Related
Various Android devices support Android Verified Boot (AVB). A part of this is more commonly known as dm-verity, which verifies system (and vendor) partition integrity. AVB can however also verify boot images, and stock firmwares generally include signed boot images. Of course this does not mean that all signed boot images are using AVB, many OEMs have their own signature verification scheme.
Note: AOSP is moving towards the use of avbtool (taken from Brillo), the following is the old way for signing boot images.
Bootloaders might or might not accept unsigned boot images, and might or might not accept boot images signed with our own keys (rather than the OEM's keys). This depends on the device, bootloader version, and bootloader unlock state.
For example, with the bootloader unlocked, the Google Pixel (and XL) devices accepted unsigned boot images up to (but not including) the May 2017 release. From the May 2017 release onwards, the boot images must be signed if flashed (booted works without), but may be signed with your own key rather than the OEM's.
Note: The situation changes when you re-lock the bootloader. I have not tested this, but documentation implies that (one of) the keys used in the current boot image must be used for future flashes until it is unlocked again.
Generating custom signing keys
The following openssl commands generate all the keys we need. Execute them line-by-line rather than copying the whole block, as you will be asked for input.
Code:
# private key
openssl genrsa -f4 -out verifiedboot.pem 2048
openssl pkcs8 -in verifiedboot.pem -topk8 -outform DER -out verifiedboot.pk8 -nocrypt
# public key
openssl req -new -x509 -sha256 -key verifiedboot.pem -out verifiedboot.x509.pem
openssl x509 -outform DER -in verifiedboot.x509.pem -out verifiedboot.x509.der
For future signings, you do not need the .pem files, and they can safely be deleted once the .pk8 and .der files are generated. In AOSP's implementation, they were never even written to disk in the first place.
Security-wise, documentation states it is advisable to use a different set of keys for each device you support; though obviously this doesn't matter much if the device is running with the bootloader in unlocked state.
Signing the boot image
Download the attached BootSignature.jar file (built from AOSP sources), and sign the boot image using the keys generated above with the following commands:
Code:
java -jar BootSignature.jar /boot boot.img verifiedboot.pk8 verifiedboot.x509.der boot_signed.img
java -jar BootSignature.jar -verify boot_signed.img
Instead of /boot, /recovery and other values may be used. Their use should be obvious.
From Android
Attached is also BootSignature_Android.jar, which is a version ProGuard-reduced against SDK 21 and then dexed. Provided /system is mounted as is usual on Android (on the Pixel (XL), TWRP mounts this differently by default!), it can be used like this:
Code:
dalvikvm -cp BootSignature_Android.jar com.android.verity.BootSignature /boot boot.img verifiedboot.pk8 verifiedboot.x509.der boot_signed.img
dalvikvm -cp BootSignature_Android.jar com.android.verity.BootSignature -verify boot_signed.img
The base command can be extended as follows to make it able to run without any precompiled files present on the device:
Code:
/system/bin/dalvikvm -Xbootclasspath:/system/framework/core-oj.jar:/system/framework/core-libart.jar:/system/framework/conscrypt.jar:/system/framework/bouncycastle.jar -Xnodex2oat -Xnoimage-dex2oat -cp BootSignature_Android.jar com.android.verity.BootSignature ...
Flashable ZIP
Attached is also VerifiedBootSigner.zip, this is a flashable ZIP for FlashFire/TWRP/etc that signs the currently flashed boot image, if it isn't signed already. You can simply flash this after installing a SuperSU version or custom boot image or whatever that doesn't sign the boot image itself already.
I've tried to make it very portable (borrowing ample script from the SuperSU ZIP, as well as its signing keys), but I have only tested it on my Pixel XL.
Note that it does depend on Android files in the system partition, so if (aside from the unsigned boot image) your system isn't functional, the ZIP may not work either.
If the boot image is already signed when you flash the ZIP, it will offer to abort or force re-sign.
If you place custom.pk8 and custom.x509.der files inside the ZIP, these keys will be used for flashing instead of SuperSU's default keys. Additionally, /tmp/avb/custom.pk8 and /tmp/avb/custom.x509.der will override any keys from the ZIP.
There is some more documentation in the update-binary file inside the ZIP as well.
Note: If you're using TWRP's manual slot selection on the Pixel (XL), you must be using TWRP-v3.1.0-RC2 or newer, or it will not work as expected.
Todo
- test what happens when the bootloader is re-locked on multiple devices supporting AVB
- test what happens when dm-verity is kept enabled on a custom/modified boot image with a different image signature than dm-verity signature
-reserved-
*finally my dream come true, btw, nice job on doing this, keep it up man*
Super great
Great write up! So I take it we can no longer distribute kernel images without first integrating them into the boot image and then signing it? That negates the whole point of being able to flash the kernel individually with fastboot!
thank God Chanifire hasnt left us entirely!!!
This gives me hope my Pixel isn't dev dead. Thank you, CF!
@Chainfire you not going to reply but still, you are responsible i have faith in Android... Development is most of the times happens because of you ....It always revolves around you ... One man army i would say. Thank you for all your works. We all owe you a lot...
Is it possible to create the signature for boot bundle with openssl alone (i.e. without this BootSignature.jar ) ?
Wasn't self-signing boot images already kind of possible?
cr2 said:
Is it possible to create the signature for boot bundle with openssl alone (i.e. without this BootSignature.jar ) ?
Click to expand...
Click to collapse
Not just with openssl, no. How the boot signature works is not properly documented, but of course you could read the source in AOSP and make your own version.
mirhl said:
Wasn't self-signing boot images already kind of possible?
Click to expand...
Click to collapse
Apart from both of these things talking about signatures, they are unrelated. However, self-signing images has been supported for quite a while on several devices, it just wasn't required. CopperheadOS - as far as I know - is the only project that has actively been using it until now.
is it possible to sign the boot image in recovery?
Hi @Chainfire ! Thank you for this great find (and for everything else what you have done for us during the last years )!!
I would like to ask one question... Do you think it would be possible to sign the boot image on the fly in recovery? For example when changing the recovery image, before flashing the boot image back?
Your instructions use "dalvikvm" on android, and I ran the command successfully under a running android system. But what about recovery ?
I would be interested in your thoughts on this
Or am I completely wrong, and images "dumped" via dd can't be signed and flashed back?
I would really appreciate if you could point me in the right direction, how it could be possible to do this. (create an executable instead of the BootSignature.jar file? leave this, because it is not possible? start a java vm under recovery? ....)
Thanks in advance!
gubacsek said:
Hi @Chainfire ! Thank you for this great find (and for everything else what you have done for us during the last years )!!
I would like to ask one question... Do you think it would be possible to sign the boot image on the fly in recovery? For example when changing the recovery image, before flashing the boot image back?
Your instructions use "dalvikvm" on android, and I ran the command successfully under a running android system. But what about recovery ?
I would be interested in your thoughts on this
Or am I completely wrong, and images "dumped" via dd can't be signed and flashed back?
I would really appreciate if you could point me in the right direction, how it could be possible to do this. (create an executable instead of the BootSignature.jar file? leave this, because it is not possible? start a java vm under recovery? ....)
Thanks in advance!
Click to expand...
Click to collapse
Yes, this is possible - I have already tested this on my PIxel XL. SuperSU ZIP will do exactly this in a future update, and @Dees_Troy is also aware of all of this, so I assume TWRP will be updated to do this sooner or later as well.
If I can find the time I'll make a ZIP that does this.
Chainfire said:
Yes, this is possible - I have already tested this on my PIxel XL. SuperSU ZIP will do exactly this in a future update, and @Dees_Troy is also aware of all of this, so I assume TWRP will be updated to do this sooner or later as well.
If I can find the time I'll make a ZIP that does this.
Click to expand...
Click to collapse
Okay! I am very curious about how you solve it... Until then, I'll experiment a bit further
Can't wait to see your result!
Thanks! And have a very nice weekend!
I have attached a flashable ZIP to the opening post. Just flash it after SuperSU / custom boot image / whatever to fix the current boot image.
gubacsek said:
Okay! I am very curious about how you solve it... Until then, I'll experiment a bit further Can't wait to see your result!
Click to expand...
Click to collapse
Chainfire said:
I have attached a flashable ZIP to the opening post. Just flash it after SuperSU / custom boot image / whatever to fix the current boot image.
Click to expand...
Click to collapse
Thank you so much, it worked beautifully on my VZW Pixel with the May update.
:good: working fine on the May update with May bootloader, FK, TWRP and SuperSU
Outstanding as usual!
Chainfire said:
I have attached a flashable ZIP to the opening post. Just flash it after SuperSU / custom boot image / whatever to fix the current boot image.
Click to expand...
Click to collapse
I almost got it I could install TWRP and root but only by signing the boot images on my laptop...
I had a few errors (mounting /system did create a /system/system mount point, and I tried to copy the dalvikvm binary to the zip ), and I wouldn't ever have thought of clearing LD_LIBRARY_PATH
Thank you very much for this solution, and your time spent on this! I learnt a lot today
Nice job!
Chainfire said:
Various Android devices support Android Verified Boot (AVB). A part of this is more commonly known as dm-verity, which verifies system (and vendor) partition integrity. AVB can however also verify boot images, and stock firmwares generally include signed boot images. Of course this does not mean that all signed boot images are using AVB, many OEMs have their own signature verification scheme.
Note: AOSP is moving towards the use of avbtool (taken from Brillo), the following is the old way for signing boot images.
Bootloaders might or might not accept unsigned boot images, and might or might not accept boot images signed with our own keys (rather than the OEM's keys). This depends on the device, bootloader version, and bootloader unlock state.
For example, with the bootloader unlocked, the Google Pixel (and XL) devices accepted unsigned boot images up to (but not including) the May 2017 release. From the May 2017 release onwards, the boot images must be signed if flashed (booted works without), but may be signed with your own key rather than the OEM's.
Note: The situation changes when you re-lock the bootloader. I have not tested this, but documentation implies that (one of) the keys used in the current boot image must be used for future flashes until it is unlocked again.
Generating custom signing keys
The following openssl commands generate all the keys we need. Execute them line-by-line rather than copying the whole block, as you will be asked for input.
For future signings, you do not need the .pem files, and they can safely be deleted once the .pk8 and .der files are generated. In AOSP's implementation, they were never even written to disk in the first place.
Security-wise, documentation states it is advisable to use a different set of keys for each device you support; though obviously this doesn't matter much if the device is running with the bootloader in unlocked state.
Signing the boot image
Download the attached BootSignature.jar file (built from AOSP sources), and sign the boot image using the keys generated above with the following commands:
Instead of /boot, /recovery and other values may be used. Their use should be obvious.
From Android
Attached is also BootSignature_Android.jar, which is a version ProGuard-reduced against SDK 21 and then dexed. Provided /system is mounted as is usual on Android (on the Pixel (XL), TWRP mounts this differently by default!), it can be used like this:
Flashable ZIP
Attached is also VerifiedBootSigner.zip, this is a flashable ZIP for FlashFire/TWRP/etc that signs the currently flashed boot image, if it isn't signed already. You can simply flash this after installing a SuperSU version or custom boot image or whatever that doesn't sign the boot image itself already.
I've tried to make it very portable (borrowing ample script from the SuperSU ZIP, as well as its signing keys), but I have only tested it on my Pixel XL.
Note that it does depend on Android files in the system partition, so if (aside from the unsigned boot image) your system isn't functional, the ZIP may not work either.
Todo
- test what happens when the bootloader is re-locked on multiple devices supporting AVB
- test what happens when dm-verity is kept enabled on a custom/modified boot image with a different image signature than dm-verity signature
Click to expand...
Click to collapse
So are Samsungs latest devices now using this. Reason I ask is because in the S8 and Tab S3 stock firmware there is a META-DATA folder in the AP firmware tar. Inside is a fota.zip containing various folders with all sorts of utilities and files, one of which is BootSignature.jar.
It seems it is required to flash the META-DATA folder with the boot.img in ODIN or it will not boot. So I'm guessing the boot.img is being signed as part of the flashing process?
ashyx said:
So are Samsungs latest devices now using this. Reason I ask is because in the S8 and Tab S3 stock firmware there is a META-DATA folder in the AP firmware tar. Inside is a fota.zip containing various folders with all sorts of utilities and files, one of which is BootSignature.jar.
It seems it is required to flash the META-DATA folder with the boot.img in ODIN or it will not boot. So I'm guessing the boot.img is being signed as part of the flashing process?
Click to expand...
Click to collapse
Possibly. Which S8 are you talking about? I thought there was already working TWRP for S8 Exynos that didn't require anything special?
Chainfire said:
Possibly. Which S8 are you talking about? I thought there was already working TWRP for S8 Exynos that didn't require anything special?
Click to expand...
Click to collapse
New S8. Qualcomm Snapdragon 835 MSM8998 bootloader locked versions.
It's got an eng kernel available, but it's a no go with your s7 script due to no adb write access.
https://forum.xda-developers.com/galaxy-s8/how-to/rd-carrier-switch-root-snapdragon-t3597473/page54
Blu G90 device shipped from factory with Android 10
as with other devices from blu they do not have a public download of there roms. So here is the stock rom pulled from the device with SP-Flash tool.
Both the shipped rom build fingerprint
Code:
ro.bootimage.build.fingerprint=BLU/G90/G0310WW:10/QP1A.190711.020/1585383273:user/release-keys
And the ota update from June fingerprint
Code:
ro.system.build.fingerprint=BLU/G90/G0310WW:10/QP1A.190711.020/1592848714:user/release-keys
are in android file host flash-able with spflash tool, if needed.
I know the first thing to have before modifying android is the method to recover from bad edits. So here they are.
Other works will be stored in this same folder.
https://www.androidfilehost.com/?w=files&flid=315927
First stock rom is Dumped to github, If you need or want specific files, without needing to download whole rom.
https://github.com/mrmazakblu/blu_g0310ww_dump
Stock kernel source:
https://github.com/mrmazakblu/Blu_G90_G0310WW_stock_kernal
Device INFO
*******Above links are pulled firmware. Below is an official firmware file, w/ verified images.********
https://www.mediafire.com/folder/ocmvgrcd73bqy/G90
**
.
Bootloader unlock is same as past devices.
1. enable develper options
2. enable OEM unlock , from inside developer options
3. Reboot to bootloader (adb reboot bootloader, or button combo)
4. fastboot flashing unlock
5. Select confirm on device
6. fastboot reboot (causes factory reset)
Flashing GSI
few more steps than Pie devices, but not too complicated.
You will need recent fastboot tools as tested these steps were done with V30.0.4
https://developer.android.com/studio/releases/platform-tools
Verified boot is enabled on device. The verity key is stored into 3 section.
vbmeta.img
vbmeta_system.img
vbmeta_vendor.img
All found in stock rom. Shared in first post.
1. Unlock bootloader. (see last post)
2. Reboot to bootloader to disable verity
Code:
fastboot --disable-verity --disable-verification flash vbmeta vbmeta.img
fastboot --disable-verity --disable-verification flash vbmeta_system vbmeta_system.img
fastboot --disable-verity --disable-verification flash vbmeta_vendor vbmeta_vendor.img
3. Reboot from bootloader to fastboot(new interface for android 10)
Code:
fastboot reboot fastboot
4. flash sysem from "fastbootd"
Code:
fastboot flash system **gsi-system.img**
Use 64 bit AB GSI
5. Wipe data so the new system will work
Code:
fastboot -w
ROOT::
Not yet confirmed yet. Magisk patched_boot has not provided root as of yet.
Currently looking into pre-rooting the system.img, but not success yet.
TWRP;;
https://forum.xda-developers.com/android/development/twrp-twrp-3-4-0-0-blu-g90-g0310ww-t4163497
.
I have been able to edit the stock /system and flash it back to phone.
--I have added adaway host file
--Removed the SIMO app
-- Removed the IGNITE adware app (dti.blu)
--Removed The Verizon Remote SIM lock app
--Removed Blu-Privacy app
--Removed Opera browser app
--Deodexed Rom (rom would not boot past splash screen without this)
Uploaded edited sysem.img to device folder listed in OP.
Flash with same instructions as How to flash GSI
--Attempting to add SU binary makes rom fail to boot. So still no stock rooted.
Maybe soon.
/
Blu released kernel source today. 8-27. The tar.hz is dated April, eh, whatever.
I added the source files to the wip twrp tree, it compiles without error. (Not my normal experience , on first time out with Blu kernel).
But as mentioned before, the twrp will not pack the image correctly. Because of the need for new dtb commands that twrp 9.0 build environment does not accept.
And when building in the twrp 10.0-wip tree, the results have not booted for me yet. (I'm on build attempt 12, or so)
I'm rambling, sorry.
When I repack the twrp using the built kernel, twrp has only blank screen, and adb is active. So kernel is slightly off.
Build did not output separate dtb or dtbo.
Well I confirmed it, the screen on this phone is not the one the kernel is building for.
I compared the defconfig from source, the one that matches the name in build prop, to the one I pulled from /proc. And they are different, and the kernel errors out during build when using right defconfig. So, waiting again for Blu to provide the files.
There does not appear to be any interest in this phone, other than my own.
Well maybe it will catch on
It's been advertised on many mm ore locations than the average BLU phone.
Amazon
Ebay
Walmart
Newegg
Best buy
B&H photo
Time will tell.
mrmazak said:
Well I confirmed it, the screen on this phone is not the one the kernel is building for.
I compared the defconfig from source, the one that matches the name in build prop, to the one I pulled from /proc. And they are different, and the kernel errors out during build when using right defconfig. So, waiting again for Blu to provide the files.
Click to expand...
Click to collapse
Any luck with Blu providing the correct kernel files?
Ivisibl3 said:
Any luck with Blu providing the correct kernel files?
Click to expand...
Click to collapse
Not yet. They acknowledged my email, but as yet have not updated there posted source.
Root is half way achieved.
Factory rom was found. It included a boot-debug.img
When this image is used in boot partition, adb root is allowed.
It is only limited root. Example: blockdev command , used to allow remount / to rw, is not permitted. Bit is start.
Factory flashtool rom shared on Blu developers mediafire page.
Will add link to debug-boot.img soon
added to device folder listed in OP
google information on debug-boot.img
https://source.android.com/compatibility/vts/vts-on-gsi
if you have the stock boot.img, and magisk manager, why cant you patch the boot.img and then disable dm-verity by flashing vbmeta.img/vbmeta_system.img/vbmeta_vendor.img and then flash the boot.img via sp flash tool to give you root access?
aryanhington said:
if you have the stock boot.img, and magisk manager, why cant you patch the boot.img and then disable dm-verity by flashing vbmeta.img/vbmeta_system.img/vbmeta_vendor.img and then flash the boot.img via sp flash tool to give you root access?
Click to expand...
Click to collapse
because magisk init is not starting on a patched image. have no sign on magisk in the any of the logs.
the issue is posted on magisk github issue tracker. no solution as of yet.
mrmazak said:
because magisk init is not starting on a patched image. have no sign on magisk in the any of the logs.
the issue is posted on magisk github issue tracker. no solution as of yet.
Click to expand...
Click to collapse
why this that occurring, because for umidigi devices on android 10 work fine https://community.umidigi.com/forum.php?mod=viewthread&tid=19114 and they also use a mediatek chipset?
aryanhington said:
why this that occurring, because for umidigi devices on android 10 work fine https://community.umidigi.com/forum.php?mod=viewthread&tid=19114 and they also use a mediatek chipset?
Click to expand...
Click to collapse
different brand, so built differant. just like ther are redmi (xiamoi) devices with mtk, but fastboot unlock doe not work, it needs redmi app to unlock. and flash tool not work on all devices with MTK, like amazon fire device , they have mtk and do not work with fastboot unlock, or spflash.
mrmazak said:
I have been able to edit the stock /system and flash it back to phone.
--I have added adaway host file
--Removed the SIMO app
-- Removed the IGNITE adware app (dti.blu)
--Removed The Verizon Remote SIM lock app
--Removed Blu-Privacy app
--Removed Opera browser app
--Deodexed Rom (rom would not boot past splash screen without this)
Uploaded edited sysem.img to device folder listed in OP.
Flash with same instructions as How to flash GSI
--Attempting to add SU binary makes rom fail to boot. So still no stock rooted.
Maybe soon.
/
Click to expand...
Click to collapse
which steps did you take to modify the stock /system?
aryanhington said:
which steps did you take to modify the stock /system?
Click to expand...
Click to collapse
used superr script to unpack stock super.img and continued to extract system.img
manually went through the extracted system/system/app folder and deleated the aps I did not want (adware// bloate)
used the rom tools option / deodex
then repacked the system.img
aryanhington said:
why this that occurring, because for umidigi devices on android 10 work fine https://community.umidigi.com/forum.php?mod=viewthread&tid=19114 and they also use a mediatek chipset?
Click to expand...
Click to collapse
This is not entirely true.
Many Umidigi phones have been upgraded from 9 to 10. So the partitions would be very similar and considerably easy to root.
But for new phones coming with 10 the story changes. Read the last pages of your link's article. In addition, I know why and effect on Umidigi Power 3 still has limitations on root.
So this BLU G90 is not very different and depends on a lot of experimentation and tests. I believe that the OP is doing a great job mainly taking everything to github and trying to compile the kernel and firmware.
DragonPitbull said:
This is not entirely true.
Many Umidigi phones have been upgraded from 9 to 10. So the partitions would be very similar and considerably easy to root.
But for new phones coming with 10 the story changes. Read the last pages of your link's article. In addition, I know why and effect on Umidigi Power 3 still has limitations on root.
So this BLU G90 is not very different and depends on a lot of experimentation and tests. I believe that the OP is doing a great job mainly taking everything to github and trying to compile the kernel and firmware.
Click to expand...
Click to collapse
can you elaborate what you mean by this?
repacksuper
===========
Copyleft uluruman 2021-2022
(for LINUX/WSL only)
This is the minimalistic set of tools + a script for Linux for the automated
ground-up repacking and flashing of the Samsung Galaxy super.img, replacing
the stock Android system with something much less intrusive and obtrusive
(e.g. LineageOS). Or just some other GSI (Generic System Image).
Additional included scripts (since v1.1) simplify flashing of stock firmware or
separate image files under Linux using Heimdall.
Theoretically should work for any Samsung A-series phones, and may be even for
some others. Tested on SM-A127F/DSN made in India and Vietnam and SM-A325F/DS
made in India, on Debian Linux 11 x64. There are reports of successful flashing
of SM-A127M, SM-A032M and SM-A226B.
Why this method?
----------------
Repacking of super.img is the only method which allows changing of the phone's
operating system without screwing up the Verified Boot (VB) protection
mechanism. Keeping the VB allows you to be sure that everything besides the
platform was indeed compiled by Samsung and wasn't tampered with, no matter from
where you downloaded your stock firmware.
The other reason is that although there are alternative methods of changing the
OS, for phones with dynamic partitioning and no working version of TWRP
available they may be even more complicated than repacking of super.img
externally by this script.
Requirements
------------
Install the following tools from the official repositories of your Linux distro:
simg2img xz-utils lz4 unzip gzip jq file
Basic instructions
------------------
repacksuper.sh: main script for changing your phone's operating system
heimdall_flash_stock.sh: script for flashing stock firmware under Linux
heimdall_flash.sh: script for flashing any custom image file under Linux
Just run a script without any arguments to see help.
Extra tools used (x64 binaries and sources included)
----------------------------------------------------
GitHub - LonelyFool/lpunpack_and_lpmake: android super.img tools
android super.img tools. Contribute to LonelyFool/lpunpack_and_lpmake development by creating an account on GitHub.
github.com
GitHub - amo13/Heimdall: Heimdall is a cross-platform open-source tool suite used to flash firmware (aka ROMs) onto Samsung Galaxy devices. This is a fork of the original repository with a few crucial pull requests merged.
Heimdall is a cross-platform open-source tool suite used to flash firmware (aka ROMs) onto Samsung Galaxy devices. This is a fork of the original repository with a few crucial pull requests merged....
github.com
Additional notes
----------------
The included binaries for the lpunpack, lpmake and Heimdall were compiled for
the x86_64 architecture. If your PC architecture is different (e.g. x86 32-bit
or ARM) you have to compile these tools yourself. The full source code is
included (or otherwise available on GitHub).
Spoiler: Changelog
0.9: Initial release
0.91: Non-sparse new system is now correctly moved into the super dir
0.91a: Bug in the new system file format checking fixed
0.91b: Better support for spaces in paths
0.92: Added checking for system requirements and an optional parameter for
setting of the final tar archive name.
0.92a: Fixed file ownership issues inside the tar distribution archive
0.93: Added support for SM-A325F. Several minor improvements.
0.94: Added support for gzip-packed GSI images. Packing into .tar is now done
without question if the command line parameter is given. Tar parameter
now can include the full path. Without the full path the default tar
location is now the same as the GSI. Several other minor changes.
1.0: Finally added working native Linux flashing using Heimdall (HUGE thanks
to amo13 and Benjamin Dobell). Two new options: using empty product.img
and silent (non-interactive) mode. Colored text. Bugfixes and minor
changes.
1.01: Option to specify the SUPER partition name manually (needed for flashing
SM-A127F with Heimdall). Now it is possible to place output .img and .tar
files in any directory and give them any name. Text terminology a bit
clarified, help text expanded. Done many internal optimizations,
additional sanity checks and minor changes.
1.02: Support for SM-A032F/M and similar firmwares with non-packed super.img.
Support for firmwares with/without additional partitions. Support for
arbitrary partition group names. Very experimental option to use empty
system_ext.img for additional privacy (applicable to some phone models/
regions). Lots of minor fixes.
1.03: Multiple .img files are now supported in GSI archive files (one of them
should be system.img in that case), e.g. Android AOSP zip files are now
supported directly. The logic of flashing with Heimdall now includes more
complex cases, such as flashing in two steps with a reboot. Unnecessary
code in GZ unpacking removed. Some other small fixes and optimizations.
1.1: New scripts heimdall_flash_stock.sh and heimdall_flash.sh added.
Lots of refactoring in repacksuper.sh (because of that there may be some
bugs left), improved and clarified UI logic, changes in where the files are
now placed (see help for details), direct work with stock Zip firmware
files, lots of minor changes.
1.11: Colored text now should be correctly displayed in almost any shell that
supports it except if it's explicitly disabled with NO_COLOR.
1.11.1: heimdall_flash.sh now can flash Super partitions unconditionally in one
step when using both the -s parameter and manually specifying parition
name (e.g. SUPER for SM-A127F).
1.12: The heimdall_flash_stock.sh script was significantly upgraded with lots of
new features. Now it theoretically allows upgrading of stock firmware
without erasing user data, keeping the GSI and custom recovery, etc.
(although it's not that straightforward, read the help for details).
A couple of fixes in the other scripts.
1.12.1: changed unlz4 to lz4 -d, as some distros don't have the needed symlink
1.13: In repacksuper.sh support added for the Vendor DLKM and ODM DLKM
partitions, as well as the experimental -v option to add or replace Vendor
DLKM with a custom image. A couple of minor fixes.
1.14: Greatly improved logic of heimdall_flash.sh, now it's possible to specify
both or either custom partition name and custom file name, and acquiring
PIT from device is done only when it's needed. Versioning scheme of the
scripts was unified: the script that was updated receives the updated
version number of the whole pack, the rest retain the old numbers.
1.15: up_param_tool.sh script was added: it allows altering of the boot
sequence images (logo, "not official" warning, etc.), as well as the
Recovery and Download internal graphics. Happy hacking, but please pay
attention to the warning displayed after extracting the JPEG files.
A couple of minor fixes in the other scripts.
1.15.1: Bug with failing LZ4 uncompression fixed in repacksuper.sh and
heimdall_flash_stock.sh.
1.15.2: Added the Ctrl+C trap in heimdall_flash_stock.sh, so now the temporarily
renamed files are correctly renamed back in case of flashing being
aborted with Ctrl+C. Upgraded Heimdall with the git pull requests, but
it seems those still do not cure the relatively rare issue when flashing
specific files gets completely stuck at some point.
1.15.3: The "file" tool used to identify PIT files was replaced with direct
reading of the file header as the first method proved to be unreliable.
1.15.4: Fixed a bug in heimdall_flash.sh (missing g flag in sed)
1.15.5: Fixed the compatibility issue with the older LZ4 compressors
1.15.6: Fixed compatibility issues with systems where /bin/sh is Bash, such as
ArchLinux
1.15.7: repacksuper.sh: fixed using the existing "repacksuper" dir as source,
also in this mode you can now specify "-" as new system image to reuse
everything inside the "super" subdir. New experimental -w parameter.
All scripts: the Ctrl+C trap now switched on and off the correct way.
Several other fixes.
1.15.8: Fixed using the heimdall_flash_stock dirs as source for repacksuper.sh.
A couple of other fixes.
1.15.9: heimdall_flash_stock.sh: fixed skipping of duplicate partitions (e.g.
vbmeta) for some shells; fixed upgrade-flashing of Galaxy A32 (default
behavior).
Spoiler: Known issues
During the script run you can see several "Invalid sparse file format at header
magic" warnings, just ignore them.
For some firmware files Heimdall may not work at all (freeze indefinitely or
exit with an error), in that case you have to resort to Odin. In many cases
Heimdall freezes when uploading files for some time, but that does not mean it
is completely frozen, just be patient.
In LineageOS, Dot OS and some other GSIs I tried on SM-127F the touch screen
remains not responsive for about 6 seconds after waking up. The problem is not
present at least with SM-127F/DSN phones made in India, but present at least in
those made in Vietnam. Another problem in the most, if not all, GSIs is that the
MTP USB file transfer does not work (at least on Linux) because of the "wrong"
(Samsung's instead of Google's) default MPT driver used by the kernel.
Both of the aforementioned problems can be solved by installing the fixed and
recompiled kernel.
For the last problem alternative solutions include using apps such as
Warpinator, Syncthing or ftpd.
Spoiler: Food for thought
When choosing a GSI to install I really don't recommend using ones which include
GApps and therefore use any of the Google services. Don't let corporations
gather your data. You bought the phone and from now on it should be all yours,
with all of its data, like a PC in the good old days. You own your device, and
nobody has the right to stick their nose into how you use your phone, gather any
statistics and push you any ads. You always have a choice to turn down
privacy-unfriendly stuff, the price of that "inconvenience" is actually
ridiculous. From my point of view, there is simply no point in using non-stock
systems if they are still littered with the privacy-unfriendly bloatware.
For the step-by-step guide (slightly outdated) read this and this post. Also be sure to read this post concerning the importance of optics.img. Concerning the up_param_tool.sh be sure to read this post.
The included binaries for the lpunpack, lpmake and Heimdall were compiled for the x86_64 architecture. If your PC architecture is different (e.g. x86 32-bit or ARM) you have to compile these tools yourself. The full source code is included (or otherwise available on GitHub).
Latest stable combinations of stock firmware and LineageOS (updated February 5, 2023):
SM-A127F: A127FXXU7BVI4 + LineageOS 20.0-td 20230115 arm64 bvS
SM-A325F: A325FXXU2CVK3+ LineageOS 20.0-td 20230115 arm64 bvS
Some recommendations (updated February 5, 2023):
If you are a newbie and don't know how to do unlock the bootloader and other such stuff, here is a good guide by LAST_krypton (follow the "Unlocking the booloader" section) or a shorter guide by cldkrs.
First flash the phone with the whole set of stock firmware using the heimdall_flash_stock.sh (Linux only) script with the -d parameter: the latter forces flashing the unsafe partitions, which are needed for complete re-flashing.
If you're on Windows use Odin instead. Although there is a "leaked" Linux version of Odin, it's still closed-source (of course), so I don't recommend using it on your main Linux PC. For using the Windows version of Odin on Linux you have to either use Windows in QEMU (tested and works) or probably Wine (untested). When using QEMU remember to add the SUBSYSTEM=="usb", ATTRS{idVendor}=="04e8", ATTRS{idProduct}=="685d", MODE:="0666" line to the udev rules (e.g. /etc/udev/rules.d/30-qemu.rules) to enable the write access to the phone.
Sometimes Heimdall cannot flash the stock firmware and gets stuck at some particular file. Although you can successfully flash such a firmware using Odin, I recommend to better to find another firmware, may be one release older, because that may indicate some sort of incompatibility with your particular version of the phone.
The stock firmware comes in different revision numbers (also known as the baseband version), which are upgraded about once a year. Generally it should be beneficial to use the latest revision, but note that once you have upgraded it to a later revision there is no way back (at least known to me). In case you want to experiment with flashing of special kernels and other flavors provided by the XDA developers, if possible, you should probably stick to the very first revision.
If you already have the bootloader unlocked (OEM unlock) then after flashing the stock firmware there is no need to set up the Android, just go straight into the download mode again and flash the repacked super.img.
When downloading LineageOS or any other GSI select the normal arm64 bvS version, not vndklite version.
After flashing the OS go into the Recovery mode (hold volume up and power when rebooting) straight away and do the Factory reset. If you cannot get into the Recovery mode be sure to connect the USB cable before trying to.
If flashing with Heimdall completely freezes at some point make sure you've downloaded and repacked the correct arm64 b or a/b GSI and not arm and not a or a-only variant. If "sw rev check fail" message appears on the screen at some point just ignore it.
You can forcefully reboot your phone at any time, even if it seems bricked, by holding the volume down and power buttons for several seconds.
To upgrade your system to the recent version of the same OS just repackage it again using the same script and flash it normally. If the phone does not boot, get into the Recovery mode and try wiping the Cache partition (all your apps and settings should remain intact).
Most probably you don't need TWRP or any other 3rd party recovery tool at all, as the stock recovery tool works fine for just the factory reset after flashing the super file.
Try to avoid using Magisk if you just want to install another OS and nothing else. It is also not needed for LineageOS bvS version as it already has the su utility integrated, you just need to install the additional Superuser app by Pierre-Hugues HUSSON from the F-Droid store (although it's very old it works just fine).
It's possible that SM-127F/DSN internally is not A12 but actually M12, at least most of the tools and kernels made for M12 work on SM-127F/DSN while those made specifically for SM-125 and even other SM-127 versions do not. Therefore you can find more relevant info and tools in the corresponding XDA thread (my script is still remains relevant though).
I should test this for a127f
Bugs fixed: v0.91 & v0.91a
Bug fixed: v0.91b
Added the "file" utility to the list of requirements, updated readme.txt.
Thanks A LOT, this works! I am finally able to run LineageOS on my phone!
For Windows 10+ users: WSL runs this script just fine with a few additional steps.
1. Install WSL 2 and any Linux distribution from Microsoft Store
2. Run the distribution to finish setup
3. Install the required packages from the post (sudo apt install for Ubuntu/Debian)
4. Shift + Right Click in the folder where you have the script, the AP and the GSI packages
5. Open Linux shell there
6. Unpack & run script as stated in its help
Voila!
Wow ! Great job! I want to try it, but i'm getting many "Invalid sparse file format at header magic" while running the script, is it OK to flah the super.tar anyway?
jadfa said:
Wow ! Great job! I want to try it, but i'm getting many "Invalid sparse file format at header magic" while running the script, is it OK to flah the super.tar anyway?
Click to expand...
Click to collapse
It is totally OK
jadfa said:
Wow ! Great job! I want to try it, but i'm getting many "Invalid sparse file format at header magic" while running the script, is it OK to flah the super.tar anyway?
Click to expand...
Click to collapse
Yes, it is fine. These are just warnings produced by lpmake, they can not be suppressed. I could only suppress all the stdout/stderr from lpmake but it's no good in case of more serious warnings.
Updated to v0.92 with a couple of minor improvements.
{
"lightbox_close": "Close",
"lightbox_next": "Next",
"lightbox_previous": "Previous",
"lightbox_error": "The requested content cannot be loaded. Please try again later.",
"lightbox_start_slideshow": "Start slideshow",
"lightbox_stop_slideshow": "Stop slideshow",
"lightbox_full_screen": "Full screen",
"lightbox_thumbnails": "Thumbnails",
"lightbox_download": "Download",
"lightbox_share": "Share",
"lightbox_zoom": "Zoom",
"lightbox_new_window": "New window",
"lightbox_toggle_sidebar": "Toggle sidebar"
}
What should I do next with the raw file?
"Unknown super file format" is this how it should be?
ANDARXapi said:
View attachment 5490897What should I do next with the raw file?
"Unknown super file format" is this how it should be?
Click to expand...
Click to collapse
Of course not. The format of each file is checked using the "file" utility, it should return the string "Android super image". Try to run file /home/toor/APfilles/super.stock.raw . What is the response? And try doing it all without sudo. There is no need in root privileges.
uluruman said:
Of course not. The format of each file is checked using the "file" utility, it should return the string "Android super image". Try to run file /home/toor/APfilles/super.stock.raw . What is the response? And try doing it all without sudo. There is no need in root privileges.
Click to expand...
Click to collapse
The raw file opens as a picture
uluruman said:
Of course not. The format of each file is checked using the "file" utility, it should return the string "Android super image". Try to run file /home/toor/APfilles/super.stock.raw . What is the response? And try doing it all without sudo. There is no need in root privileges.
Click to expand...
Click to collapse
run without sudo: 168: ./lpunpack_and_lpmake/lpunpack: Permission denied Cannot correctly unpack the super file. Exiting ...
I managed to fix the script, you just need to give chmod +x rights to the files in the folder "lpunpack_and_lpmake": lpunpack, lpmake, lpflash, lpdump, lpadd
ANDARXapi said:
I managed to fix the script, you just need to give chmod +x rights to the files in the folder "lpunpack_and_lpmake": lpunpack, lpmake, lpflash, lpdump, lpadd
Click to expand...
Click to collapse
Hmmm. I have updated it, may be it'll help. Could you please test the latest version (v0.92a)? I want to work it out of the box for everyone, without sudo or any tweaks.
uluruman said:
Hmmm. I have updated it, may be it'll help. Could you please test the latest version (v0.92a)? I want to work it out of the box for everyone, without sudo or any tweaks.
Click to expand...
Click to collapse
Okay, I'll test it tomorrow, today I want to relax at the computer all day
uluruman said:
Hmmm. I have updated it, may be it'll help. Could you please test the latest version (v0.92a)? I want to work it out of the box for everyone, without sudo or any tweaks.
Click to expand...
Click to collapse
Checked, it works right away
Is there a way to install magisk and root?
This is the Android 10 recovery image by HCT (version 10.3.1) patched to skip signature checking on .zip files
Tested on MTCE_LM (Eunavi). Use at your own risk
It can be flashed from a root shell (either adb or via terminal emulator) by performing the following steps
1. upload recovery via adb
Code:
adb push hct_recovery_patched.img /sdcard/
2. flash recovery
Code:
# backup current recovery
dd if=/dev/block/by-name/recovery of=/sdcard/recovery_backup.img
# write new recovery
dd if=/sdcard/hct_recovery_patched.img of=/dev/block/by-name/recovery
NOTE: If you do not disable the "flash_recovery" service in /init.rc, AND you have a stock kernel, recovery will be restored to the original version after rebooting.
There are 3 ways to avoid this:
- Flash magisk (or a modified kernel) while in recovery. The patch will then fail to apply and recovery won't be overwritten
- Disable "flash_recovery" by doing "adb remount" and editing /init.rc (comment out the following)
Code:
service flash_recovery /system/bin/install-recovery.sh
class main
oneshot
- Neuter the service by either:
- removing /system/bin/install-recovery.sh- replacing /system/bin/install-recovery.sh with a dummy script- removing /system/recovery-from-boot.p
Woo-hoo, after hundreds of rubbish posts in the MTCD forums, we have a real development post!
Great work and thanks for sharing this, these forums need more like you.
Thanks for the kind comment!
I have to admit that it was frustrating to see the lack of information sharing on this forum, and the pervasive pay-per-use model.
I spent a lot of time just getting Android 10 installed (starting from Android 9), and i had to bring the head unit to my desk as working in the car was rather hard and all i achieved was a brick.
I unfortunately had to bring it back in the car now (can't sit on my desk forever) but, now that i figured out how to make bootable recoveries, i was wondering how hard it could be to have TWRP or at least a hassle-free recovery to install Android 10 from Android 9.
As a first step, this recovery makes it possible to install Magisk or other zip files without doing it manually within adb.
Cheers!
Your work is really good!
Thanks a lot for it.
Now you can also modify ROM's without signatur errors when installing.
Wouldn't it be good if we had an app like the ModInstaller ?
So a one click installation of the recovery without shell or adb.
I have now built an app.
And now need help.
Namely, in the app is the recovery and the script.
Unfortunately, the flash process is not started.
It always comes only the first message from the script.
The app is open source and the script and the recovery are in res/raw.
In the attach you will find the finished app and pictures.
If someone has a solution, he can write me or make a pull request on Github.
Source code:
GitHub - jamal2362/RK33XX-Custom-Recovery-Installer: Application for flashing custom recovery on Rockchip Android Head-Units.
Application for flashing custom recovery on Rockchip Android Head-Units. - GitHub - jamal2362/RK33XX-Custom-Recovery-Installer: Application for flashing custom recovery on Rockchip Android Head-Units.
github.com
The script:
RK33XX-Custom-Recovery-Installer/script at master · jamal2362/RK33XX-Custom-Recovery-Installer
Application for flashing custom recovery on Rockchip Android Head-Units. - RK33XX-Custom-Recovery-Installer/script at master · jamal2362/RK33XX-Custom-Recovery-Installer
github.com
First of all, congrats for the work!
DISCLAIMER:
I don't own ModInstaller, i have never bought a copy of it and i don't intend to do so.
Analysis is purely done from Youtube videos, open source code analysis and existing and openly available binary images.
I was working to figure out how to make a FLOSS alternative to ModInstaller.
The issues i found in all my attempts are the following:
- A6 recovery is the only one that can boot from SD Card (which can then be used to flash A9 -> A10 with the 2SD trick)
- (it took me a long time to pull these information together and unbrick my unit)- The A6 recovery is unable to directly flash A10 RKAF/RKFW images (sdupdate.img) due to the code being too old
- a failure will be observed while writing super.img. This happens because the device needs to be repartitioned, and the A6 recovery is not doing it correctly- A9 recovery is buggy. Booting it with no system installed will result in a black screen.
- it will only boot succesfully after being written by the A6 flash tool, which writes the "misc" partition with the recovery commands to run (the "hint" i get from this is that the misc partition is important)- A10 recovery can't be loaded by the A6 recovery. I always got a black screen after flash. Is it a flash issue? is it an issue with the recovery itself? hard to know
Theory: maybe the recovery could be written over the kernel partition? ("boot")
This way, the recovery will always run after being flashed instead of requiring an explicit "enter recovery" trigger (buttons, misc partition, etc.)
Besides these experiments, in parallel, i did some bug fixing to this repository: https://github.com/liftoff-sr/rockchip-tool/commits/master (i'm "smx-smx")
That allows me to unpack nad repack "sdupdate.img" , "reduced recovery images" and "full IMG files".
With those tools. i tried to swap "recovery.img" in the A6 image, but i always got the black screen upon booting from SD.
Either A9/A10 breaks sdboot or the bootloader crashes before it gets there.
Since this also happens when being flashed, this could either be a bug in the flashing program or a bug in the boot stack (which fails to run recovery perhaps due to a dirty state of the internal flash). It's hard to know for sure without having a UART connection with the board.
BUT, we have an alternative, in the form of the recovery built-in ISP flash tool.
This is the code that reads "sdupdate.img" from the SD Card and flashes it
After reading the recovery source code, i realised that this code can only be triggered correctly when booting from the SD card.
It detects this state by reading /proc/cmdline and probing for specific values (https://github.com/rockchip-android...6f72b7d3123dab27135ac41d55029/sdboot.cpp#L206)
This means the bootloader can (and will) pass those arguments under specific conditions (https://github.com/rockchip-linux/u...c873f178c/arch/arm/mach-rockchip/board.c#L358)
If you check here https://github.com/rockchip-linux/u...3f178c/arch/arm/mach-rockchip/boot_mode.c#L47 you can see the magic word that needs to be written to the "misc" partition in order to trigger that code.
Note that, besides the well known "sdboot", "usbboot" is also possible.
I'm not sure if the ROM can physically boot from USB, but the bootloader and recovery do support (according to code) passing the flag to enable flashing from USB.
So, recapping, there are these ways we can try:
a - try to overwrite "boot" with "recovery" (but it might not work due to the partitioning layout, e.g. jumping from A6 -> A10)
- note: uboot might also need to be written when doing this.
b - making a modified "sdupdate.img" that flashes recovery on top of boot, and all the other core partitions like "misc", "uboot", "trust", "vbmeta"
c - writing "misc" from android in order to triggers the "rkfwupdate" mode
d - taking a dump of the first portion of the flash in various states (A6, A8, A9, A10), and having a "dd" that writes it back to the beginning of the flash (i suspect this is how ModInstaller does it)
Considering cases "b" and "c" depend on a recovery that can write them correctly (and the A6 one is buggy), this leaves us with "a" and "d"
Considering that ModInstaller does it in one shot, and doesn't seem to matter about the partitioning layout, i believe "d" might be the most viable option...
Using the "rockchip-tool" repository i linked from github, the partition table can be dumped from any .img file
You can observe "Image/parameter.txt" from the extracted firmware
This is the partition table from A6's recovery:
[email protected](uboot)
[email protected](trust)
[email protected](misc)
[email protected](resource)
[email protected](kernel)
[email protected](dtb)
[email protected](dtbo)
[email protected](vbmeta)
[email protected](boot)
[email protected](recovery)
[email protected](backup)
[email protected](security)
[email protected](cache)
[email protected](system)
[email protected](metadata)
[email protected](vendor)
[email protected](oem)
[email protected](frp)
[email protected](userdata)
And this is the partition table from A9's recovery
[email protected](uboot)
[email protected](trust)
[email protected](misc)
[email protected](resource)
[email protected](kernel)
[email protected](dtb)
[email protected](dtbo)
[email protected](vbmeta)
[email protected](boot)
[email protected](recovery)
[email protected](backup)
[email protected](security)
[email protected](cache)
[email protected](system)
[email protected](metadata)
[email protected](vendor)
[email protected](oem)
[email protected](frp)
[email protected](userdata)
Notice how uboot, trust, misc, resource, kernel, dtb, and others live in the same space. (2000, 4000, 6000, 8000, 10000, ...)
What we could do is create a raw blob that spans that address range, and "dd" it directly to /dev/mmcblk0 at the right offset.
So i would focus on converting recovery images to raw blobs, with recovery-as-kernel so it boots straight away on the first try.
Bump a real thread.
Is it possible to convert it to a file installed by SDDiskTool?
marchnz said:
Bump a real thread.
Click to expand...
Click to collapse
I created a flashing tool to flash recovery within Android, using Rockchip's own code: https://forum.xda-developers.com/t/...chip-firmware-flash-tool-for-android.4458299/
blala said:
I created a flashing tool to flash recovery within Android, using Rockchip's own code: https://forum.xda-developers.com/t/...chip-firmware-flash-tool-for-android.4458299/
Click to expand...
Click to collapse
This file hct_recovery.patched.img does not appear to be installed via rkupdate
sadaghiani said:
Is it possible to convert it to a file installed by SDDiskTool?
Click to expand...
Click to collapse
It needs to be converted, yes
I'll take a look this afternoon
blala said:
It needs to be converted, yes
I'll take a look this afternoon
Click to expand...
Click to collapse
Is it possible to create a boot image that includes moded recovery & magisk and moded kernel ?
If by image you mean firmware image then yes, it can be done with https://github.com/liftoff-sr/rockchip-tool
But what i would recommend is the modded recovery only, with the magisk .zip to use in Recovery
Otherwise you risk flashing a kernel that doesn't match with kernel modules or is otherwise not fully compatible with the installed system
blala said:
If by image you mean firmware image then yes, it can be done with https://github.com/liftoff-sr/rockchip-tool
But what i would recommend is the modded recovery only, with the magisk .zip to use in Recovery
Otherwise you risk flashing a kernel that doesn't match with kernel modules or is otherwise not fully compatible with the installed system
Click to expand...
Click to collapse
boot.img file included recovery+magisk+kernel
Flashing a boot.img (Kernel, for example) in an Android mobile phone via adb shell
Flashing a boot.img (Kernel, for example) in an Android mobile phone via adb shell - script.sh
gist.github.com
MTCD has separate boot and recovery partitions.
Perhaps you can adapt both recovery/kernel to be in the same image but the bootloader won't know about that (and will always boot from "recovery" partition)
Here is a few boot.img files (tarred for Odin and zipped) intended to be used together with GSI systems (e.g. LineageOS) which suffer from the non-functional touchscreen after the wake-up and the non-functional MTP (USB file transfer). The boot.img files contain the recompiled stock kernel taken from Samsung Open Source with only a couple of the most necessary fixes. 99.9% unaltered, 100% open-source
All credits for the touchscreen fix go to manteiga25, he's done an amazing job on figuring this all out, still from his solution which includes additional performance tweaks I've taken the absolute bare minimum so that the problem is no longer present. Also huge thanks to Osvaldo Costa for the wonderful bootimgtool.
NOTE: If you did not yet flash any non-stock boot.img or recovery.img you may get the bootloop after flashing of any of these files (except for the orig's). That bootloop is caused by bootloader refusing to boot the VB-unsigned kernel together with the rest of the VB-signed components. The only solution (unfortunately) is the full factory reset, so you'll have to lose your user data; everything else, including the GSI will remain intact, but you'll have to set it up from scratch.
UPDATE 01/09/23: added the version based on A127FXXU7CVL2 (Android 13) version of the kernel.
UPDATE 01/11/23: added the fixed kernels for SM-A125F.
UPDATE 03/16/23: added the version based on A127FXXU5BVF3 (Android 12) version of the kernel.
Files for SM-A127F:
boot_sm-a127f-u4_fixed.zip: A127FXXU4AUK1-based kernel, Ilitek ili9881x fix, MTP fix
boot_sm-a127f-u5_fixed.zip: A127FXXU5BVF3-based (Android 12) kernel, Ilitek ili9881x fix, MTP fix
boot_sm-a127f-u7_fixed.zip: A127FXXU7CVL2-based (Android 13) kernel, Ilitek ili9881x fix, MTP fix
orig_boot_sm-a127-u4.zip: the original unaltered A127FXXU4AUK1 boot.img for undo
orig_boot_sm-a127-u5.zip: the original unaltered A127FXXU5BVF3 boot.img for undo
orig_boot_sm-a127-u7.zip: the original unaltered A127FXXU7CVL2 boot.img for undo
src_sm-a127f_fix.zip: all the altered source files
Files for SM-A125F:
boot_sm-a125f-u2_fixed_v1.zip: A125FXXU2BVB4-based kernel, Ilitek ili9881x fix, MTP fix
boot_sm-a125f-u2_fixed_v2.zip: A125FXXU2BVB4-based kernel, Ilitek ili9881x fix, Novatek nt36525 fix, MTP fix
orig_boot_sm-a125-u2.zip: the original unaltered A125FXXU2BVB3 boot.img for undo
src_sm-a127f-fix_v2.zip: all the altered source files
v1 should be easy on battery, but v2 will probably eat more because it basically disables the power saving features of the touchscreen chip (unfortunately that's the only solution at the kernel side).
If you don't trust me or if you're in desperate need of a more recent kernel, here are the steps how to rebuild it all yourself (for SM-A127F on Debian 11):
Download the kernel source from Samsung Open Source (A127FXXU3AUJ5)
Unpack SM-A127F_RR_Opensource.zip and Kernel.tar.gz inside
Unpack SM-A127F_RR_Opensource_A127FXXU4AUK1.zip into the same dir (overwriting the files)
Unpack the attached source.tar.gz, it contains only the changed files and build.sh facilitating compilation
From root: apt install clang-9 gcc-9-aarch64-linux-gnu
Remove any other versions of clang. Then cd /usr/bin; ln -s clang clang-9; ln -s clang++ clang++-9; ln -s clang-cpp clang-cpp-9
Back in the Kernel dir, run build.sh and wait for the kernel to compile
Download bootimgtool and compile it (just "make")
Download the stock firmware
Extract boot.img from AP_A127FXX[...].tar.md5 (unpack using tar, ignore the .md5) to the root dir of your Kernel
bootimgtool disassemble boot.img
cp Kernel/arch/arm64/boot/Image kernel
bootimgtool create -o boot.img
Flash boot.img as is using Heimdall or pack into .tar and flash using Odin
For SM-A125F you'll need to use the Google's patched Clang and GCC instead, and there is no way around that except for lots and lots of additional include paths for the Mediatek drivers (and even that does not guarentee that it will be compiled successfully).
uluruman said:
Here is the boot.img (tarred for Odin) intended to be used together with GSI systems (e.g. LineageOS). It contains the recompiled stock U4 kernel taken from Samsung Open Source with only a couple of the most necessary fixes, namely the freezing touchscreen and the non-functional MTP. 99.9% unaltered, 100% open-source.
All credits for the touchscreen fix go to manteiga25, he's done an amazing job on figuring this all out, still from his solution which includes additional performance tweaks I've taken the absolute bare minimum so that the problem is no longer present. Also huge thanks to Osvaldo Costa for the wonderful bootimgtool.
If you don't trust me here are the steps how to rebuild it all yourself (on Debian 11):
Download the kernel source from Samsung Open Source (A127FXXU3AUJ5)
Unpack SM-A127F_RR_Opensource.zip and Kernel.tar.gz inside
Unpack SM-A127F_RR_Opensource_A127FXXU4AUK1.zip into the same dir (overwriting the files)
Unpack the attached source.tar.gz, it contains only the changed files and build.sh facilitating compilation
From root: apt install clang-9 gcc-9-aarch64-linux-gnu
Remove any other versions of clang. Then cd /usr/bin; ln -s clang clang-9; ln -s clang++ clang++-9; ln -s clang-cpp clang-cpp-9
Back in the Kernel dir, run build.sh and wait for the kernel to compile
Download bootimgtool and compile it (just "make")
Download the stock firmware
Extract boot.img from AP_A127FXX[...].tar.md5 (unpack using tar, ignore the .md5) to the root dir of your Kernel
bootimgtool disassemble boot.img
cp Kernel/arch/arm64/boot/Image kernel
bootimgtool create -o boot.img
Flash boot.img as is using Heimdall or pack into .tar and flash using Odin
Click to expand...
Click to collapse
Amazing work. Love to see developers still working on this device. Does it work with SM-A125F?
Allehandro said:
Amazing work. Love to see developers still working on this device. Does it work with SM-A125F?
Click to expand...
Click to collapse
You can try, it may work, but most likely will bootloop. SM-A125F is based on a Mediatek SoC, SM-A127F is based on Exynos, which has a different kernel config.
uluruman said:
You can try, it may work, but most likely will bootloop. SM-A125F is based on a Mediatek SoC, SM-A127F is based on Exynos, which has a different kernel config.
Click to expand...
Click to collapse
I don't want to risk it as it is my main device and don't want to have to restore the device later on. Thanks though.
I've finally managed to compile the SM-A125F kernel (A125FXXU2BVB4 - SM-A125F_EUR_RR): somehow it turned out to be MUCH harder than that for SM-A127F, as nearly everything there is designed for only one specific toolchain, plus the non-Samsung s_mtp driver did not compile, so I had to take it from A127F's source. Anyway, I've ported the same fixes and here is the experimental boot.img. As I don't have SM-A125F I cannot test it, so I need someone to test it. Also attached is the original U2 boot.img: in case it does not work you just flash the original.
Amazing bro! Mad respect!!!!
I will soon put this baby to the test and see what's made of!!!
I can flash this using ODIN (PDA) directly over the current LOS GSI right?
Also, do you plan to include this kernel in your gsi building script so that the boot img of the gsi will be this one?
One other issue that I seemed to also have in my phone was the proximity sensor was not working e.g. when I was in call the screen would remain on....
axy_david said:
Amazing bro! Mad respect!!!!
I will soon put this baby to the test and see what's made of!!!
I can flash this using ODIN (PDA) directly over the current LOS GSI right?
Also, do you plan to include this kernel in your gsi building script so that the boot img of the gsi will be this one?
One other issue that I seemed to also have in my phone was the proximity sensor was not working e.g. when I was in call the screen would remain on....
Click to expand...
Click to collapse
Yes, flash using Odin. GSI should not be affected in any way. If anything does wrong I've also attached the original A127FXXU4AUK1 boot.img, so that you could revert the changes.
Currently I'm struggling to make the same fixed boot.img for my second phone, which is SM-A325F, and I cannot: even if I just unpack and repack back the same boot.img using any tool, including the Google's official mkbootimg, it causes the bootloop. So all of this is currently experimental.
uluruman said:
Currently I'm struggling to make the same fixed boot.img for my second phone, which is SM-A325F, and I cannot: even if I just unpack and repack back the same boot.img using any tool, including the Google's official mkbootimg, it causes the bootloop. So all of this is currently experimental.
Click to expand...
Click to collapse
This issue is sorted out: one cannot flash a custom boot.img over the signed stock one and don't do the full factory reset afterwards. Only after the factory reset the system boots with the unsigned boot partition. Interestingly enough, Download allows flashing such an image without any warnings (in contrast to flashing up_param.bin) but the system just refuses to boot.
uluruman said:
This issue is sorted out: one cannot flash a custom boot.img over the signed stock one and don't do the full factory reset afterwards. Only after the factory reset the system boots with the unsigned boot partition. Interestingly enough, Download allows flashing such an image without any warnings (in contrast to flashing up_param.bin) but the system just refuses to boot.
Click to expand...
Click to collapse
is it possible to fix the proximity sensor?
axy_david said:
is it possible to fix the proximity sensor?
Click to expand...
Click to collapse
There is no physical proximity sensor in this phone, but with the latest firmware you can normally use the Phone app. Now it normally reacts on touching the top part of the screen with your ear and blanks the screen. The screen does not blank on approaching the screen but only on touching it.
uluruman said:
Here is the boot.img (tarred for Odin) intended to be used together with GSI systems (e.g. LineageOS). It contains the recompiled stock U4 kernel taken from Samsung Open Source with only a couple of the most necessary fixes, namely the freezing touchscreen and the non-functional MTP. 99.9% unaltered, 100% open-source.
If the fixed boot.img does not work for you for some reason, I've also attached the original U4 boot (taken from the SM-A127F_NPB_A127FXXU4AUK1 firmware) so you could revert the changes.
All credits for the touchscreen fix go to manteiga25, he's done an amazing job on figuring this all out, still from his solution which includes additional performance tweaks I've taken the absolute bare minimum so that the problem is no longer present. Also huge thanks to Osvaldo Costa for the wonderful bootimgtool.
If you don't trust me or if you're in desperate need of a more recent kernel, here are the steps how to rebuild it all yourself (on Debian 11):
Download the kernel source from Samsung Open Source (A127FXXU3AUJ5)
Unpack SM-A127F_RR_Opensource.zip and Kernel.tar.gz inside
Unpack SM-A127F_RR_Opensource_A127FXXU4AUK1.zip into the same dir (overwriting the files)
Unpack the attached source.tar.gz, it contains only the changed files and build.sh facilitating compilation
From root: apt install clang-9 gcc-9-aarch64-linux-gnu
Remove any other versions of clang. Then cd /usr/bin; ln -s clang clang-9; ln -s clang++ clang++-9; ln -s clang-cpp clang-cpp-9
Back in the Kernel dir, run build.sh and wait for the kernel to compile
Download bootimgtool and compile it (just "make")
Download the stock firmware
Extract boot.img from AP_A127FXX[...].tar.md5 (unpack using tar, ignore the .md5) to the root dir of your Kernel
bootimgtool disassemble boot.img
cp Kernel/arch/arm64/boot/Image kernel
bootimgtool create -o boot.img
Flash boot.img as is using Heimdall or pack into .tar and flash using Odin
P.S.: the U5 kernel sources are suspicously segregated between RR (rest of the world), EUR, CIS and CIS-SER (Russia). It's quite interesting what are the differences?
Click to expand...
Click to collapse
Can you make one for A127F/DSN U7? (I don't have linux)
just tested on my phone latest U7 or s7???? nevertheless it bootloops
axy_david said:
just tested on my phone latest U7 or s7???? nevertheless it bootloops
Click to expand...
Click to collapse
it only works for u4 currently.
TheWorldYT said:
Can you make one for A127F/DSN U7? (I don't have linux)
Click to expand...
Click to collapse
I will, hold on.
just tested on my phone latest U7 or s7???? nevertheless it bootloops
TheWorldYT said:
it only works for u4 currently.
Click to expand...
Click to collapse
damn, and I can't downgrade, im using A127FXXS7BVK1 the latest update for europe really
axy_david said:
just tested on my phone latest U7 or s7???? nevertheless it bootloops
damn, and I can't downgrade, im using A127FXXS7BVK1
Click to expand...
Click to collapse
same thing.
also:
uluruman said:
I will, hold on.
Click to expand...
Click to collapse
axy_david said:
just tested on my phone latest U7 or s7???? nevertheless it bootloops
damn, and I can't downgrade, im using A127FXXS7BVK1 the latest update for europe really
Click to expand...
Click to collapse
uluruman said he will create one.
axy_david said:
just tested on my phone latest U7 or s7???? nevertheless it bootloops
damn, and I can't downgrade, im using A127FXXS7BVK1 the latest update for europe really
Click to expand...
Click to collapse
Done! ) See the update in the first post.
I've used the A127FXXU7CVL2 version source but it should work anyway because it's also U7-based (anyway there is no alternative - Samsung provides only that U7-based kernel). The only thing that theoretically can be needed is the factory reset: at least with my SM-A325F that was the case of the weird boot loop - the Verified Boot protection being voided (the warranty void bit being set) caused the bootloader to refuse loading the kernel.
uluruman said:
Done! ) See the update in the first post.
I've used the A127FXXU7CVL2 version source but it should work anyway because it's also U7-based (anyway there is no alternative - Samsung provides only that U7-based kernel). The only thing that theoretically can be needed is the factory reset: at least with my SM-A325F that was the case of the weird boot loop - the Verified Boot protection being voided (the warranty void bit being set) caused the bootloader to refuse loading the kernel.
Click to expand...
Click to collapse
Thank you!
uluruman said:
I've finally managed to compile the SM-A125F kernel (A125FXXU2BVB4 - SM-A125F_EUR_RR): somehow it turned out to be MUCH harder than that for SM-A127F, as nearly everything there is designed for only one specific toolchain, plus the non-Samsung s_mtp driver did not compile, so I had to take it from A127F's source. Anyway, I've ported the same fixes and here is the experimental boot.img. As I don't have SM-A125F I cannot test it, so I need someone to test it. Also attached is the original U2 boot.img: in case it does not work you just flash the original.
Click to expand...
Click to collapse
Can u make flashable zip for fix touch and mtp for a125f cause i think it dndt work after flashing only boot.img in twrp,still i found out that the baseband version is still bv5 instead of bv4 i hope you fix that bro because i want to install gsi
uluruman said:
Here is the boot.img (tarred for Odin) intended to be used together with GSI systems (e.g. LineageOS). It contains the recompiled stock U4 kernel taken from Samsung Open Source with only a couple of the most necessary fixes, namely the freezing touchscreen and the non-functional MTP. 99.9% unaltered, 100% open-source.
If the fixed boot.img does not work for you for some reason, I've also attached the original U4 boot (taken from the SM-A127F_NPB_A127FXXU4AUK1 firmware) so you could revert the changes.
All credits for the touchscreen fix go to manteiga25, he's done an amazing job on figuring this all out, still from his solution which includes additional performance tweaks I've taken the absolute bare minimum so that the problem is no longer present. Also huge thanks to Osvaldo Costa for the wonderful bootimgtool.
UPDATE 01/09/23: added the version based on A127FXXU7CVL2 (Android 13) version of the kernel.
If you don't trust me or if you're in desperate need of a more recent kernel, here are the steps how to rebuild it all yourself (on Debian 11):
Download the kernel source from Samsung Open Source (A127FXXU3AUJ5)
Unpack SM-A127F_RR_Opensource.zip and Kernel.tar.gz inside
Unpack SM-A127F_RR_Opensource_A127FXXU4AUK1.zip into the same dir (overwriting the files)
Unpack the attached source.tar.gz, it contains only the changed files and build.sh facilitating compilation
From root: apt install clang-9 gcc-9-aarch64-linux-gnu
Remove any other versions of clang. Then cd /usr/bin; ln -s clang clang-9; ln -s clang++ clang++-9; ln -s clang-cpp clang-cpp-9
Back in the Kernel dir, run build.sh and wait for the kernel to compile
Download bootimgtool and compile it (just "make")
Download the stock firmware
Extract boot.img from AP_A127FXX[...].tar.md5 (unpack using tar, ignore the .md5) to the root dir of your Kernel
bootimgtool disassemble boot.img
cp Kernel/arch/arm64/boot/Image kernel
bootimgtool create -o boot.img
Flash boot.img as is using Heimdall or pack into .tar and flash using Odin
P.S.: the U5 kernel sources are suspicously segregated between RR (rest of the world), EUR, CIS and CIS-SER (Russia). It's quite interesting what are the differences?
Click to expand...
Click to collapse
Please create working flashable zip file for twrp for a125f cause i dont have pc i cant use odin,thank you