[UNLOCK][ROOT][TWRP][UNBRICK] Fire HD 10 2017 (suez) - Fire HD 8 and HD 10 Original Android Development

Read this whole guide before starting.
This is for the 7th gen Fire HD10 (suez).
Current version: amonet-suez-v1.1.2.zip
NOTE: This process does not require you to open your device, but should something go horribly wrong, be prepared to do so.
NOTE: This process will modify the partition-table (GPT) of your device.
NOTE: Your device will be reset to factory defaults (including internal storage) during this process.
What you need:
A Linux installation or live-system
A micro-USB cable
Install python3, PySerial, adb, fastboot dos2unix. For Debian/Ubuntu something like this should work:
Code:
sudo apt update
sudo add-apt-repository universe
sudo apt install python3 python3-serial adb fastboot dos2unix
1. Extract the attached zip-file "amonet-suez-v1.1.2.zip" and open a terminal in that directory.
NOTE: If you are already rooted, continue with the next step, otherwise get mtk-su by @diplomatic from here and place (the unpacked binary) into amonet/bin folder
2. Enable ADB in Developer Settings
3. Start the script:
Code:
sudo ./step-1.sh
Your device will now reboot into recovery and perform a factory reset.
NOTE: If you are on firmware 5.6.4.0 or newer, a downgrade is necessary, this requires bricking the device temporarily. (The screen won't come on at all)
If you chose the brick option, you don't need to run step-2.sh below:
Make sure ModemManager is disabled or uninstalled:
Code:
sudo systemctl stop ModemManager
sudo systemctl disable ModemManager
After you have confirmed the bricking by typing "YES", you will need disconnect the device and run
Code:
sudo ./bootrom-step-minimal.sh
Then plug the device back in.
It will then boot into "hacked fastboot" mode.
Then run
Code:
sudo ./fastboot-step.sh
NOTE: When you are back at initial setup, you can skip registration by selecting a WiFi-Network, then pressing "Cancel" and then "Not Now"
NOTE: Make sure you re-enable ADB after Factory Reset.
4. Start the script:
Code:
sudo ./step-2.sh
The exploit will now be flashed and your device will reboot into TWRP.
You can now install Magisk from there.
Going back to stock
Extract the attached zip-file "amonet-suez-v1.1-return-to-stock.zip" into the same folder where you extracted "amonet-suez-v1.1.2.zip" and open a terminal in that directory.
You can go back to stock without restoring the original partition-table, so you can go back to unlocked without wiping data.
Just use hacked fastboot to
Code:
fastboot flash recovery bin/recovery.img
If you want to go back completely (including restoring your GPT):
Code:
sudo ./return-to-stock.sh
Your device should reboot into Amazon Recovery. Use adb sideload to install stock image from there. (Make sure to use FireOS 5.6.3.0 or newer, otherwise you may brick your device)
Important information
In the new partitioning scheme your boot/recovery-images will be in boot_x/recovery_x respectively, while boot/recovery will hold the exploit.
TWRP takes care of remapping these for you, so installing zips/images from TWRP will work as expected.
Don't flash boot/recovery images from FireOS (FlashFire, MagiskManager etc.) (If you do anyway, make sure you flash them to boot_x/recovery_x)
Should you accidentally overwrite the wrong boot, but your TWRP is still working, rebooting into TWRP will fix that automatically.
TWRP will prevent updates from overwriting LK/Preloader/TZ, so generally installing an update should work without issues (only full updates, incremental updates won't work).
For ROM developers there is still an option to overwrite these, which should only be done after thorough testing and if needed (LK should never be updated).
It is still advised to disable OTA.
Very special thanks to @xyz` for making all this possible and putting up with the countless questions I have asked, helping me finish this.
Special thanks also to @retyre for porting the bootrom-exploit and for testing.
Special thanks also to @diplomatic for his wonderfull mtk-su, allowing you to unlock without opening the device.
Thanks also to @bibikalka and everyone who donated
Thanks to @TheRealIntence and @b1u3m3th for confirming it also works on the 64GB model.

Unbricking
If Recovery OR FireOS are still accessible there are other means of recovery, don't continue.
If your device shows one of the following symptoms:
It doesn't show any life (screen stays dark)
You see the white amazon logo, but cannot access Recovery or FireOS.
If you have a Type 1 brick, you may not have to open the device, if your device comes up in bootrom-mode (See Checking USB connection below).
Make sure the device is powered off, by holding the power-button for 20+ seconds
Start bootrom-step.sh
Plug in USB
In all other cases you will have to open the device and partially take it apart.
Follow this guide by @retyre until (including) step 8..
At Step 6. you will replace
Code:
sudo ./bootrom.sh
with
Code:
sudo ./bootrom-step.sh
Should the script stall at some point, restart it and replug the USB-cable (Shorting it again should not be necessary unless the script failed at the very beginning).
If the script succeeded, put the device back together.
When you turn it on, it should start in hacked fastboot mode.
You can now use
Code:
sudo ./fastboot-step.sh
This will flash TWRP and reset your device to factory defaults, then reboot into TWRP.
Checking USB connection
In lsusb the boot-rom shows up as:
Code:
Bus 002 Device 013: ID [b]0e8d:0003[/b] MediaTek Inc. MT6227 phone
If it shows up as:
Code:
Bus 002 Device 014: ID [b]0e8d:2000[/b] MediaTek Inc. MT65xx Preloader
instead, you are in preloader-mode, try again.
dmesg lists the correct device as:
Code:
[ 6383.962057] usb 2-2: New USB device found, idVendor=[b]0e8d[/b], idProduct=[b]0003[/b], bcdDevice= 1.00

Changelog
Version 1.1.2 (26.03.2019)
Fix regenerating GPT from temp GPT
Version 1.1.1 (26.03.2019)
Fix unbricking procedure
Version 1.1 (25.03.2019)
Update TWRP-sources to twrp-9.0 branch
TWRP uses kernel compiled from source
Add scripts to use handshake2.py to enter fastboot/recovery
Features.
Uses 5.6.3 LK for full compatibility with newer kernels.
Hacked fastboot mode lets you use all fastboot commands (flash etc).
Boots custom/unsigned kernel-images (no patching needed)
TWRP protects from downgrading PL/TZ/LK
For the devs: sets printk.disable_uart=0 (enables debug-output over UART).
NOTE: Hacked fastboot can be reached via TWRP.
NOTE: Hacked fastboot doesn't remap partition names, so you can easily go back to stock

Source code:
https://github.com/chaosmaster/amonet/tree/mt8173-suez
https://github.com/chaosmaster/android_device_amazon_suez
https://github.com/chaosmaster/android_kernel_amazon_suez
https://github.com/chaosmaster/android_bootable_recovery

First unreserved !!!

bibikalka said:
First unreserved !!!
Click to expand...
Click to collapse
You are quick

Now we need custom kernels and/or roms, any advice where to start?

Murcielagoz99 said:
Now we need custom kernels and/or roms, any advice where to start?
Click to expand...
Click to collapse
Download Lineage OS Sources, create device tree, create kernel tree, create vendor tree and compile ROM.
---------- Post added at 09:04 PM ---------- Previous post was at 08:58 PM ----------
@k4y0z in the ReadMe of the amonet source code says that the exploit is for the fire hd8 2018.
Is it correct or is it an error?
On the other hand, very good work!

sudo ./step-1.sh
"command not found"
Got the script to run using chmod. But it doesn't reboot,
"PL version 5
LK version 2
TZ Version 263
press enter to continue...
(doesnt reboot)
Dumping GPT
....
Modifying GPT (still hasnt reboot)
What am i am missing?

BRAVO!! Fantastic work, my friend! I'm looking forward to the customization and ROMs that will soon follow.

Rortiz2 said:
Download Lineage OS Sources, create device tree, create kernel tree, create vendor tree and compile ROM.
Click to expand...
Click to collapse
Or start with the (minimal) TWRP device tree I linked to.
Rortiz2 said:
@k4y0z in the ReadMe of the amonet source code says that the exploit is for the fire hd8 2018.
Is it correct or is it an error?
On the other hand, very good work!
Click to expand...
Click to collapse
I just forgot to update the Readme fixed it.
Michajin said:
sudo ./step-1.sh
"command not found"
Got the script to run using chmod. But it doesn't reboot,
"PL version 5
LK version 2
TZ Version 263
press enter to continue...
(doesnt reboot)
Dumping GPT
....
Modifying GPT (still hasnt reboot)
What am i am missing?
Click to expand...
Click to collapse
What OS are you using?
Is there no other output?
Try running
Code:
modules/gpt.py
Does that give any errors?

k4y0z said:
Or start with the (minimal) TWRP device tree I linked to.
I just forgot to update the Readme fixed it.
What OS are you using?
Is there no other output?
Try running
Code:
modules/gpt.py
Does that give any errors?
Click to expand...
Click to collapse
i had permission errors on my ubuntu 16.04. IT rebooted into recovery but nothing happened.
Testing root access...
uid=0(root) gid=0(root) context=u:r:init:s0
PL version: 5 (5)
LK version: 2 (2)
TZ version: 263 (263)
Your device will be reset to factory defaults...
Press Enter to Continue...
Dumping GPT
tmp-mksh: dd if=/dev/block/mmcblk0 bs=512 count=34 of=/data/local/tmp/gpt.bin: not found
tmp-mksh: chmod 644 /data/local/tmp/gpt.bin: not found
199 KB/s (17408 bytes in 0.085s)
Flashing temp GPT
246 KB/s (17408 bytes in 0.068s)
tmp-mksh: dd if=/data/local/tmp/gpt.bin.step1.gpt of=/dev/block/mmcblk0 bs=512 count=34: not found
Preparing for Factory Reset
tmp-mksh: mkdir -p /cache/recovery: not found
/system/bin/sh: can't create /cache/recovery/command": Permission denied
/system/bin/sh: can't create /cache/recovery/command": Permission denied
Rebooting into Recovery
Recovery, nothing happens.
I have root.....

Michajin said:
i had permission errors on my ubuntu 16.04. IT rebooted into recovery but nothing happened.
Testing root access...
uid=0(root) gid=0(root) context=u:r:init:s0
PL version: 5 (5)
LK version: 2 (2)
TZ version: 263 (263)
Your device will be reset to factory defaults...
Press Enter to Continue...
Dumping GPT
tmp-mksh: dd if=/dev/block/mmcblk0 bs=512 count=34 of=/data/local/tmp/gpt.bin: not found
tmp-mksh: chmod 644 /data/local/tmp/gpt.bin: not found
199 KB/s (17408 bytes in 0.085s)
Flashing temp GPT
246 KB/s (17408 bytes in 0.068s)
tmp-mksh: dd if=/data/local/tmp/gpt.bin.step1.gpt of=/dev/block/mmcblk0 bs=512 count=34: not found
Preparing for Factory Reset
tmp-mksh: mkdir -p /cache/recovery: not found
/system/bin/sh: can't create /cache/recovery/command": Permission denied
/system/bin/sh: can't create /cache/recovery/command": Permission denied
Rebooting into Recovery
Recovery, nothing happens.
I have root.....
Click to expand...
Click to collapse
What are you using for root?
it seems like your "su" doesn't like the commands my script sends, what su are you using?
You could try disabling root/ungrant root access and use mtk-su.

k4y0z said:
What are you using for root?
it seems like your "su" doesn't like the commands my script sends, what su are you using?
You could try disabling root/ungrant root access and use mtk-su.
Click to expand...
Click to collapse
SuperSU Pro v 2.82

Michajin said:
SuperSU Pro v 2.82
Click to expand...
Click to collapse
Interesting, it seems it interprets all the arguments as one command.
I'll see if I can find a workaround to work with SuperSU, but it will take me a moment.
What should work however is if you disable root-access in SuperSU-app.
And place mtk-su into bin-folder.
Then just let it do it's thing using mtk-su.

k4y0z said:
Interesting, it seems it interprets all the arguments as one command.
I'll see if I can find a workaround to work with SuperSU, but it will take me a moment.
What should work however is if you disable root-access in SuperSU-app.
And place mtk-su into bin-folder.
Then just let it do it's thing using mtk-su.
Click to expand...
Click to collapse
It is showing
new UID/GID: 0/0 (over and over)
then UID/GID: 2000/2000 ( occasionally)
Then did not find own task_struct (237)
This normal? It has been about 10 minutes

Michajin said:
It is showing
new UID/GID: 0/0 (over and over)
then UID/GID: 2000/2000 ( occasionally)
Then did not find own task_struct (237)
This normal? It has been about 10 minutes
Click to expand...
Click to collapse
Then abort it and try again.
Make sure the screen is unlocked.
Is there no other output?
Did you use arm or arm64 mtk-su?
Also I just tested with SuperSU 2.82 su-binary, and it worked as expected.
I'm not sure why you are getting this issue.

k4y0z said:
Then abort it and try again.
Make sure the screen is unlocked.
Is there no other output?
Did you use arm or arm64 mtk-su?
Also I just tested with SuperSU 2.82 su-binary, and it worked as expected.
I'm not sure why you are getting this issue.
Click to expand...
Click to collapse
I factory reset, no luck, I tried it on my Raspberry pi3 and it worked. Something with my ubuntu i guess? What version of magisk? i flashed 18.1 and it seems to be looping (or taking a really really long time). Rebooting into recovery is easy though (right volume and power).

Michajin said:
I factory reset, no luck, I tried it on my Raspberry pi3 and it worked. Something with my ubuntu i guess? What version of magisk? i flashed 18.1 and it seems to be looping (or taking a really really long time). Rebooting into recovery is easy though (right volume and power).
Click to expand...
Click to collapse
Great you got it to work. Not sure why it didn't in Ubuntu.
Did you end up using mtk-su or SuperSu?
Magisk 18.1 is working fine for me, what FireOS-Version are you on?

k4y0z said:
Read this whole guide before starting.
This is for the 7th gen Fire HD10 (suez).
I have only tested it on the 32GB-model, but it should also work on the 64GB-model ....
Click to expand...
Click to collapse
Outstanding 'win' presented with clarity and humility. Not to mention timely given the short time you've had the target hardware. A fantastic ROI for those who underwrote the device and for uncounted others who will benefit from your work (along with those of several others noted in your full post) for years to come.
:good:

Related

Recommended rooting procedure under Linux

Since the link about rooting the TF101 in the reference thread is broken, I would like to ask what is the cleanest way to root the TF101. I'm coming from a stock B80* device at the latest OTA update.
I'm working under Linux. I want to root my device, install a custom ROM and Ubuntu as well (for the last part I think this guide http://forum.xda-developers.com/showthread.php?t=1537566 is the one to follow).
So now I need a pointer to the "reference" rooting guide (I've done a bit of search but apart from 1-click tools to be used under Win platforms I couldn't tell what is the latest "manual" procedure.
Another question: I read on the XDA wiki that to install Ubuntu on SBK2 devices Wheelie is needed in order to access the nvflash mode, but in the XDA guide I linked above Wheelie isn't mentioned at all. What am I missing?
What is the "cleanest" way to go through this?
Thank you in advance.
Under Linux, I think the easiest is to use Wolf's method 3 from here: http://forum.xda-developers.com/showthread.php?t=1622628
You will need the adb executable for Linux. I am not sure if it is included, or if you have to get it from the Android SDK tools here: http://dl.google.com/android/android-sdk_r21.1-linux.tgz
You will need a recovery blob saved on the internal memory of your TF101. I would use TWRP recovery, download the TWRP recovery blob here: http://techerrata.com/file/twrp2/tf101/openrecovery-twrp-2.3.2.3-tf101.blob I would rename this to recovery.blob and save it in the /sdcard/ for easy reference.
Also, save this copy of SuperSU that can be flashed through recovery in the /sdcard/: http://forum.xda-developers.com/attachment.php?attachmentid=1210576&d=1342793670
Next, connect your TF101 to your Linux machine via the charger cable. Go to Settings - Developer Options and enable USB Debugging.
Open a terminal window where you can execute adb and type the following:
Code:
adb devices
It should show one device connected. If so, proceed. If not, you will want to wait for a Linux guru to come along and assist.
Next, execute the following commands:
Code:
[B]adb shell[/B]
[email protected]# [B]mv /data/local/tmp /data/local/tmp.bak[/B]
[email protected]#[B] ln -s /dev/block/mmcblk0p4 /data/local/tmp[/B]
[email protected]#[B] exit[/B]
[B]adb reboot[/B]
Once you see the Asus loading screen, you should be able to use ADB again. If you want to wait until it is fully booted, that is fine.
Execute the following:
Code:
[B]adb shell[/B]
[email protected]# [B]dd if=/sdcard/recovery.blob of=/dev/block/mmcblk0p4[/B]
8860+1 records in
8860+1 records out
4536396 bytes transferred in 1.718 secs (2640509 bytes/sec)
[email protected]# [B]exit[/B]
[B]adb reboot[/B]
Note, the numbers for records in and out will vary, but as long as it completes it should be fine.
Upon reboot you should see a progress indicator on the bottom of the Asus screen. This is when it updates the recovery to the custom one you dd'd.
After it boots, you can then boot to recovery by holding the VOL DOWN and POWER button on the tablet (not the keyboard dock) for about 12-15 seconds. When you see the white text, release both and tap VOL UP before the white text disappears.
You should boot to the custom recovery (if you get a dead android, you still have stock recovery)
Once in custom recovery, tap Install and choose the SuperSU flashable located in the /sdcard/. Once that completes, you are rooted.
As far as installing Linux on a SBK2, I am not sure on that one. I have been reluctant to mess with Linux on my TF101.
Here I am, the procedure worked flawlessly. Thank you
Awesome!

[Q] Fastboot Linux

Ive been trying to get TWRP loaded on to my TF300T on 4.2.1 using this guide but on the fastboot its stuck on waiting for device. The device is recognised in the Terminal but have no luck flashing the recovery. Is there any other methods for flashing a recovery I can use on linux or advice.
Im running Xubuntu 13.04
mackay508 said:
Ive been trying to get TWRP loaded on to my TF300T on 4.2.1 using this guide but on the fastboot its stuck on waiting for device. The device is recognised in the Terminal but have no luck flashing the recovery. Is there any other methods for flashing a recovery I can use on linux or advice.
Im running Xubuntu 13.04
Click to expand...
Click to collapse
Is your OS 32 or 64-bit? If it's 64, you may need to have both ia32-libs and ia32-libs-dev installed for fastboot to work properly. Also, did you get the android-tools packages from the repos? I'm not sure about the *buntus, but on Debian, they're in the unstable repos. Make sure you have the newest versions (trust me; it matters).
If you want to do it via ADB, you could do this:
Code:
adb shell
su
dd if=/sdcard/recovery.img of=/dev/block/mmcblk0p4
Make sure the recovery image is on your internal storage if you do it that way.
I recommend trying to get fastboot working, and use ADB as a last resort.
Its 32-bit, I used fastboot for my N4 so unsure why its not working just now. I tried the method you said but think i may ahve done it wrong it completed the operation but got the Android on its back with the red triangle :/
First time i got :-
1|[email protected]:/ # dd if=/sdcard/recovery.img of=/dev/block/mmcblk0p4
12896+0 records in
12896+0 records out
6602752 bytes transferred in 5.185 secs (1273433 bytes/sec)
Then after that i got :-
127|[email protected]:/ $ dd if=/sdcard/recovery.img of=/dev/block/mmcblk0p4
/dev/block/mmcblk0p4: cannot open for write: Permission denied
ry.img’: No such file or directory <
/system/bin/sh: dd:: not found
127|[email protected]:/ $ dd if=/sdcard/recovery.img of=/dev/block/mmcblk0p4
/dev/block/mmcblk0p4: cannot open for write: Permission denied
1|[email protected]:/ $
mackay508 said:
Its 32-bit, I used fastboot for my N4 so unsure why its not working just now. I tried the method you said but think i may ahve done it wrong it completed the operation but got the Android on its back with the red triangle :/
First time i got :-
1|[email protected]:/ # dd if=/sdcard/recovery.img of=/dev/block/mmcblk0p4
12896+0 records in
12896+0 records out
6602752 bytes transferred in 5.185 secs (1273433 bytes/sec)
Then after that i got :-
127|[email protected]:/ $ dd if=/sdcard/recovery.img of=/dev/block/mmcblk0p4
/dev/block/mmcblk0p4: cannot open for write: Permission denied
ry.img’: No such file or directory <
/system/bin/sh: dd:: not found
127|[email protected]:/ $ dd if=/sdcard/recovery.img of=/dev/block/mmcblk0p4
/dev/block/mmcblk0p4: cannot open for write: Permission denied
1|[email protected]:/ $
Click to expand...
Click to collapse
Stupid question probably, but is your tablet unlocked?
Also, for the second one, you weren't logged in as root. You need to be root to write the image.
Linux 101:
- If you see a dollar sign ($) in the terminal, you're a normal, unprivileged user
- If it's a pound sign (#), you're root.
Also, like I said before, the version of Fastboot matters. Way back in August, I soft-bricked my tablet, and fastboot gave me the same problem it's giving you, even though I had used fastboot on my tablet before that. Months later, I found the fastboot in the Debian repos. I'm not sure what the difference was between the versions, but the new one from the repos worked perfectly, and I was able to get my tablet working again.
EndlessDissent said:
Stupid question probably, but is your tablet unlocked?
Also, for the second one, you weren't logged in as root. You need to be root to write the image.
Linux 101:
- If you see a dollar sign ($) in the terminal, you're a normal, unprivileged user
- If it's a pound sign (#), you're root.
Also, like I said before, the version of Fastboot matters. Way back in August, I soft-bricked my tablet, and fastboot gave me the same problem it's giving you, even though I had used fastboot on my tablet before that. Months later, I found the fastboot in the Debian repos. I'm not sure what the difference was between the versions, but the new one from the repos worked perfectly, and I was able to get my tablet working again.
Click to expand...
Click to collapse
Yeah I unlocked it using the unlocker app and have the this device is unlocked at the boot screen. Forgot the su part :/ what i get for using the up button haha. Yeah it came up with grant superuser access on my tablet, I deleted and reinstalled fastboot the other day to see if it would help but it didnt. Might have to wait until i can access a Windows laptop :/
Sorry I couldn't help. Those are the most common problems/solutions I've seen and personally experienced. And I have no idea why dd didn't work in ADB Shell. I would check the recovery image and try again. Check out adb --help to see if there are any other options available. I'm not overly familiar with ADB.
You could also flash the recovery while booted into Android using Terminal Emulator. That's how I usually flash recoveries. Just use the dd method from the ADB Shell instructions. Just skip the first command, starting ADB Shell, and start at su.
Oh, and I completely missed it earlier, but make sure that the recovery you're using ends in -42.img or - 42.blob. If you use one with -JB, you could brick your tablet. I don't know why the guy giving instructions in your link said to use -JB, but there have literally been dozens of bricked tablet threads here because people flashed a -JB recovery on a 4.2 bootloader. -JB recoveries should only be used with the 4.1 bootloader.
EndlessDissent said:
Sorry I couldn't help. Those are the most common problems/solutions I've seen and personally experienced. And I have no idea why dd didn't work in ADB Shell. I would check the recovery image and try again. Check out adb --help to see if there are any other options available. I'm not overly familiar with ADB.
You could also flash the recovery while booted into Android using Terminal Emulator. That's how I usually flash recoveries. Just use the dd method from the ADB Shell instructions. Just skip the first command, starting ADB Shell, and start at su.
Oh, and I completely missed it earlier, but make sure that the recovery you're using ends in -42.img or - 42.blob. If you use one with -JB, you could brick your tablet. I don't know why the guy giving instructions in your link said to use -JB, but there have literally been dozens of bricked tablet threads here because people flashed a -JB recovery on a 4.2 bootloader. -JB recoveries should only be used with the 4.1 bootloader.
Click to expand...
Click to collapse
Thanks for the help anyway, yeah just glad i read up on the recoveries before hand incase it worked and i got bricked. Ill try using the terminal and see if that works

Samsung XCover3 Development Thread [4.4.4/5.1.1/6.0.1] [Root, TWRP, Mods and ROMS]

Preface: I'm currently using this device and really like it, and as you all may have realised, that this device is considered as a low activity device on XDA, and no developers that I know of have taken a crack at this phone. This thread is to consolidate all information pertaining to the device.
If some area are empty, they will have more content in the future as we progress with this awesome device.
Feel free to post any mods that have worked (preferably in systemless mode)
Table of Contents:
Post 1) Rooting, TWRP and useful Links
Post 2) Info for Developers
Post 3) Roms & Mods
Post 4) Reserved
Useful Links:
My Github (Matt07211) containing kernel source code, to keep with the GPL licenses.
Samsung Kernel Source Code 4.4.4/5.1.1 and 6.0.1
Firmware Samsung xCover 3 and Samsung xCover 3 Value Edition
TWRP for Samsung xCover3 (Kit Kat)
TWRP for Samsung xCover3 Value Edition Credits: @Heledir for the link
SuperSU
Prerequisites:
ADB Installed
USB Debugging Enabled
Samsung USB Drivers Installed
Samsung ODIN (Preferably Odin3_v3.10.7 or above)
A Brain that can use common sense, or Google
Disclaimer:
Anything you do with your own phone is done at your own risk. Don't complain if you accidentally brick your phone. Fix it by using Google, flash back stock firmware or post on XDA for help.
Knox will probably be voided, and so will your warranty.
We cannot say what works for us, may or may not work for you.
Good luck
Using ODIN:
1) Enable USB Debugging, and OEM Unlock (If available), these can be reached from the developer menu. The develpoer menu can be activated by taping "Build Number" 7 times in the about section.
Don't disable OEM Unlock (Ever) once modifing your phone, because FRP (Factoy Reset Protection) will be activated, and then you will be forced into reinstalling stock firmware, aalnd losing all your data in the process.
2) Turn phone off, boot into download mode (Power + Volume Down + Home) and then press Volume Up to use download mode when greeted with a yellow warning.
3) Launch ODIN, and plug phone into Computer. You should see some text like this "ID:COM" in blue.
4) Click the AP button (If it says PDA then you have an older version of ODIN, and are recommended to use a newer version) and Select the file that will be flashed. E.g. TWRP or a Boot.img. Making sure the only options ticked are "F.Reset Time" and "Auto-Reboot". If you are flashing a recovery (E.g. TWRP) then make sure "Auto-Reboot" is unticked, and when ODIN says successful flash then you'll have to then reboot the phone your self(Either by holding any combination of Volume Keys (Any one) + Power + Home or Removing the Battery and Placing back in) and reboot straight into recovery (at least once, else the stock recovery will replace TWRP on a normal boot bu a script called "install-recovery.sh").
5) If "Auto-Reboot is ticked, then the phone will automatically reboot once flashing has been completed.
Root:
SM-G388f:
KitKat:
1) Enable USB Debugging
2) Download the Newest TWRP from the above TWRP Link (the one marked with KitKat), making sure you download the file with the .img.tar extension.
3) Download the Newest SuperSu and place on the internal phone memory.
4) Flash the downloaded TWRP file, make sure "Auto-Reboot" is unticked (Refer to "Using ODIN" if needed). Click Start
5) Once flashed, reboot into recovery (Power + Volume Up + Home) straight away and Flash SuperSu.zip via the Flash Zip section.
Congrats you got root on KitKat
Lollipop:
Installation:
1) Make sure you have the prerequisites installed, and "xcover3-lollipop-root.zip"
unzipped. Then type
Code:
adb devices
to make sure adb recognises the phone and that its authorized.
2) Type (or copy) exaclty as below. *Please be paitent, as the first command
takes about 20 seconds to complete.
Code:
adb push su.img /data/local/tmp
adb install Superuser.apk
3) Once thats completed, turn off the device and then boot into download
mode (Volume Down + Home + Power).
4) Open the ODIN program, click "AP" then navigate to the "boot.tar.md5"
file that is in the "xcover3-lollipop-root: folder, then click open/okay.
Click start to flash.
5) The phone should auto-reboot. Once its fully booted, reboot once more
(perferabbly twice), this is to allow the script placed in the ramdisk to
move the su.img to /data.
6) Profit? Yay you've now got root. You can go and test it out by downloading
terminal emulator and typing "su", you then should be prompted to grant root
permissions to the app. Once granted, the "$" symbol will change to "#" to
signify root.
Thanks to:
@akuhak Thanks for build the custom tools necessary to modify the boot.img
@proguru Thanks for compiling a custom kernel for me, (for testing purposes) allowing me to test various things.
@kniederberger Thanks for providing the boot.img and su.img from the Value edition of the phone, allowing me to base my work around what was done on the value editon.
SM-G389f:
Marshmallow:
*Verified by @Heledir and @kniederberger
A user has uploaded a YouTube video HERE in case anyone wants a video tutorial.
1) Enable "OEM UNLOCK" and "USB Debugging" in developer settings (This can be found by tapping build number 7 times, then developer mode will be activated) then procedded to Flash TWRP.
2) Flash the Value Edition version of TWRP, Link at the top of this thread, making sure it has ".img.tar" extension (Refer to "Using ODIN" if needed).
3) Flash SuperSu.zip inside of TWRP via the Flash Zip section
Update to Newer Firmware while rooted:
Note: You'll lose root (re-root via relevant method) and modifications done to /system, but you're Apps and Data (/data and internal storage) will remain untouched.
0)Although you won't lose any apps/data, it's always recommended to make a backup. Perferrable a Nandroid backup or the backup of apps and data via the means of Titanium Backup and such.
1) Download Newest firmware matching the phones region and carrier (basically if the phone is from one country, dont download the firmware intended for a different country. Links at top of OP/Thread.
2) Out phone into download more, launch Odin and Flash the firmware package Downloaded. (Refer to the Using Odin section as needed.)
3) Give it some time for the inital reboot, and allow it to get setup and booted.
Optional) Re-root via relevant methods.
Un-root Samsung XCover 3 Devices:
1) Click un-root from SuperSu APP
*5.1.1 and 6.0.1: Flash Stock boot.img (Found in stock firmware) (Will post a Link for stock boot.tar.md5 soon, or read on in the next post to figure out how to create your own boot.tar.md5 file)
TWRP:
KitKat: Working
Lollipop: Not Working (I'm looking into it) The is a hacked together version of TWRP HERE, in case people want to flash files. I wouldn't recommend it for anything else other then flashing, as i would perfer to build a proper working TWRP for lollipop.
Note: You'll have to hold, Volume Up + Home + Power buttons straightafter flashing from Odin, keep hold of the key combo untill you see the TWRP logo (2 reboots).
Marshmallow: Working
Flash Stock Firmware:
1) Download the stock firmware from above links, making sure the version and region matches your phone
2) As with the other steps, boot into download mode and connect it to Odin, click the AP button and click on the stock firmware. Then Click Start. (Refer to "Using ODIN" if needed)
3) Give it some time after flashing (Max 10mins) to boot and setup for the first time, if it doesn't after a long time, re-flash the stock firmware again.
FAQ:
- Where is a ROM/Custom Kernel/ TWRP(for lollipop) for our devices? I currently can't provide/make these due to internet limitations, and no access to a 64 bit computer(of course these may change for me in the future). Feel free to build and provide these, and they can get linked to one of the opening pots for easy access.
- What is this thread? It aims to bring all the current work being done on this device into a single thread, so its easily accessible for everyone
- XYZ App doesn't detect root (systemless root)? These apps haven't been updated to work with systemless root, and therefor require SuperSu compatibility mode to be enabled to work with systemless root. Refer to the Troubleshooting section below to fix.
- My Device is sluggish/slow at each boot, how can I fix this? I have noticed that certain apps when used, E.g. CF.Lumen, Livebootetc. require patching the sepolicy at each boot, and this is a memory intensive task. This may not be the only cause for sluggishness, other things can include alot of apps checking for notifcations by pinging their servers, or alot of apps auto starting at boot. There are two different ways about fixing this, one, uninstall offending apps (or disbale their automatic launch), or two, live with it, just wait a couple of minutes after booting before unlocking and using the phone, becuse by then their tasks should be done and android should have cleared up some RAM.
- I keeping getting notifications that my device is unsafe/had unautorized actions have taken place, how to stop this notification/warning? Refer to the Troubleshooting section below to fix.
Troubleshooting:
- XYZ App doesn't detect root (systemless root):
For Value Edition (Android 6.0.1):
1) Type "(or paste)
Code:
echo "BINDSYSTEMXBIN=TRUE" >> /data/.supersu[/CODE
2) Reflash the latest SuperSu.zip via TWRP][/INDENT]
[INDENT][B]For the Normal/Original xCover 3[/B] [I](Android 5.1.1., using my root method)[/I]:
Note: This fix is for the root developed by me, once/if we get a working TWRP for lollipop, then the above instructions should suffice. These 2 scripts creates and mounts a folder to xbin, allowing for apps that check for system root to work properly with systemless. Also daemonsu should mount the folder at boot automatically, but I was having problems with it, so that's why I have a second script to automatically mount the needed folder. Now to the instructions :)
1) Download the "systemless-compatability-fix-lollipop.tar.gz" onto the device and unzip it
2) Using a file explorer that works with systemless root, E.g. Solid Explorer, Copy and paste the 2 files inside the "/su/su.d" directory, making sure it's permissions is "0700" or "700", if the permissions are incorrect you can use the file explorer or terminal emulator and "chmod 0700" on both of the files, Refer to both of the files below for reference.
[img]http://forum.xda-developers.com/attachment.php?attachmentid=3948945&d=1480154633[/img]
[img]http://forum.xda-developers.com/attachment.php?attachmentid=3948946&d=1480154633[/img][/INDENT]
Now all root apps should work (I'm loooking at you Secure Settings and ES File Explorer Pro)
- I keeping getting notifications that my device is unsafe/had unauthorized actions have taken place, how to stop this notification/warning:
I haven't formmaly looked into the cause of this problem as of yet, but some users reported that disabling/removing "SecurityLogAgent" and/or "Smart Manager" Fixs the problem. This can be achieved using Titanium Backup (or similar apps).
[I][B]Planned Work:[/B][/I]
[HIDE]
- Do the next post write up on how to modify the boot.img (or other files) of the devices.
- Get working TWRP on Lollipop
- Get Magisk v9 working
- Look it what is need to flash MM from the xCover 3 Value Edition devices onto the Normal xCover 3 Most users have. (Might be difficult, as they have different hardware)
- Get some ROM creators onto this device [/HIDE]
Anything else?
Development for the xCover3
By Matt07211
This post aims to cover some relevant info for developers, aspiring developers, or tinkers that are missing a crucial piece or knowledge need for it to work on this device (xCover3). This thread will be more bias towards the Original xCover 3 running Lollipop, this just means my knowledge might be lacking in some areas due to differences in hardware (They have different chip-sets)therefor a difference in procedure. This Post assumes your using Linux and is biased towards Ubuntu, as its easiest for anyone to setup.
These post will be split up into categories, and when needed will indicate a difference in procedure between the devices.
Table of Contents:
1) General Setup (Dependices and Tools)
2) Boot and Recovery Modifications
3) System image modification (Also applicable to cache and hidden images found in firmware package)
4) Miscellaneous
Links:
- XCover3:
android_device_samsung_xcover3ltexx(To be added)
platform_manifest (To be added)
local_manifests (To be added)
android_kernel_samsung_xcover3ltexx
proprietary_vendor_samsung(To be added)​
- XCover3 Value Edition:
android_device_samsung_xcover3ltexxve(To be added)
platform_manifest (To be added)
local_manifests (To be added)
android_kernel_samsung_xcover3ltexxve(To be added)
proprietary_vendor_samsung(To be added)​
- General Setup
# Installing dependices (assuming Ubuntu >=15.04).
A 64-bit Operating system is needed when compiling ROMS, Kernels or Recoverys.
The dependices used are gathered from Android Establishing a Build Enviromentpage and Android Image Repack tools thread.
Code:
sudo apt-get update
sudo apt-get install git git-core gnupg flex bison gperf build-essential zip curl zlib1g-dev gcc-multilib g++-multilib libc6-dev libncurses5-dev x11proto-core-dev libx11-dev lib32z-dev ccache libgl1-mesa-dev libxml2-utils xsltproc unzip openssl libsdl-dev libesd0-dev valgrind libreadline6-dev x11proto-core-dev libz-dev gawk texinfo automake libtool cvs libsdl-dev
# Create Working Directory
It is also recommended to create a working directory for when working with android, keeping everything centeralized is helpful.
Code:
cd ~
mkdir android
# Compiling Android Image Repack Tools: Android Image Repack Tools is a kit of utilites for unpack/repack of android ext4 and boot images(Useful for working with android).
Refer to the thread linked above on different examples/instructions on using the binary files.
Note: I've provdided a copy of the precompiled binary files, compiled agianst android-5.1.1 branch on a 32-bit machine (meaning compatabile with 64/32 bit machines).
For Marshmallow:
Code:
cd ~/android
git clone https://github.com/ASdev/android_img_repack_tools
cd android_img_repack_tools
git checkout android-6.0.1
chmod +x configure
./configure
make
This creates the directory, downloads the source code, and creates the binary files.
For Lollipop (@AkuHaks version, extra tools included for the SM-G388F):
Code:
cd ~/android
git clone https://github.com/AkuHAK/android_img_repack_tools
cd android_img_repack_tools
chmod +x configure
./configure
make
# mkbootimg_tools, from xiaolu (Use for Value edition)
Code:
cd ~/android
git clone https://github.com/xiaolu/mkbootimg_tools
- Boot and Recovery Modifications
# Unpack boot and recovery
For Marshmallow:
Code:
cd ~/android/mkbootimg_tools
mkdir boot
./mkboot boot.img boot
usage: mkboot
unpack boot.img & decompress ramdisk:
mkboot [output dir]
[/INDENT]
Example output:
[CODE]
dt.img
img_info
kernel
ramdisk
ramdisk.cpio.gz
[/CODE]
For [B]Lollipop[/B]:
[CODE]
cd ~/android/android_img_repack_tools
mkdir boot
./pxa1088-unpackbootimg -i boot.img -o boot -p 2048
[/CODE]
Example output:
[CODE]
boot.img-base
boot.img-cmdline
boot.img-dt
boot.img-pagesize
boot.img-ramdisk.gz
boot.img-ramdisk_offset
boot.img-second
boot.img-second_offset
boot.img-signature
boot.img-tags_offset
boot.img-uImage
boot.img-unknown
[/CODE]
# Repack boot and recovery
For [B]Marshmallow[/B][I](Example, substitute names as necessary)[/I]:
[B]Note:[/B] I have yet to try a repacked boot.img on a Value Edition Variant
[CODE]
cd ~/android/mkbootimg_tools
./mkboot boot boot-new.img
[/CODE]
usage: mkboot
Use the unpacked directory repack boot.img(img_info):[INDENT]
mkboot [unpacked dir] [newbootfile]
[/INDENT]
For [B]Lollipop[/B][I](Example, substitute names as necessary)[/I]:
[CODE]
cd ~/android/android_img_repack_tools
./pxa1088-mkbootimg --kernel boot.img-uImage --ramdisk ramdisk-custom-supersu.cpio.gz --dt boot.img-dt --signature boot.img-signature --unknown 0x3000000 -o ../boot-supersu.img
[/CODE]
usage: mkbootimg [INDENT]
--kernel <filename>
[ --ramdisk <filename> ]
[ --second <2ndbootloader-filename> ]
[ --cmdline <kernel-commandline> ]
[ --board <boardname> ]
[ --base <address> ]
[ --pagesize <pagesize> ]
[ --dt <filename> ]
[ --ramdisk_offset <address> ]
[ --second_offset <address> ]
[ --tags_offset <address> ]
[ --id ]
[ --signature <filename> ]
-o|--output <filename>
[/INDENT]
# Ramdisk Unpack/Repack
Unpack
[CODE]
mkdir ramdisk
cd ramdisk
gunzip -c ../ramdisk.cpio.gz | cpio -i
[/CODE]
Repack
For [B]Marshmallow[/B]:
[B]Note:[/B] I have yet to repack the Value-edition/Marshmallow ramdisk so cannot verify it works (unlike lollipop), so if any errors please contact me. Feel free to try and unpack/repack the Value editon ramdisk/boot.img with lollipop instructions, if below doesn't work.
[CODE]
find . | cpio -o -H -R 0.0 newc | gzip > ../ramdisk-new.cpio.gz
[/CODE]
For [B]Lollipop[/B]:
[CODE]
./mkbootfs ramdisk-directory-name | ./minigzip > ramdisk-new.cpio.gz
[/CODE]
# Compile Kernel
Assumes kernel source is like "~/android/kernel" adapt paths as necessary.
For [B]Marshmallow[/B]:
[CODE]
cd ~/android
git clone https://android.googlesource.com/platform/prebuilts/gcc/linux-x86/arm/arm-linux-androideabi-4.9
export CROSS_COMPILE=~/android/arm-linux-androideabi-4.9/bin/arm-linux-androideabi-
cd kernel
make ARCH=arm xcover3velte_eur_defconfig
# You can run "make menuconfig" now if you want to customize the config file. E.g. Adding driver support, enable other features etc.
make ARCH=arm -j<number-of-cpus>
# E.g. "make ARCH=arm -j4"
[/CODE]
[B]Note:[/B] Replace the "<number-of-cpus>" in "-j<number-of-cpus>" with the number of processors you have plus one. For example if you have 4 cores then enter 5. If your getting errors then rebuild it with "-j1" then scroll up till you found the source of the error.
If the compile succeded the you should see "kernel: arch/arm/boot/zImage is ready"
For [B]Lollipop[/B]:
[CODE]
cd ~/android
git clone https://android.googlesource.com/platform/prebuilts/gcc/linux-x86/aarch64/aarch64-linux-android-4.8
export CROSS_COMPILE=~/android/aarch64-linux-android-4.8/bin/aarch64-linux-android-
cd kernel
make ARCH=arm64 pxa1908_xcover3lte_eur_defconfig
# You can run "make menuconfig" now if you want to customize the config file. E.g. Adding driver support, enable other features etc.
make ARCH=arm64 -j<number-of-cpus>
# E.g. "make ARCH=arm64 -j4"
[/CODE]
[B]Note:[/B] Replace the "<number-of-cpus>" in "-j<number-of-cpus>" with the number of processors you have plus one. For example if you have 4 cores then enter 5. If your getting errors then rebuild it with "-j1" then scroll up till you found the source of the error.
If the compile succeded the you should see "kernel: arch/arm64/boot/Image.gz is ready"
# Package Kernel into uImage (SM-G388F ONLY)
[CODE]
mkimage -A arm64 -O linux -T kernel -C gzip -a 01000000 -e 01000000 -d Image.gz -n "pxa1928dkb linux" "boot.img-uImage.new"
[/CODE]
# Generate kernel Specific device tree table (From Kernel Sources, Post-Compile)
[B]NOTE:[/B] This shouldn't need to be done as stock dt.img is the same, so use that. This is only here for educational purposes.
This assumes ~/android/kernel/ is you kernel source code directory. Substite paths as neccessary
For [B]Marshmallow[/B]:
Place either dtbTool or dtbToolCM (Depending on what your using), into ~/android/kernel/scripts and run the binary files from there.
If unable to create use the below binarys then try the lollipop instructions.
dtbTool
[CODE]
cp ~/android/mkbootimg_tools/dtbTool ~/android/kernel/scripts
cd ~/android/kernel
scripts/dtbTool -s 2048 -o arch/arm/boot/dt.img -p scripts/dtc/ arch/arm/boot/
[/CODE]
usage: DTB combiner:
Output file must be specified
dtbTool [options] -o <output file> <input DTB path>
options:
--output-file/-o output file
--dtc-path/-p path to dtc
--page-size/-s page size in bytes
--verbose/-v verbose
--help/-h this help screen
OR
dtbToolCM (support dt-tag & dtb v2/3)
[CODE]
cp ~/android/mkbootimg_tools/dtbTool ~/android/kernel/scripts
cd ~/android/kernel
scripts/dtbToolCM -s 2048 -d "htc,project-id = <" -o arch/arm/boot/dt.img -p scripts/dtc/ arch/arm/boot/
[/CODE]
For [B]Lollipop[/B]:
[CODE]
cd ~/android/android_img_repack_tools
./pxa1088-dtbTool -o boot.img-dt-new -p kernel/scripts/dtc kernel/arch/arm64/boot/dts/
[/CODE]
# Repack as Flashable Odin File (Substitute name as neccessary)
tar -H ustar -c boot.img > boot.tar
md5sum -t boot.tar >> boot.tar
mv boot.tar boot.tar.md5
[/CODE]
[/HIDE]
- System image modifcation
[HIDE]
<To be ADDED>
[/HIDE]
- Miscellaneous
[HIDE]
<To be ADDED>
[/HIDE]​
Kernels:
- MyKernel - Custom power kernel series ! (SM-G389f) (Originally called: Devhost97 Kernel's ....) @Devhost97
-DiXCOVERy kernel (SM-G388f) @IXgnas
Roms:
- Flint & Steel ROM (Modded Firmware), planned realse is hopefully at beginning of next year. Follow its progress at the post HERE . Creator is @Matt07211 (Me)
Recommended Mods:
- Xposed using wanam's framework (Lollipop & Marshmallow),HERE, and use the newest XposedInstaller apk from, HERE. Flash the framework via TWRP.
- Arise Sound Mod, HERE. Flash via TWRP.
Recommend Root Apps, by Matt07211:
- Liveboot
- CF.Lumen
- Titanium Backup
- Adaway
- Kernel Auditor
- Terminal Emulator
Recommend Xposed Apps, by Matt07211
- <To be added>
Miscellaneous:
- Debloater Thread by @Sonof8Bits
<Reserved for Future Use>
<Reserved for Future Use>
Problem
Matt07211 said:
Preface: I'm currently using this device and really like it, and as you all may have realised, that this device is considered as a low activity device on XDA, and know developers I know of have taken a crack at this phone. This is where I come in, I like hacking into stuff for the challenge it presents, and I have set myself the challenge that is this device. This is a continuous learning experience for me and all, so I am by far not considered an expert.
If some area are empty, they will have more content in the future as we progress with this awesome device.
Feel free to post any mods that have worked (preferably in systemless mode)
Table of Contents:
Post 1) Root and TWRP
Post 2) Mods (Mostly Systemless versions)
Post 3) Roms
Post 4) --Reserved for future use--
Useful Links:
My Github (Matt07211) to keep with the GPL licences I will upload evrything onto my github (Also its a shameless plug )
My Github Pages Blog for guide on how I manually applied systemless update to boot.img (To be linked)
Samsung Kernel Source Code 4.4.4/5.1.1 and 6.0.1
Firmware Samsung xCover 3 and Samsung xCover 3 Value Edition
TWRP
SuperSU
Prerequisites:
ADB Installed
USB Debugging Enabled
Samsung USB Drivers Installed
Samsung ODIN
A Brain that can use common sense or google
Disclaimer:
Anything you do with your own phone is done at your own risk. Don't complain if accidentally brick your phone, use google, flash back stock firmware or post on XDA for help.
Knox will probably be voided, and so will your warranty.
We cannot say what works for use may work for you.
Good luck
Root:
KitKat:
1) Download the Newest TWRP from the above links, making sure you download the file with the .img.tar extension
2) Download the Newest SuperSu and place on the internal phone memory
3) Turn on USB Debugging
4) Turn phone off, boot into download mode (Power + Volume Down + Home) and then press Volume Up for use when greeted with a yellow warning.
5) Launch ODIN, and plug phone into Computer. You should see some text like this "ID:COM" in green
6) Click the AP button and Select the Downloaded TWRP file, make sure "re-partition" is unticked. Click Start
7) Once flashed, reboot into recovery and Flash SuperSu.zip
Congrats you got root on KitKat
Lollipop (Systemless Root) (EXPERIMENTAL, USE WITH CAUTION):
NOTE: This is currently in the experimental phase as I need users to test and verify that this works
1) Turn on USB Debugging and Download "xCover3-Lollipop-Root-Matt07211.zip" from here.
2) Turn phone off, boot into download mode (Power + Volume Down + Home) and then press Volume Up for use when greeted with a yellow warning.
5) Launch ODIN, and plug phone into Computer. You should see some text like this "ID:COM" in green
6) Click the AP button and Select the Downloaded ".tar.md5, make sure "re-partition" is unticked. Click Start
7) Once flashed, reboot the phone normally, making sure USB Debugging is turned on
8) Copy over "su.img", "Superuser.apk" and "xCover3-root.bat" (For Windows Users) or "xCover3-root.sh" (For Linux Users) into your ADB directory (E.g. android-sdk\platform-tools)
9) Open up a command prompt in the ADB Directory and type either "xCover-root.bat" for windows and for Linux run "xCover-root.sh"
10) Your Device should reboot, and you should have root. Now get an app and verify its existence
NOTE: This is EXPERIMENTAL so this might not work, or will take a few trys to get working, please post if this has worked for you.
Marshmallow:
*To Be looked into, please be patient
Un-root Lollipop and Marshmallow Devices:
1) Click un-root from SuperSu APP
2) Flash Stock Firmware or Stock boot.img (Will post a Link for stock boot.tar.md5 soon)
TWRP:
KitKat: Working
Lollipop: Not Working (I'm looking into it)
Marshmallow: Not Working (I'm looking into it)
Flash Stock Firmware:
1) Download the stock firmware from above links, making sure the version matches your phone
2) As with the other steps, boot into download mode and connect it to Odin, click the AP button and click on the stockfirmware. Then Click Start
3) Give it some time (Max 10mins) to boot and setup for the first time, if it doesn't after a long time, reflash the stockfirmware again.
Now look at the next post
Click to expand...
Click to collapse
When I click on AP in Odin and choose boot_systemless_root_matt07211.tar.md5 ,it just says md5 error binary is invalid. (tested on ODIN 3.12.3 and 3.10)
Oh sorry you said its not working nvm
EzChillzz said:
When I click on AP in Odin and choose boot_systemless_root_matt07211.tar.md5 ,it just says md5 error binary is invalid. (tested on ODIN 3.12.3 and 3.10)
Oh sorry you said its not working nvm
Click to expand...
Click to collapse
I tryed the root for Lollipop. Odin will no flash the tar.md5. There is one mistake by md5. If you rename the file to *.tar odin accept the file. if try to flash odin hang of with outprint analyse file. i wait on this for 10 min nothing goes happen.
I can try to flash with heimdall. for this i need the *img file
sorry for my bad english
EzChillzz said:
When I click on AP in Odin and choose boot_systemless_root_matt07211.tar.md5 ,it just says md5 error binary is invalid. (tested on ODIN 3.12.3 and 3.10)
Oh sorry you said its not working nvm
Click to expand...
Click to collapse
yy1 said:
I tryed the root for Lollipop. Odin will no flash the tar.md5. There is one mistake by md5. If you rename the file to *.tar odin accept the file. if try to flash odin hang of with outprint analyse file. i wait on this for 10 min nothing goes happen.
I can try to flash with heimdall. for this i need the *img file
sorry for my bad english
Click to expand...
Click to collapse
Well I'm stupid when I created it I was pretty tired, so I only included the md5 hash of the .tar file but not the .tar file itself as @yy1 has stated, it should be reuploaded in a couple of minutes. It should all work then, and now you have the file to flash and an md5 hash to compare it to make sure it isn't courrupt. Good luck and please report back to me of it was succesful @yy1 and @EzChillzz
Try to flash your boot.img. Reboot stop with KERNEL IS NOT SEANDROID ENFORCING (Android 5.1.1.)
yy1 said:
Try to flash your boot.img. Reboot stop with KERNEL IS NOT SEANDROID ENFORCING (Android 5.1.1.)
Click to expand...
Click to collapse
The question is does it boot up? If so then that message can be ignored, if not then I will look into it. Just flash original boot.img or firmware to go back to a useable phone. Thanks for testing
Did you get a message with both these sentences in or just the first sentence"KERNEL IS NOT SEANDROID ENFORCING. Custom binary blocked by FRP Lock" ???
It doesn't boot up. Black screnn with boot logo and red warning on top. i flash the original boot.img anything okay.
what means fap lock?
yy1 said:
It doesn't boot up. Black screnn with boot logo and red warning on top. i flash the original boot.img anything okay.
what means fap lock?
Click to expand...
Click to collapse
Was ment to FRP not FAP, autocorrect strikes again. FRP = Factory Rest Protection.Google it if you want more info, basically another barrier to stop thieves. As I reading up on this user's are stating (in a sepolicy patch thread) that when flashing boot.img via odin their phone wouldn't boot up, but said flashing bootmimg via TWRP works.
Questions:
1) When you flash the custom boot.img, does it freeze and nothing happens? Or does it reboot automatically?
2) are you using heimdall or Odin?
Tasks:
1) Flash the boot.img via Heimdall (if you've been using odin) and report back if it was a succes.
2) if possible, if adb is running, can you pull the dmesg off the device before restoring the original boot.img as this will help in debugging this problem.
E.G. "G:\" is the hard drive plugged into my computer, adjust as necessary.
Code:
adb shell dmesg >> G:\dmesg.txt
3) ALSO TRY, after you flash the custom boot.img can you try booting into recovery (Volume Up + Home + Power Button) and try wiping cache before trying to properly boot the phone. Maybe you could also when in recovery tell me what the log files say? @yy1
Still currently searching what is blocking the custom boot.img from booting the phone.
I really appreciate the help
Flash your boot.img via heimdall once again. with no reboot option. go to recovery and wipe cache. after start the phone boot anytime in recovery. flash via heimdall original boot img anyhing okay.
adb not work. there are logfiles in recovery but i don't know they way to put that from phone to pc. Sorry for that.
yy1 said:
Flash your boot.img via heimdall once again. with no reboot option. go to recovery and wipe cache. after start the phone boot anytime in recovery. flash via heimdall original boot img anyhing okay.
adb not work. there are logfiles in recovery but i don't know they way to put that from phone to pc. Sorry for that.
Click to expand...
Click to collapse
I won't be able to look into it today as i have important stuff happening. Will post back later with some more info, sorry about the wait then. Thanks for the help
===================================
Can you try this, as it will greatly help in diagnosing the problem.
Flash the custom boot.img, don't boot the phone yet. Then can you run
Code:
adb start-server
In a terminal/command prompt, then turn on the phone with the adb dmesg command from the previous post already in the terminal for you to hit enter when needed.
Turn on the phone now, and hit enter to run the above command before the phone stops and reboots itself.
Thanks.
Edit 2: When devloping the boot.img, I had to use chainfires supolicy binary to patch the sepolicy in boot.img, with one of it tasks is to patch the recovery from enforcing to permissive mode.
So in an educated geuss, and with information in other forms (user reported that they are unable to flash a custom boot.img via odin but able to via TWRP), that we may be able to flash the boot.img via recovery. See instructions for testing this below.
1) Download both the 3.0.2-1 and 2.0.8-* version of twrp (.img.tar) as we should try both of them <Linked in original post>
2) Flash my custom boot.img and then the twrp files with auto reboot turned off
3) once they both flash, boot into recovery (give it 5-10 mins, if nothig happens then it didn't work)
4) if it actually worked and booted into recovery, flash the custom boot.img in TWRP and try rebooting normally
5) If it managed to get this far, then continue from my original post by tuning either the root script/bat file
Please Report how far you got in this process or if it worked.
===================================
I am currently trying different versions of my boot.img, will post once I have it working properly
No way for me to give you adb log-file, because adb find no device if phone in download- or recovery-mode.
try the second way. Flash boot.img and recovery.img (TWRP) start the phone in recovery-mode. red warning on top RECOVERY IS NOT SEANDROID ENFORCING.
wait 5 minutes phone starts automatic in normal-mode.
yy1 said:
No way for me to give you adb log-file, because adb find no device if phone in download- or recovery-mode.
try the second way. Flash boot.img and recovery.img (TWRP) start the phone in recovery-mode. red warning on top RECOVERY IS NOT SEANDROID ENFORCING.
wait 5 minutes phone starts automatic in normal-mode.
Click to expand...
Click to collapse
Yea thanks for that, I had been trying a bunch of combinations yesterday with none of them working. And when trying to find what blocks custom boot.img from booting up, all I come across is stuff staying to flash back stock firmware, but nothing for the reasons why.
But I have some stuff to look in to and will replie back when done (if I'm succesful or not)
These include:
- looking more into pains secure download mode and what it does
- having a go with exploiting a bug that had happend with stock recovery. Running 4.0 (we are not running this version of android) and recovery version 3e(our stock recovery version ) where you could flash updates.zip signed with testkeys instead of the manufacturers keys
- OR try getting TWRP to run on lollipop (probably have to rebuild it) this leaves us with two options in twrp. 1) Flash SuperSu and get system install (probably won't be able to unpack the boot.img) or then flash my customized boot.img for the Systemless version of root.
Either way it may be a little while before lolipop root is working.
I have important exams coming up so this project is gonna have to be out onto the backburner for about 4 weeks or so, meaning I won't be putting much effort into this for a while, but will continue it after the exams. @yy1
- '
@yy1 I belive I have found out why the phone won't boot when using the custom boot.img
I belive it has to do with the unpacking/repacking of the ramdisk.cpio.gz file. When ever I try to boot an image with a repacked ramdisk the phone won't boot.
I know that the phone can boot custom boot.img 's as I removed the word "SEANDORID" from the original and flashed it to my phone. My phone booted up, even when the red text (KERNEL IS NOT SEANDROID ENFORCING) was shown at the top of my phone.
So once I got it got it booting I will post back here.
My previous post, was somewhat on par. What I mean by this is yes, the ramdisk was a reason why it was not boot, but not for any reasons like permissions, ownership or the like, it was in fact that when unpacking and repacking the cpio archive increase the size, and from what I have reduced from my trial and errors is when the boot.img size is changed by even one byte in size it won't boot. But you are able to modify its contents with a hex editor, E.G. Zeroing out the word SEANDROIDENFORCING at the bottom of the raw image file, would still let the phone boot fully with the text show "KERNEL is not SEANDROIDENFORCING" and it showing up as a custom binary in Download more. I belive it may be becuse of some outside security verifying the boot.img. maybe download mode (it's in secure mode, haven't looked into it yet) or some script, I am not sure. And its all most impossible to get any errors logs or dmesg via adb or otherwise, with my only way to read them is via stock recovery, which is a bit impractical and inelegant reading as it speeds past lines you want to read when trying to scroll down (if anyone knows how to pull these logs from cache without a custom recovery or root, please tell me.
Now when I try to replace the ramdisk in boot.img via hex editor the size increase and thus unable to boot. When I try to repack it with various versions of mkbootimg, including Google's python script, other bi nary compiled versions of it by various people and mkbootimg's binary modified to also with with Device Tree Files which get appended onto the boot.img. I have analysed and reverse enginered the boot.img file, and analyzed the other files included with the stock firmware downloadable from sites like sammobile, sam-firmware etc.
I will be updating one of the is original post with all the information that I have uncovered, I'm great detail and when my internet situation allows (my mobile data is running low, lol), upload the reversed enginered files of boot.img for anyone else to inspect and have a crack at creating their own custom kernel/boot.img.
TL;DR: Uploading detailed information and reverse enginered files of boot.img. Any of my custom boot.img's won't boot if the size changes at the minimum one byte from the original boot.img, but the phone can boot a custom version if the size of the file size deos not change a single byte.
Hi;
TWRP is ready for SM-G389F :
https://twrp.me/devices/samsunggalaxyxcover3ve.html
Heledir said:
Hi;
TWRP is ready for SM-G389F :
https://twrp.me/devices/samsunggalaxyxcover3ve.html
Click to expand...
Click to collapse
This currently only works for Kit Kat, after I unpacked it I read the files at it was aimed at android 4.4.4. I am, after I have my exams in the next few weeks I am gonna try and get TWRP working on lollipop (after I got root )
Software for Samsung Galaxy Xcover 3 VE (SM-G389F) is Android 6.0, so I think it's for MM. The links:
- Device Tree / files
https://github.com/TeamWin/android_device_samsung_xcover3velte
Say its Android 6.0 branch.
I've install it yesterday with Odin and it works fine on my SM-G389F.
But i haven't find root for SM-G389F and MM.

Fire hd8 2017 root, debrick

Tested only on 2017 hd8
This post is outdated please refer to: https://forum.xda-developers.com/hd8-hd10/orig-development/unlock-fire-hd-8-2017-douglas-t3962846
1 - Open your fire hd 8 7th gen, now you need to access the pads under the board(be very careful there is a lot of glue), specifically we need the pad TP28 which is the clk signal of the emmc
2 - Get yourself a wire (I recommend one with only one conductor in the plastic shroud) or something conductive
3 - Now on a linux machine/vm (if you use a vm, do usb passthrough) go in the amonet folder and do:
Code:
sudo ./bootrom-step.sh
4 - When you see:
Code:
[2019-02-07 14:35:59.478924] Waiting for bootrom
short TP28 to ground (there is a big pad near TP28, its ground so you can use it) and plug the usb
5 - If the operation is successful you should be prompted to remove the short and press enter
6 - Wait until the script end if it's succesfull you will see:
Code:
[2019-02-07 12:11:05.621357] Reboot to unlocked fastboot
in case of any error probably you should start again from step 4
7 - now the device should reboot and go automatically in fastboot mode (if not, try unplug and plug back the usb), you can reflash any partition ex:
Code:
sudo fastboot flash <partition-name> <image-file.img>
The boot partition need to be flashed on the device in order to recover from the first part of the guide so:
Code:
sudo fastboot flash boot boot.img
You can extract boot.img from the ota archive
Becouse there is no system partition check on th 7th gen you can flash a modified system.img (a rooted one)
i will link the ota where i've extracted the .img (sorry i can't upload mine becouse my up speed is trash, 512kbit/s)
8 - Now, again on al linux machine/vm go in the folder amonet-res and run again:
Code:
sudo ./bootrom-step.sh
the steps are the same as from 3 to 6
9 - your table should reboot into FireOS
Recover from flashing the 8th gen exploit
in step 7, when you get into fastboot mode do:
Code:
sudo fastboot flash boot boot.img
with the boot.img from an ota then proceed with the other step
Ready to flash rooted system
Instead of make your own modified system image, you can flash this (thanks to @JJ2017) https://mega.nz/#F!G7pn3SCS!TWhEmzSFNctoil626IbF3A
download both boot and system from the mega link then, once you get in the fastboot mode in step 7, run from the directory where the downloaded system.img and boot.img are:
Code:
sudo fastboot flash system system.img
sudo fastboot flash boot boot.img
This method require you to install the SuperSu app (download an apk from a site like APKmirror)
Make your own system.img
Download this : https://raw.githubusercontent.com/xpirt/sdat2img/master/sdat2img.py
(assuming debian or ubuntu distro) install android-tools-fsutils
1 - get yourself an ota archive
2 - extract it
3 - put sdat2img.py in the same directory as the extracted ota
4 - do
Code:
python2 sdat2img.py system.transfer.list system.new.dat system.img
5 - now do
Code:
mkdir system && sudo mount system.img system
6 - now you can modify the image and for example install SuperSU (Install SuperSu on system.img section of the thread)
7 - unmount the image
8 - do
Code:
img2simg system.img system-a.img
9 - in fastboot mode do:
Code:
sudo fastboot flash system system-a.img
sudo fastboot flash boot boot.img
run the commands in the same folder as the .img
Install SuperSu on system.img
Coming soon. for now you can refer to Building the system image section of this post (thanks to @cybersaga) https://forum.xda-developers.com/showpost.php?p=78864228&postcount=31
Or try this script for creating a rooted system.img (thanks to @SirausKen) https://forum.xda-developers.com/showpost.php?p=78868608&postcount=39
My terminal output while i'm flashing rooted system.img
https://pastebin.com/hn2Rhk87
Thanks
- xyz' for the amonet exploit chain
- <br > for the emmc pinout
- xpirt for sdat2img
looks like I got something to try this evening.
Thanks!
NFSP G35 said:
looks like I got something to try this evening.
Thanks!
Click to expand...
Click to collapse
Please post your results
Ok, I'm gathering the required stuff to try this out.
I'm going to go through your method exactly, but I'm curious... (and this is probably a stupid question that's already been answered somewhere else) why can't we flash TWRP?
Is it just me, or is the process of manually applying SuperSU to the system image a huge pain?
Got to put it on pause for tonight. Any tips or suggestions are welcome though!
NFSP G35 said:
Is it just me, or is the process of manually applying SuperSU to the system image a huge pain?
Got to put it on pause for tonight. Any tips or suggestions are welcome though!
Click to expand...
Click to collapse
Yeah I feel like step 6 could be expanded into, like, 5 steps. I'm not sure how that's done either.
Can confirm working....
Awesome work @t0x1cSH.... after many an hour.... yes, your method successfully root Fire HD8 (2017)
Pretty much followed your guide - managed the 'SU' injection with help from the method description @ <br /> Hardmod Root (https://forum.xda-developers.com/hd...ot-hardmod-root-amazon-fire-hd-8-7th-t3851617)
Actually, not too difficult compared to the Hardmod - when fully written up this will be a game-changer
Many thanks: :good::good::good:
BTW: used Fire OS 5.3.6.4 (most recent)
I'll probably give it a try this weekend. Where did you get the OTA update from?
Update: Nevermind, I found it: https://www.amazon.ca/gp/help/customer/display.html/ref=hp_left_v4_sib?ie=UTF8&nodeId=202144610
I'm not great at Linux commands. Would anyone be kind enough to tell me how to modify the system image to include root?
I'll try this weekend as well.
niggabyte said:
I'm not great at Linux commands. Would anyone be kind enough to tell me how to modify the system image to include root?
Click to expand...
Click to collapse
See the previous post (or more to the point, see the section "Writing SuperSU" in <br />'s thread...
JJ2017 said:
... managed the 'SU' injection with help from the method description @ <br /> Hardmod Root (https://forum.xda-developers.com/hd...ot-hardmod-root-amazon-fire-hd-8-7th-t3851617)
Click to expand...
Click to collapse
Also, thanks @JJ2017 for pointing out that thread had the steps for manually patching in SuperSU.
I thought I remembered seeing it before, but couldn't remember where and majorly failed at finding it (meanwhile it's hiding out right under my nose LOL) Probably just too tired.
Anyone who does this successfully could share their patched system.img (preferably just a stock-rooted)
NFSP G35 said:
See the previous post (or more to the point, see the section "Writing SuperSU" in <br />'s thread...
Click to expand...
Click to collapse
Rather embarrassingly, I don't know what commands are required in terminal for copying, moving, and applying permissions to files...
niggabyte said:
I'm not great at Linux commands. Would anyone be kind enough to tell me how to modify the system image to include root?
Click to expand...
Click to collapse
niggabyte said:
Rather embarrassingly, I don't know what commands are required in terminal for copying, moving, and applying permissions to files...
Click to expand...
Click to collapse
No problem. Linux can be intimidating at first... Believe me, I've been there!
Fortunately, it's not hard to come up to speed and quite a rewarding experience.
Grab yourself a Linux cheat-sheet: https://www.google.com/search?q=linux+cheat+sheet&tbm=isch
I believe cp and chmod are mainly what you'll need.
NFSP G35 said:
See the previous post (or more to the point, see the section "Writing SuperSU" in <br />'s thread...
Also, thanks @JJ2017 for pointing out that thread had the steps for manually patching in SuperSU.
I thought I remembered seeing it before, but couldn't remember where and majorly failed at finding it (meanwhile it's hiding out right under my nose LOL) Probably just too tired.
Anyone who does this successfully could share their patched system.img (preferably just a stock-rooted)
Click to expand...
Click to collapse
I was about to ask the same thing, if someone want to share their rooted and preferably stock system images (like a MEGA link) i will put them on the main thread (with credits of course)
With my internet connection, upload my system.img will take forever
JJ2017 said:
BTW: used Fire OS 5.3.6.4 (most recent)
Click to expand...
Click to collapse
Their site says that 5.6.3.0 is the most recent: https://www.amazon.ca/gp/help/customer/display.html/ref=hp_left_v4_sib?ie=UTF8&nodeId=202144610
Are we looking at the same thing?
I'm wondering because I just went through this process and now the tablet won't boot. It's stuck at the "fire" logo.
So where did you get your OTA file?
cybersaga said:
Their site says that 5.6.3.0 is the most recent: https://www.amazon.ca/gp/help/customer/display.html/ref=hp_left_v4_sib?ie=UTF8&nodeId=202144610
Are we looking at the same thing?
I'm wondering because I just went through this process and now the tablet won't boot. It's stuck at the "fire" logo.
So where did you get your OTA file?
Click to expand...
Click to collapse
my guess is that you probably created a wrong symbolic link for app_process, the command should be something like:
Code:
ln -s system/xbin/daemonsu bin/app_process
t0x1cSH said:
my guess is that you probably created a wrong symbolic link for app_process, should be something like:
Code:
ln -s system/xbin/daemonsu bin/app_process
Click to expand...
Click to collapse
I did create that. I kept track of all the commands I typed. But I remounted the image to check and it's there:
Code:
[email protected]:~/Desktop# ls -l system/bin/app_process
lrwxrwxrwx 1 root root 13 Feb 8 17:09 system/bin/app_process -> xbin/daemonsu
cybersaga said:
I did create that. I kept track of all the commands I typed. But I remounted the image to check and it's there:
Code:
[email protected]:~/Desktop# ls -l system/bin/app_process
lrwxrwxrwx 1 root root 13 Feb 8 17:09 system/bin/app_process -> xbin/daemonsu
Click to expand...
Click to collapse
Should be (straight from the device)
t0x1cSH said:
Should be (straight from the device)
Click to expand...
Click to collapse
That makes a whole lot of sense! I'll try again.
---------- Post added at 06:47 PM ---------- Previous post was at 06:10 PM ----------
Hrm... now it's stuck at the Amazon logo. That's a step back.
I'll retrace my steps.
cybersaga said:
That makes a whole lot of sense! I'll try again.
---------- Post added at 06:47 PM ---------- Previous post was at 06:10 PM ----------
Hrm... now it's stuck at the Amazon logo. That's a step back.
I'll retrace my steps.
Click to expand...
Click to collapse
try to clear the cache from the recovery (power + volume down) and remember to flash boot.img from the recovery, if you forgot it the tablet will hang on the amazon logo

[UNLOCK][ROOT][TWRP][UNBRICK] Fire HD 8 2017 (douglas)

Read this whole guide before starting.
This is for the 7th gen Fire HD8 (douglas).
Current version: amonet-douglas-v1.2.zip
NOTE: This process does not require you to open your device, but should something go horribly wrong, be prepared to do so.
NOTE: This process will modify the partition-table (GPT) of your device.
NOTE: Your device will be reset to factory defaults (including internal storage) during this process.
What you need:
A Linux installation or live-system
A micro-USB cable
Install python3, PySerial, adb, fastboot dos2unix. For Debian/Ubuntu something like this should work:
Code:
sudo apt update
sudo add-apt-repository universe
sudo apt install python3 python3-serial adb fastboot dos2unix
1. Extract the attached zip-file "amonet-douglas-v1.1.zip" and open a terminal in that directory.
NOTE: If you are already rooted, continue with the next step, otherwise get mtk-su by @diplomatic from here and place (the unpacked binary) into amonet/bin folder
2. Enable ADB in Developer Settings
3. Start the script:
Code:
sudo ./step-1.sh
Your device will now reboot into recovery and perform a factory reset.
NOTE: If you are on a firmware newer than 5.6.4.0, a downgrade is necessary, this requires bricking the device temporarily. (The screen won't come on at all)
If you chose the brick option, you don't need to run step-2.sh below:
Make sure ModemManager is disabled or uninstalled:
Code:
sudo systemctl stop ModemManager
sudo systemctl disable ModemManager
WARNING: Do not use bootrom-step-minimal.sh if you bricked using brick(-9820).sh!
You will need to use bootrom-step.sh.
After you have confirmed the bricking by typing "YES", you will need disconnect the device and run
Code:
sudo ./bootrom-step-minimal.sh
Then plug the device back in.
It will then boot into "hacked fastboot" mode.
Then run
Code:
sudo ./fastboot-step.sh
NOTE: When you are back at initial setup, you can skip registration by selecting a WiFi-Network, then pressing "Cancel" and then "Not Now"
NOTE: Make sure you re-enable ADB after Factory Reset.
4. Start the script:
Code:
sudo ./step-2.sh
The exploit will now be flashed and your device will reboot into TWRP.
You can now install Magisk from there.
Going back to stock
Extract the attached zip-file "amonet-douglas-return-to-stock.zip" into the same folder where you extracted "amonet-douglas-v1.0.zip" and open a terminal in that directory.
You can go back to stock without restoring the original partition-table, so you can go back to unlocked without wiping data.
Just use hacked fastboot to
Code:
sudo fastboot flash recovery bin/recovery.img
If you want to go back completely (including restoring your GPT):
Code:
sudo ./return-to-stock.sh
Your device should reboot into Amazon Recovery. Use adb sideload to install stock image from there. (Make sure to use FireOS 5.6.4.0 or newer, otherwise you may brick your device)
Important information
In the new partitioning scheme your boot/recovery-images will be in boot_x/recovery_x respectively, while boot/recovery will hold the exploit.
TWRP takes care of remapping these for you, so installing zips/images from TWRP will work as expected.
Don't flash boot/recovery images from FireOS (FlashFire, MagiskManager etc.) (If you do anyway, make sure you flash them to boot_x/recovery_x)
Should you accidentally overwrite the wrong boot, but your TWRP is still working, rebooting into TWRP will fix that automatically.
TWRP will prevent updates from overwriting LK/Preloader/TZ, so generally installing an update should work without issues (only full updates, incremental updates won't work).
For ROM developers there is still an option to overwrite these, which should only be done after thorough testing and if needed (LK should never be updated).
It is still advised to disable OTA.
Very special thanks to @xyz` for making all this possible and putting up with the countless questions I have asked, helping me finish this.
Special thanks also to @diplomatic for his wonderfull mtk-su, allowing you to unlock without opening the device.
Thanks to @t0x1cSH and @breakfastofsecrets for testing.
Reserved #1
Changelog
Version 1.2 (15.10.2019)
Increase boot.hdr size to avoid crashes with leftovers of boot.img
Version 1.1 (02.09.2019)
Add system_image to TWRP
Add serialno to GPT-folder to avoid mixups between 16G and 32G
Add scripts to fix GPT
Features.
Hacked fastboot mode lets you use all fastboot commands (flash etc).
Boots custom/unsigned kernel-images (no patching needed)
TWRP protects from downgrading PL/TZ/LK
NOTE: Hacked fastboot can be reached via TWRP.
NOTE: Hacked fastboot doesn't remap partition names, so you can easily go back to stock
Reserved #3
Awesome!
if you can't get in the recovery by long pressing the volume buttons and power button simultaneously, during the boot keep both the volume buttons and fastly tap the power button
i had some problems getting by long pressing in the recovery and this worked every time
ty k4y0z
Works perfectly. Thank you very very much!
On a rooted device with a locked bootloader, if I back up system and data only with Flashfire, will I be able to restore these partitions with TWRP after unlocking? Presumably I wouldn't restore the boot partition?
MontysEvilTwin said:
On a rooted device with a locked bootloader, if I back up system and data only with Flashfire, will I be able to restore these partitions with TWRP after unlocking? Presumably I wouldn't restore the boot partition?
Click to expand...
Click to collapse
I think that you can. TWRP supports flashfire backups but as you say don't restore boot.img neither recovery.img.
MontysEvilTwin said:
On a rooted device with a locked bootloader, if I back up system and data only with Flashfire, will I be able to restore these partitions with TWRP after unlocking? Presumably I wouldn't restore the boot partition?
Click to expand...
Click to collapse
Rortiz2 said:
I think that you can. TWRP supports flashfire backups but as you say don't restore boot.img neither recovery.img.
Click to expand...
Click to collapse
Haven't tested, but should work fine, also boot.img should give no issues when restoring.
Only userdata is erased during unlocking, so it should be enough to restore userdata.
k4y0z said:
Haven't tested, but should work fine, also boot.img should give no issues when restoring.
Only userdata is erased during unlocking, so it should be enough to restore userdata.
Click to expand...
Click to collapse
Doesn't the unlock procedure include a factory reset which will wipe settings and apps? By 'userdata' do you mean 'data' or data plus internal storage (user files and photos etc.) or just internal storage?
MontysEvilTwin said:
Doesn't the unlock procedure include a factory reset which will wipe settings and apps? By 'userdata' do you mean 'data' or data plus internal storage (user files and photos etc.) or just internal storage?
Click to expand...
Click to collapse
Yes it does wipe data/userdata including the internal storage.
But it doesn't touch the system-partition.
Everything went super smooth. Many thanks for this, and all your unlocks.
Also, I was able to flash my flashfire system and usedata backups in TWRP with no issues.
Kctucka said:
Everything went super smooth. Many thanks for this, and all your unlocks.
Also, I was able to flash my flashfire system and usedata backups in TWRP with no issues.
Click to expand...
Click to collapse
How do you flash Flashfire backups? I now am unlocked and have TWRP installed, but when I try to restore, TWRP can see the backup folders but does not see any backed-up partitions.
---------- Post added at 10:49 AM ---------- Previous post was at 10:36 AM ----------
OK. I've got it figured out. You have to install the relevant 'twrp.zip' archives from the Flashfire backups.
dear friends
I make backup with twrp ( just system ) and transfer it to other device but when restore system the device stock on amazon i try to flash system by hacked BL flash success but when reboot also stock on amazon logo
deathlessster said:
dear friends
I make backup with twrp ( just system ) and transfer it to other device but when restore system the device stock on amazon i try to flash system by hacked BL flash success but when reboot also stock on amazon logo
Click to expand...
Click to collapse
Maybe you need to do a wipe of userdata and flash the latest boot.img.
thank you Rortiz2 i will try
---------- Post added at 03:36 PM ---------- Previous post was at 03:30 PM ----------
k4y0z said:
Read this whole guide before starting.
This is for the 7th gen Fire HD8 (douglas).
Current version: amonet-douglas-v1.0.zip
NOTE: This process does not require you to open your device, but should something go horribly wrong, be prepared to do so.
NOTE: This process will modify the partition-table (GPT) of your device.
NOTE: Your device will be reset to factory defaults (including internal storage) during this process.
What you need:
A Linux installation or live-system
A micro-USB cable
Install python3, PySerial, adb, fastboot dos2unix. For Debian/Ubuntu something like this should work:
Code:
sudo apt update
sudo add-apt-repository universe
sudo apt install python3 python3-serial adb fastboot dos2unix
1. Extract the attached zip-file "amonet-douglas-v1.0.zip" and open a terminal in that directory.
NOTE: If you are already rooted, continue with the next step, otherwise get mtk-su by @diplomatic from here and place (the unpacked binary) into amonet/bin folder
2. Enable ADB in Developer Settings
3. Start the script:
Code:
sudo ./step-1.sh
Your device will now reboot into recovery and perform a factory reset.
NOTE: If you are on a firmware newer than 5.6.4.0, a downgrade is necessary, this requires bricking the device temporarily. (The screen won't come on at all)
If you chose the brick option, you don't need to run step-2.sh below:
Make sure ModemManager is disabled or uninstalled:
Code:
sudo systemctl stop ModemManager
sudo systemctl disable ModemManager
After you have confirmed the bricking by typing "YES", you will need disconnect the device and run
Code:
sudo ./bootrom-step-minimal.sh
Then plug the device back in.
It will then boot into "hacked fastboot" mode.
Then run
Code:
sudo ./fastboot-step.sh
NOTE: When you are back at initial setup, you can skip registration by selecting a WiFi-Network, then pressing "Cancel" and then "Not Now"
NOTE: Make sure you re-enable ADB after Factory Reset.
4. Start the script:
Code:
sudo ./step-2.sh
The exploit will now be flashed and your device will reboot into TWRP.
You can now install Magisk from there.
Going back to stock
Extract the attached zip-file "amonet-douglas-return-to-stock.zip" into the same folder where you extracted "amonet-douglas-v1.0.zip" and open a terminal in that directory.
You can go back to stock without restoring the original partition-table, so you can go back to unlocked without wiping data.
Just use hacked fastboot to
Code:
fastboot flash recovery bin/recovery.img
If you want to go back completely (including restoring your GPT):
Code:
sudo ./return-to-stock.sh
Your device should reboot into Amazon Recovery. Use adb sideload to install stock image from there. (Make sure to use FireOS 5.6.4.0 or newer, otherwise you may brick your device)
Important information
In the new partitioning scheme your boot/recovery-images will be in boot_x/recovery_x respectively, while boot/recovery will hold the exploit.
TWRP takes care of remapping these for you, so installing zips/images from TWRP will work as expected.
Don't flash boot/recovery images from FireOS (FlashFire, MagiskManager etc.) (If you do anyway, make sure you flash them to boot_x/recovery_x)
Should you accidentally overwrite the wrong boot, but your TWRP is still working, rebooting into TWRP will fix that automatically.
TWRP will prevent updates from overwriting LK/Preloader/TZ, so generally installing an update should work without issues (only full updates, incremental updates won't work).
For ROM developers there is still an option to overwrite these, which should only be done after thorough testing and if needed (LK should never be updated).
It is still advised to disable OTA.
Very special thanks to @xyz` for making all this possible and putting up with the countless questions I have asked, helping me finish this.
Special thanks also to @diplomatic for his wonderfull mtk-su, allowing you to unlock without opening the device.
Thanks to @t0x1cSH and @breakfastofsecrets for testing.
Click to expand...
Click to collapse
I do this method on windows 10 with linux shell and i get success thank you very much
I have unlocked three tablets now. It is very easy, thanks @k4y0z for making it that way. The only problem I had was with my first try on step 1, but that was because my adb and fastboot drivers needed updating.
Is a similar unlock planned for the HD 8, 2016/ 6th gen. Giza?
I still have problem in twrp restore my device now stock on amazon logo please help me
[email protected]:/mnt/c/Users/aimya/Downloads/Compressed/amonet-douglas-v1.0_2/amonet$ sudo ./step-1.sh
[sudo] password for aimyafi:
* daemon not running; starting now at tcp:5037
* daemon started successfully
Stuck at there! What's the problem?

Categories

Resources