Mods, Customization - Snapdragon 835 - Oculus Quest

Hi all, I would like to inquire whether it is possible to root the Quest and introduce mods, launchers, optimizations and customization, especially since it runs a Snapdragon 835?

Hi!
I found that the security patch level of the Quest is a bit old:
2017-10-05
Maybe we can use an existing vulnerability to get root.

Hehe, I like where this is heading.
rurie said:
Hi!
I found that the security patch level of the Quest is a bit old:
2017-10-05
Maybe we can use an existing vulnerability to get root.

rurie said:
Hi!
I found that the security patch level of the Quest is a bit old:
2017-10-05
Maybe we can use an existing vulnerability to get root.
With Android 7.1.1, would any of the methods here work? Has anyone tried yet?

I tried waterdrop (CVE-2019-2025), but no luck.
Info:
http://blogs.360.cn/post/Binder_Kernel_Vul_EN.html
https://www.exploit-db.com/exploits/46503
$ /data/local/tmp/poc
/data/local/tmp/poc: binder_become_context_manager: Device or resource busy
We need a kernel hacker. Can anyone help?
In addition, I found the Quest has Qualcomm's EDL mode. Pressing volume up, volume down and power together will boot it into EDL mode.
The Quest also supports fastboot in USB Update Mode, but "fastboot oem unlock" needs an unlock code.
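As an added example (not posted by anyone in the thread), here is a POSIX shell triage that does what the posts above do by hand: it takes `getprop` output and a kernel version string and reports whether the build's security patch level and kernel predate a reference you supply, so you can tell at a glance which public bugs are even worth trying. The sample property text is constructed from the values quoted in the thread (Android 7.1.1, patch level 2017-10-05, kernel 4.4.21); the reference date and kernel version passed to the functions are placeholders, not the fix dates of any particular CVE. On a real device you would pipe in `adb shell getprop` and `adb shell uname -r` instead of the samples.

```shell
#!/bin/sh
# Added example, not from the thread: offline triage of an Android build's
# patch state from getprop/uname text. Replace the constructed samples with
#   adb shell getprop        and        adb shell uname -r
# when pointing it at a real device.

# Constructed sample mirroring the values reported in the thread.
SAMPLE_PROPS='[ro.build.version.release]: [7.1.1]
[ro.build.version.sdk]: [25]
[ro.build.version.security_patch]: [2017-10-05]'
SAMPLE_UNAME='4.4.21-perf+'

# prop NAME: print the value of one property from getprop-style text on stdin.
prop() {
    sed -n "s/^\[$1\]: \[\(.*\)\]\$/\1/p"
}

# patch_predates PATCH REF: succeed if PATCH (YYYY-MM-DD) is strictly older
# than REF. ISO dates sort correctly as plain strings, so expr's string
# comparison is enough.
patch_predates() {
    expr "$1" \< "$2" >/dev/null
}

# kver_num VERSION: map "4.4.21-perf+" to 4004021 so versions compare as ints.
kver_num() {
    v=$(printf '%s' "$1" | sed 's/[^0-9.].*$//')
    # word-splitting on purpose: major minor patch
    set -- $(printf '%s' "$v" | tr . ' ')
    echo $(( ${1:-0} * 1000000 + ${2:-0} * 1000 + ${3:-0} ))
}

# kernel_older RUNNING WANTED: succeed if RUNNING is an older kernel than WANTED.
kernel_older() {
    [ "$(kver_num "$1")" -lt "$(kver_num "$2")" ]
}

# triage REF_PATCH REF_KERNEL UNAME < getprop-text
# Prints one finding per line. Exit 0 when the patch level or the kernel
# predates the reference, 1 when both are at or past it.
triage() {
    ref_patch=$1 ref_kernel=$2 uname_r=$3
    props=$(cat)
    release=$(printf '%s\n' "$props" | prop ro.build.version.release)
    patch=$(printf '%s\n' "$props" | prop ro.build.version.security_patch)
    hit=1
    echo "Android $release, patch level ${patch:-unknown}, kernel $uname_r"
    if [ -n "$patch" ] && patch_predates "$patch" "$ref_patch"; then
        echo "patch level $patch predates $ref_patch"
        hit=0
    fi
    if kernel_older "$uname_r" "$ref_kernel"; then
        echo "kernel $uname_r is older than $ref_kernel"
        hit=0
    fi
    return $hit
}

# Stand-alone run on the constructed sample. The reference values are
# placeholders; substitute the bulletin date and kernel fix version of
# the bug you intend to try.
printf '%s\n' "$SAMPLE_PROPS" | triage 2019-03-01 4.4.100 "$SAMPLE_UNAME"
```

The patch level only tells you which upstream bugs might still be present; a vendor kernel can carry backported fixes with no change to that string, so treat a hit as a candidate to test, as the post above did with waterdrop, not as a confirmed hole.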

I tried the dirtycow methods but I think that was patched out before this build; no success.
I also tried just running the usual commands to bring up USB tethering, but that seems to need root as well. All I want is better ALVR streaming.

fyi Oculus is unwilling to provide bootloader unlock codes citing section 4.1 of their Terms of Service, as being in conflict with the request.

I found this to be interesting.
I've begun a support request to get the bootloader unlock codes and explicitly began requesting the GPL code (parts of Android and their Linux kernel source). This should give me a few options.
They may or may not decline giving me the bootloader codes. Not the end of the world.
They are legally obligated to give me certain source code for what's running on this device, such as the Linux kernel with the modifications they've made. If they don't provide this source in its entirety, then there are some legal implications involved there. The first response from their support was pretty ignorant. They linked me to some download section of their website that only had developer SDKs, not the sources I was requiring of them.
Anyway, once I have the kernel source, if no bootloader codes are provided, I can begin scouring it for ways to elevate to root at least.

sync.demon said:
Anyway, once I have the kernel source.
I believe the kernel for the oculus go is here:
https://github.com/facebookincubator/oculus-go-kernel
I can't see any published quest kernel, perhaps it's the same?

reclaimyoursenses said:
perhaps it's the same?
It's quite possible for the kernel to be the same. I'm going to await confirmation directly from Oculus. If it goes well, I get to unlock my bootloader on top of having the correct source. If it goes poorly, who knows. I might get to see what the legal side of the GNU GPL looks like.
I really want to audit the support for this device and software I own.

Not the same. The posted kernel for Go is Linux 3 while Quest is using Linux 4.4.21. They've built on Android, which means they're starting with a stock Linux kernel, I don't think getting their sources is going to clue us into anything that can't be known already; they'll just upload that same vanilla Linux 4 kernel source. The drivers they will use for practically everything are almost certainly closed-source. They don't have to provide their kernel configuration either.
Best of luck on getting the bootloader, though; that's the holy grail at the moment.

Well, the dudes that I'm talking with finally provided the kernel source:
https://github.com/facebookincubator/oculus-linux-kernel
It's the Quest Branch of the Oculus Linux Kernel. So we have something to search through for vulnerabilities.
I'm still talking with them about flashing the hardware. I'm not convinced that it's locked, because they seemed a bit confused about what I was talking about. Having not touched phone bootloaders in years, I'm still doing my research into the bootloading stuff, since I'm only guessing that it involves a signature check at the moment.

Waiting for mine to be delivered, where does it store the downloaded game files?

deconfrost said:
Waiting for mine to be delivered, where does it store the downloaded game files?
The game files, if you mean the APK files, are generally stored on the internal sdcard and are available as removable USB storage. I don't think you even need to set it in developer mode to access the APK files. Anyway, if you set the device in the supplied developer mode it works fine. So there is no problem loading your own applications or backing up downloaded games. SideQuest is a great application that simplifies this for semi-advanced users.
You can also use adb quite extensively and, for example, use scrcpy to dump the full screen output to a computer. Overall the Quest allows you to do most things you need.
But... The "problem" is that the Quest Android OS is locked and some things, mainly Ethernet over USB, have been disabled. You can stream video to the Quest via Wi-Fi and play Oculus or SteamVR games that run on your computer fairly decently as it is now (using ALVR), but if Ethernet over USB were activated it could more or less replace an Oculus Rift or other wired unit completely. Oculus would likely not be happy with this since it would threaten their business/market strategies, their segmentation of devices and the Oculus Store. But that is why rooting the device would be interesting.

I've been looking for holes to install the USB Ethernet driver, but with no luck. Hope somebody will root the device so I can use either USB tethering or a USB Ethernet device. I will even pay the person that can crack the device, haha.
If I enter this command:
adb shell am start -a android.intent.action.VIEW -d com.oculus.tv -e uri com.android.settings/.DevelopmentSettings com.oculus.vrshell/.MainActivity
I can't even enable RNDIS manually, but that is logical since they only added the WLAN drivers to the device.

Yes!

I just want to check that you've definitely tried plugging in a USB-C ethernet adapter? If you haven't I'm going to order one, plug in to the Quest and do lsusb.

Guys, if you use 5 GHz Wi-Fi you get speeds way faster than you need anyway. I don't know why you need to enable Ethernet so badly?
The Quest has a better screen resolution than the Rift as well. Games come up mint using ALVR.
I use Moonlight to stream normal non-VR games as well; that also works flawlessly.
However, one thing that doesn't work too well: if I am using ALVR to stream a VR game that uses a gamepad and not the controllers, I pair my Xbox gamepad via Bluetooth and ALVR crashes every time.
When I use Moonlight and the Bluetooth gamepad it does not crash.
This means I can only play VR games which require a gamepad if I am in proximity to the PC itself and not anywhere in the house, which is what I would like.
Has anyone found a solution to this "ALVR crashes with Bluetooth gamepad connected" issue yet?

Quest Root - 90Hz possibility
With the Quest Link coming up and the fact that the Quest's OLED displays apparently can support up to 90 Hz (though they won't change it due to needing to verify it with the FCC), I'm hoping that could be a reason for people to start trying to go for root! Especially with PC VR, a rooted Quest running at 90 Hz would possibly be better than the Oculus Rift S!

One click root???
Has anyone tried a one-click root to get root access?
https://www.xda-developers.com/best-one-click-root-2018/
Maybe Root Master or something else works, because Android 7 was announced on August 22, 2016 and Root Master got its last update in 2017.
Sorry for my bad English.

Related

CWM recovery | Custom Clean ROM | Tweaks for Android watch phone Z1 (MT6516)

Z1 (brand unknown) is a wrist-watch phone with Android OS. It was first released in 4/2012 and it runs Android 2.2.1. It has WiFi, AGPS, GSM/EDGE, a 2 MP camera, mic, speaker, loudspeaker, capacitive touchscreen, a 320x240 display, SDHC & SIM card slots etc.
As with most Chinese phones it has a SoC from MediaTek, the MT6516 (ARMv5).
See my Czech review for photos: http://hodinky.blog.mobilmania.cz/2012/06/z1-hodinko-telefon-s-androidem/
Tweaks/tips for stock ROM (2.2.1)
Market/Google Play is missing in the stock ROM but it can be added if you follow the instructions on this page: http://www.ibuygou.com/p-z1_smart_android_2_2_watch_phone_gps_wifi_bluetooth_html-3638-usd.html (included in Clean ROM)
Default DPI is 120 however most controls are too small. Change it to 160 which will make all icons sharp. (included in Clean ROM)
Typing on tiny QWERTY soft keyboard is a pain, Flit Keyboard makes entering text much easier. (included in Clean ROM)
To enter engineering mode, dial *#*#8787#*#*
ADWLauncher EX works even better if you (see):
Disable all animations including scrolling homescreen
Disable dockbar and use swipe up instead (included in Clean ROM)
4x3 icon layout for home screen and 5x2 for drawer (included in Clean ROM)
Use something like Extended controls for toggles
Use No Lock if you don't need swipe to unlock feature.
Remove alternative Chinese markets and Chinese network account/sync providers from /system/app (included in Clean ROM)
Creating flashable dump
Use MT6516 BackUpTool for dumping your stock rom.
Use MTK_Rom_Studio_1.0.0a for converting dump into flashable format.
Flashing
Basically you need the driver "MT6516_YuSu_USB_VCOM.inf" and the flashing tool "SP Flash Tool v1.1110". All tools can be found on the internet by searching for "MT6516 flash tools". The necessary tools, reuploaded, can also be found here. (I'm not sure about the legality of these tools though.)
You have to use 32-bit Windows (I only tried XP in both VirtualBox and VMware but it could work with 32-bit Vista or 7).
Power off the watch and connect it directly to the PC (no USB hub or extension cable) - a new device will connect for a few seconds - use it to install the driver. Unplug the watch. (You may have to retry that a few times because the watch disconnects within a few seconds.) Open the flashing tool and select the files to flash (I would recommend not flashing anything other than boot/recovery/system/data/logo), hit start and quickly connect the watch - flashing will start automatically.
Recovery
The first build of ClockworkMod 5.0.2.8 seems to be working, however not all of its features have been tested yet!
Recovery can be flashed with "SP Flash Tool" (use provided scatter file).
Rebooting to recovery from launched Android using "reboot recovery" works but I wasn't able to find working button shortcut to launch recovery directly from cold start. Please help me if you find a way!
Custom Clean ROM based on stock 2.2.1
Features
Removed alternative Chinese markets and Chinese (social) network accounts
Integration of Google apps (sync, Google Play, setup wizard etc)
DPI changed to 160 which makes the watch easier to control and the icons sharper
Preconfigured ADW Launcher, Flit keyboard
Includes root with Superuser, Busybox binaries
Minor clean-ups
So far this ROM doesn't include anything a power user from XDA wouldn't be able to customize, but it is meant to save other users the time spent experimenting.
Important notes:
Backing up your current ROM + data is highly recommended (use the above listed MT6516 BackUpTool)
The seller says you shouldn't do a factory reset because of IMEI loss - I can't confirm that - the IMEI is kept even during factory resets so it doesn't seem to be stored in the user data partition. BUT back up your current ROM anyway because I might be wrong.
Clean ROM notes:
The first boot is slow. After the first boot, I recommend not touching the watch for 5-10 minutes because dalvik cache is rebuilding in the background and the setup wizard may lag a lot.
The default ADW launcher is configured to not have app drawer button - swipe up to open drawer
Known issue (to be fixed later): Because of the DPI change - the bottom row of buttons in the Dialer is smaller, however all buttons can be pressed
Known issue (to be fixed later): Because of the DPI change - the Superuser (root) confirmation dialog buttons aren't readable, however the buttons are partly visible and can be pressed (press the bottom left button to allow root access)
Known issue (to be fixed later): Because of DPI change - There is small graphical glitch on the lock screen which however doesn't break anything
Flashing recovery is not needed at all. Just make sure you flash both partitions (it will erase all your data on the watch but not on SD). Follow instructions above on how to flash.
ROM download: http://www.multiupload.nl/3LHJ33CW95
or http://www.multiupload.nl/JK6NOATJ57
CM ROM
WIP, first build of CyanogenMod 7 (2.3.7) booted so I continue testing/evaluating. So far I only used stock kernel but I have source for MT6516 kernel.
Notes: WiFi chip - MediaTek MT5921 - no open source driver
Currently on hold.
Proofs
Flit Keyboard
moneytoo said:
Typing on tiny QWERTY soft keyboard is a pain, Flit Keyboard makes entering text much easier.
I actually have bought 3 Z1's and virtual keyboard is REALLY a pain..
Flit Keyboard makes entering text much easier ! !
Just Eight ( 8 ) >> Huge << Buttons Keyboard..
..that By Easily Sliding You Can Type:
>> All << Alphanumeric Characters And Symbols ! !
No More Accidentally Typing Wrong Characters ! !
Perfect 5..
(this Should Have Been THE Number One Android Keyboard..)
Thanks moneytoo ! !
ff
Z1 Android Watch-Phone
From Wikipedia, the free encyclopedia:
http://en.wikipedia.org/wiki/Z1_Android_Watch-Phone
ff
I've been thinking about buying the watch to use as an MP3 player, would you recommend it?
Sent from my NWZ-Z1000Series using xda app-developers app
Yes, I'm plugging my website, but hey, it's relevant.
I've just reviewed this device at:
http://linuxslate.com/Review_Z1_Android-2.2-Watch.html
Everything in this thread has been helpful, I just wanted to add my 2 cents.
DPI at 160 looks great. Unfortunately many apps will not fit, including keyboard, phone, and superuser prompt. Either find alternate keyboard and set superuser to auto-grant, or switch back and forth between 120 and 160 as necessary.
I like No Lock, but I found the phone wake-locking all the time until I turned No Lock off. I also like the fact that the time is there in big letters on the lock screen. It's very suitable for its watch functionality.
I did a manual backup without rooting (No need for Z4 Root)
Download and unrar MT6516 BackUpTool, but do not install anything.
On the Linux/Mac box, open the gscript folder, and open back22.sh in editor, or viewer.
Connect the watch via USB, and connect via adb shell
Cut, paste and execute each line from the back22.sh file
up to and including the last dd command in the first section - in other words
Code:
.
.
.
.
dd if=/dev/mtd/mtd11 of=/sdcard/backup_/expdb.img
Obviously, you don't do the comment lines.
exit the shell
Code:
exit
do:
Code:
adb remount
Install yaffs2image:
Code:
adb push <your_path_on_PC_to>/Install/BackUp/yaffs_back_2.2/gen/mkyaffs2image /system/bin/mkyaffs2image
Code:
adb shell chmod 4777 /system/bin/mkyaffs2image
(Again, the above is a cut and paste from the script)
Code:
adb remount
(for safety)
Code:
adb shell
Then cut and paste the remaining 3 mkyaffs2img commands.
Then:
Code:
exit
Copy the backup_ folder on the SD card to someplace safe.
If you want, you can remove mkyaffs2image:
Code:
adb remount
Code:
adb shell rm /system/bin/mkyaffs2image
Code:
adb remount
It's definitely more steps, but it leaves the system technically un-touched, un-rooted, and even returnable if you should have to.
Some more useful apps.
https://play.google.com/store/apps/details?id=com.coinsoft.android.orientcontrol
Orientation control to lock the screen in landscape mode; not free but worth it.
https://play.google.com/store/apps/details?id=itosisato.setsunasato.kokoroduyosato
Home button for soft home button in notification tray. Free.
https://play.google.com/store/apps/details?id=com.katecca.screenofflock
Off button in notification tray. Free.
https://play.google.com/store/apps/details?id=com.opera.mini.android
Opera mini has server side compression so makes best use of the slow 3g speed, but no multitouch so zooming is difficult.
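The manual dd-based backup above works but is easy to get wrong: the mtdN-to-partition mapping can differ between firmware builds, and a truncated dump looks the same as a good one until you try to restore it. As an added example (not code from the thread or from the BackUpTool), here is a POSIX shell helper that reads the device's /proc/mtd, which lists every MTD partition with its hex size and name, generates the dd lines for all partitions in the same shape back22.sh uses, and computes the byte count each dump must have so you can verify the pulled images. The /proc/mtd text below is constructed: only the mtd11/expdb pairing comes from the thread, the other rows and all sizes are placeholders, so feed it `adb shell cat /proc/mtd` from your own watch.

```shell
#!/bin/sh
# Added example, not from the thread: build a dd backup plan from /proc/mtd
# and check dump sizes afterwards. On the real watch use
#   adb shell cat /proc/mtd > mtd.txt
# and feed that file in; the text below is a constructed stand-in.

# Constructed sample. Only "mtd11 = expdb" is taken from the thread; the
# other rows are placeholders with made-up sizes.
SAMPLE_MTD='dev:    size   erasesize  name
mtd0: 00400000 00020000 "boot"
mtd1: 00400000 00020000 "recovery"
mtd2: 0c000000 00020000 "system"
mtd11: 00a00000 00020000 "expdb"'

# mtd_rows < proc-mtd-text: print "dev name size_bytes" for each partition.
mtd_rows() {
    while IFS= read -r line; do
        case $line in
            mtd[0-9]*) ;;
            *) continue ;;     # skip the header and anything unexpected
        esac
        # word-splitting on purpose: mtdN: SIZE ERASESIZE "NAME"
        set -- $line
        dev=${1%:}
        name=${4#\"}; name=${name%\"}
        echo "$dev $name $((0x$2))"
    done
}

# mtd_plan OUTDIR < proc-mtd-text: emit one dd command per partition, the
# same shape the thread's back22.sh uses (dd if=/dev/mtd/mtdN of=.../name.img).
mtd_plan() {
    outdir=$1
    mtd_rows | while read -r dev name size; do
        echo "dd if=/dev/mtd/$dev of=$outdir/$name.img"
    done
}

# mtd_size NAME < proc-mtd-text: print the partition's size in bytes, or
# nothing if NAME is not present.
mtd_size() {
    mtd_rows | while read -r dev name size; do
        if [ "$name" = "$1" ]; then echo "$size"; fi
    done
}

# check_dump NAME ACTUAL_BYTES < proc-mtd-text: succeed only when the pulled
# image is exactly the partition's size. A short read (bad block, cable
# unplugged mid-copy) is the failure mode this catches before you rely on
# the dump for a restore.
check_dump() {
    want=$(mtd_size "$1")
    [ -n "$want" ] && [ "$want" -eq "$2" ]
}

# Stand-alone run on the constructed sample.
printf '%s\n' "$SAMPLE_MTD" | mtd_plan /sdcard/backup_
```

After pulling the images with adb, run check_dump with the byte count from `wc -c` on each file; the plan lists partitions in /proc/mtd order, so compare the generated lines against back22.sh before executing them rather than assuming the numbering matches.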
m34n1ng said:
Ive been thinking about buying the watch to use as a mp3 player, would you recomend it?
Sent from my NWZ-Z1000Series using xda app-developers app
It can be done, but the MotoActv might be better, because the motoactv has a headphone jack so you can use any headphones you want. On the Z1, you have to use bluetooth headphones or a bluetooth headphone adapter.
I just ordered one of these last week, should have arrived today ... glad to see this exists!
Other than configuration/display-size issues, does everything work, i.e. all hardware? I noticed you had a note about the WiFi driver not being open source, but I assume that more affects you if you try the MT6516 kernel. Even if it's a closed binary, I assume you could still load it and use it though. I'm not expecting any leaps and bounds in the kernel department.
As for CWM, is any part of it executed at cold boot? If so, I imagine you'd need to implement some kind of timeout menu that could optionally enter recovery before booting the watch. This is similar to what was implemented on the Kindle Fire which also doesn't have a normal stock recovery mode.
I assume you're still evaluating CM7 so you're not ready to distribute it ... but I do hope to see more from you soon, especially a HOWTO and download links!
I spent many nights trying to make GSM or WiFi work. Except for a few tweaks, I only got the modem to start but nothing more. I have no experience with porting binary drivers and this device has so many of them. Radio/modem and kernel modules - there are no problems with them, but there are just too many dependencies on proprietary libs, even from standard Android native binaries.
So I'm giving up, at least for now, because I just don't have enough knowledge.
I'm considering making a custom ROM based on stock Android but I don't know if there would be any demand. Proper integration of Google apps, Chinese apps/account providers removed, tweaked launcher/drawer settings, tweaked global DPI/DPI of apps that don't fit...
To have at least something, I give you a very simple app, "Z1 Backlight Toggle" apk (attached in the 1st post), which can turn off the display backlight completely. (Needs root.) I use it on my bike when I have navigation running all the time because it indeed saves battery and the backlight isn't needed at all under direct sunlight; the display is readable just the same.
moneytoo said:
I spent many nights trying to make GSM or WiFi work. Except for a few tweaks, I only got the modem to start but nothing more. I have no experience with porting binary drivers and this device has so many of them. Radio/modem and kernel modules - there are no problems with them, but there are just too many dependencies on proprietary libs, even from standard Android native binaries.
So I'm giving up, at least for now, because I just don't have enough knowledge.
That's fine, I understand how frustrating these things can be. But still, can you post information about how to backup / restore the firmware and how to flash a custom ROM? I might try playing with it myself sometime and at least having the knowledge would enable further experimentation.
WTF!!!! a wrist phone with Android OS.... This is so freaking cool!!! :thumbup:
Awesome......
Sent from my GT-S7500 using xda premium
moneytoo said:
I spent many nights trying to make GSM or WiFi work. Except for a few tweaks, I only got the modem to start but nothing more. I have no experience with porting binary drivers and this device has so many of them. Radio/modem and kernel modules - there are no problems with them, but there are just too many dependencies on proprietary libs, even from standard Android native binaries.
So I'm giving up, at least for now, because I just don't have enough knowledge.
I have an idea ... if we can get the MTK6516 kernel to build and boot, that's one step. If we can then get Android 2.2 stock to build, and then compare it against an image of the Z1's file system, we should, in theory, be able to identify all the unique areas of the watch's Android setup. If we at least know how to build an identical watch Android from source we should be able to extend that into making Cyanogen Mod work ... or something else. I think it's worth a shot anyway!
Also for an identical kernel, there shouldn't be any need to "port" binary drivers ... ideally they're built-in or load as modules, same as any other drivers.
I'm considering making a custom ROM based on stock Android but I don't know if there would be any demand.
You're probably right there will be very limited demand. So I ask again, if you can at least post steps about reflashing the watch, I'll give it my best shot. I just want to be sure I can restore the watch after messing around with it. Which I'm guessing you were able to since you didn't claim any permanent damage. It seems it should be able to go into a factory restore mode which I hope will override any messed up systems.
lokeshsaini94 said:
WTF!!!! a wrist phone with Android OS.... This is so freaking cool!!! :thumbup:
Awesome......
It really is neat. Kind of limited, but really neat. I think if we can get any amount of control over the kernel and Android version, we can really extend the abilities of the watch. It just needs a chance...
southbird said:
I have an idea ... if we can get the MTK6516 kernel to build and boot, that's one step. If we can then get Android 2.2 stock to build, and then compare it against an image of the Z1's file system, we should, in theory, be able to identify all the unique areas of the watch's Android setup. If we at least know how to build an identical watch Android from source we should be able to extend that into making Cyanogen Mod work ... or something else. I think it's worth a shot anyway!
Also for an identical kernel, there shouldn't be any need to "port" binary drivers ... ideally they're built-in or load as modules, same as any other drivers.
In my opinion there's no problem with the kernel, modules or libraries; we can just reuse them. The real issue, I think, is native Android binaries such as wpa_supplicant or rild. We can either use the (original) already built binaries or build new ones - but this is the problem... Original binaries depend on proprietary libraries, so they "do something" important with the devices. Newly built binaries just don't have that unknown functionality. Yes, reusing stock binaries might work for 2.2, but my only target so far was 2.3 since that would be a real benefit for us.
southbird said:
So I ask again, if you can at least post steps about reflashing the watch, I'll give it my best shot.
Have a look here: http://bm-smartphone-reviews.blogspot.cz/2011/02/mtk-hd2-hd9-flashing-tutorial.html
Basically you need the driver: "MT6516_YuSu_USB_VCOM.inf" and flashing tool: "SP Flash Tool v1.1110". You have to use 32 bit Windows (I only tried XP in both VirtualBox and VMware but it could work with 32 bit Vista or 7 as well).
Power off the watch and connect it directly to the PC (no USB hub or extension cable) - a new device will connect for a few seconds - use it to install the driver. Unplug the watch. Open the flashing tool and select the files to flash (I would recommend not flashing anything other than boot/recovery/system/data/logo), hit start and quickly connect the watch - flashing will start automatically.
moneytoo said:
To have at least something, I give you a very simple app, "Z1 Backlight Toggle" apk (attached in the 1st post), which can turn off the display backlight completely. (Needs root.) I use it on my bike when I have navigation running all the time because it indeed saves battery and the backlight isn't needed at all under direct sunlight; the display is readable just the same.
Which navigation software are you using?
adthor said:
Which navigation software are you using?
No idea what he's using, but I'll say that Sygic worked when NOT navigating (doing a route caused it to force close, I'm guessing possibly out of memory??) Using OsmAnd works pretty well ... of course, it's Open Street Map with all the usual limitations.
adthor said:
Which navigation software are you using?
I use RMaps (https://play.google.com/store/apps/details?id=com.robert.maps&hl=en) with collection of offline maps and prepared tracks for navigation.
southbird said:
No idea what he's using,
but I'll say that Sygic worked when NOT navigating
(doing a route caused it to force close, I'm guessing possibly out of memory??)
Using OsmAnd works pretty well ... of course, it's Open Street Map
with all the usual limitations.
Sygic 10 works nice with Z1 using 3D maps.
Sygic 12 works nice with Z1 using 2D maps.
When attempting to navigate Sygic 12 with 3D maps enabled,
the Sygic 12 crashes and Z1 returns to Home screen.
Correction..
Sygic 12 works nice with Z1 using 3D maps
only when Autozoom is turned off:
Settings > Map > Autozoom [untick]
ff
moneytoo said:
I'm considering making a custom ROM based on stock Android but I don't know if there would be any demand. Proper integration of Google apps, Chinese apps/account providers removed, tweaked launcher/drawer settings, tweaked global DPI/DPI of apps that don't fit...
That is exactly what needs to be done! If porting the binaries is not possible at the moment, why not go ahead with building on stock Android, with a proper Google account and apps, and removing the Chinese accounts.
Once you have the tweaked launcher/drawer, tweaked DPI of apps that don't fit etc. done, it would be almost as good as running CM7. Any improvement would be a big improvement.
I sincerely hope that you continue development; the demand for a stock ROM is sure to come as the device becomes more popular. As of now, there is nobody developing for the Z1 that I know of.
apurvasrishti said:
That is exactly what needs to be done! If porting the binaries is not possible at the moment, why not go ahead with building on stock Android, with a proper Google account and apps, and removing the Chinese accounts.
Once you have the tweaked launcher/drawer, tweaked DPI of apps that don't fit etc. done, it would be almost as good as running CM7. Any improvement would be a big improvement.
I sincerely hope that you continue development; the demand for a stock ROM is sure to come as the device becomes more popular. As of now, there is nobody developing for the Z1 that I know of.
I started cooking a custom ROM based on the stock one two days ago and I'm very happy with it. Proper integration of the setup wizard, Google apps, keyboard, DPI, orientation, a better preconfigured launcher, working voice search etc.

[APP][ROOT] Root Transmission - Root other devices using your phone!

Root Transmission
Root Transmission: the ONLY app that allows you to root other phones straight from your own device!
Inspired by Kos's p2p-adb hacking toolkit (http://hak5.org/episodes/hak5-1205), this app is a pleasant, easy way to root other phones while away from your computer! Just two buttons, Root and Unroot! Connect the cable and root away! It couldn't be simpler!
Even has its own terminal window so you can see exactly what's going on while your phone does its thing!
You will need a ROOTED device capable of USB hosting (USB On The Go), a USB OTG cable and one-click root scripts for the devices you wish to root.
Scripts and their associated files should be placed in /sdcard/RootTransmission/*devicename*/*version*/, otherwise it will not be available for use. *devicename* and *version* can be whatever you want.
Note that this is an UNSTABLE version, and you use this app at your own risk. Occasional force closes are to be expected (though they will most likely not break the phone you are trying to root). Incorrectly written scripts can permanently damage or brick both devices involved, so only use trusted 3rd party root scripts and at your own risk.
Screenshots
Changelog
1.01unstable
fixed bug that sometimes caused crashing when user closed app
fixed bug that caused app to crash if scripts directory did not exist
Much smaller size (166k)
made it for Android 4.0 and up (accidentally had it for 3.1 and up in Play Store, will re-add Honeycomb support if I find that it works reliably with it)
1.0unstable
initial public release
Planned features
Downloading scripts within the app
Nicer GUI
In-app help text
??? Suggest some!
Please do not mirror this apk, it is to be downloaded exclusively through the Play Store or from XDA-Developers. Failure to comply will result in the removal of this app from XDA.
I've attached a zip with the files needed to root a Verizon Galaxy S3 (SCH-I535), extract it to /sdcard/RootTransmission/ to use.
Note that since I only have one USB host-capable device (my own S3), no warranty is provided over the functionality of this zip since I am unable to fully test it. (It is a repackaged version of the DebugFS one-click root found at http://forum.xda-developers.com/showthread.php?t=1883984 and thus will only work if the device to be rooted is running ICS, which shouldn't be a problem as of yet.)
Again, this is an unstable test version. It should mostly work, but no guarantees on its functionality.
Awesome. I was wondering if this was possible a while ago and now it is. Good work.
Sent from my SCH-I535 using xda app-developers app
Guess it's time to root the display units at Verizon!!
droider137 said:
Guess it's time to root the display units at Verizon!!
+1
LOL
This is awesome.. just bought my USB on the go at Amazon.
So where can I find the One-Click-Root scripts for specific devices?
EDIT: Disregard... found them...
Very cool idea! So just to confirm this app uses DebugFS to root other devices correct? So if DebugFS does not work on the device you want to root (aka you have Jelly Bean) this app will not work as well?
Just as a note, adb sometimes fails to detect a connected phone. I would try the following steps:
- ensure USB debugging is enabled on both phones
- unplug and plug the cable on the host device
- reboot the device to be rooted
- in a terminal, run the following commands:
Code:
su
adb kill-server
adb -d wait-for-device
Then relaunch the app.
If it fails after that, then unfortunately adb is just being stupid (trying to figure out what causes this)
open1your1eyes0 said:
Very cool idea! So just to confirm this app uses DebugFS to root other devices correct? So if DebugFS does not work on the device you want to root (aka you have Jelly Bean) this app will not work as well?
Currently, that's the root method for a bone stock S3 (remember that the JB leaks haven't been released yet).
If the only way to acquire root is to use a proprietary program such as Odin, then this app will not be able to root. If a later one click root exploit is released, then it will work for those (and actually, I might have a universal one lying around somewhere that works up to 4.1.1).
DebugFS can be used for other devices, but it is not the only way for the app to root (for example, in the screenie I'm rooting an OG Droid using another exploit). The app's mainly a convenience/novelty way to root phones using the methods available right now. A lot of people have been asking me to root their phones (S3s included), though, and it sucks carrying my laptop around all the time - hence why I made this app.
Is there a list of devices that this app "should" be able to root? Or a general rule to follow, such as android 4.1.1 and below should be okay to root?
Sent from my SCH-I535 using xda premium
j0hnnyn said:
Is there a list of devices that this app "should" be able to root? Or a general rule to follow, such as android 4.1.1 and below should be okay to root?
Sent from my SCH-I535 using xda premium
It should be able to root most devices running 4.0-4.1.1 (I have a script that does that). I can't guarantee all will work, but a large number should be able to be rooted.
Other than that, it becomes device specific - you will have to research the particular devices involved.
I'll look around for that universal script and include it in the app next release.
Cool. Really looking forward to seeing this app progress!
Sent from my SCH-I535 using xda premium
wireless adb_p2p??
Just wondering if you thought this would be possible via a adb over wifi?
I haven't had much time to look into the Hak5 kit, but one would think at least on a device with wifi-direct already present out of the box, we could achieve this root transmission without the hassle of USB OTG.
Again, I haven't had time to look over the code, so there may be USB specifics for this method, but I just thought I'd bring up the idea.
On one hand it would be cool, on the other hand it would probably be a pretty serious security hole. Actually I love security holes, so either way it's win-win for me.
Ta,
ALQI
-----------------
Separate item:
How much of the original stuff from p2p-adb did you keep in this app? Cause there's some pretty naughty data stealing scripts in there... Fairly obvious in the names but still, a layman who just wanted to phreak or skiddie may get themselves into a spot of trouble playing with this in a mobile shop.
Just a word to the wise, is all.
Oh, also, um "Unlock" bootloader Transmission?? Future update maybe?? Hint hint. Wink Wink.
~alqi
Is there a website I can find some scripts? I'm a little confused.
Sent from my SCH-I535 using xda app-developers app
alquimista said:
Just wondering if you thought this would be possible via a adb over wifi?
I haven't had much time to look into the Hak5 kit, but one would think at least on a device with wifi-direct already present out of the box, we could achieve this root transmission without the hassle of USB OTG.
Again, I haven't had time to look over the code, so there may be USB specifics for this method, but I just thought I'd bring up the idea.
On one hand it would be cool, on the other hand it would probably be a pretty serious security hole. Actually I love security holes, so either way it's win-win for me.
Ta,
ALQI
-----------------
Separate item:
How much of the original stuff from p2p-adb did you keep in this app? Cause there's some pretty naughty data stealing scripts in there... Fairly obvious in the names but still, a layman who just wanted to phreak or skiddie may get themselves into a spot of trouble playing with this in a mobile shop.
Just a word to the wise, is all.
Oh, also, um "Unlock" bootloader Transmission?? Future update maybe?? Hint hint. Wink Wink.
~alqi
Yeah, I thought about adding rooting over Wi-Fi as well. Unfortunately, in order to enable adb over Wi-Fi you have to either have root on the device (which wouldn't be the case here) or connect the phones together anyway over USB to force adb over Wi-Fi (and you'd have to do this every time the device rebooted). Unfortunately that's not practical.
I just kept the idea from p2p-adb really. There's no data stealing scripts in my app, and pretty much none of the stuff from p2p-adb was reused other than the idea of connecting two phones together to do stuff.
Unlocking bootloader... for the S3, it's a simple download from the Play Store, so it doesn't seem practical to me. Also, there's the potential that I might screw things up, wouldn't want that to happen now, would I?
andybfmv96 said:
Is there a website I can find some scripts? I'm a little confused.
Sent from my SCH-I535 using xda app-developers app
I'm working on making them downloadable within the app. Until then, you can search on xda in the forums for the devices you want to root, or just ask here and I'll upload the right ones if they exist.
A script for Verizon S3s is in the original post.
Updated Root Transmission to 1.01unstable.
Following changes were made:
-bugfix: app occasionally FC'd when closing app
-bugfix: app crashed if scripts directory did not exist
-smaller size (166k, old version was 1.62mb)
-made it available only for 4.0 and up (had it set to 3.1 and up by accident)
Available in first post or in the Play Store.
Keep sending in those bug reports, it really helps!
Also, if you have any new features you want to suggest, let me know.
I'm considering the following so far:
-Downloading scripts in-app
-Nicer GUI
-Help text
I have an Asus Transformer TF101 that I am trying to root with this tool (from my GNex). I can't find a correct script I need when I search. Is there a certain search string that will help get me this file or one for other devices?
Sweet! Thank you!
Sent from my SCH-I535 using Tapatalk 2
hairclog said:
I have an Asus Transformer TF101 that I am trying to root with this tool (from my GNex). I can't find a correct script I need when I search. Is there a certain search string that will help get me this file or one for other devices?
I searched "Asus Transformer TF101 one click root" and found this: http://forum.xda-developers.com/showthread.php?t=1689193
It's a Windows batch script, easy to convert into a Unix shell script (I'll go ahead and do it later this evening). I might post a tutorial on how to convert your own scripts as well at the same time, so stay tuned.

[2012.12.18] Why Exynos exploit patches may not work as expected + demo app

So I'm sure we've all heard about the ExynosAbuse exploit. If not, the original thread is here. The only proper solution is a kernel fix. This thread is only about app-based fixes.
There are various fixes available at the time of this writing, including my own. I don't mind some competition, that is not the problem. What is a problem is that some of these other app-based solutions out there have been mentioned and pushed a lot in the media (tech as well as non-tech) while they are seriously flawed (the only true solution is a kernel fix that simply removes the exploitable memory device, but that requires a non-universal device update, so we focus only on app-based fixes here that users may run immediately).
What I mean by flawed is that while they offer protection most of the time, they may leave a big gaping hole during boot that can be exploitable (as I will demonstrate) - and serious malware authors will of course include this attack vector in any serious malware - as will they include an attack vector to exploit temporary enabling of the exploit so you can use your camera (on devices where the fix breaks camera use).
Serious malware needs only a tiny hole to squeeze through once, and will attempt to leave its own backdoor in case the hole they squeezed through is closed. Disabling the fix to use your camera only for a second with a malicious app running in the background running the exploit in a loop, and game over. I'm not even going to demo that, that flaw should be clear.
Due to unreliable fixes being mentioned by the media, a lot of people who have read online (or even print) news about this exploit may be using a fix they believe will work, but actual malware will easily bypass. Maybe some noise needs to be made about this ?
We're going to talk about three solutions here:
RyanZA's ExynosMemFix
Supercurio's Voodoo Anti ExynosMemAbuse v0.6
Chainfire's ExynosAbuse APK
The demo
What I am going to demo is running the exploit at boot, even though a fix that runs at boot is installed, on an exploitable device. After reading the rest of this article, find attached the ExynosExploitDemo APK. After installation, open the app, reboot your device, unlock your device (enter PIN, pattern, etc) and watch the screen like a hawk. Within a minute, a toast (bottom of the screen) notification will popup telling you whether the exploit worked. If it didn't work the first time, please try it at least 3 times. Once you are satisfied with the results, you should uninstall it again as it slows down the boot process.
Test setup
For each test I have completely factory reset the devices, and installed the "protection" APK before installing the exploit demo. Tests have been run on both Galaxy S3 as well as Galaxy Note 2, with and without SIMs installed. Tests were performed on December 18, 2012 with the most recent versions at that time.
BOOT_COMPLETED
Both RyanZA's as well as Supercurio's solution depend on Android launching the apps at boot (using the BOOT_COMPLETED mechanism), so they can plug the hole. This is a standard Android practice. The problem is, there is no guaranteed order in which apps are started at startup. A malicious app could also register to be started at boot (as the demo app does), and it would be a race whether the malicious exploit is run first, or the protection code. Luckily, you are more likely to have installed one of the patches before the malware, and the app that is installed first also has a better chance of being run first - but this is something that you cannot and should not rely on, nor does it guarantee the protection app will win the race, as explained below. The number of apps installed (and their package names, and what exactly they do at launch) may further influence which package "wins". What I'm trying to demonstrate here is that depending on this method of patching is unreliable at best.
The demo vs RyanZA's ExynosMemFix
RyanZA's is probably the least advertised/mentioned solution, which I expect is least used as well. The solution relies on BOOT_COMPLETED and "su" availability (like being rooted with SuperSU or Superuser), but does not rely on the exploit itself.
The reliance on "su" availability makes it vulnerable: it runs "su" to get the required access level to plug the hole. Even if installed before the malware and the system launches its startup code before the malware, the "su" call is an expensive one that can take an arbitrary amount of time to complete, regardless of the app having been granted permission before or not.
In my tests, even with ExynosMemFix installed before the demo, and having verified its code launched first, it would always lose against the demo (and thus the exploit succeeds) if the root management app installed is Superuser. Due to the way the Superuser app is designed, it takes a longer time acknowledging the "su" request, giving the demo time to run the exploit. I have also seen ExynosMemFix generate an ANR error during testing a number of times, indicating that it may be calling "su" from the actual broadcast receiver (instead of a background thread), with all the problems that may cause.
When SuperSU is used, ExynosMemFix would always win against the demo in my tests (and thus the exploit fails), due to SuperSU responding much faster as it does not rely on the Android framework as Superuser does.
This solution can be somewhat secure, but even if used in combination with SuperSU, it cannot be guaranteed the malware does not launch first (I've seen it happen, but have not found the key to reproducing it yet). In combination with Superuser instead of SuperSU, the patch leaves a major hole.
The demo vs Supercurio's Voodoo Anti ExynosMemAbuse v0.6
Supercurio's is probably the most advertised/mentioned solution in general by media outlets. The solution relies on BOOT_COMPLETED and the exploit itself (but no "su" required).
The reliance on the exploit makes it vulnerable. The exploit may need to run a couple of times before it succeeds during boot, and it takes quite a few milliseconds to run. It runs the exploit to get the required access level to plug the hole. The exploit does however take some time to run, and both the exploit as well as the hole-plugging command must be completed before the malware starts, to effectively block it.
In my tests, even with Voodoo Anti ExynosMemAbuse installed before the demo, and having verified its code launched first, it would always lose against the demo (and thus the exploit succeeds). The protection code would launch before the demo code, but it would not complete (and fix the hole) before the malware was started, thus failing to block it.
Note that this specific case is probably especially sensitive to the number of apps you have installed - it may be the case that the more apps you have installed after this solution and before actual malware, the better the chance the protection will succeed before the malware is triggered. You can't possibly rely on this, though.
This solution is the least secure solution of all available options - it will leave a big hole open, you might as well not run any patch at all.
The demo vs Chainfire's ExynosAbuse APK
Mine is probably the second most advertised/mentioned solution. The solution relies on modifying /system and the exploit itself, with parts relying on "su".
This solution can root the device and install SuperSU as management app itself, though it also works with a pre-installed Superuser. It requires this to install the on-boot fix. After that patch is applied, you can unroot again (inside SuperSU: Settings --> Full unroot) - the patch will keep working. The patch itself does however modify /system, to make sure the fix is applied before any normal Android app is started with BOOT_COMPLETED, completely preventing the hole the demo app (and malware) would use to run the exploit. As such, the exploit always fails.
This solution is the most secure solution of the available options in this regard, topped only by actually fixing the exploit in the kernel.
Virus/malware/etc scanners
I have also noticed that various virus and malware scanners have updated their definitions in the past few days, and they will now detect the original ExynosAbuse exploit. Be warned however, that this specific hole can be exploited in many different ways and the example code provided by alephzain is just that: an example. I am not at all convinced that all different exploits based on this hole can even theoretically be reliably detected by these scanners - including Google's - unless every app is actually tested against in a sandbox environment (and even then ...). They may protect against those using the exploit as-is, though.
The big joke
The funny thing is, all the fixes that can actually work void warranty: mine requires modifying /system, RyanZA's requires root as well, and a proper fix requires a custom kernel.
In other words, right now you can't really protect yourself against this abuse without voiding your warranty. If there ever was a case for having laws against limitations of warranty, this is it. On a related note, any warranty denied because your system status is "modified" is also completely bogus, as a successful exploit might (outside of your knowledge) try to install its own backdoor in /system ... which might trigger "modified" status.
Also, if you're thinking this is complicated code, malware authors are not smart enough, etc - think again. Serious malware authors live and breathe this stuff, and the relevant code for this attack is rather trivial and only about 30 lines, including whitespace and actually showing you the exploit result.
Another joke is that I seriously doubt any major news outlet will post a correction, but hey at least I tried
Different test results
Let us please not make this thread about your test results being different. If you have read and understood all the text above, you would know that there are various factors that may throw the test outcome one way or the other. Unless you're sure your different result is significant in being different, please do not clutter the thread with it.
Download
If you have a decent and updated virus scanner, it will likely scream at you for trying to download this. It is after all an exploit. You may need to turn it off if you want to test this for yourself.
2012.12.19 Update
I have a new (private, yeah) version of the demo that now beats both Supercurio's (v0.9) as well RyanZA's solution 100% of the time
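Whichever fix is in use, the thing that actually decides the race described above is whether the device node is still open to other uids once boot has finished. The following is an added example, not code from Chainfire's, Supercurio's or RyanZA's apps: it parses a toolbox `ls -l /dev` dump and reports device nodes that any app uid can open. The listing is constructed, and `vendor-mem` is a stand-in for the memory device whose name the post elides; the check assumes the hole is a device node whose 'other' permission bits let any uid open it.

```python
"""Audit an `ls -l /dev` dump for device nodes any app uid can open.

Added example, not code from the fix apps or the demo discussed above. The
listings are constructed; "vendor-mem" stands in for the memory device the
thread is about, whose name the post elides.
"""
from __future__ import annotations
import re
from dataclasses import dataclass

# One toolbox `ls -l` line for a block/char device:
#   crw-rw-rw- root     root       1,   3 2012-12-18 10:00 null
DEV_LINE = re.compile(
    r"^(?P<perms>[bc][rwxsStT-]{9})\s+(?P<owner>\S+)\s+(?P<group>\S+)\s+"
    r"(?P<major>\d+),\s*(?P<minor>\d+)\s+\S+\s+\S+\s+(?P<name>\S+)$"
)

# Nodes every app is expected to reach; world access here is by design.
BENIGN_WORLD_ACCESS = frozenset(
    {"null", "zero", "full", "random", "urandom", "tty", "ashmem", "binder"}
)


@dataclass(frozen=True)
class Finding:
    name: str
    perms: str
    owner: str
    group: str
    reason: str


def parse_listing(listing: str) -> list[dict[str, str]]:
    """Return device-node lines as field dicts; dirs, links and files are skipped."""
    entries = []
    for line in listing.splitlines():
        match = DEV_LINE.match(line.strip())
        if match:
            entries.append(match.groupdict())
    return entries


def audit_dev_nodes(listing: str, allow: frozenset[str] = BENIGN_WORLD_ACCESS) -> list[Finding]:
    """Flag nodes whose 'other' bits grant read or write to any uid.

    A third-party app runs under its own uid/gid, so it reaches a node through
    the 'other' triplet; that is the triplet a fix must clear and this inspects.
    """
    findings = []
    for entry in parse_listing(listing):
        if entry["name"] in allow:
            continue
        others = entry["perms"][7:10]  # the r/w/x bits for 'other'
        if "w" in others:
            reason = "world-writable device node"
        elif "r" in others:
            reason = "world-readable device node"
        else:
            continue
        findings.append(Finding(entry["name"], entry["perms"], entry["owner"],
                                entry["group"], reason))
    return findings


def node_is_closed(listing: str, name: str) -> bool:
    """True when `name` is absent from /dev or grants nothing to 'other'.

    A kernel that drops the node and a boot-time chmod both pass; an app fix
    that lost the BOOT_COMPLETED race and never ran does not.
    """
    for entry in parse_listing(listing):
        if entry["name"] == name:
            return entry["perms"][7:10] == "---"
    return True


# Constructed listings: before any fix, and after the node was restricted.
SAMPLE_BEFORE = """\
crw-rw-rw- root     root       1,   3 2012-12-18 10:00 null
crw-rw-rw- root     root       1,   9 2012-12-18 10:00 urandom
crw-rw-rw- root     root      10,  61 2012-12-18 10:00 ashmem
crw-rw-rw- root     root      10,  56 2012-12-18 10:00 binder
crw-rw-rw- system   system   252,   0 2012-12-18 10:00 vendor-mem
crw-rw---- root     graphics  10,  59 2012-12-18 10:00 ion
crw------- root     root       1,   1 2012-12-18 10:00 mem
drwxr-xr-x root     root              2012-12-18 10:00 block
"""
SAMPLE_AFTER = SAMPLE_BEFORE.replace(
    "crw-rw-rw- system   system   252,   0", "crw------- system   system   252,   0"
)

if __name__ == "__main__":
    for label, sample in (("before fix", SAMPLE_BEFORE), ("after fix", SAMPLE_AFTER)):
        print(f"[{label}] vendor-mem closed: {node_is_closed(sample, 'vendor-mem')}")
        for f in audit_dev_nodes(sample):
            print(f"  {f.perms} {f.owner}:{f.group} {f.name} -> {f.reason}")
```

On a real device the input is the output of `adb shell ls -l /dev` captured after the boot has fully completed, which is the moment the race is decided.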
Thanks for this thread. It's so fun !
But I have solved the problem (I think) after flashing my phone with my kernel (exynos_mem files modified).
lelinuxien52 said:
Thanks for this thread. It's so fun !
But I have solved the problem (I think) after flashing my phone with my kernel (exynos_mem files modified).
Yes, as stated, the best solution is a fixed kernel
My app clearly states the limitations of the approach (inside the app itself, leaves no doubt)
But it should not lose every time against the demo exploit at boot, so I'll change to a more aggressive way to start.
Thanks Chainfire for taking the time to test.
Chains, it's not much but have an Export 33 on me mate: 8BH470706S240353D :good:
Well said.
Chainfire said:
Yes, as stated, the best solution is a fixed kernel
So when do you think Samsung+carriers will plausibly get around to officially fixing it?
Sounds more precarious to not try your workaround & there is reasonable deniability even if there is a warranty issue..?
Tomorrow I'd like to install the official T-Mobile SGH-T889 multi-window update followed by ExynosAbuse-v1.30.apk , anyone expect issues as this recently discovered exynos exploit is not listed as addressed in this likely tested for weeks update?:
So is ExynosAbuse-v1.30.apk now regarded as the best-easiest-fastest-safest reversible root method for stock ROM compatible devices (as it also offers a reversible exynos exploit work-around with full unroot)?
-Thanks
Tried demo app this way:
- 2 times under WiFi and I get "Exploit FAIL" and the toast shows the directory that is something like "[!] ... /exynos-...."
- 1 time under 3G regular data connection and I still get "Exploit FAIL", but in the toast I no longer see the directory, only the message
I use Chainfire's exploit app.
Am I secure???
Sent from my GT-i9300 using TapaTalk2
Chainfire, guys, please give a try to the v0.7 version of my app, same place.
Chainfire, it would have been nice to be informed while you were preparing the article (on your early conclusions)
Just wondering, when Samsung DOES release a fix, I think it'd kinda be a catch 22 because those rooted or modified won't be able to update - or those infected won't be able to update. So Samsung will have to be lax with that rule. Or is that even possible? But regardless, I'm sure you guys will be able to get us the Samsung fix when and if they come out for us modified folks.
ThaiM said:
Just wondering, when Samsung DOES release a fix, I think it'd kinda be a catch 22 because those rooted or modified won't be able to update - or those infected won't be able to update. So Samsung will have to be lax with that rule. Or is that even possible? But regardless, I'm sure you guys will be able to get us the Samsung fix when and if they come out for us modified folks.
Yes, that's good thinking.
And also why I tried to provide something (even an imperfect workaround) that doesn't alter system.
I have 2 questions tho and I'll verify to get an answer to the first one.
- Is my app really not triggering the "modified" status
- If Chainfire un-do all the modifications applied by his tools, will the device return to its "un-modified" status
Or maybe the "un-modified" status can be faked, restoring the proper function of OTA updates.
Maybe a noteworthy thing here: in the EU you don't lose your warranty for applying fixes like this. In fact you can install kernels/ROMs as many times as you want and you still have your warranty. From my own experience with this, my phone has been repaired 2 times because the micro-USB didn't want to cooperate with me. The first time I had MIUI installed, the second time I had CM10 when I sent my phone to get fixed; both times I got it fixed free of charge.
source: https://fsfe.org/freesoftware/legal/flashingdevices.en.html
tl;dr
If flashing the original firmware doesn't fix the issues you had on your phone, then you must have the damage covered free of charge (i.e. micro-USB port goes crazy).
Chainfire, thanks for your elaborate demo.
I tested the exploit demo thrice with mobile security apps disabled; once with your app, and twice with the two "disable exploit" boxes from your app unticked. The first time, the exploit failed.
The kernel I have installed (link in my sig) seems to have fixed the problem. It uses the fix by AndreiLux that was successfully implemented by Entropy512 from the original thread.
Both times I rebooted, the exploit failed (see screenshot). I guess this is expected, but both times after boot, the checkbox "disable exploit" was enabled again without touching it.
Seems like a success story to me.
Thanks again!
SGS2 // RootBox 3.2 // Dorimanx 7.33
The 0.9 update of my app is strong now on boot (or less weak), but this is not very satisfying.
Frustrating as there's no "perfect" fix for regular users I'm thinking about right now.
I'm not really a fan of waiting, are you ?
@supercurio I was wondering the exact same thing about how the "un-modified" status may be faked. Then again, as another user pointed out, though warranty rules and regulations may be the same across all regions, it is their comprehension and application which is ambiguous.
I for one can attest that at my place they will simply replace the internals of your phone as long as the purchase bill you produce confirms that your device is still covered by the manufacturer warranty.
Props on the great research Chainfire, I agree with it all 100%
Personally though, malware authors target the easy and low-hanging fruit - in this case, 99% of phone users who have not used any kind of fix. (99% is a very low estimate.) They have no real reason to try and 'out race' mine or Supercurio's fix in practice, as (mine in particular) has very few users. Why bother creating a special exploit that only runs on boot, when you can just target 99%+ of all unfixed devices by just running the exploit when the app is started?
I've seen 4 malicious uses of the exploit in the wild so far, and all of them run on app start, which is blocked by all 3 'unsecure'/non-kernel fixes. Users are still VERY heavily encouraged to use any of the fixes as they currently stop all uses of the exploit in the wild. Supercurio's is still the best one as it does not require root, and should definitely be advertised by the media as much as possible as it stops a real-world and current threat to user security as best as it can.
Gotta say great research chainfire need of the hour indeed :thumbup:
Chainfire said:
The big joke
The funny thing is, all the fixes that can actually work void warranty: mine requires modifying /system, RyanZA's requires root as well, and a proper fix requires a custom kernel.
So if I understood correctly, a custom kernel solves the issue. :good:
I don't care about warranty.

LeapFrog Epic development thread (ROMs, recovery, etc.)

The first custom ROM for the Epic is now live! See this thread for details.
So a friend of mine got his hands on one of these, and since he asked me about flashing Gapps into the device, I was wondering if any one of you guys have been doing something just as "epic" for this children's tablet. And yes, I started this thread as a sort-of sequel/follow-up to the VTech Innotab Max thread I posted a year ago.
TECH SPECS:
Display: 7-inch capacitive touchscreen with TN LCD display
Resolution: 1024x600
Operating System: Based on Android 4.4 (modified, of course)
Processor: Quad-core, 1.3 GHz (reported by CPU-Z as MediaTek MT8127)
Memory: 1GB RAM
Storage: 16GB; 9GB available for /sdcard partition
Micro SD Card Slot: Yes, expandable up to 32GB
Camera - Rear: 2MP
Camera - Front: 2MP
Audio: 3.5mm stereo jack with microphone
Wireless: Wi-Fi 802.11 b/g/n
Bluetooth: Bluetooth 4.0
Battery Type: Rechargeable lithium-ion
Battery Life: 6+ hours; results will vary based on usage and settings
Port: Micro USB
Sensor(s): Accelerometer
Much to my disappointment, LeapFrog didn't equip the tablet with a GPS module, and despite the potential privacy issues that may arise with including one, it could be legitimately used for certain applications like tracking the device or your son or daughter in case he/she gets lost. The usual backdoor leading to Developer Options is also disabled for some reason, though it can still be accessed through third-party utilities such as this. And maybe it's just my modded Epic, but beaming stuff from another device to an Epic using ShareIT appears to suffer from connection issues, i.e. the device is detected but the sender is unable to connect to it; a workaround for this would be sending a file or two from the Epic and then having the sender do the same from his/her device.
APKs from outside sources can be installed either through ADB or by downloading it on your device and installing as usual, not to mention that there's a semi-hidden feature (tucked away under the Parental Controls panel) that allows for the Amazon AppStore to be loaded. As for rooting, Kingoroot should do the trick from what I've read here, but you can manually install SuperSU on it if you prefer the more established root access app. ADB-wise, the latest debug and fastboot binaries should work on the device from what I can attest.
Oh, and here's a link to the Antutu test results:
http://our.antutu.net/api/?action=v5&act=benchmark&id=54239552
CPU-Z report:
Kernel sources:
Code:
https://www.dropbox.com/s/vo6u4s6b3shjrhb/epic.iso?dl=0
https://github.com/huckleberrypie/android_kernel_quanta_narnia
Mad props to RAMChYLD for volunteering to have the sources mailed to him, as I'm reluctant to have them mail the goods to me no thanks to the rather abysmal postal service here in my place.
Pre-rooted ROM dump courtesy of @epic__fail; This can only be flashed with an unlocked bootloader.
Code:
http://www.needrom.com/download/leapfrog-epic-v1-stock-rom/
Note that while the unsigned ROMs cannot be flashed directly using SP Flash Tool, you can get around this by using the hidden Write Memory option. A quick guide on how to do that can be found on page 12.
Signed ROM dumps. Can be flashed directly using SP Flash Tool v5.1744. Make sure to perform a full backup of the tablet before flashing!
Code:
Epic Academy Edition:
v1.1.95: https://androidfilehost.com/?fid=6006931924117902657
v1.8.160: https://androidfilehost.com/?fid=6006931924117908682
v1.8.804: https://androidfilehost.com/?fid=4349826312261819358
LeapPad Academy:
v1.1.171: https://androidfilehost.com/?fid=4349826312261738402
P.S.: If you're getting a signature error upon flashing, try unticking SEC_RO and then try again.
Official flashable ZIP files:
Code:
Regular:
http://lfcdownload.leapfrog.com/epic/en/KOT49H.user.1.0.124.20150709.140831-to-KOT49H.user.1.5.45.20160310.231145.zip
http://lfcdownload.leapfrog.com/epic/en/KOT49H.user.1.1.146.20150825.120621-to-KOT49H.user.1.5.45.20160310.231145.zip
http://lfcdownload.leapfrog.com/epic/en/KOT49H.user.1.2.90.20150924.150837-to-KOT49H.user.1.5.45.20160310.231145.zip
http://lfcdownload.leapfrog.com/epic/en/KOT49H.user.1.3.27.20151026.144847-to-KOT49H.user.1.5.45.20160310.231145.zip
Academy Edition:
Latest Version: "KOT49H.user.1.1.95.20171215.140555"
KOT49H.user.1.1.52.20170522.123745
URL: http://lfcdownload.leapfrog.com/epic/en/v2/KOT49H.user.1.1.52.20170522.123745_to_KOT49H.user.1.1.95.20171215.140555.zip
Patch notes: This is an incremental update from KOT49H.user.1.1.52.20170522.123745 to KOT49H.user.1.1.95.20171215.140555
KOT49H.user.1.1.62.20170627.010228
URL: http://lfcdownload.leapfrog.com/epic/en/v2/KOT49H.user.1.1.62.20170627.010228_to_KOT49H.user.1.1.95.20171215.140555.zip
Patch notes: This is an incremental update from KOT49H.user.1.1.62.20170627.010228 to KOT49H.user.1.1.95.20171215.140555
KOT49H.user.1.1.64.20170704.010259
URL: http://lfcdownload.leapfrog.com/epic/en/v2/KOT49H.user.1.1.64.20170704.010259_to_KOT49H.user.1.1.95.20171215.140555.zip
Patch notes: This is an incremental update from KOT49H.user.1.1.64.20170704.010259 to KOT49H.user.1.1.95.20171215.140555
KOT49H.user.1.1.66.20170712.151925
URL: http://lfcdownload.leapfrog.com/epic/en/v2/KOT49H.user.1.1.66.20170712.151925_to_KOT49H.user.1.1.95.20171215.140555.zip
Patch notes: This is an incremental update from KOT49H.user.1.1.66.20170712.151925 to KOT49H.user.1.1.95.20171215.140555
JSON files for the updater:
Regular:
http://lfcdownload.leapfrog.com/epic/en/NarniaSystemUpdateVersions1.json
Academy:
http://lfcdownload.leapfrog.com/epic/en/NarniaSystemUpdateVersions_epic2.json
LeapPad Academy:
http://lfcdownload.leapfrog.com/epic/en/NarniaSystemUpdateVersions_epic3.json
The above ZIPs are incremental patches used to update an existing system to a newer build; I couldn't seem to dig up a full system image, let alone a scatter file, for a bricked or bootlooping Epic to be restored back to factory condition though, but still I'm keeping this as a reference in case any one of you guys is interested in downloading them manually. Apparently "KOT49H.user.1.1.99.20150807.173011" is unique to demo units, hence why there weren't any updates available for my device when I ran the OTA utility.
Demo-to-retail conversion tutorial
A tutorial on how to convert a store demo unit into a fully-functional Epic can be found here:
https://huckleberrypie57.blogspot.com/2018/12/and-i-came-in-for-another-leapfrog-epic.html
Custom ROMs
Unofficial LineageOS 14.1 by mac2612, blakegriplingph and kai2000: https://forum.xda-developers.com/android/development/rom-lineageos-14-1-leapfrog-epic-t4161311
The modifications to the way locale is set mean that Bluetooth HID devices like keyboards can pair but cannot work, since they cannot be set to be used for input (the options to change or add keyboard layouts are disabled in the Android settings screen and are instead selected from LeapFrog's own screen, which divides the world into 7 regions: US, UK, Canada, Australia, New Zealand, Ireland and Other). When you pick Other it forces the UK keyboard and locale on you, which is ridiculous since some countries use varying combinations of either (for example, the Philippines uses US English 100%, while Malaysia uses UK English but a US keyboard). However, Bluetooth does work with A2DP devices.
Yeah, the CPU-Z and AnTuTu benchmark are my doing. I am the friend Blake mentioned. I should add that the device ran the Project Anarchy demo in AnTuTu somewhat well, averaging at 15fps.
MTK's spec sheet mentions that the SoC also has GPS and FM Radio, but I suspect that both are disconnected on the device since Android doesn't detect them.
The option to enable installation of packages from untrusted sources is still in the android security screen in settings tho, and you will be instructed to turn it on as part of the steps to install the Amazon AppStore.
I actually emailed LeapFrog as to whether they can release a tarball to the MTK kernel sources they used, and I'm keeping my fingers crossed but since they had a history of doing so in compliance with the GPL (c.f. the links to Didj/Leapster sources on eLinux provided by none other than LF themselves), I have high hopes for custom ROM development or at least some mods for the device.
Well, my only problem with the device is that the input method and locale selection is locked down and selected by the "Device Locale" screen, instead of allowing the much more granular selection allowed from the Android settings screen itself. I have determined that the same lockdown prevents bluetooth keyboards from pairing properly with the device. Also, several apps defaulted to downloading videos from UK servers instead (ie BabyFirst TV, Fisher-Price Puppy Player and Little People Player) and thus have what I perceive as "wrong voices".
I'm still waiting for LeapFrog's reply concerning the kernel sources, and if all goes well we'll be golden.
Good luck.
Well, drat. Leapfrog's asking me for a mailing address so they can send me the source CDs. Problem is I am wary of the postal service here at my place, so is there anyone who's willing to get the sources?
So I bought one of these leap pad epics. Got it at toys r us. It was a return so open box. They gave it to me for $70 (they retail for $169.99+tax) because the last person who owned it left their passcode on it. I can't figure out how to get it off. Any ideas??
Hang in there. I've contacted Leapfrog via Facebook and am awaiting a reply.
RAMChYLD said:
Hang in there. I've contacted Leapfrog via Facebook and am awaiting a reply.
Wouldn't doing the standard factory reset procedure be enough for that (as with those who ended up flinging way too many patterns on their device), or is there anything special that's needed to be done?
Okay, got a reply. Go into the parent screen to bring up the pin entry, then enter 4 1 9. Now, when your cursor is in the last textbox, hit the backspace and enter 2 7. Apparently this is a hidden backdoor that Leapfrog puts into the system for cases like these (ie improper returns).
I've tested it, entering 4 1 2 7 upfront doesn't work. It has to be 4 1 9 <backspace> 2 7.
As for doing a factory reset, well, it's a catch-22 situation: to get into the settings screen, you need to enter the password first (they actually modified the settings app). If you don't have the password, well, you're SOL unless you call Leapfrog support, who will probably give you this code anyway. If the ADB interface is up, you could probably do it from there, but I'm not sure if it is.
Hmm, now I'm wondering if there's someone who's up to doing an SP Flash Tool dump of the device.
Good news: RAMChYLD just got his hands on the source tarball, and as such he gave me a link to the ISO containing the kernel sources, ripped off the disc LeapFrog mailed to him recently:
Said link to the sources can be found on the first post, in case you guys are interested.
Actually, Blake did the bulk of the work, talking to Leapfrog and arranging the CD to be sent to me. But yeah.
RAMChYLD said:
Actually, Blake did the bulk of the work, talking to Leapfrog and arranging the CD to be sent to me. But yeah.
Yup, pretty much. Though to tell you one thing, I was a bit worried that the sources either wouldn't arrive in time or not at all.
RAMChYLD said:
As for doing a factory reset, well, it's a catch-22 situation: to get into the settings screen, you need to enter the password first (they actually modified the settings app). If you don't have the password, well, you're SOL unless you call Leapfrog support, who will probably give you this code anyway. If the ADB interface is up, you could probably do it from there, but I'm not sure if it is.
You can factory reset by holding down Power + Volume Up at boot.
Is any one of you guys here interested?
I will be. I'll be buying my son one this weekend.
alienundies said:
I will be. I'll be buying my son one this weekend.
If you could provide an SP Flash Tool dump of the stock ROM it'll be golden, along with a TWRP/ClockworkMod recovery image. I really wish that I could get my hands on one, but the local Toys R Us here sells it for like twice the price even though it's just some glorified MediaTek device made with children in mind.
XbooX08 said:
You can factory reset by holding down Power + Volume Up at boot.
Does that work? They even went as far as to disable the ability to screenshot with power + volume down until I installed an app to re-enable it.
blakegriplingph said:
If you could provide an SP Flash Tool dump of the stock ROM it'll be golden, along with a TWRP/ClockworkMod recovery image. I really wish that I could get my hands on one, but the local Toys R Us here sells it for like twice the price even though it's just some glorified MediaTek device made with children in mind.
+1. The Asian importers for the device are charging way more for it over here than the device sells for in the US. It's going for an insane RM1000 at Toys R Us and Hamleys here, which imo is ridiculous given that there are vendors selling (malware-laden) Chinese tablets for less than a fifth of that.

Rooting a new Android set top box: LGE SH960S-AT (Airtel Internet Tv Set top box)

Hi All,
How can I root an STB running Android 6.0.1 with no access to the bootloader?
I have access to recovery, but it accepts only vendor encrypted/signed update files.
Adb via usb is not available, but can connect using wifi/lan when OS has booted.
Have already tried most one-click apps.
Any crazy idea/help/suggestion is appreciated.
People interested in details, can read the long story below.
The Amazon Prime app on the set-top box lags a lot, many times, while Netflix and YouTube work perfectly fine. So I thought of diagnosing the problem using adb logcat and found that every few seconds a few frames are getting skipped. To analyze the problem further and isolate bandwidth/resource problems vs. app problems, I wanted to root the device.
This is the first time I am trying to root a device for which no existing solution is available. I have been trying to root it for two weeks now, but no luck. While Amazon Prime was the reason for this voyage, rooting will open new avenues.
About the device:
⦁ Sold by Airtel India under brand name Internet TV (Not IPTV)
⦁ Manufactured by LG Electronics. Model: SH960S-AT
⦁ LG has published the opensource components used here.
⦁ More details about the hardware here.
⦁ Android Lollipop, upgraded to Marshmallow 6.0.1
⦁ With March 2018 Android Security Update
Here is what all I have tried so far:
ADB
⦁ Device is not detected when connected using a USB male-to-male cable. So, no ADB over USB.
⦁ However, I can connect ADB using Wifi. (adb connect IP).
⦁ To be sure of the IP, I have configured my Router DHCP to assign a specific IP to the MAC
⦁ I found in default.prop persist.sys.usb.config=none. My assumption, airtel has disabled adb via USB connection.
Bootloader
⦁ If I do a adb reboot bootloader, system restarts but gets stuck on the vendor logo.
⦁ In that state, I have tried many possible key combinations (power button on the box, several other buttons on the remote and usb keyboard), but it stays stuck there, until you pull the plug.
⦁ I have also tried many button combinations in power off state, no luck.
⦁ USB is still not recognized in this state, so no adb or fastboot.
Recovery
⦁ Doing adb reboot recovery restarts the system into the stock android recovery.
⦁ The same screen can be reached by following steps:
⦁ Unplug the box
⦁ Keep the power button pressed, plug in the device.
⦁ After the android logo comes, press Home from keyboard.
⦁ The following options are available:
⦁ Reboot to Bootloader: Same as above, gets stuck on vendor logo.
⦁ Apply update from Adb: Since usb connection/adb is not available, it just waits for a connection and times out. Adb using wifi/lan does not work. I assume, their drivers are not initialized in recovery.
⦁ Apply update from SD Card: I have copied the usual (su binary update.zip) to root of sd card. But it does not mount SD card properly. I have tried SD cards of different sizes, formats etc., no luck.
⦁ Apply update from USB: It was not recognized initially, but after going through recovery logs and trying several formats for the card, now it recognizes the card. I can select the zip file, but it shows Failed to map file. I assume it is not finding a vendor specific signature/encryption
One-click apps and other exploits
⦁ Have tried all the popular one-click apps, Kingroot, Framaroot, etc., no luck.
⦁ Have tried dirtycow exploit. But since the security update is March 2018, none of the known exploits work.
⦁ I am yet to find any POC for fixes in April 2018 or later android security updates.
Update service:
⦁ One system app called OtaDownloaderApp.apk is probably used by the vendor to push OTA updates.
⦁ Pulled the apk and disassembled it to find the url of the update file.
⦁ Downloaded it to understand the structure and explore any other possibility.
⦁ It does not seem like a normal .zip file and might be encrypted.
⦁ I tried the above file as Apply Update from USB from Recovery, it installed the updates
⦁ Now, could there be a way to decrypt/modify the update file to include su?
To add: Since the device is yet to be rooted, no way to extract the boot.img and patching.
Let me know if you need more clarification in any points I have mentioned.
* For some reason, I am not able to embed images in the post. You can view them here.
https://forum.xda-developers.com/album.php?albumid=15064
that's a pretty comprehensive attempt..would love to see if we could play with the os..
The link https://android.ota.airtel.in:8008/public/protected/ota/160/airtel_g1_update has many other variations like 161, 162, etc..but all the files are being downloaded in an encrypted format with different sizes..does airtel have more to android than this internet tv?
ex:
https://android.ota.airtel.in:8008/public/protected/ota/182/airtel_g1_update
https://android.ota.airtel.in:8008/public/protected/ota/181/airtel_g1_update
umair9001 said:
that's a pretty comprehensive attempt..would love to see if we could play with the os..
The link https://android.ota.airtel.in:8008/public/protected/ota/160/airtel_g1_update has many other variations like 161, 162, etc..but all the files are being downloaded in an encrypted format with different sizes..does airtel have more to android than this internet tv?
ex:
https://android.ota.airtel.in:8008/public/protected/ota/182/airtel_g1_update
https://android.ota.airtel.in:8008/public/protected/ota/181/airtel_g1_update
Thanks Umair, for going through the very long post. Breaks my heart, have not reached anywhere so far with it.
Yes, I have downloaded a few other versions. All of them encrypted. AFAIK, Airtel does not have other products with Android. 160 and 180 are different versions for the same STB: build v06.02.61 and 06.02.67 respectively. I assume all others will be other releases for the same STB.
Have also tried to use linkchecker to crawl through the site and explore more links. No luck, seems deliberately excluded via robots.txt.
Add: Wanted to check if the files are encrypted or just a new type of compression (e.g. Brotli). Opened a few of them in a hex editor, could not find any common beginning or end. Leads me to believe these are encrypted.
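As an added example (not from the thread), one way to make the "encrypted vs. just differently compressed" check above more systematic: test each downloaded blob for known container magic bytes, measure its byte entropy, and compare several blobs for a shared header prefix. The sample inputs are constructed inside the script; no files from the OTA server are used.

```python
"""Triage an update blob: known container (ZIP/OTA, gzip, Android boot or
sparse image) vs. something that looks encrypted (no recognised magic and
near-maximal byte entropy). Formats without magic bytes such as Brotli
cannot be separated from ciphertext by entropy alone; treat the verdict
as a hint, not proof. Added example, not code from the thread."""
import io
import math
import random
import zipfile
from collections import Counter
from typing import Optional

# Well-known leading byte signatures for formats an Android update might be.
MAGICS = {
    b"PK\x03\x04": "zip (OTA/update package)",
    b"\x1f\x8b": "gzip",
    b"ANDROID!": "android boot image",
    b"\x3a\xff\x26\xed": "android sparse image",
    b"\x7fELF": "ELF binary",
}

def shannon_entropy(data: bytes) -> float:
    """Bits per byte: 0.0 for empty/constant input, ~8.0 for uniform random."""
    if not data:
        return 0.0
    counts = Counter(data)
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in counts.values())

def identify_magic(data: bytes) -> Optional[str]:
    for magic, name in MAGICS.items():
        if data.startswith(magic):
            return name
    return None

def classify_blob(data: bytes) -> dict:
    """Return the recognised container (if any), the entropy and a verdict."""
    name = identify_magic(data)
    ent = shannon_entropy(data)
    if name:
        verdict = "known container"
    elif ent > 7.5:                      # text is ~4-5 bits/byte, ciphertext ~8
        verdict = "likely encrypted (or unknown compressed format)"
    else:
        verdict = "plaintext or low-entropy data"
    return {"magic": name, "entropy": round(ent, 3), "verdict": verdict}

def common_prefix_len(blobs: list) -> int:
    """Bytes shared at the start of every blob; 0 means no common header.
    Vendor-signed or encrypted packages usually still share a header."""
    n = 0
    for column in zip(*blobs):           # zip() stops at the shortest blob
        if len(set(column)) != 1:
            break
        n += 1
    return n

# Constructed stand-ins for downloaded files (not real OTA content).
def make_zip() -> bytes:
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("META-INF/com/android/metadata", "post-build=constructed\n")
    return buf.getvalue()

def make_random(seed: int, size: int = 8192) -> bytes:
    return random.Random(seed).randbytes(size)   # deterministic "ciphertext"

if __name__ == "__main__":
    print(classify_blob(make_zip()))
    print(classify_blob(make_random(1)))
    print(classify_blob(b"UPDATE_LOG " * 300))
    print(common_prefix_len([make_zip(), make_zip()]))
```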
Anyone...any help/suggestion?
avisekjena said:
Anyone...any help/suggestion?
brother could u post airtel stb apk ?
another update
this stb Launched over 2 Years ago in France the Dual core ARM B15 BCM7252S as well
which is called the Freebox Mini 4K
Hope we can make some progress, would be nice to see android TV Oreo on this box.
Another strange thing is the remote on Airtel internet TV drain battery like anything.
rohitatiit said:
Hope we can make some progress, would be nice to see android TV Oreo on this box.
Another strange thing is the remote on Airtel internet TV drain battery like anything.
A Bluetooth remote eats more battery.
sayanux said:
brother could u post airtel stb apk ?
another update
this stb Launched over 2 Years ago in France the Dual core ARM B15 BCM7252S as well
which is called the Freebox Mini 4K
Sorry brother, missed the notification. Are you asking for the update service/app that i mentioned above? Or the launcher/tv UI app? Let me know.
As far as Freebox is concerned, it does share the same chipset, but the end product looks different. And Airtel probably has done customizations for bootloader and OS.
rohitatiit said:
Hope we can make some progress, would be nice to see android TV Oreo on this box.
Another strange thing is the remote on Airtel internet TV drain battery like anything.
Well, as of now I have hit a dead-end, with no access to root.
Oreo seems a long way.
Yes! The remote does drain battery really fast. I remember observing in logs that the STB tries to check the status of the remote (such as battery percent, etc.) at regular intervals. Don't remember the interval, but I wonder if this is normal/the best practice. This might be draining the battery fast.
We could look into its apk and probably try a patch, but then we won't be able to update it (assuming it's a system app) without root.
On a different note, do you also face the following issues:
Remote stops working sometimes. I have to pull out and reinsert the batteries to make it work.
Voice search using the remote is so unreliable. It results in error most of the times.
Amazon Prime lags a lot, while Netflix and Youtube work smoothly. Prime app might be bandwidth hungry.
avisekjena said:
Sorry brother, missed the notification. Are you asking for the update service/app that i mentioned above? Or the launcher/tv UI app? Let me know.
As far as Freebox is concerned, it does share the same chipset, but the end product looks different. And Airtel probably has done customizations for bootloader and OS.
tv app apk
Can anyone help bypass the subscription check. So I can use the android without dish
I'm an Airtel Internet TV user; my subscription is over now and Airtel packages are really high, and without a package I'm not able to use anything on the box, so any options to bypass the subscription check? So I can use it without dish as a normal Android box. Thanks in advance.
riks4039 said:
I'm an Airtel Internet TV user; my subscription is over now and Airtel packages are really high, and without a package I'm not able to use anything on the box, so any options to bypass the subscription check? So I can use it without dish as a normal Android box. Thanks in advance.
Dump airtel dth long ago ... using MI tv box 3 (mdz 16 ab) with jio stb apk and livenet tv apk ... now am happy :victory:
ps : u cant bypass airtel internet box subscription
Dumping isn't a solution for the money we paid them. And what if we get some idea to install a custom ROM? I'm sure in a custom ROM we can boot it without any subscription, just like an ordinary Android box. At present it just works for a few minutes and then it comes to the error screen that my subscription is over. Don't want to give up so easily. I still have hope.
no custom rom with out money ...
that's why dumping is the solution ...
don't know your box's characteristics but some have a pinhole push button inside the 3.5mm jack that needs to be pushed during boot to get to TWRP
its Dual core ARM B15 BCM7252S soc
made by LG
Can anyone help bypass the subscription check. So I can use the android without dish
sayanux said:
no custom rom with out money ...
thts why dumping is the solution ...
I'm ready to pay for it if I get solutions, because obviously someone is helping me, so I'm ready to help them too.
I used adbLink and removed all the Airtel apps with adb shell commands, and the box works as an Android box now.
No Subscription check no airtel launcher, just google launcher and apps as soon as it boots
jayg17 said:
I used adbLink and removed all the Airtel apps with adb shell commands, and the box works as an Android box now.
No Subscription check no airtel launcher, just google launcher and apps as soon as it boots
wow <3 <3
now try to install jio android tv app
Please send the full process of how you did that, thanks.
jayg17 said:
I used adbLink and removed all the Airtel apps with adb shell commands, and the box works as an Android box now.
No Subscription check no airtel launcher, just google launcher and apps as soon as it boots