can downgrade Fire TV OS via hardware (eMMC)? - Android Software/Hacking General [Developers Only]

Hi every one!
I have idea downgrade Fire TV OS via hardware (eMMC)
{
"lightbox_close": "Close",
"lightbox_next": "Next",
"lightbox_previous": "Previous",
"lightbox_error": "The requested content cannot be loaded. Please try again later.",
"lightbox_start_slideshow": "Start slideshow",
"lightbox_stop_slideshow": "Stop slideshow",
"lightbox_full_screen": "Full screen",
"lightbox_thumbnails": "Thumbnails",
"lightbox_download": "Download",
"lightbox_share": "Share",
"lightbox_zoom": "Zoom",
"lightbox_new_window": "New window",
"lightbox_toggle_sidebar": "Toggle sidebar"
}
My Fire TV Gen 2 running on Fire TV OS version 5.2.6.1. it can't root. i desolder eMMC and connect to Linux PC use Transcend USB 3.0 with SD Card Adaptor
Now i can see all partition layout via command :
- to see partition :
Code:
[COLOR="red"] - need on first time and enter your password[/COLOR]
sudo su
fdisk /dev/sda
enter "x" then enter "p"
or open Gparted to see
- to export and backup partition layout:
Code:
fdisk /dev/sda
Enter "O"
Enter name
Enter "q" to quit
Now i can dump all partition use command :
Code:
dd if=/dev/sda1 of=/home/duong/Desktop/dump/1PRO_INFO.bin
dd if=/dev/sda2 of=/home/duong/Desktop/dump/2NVRAM.bin
dd if=/dev/sda3 of=/home/duong/Desktop/dump/3TEE1.bin
dd if=/dev/sda4 of=/home/duong/Desktop/dump/4TEE2.bin
dd if=/dev/sda5 of=/home/duong/Desktop/dump/5lk.bin
dd if=/dev/sda6 of=/home/duong/Desktop/dump/6boot.img
dd if=/dev/sda7 of=/home/duong/Desktop/dump/7recovery.img
dd if=/dev/sda8 of=/home/duong/Desktop/dump/8KB.bin
dd if=/dev/sda9 of=/home/duong/Desktop/dump/9DKB.bin
dd if=/dev/sda10 of=/home/duong/Desktop/dump/10MISC.bin
dd if=/dev/sda11 of=/home/duong/Desktop/dump/11LOGO.bin
dd if=/dev/sda12 of=/home/duong/Desktop/dump/12EXPDB.bin
dd if=/dev/sda13 of=/home/duong/Desktop/dump/13system.img status=progress
dd if=/dev/sda14 of=/home/duong/Desktop/dump/14cache.img status=progress
dd if=/dev/sda15 of=/home/duong/Desktop/dump/15userdata.img status=progress
I try mount system and edit them use comand :
Code:
[COLOR="red"]- make folder "system" to root path :[/COLOR]
cd /
mkdir system
[COLOR="red"]- mount system :[/COLOR]
mount -o loop /home/duong/Desktop/dump/13system.img /system
[COLOR="Red"]- mount system to rw for modify:[/COLOR]
mount -o remount,rw /system
[COLOR="Red"]- mount system to ro:[/COLOR]
mount -o remount,ro /system
i try modify something "put manual su, supolicy" to path /system/xbin symlink "daemonsu" to "su"
put "libsupol.so" to path "/system/lib64" and remount system ro, unmount system
I can write all partition to eMMC use command:
Code:
dd if=/home/duong/Desktop/dump/1PRO_INFO.bin of=/dev/sda1
dd if=/home/duong/Desktop/dump/2NVRAM.bin of=/dev/sda2
dd if=/home/duong/Desktop/dump/3TEE1.bin of=/dev/sda3
dd if=/home/duong/Desktop/dump/4TEE2.bin of=/dev/sda4
dd if=/home/duong/Desktop/dump/5lk.bin of=/dev/sda5
dd if=/home/duong/Desktop/dump/6boot.img of=/dev/sda6
dd if=/home/duong/Desktop/dump/7recovery.img of=/dev/sda7
dd if=/home/duong/Desktop/dump/8KB.bin of=/dev/sda8
dd if=/home/duong/Desktop/dump/9DKB.bin of=/dev/sda9
dd if=/home/duong/Desktop/dump/10MISC.bin of=/dev/sda10
dd if=/home/duong/Desktop/dump/11LOGO.bin of=/dev/sda11
dd if=/home/duong/Desktop/dump/12EXPDB.bin of=/dev/sda12
dd if=/home/duong/Desktop/dump/13system.img of=/dev/sda13 status=progress
dd if=/home/duong/Desktop/dump/14cache.img of=/dev/sda14 status=progress
dd if=/home/duong/Desktop/dump/15userdata.img of=/dev/sda15 status=progress
i solder eMMC to board but not root
I believe if your device has been root and your share all dump partition, i can downgrade Fire TV OS to old version and root it
What do you think about this?
Anyone can dump and share all file? (your device need root and running on old version OS)
I will try it. thank
Sorry my English

Resolve. I can downgrade my fire tv to OS version 5.2.1.0 and root it in here :
https://forum.xda-developers.com/fire-tv/development/share-hardware-downgrade-fire-tv-gen-2-t3817059

Related

Backup | Protect | Restore - root (su)

For experienced users only.
As the thread title suggests, this is a guide to backup, protect and restore root (su) as is sometimes needed after a system upgrade, broken Superuser update, etc...
Yes, there is an app for this, but if your like me, and enjoy full control over your system and don't mind working from the terminal, than this guide is for you.
What's involved:
We will be using two Linux commands orignially for the Linux second extended file system (ext2) but also works on ext3 and ext4.
- chattr (change file attributes)
- lsattr (list file attributes)
What's needed:
1. Terminal Emulator - there is an excellent one by Jack Palevich HERE
2. BusyBox compiled with the aforementioned utils/applets - an excellent pre-built binary by Linus Yang can be found HERE
-- I've also created a flashable zip for Linus Yang's BusyBox HERE
3. Extended file system as previously mentioned
A picture is worth a 1000 words:
Let's start with that and then review below
{
"lightbox_close": "Close",
"lightbox_next": "Next",
"lightbox_previous": "Previous",
"lightbox_error": "The requested content cannot be loaded. Please try again later.",
"lightbox_start_slideshow": "Start slideshow",
"lightbox_stop_slideshow": "Stop slideshow",
"lightbox_full_screen": "Full screen",
"lightbox_thumbnails": "Thumbnails",
"lightbox_download": "Download",
"lightbox_share": "Share",
"lightbox_zoom": "Zoom",
"lightbox_new_window": "New window",
"lightbox_toggle_sidebar": "Toggle sidebar"
}
su ~ we need root access rights to make changes to the system
mount -o remount ~ we remount the system rw (read/write) to make the changes
cp -p ~ we copy/backup the su binary preserving (-p) the current file attributes/permissions, i.e. [rwsr-sr-x root root]
lsattr ~ list attributes; shows the files immutable bit is unset (not protected)
chattr +i ~ the +i is to set the immutable bit on the file
lsattr ~ list attributes; shows the files immutable bit is now set (protected)
chattr -i ~ the -i is to unset the immutable bit on the file
lsattr ~ list attributes; again, shows the files immutable bit is unset (not protected)
mount -o remount,ro ~ we remount the system read-only when finished making changes (always - don't forget)
Now what:
To restore root (su), i.e. after a system upgrade, we call the (su)protected /system/su-bak from terminal and use it to restore root access rights to /system/bin/su
Code:
/system/su-bak
mount -o remount,rw /system
chown 0.0 /system/bin/su
chmod 06755 /system/bin/su
mount -o remount,ro /system
Notes:
-In all my examples above, my su binary is in the /system/bin folder, however yours may very well be in the /system/xbin folder, so handle accordingly
-As long as the upgrade (OTA) is an in-place file system update then this should work, it is essentially the same process as the OTA RootKeepers
Sources and info:
chattr:
http://en.wikipedia.org/wiki/Chattr
http://linuxcommand.org/man_pages/chattr1.html
lsattr:
http://en.wikipedia.org/wiki/Lsattr
http://linuxcommand.org/man_pages/lsattr1.html
-JR-

SAMSUNG GALAXY SIII SCH-R530M 16 digit password??

Hey fellas! Does anyone know the SAMSUNG GALAXY SIII SCH-R530M 16 digit password??
I ve been surfing the web but havent found it,any help will be appreciated..cheers!
Edited: thanks to [email protected] for posting this.
{
"lightbox_close": "Close",
"lightbox_next": "Next",
"lightbox_previous": "Previous",
"lightbox_error": "The requested content cannot be loaded. Please try again later.",
"lightbox_start_slideshow": "Start slideshow",
"lightbox_stop_slideshow": "Stop slideshow",
"lightbox_full_screen": "Full screen",
"lightbox_thumbnails": "Thumbnails",
"lightbox_download": "Download",
"lightbox_share": "Share",
"lightbox_zoom": "Zoom",
"lightbox_new_window": "New window",
"lightbox_toggle_sidebar": "Toggle sidebar"
}
2FF811282FF9F323
Hello everyone. I too have been looking for this password. Has anyone had any luck finding it?
mrctony said:
Hey fellas! Does anyone know the SAMSUNG GALAXY SIII SCH-R530M 16 digit password??
I ve been surfing the web but havent found it,any help will be appreciated..cheers!
Click to expand...
Click to collapse
Hi,
I'm working at creating a solution for JTAG repair on the SGS III USC model and I'm in need of a SCH-R530M SBL dumps and a few other zones. I need a rooted user to simply perform the following command from a terminal on the phone, or while using ADB SHELL under the su user. Once at the command line issue this command, then simply upload the files which end up on your sdcard to me here. That's it!
Thanks in advance!
Code:
dd if=/dev/block/mmcblk0p2 of=/sdcard/sbl1 bs=4096
dd if=/dev/block/mmcblk0p3 of=/sdcard/sbl2 bs=4096
dd if=/dev/block/mmcblk0p4 of=/sdcard/sbl3 bs=4096
dd if=/dev/block/mmcblk0p5 of=/sdcard/aboot bs=4096
dd if=/dev/block/mmcblk0p6 of=/sdcard/rpm bs=4096
dd if=/dev/block/mmcblk0p7 of=/sdcard/boot bs=4096
dd if=/dev/block/mmcblk0p8 of=/sdcard/tz bs=4096
dd if=/dev/block/mmcblk0p9 of=/sdcard/pad bs=4096
dd if=/dev/block/mmcblk0p10 of=/sdcard/param bs=4096
dd if=/dev/block/mmcblk0p18 of=/sdcard/recovery bs=4096
tomy1986.nt said:
Hi,
I'm working at creating a solution for JTAG repair on the SGS III USC model and I'm in need of a SCH-R530M SBL dumps and a few other zones. I need a rooted user to simply perform the following command from a terminal on the phone, or while using ADB SHELL under the su user. Once at the command line issue this command, then simply upload the files which end up on your sdcard to me here. That's it!
Thanks in advance!
Code:
dd if=/dev/block/mmcblk0p2 of=/sdcard/sbl1 bs=4096
dd if=/dev/block/mmcblk0p3 of=/sdcard/sbl2 bs=4096
dd if=/dev/block/mmcblk0p4 of=/sdcard/sbl3 bs=4096
dd if=/dev/block/mmcblk0p5 of=/sdcard/aboot bs=4096
dd if=/dev/block/mmcblk0p6 of=/sdcard/rpm bs=4096
dd if=/dev/block/mmcblk0p7 of=/sdcard/boot bs=4096
dd if=/dev/block/mmcblk0p8 of=/sdcard/tz bs=4096
dd if=/dev/block/mmcblk0p9 of=/sdcard/pad bs=4096
dd if=/dev/block/mmcblk0p10 of=/sdcard/param bs=4096
dd if=/dev/block/mmcblk0p18 of=/sdcard/recovery bs=4096
Click to expand...
Click to collapse
hope this helps.
Jonny Wad said:
hope this helps.
Click to expand...
Click to collapse
Thanks very much for your help.
:good:
2ff811282ff9f323
funkym0nk3y said:
2ff811282ff9f323
Click to expand...
Click to collapse
Thank you. I'll give this a go and report back asap.
Sent from my SPH-L710 using XDA Premium 4 mobile app
Thank you funkym0nk3y. Worked perfectly.
Sent from my SPH-L710 using XDA Premium 4 mobile app

[CHROOT] Debian install on android with root

We need:
-debian chroot tarball or raspberry pi image (Download debian arm64 tarball)
-Magisk
-busybox (Magisk module avaible)
-GNU/Linux(for adb shell)
-Android terminal emulator (Download))
1- download tarball or image on computer
{
"lightbox_close": "Close",
"lightbox_next": "Next",
"lightbox_previous": "Previous",
"lightbox_error": "The requested content cannot be loaded. Please try again later.",
"lightbox_start_slideshow": "Start slideshow",
"lightbox_stop_slideshow": "Stop slideshow",
"lightbox_full_screen": "Full screen",
"lightbox_thumbnails": "Thumbnails",
"lightbox_download": "Download",
"lightbox_share": "Share",
"lightbox_zoom": "Zoom",
"lightbox_new_window": "New window",
"lightbox_toggle_sidebar": "Toggle sidebar"
}
2-push file to /sdcard/ directory
3-Open android shell. Move file to /data/ and unpack file
4- Move rootfs to /data/linux
5- now go phone and run mount.sh in terminal (AOSP terminal has issue so We need another terminal)
6- If phone doesn't have busybox You must use busybox magisk module or any busybox installer.
7-after that reboot phone and run mount.sh in terminal
8-run chroot.sh in terminal and check update
9- done
Notes:
-if you want to install gui, You can install vnc server and connect in android vnc viewers.
-You can only install arm64/arm architecture rootfs.
-if you access system directory in rootfs, You can create /data/linux/system/
-if apt doesnt have internet access, edit /data/linux/etc/passwd file and replace _apt users UID to 0
-If you have any questions, You tell me
Mount.sh
Code:
#!/bin/sh
busybox mount --bind /dev dev
busybox mount --bind /sys sys
busybox mount --bind /proc proc
busybox mount --bind /data/cache tmp
busybox mount --bind /dev/pts dev/pts
busybox mount --bind /system system #optional
busybox mount --bind /sdcard root
Chroot.sh
Code:
#!/bin/sh
export TERM=linux
export TMPDIR=/tmp
export PATH=/bin:/sbin:/usr/bin:/usr/sbin
export USER=root
export HOME=/root
/system/bin/chroot . /bin/bash
Is chroot support present in stock kernel?
kvsjxd said:
Is chroot support present in stock kernel?
Click to expand...
Click to collapse
Yes. Just root needed.
An alternative method to do a ubuntu/debian chroot would be to install Termux and just follow the instructions on the termux-ubuntu repository on Github.
Basically you download a script and it installs everything for you.
The readme file of the repo follows:
A script to install Ubuntu chroot in Termux
You need to install wget and proot in Termux before using this script.
Code:
pkg install wget proot
The script will make its files in the current directory. So if you want your Ubuntu-filesystem at a particular location switch to that folder first and then call the script with it's relative path. Example:
Code:
mkdir -p ~/jails/ubuntu
cd ~/jails/ubuntu
wget https://raw.githubusercontent.com/Neo-Oli/termux-ubuntu/master/ubuntu.sh
bash ubuntu.sh
After running it you can run "start-ubuntu.sh" to switch into your ubuntu
Click to expand...
Click to collapse

Rooting CrossCall Core M5 ?

Hey, i'm trying to root crosscall core m5 but to no avail. Any help ?
What have you tried so far to root phone's Android 11?
jwoegerbauer said:
What have you tried so far to root phone's Android 11?
Click to expand...
Click to collapse
I have tried rooting Xiaomi Redmi 9 with success and flashed lineage os, the only thing is that the android 11 version doesn't allow read write permission to some config file i was trying to modify.
I'm now working with crossCall Core-M5 phones but i couldn't find the boot image that i need to get root access with magisk method.
I noted that Android 11 locked read only permission on / partition, tried many methods to get read write permission on files but no success.
To get RW access to folders / files you've to mount the partitions where these folders / files are located as RW.
jwoegerbauer said:
To get RW access to folders / files you've to mount the partitions where these folders / files are located as RW.
Click to expand...
Click to collapse
Yeah i did that but same error of read only
Bash:
lancelot:/ # mount -o remount,rw /dev/block/dm-1 /vendor
'/dev/block/dm-1' is read-only
Bash:
lancelot:/ # mount -o remount,rw /dev/block/dm-0 /
'/dev/block/dm-0' is read-only
these are the partitions identifiers
Bash:
adb remount
failed to remount partition dev:/dev/block/dm-0 mnt:/: Permission denied
failed to remount partition dev:/dev/block/dm-1 mnt:/vendor: Permission denied
failed to remount partition dev:/dev/block/dm-2 mnt:/product: Permission denied
remount failed
Re-mounting a partition as RW only can be applied by superuser ( AKA ROOT).
Example:
Code:
adb shell "su -c 'mount -o rw,remount <BLOCK> <MOUNTPOINT>'"
jwoegerbauer said:
Re-mounting a partition as RW only can be applied by superuser ( AKA ROOT).
Example:
Code:
adb shell "su -c 'mount -o rw,remount <BLOCK> <MOUNTPOINT>'"
Click to expand...
Click to collapse
Yes i'm root when i executed the previous commands
Bash:
su -c mount -o rw,remount -force /dev/block/dm-1 /vendor
but when i try to verify nothing happened still no write permission
{
"lightbox_close": "Close",
"lightbox_next": "Next",
"lightbox_previous": "Previous",
"lightbox_error": "The requested content cannot be loaded. Please try again later.",
"lightbox_start_slideshow": "Start slideshow",
"lightbox_stop_slideshow": "Stop slideshow",
"lightbox_full_screen": "Full screen",
"lightbox_thumbnails": "Thumbnails",
"lightbox_download": "Download",
"lightbox_share": "Share",
"lightbox_zoom": "Zoom",
"lightbox_new_window": "New window",
"lightbox_toggle_sidebar": "Toggle sidebar"
}
The complete command passed to su must be enquoted as I've shown it above.
Device must get re-booted so change take effect.

Shell script doesn't show any output until used "exit"

Hello
I had created a shell script for myself (just a trial lol) to extract the boot image from system. the script goes somewhat like this:
#!/system/bin/sh
#getting superuser rights with su command
su
#checking if we have su permission or not
if [ "$UID" -eq 0 ]
then
echo "you have root so you can easily backup boot image"
sleep 2
else
echo "you don't have root so you can't backup boot image using this script"
fi
#going to root directory for easy access to internal storage
cd /
#changing directory to internal storage to create folder for backup
cd sdcard
#creating folder for backup
mkdir ImageBackup
cd ImageBackup
mkdir Boot
#finally using dd command to get boot image from system
dd if=/dev/block/by-name/boot of=/sdcard/ImageBackup/Boot/boot.img
cd Boot
ls
echo "Your Boot image has been succesfully backed up and is stored in ImageBackup/Boot in your internal storage"
Click to expand...
Click to collapse
i use adb shell and then "su" command to run the script, its located in /data/local/tmp and i run it using "./boot" ("boot" is the file name). i dont get any output. as soon as i type "exit" the script starts running (screenshot attached).
{
"lightbox_close": "Close",
"lightbox_next": "Next",
"lightbox_previous": "Previous",
"lightbox_error": "The requested content cannot be loaded. Please try again later.",
"lightbox_start_slideshow": "Start slideshow",
"lightbox_stop_slideshow": "Stop slideshow",
"lightbox_full_screen": "Full screen",
"lightbox_thumbnails": "Thumbnails",
"lightbox_download": "Download",
"lightbox_share": "Share",
"lightbox_zoom": "Zoom",
"lightbox_new_window": "New window",
"lightbox_toggle_sidebar": "Toggle sidebar"
}
Code:
adb shell
opens an Android Terminal session - wherein shell commands like su can get applied - what finally gets closed with
Code:
exit
Take note that applying su doesn't output anything if processing it was successfull.
xXx yYy said:
Code:
adb shell
opens an Android Terminal session - wherein shell commands like su can get applied - what finally gets closed with
Code:
exit
Take note that applying su doesn't output anything if processing it was successfull.
Click to expand...
Click to collapse
I know that using commands like "su" dont give any output. Im telling that when i use "./boot" i.e. run the script, the script wont run until i use "exit" command. See in the screenshot
Again:
As soon as you execute adb shell in a Windows batch script without passing any arguments, a remote terminal session is opened in Android, which has to be closed with exit to continue with the next statement in the batch script.
In your case you have to code
Code:
adb shell "su"
instead of
Code:
adb shell
su
exit
what is senseless crap, IMO, because it simply opens a terminal session, establishes within this an elevated user ( AKA root ) and then immmediately closes this terminal session.

Categories

Resources