***If using the XDA Labs app, please stop, select the 3-dot menu button in the top right, and view this thread from a browser because of formatting issues with the Labs app. This is to help make the OP easier to follow along with.***
**Please Read First**
This will be the main, and ONLY, thread we will keep updated for the progress of root on the Snapdragon variants of these phones from here on out.
The other few threads are multi-topic and confusing, both for people anticipating root and for us working on it trying to sift through comments to keep each other updated. Those will be cleaned up to avoid confusion as well. This will make it easier for everyone to check back to see any new progress, as I will be updating the OP whenever we make movement.
**First, and foremost, I would like to recognize and thank @STF_TimelessGoD for his work on the initial post R&D Carrier Switch/Root Snapdragon. Without his time and effort putting that thread together and maintaining it, there would still be a lot of unanswered questions and we probably would not be as far as we are**
That thread will still continue for the Carrier Switching and a full guide is available at this link
[HOW TO] Carrier Switch For S8 Snapdragon
---------------------------------------------------
Current Root Progress
We are currently working on 2 main possible methods for this. Refer to each method in RED below the Key Notes.
Please, if you do not know what terms are, or what files are, Google search them to avoid filling the thread with easily answered questions
*UPDATE* 1 - 6-19_2:34pm CST
We are looking for relevant files to properly flash from EDL Mode. If anyone can get their hands on these 3 files, specific for our chipset, PLEASE let us know.
The first 2 are the main ones needed, as the provisioning can possibly be made from provisioning info already on the phone.
- prog_ufs_firehose_8998_ddr.elf
- prog_ufs_firehose_8998_lite.elf
- provision_samsung.xml
*UPDATE* 2 - 6-19_9:00pm CST
We have acquired the necessary ELF files from above. Now doing more research on proper ways to use them, as they are Qualcomm/device specific.
*UPDATE* 3 - 6-22_1:34am CST
Much, much time spent combing through the code of these files and the tools that are able to handle them, as well as the verification process Android uses in conjunction with Qualcomm between all 3 bootloaders and the... Learned a lot tonight.
We learned enough to be able to begin some new tests tomorrow that is not the same as either of the methods below. However I cannot at this time divulge the method being used and for that I am sorry!
*UPDATE* 4 - 6-28_4:35pm CST
We studied up a lot on SELinux and the way that Nougat 7.0 has changed how security works, and are currently working on adb permissive with *a debuggable user* kernel. Refer to the Update in Key Notes for more info.
-METHODS UPDATED WITH METHOD 3
Key Notes
In general order of them happening/being found out.
- Pre-Release Combo Firmware is the only known firmware to contain Allow OEM Unlock and to have SELinux set to permissive by default. However, @elliwigy went through this thoroughly and found that permissive did literally nothing to help elevate privileges as it should have, and that the OEM unlock check box didn't seem to have any effect on secure boot.
- Received multiple ENG Boot files; none of them contained system write capabilities as they should have, so they were no help. Someone (leaving names out) said they had an ENG Boot with full root access that he would share, but stopped all involvement in the thread and we never heard back from him. Generally, just about always, an ENG Boot has system write capabilities, as that's the point of an Engineering Kernel.
- SELinux Permissive was achieved on Stock firmware by @STF_TimelessGoD, but it caused the phone to not charge past 80%. Trying to get into a su shell from adb says it is started as root, but doesn't actually enter a root shell. @elliwigy tested this out as well with the same results. Otherwise, same problems as above.
- @elliwigy got ahold of an actual ENG Boot; however, trying to flash from Odin, the phone returned "This is ENG binary. Please use USER binary! (boot.img)". Meaning 2 things: 1, it is a true ENG Boot with system access, and 2, Samsung really stepped up their security.
- Chainfire Auto root does NOT work on our devices. To be clear, Chainfire's website has a bot that auto-compiles for all new devices regardless of whether it is capable or not. He did take a look at our device, but decided he wasn't going to spend the mass amount of time on it that is needed, like we currently are!
- Next we looked at multiple security vulnerabilities that would allow escalated privileges (access to the system). Ended up deciding against this as we do not have a dev on the project with exploit building knowledge.
- I brought up EDL mode as a possibility, which is not supposed to be supported on Samsung as it needs fastboot, normally. Without fastboot, you are supposed to use a proprietary EDL cable (easily made) to force your phone into it, which was still thought to be inaccessible on Samsung. After a lot of research on how it SHOULD be done, we had mixed results, until @BotsOne by chance found you could get into EDL from the adb command line with the phone on. So this is part of one of our methods below.
- I'm looking at modifying a serial flash tool to know the partition table of our devices, to make EDL mode properly work for us. This is so we can flash individual partitions and not the whole system.
- *UPDATE* 2 - No need to modify a serial flash tool, as using the ELF files from earlier takes care of that work. Working with them now to fully understand and operate with them.
- *UPDATE* 4 - With the help of a fellow dev, @akiraO1, who has much more SELinux experience than us, we were able to get a foot in on changing things and making our SELinux fully permissive. There is a prop setting that made it kind of tight, but changing persist.security.ams.enforcing *AND security.perf_harden* to 0 fixed most of this. But there is still much more, as the fstab inside the boot.img has system set to ro. We are working on this, but things are looking up.
METHOD 1
Flashing Modified Bootloader Via EDL Mode
Modify a current serial flashing tool (such as the Mi flash tool) to include our partition table and options to flash to certain partitions individually
Modifying the bootloader source code to be unlocked, then flashing the unlocked bootloader via EDL
At that point we could Odin Twrp and then flash whatever we wanted
METHOD 2
Flashing True ENG Boot Via EDL Mode
- As with the first method, would need to modify a serial flashing tool for this.
- First check would be to flash the True ENG Boot to the device via EDL.
- Then check if it boots, because you can't Odin the ENG Boot without it failing, as stated in Key Notes above. Because EDL has elevated privileges, it will flash to the device, but we have to see, upon starting, if it will still binary check and stop it from booting.
- If it boots, we should then be able to access su shell, and run a batch to obtain system root as usual.
METHOD 3 - Update 4
Modifying Boot Parameters with SELinux
- Using the permissive boot for which we figured out the proper capabilities
- Gain access to proper partitions to make the phone load a custom selinux profile that allows rw to system
- Mount system r/w and install su binaries via adb
- Modify remaining parameters needed within boot.img and create a runnable script for everyone!
^^EVERYTHING ABOVE WILL BE UPDATED AS PROGRESS IS MADE, WITH EDIT DATES. JUST LOOK FOR THE WORD *UPDATE* NEAR RELEVANT AREAS.^^
All Relevant Files, Hosted Courtesy Of @Maltego
- CLICK HERE -
------------------------------------------------------------------------------------------
Current Contributors
@elliwigy
@Maltego
@STF_TimelessGoD
@BotsOne
@mweinbach
+ @akira01
+ @Harry44
**If you would like to help or contribute in any way, please message me.**
It may take a bit to get back to you, and for that I apologize
---------------------------------------------------------------------------------------------
**Please be patient with us as this is not a simple task and it is not a standard root method that has ever been used on Samsung as EDL was not previously available**
**reserved**
IF YOU ARE LOOKING AT THIS FROM THE XDA LABS APP, YOU WILL OF COURSE NOTICE THE LACK OF COLORS AND SLIGHTLY AWKWARD FORMATTING.
-This is an issue with the app's ability to parse BBCode format, and I cannot fix that. So just try to look for the update tags or use a web browser. Sorry for the inconvenience.
We will keep working on root guys. Do not worry. We are as close as you will get to professionals.
Nice job clarifying where we are and separating the 2 threads, I think this was greatly needed.
Nicely constructed thread showing our progress, good job!
Also this came to my mind, what about flashing those ENG files @elliwigy got through EDL mode?
Interceptor777 said:
Nicely constructed thread showing our progress, good job!
Also this came to my mind, what about flashing those ENG files @eliwigly got through EDL mode?
We thought of that. We are missing 3 files we need.
mweinbach said:
We thought of that. We are missing 3 files we need.
Ah, I'm assuming those are EDL programmer files?
Interceptor777 said:
Ah, I'm assuming those are EDL programmer files?
Correct!
Interceptor777 said:
Ah, I'm assuming those are EDL programmer files?
Yep. We need $3500 to get into Samsung GSPN. So we are working on alternative methods.
mweinbach said:
Yep. We need $3500 to get into Samsung GSPN. So we are working on alternative methods.
Not necessarily that was just that one person i got a reply from another last night waiting to see the price
STF_TimelessGoD said:
Not necessarily that was just that one person i got a reply from another last night waiting to see the price
well, for now. thats what we need.
Glad to know that brilliant brains are working on the root. This rooting procedure will only be for G950U/G955U, and not for the Canadian variant G950W?
sky66high said:
Glad to know that brilliant brains are working on the root. This rooting procedure will only be for G950U/G955U, and not for the Canadian variant G950W?
It should work for the Canadian variant. We will update everyone when we get root.
Interceptor777 said:
Ah, I'm assuming those are EDL programmer files?
STF_TimelessGoD said:
Correct!
Are EDL programmer files from the same chipset enough?
If you can get EDL programmer files from the msm8998 chipset, we will be golden.
Yay new post to follow. Thanks.
yxexy said:
Are EDL programmer files from the same chipset enough?
Do you have access to said files? If so please pm the op.
Interceptor777 said:
Ah, I'm assuming those are EDL programmer files?
I was going to add those to the OP. Spent like 4 hours on the OP because I had to scroll the original thread. And still work on everything at the same time. I got burnt out and slightly forgot. Will add those within the next few hours
sky66high said:
Glad to know that brilliant brains are working on the root. This rooting procedure will only be for G950U/G955U, and not for the Canadian variant G950W?
As stated above, this should theoretically be for all snapdragon variants. Minus the g9500 which is the Chinese "duo" version. As they aren't compatible with Google play *as far as I know*
Things may change and we may end up needing extra testers for verification
Acoustichayes said:
As stated above, this should theoretically be for all snapdragon variants. Minus the g9500 which is the Chinese "duo" version. As they aren't compatible with Google play *as far as I know*
Things may change and we may end up needing extra testers for verification
Wait what? You have something in the works that works?
Related
Hello,
I have bought a North American (Canadian, to be exact) Galaxy Gio (S5660M, with an additional "M" from the European model).
There are lots of tutorials about S5660 rooting and unlocking, but none for S5660M. There have been some reports that flashing S5660 firmware on S5660M to root and unlock made their phones unusable (randomly changing screen brightness, etc).
I tried searching on google and XDA, but could not find any relating to S5660M.
Is it too early to see any rooting/unlocking on S5660M?
Thank you very much!
Hello,
After some reading on here to compare unlock methods, I decided to take the leap into the unknown. I used the one published in this thread. (EDIT: Check out this one instead, perfectly safe.) (It turns out that the Gravity Smart, Galaxy Q, 551, 550, Mini, Ace, Fit, and Gio are siblings in a few respects. They all share Qualcomm 7x27 family SoCs.)
One deviation from the above linked thread is that SuperOneClick does not work on the 2.3.4 MUGK3 firmware. Updated versions of SuperOneClick do work with the firmware. Worst case scenario the program won't finish gracefully, but you'll have a root shell and you can work from there.
I've uploaded my modified superuser zip that'll work with the 5660M. Install through recovery mode. Removed - the superuser files within were long obsolete. Get the current ones through proper channels.
I wouldn't risk flashing the ROMs posted here until we can get a complete backup ROM, either from samfirmware.com (they don't have one yet) or through efforts here. I'll be starting another thread here for that purpose. Backup made a long time ago and SamMobile has had an official Odin image for some time as well.
There's been some issues reported with the 5660M, ranging from odd screen brightness behavior to bricking. (Many ROMs initially posted for the 5660, left "as is" also flash both the kernel and radio: not good.)
Goodbye,
Darkshado
Thank you for the reply! I have successfully rooted & unlocked using the modified zip. I am not sure if it was your's (I have done it prior to looking at your reply... ), but it worked!
thank you!
Darkshado said:
Hello,
After some reading on here to compare unlock methods, I decided to take the leap into the unknown. I used the one published in this thread. (It turns out that the Mini, Ace and Gio are siblings in a few respects.) Make extra sure to follow the steps intelligently, especially the bit right after you get your code.
One deviation from the above linked thread is that SuperOneClick does not work on the 2.3.4 MUGK3 firmware.
I've uploaded my modified superuser zip that'll work with the 5660M. Install through recovery mode.
I wouldn't risk flashing the ROMs posted here until we can get a complete backup ROM, either from samfirmware.com (they don't have one yet) or through efforts here. I'll be starting another thread here for that purpose.
There's been some issues reported with the 5660M, ranging from odd screen brightness behavior to bricking. (The ROMs posted for the 5660, left "as is" also flash both the kernel and radio: not good.)
Goodbye,
Darkshado
Could you tell me how I could unlock my phone too?
New tonight
Just picked up a GIO here tonight.
BTW Future Shop in Canada has these on for $80 right now.
I think this is a great deal, for a very responsive 2.3 android phone.
OK,
So S5660M is the version in Canada, it would seem. I think there are going to be quite a lot of owners because of the pricing.
We should use this thread or another to set up a definitive list of what works.
1. How to root the phone.
2. Unlocks that work - I have heard some methods brick Ms very easily. What is the best unlock method specific to the M?
3. What ROMs can we use? do we need to have our own set of modified roms because of the modem portion?
4. Overclocking.. I have heard these can clock up to 1100 and run awesome!!
This is my wish list.
James
Hello James. Welcome to XDA.
Whoa there early thread starter! Use the search engine before even thinking of starting another thread. We don't have a dedicated Gio forum at the moment so things are scattered all over. Advanced search is handy as it outputs threads instead of posts.
Biker1bob said:
1. How to root the phone.
Same as a lot of other phones, apply a zip file through CWM. You could also flash an already rooted ROM with Odin.
2. Unlocks that work - I have heard some methods brick Ms very easy. What is the best unlock method specific to the M
The bml5 method is safe. I noticed I had left a link to the older and unsafe stl5 method in my post above and removed it.
And keep your unlock code accessible somewhere on the phone. This phone is known to relock itself to Bell in some specific scenarios.
3. What ROMs can we use? do we need to have our own set of modified roms because of the modem portion
Yes, and no. If you only flash system.rfs, and maybe boot.img, it should work based on what others have reported.
I've cooked up a ROM for the 5660M that's called ArpegGioMod if you want to have a look.
Another point to consider if you want to run your phone in French: the Eurasian ROMs may or may not have that locale, and will likely have an AZERTY keyboard instead of a QWERTY one.
Do not flash radio (AMSS) or the other bootloaders from the Euro 5660. The former will make you lose all cellphone connection, the latter is unnecessary and increases your chances of bricking.
4. Overclocking.. I have heard these can clock up to 1100 and run awsome!!
Where'd you get that? The only kernel mods I've seen so far for any Gio are all ramdisk modifications that left the stock kernel untouched.
Just to clarify, Darkshado, by "bml5 method" you mean this?
0) brand new locked GT-S5660M phone from the store
1A) root the device using this zip
http://forum.xda-developers.com/showpost.php?p=16962635&postcount=2
simplest method :
1.1 To begin, download the zip file from the link above and copy it to the root of your SD card.
1.2 Power the phone off.
1.3 Boot into recovery mode by holding the middle button and pressing the power button.
1.4 Once in recovery mode, select update from sdcard and choose the update.zip that you copied to your SD card.
1.5 Let the file flash and once done, reboot your phone.
OR
1B Follow EDIT2, for temp rooting on same URL below
2. Follow exact instructions as per here:
http://forum.xda-developers.com/showpost.php?p=17148825&postcount=334
(with the slight modification for HEX code to search specified here http://forum.xda-developers.com/showpost.php?p=17311381&postcount=358 )
Question: Does it matter if there is a SIM card in the phone when following these instructions ?
Any thoughts about "Network Lock Control Key" ?? ( ... would appear that this shows up as a separate issue for some users some time after unlocking see:
http://forum.xda-developers.com/showthread.php?t=992564 )
THANK YOU so much for confirming I got this right....I just want to make sure I am not missing anything, and these instructions are really safe as far as you know before attempting anything.
Darkshado said:
Hello James. Welcome to XDA.
Whoa there early thread starter! Use the search engine before even thinking of starting another thread. We don't have a dedicated Gio forum at the moment so things are scattered all over. Advanced search is handy as it outputs threads instead of posts.
Same as a lot of other phones, apply a zip file through CWM. You could also flash an already rooted ROM with Odin.
The bml5 method is safe. I noticed I had left a link to the older and unsafe stl5 method in my post above and removed it.
And keep your unlock code accessible somewhere on the phone. This phone is known to relock itself to Bell in some specific scenarios.
Yes, and no. If you only flash system.rfs, and maybe boot.img, it should work based on what others have reported.
I've cooked up a ROM for the 5660M that's called ArpegGioMod if you want to have a look.
Another point to consider if you want to run your phone in French: the Eurasian ROMs may or may not have that locale, and will likely have an AZERTY keyboard instead of a QWERTY one.
Do not flash radio (AMSS) or the other bootloaders from the Euro 5660. The former will make you lose all cellphone connection, the latter is unnecessary and increases your chances of bricking.
Where'd you get that? The only kernel mods I've seen so far for any Gio are all ramdisk modifications that left the stock kernel untouched.
So I'm pretty new here... I have a Gio and my USB port is messed up. I wiped the phone the other day and the network lock came back on. So, seeing that I can't use any USB, what should I do?
thanks in advance
IMEI: Mod Edit: IMEI # Removed...not a great idea to post them on a public forum
Let me start with things you shouldn't do:
-Resurrect two year old, stale, threads.
-Post your IMEI for everyone to see.
Exactly *how* is your USB port messed up? Just not talking to the computer or not working at all?
Are you rooted? If not, get that sorted out by using one of the exploits that worked on Gingerbread. You'll have to do it manually, no SuperOneClick for you. (Although the binaries included might come in handy.)
It is possible to do the commands to get bml5 via a terminal emulator app, and then transfer that file over wi-fi. (Samba, WebDAV, FTP, Dropbox, etc...)
I'm not sure anymore if this is possible in GB, but look into using ADB over Wi-Fi instead of USB. I sold my Gio months ago, and all of my current devices run 4.1+.
I believe this section is dead for the most part...
As many of you should know, those of us who took the OTA update have no way of rooting if Towelroot does not work... (futex patched)
However there is hope!
I am not very knowledgeable about exploits or reverse engineering...
There are two exploits that may be able to get us root when combined.
CVE-2014-7911 (gets us system uid)
CVE-2014-4322 (goes from system to root)
There is public poc code to do this...
However we need something...
I am working on getting the kernel symbols
When you get started please consider creating a thread in the Developers ONLY area which is heavily moderated. Good luck in this endeavor!!!
KennyG123 said:
When you get started please consider creating a thread in the Developers ONLY area which is heavily moderated. Good luck in this endeavor!!!
I figured that this may get more attention here....
I really do hope we can get root ASAP
I dunno if the 4.3 kernel will work. I don't see why the addresses would have been changed, but I am not a developer nor an experienced hacker. (After some research this is probably incorrect)
Just need someone with the stock kernel and root so we can get the addresses for CVE-2014-4322 and GG
Can you move this post or should I just create another thread in the developers section?
I'm rooted with Towelroot, on the Superliterom developed by mohammad.afaneh
http://forum.xda-developers.com/galaxy-s3-verizon/development/rom-superliterom-v1-0-i535vrudne1-t2805797
Not sure if that qualifies as stock kernel. I'd love to help as long as you can give me detailed instructions. If necessary I'm willing to go back to true stock if it helps unlock the bootloader so I can find a rom that's easier on the battery.
What do the commands you posted do, and what do you mean by "drop a link"? You can see I don't have much experience "under the hood".
IWellHeThanks said:
I'm rooted with Towelroot, on the Superliterom developed by mohammad.afaneh
http://forum.xda-developers.com/galaxy-s3-verizon/development/rom-superliterom-v1-0-i535vrudne1-t2805797
Not sure if that qualifies as stock kernel. I'd love to help as long as you can give me detailed instructions. If necessary I'm willing to go back to true stock if it helps unlock the bootloader so I can find a rom that's easier on the battery.
What do the commands you posted do, and what do you mean by "drop a link"? You can see I don't have much experience "under the hood".
If you're able to be on 4.4.2 that is rootable via Towelroot, it's not the exact kernel that I and others are on, because futex is patched on the latest OTA. If you're able to boot into the stock ROM (don't update if possible, may lose root?), those commands (from my understanding) get us the addresses we need for the root on the latest OTA. I remember reading that they get randomized every time it's compiled, so it may not help. If someone more knowledgeable about this can help, that would be great. No hurt in trying though. Just need you to do those commands, then upload kallsyms and leave a link. Open it with a text editor and make sure it's not all 0's then words etc. Needs to be numbers then text, which is why root is required to do that... If we can get those addresses for the updated kernel we can get root on latest. I doubt we're getting Lollipop....
Ok guys I have the boot.img for my device, the prepaid on nf5
I will get kernel from it when I can and then we are close...
Today I upgraded to an S5, so I can now afford to get locked into a stock ROM on the S3. So if someone more knowledgeable can help me get this phone to the point where it gets you the data you need, I'll do it. In fact, I may be willing to send you this phone in a few weeks and you can borrow it for development if you promise to eventually return it with CyanogenMod 10.x or another AOSP ROM on it. If it needs to be connected to get the latest OTA "up"grades then I'll get those going. My plan for the S3 is now to keep it as a backup. Saves me from paying for insurance on the new one.
Just to clarify on the commands; each line is a separate command, right? Right now kallsyms is 000000 textetc. . . I inputted the commands assuming each line was a separate command, hit the "enter" key after each line. It definitely accessed SU to do it as well.
I don't have a file upload account but if it's possible to upload it here or e-mail it I'm happy to do so.
What firmware build are you on and what's your model? If you're not on a locked BL yet then don't lock it...
To clarify, I am on NF5 on the I535PP. I think that after each time the kernel is compiled the addresses are randomized... I have the compressed kernel binary from an update.tar.md5... I need to figure out how to decompress it... could I load it in qemu and do a RAM dump? We basically just need the kernel symbols for the exploit to modify the PoC to work for our devices. The build date on mine is Jul 22, futex (Towelroot) is a no-go. I don't know if I535 and I535PP use the same kernel, I'll test when I get a chance.... If a mod could move this to development and change the title to "NF5 root progress" or something like that, it would be great.
Ok guys, I am working on extracting the kernel, then the kernel addresses should be easily obtainable, then I can build the binary for 7911 to run as system and GG
When I get home I will begin. I really hope I don't run into any issues...
Btw, I am not wanting/expecting donations/bounties nor am I promising anything other than maybe a "thanks". I am not a developer and using public exploits and PoC makes me nothing special
OpenSourcererSweg said:
What firmware build are you on and what's your model? If you're not on a locked BL yet then don't lock it...
To clarify, I am on NF5 on the I535PP. I think that after each time the kernel is compiled the addresses are randomized... I have the compressed kernel binary from an update.tar.md5... I need to figure out how to decompress it... could I load it in qemu and do a RAM dump? We basically just need the kernel symbols for the exploit to modify the PoC to work for our devices. The build date on mine is Jul 22, futex (Towelroot) is a no-go. I don't know if I535 and I535PP use the same kernel, I'll test when I get a chance.... If a mod could move this to development and change the title to "NF5 root progress" or something like that, it would be great.
I'm pretty sure the bootloader is locked; that's why I'm interested in what you're doing I was very disappointed to learn that I couldn't install an AOSP ROM after I repaired my phone.
When I replaced the motherboard and booted up, it was running 4.4.2 (and everything was in Spanish lol). The SKU on the sticker of the phone I got the motherboard from is SCHI535ZKB so does that make it the I535ZK? The concept of hardware version is new to me (and causing me frustration with my new S5).
I think the firmware is NE1, but as I said I've got the Superliterom, so under build number it says
SUPERLITEROM! V2.0
KOT49H.I535VRUDNE1
But as I said, if it helps you (and therefore helps me) I can flash it back to stock and take the OTA upgrades til it's at the NF5 firmware. But as you said I expect I would lose root, and then be unable to get the info you wanted. Seems like a real catch-22, at least at the skill level I'm at.
Glad you're making progress and let me know if you think there's anything I can do to help.
Don't risk losing root in case I fail. You should be able to flash NE1 but don't flash NF5 or whatever. I don't think I will need someone who's already rooted since I am taking a different approach to getting the symbols. I hate using hex editors... Especially ones from the market and not on a PC....
I seem to have hit a brick wall... Great....
I don't seem to be able to decompress the kernel :/
I thought that most kernels on Android used gzip but binwalk says it's LZO and some stuff about encryption... My device storage is encrypted and I did copy the update from it.....
I'm going to decrypt my phone tonight and try again tomorrow....
When you hit a brick wall, use a sledgehammer.
My phone is encrypted, too, so I guess it would have given you the same issue had you tried with it.
Well, I am taking a different approach completely from what I originally thought I needed someone for.
I am trying to get the symbols from the kernel itself. I have gotten boot.img from the firmware, I have gotten zImage from boot.img. I am currently trying to get the goodies from zImage but having trouble getting at them. I am very confused because the gzip magic headers are there... When I use dd to get that saved and try to gunzip it I get an error about corruption... I need an uncompressed kernel to get the symbols for the Qualcomm CVE...
Once I get those I just plug those symbol values into PoC code I found on GitHub, build the binary with the NDK, then take that binary and put it in a folder from the other part of the PoC, build the app using Android Studio, test it, then boom. Everyone with the same kernel *SHOULD* have root
If any of you devs with reverse engineering know-how could point me in the right direction for getting the uncompressed kernel binary, please do.
Google simply isn't helping at this point.
Basically, fire off CVE-2014-7911.
With system privileges, execute the binary and GG
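The zImage extraction step the poster above is stuck on (gzip magic is visible, a dd-carved slice fails to gunzip) and the S8 thread's Update 4 note that the fstab lives inside boot.img both come down to reading the same structure. The following is an added example in Python, not code from any poster or from the PoC repository mentioned: it parses the classic AOSP boot.img header (8-byte "ANDROID!" magic, 32-bit sizes, page-aligned kernel/ramdisk/second sections), carves the kernel and ramdisk out, finds the compressed payload inside the zImage by its magic, and decompresses a gzip payload with zlib so the bytes that follow the stream (the decompressor stub's size word, padding, an appended DTB) do not trip it the way they make gunzip(1) report corruption or trailing garbage. The image built by make_sample_bootimg() is constructed here and is not real firmware; the ramdisk (the gzip'd cpio that holds the fstab) is only carved, not unpacked.

```python
"""Parse an Android boot.img and pull an uncompressed kernel out of its zImage.

Added example, not code from the threads above.  Assumes the AOSP v0-style
boot image layout and a zImage whose payload is wrapped with a standard
gzip/LZO/xz/LZ4 magic.  The sample image is constructed, not real firmware.
"""
import gzip
import struct
import zlib

BOOT_MAGIC = b"ANDROID!"
# magic, kernel_size, kernel_addr, ramdisk_size, ramdisk_addr,
# second_size, second_addr, tags_addr, page_size
HDR_FMT = "<8s8I"

# Magic bytes the kernel's self-decompressing stub wraps its payload with.
COMPRESSION_MAGICS = {
    b"\x1f\x8b\x08": "gzip",
    b"\x89LZO\x00\r\n\x1a\n": "lzo",
    b"\xfd7zXZ\x00": "xz",
    b"\x02\x21\x4c\x18": "lz4",
}


def _pages(size, page_size):
    """Whole pages a section of `size` bytes occupies."""
    return (size + page_size - 1) // page_size


def parse_bootimg(blob):
    """Split a boot.img into cmdline, kernel bytes and ramdisk bytes."""
    if blob[:8] != BOOT_MAGIC:
        raise ValueError("not an Android boot image (bad magic)")
    (_, kernel_size, _kaddr, ramdisk_size, _raddr,
     second_size, _saddr, _tags, page_size) = struct.unpack_from(HDR_FMT, blob, 0)
    if page_size == 0 or page_size & (page_size - 1):
        raise ValueError("implausible page_size %d" % page_size)
    cmdline = blob[64:64 + 512].split(b"\x00", 1)[0].decode("ascii", "replace")
    kernel_off = page_size                                   # header is page 0
    ramdisk_off = kernel_off + _pages(kernel_size, page_size) * page_size
    second_off = ramdisk_off + _pages(ramdisk_size, page_size) * page_size
    if second_off + second_size > len(blob):
        raise ValueError("header sizes exceed image length (truncated dump?)")
    return {"page_size": page_size, "cmdline": cmdline,
            "kernel": blob[kernel_off:kernel_off + kernel_size],
            "ramdisk": blob[ramdisk_off:ramdisk_off + ramdisk_size]}


def find_compressed_payload(zimage):
    """(offset, kind) of the earliest known compression magic in a zImage."""
    hits = [(zimage.find(m), k) for m, k in COMPRESSION_MAGICS.items()]
    hits = [h for h in hits if h[0] != -1]
    if not hits:
        raise ValueError("no known compression magic found")
    return min(hits)


def gunzip_embedded(zimage, offset):
    """Decompress the gzip stream at `offset`, ignoring whatever follows it.
    gunzip(1) objects to that trailing data; zlib simply stops at stream end."""
    d = zlib.decompressobj(16 + zlib.MAX_WBITS)   # +16: expect a gzip header
    out = d.decompress(zimage[offset:])
    if not d.eof:
        raise ValueError("gzip stream is truncated (wrong offset or cut dump)")
    return out


def extract_kernel(blob):
    """boot.img bytes -> (cmdline, uncompressed kernel image)."""
    img = parse_bootimg(blob)
    off, kind = find_compressed_payload(img["kernel"])
    if kind != "gzip":
        raise NotImplementedError("payload is %s; use that decompressor" % kind)
    return img["cmdline"], gunzip_embedded(img["kernel"], off)


def make_sample_bootimg(page_size=2048):
    """Constructed sample: fake stub + gzip'd 'kernel' + trailing bytes,
    plus a tiny ramdisk, laid out with the real page alignment."""
    fake_kernel = b"Linux version 3.4.0-sample (constructed)\x00" + b"\x00" * 64
    zimage = (b"\xfe\xed\xfa\xce" * 8                  # stand-in for stub code
              + gzip.compress(fake_kernel)
              + struct.pack("<I", len(fake_kernel))    # size word after stream
              + b"\xd0\x0d\xfe\xed")                    # appended-DTB marker
    ramdisk = b"\x1f\x8b\x08" + b"\x00" * 13
    hdr = struct.pack(HDR_FMT, BOOT_MAGIC, len(zimage), 0x80208000,
                      len(ramdisk), 0x82200000, 0, 0, 0x80200100, page_size)
    hdr += struct.pack("<II", 0, 0) + b"sample".ljust(16, b"\x00")
    hdr += b"androidboot.selinux=permissive".ljust(512, b"\x00")
    hdr = hdr.ljust(page_size, b"\x00")

    def pad(b):
        return b.ljust(_pages(len(b), page_size) * page_size, b"\x00")
    return hdr + pad(zimage) + pad(ramdisk)


if __name__ == "__main__":
    import sys
    data = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else make_sample_bootimg()
    cmdline, kernel = extract_kernel(data)
    banner = kernel.find(b"Linux version ")
    print("cmdline:", cmdline)
    print("kernel: %d bytes, banner: %r" % (len(kernel), kernel[banner:banner + 48] if banner >= 0 else None))
```

Run it against a dumped boot.img and the "Linux version" banner in the output is the quick sanity check that the right offset was carved. If find_compressed_payload() reports lzo, lz4 or xz rather than gzip, that is the binwalk result the poster saw and the matching decompressor is needed instead; if the magic is not found at all, the dump was probably taken from an encrypted volume or cut short, which is a different problem from the gzip trailer.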
I created a thread asking for help in the dev section, hope I get this going.
https://github.com/android-rooting-tools/libmsm_vfe_read_exploit
...
This is probably useful, going to try it later.
When did NF5 come out?
Is there a new radio I can flash?
LLStarks said:
When did NF5 come out?
Is there a new radio I can flash?
He's speaking of the prepaid VZW S3 not the contract version
Sent from my Nexus 5
Reversing the kernel doesn't seem possible to me at all at this point with my limited knowledge of this... However I have been digging and it may be possible to get root by taking the Odin-flashable OTA, extracting the files, deleting the bootloader and recovery files, unpacking or mounting system.img and adding an SU binary (and setting permissions?), repacking, putting it all together and then flashing it via Odin. If I can obtain root this way, I'll be able to get what I need to try to make a 1-click root for others on mf5 (only the i535pp phones I believe) and then I can die happily.
I'm not much of a "developer" but I am determined to get this.
I have successfully built a flashable tar.md5 with a modified system.img.ext4 containing a su binary that I chowned as root under linux & chmoded
Also have supersu.apk chmoded and in the apps.
I am currently moving the tar.md5 to my sdcard from my pc and I am about to boot windows to see if I can now flash via Odin
If all goes well, I will be very happy indeed.
Well, I managed to soft brick my device.
I'm not entirely sure how I managed to do that...
I am about to flash stock again via odin, i should have backed up some files xD
I have tried the one click solutions and I'm getting nowhere. Even the shady ones don't work. Is there any word on rooting this tablet?
I just got my DL7006 and haven't gotten rooting to work either with the mainstream one-click root systems. Am trying to go the ADB shell route now, but I need to find the TWRP image (whatever that is). I'm a LINUX/UNIX person and I find this Android stuff REALLY frustrating.
I'm also looking for TWRP for DL8006. Unlocking the bootloader was easy.
I've unlocked the boot loader and nothing works either. I have the firmware sent to me directly from Digiland, but even with SP flash and MTK tools I can't seem to get anywhere. I'm no pro, that's a fact, but I've managed to gain root privilege on many devices that mainstream one clicks won't work on. This sucker just won't give up the ghost! If anyone can do anything with the FW I'd be happy to share it. If u make any progress all I ask is share the hell out of it!!
looking to root my DL8006 as well...
lsr992 said:
I've unlocked the boot loader and nothing works either. I have the firmware sent to me directly from Digiland, but even with SP flash and MTK tools I can't seem to get anywhere. I'm no pro, that's a fact, but I've managed to gain root privilege on many devices that mainstream one clicks won't work on. This sucker just won't give up the ghost! If anyone can do anything with the FW I'd be happy to share it. If u make any progress all I ask is share the hell out of it!!
If you have the opportunity to send that my way I can give it a shot because this is the tipping point of purchasing to see if it had root, and it is something i really want
Firmware
https://drive.google.com/file/d/1NXzgtfMXj_a0jZ5yrIZyQCq0fyDGpW4O/view?usp=drives
https://drive.google.com/file/d/1IASKKK_Y2yrPCZpvNIShRLxOGotfuKKE/view?usp=drivesdk
See if those work. They are the 2 digiland sent. Keep me posted please!
So there is an unofficial TWRP for one of the 2 firmwares for the dl7006 on the TWRP builder page. I submitted both boot.img files. I can't get it to work. Maybe someone else can.
lsr992 said:
I've unlocked the boot loader and nothing works either. I have the firmware sent to me directly from Digiland, but even with SP flash and MTK tools I can't seem to get anywhere. I'm no pro, that's a fact, but I've managed to gain root privilege on many devices that mainstream one clicks won't work on. This sucker just won't give up the ghost! If anyone can do anything with the FW I'd be happy to share it. If u make any progress all I ask is share the hell out of it!!
I figured a way to install magisk, no custom recovery required, no firmware required. Just the tablet, sp flash tools and.... HMU if interested, or just scour hovatek
JhinCuatro said:
I figured a way to install magisk, no custom recovery required, no firmware required. Just the tablet, sp flash tools and.... HMU if interested, or just scour hovatek
Please share it here. I’m not the only one looking for an answer and others could benefit from such a hack on this abandoned tablet.
mentaluproar said:
Please share it here. I’m not the only one looking for an answer and others could benefit from such a hack on this abandoned tablet.
I'll share the relevant guides that has helped me.
If you want me, or a personalized "guide" for your process, I'll be okay with that, unless you wanna totally geek out.
(There are multiple guides, depending on what you encounter, and to use some aspects of the tools)
I can already tell you that this can be a 1-3 hour process to learn and perform, and that the guides will not 100% represent all that you need to do, but 90%.
Note that you just need Wwr_MTK tool, the template for it, SP Flash TOOL and the vcdrom drivers the guide links to! Oh and, an account. That's needed to download files from hovatek.
https://forum.hovatek.com/thread-21970.html
https://forum.hovatek.com/thread-22701.html (if, in following the first guide, you encounter "DRAM FLIP TEST")
https://forum.hovatek.com/thread-526.html (skip to steps 7-21; the first guide redirects here on how to use readback. Mediatek tools no longer work, which is why you should mostly ignore that thread.)
With this, you can eventually get the boot.img of your tablet, which should then be patched with the magisk app (doesn't matter where, just get the patched boot.img), then you can use SP flash tool to flash the boot.img and get root! This can also be used to help build your own custom rom, kernel, and even recovery, with a semi automatic process.
DL8006 TWRP/Magisk
endleesss said:
I'm also looking for TWRP for DL8006. Unlocking the bootloader was easy.
I have a DL8006 and I rooted it with Magisk and added a TWRP port. Need these?
Dl8006 twrp
osirisale786 said:
I have a DL8006 and I rooted it with Magisk and added a TWRP port. Need these?
Can you please share more info? I have been struggling with one myself
osirisale786 said:
I have a DL8006 and I rooted it with Magisk and added a TWRP port. Need these?
interested as well Have one of these sitting around gathering dust...
osirisale786 said:
DL8006 TWRP/Magisk
I have a DL8006 and I rooted it with Magisk and added a TWRP port. Need these?
This is an older thread, but we're talking about an older device. Do you still have these files?
Hi Everyone,
Living in Japan, we have no official channel to purchase a OnePlus handset here.
Really wanted to get a OnePlus 7 Pro as I felt it is the best model on the market as of today.
Knowing that, I got mine on Amazon Japan from a HK online shop which had very good reputation.
Now, the problem is these phones always come already opened as they say they need to confirm operation before sending it.
I have been reading news and articles about this where we see more third party companies flash their roms with malware/ransomware already built in...
In this situation, the best way to clean the phone is to do a full re-install of the OS.
I did review a bunch of articles on XDA and it seems that now, due to the A/B partition setup, we can't just use the official OnePlus image to load from fastboot easily.
We have to rely on community-provided tools and stock rom to be able to do so....
When I raised the question to OnePlus and the OnePlus forums, they mentioned to me that installing the update like here (Page: support.oneplus.com/app/answers/detail/a_id/4312/~/oxygen-os-for-oneplus-7-pro) would do the trick using the local update function.
What I was directed to do is use the recovery boot to delete system settings/cache and everything data user and then, run the local update. Doing so, that would do it while not using community tools.
Here are my questions and which I would hope to get your experience:
1. Does the process I did really use a brand new clean OS and not rely on/integrate part of the OS that came with the handset originally (that was the target)?
2. Is there a way for me, using only OnePlus-provided tools and images, to fully delete the phone and install the OS (maybe I am thinking about this too much like a PC, which I have more experience with...)?
3. The OS looks fine and no strange apps show up at all, but how can I be sure nothing dodgy is running? Are there tools I could use to confirm this?
Sorry if I sound paranoid. Ideally, I understand the best thing to do was to buy directly from Oneplus and work a way to have it shipped to Japan but thought it would be interesting for me to learn more about android.
With previous Oneplus, it was easier as they were provided this type of official file for recovery but they stopped...
Thank you again for your time and hoping to learn more about how the new android setup works.
Is the bootloader locked? Is Widevine (Netflix HD) certification still there? You can check these things to see if the phone has been tampered with.
brissoukun said:
Hi Everyone,
When I raised the question to OnePlus and the OnePlus forums, they mentioned to me that installing the update like here (Page: support.oneplus.com/app/answers/detail/a_id/4312/~/oxygen-os-for-oneplus-7-pro) would do the trick using the local update function.
What I was directed to do is use the recovery boot to delete system settings/cache and everything data user and then, run the local update. Doing so, that would do it while not using community tools.
Here are my questions and which I would hope to get your experience:
1. Does the process I did really use a brand new clean OS and not rely on/integrate part of the OS that came with the handset originally (that was the target)?
2. Is there a way for me, using only OnePlus-provided tools and images, to fully delete the phone and install the OS (maybe I am thinking about this too much like a PC, which I have more experience with...)?
3. The OS looks fine and no strange apps show up at all, but how can I be sure nothing dodgy is running? Are there tools I could use to confirm this?
Thank you again for your time and hoping to learn more about how the new android setup works.
Good questions. Before you start, check the model number of your device through Settings > About. I'm assuming it's the international/global/unlocked version (GM1917).
With regard to question 1, a full build downloaded from the link you provided should contain every part of the OS, and flashing it through local update should overwrite anything that was there before. Before flashing, I would perform a full data wipe through recovery like you mentioned.
Q2: There is an MSM tool that will completely flash a system image for the OP7 Pro. I don't think they're generally intended for public use but they always get leaked anyways. They write an image (in the case of OnePlus, a .ops file) to the phone using a PC and USB connection. Here is a link to a thread which contains the MSM tool:
https://forum.xda-developers.com/oneplus-7-pro/how-to/guide-mega-unbrick-guide-hard-bricked-t3934659
Download the tool for the model of your phone (probably the international, firmware GM21AA), and extract its contents into a directory. In order for the tool to work, you need the OnePlus USB drivers installed on your PC. Plug the phone into your PC with it on, and enable USB file transfer. Open File Explorer and you should see a drive labeled "OnePlus drivers" or similar. Open it and run the driver setup executable file. You'll also need ADB to make your phone reboot into a mode that will allow the tool to perform its tasks. Here is a guide to installing ADB:
https://www.xda-developers.com/what-is-adb/
Once you've set that up, make sure the phone is plugged into the PC and the MSM tool is open. Make the phone boot into edl mode by typing
Code:
adb reboot edl
and once it says Connected next to a COM port in the tool, press start. Don't interrupt the process until it completes the download and the status message turns green. The phone should automatically reboot. This method is arguably more risky than using the local upgrade option, so do it at your own risk.
Q3: Make sure that OEM unlocking is turned off in developer settings and that the bootloader is locked (if the bootloader is unlocked, you'll see a yellow warning message after you power on the device from a power off state). Without an unlocked bootloader it would be pretty difficult to make any deep modifications to the device.
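An added check, not from the thread, that turns the Q3 advice above into something repeatable: the bootloader lock, verified-boot state, OEM-unlocking toggle and build type are all exposed as system properties, so they can be read with `adb shell getprop` and evaluated in one place. The two sample outputs are constructed and the fingerprint strings in them are placeholders; the real fingerprint should be compared against the build the vendor publishes.

```python
import re
import subprocess

# getprop prints one property per line as: [name]: [value]
PROP_RE = re.compile(r"^\[(?P<key>[^\]]+)\]: \[(?P<val>[^\]]*)\]$")


def parse_getprop(text: str) -> dict:
    props = {}
    for line in text.splitlines():
        m = PROP_RE.match(line.strip())
        if m:
            props[m["key"]] = m["val"]
    return props


def assess(props: dict) -> list:
    """Return (severity, message) findings; an empty list means every check passed."""
    findings = []
    state = props.get("ro.boot.verifiedbootstate", "")
    # green = locked and booting an OEM-signed image; yellow/orange/red are not.
    if state != "green":
        findings.append(("HIGH", f"verified boot state is '{state or 'unknown'}', expected 'green'"))
    # vbmeta.device_state only exists on AVB 2.0 devices, so its absence is not a finding.
    if (props.get("ro.boot.flash.locked") != "1"
            or props.get("ro.boot.vbmeta.device_state", "locked") != "locked"):
        findings.append(("HIGH", "bootloader reports unlocked"))
    if props.get("sys.oem_unlock_allowed") == "1":
        findings.append(("MEDIUM", "OEM unlocking is enabled in developer options"))
    if props.get("ro.build.type") != "user" or "release-keys" not in props.get("ro.build.tags", ""):
        findings.append(("HIGH", "not a production (user / release-keys) build"))
    if props.get("ro.debuggable") == "1":
        findings.append(("HIGH", "ro.debuggable=1, this is a debug build"))
    return findings


def live_props() -> dict:
    """Read the properties from a connected device (needs adb on PATH)."""
    out = subprocess.run(["adb", "shell", "getprop"], capture_output=True, text=True, check=True).stdout
    return parse_getprop(out)


# Constructed getprop excerpts: a clean locked device and a re-flashed, unlocked one.
SAMPLE_CLEAN = """\
[ro.boot.flash.locked]: [1]
[ro.boot.verifiedbootstate]: [green]
[ro.boot.vbmeta.device_state]: [locked]
[ro.build.fingerprint]: [OnePlus/OnePlus7Pro/OnePlus7Pro:9/CONSTRUCTED-BUILD/1:user/release-keys]
[ro.build.tags]: [release-keys]
[ro.build.type]: [user]
[ro.debuggable]: [0]
[sys.oem_unlock_allowed]: [0]
"""
SAMPLE_TAMPERED = """\
[ro.boot.flash.locked]: [0]
[ro.boot.verifiedbootstate]: [orange]
[ro.boot.vbmeta.device_state]: [unlocked]
[ro.build.fingerprint]: [OnePlus/OnePlus7Pro/OnePlus7Pro:9/CONSTRUCTED-BUILD/1:userdebug/test-keys]
[ro.build.tags]: [test-keys]
[ro.build.type]: [userdebug]
[ro.debuggable]: [1]
[sys.oem_unlock_allowed]: [1]
"""

if __name__ == "__main__":
    props = live_props()
    print("fingerprint:", props.get("ro.build.fingerprint", "?"))
    for sev, msg in assess(props) or [("OK", "no findings")]:
        print(f"{sev}: {msg}")
```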
Hi @Zocker1304 and @TManchu,
Please let me thank you very much first for your kind and detailed reply, this is really welcome.
@Zocker1304:
I checked using the ADB/Fastboot connection that indeed, the Bootloader is locked so, that looks good.
Also installed (using a separate Google account) DRM Info app to confirm that the Widevine is properly installed and at L1 level which indeed again, looks good.
@TManchu
Thank you again for your very detailed reply! This was exactly what I needed as information.
I did already exactly as mentioned for the #1 so, it looks I should be good now with a proper rom from OnePlus (and did a full wipe in the Recovery boot mode)
For #2, I think I will skip that since as you rightly said, with #1, it should be fine so, prefer to keep with the recommended step.
For #3, we are covering what Zocker1304 mentioned too and I could confirm it.
My only concern about #3 was that you can actually relock the bootloader but (and please correct me If I am wrong), you can only do so if you are using stock OnePlus images (to date...seems like dev teams are working to have this changed? Bootloader locked with custom firmware?) which then means the image is safe.
I suppose the last item was my only open query for your thoughts but so far, the handset looks fine.
Thanks to you and the community, I have learned about the A/B partition scheme, msm tool, Fastboot/Recovery mode and Bootloader and ADB tools.
It is always good to learn more about the tech we use (especially phones; we have so much sensitive information stored in them today).
Not being careful could potentially mean quite a lot of trouble down the road with ransomware/data leak tools.
Of course again, I could have simply purchased a JP phone from a brick and mortar shop next to my place and be fine with it. :silly:
brissoukun said:
.
For #3, we are covering what Zocker1304 mentioned too and I could confirm it.
My only concern about #3 was that you can actually relock the bootloader but (and please correct me If I am wrong), you can only do so if you are using stock OnePlus images (to date...seems like dev teams are working to have this changed? Bootloader locked with custom firmware?) which then means the image is safe.
I suppose the last item was my only open query for your thoughts but so far, the handset looks fine.
Thanks to you and the community, I have learned about the A/B partition scheme, msm tool, Fastboot/Recovery mode and Bootloader and ADB tools.
It is always good to learn more about the tech we use (especially phones; we have so much sensitive information stored in them today).
Not being careful could potentially mean quite a lot of trouble down the road with ransomware/data leak tools.
Of course again, I could have simply purchased a JP phone from a brick and mortar shop next to my place and be fine with it. :silly:
No problem! I’ve just done some reading and from what I understand, re-locking the bootloader on anything other than a completely stock ROM will result in a bricked phone. I believe this is due to the way Android handles data encryption. If what you’ve heard is true, being able to lock your bootloader on a custom ROM would be great for device security. However, should something go wrong with the ROM having a locked bootloader might make it more difficult to fix.
I know that there are ways to sign system and boot images so that you can lock the bootloader with them installed, but I think that would still show a warning though I'm not sure.
Anyways, if all the build dates and numbers in the system info are correct, the firmware should be stock and as long as the bootloader is locked too, I don't believe you can tamper with that.
Hi Gents,
Thank you very much for the answer to the thread and much appreciated.
Apologies for not getting back to you all earlier as yesterday was family day...haha!
Well, since things looked good on the OS and the build, I went ahead and started to use the phone properly setting up my accounts. It did give me some incentive to get all my sensitive accounts setup with 2FA so that in case I get hacked with my passwords in the future...they would still need the 2fa (using Google Authenticator).
I did check also all system apps/running process and didn't see anything shady.
Just for reference, here were the type of articles I was referring to for the OS being plagued with malware even out of the box:
Page_theverge.com/2019/6/6/18655755/google-android-malware-triada-ota-rom-ads-spam-oem (sorry gents, new account, cannot put links yet)
However here, it seems it is due to lax review from the maker to third party tools which were including malware...
To have the same level on the oneplus I bought from the HK shop, they would have needed access to OnePlus Dev team to inject the malware in official image (knowing anyway I have re-installed a new image from the local update).
Otherwise, I was reading on the web about relocking the bootloader with a custom ROM and there seem to be a lot of messages but no concrete steps. It seems it depends a lot on phone model and brand.
When you are checking
Page_gizmochina.com/2019/06/10/relock-bootloader-oneplus-7-pro/
This is where you can read at the end:
"The above method only works if OnePlus 7 Pro is running on stock recovery and stock firmware. The ability to relock devices running custom recovery is expected in the next few weeks. "
That was published last month so, not sure if they got this to work on the OnePlus 7 pro yet.
So that's it, I am now using my new device which looks to work great and hopefully, won't get any bugs down the road.
I appreciate you taking the time to get back to me and will continue to learn about android.:good:
Can someone explain what this project is and how it can help root Visible Midnight (Wingtech WTVIS01)?:
GitHub - twrpdtgen/android_device_wingtech_WTVIS01
Anybody?
greerdd said:
Anybody?
It looks like someone was going to start trying to build TWRP custom recovery for that device but they never did anything with it, the date is from 2021 and there hasn't been any progress and no coding has been posted/published/released. Whatever it was, it is long dead now.
If they had built a working TWRP and if the bootloader on the device were unlocked, TWRP could have been flashed onto the device, then it could have been used to root the device by flashing some form of modified file to inject root binaries to gain root on the device.
Droidriven said:
It looks like someone was going to start trying to build TWRP custom recovery for that device but they never did anything with it, the date is from 2021 and there hasn't been any progress and no coding has been posted/published/released. Whatever it was, it is long dead now.
If they had built a working TWRP and if the bootloader on the device were unlocked, TWRP could have been flashed onto the device, then it could have been used to root the device by flashing some form of modified file to inject root binaries to gain root on the device.
Thanks for the explanation.
It looks like there are a couple of binary blobs posted to this project https://github.com/twrpdtgen/androi...720.011-mp1k61v164bspP7-release-keys/prebuilt , so I thought maybe the Image.gz file does contain a prebuilt twrp image and, if so, what the state of that prebuilt image would be.
would anyone be willing to upload their super.img? I hosed mine and sadly didn't have a back-up. Finding this phone's firmware has been a hassle to say the least.
So I have an unmodified Wingtech visible midnight. If anyone can tell me how to get the .img files off of it for the purpose of sharing to this forum/ rooting/ backing up, then I'd gladly share the files with anyone that needs them.
TweakybirdsTheWord said:
So I have an unmodified Wingtech visible midnight. If anyone can tell me how to get the .img files off of it for the purpose of sharing to this forum/ rooting/ backing up, then I'd gladly share the files with anyone that needs them.
You can't pull the .img files from your device without rooting the device first.
oops...
Droidriven said:
TweakybirdsTheWord said:
So I have an unmodified Wingtech visible midnight. If anyone can tell me how to get the .img files off of it for the purpose of sharing to this forum/ rooting/ backing up, then I'd gladly share the files with anyone that needs them.
using mtkclient, power off.
hold Vol - & Vol + while plugging the usb-c in will put the phone into brom.
mtkclient link
GitHub - bkerler/mtkclient: MTK reverse engineering and flash tool
if you need any help, just hit me back in the forum or via pm.
eugene373 said:
rooting the device is stupid easy, assuming somebody has rooted to be clear.
the phone is fun to play with.
I deleted my original super.img not paying attention using windows and the backup i made on my Linux was the one i hosed sadly.
I was just responding to them asking how to pull img files from the device in order to aid in rooting/modding the device, I was pointing out the redundancy of that statement.
On one side of the coin, if the device was already rooted, pulling files to aid in rooting would be unnecessary, on the other side of the coin, if a known rooting method exists for the device, again, pulling files to aid in rooting would be unnecessary.
Droidriven said:
I was just responding to them asking how to pull img files from the device in order to aid in rooting/modding the device, I was pointing out the redundancy of that statement.
On one side of the coin, if the device was already rooted, pulling files to aid in rooting would be unnecessary, on the other side of the coin, if a known rooting method exists for the device, again, pulling files to aid in rooting would be unnecessary.
no worries, i realized that after the fact and xda forum has changed since the last time i used it.
starting a new thread, figured out a few things and also fixed my issue, as well as getting system into rw! my issues are solved and thanks for the replies!
shedding some light on this phone
GUIDE: Visible Midnight (Wingtech WTVIS01) Backup, Restore, Root, Bootloader-unlock and making partition's read-write.