problem is my device shows up as unauthorized in Ubuntu. No issue with Windows.
2 I clean flashed that deodexed fireos ROM v2 and Wi-Fi is on and off. Any fix?
Excellent thread, thank you!
I have one issue remaining. I cannot enable developer options (for ADB) using the "press on serial number 7 times".. nothing comes up. Also if I try to enable install from unknown sources, the settings app seems to crash back to the home screen.
I'm trying to sideload an APK and have tried enabling unknown sources by altering the SQL settings.db which seemed to work (the toggle is enabled) but alas, installs from unknown sources are still restricted.
Have you come across this in your install?
EDIT / SOLUTION: I found that this could be enabled through the parent app (phew!)
airmark said:
- Boot and set the tablet up without registering it with Amazon, only Google.
- Set up Google Family Link. Sign in with the kid's account (approve with parent's as usual). I had to do it twice, the first time it gave me an error message, the second it registered.
Can't seem to get this to work (haven't flashed the custom ROM as I'm only after the Family Link functionality) it gets stuck after I select "This device" then select the account I want to supervise - goes to a screen that says "Checking for updates" then after a minute or so it goes back to the screen asking me to select the device again, any thoughts?
Thanks
edit: the reason for the "Checking for updates" message, I think, was that it was trying to download/install "Family Link Manager" and it probably couldn't e.g. due to permissions, so I installed it manually from the Play Store - see my post below.
I understand OP's need to use Family Link since the internet's a scary place, but...
I don't understand why we as a people are ok after Google has proven they will kill anything that doesn't make or (legally) save them money.
entombor2 said:
I understand OP's need to use Family Link since the internet's a scary place, but...
I don't understand why we as a people are ok after Google has proven they will kill anything that doesn't make or (legally) save them money.
Err...because they are a private business and that's the nature of capitalism. If you want a different legal framework talk to your government representative. Might bone up on the number of successful societies that assume control of private entities. History has a tale to tell.
Argh. Closer but now gets stuck on a different step!
Installed "Family Link Manager" and I can now get it to recognise the device and account I want to manage but when I get to the screen that lists the things a parent will be able to do and tap "Next" then on the popup tap "Allow" I then get a screen that says " Cancel supervision setup?" and the only buttons are "Back" (which loops back to the same screen i.e. does nothing) and "Start Again" which I obviously do not want!
I wasn't prompted to grant any permissions so I suspect this is the issue?
Has anyone got this far?
Edit: Enabled "Family Link Manager" as a device administrator and....still doesn't work. Damn.
2019 version?
Hi! Will this work in 2019 Fire HD 10? It runs Fire OS 7...
Thanks in advance!
whatever2020 said:
Hi! Will this work in 2019 Fire HD 10? It runs Fire OS 7...
Thanks in advance!
Depends, you can root if you are on 7.3.1.0, after that there are workarounds for most things...
unlock - No
TWRP- No
Root - Yes ( if on 7.3.1.0)
Debloat - Yes With or without root (possibly temporary but stable so far)
Launcher - Yes
Disable OTA (Likely Yes without root)
Disable ads (disable is working so far)
What are you looking to do?
Mostly, make Family Link work... Bloat/launcher /etc are not that important. lock screen ads I can Live with.
Thank you!
Ok, this might be a little necro, but I've got this working on a 2016 Fire HD8.
I'm factory resetting it and taking some more detailed notes, basically you need to install the mtk-su/root
Then all the google framework, play store and family link teen + family link manager....
Now I was stuck in a loop for "Also stuck on "Next, you'll activate Family Link Manager, which helps parents...".
And it kept looking between that and "Got It"...
I got an idea from a gmail crashing thread to use Link2SD to set apps as "System Apps"
This was the missing link, I got the system popup to accept new permissions which wasn't happening before and all was glorious.... now I'm not sure if there's a way to adb install as a system app, going to be looking into that as well...
I'm so excited because this actually makes the tablet usable for my kids again.
Steps confirmed for Fire HD8 2016 (Gen6):
1. Factory Reset
2. MTK-SU Root - Includes setting default permission to allow su/root
I used the batch file included from @Rortiz2 - HERE
3. I modified the MTK-SU batch file to add the following lines:
Code:
...
echo Completed! Now update the binary!
echo [*] Running Custom Scripts...
echo [*] Debloating...
call debloat.bat
echo [*] Installing Google Applications
call play-store.bat
pause
...
4. Create the debloat.bat file in the same directory as MTK-SU.bat
debloat.bat
Code:
@echo off
echo Disabling Over The Air Updates...
files\adb shell "/data/local/tmp/mtk-su -c pm disable com.amazon.kindle.otter.oobe.forced.ota"
files\adb shell "/data/local/tmp/mtk-su -c pm disable com.amazon.device.software.ota"
files\adb shell "/data/local/tmp/mtk-su -c pm disable com.amazon.device.software.ota.override"
echo Removing Ads...
files\adb shell "/data/local/tmp/mtk-su -c pm disable com.amazon.kindle.kso"
echo Removing Legal Notices
files\adb shell "/data/local/tmp/mtk-su -c pm disable-user --user 0 com.amazon.legalsettings"
echo Removing Weather...
files\adb shell "/data/local/tmp/mtk-su -c pm disable-user --user 0 com.amazon.weather"
files\adb shell "/data/local/tmp/mtk-su -c pm disable-user --user 0 com.amazon.platform"
echo Removing System updates...
files\adb shell "/data/local/tmp/mtk-su -c pm disable-user --user 0 com.amazon.settings.systemupdates"
echo Removing Kindle books...
files\adb shell "/data/local/tmp/mtk-su -c pm disable-user --user 0 com.amazon.kindle"
echo Removing Prime video...
files\adb shell "/data/local/tmp/mtk-su -c pm disable-user --user 0 com.amazon.avod"
echo Removing Special offers...
files\adb shell "/data/local/tmp/mtk-su -c pm disable-user --user 0 com.amazon.kindle.kso"
echo Removing Content Management service...
files\adb shell "/data/local/tmp/mtk-su -c pm disable-user --user 0 com.amazon.kindle.cms"
echo Removing Kindle store
files\adb shell "/data/local/tmp/mtk-su -c pm disable-user --user 0 com.amazon.webapp"
files\adb shell "/data/local/tmp/mtk-su -c pm disable-user --user 0 com.amazon.tahoe"
files\adb shell "/data/local/tmp/mtk-su -c pm disable-user --user 0 com.amazon.iris"
files\adb shell "/data/local/tmp/mtk-su -c pm disable-user --user 0 com.audible.application.kindle"
files\adb shell "/data/local/tmp/mtk-su -c pm disable-user --user 0 com.amazon.cloud9.kids"
files\adb shell "/data/local/tmp/mtk-su -c pm disable-user --user 0 com.amazon.cloud9.contentservice"
echo Removing Silk browser...
files\adb shell "/data/local/tmp/mtk-su -c pm disable-user --user 0 com.amazon.cloud9"
echo Removing Amazon app store...
files\adb shell "/data/local/tmp/mtk-su -c pm disable-user --user 0 com.amazon.venezia"
echo Removing Amazon goodreads share...
files\adb shell "/data/local/tmp/mtk-su -c pm disable-user --user 0 com.amazon.unifiedsharegoodreads"
echo Removing Goodreads...
files\adb shell "/data/local/tmp/mtk-su -c pm disable-user --user 0 com.goodreads.kindle"
echo Removing Amazon gamecircle...
files\adb shell "/data/local/tmp/mtk-su -c pm disable-user --user 0 com.amazon.ags.app"
echo Removing Amazon Maps...
files\adb shell "/data/local/tmp/mtk-su -c pm disable-user --user 0 com.amazon.geo.mapsv2.services"
files\adb shell "/data/local/tmp/mtk-su -c pm disable-user --user 0 com.amazon.geo.mapsv2"
files\adb shell "/data/local/tmp/mtk-su -c pm disable-user --user 0 com.amazon.geo.client.maps"
files\adb shell "/data/local/tmp/mtk-su -c pm disable-user --user 0 com.amazon.windowshop"
files\adb shell "/data/local/tmp/mtk-su -c pm disable-user --user 0 com.amazon.csapp"
files\adb shell "/data/local/tmp/mtk-su -c pm disable-user --user 0 amazon.alexa.tablet"
files\adb shell "/data/local/tmp/mtk-su -c pm disable-user --user 0 com.amazon.dee.app"
echo Removing Amazon Music...
files\adb shell "/data/local/tmp/mtk-su -c pm disable-user --user 0 com.amazon.mp3"
echo Removing Amazon Photos...
files\adb shell "/data/local/tmp/mtk-su -c pm disable-user --user 0 com.amazon.photos"
echo Disable Device Setup
files\adb shell "/data/local/tmp/mtk-su -c pm disable-user --user 0 com.amazon.kindle.otter.oobe"
5. Download the Following APKs and save them to the apps sub-directory that you extracted from the MTK-SU archive:
com.android.vending_18.9.11-all_0_PR_295870256-81891100.apk
com.buak.Link2SD_4.3.4-415_minAPI9(arm64-v8a,armeabi,armeabi-v7a,mips,x86,x86_64)(nodpi).apk
com.google.android.apps.kids.familylinkhelper_flh.release.1.23.0.E.277396481-963364_minAPI21(nodpi).apk
com.google.android.apps.kids.familylinkmanager.1.0.0.257492102.apk
com.google.android.gms_20.04.14_(020400-294335909)-200414010_minAPI21(arm64-v8a,armeabi-v7a)(nodpi).apk
com.google.android.googlequicksearchbox_10.98.9.21.arm64-301070062_minAPI21(arm64-v8a,armeabi-v7a)(nodpi).apk
com.google.android.gsf.login_5.1-1743759-22_minAPI21(nodpi).apk
com.google.android.gsf_5.1-1743759-22_minAPI22(nodpi).apk
com.google.android.launcher_1.4.large-104002_minAPI16_maxAPI25(nodpi).apk
Here's a BUNDLE!
6. Create play-store.bat in the same directory as MTK-SU.bat and debloat.bat
play-store.bat
Code:
@echo off
echo Google Services / Play Store for Fire HD8
echo Thanks to diplomatic for creating "MTK-SU" and Rortiz2 for the MTK-SU.bat.
echo .
echo [*] Installing Google Framework...
files\adb.exe install "apps\com.google.android.gsf_5.1-1743759-22_minAPI22(nodpi).apk"
files\adb.exe install "apps\com.google.android.gsf.login_5.1-1743759-22_minAPI21(nodpi).apk"
files\adb.exe install "apps\com.google.android.gms_20.04.14_(020400-294335909)-200414010_minAPI21(arm64-v8a,armeabi-v7a)(nodpi).apk"
echo [*] Installing Google Play Store...
files\adb.exe install "apps\com.android.vending_18.9.11-all_0_PR_295870256-81891100.apk"
echo [*] Installing Google Application...
files\adb.exe install "apps\com.google.android.googlequicksearchbox_10.98.9.21.arm64-301070062_minAPI21(arm64-v8a,armeabi-v7a)(nodpi).apk"
echo [*] Installing Google Family Link
files\adb.exe install "apps\com.google.android.apps.kids.familylinkhelper_flh.release.1.23.0.E.277396481-963364_minAPI21(nodpi).apk"
echo [*] Installing Family Link Manager
files\adb.exe install "apps\com.google.android.apps.kids.familylinkmanager.1.0.0.257492102.apk"
echo [*] Installing Google Launcher...
files\adb.exe install "apps\com.google.android.launcher_1.4.large-104002_minAPI16_maxAPI25(nodpi).apk"
echo [*] Installing Link2SD...
files\adb.exe install "apps\com.buak.Link2SD_4.3.4-415_minAPI9(arm64-v8a,armeabi,armeabi-v7a,mips,x86,x86_64)(nodpi).apk"
echo [*] Changing Launcher...
echo [*] Disable Fire Launcher
files\adb.exe shell "/data/local/tmp/mtk-su -c pm disable com.amazon.firelauncher"
echo [*] Enable Google Launcher
files\adb.exe shell "/data/local/tmp/mtk-su -c pm enable com.google.android.launcher"
7. Update your SuperUser Binary by launching SuperUser (This is now an installed application in your app drawer). You should be prompted to update.
8. In the SuperUser application change the default SU permission to Grant vs. Prompt.
9. Reboot
10. Use Link2SD to mark all of the Google/Family Manager apps from step 6 as system apps.
- THIS IS THE MONEY - If you are stuck in activating Family Link Manager with the message: "This profile manager is required for Google Accounts managed with Family Link." This is the Fix!
- If you are unfamiliar with the application, just find the app in the main Link2SD list then hit the 3 dots on the top right, here you can choose to set as system application.
- This is the part that is kinda wonky, If someone knows a way to just install these applications as system application from ADB then I'll gladly take the Link2SD part out of here...
11. Open the Play Store and sign in through play store as kids account...
12. Authorize sign in as parent...
13. Continue to step through approval dialogue...
14. Done.
Great instructions. I have already successfully performed this on a Fire HD 10. With the second, the Google Launcher does not start. If it is active, I only see a black screen with a clock and battery. When I activate the fire launcher, everything works perfectly. What can that be?
I'm wondering about the step 7 and 8, can you please provide details on how to do that ?
Thanks !
The MTK-SU Root no longer works on the latest FireOS 7.3.1.2 on Fire HD 10 (2019). So, no way to get root means no way to change Family Link to a system app means no way to activate Family Link which means no way to get a child account on the device at all. I guess the only option is to change the child's birthday to 1 day before 13 years old, wait a day, then convert the child account to an adult account and use the tablet with no parental controls.
I still can't get Family link to work properly but I was able to use a child's account on the Fire 10 by installing the Family Link MANAGER apk from apk mirror. I can't control the device from the parents app to the full extent, but I can still require that she gets approval for downloading any apps and the approval process works.
This was all done without root.
skybar87 said:
I still can't get Family link to work properly but I was able to use a child's account on the Fire 10 by installing the Family Link MANAGER apk from apk mirror. I can't control the device from the parents app to the full extent, but I can still require that she gets approval for downloading any apps and the approval process works.
This was all done without root.
skybar87, can you explain how you got this working on your HD10? Is it a specific manager APK? I am trying on a 2018 HD8, but I always end up in the loop trying to activate the family link app, both the kid and parent versions. I tried just skipping the last step. If I do that, app approvals work for a bit but then it keeps signing out of the Play Store. All I want is the ability to approve app installs...
martinbrecko said:
Great instructions. I have already successfully performed this on a Fire HD 10. With the second, the Google Launcher does not start. If it is active, I only see a black screen with a clock and battery. When I activate the fire launcher, everything works perfectly. What can that be?
Did you miss setting one of the Google apps as system? Maybe there is a different launcher/apk needed for that device?
Gizzzmo said:
I'm wondering about the step 7 and 8, can you please provide details on how to do that ?
Thanks !
This is done by launching the SuperSU application from the app drawer.
---------- Post added at 01:07 PM ---------- Previous post was at 01:05 PM ----------
skybar87 said:
I still can't get Family link to work properly but I was able to use a child's account on the Fire 10 by installing the Family Link MANAGER apk from apk mirror. I can't control the device from the parents app to the full extent, but I can still require that she gets approval for downloading any apps and the approval process works.
This was all done without root.
This is as far as you will get without root.
You need at least temporary root to get the google apps registered as system apps.
Without that the process will always fail.
Can someone please create an easy script from this long tutorial? It is hard to follow. I have hd 10 7th Gen 5.3.7.0
Hello, can someone help me with adb pls?
With "adb shell pm list packages -f > c:\1.txt" I get a list of my installed apps as text file, is there any way to get a list of the installed default apps? Removing an app with "adb shell pm uninstall --user 0" removes it from the user profile, but I can reinstall it and I can reset my phone to get the apps back, that means they are all still installed on other level, is there a command like "adb shell pm list packages" to see the default apps? I want to get a list of the apps, user apps and system apps installed as if I had reset the phone or start it the first time.
Also, is there maybe a command for rebuild/delete cache? Just interested, because I have no idea if that is a thing today, with old Android versions it was helping sometimes but only possible with root.
With regards to apps that get installed by user ( called 3rd-party apps in contrast to system apps ) an app always gets installed in the space that's reserved for the user who invoked app's installation: typically it's user with id 0 - the default Android user. Knowing this then it will be clear that 3rd-party-apps on multi-user Android systems get installed in different user spaces.
Hence you should always add --user <USER-ID> to any action that should be taken by PM.
To get list of installed system apps belonging to specific user you run
Code:
adb shell "cmd package list-packages -s --user <USER-ID>"
To get list of installed 3rd-party apps belonging to specific user you run
Code:
adb shell "cmd package list-packages -3 --user <USER-ID>"
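The per-user listing above, turned into an audit of a debloated device. This is an added example, not part of the thread or any poster's code: it parses `pm list packages` output for one user, reports which packages are removed or disabled for that user, and prints the matching `install-existing` / `pm enable` commands quoted earlier in the thread. The `-u` flag (include uninstalled packages), the function names and the sample output are assumptions or constructed for the example.

```python
import re
import subprocess

# Only well-formed package names are accepted; anything else in the output is
# dropped so it can never end up inside a generated command line.
PKG_RE = re.compile(r"^[A-Za-z][A-Za-z0-9_]*(\.[A-Za-z0-9_]+)*$")


def parse_pm_list(text):
    """Return the package names found in `pm list packages [-f]` output.

    Lines are `package:<name>` or, with -f, `package:<apk path>=<name>`.
    Recent Android releases put `=` inside the APK path, so the name is the
    part after the LAST `=`, not the first.
    """
    names = set()
    for raw in text.splitlines():
        line = raw.strip()  # adb on Windows can leave a trailing \r
        if not line.startswith("package:"):
            continue  # warnings, blank lines, error text
        name = line[len("package:"):].rpartition("=")[2]
        if PKG_RE.match(name):
            names.add(name)
    return names


def audit(all_known, installed, disabled):
    """Classify packages for one user from three listings.

    all_known: `pm list packages -u --user N` (also lists packages that are
               still on the device but uninstalled for that user)
    installed: `pm list packages --user N`
    disabled:  `pm list packages -d --user N`
    """
    known = parse_pm_list(all_known)
    present = parse_pm_list(installed)
    off = parse_pm_list(disabled) & present
    return {
        "removed": sorted(known - present),
        "disabled": sorted(off),
        "active": sorted(present - off),
    }


def restore_commands(report, user="0"):
    """Build (not run) the commands that undo each change for this user."""
    if not str(user).isdigit():
        raise ValueError("user id must be numeric")
    cmds = [f"adb shell cmd package install-existing --user {user} {p}"
            for p in report["removed"]]
    cmds += [f"adb shell pm enable --user {user} {p}"
             for p in report["disabled"]]
    return cmds


def pm_list(flags, user="0"):
    """Run `adb shell pm list packages <flags> --user <user>` on the device."""
    cmd = ["adb", "shell", "pm", "list", "packages", *flags, "--user", str(user)]
    return subprocess.run(cmd, capture_output=True, text=True, check=True).stdout


# Constructed sample output (not captured from a real device; paths are made up).
SAMPLE_ALL = (
    "package:/system/app/HiSearch/HiSearch.apk=com.huawei.search\n"
    "package:/system/app/Gmail2/Gmail2.apk=com.google.android.gm\n"
    "package:/data/app/~~Qx1Zk0==/com.touchtype.swiftkey-a9Bc==/base.apk"
    "=com.touchtype.swiftkey\n"
    "package:/system/priv-app/Settings/Settings.apk=com.android.settings\n"
)
SAMPLE_INSTALLED = (
    "package:com.google.android.gm\r\n"
    "package:com.touchtype.swiftkey\r\n"
    "package:com.android.settings\r\n"
)
SAMPLE_DISABLED = "package:com.google.android.gm\npackage:com.touchtype.swiftkey\n"


if __name__ == "__main__":
    # Live run against the connected device, user 0.
    report = audit(pm_list(["-u"]), pm_list([]), pm_list(["-d"]))
    for state in ("removed", "disabled"):
        print(f"{state} for user 0: {', '.join(report[state]) or '(none)'}")
    print("\n".join(restore_commands(report)))
```

Saving the three listings before a debloat run and again afterwards gives a record of exactly what changed, which is what you need when something that was disabled turns out to be required.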
jwoegerbauer said:
With regards to apps that get installed by user ( called 3rd-party apps in contrast to system apps ) an app always gets installed in the space that's reserved for the user who invoked app's installation: typically it's user with id 0 - the default Android user. Knowing this then it will be clear that 3rd-party-apps on multi-user Android systems get installed in different user spaces.
Hence you should always add --user <USER-ID> to any action that should be taken by PM.
To get list of installed system apps belonging to specific user you run
Code:
adb shell "cmd package list-packages -s --user <USER-ID>"
To get list of installed 3rd-party apps belonging to specific user you run
Code:
adb shell "cmd package list-packages -3 --user <USER-ID>"
With adb shell cmd package list-packages -s --user 0 it closed without anything
With adb shell cmd package list-packages -s --user 0 -f > c:\2.txt I get Unknown command: list-packages
Same with using "adb shell cmd package list-packages -s --user 0" and adb shell "cmd package list-packages -s --user 0" -f > c:\2.txt
What am I doing wrong?
Also, that's not exactly what I meant; even if the command is working I don't want the list of user 0, I want a list of the default apps. I already debloated the phone, I want to see the apps I debloated, the apps that are installed on admin(?) level to see if I can reinstall something that I need.