Related
Rules:
Do not post in here unless you have something constructive to say. "Thanks", "Hey this is wonderful", and any other comments like that are not wanted. They take up space and make it more difficult to find information. I'm requesting that this thread be heavily moderated. In order to work efficiently, information density must be kept high. We are all guilty of adding in a few off-topic sentences from time-to-time, but this thread is strictly business and I expect the moderators to moderate me as well.
What is this?
This is the place where we can research and develop a method to unlock the bootloader of the Verizon Galaxy SIII. Hopefully, this will be development at its finest.
Why not just buy a developer edition
GTFO! Not a single person got started developing by buying a developer phone. They started developing because they were unhappy with the features of their device and wanted something better. They wanted something more. This developer phone is a tax on developer innovation. We do not stand for that. We will break the security and we will enable XDA-Developers to do what they do best.
Until security is broken and available for everyone, this device will get updates last, users will be unhappy because there are no additional features and Samsung violates the spirit of Open Source and copyright laws. Take a look at the bottom line of GPL-Violations.org FAQ located here: http://gpl-violations.org/faq/sourcecode-faq.html
What are the goals?
Attain a bootloader recovery - 75% JTAG (the extra 25% will be for a user-friendly method)
The Galaxy S3 is bootable from SDCard. In case of emergency this is needed. We need to verify that this works on the Verizon GS3 to bring up Odin. This will set up infrastructure for research.
Attain a full stock restoration via Odin or Heimdall - 90%
For use with Odin3.
Bootloader - BOOTLOADER_I535VRALF2_618049_REV09_user_low_ship.tar.md5 - 1.97 MB - Thanks nbsdx
PDA - SCH-I535_VZW_1_20120705143513_fti2qg2lmf.zip
NEED CSC PACKAGE (MODEM, PARAMS and Other Miscellaneous partitions). This is enough to recover a device though.
To include bootloaders and recovery to a working and stock condition with the EMMC wiped entirely. Heimdall is a work in progress for this device. This will complete the infrastructure needed for research.
Collect information
This will be the longest and most difficult part of this development. The information provided by Qualcomm is not readily available. Samsung is notoriously secretive about their bootloaders. Mainly we, as a community, will generate information. Please post any relevant datasheets, theory-of-operation, or manuals which you can find.
Provide a way to remove security checks from Odin3. 100% - insecure aboot.img which may break in the future
By removing security checks from Odin3 on the computer or the Loki daemon on the device we can flash anything through Odin or Heimdall.
Provide a way to bypass security checks within bootloaders. 200% we have two exploits, only one has been released.
This is the ultimate goal. Once we can bypass the security checks, kernels can be flashed giving us the control required to develop
Initial information
[BOOTLOADER] Locked bootloader research and news: http://forum.xda-developers.com/showthread.php?t=1756919
My own research
SBL1 is the first booting partition. Qualcomm provides the Modem partition so it comes first on the EMMC. SBL1 is the first bootloader and that is specified by Qualcomm standards. Qualcomm makes the primitive bootloader and allows their customers (Samsung) to make a Secondary bootloader. Samsung chose to use three secondary bootloaders.
The following 0p* are located in /dev/block/mmcblk*
0p1 = modem
Built by se.infra
HUDSON_GA_D2_USA-VZW-HARDKEY-PROD-USER
I take this to mean this Qualcomm modem was built in Hudson Georgia.
I was not able to find signatures on this block. This does NOT mean that there are no signatures on this block. The file is 33 megs. The file is unencrypted.
The modem uses the BLAST Kernel ver : 02.04.02.02.00 Unfortunately we need someone who speaks French(???) to understand how this works http://blast.darkphpbb.com/faq.php
Judging by the contents of this file, it is an operating system of its own including keyboard, mouse and a lot of debugging information. We need to find out more about the BLAST Kernel and this partition.
Samsung Proprietary partitions SBL1,2,3
Overall I'm not entirely familiar with this new 3 SBL setup. If someone could help me out, that would be great. This 3 SBL setup looks like they tried to adapt (sloppily) their IBL+PBL+SBL setup to the Qualcomm and added overhead.
0p2=sbl1
This block is signed by Samsung, we will not be able to modify it.
Some Strings we expect to see on UART are:
0p3=sbl2
This block is signed by Samsung, we will not be able to modify it.
Some of the strings we may see over UART are:
Code:
RPM loading is successful.
cancel RPM loading!
SBL2, End
SBL2, Delta
.sbl2_hw.c
sbl2_hw_init, Start
sbl2_hw_init, Delta
sbl2_hw_init_secondary, Start
h/w version : %d
sbl2_hw_init_secondary, Delta
.SBL2, Start
scatterload_region & ram_init, Start
.scatterload_region & ram_init, Delta
.sbl2_mc.c
sbl2_retrieve_shared_info_from_sbl1, Start
.sbl2_retrieve_shared_info_from_sbl1, Delta
0p4=sbl3
This block is signed by Samsung, we will not be able to modify it.
Possibly useful information:
SVC: R1-R14
FIQ:R13-R14
IRQ:R13-R14
UND:R13-R14
ABT:R13-R14
SYS:R13-R14
This block appears to be a full OS of its own. I'm not sure of its purpose.
0p5= aboot
This block is signed by Samsung, we will not be able to modify it
This block contains HTML information. It would appear that it is possible to put the device into a mode where it will provide a webserver which displays state information.
This block appears to be a complete operating system
This block contains the Loke Daemon which communicates with Odin3.
0p6= rpm
This block is signed by Samsung we will not be able to modify it
0p7= boot
This is the kernel. There are several things we can do here... I believe this package itself is not signed, but the zImage itself is... here is the bootimg.cfg file
Code:
[email protected]:~/Desktop/VZWGS3$ cat ./bootimg.cfg
bootsize = 0xa00000
pagesize = 0x800
kerneladdr = 0x80208000
ramdiskaddr = 0x81500000
secondaddr = 0x81100000
tagsaddr = 0x80200100
name =
cmdline = console=null androidboot.hardware=qcom user_debug=31
It may be possible to use that cmdline variable as an exploit.
0p8= tz - Trust Zone
0p9= pad
0p10= param -boot mode parameters - this could be a potential exploitation point.
0p11= efs -serial numbers
I've honestly got no clue about most of the following partitions.
0p12= modemst1
0p13= modemst2
0p14= system - Android stuff
0p15= userdata - App Stuff
0p16= persist
0p17= cache - Storage for updates
0p18= recovery - recovery partition
0p19= fota
0p20= backup
0p21= fsg
0p22= ssd
0p23= grow
External UART log from initial power up:
Code:
[1630] AST_POWERON
[ 0.000000] heap->name mm, mb->start c0000000
[ 0.000000] Reserving memory at address ea000000 size: 100000
[ 0.000000] sec_dbg_setup: [email protected]
[ 0.000000] sec_dbg_setup: secdbg_paddr = 0x88d90004
[ 0.000000] sec_dbg_setup: secdbg_size = 0x40000
[ 0.000000] etb_buf_setup: [email protected]
[ 0.000000] etb_buf_setup: secdbg_paddr = 0x8fffb9c0
[ 0.000000] etb_buf_setup: secdbg_size = 0x4000
[ 0.174515] rdev_init_debugfs: Error-Bad Function Input
[ 0.174881] AXI: msm_bus_fabric_init_driver(): msm_bus_fabric_init_driver
[ 0.176957] sec_debug_init: enable=0
[ 0.177475] ec_debug_nit: restrt_reason: 0xdf0085c
[ .216358] msm8960_iit_cam:292]settingdone!!
[ 0.25006] i2c 2c-14: Inalid 7-bi I2C addrss 0x00
0.25237] i2c ic-14: Can' create evice at x00
[ 0.252220]i2c i2c-1: Failed o registeri2c clien cmc624 t 0x38 (-6)
[ .252250] 2c i2c-19:Can't crete deviceat 0x38
0.25433] rdevinit_debufs: Error-ad Functin Input
0.25222] max892 19-006: DVS mode disabledbecause VD0 and VI1 do not ave prope control.
[ 0.79536] ms_etm msm_tm: ETM tacing is ot enable beacaussec_debug s not enaled!
[ 0.284449 smd_chanel_probe_orker: alocation tble not iitialized
[ 0.38766] pm_untime: fil to wak up
[ 0.362032]hdmi_msm dmi_msm.1 externalcommon_stte_create sysfs grup de39e68
[ 0362673] Iside writback_drivr_init
[ 0.36275] Insidewritebackprobe
[ 1.244803] TZCOM: unable to get bus clk
[ 1.431680] cm36651_setup_reg: initial proximity value = 3
[ 1.549671] msm_otg msm_otg: request irq succeed for otg_power
[ 1.566702] mms_ts 3-0048: [TSP] ISC Ver [0xbb] [0x20] [0x20]
[ 1.571341] mms_ts 3-0048: [TSP] fw is latest. Do not update.
[ 1.583488] [__s5c73m3_probe:3818] S5C73M3 probe
[ 1.587089] [s5c73m3_sensor_probe_cb:3793] Entered
[ 1.591942] [s5c73m3_i2c_probe:3675] Entered
[ 1.596123] [s5c73m3_init_client:3381] Entered
[ 1.600579] [s5c73m3_i2c_probe:3695] Exit
[ 1.604608] [s5c73m3_sensor_probe:3726] Entered
[ 1.609095] [s5c73m3_spi_init:226] Entered
[ 1.613154] [s5c73m3_spi_probe:191] Entered
[ 1.617335] [s5c73m3_spi_probe:201] s5c73m3_spi successfully probed
[ 1.623561] [s5c73m3_sensor_probe : 3749] Probe_done!!
[ 1.672638] mmc0: No card detect facilities available
[ 1.682984] aat1290a_led_probe : Probe
[ 1.693850] msm_soc_platform_init
[ 1.697298] msm_afe_afe_probe
[ 1.843064] msm_asoc_pcm_new
[ 1.849748] msm_asoc_pcm_new
[ 2.023134] set_dload_mode <1> ( c00176d4 )
[ 2.052220] cypress_touchkey 16-0020: Touchkey FW Version: 0x06
[ 2.123851] init: /init.qcom.rc: 466: invalid command '/system/bin/log'
[ 2.129620] init: /init.qcom.rc: 573: ignored duplicate definition of service 'sdcard'
[ 2.137402] init: /init.qcom.rc: 586: ignored duplicate definition of service 'ftm_ptt'
[ 2.145490] init: /init.target.rc: 73: ignored duplicate definition of service 'thermald'
[ 2.154677] init: could not open /dev/keychord
[ 2.239951] init: Device Encryption status is (0)!!
[ 2.243705] init: [disk_config] :::: fsck -> /dev/block/mmcblk0p15 (ext4):::::
[ 2.251823] init: [disk_config] ext_check -> /system/bin/e2fsck -v -y /dev/block/mmcblk0p15
[ 2.588921] init: [disk_config] ext_check ->ok
[ 2.611597] init: [disk_config] :::: fsck -> /dev/block/mmcblk0p17 (ext4):::::
[ 2.617762] init: [disk_config] ext_check -> /system/bin/e2fsck -v -y /dev/block/mmcblk0p17
[ 2.655333] init: [disk_config] ext_check -> ok
[ 2.664947] init: [disk_config] :::: fsck -> /dev/block/mmcblk0p11 (ext4):::::
[ 2.671081] init: [disk_config] ext_check -> /system/bin/e2fsck -v -y /dev/block/mmcblk0p11
[ 2.704532] init: [disk_config] ext_check -> ok
[ 3.259056] init: cannot find '/system/etc/install-recovery.sh', disabling 'flash_recovery'
[ 3.270471] init: cannot find '/system/bin/dmbserver', disabling 'dmb'
External UART log from battery-pull and reinsert
Code:
[1630] AST_POWERON
[ 0.000000] heap->name mm, mb->start c0000000
[ 0.000000] Reserving memory at address ea000000 size: 100000
[ 0.000000] sec_dbg_setup: [email protected]
[ 0.000000] sec_dbg_setup: secdbg_paddr = 0x88d90004
[ 0.000000] sec_dbg_setup: secdbg_size = 0x40000
[ 0.000000] etb_buf_setup: [email protected]
[ 0.000000] etb_buf_setup: secdbg_paddr = 0x8fffb9c0
[ 0.000000] etb_buf_setup: secdbg_size = 0x4000
[ 0.174484] rdev_init_debugfs: Error-Bad Function Input
[ 0.174851] AXI: msm_bus_fabric_init_driver(): msm_bus_fabric_init_driver
[ 0.176926] sec_debug_init: enable=0
[ 0.177445] sc_debug_iit: restat_reason 0xdf0086c
[ 0216206] [sm8960_int_cam:299]setting one!!
[ 0.217915 select_req_plan:ACPU PVS:Nominal
0.25206] i2c ic-14: Invaid 7-bit 2C addres 0x00
[ 0.25207] i2c i2-14: Can'tcreate deice at 0x0
[ 0252250] 2c i2c-19 Failed t register 2c clientcmc624 at0x38 (-16
[ 0252250] ic i2c-19: an't creae device t 0x38
[ 0.25243] rdev_iit_debugs: Error-Bd Functio Input
[ 0.25292] max895 19-0060:DVS modesdisabled ecause VI0 and VID do not hve propercontrols.
[ 0.29536] msmetm msm_em: ETM trcing is nt enable!
[ 0.35797] pm_rntime: fal to wakeupllcation tale not intialized
[ .362093] dmi_msm hmi_msm.1:external_ommon_stae_create:sysfs grop de39e60
[ 0.62734] Inide writeack_driverinit
[ 0.36285] Inside riteback_robe
[ 1.244803] TZCOM: unable to get bus clk
possible exploitations
Possible entry point MODEM - Someone with a JTAG setup test viability of modifying a single byte on /dev/block/mmcblk0p1
Possible entry point PARAMS - Samsung stores their boot parameters in PARAMS partition. It may be possible to modify PARAMS for insecure boot
Possible entry point BOOT - Modify CMDLINE parameter to load information from another location.
Possible entry point BOOT - We may be able to shove an insecure bootloader into memory, boot into that, and then use the recovery partition as our kernel partition. Bauwks 2nd U-Boot. U-Boot is available for the Exynos 4412, we need to find one for Qualcomm.
Possible entry point SYSTEM - It may be possible to use a 2nd init hack from this partition to load custom kernels into memory and reboot the kernel.
Current tasks
What do all of these partitions do?
Do we have a SDCard based recovery?
Where can we find an Odin3 CSC Flash?
Testing methods above is required
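The bootimg.cfg in the OP is abootimg's view of the stock Android boot image header (magic, kernel/ramdisk/second sizes and load addresses, tags address, page size, cmdline and an id hash). The following is an added example, not code from the OP or from abootimg: it builds a constructed image with the OP's addresses and cmdline, parses it back into the same fields, refuses a header whose declared sizes run past the data, and checks the header's id hash against the payload, which catches a truncated dump or an edited kernel.

```python
"""Android boot.img (header v0) builder, parser and integrity check.
Added example for this thread, not code from the OP or abootimg; the header
layout is the stock Android one and the load addresses default to the OP's
bootimg.cfg values. Kernel and ramdisk bytes below are constructed stand-ins.
"""
import hashlib
import struct

BOOT_MAGIC = b"ANDROID!"
# magic, kernel_size, kernel_addr, ramdisk_size, ramdisk_addr, second_size,
# second_addr, tags_addr, page_size, unused[2], name[16], cmdline[512], id[32]
HEADER_FMT = "<8s10I16s512s32s"
HEADER_SIZE = struct.calcsize(HEADER_FMT)  # 608 bytes, stored in one page


def _pad(blob, page_size):
    """Pad a section to a whole number of pages, as mkbootimg does."""
    rem = len(blob) % page_size
    return blob if rem == 0 else blob + b"\x00" * (page_size - rem)


def _image_id(kernel, ramdisk, second):
    """SHA-1 over each section followed by its little-endian size (the id field)."""
    h = hashlib.sha1()
    for blob in (kernel, ramdisk, second):
        h.update(blob)
        h.update(struct.pack("<I", len(blob)))
    return h.digest().ljust(32, b"\x00")


def build_boot_img(kernel, ramdisk, cmdline, second=b"", page_size=0x800,
                   kernel_addr=0x80208000, ramdisk_addr=0x81500000,
                   second_addr=0x81100000, tags_addr=0x80200100, name=b""):
    """Assemble an image: one header page, then page-aligned kernel/ramdisk/second."""
    header = struct.pack(
        HEADER_FMT, BOOT_MAGIC,
        len(kernel), kernel_addr, len(ramdisk), ramdisk_addr,
        len(second), second_addr, tags_addr, page_size, 0, 0,
        name.ljust(16, b"\x00"), cmdline.ljust(512, b"\x00"),
        _image_id(kernel, ramdisk, second))
    image = _pad(header, page_size) + _pad(kernel, page_size) + _pad(ramdisk, page_size)
    if second:
        image += _pad(second, page_size)
    return image


def parse_boot_img(data):
    """Return bootimg.cfg-style fields plus whether the stored id matches the payload.
    Raises ValueError on a bad magic, a bad page size, or declared sizes that run
    past the end of the data (a truncated dump or a crafted header)."""
    if len(data) < HEADER_SIZE:
        raise ValueError("too short for a boot image header")
    (magic, kernel_size, kernel_addr, ramdisk_size, ramdisk_addr, second_size,
     second_addr, tags_addr, page_size, _u0, _u1, name, cmdline, stored_id) = \
        struct.unpack(HEADER_FMT, data[:HEADER_SIZE])
    if magic != BOOT_MAGIC:
        raise ValueError("bad magic %r" % magic)
    if page_size == 0 or page_size & (page_size - 1):
        raise ValueError("page size must be a power of two, got %#x" % page_size)

    def pages(n):
        return (n + page_size - 1) // page_size * page_size

    kernel_off = page_size                      # the header occupies one page
    ramdisk_off = kernel_off + pages(kernel_size)
    second_off = ramdisk_off + pages(ramdisk_size)
    if second_off + second_size > len(data):
        raise ValueError("declared sizes exceed image length")
    kernel = data[kernel_off:kernel_off + kernel_size]
    ramdisk = data[ramdisk_off:ramdisk_off + ramdisk_size]
    second = data[second_off:second_off + second_size]
    return {
        "bootsize": len(data),                  # abootimg reports the file length here
        "pagesize": page_size,
        "kerneladdr": kernel_addr,
        "ramdiskaddr": ramdisk_addr,
        "secondaddr": second_addr,
        "tagsaddr": tags_addr,
        "name": name.rstrip(b"\x00").decode("ascii", "replace"),
        "cmdline": cmdline.rstrip(b"\x00").decode("ascii", "replace"),
        "id_ok": _image_id(kernel, ramdisk, second) == stored_id,
        "kernel": kernel,
        "ramdisk": ramdisk,
    }


def demo():
    """Build a constructed image, parse it, then show the id catching a tampered kernel."""
    kernel = b"CONSTRUCTED-ZIMAGE-STUB" * 100    # constructed, not a real kernel
    ramdisk = b"\x1f\x8b" + b"CONSTRUCTED-RAMDISK" * 20
    cmdline = b"console=null androidboot.hardware=qcom user_debug=31"
    image = build_boot_img(kernel, ramdisk, cmdline)
    good = parse_boot_img(image)
    tampered = bytearray(image)
    tampered[0x800] ^= 0xFF                      # first byte of the kernel section
    bad = parse_boot_img(bytes(tampered))
    return good, bad


if __name__ == "__main__":
    good, bad = demo()
    for key in ("bootsize", "pagesize", "kerneladdr", "ramdiskaddr",
                "secondaddr", "tagsaddr", "name", "cmdline"):
        value = good[key]
        print("%s = %s" % (key, hex(value) if isinstance(value, int) else value))
    print("id matches payload:", good["id_ok"], "| after tampering:", bad["id_ok"])
```

The id field is an unkeyed hash, so it detects corruption but says nothing about who produced the image; the signature the OP refers to lives outside this header.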
You may want to try using Google Translate for the French website. I gave it a shot and it translates pretty well. See attached (sorry, I'm not a developer, but am trying to help in any way I can). You can also try this URL, but you may need to re-enter it yourself
http://translate.google.com/transla...tf=1&u=http://blast.darkphpbb.com/faq.php#f42
What I am looking into is the upload mode available in Odin. It has no signature checks from what I can tell. Also, do you mean a stock Odin file, which we do have?
Sent from my SCH-I535 using Tapatalk 2
Adam, appreciate you keeping us up to date. As an electrical/systems engineer the journey is a great learning experience for me and all.
I'm not sure if you've come across this document. It talks about the MSM7xxx series security capabilities. I couldn't find one for the MSM8xxx, but this may give some insight into how Qualcomm approaches security.
MSM7xxx
Edit: Looks like you are aware of the concepts from your reference about IBL,PBL,SBL.
Not sure if this will be any help, but found this regarding the blast kernel:
http://www.anyclub.org/2012/06/how-to-add-more-physical-ram-memory.html
how to add more physical RAM memory section to Blast Kernel in the MDM9200/MDM9600
Blast Kernel has the capability to take more than one contiguous physical RAM space (section) and use it for its own system memory. In order to add more RAM mem section to Blast, the customer needs to modify the blast_config.c file.
Here is the example of adding 4MB additional RAM mem section.
In blast_config.c,
struct phys_mem_pool_config pool_configs[] __attribute__((weak)) = {
{"DEFAULT_PHYSPOOL", //name
{
{0x00c00000, 0x02f00000}, // 47MB, the first mem section
{0x00700000, 0x00400000} // adding 4MB, QC default value is {0}
}
},
In this example, additional 4MB is added starting from 0x700000 physical address offset.
Please note the start address has to be physical address.
By adding the second mem section, the Blast Kernel can now use 51MB in total, while it used only 47MB before adding the 4MB mem section
Found this http://code.google.com/p/blastkernel/ (locked down though, I couldn't get access) which was linked from here (also in French but translated through Google) but I'm unsure as to whether it is related to the blastkernel you are looking for, as all the links for the source code are now broken.
Also, while looking through the VZW source I found that the person responsible for a lot of the VZW specific code also helped to develop this http://www.uclinux.org/ so maybe some of that source might be of some help too.
There are relatively large pins between the processor and the other larger chip on the back side of the board. I'm not sure what I'm looking at, but it's definitely communications of some kind. These were taken with the battery out of the device when plugged into USB. Each set starts a new unplug-plugin sequence.
This is from another pin on the back. As soon as plugged in, a series of 2's come out at 115200BPS:
Code:
22222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222
Here's another one:
Code:
2"DB"D""D""D""D""D""B""B""B""B"DB"DB"DB"D""D""D""D""D""B""B""B""B"DB"DB"DB"D""D""D""D""D""B""B""B""B"DB"DB"DB"D""D""D""D""D""B""B""B""B"DB"DB"DB"D""D""D""D""D""B""B""B""B"DB"DB"DB"D""D""D""D""D""B""B""B""B"DB"DB"DB"D""D""D""D""D""�
All of these were located between the processor and SDCard. I must examine these better. In particular, there are two points at the corner of the processor just above where my needle is located in this picture.
Code:
U��UUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUU�UUU��JUU��UUUU��UUU��Z���UUUU���UUUUU���UUUUUU���UUUU���UUUUUUٙ������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������
These points seem to be what I'm looking for as far as UART... Especially that last one. It moves just as you'd expect start-up checks to move, random strings of characters... While not intelligible in the above, after figuring out the bitrate I'm sure something will come through.
I need to analyze the bitrate at this point. I'm quitting for the night though.
I am at the wrong baud rate, but I think I pulled up some valuable boot data from the processor.
Just a sidenote - some of these testpoints might be CLK/PWM signals, the one with the series of "2222" seems like this.
Also - if UART coming out of the FSA muxer is 115200bps - the same debug line, on the testpoint before the FSA, must be 115200bps as well. Unless bootloader output goes to another port with a different baud rate, which sounds unlikely.
Rebellos said:
Just a sidenote - some of these testpoints might be CLK/PWM signals, the one with the series of "2222" seems like this.
Also - if UART coming out of the FSA muxer is 115200bps - the same debug line, on the testpoint before the FSA, must be 115200bps as well. Unless bootloader output goes to another port with a different baud rate, which sounds unlikely.
You're right about the 2's.. it's probably a sync signal or something... i.e.
Code:
00000010
However, I don't believe the UART is all consistent. Here's my reasoning. Samsung does not control the processor or the initial bootloader on the processor. I've spoken to some engineers and they are frustrated because things must be sent to Qualcomm to get work done on the bootloaders. It's highly likely that they simply change the bps of the UART to match the Samsung standard.
Thanks to Josh Groce at MobileTechVideos for the heads up on this trick: I was able to mount the Qualcomm Modem partition, which I also believe to be the PBL, as a FAT partition
Code:
[email protected]:~/Desktop/VZWGS3$ sudo mount ./0p1 ./p1
[email protected]:~/Desktop/VZWGS3$ ls -l ./p1
total 16
drwxr-xr-x 2 root root 16384 Jul 5 2011 image
[email protected]:~/Desktop/VZWGS3$ ls -l ./p1/image
total 42464
-rwxr-xr-x 1 root root 244 Jun 15 08:33 dsps.b00
-rwxr-xr-x 1 root root 160 Jun 15 08:33 dsps.b01
-rwxr-xr-x 1 root root 147456 Jun 15 08:33 dsps.b02
-rwxr-xr-x 1 root root 31872 Jun 15 08:33 dsps.b03
-rwxr-xr-x 1 root root 6220 Jun 15 08:33 dsps.b04
-rwxr-xr-x 1 root root 13824 Jun 15 08:33 dsps.b05
-rwxr-xr-x 1 root root 404 Jun 15 08:33 dsps.mdt
-rwxr-xr-x 1 root root 180 Jun 15 07:50 dxhdcp2.b00
-rwxr-xr-x 1 root root 6520 Jun 15 07:50 dxhdcp2.b01
-rwxr-xr-x 1 root root 135168 Jun 15 07:50 dxhdcp2.b02
-rwxr-xr-x 1 root root 2100 Jun 15 07:50 dxhdcp2.b03
-rwxr-xr-x 1 root root 6700 Jun 15 07:50 dxhdcp2.mdt
-rwxr-xr-x 1 root root 308 Jun 15 08:33 modem.b00
-rwxr-xr-x 1 root root 6600 Jun 15 08:33 modem.b01
-rwxr-xr-x 1 root root 21960368 Jun 15 08:33 modem.b02
-rwxr-xr-x 1 root root 4962049 Jun 15 08:33 modem.b03
-rwxr-xr-x 1 root root 1358104 Jun 15 08:33 modem.b04
-rwxr-xr-x 1 root root 72208 Jun 15 08:33 modem.b06
-rwxr-xr-x 1 root root 707124 Jun 15 08:33 modem.b07
-rwxr-xr-x 1 root root 1044 Jun 15 08:25 modem_f1.b00
-rwxr-xr-x 1 root root 7060 Jun 15 08:25 modem_f1.b01
-rwxr-xr-x 1 root root 2676 Jun 15 08:25 modem_f1.b02
-rwxr-xr-x 1 root root 954800 Jun 15 08:25 modem_f1.b03
-rwxr-xr-x 1 root root 575208 Jun 15 08:25 modem_f1.b04
-rwxr-xr-x 1 root root 246484 Jun 15 08:25 modem_f1.b05
-rwxr-xr-x 1 root root 94208 Jun 15 08:25 modem_f1.b06
-rwxr-xr-x 1 root root 13568 Jun 15 08:25 modem_f1.b07
-rwxr-xr-x 1 root root 11212 Jun 15 08:25 modem_f1.b08
-rwxr-xr-x 1 root root 9548 Jun 15 08:25 modem_f1.b09
-rwxr-xr-x 1 root root 68223 Jun 15 08:25 modem_f1.b10
-rwxr-xr-x 1 root root 113468 Jun 15 08:25 modem_f1.b13
-rwxr-xr-x 1 root root 164412 Jun 15 08:25 modem_f1.b14
-rwxr-xr-x 1 root root 3604 Jun 15 08:25 modem_f1.b21
-rwxr-xr-x 1 root root 28156 Jun 15 08:25 modem_f1.b22
-rwxr-xr-x 1 root root 19136 Jun 15 08:25 modem_f1.b23
-rwxr-xr-x 1 root root 74360 Jun 15 08:25 modem_f1.b25
-rwxr-xr-x 1 root root 49740 Jun 15 08:25 modem_f1.b26
-rwxr-xr-x 1 root root 84476 Jun 15 08:25 modem_f1.b29
-rwxr-xr-x 1 root root 1064 Jun 15 08:25 modem_f1.fli
-rwxr-xr-x 1 root root 8104 Jun 15 08:25 modem_f1.mdt
-rwxr-xr-x 1 root root 1044 Jun 15 08:25 modem_f2.b00
-rwxr-xr-x 1 root root 7060 Jun 15 08:25 modem_f2.b01
-rwxr-xr-x 1 root root 2676 Jun 15 08:25 modem_f2.b02
-rwxr-xr-x 1 root root 955792 Jun 15 08:25 modem_f2.b03
-rwxr-xr-x 1 root root 579032 Jun 15 08:25 modem_f2.b04
-rwxr-xr-x 1 root root 239892 Jun 15 08:25 modem_f2.b05
-rwxr-xr-x 1 root root 94208 Jun 15 08:25 modem_f2.b06
-rwxr-xr-x 1 root root 13568 Jun 15 08:25 modem_f2.b07
-rwxr-xr-x 1 root root 11212 Jun 15 08:25 modem_f2.b08
-rwxr-xr-x 1 root root 9580 Jun 15 08:25 modem_f2.b09
-rwxr-xr-x 1 root root 68223 Jun 15 08:25 modem_f2.b10
-rwxr-xr-x 1 root root 116188 Jun 15 08:25 modem_f2.b13
-rwxr-xr-x 1 root root 158012 Jun 15 08:25 modem_f2.b14
-rwxr-xr-x 1 root root 3604 Jun 15 08:25 modem_f2.b21
-rwxr-xr-x 1 root root 28156 Jun 15 08:25 modem_f2.b22
-rwxr-xr-x 1 root root 19200 Jun 15 08:25 modem_f2.b23
-rwxr-xr-x 1 root root 74360 Jun 15 08:25 modem_f2.b25
-rwxr-xr-x 1 root root 49756 Jun 15 08:25 modem_f2.b26
-rwxr-xr-x 1 root root 84476 Jun 15 08:25 modem_f2.b29
-rwxr-xr-x 1 root root 1064 Jun 15 08:25 modem_f2.fli
-rwxr-xr-x 1 root root 8104 Jun 15 08:25 modem_f2.mdt
-rwxr-xr-x 1 root root 6908 Jun 15 08:33 modem.mdt
-rwxr-xr-x 1 root root 276 Jun 15 08:24 q6.b00
-rwxr-xr-x 1 root root 6580 Jun 15 08:24 q6.b01
-rwxr-xr-x 1 root root 3447760 Jun 15 08:24 q6.b03
-rwxr-xr-x 1 root root 1653278 Jun 15 08:24 q6.b04
-rwxr-xr-x 1 root root 757840 Jun 15 08:24 q6.b05
-rwxr-xr-x 1 root root 14472 Jun 15 08:24 q6.b06
-rwxr-xr-x 1 root root 6856 Jun 15 08:24 q6.mdt
-rwxr-xr-x 1 root root 180 Jun 15 07:50 tzapps.b00
-rwxr-xr-x 1 root root 6520 Jun 15 07:50 tzapps.b01
-rwxr-xr-x 1 root root 503808 Jun 15 07:50 tzapps.b02
-rwxr-xr-x 1 root root 452 Jun 15 07:50 tzapps.b03
-rwxr-xr-x 1 root root 6700 Jun 15 07:50 tzapps.mdt
-rwxr-xr-x 1 root root 212 Jun 15 07:44 wcnss.b00
-rwxr-xr-x 1 root root 140 Jun 15 07:44 wcnss.b01
-rwxr-xr-x 1 root root 8360 Jun 15 07:44 wcnss.b02
-rwxr-xr-x 1 root root 1778532 Jun 15 07:44 wcnss.b04
-rwxr-xr-x 1 root root 352 Jun 15 07:44 wcnss.mdt
[email protected]:~/Desktop/VZWGS3$
tz - is the trustzone, normal qualcomm
cache - should not be the dalvik cache, dalvik cache should be on the userdata partition from now on. (Could be wrong, don't have the device). Cache should be almost strictly for updates and recovery use now.
boot itself is signed, not the zImage.
I believe hopping on the developer device is a better option, not only is it made for such, it's also not purchasing a phone within Verizon's sales network (my favorite part of it all)
But Google slapped on the GPLv3 I believe. And since GPL allows multiple licenses then the TiVo clause would still apply. Correct me if I am wrong.
Adam you may want to look at this its found in otacert.zip in this folder
http://db.tt/f4QYrK8x
Sent from my SCH-I535 using Tapatalk 2
In the UART dump in the OP, the line stamped at 1.57 seems interesting. Looks like the modem (assuming that's still where the activity is going on then) is checking firmware. Makes me think that there might be something there that could be captured. I wonder where it is confirming the fw is updated.
This might not be useful, but it seems interesting.
Sent from my SCH-I535 using Xparent ICS Tapatalk 2
Why not try the Samsung flash utility instead of Odin.
Sent from my SCH-I535 using Tapatalk 2
tpike said:
In the UART dump in the OP, the line stamped at 1.57 seems interesting. Looks like the modem (assuming that's still where the activity is going on then) is checking firmware.
Usually the firmware is loaded and checked in modem by modem RTOS kernel. But I don't know what modem (BP/CP) is used in the Verizon S3...
Errata to OP:
/efs partition on Qualcomm models is as far as I know empty (not used)
AdamLange said:
Errata to OP:
/efs partition on Qualcomm models is as far as I know empty (not used)
Many people on the forums here have stated IMEI information is stored in a file within /efs (at least on GSM models?) but I can't confirm myself.
There are several threads about attempting to restore lost IMEIs that might have more info.
papi92 said:
Adam you may want to look at this its found in otacert.zip in this folder
http://db.tt/f4QYrK8x
Sent from my SCH-I535 using Tapatalk 2
That's just the public key VZW uses to sign updates. Not of use to us.
I was playing around with Odin3. I'm a Linux guy so this was exploration for me.... I was able to make my own Odin package with signed Samsung images under Linux and flash it with Odin3 under Windows.
Code:
[email protected]:~/Desktop/Untitled Folder$ tar -cf OdinCustom.tar recovery.img boot.img
[email protected]:~/Desktop/Untitled Folder$ md5sum -t OdinCustom.tar >> OdinCustom.tar
[email protected]:~/Desktop/Untitled Folder$ mv ./OdinCustom.tar ./OdinCustom.tar.md5
[email protected]:~/Desktop/Untitled Folder$
The first command creates a TAR (Tape ARchive format) of a recovery.img and a boot.img in a file called OdinCustom.tar. The second appends the MD5 to the end of the package. The third command renames it to OdinCustom.tar.md5. The resulting file is flashable by Odin.
This could prove useful if we can find another Qualcomm device which has a bootloader signed by Samsung.
Also, Odin3 has a cool inf file which can be modified to change the title and characteristics of Odin3 http://i49.tinypic.com/352q7t0.png
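The three commands in the post above produce a plain tar with one trailing text line, the output of md5sum -t, appended to it. As an added example (not the poster's tooling and not Odin's source), this Python builds such a package from constructed member contents and then performs the check the .md5 suffix implies: the trailing line must be the MD5 of every byte before it, and the bytes before it must still be a readable tar.

```python
"""Build and verify an Odin-style .tar.md5 package.
Added example for this thread, not the poster's own tooling and not Odin's
code. It mirrors the three shell commands in the post (tar, append the
`md5sum -t` line, rename) and adds the check the suffix implies: the final
text line must be the MD5 of every byte before it. Member contents are
constructed stand-ins, not real images.
"""
import hashlib
import io
import re
import tarfile

# md5sum in text mode prints "<32 hex>  <name>\n" (two spaces).
TRAILER_RE = re.compile(rb"^([0-9a-f]{32})  (\S+)\n$")


def build_tar_md5(members, tar_name="OdinCustom.tar"):
    """Return the bytes of <tar_name>.md5: an uncompressed tar plus the md5sum line."""
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w") as tar:   # uncompressed, like tar -cf
        for name, payload in members.items():
            info = tarfile.TarInfo(name)
            info.size = len(payload)
            tar.addfile(info, io.BytesIO(payload))
    body = buf.getvalue()
    digest = hashlib.md5(body).hexdigest()
    return body + ("%s  %s\n" % (digest, tar_name)).encode("ascii")


def split_tar_md5(blob):
    """Separate the tar body from the trailer line.
    A tar archive ends in NUL-filled blocks and the trailer is plain text,
    so the trailer starts right after the last NUL byte."""
    start = blob.rfind(b"\x00") + 1
    return blob[:start], blob[start:]


def verify_tar_md5(blob):
    """Return (ok, digest_in_trailer, digest_of_body, member_names).
    ok is False when the trailer is malformed, the digest does not match,
    or the body is not a readable tar archive."""
    body, trailer = split_tar_md5(blob)
    m = TRAILER_RE.match(trailer)
    if not m:
        return False, None, None, []
    claimed = m.group(1).decode("ascii")
    actual = hashlib.md5(body).hexdigest()
    try:
        with tarfile.open(fileobj=io.BytesIO(body), mode="r:") as tar:
            names = tar.getnames()
    except tarfile.TarError:
        return False, claimed, actual, []
    return claimed == actual, claimed, actual, names


def demo():
    """Package two constructed images, verify, then flip one byte and verify again."""
    members = {
        "recovery.img": b"ANDROID!" + b"\x00" * 600 + b"constructed recovery stub",
        "boot.img": b"ANDROID!" + b"\x00" * 600 + b"constructed boot stub",
    }
    package = build_tar_md5(members)
    ok, claimed, actual, names = verify_tar_md5(package)
    corrupted = bytearray(package)
    corrupted[512 + 8] ^= 0x01   # inside recovery.img's data, after its 512-byte tar header
    bad_ok, _, _, _ = verify_tar_md5(bytes(corrupted))
    return ok, bad_ok, names


if __name__ == "__main__":
    ok, bad_ok, names = demo()
    print("members:", names)
    print("trailer digest matches body:", ok, "| after flipping one byte:", bad_ok)
```

The trailer is an integrity check against a corrupted transfer only; anyone can recompute it, which is why the post still had to use Samsung-signed images inside the tar.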
I found something in the Qualcomm bootloader (first partition which is a FAT32 and appears to be unsigned) in the tzapps.b02 file which may or may not be of use. Apparently they are looking for something called "/file/file.dat" and it contains dummy data for an executive test suite. May be a possible exploit.
Also, this is a very important excerpt from the Qualcomm manual mentioned earlier... http://www.scribd.com/doc/51789612/80-V9038-15-APPLICATION-NOTE-MSM7XXX-QFUSES-AND-SECURITY
Code:
The PBL performs the following functions during a cold boot:
■Performs the minimal hardware setup required for PBL execution
■Reads off-chip boot configuration data from the flash memory
■Processes configuration data setting up clocks and memory access based on this data
■Loads the QCSBL image from the flash memory into the RAM
■Authenticates the QCSBL image if authentication is enabled
■Branches execution to the QCSBL image
Reads off-chip boot configuration data from the flash memory!
I spent a lot of time tonight looking at the individual files on the MODEM partition. I got nowhere except to possibly add the test file I mentioned above. It was a lot of data to go through. That MODEM is 60 megs!
So, I started looking at the SBL1 file. Now, it appears that this file runs linearly and tells a story as it goes through...
Code:
[email protected]:~/Desktop/VZWGS3$ strings ./0p2|head -n 200
: 2q
: 4q
`" 2q
: 4q
: 4q
(R '
(R '
(R '
~}|{zyxwvvutsrqqponnmllkjjihhgffeddccbaa``__^^]]\\[[ZZYYXXWWVVUUUTTSSRRRQQPPPOOONNMMMLLLKKKJJJIIIHHHGGGGFFFEEEDDDDCCCCBBBBAAA
/!(
/!(0
/!(0
/!(
SDCC4 HAL v2.0.1
boot_error_handler.c
*[email protected]
*[email protected]
*[email protected]
*[email protected]
*[email protected]
*[email protected]
*[email protected]
boot_pbl_authenticator.c
boot_clobber_prot.c
boot_clobber_prot_local.c
boot_clobber_prot.c
boot_clobber_prot_local.c
boot_config.c
boot_config.c
*Image Loaded by %s, Start on 0x%x
Data Abort
boot_mc.c
boot_error_handler.c
*BOOT
SCL_SBL1_STACK_BASE-SCL_SBL1_STACK_SIZE
boot_error_handler.c
boot_flash_dev_if.c
boot_flash_dev_if.c
boot_flash_dev_if.c
boot_flash_dev_sdcc_if.c
boot_flash_dev_sdcc_if.c
boot_flash_dev_sdcc.c
boot_flash_init, Start
boot_flash_init, Delta
boot_flash_target.c
boot_flash_trans_sdcc.c
*[email protected]
boot_flash_trans_sdcc.c
boot_fota_restore_partition, Start
boot_fota_restore_partition, Delta
boot_fota_restore_partition, Start
restore_fota_partition fail
boot_fota_restore_partition, Delta
boot_error_handler.c
boot_error_handler.c
boot_loader.c
*[email protected]
*[email protected]
boot_pbl_authenticator.c
boot_pbl_v1.c
boot_pbl_v1.c
boot_pbl_v1.c
Prefetch Abort
boot_error_handler.c
boot_rollback_version.c
boot_flash_dev_sdcc.c
boot_error_handler.c
Undefined
boot_flash_dev_sdcc.c
boot_flash_dev_sdcc.c
boot_flash_dev_sdcc.c
boot_flash_dev_sdcc.c
boot_flash_dev_sdcc.c
boot_sdcc_hotplug.c
EFI PART
%sp%lu
%sh%d
%s%c%lu
*[email protected]
boot_sdcc_hotplug.c
boot_sdcc_hotplug.c
read fail
*hdev open fail: fota
hdev open fail: dest
size fail: src
size fail: too big
read fail: src
read fail: dest
write fail: signature clear
*[email protected]
*[email protected]
*[email protected]
*[email protected]
*[email protected]
*|@-
boot_sdcc_hotplug.c
%sp%lu
*[email protected]
*[email protected]
SBL1, End
SBL1, Delta
*[email protected]
sbl1_check_device_temp, Start
sbl1_check_device_temp, Delta
sbl1_hw.c
sbl1_hw_init, Start
sbl1_hw_init, Delta
*SBL1, Start
scatterload_region && ram_init, Start
*scatterload_region && ram_init, Delta
sbl1_mc.c
sbl1_mc.c
*[email protected]
*[email protected]
*[email protected]
*{%u}
n;^
Qkkbal
i]Wb
9a&g
MGiI
wn>Jj
#.zf
+o*7
[email protected]
[email protected]
SBL2 Image Loaded, Delta
SBL1
DSP1
RAMFS1
SBL2
DSP2
RAMFS2
SBL3
ADSP_Q5
NONE
NANDPRG
NORPRG
HASH
QCSBL
FSBL
OSBL
APPSBL
OEM_SBL
EHOSTDL
APPS_KERNEL
BACKUP_RAMFS
APPS
AMSS
SSD_KEYS
fs_hotplug_api.c
Assertion phy_hdev != NULL failed
boot_flash_trans_sdcc
boot_flash_trans_sdcc_factory
boot_flash_dev_sdcc
HAL_SBI_SSBI_V2_PMIC_ARBITER
fs_hotplug_iter.c
Assertion 0 failed
fs_hotplug_legacy_hdev.c
Assertion phy_hdev->legacy_hdev != NULL failed
fs_hotplug_partition.c
Assertion parti->is_locked == 0 failed
Assertion parti->is_formatting == 0 failed
Assertion parti->is_locked == 1 failed
Assertion parti->is_formatting == 1 failed
Assertion parti->ref_cnt >= 1 failed
Assertion hdev_name != NULL failed
Assertion parti != NULL failed
fs_hotplug_dev_state.c
Assertion phy_hdev->dev_state == HPDEV_UNDISCOVERED failed
Assertion phy_hdev->dev_state == HPDEV_DISCOVERED failed
Assertion phy_hdev->dev_state == HPDEV_UNMOUNTED failed
Assertion phy_hdev->dev_state == HPDEV_UNINITIALIZED || phy_hdev->dev_state == HPDEV_LOCKED || phy_hdev->dev_state == HPDEV_FORMATTING || phy_hdev->dev_state == HPDEV_UNMOUNTED failed
Assertion phy_hdev->dev_state == HPDEV_MOUNTED failed
Assertion phy_hdev->dev_state == HPDEV_UNINITIALIZED failed
fs_hotplug_poll.c
Assertion phy_hdev->bdev_handle == NULL failed
Assertion phy_hdev->parti_list == NULL failed
Assertion phy_hdev->hdev_list == NULL failed
fs_blockdev_devnull_driver.c
Assertion devnull_ops != NULL failed
/hdev/dev.null
BDEV_DEVNULL_DRIVER
BDEV_SD_DRIVER
/hdev/sdc1
/hdev/sdc2
/hdev/sdc3
/hdev/sdc4
fs_blockdev_sd_driver.c
Assertion sdcc_ops != NULL failed
fs_hotplug_parser.c
Assertion blk_cnt != 0 failed
fs_blockdev_sd.c
Assertion sd_data != NULL failed
Assertion handle != NULL failed
Assertion sdcc_handle != NULL failed
Assertion bytes_per_block != NULL failed
Assertion blocks != NULL failed
Assertion bdev != NULL failed
Assertion dev->driveno < max_sd_slots failed
@@@@@@@@@[email protected]@@@@@@@@@@@@@@@@@
Format: Log Type - Time(microsec) - Message
Log type: B - since boot(excluding boot rom). D - delta
OVERFLOW
........
Particularly "boot_fota_restore_partition, Start". It looks like one of the first things the GS3 does is check for information to be updated on the FOTA partition. Whatever it chooses to do, it performs security checks on the size and a few other things.
I believe it then loads SBL2, as the rest of the partitions do not have this message: "SBL2 Image Loaded, Delta".
SBL2:
Code:
[email protected]:~/Desktop/VZWGS3$ strings ./0p3
SVC: R1-R14
FIQ:R13-R14
IRQ:R13-R14
UND:R13-R14
ABT:R13-R14
SYS:R13-R14
[email protected]
K{DiF
K{DiF
D(b(F
hu)AF
019Ud
3F*[email protected]
G [email protected]
&_F F
h/F F
fJF)F F&`NF
F 9"
pJpO
: 4q
: 6q
: 8q
! 6q
`" 2q
: 4q
pG hJ
G [email protected]
bNE
G [email protected]
G [email protected]
j8D b F
02:Ud
3F*[email protected]
CreT
#L|D
!L|D
F)F F
5EC/
x0(
02bUm
#\b\cTI
FAF F
F!h
b h
G jv
G [email protected]
G [email protected]
,pp
2F!F
G [email protected]
1JzD
2FhF
2FiF
: 4q
: 6q
: 8q
bF9FN
RAIAK
bF9FN
RAIAK
bF9FN
~}|{zyxwvvutsrqqponnmllkjjihhgffeddccbaa``__^^]]\\[[ZZYYXXWWVVUUUTTSSRRRQQPPPOOONNMMMLLLKKKJJJIIIHHHGGGGFFFEEEDDDDCCCCBBBBAAA
! 3[B
[email protected]
[email protected]
SDCC4 HAL v2.0.1
pGxG
.boot_error_handler.c
[email protected]
[email protected]
[email protected]
[email protected]
[email protected]
[email protected]
.boot_auth_if.c
.boot_auth_if.c
.boot_sbl_authenticator.c
.boot_clobber_prot.c
.boot_clobber_prot_local.c
boot_clobber_prot.c
boot_clobber_prot_local.c
boot_config_data_table_init, Start
.boot_config_data_table_init, Delta
.boot_config.c
.boot_config.c
.Image Loaded by %s, Start on 0x%x
Data Abort
Ufw}3{
O*2PC~
[email protected]
.boot_mc.c
.0:ALL
.boot_error_handler.c
.BOOT
SCL_SBL2_STACK_BASE-SCL_SBL2_STACK_SIZE
.boot_error_handler.c
.boot_flash_dev_if.c
.boot_flash_dev_if.c
.boot_flash_dev_if.c
.boot_flash_dev_sdcc_if.c
.boot_flash_dev_sdcc_if.c
.boot_flash_dev_sdcc.c
boot_flash_init, Start
boot_flash_init, Delta
.boot_flash_target.c
.boot_flash_trans_sdcc.c
[email protected]
.boot_flash_trans_sdcc.c
.boot_hash.c
.boot_hash_if.c
.boot_hash_if.c
.boot_sys_loader.c
.boot_error_handler.c
.boot_error_handler.c
.boot_loader.c
.boot_loader.c
.boot_logger_ram.c
[email protected]
[email protected]
BRPMSignal SBL1 to Jump to RPM FW
.boot_sys_loader.c
.boot_pbl_v1.c
.boot_pbl_v1.c
.boot_pbl_v1.c
.boot_pbl_v1.c
Prefetch Abort
.boot_error_handler.c
.boot_rollback_version.c
.boot_sbl_authenticator.c
.boot_flash_dev_sdcc.c
[email protected]
.boot_ddr_info.c
.boot_sbl_authenticator.c
.boot_error_handler.c
Undefined
[email protected]
[email protected]
[email protected]
[email protected]
RDDL
Testing DDR Read/Write.
.Testing DDR Read/Write: Memory map.
Testing DDR Read/Write: Data lines.
Testing DDR Read/Write: Address lines.
Testing DDR Read/Write: Own-address algorithm.
Testing DDR Read/Write: Walking-ones algorithm.
Testing DDR Deep Power Down.
Testing DDR Deep Power Down: Entering deep power down.
Testing DDR Deep Power Down: In deep power down.
Testing DDR Deep Power Down: Exiting deep power down.
Testing DDR Deep Power Down: Read/write pass.
Testing DDR Self Refresh.
.Testing DDR Self Refresh: Write pass.
Testing DDR Self Refresh: Read pass.
Testing DDR Self Refresh: Entering self refresh.
Testing DDR Self Refresh: In self refresh.
Testing DDR Self Refresh: Exiting self refresh.
.boot_flash_dev_sdcc.c
.boot_flash_dev_sdcc.c
.boot_flash_dev_sdcc.c
.boot_flash_dev_sdcc.c
.boot_flash_dev_sdcc.c
[email protected]
.CDT
.Error: Platform ID EEPROM is not programmed
boot_config_data.c
.boot_sdcc_hotplug.c
[email protected]
EFI PART
%sp%lu
%sh%d
%s%c%lu
[email protected]
.boot_sdcc_hotplug.c
.boot_sdcc_hotplug.c
[email protected]
[email protected]
[email protected]
[email protected]
[email protected]
[email protected]
[email protected]
.|@-
.boot_sdcc_hotplug.c
%sp%lu
[email protected]
[email protected]
[email protected]
0!0
[email protected]
RPM loading is successful.
cancel RPM loading!
SBL2, End
SBL2, Delta
.sbl2_hw.c
sbl2_hw_init, Start
sbl2_hw_init, Delta
sbl2_hw_init_secondary, Start
h/w version : %d
sbl2_hw_init_secondary, Delta
.SBL2, Start
scatterload_region & ram_init, Start
.scatterload_region & ram_init, Delta
.sbl2_mc.c
sbl2_retrieve_shared_info_from_sbl1, Start
.sbl2_retrieve_shared_info_from_sbl1, Delta
.sbl2_mc.c
[email protected]
.sbl2_config.c
[email protected]
.boot_hash.c
[email protected]
[email protected]
[email protected]
[email protected]
.SHA256
[email protected]
LOGM
.{%u}
Tz Execution, Start
Tz Execution, Delta
pG B
0pGO
!pGO
sbl2_ddr_init
DalEnv
TargetCfg
SHA1
DEBUG
SW_ID
HW_ID
OEM_ID
SHA256
n;^
Qkkbal
i]Wb
9a&g
MGiI
wn>Jj
#.zf
+o*7
DEV_SDC1
DEV_SDC2
DEV_SDC3
DEV_SDC4
CHAN_SDC1
CHAN_SDC2
CHAN_SDC3
CHAN_SDC4
[email protected]
[email protected]
SBL3 Image Loaded, Delta
RPM Image Loaded, Delta
TZ Image Loaded, Delta
boot_auth
boot_hash
SBL1
DSP1
RAMFS1
SBL2
DSP2
RAMFS2
SBL3
ADSP_Q5
NONE
NANDPRG
NORPRG
HASH
QCSBL
FSBL
OSBL
APPSBL
OEM_SBL
EHOSTDL
APPS_KERNEL
BACKUP_RAMFS
APPS
AMSS
SSD_KEYS
fs_hotplug_api.c
Assertion phy_hdev != NULL failed
boot_flash_trans_sdcc
boot_flash_trans_sdcc_factory
boot_flash_dev_sdcc
fs_hotplug_iter.c
Assertion 0 failed
fs_hotplug_legacy_hdev.c
Assertion phy_hdev->legacy_hdev != NULL failed
fs_hotplug_partition.c
Assertion parti->is_locked == 0 failed
Assertion parti->is_formatting == 0 failed
Assertion parti->is_locked == 1 failed
Assertion parti->is_formatting == 1 failed
Assertion parti->ref_cnt >= 1 failed
Assertion hdev_name != NULL failed
Assertion parti != NULL failed
fs_hotplug_dev_state.c
Assertion phy_hdev->dev_state == HPDEV_UNDISCOVERED failed
Assertion phy_hdev->dev_state == HPDEV_DISCOVERED failed
Assertion phy_hdev->dev_state == HPDEV_UNMOUNTED failed
Assertion phy_hdev->dev_state == HPDEV_UNINITIALIZED || phy_hdev->dev_state == HPDEV_LOCKED || phy_hdev->dev_state == HPDEV_FORMATTING || phy_hdev->dev_state == HPDEV_UNMOUNTED failed
Assertion phy_hdev->dev_state == HPDEV_MOUNTED failed
Assertion phy_hdev->dev_state == HPDEV_UNINITIALIZED failed
fs_hotplug_poll.c
Assertion phy_hdev->bdev_handle == NULL failed
Assertion phy_hdev->parti_list == NULL failed
Assertion phy_hdev->hdev_list == NULL failed
fs_blockdev_devnull_driver.c
Assertion devnull_ops != NULL failed
/hdev/dev.null
BDEV_DEVNULL_DRIVER
BDEV_SD_DRIVER
/hdev/sdc1
/hdev/sdc2
/hdev/sdc3
/hdev/sdc4
fs_blockdev_sd_driver.c
Assertion sdcc_ops != NULL failed
fs_hotplug_parser.c
Assertion blk_cnt != 0 failed
fs_blockdev_sd.c
Assertion sd_data != NULL failed
Assertion handle != NULL failed
Assertion sdcc_handle != NULL failed
Assertion bytes_per_block != NULL failed
Assertion blocks != NULL failed
Assertion bdev != NULL failed
Assertion dev->driveno < max_sd_slots failed
@@@@@@@@@[email protected]@@@@@@@@@@@@@@@@@
Format: Log Type - Time(microsec) - Message
Log type: B - since boot(excluding boot rom). D - delta
OVERFLOW
AT24C128BN
:Hg~
D{L0
*gRn
0D,l}
b=Fe-+
gW6y
South Korea1
Suwon City1
Samsung Corporation1
DMC1#0!
Samsung AttestationCA cert1%0#
[email protected]
120614224636Z
320609224636Z0
KR1!0
Samsung Attestation CERT1
Suwon City1
Samsung Corporation1
South Korea1
04 0000 OEM_ID1%0#
[email protected]
05 0001E0C8 SW_SIZE1
06 0000 MODEL_ID1
07 0001 SHA2561"0
01 0000000000000005 SW_ID1"0
02 006B10E100000000 HW_ID1"0
03 0000000000000000 DEBUG0
y$_$
[OLW'}
Q^<T
&#xk#
z0x0:
3010/
)http://crl.qdst.com/crls/qctdevattest.crl0
6p5o
%e>I`
<dQ=#
South Korea1
Suwon City1
Samsung Corporation1
DMC1
Samsung Root CA cert1%0#
[email protected]
120412114438Z
320407114438Z0
South Korea1
Suwon City1
Samsung Corporation1
DMC1#0!
Samsung AttestationCA cert1%0#
[email protected]
&bMb
%pWj\
`0^0
#7ie
?f{M
South Korea1
Suwon City1
Samsung Corporation1
DMC1
Samsung Root CA cert1%0#
[email protected]
120412114438Z
320407114438Z0
South Korea1
Suwon City1
Samsung Corporation1
DMC1
Samsung Root CA cert1%0#
[email protected]
U)_|e}f
^AZp
<0:0
v)BT
zd0u
=j[P
As for SBL2, it looks like it starts up, performs security checks, then it can jump to the "RPM" partition ("RPM loading is successful.", "cancel RPM loading!", ".BRPM", "Signal SBL1 to Jump to RPM FW"). This may be Odin, or some other undiscovered mode; I'm not sure yet, and it looks like "ABOOT" is actually Odin's partition... What is RPM?
It then executes "TZ" or "TrustZone", which I need to do some reading on...
More to come later. It's late and I need to get some rest.
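The certificate text at the end of the SBL2 dump (Samsung Root CA, Samsung Attestation CERT, the OU entries "01 ... SW_ID" through "07 ... SHA256", and the CRL URL) is the X.509 chain that signs the image under Qualcomm-style secure boot: in that scheme HW_ID binds the signature to the chip and OEM identity, SW_ID names the image type and DEBUG is the debug-enable field. The following is an added example, not code from this thread or from Samsung/Qualcomm: it carves DER certificates out of a raw bootloader image by their SEQUENCE { SEQUENCE ... } framing with the standard library only, collects the printable strings, and decodes OU strings written in the "<index> <hex> <NAME>" convention seen in the dump. The function names are mine, and the sample image is a constructed stand-in built in the block (not a genuine certificate) so it runs offline.

```python
import re

# DER tags (X.690): constructed types have bit 0x20 set
TAG_SEQUENCE, TAG_SET = 0x30, 0x31
STRING_TAGS = {0x0C, 0x13, 0x16}            # UTF8String, PrintableString, IA5String
OID_OU = bytes([0x55, 0x04, 0x0B])          # 2.5.4.11 organizationalUnitName
# OU naming seen in the dump: "<2-digit index> <hex value> <FIELD_NAME>"
QC_OU_RE = re.compile(r"^(0[1-9]) ([0-9A-Fa-f]+) ([A-Z0-9_]+)$")


def der_read_tlv(buf, off):
    """Decode one DER tag/length at buf[off]; return (tag, value_off, value_len, next_off) or None."""
    if off + 2 > len(buf) or (buf[off] & 0x1F) == 0x1F:   # multi-byte tags do not occur in X.509
        return None
    tag, first, hdr = buf[off], buf[off + 1], 2
    if first < 0x80:
        length = first
    else:
        nbytes = first & 0x7F
        if not 1 <= nbytes <= 4 or off + 2 + nbytes > len(buf):
            return None
        length = int.from_bytes(buf[off + 2:off + 2 + nbytes], "big")
        hdr += nbytes
    start = off + hdr
    return (tag, start, length, start + length) if start + length <= len(buf) else None


def der_strings(buf, off, end, out):
    """Walk constructed nodes recursively and collect every string-typed primitive."""
    while off < end:
        tlv = der_read_tlv(buf, off)
        if tlv is None:
            return
        tag, start, length, off = tlv
        if tag & 0x20:
            der_strings(buf, start, start + length, out)
        elif tag in STRING_TAGS:
            out.append(buf[start:start + length].decode("ascii", "replace"))


def carve_certificates(image):
    """Return [(offset, der_bytes)] for X.509-shaped blobs: Certificate ::= SEQUENCE { tbsCertificate
    SEQUENCE ... }, i.e. a long-form SEQUENCE whose first child is another long-form SEQUENCE."""
    found, pos = [], 0
    while True:
        pos = image.find(b"\x30\x82", pos)
        if pos < 0:
            return found
        outer = der_read_tlv(image, pos)
        if outer and outer[2] >= 256:
            _, start, _, end = outer
            inner = der_read_tlv(image, start)
            if inner and inner[0] == TAG_SEQUENCE and image[start + 1] == 0x82 and inner[3] <= end:
                found.append((pos, image[pos:end]))
                pos = end
                continue
        pos += 1


def qc_attestation_fields(strings):
    """Map FIELD_NAME -> hex value for OU strings in the secure-boot convention (e.g. HW_ID)."""
    fields = {}
    for s in strings:
        m = QC_OU_RE.match(s.strip())
        if m:
            fields[m.group(3)] = m.group(2)
    return fields


def analyze_image(image):
    """Per carved certificate: offset, size, its strings and the decoded attestation fields."""
    report = []
    for off, der in carve_certificates(image):
        strings = []
        _, start, length, _ = der_read_tlv(der, 0)
        der_strings(der, start, start + length, strings)
        report.append({"offset": off, "size": len(der), "strings": strings,
                       "qc_fields": qc_attestation_fields(strings)})
    return report


# ---- constructed test input (NOT a genuine Samsung/Qualcomm certificate) ----
def der_tlv(tag, payload):
    n = len(payload)
    if n < 0x80:
        return bytes([tag, n]) + payload
    lb = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(lb)]) + lb + payload


def build_fake_cert(ou_strings):
    """SEQUENCE{SEQUENCE{Name, padding}, BIT STRING}: enough framing for the carver, padded past
    256 bytes so it uses the same long-form lengths as a real certificate."""
    rdns = b"".join(der_tlv(TAG_SET, der_tlv(TAG_SEQUENCE, der_tlv(0x06, OID_OU) + der_tlv(0x13, s.encode())))
                    for s in ou_strings)
    tbs = der_tlv(TAG_SEQUENCE, der_tlv(TAG_SEQUENCE, rdns) + der_tlv(0x04, b"\x00" * 300))
    return der_tlv(TAG_SEQUENCE, tbs + der_tlv(0x03, b"\x00" * 64))


SAMPLE_OU = ["04 0000 OEM_ID", "05 0001E0C8 SW_SIZE", "06 0000 MODEL_ID", "07 0001 SHA256",
             "01 0000000000000005 SW_ID", "02 006B10E100000000 HW_ID", "03 0000000000000000 DEBUG"]
SAMPLE_PREFIX = b"\xff" * 64 + b"SBL2 Image Loaded, Delta\x00"    # filler standing in for code/strings
SAMPLE_IMAGE = SAMPLE_PREFIX + build_fake_cert(SAMPLE_OU) + b"\x00" * 32

if __name__ == "__main__":
    for cert in analyze_image(SAMPLE_IMAGE):
        print(f"cert at 0x{cert['offset']:x} ({cert['size']} bytes): {cert['qc_fields']}")
```

Run it against the real `sbl2` dump by replacing `SAMPLE_IMAGE` with `open("0p3", "rb").read()`; each carved blob can then be written out and inspected with `openssl x509 -inform DER -text`. Comparing HW_ID and DEBUG across the SBL1/SBL2/SBL3/TZ images tells you which chip identity the signatures are bound to and whether any image in the chain was signed with debug enabled.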
PARAMS
AdamOutler said:
possible exploitations
Possible entry point PARAMS - Samsung stores their boot parameters in PARAMS partition. It may be possible to modify PARAMS for insecure boot
The PARAMS partition (from an adb dump) contains almost all 0's. Here are the first 32 bytes
(laid out at hex offsets 0x00000000 and 0x00000010):
Code:
00000000 01 00 00 00 00 00 00 00 00 00 00 00 01 00 00 00
00000010 01 00 00 00 01 00 00 00 00 00 00 00 00 00 00 00
From what I understand, each occurrence of 01 indicates a boot_mode variable that the SBL reads*. The rest of the file, about 10,485,739 bytes of data, can contain information for other variables such as debug_level and switch_sel and maybe more, but I have to look more into disassembling the SBL partition image (sbl2.img) to see what other variables there are. I'll report back as soon as I have any more info on that.
*See this link for more info on the param.blk:
http://epiccm.blogspot.com/p/stock-firmware.html
I think it's interesting that from an adb dump, BOOT, EFS, FOTA and PARAMS are all the same size. Only BOOT and PARAMS contain any data though. EFS and FOTA must be loaded from the BOOT partition depending on the boot variables loaded in the PARAMS partition, but I may be wrong on that.
As for booting from SDcard here's a link on how it was done with the Epic 4G:
http://epiccm.blogspot.com/2012/01/multiboot-android-for-debuggingtesting.html
The instructions seem like they should work, especially since they had to use kexec to load from the SDcard and the SGS3 will have to do the same for now. I haven't built this yet, but I will give it a go as soon as I have a spare moment.
EDIT: this might be what you're looking for as far as booting from SD --> http://forum.xda-developers.com/showthread.php?t=1774795 END EDIT
I am currently manually going through each hex offset in IDA and searching for commands to disassemble aboot.img; I haven't gotten very far as this is extremely time intensive.
I can post any disasm DBs that anyone wants. They can get rather large though.
On a side note, I'm using IDA Pro 6.1 for disassembly of the adb-dumped partitions. If you have any pointers on using IDA for debugging/disassembling Android partitions, that would be fantastic. I have an ARM toolchain, but beyond that and IDA I've only had experience poking at Window$ crap.
Ta,
ALQI
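The reading of PARAMS above (each 01 word a boot_mode-style flag) is a hypothesis; the quickest way to confirm it without disassembling the SBL is differential: dump the partition, change one boot state (normal boot, recovery, download mode), dump again and see which words moved. The following is an added example, not code from this thread: it parses hexdump text in the layout of the post back into bytes, lists the nonzero 32-bit little-endian words (the 32-bit little-endian assumption is mine; the post does not establish the word size) and diffs two dumps. The first dump is the one from the post; the second is constructed to show the diff and is not a real capture.

```python
import re
import struct

HEXDUMP_LINE = re.compile(r"^\s*([0-9A-Fa-f]{8})\s+((?:[0-9A-Fa-f]{2}\s*)+)$")
WORD_FMT = {1: "B", 2: "H", 4: "I", 8: "Q"}


def parse_hexdump(text):
    """Rebuild bytes from '<offset> <xx xx ...>' lines; bytes land at their stated offset,
    so gaps between lines (e.g. only the first and last rows pasted) stay zero-filled."""
    out = bytearray()
    for line in text.splitlines():
        m = HEXDUMP_LINE.match(line.rstrip())
        if not m:
            continue
        off = int(m.group(1), 16)
        data = bytes.fromhex(m.group(2).replace(" ", ""))
        if len(out) < off + len(data):
            out.extend(b"\0" * (off + len(data) - len(out)))
        out[off:off + len(data)] = data
    return bytes(out)


def words(blob, width=4):
    """View the blob as little-endian unsigned words (assumption: the SBL reads 32-bit values)."""
    n = len(blob) // width
    return struct.unpack("<%d%s" % (n, WORD_FMT[width]), blob[:n * width])


def nonzero_words(blob, width=4):
    """(byte offset, value) for every word that is set: the candidate variables."""
    return [(i * width, v) for i, v in enumerate(words(blob, width)) if v]


def diff_dumps(before, after, width=4):
    """Words that differ between two dumps of the same partition taken in two boot states.
    Words that changed are the ones worth naming; set words that never change are static config."""
    a, b = words(before, width), words(after, width)
    if len(a) != len(b):
        raise ValueError("dumps differ in length; compare dumps of the same partition")
    return [(i * width, x, y) for i, (x, y) in enumerate(zip(a, b)) if x != y]


# First 32 bytes of PARAMS as pasted in the post
PARAMS_FROM_POST = """
00000000 01 00 00 00 00 00 00 00 00 00 00 00 01 00 00 00
00000010 01 00 00 00 01 00 00 00 00 00 00 00 00 00 00 00
"""
# Constructed second state (NOT a real capture): one flag cleared, one new value set
PARAMS_OTHER_STATE = """
00000000 01 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
00000010 01 00 00 00 01 00 00 00 02 00 00 00 00 00 00 00
"""

if __name__ == "__main__":
    base = parse_hexdump(PARAMS_FROM_POST)
    for off, v in nonzero_words(base):
        print(f"set word at 0x{off:04x}: {v}")
    for off, x, y in diff_dumps(base, parse_hexdump(PARAMS_OTHER_STATE)):
        print(f"changed at 0x{off:04x}: {x} -> {y}")
```

For real work, feed `diff_dumps` the raw bytes of two `dd` images of the partition rather than pasted hexdumps, and try `width=1` as well, since a layout of packed byte flags and a layout of 32-bit words give different candidate lists.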
recovery kernel log
The recovery kernel log is in this path:
/data/log/recovery_kernel_log.txt
I'd post it in a code section here but it's just too long.
There's a few other interesting logs in that path as well.
As I understand it, this seems to be the log from the kernel loaded during the bootloader/Odin mode boot. It could reveal some of the variables set in the PARAMS partition. Plus it has juicy hex offsets for all kinds of things.
It's quite verbose.
K sleepy time now.
Ta,
ALQI
I need an app like Framaroot to root my Zenfone C. I tried all versions of Framaroot in this section but none is working.
Root Zenfone C ZC451CG
Can someone help me root the new Zenfone C? Thanks in advance.
khairul_azzeli said:
I need an app like Framaroot to root my Zenfone C. I tried all versions of Framaroot in this section but none is working.
As of now, there is no way to root Zenfone C.
Root Asus Zenfone C (Z007) help me!
Root Asus Zenfone C....help?
I don't know whether it will work or not...
But why don't you try IRoot ?
http://www.mgyun.com/en/getvroot
See HERE
Already tried
1. Framaroot
2. Kingo Root
3. One Click Root
4. Root Master
5. Vroot/iRoot
6. SRSRoot
without any success
abhis3k said:
See HERE
Already tried
1. Framaroot
2. Kingo Root
3. One Click Root
4. Root Master
5. Vroot/iRoot
6. SRSRoot
without any success
Try this, then after reboot install SuperSU from the market and select normal.
This is towelroot version 1 and it roots the PadFone S, X & mini.
tjsooley said:
Try this, then after reboot install SuperSU from the market and select normal.
This is towelroot version 1 and it roots the PadFone S, X & mini.
It gets stuck on "make it rain" for a while and then reboots. I installed SuperSU. SuperSU says no "su" binary is installed.
I guess they patched the vulnerability in the kernel. Hence no root for us.
abhis3k said:
It gets stuck on "make it rain" for a while and then reboots. I installed SuperSU. SuperSU says no "su" binary is installed.
I guess they patched the vulnerability in the kernel. Hence no root for us.
Guys, I have collected some info about the Zenfone C. I was also able to extract build.prop and /proc/partitions but was unable to make a system dump of the partitions. If someone can assist me with this we might be able to compile a CWM/TWRP for us, and that will be the best way to root and do development, as fastboot flashing is readily available.
I have attached the files to this post. I will try to extract more. Please help me so we can do this together.
Code:
[email protected]_Z007:/ $ cat /proc/partitions
cat /proc/partitions
major minor #blocks name
179 0 7626752 mmcblk0
179 1 131072 mmcblk0p1
179 2 8192 mmcblk0p2
179 3 32768 mmcblk0p3
179 4 8192 mmcblk0p4
179 5 32768 mmcblk0p5
179 6 716800 mmcblk0p6
179 7 196608 mmcblk0p7
179 8 32768 mmcblk0p8
179 9 2097152 mmcblk0p9
259 0 4362220 mmcblk0p10
179 40 4096 mmcblk0rpmb
179 30 8192 mmcblk0gp0
179 20 4096 mmcblk0boot1
179 10 4096 mmcblk0boot0
179 50 7761920 mmcblk1
179 51 7757824 mmcblk1p1
Code:
[email protected]_Z007:/ $ cat /proc/mounts
cat /proc/mounts
rootfs / rootfs ro,relatime 0 0
tmpfs /dev tmpfs rw,seclabel,nosuid,relatime,mode=755 0 0
devpts /dev/pts devpts rw,seclabel,relatime,mode=600 0 0
proc /proc proc rw,relatime 0 0
sysfs /sys sysfs rw,seclabel,relatime 0 0
selinuxfs /sys/fs/selinux selinuxfs rw,relatime 0 0
none /acct cgroup rw,relatime,cpuacct 0 0
none /sys/fs/cgroup tmpfs rw,seclabel,relatime,mode=750,gid=1000 0 0
tmpfs /mnt/media_rw tmpfs rw,seclabel,relatime,mode=755,gid=1000 0 0
tmpfs /mnt/secure tmpfs rw,seclabel,relatime,mode=700 0 0
tmpfs /mnt/asec tmpfs rw,seclabel,relatime,mode=755,gid=1000 0 0
tmpfs /mnt/obb tmpfs rw,seclabel,relatime,mode=755,gid=1000 0 0
none /dev/cpuctl cgroup rw,relatime,cpu 0 0
/dev/block/platform/intel/by-label/factory /factory ext4 rw,seclabel,nosuid,nodev,noatime,data=ordered 0 0
/dev/block/platform/intel/by-label/system /system ext4 ro,seclabel,noatime,data=ordered 0 0
/dev/block/platform/intel/by-label/cache /cache ext4 rw,seclabel,nosuid,nodev,noatime,journal_checksum,journal_async_commit,data=ordered 0 0
/dev/block/platform/intel/by-label/config /config ext4 rw,seclabel,nosuid,nodev,noatime,data=ordered 0 0
/dev/block/platform/intel/by-label/data /data ext4 rw,seclabel,nosuid,nodev,noatime,discard,journal_checksum,journal_async_commit,noauto_da_alloc,data=ordered 0 0
/dev/block/platform/intel/by-label/ADF /ADF ext4 rw,seclabel,nosuid,nodev,noatime,data=ordered 0 0
adb /dev/usb-ffs/adb functionfs rw,relatime 0 0
none /sys/kernel/debug debugfs rw,relatime,mode=755 0 0
none /proc/sys/fs/binfmt_misc binfmt_misc rw,relatime 0 0
/dev/block/mmcblk0p7 /APD ext4 rw,seclabel,noatime,data=ordered 0 0
/dev/fuse /mnt/shell/emulated fuse rw,nosuid,nodev,relatime,user_id=1023,group_id=1023,default_permissions,allow_other 0 0
/dev/block/vold/179:51 /mnt/media_rw/MicroSD vfat rw,dirsync,nosuid,nodev,noexec,relatime,uid=1023,gid=1023,fmask=0007,dmask=0007,allow_utime=0020,codepage=437,iocharset=iso8859-1,shortname=mixed,utf8,errors=remount-ro 0 0
/dev/block/vold/179:51 /mnt/secure/asec vfat rw,dirsync,nosuid,nodev,noexec,relatime,uid=1023,gid=1023,fmask=0007,dmask=0007,allow_utime=0020,codepage=437,iocharset=iso8859-1,shortname=mixed,utf8,errors=remount-ro 0 0
/dev/fuse /storage/MicroSD fuse rw,nosuid,nodev,relatime,user_id=1023,group_id=1023,default_permissions,allow_other 0 0
[email protected]_Z007:/ $
Root Zenfone C for anyone:
download file https://app.box.com/s/qtgr8masflf589d6kw472nzelr4mns27
or https://www.dropbox.com/s/tfs0q9hcpy3umm3/AsusIntelRootKit.rar?dl=0
install the full drivers for the device
extract the downloaded file
(you can check the driver by running checkbeforeaction.bat)
run root.bat
enjoy!!!!
Need help unbricking soft-bricked Asus Zenfone C!
My Zenfone C is stuck in a bootloop [Asus logo].
Could you please provide me with a backup of the stock ROM from your Zenfone C?
I can't find a stock ROM/firmware/flash file for the Zenfone C.
Please, guys.
In return I'd help you with anything.
Please.
Thanks a ton. Regards.
Waiting for your response.
superuser.pm said:
Root Zenfone C for anyone:
download file https://app.box.com/s/qtgr8masflf589d6kw472nzelr4mns27
install the full drivers for the device
extract the downloaded file
(you can check the driver by running checkbeforeaction.bat)
run root.bat
enjoy!!!!
Can you please tell me the source and how you obtained the recovery.img?
superuser.pm said:
Root Zenfone C for anyone:
download file https://app.box.com/s/qtgr8masflf589d6kw472nzelr4mns27
install the full drivers for the device
extract the downloaded file
(you can check the driver by running checkbeforeaction.bat)
run root.bat
enjoy!!!!
I can now confirm the method perfectly works!!
Code:
D:\>cd D:\Backup\Asus Zenfone\AsusIntelRootKit\files
D:\Backup\Asus Zenfone\AsusIntelRootKit\files>dir
Volume in drive D is DATA
Volume Serial Number is C2AF-5C92
Directory of D:\Backup\Asus Zenfone\AsusIntelRootKit\files
21-12-2014 09:35 AM <DIR> .
21-12-2014 09:35 AM <DIR> ..
21-12-2014 09:30 AM 819,200 adb.exe
21-12-2014 09:30 AM 1,354,900 adb.mac
21-12-2014 09:30 AM 96,256 AdbWinApi.dll
21-12-2014 09:30 AM 60,928 AdbWinUsbApi.dll
01-12-2014 09:11 PM 1,419,448 busybox
21-12-2014 09:30 AM 538,123 fastboot.exe
21-12-2014 09:30 AM 13,603,840 fastboot.img
21-12-2014 09:30 AM 213,220 fastboot.mac
21-12-2014 09:27 AM 4,511 installer
01-12-2014 09:11 PM 6,296 magic
21-12-2014 09:30 AM 41,984 sleep.exe
01-12-2014 09:11 PM 1,173,158 supersu.tgz
21-12-2014 09:29 AM 3,082 uninstaller
13 File(s) 19,334,946 bytes
2 Dir(s) 13,680,824,320 bytes free
D:\Backup\Asus Zenfone\AsusIntelRootKit\files>fastboot devices
F1AZB700X034 fastboot
D:\Backup\Asus Zenfone\AsusIntelRootKit\files>fastboot flash /system/bin/resize2fs magic
target reported max download size of 611439957 bytes
sending '/system/bin/resize2fs' (6 KB)...
OKAY [ 0.344s]
writing '/system/bin/resize2fs'...
OKAY [ 0.453s]
finished. total time: 0.797s
D:\Backup\Asus Zenfone\AsusIntelRootKit\files>fastboot flash /system/bin/tune2fs busybox
target reported max download size of 611439957 bytes
sending '/system/bin/tune2fs' (1386 KB)...
OKAY [ 0.485s]
writing '/system/bin/tune2fs'...
OKAY [ 0.470s]
finished. total time: 0.955s
D:\Backup\Asus Zenfone\AsusIntelRootKit\files>fastboot flash /system/bin/partlink supersu.tgz
target reported max download size of 611439957 bytes
sending '/system/bin/partlink' (1145 KB)...
OKAY [ 0.453s]
writing '/system/bin/partlink'...
OKAY [ 0.472s]
finished. total time: 0.925s
D:\Backup\Asus Zenfone\AsusIntelRootKit\files>fastboot flash /system/bin/cp installer
target reported max download size of 611439957 bytes
sending '/system/bin/cp' (4 KB)...
OKAY [ 0.335s]
writing '/system/bin/cp'...
OKAY [ 0.469s]
finished. total time: 0.804s
D:\Backup\Asus Zenfone\AsusIntelRootKit\files>fastboot oem backup_factory
...
OKAY [ 1.552s]
finished. total time: 1.552s
D:\Backup\Asus Zenfone\AsusIntelRootKit\files>fastboot reboot
rebooting...
finished. total time: 0.224s
D:\Backup\Asus Zenfone\AsusIntelRootKit\files>
I have manually tried the method using the fastboot commands provided in the root.bat file and it works.
Zenfone C finally rooted and can also be unrooted easily in the same way.
Thanks a Lot!! You made my day!!
abhis3k said:
I can now confirm the method perfectly works!!
I have manually tried the method using the fastboot commands provided in the root.bat file and it works.
Zenfone C finally rooted and can also be unrooted easily in the same way.
Thanks a Lot!! You made my day!!
Unfortunately I had to unroot the device, as while updating SuperSU from the Play Store the device became unresponsive and rebooted randomly. I will check it later. For now, this method of rooting is unusable.
Zenfone C bricked
Guys, my new Zenfone bricked because of a stupid reason. If anyone can please post the Data.img or help me sideload the firmware.zip through ADB, it would be most welcome. Many thanks.
dj4v1n45h said:
My Zenfone C is stuck in a bootloop [Asus logo].
Could you please provide me with a backup of the stock ROM from your Zenfone C?
I can't find a stock ROM/firmware/flash file for the Zenfone C.
Please, guys.
In return I'd help you with anything.
Please.
Thanks a ton. Regards.
Waiting for your response.
Can anyone please give me the link to any custom recovery for the Asus Zenfone C? I badly need it, please help me. Thanks in advance. Please give it to me and tell me how to flash it.
Want recovery
If you guys want a custom recovery for this model, all you have to do is provide me the default/original "recovery.img".
I can make a TWRP or CWM recovery, whatever you want, or both.
BUT BE AWARE THAT FLASHING/REPLACING A RECOVERY WITHOUT UNLOCKING THE BOOTLOADER CAN EVEN HARD-BRICK YOUR PHONE.
IF YOU ARE ABLE TO UNLOCK THE BOOTLOADER USING UNLOCKPHONE, DO INFORM ME THROUGH PM OR BY QUOTING.
How to install CWM on Zenfone C
I apologize in advance for my bad English.
I want to ask how to install CWM on the Asus Zenfone C Z007 without using a PC.
Preshak said:
If you guys want a custom recovery for this model, all you have to do is provide me the default/original "recovery.img".
I can make a TWRP or CWM recovery, whatever you want, or both.
BUT BE AWARE THAT FLASHING/REPLACING A RECOVERY WITHOUT UNLOCKING THE BOOTLOADER CAN EVEN HARD-BRICK YOUR PHONE.
IF YOU ARE ABLE TO UNLOCK THE BOOTLOADER USING UNLOCKPHONE, DO INFORM ME THROUGH PM OR BY QUOTING.
Wow, cool. Where can I use your CWM? So if anything happens you will guide us, am I right?
superuser.pm said:
Root Zenfone C for anyone:
download file https://app.box.com/s/qtgr8masflf589d6kw472nzelr4mns27
or https://www.dropbox.com/s/tfs0q9hcpy3umm3/AsusIntelRootKit.rar?dl=0
install the full drivers for the device
extract the downloaded file
(you can check the driver by running checkbeforeaction.bat)
run root.bat
enjoy!!!!
I used your method, but there is a "su binary needs to update" issue. I tried flashing the newest su from P.S but it fails, since I don't have CWM yet. I tried KingUser; it updated su, but not the binary. What a shame. Now I'm stuck on the binaries issue. Can you help me?
fierdhauz said:
Wow, cool. Where can I use your CWM? So if anything happens you will guide us, am I right?
I used your method, but there is a "su binary needs to update" issue. I tried flashing the newest su from P.S but it fails, since I don't have CWM yet. I tried KingUser; it updated su, but not the binary. What a shame. Now I'm stuck on the binaries issue. Can you help me?
Yes, you are right. Just provide me your "recovery.img". Will work with you after Sunday.
WhatsApp me +917503703203.
Hello,
I'm trying to flash zImage, but get some errors:
$ fastboot flash zimage zImage
target didn't report max-download-size
sending 'zimage' (4370 KB)...
OKAY [ 0.427s]
writing 'zimage'...
FAILED (remote: partition table doesn't exist)
finished. total time: 0.482s
How to solve it?
Tks,
Demiank
demiank said:
Hello,
I'm trying to flash zImage, but get some errors:
$ fastboot flash zimage zImage
target didn't report max-download-size
sending 'zimage' (4370 KB)...
OKAY [ 0.427s]
writing 'zimage'...
FAILED (remote: partition table doesn't exist)
finished. total time: 0.482s
How to solve it?
Tks,
Demiank
Which device is this? Also some theories:
- zimage isn't the name of the actual partition; cd to /dev/block/platform/xxxxx/by-name/ to see your list of partitions
- the image you're flashing doesn't have the correct syntax. To flash via fastboot, the syntax is fastboot flash (partition) (image). So an example would be fastboot flash recovery twrp.img. You need to remember the file extension such as .img or whatever it is for your image. Also make sure you specify the directory, such as fastboot flash recovery C:\Users\xxx\Downloads\twrp.img, if you aren't in the current directory.
demiank said:
Hello,
I'm trying to flash zImage, but get some errors:
$ fastboot flash zimage zImage
target didn't report max-download-size
sending 'zimage' (4370 KB)...
OKAY [ 0.427s]
writing 'zimage'...
FAILED (remote: partition table doesn't exist)
finished. total time: 0.482s
How to solve it?
Tks,
Demiank
zImage is a kernel file and it is in the boot.img. You have to unpack your boot.img, replace the existing zImage with the new one and repack boot.img again.
Then flash it through fastboot mode with "fastboot flash boot boot.img".
So you want to flash it to the boot partition.
The device is an LG E615 (2012/2013 device). It doesn't have a boot partition. I just found a boot.img in a CWM backup. The command "fastboot boot zImage" generates a boot.img file.
demiank said:
The device is an LG E615 (2012/2013 device). It doesn't have a boot partition. I just found a boot.img in a CWM backup. The command "fastboot boot zImage" generates a boot.img file.
$ fastboot boot zImage
creating boot image...
creating boot image - 4478976 bytes
Downloading 'boot.img' OKAY [ 0.416s]
booting OKAY [ 0.159s]
Finished. Total time: 0.650s
The device doesn't boot and the fastboot connection is lost;
[email protected]:/ $ cat /proc/partitions
major minor #blocks name
179 0 3817472 mmcblk0
179 1 20 mmcblk0p1
179 2 1003 mmcblk0p2
179 3 1024 mmcblk0p3
179 4 1 mmcblk0p4
179 5 4096 mmcblk0p5
179 6 4096 mmcblk0p6
179 7 4096 mmcblk0p7
179 8 24576 mmcblk0p8
179 9 8192 mmcblk0p9
179 10 4096 mmcblk0p10
179 11 4096 mmcblk0p11
179 12 28672 mmcblk0p12
179 13 28672 mmcblk0p13
179 14 624640 mmcblk0p14
179 15 8192 mmcblk0p15
179 16 102400 mmcblk0p16
179 17 8192 mmcblk0p17
179 18 8192 mmcblk0p18
179 19 12288 mmcblk0p19
179 20 2823168 mmcblk0p20
179 21 4096 mmcblk0p21
179 22 1024 mmcblk0p22
179 23 16384 mmcblk0p23
179 32 7761920 mmcblk1
179 33 7760896 mmcblk1p1
[email protected]:/ $ ls /
acct
cache
config
d
data
default.prop
dev
etc
fstab.m4ds
init
init.goldfish.rc
init.lge.early.rc
init.lge.rc
init.lge.usb.sh
init.m4ds.rc
init.m4ds.usb.rc
init.qcom.class_core.sh
init.qcom.class_main.sh
init.qcom.rc
init.qcom.ril.path.sh
init.qcom.sh
init.qcom.usb.rc
init.qcom.usb.sh
init.rc
init.target.rc
lgdms.fota.rc
lgdms.fota_update.rc
mnt
mpt
persist
persist-lg
proc
res
root
sbin
sdcard
storage
sys
system
ueventd.goldfish.rc
ueventd.m4ds.rc
ueventd.qcom.rc
ueventd.rc
vendor
[email protected]:/ # cat fstab.m4ds
# Android fstab file.
# The filesystem that contains the filesystem checker binary (typically /system) cannot
# specify MF_CHECK, and must come before any filesystems that do specify MF_CHECK
#TODO: Add 'check' as fs_mgr_flags with data partition.
# Currently we dont have e2fsck compiled. So fs check would failed.
#<src> <mnt_point> <type> <mnt_flags and options> <fs_mgr_flags>
#LGE chage partition
#/dev/block/platform/msm_sdcc.3/by-num/p12 /system ext4 ro,barrier=1 wait
#/dev/block/platform/msm_sdcc.3/by-num/p13 /data ext4 nosuid,nodev,barrier=1,noauto_da_alloc wait
#LGE_CHANGE_S [[email protected]] 20120926:Adding /data partition
/dev/block/platform/msm_sdcc.3/by-num/p14 /system ext4 ro,barrier=1,noatime wait
/dev/block/platform/msm_sdcc.3/by-num/p20 /data ext4 nosuid,nodev,noatime,barrier=1,noauto_da_alloc,errors=continue check
Where is my stock zImage or boot.img? How do I flash this zImage after compiling it following the LG readme.txt:
"2. Kernel Build
- Untar opensource packages of kernel.tar.gz using following command at the android folder
a)$tar xvzf kernel.tar.gz
- When you compile the kernel source code, you have to add google original prebuilt source(toolchain)
into the android folder.
- cd kernel
- export ARCH=arm
- export CROSS_COMPILE=../prebuilt/linux-x86/toolchain/arm-eabi-4.4.3/bin/arm-eabi-
- make m4-rev11_defconfig
- make zImage
3. After Build, You Can find the build image at arch/arm/boot"
Thanks for all the replies, but I don't understand how to flash the new kernel I compiled.
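The replies above say to unpack boot.img, swap in the newly built zImage and repack, then flash the result with fastboot. The following is an added example, not code from this thread or from LG's kernel release notes: it parses the classic v0 Android boot image header (the mkbootimg layout: "ANDROID!" magic, then page-aligned kernel, ramdisk and optional second stage), splits an image into its parts, rebuilds it around a replacement kernel while keeping the original load addresses, cmdline and page size, and scans a raw partition dump for the magic so you can tell which dumped mmcblk0pN actually holds a boot or recovery image. The sample image and its kernel/ramdisk bytes are constructed stand-ins built in the block, not a real LG E615 image; which partition holds the boot image on that phone is not established in this thread, so the block takes the dump as input rather than naming one.

```python
import struct

BOOT_MAGIC = b"ANDROID!"
# boot_img_hdr v0 (AOSP mkbootimg): magic, 8 little-endian u32 fields, then header_version/os_version
# (unused on old devices), name[16], cmdline[512], id[32], extra_cmdline[1024] = 1632 bytes
HDR_FMT = "<8s8I2I16s512s32s1024s"
HDR_SIZE = struct.calcsize(HDR_FMT)
PAGE_SIZES = (2048, 4096, 8192, 16384, 32768, 65536, 131072)


def _pages(n, page_size):
    return (n + page_size - 1) // page_size


def find_boot_header(blob):
    """Offset of an Android boot image inside a raw dump, or -1. A boot/recovery partition
    starts with the magic at offset 0; scanning copes with dumps that carry leading padding."""
    return blob.find(BOOT_MAGIC)


def unpack_bootimg(blob):
    """Split an image into its header fields and page-aligned kernel/ramdisk/second payloads."""
    off = find_boot_header(blob)
    if off < 0:
        raise ValueError("no ANDROID! magic: this dump is not a boot/recovery image")
    if len(blob) < off + HDR_SIZE:
        raise ValueError("image truncated inside the header")
    (_, kernel_size, kernel_addr, ramdisk_size, ramdisk_addr, second_size, second_addr,
     tags_addr, page_size, header_version, os_version, name, cmdline, _id, _extra) = \
        struct.unpack_from(HDR_FMT, blob, off)
    if page_size not in PAGE_SIZES:
        raise ValueError(f"implausible page_size {page_size}: corrupt header or newer format")
    k_off = off + page_size                                   # header occupies exactly one page
    r_off = k_off + _pages(kernel_size, page_size) * page_size
    s_off = r_off + _pages(ramdisk_size, page_size) * page_size
    end = s_off + _pages(second_size, page_size) * page_size
    if end > len(blob):
        raise ValueError("sizes in header run past the end of the image (truncated dump?)")
    return {
        "offset": off, "page_size": page_size, "header_version": header_version, "os_version": os_version,
        "kernel_addr": kernel_addr, "ramdisk_addr": ramdisk_addr, "second_addr": second_addr, "tags_addr": tags_addr,
        "kernel": blob[k_off:k_off + kernel_size],            # zImage (Image.gz on some devices)
        "ramdisk": blob[r_off:r_off + ramdisk_size],          # usually a gzip-compressed cpio archive
        "second": blob[s_off:s_off + second_size],
        "name": name.rstrip(b"\0").decode("ascii", "replace"),
        "cmdline": cmdline.rstrip(b"\0").decode("ascii", "replace"),
    }


def pack_bootimg(kernel, ramdisk, page_size=2048, kernel_addr=0x10008000, ramdisk_addr=0x11000000,
                 second_addr=0x10f00000, tags_addr=0x10000100, name=b"", cmdline=b"", second=b""):
    """Inverse of unpack_bootimg: every component is padded to a whole number of pages.
    The address defaults are the mkbootimg defaults, not values read from any real device."""
    def pad(b):
        return b + b"\0" * (_pages(len(b), page_size) * page_size - len(b))
    hdr = struct.pack(HDR_FMT, BOOT_MAGIC, len(kernel), kernel_addr, len(ramdisk), ramdisk_addr,
                      len(second), second_addr, tags_addr, page_size, 0, 0,
                      name[:16], cmdline[:512], b"\0" * 32, b"\0" * 1024)
    return pad(hdr) + pad(kernel) + pad(ramdisk) + (pad(second) if second else b"")


def replace_kernel(blob, new_kernel):
    """Repack around a freshly built zImage, keeping the load addresses, ramdisk, cmdline and
    page size of the original so the bootloader sees the layout it expects."""
    p = unpack_bootimg(blob)
    return pack_bootimg(new_kernel, p["ramdisk"], p["page_size"], p["kernel_addr"], p["ramdisk_addr"],
                        p["second_addr"], p["tags_addr"], p["name"].encode(), p["cmdline"].encode(), p["second"])


# ---- constructed sample (stand-in bytes, not a real kernel or ramdisk) ----
SAMPLE_KERNEL = b"\x00\x00\xa0\xe1" * 64 + b"constructed zImage stand-in"
SAMPLE_RAMDISK = b"\x1f\x8b\x08\x00" + b"constructed gzip/cpio stand-in"
SAMPLE_BOOTIMG = pack_bootimg(SAMPLE_KERNEL, SAMPLE_RAMDISK,
                              cmdline=b"console=ttyHSL0,115200,n8 androidboot.hardware=m4ds")

if __name__ == "__main__":
    info = unpack_bootimg(SAMPLE_BOOTIMG)
    print(f"page_size={info['page_size']} kernel={len(info['kernel'])}B @0x{info['kernel_addr']:08x} "
          f"ramdisk={len(info['ramdisk'])}B cmdline={info['cmdline']!r}")
```

Typical use: dump each small mmcblk0pN with dd, run `find_boot_header` over the dumps to locate the one(s) that start with the magic (boot and recovery both do), `replace_kernel` that image with the freshly built arch/arm/boot/zImage, and flash the result to that partition. The "partition table doesn't exist" error in the post came from flashing a bare zImage to a name the bootloader does not know; a repacked image flashed to the partition that held the original is what the bootloader expects. Do a `fastboot boot` test of the repacked image before writing it, and keep the original dump to restore.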
Magisk is no more...
I present a new foolproof method of flashing su to Android 10 (Q) and above!!
I ranted and ranted about variant=user/userdebug/eng builds and got nowhere... people thinking I am dissing John Wu; nah, I respect what I've learnt from his app forcing me to connect online. I want su without connecting, in order to secure my own phone.
Introducing proof!!
Simple. Instead of flashing boot.img,
flash boot-debug.img from stock.
This addresses the lack of adb root.
Logs:
D:\0\AdbStation>fastboot --disable-verity --disable-verification flash vbmeta vblankmeta.img
Rewriting vbmeta struct at offset: 0
Sending 'vbmeta' (4 KB) OKAY [ 0.000s]
Writing 'vbmeta' OKAY [ 0.000s]
Finished. Total time: 0.016s
D:\0\AdbStation>fastboot --disable-verity --disable-verification flash boot boot-debug.img
Sending 'boot' (32768 KB) OKAY [ 0.764s]
Writing 'boot' OKAY [ 0.515s]
Finished. Total time: 1.404s
D:\0\AdbStation>fastboot --disable-verity --disable-verification flash recovery MyTwrp.img
Sending 'recovery' (26086 KB) OKAY [ 0.718s]
Writing 'recovery' OKAY [ 0.406s]
Finished. Total time: 1.139s
D:\0\AdbStation>fastboot reboot-recovery
Rebooting into recovery OKAY [ 0.000s]
Finished. Total time: 0.000s
D:\0\AdbStation>adb root
adbd is already running as root
D:\0\AdbStation>adb root
restarting adbd as root
D:\0\AdbStation>adb shell
Armor_X5_Q:/ # mount -o remount,rw /system_root
mount: '/system_root' not in /proc/mounts
1|Armor_X5_Q:/ # mount -o remount,rw /system
mount: '/system' not in /proc/mounts
1|Armor_X5_Q:/ # mount -o remount,rw /
'/dev/block/dm-1' is read-only
Armor_X5_Q:/ # su
/system/bin/sh: su: inaccessible or not found
127|Armor_X5_Q:/ # ls
acct d init.environ.rc metadata sbin
apex data init.rc mnt sdcard
bin debug_ramdisk init.usb.configfs.rc odm storage
bugreports default.prop init.usb.rc oem sys
cache dev init.zygote32.rc proc system
charger etc init.zygote64_32.rc product ueventd.rc
config init lost+found product_services vendor
Armor_X5_Q:/ # cd apex
Armor_X5_Q:/apex # ls
com.android.apex.cts.shim [email protected]
[email protected] com.android.resolv
com.android.conscrypt [email protected]
[email protected] com.android.runtime
com.android.media [email protected]
com.android.media.swcodec com.android.tzdata
[email protected] [email protected]
Armor_X5_Q:/apex # exit
D:\0\AdbStation>adb reboot bootloader
D:\0\AdbStation>fastboot --disable-verity --disable-verification flash recovery recovery.img
Sending 'recovery' (20646 KB) OKAY [ 0.577s]
Writing 'recovery' OKAY [ 0.312s]
Finished. Total time: 0.889s
D:\0\AdbStation>fastboot reboot
Rebooting OKAY [ 0.000s]
Finished. Total time: 0.000s
D:\0\AdbStation>adb root
restarting adbd as root
D:\0\AdbStation>adb shell
Armor_X5_Q:/ # exit
------------------------
Pay attention: in the first part above, I flashed a TWRP...
Below, I flash stock images... without closing the adb window.
--------------------------------------------------------------
D:\0\AdbStation>adb reboot bootloader
D:\0\AdbStation>fastboot --disable-verity --disable-verification flash boot boot-debug.img
Sending 'boot' (32768 KB) OKAY [ 0.764s]
Writing 'boot' OKAY [ 0.499s]
Finished. Total time: 1.373s
D:\0\AdbStation>fastboot --disable-verity --disable-verification flash recovery recovery.img
Sending 'recovery' (20646 KB) OKAY [ 0.484s]
Writing 'recovery' OKAY [ 0.328s]
Finished. Total time: 0.811s
D:\0\AdbStation>fastboot reboot
Rebooting OKAY [ 0.000s]
Finished. Total time: 0.000s
D:\0\AdbStation>adb root
restarting adbd as root
D:\0\AdbStation>adb shell
Armor_X5_Q:/ # su
/system/bin/sh: su: inaccessible or not found
127|Armor_X5_Q:/ # exit
D:\0\AdbStation>adb shell
Armor_X5_Q:/ # cd /system
Armor_X5_Q:/system # cd bin
Armor_X5_Q:/system/bin # ls
Edit'd not relevant.. too long the things we can do list pissed one off...
Armor_X5_Q:/system/bin #
No MORE MAGISK!!!
It's a feature of Android 10 and over lol... says so in the android docs....
who needs su when you have root?
SYSTEM_AS_ROOT
Voila...
it's in the understanding.
YouRoot
1) what is this
2) you could've pastebin'd the log files bruh
{Mod edited language - Regards Oswald Boelcke}
I don't use pastebin. I wanted to post my proof here. My call. Thanks for the suggestion though, I mean, why send a good hack to another site when I would not have found it if it were not for coming here?
Surely xda deserves some credit, which I give by posting my flashing log here...
I know all will find what I posted will work to write a ro system.
Su and Magisk ARE dead, john wu says so...
I say this is why.
Flashing boot-debug.img instead of boot.img gives
adb root
adb shell
# <- the point of root!!!
Ps, I may be a bro to my 3 sisters, but I ain't no bro... :O
I find what they can't see, because they gave away the sight to see; what I see, they no longer can
Until I light the way....
1. ROOT su binary is already included in GSI builds (original author is phhusson and not topjohnwu) since the beginning of the project. It's not a new thing. Here Magisk came to hide this feature!
2. Magisk doesn't give only ROOT ... but the "systemless option" for the dynamic modules that is half of the whole package!
3. Have you tested SafetyNet???
4. TWRP is already a root method since you can access the /data partition and other partitions too!
5. Oh yeah, it looks like you have an old device without dynamic partitions (aka SUPER)...
Cheers
I'm not using GSI, I'm using stock, ma man, stock!
It's actually genuine root with stock!
Albeit different from what we used to call root, it is ultimately a rooted boot-debug, as in:
#
Oh, for the record everyone, I'm on an A-only arm64-v8a Armor X5, the mt6762 which also claims to be mt6765, running the latest updated Android 10_Q, no, NOT PIE. System-as-Root
and I would not be writing in the system_1.32 thread if I did not have a super.img partition...
which I am currently flashing using nothing more than replacing my stock boot.img with the stock boot-debug.img, though I had to unlock the bootloader to do this...
couldn't chmod the system_1.32 if the # did not show, true or false?
No Magisk... No su... the secret is in adb root not being available in user OR production builds, so use boot-debug.img to be able to type adb root, then adb shell, to get #
No twrp. Stock recovery is not available using boot-debug.img, so I flash twrp anyway.
Beat that!!!
You CAN'T, 'cause it's true... following magisk makes you think you need root when you were already given it in the stock rom (only viable if you see boot-debug.img beside your boot.img in the stock folder), now if this is true, and obviously it is, then why did john wu not notice?
too busy waiting on me...
Time for a BIG update from magisk then? Not. (needed, pmsl)
Selfie Clappin Syndrome has left the building...
Ps, attempting magisk on boot-debug.img kills all adb and root access gained by not doing so.
I can and do flash my twrp, and have done so now, from lopstom into recovery, since normal stock recovery does NOT show when using boot-debug.img, and system_1.32 has just given me rw access in twrp, so systemrw actually works with no su or magisk installed.
On with testing...
And for the record, this is where I found out what you now know:
VTS testing with debug ramdisk | Android Open Source Project (source.android.com)
works on Android 10_q stock, NOTE THIS IS FOR GSI ON ANDROID 11
I'm on stock. nuff said.
Oh, look... debug vendor... debug... yum yum
Oh, and SafetyNet passes, because the debug is legit (stock boot-debug.img) lol, oh look, no magisk...
The downside is... I'm sitting with a completely rooted fone... with no root apps.
busybox is replaced with, yup, you guessed it, toybox! not by me, but it comes as stock...
last I heard before discovering this was that toybox IS the new busybox...
It's actually like linux without the 'custom' - in adb shell lol...
And it is indeed the desktop launcher kicking us out of writing to system in the first place, when rooting, since the desktop launcher cannot run root commands, as it has no root rights. Forcing PIE and earlier roots simply won't cut it...
I have to say it folks... upgrade...
And write some updated apps that don't hold us back!!
Oh, and I'd forget a ro system, 'cause even with systemrw, it's only in twrp it's of use to me, but can't save anything TO it, so kinda pointless to me for now... then I remind myself this is written for pie lol...
Edit, and I'll add this:
With only one phone to work on, so no experience in a/b partitioning, I'll assume (being the mother of all f'up's lol) that the reason a/b partitions exist is because a pie bootloader is 2 bootloaders, split into 2 when remixed into android 10, separating the pie users' access to variant=eng being available, to having to flash boot-debug.img since windows 10.
Here's the kicker... I have yet to flash any custom rom.
From stock I flash boot-debug.img, and twrp recovery, followed by the backup super_fixed.bin created by system_1.32, reboot into twrp and can instantly mount system/vendor as is expected of system_1.32, the script is only required once, if you make a backup that is...
Yet I cannot load any custom rom the usual way... twrp may show mounting system, but even when fastbooting TO system, in adb or twrp, I have to reflash a super, so forget writing overlay file systems pandering to big companies, write a writable system knowing it's all contained in a SUPER image using boot-debug as root source.
I can however flash a super and load an entirely different OS, rw across the board... if I flash a super.img
The kicker is having a completely new root that comes with the fone and how it works...
su is pointless, as is magisk, you are already root.
Get it?
magisk takes this away.
so if you're on android 10 and over... forget magisk, load your boot-debug, and take control of your new root tool.
magisk can't see the countless other mount points made for each file for each app for each gif for each bit of binary, each has its own mount point lol...
it's gettin that way
Final point. Open a folder, go INTO it, and run any exe. While the exe is running, attempt to delete the folder the exe is contained in. Now you know why you can't write a ro system. Close the exe, and voila!!
You can't mount a folder you already occupy in the gui of the fone. Ahem.. remount /system.
It's like typing su to get #
forget su
#
The greatest trick is convincing people of security when there is in fact none when it comes to software.
Their greatest security is their idiocy.
The PARTITIONS of history have taught us not to doubt insanity and its virtues...
And for problems mounting systemrw, no problem, no root!!
Android OverlayFS Integration with adb Remount
Thank you for your efforts in a root solution.
Using the above convoluted method, I can indeed rw the ro system.
I deleted the childspace apk as a test. It worked.
Using only this order:
Place stock boot.img, recovery.img and boot-debug.img in the adb folder.
Also place your 'here's one I made earlier' magisk_patched_bootloader.img here.
Now the nippage:
1: Unlock stock bootloader. Reboot into bootloader, after granting adb keys.
2: Flash boot-debug - NOTHING ELSE.
3: Reboot into fone gui.
4: adb root
adb disable-verity
adb reboot - (boot into bootloader)
5: Flash magisk'd boot.img
6 (optional, I did this): Flash backed up Super_fixed.bin (had to rename to img)
7: flash twrp...
Now you can do what you want.
After this I removed the magisk'd bin, returned to my debug, and the childspace app I removed stayed removed from a ro system.
So yeah, there's your door; blank vbmetas prevent rw access using this method. Use your real vbmeta when flashing boot-debug; boot-debug will NOT work with magisk installed, I tried every utha way... all we really need is a nu su app that works using this method instead of symlinking the heck out of ...
Now how to do this without the magisk step, and keep it..?
user-debug (are not user or debug imgs, but the third lol)
Now they ARE hard to find, need to make one, not my cup of tea...
something to add..
Busybox 1.31 Install error on Android 9 -- SOLVED · Issue #93 · meefik/busybox (github.com)
Hi Pachacouti. Thanks for your interest in my SystemRW project. I hope it was helpful to you.
Pachacouti said:
Oh, and safety net pass's, because the debug is legit (stock boot-debug.img) lol, oh look, no magisk...
Where can I find this stock boot-debug.img file that you're talking about? I can't find it inside my stock Xiaomi firmware (MIUI).
Pachacouti said:
system_1.32 has just given me rw access in twrp, so systemrw actually works with no su or magisk installed.
Yes, that's true, my SystemRW script should work regardless of whether Magisk is installed yet or not. All you need for it to work is a root shell in recovery.
Have fun!
To answer your first question, take the boot-debug.img from here, the first you see, and try it. If it is the same size, it will most likely work.
Be aware that this is a 32 MB bootloader; others are 64 MB, and they obviously won't work.
This is not to say a 64 MB boot-debug.img will NOT work, it simply won't FIT.
Then be aware of a/b or a-only.
If you check the first post, from where I flashed all stock, I flashed the boot-debug.img to boot, NOT recovery. I am attempting to create a working twrp'd version for my fone, but I'm too slow for the instant gratificationist in me lol... using stock vbmeta... in other words, it would work, 'cause it's all legit, and how android 10, 11, and 12 actually work.
I find your script is a perfect find to see if we can indeed write to anything, now how to move what access you have in twrp to include mounting these 3 partitions dm-1, 2, 3, while in the actual gui...
Again, if you can't get into recovery, flash twrp to recovery after flashing boot-debug.img. It does work, but I think settings in recovery are not needed when booted to boot-debug, so the recovery is actually not necessary, but we're used to it, so NEED...
Edit, here's my boot-debug, thought I was in another thread lol..
And FFS, DON'T try magisk with this, root is destroyed when doing so, this is not me dissing john wu, it's google fighting back... respect da john wu saaaa
Ps, enjoy this misunderstanding:
I flashed and ran systemrw_1.32 with NO root, no twrp, no recovery, I did it all in adb using nothing but boot-debug.img flashed to boot, with legit vbmeta.
In user builds, flashing blank vbmetas is what actually causes the inability to manipulate the ro system.
At least since PIE. Android 10_q and over... different ball game.
Pachacouti said:
And for problems mounting systemrw, no problem, no root!!
Android OverlayFS Integration with adb Remount
forreal
Did you know....
A few years back, when Alcohol 120% came out, I downloaded a dvd that turned out to be corrupt. The image supplied by Alcohol 120% always came with an mdf file, and the disk image itself. Mdf is actually the md5 hash of the dvd.
When attempting to burn the disk, I accidentally chose the mdf (md5 hash) instead of the actual disk image, and it turned out that the mdf hash reproduced the disk image byte for byte.
In other words, the 4.7gig dvd image was never necessary. That's 4.7gig reproducible from an md5 hash of say 100kb in size.
Now imagine this in fones. Don't store the file, store its hash.
The CIA hate me now...
Anyway, here is the process so far:
Grab the boot-debug.img below, if it works for you good.
From stock, unlocked bootloader, set adb keys:
fastboot flash boot boot-debug.img
fastboot reboot <- just to see what we got
adb root
adb disable-verity <- the proper way to disable verity. No blank vbmetas required.
adb reboot
adb wait-for-device
adb root
adb remount <- won't work, because boot-debug.img is not a user-debug version of boot-debug.img, so I need to use a magisk'd boot to gain 'other' access.. later...
Note: adb shell avbctl disable-verification is only available in user-debug builds, so instead of boot-debug.img, it would prob look like user-debug.img. Notice how I disable it below.
fastboot --disable-verity --disable-verification flash vbmeta vbmeta.img 2>nul >nul <- Notice how I flash the genuine vbmeta, including the end part '2>nul >nul', to flash twrp to recovery. This clears the way to flash super without flashing blank vbmetas... this will reset when flashing stock boot, so no problem to a dev...
fastboot flash recovery MyTwrp.img (rebooted after just to make sure the recovery stayed after typing '2>nul >nul' after the vbmeta) - it stayed.
fastboot flash super super_fixed.img <- Same test as above, now reboot into twrp to test rw capabilities. Mine all working.
fastboot reboot-recovery <- Go immediately to mount, tick system and vendor, if the tick stays, voila, mine stays ticked...
Do the twrp test using adb:
adb shell
# mount -o rw,remount rootfs /
Find a way to install su lol, this is where I'm at now.
Don't say install the killer of su...
I then do:
Armor_X5_Q:/ # ls -l `which su`
total 1608
dr-xr-xr-x 4 root root 0 2021-09-27 13:00 acct
drwxr-xr-x 2 root root 40 2021-09-27 13:00 apex
lrwxrwxrwx 1 root root 11 2021-09-10 01:30 bin -> /system/bin
lrwxrwxrwx 1 root root 50 2021-09-10 01:30 bugreports -> /data/user_de/0/com.android.shell/files/bugreports
drwxrwx--- 6 system cache 4096 2010-01-01 00:03 cache
lrwxrwxrwx 1 root root 19 2021-09-10 01:30 charger -> /system/bin/charger
drwxr-xr-x 4 root root 0 1970-01-01 00:00 config
lrwxrwxrwx 1 root root 17 2021-09-10 01:30 d -> /sys/kernel/debug
drwxrwx--x 55 system system 4096 2021-09-27 12:25 data
drwxr-xr-x 2 root root 0 2021-09-10 01:30 debug_ramdisk
lrwxrwxrwx 1 root root 12 2021-09-10 01:30 default.prop -> prop.default
drwxr-xr-x 19 root root 3540 2021-09-27 13:00 dev
lrwxrwxrwx 1 root root 11 2021-09-10 01:30 etc -> /system/etc
drwxrwxrwx 13 root root 32768 1970-01-01 00:00 external_sd
-rw-r--r-- 1 root root 46380 2021-09-10 01:34 file_contexts
-rw-r--r-- 1 root root 865607 2021-09-10 01:30 file_contexts.bin
lrwxrwxrwx 1 root root 16 2021-09-10 01:30 init -> /system/bin/init
-rwxr-x--- 1 root root 7073 2021-09-10 01:30 init.rc
-rwxr-x--- 1 root root 103 2021-09-10 01:30 init.recovery.hlthchrg.rc
-rwxr-x--- 1 root root 58 2021-09-10 01:30 init.recovery.ldconfig.rc
-rwxr-x--- 1 root root 312 2021-09-10 01:30 init.recovery.logd.rc
-rwxr-x--- 1 root root 8824 2021-09-10 02:14 init.recovery.microtrust.rc
-rwxr-x--- 1 root root 3686 2021-09-10 02:00 init.recovery.mt6762.rc
-rwxrwx--- 1 root root 854 2021-08-28 14:20 init.recovery.prepdecrypt.rc
-rwxr-x--- 1 root root 213 2021-09-10 01:30 init.recovery.service.rc
-rwxr-x--- 1 root root 7862 2021-09-10 01:30 init.recovery.usb.rc
drwxr-xr-x 3 root root 0 2021-09-10 01:30 license
drwxr-xr-x 5 root system 100 2021-09-27 13:00 mnt
drwxrwx--x 6 system system 4096 2021-01-01 09:33 nvcfg
drwxrwx--x 8 root system 4096 2021-01-01 08:06 nvdata
drwxr-xr-x 2 root root 0 2021-09-10 01:30 odm
-rw-r--r-- 1 root root 0 2021-09-10 01:30 odm_file_contexts
-rw-r--r-- 1 root root 0 2021-09-10 01:30 odm_property_contexts
drwxr-xr-x 2 root root 0 2021-09-10 01:30 oem
drwxrwx--x 5 system system 4096 2021-01-01 09:33 persist
-rw-r--r-- 1 root root 32079 2021-09-10 01:30 plat_file_contexts
-rw-r--r-- 1 root root 9476 2021-09-10 01:30 plat_property_contexts
dr-xr-xr-x 359 root root 0 1970-01-01 00:00 proc
drwxr-xr-x 12 root root 4096 2009-01-01 00:00 product
-rw-r--r-- 1 root root 0 2021-09-10 01:30 product_file_contexts
-rw-r--r-- 1 root root 0 2021-09-10 01:30 product_property_contexts
lrwxrwxrwx 1 root root 24 2021-09-10 01:30 product_services -> /system/product_services
-rw-r--r-- 1 root root 7414 2021-09-10 01:48 prop.default
drwxrwx--- 4 system system 4096 2010-01-01 00:10 protect_f
drwxrwx--- 4 system system 4096 2010-01-01 00:10 protect_s
-rw-r--r-- 1 root root 0 2021-09-10 01:30 relink_binaries-timestamp
-rw-r--r-- 1 root root 0 2021-09-10 01:30 relink_libraries-timestamp
drwxr-xr-x 3 root root 0 2021-09-10 01:30 res
drwx------ 2 root root 0 2020-06-05 06:41 root
drwxr-x--- 2 root root 0 2021-09-10 01:30 sbin
drwxrwx--- 13 media_rw media_rw 4096 2021-09-27 13:06 sdcard
-rw-r--r-- 1 root root 465178 2021-09-10 01:30 sepolicy
drwxr-xr-x 2 root root 0 2021-09-27 13:00 sideload
drwxr-x--x 2 root root 0 2021-09-10 01:30 storage
dr-xr-xr-x 14 root root 0 2021-09-27 13:00 sys
drwxr-xr-x 7 root root 0 2021-09-27 13:09 system
drwxr-xr-x 21 root root 4096 2009-01-01 00:00 system_root
drwxrwxr-x 2 root shell 120 2021-09-27 13:07 tmp
drwxr-xr-x 5 root root 0 2021-09-10 01:55 twres
-rw-r--r-- 1 root root 0 2021-09-10 01:30 twrp_ramdisk-timestamp
-rw-r--r-- 1 root root 5900 2021-09-10 02:03 ueventd.mt6762.rc
-rw-r--r-- 1 root root 2969 2021-09-10 02:02 ueventd.rc
drwxrwxrwx 2 root root 0 2021-09-27 13:01 usbotg
drwxr-xr-x 14 root shell 4096 2009-01-01 00:00 vendor
-rw-r--r-- 1 root root 7759 2021-09-10 01:30 vendor_file_contexts
-rw-r--r-- 1 root root 218 2021-09-10 01:30 vendor_property_contexts
-rw-r--r-- 1 root root 0 2021-09-10 01:30 vendor_service_contexts
Armor_X5_Q:/ #
Edit:
drwxrwx--- 4 system system 4096 2010-01-01 00:10 protect_f
drwxrwx--- 4 system system 4096 2010-01-01 00:10 protect_s
Why dm-1, 2, 3 can't be mounted even as root.
So, your bootloader is unlocked and your bootimage-debug gives root to you and the entire world. In other words, here is the key to my house, and by the way, there is no lock. And by another way, there will be nothing left in the house soon. Nice.
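The exposure optimumpro points at can be checked from a shell with nothing but `getprop` output. The script below is an added example, not code from any poster or project in this thread; the property names are real Android system properties, while the sample values are constructed to mirror the state described above (stock user build booted with boot-debug.img, bootloader unlocked, verity disabled) next to a locked stock device.

```shell
#!/bin/sh
# Added example, not code from any poster or project in this thread.
# audit_props reads `getprop` output ("[name]: [value]" lines) on stdin and reports
# the conditions under which `adb root` is available to anyone holding the USB cable:
# bootloader unlocked, verified boot not green, dm-verity not enforcing, and
# ro.debuggable=1 (set by a debug ramdisk such as boot-debug.img, or by a
# userdebug/eng build). Property names are real Android system properties;
# the sample values below are constructed. A missing property is treated as unsafe.
# Prints one finding per line; exits 1 if any HIGH finding exists, 0 otherwise.
audit_props() {
    awk '
    {
        # getprop prints "[ro.name]: [value]"; split on the "]: [" separator
        if (substr($0, 1, 1) == "[") {
            i = index($0, "]: [")
            if (i > 1) {
                name = substr($0, 2, i - 2)
                val = substr($0, i + 4)
                sub(/\]$/, "", val)
                p[name] = val
            }
        }
    }
    END {
        high = 0
        if (p["ro.boot.flash.locked"] != "1") {
            print "HIGH   bootloader not locked (ro.boot.flash.locked=" p["ro.boot.flash.locked"] ")"
            high = 1
        }
        if (p["ro.boot.verifiedbootstate"] != "green") {
            print "HIGH   verified boot state is \"" p["ro.boot.verifiedbootstate"] "\", not green"
            high = 1
        }
        if (p["ro.boot.veritymode"] != "enforcing") {
            print "HIGH   dm-verity not enforcing (ro.boot.veritymode=" p["ro.boot.veritymode"] ")"
            high = 1
        }
        if (p["ro.debuggable"] == "1") {
            print "HIGH   ro.debuggable=1: adbd restarts as root on request (debug ramdisk or userdebug/eng)"
            high = 1
        }
        if (p["ro.adb.secure"] != "1") {
            print "MEDIUM adb authentication off (ro.adb.secure=" p["ro.adb.secure"] ")"
        }
        if (p["ro.build.type"] != "user") {
            print "MEDIUM non-user build type: " p["ro.build.type"]
        }
        if (high == 0) print "OK     no high-risk boot/debug findings"
        exit high
    }'
}

# Constructed sample: a stock user build booted with boot-debug.img, bootloader
# unlocked and verity disabled with `adb disable-verity` (the state this thread describes).
SAMPLE_DEBUG='[ro.build.type]: [user]
[ro.debuggable]: [1]
[ro.adb.secure]: [1]
[ro.boot.flash.locked]: [0]
[ro.boot.verifiedbootstate]: [orange]
[ro.boot.veritymode]: [disabled]'

# Constructed sample: a locked stock device with verified boot intact.
SAMPLE_STOCK='[ro.build.type]: [user]
[ro.debuggable]: [0]
[ro.adb.secure]: [1]
[ro.boot.flash.locked]: [1]
[ro.boot.verifiedbootstate]: [green]
[ro.boot.veritymode]: [enforcing]'

# On a real device the input would be: adb shell getprop | audit_props
echo "== debug-ramdisk sample =="
printf '%s\n' "$SAMPLE_DEBUG" | audit_props || echo "result: device is exposed (exit $?)"
echo "== locked stock sample =="
printf '%s\n' "$SAMPLE_STOCK" | audit_props
```

Note that a user build with ro.debuggable=1 is exactly the combination the thread's log shows: the build type alone says nothing about whether the ramdisk is a debug one.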
Oi... EVERY rooted fone has an unlocked bootloader, your point being?
Oh... I'm taking away profit from some... never noticed until you came along.. {Mod edit}
And you trust magisk... {Mod edit}
That would not tell you of THIS exploit:
{Mod edit: Disrespectful behaviour removed - Regards Oswald Boelcke}
Edit:
(Do all this offline... )
Flash magisk'd boot, but in gui, don't update from the internet, in fact, don't run it.
Install busybox-1.31.1-46.apk (do all this offline) but you can't install it yet, because magisk has no internet, but busybox will give you an option to install to, or edit the install.sh to say install dir / instead of /system; it did install what it could to the required directory, and if magisk'd bootloader grants su to busybox...
(it did in mine...) Reboot back into bootloader
Then reflash boot-debug.img, flash stock recovery, and reboot again, wot no magisk?
Now see:
D:\0\AdbStation>adb root
restarting adbd as root
D:\0\AdbStation>adb remount
/system/bin/remount exited with status 2
remount failed
D:\0\AdbStation>adb shell
Armor_X5_Q:/ # su
Armor_X5_Q:/ #
D:\0\AdbStation>adb root
restarting adbd as root
D:\0\AdbStation>adb remount
/system/bin/remount exited with status 2
remount failed
D:\0\AdbStation>adb shell
Armor_X5_Q:/ # su
Armor_X5_Q:/ # ^C
130|Armor_X5_Q:/ #
130|Armor_X5_Q:/ #
Notice it said nothing of user build or production build, and oh, you need to Ctrl+C to exit this... then type exit... but notice who is logged in before :/
Su working in my fone, now to try with boot.img
Remember: All stock
As the thread starter states...
Android 10 'System-As-Root' was never supposed to be released. Google it.
It never was. Nothing wrong with my fone. boot-debug.img IS the system-as-root, it just isn't a root app.
User-debug will be tied to your account, so don't expect to see them ever again...
So many naysayers saying my fone company got it wrong, that my fone is fecked up...
Na.. System-As-Root = root, as good as it's ever gonna be in the open, provided by boot-debug.
You have root but can't flash a dynamic /system. Magisk KILLS Developer/Feature Flags. With stock boot, feature flags is seen, but shows 'experimental', nothing else. With boot-debug, all feature flags are shown. First thing you'll do is flash magisk. Why does magisk remove this access? In particular for YOU is 'settings-dynamic-system' (used to overlay your gsi - needed to flash gsi). Without these feature flags to set, how will your magisk'd fone boot gsi on system-as-root a-only? It can't. Uninstall magisk... but magisk leaves traces on the fone that prevent earlier versions of magisk being installed, so how can we test earlier versions? That we know worked before?
Magisk'd boot removes the feature flags section from the developer menu in Android 10_Q. Why?
This is needed to mount any gsi on an 'a-only' 'system-as-root', by mounting to the 'upper' partition, which wipes when re-flashing stock boot.img. Do the work in the upper (like we do in twrp); reflashing to the lower after 'sync' will retain your work before reflashing stock boot.img, so no root app needed, but we need one to cut down on how tedious it all is now.. at least they keep you at home... safe lol...
Magisk is only using overlay because it works in pie... in fact, all using magisk are using PIE exploits that don't work in android 10 system as root!! (just a noticed warning )
SystemRW works in PIE, even works in my system-as-root but is useless, 'cause the point, being able to write system while in the fone gui, is negated by the fact that system is ro, in about 20 different locations, in about a billion different mount points and well... right down to file sizes for each file in each partition contained within the super.img, but what I don't get is why it works in twrp, yet not in the gui.. (I'm in the directory so can't mount it when using the fone, duh...)
As for the other tool to create rw in the super partition, I'll say this:
Pie is dying. Re-write your apps to work with the android 10 super, which is NOT the same as the PIE super.img... (this is not a super.img ring any bells?)
Both rw tool authors stuck on them damn pies.. I'd swap parted to get the auto resize of space on the fly, I'd give my 10 cents worth, but you know better... if they kill all fones previous to android 10... google win.
They gave us root.
Overlay your own tools!
In a system-as-root booted fone. Feck safety net, I use my nokia 8310 to this day..
And for the naysayers...
D:\0\AdbStation>adb reboot download
D:\0\AdbStation>fastboot flashing unlock_critical
(bootloader) Start unlock flow
OKAY [ 4.196s]
Finished. Total time: 4.196s
D:\0\AdbStation>fastboot --disable-verity --disable-verification flash boot boot-debug.img
Sending 'boot' (32768 KB) OKAY [ 0.764s]
Writing 'boot' OKAY [ 0.515s]
Finished. Total time: 1.420s
D:\0\AdbStation>fastboot -w
Erasing 'userdata' OKAY [ 0.452s]
mke2fs 1.46.2 (28-Feb-2021)
Creating filesystem with 6311931 4k blocks and 1581056 inodes
Filesystem UUID: aa3b871c-2496-11ec-9dd6-d71d0c30be37
Superblock backups stored on blocks:
32768, 98304, 163840, 229376, 294912, 819200, 884736, 1605632, 2654208,
4096000
Allocating group tables: done
Writing inode tables: done
Creating journal (32768 blocks): done
Writing superblocks and filesystem accounting information: done
Sending 'userdata' (180 KB) OKAY [ 0.016s]
Writing 'userdata' OKAY [ 0.047s]
Erasing 'cache' OKAY [ 0.016s]
mke2fs 1.46.2 (28-Feb-2021)
Creating filesystem with 110592 4k blocks and 110592 inodes
Filesystem UUID: aa63fe86-2496-11ec-99f6-f719dec4c630
Superblock backups stored on blocks:
32768, 98304
Allocating group tables: done
Writing inode tables: done
Creating journal (4096 blocks): done
Writing superblocks and filesystem accounting information: done
Sending 'cache' (68 KB) OKAY [ 0.016s]
Writing 'cache' OKAY [ 0.031s]
Erasing 'metadata' OKAY [ 0.016s]
Erase successful, but not automatically formatting.
File system type raw data not supported.
Finished. Total time: 0.889s
D:\0\AdbStation>fastboot reboot
Rebooting OKAY [ 0.000s]
Finished. Total time: 0.000s
D:\0\AdbStation>adb disable-verity
Error getting verity state. Try adb root first?
D:\0\AdbStation>adb root
restarting adbd as root
D:\0\AdbStation>adb shell
Armor_X5_Q:/ # whoami
root
Armor_X5_Q:/ # mount -o rw,remount /
'/dev/block/dm-3' is read-only
Armor_X5_Q:/ # mount -o rw,remount /sys
Armor_X5_Q:/ # cd sys
Armor_X5_Q:/sys # ls
block bus dev firmware kernel mtk_rgu
bootinfo class devices fs module power
Armor_X5_Q:/sys # bootinfo
/system/bin/sh: bootinfo: inaccessible or not found
127|Armor_X5_Q:/sys # bootinfo --help
/system/bin/sh: bootinfo: inaccessible or not found
127|Armor_X5_Q:/sys # devices
/system/bin/sh: devices: inaccessible or not found
127|Armor_X5_Q:/sys # cd dev
Armor_X5_Q:/sys/dev # ls
block char
Armor_X5_Q:/sys/dev # cd /
Armor_X5_Q:/ # cd /
Armor_X5_Q:/ # ls
acct d init.environ.rc metadata sbin
apex data init.rc mnt sdcard
bin debug_ramdisk init.usb.configfs.rc odm storage
bugreports default.prop init.usb.rc oem sys
cache dev init.zygote32.rc proc system
charger etc init.zygote64_32.rc product ueventd.rc
config init lost+found product_services vendor
Armor_X5_Q:/ # cd system
Armor_X5_Q:/system # cd bin
Armor_X5_Q:/system/bin # ls
AudioSetParam hwclock printenv
abb hwservicemanager printf
acpi i2cdetect procrank
adbd i2cdump profman
aee i2cget ps
aee_aed i2cset pwd
aee_aed64 iconv racoon
aee_archive id readlink
aee_core_forwarder idmap realpath
aee_dumpstate idmap2 reboot
am idmap2d recovery-persist
apexd ifconfig renice
app_process ime requestsync
app_process32 incident resize.f2fs
app_process64 incident_helper resize2fs
applypatch incidentd restorecon
appops init rm
appwidget inotifyd rmdir
art_apex_boot_integrity input rmmod
ashmemd insmod rss_hwm_reset
atrace install rtt
audioserver install-recovery.sh run-as
auditctl installd runcon
awk ionice schedtest
badblocks iorapd screencap
base64 iorenice screenrecord
basename ip sdcard
batterywarning ip-wrapper-1.0 secdiscard
bc ip6tables secilc
bcc ip6tables-restore sed
blank_screen ip6tables-save sendevent
blkid ip6tables-wrapper-1.0 sensorservice
blockdev iptables seq
bmgr iptables-restore service
boot_logo_updater iptables-save servicemanager
bootstat iptables-wrapper-1.0 setenforce
bootstrap keystore setprop
bpfloader keystore_cli_v2 setsid
bu kill settings
bugreport killall sgdisk
bugreportz kpoc_charger sh
bunzip2 lbs_dbg sha1sum
bzcat lcdc_screen_cap sha224sum
bzip2 ld.mc sha256sum
cal librank sha384sum
cameraserver linker sha512sum
cat linker64 showmap
charger linker_asan simpleperf
chcon linker_asan64 simpleperf_app_runner
chgrp lmkd sleep
chmod ln sload_f2fs
chown load_policy sm
chroot locksettings sort
chrt log split
cksum logcat ss
clatd logd sspm_log_writer
clear loghidlsysservice st_factorytests
cmd logname start
cmp logwrapper stat
comm losetup statsd
connsyslogger lpdump stop
content lpdumpd storaged
cp ls strings
cpio lshal stty
crash_dump32 lsmod surfaceflinger
crash_dump64 lsof svc
cut lspci swapoff
dalvikvm lsusb swapon
dalvikvm32 make_f2fs sync
dalvikvm64 md5sum sysctl
date mdlogger tac
dd mdnsd tail
debuggerd media tar
defrag.f2fs mediadrmserver taskset
device_config mediaextractor tc
devmem mediametrics tc-wrapper-1.0
dex2oat mediaserver tcpdump
dexdiag met-cmd tee
dexdump met_log_d telecom
dexlist microcom terservice
dexoptanalyzer migrate_legacy_obb_data.sh thermald
df mini-keyctl time
diff mkdir timeout
dirname mke2fs tombstoned
dmctl mkfifo toolbox
dmesg mkfs.ext2 top
dnsmasq mkfs.ext3 touch
dos2unix mkfs.ext4 toybox
dpm mknod tr
drmserver mkswap traced
du mktemp traced_probes
dumpstate mobile_log_d trigger_perfetto
dumpsys modemdbfilter_client true
e2fsck modinfo truncate
e2fsdroid modprobe tty
echo monkey tune2fs
egrep more tzdatacheck
emdlogger1 mount ueventd
emdlogger2 mountpoint uiautomator
emdlogger3 move_widevine_data.sh ulimit
emdlogger5 mtkbootanimation umount
env mtpd uname
expand mv uncrypt
expr nc uniq
fallocate ndc unix2dos
false ndc-wrapper-1.0 unlink
fgrep netcat unshare
file netd unzip
find netdiag uptime
flags_health_check netstat usbd
flock netutils-wrapper-1.0 usleep
fmt newfs_msdos uudecode
free nfcstackp uuencode
fsck.f2fs nice uuidgen
fsck_msdos nl vdc
fsverity_init nohup viewcompiler
fsync notify_traceur.override.sh vintf
gatekeeperd notify_traceur.sh vmstat
getconf nproc vold
getenforce nsenter vold_prepare_subdirs
getevent oatdump vr
getprop od vtservice
gpuservice oem-iptables-init.sh wait_for_keymaster
grep paste watch
groups patch watchdogd
gsi_tool perfetto wc
gsid pgrep which
gunzip pidof whoami
gzip ping wificond
head ping6 wm
heapprofd pkill xargs
hid pm xxd
hostname pmap yes
hw pppd zcat
Armor_X5_Q:/system/bin # getenforce
Enforcing
Armor_X5_Q:/system/bin # setenforce 0
Armor_X5_Q:/system/bin # get enforce
/system/bin/sh: get: inaccessible or not found
127|Armor_X5_Q:/system/bin # getenforce
Permissive
Armor_X5_Q:/system/bin # root mofo's, System-As-Root! boot-debug rocks!
> ^C
130|Armor_X5_Q:/system/bin # Who needs su
/system/bin/sh: Who: inaccessible or not found
127|Armor_X5_Q:/system/bin # whoami
root
Armor_X5_Q:/system/bin #
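The session above shows the three things a defender would want to spot on a device like this: verity/verification switched off at flash time, SELinux dropped to permissive with `setenforce 0`, and the read-only `dm-*` mapping under `/` that a `mount -o rw,remount /` bounces off on a system-as-root layout (which is why overlay mounts over `/data` end up being used instead). The script below is an added example and not code from this thread or from any of the tools it names; it parses a constructed `mount` listing and constructed `getenforce`/`getprop` values (the `ro.boot.veritymode` and `ro.boot.verifiedbootstate` property names are real Android boot properties, the sample values are made up for the example) and reports the tamper indicators it finds.

```shell
#!/bin/sh
# Added example: audit a device's integrity posture from adb output.
# SAMPLE_MOUNT is a constructed `adb shell mount` listing for an Android 10
# system-as-root device with dynamic partitions; it is not the page's device.
SAMPLE_MOUNT='/dev/block/dm-3 on / type ext4 (ro,seclabel,relatime)
/dev/block/dm-4 on /vendor type ext4 (ro,seclabel,relatime)
/dev/block/dm-5 on /product type ext4 (ro,seclabel,relatime)
/dev/block/by-name/userdata on /data type ext4 (rw,seclabel,nosuid,nodev,noatime)
overlay on /system/xbin type overlay (rw,seclabel,relatime,lowerdir=/system/xbin,upperdir=/data/overlay/upper,workdir=/data/overlay/work)
tmpfs on /dev type tmpfs (rw,seclabel,nosuid,relatime)'

# Print "<device> <mountpoint>" for every device-mapper (verity/super-backed)
# mount that is read-only. These are the partitions a plain remount cannot
# make writable, exactly what the "'/dev/block/dm-3' is read-only" message
# in the session reflects.
ro_dm_mounts() {
    printf '%s\n' "$1" | awk '$1 ~ /^\/dev\/block\/dm-/ && $6 ~ /^\(ro[,)]/ { print $1, $3 }'
}

# Print the mountpoint of every overlay filesystem. An overlay sitting on top
# of a read-only system path is how root tools layer writable content over a
# system-as-root image, so each one is worth reviewing.
overlay_mounts() {
    printf '%s\n' "$1" | awk '$5 == "overlay" { print $3 }'
}

# Compare the live SELinux mode (getenforce), ro.boot.veritymode and
# ro.boot.verifiedbootstate against the expected locked-device values and
# print one "indicator:value" line per deviation. Prints nothing when clean.
integrity_findings() {
    enforce=$1
    veritymode=$2
    vbstate=$3
    [ "$enforce" = "Enforcing" ]   || echo "selinux:$enforce"
    [ "$veritymode" = "enforcing" ] || echo "verity:$veritymode"
    [ "$vbstate" = "green" ]        || echo "verifiedboot:$vbstate"
    return 0
}

# Stand-alone run over the constructed sample. On a real device the three
# values would come from `adb shell getenforce` and
# `adb shell getprop ro.boot.veritymode` / `ro.boot.verifiedbootstate`.
echo "read-only dm mounts:"
ro_dm_mounts "$SAMPLE_MOUNT"
echo "overlay mounts:"
overlay_mounts "$SAMPLE_MOUNT"
echo "findings (constructed values matching the session above):"
integrity_findings Permissive disabled orange
```

Run it once against the sample, then replace the sample text and the three constructed values with the real outputs pulled over adb; an empty findings list plus no overlay mounts over `/system` or `/vendor` is the posture a locked, verity-enforcing device should show.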