[ROM][STOCK][Silent OS 2.0.8 RC4] Blackphone 2 - Miscellaneous Android Development

I am sharing a full stock ROM for SGP BP2 (Blackphone 2) which I got directly from Silent Circle support.
This ROM is not rooted because it's original; it would be awesome if someone is able to root it before I do.
Kernel: 3.10.49-gc6cf2ab
OS: Silent OS 2.0.8 RC4
Based on: Android Lollipop 5.1.1 (r1) and contains some Cyanogenmod files.
AOSP build: LMY47V
AOSP branch: android-5.1.1_r1
Here is a Google Drive folder with ROM files: https://drive.google.com/open?id=0BybUUdJE1dSZeUkxbE8wZUEtcHc
Folder contents:
BP2-OTA-2.0.8-RC4-candidate-ROW-1460729363.zip
This is a full stock ROM for models that contain letters 'RW' in their model name.
Example: BP2H001RW1 - letters "RW" indicate you should use that .zip
RW (ROW) means 'Rest of World'.
build.prop contents: http://paste.debian.net/901606/
BP2-OTA-2.0.8-RC4-candidate-NA-1460729363.zip
This is a full stock ROM for models that contain letters 'NA' and 'AM' in their model name.
Example: BP2H001AM1 - letters "AM" indicate you should use that .zip
NA means 'North America', AM means 'America'; probably the models being sold in that region are slightly different.
build.prop contents: http://paste.debian.net/901680/
boot.img
I've extracted 'boot.img' from the .zip and uploaded it separately, in case someone is looking only for the kernel and initrd.
boot.img is the same in both the NA and ROW ROMs.
recovery.img
It's a stock Android recovery image; I got it with dd after flashing BP2-OTA-2.0.8-RC4-candidate-ROW-1460729363.zip
md5sum:
Code:
afb4c7a26608d113b1b54da167fc0255 BP2-OTA-2.0.8-RC4-candidate-NA-1460729363.zip
180021957910afc484c76f4a2246c491 BP2-OTA-2.0.8-RC4-candidate-ROW-1460729363.zip
9e42e33b39244e8bfa6f250424c15270 boot.img
9c872f08f69a2b6cad93214c1089b03d recovery.img
sha1sum:
Code:
8164772318414d49389168495f732afb46467c1c BP2-OTA-2.0.8-RC4-candidate-NA-1460729363.zip
14010e518725146a8ebe52caf4723be4c69c3c9a BP2-OTA-2.0.8-RC4-candidate-ROW-1460729363.zip
a9bf9ce0a6f5b31860e228464fd3abbd9f232a57 boot.img
c76ea5c0ca330bf6dc2191d9db0bead1cac6d4c7 recovery.img
Known issues
Device name case mismatch ('bp2' vs 'BP2')
I wasn't able to reflash my device without modifying one file in a .zip
It may give you this error when you start updating:
Code:
This package is for "BP2" devices; this is a "bp2".
In that case you need to:
1) unpack a .zip file
2) find the file updater-script in the META-INF/com/google/android/ folder, which looks like:
Code:
get_device_compatible("BP2") == "OK" || abort("This package is for \"BP2\" devices; this is a \"" + getprop("ro.product.device") + "\".");
show_progress(0.750000, 0);
ui_print("Patching system image unconditionally...");
block_image_update("/dev/block/bootdevice/by-name/system", package_extract_file("system.transfer.list"), "system.new.dat", "system.patch.dat");
show_progress(0.050000, 5);
package_extract_file("boot.img", "/dev/block/bootdevice/by-name/boot");
show_progress(0.200000, 10);
3) change the letters 'BP2' to 'bp2', so the first line will look like this:
Code:
get_device_compatible("bp2") == "OK" || abort("This package is for \"BP2\" devices; this is a \"" + getprop("ro.product.device") + "\".");
4) Pack everything back into a .zip file
5) Apply the update from the new .zip file using stock recovery.
System image format
If you have a TWRP recovery instead of stock, you won't be able to flash the ROM from the .zip (for some unknown reason it just doesn't flash the system partition).
You will need to extract the ROM .zip and use sdat2img tool to convert lollipop's system.new.dat format to system.img (raw format), after that you can flash system.img directly using TWRP or dd.
Follow this manual for Linux: http://forum.xda-developers.com/showpost.php?p=57635842&postcount=2
For Windows: http://forum.xda-developers.com/android/help/extract-dat-marshmallow-lollipop-easily-t3334117
Alternatively, you can flash stock recovery.img that I listed above, boot it and flash .zip from it directly.
Mounting /system with read-write using TWRP causes a bootloop
Thread: http://forum.xda-developers.com/android/help/blackphone-2-bootloop-rw-mount-using-t3516862
Security vulnerabilities
This ROM is vulnerable to these attacks according to QuadRooter Scanner:
CVE-2016-2059 - "QuadRooter"
CVE-2016-2504 - Elevation of privilege vulnerability in Qualcomm GPU driver
You may need to upgrade to the latest Silent OS version using OTA updater in order to mitigate these.
On the other hand, you may root your device using one of these vulns before upgrading, if there is a root method that uses the QuadRooter exploit (I believe there will be one soon).
Oh c'mon Silent Circle, you made it annoying, just let us use root privileges peacefully, we are aware of damn risks!
Useful information
/proc/mounts
Code:
rootfs / rootfs ro,relatime 0 0
tmpfs /dev tmpfs rw,seclabel,nosuid,relatime,size=1481408k,nr_inodes=182626,mode=755 0 0
devpts /dev/pts devpts rw,seclabel,relatime,mode=600 0 0
proc /proc proc rw,relatime 0 0
sysfs /sys sysfs rw,seclabel,relatime 0 0
selinuxfs /sys/fs/selinux selinuxfs rw,relatime 0 0
none /var tmpfs rw,seclabel,relatime,size=1481408k,nr_inodes=182626,mode=770,gid=1000 0 0
debugfs /sys/kernel/debug debugfs rw,relatime 0 0
none /acct cgroup rw,relatime,cpuacct 0 0
none /sys/fs/cgroup tmpfs rw,seclabel,relatime,size=1481408k,nr_inodes=182626,mode=750,gid=1000 0 0
tmpfs /mnt/asec tmpfs rw,seclabel,relatime,size=1481408k,nr_inodes=182626,mode=755,gid=1000 0 0
tmpfs /mnt/obb tmpfs rw,seclabel,relatime,size=1481408k,nr_inodes=182626,mode=755,gid=1000 0 0
none /dev/cpuctl cgroup rw,relatime,cpu 0 0
adb /dev/usb-ffs/adb functionfs rw,relatime 0 0
/dev/block/dm-0 /system ext4 ro,seclabel,relatime,discard,data=ordered 0 0
/dev/block/bootdevice/by-name/cache /cache ext4 rw,seclabel,nosuid,nodev,relatime,data=ordered 0 0
/dev/block/bootdevice/by-name/persist /persist ext4 rw,seclabel,nosuid,nodev,relatime,data=ordered 0 0
/dev/block/bootdevice/by-name/modem /firmware vfat ro,context=u:object_r:firmware_file:s0,relatime,uid=1000,gid=1000,fmask=0337,dmask=0227,codepage=437,iocharset=iso8859-1,shortname=lower,errors=remount-ro 0 0
/dev/block/vold/179:65 /mnt/media_rw/sdcard1 vfat rw,dirsync,nosuid,nodev,noexec,relatime,uid=1023,fmask=0007,dmask=0007,allow_utime=0020,codepage=437,iocharset=iso8859-1,shortname=mixed,utf8,errors=remount-ro 0 0
/dev/fuse /storage/sdcard1 fuse rw,nosuid,nodev,noexec,relatime,user_id=1023,group_id=1023,default_permissions,allow_other 0 0
/dev/block/dm-1 /data ext4 rw,seclabel,nosuid,nodev,relatime,discard,noauto_da_alloc,data=ordered 0 0
/dev/fuse /mnt/shell/emulated fuse rw,nosuid,nodev,noexec,relatime,user_id=1023,group_id=1023,default_permissions,allow_other 0 0
/dev/fuse /mnt/shell/emulated/0 fuse rw,nosuid,nodev,noexec,relatime,user_id=1023,group_id=1023,default_permissions,allow_other 0 0
/proc/partitions
Code:
major minor #blocks name
179 0 30539776 mmcblk0
179 1 512 mmcblk0p1
179 2 512 mmcblk0p2
179 3 1024 mmcblk0p3
179 4 1024 mmcblk0p4
179 5 512 mmcblk0p5
179 6 512 mmcblk0p6
179 7 512 mmcblk0p7
179 8 512 mmcblk0p8
179 9 512 mmcblk0p9
179 10 512 mmcblk0p10
179 11 1024 mmcblk0p11
179 12 1024 mmcblk0p12
179 13 1536 mmcblk0p13
179 14 1536 mmcblk0p14
179 15 1 mmcblk0p15
179 16 8 mmcblk0p16
179 17 10240 mmcblk0p17
179 18 10240 mmcblk0p18
179 19 65536 mmcblk0p19
179 20 32 mmcblk0p20
179 21 65536 mmcblk0p21
179 22 1536 mmcblk0p22
179 23 16 mmcblk0p23
179 24 32768 mmcblk0p24
179 25 1966080 mmcblk0p25
179 26 32768 mmcblk0p26
179 27 917504 mmcblk0p27
179 28 32768 mmcblk0p28
179 29 1024 mmcblk0p29
179 30 512 mmcblk0p30
179 31 512 mmcblk0p31
259 0 32 mmcblk0p32
259 1 27162575 mmcblk0p33
179 32 4096 mmcblk0rpmb
179 64 3855360 mmcblk1
179 65 3851264 mmcblk1p1
254 0 1950564 dm-0
254 1 27162575 dm-1
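A pre-flight check for the 'bp2' vs 'BP2' issue from the first post, as an added example that is not part of the original post or of Silent Circle's tooling: it verifies the download against a published SHA-1, reads the device name the updater-script requires, and only then writes a repacked copy as in steps 1-4. The function names and the constructed stand-in package are assumptions; real use would pass the downloaded .zip and the matching sha1sum value from the post.

```python
import hashlib
import os
import re
import shutil
import tempfile
import zipfile

SCRIPT = "META-INF/com/google/android/updater-script"
# The device check on the first line of the updater-script quoted in the post.
ASSERT_RE = re.compile(r'get_device_compatible\("([^"]+)"\)')


def sha1_of(path, chunk=1 << 20):
    """SHA-1 of a file, streamed so a large ROM is never held in memory."""
    h = hashlib.sha1()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(chunk), b""):
            h.update(block)
    return h.hexdigest()


def asserted_device(zip_path):
    """Device name the package requires, or None if the script has no such check."""
    with zipfile.ZipFile(zip_path) as z:
        text = z.read(SCRIPT).decode("utf-8", "replace")
    m = ASSERT_RE.search(text)
    return m.group(1) if m else None


def preflight(zip_path, published_sha1, device):
    """Compare the download with its published SHA-1, then compare device names."""
    wanted = asserted_device(zip_path)
    return {
        "sha1_ok": sha1_of(zip_path) == published_sha1.strip().lower(),
        "asserted": wanted,
        "exact_match": wanted == device,
        # True for the 'BP2' vs 'bp2' situation: same name, different case.
        "case_only_mismatch": (wanted is not None and wanted != device
                               and wanted.lower() == device.lower()),
    }


def repack_with_device(src, dst, device):
    """Steps 1-4 of the post: copy every entry, changing only the name checked
    by get_device_compatible(). Returns the SHA-1 of the new file, which no
    longer equals the published checksum of the original download."""
    with zipfile.ZipFile(src) as zin, zipfile.ZipFile(dst, "w") as zout:
        for item in zin.infolist():
            out = zipfile.ZipInfo(item.filename, item.date_time)
            out.compress_type = item.compress_type
            out.external_attr = item.external_attr
            out.file_size = item.file_size  # lets zipfile pick zip64 only if needed
            with zin.open(item) as fin, zout.open(out, "w") as fout:
                if item.filename == SCRIPT:
                    text = fin.read().decode("utf-8")
                    text = ASSERT_RE.sub(
                        lambda m: 'get_device_compatible("%s")' % device,
                        text, count=1)
                    fout.write(text.encode("utf-8"))
                else:
                    shutil.copyfileobj(fin, fout)
    return sha1_of(dst)


def build_constructed_ota(path):
    """Constructed stand-in for the real package: same script line, dummy boot.img."""
    script = ('get_device_compatible("BP2") == "OK" || abort("This package is for '
              '\\"BP2\\" devices; this is a \\"" + getprop("ro.product.device") '
              '+ "\\".");\n'
              'show_progress(0.750000, 0);\n')
    with zipfile.ZipFile(path, "w", zipfile.ZIP_DEFLATED) as z:
        z.writestr(SCRIPT, script)
        z.writestr("boot.img", b"\x00" * 4096)
    return path


if __name__ == "__main__":
    work = tempfile.mkdtemp()
    src = build_constructed_ota(os.path.join(work, "constructed-ota.zip"))
    published = sha1_of(src)  # stands in for the sha1sum line from the post
    report = preflight(src, published, "bp2")
    print(report)
    if report["sha1_ok"] and report["case_only_mismatch"]:
        dst = os.path.join(work, "constructed-ota-bp2.zip")
        print("repacked sha1:", repack_with_device(src, dst, "bp2"))
        print("now asserts:", asserted_device(dst))
```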

This is great

drivers for blackphone 2
I recently purchased a blackphone2. It had TWRP recovery installed and some version of Lollipop, and the phone was not rooted. I tried to install the stock ROM which Silent Circle supplied. But while flashing through TWRP it always generated error 6 or 7. I even tried OS 1 and 2; all gave the same error. Then I saw the info from your thread. I flashed the stock recovery and was successful in flashing it; however, the stock ROM installation always gets stuck at "patching system image unconditionally". One more thing: my blackphone is not recognized by any PC. Maybe I do not have the drivers. I think I had to flash the boot.image file also, which I missed. Now stuck in the stock recovery, how can I flash the boot image file, when I don't have the USB drivers either? Please help.
mansoor

cmegmhi said:
[...]
I flashed the stock recovery and was successful in flashing it however the stock rom installation always get stuck at "patching system image unconditionally".
A "patching system image unconditionally" step may take some time because it's extracting a big image.
Can you try flashing one of .zip's from the google folder I published in this thread using a stock recovery?
Also, make sure you do "wipe data/factory reset" and "wipe cache partition" before flashing the .zip
Also, you can use a 'reboot to bootloader' option and boot or flash any image using fastboot
In order to get your phone recognized via USB, you need adb and fastboot installed on your computer and the appropriate drivers, search this forum to get HOW-TO's on that, there are many.

polartux said:
A "patching system image unconditionally" step may take some time because it's extracting a big image.
Can you try flashing one of .zip's from the google folder I published in this thread using a stock recovery?
Also, make sure you do "wipe data/factory reset" and "wipe cache partition" before flashing the .zip
Also, you can use a 'reboot to bootloader' option and boot or flash any image using fastboot
In order to get your phone recognized via USB, you need adb and fastboot installed on your computer and the appropriate drivers, search this forum to get HOW-TO's on that, there are many.
I have flashed the boot image as well as the recovery image from the above mentioned links. However, from the recovery, as I said earlier, system flashing using the zip file does not complete and is stuck forever. I can boot to bootloader through recovery, but how do I flash the image file of the ROM when I have the zip file? How can I convert the zip file to an image file? Any idea?
A bundle of thanks for the help

cmegmhi said:
I have flashed the boot image as well as the recovery image from the above mentioned links. However from the recovery as I said earlier system flashing using the zip file does not complete and stuck for ever. I can boot to bootloader through recovery but how to flash the image file of rom as I have the zip file. How can I convert the zip file to image file. Any idea
A bundle of thanks for the help
The ROM posted above occupies more than 1.7 GB in the system partition, whereas the system partition I got on my phone is around 1.48 GB. Could this be the reason for the phone to get stuck during the rom installation "patching the system image unconditionally". If so the way out could be the resizing of the system partition. Based on this idea I have been looking around on the internet for a system resizing app for blackphone 2 without any success. Please guide me in this matter
Thanks in advance

How to Verify Which One is letters "RW" Or 'NA' and 'AM'

I have unlocked bootloader and phone in bootloop, no way to rescue it? (bootloader and recovery works)
I have twrp and unlocked bootloader
how I do this? "sdat2img tool to convert lollipop's system.new.dat format to system.img"

How to root this phone and remove google apps? Many thanks

You probably should just flash a new rom and start over?

Silent OS 3.0.8 update disables cellular network in Blackphone 2 (unlicensed device)
Blackphone 2 not bought from Silent Circle or an approved vendor of Silent Circle will become an unlicensed device
after installation of Silent OS 3.0.8.
I bought my phone from coolicool.com. Cellular network connections didn't work after the update.
I contacted Silent Circle's support but they didn't want to help me because the phone was bought from
a non-approved vendor.
This Android 5.1.1 ROM re-enabled the cellular connectivity in my phone. Thank you!

Silent Circle will become an unlicensed device
I'm in the same case as you. At least I have a phone again, although the version of android is older.
Thanks!!!
akikoo said:
Blackphone 2 not bought from Silent Circle or an approved vendor of Silent Circle will become an unlicensed device
after installation of Silent OS 3.0.8.
I bought my phone from coolicool.com. Cellular network connections didn't work after the update.
I contacted Silent Circle's support but they didn't want to help me because the phone was bought from
a non-approved vendor.
This Android 5.1.1 ROM re-enabled the cellular connectivity in my phone. Thank you!

akikoo said:
Blackphone 2 not bought from Silent Circle or an approved vendor of Silent Circle will become an unlicensed device
after installation of Silent OS 3.0.8.
I bought my phone from coolicool.com. Cellular network connections didn't work after the update.
I contacted Silent Circle's support but they didn't want to help me because the phone was bought from
a non-approved vendor.
This Android 5.1.1 ROM re-enabled the cellular connectivity in my phone. Thank you!
Yeah me too, bought from an online store in Malaysia. Not only they disabled the SIM module, also ALL GOOGLE SERVICES as well..
This sucks so bad....

Silent Circle support's reply
Here's the reply I got from Silent Circle's support. I sent them the serial number and IMEI of the phone.
Like the online shop would be able to do anything for the f*cking OTA update...
------------------------------------------------------------------------------------------------------------------------------------------
Hello,
Upon review of the IMEI number (XXXXXXXXXXXXXXX) you provided, it has been determined this device
is not a genuine Silent Circle Blackphone2. This device was not sold by Silent Circle or
an approved vendor of Silent Circle and therefore we are unable to provide any further assistance.
We recommend you contact the original vendor directly for further assistance.
To purchase a Silent Circle genuine device please visit the following URL:
Sincerely,
Silent Circle Technical Support
------------------------------------------------------------------------------------------------------------------------------------------

Hello, I bought this phone from myefox and I'm waiting. So if I followed the upgrade I lose all network functionality ?. Or the phone can still work?

bastard81 said:
Hello, I bought this phone from myefox and I'm waiting. So if I followed the upgrade I lose all network functionality ?. Or the phone can still work?
When I first received the phone, OTA upgraded the phone to Silent OS 3.0.7, everything works fine.
Just don't go to 3.0.8
---------- Post added at 01:52 PM ---------- Previous post was at 01:27 PM ----------
akikoo said:
Here's the reply I got from Silent Circle's support. I sent them the serial number and IMEI of the phone.
Like the online shop would be able to do anything for the f*cking OTA update...
------------------------------------------------------------------------------------------------------------------------------------------
Hello,
Upon review of the IMEI number (XXXXXXXXXXXXXXX) you provided, it has been determined this device
is not a genuine Silent Circle Blackphone2. This device was not sold by Silent Circle or
an approved vendor of Silent Circle and therefore we are unable to provide any further assistance.
We recommend you contact the original vendor directly for further assistance.
To purchase a Silent Circle genuine device please visit the following URL:
Sincerely,
Silent Circle Technical Support
------------------------------------------------------------------------------------------------------------------------------------------
It's kinda sad and frustrating that this kind of attitude exists, I mean, c'mon.. How can you say it's not genuine???
It's obviously a GENUINE SILENT CIRCLE BLACK PHONE 2! It's just that someone else got their hands on the stock and sold it!
PLUS, I bet Silent Circle themselves leaked out the so-called "unlicensed" devices to test the market.
That explains why there wasn't any "license checking" prior to version 3.0.8!!
Good thing there's the stock ROM, and I bought the phone cheap around USD 130.

Any idiot would know! How can an original blackphone, listed on SC's website at $600 still, be sold at $130? Furthermore, this is through a Chinese website, sending you from China.
---------- Post added at 04:01 PM ---------- Previous post was at 03:49 PM ----------
Btw, coolicool and efox: they have the same owner from China!


akikoo said:
Blackphone 2 not bought from Silent Circle or an approved vendor of Silent Circle will become an unlicensed device
after installation of Silent OS 3.0.8.
I bought my phone from coolicool.com. Cellular network connections didn't work after the update.
I contacted Silent Circle's support but they didn't want to help me because the phone was bought from
a non-approved vendor.
This Android 5.1.1 ROM re-enabled the cellular connectivity in my phone. Thank you!
That's what i went so... I bought my phone from antelife.com.
How to install this ROM? Someone please describe step by step! Thanks!

How to install the Android 5.1 update rom from this thread
kovikee said:
That's what i went so... I bought my phone from antelife.com.
How to install this ROM? Someone please describe step by step! Thanks!
Copy the zip file BP2-OTA-2.0.8-RC4-candidate-ROW-1460729363.zip from the first post to your sd card. I renamed it to update.zip.
Power off your phone.
Put the sd card into the sd card/sim card tray.
Press volume up and power button until your phone turns on. Keep the volume up button pressed down until you land in the recovery menu. From there you can select the menu entry that says something like apply update from sd card.

Related

garyd9's CWM and root on P6200L

Hi.. I can't post in dev thread yet, so I'm posting this in general forum...
I tried to root and install CWM using instruction posted by garyd9 in this thread: http://forum.xda-developers.com/showthread.php?t=1392348
I have a GT7+ (GT-P6200L) bought in Chile, Wifi+3G+Ir. I thought that installing that P6200 version would work, but Android System recovery <3e> says
Code:
ERROR: This should only be installed on a Samsung GT-P6200
called abort ()
E:Error in /tmp/sideload/package.zip
(Status 7)
Instalation aborted
I know this tablet is very new and the community around it is growing slowly... so maybe more people will come with this problem/error. Maybe garyd9 can help us and create a version for this exact model, I can provide him more information about it. I also have a LG O1 with CM7 so this is not my first time using modded zips/roms... I also use a linux distro, so that can help, sadly I can't write a line of code... :-(
Thanks for your help!
Wow, another tab+ variant. Try the one for 6210 or the t869
Wouldn't recommend trying anyone else's recoveries. You could permanently overwrite yours. PM garyd, I'm sure he's willing to help one way or another when he can.
The CWM recovery packages I put together check for the existing model number to ensure the proper one gets installed. Yes, I'm paranoid. You should be too.
I haven't built for the P6200L, as I never even heard of it before today. Is it a region specific model?
Here's what I need to get started (instructions vague on purpose - there's risk being the first person with a model to try this stuff and if you aren't comfortable with my poor instructions, then it'd be best to not risk bricking the device.):
output from the 'mount' command run as root, and output from "cat /proc/partitions" (or maybe that's just /proc/partition) command also run as root. Once I have that, I'll need dumps from one or two partitions to ensure things are how I think they are, and to pull stuff from the ramdisk from the recovery partition. Then the kernel source (which I can get directly from Samsung), and so on...
Take care
Gary
garyd9 said:
The CWM recovery packages I put together check for the existing model number to ensure the proper one gets installed. Yes, I'm paranoid. You should be too.
Sure I am. I found that your work with CWM+root was easier to install and safer. I don't want to install CWM using Rom Manager until it is confirmed stable/working with 3g+phone.
garyd9 said:
I haven't built for the P6200L, as I never even heard of it before today. Is it a region specific model?
It seems to be. More specifications:
Model: GT-P6200L
Functions: GSM+WiFi+3g+Ir
Other features: 16GB + white back case
Android version: 3.2
Baseband version: P6200LUBKK2
Kernel version: 2.6.36-P6200LUBKK2-CL586434 [email protected] #3
Compilation number: HTJ85B.UBKK2 P6200LUBKK2
Picture of the box attached below
garyd9 said:
Here's what I need to get started (instructions vague on purpose - there's risk being the first person with a model to try this stuff and if you aren't comfortable with my poor instructions, then it'd be best to not risk bricking the device.):
I finally used bdigitalstudio method to root my tab, and it's working OK.
garyd9 said:
output from the 'mount' command run as root, and output from "cat /proc/partitions" (or maybe that's just /proc/partition) command also run as root.
$ su
# mount
rootfs / rootfs ro,relatime 0 0
tmpfs /dev tmpfs rw,nosuid,relatime,mode=755 0 0
devpts /dev/pts devpts rw,relatime,mode=600 0 0
proc /proc proc rw,relatime 0 0
sysfs /sys sysfs rw,relatime 0 0
none /acct cgroup rw,relatime,cpuacct 0 0
tmpfs /mnt/asec tmpfs rw,relatime,mode=755,gid=1000 0 0
tmpfs /mnt/obb tmpfs rw,relatime,mode=755,gid=1000 0 0
none /dev/cpuctl cgroup rw,relatime,cpu 0 0
/dev/block/mmcblk0p9 /system ext4 ro,noatime,barrier=1,data=ordered,discard 0 0
/dev/block/mmcblk0p10 /data ext4 rw,nosuid,nodev,noatime,barrier=1,data=ordered,noauto_da_alloc 0 0
/dev/block/mmcblk0p7 /cache ext4 rw,nosuid,nodev,noatime,barrier=1,data=ordered 0 0
/dev/block/mmcblk0p1 /efs ext4 rw,nosuid,nodev,noatime,barrier=1,data=ordered 0 0
/dev/block/mmcblk0p4 /mnt/.lfs j4fs rw,relatime 0 0
/sys/kernel/debug /sys/kernel/debug debugfs rw,relatime 0 0
/dev/fuse /mnt/sdcard fuse rw,nosuid,nodev,relatime,user_id=1023,group_id=1023,default_permissions,allow_other 0 0
tmpfs /mnt/sdcard/extStorages tmpfs ro,relatime,mode=755,gid=1000 0 0
/dev/block/vold/179:17 /mnt/sdcard/extStorages/SdCard vfat rw,dirsync,nosuid,nodev,noexec,relatime,uid=1000,gid=1023,fmask=0002,dmask=0002,allow_utime=0020,codepage=cp437,iocharset=iso8859-1,shortname=mixed,utf8,errors=remount-ro 0 0
# cat /proc/partitions
major minor #blocks name
179 0 15388672 mmcblk0
179 1 20480 mmcblk0p1
179 2 1280 mmcblk0p2
179 3 1280 mmcblk0p3
179 4 8192 mmcblk0p4
179 5 8192 mmcblk0p5
179 6 8192 mmcblk0p6
179 7 204800 mmcblk0p7
179 8 16384 mmcblk0p8
179 9 786432 mmcblk0p9
179 10 13791232 mmcblk0p10
179 11 524288 mmcblk0p11
179 12 8192 mmcblk0p12
179 16 1927168 mmcblk1
179 17 1927100 mmcblk1p1
garyd9 said:
Once I have that, I'll need dumps from one or two partitions to ensure things are how I think they are, and to pull stuff from the ramdisk from the recovery partition. Then the kernel source (which I can get directly from samsung), and so -on...
Was my first time dumping images, but finally I did dumps from system (mmcblk0p9, factoryfs.rfs, +800MB) and recovery (mmcblk0p6, recovery.bin, 8.4MB). I don't know if my work could also be useful as a firmware version for the proper thread in development section. If you need those dumps I can upload them to megaupload or another sharing service.
Thanks for your help!
Interesting. Please run the following two commands as root on the tablet. This will create two files that you should transfer to your PC, zip up, and upload somewhere:
Code:
dd if=/dev/block/mmcblk0p5 of=/sdcard/partition5.img bs=4096
dd if=/dev/block/mmcblk0p6 of=/sdcard/partition6.img bs=4096
(No personal information is stored in either of these partitions.)
The resulting files, partition5.img and partition6.img contain, I hope, your normal boot kernel and recovery boot kernel. (I can't be sure which is which until I see them.) Use your favorite method to get them zip'd up and uploaded somewhere - and send me a PM with a URL where I can download.
I should be able to put together a recovery either early Friday (US Eastern Time) or late Saturday. (I'll be getting drunk Friday night and will hopefully be hungover early Sat.)
Take care
Gary
garyd9 said:
The resulting files, partition5.img and partition6.img contain, I hope, your normal boot kernel and recovery boot kernel. (I can't be sure which is which until I see them.)
partition6 (mmcblk0p6) is recovery, according to last_log file in /cache
Code:
[collecting table information]
recovery filesystem table
=========================
0 '/tmp' 'ramdisk' '(null)' '(null)' 0
1 '/efs' 'ext4' '/dev/block/mmcblk0p1' '(null)' 0
2 '/boot' 'emmc' '/dev/block/mmcblk0p2' '(null)' 0
3 '/recovery' 'emmc' '/dev/block/mmcblk0p6' '(null)' 0
4 '/cache' 'ext4' '/dev/block/mmcblk0p7' '(null)' 0
5 '/system' 'ext4' '/dev/block/mmcblk0p9' '(null)' 0
6 '/data' 'ext4' '/dev/block/mmcblk0p10' '(null)' -16384
7 '/preload' 'ext4' '/dev/block/mmcblk0p11' '(null)' 0
8 '/sdcard' 'vfat' '/dev/block/mmcblk1p1' '/dev/block/mmcblk1
' 0
no info about kernel on that file.
garyd9 said:
Use your favorite method to get them zip'd up and uploaded somewhere - and send me a PM with a URL where I can download.
Thank you again!
My wife wasn't in the mood, so I threw this together instead. Please read your PM, test, and let me know if it works. If so, I'll post it in the dev subforum.
Yes I also got P6200L here in Thailand (for 3G-850MHz)
ps000000 said:
Yes I also got P6200L here in Thailand (for 3G-850MHz)
I put together a recovery for testing on the 'L' variant and sent it to the OP, but he never got back to me on it...
any updates on the root and cwm for p6200L...???
i used the other method to root and then download superuser, busybox and rom manager from market. Then used rom manager to install cwm for s2.
Anyone have any idea if it'd be ok if i flash any p6200 stock rom my p6200l??
Edit: NVM just flashed with Russian p6200 Stock Rom and everything works fine including garyd9 root method. Rom changes Device Name to p6200..
Thankx Garyd9 for your root + cwm method...
you can connect to 3g?
pratik.np said:
any updates on the root and cwm for p6200L...???
i used the other method to root and then download superuser, busybox and rom manager from market. Then used rom manager to install cwm for s2.
Anyone have any idea if it'd be ok if i flash any p6200 stock rom my p6200l??
Edit: NVM just flashed with Russian p6200 Stock Rom and everything works fine including garyd9 root method. Rom changes Device Name to p6200..
Thankx Garyd9 for your root + cwm method...
you install the russian rom and still can connect to 3g ?
I'll try it
garyd9 said:
I put together a recovery for testing on the 'L' variant and sent it to the OP, but he never got back to me on it...
I have also a p6200l and if you send me the cwm you made i'll be more than happy to try it.
I've been looking around and there is no cwm available for this tab so you are our only shot.
cheers
sebarg said:
I have also a p6200l and if you send me the cwm you made i'll be more than happy to try it.
I've been looking around and there is no cwm available for this tab so you are our only shot.
cheers
So, have you tested?
hi there, another one here from Chile with the 6200L variant ...
still looking for a CWM for my tablet that works ... any results around here?
garyd9 hasn't answered me so I haven't tried it yet
The first person never got back to me. Some time after that, another person asked and I asked them to remind me on a Friday (so I'd have the time to pull the stuff together again.) They never got back to me.
At this point, I've purged the stuff from my hard drive (actually, it's more accurate to say that I replaced that HDD and didn't bother to copy that stuff over from the old one.) So, I'd have to recreate everything...
I'd suggest just hanging on until ICS shows up. As sarcastic as I might be about it, it really should make an appearance in the next 4-5 weeks... (I hope..)
Take care
Gary
OK, let's wait then, lol, especially the ICS update.
Root works using this method: http://forum.xda-developers.com/showthread.php?t=1367249
Now we need CWM.
Confirmed that it works!

[DEV] Unofficial Clockworkmod recovery for Lenovo Ideapad A1

This version of ClockworkMod recovery has been produced by Milaq
There's currently a github repository for the device/lenovo/a1 folder in the Cyanogenmod Android tree at https://github.com/gmarkall/android_device_ideapad_a1
Current status: CWM v6.0.1.2 by Milaq
Download: http://milaq.exnet.me/downloads/android/a107/cwm-6.0.1.2-ideapad-a1.zip
What appears to work: backing up, erasing and restoring /system, /data, /cache and /sd-ext. Installing zips from internal and external SD cards. Touchscreen calibration. Partitioning the external SD card. Installing OTA packages also works, but they will wipe out this recovery
What's not supported: backup/restore of the x-loader, u-boot, kernel or ramdisks.
Installation of 6.0.1.2 from the stock recovery
WARNING/DISCLAIMER: Although the recovery has now been tested by several people and there have been no problems reported, there is still a small risk of damage or problems due to unforeseen issues. The unlikely worst case scenario is that your A1 will be bricked. In the event that something goes wrong, I will do my best to help recover the situation, but I am not liable for any damage incurred. It is up to you to decide if you want to take this risk. If you are not comfortable with the risk, then do not attempt to install the recovery!
Now that's out of the way, and if you're willing to take the risk, the following steps should be taken to install the recovery:
1. Download the file "cwm-6.0.1.2-ideapad-a1.zip" from the hosting page.
2. Copy this file to the root of the internal SD card and rename it to update.zip (so the full path should be /sdcard/update.zip)
3. Power down the Ideapad.
4. Hold down volume down and turn the power back on, keeping volume down held until the tablet boots up to an image of an arrow out of a box with an android (this is the stock recovery).
5. Wait whilst Clockworkmod recovery installs. The progress bar should fill up.
6. Once the installation has finished, you should see a green tick in a green triangle and the ideapad will power down.
7. You can now power on as normal to get back to Android, or power on with volume down held to get into Clockworkmod recovery
8. Please post your experiences, and any issues you encounter in responses to this thread - feedback will be really helpful to smooth out any issues, and/or to gain confidence that the recovery is working properly.
Installation from an older version of Clockworkmod
If you have installed a previously released version of this CWM, you can install the latest version in the usual way in which zips are installed in CWM.
Going back to stock
You can install the stock-a1-recovery.zip file using Clockworkmod to go back to the stock recovery.
IRC Channel
#ideapad-a1 on irc.freenode.net
Thanks to
Milaq, who built the recovery
Henge, for providing me with information before I got my Ideapad
Spiegeleixxl, for information about the bootloader and how to produce a bootable SD card
Imritechere, Otti17, and Mikerizzo97 for testing out the recovery
Xbdesign, for translating installation instructions into German, and testing the 5.0.2.8 recovery and MBR
Kryszan, for translating installation instructions into Polish
Monsefito, for Spanish translation of instructions
Great job. Thank you in advance for your hard work
Sent from my A1_07 using Tapatalk
Yes! All the best for your endeavor!
Hmm, let's see...
Code:
$ cat /proc/emmc
/proc/emmc: No such file or directory
Maybe this helps...?
Code:
$ cat /proc/partitions
major minor #blocks name
179 0 15388672 mmcblk0
179 1 292969 mmcblk0p1
179 2 195312 mmcblk0p2
179 3 1953125 mmcblk0p3
179 4 34180 mmcblk0p4
179 5 12856445 mmcblk0p5
179 16 3872768 mmcblk1
179 17 3872737 mmcblk1p1
Hi Henge,
Thanks for that! I didn't realise there would be no /proc/emmc - perhaps it had a /proc/mtd instead...
Would you be able to show me the output of the mount command as well please? Then I should be able to figure out which of those partitions is which of system, data, etc.
Many thanks for your help!
No, no /proc/mtd either.
Here's the output of mount:
Code:
$ mount
rootfs / rootfs ro,relatime 0 0
tmpfs /dev tmpfs rw,relatime,mode=755 0 0
devpts /dev/pts devpts rw,relatime,mode=600 0 0
proc /proc proc rw,relatime 0 0
sysfs /sys sysfs rw,relatime 0 0
none /acct cgroup rw,relatime,cpuacct 0 0
tmpfs /mnt/asec tmpfs rw,relatime,mode=755,gid=1000 0 0
tmpfs /mnt/obb tmpfs rw,relatime,mode=755,gid=1000 0 0
/dev/block/mmcblk0p1 /system ext3 ro,relatime,errors=continue,barrier=0,data=writeback 0 0
/dev/block/mmcblk0p2 /cache ext3 rw,nosuid,nodev,relatime,errors=continue,barrier=0,data=writeback 0 0
/dev/block/mmcblk0p3 /data ext3 rw,nosuid,nodev,relatime,errors=continue,barrier=0,data=writeback 0 0
/dev/block/mmcblk0p4 /.secure ext3 rw,nosuid,nodev,relatime,errors=continue,barrier=0,data=writeback 0 0
none /dev/cpuctl cgroup rw,relatime,cpu 0 0
debugfs /debug debugfs rw,relatime 0 0
/dev/block/mmcblk0p5 /mnt/sdcard vfat rw,dirsync,nosuid,nodev,noexec,relatime,uid=1000,gid=1015,fmask=0002,dmask=0002,allow_utime=0020,codepage=cp437,iocharset=iso8859-1,shortname=mixed,utf8,errors=remount-ro 0 0
/dev/block/vold/179:17 /mnt/sdcard/removable_sdcard vfat rw,dirsync,nosuid,nodev,noexec,relatime,uid=1000,gid=1015,fmask=0002,dmask=0002,allow_utime=0020,codepage=cp437,iocharset=iso8859-1,shortname=mixed,utf8,errors=remount-ro 0 0
/dev/block/vold/179:17 /mnt/secure/asec vfat rw,dirsync,nosuid,nodev,noexec,relatime,uid=1000,gid=1015,fmask=0002,dmask=0002,allow_utime=0020,codepage=cp437,iocharset=iso8859-1,shortname=mixed,utf8,errors=remount-ro 0 0
tmpfs /mnt/sdcard/removable_sdcard/.android_secure tmpfs ro,relatime,size=0k,mode=000 0 0
Hey.
With cat /proc/mtd it is the same.
Henge,
Thanks for this - I'll put together a recovery.fstab based on this for now!
Glad if I could help!
Nice to see someone working on this. Thank you! There is a somewhat active community of users at this link on XDA that I'm sure are going to be pleased to see this thread.
Keep us updated on your efforts please and thanks a ton in advance! Looking forward to your progress!
Sent from my A1_07 using Tapatalk
I updated the recovery.fstab according to the information that Henge provided and rebuilt the recovery. I think one piece of information that I'm currently missing is the erasesize for the emmc, but I'm not sure what command should be used to find out what it is since there was no /proc/emmc or /proc/mtd.
I've also been examining the OTA update to see how it flashes partitions. It appears as if there is a utility included called "fuse" that writes partition images. It looks as though the fuse binary isn't on the system partition in the OTA, but my present thinking is that it might still work for flashing the recovery ramdisk. I've made the fuse binary available on the download page linked from the github repository, but I'd still recommend against trying to flash the recovery unless you're really sure you know what you're doing, as I haven't been able to test it yet.
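The device-to-mount-point mapping that Henge's output gives, worked through as an added example (not the recovery author's code and not the project's recovery.fstab): it resolves vold's `major:minor` node through /proc/partitions and reports how much of the eMMC no partition covers. The function names and the "mount point, filesystem, device" column order are assumptions of this example.

```python
import re

# Output posted by Henge above; mount options trimmed, pseudo filesystems reduced.
PROC_PARTITIONS = """\
major minor #blocks name
179 0 15388672 mmcblk0
179 1 292969 mmcblk0p1
179 2 195312 mmcblk0p2
179 3 1953125 mmcblk0p3
179 4 34180 mmcblk0p4
179 5 12856445 mmcblk0p5
179 16 3872768 mmcblk1
179 17 3872737 mmcblk1p1
"""

MOUNT_OUTPUT = """\
rootfs / rootfs ro,relatime 0 0
tmpfs /dev tmpfs rw,relatime,mode=755 0 0
/dev/block/mmcblk0p1 /system ext3 ro,relatime 0 0
/dev/block/mmcblk0p2 /cache ext3 rw,nosuid,nodev,relatime 0 0
/dev/block/mmcblk0p3 /data ext3 rw,nosuid,nodev,relatime 0 0
/dev/block/mmcblk0p4 /.secure ext3 rw,nosuid,nodev,relatime 0 0
/dev/block/mmcblk0p5 /mnt/sdcard vfat rw,dirsync,nosuid,nodev,noexec 0 0
/dev/block/vold/179:17 /mnt/sdcard/removable_sdcard vfat rw,dirsync,nosuid 0 0
/dev/block/vold/179:17 /mnt/secure/asec vfat rw,dirsync,nosuid 0 0
"""


def parse_partitions(text):
    """Return {(major, minor): (name, size_kib)} from /proc/partitions text."""
    parts = {}
    for line in text.splitlines():
        fields = line.split()
        if len(fields) == 4 and fields[0].isdigit():
            major, minor, blocks, name = fields
            parts[(int(major), int(minor))] = (name, int(blocks))
    return parts


def resolve(device, parts):
    """Map a /dev/block path to a kernel partition name, or None if unknown.

    vold creates nodes named "major:minor"; those are looked up in the
    /proc/partitions table instead of being taken at face value.
    """
    base = device.rsplit("/", 1)[-1]
    m = re.fullmatch(r"(\d+):(\d+)", base)
    if m:
        entry = parts.get((int(m.group(1)), int(m.group(2))))
        return entry[0] if entry else None
    known = {name for name, _ in parts.values()}
    return base if base in known else None


def mount_table(mount_text, parts):
    """Return one row per block device; the first mount point seen wins."""
    sizes = dict(parts.values())
    rows, seen = [], set()
    for line in mount_text.splitlines():
        fields = line.split()
        if len(fields) < 3 or not fields[0].startswith("/dev/block/"):
            continue  # rootfs, tmpfs, proc and other pseudo filesystems
        name = resolve(fields[0], parts)
        if name is None or name in seen:
            continue  # unknown node, or a second mount of the same device
        seen.add(name)
        rows.append({"mount": fields[1], "fstype": fields[2],
                     "device": "/dev/block/" + name, "size_kib": sizes[name]})
    return rows


def unallocated_kib(disk, parts):
    """KiB of `disk` that none of its listed partitions cover."""
    sizes = dict(parts.values())
    used = sum(size for name, size in sizes.items()
               if name.startswith(disk + "p"))
    return sizes[disk] - used


def fstab_lines(rows):
    """Format rows as 'mount_point fstype device' (assumed column order)."""
    return ["{mount:<30}{fstype:<6}{device}".format(**r) for r in rows]


if __name__ == "__main__":
    parts = parse_partitions(PROC_PARTITIONS)
    for line in fstab_lines(mount_table(MOUNT_OUTPUT, parts)):
        print(line)
    print("not covered by any partition on mmcblk0:",
          unallocated_kib("mmcblk0", parts), "KiB")
```

All five partitions of mmcblk0 turn out to be mounted as /system, /cache, /data, /.secure and the internal SD card, and the partition sizes leave part of the device outside every listed partition.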
Happy to help when you get to the CM stage. Post or PM if there's anything I can do. At the moment, I've got the ear of a Lenovo customer advocate who is working on getting the code properly published. I'll ping him after the holiday and report back.
Hi Sinanju,
Thanks! When I posted the message on the Lenovo forum I mentioned that I was personally after the Linux kernel sources - however, subsequently I noticed that the tablet also uses the u-boot bootloader, which I believe is also GPLed and the sources may be helpful - have you heard any mention about this?
I have not. When I ping the Lenovo guy I'll add it to the list of source they'll need to release.
Update: Email sent.
This CWM has been a long time coming, thanks for the effort. Keep us informed.
The Nook Color uses almost the same hardware (but no gps and camera).
It has a really good working CM7 build. So maybe this would be a good starting point.
It also uses u-boot and includes a modified one in CM7 (booting from sd or internal).
Thank you for this effort!
Hi TDO,
Thanks - I had noticed the CM7 for the Nook Color - I've been using it to guide me so far in building the recovery. I had also seen that it includes the modified u-boot but I wasn't sure what the purpose of it was.
Edit: Apologies, I misunderstood your post at first. Re-reading it, I understand that the purpose of the modified u-boot is to allow booting from the internal or external SD card.
Since I'm not a new user anymore, I can now post links to the repository and hosting for the built recovery:
Repository: https://github.com/gmarkall/android_device_ideapad_a1
Hosting: http://www.doc.ic.ac.uk/~grm08/ideapad/
(I still wouldn't recommend attempting to try out the recovery yet, but it's there if anyone has any other purpose for it).
FYI - rumor, fake or truth, who knows - but there's a YouTube video showing ICS on an Ideapad A1 which is said to have been leaked on a Chinese website and that there's news from Lenovo they will release Android 4.0 for A1 later.

[Q] xt925 Encryption Unsuccessful - cannot flash

So a year or so ago I flashed up to 4.1.2 (FIDO) on the phone and all worked fine.
Now the phone won't boot, all I get is the Encryption Unsuccessful screen. I have tried reflashing FIDO, and Stock 4.0.4, but RSDlite just throws a message saying "FAIL" - I think it is due to a partition problem. I have access to the Boot menu (10.9B), I have tried wiping the cache and a factory reset - nothing.
Any ideas how I can fix the partition and reflash a ROM?
Have the same error too.
Waiting for an answer too.
---------- Post added at 11:13 AM ---------- Previous post was at 10:48 AM ----------
cat /proc/partitions
major minor #blocks name
179 0 15388672 mmcblk0
179 1 102400 mmcblk0p1
179 2 1500 mmcblk0p2
179 3 1500 mmcblk0p3
179 4 512 mmcblk0p4
179 5 256 mmcblk0p5
179 6 140 mmcblk0p6
179 7 192 mmcblk0p7
179 8 512 mmcblk0p8
179 9 4 mmcblk0p9
179 10 1500 mmcblk0p10
179 11 2048 mmcblk0p11
179 12 1500 mmcblk0p12
179 13 500 mmcblk0p13
179 14 500 mmcblk0p14
179 15 512 mmcblk0p15
179 16 1632 mmcblk0p16
179 17 3072 mmcblk0p17
179 18 3072 mmcblk0p18
179 19 2048 mmcblk0p19
179 20 640 mmcblk0p20
179 21 8 mmcblk0p21
179 22 8192 mmcblk0p22
179 23 8 mmcblk0p23
179 24 3072 mmcblk0p24
179 25 1024 mmcblk0p25
179 26 512 mmcblk0p26
179 27 3072 mmcblk0p27
179 28 128 mmcblk0p28
179 29 4096 mmcblk0p29
179 30 512 mmcblk0p30
179 31 10240 mmcblk0p31
259 0 10240 mmcblk0p32
259 1 8192 mmcblk0p33
259 2 138754 mmcblk0p34
259 3 786432 mmcblk0p35
259 4 1523712 mmcblk0p36
259 5 153600 mmcblk0p37
259 6 12608751 mmcblk0p38
179 64 4096 mmcblk0boot1
179 32 4096 mmcblk0boot0
df
Filesystem 1K-blocks Used Available Use% Mounted on
tmpfs 421180 48 421132 0% /dev
~ # cat /proc/mounts
cat /proc/mounts
rootfs / rootfs rw 0 0
tmpfs /dev tmpfs rw,nosuid,relatime,mode=755 0 0
devpts /dev/pts devpts rw,relatime,mode=600 0 0
proc /proc proc rw,relatime 0 0
sysfs /sys sysfs rw,relatime 0 0
~ # mount /system
mount /system
~ # cat /proc/mounts
cat /proc/mounts
rootfs / rootfs rw 0 0
tmpfs /dev tmpfs rw,nosuid,relatime,mode=755 0 0
devpts /dev/pts devpts rw,relatime,mode=600 0 0
proc /proc proc rw,relatime 0 0
sysfs /sys sysfs rw,relatime 0 0
/dev/block/platform/msm_sdcc.1/by-name/system /system ext4 rw,relatime,user_xattr,barrier=1,data=ordered 0 0
mount /data
mount: mounting /dev/block/platform/msm_sdcc.1/by-name/userdata on /data failed: Invalid argument
please help
Any ideas? In Russia there is no Motorola service. I read about this problem on other phones. It may be crashed internal storage, but why can I see the partitions in ADB? How do I format all of the internal storage and partition it like stock?
My FIDO XT925 also had this problem suddenly. From what I have found so far I have tried to use the stock recovery (hold vol +/- then power button, white menu will pop up, follow the instructions and select recovery with vol +), to update to Jelly Bean but that is not working. I have also tried RSD Lite 6 and the flash process always fails to verify even after I modified the xml file. I'm pretty stuck at this point as well, hoping someone can help.
Bumping this. Just happened to my XT925 a day ago. Was working fine, last thing I noticed was googleservices crashing (with the OK button that was stuck in an infinite loop) so I had to hard-shut it off..
Was rooted since last year, but nothing odd happening recently, seemed totally random.. Also did the above, nothing seems to be working, is it bricked?
Also, any way to recover the internal SD card contents?
I don't know if I can help, but partition errors need to be fixed with moto fastboot. No other solution will work.
There are a couple of ways to go about this.
1. Get moto fastboot and your stock file (if it doesn't contain a partition file you're stuck, some do some don't)
flash each partition manually with the mfastboot command, starting with the partition file (important: you flash the partition file first).
2. Grab my "script" from the dev forum. Make sure you get the "gpt fix" version. DO NOT USE THE SCRIPT AS IS, IT IS FOR 926 ONLY.
You can either:
A. run your commands from that folder as it already has the required moto fastboot.
or
B. delete all the 926 files from that folder
drop in all of your phone's files and edit the "win batch file" file to fix any file name mismatches (you only need to flash the partitions I have listed, don't bother adding any more)
I don't recall if I left the "-w" command in there. That is the data wipe command. Remove this line entirely if you want to try and keep data.
Not sure if this will help, but if you have partition issues, these are the only ways to fix it.
Thanks, can I run some links by you to make sure I'm using the right stuff?
Moto fastboot: http://forum.xda-developers.com/showthread.php?t=1953948
Stock file: http://sbf.droid-developers.org/phone.php?device=6 - Should I use 4.0.4 or 4.1.2? I was on 4.1.2 OTA.
How do you mean flash each partition manually?
2. http://forum.xda-developers.com/showthread.php?t=2474393, downloading the "GPT error fix - Mirror 1" correct?
Is it step 1 OR step 2? Seems like you said you already have the moto fastboot in your link.. Also, what XT926 files are there to delete?
m fastboot (check)
stock file (you have to use one equal to or higher than the one currently installed, so 404 is a no)
flash manually (open a command prompt where you have mfastboot saved, connect your phone in fastboot, also make sure you have all of your stock files in the same dir as mfastboot, flash each partition using the mfastboot command and your correct file name. It would be easier if you look at the win batch file in my gpt script for the proper commands to send rather than me trying to explain it. You will send the commands exactly as I have them in the batch file, only correcting for file names, and wait for each to finish. Make sure it's finished; some take a bit of time, like system.)
gpt utility (check)
step 1 or 2 (some people are lazy (not you obviously) and won't go find mfastboot, so I only mentioned it is in my script for convenience)
what 926 files (just delete everything but the mfastboot.exe and the batch file. All the other files you won't need or can use.)
If you want, I can quickly upload the batch file so you don't have to dl all that just for one file, and you can get the mfastboot from the other thread you posted.
---------- Post added at 06:05 PM ---------- Previous post was at 06:03 PM ----------
OMG, I think my head is up my arse.
You don't want the xml file, you want the windows batch file. Let me go edit those posts grrrrr
---------- Post added at 06:11 PM ---------- Previous post was at 06:05 PM ----------
ok here are the exact commands (just fix your file name as needed)
mfastboot flash partition gpt_main0.bin
mfastboot flash system system.img.ext4
mfastboot flash boot boot.img
mfastboot -w (this can be omitted if you want to try and save data)
mfastboot flash modem NON-HLOS.bin
mfastboot erase modemst1
mfastboot erase modemst2
mfastboot flash fsg fsg.mbn
mfastboot reboot
Okay thanks. I downloaded your GPT fix, deleted everything inside except mfastboot.exe and the batch file. Then I downloaded the 4.1.2 from sbf and extracted everything inside your utility folder. However, I'm not seeing file extensions.. what's up with that? Like, no bin, no .ext4? I downloaded the Android 4.1.2
Blur_Version.98.21.122002.XT925.RCI.en.CA
I'm going to assume it won't work unless they have file extensions..
Also, if I'll be running mfastboot manually using cmd prompt, why do I need the batch file? --EDIT: Nevermind, you want me to replace what it says with what you wrote here. Gotcha. What do you mean then by 'just fix your file name as needed' - You mean like if the 4.1.2 thing has 'fsg_signed' I should use that in the batch file correct?
Btw sorry, new user limits, have to wait 5 min before edits heh.. =|
I don't know actually, it might work. You could try going to control panel/folder option/view/hide extensions for known file types and check or uncheck and see if it fixes the issue.
You don't, it was more of a guide assuming you didn't know the sequence and proper commands. But since I posted that, there is no reason if you want to do it manually.
---------- Post added at 06:29 PM ---------- Previous post was at 06:24 PM ----------
no problem
yea if you want to use the batch file and have it do everything for you automatically, you likely would need to fix some file names as the ones in your stock file might not match the ones i have.
for instance
our partition file is: mfastboot flash partition gpt_main0.bin
but your file may be called partition.bin so you would have to change that line to
mfastboot flash partition partition.bin
Okay so this is what I have now in the batch file, along with brackets for clarifications:
mfastboot flash partition partition_signed.bin
mfastboot flash system system_signed.img.ext4 (what extension should this have?)
mfastboot flash boot boot_signed.img
mfastboot -w
mfastboot flash modem_signed.bin
mfastboot erase modemst1 (leave this in even though I don't have any files like that in the package?)
mfastboot erase modemst2 (same as above?)
mfastboot flash fsg fsg_signed.mbn
mfastboot reboot
Should I take out all the extensions in the bat since that package file has none, or add them to the files as per above?
Gloomfrost said:
Okay so this is what I have now in the batch file, along with brackets for clarifications:
mfastboot flash partition partition_signed.bin
mfastboot flash system system_signed.img.ext4 (what extension should this have?) don't put an extension if your file states none, I think it will be fine
mfastboot flash boot boot.img
mfastboot -w delete this line if you want to try and save any data, I doubt either option will affect the success or failure of this mission but I would leave it in if you can
mfastboot flash modem NON-HLOS.bin (don't have anything like this in that package - should I remove this line?) doubt the modems were encrypted so delete this line
mfastboot erase modemst1 (left this in) delete this or you may have no modems, only because we aren't re-writing them
mfastboot erase modemst2 (left this in) same as above
mfastboot flash fsg fsg_signed.mbn
mfastboot reboot
Should I take out all the extensions since that package file has none? no, just omit any that don't have extensions in your stock file. If we need to drop back and try another route, I would like to know that we tried the file names as you see them.
OK, I'm going to go out on a limb here and make some edits above in red
Sorry I edited my previous message again - I have modem_signed. Leave that in instead of NON-HLOS?
That's kind of a catch 22, yeah, let's put that in but still remove the erase lines below it as you are writing the same modem.
sending 'partition' (32 KB)...
OKAY [ 0.022s]
writing 'partition'...
This may take a few seconds, if a
different partition table is being
flashed since we need to backup
and restore a few partitions
Failed to program partition table
FAILED (remote failure)
finished. total time: 0.338s
sending 'system' (30720 KB)...
OKAY [ 2.348s]
writing 'system'...
Failed to erase partition
FAILED (remote failure)
finished. total time: 4.030s
sending 'boot' (10240 KB)...
OKAY [ 0.796s]
writing 'boot'...
Failed to erase partition
Failed to flash partition boot
FAILED (remote failure)
finished. total time: 1.544s
erasing 'userdata'...
Failed to erase partition
FAILED (remote failure)
finished. total time: 0.057s
unknown partition 'modem_signed'
error: cannot determine image filename for 'modem_signed'
sending 'fsg' (2849 KB)...
OKAY [ 0.236s]
writing 'fsg'...
Failed to erase partition
Failed to flash partition fsg
FAILED (remote failure)
finished. total time: 0.383s
rebooting...
finished. total time: 0.005s
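A triage of the mfastboot transcript above, as an added example that is not part of the original posts: it splits the output into one record per command and separates the error printed by the fastboot client itself (`unknown partition`) from failures that follow a completed transfer. The function names and status labels are made up for this illustration, and reading `FAILED (remote failure)` as a failure reported by the device follows stock fastboot's use of "remote", assumed to hold for mfastboot too.

```python
import re

# Transcript from the post above, reproduced verbatim.
LOG = """\
sending 'partition' (32 KB)...
OKAY [ 0.022s]
writing 'partition'...
This may take a few seconds, if a
different partition table is being
flashed since we need to backup
and restore a few partitions
Failed to program partition table
FAILED (remote failure)
finished. total time: 0.338s
sending 'system' (30720 KB)...
OKAY [ 2.348s]
writing 'system'...
Failed to erase partition
FAILED (remote failure)
finished. total time: 4.030s
sending 'boot' (10240 KB)...
OKAY [ 0.796s]
writing 'boot'...
Failed to erase partition
Failed to flash partition boot
FAILED (remote failure)
finished. total time: 1.544s
erasing 'userdata'...
Failed to erase partition
FAILED (remote failure)
finished. total time: 0.057s
unknown partition 'modem_signed'
error: cannot determine image filename for 'modem_signed'
sending 'fsg' (2849 KB)...
OKAY [ 0.236s]
writing 'fsg'...
Failed to erase partition
Failed to flash partition fsg
FAILED (remote failure)
finished. total time: 0.383s
rebooting...
finished. total time: 0.005s
"""

# Lines that open a new command in the transcript.
NEW_STEP = re.compile(
    r"^(?:(sending|erasing) '([^']+)'"
    r"|unknown partition '([^']+)'"
    r"|(rebooting)\.\.\.)")


def parse_steps(log):
    """Split a fastboot transcript into one record per command."""
    steps, cur, stage = [], None, None
    for raw in log.splitlines():
        line = raw.strip()
        m = NEW_STEP.match(line)
        if m:
            stage = m.group(1) or ("host" if m.group(3) else "reboot")
            cur = {"target": m.group(2) or m.group(3) or "(reboot)",
                   "sent": False, "messages": [],
                   # "unknown partition" comes from the client, before
                   # anything is sent; other steps stay "ok" unless they fail.
                   "status": "host-error" if stage == "host" else "ok"}
            steps.append(cur)
        elif cur is None:
            continue
        elif line.startswith("writing "):
            stage = "writing"
        elif line.startswith("OKAY") and stage == "sending":
            cur["sent"] = True               # the image transfer completed
        elif line.startswith("FAILED"):
            cur["status"] = "device-failed"  # assumed: reported by the device
        elif line.startswith(("Failed ", "error:")):
            cur["messages"].append(line)
    return steps


def summarize(steps):
    """Group command targets by where the command failed."""
    failed = [s for s in steps if s["status"] == "device-failed"]
    return {
        "host_errors": [s["target"] for s in steps if s["status"] == "host-error"],
        "device_failures": [s["target"] for s in failed],
        # Transfer succeeded, then the erase/program stage failed.
        "sent_then_failed": [s["target"] for s in failed if s["sent"]],
        "succeeded": [s["target"] for s in steps if s["status"] == "ok"],
    }


if __name__ == "__main__":
    steps = parse_steps(LOG)
    for s in steps:
        print("%-14s %-14s %s" % (s["target"], s["status"], "; ".join(s["messages"])))
    print(summarize(steps))
```

Every image in this transcript was transferred successfully and failed only at the erase or program stage, while `modem_signed` was rejected as a partition name before any transfer was attempted.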
Yeah, that sucks.
I'm having the same problem over here.
I made this other user the same updated (not published) script, just because he has a 926, and I can share the script with anyone who needs it. (Just to say, I know this is the only method, you are in a bad spot!)
Anyway, it's the same as you just made, with the same results.
Have a look to see if maybe one of the simple fixes (not yet confirmed or denied) helped this member.
I really appreciate the efforts here. When I can wrap my head around this I will try as well as post my results. I felt I had hit a brick wall last night and emailed Motorola Canada for tech support help..
Sent from my SM-N900W8 using Tapatalk
Keep me posted on this if you don't mind - after maybe 18 hours at this, I'm going to give up.
I find it interesting that I managed to unlock my bootloader (even though it still threw a FAILED (remote failure)), but going into fastboot DOES say 'Unlocked Status Code: 3'.
I also found some Chinese forum where people were posting how to do stuff with fastboot oem codes, but if I do fastboot oem anything it just says 'Restricted oem code'. Meh.
Any new phone suggestions? Something that will hopefully last 2 days with battery like this one did.
I am personally trying harder than usual to fix this phone because the battery life is so awesome. It's still a great deal. I hear the Moto X gets pretty great battery life and it's cheaper than Nexus 5 right now. Personally I would wait for the Nexus 6, which is rumored to be built by Motorola.
I am trying to fix this phone for my wife. Personally I am using a Note 3: great big battery and screen but no loyalty to Samsung. If the Nexus 6 pops up I may not be able to resist
---------- Post added at 05:46 AM ---------- Previous post was at 05:39 AM ----------
I'm trying to keep this phone stock. However I am curious if using Fastboot to unlock and installing custom recovery can work with the partition as screwed up as it is. If so maybe with custom recovery we can properly format the partitions. Thoughts?
Weaponx525 said:
I am personally trying harder than usual to fix this phone because the battery life is so awesome. It's still a great deal. I hear the Moto X gets pretty great battery life and it's cheaper than Nexus 5 right now. Personally I would wait for the Nexus 6, which is rumored to be built by Motorola.
I am trying to fix this phone for my wife. Personally I am using a Note 3: great big battery and screen but no loyalty to Samsung. If the Nexus 6 pops up I may not be able to resist.
---------- Post added at 05:46 AM ---------- Previous post was at 05:39 AM ----------
I'm trying to keep this phone stock. However I am curious if using Fastboot to unlock and installing custom recovery can work with the partition as screwed up as it is. If so maybe with custom recovery we can properly format the partitions. Thoughts?
After everything sane failed (trying to save the userdata, trying to keep stock), I tried flashing random stuff, including sideloading. Nothing worked. Even the 'unlock' like I said threw an error, though the device does say unlocked. If you manage to successfully install custom recovery please post back how.

Lenovo A2010 - Rooting / Building CM

So I recently got a Lenovo A2010, and I've been looking for ways to root it so as to have better access to settings and features it currently doesn't offer (like making the Mass Storage mode available when connecting to a PC, instead of the annoying MTP, grr). Searching around the 'net has so far been useless, finding only a thread here on XDA that's for a different model from Lenovo (A6000 Plus, the thread is here), and it recommends using an app which I wouldn't trust, and which bricked some people's phones. So I wanted to ask you guys if there's any (other) way of rooting this phone, preferably with the ability to update the OS. The phone itself has Mediatek MT6735M as chipset and runs on Android version 5.1.
Also I wanted to ask you guys (and I hope I'm not rude for asking this...) if you could assess whether or not it would be worth the time to build a CM rom for this phone. Are there any similar phones to this one that could ease the task? Again, searching around for the chipset's "compatibility" with CM (as advised by the starting guide for building CM on the wiki) didn't turn up much. I'm not much of a developer, I know only rudimentary stuff, like compiling source codes on linux, but if building the ROM for this phone isn't that complicated (as the wiki suggested it might be in some cases), I would like to try.
*bump*...
+1
The reason why I want it too is that I also own a Lenovo A2010-a (notice the "a", but I personally don't think that there are any differences). Having AT LEAST an Android Open Source Project (AOSP) ROM would be nice.
I am also giving source code for the phone: Lenovo A2010-a.
I hope that someone will start the project. Personally, I tried to do at least hardware mod. My intention was to swap cameras for more convenient QR code scanning.
Therefore I wanted to open a category for it, but I am not a developer.
Mine's with an "-a" at the end too in the manual.
The problem is that nobody is interested in low-end phones. I think that A2010-a can run Marshmallow too, just what we need is CWM and how to set & pack ROM.
I have managed to perform cat cpuinfo, so I am posting it here.
Code:
Processor : ARMv7 Processor rev 4 (v7l)
processor : 0
BogoMIPS : 7.24
Features : swp half thumb fastmult vfp edsp neon vfpv3 tls vfpv4 idiva idivt
CPU implementer : 0x41
CPU architecture: 7
CPU variant : 0x0
CPU part : 0xd03
CPU revision : 4
Hardware : MT6735M
Revision : 0000
Serial : 0000000000000000
Also, same for /proc/mounts:
Code:
rootfs / rootfs ro,seclabel 0 0
tmpfs /dev tmpfs rw,seclabel,nosuid,relatime,mode=755 0 0
devpts /dev/pts devpts rw,seclabel,relatime,mode=600 0 0
proc /proc proc rw,relatime 0 0
sysfs /sys sysfs rw,seclabel,relatime 0 0
selinuxfs /sys/fs/selinux selinuxfs rw,relatime 0 0
none /acct cgroup rw,relatime,cpuacct 0 0
none /sys/fs/cgroup tmpfs rw,seclabel,relatime,mode=750,gid=1000 0 0
tmpfs /mnt/asec tmpfs rw,seclabel,relatime,mode=755,gid=1000 0 0
tmpfs /mnt/obb tmpfs rw,seclabel,relatime,mode=755,gid=1000 0 0
none /dev/cpuctl cgroup rw,relatime,cpu 0 0
tmpfs /mnt/media_rw tmpfs rw,seclabel,relatime,mode=755,uid=1000,gid=1000 0 0
tmpfs /storage/usbotg tmpfs rw,seclabel,relatime,mode=755,uid=1000,gid=1000 0 0
tmpfs /storage/emulated tmpfs rw,seclabel,relatime,mode=755,uid=1023,gid=1023 0 0
/dev/block/platform/mtk-msdc.0/by-name/system /system ext4 ro,seclabel,relatime,data=ordered 0 0
/dev/block/platform/mtk-msdc.0/by-name/userdata /data ext4 rw,seclabel,nosuid,nodev,noatime,discard,noauto_da_alloc,resuid=10010,data=ordered 0 0
/dev/block/platform/mtk-msdc.0/by-name/cache /cache ext4 rw,seclabel,nosuid,nodev,noatime,discard,noauto_da_alloc,data=ordered 0 0
/dev/block/platform/mtk-msdc.0/by-name/protect1 /protect_f ext4 rw,seclabel,nosuid,nodev,noatime,nodelalloc,noauto_da_alloc,commit=1,data=ordered 0 0
/dev/block/platform/mtk-msdc.0/by-name/protect2 /protect_s ext4 rw,seclabel,nosuid,nodev,noatime,nodelalloc,noauto_da_alloc,commit=1,data=ordered 0 0
/dev/block/platform/mtk-msdc.0/by-name/nvdata /nvdata ext4 rw,seclabel,nosuid,nodev,noatime,discard,noauto_da_alloc,data=ordered 0 0
/dev/block/loop0 /mnt/cd-rom iso9660 ro,relatime 0 0
adb /dev/usb-ffs/adb functionfs rw,relatime 0 0
debugfs /sys/kernel/debug debugfs rw,seclabel,relatime 0 0
/dev/fuse /mnt/shell/emulated fuse rw,nosuid,nodev,noexec,relatime,user_id=1023,group_id=1023,default_permissions,allow_other 0 0
/dev/fuse /storage/sdcard0 fuse rw,nosuid,nodev,noexec,relatime,user_id=1023,group_id=1023,default_permissions,allow_other 0 0
/dev/block/vold/179:129 /mnt/media_rw/sdcard1 vfat rw,dirsync,nosuid,nodev,noexec,relatime,uid=1023,gid=1023,fmask=0007,dmask=0007,allow_utime=0020,codepage=437,iocharset=iso8859-1,shortname=mixed,utf8,errors=remount-ro 0 0
/dev/block/vold/179:129 /mnt/secure/asec vfat rw,dirsync,nosuid,nodev,noexec,relatime,uid=1023,gid=1023,fmask=0007,dmask=0007,allow_utime=0020,codepage=437,iocharset=iso8859-1,shortname=mixed,utf8,errors=remount-ro 0 0
/dev/fuse /storage/sdcard1 fuse rw,nosuid,nodev,noexec,relatime,user_id=1023,group_id=1023,default_permissions,allow_other 0 0
I will try to work further to get more information about this device. I hope that someone will be interested in this device, tell me what to do and I will try to gather more data.
@kossieh: Did you root your phone?
And similarly to kossieh, if anyone needs any intel on the phone, I'd be happy to provide it.
Ok, just a major update:
I have downloaded some files from this website and it seems that this file has some kind of script, that could be used to make bootable ROM.
Actually, it is an updater-script, which (AFAIK) is also used anywhere else. According to my cat /proc/cpuinfo, the only thing that needs to be done is to compile "su" binary for the platform and then it could be used to flash the SU (understand it as create a ROOT and UNROOT zips to do the job). Then install some kind of root app (SuperSU or Superuser, depends - probably) and then it could be done.
Question is about CWM, if the bootloader permits to load a temporary CWM (as I did on my S5830i - just a note) and then install any, now modded, ROM into device.
I presume that managing partitions and filesystems would be tricky, so I WOULD LIKE to ask anyone, who is interested in further developing. I would like to also contribute, because it makes sense. Maybe we'll be good enough to create CyanogenMod 12 (or 13?) - just to match Marshmallow. Or, we can stick to 5.1 (which is good anyway) and make a clean Android ROM (personally I would appreciate that).
As promised, here is updater-script for information:
Code:
getprop("ro.product.device") == "A2010-a" || abort("This package is for \"A2010-a\" devices; this is a \"" + getprop("ro.product.device") + "\".");
show_progress(0.750000, 0);
ui_print("Patching system image unconditionally...");
block_image_update("system", package_extract_file("system.transfer.list"), "system.new.dat", "system.patch.dat");
show_progress(0.050000, 5);
assert(package_extract_file("boot.img", "/tmp/boot.img"),
write_raw_image("/tmp/boot.img", "bootimg"),
delete("/tmp/boot.img"));
assert(package_extract_file("mobicore.bin", "/tmp/tee1.img"),
write_raw_image("/tmp/tee1.img", "tee1"),
delete("/tmp/tee1.img"));
show_progress(0.200000, 10);
apply_sig(package_extract_file("sig/boot.sig"), "bootimg");
I was also surprised that this is for Lenovo A2010-a. Maybe there is only one device, just A2010-a.
Also, I'm posting a "scatter.txt", I don't understand clearly, what it is, probably a flashing tool specific config? Or is it a map for the device storage?
My opinion is, that it could be a map of the device storage system, including intervals, where the storage ends and partitioning.
Code:
preloader 0x0
pgpt 0x0
proinfo 0x80000
nvram 0x380000
protect1 0x880000
protect2 0x1280000
lk 0x1c80000
para 0x1d00000
boot 0x1d80000
recovery 0x2d80000
logo 0x3d80000
expdb 0x4580000
seccfg 0x4f80000
oemkeystore 0x5000000
secro 0x5200000
keystore 0x5800000
tee1 0x6000000
tee2 0x6500000
frp 0x6a00000
nvdata 0x6b00000
metadata 0x8b00000
system 0xb000000
cache 0xab000000
userdata 0xc4000000
flashinfo 0xFFFF0084
sgpt 0xFFFF0004
The last is "type.txt", which has just one thing inside, and that is just "1". To be correct regarding to xda dev forums, also in code:
Code:
1
The package itself also contains 2 extra files (I dug directly from update.zip!) and they're:
Credits.txt
How to flash OTA file.txt
...where "How to flash OTA file.txt" contains just a description:
Code:
Copy the update.zip file to the phone SD and flash it through the stock recovery mode.
Or
Copy the update.zip file to the phone SD and flash it through the Settings > About > Check Update (only if your device support this method).
Instruction by androidxda.com.
I also downloaded all files (3 gigs in total) and I will investigate when I will have time. My wish is to call for someone who would help us with development. As stated before, I am ready to help, as well as I am sure that original author of this thread (andoruB) probably wants too...
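The question raised in the post above, whether scatter.txt is a map of the device storage, can be tested against the numbers: if each value is a start offset, the gap to the next entry is an upper bound on that partition's size. This is an added example, not part of the original post or of the update package; the `END_RELATIVE` threshold and the treatment of the two entries at 0x0 are assumptions.

```python
# Added example: sizes below are inferred from the posted offsets, not read from a device.
SCATTER = """\
preloader 0x0
pgpt 0x0
proinfo 0x80000
nvram 0x380000
protect1 0x880000
protect2 0x1280000
lk 0x1c80000
para 0x1d00000
boot 0x1d80000
recovery 0x2d80000
logo 0x3d80000
expdb 0x4580000
seccfg 0x4f80000
oemkeystore 0x5000000
secro 0x5200000
keystore 0x5800000
tee1 0x6000000
tee2 0x6500000
frp 0x6a00000
nvdata 0x6b00000
metadata 0x8b00000
system 0xb000000
cache 0xab000000
userdata 0xc4000000
flashinfo 0xFFFF0084
sgpt 0xFFFF0004
"""

# Assumption: values this high are markers for regions placed relative to the
# end of the storage, not byte offsets from its start.
END_RELATIVE = 0xFFFF0000


def parse_scatter(text):
    """Return [(name, start_offset)] in file order; reject malformed lines."""
    entries = []
    for lineno, line in enumerate(text.splitlines(), 1):
        if not line.strip():
            continue
        parts = line.split()
        if len(parts) != 2:
            raise ValueError(f"line {lineno}: expected 'name offset'")
        entries.append((parts[0], int(parts[1], 16)))
    return entries


def layout(entries):
    """Derive an upper bound for each partition size from consecutive offsets."""
    linear = [(n, s) for n, s in entries if s < END_RELATIVE]
    rows = []
    for i, (name, start) in enumerate(linear):
        nxt = linear[i + 1][1] if i + 1 < len(linear) else None
        if nxt is not None and nxt < start:
            raise ValueError(f"{name}: offsets are not ascending")
        if nxt is None:
            kind, size = "open-ended", None      # runs to the end of usable storage
        elif nxt == start:
            kind, size = "shared-offset", None   # assumed to live in a separate region
        else:
            kind, size = "linear", nxt - start   # upper bound; gaps are not visible here
        rows.append({"name": name, "start": start, "max_size": size, "kind": kind})
    rows += [{"name": n, "start": None, "max_size": None, "kind": "end-relative"}
             for n, s in entries if s >= END_RELATIVE]
    return rows


def partition_at(rows, offset):
    """Name of the partition whose inferred range covers a byte offset."""
    for r in rows:
        if r["kind"] == "linear" and r["start"] <= offset < r["start"] + r["max_size"]:
            return r["name"]
        if r["kind"] == "open-ended" and offset >= r["start"]:
            return r["name"]
    return None


if __name__ == "__main__":
    for r in layout(parse_scatter(SCATTER)):
        start = "-" if r["start"] is None else hex(r["start"])
        size = "?" if r["max_size"] is None else f"{r['max_size'] / 2**20:g} MiB"
        print(f"{r['name']:<12} {start:>12} {size:>12}  {r['kind']}")
```

The inferred figures are round (16 MiB each for boot and recovery, 2560 MiB for system, 400 MiB for cache), which is consistent with the values being partition start offsets.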
Here is something in Russian.
hxxp://4pda.ru/forum/lofiversion/index.php?t688416.html
Isn't that the original stock ROM?
Also... *bump* in hope that someone gets interested in porting CM or to give any of us build instructions.
Another A2010-a owner here, would be really interested in having more control and making USB OTG work on the phone (seems there is some support reported, but no drivers get loaded when I connect a mouse or a pendrive).
Also, in the Developer options, there is an "OEM unlocking" option with the description "Allow the bootloader to be unlocked." Contrary to what I've read in forums, where unlocking and then locking again would brick phones, I turned it on and off again (between reboots) and nothing bad happened.
What does that feature actually do?
andoruB said:
What does that feature actually do?
According to step 9 in http://www.droid-life.com/2013/11/04/how-to-unlock-the-nexus-5-bootloader/ , where they unlock the bootloader of the Nexus 5:
"9. Your bootloader is now unlocked and ready for root, ROMs, recovery, etc."
However, they go on to say that:
" 11. During reboot, your phone will go through a factory reset."
And I remember reading somewhere that unlocking the bootloader of an Android phone can break future system updates because of some checksum failure, thus bricking the phone, but this might be a bug (or a feature) of a particular model, don't know...
Seeing as there aren't any proper custom ROMs for this device, any idea how to root the phone?
andoruB said:
Seeing as there aren't any proper custom ROMs for this device, any idea how to root the phone?
This is taken from the Russian forum, the link to which was given in post #9 above.
I'll try to explain the procedure here in English:
1. Download the file UPDATE-SuperSU-v2.46.zip from here: yadi.sk/d/TFXtd56Ekx5Yi and copy it to the SD card in your phone (or download it directly with the phone).
2. Download a custom Recovery like TWRP: yadi.sk/d/0WaK6e4Mkx5cx and the program SP Flash Tool: yadi.sk/d/9xDmAavuiX4Ce.
Run SP Flash Tool to install the custom Recovery.
(at least in my case, there was no need to toggle the "OEM unlock" option in "Developer Options", the bootloader seems to be unlocked anyway)
3. Reboot to Recovery by holding the Volume Up button pressed while the phone is booting.
In the boot menu that appears, move the selection cursor to the [Recovery Mode] option, by using the Volume Up button, then press the Volume Down button to select that option.
You should now get into TWRP Recovery, that you flashed in step 2.
4. From TWRP Recovery, install the previously downloaded file (UPDATE-SuperSU-v2.46.zip).
5. Reboot. Your phone is now rooted.
Ohhhh? Is this working? I am scared to brick my phone. Can someone test this one?
Executable000 said:
Ohhhh? Is this working? I am scared to brick my phone. Can someone test this one?
I tested it the next day after I got the phone and it's working. A lot of other people rooted their phone by this method too, so far I haven't heard of anyone bricking their phone.
At the moment, as far as I know, this is the only working method for rooting Lenovo A2010.
...
By the way, besides the files in my first post above, if you are using Windows, you obviously need to have the proper MTK drivers installed too, so that SP Flash Tool can connect to the phone.
If you are a Linux user, see this post http://forum.xda-developers.com/general/rooting-roms/tutorial-how-to-setup-spflashtoollinux-t3160802
W60 said:
I tested it the next day after I got the phone and it's working. A lot of other people rooted their phone by this method too, so far I haven't heard of anyone bricking their phone.
At the moment, as far as I know, this is the only working method for rooting Lenovo A2010.
...
By the way, besides the files in my first post above, if you are using Windows, you obviously need to have the proper MTK drivers installed too, so that SP Flash Tool can connect to the phone.
If you are a Linux user, see this post http://forum.xda-developers.com/general/rooting-roms/tutorial-how-to-setup-spflashtoollinux-t3160802
Thank you very much for your response. My Lenovo has an -a at the end. Hope this one will work. I'll try it later. I am just new with Android smartphones.
Can I send you a pm anytime when I am having a trouble rooting this phone?
Executable000 said:
My lenovo has an -a at the end.
Mine too.
Executable000 said:
Can I send you a pm?
Yes.
Thanks. Searching for the proper MTK driver but failed. Where can I find them?
--
Ot. Anyone who also experienced this? Lenovo a2010 has 8gb phone storage. But after applying an update, it became 4.02gb in the file manager. The other 4gb were consumed by the system files.

Rapid Temporary Root for HD 8 & HD 10

Software root method for Mediatek MT816x, MT817x and MT67xx!
A tool that gives you a temporary root shell with Selinux permissive to do with as you please
STATUS
Confirmed Working
Fire HD 8 8th gen (2018) (thanks @xyz`) -- up to Fire OS 6.3.0.1 only
Fire HD 8 7th gen (2017) -- up to Fire OS 5.6.4.0 build 636558520 only
Fire HD 8 6th gen (2016) (thanks @bibikalka) -- up to Fire OS 5.3.6.4 build 626536720
Fire HD 10 7th gen (2017) (thanks @bibikalka) -- up to Fire OS 5.6.4.0 build 636558520 only
Fire TV 2 2015 (mt8173-based) (thanks @el7145) -- up to Fire OS 5.2.6.9 only
Fire 7 9th gen (2019) (thanks @Michajin) -- up to Fire OS 6.3.1.2 build 0002517050244 only
Fire HD 10 9th gen (2019) -- up to Fire OS 7.3.1.0 only
Various phones and tablets up to Android 9.x (see link below for full list)
Note that for Fire OS 5, OS version 5.3.x.x is newer than 5.6.x.x.
Amazing Temp Root for MediaTek ARMv8: expanded thread covering all compatible MTK devices
DISCLAIMER
Anything you do that is described in this thread is at your own risk. No one else is responsible for any data loss, corruption or damage of your device, including that which results from bugs in this software.
REQUIREMENTS
Proficiency with the Thanks button under XDA posts
A Fire HD tablet based on mt8163 or mt8173 (or another MTK ARMv8 device)
Either:
A PC with ADB installed to interact with your device, or
A terminal emulator app
Familiarity with ADB (if using PC) and basic Linux shell commands
INSTRUCTIONS
Download the current mtk-su zip file to your PC and unzip it. Inside will be 2 directories: 'arm' & 'arm64' with an 'mtk-su' binary in each. Pick one for your device. Differences between the flavors:
arm64: 64-bit kernel and userspace
arm: 32-bit userspace on a 64-bit or 32-bit kernel (will also work in 64-bit userspace)
The arm64 one is suitable for most devices. The notable devices that need the arm version are the Fire HD 8 2018, Fire 7, and Fire HD 10 2019.
Connect your device to ADB and push mtk-su to your /data/local/tmp folder
Code:
adb push path/to/mtk-su /data/local/tmp/
Open an adb shell
Code:
adb shell
Change to your tmp directory
Code:
cd /data/local/tmp
Add executable permissions to the binary
Code:
chmod 755 mtk-su
At this point keep your tablet screen on and don't let it go to sleep. Run the program
Code:
./mtk-su
If the program gets stuck for more than a few seconds, press Ctrl+C to close it.
The -v option turns on verbose printing, which is necessary for me to debug any problems.
It will take several seconds, but using the -v option, you should see output similar to this (with id command added):
Code:
$ ./mtk-su -v
param1: 0x3000, param2: 0x18040, type: 2
Building symbol table
kallsyms_addresses pa 0x40bdd500
kallsyms_num_syms 70337, addr_count 70337
kallsyms_names pa 0x40c66d00, size 862960
kallsyms_markers pa 0x40d39800
kallsyms_token_table pa 0x40d3a100
kallsyms_token_index pa 0x40d3a500
Patching credentials
Parsing current_is_single_threaded
ffffffc000354868+50: ADRP x0, 0xffffffc000fa2000
ffffffc000354868+54: ADD xd, x0, 2592
init_task VA: 0xffffffc000fa2a20
Potential list_head tasks at offset 0x340
comm swapper/0 at offset 0x5c0
Found own task_struct at node 1
cred VA: 0xffffffc0358ac0c0
Parsing avc_denied
ffffffc0002f13bc+24: ADRP x0, 0xffffffc001113000
ffffffc0002f13bc+28: LDR [x0, 404]
selinux_enforcing VA: 0xffffffc001113194
Setting selinux_enforcing
Switched selinux to permissive
starting /system/bin/sh
UID: 0 cap: 3fffffffff selinux: permissive
#
Some other options:
mtk-su -c <command>: Runs <command> as root. Default command is /system/bin/sh.
mtk-su -s: Prints the kernel symbol table
If you see any errors other than about unsupported or incompatible platform or don't get a root shell, report it here.
Important: in rare cases, it may be necessary to run the tool multiple times before you hit UID 0 and get selinux permissive. If you don't achieve root on a particular run, the "UID: N cap: xxxxx...." line will reflect that. If it doesn't say "UID: 0 cap: 3fffffffff selinux: permissive", type exit to close the subshell and try mtk-su again.
If you succeed in getting temporary root, at that point you might want to install SuperSU for a more permanent root solution. Here is the official guide on which files should be present to kickstart SuperSU from temporary root. They are available in the latest SuperSU zip file. Remember that this only applies to Fire OS 5.
FIRE OS 5 AND ANDROID 5 USERS: There's an automated SuperSU loader by @Rortiz2 that makes jumpstarting SuperSU quick and easy.
WARNING FOR FIRE HD 8 2018 AND OTHER FIRE OS 6 DEVICES: If you have achieved root on such a device, do not remount the system partition as read/write. The remount command will probably not work. But forcing it will trigger dm-verity, which will result in a very bad day. Your tablet will become inoperable until you restore the stock system partition. You can accomplish a lot without modifying /system. But if you would like to get persistent root with Magisk by unlocking the bootloader, head on over to @bibikalka's outstanding Unlock/Magisk/TWRP Tutorial.
DOWNLOAD
Current Version
Release 23
Past releases & change log live at Amazing Temp Root for MediaTek ARMv8
FAQ
I got the error, "This firmware cannot be supported". What do I do?
This means that your device's firmware is not prone to the mechanism used by mtk-su. Check the firmware version and build number of the OS on your device. If your version is higher than that next to your device on the list above, then mtk-su will no longer work on your device. There may be other ways to achieve root. Check elsewhere on the forum.
Will this work on the Fire 7?
No, it is very doubtful this method can be used on the MT8127 chipset. The same also goes for the Fire TV stick.
After getting a root shell I'm still getting 'permission denied' errors. WTH?
It may be that selinux is still being enforced. Having root with selinux enabled is somehow more restrictive than a normal shell user. First, check that mtk-su succeeded in setting selinux to permissive by running getenforce. If it says Enforcing, then exit your shell and run mtk-su again.
Does this thing unlock the bootloader?
No, it does nothing to unlock the bootloader. But after running mtk-su, you may be able to use @xyz`'s revolutionary LK exploit or derivative works to achieve what is effectively an unlocked bootloader on some devices. Namely, you should be able to flash the specially crafted TWRP image using dd from Android.
How does this tool work?
It overwrites the process's credentials & capabilities in the kernel in order to gain privileges. It also turns off selinux enforcement by overwriting the kernel's selinux_enforcing variable. As for how it accesses that memory, I don't think I should discuss that as of yet.
Will this work on the Fire TV Stick 4K?
Unfortunately, no. While it has a 64-bit chip, the required vulnerabilities are not present in its OS.
Can I include mtk-su in my app or meta-tool?
Generally speaking, you may not distribute any mtk-su zip or binaries with your software. That includes doing any automatic download of those files into your app. You can still use it with your tools. But you should ask your users to visit this thread and download the current release zip themselves. No apps have been permitted to bundle or auto-download mtk-su.
Why don't you reply to my post?
I read every post in this thread, and respond to practically every post that warrants a response. Sometimes I will only click a Thanks as an acknowledgement. The reasons I may not answer your question are:
It has already been answered in the FAQ or multiple times in the thread.
Your post is unrelated to this project. It may be specific to your device, which would make it off topic for this thread.
Your question is extremely vague and you appear to be intentionally leaving out basic information (e.g. fishing).
CREDITS
@Supersonic27543 for helping me port it to Fire OS 5 and namely the HD 8 7th gen
Thank you to everyone who has donated. You're the best!
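A defender-side check for the effect the FAQ above describes (process credentials and capabilities overwritten in the kernel, SELinux switched to permissive), as an added example that is not part of the original post or of mtk-su. It works on /proc/<pid>/status text and getenforce output; all sample data is constructed, and the rule that a uid-0 process never descends from a non-root process is an assumption that holds only on a device with no legitimate su installed.

```python
# Added example; every process snapshot below is constructed sample data.
FULL_CAPS = 0x3FFFFFFFFF  # value of the "cap:" field in the output quoted above


def _status(name, pid, ppid, uid, cap):
    """Build text in the layout of /proc/<pid>/status (only the fields used here)."""
    return (f"Name:\t{name}\nPid:\t{pid}\nPPid:\t{ppid}\n"
            f"Uid:\t{uid}\t{uid}\t{uid}\t{uid}\nCapEff:\t{cap:016x}\n")


SAMPLE_STATUS = [
    _status("init", 1, 0, 0, FULL_CAPS),
    _status("zygote", 250, 1, 0, FULL_CAPS),
    _status("adbd", 310, 1, 2000, 0),
    _status("sh", 4100, 310, 2000, 0),
    _status("sh", 4242, 4100, 0, FULL_CAPS),       # root shell under a uid 2000 shell
    _status("toolbox", 4250, 4242, 0, FULL_CAPS),  # child of that root shell
]


def parse_status(text):
    """Extract name, pid, ppid, effective uid and CapEff; None if incomplete."""
    fields = {}
    for line in text.splitlines():
        key, sep, value = line.partition(":")
        if sep:
            fields[key.strip()] = value.split()
    try:
        return {
            "name": " ".join(fields["Name"]),
            "pid": int(fields["Pid"][0]),
            "ppid": int(fields["PPid"][0]),
            "euid": int(fields["Uid"][1]),  # order: real, effective, saved, fs
            "cap_eff": int(fields["CapEff"][0], 16),
        }
    except (KeyError, IndexError, ValueError):
        return None  # truncated read, e.g. the process exited mid-scan


def unprivileged_ancestor(proc, procs):
    """Walk the parent chain and return the first ancestor whose euid is not 0."""
    seen = set()
    cur = procs.get(proc["ppid"])
    while cur and cur["pid"] not in seen:
        if cur["euid"] != 0:
            return cur
        seen.add(cur["pid"])
        cur = procs.get(cur["ppid"])
    return None


def find_anomalies(status_texts, getenforce_output):
    """Flag uid-0 processes below a non-root ancestor and a non-enforcing SELinux."""
    parsed = [p for p in map(parse_status, status_texts) if p]
    procs = {p["pid"]: p for p in parsed}
    findings = []
    for p in parsed:
        if p["euid"] != 0:
            continue
        anc = unprivileged_ancestor(p, procs)
        if anc:
            findings.append({
                "pid": p["pid"],
                "name": p["name"],
                "reason": f"euid 0 below uid {anc['euid']} process "
                          f"{anc['pid']} ({anc['name']})",
                "full_caps": (p["cap_eff"] & FULL_CAPS) == FULL_CAPS,
            })
    state = getenforce_output.strip()
    if state != "Enforcing":
        findings.append({"pid": None, "name": "selinux",
                         "reason": f"getenforce reports {state!r}",
                         "full_caps": False})
    return findings


if __name__ == "__main__":
    for f in find_anomalies(SAMPLE_STATUS, "Permissive\n"):
        print(f)
```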
I want to thank you again for your efforts on this! I was ill the days before, so I didn't get much time to test SuperSU, and I'm trying to make a script now. Good luck to everyone who tries this!
EDIT: Oops, sorry for the reserve post.
How to use without a PC
INSTRUCTIONS FOR TERMINAL APP
You can optionally use mtk-su from a terminal emulator such as Termux or Terminal Emulator for Android (my preference). The gist of the process is to copy the executable to the terminal app's internal directory and run it from there. These are the instructions for Termux, but a similar procedure applies to all terminal shell apps.
Download the current mtk_su zip to your device and unzip it. Take note of where you extracted it. Pick the variant that fits your device. (See above.)
Open Termux and copy the mtk-su binary to its home directory, which in this case is the shell's initial working directory.
General idea: cp path/to/mtk-su ./
For example,
Code:
cp /sdcard/mtk-su_r14/arm64/mtk-su ./
For this to work, you have to enable the Storage permission for your term app. Do not try to circumvent the cp command with clever copying methods involving file managers or external tools. Mtk-su will not get the right permissions that way.
Make file executable
Code:
chmod 700 mtk-su
Run the program
Code:
./mtk-su
If mtk-su fails, post the output of ./mtk-su -v here along with a link to firmware and kernel sources, if possible.
Note that for most terminal shell apps, the internal app directory is stored in the variable $HOME. So in general you would do
Code:
cd
cp path/to/mtk-su ./
chmod 700 mtk-su
./mtk-su
Great work!
So could this theoretically work for any Mediatek device? Or do specific modifications need to be done for another model chip?
What do you think is likely the worst to happen if this is tried as-is on another device? Will it just not work? Or explode the device?
I have an Acer B3-A40 that has an MT8167 chip that I wouldn't mind rooting.
@cybersaga, yes, it's very possible it will work on an mt8167 device. Although I can't 100% guarantee it won't damage your device, I would just go ahead and try it. The risk is very minimal. It will print some error if it fails. I think realistically, I would need to tweak some parameters or make a workaround if there's a problem.
The method should be applicable to most 64-bit platforms. There are newer 4.x kernels where the necessary hole is not present, though. But time will tell what devices this ultimately will be compatible with.
That's super neat. I'll probably give it a try sometime this week.
Very cool from what I can see, however it doesn't work on HD8 2018 because there's no 64-bit userspace (only the kernel is 64-bit), could you recompile it for arm?
Oh, that's a bummer, @xyz`. Why would they do that? I think there's some other tweaks I have to make besides compiling it. I'll post a test version as soon as I can. This might be the case for other devices too...
diplomatic said:
Oh, that's a bummer, @xyz`. Why would they do that? I think there's some other tweaks I have to make besides compiling it. I'll post a test version as soon as I can. This might be the case for other devices too...
Maybe you can just compile it as a static binary instead if that's easier.
Awesome! I just rooted my HD8 2017
Try the automated script by @Rortiz2
Previous instructions:
For anyone that is confused by the process of manually installing SuperSu, I did the following...
IMPORTANT: This is for FireOS 5 devices such as HD8 2017. Do not attempt this on HD8 2018
1. Install SuperSu from Playstore
2. Download SuperSu and unzip somewhere
3. adb push arm64/su arm64/supolicy arm64/libsupol.so /data/local/tmp
4. Follow directions from OP to get a root shell. You should not get permission denied when running ls. If you see permission denied, run exit and try again. Took me a few tries
5. mount -o remount -rw /system
6. cp /data/local/tmp/su /system/xbin/su
7. cp /data/local/tmp/su /system/xbin/daemonsu
8. cp /data/local/tmp/supolicy /system/xbin/
9. cp /data/local/tmp/libsupol.so /system/lib/
10. cp /data/local/tmp/libsupol.so /system/lib64/
11. chmod 0755 /system/xbin/su
12. chcon u:object_r:system_file:s0 /system/xbin/su
13. chmod 0755 /system/xbin/daemonsu
14. chcon u:object_r:system_file:s0 /system/xbin/daemonsu
15. at this point, running su should work and show a root shell
16. daemonsu --auto-daemon
17. Open SuperSu app and allow it to update the su binary
My tablet hung at the boot logo when I manually installed SuperSu via the linked instructions. Installing the bare minimum and letting the SuperSu app do the rest seems less error-prone
@diplomatic
Wow!!! This is crazy !!! Where have you been before??? I almost had to drill a hole into HD8 2016!!!
I tried this on HD8 2016, FireOS 5.3.2.1, and the method worked! It takes less than 1 second to run, way faster than any Kingoroot. I had to exit and run again to get system mounting permissions rw as per @dutchthomas recommendation {mount -o remount -rw /system}. Then I updated su manually (using armv7 binaries from SR5-SuperSU-v2.82-SR5-20171001224502.zip - on HD10 2017 I am always using armv7 versions as well), and let SuperSu update itself. Full success! SuperSu needs to be set to "Grant" as per this link.
Now, for HD8 2018 I believe the following could work. 0) Drain the battery to really minimal amount ~ 3% 1) Run this to get temp root. 2) Zero out boot0 {dd if=/dev/zero of=/dev/block/mmcblk0boot0}. At this point the device should be booting into BootRom mode (as claimed by others - @xyz`, @hwmod, @k4y0z, can you confirm?). In BootRom, run the scripts from this link. If it hangs in BootRom, just let it sit disconnected from anything. The low battery should shut it down, and you can try again later in BootRom. Low battery would remove the need to open the case should the amonet script hang.
Actually, for HD8 2018, if RPMB does not need to be cleared, all of amonet steps could be done via dd while having a temporary root shell. One could dd all of LK/TZ/boot/recovery/preloader. If RPMB needs clearing, then one should still dd everything but the preloader, which instead should be zeroed out {dd if=/dev/zero of=/dev/block/mmcblk0boot0}. Then amonet would be used to clear our RPMB, and put the preloader back. One of the current seeming issues is that amonet appears to write LK exploit into the memory area outside of boot0 size (thus precluding dd operation for that piece of code into boot0) - see this link for details. If this issue could be addressed, then HD8 2018 could be unlockable without ever opening the case.
My HD8 2016 output:
Code:
C:\Program Files\Minimal ADB and Fastboot>adb shell
[email protected]:/ $ cd /data/local/tmp
[email protected]:/data/local/tmp $ chmod 755 mtk-su
[email protected]:/data/local/tmp $ ./mtk-su -v
Building symbol table
kallsyms_addresses_pa 0x40ad8f00
kallsyms_num_syms 67082, addr_count 67082
kallsyms_names_pa 0x40b5c100
Size of kallsyms_names 805834 bytes
kallsyms_markers_pa 0x40c20d00
kallsyms_token_table_pa 0x40c21600
kallsyms_token_index_pa 0x40c21a00
Patching credentials
init_task va: ffffffc000edaa20
Possible list_head tasks at offset 0x338
0xffffffc0030c8338 0xffffffc050347638 0x000000000000008c
comm offset 0x5a8 comm: swapper/0
Found own task_struct at node 0
real_cred: 0xffffffc052669900, cred: 0xffffffc052669900
New UID/GID: 0/0
Setting selinux permissive
Found adrp at offset 4
ADRP x0, base is 0xffffffc001030000
Found ldr at offset 28
LDR [x0,444], selinux_enforce VA is 0xffffffc0010301bc
Switched selinux to permissive
starting /system/bin/sh
[email protected]:/data/local/tmp #
Edit: Despite my super careful SuperSu injection into FireOS 5.3.6.4 system image, I still could not get SuperSu to work after I restored this image using FlashFire. Regardless, the method from this thread also rooted 5.3.6.4 in no time! Awesome!
dutchthomas said:
Awesome! I just rooted my HD8 2017
For anyone that is confused by the process of manually installing SuperSu, I did the following:
1. Install SuperSu from Playstore
2. Download SuperSu and unzip somewhere
3. adb push arm64/su arm64/supolicy arm64/libsupol.so /data/local/tmp
4. Follow directions from OP to get a root shell. You should not get permission denied when running ls. If you see permission denied, run exit and try again. Took me a few tries
5. mount -o remount -rw /system
6. cp /data/local/tmp/su /system/xbin/su
7. cp /data/local/tmp/su /system/xbin/daemonsu
8. cp /data/local/tmp/supolicy /system/xbin/
9. cp /data/local/tmp/libsupol.so /system/lib/
10. cp /data/local/tmp/libsupol.so /system/lib64/
11. at this point, running su should work and show a root shell
12. daemonsu --auto-daemon
13. Open SuperSu app and allow it to update the su binary
My tablet hung at the boot logo when I manually installed SuperSu via the linked instructions. Installing the bare minimum and letting the SuperSu app do the rest seems like a less error-prone middle ground.
Thanks for this! I'm not sure if I'm doing it correctly, but everything works fine until I get to #11. Do I just type su? When I do, it says permission denied.
EDIT: Just tried the new commands you edited and it worked. My FireHD 8 7th gen is now rooted.
diplomatic said:
Software root method found for Mediatek MT8163, MT8173 and MT67xx!
Great work!
bibikalka said:
Now, for HD8 2018 I believe the following could work. 0) Drain the battery to really minimal amount ~ 3% 1) Run this to get temp root. 2) Zero out boot0 {dd if=/dev/zero of=/dev/block/mmcblk0boot0}. At this point the device should be booting into BootRom mode (as claimed by others - @xyz`, @hwmod, @k4y0z, can you confirm?). In BootRom, run the scripts from this link. If it hangs in BootRom, just let it sit disconnected from anything. The low battery should shut it down, and you can try again later in BootRom. Low battery would remove the need to open the case should the amonet script hang.
Actually, for HD8 2018, if RPMB does not need to be cleared, all of amonet steps could be done via dd while having a temporary root shell. One could dd all of LK/TZ/boot/recovery/preloader. If RPMB needs clearing, then one should still dd everything but the preloader, which instead should be zeroed out {dd if=/dev/zero of=/dev/block/mmcblk0boot0}. Then amonet would be used to clear our RPMB, and put the preloader back. One of the current seeming issues is that amonet appears to write LK exploit into the memory area outside of boot0 size (thus precluding dd operation for that piece of code into boot0) - see this link for details. If this issue could be addressed, then HD8 2018 could be unlockable without ever opening the case.
If you want to zero out preloader, you should do it this way:
Code:
su -c "echo 0 > /sys/block/mmcblk0boot0/force_ro; cat /dev/zero > /dev/block/mmcblk0boot0; echo 'EMMC_BOOT' > /dev/block/mmcblk0boot0"
that way the sanity check of amonet won't fail.
I'm not sure about the boot0 size on the HD8. According to @xyz` it is 4MB on the HD8 as well.
bibikalka said:
@diplomatic
Wow!!! This is crazy !!! Where have you been before??? I almost had to drill a hole into HD8 2016!!!
I tried this on HD8 2016, FireOS 5.3.2.1, and the method worked! It takes less than 1 second to run, way faster than any Kingoroot. I had to exit and run again to get system mounting permissions rw as per @dutchthomas recommendation {mount -o remount -rw /system}. Then I updated su manually (using armv7 binaries from SR5-SuperSU-v2.82-SR5-20171001224502.zip - on HD10 2017 I am always using armv7 versions as well), and let SuperSu update itself. Full success! SuperSu needs to be set to "Grant" as per this link.
Now, for HD8 2018 I believe the following could work. 0) Drain the battery to really minimal amount ~ 3% 1) Run this to get temp root. 2) Zero out boot0 {dd if=/dev/zero of=/dev/block/mmcblk0boot0}. At this point the device should be booting into BootRom mode (as claimed by others - @xyz`, @hwmod, @k4y0z, can you confirm?). In BootRom, run the scripts from this link. If it hangs in BootRom, just let it sit disconnected from anything. The low battery should shut it down, and you can try again later in BootRom. Low battery would remove the need to open the case should the amonet script hang.
Actually, for HD8 2018, if RPMB does not need to be cleared, all of amonet steps could be done via dd while having a temporary root shell. One could dd all of LK/TZ/boot/recovery/preloader. If RPMB needs clearing, then one should still dd everything but the preloader, which instead should be zeroed out {dd if=/dev/zero of=/dev/block/mmcblk0boot0}. Then amonet would be used to clear our RPMB, and put the preloader back. One of the current seeming issues is that amonet appears to write LK exploit into the memory area outside of boot0 size (thus precluding dd operation for that piece of code into boot0) - see this link for details. If this issue could be addressed, then HD8 2018 could be unlockable without ever opening the case.
Thanks for the feedback, bro! So the HD8 2016 is crossed off the untested list. For the HD8 2018, as far as I see, you can just flash the premade TWRP to recovery by dd. Why do you need to do the whole bootrom procedure? Then reboot to recovery to check if everything's ok. If not, Android will just restore the stock recovery on next boot. If TWRP works, just install Magisk or whatever you do to modify boot.
dutchthomas said:
Awesome! I just rooted my HD8 2017
For anyone that is confused by the process of manually installing SuperSu, I did the following:
1. Install SuperSu from Playstore
2. Download SuperSu and unzip somewhere
3. adb push arm64/su arm64/supolicy arm64/libsupol.so /data/local/tmp
4. Follow directions from OP to get a root shell. You should not get permission denied when running ls. If you see permission denied, run exit and try again. Took me a few tries
5. mount -o remount -rw /system
6. cp /data/local/tmp/su /system/xbin/su
7. cp /data/local/tmp/su /system/xbin/daemonsu
8. cp /data/local/tmp/supolicy /system/xbin/
9. cp /data/local/tmp/libsupol.so /system/lib/
10. cp /data/local/tmp/libsupol.so /system/lib64/
11. at this point, running su should work and show a root shell
12. daemonsu --auto-daemon
13. Open SuperSu app and allow it to update the su binary
My tablet hung at the boot logo when I manually installed SuperSu via the linked instructions. Installing the bare minimum and letting the SuperSu app do the rest seems like a less error-prone middle ground.
Oh, nice, thanks for this... This is more straightforward than doing it "offline". I just realized Chainfire has instructions specifically for dealing with exploits here.
diplomatic said:
Thanks for the feedback, bro! So the HD8 2016 is crossed off the untested list. For the HD8 2018, as far as I see, you can just flash the premade TWRP to recovery by dd. Why do you need to do the whole bootrom procedure? Then reboot to recovery to check if everything's ok. If not, Android will just restore the stock recovery on next boot. If TWRP works, just install Magisk or whatever you do to modify boot.
Flashing TWRP isn't enough.
LK-payload needs to be written to boot0 at offset 0x200000.
Additionally you need to have the correct version of LK installed.
If you have an older version it could just be overwritten.
If your installed LK is newer, you will have to zero out RPMB.
LOL
Very nice!
Awesome work @diplomatic
If you had discovered it before, I would not have asked you to compile TWRP for the BQ M8 and I would not have bothered you. By the way I prefer to have TWRP. (thanks!)
I have reinstalled stock in my BQ M8 and the script has worked! If you want you can add it to the list of devices...
On Fire 7 7th Gen it did not work. But we have TWRP.
EDIT: I have tried again and now I get this error
Code:
130|[email protected]_M8:/data/local/tmp $ ./mtk-su -v
Building symbol table
kallsyms_addresses_pa 0x40a43000
kallsyms_num_syms 49221, addr_count 49221
kallsyms_names_pa 0x40aa3400
Size of kallsyms_names 602609 bytes
kallsyms_markers_pa 0x40b36600
kallsyms_token_table_pa 0x40b36c00
warning: token_count 1
kallsyms_token_index_pa 0x40b36d00
Patching credentials
__ksymtab_init_task not found
New UID/GID: 2000/2000
Setting selinux permissive
find_selinux_enforce_var() returned -1
starting /system/bin/sh
k4y0z said:
Flashing TWRP isn't enough.
LK-payload needs to be written to boot0 at offset 0x200000.
Additionally you need to have the correct version of LK installed.
If you have an older version it could just be overwritten.
If your installed LK is newer, you will have to zero out RPMB.
diplomatic said:
... For the HD8 2018, as far as I see, you can just flash the premade TWRP to recovery by dd. Why do you need to do the whole bootrom procedure? Then reboot to recovery to check if everything's ok. If not, Android will just restore the stock recovery on next boot. If TWRP works, just install Magisk or whatever you do to modify boot.
Yep! Cannot just flash TWRP on HD8 2018 - need to also unlock bootloader, otherwise TWRP won't boot. Which is not a problem, and in theory can be done all via dd - except for the amonet address issue (2Mb), see more below.
k4y0z said:
If you want to zero out preloader, you should do it this way:
Code:
su -c "echo 0 > /sys/block/mmcblk0boot0/force_ro; cat /dev/zero > /dev/block/mmcblk0boot0; echo 'EMMC_BOOT' > /dev/block/mmcblk0boot0"
that way the sanity check of amonet won't fail.
I'm not sure about the boot0 size on the HD8. According to @xyz` it is 4MB on the HD8 as well.
OK - once boot0 is zeroed out, how does one get into BootRom after that? One basically turns off the tablet, and then plugs it into Linux with amonet listening? Which tablet models were tested so far with this BootRom activation method?
For the boot0 size, see these outputs from 2 tablets, 'cat /proc/partitions'. In both cases, boot0 is only 1Mb - 1024 blocks below. So it's not possible to dd beyond that 1Mb from within FireOS. If the exploit was placed at ~512 Kb, then it'd be all in range.
Fire HD8 2016:
Code:
major minor #blocks name
179 0 15388672 mmcblk0
179 1 3072 mmcblk0p1
179 2 5120 mmcblk0p2
179 3 10240 mmcblk0p3
179 4 10240 mmcblk0p4
179 5 256 mmcblk0p5
179 6 500 mmcblk0p6
179 7 16268 mmcblk0p7
179 8 16384 mmcblk0p8
179 9 6144 mmcblk0p9
179 10 512 mmcblk0p10
179 11 8192 mmcblk0p11
179 12 10240 mmcblk0p12
179 13 1024 mmcblk0p13
179 14 5120 mmcblk0p14
179 15 5120 mmcblk0p15
179 16 40320 mmcblk0p16
179 17 1024 mmcblk0p17
179 18 1024 mmcblk0p18
179 19 1653024 mmcblk0p19
179 20 434176 mmcblk0p20
179 21 512 mmcblk0p21
179 22 16384 mmcblk0p22
179 23 4320 mmcblk0p23
179 24 13138927 mmcblk0p24
179 96 4096 mmcblk0rpmb
179 64 4096 mmcblk0boot1
179 32 1024 mmcblk0boot0
179 33 2 mmcblk0boot0p1
179 34 2 mmcblk0boot0p2
179 35 256 mmcblk0boot0p3
179 36 747 mmcblk0boot0p4
Fire HD8 2018:
Code:
major minor #blocks name
179 0 15267840 mmcblk0
179 1 3072 mmcblk0p1
179 2 4608 mmcblk0p2
179 3 1024 mmcblk0p3
179 4 1024 mmcblk0p4
179 5 1024 mmcblk0p5
179 6 5120 mmcblk0p6
179 7 5120 mmcblk0p7
179 8 40448 mmcblk0p8
179 9 512 mmcblk0p9
179 10 8192 mmcblk0p10
179 11 16384 mmcblk0p11
179 12 20480 mmcblk0p12
179 13 3177472 mmcblk0p13
179 14 230400 mmcblk0p14
179 15 512000 mmcblk0p15
179 16 11240431 mmcblk0p16
179 96 4096 mmcblk0rpmb
179 64 4096 mmcblk0boot1
179 32 1024 mmcblk0boot0
179 33 2 mmcblk0boot0p1
179 34 2 mmcblk0boot0p2
179 35 256 mmcblk0boot0p3
179 36 747 mmcblk0boot0p4
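Added example (not part of any post in this thread): the size argument above, checked in Python against the boot-area rows of the Fire HD8 2018 listing. The function names and the 0x1000-byte write length are assumptions made for illustration; the 0x200000 offset and the ~512 KiB alternative are the figures quoted in the thread.

```python
import re

# Constructed sample: the boot-area rows copied from the Fire HD8 2018
# 'cat /proc/partitions' listing in the post above.
SAMPLE = """\
major minor #blocks name
179 0 15267840 mmcblk0
179 96 4096 mmcblk0rpmb
179 64 4096 mmcblk0boot1
179 32 1024 mmcblk0boot0
179 33 2 mmcblk0boot0p1
179 34 2 mmcblk0boot0p2
179 35 256 mmcblk0boot0p3
179 36 747 mmcblk0boot0p4
"""

BLOCK_BYTES = 1024  # /proc/partitions reports sizes in 1 KiB blocks


def parse_partitions(text):
    """Return {device_name: size_in_bytes} from /proc/partitions text."""
    sizes = {}
    for line in text.splitlines():
        fields = line.split()
        # Data rows are "major minor #blocks name"; skip header and blanks.
        if len(fields) != 4 or not all(f.isdigit() for f in fields[:3]):
            continue
        sizes[fields[3]] = int(fields[2]) * BLOCK_BYTES
    return sizes


def write_fits(sizes, device, offset, length):
    """True if [offset, offset + length) lies inside the device as exposed
    by the kernel, i.e. the range a block-device write could reach."""
    if device not in sizes:
        raise KeyError(f"{device} is not listed in /proc/partitions")
    if offset < 0 or length <= 0:
        raise ValueError("offset must be >= 0 and length > 0")
    return offset + length <= sizes[device]


def sub_partition_total(sizes, device):
    """Bytes covered by the pN sub-partitions listed under a device."""
    child = re.compile(re.escape(device) + r"p\d+")
    return sum(v for k, v in sizes.items() if child.fullmatch(k))


if __name__ == "__main__":
    sizes = parse_partitions(SAMPLE)
    dev = "mmcblk0boot0"
    print(dev, "exposed size:", hex(sizes[dev]))
    # 0x1000 is a hypothetical write length, used only to test the range.
    for off in (0x200000, 0x80000):
        print(hex(off), "fits:", write_fits(sizes, dev, off, 0x1000))
```

The check only reflects the size the kernel exposes for the device node; it says nothing about the physical size of the eMMC boot area, which the thread reports differently.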
@diplomatic - awesome work - just had to give it a go for myself...
Factory reset my HD8 (2017) (root originally via @t0x1cSH "Fire hd8 2017 root, debrick" post) and followed your post plus the 'speedy SU install' from @dutchthomas - post 10.
One difficulty: mtk-su seemed to run fine and UID= 0 was shown - but I did have trouble getting the 'mount -o remount -rw /system' command to work at first - it needed a few attempts.
And then, using the work-through from post 10, I couldn't get full root (i.e. 'su' accepted at command prompt) until I changed permissions on each of the copied SU components (su, daemonsu etc) to those prescribed in @<br />'s awesome Hardmod post.
Bit strange? I was using Fire OS 5.3.6.0 - I wonder if version makes any difference? Got there eventually tho' :good:
bibikalka said:
Yep! Cannot just flash TWRP on HD8 2018 - need to also unlock bootloader, otherwise TWRP won't boot. Which is not a problem, and in theory can be done all via dd - except for the amonet address issue (2Mb), see more below.
OK - once boot0 is zeroed out, how does one get into BootRom after that? One basically turns off the tablet, and then plugs it into Linux with amonet listening? Which tablet models were tested so far with this BootRom activation method?
For the boot0 size, see these outputs from 2 tablets, 'cat /proc/partitions'. In both cases, boot0 is only 1Mb - 1024 blocks below. So it's not possible to dd beyond that 1Mb from within FireOS. If the exploit was placed at ~512 Kb, then it'd be all in range.
When you execute that command, simply turn off the tablet and when you connect it to the PC it will detect it in BootROM Mode. Checked in Fire 7 2017.
Wait, will this work for a mt6753 chipset?
