Database Info

[GUIDE/HOW-TO] Beginner's "Getting Started" Guide :: Root, Recovery, Roms etc

[GUIDE/HOW-TO] Beginner's "Getting Started" Guide :: Root, Recovery, Roms etc
Update: Links are dead, mediafire decided to pull them without any notice. However, all important files can be found on my DevHost Account
This guide is made to help newbies get started on the basic customizations they can do to their Galaxy Fit, and with minimum possible risk of bricking it. Plus, recent update will help users to move on from being android newbies to experienced users.
Before you think of posting as ‘copied’, I want to inform you that more than 90% of the guide has been typed by me, using my own experiences with my Galaxy Fit, and has not been simply copy-pasted from anywhere.
Note: Even though care is taken to help you minimize risk of bricking your phone,
no one, except yourself, is responsible for any damage that happens to your phone.
Also, doing most of the modifications below WILL void your warranty.
Do not quote the entire post!
Quote only the part where you are facing problems...
If you completely quote the posts by me, I will not help, since I can safely assume that you are not following instructions as stated.
And do NOT pm me asking help, with regards to this thread...I will not help you there!
If you have questions/problems, ask here...I'll try my best to help you here!
Topics covered in this guide:
Most stuff related to Rooting
Backing up data using Titanium Backup Pro
Installing Stock Roms
Installing Custom Recovery
Installing Custom Roms (Continued in second post)
Creating and Deleting Sd-card Partition
Setting up and using Link2sd
Installing apk’s through “Root Explorer” method
Nandroid Backups (Continued in third post)
Overclocking
Bricked Galaxy Fit
Bootloops (Continued in fourth post)
How to reclaim warranty?
Battery Care
Android Debugging Bridge (In fifth post)
Logcats (In sixth post)
Pre-requisites:
Before you proceed, you need to have the following things ready with you:
Samsung Galaxy Fit S5670 (obviously)
Windows PC (Xp, Vista, 7)
Usb Data Cable
Samsung Usb Drivers installed on your computer (Download)
Usb Debugging Enabled (Enable it from Settings> Applications> Development> Usb Debugging)
A minimum of 50% Battery left for use
Knowledge on how to use a windows pc (optional, but recommended )
A calm mind, and plenty of patience.
Also, remember this:
a.To reboot into “recovery mode”, first shutdown your phone completely, then press and hold power + home button and wait for phone to switch on.
b.To reboot into “download mode”, first shutdown your phone completely, then press and hold power + home + volume down button and wait till phone switches on (you’ll get a yellow triangle with an android inside it, with the word “Downloading” written under it)
Edit: Since a proper "route" to installing custom roms isn't very clear, I'll just add this:-
Let's say you have a stock froyo rom, and want to try some custom rom, then
[OPTIONAL] Root Froyo, if you wish.
Then, you update to Gingerbread.
[OPTIONAL] Root GB, if you wish.
Install ClockworkMod Recovery
Then finally, install the custom rom of your choice.
Hope the "path" is now clearer ​
1. Rooting
Q) What is “rooting”? What are its advantages and disadvantages?
A) “Rooting” your device means obtaining “superuser” rights and permissions to your Android’s software. With these elevated user privileges, you gain the ability to load custom software (ROM’s), install custom themes, increase performance, increase battery life, and the ability to install software that would otherwise cost extra money (ex: Wi-Fi tethering). Rooting is essentially “hacking” your Android device.
For more info, refer Source
Though, one thing worth mentioning, YOU DO NOT NEED TO BE ROOTED IN ORDER TO INSTALL ANY CUSTOM ROM OR RECOVERY, it is optional but recommended…
People usually root beforehand as it helps them to backup their data…and you won't be able to root after you install a custom recovery, since the scripts are made only for stock Samsung recovery​
Q) Okay, now how do I root my Galaxy Fit?
A)
If you are running Froyo (android version 2.2.1), then:
Download SuperOneClick (Source Link)
Make sure your phone is connected to the computer via USB, AND your SD card is NOT mounted.
Run the app
When SuperOneClick launches, you’ll see several large buttons at the top of the screen. Make sure that the debugger can “see” it (activity will start logging).
Click “Root” in SuperOneClick.
If you are running Gingerbread (android version 2.3.x), then:
Download this update.zip file (Link)
Place it on the root of sd card (root here meaning “home directory” of your micro-sd card, i.e. the first folder which you get when you open any file explorer)
Make sure the file’s name is “update.zip” (without the “”)
Now reboot into recovery mode
Select the option: “Apply update.zip”
Wait for it to complete, and you are done!
After you have successfully rooted, you will find an app named “Superuser” in your application menu. If not, you can download it from Play Store.
Also, it is advisable to update the app (as well as the superuser binaries, option present in-app) to the latest version available.​
Q) How do I unroot my g-fit?
A) There might be various reasons why you would want to unroot your fit (the main one being to recover/reclaim your warranty)
For unrooting (in Froyo), just run SuperOneClick again, and click option “Unroot”.
For unrooting (in GB), you have a few ways: one is a sure-shot way (install/flash stock rom), another works for some and doesn’t work for some (update.zip), and one more is false un-root.
1.Sure-shot way: This method will work all the time, i.e. you will be able to unroot successfully with this method. All you’ve got to do is flash a stock rom, and you will be back to factory settings (and even get your warranty back)
2.Update.zip method: This method worked for some users, and didn’t work for some. In this, you just need to download this file, rename it to “update.zip” and install it the same way as you did to root, i.e. reboot into recovery and apply update.zip
3.False un-root: This isn’t actually unrooting, but is a little trick I used to get my warranty back.
1. First download and install Audio Manager aka Hide It Pro
2. Then use it to hide all your root-related apps (like superuser, titanium backup etc.), and done!
Note: The false un-root method isn’t actually un-rooting, as anyone with enough android knowledge will be able to tell that you still retain root access. The method only hides the notifications that you receive from superuser, when any app is requesting root access. Exercise caution when using this method, as all apps can have root access, and you wouldn’t even come to know about it.​
2. Backing up data using Titanium Backup Pro
Since you don’t need to have root access in order to install any custom recovery/rom, hence one of the major reason left to root is to backup your phone settings and data.
You can find plenty of apps on Play Store which can backup AND restore your data, but barely any other app can do it better than Titanium Backup. The free version also does quite a lot of stuff, but in this guide I’ll be explaining how to use the pro-version (v4.8.2), including how to do one-click backup as well as restore, and scheduling backups to run at a pre-defined time automatically.
First, install Titanium Backup Pro
Then, run the app.
(I recommend going through the app settings so that you can tweak it according to your preference)
Now, you can either backup apps (and their data) one-by-one or just backup all of them at once. In order to backup all of them at once, run the app, press menu button > batch > choose option “backup all apps + system data”, and then wait for the backup process to get over.
To restore backups after a data reset, run the app, press menu button > batch > choose option “restore missing app + all system data”.
Note #1: Restore all system data only if you are doing a data wipe. If you have flashed a new ROM altogether, then do not restore system data, only restore missing apps + data, else you will get force closes.
Note #2: Titanium backup automatically store its preferences/settings on your sd-card, and auto restores them after a wipe, so you do not need to bother about it again.
To set-up schedules, run the app, and then go to the “schedules” pane/tab, and then select the ones which were pre-set, or create new ones according to your need.
Titanium Backup has other uses as well (which you can find on your own), but the main important ones have been covered.
Note #3: Use some other app to backup and restore your contacts/call logs/messages...
I use GO Backup or sometimes, MyPhoneExplorer...​
3. Installing Stock Roms
First, download the stock rom of your choice from samfirmware.com
Then download beni.ops and Odin Multidownloader
Remove the sim card and memory card of your phone, and put it in download mode
Next, run Odin, and connect your phone to your windows computer. Odin should respond as detected. Then, select “Ops” as beni.ops. (Doing this would disable all other fields except “One Package”)
After this, select your desired stock rom in “One Package”.
Do not alter any other option other than those mentioned, let them remain as they are.
Make sure that the color of “COM PORT MAPPING” is yellow, and then click “Start”.
Odin will start giving different responses, and the timer in Odin would also start…now all you have to do is wait till Odin completes flashing (You will get a message “Pass”, usually within 10 minutes)
Note: Do not disconnect you phone while the process is on, and till you get that “Pass” message.
After this, it is optional but advised that you reboot into recovery mode and wipe data, otherwise you *may* face bootloops.​
4. Installing Custom Recovery
Q) I already have stock Samsung recovery. Why do I need a different recovery for?
A) The stock Samsung recovery has a very limited functionality, while other recoveries offer various other functions, and support other (better) filesystems also.
Also, to install any custom rom, you will need a custom recovery.
The most popular and commonly used recovery for Galaxy Fit is ClockworkMod Recovery v5 built by tj_style.
This recovery works with all custom roms, but it does not support backing up and restoring (Nandroid Backups) of stock roms (since samsung stock roms are of rfs filesystem).
Hence, you CAN install this recovery on stock roms, but you won’t be able to take (and restore) nandroid backups of stock roms.
However, pratyush.creed has modified this cwm5 to support backups of rfs (i.e. stock roms), you can get this from here
But for this guide, we will stick to the popular, tried and tested, cwm5 by tj_styles​
Your phone needs to be on gingerbread, as this recovery doesn’t work on Froyo.
Note: Even though rooting is not required for installing CWM, it is recommended to do so before, since you can root only from stock recovery, and CWM replaces the stock Samsung recovery.
To install this recovery:
Download the recovery file from the above link.
Also, download beni.ops and Odin Multidownloader
(Beni.ops and Odin are the same files used, so you don’t need to download them again)
Next, run Odin, and connect your phone to your windows computer. Odin should respond as detected. Then, select “Ops” as beni.ops.
Select the recovery file under “One Package”.
Do not alter any other option other than those mentioned, let them remain as they are.
Click “Start”.
Wait till odin completes flashing (might take upto 10 minutes)
Now, after your device has rebooted, restart into recovery mode to confirm that you have successfully installed ClockworkMod Recovery (CWM).

5. Installing Custom Roms
Though Samsung has possibly tried its best to create the best stock roms (compared to other manufacturers), it still has a lot of potential. Custom roms are made to achieve this potential, helping you get more returns from your Fit.​
Q) How to install custom roms?
A) Before proceeding, you will need to have any custom recovery installed, since the stock Samsung recovery cannot be used here. Preferably, use CWM5 by tj_style (the one explained above). Also, remember that your phone’s data (not the one stored on sd-card) will be erased/reset, so be sure to make a backup.
Now, download the custom rom of your choice from the Development Section of our sub-forum.
Optional: Check if the zip file you have downloaded is proper (i.e. not corrupt).
To do this, simply use WinZip (Windows) or other similar program to extract the file on your desktop. If the extraction has completed without any errors, then the file is proper, but if you get any errors while extracting, then the file is corrupt and you will have to re-download it.
Now, copy the file onto your sd-card.
Reboot into recovery mode.
Select “wipe data / reset”.
After this completes, select “wipe cache partition”.
After this, select “advanced”>”wipe dalvik cache”.
Now that you have wiped all data, select “install zip from sd” from the main recovery menu, then “choose zip from sdcard”.
[*] Optional, but recommended: Select “mounts and storage”>”format /system”.
(Important, if you are installing any variation of CyanogenMod 7 (cm7) for the first time, or are moving from a stock based custom rom to a cm based custom rom...else you will be stuck on the "android" text screen)
Now select the custom rom that you had placed on your card, and wait for it to install.
Optional: When the install completes, wipe data, cache and dalvik cache again (steps 5,6,7)
Select “reboot system now”, and be prepared to wait till the phone restarts. (Note: first boot may take upto 10 minutes, so do not panic)
Enjoy your new rom!!!
If you want to get back to your stock rom, you will have to flash the stock rom using Odin.
Also, all custom roms are pre-rooted, so you don’t have to bother with rooting again (though you might have to update superuser and its binaries)​
For your first custom ROM, I would suggest sticking to stock based custom roms...
Some sim cards aren't compatible for CM7 and CM9/10 (cm = short for CyanogenMod)...we don't know the cause and effect relationship between them, as of yet...
So, if your CM doesn't boot into the homescreen, try removing your sim card...
If it then boots up without any additional steps required, then unfortunately, you belong to the group of people who can't use CM7 with their current SIM...
The only workaround available are:
Use phone without SIM (unrealistic, since it wouldn't do the primary functions of a phone then)
Change your SIM card
Use stock based custom rom's, and forgo CM entirely
6. Creating and Deleting Sd-card Partition
Partitioning sd-card is basically virtually “dividing” your sd card into parts, so that you can use each one separately for different purposes.
So, in easy words, you can virtually increase your phone’s internal memory and ram (both of which are unsatisfactorily low in our device)
However, there is a disadvantage to partitioning, mainly a slightly slowed phone. This “slowdown” is caused mostly if you:
Have a low-speed (technical word = “class”) sd card
Have moved dalvik cache to sd partition that you have created
Have attempted to use a swap partition
But a lot of people don’t mind this slowdown a lot, since a partition allows them to have access to more apps.
Also, you will lose hot-swapability, i.e. you won’t be able to remove your card from your phone, will the phone is running.​
Before you proceed, you SHOULD backup all of your data on your card since it will be deleted, as the card will be formatted during the process.​
Q) How to create a sd partition?
A) You will need
• A good micro sd-card, with a class greater than 4
(the class is usually printed on the card itself, it’s the number inside the letter ‘C’)
• A rooted galaxy fit running android 2.3.x (preferably on a stock rom), with ClockworkMod recovery
Steps:
Backup all your data.
Reboot into CWM.
Go under “advanced”>”partition sd card”.
Select the size of your second partition (On my first try, I made a partition of 1024MB but found it too big with a lot of space unused, so I deleted the partition and made a new one of 512MB)
This is your choice, choose one depending on the total size of your card, the no. of apps/games you’ll have etc.
After selecting that, select swap size as 0MB (This one also is your choice, but I’ll explain why to take 0MB, and not anything else)
Now wait till the process is completed, and reboot.
As far as I know, CWM v5 makes a partition of EXT3 format, by default.
Q) Why to select swap size as 0MB?
A) Swap partition is made with the objective of utilizing it as VIRTUAL RAM. Now this may sound as a good thing, but in reality the ram in our fit is way faster than the average class 10 micro sd-card. So, instead of speeding up your system, it will slow down your system horribly after a certain point.
So, in short, you shouldn’t be using a swap partition, hence there is no point in creating one if you are not utilizing it.
You are still free to create a swap partition, but I shall not be providing support for that in this thread.​
Q) What if I want to delete all my partitions and get back my sd card the way it was?
A) There are a few ways to delete your partitions and reset your card, and I’ll explain the easiest one.
Backup the data on your card.
Make sure your card is in the phone’s card slot, and that your phone is booted/running.
Go into Settings>Storage, then select option “Unmount sd card”
When the card is unmounted, you will be able to select the option “Format sd card” (which you previously couldn’t)
Select the option and wait for it to complete.
If you want to delete the ext partition, I recommend doing it after a clean install of a stock rom. Else, make sure to move all your apps from the ext partition to your phone.
7. Setting up and using Link2sd
Now that you have created an ext partition, you need to make use of it (duh).
There are a lot of ways and scripts to transfer apps from your internal memory to the sd ext partition, but the most consistent method I found was Link2sd.
This method works across all roms (rooted stock and custom, both) that I’ve tried, even on all variations of CyanogenMod7 (CM7) as well as on ICS CM9 and JB CM10, and is very easy to setup and use.
However, if a custom rom already has DarkTremor's a2sd (a2sdgui app will be present) or any similar script, then DO NOT configure them.
For example: Creeds v3 has a2sdgui, and if i want to use Link2sd, then after flashing Creeds, I SHOULD NOT run a2sdgui, and directly install (and configure) Link2sd...if you run/configure a2sdgui, then it will clash with the working of Link2sd.
Similarly, if any custom rom has any memory hack already implemented, then you cannot use Link2sd...​
Steps to setup Link2sd:
Download Link2sd from Play Store (it’s a free app).
After it gets installed, run it, and allow root access.
You will get a message to select the format of your sd partition, select “ext3”.
Link2sd will then automatically create mount scripts that it requires to work, and will then tell you to reboot your phone.
Do a proper reboot, and not a ‘hot reboot’.
After rebooting, open up Link2sd, press menu then select “settings”.
Select/check the options “automatically link newly installed applications to sd”, “auto link notification”, “relink lib files at boot” (and “fast scroll”, if you want).
For “install location” option, select “internal”.
Then go to “auto link settings” and select/check all the three options (you can skip/ unselect “link dalvik-cache file” if you wish)
Done
Now, every new app that you will install will automatically be moved to your sd ext partition.​
Link2sd is also an excellent (and fast loading) app manager, with which you can freeze, uninstall, re-install…though you can move only user apps to sd-ext partition.
Also, there is no point in having your entire phone memory empty, so you probably should unlink the dex (dalvik cache) of your apps. I usually link only the apk and lib files, and leave the dex files unlinked and on the phone storage, so as to avoid any sluggishness in operation., though if your phone memory still fills up, you can link the dex of your rarely-used apps, and leave the dex of important and frequently used apps on the phone storage.​
Suppose a custom rom has s2e/app2sd pre-implemented, then after a fresh install, FREEZE the app (rather than uninstall), and then install Link2sd...
Also, if you get error "mount script not created", then choose partition as ext4 (rather than ext3 mentioned below), even though your partition might be ext3...(don't know why this happens with some roms )
If on some ROM, you get “device/resource busy”, then you need to format your SD-EXT partition from CWM (should be under “mounts and storage”)
[DO NOT confuse this with deleting and re-creating a partition]
8. Installing apk’s through root explorer method.
At times, some of your apk files won’t get installed in the normal way, so you can use this approach to install them. This method is coomonly referred to as "root explorer method".
For this, you will need:
•A rooted phone
•Root Explorer or any other file manager.
Since root explorer isn’t a free app, you can use this free File Manager (my personal preference).
If you are unable to uninstall a newer version of any app, then first uninstall the old version, and then use this method.
Steps:
Get the apk file of the app that you want to install.
Now launch Root Explorer
On the top left side, it will be written as “Mount as r/w”, click that, and allow root access. (basically mount system as read and write, if you are using other file managers)
Now place the apk file at either /data/app or /system/app (if you want it as a system file)
Now set appropriate permissions (For /data/app, the default permissions are rwx rwx rwx and for /system/app, the default permissions are rw- r-- r--)
Reboot your phone, and then check your app drawer, you will find your app installed.

12. Bootloops:
If you have flashed any custom rom/recovery/hack/kernel/update.zip, and unfortunately, have got stuck in a bootloop (i.e. you cannot reach the app launcher as the phone keeps rebooting again and again), then before asking for help, do try wiping data, cache, and dalvik cache from recovery mode...
This should stop bootloops (in lots of cases)...​
13. How to reclaim warranty?
Let's just say you need your warranty back for some reason...but have done any of the above stuff (which voids your warranty)...
Then all you got to do is flash any stock rom (preferably, of your region), and you will have your warranty back
(This, ofcourse, assumes that you had warranty, in the first place)​
14. Battery care
A lot of people have said that their battery has swollen. If this is the case, then this could be dangerous for YOUR HEALTH.
If this happens, you SHOULD replace your battery.​
Q) Why would the battery swell up?
A) My phone's battery looks safe enough, so I do not know the perfect cause. But from the users who complained about this, I did notice that most of them just leave their phones plugged in, unattended, for more than 4-5 hours at end (Usually, they just leave it to charge overnight)
So, if you do this on a regular basis, then watch out!​
Q) How do I know if its swollen?
A) To know if its swollen, just see if the battery surface is smooth or not, from all the sides. If there is any swelling, you will notice it.
Also, if you get REALLY POOR battery life, (only 3-4 on single full charge, with light usage), then this could be an indication that you have battery problems. [Just to confirm, ask other fellow users how much usage they get on that rom and baseband, since this could happen due to ROM and kernel also.]​
Q) What do I do if it's swollen?
A) There is no other option but to replace the battery with a new one. I STRONGLY ADVICE to buy them from your local Samsung Service Center. Avoid online sellers, or other 3rd party batteries, as they may not be proper.​
Q) Any precautions that can be taken?
A) Yup, DO NOT LEAVE YOUR PHONE TO CHARGE FOR LONG PERIODS, ALL THE TIME.
That's what has been deduced from the people who have complained.
Take Care!!​

9. Nandroid Backups
Q) What are Nandroid Backups?
A) Nandroid Backups are like an exact copy image of your phone’s state, saved on your sd card. It stores all your apps, data, settings, sd-ext etc. of the phone (obviously, the state when you took the backup). Nandroid Backups are a very convenient way to restore your data after something has gone wrong (or want to change between roms), and their size can be anywhere starting from 150mb+.
If you want to test some stuff from the development section (like different mods/hacks/scripts), it is advisable to make a Nandroid Backup before you proceed...​
Q) How to make Nandroid Backups?
A) Perquisites to make a nandroid backup:
•ClockworkMod Recovery (any version) on your galaxy fit.
•Plenty of free space on your sd card (this depends on how many apps you have, my backups usually average around 450-500 MB)
Steps:
Do a clean reboot into ClockworkMod Recovery (i.e. shutdown properly, then reboot into recovery mode)
Go to “backup and restore”>”backup”
Wait for the process to get completed, and you are done!
The backup that you just made has been saved to your sd-card, in a folder named clockworkmod (complete location is /mnt/sdcard/clockworkmod/backup).
Restoring:
Now, suppose, while flashing any rom, you are stuck in a never-ending bootloop, and you have wiped everything (i.e. data, cache, dalvik cache), and just want to get back the way it was, then just follow these steps to restore:
Boot into CWM
Wipe data, cache, and dalvik cache (optional, but recommended).
Go to “backup and restore”>”restore”, and then select your backup.
Wait for it to complete (time taken depends on the size of your backup, which in turn depends on the number of apps that you had installed), and reboot
You will find that you are now back to last state before you did that backup, with all your apps, settings etc. the way it was left.
If you keep more than one nandroid backup, you may find it confusing to remember which one is what…
So you can rename them in the following way:
Suppose the default name of my backup of a cm7 rom is 2012-03-29.14.04.59 , then I can rename it as cm72012-03-29.14.04.59
In this way, if you ever get a md5 mismatch error while restoring, then you can simply edit it back to the way it was.
However, if you still get an md5 mismatch error, then you can use this method suggested by fellow xda member, arhant. Though if the backup wasn’t created by you (i.e. you took it from someone else), then exercise caution while doing this.​
10. Overclocking
Q) What is overclocking?
A) Overclocking refers to running your processor above the “safe” limit set by Samsung (or the manufacturer, in general). This limit is usually set so that the battery life is extended, less overheating problems occur as well as minimum possible damage is done to the processor in the long run.​
Why to overclock:
Helps make Fit more “usable”, i.e. makes launcher smooth, games a little less laggy etc.
Why not to overclock (Most of this happens only if you don’t overclock properly):
Poor battery life
Abnormal heating of the phone
Increased instability
Q) How to overclock (oc) Galaxy Fit?
A) In order to overclock Galaxy Fit, you need to have a custom kernel, as the stock kernel doesn’t support overclocking, as well as root access.
Note: Stock roms can be overclocked! They just need another kernel, the in-built kernel cannot be overclocked.
• If you want to overclock on stock (at your own risk), you can flash any kernel from this via cwm (so, obviously you need cwm, stock recovery won’t do).
• Most custom roms have oc kernel in-built, so you usually don’t need to flash anything extra.
After you have a custom overclock-able kernel, you just need to install either No-frills CPU Control or SetCPU for Root Users (No-frills is free ) or any other such app, run them, and select the desired max frequency, governor, and i/o scheduler. (Don’t set the max frequency above 800+ mhz, unless you know what you are doing)
You have to use trial-and-error to find out the combination of governor, i/o scheduler, and max frequency, which suits your need…and you will get different results on different kernels, roms and basebands, so keep experimenting.​
11. Bricked phone
Q) What do you mean by a "bricked" phone??
A) A "bricked" phone is a phone which cannot start normally, AND cannot be rebooted into both, the recovery mode as well as the download mode...thus, effectively, it becomes just a paperweight, i.e. a brick
It is more of a "state" your phone can go into, if you do things wrong...​
If your phone can enter recovery mode OR download mode, then it is not bricked!
You can try and fix it yourself!​
If your phone can enter recovery mode, (and assuming you have a custom recovery installed), then you simply have to flash any custom rom to get your phone back in working condition.
If your phone can enter download mode, then you can install any stock rom (via odin), to get back your phone in working condition.
Note: These solutions are general in nature, i.e. they will work for the majority of cases, but may not work for some.​
HOWEVER, IF YOUR PHONE IS BRICKED,
Then there is nothing much that we can do...only the samsng service center will be able to repair it (they replace the motherboard).​

15. Android Debugging Bridge (ADB)
To put it simply, adb is two different applications - one running on your computer (Windows, Linux or Mac) and one running on your phone (which you don’t have to bother about). When your phone is connected, and USB debugging is enabled, you can issue commands and communicate with the phone using your computer screen and keyboard.
Your Android phone uses a modified Linux kernel and tools as a base. This means that quite a few Linux commands can be sent via the adb server (the one running on your computer) to the adb client (the one running on your phone) and they will be executed. – Android Central​Q) How do I setup ADB on my Windows PC?
A) With the help of my friend wilfredcool007, I have made a really simple method to use adb and also provided some tools for hassle-free logcats. This method is portable in nature (you do not have to install any untrusted application), does not need large downloads, neither the full Android SDK installation. You will just have to download a small compressed file, which is all that you require.
Thank You Wilfred!
Make sure you have the device drivers installed beforehand. If you have been following this guide since the beginning, you will have it on your computer. If not, just simply refer the beginning of this thread.
Steps:
Download this file: ADB & Logcat Tools.zip
Extract the .zip file to any suitable location, wherever you wish. I extracted it on to C:\Android Debugging Bridge just so that it’s easy to remember where it is.
Now, once you’ve extracted the zip, you will find 7 files in it [of which the 3 files named as “Logcat xxxxxx”, and “dmesg”, will be used in the later part of this guide for making logcats].
To launch ADB, just hold the “Shift” key and right click on a blank area in the folder, and in the drop down menu which follows, select the option “Open Command Window Here”.
And you’re done! Now you can use any of the adb commands that you wish! It really is this simple!
Some common ADB commands are:
Code:
adb devices – list all connected devices
adb push <local> <remote> – copy file/dir to device
adb pull <remote> [<local>] – copy file/dir from device
adb sync [ <directory> ] – copy host->device only if changed
adb shell – run remote shell interactively
adb shell <command> – run remote shell command
adb emu <command> – run emulator console command
adb logcat [ <filter-spec> ] – View device log
adb forward <local> <remote> – forward socket connections forward specs are one of: tcp:<port>
localabstract:<unix domain socket name>
localreserved:<unix domain socket name>
localfilesystem:<unix domain socket name>
dev:<character device name>
jdwp:<process pid> (remote only)
adb jdwp – list PIDs of processes hosting a JDWP transport
adb install [-l] [-r] [-s] <file> – push this package file to the device and install it
adb uninstall [-k] <package> – remove this app package from the device (‘-k’ means keep the data and cache directories)
adb bugreport – return all information from the device that should be included in a bug report.
adb help – show this help message
adb version – show version num
adb wait-for-device – block until device is online
adb start-server – ensure that there is a server running
adb kill-server – kill the server if it is running
adb get-state – prints: offline | bootloader | device
adb get-serialno – prints: <serial-number>
adb status-window – continuously print device status for a specified device
adb remount – remounts the /system partition on the device read-write
adb reboot [bootloader|recovery] – reboots the device, optionally into the bootloader or recovery program
adb reboot-bootloader – reboots the device into the bootloader
adb root – restarts the adbd daemon with root permissions
adb usb – restarts the adbd daemon listening on USB
More information regarding some common ones will come soon.
You can also refer Google’s Official Page too.​

16. Logcats
A lot of time, you'll see developers asking for logcat. Viewing a logcat is usually the best, and in some cases, the only way to diagnose a problem.
You can do it two ways:
Within the device, through apps like aLogcat or Catlog or any other application that is capable of logging (This is self explanatory, all you got to do is download and run the app, and the app will do the work. Do check out the options to tweak out the settings and other stuff. I shall not be providing help for these in this thread.)
With ADB (explained further)
Thanks to the zip provided in the previous step, it’s really easy to do so via adb.
Steps:
If you haven’t downloaded it already, do download the ADB & Logcat Tools.zip (it’s the same file mentioned above) and extract it to a suitable location.
You have two options now.
You can either run adb as explained above and use the command
Code:
adb logcat >logcat.txt
There will be no further activity on the screen, but the logging will start. Recreate the problem that you wanted, and when you need to stop the logcat, just press “Ctrl” + “C” [Hold Ctrl and press C], and then press “Y” and “Enter” key to stop logging.
You will notice that a file named logcat.txt has appeared, and when you open the file in Notepad, you shall see its contents.
Example:
Code:
--------- beginning of /dev/log/system
I/ActivityManager( 1019): Starting: Intent { flg=0x14000000 cmp=com.whatsapp/.Conversation (has extras) } from pid 18867
D/VoldCmdListener( 891): volume shared /mnt/sdcard ums W/ActivityManager( 1019): Activity pause timeout for HistoryRecord{405690f0 com.whatsapp/.Conversation}
D/VoldCmdListener( 891): volume shared /mnt/sdcard ums
I/ActivityManager( 1019): Starting: Intent { flg=0x14000000 cmp=com.whatsapp/.Conversation (has extras) } from pid 18867
W/InputManagerService( 1019): Starting input on non-focused client [email protected] (uid=10080 pid=18867)
D/VoldCmdListener( 891): volume shared /mnt/sdcard ums
D/VoldCmdListener( 891): volume shared /mnt/sdcard ums
D/MusicControls( 1279): Updating Music Controls Visibility
D/MusicControls( 1279): Music is not active
W/InputManagerService( 1019): Window already focused, ignoring focus gain of: [email protected]
D/MusicControls( 1279): Updating Music Controls Visibility
D/MusicControls( 1279): Music is not active
W/InputManagerService( 1019): Window already focused, ignoring focus gain of: [email protected]
D/StatusBarService( 1279): DISABLE_CLOCK: yes
D/StatusBarService( 1279): DISABLE_NAVIGATION: yes
W/ProcessStats( 1019): Skipping unknown process pid 26719
I/ActivityManager( 1019): Start proc mobi.mgeek.TunnyBrowser:DolphinNotification for service mobi.mgeek.TunnyBrowser/com.dolphin.browser.message.C2DMService: pid=26767 uid=10119 gids={3003, 1015, 1007}
I/ActivityManager( 1019): Process com.google.android.talk (pid 18915) has died.
I/ActivityManager( 1019): Process mobi.mgeek.TunnyBrowser:DolphinNotification (pid 26767) has died.
W/ProcessStats( 1019): Skipping unknown process pid 27439
I/TelephonyRegistry( 1019): notifyDataConnection: state=0 isDataConnectivityPossible=false reason=null interfaceName=null networkType=2
I/TelephonyRegistry( 1019): notifyDataConnection: state=1 isDataConnectivityPossible=true reason=null interfaceName=null networkType=2
I/ActivityManager( 1019): Start proc com.google.android.apps.uploader for broadcast com.google.android.apps.uploader/.ConnectivityBroadcastReceiver: pid=27556 uid=10005 gids={3003}
Logcats get longer the longer they run. So it is advisable that you run the logcat and immediately proceed to recreate the problem.
Also, paste the resulting logcat on sites like Pastebin and share the link to the dev!​
Now, you must be wondering what the rest of the files in the Zip were for…
Well, those files are pre-configured commands for logcats to run. All that has to be done is double click the .bat files, and logging shall start. To stop logging, as stated above, press CTRL+C, then Y and ENTER.
Remember: Do delete/rename/move the output logcat file before creating a new logcat with the following files.
Files:
Logcat 1 (Long and Detailed).bat : Normal Logcat command. Same result as the example given above.
Logcat 2 (Short and Errors only).bat : Shorter Logcat command. Omits out Verbose, Debug and Info. Displays/Filters only Warning, Error And Fatal. Useful when logcat duration is very long, as this displays only the error and fault messages. Example:
Code:
--------- beginning of /dev/log/system
11-13 12:13:40.099 1019 1019 W InputManagerService: Window already focused, ignoring focus gain of: [email protected]
11-13 12:20:34.359 1019 1360 W InputManagerService: Window already focused, ignoring focus gain of: [email protected]
11-13 12:22:31.069 1019 1045 W ActivityManager: Activity pause timeout for HistoryRecord{4085daf8 com.quoord.tapatalkxdapre.activity/.forum.ForumNavigationActivity}
11-13 12:23:42.009 1019 1402 W InputManagerService: Window already focused, ignoring focus gain of: [email protected]
11-13 12:28:36.779 1019 28921 W InputManagerService: Window already focused, ignoring focus gain of: [email protected]
11-13 12:31:20.980 1019 1402 W InputManagerService: Window already focused, ignoring focus gain of: [email protected]
11-13 12:58:05.899 1019 1057 W ProcessStats: Skipping unknown process pid 29887
11-13 13:06:11.630 1019 1045 W ActivityManager: Activity pause timeout for HistoryRecord{405d5100 com.android.phone/.InCallScreen}
11-13 13:06:14.400 1019 26640 W WindowManager: Layout repeat skipped after too many iterations
11-13 13:06:14.400 1019 26640 W WindowManager: Layout repeat skipped after too many iterations
11-13 13:06:14.400 1019 26640 W WindowManager: Layout repeat skipped after too many iterations
11-13 13:06:14.400 1019 26640 W WindowManager: Animation repeat aborted after too many iterations
11-13 13:06:14.420 1019 1211 W WindowManager: Layout repeat skipped after too many iterations
11-13 13:06:14.750 1019 1211 W WindowManager: Animation repeat aborted after too many iterations
11-13 13:06:21.069 1019 1045 W ActivityManager: Activity idle timeout for HistoryRecord{405d5100 com.android.phone/.InCallScreen}
11-13 13:17:41.240 1019 28924 W InputManagerService: Window already focused, ignoring focus gain of: [email protected]
11-13 14:02:27.259 1019 1328 W InputManagerService: Window already focused, ignoring focus gain of: [email protected]
11-13 14:06:00.389 1019 1330 W ActivityManager: Scheduling restart of crashed service com.whatsapp/.messaging.MessageService in 5000ms
11-13 14:06:03.459 1019 28922 W InputManagerService: Window already focused, ignoring focus gain of: [email protected]
11-13 14:09:21.689 1019 21101 W InputManagerService: Window already focused, ignoring focus gain of: [email protected]
11-13 14:09:23.329 1019 1330 W ActivityManager: Scheduling restart of crashed service com.jim2/.UpdateService in 5000ms
11-13 14:09:35.339 1019 1045 W ActivityManager: Launch timeout has expired, giving up wake lock!
11-13 14:09:35.399 1019 1057 W ActivityManager: Process ProcessRecord{406b4718 32036:com.imgurforandroid/10108} failed to attach
11-13 14:09:41.639 1019 1045 W ActivityManager: Activity pause timeout for HistoryRecord{4050c488 com.imgurforandroid/.activity.LaunchUploadUi}
11-13 14:09:41.679 1019 1034 W InputManagerService: Window already focused, ignoring focus gain of: [email protected]
11-13 14:10:23.679 1019 1033 W InputManagerService: Window already focused, ignoring focus gain of: [email protected]
11-13 14:11:00.629 1019 28924 W ActivityManager: startActivity called from non-Activity context; forcing Intent.FLAG_ACTIVITY_NEW_TASK for: Intent { cmp=com.imgurforandroid/.activity.ImageDetails bnds=[0,138][240,189] (has extras) }
11-13 14:11:25.639 1019 1033 W InputManagerService: Window already focused, ignoring focus gain of: [email protected]
11-13 14:11:58.979 1019 1045 W ActivityManager: Activity pause timeout for HistoryRecord{408690f0 com.quoord.tapatalkxdapre.activity/.forum.ForumNavigationActivity}
11-13 14:12:26.129 1019 1360 W InputManagerService: Window already focused, ignoring focus gain of: [email protected]
11-13 14:13:20.449 1019 1402 W InputManagerService: Window already focused, ignoring focus gain of: [email protected]
11-13 14:13:53.159 1019 28922 W ActivityManager: Duplicate finish request for HistoryRecord{407186d8 com.quoord.tapatalkxdapre.activity/.forum.ForumNavigationActivity}
11-13 14:36:20.180 1019 1034 W InputManagerService: Window already focused, ignoring focus gain of: com.andr[email protected]
11-13 14:36:23.110 1019 1034 W ActivityManager: Scheduling restart of crashed service com.imgurforandroid/.ImgurUploadService in 5000ms
11-13 14:36:53.479 1019 26640 W InputManagerService: Starting input on non-focused client [email protected] (uid=1001 pid=1304)
11-13 14:36:56.649 1019 1033 W BackupManagerService: dataChanged but no participant pkg='com.android.providers.settings' uid=10092
11-13 14:36:56.799 1019 1328 W BackupManagerService: dataChanged but no participant pkg='com.android.providers.settings' uid=10092
11-13 14:37:58.840 1019 1330 W InputManagerService: Window already focused, ignoring focus gain of: [email protected]
11-13 14:43:51.779 484 509 E ActivityThread: Failed to find provider info for com.opera.branding.BrandingProvider
11-13 14:43:51.779 484 509 E ActivityThread: Failed to find provider info for com.opera.branding.BrandingProvider
11-13 14:43:51.789 484 510 E ActivityThread: Failed to find provider info for com.opera.branding.BrandingProvider
Logcat 3 (Radio related only).bat : Displays only messages related to radio (telephony). Useful whenever your developer asks for a Radio logcat. Example:
Code:
D/RILJ ( 1304): [1876]> QUERY_NETWORK_SELECTION_MODE
D/RILJ ( 1304): Serial: 1875
D/RILJ ( 1304): Error: 0
D/RILJ ( 1304): [1875]< REGISTRATION_STATE {1, 1777, 0000d72a}
D/RILJ ( 1304): Serial: 1876
D/RILJ ( 1304): Error: 0
D/RILJ ( 1304): [1876]< QUERY_NETWORK_SELECTION_MODE {0}
D/GSM ( 1304): Poll ServiceState done: oldSS=[0 home TATA DOCOMO TATA DOCOMO 405039 EDGE CSS not supported -1 -1RoamInd: -1DefRoamInd: -1EmergOnly: false] newSS=[0 home TATA DOCOMO TATA DOCOMO 405039 EDGE CSS not supported -1 -1RoamInd: -1DefRoamInd: -1EmergOnly: false] oldGprs=0 newGprs=0 oldType=EDGE newType=EDGE
D/GSM ( 1304): [DataConnection] Stop poll NetStat
D/GSM ( 1304): [DataConnection] Start poll NetStat
D/RILJ ( 1304): [1877]> SCREEN_STATE: false
D/RILJ ( 1304): Serial: 1877
D/RILJ ( 1304): Error: 0
D/RILJ ( 1304): [1877]< SCREEN_STATE
D/GSM ( 1304): [DataConnection] Stop poll NetStat
D/GSM ( 1304): [DataConnection] Start poll NetStat
D/RILJ ( 1304): [1878]> SCREEN_STATE: true
D/RILJ ( 1304): [UNSL]< UNSOL_RESPONSE_NETWORK_STATE_CHANGED
D/RILJ ( 1304): Serial: 1878
D/RILJ ( 1304): Error: 0
D/RILJ ( 1304): [1878]< SCREEN_STATE
D/RILJ ( 1304): [1879]> OPERATOR
D/RILJ ( 1304): [1880]> GPRS_REGISTRATION_STATE
D/RILJ ( 1304): [1881]> REGISTRATION_STATE
D/RILJ ( 1304): Serial: 1879
D/RILJ ( 1304): Error: 0
D/RILJ ( 1304): [1879]< OPERATOR {TATA DOCOMO, TATA DOCOMO, 405039}
D/RILJ ( 1304): [1882]> QUERY_NETWORK_SELECTION_MODE
Dmesg.bat : Prints messages from the kernel, useful as tool for debugging drivers and other kernel code. Use this whenever the developer asks to get a dmesg output. Example:
Code:
# c027ce40 : [HSIL] mdp_suspend_sub(1387) will cancel_delayed_work
<4>[34607.196686] [HSIL] mdp_suspend_sub(1391) will flush_workqueue
<4>[34607.196731] [HSIL] mdp_suspend_sub(1395) will atomic_read
<4>[34607.196773] [HSIL] mdp_suspend_sub(1400) will mdp_pipe_ctrl
<4>[34607.196816] [HSIL] mdp_suspend_sub(1402) after mdp_pipe_ctrl
<6>[34607.196854] # c03d7894 :
<6>[34607.196883] # c03d7894 :
<6>[34607.196909] # c03cb4a0 :
<6>[34607.196939] early_suspend: after calling suspend handlers
<6>[34607.205456] early_suspend: after calling sync_work_queue
<6>[34607.205508] early_suspend: abort label / before spin lock
<6>[34607.205564] early_suspend: unlocked main_wake_lock
<6>[34607.205599] early_suspend: end
<4>[34607.205636] [BACLKIGHT] : 17
<4>[34607.205668] Platform V:17, Find V:1
<4>[34607.205714] LCD Backlight re-init - wakeup time tune:1, lcd:32
<4>[34607.205926] [BACLKIGHT] : 15
<4>[34607.205956] Platform V:15, Find V:1
There you have it! Life made simpler, just double click and you are done!​
Q) What’s the difference between Logcat and Dmesg?
A) Read this for info.​

Hope this guide helped you.
I appreciate feedback and constructive criticism, but please, no “haters”/”trolls”.
Whatever questions/doubts you have regarding this guide, then please post it here itself…I don’t guarantee replying tech support questions via pm .
Do consider clicking on the “thanks” button rather than just posting thanks, and also joining us on our Facebook Group

a.cid said:
...
• If you want to overclock on stock (at your own risk), you can flash any kernel from this via cwm (so, obviously you need cwm, stock recovery won’t do)....
Click to expand...
Click to collapse
Pratyush mentioned in:
http://forum.xda-developers.com/showpost.php?p=24719114&postcount=1387
a cwm for rfs / see download-link, therefore exists in theory the possibility to oc stock-roms.

zcop said:
the first troll here hehe
What is s5670? Can i eat it?
Ok good work for newbie - who messup forum
Click to expand...
Click to collapse
Idk what s is, but 5670 are part of the number series...
You know 1 2 3 4 5 6 7 0
martin_s5670 said:
Pratyush mentioned in:
http://forum.xda-developers.com/showpost.php?p=24719114&postcount=1387
a cwm for rfs / see download-link, therefore exists in theory the possibility to oc stock-roms.
Click to expand...
Click to collapse
Ohhh sorry I totally forgot about that...will update the thread tomorrow from comp...
But I haven't tried it personally :/
And other recoveries (like the touch ones) give errors while flashing a few stuff...
Sent from my g-fit using xda premium

martin_s5670 said:
Pratyush mentioned in:
http://forum.xda-developers.com/showpost.php?p=24719114&postcount=1387
a cwm for rfs / see download-link, therefore exists in theory the possibility to oc stock-roms.
Click to expand...
Click to collapse
Ohhh wait, stock rom can be oc'ed, if you install another custom kernel...
That rfs support is for backups and restore...
The post will be clearer after I'll update it...
Sent from my g-fit using xda premium

Aspire said:
Nice, but the links aren't working.
Click to expand...
Click to collapse
Which ones??
Edit: oh okay, will fix them
Thank you
Sent from my g-fit using xda premium

Aspire said:
Nice, but the links aren't working.
Click to expand...
Click to collapse
Deleting
xn--http-fb7a//
in adress helps!

martin_s5670 said:
Deleting
xn--http-fb7a//
in adress helps!
Click to expand...
Click to collapse
Links updated...
i had typed in this in ms word, and it has messed around with the foramtting...
anyways, if you still find something wrong, do inform me
edit: added pratyush's recovery, as well as updated post to clarify...

a.cid said:
...
edit: added pratyush's recovery, ...
Click to expand...
Click to collapse
Pardon, its not pratyush's recovery, ..its of tj's !, see:
http://forum.xda-developers.com/showpost.php?p=24749890&postcount=1392

martin_s5670 said:
Pardon, its not pratyush's recovery, ..its of tj's !, see:
http://forum.xda-developers.com/showpost.php?p=24749890&postcount=1392
Click to expand...
Click to collapse
I know
The most popular and commonly used recovery for Galaxy Fit is ClockworkMod Recovery v5 built by tj_style.
This recovery works with all custom roms, but it does not support backing up and restoring (Nandroid Backups) of stock roms (since samsung stock roms are of rfs filesystem).
Hence, you CAN install this recovery on stock roms, but you wont be able to take (and restore) nandroid backups of stock roms.
However, pratyush.creed has modified this cwm5 to support backups of rfs (i.e. stock roms), you can get this from here
But for this guide, we will stick to the popular, tried and tested, cwm5 by tj_styles
Click to expand...
Click to collapse

a.cid said:
I know
...
However, pratyush.creed has modified this cwm5 to support backups of rfs
...
Click to expand...
Click to collapse
I said, not prat has modified, its tj's.

first of all I really thank you for this wonderful guide...
btw,the main reason to write this post -
what difference does it make if i select EXT4 instead of EXT3 while partitioning SD card
thnx

yzak58 said:
first of all I really thank you for this wonderful guide...
btw,the main reason to write this post -
what difference does it make if i select EXT4 instead of EXT3 while partitioning SD card
thnx
Click to expand...
Click to collapse
The cwm mentioned in my post doesn't give you the option to select ext3 or ext4
It, by default, partitions it to ext3...
Typed on a small touchscreen

Hey friend.. i m unable to root my mobile...
I have installed "GINGERBREAD.DXKT7 2.3.6"
So please say how can i root this stock rom...

akash6448 said:
Hey friend.. i m unable to root my mobile...
I have installed "GINGERBREAD.DXKT7 2.3.6"
So please say how can i root this stock rom...
Click to expand...
Click to collapse
Can you list the steps you did?
Also check if you have downloaded the update.zip correctly (simply try and extract it on your comp)...
Typed using a small touchscreen

[Q] Google Play updates, and all downloads type won't finish even after Factory Reset

Hello everyone,
I'm facing a quite strange and annoying issue on a TF700T.
No matter which ROM I'm running with, Google Play tells me updates need to be done, which is normal. When I start the updates, the downloads pause at 4% for most of them, and will never end, even after 4 days of activity.
A tablet on which you cannot download content to, or install apps is not very usefull.
The problem is the same with other download types (if I browse on the navigator, to download a ROM.zip, download starts and stops at 4%)
A friend gave me this tablet with Cromi-X insttaled on it. I first thought it was a ROM issue, so I flashed CM11 stable version, just to see.
Problem is the same.
I tried with different google accounts, I cleared Google Play cache services.
No effect.
I also flashed the ASUS original firmware using the SD card mthod, and problem is still there.
I'm short on ideas now, I've looked in XDA forum, but never found a thread with similar issues.
Tablet is currently running Android 4.1.1 WW10.4.4.25-20121228 A03 and unlocked
Thank you very much for your help or advices,
Nicolas

Hi again,
I have made progress on this strange issue.
I finally managed to get google play and downloads to work, but I have to use a vpn client so it can work.
I tried VPN Hideninja.
And, I have the issue no matter which rom/ android version I use.
So, it's a workaround, but at least it allows the tablet to be "usable".
Does someone has any ideas where the problem could come from? (bad kernel version?...)
Or, maybe someone knows a tool to check Android configuration issue, network configuration (I've searched but didnn't find something yet, but I keep trying )
Thank you for your help
Nicolas

Hi,
I installed cromi-X on the tablet and combi-kk as rom2Sd. Bith rom start, but I still have the issues with the playstore.
Does anyone know a tool to perform a hardware check?
If I want to completely clean the tablet, what would you advise ? Right now I'm trying to figure out if the problem is hardware or software.
Thank you for your help
Nicolas

nvuillem said:
Hi,
I installed cromi-X on the tablet and combi-kk as rom2Sd. Bith rom start, but I still have the issues with the playstore.
Does anyone know a tool to perform a hardware check?
If I want to completely clean the tablet, what would you advise ? Right now I'm trying to figure out if the problem is hardware or software.
Thank you for your help
Nicolas
Click to expand...
Click to collapse
Search how to do a logcat over adb and post the resulting text file. Do it after you attempted to download something.

sbdags said:
Search how to do a logcat over adb and post the resulting text file. Do it after you attempted to download something.
Click to expand...
Click to collapse
Hi Sdbags, first of all thank you for your interest.
I've made 3 logcatfiles:
#1 on the rom2sd crombi-kk before downloading. logcatkkStartUp.txt
#2 after stopping downloading as it was frozen. logcatkkDLFails.txt
#3 same as #2 but running on cromi-X on the internal memory of the pad logcatX.txt
I believe this is not looking good:
W/NetworkManagementSocketTagger( 1280): untagSocket(94) failed with errno -22
I/qtaguid ( 1280): Failed write_ctrl(u 56) res=-1 errno=22
I/qtaguid ( 1280): Untagging socket 56 failed errno=-22
Thanks again for your help,
Thank you
Nicolas

nvuillem said:
Hi Sdbags, first of all thank you for your interest.
I've made 3 logcatfiles:
#1 on the rom2sd crombi-kk before downloading. logcatkkStartUp.txt
#2 after stopping downloading as it was frozen. logcatkkDLFails.txt
#3 same as #2 but running on cromi-X on the internal memory of the pad logcatX.txt
I believe this is not looking good:
W/NetworkManagementSocketTagger( 1280): untagSocket(94) failed with errno -22
I/qtaguid ( 1280): Failed write_ctrl(u 56) res=-1 errno=22
I/qtaguid ( 1280): Untagging socket 56 failed errno=-22
Thanks again for your help,
Thank you
Nicolas
Click to expand...
Click to collapse
Well there are some hints in there. As this happens on every rom I'm going to stick my neck out and say it's nothing to do with the ROM you in stall
The below appears to be trying to update Google Street View.
Code:
I/GoogleHttpClient( 832): Falling back to old http client 0 java.lang.NoSuchMethodException: <init> [class android.content.Context, class java.lang.String, boolean]
D/SurfaceControl( 622): Excessive delay in blankDisplay() while turning screen off: 107ms
W/ActivityThread( 832): ClassLoader.loadClass: The class loader returned by Thread.getContextClassLoader() may fail for processes that host multiple applications. You should explicitly specify a context class loader. For example: Thread.setContextClassLoader(getClass().getClassLoader());
I/auditd ( 9847): Starting up
E/auditd ( 9847): Failed on audit_set_pid with error: Protocol not supported
I/auditd ( 9847): Exiting
I/auditd ( 9850): Starting up
E/auditd ( 9850): Failed on audit_set_pid with error: Protocol not supported
I/auditd ( 9850): Exiting
I/auditd ( 9853): Starting up
E/auditd ( 9853): Failed on audit_set_pid with error: Protocol not supported
I/auditd ( 9853): Exiting
I/auditd ( 9858): Starting up
E/auditd ( 9858): Failed on audit_set_pid with error: Protocol not supported
I/auditd ( 9858): Exiting
I/auditd ( 9863): Starting up
E/auditd ( 9863): Failed on audit_set_pid with error: Protocol not supported
I/auditd ( 9863): Exiting
D/Finsky ( 2075): [1] DownloadQueueImpl.notifyProgress: com.google.android.street: onProgress 185420/264451 Status: 192.
D/MarketUpdateReceiver( 9689): market is downloading (0%): com.google.android.street
I/DownloadManager( 1842): Download 22 starting
D/MarketUpdateReceiver( 9689): market is downloading (0%): com.google.android.street
I/auditd ( 9871): Starting up
E/auditd ( 9871): Failed on audit_set_pid with error: Protocol not supported
I/auditd ( 9871): Exiting
I/auditd ( 9876): Starting up
E/auditd ( 9876): Failed on audit_set_pid with error: Protocol not supported
I/auditd ( 9876): Exiting
I/auditd ( 9879): Starting up
E/auditd ( 9879): Failed on audit_set_pid with error: Protocol not supported
I/auditd ( 9879): Exiting
I/auditd ( 9882): Starting up
E/auditd ( 9882): Failed on audit_set_pid with error: Protocol not supported
I/auditd ( 9882): Exiting
D/MarketUpdateReceiver( 9689): market is downloading (0%): com.google.android.street
W/DownloadManager( 1842): Aborting request for download 22: Failed reading response: java.net.SocketTimeoutException
I/DownloadManager( 1842): Download 22 finished with status WAITING_TO_RETRY
auditd is the Selinux logging facility... Protocol not supported means Linux kernel is missing the SELinux protocol...
So possibly you are on an older bootloader that doesn't support the right kernel ....
What bootloader and version of TWRP are you on exactly?
AH WE HAVE A WINNER
Tablet is currently running Android 4.1.1 WW10.4.4.25-20121228 A03 and unlocked
You need to update your bootloader and TWRP. Flash my update package from the CROM-X first post and then follow the instructions to move to a later TWRP if you want to try a CM11 base

Hi Sdbags,
upon startup, bootloader version shows "WW_epad-10.6.1.14.4-20130329" A03, and TWRP is v2.6.3-that3.
I can atach pictures if you want.
Ciould it be that a part of the tablet has the right bootloader version, and another part d not have that correct version?
Thank you for your help
Nicolas

nvuillem said:
Hi Sdbags,
upon startup, bootloader version shows "WW_epad-10.6.1.14.4-20130329" A03, and TWRP is v2.6.3-that3.
I can atach pictures if you want.
Ciould it be that a part of the tablet has the right bootloader version, and another part d not have that correct version?
Thank you for your help
Nicolas
Click to expand...
Click to collapse
Do me a favour and flash my package and then upgrade to TWRP 2.6.3-that3. There is flashable version of that in my CROMBi-kk thread. Then we know you are on the latest bootloader and recovery.
Also you seem to be using bluetooth at the same time. That doesn't work well on these devices. Turn off bluetooth as well and let's get the wifi working.

51189868998
sbdags said:
Do me a favour and flash my package and then upgrade to TWRP 2.6.3-that3. There is flashable version of that in my CROMBi-kk thread. Then we know you are on the latest bootloader and recovery.
Also you seem to be using bluetooth at the same time. That doesn't work well on these devices. Turn off bluetooth as well and let's get the wifi working.
Click to expand...
Click to collapse
Hi,
So I went to recovery, wiped everything except external SD. transfered using adb :
cm-4.4-20140309-CROMBikk4.4.2-tf700t_Signed.zip
install it, restart to crombikk (normal installation, not in rom2SD)
restarted to Android, and made a logcat.
Rebooted to recovery and flashed twrp-2.6.3-that3_Signed 1.zip
Rebooted to android and made a logcat
Finally, rebooted to recovery, installed crombi_kkgapps_20140312_Signed.zip and reboot to Android system, connected a google account and tried to download an app from Google. Bluetooth is off (I never switched it on in my previous logcats.)
I then started the playstore application, and Android Terminal Emulator installed correctly.
I then wanted to install a Google product, Chrome Browser in the logcat attached. Download starts and freezes at 9% for 2 minutes then increases to 24% and freezes again. The download is still pending.
I'll post the logcat of the tablet when download stops by itself or it completes. (let's hope it does but it is hanging for 10 minutes now)

Try clearing data and cache on the Play Store and Google Play Services and reboot.

nvuillem said:
Hi,
So I went to recovery, wiped everything except external SD. transfered using adb :
cm-4.4-20140309-CROMBikk4.4.2-tf700t_Signed.zip
install it, restart to crombikk (normal installation, not in rom2SD)
restarted to Android, and made a logcat.
Rebooted to recovery and flashed twrp-2.6.3-that3_Signed 1.zip
Rebooted to android and made a logcat
Finally, rebooted to recovery, installed crombi_kkgapps_20140312_Signed.zip and reboot to Android system, connected a google account and tried to download an app from Google. Bluetooth is off (I never switched it on in my previous logcats.)
I then started the playstore application, and Android Terminal Emulator installed correctly.
I then wanted to install a Google product, Chrome Browser in the logcat attached. Download starts and freezes at 9% for 2 minutes then increases to 24% and freezes again. The download is still pending.
I'll post the logcat of the tablet when download stops by itself or it completes. (let's hope it does but it is hanging for 10 minutes now)
Click to expand...
Click to collapse
Are you sure it's not your router?

sbdags said:
Are you sure it's not your router?
Click to expand...
Click to collapse
Hi,
I tried to download from 3 different locations, with 3 different ISP and modems, and the problem is the same.
I also tried to Clear cache and data of Google services and PlayStore. I still have the problem.
Yesterday, when I flashed everything to reinstall the Rom and the recovery on proper basis, I noticed that some directories are not wiped.
Maybe some files are missing?
Is there any way to restore those directory? (maybe doing a wipe data from the bootloader, but I read at many places that it is not advised...
I also tried to find an application or a thread to test the hardware of the tablet without any success
Thank you for your help
Nicolas

nvuillem said:
Hi,
I tried to download from 3 different locations, with 3 different ISP and modems, and the problem is the same.
I also tried to Clear cache and data of Google services and PlayStore. I still have the problem.
Yesterday, when I flashed everything to reinstall the Rom and the recovery on proper basis, I noticed that some directories are not wiped.
Maybe some files are missing?
Is there any way to restore those directory? (maybe doing a wipe data from the bootloader, but I read at many places that it is not advised...
I also tried to find an application or a thread to test the hardware of the tablet without any success
Thank you for your help
Nicolas
Click to expand...
Click to collapse
You could try a full internal sd card format from inside twrp - warning it can take up to 2 hours to complete. Make sure you have everything you want to keep and rom.zips on external sd as well.

sbdags said:
You could try a full internal sd card format from inside twrp - warning it can take up to 2 hours to complete. Make sure you have everything you want to keep and rom.zips on external sd as well.
Click to expand...
Click to collapse
Hi,
I did the full wipe from the factory (took 90 minutes )
I reinstalled the rom, and I stil have the problem (erro 495 most of the time)
I then downloaded and installed a VPN client and it works. ( I attached the logcat.txt)
There is still something I can't figure out, as it works using a VPN, the issue is probably not related to hardware, but software, and it is not related to the Rom or recovery.
Do you know if Google checks something like device ID when apps are dowloaded from the store?
Thanks
Nicolas

nvuillem said:
Hi,
I did the full wipe from the factory (took 90 minutes )
I reinstalled the rom, and I stil have the problem (erro 495 most of the time)
I then downloaded and installed a VPN client and it works. ( I attached the logcat.txt)
There is still something I can't figure out, as it works using a VPN, the issue is probably not related to hardware, but software, and it is not related to the Rom or recovery.
Do you know if Google checks something like device ID when apps are dowloaded from the store?
Thanks
Nicolas
Click to expand...
Click to collapse
If it works on a VPN then it is more likely related to your country and / or ISP and Google servers.

P6000 General Thread - Bug fixes, FAQ, general info.

Elephone P6000
Phone reviews by @s7yler
Stock ROM (SPFlash):
from elephone servers
from needrom.com
Custom Recovery --- Touch RecoveryCourtesy of @bigrammy, @carliv and @Santhosh M​Various
Latin Paradise(拉丁乐园)(Elephone) on Baidu
P6000 Folder
OTA Updates - direct from elephone
--- both are 404 now ---
12282014 to 31012015
01092015 to 31012015
Other threads and useful sites:
http://forum.xda-developers.com/android/general/elephone-p6000-mtk6732-64-bit-4g-5-2g-t2957425
SP Flash Thread - P6000
4pda thread - translated top post is fairly concise
Check your Mobile Network/Carrier
Please use the other threads/Q&A and the thanks button - to minimise duplicate posts reporting the same issues.
I'd like this thread to be used mainly for bug fixes, tips and tricks. If someone reports a similar problem/fix/bug click the thanks button if you'd like to agree.

Bugs
Android 5.0 'Official' Release
Update Official (V3.3)
Some modifications: #186
Android 5.0 Beta
12-02-15 ROM available on needrom.com
Hardware buttons don't work
Battery doesn't draw charge
Ril related memory leak
No ADB​
Android 4.4.4 (V8.4)
Notification light - not breathing when charging
OTG only works with self-powered devices
Battery seems to jump from 100% to ~90% Soon after removing from charger
Screen jumps several pixels (30) on slow scrolling. ​Android 4.4.4 (V8.3) bugs not present in V8.4Data encryption results in a stalled boot/softbrick​
FAQ/Fixes
1. Notification light is not working in V8.4 as it was in V8.3
Try Light Manager from the play store or gravity box (xposed module)
2. Does OTG work?
It seems to work only with a powered USB hub - I've only been able to check a powered external hard-drive which wouldn't connect
3. How do you fix the screen jump issue?
There are several options here:
From @the1024 / zOrgent we have two options 1. Using a chinese tool - and 2. Using a .bat
From elephone we have TpUpgrade.apk (appears to only work with V8.4)
From lidmiloff we have P6000 Bugfixer.apk​
4. How do you restore a Stock ROM?
Download a SPFlash ROM from #1; you will need to install MediaTek USB VCOM drivers (if they aren't automatically installed); On the download page select the scatter from the ROM folder; and the page should populate with the various .img's and .bins; if it doesn't then double click on the entry and locate it manually (also useful if you wan to change boot/recovery with SPFlash). Hit download; remove the battery from the phone and connect it to the PC (you can connect the battery again). The connection will be fairly instantaneous (there may be a driver install the first time it's connected); if it doesn't connect then unplug/replug.
More details from @bigrammy found here
5. Battery jump from 100% to 90%.
Haven't really noticed this too much - download an app like Battery Monitor Widget, add widget (Battery monitor widget gauge => Content => Central value => Battery => Battery Current (mA)) which will show you the battery drain/draw and charge until the draw is close to; if not +0mA
6. Is there any touch recovery?
As of now (pre-5.0) there is no touch recovery. The recovery thread on #1 contains various recoveries - most of which boot but none have touch - this seems to be a kernel issue.
Touch recoveries can be found here. These are built for KK.
7. What about Custom ROMs?
Potential Port devices (MT6732/MT6752) and their ROMS
As there are no official sources released; for MT6732 or P6000 then custom ROMs are a no-go for now. Porting ROMs from other devices running on MT6732 (and MT6752); i.e. Ulefone Be Pro for example is theoretically possible but there doesn't appear to be any custom ROMs on these chips that offer anything different than the stock/AOSP(almost) that we have already. As other devices get released possibly running MIUI or ColorOS then Custom ROMs may be possible.
FlymeOS
8. How do you take a screenshot?
Natively pressing Volume down and power together for 1 second will take a screenshot - it may take a while to get used to - if volume mixer appears then they were too slow and need to wait for it to disappear. Over adb/terminal you can make use of screencap and screen record
9. How do you back up EVERYTHING(except preloader)?
In SPFlash Tools => readback from 0x00 to 0x3a3e000000
This is a fairly quick way to make sure you have a copy of all the partitions on the device; it will create a 14GB+ file containing all the partitions. You will need to break this block up (manually for the moment) into it's constituent parts if you want to use it to restore - using a Hex-editor (HxD for example) and a copy of the matching /proc/partinfo file and/or scatter.txt
The essential partitions to backup for a fully running device are - boot, (recovery), system, (cache) and data which can all be backed up using a custom recovery. The one other partition needed is nvram - this can be backed up with SPFlash (look at /proc/partinfo) or with dd commands. The nvram partition will only be needed to be restored if you Format All with SPFlash. If you don't have a backup you can restore/recreate the IMEI files that it contains.
10. How do you backup/restore IMEI?
Several options here:
1. MTKDroid
2. Backup NVFLASH partition via readback in SPFlash Tools (look at the scatter.txt) to restore you need to modify the scatter.txt to give the nvflash a file_name: and change it from is_Download: false to is_Download: true
3. From elephone there's a IMEI coding tool
4. Keep a copy of the /data/nvram folder
5. Create new imei files to add to nvram folder/partition with imei.exe
6. Chamelephon app from the play store
7. MTK Engineering Mode
11. Adb access with 5.0 Beta ROMs
1. Use KingoRoot
2. Add the Mediatek subsystem id (0x0e8d) to adb_usb.ini
12. Any Stock Camera fixes?
For KK-4.4.4 from @z0rgent at 4pda

FAQ/Fixes Continued
Android 5.0 V1; V1.1; V2.2 (V3.2); V3.3 #125 #186These versions seem to have gapps preinstalled and are prerooted - for everything else have a look at the 5.0 Betas section below
5.0 Modifications #186​Android 5.0 Beta1 Beta2 Beta3
To gain adb access
Linux/Windows - need to add the Mediatek subsystem id (0x0e8d) to adb_usb.ini
Linux: ~/.android/adb_usb.ini
Windows: C:/Users/${Username}/.android/adb_usb.ini​KingoRoot It won't root the device however - I believe this is due to it installing a 32bit su binary rather than a 64bit one.
Root
For root install SuperSU v2.11+
Confirmation
Custom Recovery
Recovery from @carliv - from #1; modded to boot on L (basically just the cmdline changed / initrd.gz from stock L recovery replaced with carliv's built CWM).
Carliv Port by hanuma50 on 4pda (hopefully all his work and not partially stolen to take credit)
This recovery seems to only work when the Lollipop Beta ROM is installed.
Gapps
64-bit gapps made for the Nexus 9.
My phone seems to be running a little hot after installing the gapps - but that might just all the cores kicking in.
Mirrored copy of the version I'm using.
(OP's thread has updated them and removed the previous version)
Busybox
64-bit busybox installation
Removing encrypted data (temporarily)
In recovery while in an adb shell: /sbin/make_ext4fs /dev/block/mmcblk0p19
This will allow you to restore backed up data - but it will get re-encrypted on first boot, I'll take a look at removing encryption when I get the chance - should be either secro partition or something in the boot.img​
Android 5.0 Beta Breakdown
Screenshots to come later.
Entering LKVOL UP and POWER (this no longer enters recovery)
From lk menu: entering fastboot mode and normal boot works.
Entering recovery (stock) doesn't work and I can't tell if the other normal boot options do anything different​Charging batteryFlashing a custom recovery should allow you some way to charge the battery​I haven't yet been able to install/boot any recovery. Flashing lk and boot from 4.4.4 (I took them from the 48MB OTA) seems to let you charge when powered off. Confirmed​RIL Memory leakThere seems to be a RIL/Sim related memory leak leading to random reboots - for testing purposes disable the sim card(s) or enter airplane mode
I could be wrong about the RIL and the ROM just needed time to settle; all I can say is I had reboots until I switched to airplane mode​IMEIIMEI was lost but that would be due to formatted flash memory (wiped nvflash partition) - it's a good idea to keep a backup regardless.​Antutu Scores64-bit Antutu Scores are around 28000
32-bit Scores are around 27000
Data-encrypted 4.4.4 Antutu scores are also around 28000​SensorsBacklight, sound ... can't be changed
Brightness can be fixed in MTK Engineering Mode #5​ROM is not rooted; does not have gapps installed and data is encrypted.
TL;DR The issues with the 5.0 Beta ROM, are primarily not ROM related but kernel related, they have bumped the kernel version up to 3.10.61+, and the issues that need correcting are the various kernel modules (power,sensors).
Android L kernel config

Annotated /system/build.prop
Stripped top of build.prop (build properties) due to size
# begin mediatek build properties
ro.mediatek.version.release=ALPS.KK2.MP13.V1.27
ro.mediatek.platform=MT6752
ro.mediatek.chip_ver=S01
ro.mediatek.version.branch=KK2.MP13
ro.mediatek.version.sdk=3
# end mediatek build properties
#
# from out/target/product/k01q_e/obj/CUSTGEN/config/system.prop
#
#
# system.prop for generic sdk
#
rild.libpath=/system/lib/mtk-ril.so
rild.libargs=-d /dev/ttyC0
# MTK, Infinity, 20090720 {
wifi.interface=wlan0
# MTK, Infinity, 20090720 }
# MTK, mtk03034, 20101210 {
ro.mediatek.wlan.wsc=1
# MTK, mtk03034 20101210}
# MTK, mtk03034, 20110318 {
ro.mediatek.wlan.p2p=1
# MTK, mtk03034 20110318}
# MTK, mtk03034, 20101213 {
mediatek.wlan.ctia=0
# MTK, mtk03034 20101213}
#
wifi.tethering.interface=ap0
#
ro.opengles.version=196608
wifi.direct.interface=p2p0
# dalvik.vm.heapgrowthlimit=256m
# dalvik.vm.heapsize=512m
# USB MTP WHQL
ro.sys.usb.mtp.whql.enable=0
# Power off opt in IPO
sys.ipo.pwrdncap=2
# Switching Menu of Mass storage and MTP
ro.sys.usb.storage.type=mtp #### adding ,massstorage to this gives an additional USB option but it apears to still mount as a media device (MTP) adding ,mass_storage will let you mount the microsd card
# USB BICR function
ro.sys.usb.bicr=no #### changing to yes will allow you to mount /system/mobile_toolkit/iAmCdRom.iso to PC via USB ####
# USB Charge only function
ro.sys.usb.charging.only=yes
# audio
ro.camera.sound.forced=0
ro.audio.silent=0
ro.zygote.preload.enable=0
#
# ADDITIONAL_BUILD_PROPERTIES
#
persist.gemini.sim_num=2
ro.gemini.smart_sim_switch=false
ro.gemini.smart_3g_switch=0
ro.gemini.sim_switch_policy=1
ril.specific.sm_cause=0
bgw.current3gband=0
ril.external.md=0
ro.btstack=blueangel
ro.sf.hwrotation=0
ril.current.share_modem=2
curlockscreen=1
ro.mediatek.gemini_support=true
persist.radio.fd.counter=15
persist.radio.fd.off.counter=5
persist.radio.fd.r8.counter=15
persist.radio.fd.off.r8.counter=5
persist.radio.fd.on.only.r8.network=0
drm.service.enabled=true
fmradio.driver.enable=1
ril.first.md=1
ril.flightmode.poweroffMD=1
ril.telephony.mode=0
dalvik.vm.mtk-stack-trace-file=/data/anr/mtk_traces.txt
persist.mtk.anr.mechanism=1
mediatek.wlan.chip=CONSYS_MT6752
mediatek.wlan.module.postfix=_consys_mt6752
ril.radiooff.poweroffMD=0
ro.config.notification_sound=Proxima.ogg
ro.config.alarm_alert=Alarm_Classic.ogg
ro.config.ringtone=Backroad.ogg
persist.mtk.wcn.combo.chipid=-1
ter.service.enable=0
mediatek.extmd.usbport=0
ro.lte.dc.support=0
ril.active.md=0
ro.setupwizard.mode=OPTIONAL
ro.com.google.gmsversion=4.4.4
ro.com.google.clientidbase=alps-k01q_e-{country}
ro.com.google.clientidbase.ms=alps-k01q_e-{country}
ro.com.google.clientidbase.yt=alps-k01q_e-{country}
ro.com.google.clientidbase.am=alps-k01q_e-{country}
ro.com.google.clientidbase.gmm=alps-k01q_e-{country}
wfd.dummy.enable=1
persist.sys.dalvik.vm.lib=libdvm.so #### Charnging this to libart.so appears to have no effect ####
net.bt.name=Android
dalvik.vm.stack-trace-file=/data/anr/traces.txt
# begin fota properties
ro.fota.platform=MTK6732_KK
ro.fota.type=phone
ro.fota.oem=new-bund6732_KK
ro.fota.device=k01q_e
ro.fota.version=eng.jenkins.1422677980
# end fota properties
ro.sf.lcd_density=190
#### Stock value I believe is 320; changing to >190 switches the device to phablet mode; this spoofs the screen size to be 7.73 inches (CPU-Z) enabling tablet apps in the apps store after clearing play store app data ####
qemu.hw.mainkeys=0
#### This enables softkeys ####
Annotated /custom/customprop/custom.prop
ro.product.model=Elephone P6000
ro.product.name=Elephone P6000
ro.product.brand=elephone
ro.product.manufacturer=elephone
ro.bt.name=P6000
ro.wifi.name=P6000
ro.notification.breath=yes #### This seems to not be working with V8.4 ####
ro.build.display.id=ALPS.KK2.MP13.V1.27
ro.internal.build.version=K01Q-E.ELEPHONE.vR83.E4.150109
ro.custom.build.version=Elephone_P6000_V8.4_20150109
ro.fota.device=Elephone_P6000
ro.fota.version=Elephone_P6000_V8.4_20150109202612

MTK Engineering Mode
*#*#3646633#*#* (*#*#ENGMODE#*#*)
What can be done in engineering mode
General non-specific guide
Backlight
Hardware ===> LCM ===> LCM Cycle ===> add a value between 5 and 55 ===> Hit Set.
(On L at least this value will jump to value in the millions/billions; unsure if this has any implications)
Audio
http://forum.xda-developers.com/showthread.php?t=2746861
http://forum.xda-developers.com/showthread.php?t=2248396
GPS
http://www.cnx-software.com/2013/11...ps-lock-on-mediatek-mt65xx-based-smartphones/
Orientation / GSensor
Hardware Testing ===> Sensor ===> Sensor Calibration ===> GSensor Calibration ===> Do Calibration (20% tolerance)
IMEI Restore
Command should be AT +...
Xposed Installer (or WSM Tools)
I've had no problems with any xposed modules.
You will get a warning regarding AliyunOS -
this issue is reported due to the presence of /system/framework/*.jar.jex files.
You can ignore/move/remove these *.jar.jex files without it causing any (noticable) issue.
I haven't decompiled any apps so I don't know if. jex files are used elsewhere within the ROM (in place of .jar),
so can't comment on whether the stock ROM is indeed an Aliyun OS.
I would advise backing them up so that any future OTA can complete 100%.
Any issues identified with xposed modules will be reported here.​

Very Helpful and concise
Nice one bro :good:
Subscribed

Ludmiloff's Screen fix apk version 1.2 final now works with 8.3 also. Just wanted to give you a quick update so you edit your post HypoTurtle

greekfragma said:
Ludmiloff's Screen fix apk version 1.2 final now works with 8.3 also. Just wanted to give you a quick update so you edit your post HypoTurtle
Click to expand...
Click to collapse
Still doesn't work for me on 8.3.

Nice one, i get my phone in a couple of weeks.

Hello
and Thanks for all your work ! :victory:
Can you add how save and restore imei ?

xenonism said:
Still doesn't work for me on 8.3.
Click to expand...
Click to collapse
Sorry to hear that man. Can you give more details? Are the driver version letters shown normal or "?"

greekfragma said:
Sorry to hear that man. Can you give more details? Are the driver version letters shown normal or "?"
Click to expand...
Click to collapse
Well, I tried the first methods which came out and they wouldn't work. Then I upgraded to V8.4, at the same time the Elephone APK came out, so I used it and it set the thresholds to 3 and 4. Then I decided to go back to V8.3 and since then, no method managed to make a persistent change to the values (I tried ludmiloff's works, Elephone's APK modified by me, which worked for others, and the old Russian method). At best, I get the new vaules in the "init config" portion of the configuration, never in the "real config" portion, and they are always gone after a reboot. File permissions of /proc/gt9xx_config are 660, owned by root. The config version letter is currently F and ludmiloff's app reads it correctly.
I guess that's all the info I can share.

xenonism said:
Well, I tried the first methods which came out and they wouldn't work. Then I upgraded to V8.4, at the same time the Elephone APK came out, so I used it and it set the thresholds to 3 and 4. Then I decided to go back to V8.3 and since then, no method managed to make a persistent change to the values (I tried ludmiloff's works, Elephone's APK modified by me, which worked for others, and the old Russian method). At best, I get the new vaules in the "init config" portion of the configuration, never in the "real config" portion, and they are always gone after a reboot. File permissions of /proc/gt9xx_config are 660, owned by root. The config version letter is currently F and ludmiloff's app reads it correctly.
I guess that's all the info I can share.
Click to expand...
Click to collapse
Well, time to get in here, I guess...
@xenonism, the best I could tell you is to start over with clean ROM, preferably the one listed at 4pda.ru thread about elephone P6000 (in the head section) and try again. There must be something messed up in your device. I really believe the config is independent of ROM. The secret is very simple, you must start with new version letter and at offset 184 set correct checksum. How to calculate checksum:
//cal checksum
byte checksum;
for(i=0; i<chip_cfg_len; i++) {
checksum += file_config;
}
file_config[chip_cfg_len] = (~checksum) + 1;
Where chip_cfg_len = 184
Then write the checksum and write 0x01 at offset 185.
I believe you already know where are the theshsold values - at offset 16 and 17.
If you wish, I could send you my hand crafted config, which I was an inspiration for my apk.
Good luck

Err... it looks like I am unable to install a clean ROM, or even to update the existing one. I guess I'll have to sort this issue out before I join back the discusssion.
I have a fully functionalV8.3_20141228 ROM running and carliv's CWM from the 7th of February installed. The phone offers me the OTA update and it downloads a ~23 MB update. When I agree to install it, the phone reboots to CWM and the update fails with the following messages:
E:Invalid command argument
Finding update package...
E:unknown volume for path [/storage/sdcard0/adupsfota/update.zip]
E:Can't mount /storage/sdcard0/adupsfota/update.zip
Installation aborted.
Click to expand...
Click to collapse
If I try to install the same update with ROM Manager, it also fails in CWM with the following message:
-- Installing: [FILENAME SHOWS HERE]
Finding update package...
Opening update package...
Installing update...
Installation aborted.
Click to expand...
Click to collapse
But when I reboot the phone, I get the "Android is upgrading...] Screen, saying it's optimizing 124 apps. I believe no actual update takes place, though.
And here's what I'd consider the relevant portion of the recovery.log file:
Preparing to install ROM...
about to run program [/cache/dowipedalvikcache.sh] with 1 args
mount: mounting /dev/block/platform/mtk-msdc.0/by-name/userdata on /data failed: Device or resource busy
mount: mounting /dev/block/platform/mtk-msdc.0/by-name/cache on /cache failed: Device or resource busy
mount: can't find /sd-ext in /etc/fstab
umount: can't umount /sd-ext: Invalid argument
run_program: child exited with status 1
about to run program [/sbin/chmod] with 3 args
about to run program [/tmp/recovery/11-rommanager.sh] with 2 args
mount: mounting /dev/block/platform/mtk-msdc.0/by-name/system on /system failed: Device or resource busy
about to run program [/sbin/umount] with 2 args
Click to expand...
Click to collapse
If I try to install the full 20150109 ROM with ROM Manager, it also fails in CWM, without displaying any meaningful messages in recovery. I also get the "Android is upgrading screen here".
The errors in recovery.log are the same as above.
I guess I could install the full ROM via SP Flash Tool, right?
Also... I have a couple of questions to ask, can I feel free to do it in this thread? Some might be trivial for most.

ludmiloff said:
Well, time to get in here, I guess...
@xenonism, the best I could tell you is to start over with clean ROM, preferably the one listed at 4pda.ru thread about elephone P6000 (in the head section) and try again.
Click to expand...
Click to collapse
@ludmiloff does your app require busybox to be installed?
Downloading from 4pda.ru is a bit hit and miss for me, any chance someone can post the CWMLollipop.img...
Is there any difference in the 4pda.ru ROMs and the ones on needrom.com?
Also found a fix for the backlight in Android L - in engineering mode - not sure if it will do anything useful in 4.4.4 (lower the minimum brightness?).
MTK Engineering Mode => Hardware => LCM => LCM Cycle => value between 5 and 55.
xenonism said:
Err... it looks like I am unable to install a clean ROM, or even to update the existing one. I guess I'll have to sort this issue out before I join back the discusssion.
Click to expand...
Click to collapse
Feel free to elaborate. Edit your previous post with your current setup / what you've tried - so we can turn it into a troubleshooting post.

HypoTurtle said:
Feel free to elaborate. Edit your previous post with your current setup / what you've tried - so we can turn it into a troubleshooting post.
Click to expand...
Click to collapse
Ok, thanks a lot. I will edit my post right now. The thing is... I haven't used an Android phone in 4 years and I did a lot of my tinkering on my P6000 while working or late at night so.. things got a bit messy.

@HypoTurtle,
My app does not require busybox. It simply run some commands in the shell, though.
In fact It is my first experience with android programming and I just followed some examples found here and there. I also wanted to make a Kotlin based app, but then I decided to continue with plain old java. The app might not a perfect one. Hope it worked for many of elephone owners
---------- Post added at 08:05 AM ---------- Previous post was at 07:41 AM ----------
@xenonism, you should try a clean ROM with sp flash tool. It is a bit tricky, I have tried one from needrom and as the author suggested, I did not check the preloader mark. Then my phone ended totally bricked. The ROM from 4pda worked for me. Today I'm going to reflash it again and investigate why my app does not work on it.

@ludmiloff, I ended up installing 20150109 via SP Flash Tool and then updating via OTA to the latest version. Sure enough, your app worked then. And permissions for gt9xx_config are now 666.
I am not particularly happy with the gravitybox solution for the notification issue, so I'm trying to look into it, but I am not really hopeful to achieve something.

xenonism said:
@ludmiloff, I ended up installing 20150109 via SP Flash Tool and then updating via OTA to the latest version. Sure enough, your app worked then. And permissions for gt9xx_config are now 666.
I am not particularly happy with the gravitybox solution for the notification issue, so I'm trying to look into it, but I am not really hopeful to achieve something.
Click to expand...
Click to collapse
Same I did just few minutes ago. Won't install updates and will try to make my app working on this ROM.
BTW. Russian method write a very different format to file /process/gmnodexxxxxxx where xxxxxxx is build date. I'm pretty sure if I could change the file with correct checksum and version letter it should work too.
Anyway, my intent was to fix the scroll after I applied the elephone apk. For sure the Russian method with correct version letter and checksum would work too and it is still the best flow now for phones with very stock ROM. I already explained how to calculate the checksum.

HypoTurtle said:
@ludmiloff does your app require busybox to be installed?
Downloading from 4pda.ru is a bit hit and miss for me, any chance someone can post the CWMLollipop.img..
Click to expand...
Click to collapse
I cant see any CWMLollipop.img there
They only list two recoverys my P6000CWM3.img with no links or credits of course
and carliv's CWM_Modd_2.img again no links or credits
I will be working on the lollipop soon
I am getting another phone very soon to use for daily life so I can use the P6000 for dev only purposes.

Linux ISO - Unbrick the Fire HD6/HD7 [Video] [Testers Wanted]

Testers wanted: Anyone who uses this method, let me know if you can access stock recovery after this method.
Summery
Thanks to the amazing work by our active member @bibikalka, a method was found to unbrick these devices Thread link here. The method he found was slightly tedious for some people, so I've decided to put together a Linux iso that you can boot into on your computer with everything you need to get your device running again. It uses the same methods proposed but makes things easier. This comes with all the necessary drivers, scripts to do everything you need, all the img files needed to flash, a hex editor for advanced users, and more. Before the scripts included in this OS, determining the option (A, B, or C) to take in order to unbrick the device required .part files to be evaluated manually. Now with the custom script, it can quickly evaluate what option to take.
Video Instructions
Brief Instructions
1. Download the Linux iso:
Linux ISO
2. Burn the iso to a USB drive or cd
3. Boot into the operating system
4. Type "root" at the login prompt
5. Right click on the desktop and choose file manager. Go to "aftv2-tools" folder
6. Right click on file manager and press "open in terminal"
7. From device turned off, enter command "./handshake.py", then plug in device. You may need to do this a couple times to get a connection. Try pressing volume keys & power etc to get it connected. See video if you have problems
8. After handshake is complete, run "./reader.sh"
9. After all addresses are read in, run "./determineOption.sh". You should get back a result of A, B, or C
10. Depending on the option returned (A,B,or C), run "./readerSpecialOptionA.sh", "./readerSpecialOptionB.sh", or "./readerSpecialOptionC.sh". This is an optional step but may be useful if you want to back up part files or their were no options available. Back up part files to a usb drive if you want to be safe.
11. Now the actual unbricking. Run "./unbrickOptionA.sh", "./unbrickOptionB.sh", or "./unbrickOptionA.sh" depending on your option. This can take about 40 minutes
12. hold volume up and run "./complete.sh" at the same time to get into TWRP
13. boot into your default operating system on your computer
BE VERY CAREFUL FROM NOW ON
13. We will be installing Fire OS 5.3.1. If you are not installing this ROM, make sure you know what you are doing. Download the ROM:
update-kindle-20.5.5.2_user_552153420.bin
14. Download 5.4.1_1133_stock_recovery_uboot.zip: 5.4.1_1133_stock_recovery_uboot.zip. Without this you could turn your device into a paperweight. This installs stock recovery and a uboot version that MUST be installed. This file was taken from the thread here: how-to-upgrade-to-lollipop-root-gapps
15. Rename the ROM extension from .bin to .zip
16. Transfer the two files to the Fire
17. Do a factory reset. Flash the ROM and uboot&recovery file
18. Reboot! Your device should now be working. It will take about 15 mins to boot up.
Big thanks to @bibikalka for helping work everything out and for the initial unbrick method.
Edit 10/13/21: Fixed Google Drive Link

Linux ISO Changelog
Updated 10/5/16:
*Optomized scripts
*Added "complete.sh" This reboots the device
Updated 9/27/16:
*Added script to auto-detect which unbrick option to use (determineOption.sh)
*Added scripts to write img files to correct addresses ( unbrickOptionA.sh, unbrickOptionB.sh, and unbrickOptionC.sh)
*Added scripts to read in and label part files (readerSpecialOptionA.sh, readerSpecialOptionB.sh, and readerSpecialOptionC.sh)
*Nemo open in terminal fixed
*.part files set to open with ghex by default
Updated 9/24/16:
*Nemo as default file manager
*Updated html page with instructions from forum

well, after seriously struggling with the parent thread mentioned in the OP I've managed to get to TWRP & am just waiting for my win10 machine to install it's updates before attempting to adb push the uboot & zip files for installation back to fireOS.
feels great to see the screen displaying something other than the looping amazon logo after months of frustration. I do not have the words to express my gratitude for @powerpoint45 for an excellent & well thought through tool and walkthrough. special mention also goes out to @bibikalka

gascomm said:
well, after seriously struggling with the parent thread mentioned in the OP I've managed to get to TWRP & am just waiting for my win10 machine to install it's updates before attempting to adb push the uboot & zip files for installation back to fireOS.
feels great to see the screen displaying something other than the looping amazon logo after months of frustration. I do not have the words to express my gratitude for @powerpoint45 for an excellent & well thought through tool and walkthrough. special mention also goes out to @bibikalka
Click to expand...
Click to collapse
great to hear! I hope everything works for you! After you get everything done, can you check if you can get into recovery.

after flashing both zips & rebooting I've now got my working fire (OS 5.3.1.0) back. thank you Mr PowerPoint!
i tried rebooting to recovery & it now takes me to the stock amazon recovery not TWRP..... which is unfortunate.
I did get asked if I wanted to install SuperUser which was a no-brainer YES. although I'm staying offline until I identify a functional (fast) flavour of android to flash. suggestions welcome.

gascomm said:
after flashing both zips & rebooting I've now got my working fire (OS 5.3.1.0) back. thank you Mr PowerPoint!
i be tried rebooting to recovery & it now takes me to the stock amazon recovery not TWRP..... which is unfortunate.
I did get asked if I wanted to install SuperUser which was a no-brainer YES. although I'm staying offline until I identify a functional (fast) flavour of android to flash. suggestions welcome.
Click to expand...
Click to collapse
Good to hear everything is working. Ya TWRP does not work with 5.x bootloader. Good to hear you can get into stock recovery because I had some incidents where I could not get into it. Thanks for responding. The only custom ROM ATM is CM13.

powerpoint45 said:
The only custom ROM ATM is CM13.
Click to expand...
Click to collapse
sorry to trouble you again but do you know where I can find a guide/walkthrough of how to root via adb & install twrp or cwm to allow flashing of a rom & gapps..
I can only find the kingroot method & the CM11 rom discussion. where might I find the CM13 you mentioned?
I have searched fruitlessly. I guess I just need a little guidance to avoid running straight into another brick.
cheers.

gascomm said:
sorry to trouble you again but do you know where I can find a guide/walkthrough of how to root via adb & install twrp or cwm to allow flashing of a rom & gapps..
I can only find the kingroot method & the CM11 rom discussion. where might I find the CM13 you mentioned?
I have searched fruitlessly. I guess I just need a little guidance to avoid running straight into another brick.
cheers.
Click to expand...
Click to collapse
I meant to say CM11. This guide is probably one of the best http://forum.xda-developers.com/fire-hd/general/how-to-upgrade-to-lollipop-root-gapps-t3163950/page1
This is a bit older one: http://forum.xda-developers.com/fire-hd/general/how-to-downgrade-to-4-5-3-root-device-t3139351/page1
In order to have TWRP, you must have a 4.x bootloader so CM11 would work with it.

Thank you
I have a question I can work downgrade from 5.3.1 to 4.5.3
I'm currently on version 5.3.1

PRInCEI7 said:
Thank you
I have a question I can work downgrade from 5.3.1 to 4.5.3
I'm currently on version 5.3.1
Click to expand...
Click to collapse
yes you should be fine doing that

Unfortunately, did not respond
I worked
MacBook-Air-2:ROOT IP$ ./handshake.py
Waiting for preloader...
Found port = /dev/cu.usbmodem1420
Handshake complete!
In the second step does not respond to the order ./reader.sh
Also tried
/.read_mmc.py 0x0000000 0x1000 0x0000000.part
Does not respond
By the way tried way on more than one device
And tried through the system Max os x and the system arch-custom-firehd67-unbrick100516.iso did not work and also the same result
MY device Amazon Fire HD 6 version 5.3.1 All functions work, but I need to work downgrade to 4.5.3
Is there a solution to my problem
[/SIZE]

@powerpoint45 thanks for the pointers. I am now the proud owned of an hd6 booting straight into cm11 & it's been well worth the wait. I am forever in your digital debt.

gascomm said:
@powerpoint45 thanks for the pointers. I am now the proud owned of an hd6 booting straight into cm11 & it's been well worth the wait. I am forever in your digital debt.
Click to expand...
Click to collapse
sweet!!!

PRInCEI7 said:
Unfortunately, did not respond
I worked
MacBook-Air-2:ROOT IP$ ./handshake.py
Waiting for preloader...
Found port = /dev/cu.usbmodem1420
Handshake complete!
In the second step does not respond to the order ./reader.sh
Also tried
/.read_mmc.py 0x0000000 0x1000 0x0000000.part
Does not respond
By the way tried way on more than one device
And tried through the system Max os x and the system arch-custom-firehd67-unbrick100516.iso did not work and also the same result
MY device Amazon Fire HD 6 version 5.3.1 All functions work, but I need to work downgrade to 4.5.3
Is there a solution to my problem
[/SIZE]
Click to expand...
Click to collapse
I am also getting the same results with my HD 7 4th gen. The handshake completes just fine, but the reader just hangs. When I'm in recovery, I get errors saying the /cache folder failed to mount. I'm thinking the memory is corrupt and there is no way to fix this.

nai1ed said:
I am also getting the same results with my HD 7 4th gen. The handshake completes just fine, but the reader just hangs. When I'm in recovery, I get errors saying the /cache folder failed to mount. I'm thinking the memory is corrupt and there is no way to fix this.
Click to expand...
Click to collapse
Unfortunately it appears that with the latest bootloader on the latest Amazon update that they have disabled these commands (such as reading and writing). Unfortunately if you can't get into recovery with (vol+ & power) then it is currently unrecoverable. Best option for an unrecoverable device would be to buy another motherboard from eBay or some place. They are pretty cheap and easy to replace. I've had to do it a couple times now.

Confused
First you say it should be OK to downgrade:
powerpoint45 said:
PRInCEI7 said:
Thank you
I have a question I can work downgrade from 5.3.1 to 4.5.3
I'm currently on version 5.3.1
Click to expand...
Click to collapse
yes you should be fine doing that
Click to expand...
Click to collapse
Although, it's unclear how, since reports indicate that sideloading older
firmware bricks the device (or, does that only apply to 5.x?).
Then, we learn that the preloader trick (from aftv2-tools) doesn't work anymore:
Code:
[[email protected] aftv2-tools]# ./handshake.py
Waiting for preloader...
Found port = /dev/ttyACM0
Handshake complete!
[[email protected] aftv2-tools]# ./reader.sh
^CTraceback (most recent call last):
File "./read_mmc.py", line 355, in <module>
if msdc_dma_status():
File "./read_mmc.py", line 146, in msdc_dma_status
return False if sdr_read32(MSDC_CFG) & MSDC_CFG_PIO else True
File "./read_mmc.py", line 82, in sdr_read32
check(dev.read(2), b'\x00\x00') # arg check
File "/usr/lib/python3.5/site-packages/serial/serialposix.py", line 450, in read
ready, _, _ = select.select([self.fd, self.pipe_abort_read_r], [], [], timeout)
KeyboardInterrupt
^CTraceback (most recent call last):
File "./read_mmc.py", line 355, in <module>
if msdc_dma_status():
File "./read_mmc.py", line 146, in msdc_dma_status
return False if sdr_read32(MSDC_CFG) & MSDC_CFG_PIO else True
File "./read_mmc.py", line 82, in sdr_read32
check(dev.read(2), b'\x00\x00') # arg check
File "/usr/lib/python3.5/site-packages/serial/serialposix.py", line 450, in read
ready, _, _ = select.select([self.fd, self.pipe_abort_read_r], [], [], timeout)
KeyboardInterrupt
^Z
[1]+ Stopped ./reader.sh
[[email protected] aftv2-tools]# kill %1
[[email protected] aftv2-tools]#
[1]+ Terminated ./reader.sh
[[email protected] aftv2-tools]#
The above is for a 4th gen HD7 with this device showing in 'lsusb':
Code:
Bus 001 Device 006: ID 0e8d:3000 MediaTek Inc.
powerpoint45 said:
Unfortunately it appears that with the latest bootloader on the latest Amazon update that they have disabled these commands (such as reading and writing). Unfortunately if you can't get into recovery with (vol+ & power) then it is currently unrecoverable. Best option for an unrecoverable device would be to buy another motherboard from eBay or some place. They are pretty cheap and easy to replace. I've had to do it a couple times now.
Click to expand...
Click to collapse
BTW, are we sure that this is *disabled* as opposed to _tweaked_?
(e.g. by changing the protocol slightly by, say, requiring an extra byte
or two "confirmation" before execution? has anyone bothered reversing
the bootloader? [Please excuse my ignorance, but would this be handled
by UBOOT, TEE1, or some other component?])
So, what's the current best option for 5.3.1?
---------- Post added at 11:23 ---------- Previous post was at 10:58 ----------
draxie said:
BTW, are we sure that this is *disabled* as opposed to _tweaked_?
(e.g. by changing the protocol slightly by, say, requiring an extra byte
or two "confirmation" before execution? has anyone bothered reversing
the bootloader?
Click to expand...
Click to collapse
OK. So, I found this post by @zeroepoch,
which makes it very clear that said exercise has been performed for the AFTV2...
No reason to believe that this would be different for the Fire HD7...

draxie said:
First you say it should be OK to downgrade:
Although, it's unclear how, since reports indicate that sideloading older
firmware bricks the device (or, does that only apply to 5.x?).
Then, we learn that the preloader trick (from aftv2-tools) doesn't work anymore:
The above is for a 4th gen HD7 with this device showing in 'lsusb':
BTW, are we sure that this is *disabled* as opposed to _tweaked_?
(e.g. by changing the protocol slightly by, say, requiring an extra byte
or two "confirmation" before execution? has anyone bothered reversing
the bootloader? [Please excuse my ignorance, but would this be handled
by UBOOT, TEE1, or some other component?])
So, what's the current best option for 5.3.1?
---------- Post added at 11:23 ---------- Previous post was at 10:58 ----------
OK. So, I found this post by @zeroepoch,
which makes it very clear that said exercise has been performed for the AFTV2...
No reason to believe that this would be different for the Fire HD7...
Click to expand...
Click to collapse
My understanding is that you only need to worry about bricking if You are downgrading to another lollypop ROM. We found out that the device has a fuse that is set in later lollypop ROMs where it will check against the current version. But this check only seems to be on lollipop ROM's. As for the aftv2 protocol, you might be right but I don't know enough about that yet to know. Currently we have no unbrick method for latest bootloader. If you can get into recovery then you could sideload but most can't get into recovery during brick.

I've followed the steps but not into twrp, only screen amazon and reset. I'm not good at English

error trying to unbrick hd6
[[email protected] aftv2-tools]# ./complete.sh
1: 0xd1
4: 0x00 0x00 0x00 0x00
4: 0x00 0x00 0x00 0x01
Traceback (most recent call last):
File "/usr/lib/python3.5/site-packages/serial/serialposix.py", line 468, in read
'device reports readiness to read but returned no data '
serial.serialutil.SerialException: device reports readiness to read but returned no data (device disconnected or multiple access on port?)
During handling of the above exception, another exception occurred:
Traceback (most recent call last):
File "./read32.py", line 69, in <module>
ret = read32(addr, size)
File "./read32.py", line 45, in read32
print_hex_byte(dev.read(2)) # status
File "/usr/lib/python3.5/site-packages/serial/serialposix.py", line 475, in read
raise SerialException('read failed: {}'.format(e))
serial.serialutil.SerialException: read failed: device reports readiness to read but returned no data (device disconnected or multiple access on port?)
[[email protected] aftv2-tools]#

kingwill101 said:
[[email protected] aftv2-tools]# ./complete.sh
1: 0xd1
4: 0x00 0x00 0x00 0x00
4: 0x00 0x00 0x00 0x01
Traceback (most recent call last):
File "/usr/lib/python3.5/site-packages/serial/serialposix.py", line 468, in read
'device reports readiness to read but returned no data '
serial.serialutil.SerialException: device reports readiness to read but returned no data (device disconnected or multiple access on port?)
During handling of the above exception, another exception occurred:
Traceback (most recent call last):
File "./read32.py", line 69, in <module>
ret = read32(addr, size)
File "./read32.py", line 45, in read32
print_hex_byte(dev.read(2)) # status
File "/usr/lib/python3.5/site-packages/serial/serialposix.py", line 475, in read
raise SerialException('read failed: {}'.format(e))
serial.serialutil.SerialException: read failed: device reports readiness to read but returned no data (device disconnected or multiple access on port?)
[[email protected] aftv2-tools]#
Click to expand...
Click to collapse
You are on any version.
You can access to recovery now

Fire HD 8 (2018 ONLY) unbrick, downgrade, unlock & root

{
"lightbox_close": "Close",
"lightbox_next": "Next",
"lightbox_previous": "Previous",
"lightbox_error": "The requested content cannot be loaded. Please try again later.",
"lightbox_start_slideshow": "Start slideshow",
"lightbox_stop_slideshow": "Stop slideshow",
"lightbox_full_screen": "Full screen",
"lightbox_thumbnails": "Thumbnails",
"lightbox_download": "Download",
"lightbox_share": "Share",
"lightbox_zoom": "Zoom",
"lightbox_new_window": "New window",
"lightbox_toggle_sidebar": "Toggle sidebar"
}
Changelog:
v2 - Fixed the issue with the screen
Make sure to read this guide completely before starting. It requires you to open the tablet, however you don't need to solder or use any advanced tools.
This is only for Fire HD 8, 8th generation, also known as karnak or KFKAWI. It's now confirmed to work on both 16GB and 32GB models.
You will lose all data on the tablet, make a backup of important data before you start. If you've enabled encryption, it's probably a good idea to disable it before you proceed with the guide.
What you need:
- a Linux installation. Since I had to rush it, this guide is only for Linux. Once I get a chance to test it on Windows I'll update the guide.
- microusb cable to connect your tablet to the PC
- some way to open the tablet (pry tool, opening picks, etc)
- something conductive (metal tweezers, a paper clip, a piece of wire, etc)
- amonet.tar.gz
- 6300.zip: https://mega.nz/#!FI1HSI5T!2zUAeiW9I-eH3Ph0Ar10_2nioNIm0ilSnNYgOG9YPNE
- Magisk-v18.0.zip: https://github.com/topjohnwu/Magisk/releases/download/v18.0/Magisk-v18.0.zip
- finalize.zip
Install python3, PySerial, adb and fastboot. For Debian/Ubuntu something like this should work "sudo apt install python3 python3-serial android-tools-adb android-tools-fastboot".
Extract amonet.tar.gz, open a terminal and navigate to it.
You might need to run the scripts on your PC under sudo if you're getting permission errors.
0. Shut your device down and disconnect it from USB! Also, disconnect all other Android devices you might have connected from your PC. Also, if you have ModemManager installed, you MUST disable or uninstall it before you begin
1. Use a pry tool to remove the back shell from the tablet. Start at the bottom and work your way up. There are no cables between the back shell and the motherboard.
2. On the left side of the board there are 4 test points labeled DAT0, RST, CMD, CLK. We only care about the bottom one, CLK.
3. Plug in one end of the microusb cable, either to the PC or to the tablet, whatever's more convenient.
4. On your PC, run `./bootrom-step.sh`. It should print "Waiting for the bootrom".
5. Using your conductive apparatus, short the CLK test point to the ground. This means you should connect one side of your paperclip to the CLK pin and the other to the metallic shield or a side of the PCB. Firmly hold it in place so that there is connection. (See https://i.imgur.com/7BXIb2y.jpg)
6. Plug in the other end of the microusb cable.
7. You should see a new device appear on your PC
Code:
[10894.058045] usb 3-2.4.1: new full-speed USB device number 9 using xhci_hcd
[10894.239684] usb 3-2.4.1: New USB device found, idVendor=0e8d, idProduct=0003
[10894.239690] usb 3-2.4.1: New USB device strings: Mfr=0, Product=0, SerialNumber=0
[10894.241330] cdc_acm 3-2.4.1:1.0: ttyACM0: USB ACM device
This *must* be the device you see. If you see a "preloader" device instead, you didn't hold the paperclip strong enough. Unplug it, shut down your Fire (pull out USB cord and wait; if it doesn't shut down, you might have to disconnect the battery) and try again starting at step 4.
8. The script you ran in step 4 should now tell you to remove the short. Remove the paperclip and press Enter as instructed.
9. The script will now proceed to downgrade your device and flash some essential files. Just let it be, it will take about 4 minutes. You should see the following output:
Code:
[2019-01-26 23:30:02.157670] Waiting for bootrom
[2019-01-26 23:30:20.438333] Found port = /dev/ttyACM0
[2019-01-26 23:30:20.439362] Handshake
[2019-01-26 23:30:20.441693] Disable watchdog
* * * Remove the short and press Enter * * *
[2019-01-26 23:30:22.636037] Init crypto engine
[2019-01-26 23:30:22.661832] Disable caches
[2019-01-26 23:30:22.662505] Disable bootrom range checks
[2019-01-26 23:30:22.685773] Load payload from ../brom-payload/build/payload.bin = 0x4690 bytes
[2019-01-26 23:30:22.693170] Send payload
[2019-01-26 23:30:23.527965] Let's rock
[2019-01-26 23:30:23.528832] Wait for the payload to come online...
[2019-01-26 23:30:24.260602] all good
[2019-01-26 23:30:24.261069] Check GPT
[2019-01-26 23:30:24.596346] gpt_parsed = {'proinfo': (1024, 6144), 'PMT': (7168, 9216), 'kb': (16384, 2048), 'dkb': (18432, 2048), 'lk': (20480, 2048), 'tee1': (22528, 10240), 'tee2': (32768, 10240), 'metadata': (43008, 80896), 'MISC': (123904, 1024), 'reserved': (124928, 16384), 'boot': (141312, 32768), 'recovery': (174080, 40960), 'system': (215040, 6354944), 'vendor': (6569984, 460800), 'cache': (7030784, 1024000), 'userdata': (8054784, 22722527)}
[2019-01-26 23:30:24.596619] Check boot0
[2019-01-26 23:30:24.841858] Check rpmb
[2019-01-26 23:30:25.051079] Downgrade rpmb
[2019-01-26 23:30:25.052924] Recheck rpmb
[2019-01-26 23:30:25.949978] rpmb downgrade ok
[2019-01-26 23:30:25.950284] Flash lk-payload
[5 / 5]
[2019-01-26 23:30:26.471797] Flash preloader
[288 / 288]
[2019-01-26 23:30:44.845804] Flash tz
[6732 / 6732]
[2019-01-26 23:33:08.502134] Flash lk
[685 / 685]
[2019-01-26 23:33:23.337460] Inject microloader
[4 / 4]
[2019-01-26 23:33:23.667547] Reboot to unlocked fastboot
If the script freezes at some point, you will have to restart it. Terminate the script, unplug USB, and try again starting at step 4. If after unplugging USB cable the device doesn't shut down, you might have to disconnect the battery. You can keep it disconnected until the script succeeds, but once it's done you must reconnect it before booting to fastboot.
9. You should see a success message: "Reboot to unlocked fastboot". Only proceed if you see the message.
10. Once the device boots to fastboot (check with "fastboot devices". You should see amazon logo on the screen.), you can run "./fastboot-step.sh". Then, flip the device over so that you can see the display.
11. At this point the device should boot into recovery, however it's possible that the screen will be off by default. Just press the power button twice and the screen should turn on.
12. We'll now upload required files to the recovery. On your PC, do:
adb push 6300.zip /sdcard
adb push Magisk-v18.0.zip /sdcard
adb push finalize.zip /sdcard
13. In the recovery, go to "Install", navigate to "/sdcard" and flash 6300.zip
14. Go to "Wipe" and do the default wipe, then reboot
15. At the Fire setup screen, select your language. On the next screen, Wifi setup, select any password-protected network, then instead of entering the password press "cancel". Now, back at the wifi setup screen, press "skip" and "skip" in the dialog pop-up again
16. Hold down the power button, press Restart and hold volume down to boot into recovery.
17. In the recovery, go to "Install", navigate to "/sdcard" and flash Magisk-v18.0.zip
18. Press back, select finalize.zip and flash it
19. Once finalize.zip is flashed, press "Reboot System"
20. Done. The device should now boot into a rooted 6.3.0.0 firmware. You should have Magisk manager installed, and root working. You will be able to boot into recovery by holding volume down.
21. At this point it should be safe to connect to wifi. If everything works okay, assemble your device.
Your device is now unlocked. You can flash a custom boot image, system image, etc. However, if you ever brick the device so bad the recovery does not boot, you will have to repeat these steps starting from the first one. Read below for what you should not do.
VERY IMPORTANT STUFF:
Only ever flash boot images from TWRP. Since nothing but TWRP is aware of the exploit, if you try to flash a boot image from Android, it won't have the exploit integrated into it! This includes Magisk as well, so do NOT install or uninstall it from Magisk Manager (However, installing modules should be fine; although it depends on the specific module).
Due to how the exploit works, it takes over the first 0x400 bytes of boot.img/recovery.img. When flashing zips from the recovery, it will transparently remove and then reinstall the exploit when needed. So long as you flash zips from the recovery, you should treat the boot image normally. However, this means that you cannot use any other apps (e.g. FlashFire) to flash the boot or recovery partitions.
To revert back to stock:
- download update package from amazon https://fireos-tablet-src.s3.amazon...ate-kindle-NS6301_user_1611_0001309035396.bin to your PC
- flash 6300.zip from twrp
- flash revert-stock.zip from twrp
- wipe data
- reboot to recovery; you should see amazon recovery now
- select "apply update from ADB" in the recovery menu
- run "adb sideload update-kindle-NS6301_user_1611_0001309035396.bin" on your PC
Another way to fix a brick:
- Download update package from amazon https://fireos-tablet-src.s3.amazon...ate-kindle-NS6301_user_1611_0001309035396.bin to your PC
- Download and unzip revert-stock.zip
- Do steps 0 to 9 from this guide (so everything until fastboot-step.sh)
- Wait for device to boot into fastboot mode (check with "fastboot devices")
- Run "fastboot flash boot boot.img" using boot.img from the revert-stock.zip
- Run "fastboot flash recovery recovery.img" using recovery.img from the from the revert-stock.zip
- Run "fastboot reboot recovery"
- Select "apply update from ADB" in the recovery menu
- Run "adb sideload update-kindle-NS6301_user_1611_0001309035396.bin" on your PC
Other misc information / troubleshooting:
- If you need to disconnect the battery, use a pair of tweezers to grab the wires and gently pull towards yourself. You can do bootrom-step.sh either with or without the battery connected, however fastboot-step.sh should be done with the battery connected.
- If your device is bricked (e.g. from a downgrade), just follow the steps as-is.
- If you're getting an error like "Serial protocol mismatch", or any other error in bootrom-step, try disabling or temporarily uninstalling ModemManager from your Linux
- To remount /system as rw use "mount -o rw,remount /system". ("mount -o remount,rw /system" will not work)
Thanks to: @hwmod @firetablethelp for testing different versions of the payload.
Special thanks to: aftv2-tools contributors https://gitlab.com/zeroepoch/aftv2-tools; the bootrom download protocol scripts are largely based on their work

GPL Notice:
- Source code for modified TWRP is available from https://github.com/xyzz/android_bootable_recovery
- Source code for amonet/brom-payload is available from https://github.com/xyzz/amonet/tree/master/brom-payload
Device tree to build TWRP: https://github.com/xyzz/android_device_amazon_karnak
Additionally, source code of the full exploit chain is available from https://github.com/xyzz/amonet
When I finish the writeup for this vulnerability, I'll update this post with a URL to the writeup.

You sir, are a marvelous wizard leet haxor ?. Thanks for this. Will this ever lead to any software solution for root on this tablet. Parden my noob questions?

beanaman said:
You sir, are a marvelous wizard leet haxor . Thanks for this. Will this ever lead to any software solution for root on this tablet. Parden my noob questions?
Click to expand...
Click to collapse
The only reason you have to open the tablet is to put the bootrom into download mode. If somebody figures out another way to do that, then yes it can be done completely in software. One way is to brick the tablet by erasing the preloader completely (both copies). However, this would require root (temporarily), and is more dangerous. Ultimately, I figured that the difficulty level here is about as much as replacing a battery (even lower) so I haven't investigated this further.

Thank you for explaining that further. It's nice to have this capability in our toolbox.

Wow! @xyz` you are a genius!
This exploit can be applied to fire 7 7th gen?

xyz` said:
Make sure to read this guide completely before starting. It requires you to open the tablet, however you don't need to solder or use any advanced tools.
This is only for Fire HD 8, 8th generation, also known as karnak or KFKAWI. I've also only tested this on the 16GB version, though the 32GB one should work the same.
You will lose all data on the tablet, make a backup of important data before you start. If you've enabled encryption, it's probably a good idea to disable it before you proceed with the guide.
What you need:
- a Linux installation. Since I had to rush it, this guide is only for Linux. Once I get a chance to test it on Windows I'll update the guide.
- microusb cable to connect your tablet to the PC
- some way to open the tablet (pry tool, opening picks, etc)
- something conductive (metal tweezers, a paper clip, a piece of wire, etc)
- amonet.tar.gz
- 6300.zip: https://mega.nz/#!FI1HSI5T!2zUAeiW9I-eH3Ph0Ar10_2nioNIm0ilSnNYgOG9YPNE
- Magisk-v18.0.zip: https://github.com/topjohnwu/Magisk/releases/download/v18.0/Magisk-v18.0.zip
- finalize.zip
Install python3, PySerial, adb and fastboot. For Debian/Ubuntu something like this should work "sudo apt install python3 python3-serial android-tools-adb android-tools-fastboot".
Extract amonet.tar.gz, open a terminal and navigate to it.
You might need to run the scripts on your PC under sudo if you're getting permission errors.
0. Shut your device down and disconnect it from USB! Also, disconnect all other Android devices you might have connected from your PC.
1. Use a pry tool to remove the back shell from the tablet. Start at the bottom and work your way up. There are no cables between the back shell and the motherboard.
2. On the left side of the board there are 4 test points labeled DAT0, RST, CMD, CLK. We only care about the bottom one, CLK.
3. Plug in one end of the microusb cable, either to the PC or to the tablet, whatever's more convenient.
4. On your PC, run `./bootrom-step.sh`. It should print "Waiting for the bootrom".
5. Using your conductive apparatus, short the CLK test point to the ground. This means you should connect one side of your paperclip to the CLK pin and the other to the metallic shield or a side of the PCB. Firmly hold it in place so that there is connection. (See https://i.imgur.com/7BXIb2y.jpg)
6. Plug in the other end of the microusb cable.
7. You should see a new device appear on your PC
This *must* be the device you see. If you see a "preloader" device instead, you didn't hold the paperclip strong enough. Unplug it, shut down your Fire (pull out USB cord and wait; if it doesn't shut down, you might have to disconnect the battery) and try again starting at step 4.
8. The script you ran in step 4 should now tell you to remove the short. Remove the paperclip and press Enter as instructed.
9. The script will now proceed to downgrade your device and flash some essential files. Just let it be, it will take about 4 minutes. You should see the following output:
If the script freezes at some point, you will have to restart it. Terminate the script, unplug USB, and try again starting at step 4. If after unplugging USB cable the device doesn't shut down, you might have to disconnect the battery. You can keep it disconnected until the script succeeds, but once it's done you must reconnect it before booting to fastboot.
9. You should see a success message: "Reboot to unlocked fastboot". Only proceed if you see the message.
10. Once the device boots to fastboot (check with "fastboot devices"), you can run "./fastboot-step.sh". Then, flip the device over so that you can see the display.
11. At this point the device should boot into recovery, however it's possible that the screen will be off by default. Just press the power button twice and the screen should turn on.
13. We'll now upload required files to the recovery. On your PC, do:
adb push 6300.zip /sdcard
adb push Magisk-v18.0.zip /sdcard
adb push finalize.zip /sdcard
14. In the recovery, go to "Install", navigate to "/sdcard" and flash 6300.zip
15. Go to "Wipe" and do the default wipe, then reboot
16. At the Fire setup screen, select your language. On the next screen, Wifi setup, select any password-protected network, then instead of entering the password press "cancel". Now, back at the wifi setup screen, press "skip" and "skip" in the dialog pop-up again
17. Hold down the power button, press Restart and hold volume down to boot into recovery.
18. In the recovery, go to "Install", navigate to "/sdcard" and flash Magisk-v18.0.zip, finalize.zip, in that order.
15. Press "Reboot System" once the latest zip, finalize.zip, is installed.
16. Done. The device should now boot into a rooted 6.3.0.0 firmware. You should have Magisk manager installed, and root working. You will be able to boot into recovery by holding volume down.
17. At this point it should be safe to connect to wifi. If everything works okay, assemble your device.
Your device is now unlocked. You can flash a custom boot image, system image, etc. However, if you ever brick the device so bad the recovery does not boot, you will have to repeat these steps starting from the first one. Read below for what you should not do.
VERY IMPORTANT STUFF:
Only ever flash boot images from TWRP. Since nothing but TWRP is aware of the exploit, if you try to flash a boot image from Android, it won't have the exploit integrated into it! This includes Magisk as well, so do NOT install or uninstall it from Magisk Manager (However, installing modules should be fine; although it depends on the specific module).
Due to how the exploit works, it takes over the first 0x400 bytes of boot.img/recovery.img. When flashing zips from the recovery, it will transparently remove and then reinstall the exploit when needed. So long as you flash zips from the recovery, you should treat the boot image normally. However, this means that you cannot use any other apps (e.g. FlashFire) to flash the boot or recovery partitions.
To revert back to stock:
- download update package from amazon https://fireos-tablet-src.s3.amazon...ate-kindle-NS6301_user_1611_0001309035396.bin to your PC
- flash 6300.zip from twrp
- flash revert-stock.zip from twrp
- wipe data
- reboot to recovery; you should see amazon recovery now
- select "apply update from ADB" in the recovery menu
- run "adb sideload update-kindle-NS6301_user_1611_0001309035396.bin" on your PC
Special thanks to: aftv2-tools contributors https://gitlab.com/zeroepoch/aftv2-tools; the bootrom download protocol scripts are largely based on their work
Click to expand...
Click to collapse
LMFAO I can't ****ing believe this. I'm almost certain this will work on the HD 10 too. You found it before me. Absolutely brilliant. You've just proved many weeks and or months of my hard research that I've posted in more than a few threads between the fire 7 forums and here. You just happened to be a lot quicker at this and probably smarter. ACM I discovered a few weeks or months ago on the HD 10. There is a build file that has many ways to set ACM props. doing this made everything light up on my PC...new drivers were installed and being used including the preloader drivers. I set my test HD 10 to persist ACM since then, convinced it was one of the possible keys to the puzzle. If you've read anything I've done in the past several weeks and months you may have been the only one who truly believed anything I had been saying. I don't know who you are or where you came from but I can only thank you. You've made my day, my week and my year. At least now I can say I'm not crazy, hallucinating or 'don't know what I'm doing or talking about.' it will take me a few days to get started, but I'll get right to testing my test HD 10 in the next few days or so.
Edit: I was convinced it had to do with fos_flags too, which I believe is another way to unlock.
Sent from my MotoG3 using XDA Labs

Rortiz2 said:
Wow! @xyz` you are a genius!
This exploit can be applied to fire 7 7th gen?
Click to expand...
Click to collapse
The vulnerability is present on every mediatek device, so yeah. It will not work as-is because of different addresses (for the crypto device and offsets for LK). Additionally, on Fire 7 7th gen the eMMC test point is hidden behind the shield that you need to desolder, so you will probably want to find a different way to enter the bootrom download mode.

Great work!
xyz` said:
The vulnerability is present on every mediatek device, so yeah. It will not work as-is because of different addresses (for the crypto device and offsets for LK). Additionally, on Fire 7 7th gen the eMMC test point is hidden behind the shield that you need to desolder, so you will probably want to find a different way to enter the bootrom download mode.
Click to expand...
Click to collapse
This is very promising could you please elaborate, what exactly needs to be modified to port this to other MTK-hardware.
I have a fire 5th gen here and I can access brom-mode by pressing left mute button while pluging in.
tried your scripts as is (commenting out the parts that change rpmb or flash partitions) and it get's stuck at
Code:
[2019-01-28 00:01:40.973289] Disable bootrom range checks
Does the hash in load_payload.py (4dd12bdf0ec7d26c482490b3482a1b1f) need to be modified?
I do have the kernel-sources for the device and am willing to investigate correct addressing etc.
Also since this is a boot-rom exploit wouldn't it allow flashing a hacked preloader + lk which just ignore boot-signatures so we can just run a standard twrp?

k4y0z said:
This is very promising could you please elaborate, what exactly needs to be modified to port this to other MTK-hardware.
I have a fire 5th gen here and I can access brom-mode by pressing left mute button while pluging in.
tried your scripts as is (commenting out the parts that change rpmb or flash partitions) and it get's stuck at
Code:
[2019-01-28 00:01:40.973289] Disable bootrom range checks
Does the hash in load_payload.py (4dd12bdf0ec7d26c482490b3482a1b1f) need to be modified?
I do have the kernel-sources for the device and am willing to investigate correct addressing etc.
Also since this is a boot-rom exploit wouldn't it allow flashing a hacked preloader + lk which just ignore boot-signatures so we can just run a standard twrp?
Click to expand...
Click to collapse
So first of all make sure you're accessing bootrom mode and not preloader mode (Although if the preloader supports read/write, the exploit should work there as well, I just haven't tested it since on hd 8 8th gen none of preloaders support these). I suggest soldering on a UART adapter, then use 115200 baud rate. When in bootrom dl mode, you should see "[DL] 00000BB8 444C0005 010701" (basically, the "[DL]" part is the important one)
If it's a different soc, you will have to dump the bootrom and find the offset where range check data is stored (in my case, 0x102868). You might have to modify the 4dd12bdf0ec7d26c482490b3482a1b1f part as well, it's basically calculated as a xor of expected data and actual data it's written. Then, you'll also need to update the pointer I'm overwriting (0x1028A8 in my case, called ptr_send in brom-payload). Again, if executing under preloader it's gonna be completely different way to exploit it.
Once all this is done, you should be able to load binary payloads and execute them in bootrom mode. You'll also need to edit brom-payload and set up proper pointers to send_dword/recv_dword/etc, these can be found by reversing your bootrom dump. At this point it should be possible to get emmc read/write.
Finally, if you want a persistent unlock (and not just the ability to modify /system) you'll need to port lk exploit as well. So you'll have to figure if your lk is vulnerable to the same bug, port microloader, inject_microloader.py and lk-payload to use the proper offsets. It's a lot of work.
I'll hopefully finish my writeup in the next weeks and post a link to it, that should be easier to understand since I'll explain the whole process from start to finish.
You're right about being able to load a custom preloader/lk, however the bootrom exploit requires a PC connection and a bunch of USB commands (so in a way, it's "tethered"). The actual unlock exploit isn't using any bootrom bugs, but rather the lk bug, since that one works without a PC. In fact, the bootrom exploit is only used to flash stuff to eMMC (but, of course you could probably do more fun stuff with it) in my chain.

Thanks for your quick reply.
xyz` said:
So first of all make sure you're accessing bootrom mode and not preloader mode (Although if the preloader supports read/write, the exploit should work there as well, I just haven't tested it since on hd 8 8th gen none of preloaders support these). I suggest soldering on a UART adapter, then use 115200 baud rate. When in bootrom dl mode, you should see "[DL] 00000BB8 444C0005 010701" (basically, the "[DL]" part is the important one)
Click to expand...
Click to collapse
I'm pretty sure I'm in boot-rom, my preloader actually has direct read/write using read_mmc.py but that has been fixed in newer preloaders, so I would rather go the boot-rom route.
Have you tried if pressing left (or both) volume buttons while pluging in brings you to brom-mode as well, like it does on my device?
I'll attach a serial to check for the output.
xyz` said:
If it's a different soc, you will have to dump the bootrom and find the offset where range check data is stored (in my case, 0x102868). You might have to modify the 4dd12bdf0ec7d26c482490b3482a1b1f part as well, it's basically calculated as a xor of expected data and actual data it's written. Then, you'll also need to update the pointer I'm overwriting (0x1028A8 in my case, called ptr_send in brom-payload). Again, if executing under preloader it's gonna be completely different way to exploit it.
Click to expand...
Click to collapse
Any hint on how i would dump the bootrom? Also could you upload your boot-rom so I can compare once i got mine?
xyz` said:
Finally, if you want a persistent unlock (and not just the ability to modify /system) you'll need to port lk exploit as well. So you'll have to figure if your lk is vulnerable to the same bug, port microloader, inject_microloader.py and lk-payload to use the proper offsets. It's a lot of work.
Click to expand...
Click to collapse
Willing to put that work in
xyz` said:
I'll hopefully finish my writeup in the next weeks and post a link to it, that should be easier to understand since I'll explain the whole process from start to finish.
Click to expand...
Click to collapse
looking forward to your writeup.
xyz` said:
You're right about being able to load a custom preloader/lk, however the bootrom exploit requires a PC connection and a bunch of USB commands (so in a way, it's "tethered"). The actual unlock exploit isn't using any bootrom bugs, but rather the lk bug, since that one works without a PC. In fact, the bootrom exploit is only used to flash stuff to eMMC (but, of course you could probably do more fun stuff with it) in my chain.
Click to expand...
Click to collapse
I thought it might be possible to flash a preloader that exploits the same vulnerability, but from your explanation I assume that won't be possible.
For this device it would already be great to be able to overwrite RPMB to downgrade, since there was an LK that allowed booting into unsigned TWRP.

k4y0z said:
Thanks for your quick reply.
I'm pretty sure I'm in boot-rom, my preloader actually has direct read/write using read_mmc.py but that has been fixed in newer preloaders, so I would rather go the boot-rom route.
Have you tried if pressing left (or both) volume buttons while pluging in brings you to brom-mode as well, like it does on my device?
I'll attach a serial to check for the output.
Click to expand...
Click to collapse
Yep, I've tried and it didn't work, though it could be device-specific. There are several additional ways preloader can force you into bootrom download mode, for example if preloader has an assertion and you hold volume down, it just deletes itself from emmc and next boot you'd be in bootrom mode (this doesn't work on hd 8 though as there's a bug in how it's set up); then there's some button checks that sets up a SRAMROM_USBDL which bootrom checks (but the code for the button check isn't present on Fire preloader). So unfortunately the only option that worked for me is shorting eMMC to ground.
k4y0z said:
Any hint on how i would dump the bootrom? Also could you upload your boot-rom so I can compare once i got mine?
Click to expand...
Click to collapse
This will be in the writeup, it's too long to explain here. I'm not sure if I can share my dump since technically it's copyrighted code.
k4y0z said:
I thought it might be possible to flash a preloader that exploits the same vulnerability, but from your explanation I assume that won't be possible.
For this device it would already be great to be able to overwrite RPMB to downgrade, since there was an LK that allowed booting into unsigned TWRP.
Click to expand...
Click to collapse
Well, we only can flash preloaders signed by amazon. If you have a preloader/LK combination that doesn't have signature checks that's great, you can use that.

k4y0z said:
Any hint on how i would dump the bootrom? Also could you upload your boot-rom so I can compare once i got mine?
Click to expand...
Click to collapse
Also, here's what I used on my Fire 7:
Code:
def call_func(func):
sdr_write32(0x11010804, 3)
sdr_write32(0x11010808, 3)
sdr_write32(0x11010C00, func)
sdr_write32(0x11010400, 0)
while (not sdr_read32(0x11010800)):
pass
if (sdr_read32(0x11010800) & 2):
if ( not (sdr_read32(0x11010800) & 1) ):
while ( not sdr_read32(0x11010800) ):
pass
result = -1;
sdr_write32(0x11010804, 3)
else:
while ( not (sdr_read32(0x11010418) & 1) ):
pass
result = 0;
sdr_write32(0x11010804, 3)
return result
def hw_acquire():
sdr_write32(0x11010000, sdr_read32(0x11010000) & 0xFFFFFFF0)
sdr_write32(0x11010000, sdr_read32(0x11010000) | 0xF)
sdr_write32(0x11010004, sdr_read32(0x11010004) & 0xFFFFDFFF)
def hw_release():
sdr_write32(0x11010000, sdr_read32(0x11010000) & 0xFFFFFFF0)
sdr_write32(0x11010000, sdr_read32(0x11010000) | 0xF)
def init():
sdr_write32(0x11010C0C, 0)
sdr_write32(0x11010C10, 0)
sdr_write32(0x11010C14, 0)
sdr_write32(0x11010C18, 0)
sdr_write32(0x11010C1C, 0)
sdr_write32(0x11010C20, 0)
sdr_write32(0x11010C24, 0)
sdr_write32(0x11010C28, 0)
sdr_write32(0x11010C2C, 0)
sdr_write32(0x11010C00 + 18 * 4, [0] * 4)
sdr_write32(0x11010C00 + 22 * 4, [0] * 4)
sdr_write32(0x11010C00 + 26 * 4, [0] * 8)
def aes_read16(addr):
sdr_write32(0x11010C04, addr)
sdr_write32(0x11010C08, 0) # dst to invalid pointer
sdr_write32(0x11010C0C, 1)
sdr_write32(0x11010C14, 18)
sdr_write32(0x11010C18, 26)
sdr_write32(0x11010C1C, 26)
if call_func(126) != 0: # aes decrypt
raise Exception("failed to call the function!")
words = sdr_read32(0x11010C00 + 26 * 4, 4) # read out of the IV
data = b""
for word in words:
data += struct.pack("<I", word)
return data
def aes_write16(addr, data):
if len(data) != 16:
raise RuntimeError("data must be 16 bytes")
pattern = bytes.fromhex("6c38d88958fd0cf51efd9debe8c265a5")
# iv-xor
words = []
for x in range(4):
word = data[x*4:(x+1)*4]
word = struct.unpack("<I", word)[0]
pat = struct.unpack("<I", pattern[x*4:(x+1)*4])[0]
words.append(word ^ pat)
sdr_write32(0x11010C00 + 18 * 4, [0] * 4)
sdr_write32(0x11010C00 + 22 * 4, [0] * 4)
sdr_write32(0x11010C00 + 26 * 4, [0] * 8)
sdr_write32(0x11010C00 + 26 * 4, words)
sdr_write32(0x11010C04, 0xE680) # src to VALID address which has all zeroes (otherwise, update pattern)
sdr_write32(0x11010C08, addr) # dst to our destination
sdr_write32(0x11010C0C, 1)
sdr_write32(0x11010C14, 18)
sdr_write32(0x11010C18, 26)
sdr_write32(0x11010C1C, 26)
if call_func(126) != 0: # aes decrypt
raise Exception("failed to call the function!")
Try calling aes_read16(0) and see if it returns valid looking data (should start with "07 00 00 EA FE FF FF EA FE FF FF EA FE FF FF EA")

xyz` said:
Also, here's what I used on my Fire 7:
Try calling aes_read16(0) and see if it returns valid looking data (should start with "07 00 00 EA FE FF FF EA FE FF FF EA FE FF FF EA")
Click to expand...
Click to collapse
It seems to just hang with both aes_read16 and aes_write16.
It is probably related to the CRYPTO_BASE.
I tried finding the correct one here: https://github.com/chaosmaster/andr...ch/arm/mach-mt8127/include/mach/mt_reg_base.h
but didn't seem to find anything usefull (I tried CRYPTO_BASE = 0x1101B000, but that doesn't work either)

k4y0z said:
It seems to just hang with both aes_read16 and aes_write16.
It is probably related to the CRYPTO_BASE.
I tried finding the correct one here: https://github.com/chaosmaster/andr...ch/arm/mach-mt8127/include/mach/mt_reg_base.h
but didn't seem to find anything usefull (I tried CRYPTO_BASE = 0x1101B000, but that doesn't work either)
Click to expand...
Click to collapse
So what you can do is download a firmware update for your device, load up the preloader in IDA (or a disassembler of your choice) and search for "hw sha". You should see it used like this: https://i.imgur.com/1PcObV7.png. Then inside that function https://i.imgur.com/wvpq5Qm.png the first call is essentially hw_acquire, then hash, then hw_release. Going further https://i.imgur.com/D5Z9UoM.png. So the base in my case is 0x10210000. You should figure out at which point it hangs, if it's inside one of the while loops, make sure you call init() and hw_acquire() first (it's not always required, seems to be hw-dependent)

Porting the hack to Fire 7" 7th Generation
xyz` said:
So first of all make sure you're accessing bootrom mode and not preloader mode (Although if the preloader supports read/write, the exploit should work there as well, I just haven't tested it since on hd 8 8th gen none of preloaders support these). I suggest soldering on a UART adapter, then use 115200 baud rate. When in bootrom dl mode, you should see "[DL] 00000BB8 444C0005 010701" (basically, the "[DL]" part is the important one)
If it's a different soc, you will have to dump the bootrom and find the offset where range check data is stored (in my case, 0x102868). You might have to modify the 4dd12bdf0ec7d26c482490b3482a1b1f part as well, it's basically calculated as a xor of expected data and actual data it's written. Then, you'll also need to update the pointer I'm overwriting (0x1028A8 in my case, called ptr_send in brom-payload). Again, if executing under preloader it's gonna be completely different way to exploit it.
Once all this is done, you should be able to load binary payloads and execute them in bootrom mode. You'll also need to edit brom-payload and set up proper pointers to send_dword/recv_dword/etc, these can be found by reversing your bootrom dump. At this point it should be possible to get emmc read/write.
Finally, if you want a persistent unlock (and not just the ability to modify /system) you'll need to port lk exploit as well. So you'll have to figure if your lk is vulnerable to the same bug, port microloader, inject_microloader.py and lk-payload to use the proper offsets. It's a lot of work.
I'll hopefully finish my writeup in the next weeks and post a link to it, that should be easier to understand since I'll explain the whole process from start to finish.
You're right about being able to load a custom preloader/lk, however the bootrom exploit requires a PC connection and a bunch of USB commands (so in a way, it's "tethered"). The actual unlock exploit isn't using any bootrom bugs, but rather the lk bug, since that one works without a PC. In fact, the bootrom exploit is only used to flash stuff to eMMC (but, of course you could probably do more fun stuff with it) in my chain.
Click to expand...
Click to collapse
That was smart of you @xyz a genial solution.
You have proven that the "chain of trust" was a joke.
Many have said that what we were trying was impossible.
Did you realize on the 7" 7th Gen there are RST and EINT pads on the back of the photo I sent ?
Can we port your method to the 7th Gen by using RST instead of CLK to stop the MCU accessing the EMMC ?
Also the "watchdog" you disabled is on the RTC device of the MT6323 PMIC chip which in turn is on the I2C bus.
I can write to the I2C bus using a Bus Pirate v4, I already tried some write and seems I can do that too as an alternative.
Again the pads for accessing the I2C bus are on the back of the PCB of 7th Gen. tablets, they are labelled SCL2 and SDA2.
In a couple of week, or less, you have shown that Lab126 didn't deserve all that money for such a fake security mechanism.
I confirm that zeroing the "preloader" in "mmcblk0boot0" also forces the MCU to enter [DL] mode.
I was sure that investing time on the the [DL] mode would have paid back.
Again congratulation for the achievement and thank you for the time you have put on this.
.:HWMOD:.

hwmod said:
Did you realize on the 7" 7th Gen there are RST and EINT pads on the back of the photo I sent ?
Can we port your method to the 7th Gen by using RST instead of CLK to stop the MCU accessing the EMMC ?
Click to expand...
Click to collapse
I haven't tried with RST. Try it and see if you get a "[DL]" message on uart, if you do then it should work.
hwmod said:
Also the "watchdog" you disabled is on the RTC device of the MT6323 PMIC chip which in turn is on the I2C bus.
I can write to the I2C bus using a Bus Pirate v4, I already tried some write and seems I can do that too as an alternative.
Again the pads for accessing the I2C bus are on the back of the PCB of 7th Gen. tablets, they are labelled SCL2 and SDA2.
Click to expand...
Click to collapse
Yeah, I haven't investigated the watchdog too much. I don't think there's anything interesting you can do with it though.
hwmod said:
In a couple of week, or less, you have shown that Lab126 didn't deserve all that money for such a fake security mechanism.
I confirm that zeroing the "preloader" in "mmcblk0boot0" also forces the MCU to enter [DL] mode.
I was sure that investing time on the the [DL] mode would have paid back.
Click to expand...
Click to collapse
To be fair to lab126 all of the fail lies solely on mediatek. The bootrom code amazon probably doesn't even have access to, and LK is likely based on mediatek sources (although, it's a really obvious bug in image loading, come on). The boot chain is reasonably secure in its design, it's only the implementation that's flawed.

xyz` said:
So what you can do is download a firmware update for your device, load up the preloader in IDA (or a disassembler of your choice) and search for "hw sha". You should see it used like this: https://i.imgur.com/1PcObV7.png. Then inside that function https://i.imgur.com/wvpq5Qm.png the first call is essentially hw_acquire, then hash, then hw_release. Going further https://i.imgur.com/D5Z9UoM.png. So the base in my case is 0x10210000. You should figure out at which point it hangs, if it's inside one of the while loops, make sure you call init() and hw_acquire() first (it's not always required, seems to be hw-dependent)
Click to expand...
Click to collapse
Sadly i don't have the IDA decompiler, so just assembler it is :/
I did however find the correct CRYPTO_BASE I believe:
Code:
CRYPTO_BASE = 0x11010000
that gives the following output with aes_read16:
Code:
b'\x07\x00\x00\xea\xfe\xff\xff\xea\xfe\xff\xff\xea\xfe\xff\xff\xea'
aes_write16 now fails with "RuntimeError: ERROR: Serial protocol mismatch".
Can i dump the boot-rom with this now?

First of all, congrats and big thanks!
So, any hope for the 2017 HD8?

k4y0z said:
Sadly i don't have the IDA decompiler, so just assembler it is :/
I did however find the correct CRYPTO_BASE I believe:
Code:
CRYPTO_BASE = 0x11010000
that gives the following output with aes_read16:
Code:
b'\x07\x00\x00\xea\xfe\xff\xff\xea\xfe\xff\xff\xea\xfe\xff\xff\xea'
aes_write16 now fails with "RuntimeError: ERROR: Serial protocol mismatch".
Can i dump the boot-rom with this now?
Click to expand...
Click to collapse
Yeah, just go through all of the bootrom memory (0 to 0x20000, just to be sure, in 16 byte increments), call aes_read16 on it, concatenate everything and you'll get your bootrom dumped. It should end with a bunch of FF bytes so that's how you can tell the actual size.