[CLOSED]HaHaHack Dis: No Magisk REQUIRED!!!! - Android Software/Hacking General [Developers Only]

Magisk is no more...
I present a new fool proof method of flashing su to Android 10_Q and above!!
I ranted and ranted about variant=user/user-debug/eng builds that I got no-where... people thinkin am dissin john wu, nah, I respect what I've learnt from his app forcing me to connect online, I want su without connecting, in order to secure my own fone.
Introducing proof!!
Simple. Instead of flashing boot.img
Flash boot-debug.img from stock.
This addresses the lack of adb root.
Logs:
D:\0\AdbStation>fastboot --disable-verity --disable-verification flash vbmeta vblankmeta.img
Rewriting vbmeta struct at offset: 0
Sending 'vbmeta' (4 KB) OKAY [ 0.000s]
Writing 'vbmeta' OKAY [ 0.000s]
Finished. Total time: 0.016s
D:\0\AdbStation>fastboot --disable-verity --disable-verification flash boot boot-debug.img
Sending 'boot' (32768 KB) OKAY [ 0.764s]
Writing 'boot' OKAY [ 0.515s]
Finished. Total time: 1.404s
D:\0\AdbStation>fastboot --disable-verity --disable-verification flash recovery MyTwrp.img
Sending 'recovery' (26086 KB) OKAY [ 0.718s]
Writing 'recovery' OKAY [ 0.406s]
Finished. Total time: 1.139s
D:\0\AdbStation>fastboot reboot-recovery
Rebooting into recovery OKAY [ 0.000s]
Finished. Total time: 0.000s
D:\0\AdbStation>adb root
adbd is already running as root
D:\0\AdbStation>adb root
restarting adbd as root
D:\0\AdbStation>adb shell
Armor_X5_Q:/ # mount -o remount,rw /system_root
mount: '/system_root' not in /proc/mounts
1|Armor_X5_Q:/ # mount -o remount,rw /system
mount: '/system' not in /proc/mounts
1|Armor_X5_Q:/ # mount -o remount,rw /
'/dev/block/dm-1' is read-only
Armor_X5_Q:/ # su
/system/bin/sh: su: inaccessible or not found
127|Armor_X5_Q:/ # ls
acct d init.environ.rc metadata sbin
apex data init.rc mnt sdcard
bin debug_ramdisk init.usb.configfs.rc odm storage
bugreports default.prop init.usb.rc oem sys
cache dev init.zygote32.rc proc system
charger etc init.zygote64_32.rc product ueventd.rc
config init lost+found product_services vendor
Armor_X5_Q:/ # cd apex
Armor_X5_Q:/apex # ls
com.android.apex.cts.shim [email protected]
[email protected] com.android.resolv
com.android.conscrypt [email protected]
[email protected] com.android.runtime
com.android.media [email protected]
com.android.media.swcodec com.android.tzdata
[email protected] [email protected]
Armor_X5_Q:/apex # exit
D:\0\AdbStation>adb reboot bootloader
D:\0\AdbStation>fastboot --disable-verity --disable-verification flash recovery recovery.img
Sending 'recovery' (20646 KB) OKAY [ 0.577s]
Writing 'recovery' OKAY [ 0.312s]
Finished. Total time: 0.889s
D:\0\AdbStation>fastboot reboot
Rebooting OKAY [ 0.000s]
Finished. Total time: 0.000s
D:\0\AdbStation>adb root
restarting adbd as root
D:\0\AdbStation>adb shell
Armor_X5_Q:/ # exit
------------------------
Pay attention, the first part above, I flashed a twrp...
Below, I flash stock images... without closing adb window.
--------------------------------------------------------------
D:\0\AdbStation>adb reboot bootloader
D:\0\AdbStation>fastboot --disable-verity --disable-verification flash boot boot-debug.img
Sending 'boot' (32768 KB) OKAY [ 0.764s]
Writing 'boot' OKAY [ 0.499s]
Finished. Total time: 1.373s
D:\0\AdbStation>fastboot --disable-verity --disable-verification flash recovery recovery.img
Sending 'recovery' (20646 KB) OKAY [ 0.484s]
Writing 'recovery' OKAY [ 0.328s]
Finished. Total time: 0.811s
D:\0\AdbStation>fastboot reboot
Rebooting OKAY [ 0.000s]
Finished. Total time: 0.000s
D:\0\AdbStation>adb root
restarting adbd as root
D:\0\AdbStation>adb shell
Armor_X5_Q:/ # su
/system/bin/sh: su: inaccessible or not found
127|Armor_X5_Q:/ # exit
D:\0\AdbStation>adb shell
Armor_X5_Q:/ # cd /system
Armor_X5_Q:/system # cd bin
Armor_X5_Q:/system/bin # ls
Edit'd not relevant.. too long the things we can do list pissed one off...
Armor_X5_Q:/system/bin #
No MORE MAGISK!!!
It's a feature of Android 10 and over lol... says so in the android docs....
who needs su when you have root?
SYSTEM_AS_ROOT
Voila...
it's in the understanding.
YouRoot
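
Added example, not part of the original post: the `--disable-verity --disable-verification` options in the log above make fastboot set two bits in the flags field of the vbmeta header before writing it (the "Rewriting vbmeta struct" line). This Python sketch reads that field from a vbmeta image or partition dump so the resulting state can be audited; the function names and the sample images are constructed for the example.

```python
import struct

AVB_MAGIC = b"AVB0"
HEADER_SIZE = 256                 # fixed size of the AVB vbmeta image header
ALGORITHM_OFFSET = 28             # 32-bit big-endian algorithm_type
FLAGS_OFFSET = 120                # 32-bit big-endian flags
RELEASE_OFFSET, RELEASE_LEN = 128, 48

FLAG_HASHTREE_DISABLED = 0x1      # bit set by fastboot --disable-verity
FLAG_VERIFICATION_DISABLED = 0x2  # bit set by fastboot --disable-verification

ALGORITHMS = {
    0: "NONE", 1: "SHA256_RSA2048", 2: "SHA256_RSA4096", 3: "SHA256_RSA8192",
    4: "SHA512_RSA2048", 5: "SHA512_RSA4096", 6: "SHA512_RSA8192",
}


def parse_vbmeta(blob):
    """Return the security-relevant header fields of a vbmeta image.

    Expects the header at offset 0, as in a dedicated vbmeta partition.
    """
    if len(blob) < HEADER_SIZE:
        raise ValueError("too short for a vbmeta header")
    if blob[:4] != AVB_MAGIC:
        raise ValueError("missing AVB0 magic")
    major, minor = struct.unpack_from(">II", blob, 4)
    (algorithm,) = struct.unpack_from(">I", blob, ALGORITHM_OFFSET)
    (flags,) = struct.unpack_from(">I", blob, FLAGS_OFFSET)
    release = blob[RELEASE_OFFSET:RELEASE_OFFSET + RELEASE_LEN].split(b"\0", 1)[0]
    return {
        "avb_version": f"{major}.{minor}",
        "algorithm": ALGORITHMS.get(algorithm, f"unknown({algorithm})"),
        "flags": flags,
        "verity_disabled": bool(flags & FLAG_HASHTREE_DISABLED),
        "verification_disabled": bool(flags & FLAG_VERIFICATION_DISABLED),
        "release": release.decode("ascii", "replace"),
    }


def audit_vbmeta(blob):
    """List the reasons this vbmeta no longer protects the partitions it covers."""
    info = parse_vbmeta(blob)
    findings = []
    if info["algorithm"] == "NONE":
        findings.append("unsigned")               # typical of a 'blank' vbmeta
    if info["verity_disabled"]:
        findings.append("verity_disabled")        # dm-verity hashtrees ignored
    if info["verification_disabled"]:
        findings.append("verification_disabled")  # descriptors not checked at all
    return findings


def build_sample(flags, algorithm):
    """Constructed 4 KB image with valid header fields and no descriptors."""
    image = bytearray(4096)
    image[:4] = AVB_MAGIC
    struct.pack_into(">II", image, 4, 1, 0)
    struct.pack_into(">I", image, ALGORITHM_OFFSET, algorithm)
    struct.pack_into(">I", image, FLAGS_OFFSET, flags)
    release = b"constructed-sample"
    image[RELEASE_OFFSET:RELEASE_OFFSET + len(release)] = release
    return bytes(image)


if __name__ == "__main__":
    samples = {
        "blank vbmeta, both flags set": build_sample(0x3, 0),
        "signed vbmeta, flags clear": build_sample(0x0, 1),
    }
    for name, blob in samples.items():
        print(name, "->", audit_vbmeta(blob) or "no findings")
```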

1) what is this
2) you could've pastebin'd the log files bruh
{Mod edited language - Regards Oswald Boelcke}

I dont use pastebin. I wanted to post my proof here. My call. thanks for the suggestion though, I mean, why send a good hack to another site when I would not have found it if it were not for comin here?
Surely xda deserve some credit, which I give by posting my flashing log here...
I know all will find what I posted will work to write a ro system.
Su and Magisk ARE dead, john wu says so...
I say this is why.
Flash boot-debug.img instead of boot.img gives
adb root
adb shell
# <- the point of root!!!
Ps, I may be a bro to my 3 sister's, but I aint no bro... :O
I find what they cant see, because they gave away the sight to see, what I see, they no longer can
Until I light the way....

Pachacouti said:
I dont use pastebin. I wanted to post my proof here. My call. thanks for the suggestion though, I mean, why send a good hack to another site when I would not have found it if it were not for comin here?
Surely xda deserve some credit, which I give by posting my flashing log here...
I know all will find what I posted will work to write a ro system.
Su and Magisk ARE dead, john wu says so...
I say this is why.
Flash boot-debug.img instead of boot.img gives
adb root
adb shell
# <- the point of root!!!
Ps, I may be a bro to my 3 sister's, but I aint no bro... :O
I find what they cant see, because they gave away the sight to see, what I see, they no longer can
Until I light the way....
1. ROOT su binary is already included in GSI builds (original author is phhusson and not topjohnwu) since the beginning of the project. It's not a new thing. Here Magisk came to Hide this feature!
2. Magisk doesn't give only ROOT ... but the "systemless option" for the dynamic modules that is the half part of the whole package!
3. Have you tested SafetyNet ???
4. TWRP is already a root method since you can access the /data partition and other partitions too!
5. Oh yeah, it looks like you have an old device without dynamic partitions (aka SUPER) ...
Cheers

im not using gsi, i'm using stock ma man, stock!
it's actually genuine root with stock!
Albeit different from what we used to call root, it is ultimately a rooted boot-debug, as in:
#
Oh, for the record everyone, I'm on an A-only arm64-v8a Armor x5, the mt6762 which also claims to be mt6765, running latest updated Android 10_Q, no, NOT PIE. System-as-Root
and I would not be writing in the system_1.32 thread if I did not have a super.img partition...
which I am currently flashing using nothing more than replacing my stock boot.img with the stock boot-debug.img, though I had to unlock bootloader to do this...
couldn't chmod the system_1.32 if the # did not show, true or false?
No Magisk... No su... the secret is in adb root not being available in user OR production builds, so use boot-debug.img to be able to type adb root to type adb shell to get #
No twrp. Stock recovery is not available, using boot-debug.img, so I flash twrp anyway.
Beat that!!!
You CANT, cause it's true... following magisk makes you think you need root when you were already given it in stock rom, (only viable if you see boot-debug.img beside your boot.img in stock folder), now if this is true, and obviously it is, then why did john wu not notice?
too busy waiting on me...
Time for a BIG update from magisk then? Not. (needed, pmsl)
Selfie Clappin Syndrome has left the building...
Ps, attempting magisk on boot-debug.img kills all adb and root access gained by not doing so.
I can and do flash my twrp, and have done so now, from lopstom into recovery, since normal stock recovery does NOT show when using boot-debug.img, and system_1.32 has just given me rw access in twrp, so systemrw actually works with no su or magisk installed.
On with testing...
And for the record, this is where I found out what you now know:
VTS testing with debug ramdisk | Android Open Source Project
source.android.com
works on Android 10_q stock, NOTE THIS IS FOR GSI ON ANDROID 11
Im on stock. nuff said.
Oh, look... debug vendor... debug... yum yum

Oh, and safety net pass's, because the debug is legit (stock boot-debug.img) lol, oh look, no magisk...

The downside is... I'm sitting with a completely rooted fone... with no root apps.
busybox is replaced with, yup, you guessed it, toybox! not by me, but comes as stock...
last I heard before discovering this was toybox IS the new busybox...
It's actually like linux without the 'custom' - in adb shell lol...
And it is indeed the desktop launcher kicking us out of writing to system in the first place, when rooting, since the desktop launcher cannot run root commands,, as it has no root rights. forcing PIE and earlier roots simply wont cut it...
I have to say it folks... upgrade...
And write some updated apps that dont hold us back!!
Oh, and I'd forget a ro system, cause even with systemrw, it's only in twrp it's of use to me, but cant save anything TO it, so kinda pointless to me for now... then I remind myself this is written for pie lol...
Edit, and I'll add this:
With only one phone to work on, so no experience in a/b partitioning, I'll assume (bein the mother of all f'up's lol) that the reason a/b partitions exist is because a pie bootloader is 2 bootloaders, split into 2 when remixed into android 10, separating the pie users access to variant=eng being available, to having to flash boot-debug.img since windows 10.
Here's the kicker... I have yet to flash any custom rom.
From stock I flash boot-debug.img, and twrp recovery, followed by the backup super_fixed.bin created by system_1.32, reboot into twrp and can instantly mount system/vendor as is expected of system_1.32, the script is only required once, if you make a back up that is...
Yet I cannot load any custom rom the usual way... twrp may show mounting system, but even when fastbooting TO system, in adb or twrp, I have to reflash a super, so forget writing overlay file systems pandering to big companies, write a writable system knowing it's all contained in a SUPER image using boot-debug as root source.
I can however, flash a super and load an entirely different OS, rw across the board... if I flash a super.img
The kicker is having a completely new root that comes with the fone and how it works...
su is pointless, as is magisk, you are already root.
Get it?
magisk takes this away.
so if your on android 10 and over... forget magisk, load your boot-debug, and take control of your new root tool.
magisk cant see the countless other mount points made for each file for each app for each gif for each bit of binary, each has it's own mount point lol...
it's gettin that way
Final point. Open a folder, go INTO it, and run any exe. While exe is running, attempt to delete folder exe is contained in. Now you know why you cant write a ro system. Close the exe, and voila!!
You cant mount a folder you already occupy in gui of fone. Ahem.. remount /system.
It's like typing su to get #
forget su
#
The greatest trick is convincin people of security when there is in fact none when it comes to software.
Their greatest security is their idiocy.
The PARTITIONS of history have taught us not to doubt insanity and it's virtues...

And for problems mounting systemrw, no problem, no root!!
Android OverlayFS Integration with adb Remount

Thank you for your efforts in a root solution.

Usin the above convoluted method, I can indeed rw the ro system.
I deleted childspace apk as test. It worked.
Using only this order:
Place stock boot.img, recovery.img and boot-debug.img in the adb folder.
Also place your 'here's one I made earlier' magisk_patched_bootloader.img here.
Now the nippage:
1: Unlock stock bootloader. Reboot into bootloader, after granting adb keys.
2: Flash boot-debug - NOTHING ELSE.
3: Reboot into fone gui.
4: adb root
adb disable-verity
adb reboot - (boot into bootloader)
5: Flash magisk'd boot.img
6 (optional, I did this) Flash backed up Super_fixed.bin (had to rename to img)
7: flash twrp...
Now you can do what you want.
After this I removed the magisk'd bin, returned to my debug and the childspace app I removed stayed removed from a ro system.
So yeah, there's your door, blank vbmetas prevent rw access using this method. Use your real vbmeta when flashing boot-debug, boot debug will NOT work with magisk installed, I tried every utha way... all we really need is a nu su app that works using this method instead of simlinkin the heck out of ...
Now how to do this without the magisk step, and keep it..?
user-debug (are not user or debug img's, but the third lol)
Now they ARE hard to find, need to make one, not my cup of tea...

something to add..
Busybox 1.31 Install error on Android 9 -- SOLVED · Issue #93 · meefik/busybox
OK, I managed to solve the installation issue with Android 9 on the Samsung Galaxy Tab S6. Here's how I did it: root the tablet by installing twrp, dm_verity and magisk boot into Android install ro...
github.com

Hi Pachacouti. Thanks for your interest in my SystemRW project. I hope it was helpful to you.
Pachacouti said:
Oh, and safety net pass's, because the debug is legit (stock boot-debug.img) lol, oh look, no magisk...
Where can I find this stock boot-debug.img file that you're talking about? I can't find it inside my stock Xiaomi firmware (MIUI).
Pachacouti said:
system_1.32 has just given me rw access in twrp, so systemrw actually works with no su or magisk installed.
Yes that's true my SystemRW script should work regardless of whether Magisk is installed yet or not. All you need for it to work is a root shell in recovery.
Have fun!

lebigmac said:
Hi Pachacouti. Thanks for your interest in my SystemRW project. I hope it was helpful to you.
Where can I find this stock boot-debug.img file that you're talking about? I can't find it inside my stock Xiaomi firmware (MIUI).
Yes that's true my SystemRW script should work regardless of whether Magisk is installed yet or not. All you need for it to work is a root shell in recovery.
Have fun!
To answer your first question, take the boot-debug.img from here, the first you see, and try it. if it is the same size, it will most likely work
Be aware that this is a 32mb in size bootloader, others are 64mb, they obviously wont work.
This is not to say a 64mb boot-debug.img will NOT work, it simply wont FIT.
Then be aware of a/b or a-only.
If you check the first post, from where I flashed all stock, I flashed the boot-debug.img to boot, NOT recovery. I am attempting to create a working twrp'd version for my fone, but I'm too slow for the instant gratificationist in me lol... using stock vbmeta... in otherwords, it would work, cause it's all legit, and how android 10, 11, and 12 actually work.
I find your script is a perfect find to see if we can indeed write to anything, now how to move what access you have in twrp to include mounting these 3 partitions dm-1, 2, 3, while in the actual gui...
Again, if you cant get into recovery, flash twrp to recovery after flashing boot-debug.img, It does work, but I think settings in recovery are not needed when booted to boot-debug, so the recovery is actually not necessary, but we're used to it, so NEED...
Edit, here's my boot-debug, thought I was in another thread lol..
And FFS, DONT try magisk with this, root is destroyed when doing so, this is not me dissin john wu, it's google fighting back... respect da john wu saaaa
Ps, enjoy this misunderstanding:
I flashed and ran systemrw_1.32 with NO root, no twrp, no recovery, I did it all in adb using nothing but boot-debug.img flashed to boot, with legit vbmeta.
In user builds, flashing blank vbmetas is what actually causes the inability to manipulate ro system.
At least since PIE. Android 10_q and over... different ball game.

Pachacouti said:
And for problems mounting systemrw, no problem, no root!!
Android OverlayFS Integration with adb Remount
forreal

Did you know....
A few years back, when alcohol 120% came out, I downloaded a dvd that turned out to be corrupt. The image supplied by Alcohol 120% always came with an mdf file, and the disk image itself. Mdf is actually the md5 hash of the dvd.
When attempting to burn disk, I accidentally chose the mdf, (md5 hash) instead of the actual disk image, and it turned out that the mdf hash reproduced the disk image byte for byte.
In otherwords, the 4.7gig dvd image was never necessary. That's 4.7gig reproducible from an md5 hash of say 100kb in size.
Now imagine this in fones. Dont store the file, store its hash.
The CIA hate me now...

Anyway, here is the process so far:
Grab the boot-debug.img below, if it works for you good.
From stock, unlocked bootloader, set adb keys:
fastboot flash boot boot-debug.img
fastboot reboot <- just to see what we got
adb root
adb disable-verity <- the proper way to disable verity. No blank vbmetas required.
adb reboot
adb wait-for-device
adb root
adb remount <- wont work, because boot-debug.img is not a user-debug version of boot-debug.img, so I need to use a magisk'd boot to gain 'other' access.. later...
Note: adb shell avbctl disable-verification is only available in user-debug builds, so instead of boot-debug.img, prob look like user-debug.img. Notice how I disable it below.
fastboot --disable-verity --disable-verification flash vbmeta vbmeta.img 2>nul >nul <- Notice how I flash genuine vbmeta, including the end part '2>nul >nul' to flash twrp to recovery. This clears the way to flash super without flashing blank vbmetas... this will reset when flashing stock boot, so no problem to a dev...
fastboot flash recovery MyTwrp.img (rebooted after just to make sure the recovery stayed after typing '2>nul >nul' after the vbmeta) -it stayed.
fastboot flash super super_fixed.img <- Same test as above, now reboot into twrp to test rw capabilities. Mine all working.
fastboot reboot-recovery <- Go immediately to mount, tick system and vendor, if tick stays, voila, mine stays ticked...
Do twrp test using adb:
adb shell
# mount -o rw,remount rootfs /
Find way to install su lol, this is where I'm at now.
Dont say install the killer of su...

I then do:
Armor_X5_Q:/ # ls -l `which su`
total 1608
dr-xr-xr-x 4 root root 0 2021-09-27 13:00 acct
drwxr-xr-x 2 root root 40 2021-09-27 13:00 apex
lrwxrwxrwx 1 root root 11 2021-09-10 01:30 bin -> /system/bin
lrwxrwxrwx 1 root root 50 2021-09-10 01:30 bugreports -> /data/user_de/0/com.android.shell/files/bugreports
drwxrwx--- 6 system cache 4096 2010-01-01 00:03 cache
lrwxrwxrwx 1 root root 19 2021-09-10 01:30 charger -> /system/bin/charger
drwxr-xr-x 4 root root 0 1970-01-01 00:00 config
lrwxrwxrwx 1 root root 17 2021-09-10 01:30 d -> /sys/kernel/debug
drwxrwx--x 55 system system 4096 2021-09-27 12:25 data
drwxr-xr-x 2 root root 0 2021-09-10 01:30 debug_ramdisk
lrwxrwxrwx 1 root root 12 2021-09-10 01:30 default.prop -> prop.default
drwxr-xr-x 19 root root 3540 2021-09-27 13:00 dev
lrwxrwxrwx 1 root root 11 2021-09-10 01:30 etc -> /system/etc
drwxrwxrwx 13 root root 32768 1970-01-01 00:00 external_sd
-rw-r--r-- 1 root root 46380 2021-09-10 01:34 file_contexts
-rw-r--r-- 1 root root 865607 2021-09-10 01:30 file_contexts.bin
lrwxrwxrwx 1 root root 16 2021-09-10 01:30 init -> /system/bin/init
-rwxr-x--- 1 root root 7073 2021-09-10 01:30 init.rc
-rwxr-x--- 1 root root 103 2021-09-10 01:30 init.recovery.hlthchrg.rc
-rwxr-x--- 1 root root 58 2021-09-10 01:30 init.recovery.ldconfig.rc
-rwxr-x--- 1 root root 312 2021-09-10 01:30 init.recovery.logd.rc
-rwxr-x--- 1 root root 8824 2021-09-10 02:14 init.recovery.microtrust.rc
-rwxr-x--- 1 root root 3686 2021-09-10 02:00 init.recovery.mt6762.rc
-rwxrwx--- 1 root root 854 2021-08-28 14:20 init.recovery.prepdecrypt.rc
-rwxr-x--- 1 root root 213 2021-09-10 01:30 init.recovery.service.rc
-rwxr-x--- 1 root root 7862 2021-09-10 01:30 init.recovery.usb.rc
drwxr-xr-x 3 root root 0 2021-09-10 01:30 license
drwxr-xr-x 5 root system 100 2021-09-27 13:00 mnt
drwxrwx--x 6 system system 4096 2021-01-01 09:33 nvcfg
drwxrwx--x 8 root system 4096 2021-01-01 08:06 nvdata
drwxr-xr-x 2 root root 0 2021-09-10 01:30 odm
-rw-r--r-- 1 root root 0 2021-09-10 01:30 odm_file_contexts
-rw-r--r-- 1 root root 0 2021-09-10 01:30 odm_property_contexts
drwxr-xr-x 2 root root 0 2021-09-10 01:30 oem
drwxrwx--x 5 system system 4096 2021-01-01 09:33 persist
-rw-r--r-- 1 root root 32079 2021-09-10 01:30 plat_file_contexts
-rw-r--r-- 1 root root 9476 2021-09-10 01:30 plat_property_contexts
dr-xr-xr-x 359 root root 0 1970-01-01 00:00 proc
drwxr-xr-x 12 root root 4096 2009-01-01 00:00 product
-rw-r--r-- 1 root root 0 2021-09-10 01:30 product_file_contexts
-rw-r--r-- 1 root root 0 2021-09-10 01:30 product_property_contexts
lrwxrwxrwx 1 root root 24 2021-09-10 01:30 product_services -> /system/product_services
-rw-r--r-- 1 root root 7414 2021-09-10 01:48 prop.default
drwxrwx--- 4 system system 4096 2010-01-01 00:10 protect_f
drwxrwx--- 4 system system 4096 2010-01-01 00:10 protect_s
-rw-r--r-- 1 root root 0 2021-09-10 01:30 relink_binaries-timestamp
-rw-r--r-- 1 root root 0 2021-09-10 01:30 relink_libraries-timestamp
drwxr-xr-x 3 root root 0 2021-09-10 01:30 res
drwx------ 2 root root 0 2020-06-05 06:41 root
drwxr-x--- 2 root root 0 2021-09-10 01:30 sbin
drwxrwx--- 13 media_rw media_rw 4096 2021-09-27 13:06 sdcard
-rw-r--r-- 1 root root 465178 2021-09-10 01:30 sepolicy
drwxr-xr-x 2 root root 0 2021-09-27 13:00 sideload
drwxr-x--x 2 root root 0 2021-09-10 01:30 storage
dr-xr-xr-x 14 root root 0 2021-09-27 13:00 sys
drwxr-xr-x 7 root root 0 2021-09-27 13:09 system
drwxr-xr-x 21 root root 4096 2009-01-01 00:00 system_root
drwxrwxr-x 2 root shell 120 2021-09-27 13:07 tmp
drwxr-xr-x 5 root root 0 2021-09-10 01:55 twres
-rw-r--r-- 1 root root 0 2021-09-10 01:30 twrp_ramdisk-timestamp
-rw-r--r-- 1 root root 5900 2021-09-10 02:03 ueventd.mt6762.rc
-rw-r--r-- 1 root root 2969 2021-09-10 02:02 ueventd.rc
drwxrwxrwx 2 root root 0 2021-09-27 13:01 usbotg
drwxr-xr-x 14 root shell 4096 2009-01-01 00:00 vendor
-rw-r--r-- 1 root root 7759 2021-09-10 01:30 vendor_file_contexts
-rw-r--r-- 1 root root 218 2021-09-10 01:30 vendor_property_contexts
-rw-r--r-- 1 root root 0 2021-09-10 01:30 vendor_service_contexts
Armor_X5_Q:/ #
Edit:
drwxrwx--- 4 system system 4096 2010-01-01 00:10 protect_f
drwxrwx--- 4 system system 4096 2010-01-01 00:10 protect_s
Why dm-1, 2, 3, cant be mounted even in root.

So, your bootloader is unlocked and your bootimage-debug gives root to you and the entire world. In other words, here is the key to my house, and by the way, there is no lock. And by another way, there will be nothing left in the house soon. Nice.
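
Added example, not part of the thread: the exposure raised in the post above (unlocked bootloader, debug boot image, root over adb) leaves traces in the device's system properties, so it can be checked from `adb shell getprop` output. This Python sketch parses that output and lists which of those conditions hold; the check names and both sample dumps are constructed for the example.

```python
import re

PROP_LINE = re.compile(r"^\[([^\]]+)\]: \[(.*)\]$")


def parse_getprop(text):
    """Parse `adb shell getprop` output ("[key]: [value]" lines) into a dict."""
    props = {}
    for line in text.splitlines():
        match = PROP_LINE.match(line.strip())
        if match:
            props[match.group(1)] = match.group(2)
    return props


# Each check returns True (finding), False (clean) or None (property not exported).
def _debuggable_user_build(p):
    if "ro.build.type" not in p or "ro.debuggable" not in p:
        return None
    return p["ro.build.type"] == "user" and p["ro.debuggable"] == "1"


def _bootloader_unlocked(p):
    locked = p.get("ro.boot.flash.locked")
    state = p.get("ro.boot.vbmeta.device_state")
    if locked is None and state is None:
        return None
    return locked == "0" or state == "unlocked"


def _differs(key, expected):
    return lambda p: None if key not in p else p[key] != expected


CHECKS = [
    ("debuggable_user_build", _debuggable_user_build),
    ("bootloader_unlocked", _bootloader_unlocked),
    ("boot_state_not_green", _differs("ro.boot.verifiedbootstate", "green")),
    ("verity_not_enforcing", _differs("ro.boot.veritymode", "enforcing")),
    ("adb_auth_disabled", _differs("ro.adb.secure", "1")),
    # Absent means adbd was never restarted as root, so this is never "unknown".
    ("adbd_root", lambda p: p.get("service.adb.root") == "1"),
]


def triage(getprop_text):
    """Return the checks that fired and the ones that could not be evaluated."""
    props = parse_getprop(getprop_text)
    result = {"findings": [], "unknown": []}
    for name, check in CHECKS:
        verdict = check(props)
        if verdict is None:
            result["unknown"].append(name)
        elif verdict:
            result["findings"].append(name)
    return result


# Constructed sample: a user build booted with debug overrides on an unlocked device.
DEBUG_BOOT_SAMPLE = """\
[ro.build.type]: [user]
[ro.debuggable]: [1]
[ro.adb.secure]: [0]
[ro.boot.flash.locked]: [0]
[ro.boot.verifiedbootstate]: [orange]
[ro.boot.veritymode]: [disabled]
[service.adb.root]: [1]
"""

# Constructed sample: a locked stock device that does not export ro.boot.veritymode.
STOCK_SAMPLE = """\
[ro.build.type]: [user]
[ro.debuggable]: [0]
[ro.adb.secure]: [1]
[ro.boot.flash.locked]: [1]
[ro.boot.verifiedbootstate]: [green]
"""

if __name__ == "__main__":
    print("debug boot:", triage(DEBUG_BOOT_SAMPLE))
    print("stock:     ", triage(STOCK_SAMPLE))
```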

optimumpro said:
So, your bootloader is unlocked and your bootimage-debug gives root to you and the entire world. In other words, here is the key to my house, and by the way, there is no lock. And by another way, there will be nothing left in the house soon. Nice.
Oi... EVERY rooted fone has an unlocked bootloader, your point being?
Oh... I'm taking away profit from some... never noticed until you came along.. {Mod edit}
And you trust magisk... {Mod edit}
That would not tell you of THIS exploit:
{Mod edit: Disrespectful behaviour removed - Regards Oswald Boelcke}

Edit:
(Do all this offline... )
Flash magisk'd boot, but in gui, dont update internet, in fact, dont run it.
Install busybox-1.31.1-46.apk (do all this offline) but u cant install it yet, because magisk has no internet, but busybox will give you an option to install to, or edit the install.sh to say install dir / instead of /system, it did install what it could to the required directory, and if magisk'd bootloader grants su to busybox...
(it did in mine...) Reboot back into bootloader
Then reflash boot-debug.img, flash stock recovery, and reboot again, wot no magisk?
Now see:
D:\0\AdbStation>adb root
restarting adbd as root
D:\0\AdbStation>adb remount
/system/bin/remount exited with status 2
remount failed
D:\0\AdbStation>adb shell
Armor_X5_Q:/ # su
Armor_X5_Q:/ #
D:\0\AdbStation>adb root
restarting adbd as root
D:\0\AdbStation>adb remount
/system/bin/remount exited with status 2
remount failed
D:\0\AdbStation>adb shell
Armor_X5_Q:/ # su
Armor_X5_Q:/ # ^C
130|Armor_X5_Q:/ #
130|Armor_X5_Q:/ #
Notice it said nothing of user build or production build, and oh, you need to cntrl/c to exit this... then type exit... but notice who is logged in before :/
Su working in my fone, now to try with boot.img
Remember: All stock

Related

New OTA Update (Telstra 1.89)

Seems Telstra users got a 1.89 OTA update today :highfive:
I'll see if an RUU is available, but I think this makes it the newest official ROM version of the One X / XL so far?
Changes?
the_scotsman said:
Seems Telstra users got a 1.89 OTA update today :highfive:
I'll see if an RUU is available, but I think this makes it the newest official ROM version of the One X / XL so far?
Yepity yep.
Questions- Do we know the changes? Release notes?
Seems quicker to load up apps.....although that could just be because it rebooted for the first time since I bought it.... :laugh:
the_scotsman said:
Seems Telstra users got a 1.89 OTA update today :highfive:
I'll see if an RUU is available, but I think this makes it the newest official ROM version of the One X / XL so far?
indeed
it got to be just pushing out this afternoon, it wasn't available this morning
Anyone tried rooting the new OTA after updating?
doesn't work
Code:
$ ./root-linux.sh
Don't touch the device or unplug while rooting!
Push files
error: protocol fault (no status)
* daemon not running. starting it now *
* daemon started successfully *
rm failed for /data/local/installbusybox, No such file or directory
rm failed for /data/local/installbusybox2, No such file or directory
rm failed for /data/local/root, No such file or directory
rm failed for /data/local/root2, No such file or directory
rm failed for /data/local/sysro, No such file or directory
rm failed for /data/local/sysro2, No such file or directory
rm failed for /data/local/sysrw, No such file or directory
rm failed for /data/local/sysrw2, No such file or directory
rm failed for /data/local/unroot, No such file or directory
rm failed for /data/local/unroot2, No such file or directory
rm failed for /data/local/busybox, No such file or directory
rm failed for /data/local/su, No such file or directory
rm failed for /data/local/Superuser.apk, No such file or directory
failed to copy 'busybox' to '/data/local/busybox': Permission denied
failed to copy 'su' to '/data/local/su': Permission denied
failed to copy 'Superuser.apk' to '/data/local/Superuser.apk': Permission denied
Unable to chmod /data/local/busybox: No such file or directory
Unable to chmod /data/local/su: No such file or directory
Unable to chmod /data/local/Superuser.apk: No such file or directory
failed on '/data/local/tmp' - Permission denied
link failed File exists
rm failed for /data/local.prop, No such file or directory
Reboot
/system/bin/sh: cannot create /data/local.prop: Permission denied
Reboot again...
mount: Operation not permitted
mount: Operation not permitted
/system/bin/sh: cannot create /system/xbin/busybox: Read-only file system
Unable to chmod /system/xbin/busybox: No such file or directory
/system/bin/sh: /system/xbin/busybox: not found
/system/bin/sh: busybox: not found
/system/bin/sh: busybox: not found
Unable to chmod /system/xbin/su: No such file or directory
Unable to chmod /system/xbin/su: No such file or directory
Unable to chmod /system/app/Superuser.apk: No such file or directory
rm failed for /data/local.prop, No such file or directory
rm failed for /data/local/tmp, Permission denied
failed on '/data/local/tmp.bak' - No such file or directory
Reboot one last time...
erasen1 said:
doesn't work
Code:
$ ./root-linux.sh
Don't touch the device or unplug while rooting!
Push files
error: protocol fault (no status)
* daemon not running. starting it now *
* daemon started successfully *
rm failed for /data/local/installbusybox, No such file or directory
rm failed for /data/local/installbusybox2, No such file or directory
rm failed for /data/local/root, No such file or directory
rm failed for /data/local/root2, No such file or directory
rm failed for /data/local/sysro, No such file or directory
rm failed for /data/local/sysro2, No such file or directory
rm failed for /data/local/sysrw, No such file or directory
rm failed for /data/local/sysrw2, No such file or directory
rm failed for /data/local/unroot, No such file or directory
rm failed for /data/local/unroot2, No such file or directory
rm failed for /data/local/busybox, No such file or directory
rm failed for /data/local/su, No such file or directory
rm failed for /data/local/Superuser.apk, No such file or directory
failed to copy 'busybox' to '/data/local/busybox': Permission denied
failed to copy 'su' to '/data/local/su': Permission denied
failed to copy 'Superuser.apk' to '/data/local/Superuser.apk': Permission denied
Unable to chmod /data/local/busybox: No such file or directory
Unable to chmod /data/local/su: No such file or directory
Unable to chmod /data/local/Superuser.apk: No such file or directory
failed on '/data/local/tmp' - Permission denied
link failed File exists
rm failed for /data/local.prop, No such file or directory
Reboot
/system/bin/sh: cannot create /data/local.prop: Permission denied
Reboot again...
mount: Operation not permitted
mount: Operation not permitted
/system/bin/sh: cannot create /system/xbin/busybox: Read-only file system
Unable to chmod /system/xbin/busybox: No such file or directory
/system/bin/sh: /system/xbin/busybox: not found
/system/bin/sh: busybox: not found
/system/bin/sh: busybox: not found
Unable to chmod /system/xbin/su: No such file or directory
Unable to chmod /system/xbin/su: No such file or directory
Unable to chmod /system/app/Superuser.apk: No such file or directory
rm failed for /data/local.prop, No such file or directory
rm failed for /data/local/tmp, Permission denied
failed on '/data/local/tmp.bak' - No such file or directory
Reboot one last time...
Damn, thanks for letting us know.
EDIT: Those errors look like an issue with the root install process. Obviously your phone was connected and you have the drivers installed? It looks like it's not seeing the phone at all.
The phone is connected; there was an adb instance in another terminal, that's why you see the script start adb-mac at the top.
I tried some commands from the script; it looks like the update changed file permissions
Code:
$ adb push su /data/local/su
failed to copy 'su' to '/data/local/su': Permission denied
$ adb shell
1|[email protected]:/ $ mv /data/local/tmp /data/local/tmp.bak
failed on '/data/local/tmp' - Permission denied
someone on stock 1.81 can compare
Code:
[email protected]:/ $ mount
rootfs / rootfs ro,relatime 0 0
tmpfs /dev tmpfs rw,nosuid,relatime,mode=755 0 0
devpts /dev/pts devpts rw,relatime,mode=600 0 0
proc /proc proc rw,relatime 0 0
sysfs /sys sysfs rw,relatime 0 0
/dev/block/mmcblk0p33 /system ext4 ro,relatime,user_xattr,barrier=1,data=ordered 0 0
/dev/block/mmcblk0p35 /data ext4 rw,nosuid,nodev,relatime,user_xattr,barrier=1,data=ordered,discard 0 0
/dev/block/mmcblk0p34 /cache ext4 rw,nosuid,nodev,relatime,user_xattr,barrier=1,data=ordered,discard 0 0
/dev/block/mmcblk0p26 /devlog ext4 rw,nosuid,nodev,relatime,user_xattr,barrier=1,data=ordered,discard 0 0
/sys/kernel/debug /sys/kernel/debug debugfs rw,relatime 0 0
none /acct cgroup rw,relatime,cpuacct 0 0
tmpfs /mnt/asec tmpfs rw,relatime,mode=755,gid=1000 0 0
tmpfs /mnt/obb tmpfs rw,relatime,mode=755,gid=1000 0 0
none /dev/cpuctl cgroup rw,relatime,cpu 0 0
/dev/block/mmcblk0p17 /firmware_radio vfat ro,relatime,fmask=0000,dmask=0000,allow_utime=0022,codepage=cp437,iocharset=iso8859-1,shortname=lower,errors=remount-ro 0 0
/dev/block/mmcblk0p18 /firmware_q6 vfat ro,relatime,fmask=0000,dmask=0000,allow_utime=0022,codepage=cp437,iocharset=iso8859-1,shortname=lower,errors=remount-ro 0 0
/dev/block/mmcblk0p19 /firmware_wcnss vfat ro,relatime,fmask=0000,dmask=0000,allow_utime=0022,codepage=cp437,iocharset=iso8859-1,shortname=lower,errors=remount-ro 0 0
tmpfs /data/secure/data tmpfs rw,relatime,mode=755,gid=1000 0 0
htcfs /data/htcfs fuse.htcfs rw,nosuid,nodev,relatime,user_id=0,group_id=0,allow_other 0 0
DxDrmServerIpc /data/DxDrm/fuse fuse.DxDrmServerIpc rw,nosuid,nodev,relatime,user_id=0,group_id=0,allow_other 0 0
/dev/block/vold/179:36 /mnt/sdcard vfat rw,nosuid,nodev,noexec,relatime,uid=1000,gid=1015,fmask=0702,dmask=0702,allow_utime=0020,codepage=cp437,iocharset=iso8859-1,shortname=mixed,utf8,errors=remount-ro,discard 0 0
/dev/block/vold/179:36 /mnt/secure/asec vfat rw,nosuid,nodev,noexec,relatime,uid=1000,gid=1015,fmask=0702,dmask=0702,allow_utime=0020,codepage=cp437,iocharset=iso8859-1,shortname=mixed,utf8,errors=remount-ro,discard 0 0
tmpfs /mnt/sdcard/.android_secure tmpfs ro,relatime,size=0k,mode=000 0 0
[email protected]:/ $
[email protected]:/ $ ls -la
drwxr-xr-x root root 2012-07-13 22:44 acct
drwxrwx--- system cache 2012-07-13 21:13 cache
dr-x------ root root 2012-07-13 22:44 config
-rw-r--r-- root root 1387 1970-01-01 10:00 cwkeys
lrwxrwxrwx root root 2012-07-13 22:44 d -> /sys/kernel/debug
drwxrwx--x system system 2012-07-13 17:06 data
-rw-r--r-- root root 118 1970-01-01 10:00 default.prop
drwxr-xr-x root root 2012-07-13 22:44 dev
drwx------ root root 2012-07-13 22:45 devlog
lrwxrwxrwx root root 2012-07-13 22:44 etc -> /system/etc
drwxrwx--x system system 2012-07-13 22:44 firmware_dsps
drwxrwxrwx root root 1970-01-01 10:00 firmware_q6
drwxrwxrwx root root 1970-01-01 10:00 firmware_radio
drwxrwxrwx root root 1970-01-01 10:00 firmware_wcnss
-rwxr-x--- root root 111620 1970-01-01 10:00 init
-rwxr-x--- root root 19133 1970-01-01 10:00 init.elite.rc
-rwxr-x--- root root 2344 1970-01-01 10:00 init.goldfish.rc
-rwxr-x--- root root 13114 1970-01-01 10:00 init.qcom.rc
-rwxr-x--- root root 9588 1970-01-01 10:00 init.qcom.sh
-rwxr-x--- root root 22080 1970-01-01 10:00 init.rc
-rwxr-x--- root root 3314 1970-01-01 10:00 init.target.rc
-rwxr-x--- root root 7760 1970-01-01 10:00 init.usb.rc
drwxrwxr-x root system 2012-07-13 22:44 mnt
dr-xr-xr-x root root 1970-01-01 10:00 proc
drwx------ root root 2012-06-19 18:46 root
drwxr-x--- root root 1970-01-01 10:00 sbin
lrwxrwxrwx root root 2012-07-13 22:44 sdcard -> /mnt/sdcard
drwxr-xr-x root root 2012-07-13 22:44 sys
drwxr-xr-x root root 2012-07-13 20:04 system
drwxrwx--x system system 2012-07-13 22:44 tombstones
-rw-r--r-- root root 272 1970-01-01 10:00 ueventd.goldfish.rc
-rw-r--r-- root root 8451 1970-01-01 10:00 ueventd.rc
drwxrwx--x system system 2012-07-13 22:44 vendor
[email protected]:/ $
I smell an ATT update and possibly kernel source release soon
Sent from my HTC One X using xda app-developers app
I'm gonna wait till there is a rooted deodexed version of this before I let it update, but I'm hoping this means source code finally!
Sent from my HTC One XL using Tapatalk 2
Yes I did an OTA update to 1.89 from my stock 1.81. Worked fine even though i'm in UK atm. I don't see any differences from playing with the phone today.
I wonder if we can sniff out the 1.89 RUU somehow. Is it possible to see where the OTA itself is downloading from? Maybe that site hosts RUU too?
juicejuice said:
Yes I did an OTA update to 1.89 from my stock 1.81. Worked fine even though i'm in UK atm. I don't see any differences from playing with the phone today.
I wonder if we can sniff out the 1.89 RUU some how. Is it possible to see where the OTA itself is downloading from? Maybe that site hosts RUU too?
I am in contact with someone who has access to the RUUs. This new one isn't yet available.
I don't know if this is of any help but here's the downloaded update file (even though I can't apply it I can still download it ad nauseum)
https://www.dropbox.com/s/wxsqmdhwc...81.841.1_R_release_266785ap9qro3i4pvkmhv0.zip
ethantarheels123 said:
I smell an ATT update and possibly kernel source release soon
Sent from my HTC One X using xda app-developers app
I spoke to a high up tech at HTC and they said AT&T will have a maintenance update within 3 weeks. Not sure if it's the same. He told me wifi will be 99.99% fixed and Bluetooth radio will be optimized. I asked him about jellybean and he just laughed. I guess they haven't even discussed jellybean yet.
OP - Did you notice better multi-tasking? Better battery life?
I just got the update also. I had to manually check for it. I haven't noticed the font changing in messages yet. Although messages did crash on me once. I'll see how my battery goes today and report back. Where is the changelog? Can't seem to find it anywhere
Sent from my HTC One XL using xda app-developers app
Some version info for people.
1.81.841.1 -> 1.89.841.9
Kernel
3.0.8-01145 -> 3.0.8-01159
Radio
17a.32.09.03_2_10.85.32.16L -> 18c.32.09.01_10.93a.32.20L
hboot
1.09.0000 -> 1.11.0000
OpenDSP
v25.1.0.32.0405 -> 28.1.0.32.0504
Apr(I forgot to write the rest) -> Jun 7 2012,13:10:34
karan1203 said:
I spoke to a high up tech at HTC and they said AT&T will have a maintenance update within 3 weeks. Not sure if it's the same. He told me wifi will be 99.99% fixed and blutooth radio will be optimized. I asked him about jellybean and he just laughed. I guess they haven't even discussed jellybean yet.
OP - Did you notice better multi-tasking? Better battery life?
Isn't Wifi a hardware issue? Will this be another "fix" like what Asus did with Prime tablets? Heh.
Anyone who has applied this update, do you lose root and if so can you get it back easy enough. Also I've not unlocked the bootloader, is this still possible after upgrading HBOOT?
Never actually used an official update, got sick of waiting for telstra to bring froyo when I had my Desire and never looked back.
Hmm, I couldn't do the update.
I think it's because my phone has been rooted.
Anyone experience the same problem?
Itaintrite said:
Isn't Wifi a hardware issue? Will this be another "fix" like what Asus did with Prime tablets? Heh.
Why do you think it is hardware based?
Some of the issues people report are:
-auto 2.4/5ghz doesn't work (can't obtain IP aka no data flow). Must force 2.4ghz
-wifi does not disconnect when out of range. Must turn wifi off/on
-wifi does not reconnect when in range. Must turn wifi off/on
I think the general understanding is all of these are likely just a software issue.
---------- Post added at 08:08 AM ---------- Previous post was at 08:06 AM ----------
dejapanda said:
hmm i couldnt do the update.
i think cause my phone has been rooted.
anyone experience the same problem?
I believe you need stock recovery for it to work. Maybe also require locked bootloader.
I personally locked the bootloader, flashed Telstra RUU and then installed the update. Followed by unlocking bootloader and replacing recovery again
twistedddx said:
I believe you need stock recovery for it to work. Maybe also require locked bootloader.
I personally locked the bootloader, flashed Telstra RUU and then installed the update. Followed by unlocking bootloader and replacing recovery again
Did you try rooting again after the update?

[ROOT] [REF] LG K7 install SuperSU without Kingroot (lgms330 and lgk330)

***It worked for me, but I make no guarantee of invariable results. I therefore claim no responsibility and offer no warranty. If it does brick your phone, please pm me with the subject "SuperSU without Kingroot" so we can figure out where we went wrong.***
MetroPCS (lgms330) and the T-Mobile (lgk330) models.​
The TWRP method: It's easier than the old method in post 3, which did mess up a couple of people's phones for some reason. The method in post 3 is still relevant for those who don't want to use TWRP for whatever reason.
You will need:
computer, usb cord, and *adb/fastboot installed
*A note to those who don't know what adb or fastboot is:
There are plenty of tutorials out there explaining how to install and use adb and fastboot.
If you are unfamiliar with these tools you may want to check out this forum.
Part 1: enable developer mode / unlock boot loader
Developer options
On your phone, open Settings and do the following
Enable Developer mode
Enable oem unlock (LG was nice enough to enable us to unlock our bootloader from the "developer options")
Enable adb debug
Plug your phone into your computer and run
Code:
adb devices
You will be prompted to "Allow USB debugging?"
Part 2: installing the Team Win Recovery Project.
I can confirm that the following technique works for the T-Mobile k330 too.
Abridged quoted instructions from this thread / partial copy from post #42 Senior Member: starkly_raving
Prerequisites:
1. unlocked bootloader
2. knowledge of fastboot commands.
First, connect your phone to the computer and run
Code:
adb reboot bootloader
Next, if you want to test but not replace your recovery
Code:
fastboot boot Twrp_m1_v2.img
Instead, if you want to replace your recovery partition with TWRP
Code:
fastboot flash recovery twrp-image-3.img
DOWNLOADS:
New forum has a version of TWRP with a button combination to boot into recovery.
Beta1:
twrp-image-3.img (I hope you don't mind me mirroring, @reemobeens19)
Part 3: Installing SuperSu, Xposed framework, and Xposed installer
At the time of this writing these are the latest versions:
Xposed framework: sdk22/arm/xposed-v86-sdk22-arm.zip
Xposed installer: XposedInstaller_3.0-alpha4.apk
SuperSU: Version 2.76
Xposed uninstaller <- You need to flash this in order to completely uninstall the Xposed framework if you don't want it anymore or you want to upgrade with a newer version.
On our phone booting into TWRP can be done with the physical button combinations. If you don't feel like doing finger gymnastics you can use
Code:
adb reboot recovery
Tap install, choose the zip file(s) you downloaded, and the rest is fairly self explanatory.
If I made any errors or omissions feel free to mention it. I really hope this helps.
Xposed Follow up
Now that you have the Xposed Framework installed, you need to install the "Xposed installer" app in order to use it.
You need to go into settings -> security -> and check the box that says "Unknown sources"
If you have downloaded the XposedInstaller_3.0_alpha4.apk onto your phone, then you can use the "File Manager" app already installed on the phone; navigate to the XposedInstaller_3.0_alpha4.apk (probably in your "Download" folder); and tap on it. It will ask if you want to install it so tap install.
Xposed installer needs root access so grant it when prompted. The first time I ran the actual app it threw an error message. Either restart your phone or restart the app (I cannot remember which I did) then it should work.
OBSOLETE
Here are the old instructions for posterity. It worked for quite a few people
***I have followed this exact procedure with a 100% success rate in linux; however, I make no guarantee of invariable results. I therefore claim no responsibility and offer no warranty. If it does brick your phone, please pm me with the subject "SuperSU without Kingroot" so we can figure out where we went wrong.***
These custom system images come with SuperSu and the appropriate Xposed framework (sdk22/arm/xposed-v86-sdk22-arm.zip) baked right in.
So many people have bricked their LG K7's trying to replace kingroot with the superb SuperSu by chainfire. I have seen many that have bricked their phones trying to flash the latest Xposed framework as well. This method will hopefully be easy enough to deter people from relying on kingroot altogether. (Feel free to leave feedback in the comments if there is a step that needs further elaboration or isn't working)
This tutorial will work for both the MetroPCS (lgms330) and the T-Mobile (lgk330) models.
***This will wipe your device***
You will need:
computer, usb cord, *adb/fastboot installed, the appropriate system image, and serious patience.
MetroPCS Download:
ms330_root_system.img
T-Mobile Download:
k330_root_system.img
*A note to those who don't know what adb or fastboot is:
There are plenty of tutorials out there explaining how to install and use adb and fastboot.
If you are unfamiliar with these tools you may want to check out this forum.
Developer options
On your phone, open Settings and do the following
Enable Developer mode
Enable oem unlock (LG was nice enough to enable us to unlock our bootloader from the "developer options")
Enable adb debug
Plug your phone into your computer and run
Code:
adb devices
You will be prompted to "Allow USB debugging?"
Someone who is proficient in Windows please verify that fastboot "sees" the device. I was having trouble getting my Windows 7 64bit machine to recognize it. It worked every time in linux though. Thanks.
ADB/Fastboot commands
On the computer (in windows you may have to replace adb with adb.exe and fastboot with fastboot.exe)
Code:
adb reboot bootloader
Code:
fastboot oem unlock
Don’t worry about the message it returns:
Code:
FAILED (remote: Already unlocked)
or
Code:
OKAY [ 0.040s]
Let's be OCD and make certain the bootloader is unlocked.
Code:
fastboot getvar unlocked
The result should be
Code:
unlocked: yes
finished. total time: 0.001s
Get ready to wait a loooooong time. Flash the correct system image for your device carrier.
DON’T PANIC!!! When you run the fastboot command to flash the system image, it will return something like “Invalid sparse file format at header magi” and hangs for what seems like an eternity. This is normal. The next message it returns is “erasing 'system'...” and then you wait another eternity for the system to be overwritten. Mine took over 6 minutes to complete.
MetroPCS
Code:
fastboot flash system ms330_root_system.img
T-Mobile
Code:
fastboot flash system k330_root_system.img
Wait forever for it to get to the “Android is starting…” screen by running
Code:
fastboot reboot
I have no problem with kingroot as a concept. I just want to help people avoid bricking their phones.
It says cannot load 'ms330_root_system.img'
When I did the fastboot getvar unlocked it showed, "unlocked: yes; finished total time 0.000"
IEatFood said:
It says cannot load 'ms330_root_system.img'
When I did the fastboot getvar unlocked it showed, "unlocked: yes; finished total time 0.000"
I assume you are on the step where you issue the fastboot command to flash the system image. I'm guessing you don't have the system image in the same directory as you are executing the fastboot command. i.e. If you downloaded the 'ms330_root_system.img' into your Downloads folder you need to change into that directory in the command prompt
Windows cmd
Code:
C:\Windows\system32>
C:\Windows\system32> cd C:\Users\IEatFood\Downloads
C:\Users\IEatFood\Downloads> fastboot flash system ms330_root_system.img
Alternatively, you could copy/paste the 'ms330_root_system.img' into the same directory as the fastboot.exe
Linux terminal
Code:
~/ $
~/ $ cd Downloads/
~/Downloads $ fastboot flash system ms330_root_system.img
ledzepman71 said:
I assume you are on the step where you issue the fastboot command to flash the system image. I'm guessing you don't have the system image in the same directory as you are executing the fastboot command. i.e. If you downloaded the 'ms330_root_system.img' into your Downloads folder you need to change into that directory in the command prompt
Windows cmd
Code:
C:\Windows\system32>
C:\Windows\system32> cd C:\Users\IEatFood\Downloads
C:\Users\IEatFood\Downloads> fastboot flash system ms330_root_system.img
Alternatively, you could copy/paste the 'ms330_root_system.img' into the same directory as the fastboot.exe
Linux terminal
Code:
~/ $
~/ $ cd Downloads/
~/Downloads $ fastboot flash system ms330_root_system.img
Alright, 'I got the invalid sparse file format at header magi'
finished. total time: 0.002s
C:\Program Files (x86)\Minimal ADB and Fastboot>fastboot flash system ms330_root
_system.img
target reported max download size of 268435456 bytes
Invalid sparse file format at header magi
erasing 'system'...
OKAY [ 0.034s]
sending sparse 'system' 1/9 (257070 KB)...
OKAY [ 8.874s]
writing 'system' 1/9...
FAILED (remote: size too large)
finished. total time: 8.915s
Now it bricked my phone.
It keeps loading Bootloader STATE: Bootloader Unlock!!
IEatFood said:
Now it bricked my phone.
It keeps loading Bootloader STATE: Bootloader Unlock!!
My phone is doing the exact same thing after following the tutorial
CompFreak89 said:
My phone is doing the exact same thing after following the tutorial
Did it run successfully? If so sometimes you have to do the factory reset. Power off. Hold Vol down and power button. When the screen comes on keep holding down the vol down button, let go of the power button and then push the power button again.
If it didn't run successfully please pm me with all the details including your phone model and all the output from the command line. Don't worry, we'll get you squared away.
I updated the op to use an easier more standard way with TWRP.
tried it!
can't get past the step where you fastboot it, it gets stuck on the LG logo with small letters at the top
any ideas why?
I am on K330 by the way
To everyone. Please do research before flashing anything. Somebody had an lg Stylo tot. Trying to pass it off as a MS330! Wrong. Please research.
https://www.facebook.com/Czarsuperstar/
azureee said:
can't get past the step where you fastboot it, it get's stuck on the LG logo with small letters at the top
any ideas why?
I am on K330 by the way
If your problem hasn't been resolved, can you please describe in further detail what happened. Were you using the obsolete instructions in post 3? Were you on the step where you reboot into the bootloader? If you're really stuck please feel free to pm me.
[email protected] said:
To everyone. Please do research before flashing anything. Somebody had an lg Stylo tot. Trying to pass it off as a MS330! Wrong. Please research.
https://www.facebook.com/Czarsuperstar/
Hello, I appreciate your concern. On the topic of research, I was once told "a week in the lab can save you an hour in the library." I absolutely agree and would also encourage everyone to look deeper before plunging in head first.
If you are doubting the authenticity of my efforts and files allow me to elaborate on my method. As you will see, all the files were pulled directly off my personal phone and are not second hand impostors.
First, I looked up the partition table in adb using
Code:
ls -al /dev/block/platform/*/by-name
which output:
Code:
lrwxrwxrwx root root 1970-01-10 18:59 DDR -> /dev/block/mmcblk0p13
lrwxrwxrwx root root 1970-01-10 18:59 aboot -> /dev/block/mmcblk0p5
lrwxrwxrwx root root 1970-01-10 18:59 abootbak -> /dev/block/mmcblk0p9
lrwxrwxrwx root root 1970-01-10 18:59 boot -> /dev/block/mmcblk0p33
lrwxrwxrwx root root 1970-01-10 18:59 cache -> /dev/block/mmcblk0p38
lrwxrwxrwx root root 1970-01-10 18:59 config -> /dev/block/mmcblk0p21
lrwxrwxrwx root root 1970-01-10 18:59 devinfo -> /dev/block/mmcblk0p20
lrwxrwxrwx root root 1970-01-10 18:59 drm -> /dev/block/mmcblk0p28
lrwxrwxrwx root root 1970-01-10 18:59 eksst -> /dev/block/mmcblk0p19
lrwxrwxrwx root root 1970-01-10 18:59 encrypt -> /dev/block/mmcblk0p18
lrwxrwxrwx root root 1970-01-10 18:59 factory -> /dev/block/mmcblk0p35
lrwxrwxrwx root root 1970-01-10 18:59 fota -> /dev/block/mmcblk0p23
lrwxrwxrwx root root 1970-01-10 18:59 fsc -> /dev/block/mmcblk0p15
lrwxrwxrwx root root 1970-01-10 18:59 fsg -> /dev/block/mmcblk0p14
lrwxrwxrwx root root 1970-01-10 18:59 grow -> /dev/block/mmcblk0p40
lrwxrwxrwx root root 1970-01-10 18:59 keystore -> /dev/block/mmcblk0p17
lrwxrwxrwx root root 1970-01-10 18:59 laf -> /dev/block/mmcblk0p32
lrwxrwxrwx root root 1970-01-10 18:59 misc -> /dev/block/mmcblk0p30
lrwxrwxrwx root root 1970-01-10 18:59 modem -> /dev/block/mmcblk0p1
lrwxrwxrwx root root 1970-01-10 18:59 modemst1 -> /dev/block/mmcblk0p10
lrwxrwxrwx root root 1970-01-10 18:59 modemst2 -> /dev/block/mmcblk0p11
lrwxrwxrwx root root 1970-01-10 18:59 mpt -> /dev/block/mmcblk0p36
lrwxrwxrwx root root 1970-01-10 18:59 persist -> /dev/block/mmcblk0p31
lrwxrwxrwx root root 1970-01-10 18:59 raw_resources -> /dev/block/mmcblk0p26
lrwxrwxrwx root root 1970-01-10 18:59 raw_resourcesbak -> /dev/block/mmcblk0p27
lrwxrwxrwx root root 1970-01-10 18:59 rct -> /dev/block/mmcblk0p24
lrwxrwxrwx root root 1970-01-10 18:59 recovery -> /dev/block/mmcblk0p34
lrwxrwxrwx root root 1970-01-10 18:59 rpm -> /dev/block/mmcblk0p4
lrwxrwxrwx root root 1970-01-10 18:59 rpmbak -> /dev/block/mmcblk0p8
lrwxrwxrwx root root 1970-01-10 18:59 sbl1 -> /dev/block/mmcblk0p2
lrwxrwxrwx root root 1970-01-10 18:59 sbl1bak -> /dev/block/mmcblk0p6
lrwxrwxrwx root root 1970-01-10 18:59 sec -> /dev/block/mmcblk0p16
lrwxrwxrwx root root 1970-01-10 18:59 sns -> /dev/block/mmcblk0p29
lrwxrwxrwx root root 1970-01-10 18:59 spare1 -> /dev/block/mmcblk0p22
lrwxrwxrwx root root 1970-01-10 18:59 spare2 -> /dev/block/mmcblk0p25
lrwxrwxrwx root root 1970-01-10 18:59 ssd -> /dev/block/mmcblk0p12
lrwxrwxrwx root root 1970-01-10 18:59 system -> /dev/block/mmcblk0p37
lrwxrwxrwx root root 1970-01-10 18:59 tz -> /dev/block/mmcblk0p3
lrwxrwxrwx root root 1970-01-10 18:59 tzbak -> /dev/block/mmcblk0p7
lrwxrwxrwx root root 1970-01-10 18:59 userdata -> /dev/block/mmcblk0p39
As you can see, "/dev/block/mmcblk0p37" is the block device for the system partition. From there you simply duplicate the data into a raw image by doing
Code:
dd if=/dev/block/mmcblk0p37 bs=2048 of=/storage/external_SD/system.img
To elaborate on what the command does, the input file is the system block mmcblk0p37 and the output file is created as "system.img" on the external sd card. From the man page, "bs=BYTES read and write up to BYTES bytes at a time." So it just means that the dd operation can read and write up to 2048 bytes at a time.
This process was simply repeated using a stock k330, rooted k330, stock ms330, and rooted ms330. After all the raw images were created I systematically flashed them to my personal phone using the instructions verbatim from my op to ensure that they indeed work.
I hope explaining my process sheds further light on the matter. If you want to investigate further on your own you can mount the raw image in linux. Assuming that the system.img file is in your home directory and you have the directory /mnt/tmp , simply run as root
Code:
mount -o ro ~/system.img /mnt/tmp
and you will then be able to see the contents of the image (build prop, preinstalled apps, and the like) in the /mnt/tmp folder.
If you have any further comments or questions I will happily oblige.
The whole point of my effort was to aid people in rooting their phones while mitigating the risk of bricking. I want to make the process as bullet proof as possible so all feedback is welcome. This includes testimonials from those for whom this process worked. I guess the next step would be to post the TWRP backup zips to further automate the process.
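The `dd` dumps described in the post above are raw filesystem images rather than Android sparse images, so a header check can tell the two apart and compare the filesystem size with the target partition before anything is flashed. This is an added example, not part of the original post or thread; the function names, the constructed sample images and the partition size passed to `preflight` are assumptions, and the check does not claim to explain the "size too large" failure reported earlier.

```python
"""Classify an Android partition image before flashing: sparse vs. raw ext."""
import os
import struct
import tempfile

SPARSE_MAGIC = 0xED26FF3A                 # Android sparse image, u32 LE at offset 0
SPARSE_HDR = struct.Struct("<IHHHHIIII")  # 28-byte sparse_header
EXT_SB_OFFSET = 1024                      # ext2/3/4 superblock offset in the volume
EXT_MAGIC = 0xEF53                        # s_magic, u16 LE at superblock offset 0x38
INCOMPAT_64BIT = 0x80                     # s_feature_incompat: 64-bit block counts


def inspect_image(path):
    """Return kind, expanded filesystem size and truncation state of an image."""
    file_bytes = os.path.getsize(path)
    with open(path, "rb") as f:
        head = f.read(EXT_SB_OFFSET + 1024)

    if len(head) >= SPARSE_HDR.size:
        magic, major, minor, _fh, _ch, blk_sz, total_blks, _chunks, _crc = \
            SPARSE_HDR.unpack_from(head, 0)
        if magic == SPARSE_MAGIC:
            # Truncation of a sparse file needs a chunk walk; not judged here.
            return {"kind": "sparse", "version": (major, minor),
                    "expanded_bytes": blk_sz * total_blks,
                    "file_bytes": file_bytes, "truncated": None}

    if len(head) >= EXT_SB_OFFSET + 0x154:
        sb = head[EXT_SB_OFFSET:]
        (s_magic,) = struct.unpack_from("<H", sb, 0x38)
        if s_magic == EXT_MAGIC:
            (blocks,) = struct.unpack_from("<I", sb, 0x04)      # s_blocks_count_lo
            (log_bs,) = struct.unpack_from("<I", sb, 0x18)      # s_log_block_size
            (incompat,) = struct.unpack_from("<I", sb, 0x60)
            if incompat & INCOMPAT_64BIT:
                (blocks_hi,) = struct.unpack_from("<I", sb, 0x150)
                blocks |= blocks_hi << 32
            fs_bytes = blocks * (1024 << log_bs)
            return {"kind": "raw-ext", "expanded_bytes": fs_bytes,
                    "file_bytes": file_bytes,
                    "truncated": file_bytes < fs_bytes}

    return {"kind": "unknown", "expanded_bytes": 0,
            "file_bytes": file_bytes, "truncated": None}


def preflight(info, partition_bytes):
    """List reasons not to flash; partition_bytes is supplied by the caller."""
    if info["kind"] == "unknown":
        return ["no sparse or ext superblock magic found"]
    problems = []
    if info["truncated"]:
        problems.append("dump is shorter than the filesystem it contains")
    if info["expanded_bytes"] > partition_bytes:
        problems.append("filesystem is larger than the target partition")
    return problems


def make_raw_ext_sample(path, blocks, log_bs=2, file_bytes=None):
    """Write a CONSTRUCTED image: zeros plus a minimal ext superblock."""
    sb = bytearray(1024)
    struct.pack_into("<I", sb, 0x04, blocks)
    struct.pack_into("<I", sb, 0x18, log_bs)
    struct.pack_into("<H", sb, 0x38, EXT_MAGIC)
    size = blocks * (1024 << log_bs) if file_bytes is None else file_bytes
    with open(path, "wb") as f:
        f.write(bytes(EXT_SB_OFFSET) + bytes(sb))
        f.truncate(size)


def make_sparse_sample(path, blk_sz, total_blks):
    """Write a CONSTRUCTED sparse image consisting of the header only."""
    with open(path, "wb") as f:
        f.write(SPARSE_HDR.pack(SPARSE_MAGIC, 1, 0, 28, 12,
                                blk_sz, total_blks, 0, 0))


if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as d:
        raw = os.path.join(d, "system.img")
        make_raw_ext_sample(raw, blocks=256)          # 1 MiB filesystem
        info = inspect_image(raw)
        print(info)
        print(preflight(info, partition_bytes=512 * 1024))
```

On a real dump, pass the path of the `system.img` produced by `dd` and the byte size of the destination partition as read from the device.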
unbrick method
@azureee, I am so happy to hear that you found a solution to your problem. Thank you for sharing that link as well. I am sure it will help many people here. If you need any further explanation on installing xposed I would be happy to help.
Please update this forum to have lg-k7 tag and to have newest twrp with button combo. That way this will be on the LG K7 forum and have best TWRP. Also "fastboot boot" is only way it works, flashing will get overwritten by system. And then when you want to get to recovery it will factory reset phone. You can flash after you root.
Billybobjoe13245 said:
Please update this forum to have lg-k7 tag and to have newest twrp with button combo. That way this will be on the LG K7 forum and have best TWRP. Also "fastboot boot" is only way it works, flashing will get overwritten by system. And then when you want to get to recovery it will factory reset phone. You can flash after you root.
Thank you for the heads up about TWRP. I keep trying to add that tag, but it refuses to stick.
Edit: I had to delete the tag that wasn't showing up and readd it.
ledzepman71 said:
I updated the op to use an easier more standard way with TWRP.
Hi, thank you for the tutorial.
I do have a noob question: After unlocking the bootloader, flashing twrp and flashing supersu from within twrp will the phone be rooted? No need to install Kingroot or similar?
Thanks!
101...
saphta said:
Hi, thank you for the tutorial.
noob question: After unlocking the bootloader, flashing twrp and flashing supersu from within twrp will the phone be rooted?
Just go to the Play Store and download a "Root Checker" to get your answer...
Time To Learn How To Run With The *Big Dogs* if you are going to Root..
RaiderWill said:
Just go to the Play Store and download a "Root Checker" to get your answer...
Time To Learn How To Run With The *Big Dogs* if you are going to Root..
Thanks! I'll do that!

[GUIDE|HOW-TO|ROOT] Cube iWork 10 i15-TCL - Root / Recovery / Boot.img [WIN|LINUX]

Code:
*** Disclaimer
* Your warranty is now void.
*
* We are not responsible for bricked devices, dead SD cards,
* thermonuclear war, or you getting fired because the alarm app failed. Please
* do some research if you have any concerns about features included in this ROM
* before flashing it! YOU are choosing to make these modifications, and if
* you point the finger at us for messing up your device, we will laugh at you.
Hi guys and girls, as you may know it's pretty easy to find, here on xda and on other forums (techtablets for example), info and files for rooting this tablet, but whoever has the TCL variant (which is the Dual Boot Type C one) will only find outdated files and complex guides; that's the reason why, after spending a lot of time on bootloops and fails trying to figure out how the hell to modify the boot.img, I finally decided to share what I found here.
First thing first: this guide collects, improves and updates how-to from Laura of techtablets; I also want to thanks @jetfin and @master.pumpgun (aka Tom on techtablets) - they know why!
I will basically divide this guide in two: the first section is READY TO FLASH, where you'll find my own boot.img (from and ONLY for the latest available stock build); before flashing this image file PLEASE be sure to check if your version is the same I had when preparing the image; also you should absolutely check the MD5 of all the files you will download from here:
check MD5 on any Linux distro by simply typing
Code:
md5sum /path/to/file/file
on Windows you could maybe use this tool: WinMD5
The second section is DO IT YOURSELF, and it's for users with a different kernel/build version from mine. I'll try to eventually update the boot.img if we will receive any new OTA, which I think will never happen. I'll write the second section as soon as possible, but I can speed work up if requested and if Cube updates
- - - - - - - - - - -​
---> READY TO FLASH
Code:
PLEASE NOTE
While the general procedure here reported remains
always correct, the files provided in this part of the
guide - especially the modified boot.img - may not work
on your device if the kernel and build version are different
from the one I had, so please go to Settings, About tablet
and check if your specs match mine:
Model i15-TCL
Kernel 3.14.37-x86_64-L1-R517 [email protected] #1
Sat May 7 17:02:18 CST 2016
Build i15-TCL_V1.0_20160507
If you want to root your i15-TCL there's a high chance you will need nothing more than to back up your data, install drivers and adb/fastboot tools and flash the files you will download here! BUT you need to have the same kernel and build as I had when I prepared the boot.img file, which is the latest at the moment I'm writing. If you know about a newer version please notify me and I'll try to process it again.
Last but not least, please note that this is a pretty long and detailed guide; I tried to explain and illustrate every single step, also covering some very common issues you may have, so please don't blame me if it's a long story to read, I'm sure that a few newbies will appreciate
First thing to do is to back up the data you want to restore because we need to unlock the bootloader (unfortunately there's no way to achieve root without that, I tried everything I could but it's not possible). Also a general backup of all your partitions (both Windows and Android) could help and make you feel more comfortable. To back up partitions please refer to this thread on techtablets: The big threads of how-tos. Windows users may also have to install the proper Intel driver attached to the end of the post.
Once you did that install adb/fastboot:
if you use Windows you can use this tool;
if you use a Linux distro please check if the package android-tools (more info here) is available for your distro, otherwise you may have to install the official Android SDK (info about that here; no need for Android Studio).
Into your tablet go to Settings / About tablet and press 7 times the Build number fields to enable Developer options; now go Back and tap the new voice Developer option: be sure that the main switch is ON and so the OEM unlocking and the USB debugging ones.
Connect your tablet to your PC, open the command prompt or a Linux shell and type
Code:
adb devices
you should receive an output like
Code:
adb devices
List of devices attached
* daemon not running. starting it now on port 5037 *
* daemon started successfully *
0123456789ABCDEF device
If not, please stop and check the previous steps, but also:
If you use Linux and you see a udev error about permissions you have two solutions: one is running the adb/fastboot by root/sudo, another one is to let udev correctly recognize your idVendor and so your device (always prefer this last way, if possible!), which you can do by following this great mini tutorial on StackOverflow
If you use Windows 64bit try to install the driver attached below; don't know if they are also available for 32bit.
Now you have the basic stuff prepared and you are ready to go to fastboot/bootloader, so this is the last time you could check if your build is the same I had, so please do it if you missed that step before. Once more, the info you read from Settings / About tablet have to be
Code:
Model i15-TCL
Kernel 3.14.37-x86_64-L1-R517 [email protected] #1
Sat May 7 17:02:18 CST 2016
Build i15-TCL_V1.0_20160507
Into your command prompt or shell type
Code:
adb reboot-bootloader
Your device will now go to fastboot mode. You can use Volume Down / Volume Up to move between menu commands and the Power button to pick one. At the moment you don't need to pick any, so check if you have these two lines in red:
Code:
SECURE BOOT - disabled
LOCK STATE - unlocked
If you have these exact lines you can jump to step 10. My bootloader (and also Tom's) was already unlocked; other people reported it was locked, I guess it depends on where we bought the device. So, if your bootloader has those two red lines (which means the bootloader is already unlocked) go to step 10. If you have similar lines but in white and with different text, go to the next step.
CAUTION: this will permanently erase your userdata partition, which is where you store the applications and their data; you may also have there downloads, music, videos and photos so BE SURE you updated your relevant stuff!! If you want to go further type into your command prompt/shell
Code:
fastboot devices
and check if you have the right output, that is
Code:
0123456789ABCDEF fastboot
If so, go on by typing:
Code:
fastboot oem unlock
This will erase your data and finally unlock the bootloader. You'll see something like this
Code:
...
OKAY
[ 0.162s] finished. total time: 0.162s
Now reboot the bootloader: move between the menu with the Volume rockers and press Power when you selected the Restart bootloader command. Wait for reboot, choose Android and you are on bootloader / fastboot mode again. Now you should absolutely have those two lines in red from step 6.
Download modified boot.img rootboot_mod.img and once finished PLEASE CHECK THE MD5 of the file: it should ABSOLUTELY match this one: 53cc4b08b123489e7c73cb013742f35d
Type on command prompt/shell
Code:
fastboot flash boot /path/to/your/file/rootmod_boot.img
Let the magic happen!
Now download the custom TWRP recovery (courtesy of @vampirefo), check if MD5 is correct (3c05a8704f5a77e20a45364c7a822a2b) and flash it with
Code:
fastboot flash recovery /path/to/your/file/i15_recovery.img
Use the Volume rockers to pick the Recovery mode command and press Power to go to recovery. Swipe to allow modification, go to Mount and tap the System checkbox
Download the latest SuperSu recovery flashable version available here, check the MD5 reported on that page and then from your tablet in recovery tap Advanced and then Adb Sideload. Swipe to let sideload mode start and type into your command prompt / shell (and change the path /opt/android-sdk/platform-tools/ with the path where YOU installed adb/fastboot)
Code:
adb sideload /path/to/your/file/supersu_file_you_downloaded.zip
If you are on Linux and you have udev permissions issues again when sideloading proceed like that
Code:
cd /opt/android-sdk/platform-tools
su
Password:
[email protected]*********:/opt/android-sdk/platform-tools# ./adb kill-server
[email protected]*********:/opt/android-sdk/platform-tools# ./adb start-server
* daemon not running. starting it now on port 5037 *
* daemon started successfully *
[email protected]*********:/opt/android-sdk/platform-tools# ./adb devices
List of devices attached
0123456789ABCDEF sideload
[email protected]*********:/opt/android-sdk/platform-tools# ./adb sideload /path/to/your/file/supersu_file_you_downloaded.zip
If you have issues on Windows or still having issues on Linux you can always copy the SuperSu zip to a USB Pen and attach the pen to the tablet using the OTG cable or paste the file to a micro SD.
Reboot your device and it's done!
Doing that instead of using the well-known root.bat is much better - IMHO - because we don't have to reboot the device two times and we don't have to uninstall SuperSu and flash a new version to update binaries (SuperSu is not able to update the binaries by itself, neither by recovery nor by app. Also remember that when a new version of SuperSU will be available: Open SuperSu app, go to Settings and tap on Reinstall. Wait for it to finish and shut down the device. Go to bootloader (or use adb when the device is still on), download latest updated flashable SuperSu zip and flash via recovery).
DOWNLOADS SECTION
rootmod_boot.img
i15_recovery.img
- - - - - - - - - - -​
---> DO IT YOURSELF
WARNING: to do that you need a Linux machine / Virtual machine!
First, be sure to have adb and fastboot working; if issues read the first section for common solutions; you should also have already unlocked your bootloader.
If you did not create a dd backup of your partition I recommend once again to do that; you should at least backup android_boot, android_recovery, android_system (but also consider android_bootloader and android_bootloader2). Please note that to check partition in a human readable mode you can use
Code:
adb shell
ls -las /dev/block/by-name/*
Now we should create our working folders environment; you can do that by yourself or follow my suggestions.
Open a terminal as normal user; you should be in your home folder; launch the following commands one by one
Code:
mkdir -p Android/iWork10/_working/ ; cd Android/iWork10
mkdir _stockimg ; cd _stockimg
adb shell
su
dd if=/dev/block/by-name/android_boot of=/sdcard/boot.img
cd /sdcard/
md5sum boot.img > bootmd5
exit
please note that you could have to execute the exit command 2 times; just be sure to go back to your terminal into your
Code:
/home/USER/Android/iWork10/_stockimg
if su is still not available try to dd the same; for me the bootloader was already unlocked and I had no issue to create the dd image
Then
Code:
adb pull /sdcard/boot.img
adb pull /sdcard/bootmd5
and check if MD5 is OK with
Code:
md5sum -c bootmd5
if error recreate the boot image file, if OK go on.
Now we need to download and extract the Android Bootimg Tools; click this link and save it into the
Code:
/home/USER/Android/
folder; once downloaded (the file is less than 8 kB) we'll extract the two files into the _working dir so as to have all the stuff organized; please note that it's important to keep files organized because we'll decompress and re-compress the boot partition and the kernel it contains; if we don't move files appropriately unneeded stuff could go into the kernel! So please try to understand the process or follow my steps
Code:
cd ../_working/
tar -zxvf ../../android_bootimg_tools.tar.gz
mkdir bootimg
./unpackbootimg -i ../_stockimg/boot.img -o bootimg/
As you can see we unpacked the stock boot.img to the folder bootimg we just created..
Now let's extract the ramdisk, that is where we were pointing from the start..
Code:
cd bootimg ; mkdir ramdisk ; cd ramdisk
gunzip -c ../boot.img-ramdisk.gz | cpio -i
Now if you are familiar with nano or pico terminal continue on terminal to apply the following mods, otherwise open your file manager to the ramdisk folder, then open the default.prop file and change
Code:
ro.secure=1
to
Code:
ro.secure=0
Save and close the editor.
Open the init.rc file and change
Code:
service media /system/bin/mediaserver
class main
user [COLOR="Red"]media[/COLOR]
to
Code:
service media /system/bin/mediaserver
class main
user [COLOR="Red"]root[/COLOR]
Please note here that if your bootloader was unlocked without your intervention you could have already user root (I had). In that case just leave as it is and close, otherwise save and close.
Go back to your terminal, you should still be into the ramdisk folder, if not navigate with cd to go to that folder and then
Code:
find . | cpio -o -H newc | gzip > ../newramdisk.cpio.gz
Now we have our new ramdisk; at this point we need to open the boot.img-cmdline file that is located into the bootimg folder and copy its content, then go back to the terminal; the terminal should be still in ramdisk folder, so
Code:
cd ../../
and we are into the _working folder.
Now the last command, that you CANNOT simply copy and paste. The command is something like that (hold on, don't execute it)
Code:
./mkbootimg --kernel bootimg/boot.img-zImage --ramdisk bootimg/newramdisk.cpio.gz --cmdline 'CONTENT OF YOUR boot.img-cmdline CONTENT HERE; PUT IT BETWEEN SINGLE ' BOTH AT THE START BOTH AT THE END' -o root_boot.img
Please note the double -- for the kernel, ramdisk and cmdline options (while a single - for -o, which stands for output) and also note the single ' quotes that enclose the boot.img-cmdline content. So in my case it will be:
Code:
./mkbootimg --kernel bootimg/boot.img-zImage --ramdisk bootimg/newramdisk.cpio.gz --cmdline 'loglevel=5 androidboot.hardware=cht_cr_mrd_w firmware_class.path=/system/etc/firmware i915.fastboot=1 memmap=4M$0x5c400000 vga=current i915.modeset=1 drm.vblankoffdelay=1 enforcing=0 androidboot.selinux=permissive console=ttyS0,115200n8 bootboost=1 pm_suspend_debug=1 pstore.backend=ramoops' -o ../root_boot.img
BUT PLEASE DON'T COPY AND PASTE THIS ONE; JUST USE YOUR boot.img-cmdline FILE (I'm pretty sure they are identical but cannot be sure, SO USE YOURS)
If the command doesn't give errors or the standard output that describe the usage of a linux command (so like usage: mkbootimg --kernel <filename> --ramdisk <filename> - this means you missed something) we are done, we just need to flash it and root. So we now have our modified boot image which will let the tablet boot a rooted OS without bootloop.
If you haven't done it already, go and download the latest Recovery Flashable zip of SuperSU from the SuperSu webpage and the custom TWRP recovery for this device that you find in the first section (also check MD5) and copy both to your internal or external sdcard (if you are not familiar with sideload)
Reboot your device to bootloader with
Code:
adb reboot-bootloader
Once it's there,
Code:
fastboot flash boot /home/USER/Android/iWork10/root_boot.img
fastboot flash recovery /path/where/you/downloaded/recovery.img
Now use the volume rockers to pick RECOVERY MODE option and press the Power button. The device will boot the TWRP recovery; allow system modifications when asked and finally flash the SuperSu zip file you downloaded and copied to the tablet (or use adb sideload /path/to/supersu/into/your/pc/supersufile.zip)
You may need to adjust settings in TWRP (timezone and language), then reboot the system and you should have rooted your i15-TCL!
It's easy, isn't it?
PLEASE NOTE: If you have errors like adb, fastboot not recognizing your device, don't ask but read the other section where I explain the most common solution for Windows and Linux; same if you don't find links for recovery, SuperSU or other read the first section, thanks!
- - - - - - - - - - -​
THANKS
@jetfin for providing a lot of goodies that saved my ****** last month (wish you all the best for the next future mate!)
@master.pumpgun (aka Tom on techtablets) - amazing guy!
@vampirefo for custom TWRP for this device
Laura - for all the info she's made available for this device
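Added example, not part of the original post or the author's files: a shell audit of an unpacked boot image that reports the settings the DO IT YOURSELF section changes (ro.secure, the service user in init.rc) together with the SELinux switches on the kernel command line, so you can see what a modified image weakens compared with stock. Function names are hypothetical and the sample files are constructed; default.prop, init.rc and boot.img-cmdline are the file names used in the guide.

```shell
#!/bin/sh
# Audit an unpacked Android boot image for settings that lower the device's
# security posture. Added example: function names are hypothetical and the
# sample files below are constructed.

# First value assigned to property $2 in property file $1.
prop_value() {
    awk -F= -v key="$2" '$1 == key { print substr($0, length(key) + 2); exit }' "$1"
}

# Sorted names of the init.rc services in file $1 that run as root.
# A service block without a "user" option runs as root by default.
root_services() {
    awk '
        function emit() {
            if (name != "" && (user == "" || user == "root")) print name
        }
        $1 == "service"              { emit(); name = $2; user = ""; next }
        $1 == "on" || $1 == "import" { emit(); name = ""; next }
        name != "" && $1 == "user"   { user = $2 }
        END                          { emit() }
    ' "$1" | sort
}

# audit_boot STOCK_RAMDISK_DIR CANDIDATE_RAMDISK_DIR CANDIDATE_CMDLINE_FILE
# Prints one finding per line; always returns 0.
audit_boot() {
    stock_dir=$1
    cand_dir=$2
    cmdline_file=$3

    if [ "$(prop_value "$cand_dir/default.prop" ro.secure)" = "0" ]; then
        echo "WEAK default.prop ro.secure=0: adbd stays root instead of dropping to the shell user"
    fi
    if [ "$(prop_value "$cand_dir/default.prop" ro.debuggable)" = "1" ]; then
        echo "WEAK default.prop ro.debuggable=1: 'adb root' can restart adbd as root"
    fi

    # One kernel command line token per line, then match the SELinux switches.
    awk '{ for (i = 1; i <= NF; i++) print $i }' "$cmdline_file" |
    while IFS= read -r tok; do
        case $tok in
            androidboot.selinux=permissive|enforcing=0)
                echo "WEAK cmdline $tok: requests permissive SELinux" ;;
        esac
    done

    # Services that run as root in the candidate but not in stock.
    s_tmp=$(mktemp)
    c_tmp=$(mktemp)
    root_services "$stock_dir/init.rc" > "$s_tmp"
    root_services "$cand_dir/init.rc"  > "$c_tmp"
    comm -13 "$s_tmp" "$c_tmp" | while IFS= read -r svc; do
        echo "CHANGED init.rc: service $svc now runs as root"
    done
    rm -f "$s_tmp" "$c_tmp"
    return 0
}

# Constructed sample input modelled on the snippets quoted in the guide.
make_sample() {
    sample_dir=$1
    mkdir -p "$sample_dir/stock" "$sample_dir/mod"
    printf '%s\n' 'ro.secure=1' 'ro.debuggable=1' > "$sample_dir/stock/default.prop"
    printf '%s\n' 'ro.secure=0' 'ro.debuggable=1' > "$sample_dir/mod/default.prop"
    printf '%s\n' \
        'service media /system/bin/mediaserver' '    class main' '    user media' \
        'service healthd /sbin/healthd' '    class core' > "$sample_dir/stock/init.rc"
    sed 's/user media/user root/' "$sample_dir/stock/init.rc" > "$sample_dir/mod/init.rc"
    printf '%s\n' 'loglevel=5 enforcing=0 androidboot.selinux=permissive console=ttyS0,115200n8' \
        > "$sample_dir/boot.img-cmdline"
}

demo_dir=$(mktemp -d)
make_sample "$demo_dir"
audit_boot "$demo_dir/stock" "$demo_dir/mod" "$demo_dir/boot.img-cmdline"
rm -rf "$demo_dir"
```

Point the first two arguments at the ramdisk folders unpacked from your stock backup and from the image you are about to flash; healthd in the sample shows that a service already running as root in stock is not reported as a change.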
Great job mate!
It seems very analytical and very useful for people who need a step by step guide.
Unfortunately it requires a full wipe of user data, so for now I am not willing to try this guide.
Sent from my i15-TCL using Tapatalk
RASTAVIPER said:
Great job mate!
It seems very analytical and very useful for people who need a step by step guide.
Unfortunately it requires a full wipe of user data, so for now I am not willing to try this guide.
Sent from my i15-TCL using Tapatalk
Well, I feel you, unlocking is always annoying but there are apps which let you backup everything.
I couldn't live without root + Link2SD into the cube!
Thanks for the nice words
Sent from my Nexus 7 using Tapatalk
Hi brainvision,
it's a nice, correct and clear tutorial, many thanks.
Only one question
Fortunately I have an unlocked bootloader, then I'll do it from step 10, but I have the same kernel and build version (3.14.37/x86_64-L1-R517 and V1.0) but the date of this version is different (20160913).
What do you suggest, try it? Or could you help me to create a new version of the boot.img, please?
Nice regards
Peter
brainvision said:
Code:
PLEASE NOTE
While the general procedure here reported remains
always correct, the files provided in this part of the
guide - especially the modified boot.img - may not work
on your device if the kernel and build version are different
from the one I had, so please go to Settings, About tablet
and check if your specs match mine:
Model i15-TCL
Kernel 3.14.37-x86_64-L1-R517 [email protected] #1
Sat May 7 17:02:18 CST 2016
Build i15-TCL_V1.0_20160507
rpeter said:
Hi brainvision,
it's a nice, correct and clear tutorial, many thanks.
Only one question
Fortunately I have an unlocked bootloader, then I'll do it from step 10, but I have the same kernel and build version (3.14.37/x86_64-L1-R517 and V1.0) but the date of this version is different (20160913).
What do you suggest, try it? Or could you help me to create a new version of the boot.img, please?
Nice regards
Peter
both kernel and build dates are different, aren't they?
I'll try to write the missing section as soon as possible, don't worry..
In the meantime could you please check a few things that could help to understand a few things?
If your bootloader is unlocked you should have no issue doing that; assuming you already have adb working, open a terminal and execute these commands (just "read" commands, no mods here)
Code:
adb shell
uname -a
cat default.prop
If you get errors try to execute adb root (this does NOT root, it just uses adb as root user, it should work with the unlocked bootloader) before adb shell and if possible please report to me the output from uname and cat
EDIT: also my advice is to back up your system partitions so as to be able to go back to stock if needed; at least partitions
Code:
android_boot
android_bootloader
android_bootloader2
android_recovery
android_system
To do that you could check Laura's thread from techtablets or use
Code:
dd if=/dev/block/by-name/your_partition of=/sdcard/your-partition.img
the if= option is where you choose the partition to backup while the of= one is the resulting file that will be created (an image .img file)
If you agree you could also upload those somewhere on the cloud so we could use them, too, it would be interesting to see what changes.. Naturally the partitions I suggested do not contain any personal file, no worry about that (your data is on the android_userdata - or _data, don't remember the name here).
EDIT2: you'll need a Linux machine to mod your boot.img partition, do you have one?
brainvision said:
both kernel and build dates are different, aren't they?
yes, both of them are the same date: 20160913
the build.prop is:
Code:
[email protected]:/system # cat build.prop
# begin build properties
# autogenerated by buildinfo.sh
ro.build.id=LMY47I
ro.build.display.id=i15-TCL_V1.0_20160913
ro.build.version.incremental=eng.softteam.20160913.102513
ro.build.version.sdk=22
ro.build.version.codename=REL
ro.build.version.all_codenames=REL
ro.build.version.release=5.1
ro.build.version.security_patch=2016-03-01
ro.build.version.base_os=
ro.build.date=Tue Sep 13 10:26:20 CST 2016
ro.build.date.utc=1473733580
ro.build.type=userdebug
ro.build.user=softteam
ro.build.host=pdd-build
ro.build.tags=release-keys
ro.build.flavor=cht_cr_mrd_w-userdebug
ro.product.model=i15-TCL
ro.product.brand=i15-TCL
ro.product.name=cht_cr_mrd_w
ro.product.device=i15-TCL
ro.product.board=i15-TCL
# ro.product.cpu.abi and ro.product.cpu.abi2 are obsolete,
# use ro.product.cpu.abilist instead.
ro.product.cpu.abi=x86
ro.product.cpu.abilist=x86,armeabi-v7a,armeabi
ro.product.cpu.abilist32=x86,armeabi-v7a,armeabi
ro.product.cpu.abilist64=
ro.product.manufacturer=i15-TCL
ro.product.locale.language=en
ro.product.locale.region=US
ro.wifi.channels=
ro.board.platform=gmin
# ro.build.product is obsolete; use ro.product.device
ro.build.product=cht_cr_mrd_w
# Do not try to parse description, fingerprint, or thumbprint
ro.build.description=cht_cr_mrd_w-userdebug 5.1 LMY47I eng.softteam.20160913.102513 release-keys
ro.build.fingerprint=intel/cht_cr_mrd_w/cht_cr_mrd_w:5.1/LMY47I/softteam09131026:userdebug/release-keys
ro.build.characteristics=tablet
# end build properties
#
# ADDITIONAL_BUILD_PROPERTIES
#
ro.dalvik.vm.isa.arm=x86
ro.enable.native.bridge.exec=1
sys.powerctl.no.shutdown=1
dalvik.vm.heapstartsize=8m
dalvik.vm.heapgrowthlimit=100m
dalvik.vm.heapsize=174m
dalvik.vm.heaptargetutilization=0.75
dalvik.vm.heapminfree=512k
dalvik.vm.heapmaxfree=8m
ro.opengles.version=196609
ro.setupwizard.mode=OPTIONAL
ro.com.google.gmsversion=5.1_r1
ro.gnss.sv.status=true
ro.hwui.texture_cache_size=24.0f
ro.hwui.text_large_cache_width=2048
ro.hwui.text_large_cache_height=512
drm.service.enabled=true
keyguard.no_require_sim=true
ro.com.android.dataroaming=true
ro.com.android.dateformat=MM-dd-yyyy
ro.config.ringtone=Ring_Synth_04.ogg
ro.config.notification_sound=pixiedust.ogg
ro.carrier=unknown
ro.config.alarm_alert=Alarm_Classic.ogg
persist.sys.language=zh
persist.sys.country=CN
persist.sys.timezone=Asia/Shanghai
persist.sys.dalvik.vm.lib.2=libart.so
dalvik.vm.isa.x86.features=sse4_2,aes_in,popcnt,movbe
dalvik.vm.lockprof.threshold=500
net.bt.name=Android
dalvik.vm.stack-trace-file=/data/anr/traces.txt
# begin fota properties
ro.fota.platform=IntelZ3735F_5.1
ro.fota.id=mac
ro.fota.type=pad_phone
ro.fota.oem=hampoo-cherrytrail_5.1
ro.fota.device=i15-TCL
ro.fota.version=i15-TCL_V1.0_20160913
# end fota properties
[email protected]:/system #
I'll try to write the missing section as soon as possible, don't worry..
Many thanks
Code:
adb shell
uname -a
cat default.prop
the adb root and the cat is ok, but the uname is not found
the output of the cat is:
Code:
127|[email protected]:/ # cat default.prop
#
# ADDITIONAL_DEFAULT_PROPERTIES
#
ro.sf.lcd_density=240
ro.frp.pst=/dev/block/by-name/android_persistent
persist.intel.ogl.username=Developer
persist.intel.ogl.debug=/data/ufo.prop
persist.intel.ogl.dumpdebugvars=1
ro.ufo.use_msync=1
ro.ufo.use_coreu=1
wifi.interface=wlan0
persist.service.apklogfs.enable=1
persist.core.enabled=0
ro.secure=1
ro.allow.mock.location=0
ro.debuggable=1
ro.modules.location=/lib/modules
ro.dalvik.vm.native.bridge=libhoudini.so
persist.sys.usb.config=mtp,adb
persist.nomodem_ui=true
ro.zygote=zygote32
dalvik.vm.dex2oat-Xms=64m
dalvik.vm.dex2oat-Xmx=256m
dalvik.vm.image-dex2oat-Xms=64m
dalvik.vm.image-dex2oat-Xmx=64m
[email protected]:/ #
EDIT: also my advice is to back up your system partitions so as to be able to go back to stock if needed; at least partitions
Code:
android_boot
android_bootloader
android_bootloader2
android_recovery
android_system
All of my partitions except the largest one (maybe windows) were backed up to sd with dd
If you agree you could also upload those somewhere on the cloud so we could use them, too, it would be interesting to see what changes.. Naturally the partitions I suggested do not contain any personal file, no worry about that (your data is on the android_userdata - or _data, don't remember the name here).
I will upload it somewhere, but which partitions do you need (I don't know clearly how I can determine which partition is the boot, bootloader, ...)
the outputs of the /proc/partitions are the following:
Code:
[email protected]:/ # cat /proc/partitions
major minor #blocks name
254 0 102400 zram0
179 0 61071360 mmcblk0
179 1 102400 mmcblk0p1
179 2 102400 mmcblk0p2
179 3 30720 mmcblk0p3
179 4 30720 mmcblk0p4
179 5 1024 mmcblk0p5
179 6 16384 mmcblk0p6
179 7 2621440 mmcblk0p7
179 8 262144 mmcblk0p8
179 9 8388608 mmcblk0p9
179 10 1024 mmcblk0p10
179 11 8192 mmcblk0p11
179 12 102400 mmcblk0p12
179 13 16384 mmcblk0p13
179 14 48361472 mmcblk0p14
179 15 1024000 mmcblk0p15
179 48 4096 mmcblk0rpmb
179 32 4096 mmcblk0boot1
179 16 4096 mmcblk0boot0
179 64 15671296 mmcblk1
179 65 15667200 mmcblk1p1
253 0 2600764 dm-0
maybe the *p3 is the bootloader, the *p14 is the windows, maybe the *p9 included the data and *p7 is the system, but don't know, which one is the boot, bootloader2, recovery
EDIT2: you'll need a Linux machine to mod your boot.img partition, do you have one?
yes, I have, a debian.
One question, if we have any problem with the upload of the modified bootloader, how can I restore the old one (how can I upload (which method, adb, fastboot, or the phone flash?) an original bootloader, if we have a problem with the modded bootloader)
Do you have link(s) to the full original windows and android image of the i15-tcl? I found them for the i15-t, i15-td, but not for this version...
Nice regards
Peter
I have the same software version as rpeter. When I first booted into fastboot my bootloader was unlocked and secure boot was disabled. I tried to flash twrp and it was successful. Next I downloaded the SuperSu zip from the official website and I flashed it. After reboot I got stuck at the boot logo. Can you share a system image with me to restore?
The mmcblk0p9 partition is the system? I will share it as soon as possible.
07 is system. 09 is data partition.
https://drive.google.com/file/d/0B_QRR9kog1iZQ2ZaNzdZenQ4MkE/view?usp=sharing
@rpeter I'll read your long reply asap, now just want to tell you that to check partition in a human readable way you should use
Code:
ls -las /dev/block/by-name/*
the partition I would like you to share are
Code:
android_boot
android_bootloader
android_bootloader2
android_system
android_recovery
when using dd of course as I told you can directly point to that name convention (which are nothing but symbolic link) so
Code:
dd if=/dev/block/by-name/android_boot of=/sdcard/android_boot.img
this is for the boot partition, the other the same..
also please before uploading to cloud check the MD5 so we could verify it before installing
are you sure you wrote uname -a the right way? It's weird you don't have it...
About restoration, you could use fastboot in future, I tried it by myself.. the most important are
Code:
fastboot flash boot boot.img
fastboot flash recovery recovery.img
fastboot flash system system.img
I don't think we'll ever need the two bootloader restoration, it's just to go extremely safe but I still don't find a reason to flash them.. But backup anyway!
EDIT: please note the .img extension for the of= part of the dd command!
@boberq sorry for your issue but I have to say that it was obvious: it's not plenty of guides and how-to about this tablet but the few available are also easy to find, and they all clearly state that you need to modify the boot image before rooting, otherwise as you know now, bootloop!
so, if you guys need to immediately root you can send me the boot.img file and I do it for you, otherwise you can wait and do it by yourself - I'm going to write the how-to right now, it should be ready for tomorrow, I guess..
EDIT and yes, we don't have any full restoration image like for other variants, I asked them on Twitter https://twitter.com/CubeHeping (it seems this is their official account that I found via www.51cube.com) - please do the same, maybe they will listen to us
I flashed i15 td rom and it works without auto rotation. If rpeter shares images I want to flash the stock.
---------- Post added at 12:52 PM ---------- Previous post was at 12:44 PM ----------
I flashed an i15td rom and everything is fine without auto rotate. Rpeter please share boot and system images, they will help me to restore the stock rom.
PS: After first boot, if I want to enter recovery, it shows a red triangle with green android. There was any recovery.
boberq said:
I flashed i15 td rom and it works without auto rotation. If rpeter shares images I want to flash the stock.
---------- Post added at 12:52 PM ---------- Previous post was at 12:44 PM ----------
I flashed an i15td rom and everything is fine without auto rotate. Rpeter please share boot and system images, they will help me to restore the stock rom.
PS: After first boot, if I want to enter recovery, it shows a red triangle with green android. There was any recovery.
stock recovery is not a real recovery there.. Red triangle is the right thing.. BUT if you flashed the custom TWRP with
Code:
fastboot flash recovery recovery.img
you should have noticed that the process failed.. I don't remember the exact output but you should have seen FAILED instead of SUCCESS. If the flash succeeded you also need the stock recovery, I guess, otherwise it should still bootloop after system restore..
@brainvision
Has anything changed about rooting?
I remember that the process was involving resetting in order to unlock bootloader, etc
Sent from my m1 note using Tapatalk
RASTAVIPER said:
@brainvision
Has anything changed about rooting?
I remember that the process was involving resetting in order to unlock bootloader, etc
Sent from my m1 note using Tapatalk
nope, and it never will in that direction..
you should definitely make a backup, the more you wait the worse it'll be!
I flashed twrp and from it I wanted to flash supersu and I got a bootloop. After this I flashed the i15td rom and everything works fine. So can I flash boot, recovery and system image and get stock without root? Or should I flash it using intel flash tool?
boberq said:
I flashed twrp and from it I wanted to flash supersu and I got a bootloop. After this I flashed the i15td rom and everything works fine. So can I flash boot, recovery and system image and get stock without root? Or should I flash it using intel flash tool?
you can flash them with fastboot indeed and then root again, I finished writing my how-to, I'm formatting it and update the first post in an hour max..
Never looked at Intel Flash Tool, I don't know if it permits the flash of a single partition or if you need a full image provided by OEM, can't help with that..
So I'm waiting for original images from rpeter and I'm going to flash them. I have a twrp backup with original 20160913 firmware but after bootloop. I can share it but I think it isn't useful.
PS
Brainvision , can you share me your original partition images for i15TCL from May? I think it will repair my autorotation.
boberq said:
So I'm waiting for original images from rpeter and I'm going to flash them. I have a twrp backup with original 20160913 firmware but after bootloop. I can share it but I think it isn't useful.
PS
Brainvision , can you share me your original partition images for i15TCL from May? I think it will repair my autorotation.
I do NOT recommend you to flash that because you will completely mess things up, having boot, recovery and kernel with a build date and system with a different one! You went too fast on rooting your device without reading stuff, now I suggest you to wait for @rpeter images - but anyway here it is system.img https://mega.nz/#!YBdw1bIT!GibOWLBNyXAhwEiEdXIV3JKKdMM9gXzLIYvppKn0Bgs
EDIT: guys I updated OP with the missing section, please click thanks if you find it useful..
@rpeter before rooting remember to backup partition with dd, then upload when you can but backup before rooting!
if you have suggestion for the guide or you think something is not so clear please tell me that I'll try to improve..
brainvision, boberq, I'm so sorry, yesterday was one of my longest working days...
My gdrive is currently full, but I created a dedicated place for you on my server.
The link is: http://rpeter.dyndns.info/xda
user: xda_users
pwd: i15-tcl
It includes all partitions in compressed and uncompressed versions except p9 and p14 (data and windows) and the md5 checksum file.
The output of the "identification" is here:
Code:
127|[email protected]:/ # ls -las /dev/block/by-name/*
lrwxrwxrwx root root 2016-11-12 12:21 Basic_data_partition -> /dev/block/mmcblk0p14
lrwxrwxrwx root root 2016-11-12 12:21 EFI_system_partition -> /dev/block/mmcblk0p12
lrwxrwxrwx root root 2016-11-12 12:21 Microsoft_reserved_partition -> /dev/block/mmcblk0p13
lrwxrwxrwx root root 2016-11-12 12:21 android_boot -> /dev/block/mmcblk0p3
lrwxrwxrwx root root 2016-11-12 12:21 android_bootloader -> /dev/block/mmcblk0p2
lrwxrwxrwx root root 2016-11-12 12:21 android_bootloader2 -> /dev/block/mmcblk0p1
lrwxrwxrwx root root 2016-11-12 12:21 android_cache -> /dev/block/mmcblk0p8
lrwxrwxrwx root root 2016-11-12 12:21 android_config -> /dev/block/mmcblk0p11
lrwxrwxrwx root root 2016-11-12 12:21 android_data -> /dev/block/mmcblk0p9
lrwxrwxrwx root root 2016-11-12 12:21 android_metadata -> /dev/block/mmcblk0p6
lrwxrwxrwx root root 2016-11-12 12:21 android_misc -> /dev/block/mmcblk0p5
lrwxrwxrwx root root 2016-11-12 12:21 android_persistent -> /dev/block/mmcblk0p10
lrwxrwxrwx root root 2016-11-12 12:21 android_recovery -> /dev/block/mmcblk0p4
lrwxrwxrwx root root 2016-11-12 12:21 android_system -> /dev/block/mmcblk0p7
[email protected]:/ #
I will put it somewhere faster when I have enough time to do it
Nice regards
Peter
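The backup-then-verify step discussed in these posts, as an added sketch that is not part of the thread: it reads a by-name listing in the format posted above, plans one dd image per partition while skipping p9 and p14, and checks images against an md5sum-style file. The output directory, the image file names and the sample lines are assumptions constructed for illustration.

```python
import hashlib
import re
from pathlib import Path

# Constructed sample: four lines in the format of the by-name listing above.
SAMPLE_LISTING = """\
lrwxrwxrwx root root 2016-11-12 12:21 Basic_data_partition -> /dev/block/mmcblk0p14
lrwxrwxrwx root root 2016-11-12 12:21 android_boot -> /dev/block/mmcblk0p3
lrwxrwxrwx root root 2016-11-12 12:21 android_data -> /dev/block/mmcblk0p9
lrwxrwxrwx root root 2016-11-12 12:21 android_system -> /dev/block/mmcblk0p7
"""

LINK_RE = re.compile(r"(\S+)\s+->\s+(/dev/block/mmcblk0p(\d+))\s*$")


def parse_by_name(listing):
    """Map partition name -> (block device, partition number)."""
    parts = {}
    for line in listing.splitlines():
        m = LINK_RE.search(line)
        if m:
            parts[m.group(1)] = (m.group(2), int(m.group(3)))
    return parts


def dd_plan(parts, skip=(9, 14), out_dir="/sdcard/backup"):
    """One dd command per partition, ordered by partition number.

    p9 and p14 (data and windows) are skipped, as in the post.
    out_dir and the pN_name.img naming are hypothetical.
    """
    cmds = []
    for name, (dev, num) in sorted(parts.items(), key=lambda kv: kv[1][1]):
        if num in skip:
            continue
        cmds.append(f"dd if={dev} of={out_dir}/p{num}_{name}.img bs=4096")
    return cmds


def verify_md5(md5_file, image_dir):
    """Check images against an md5sum-style file.

    Returns {filename: "OK" | "MISMATCH" | "MISSING"}. MD5 only catches
    transfer or storage corruption; it does not prove who made the image.
    """
    results = {}
    for line in Path(md5_file).read_text().splitlines():
        if not line.strip():
            continue
        digest, name = line.split(None, 1)
        # Drop md5sum's binary-mode marker and any directory component.
        name = Path(name.strip().lstrip("*")).name
        path = Path(image_dir) / name
        if not path.is_file():
            results[name] = "MISSING"
            continue
        h = hashlib.md5()
        with path.open("rb") as f:
            for chunk in iter(lambda: f.read(1 << 20), b""):
                h.update(chunk)
        results[name] = "OK" if h.hexdigest() == digest.lower() else "MISMATCH"
    return results
```

Run the verification on the copy pulled to the PC as well as on the device, so a bad image is caught before anything is flashed.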
great work mate!
Thanks a lot. As you may have read I updated the OP with the new section, hope you'll find useful and clear enough, if not don't hesitate to ask, it will be a pleasure to help and to improve the how-to

Cannot Solve Bootloop TF700 with TWRP and KatKiss

Hi all,
I have tried to follow the instructions for fixing a bootloop here.
I am using Linux Mint 18.3 as my laptop OS.
I can push the bootit.ko file on to the device but when I run insmod I get this error message:
Code:
error: protocol fault (no status)
I think it is because TWRP crashes before the command can complete and the device starts rebooting.
I can see the device is connected on doing
Code:
adb devices
List of devices attached
015d29955b3ffe11 recovery
and I can even see the contents of the / directory:
Code:
blimey~/work/android_roms/recovery_images $ adb shell ls -ltr /
__bionic_open_tzdata: couldn't find any tzdata when looking for localtime!
__bionic_open_tzdata: couldn't find any tzdata when looking for GMT!
__bionic_open_tzdata: couldn't find any tzdata when looking for posixrules!
-rw-r--r-- 1 root root 4603 Jan 1 1970 ueventd.rc
-rw-r--r-- 1 root root 2520 Jan 1 1970 ueventd.cardhu.rc
drwxr-xr-x 5 root root 0 Jan 1 1970 twres
drwxr-xr-x 3 root root 0 Jan 1 1970 system
-rw-r--r-- 1 root root 9438 Jan 1 1970 service_contexts
-rw-r--r-- 1 root root 120253 Jan 1 1970 sepolicy
-rw-r--r-- 1 root root 52 Jan 1 1970 selinux_version
-rw-r--r-- 1 root root 578 Jan 1 1970 seapp_contexts
drwxr-x--- 2 root root 0 Jan 1 1970 sbin
drwxr-xr-x 3 root root 0 Jan 1 1970 res
-rw-r--r-- 1 root root 2920 Jan 1 1970 property_contexts
drwxr-xr-x 3 root root 0 Jan 1 1970 license
-rwxr-x--- 1 root root 1327 Jan 1 1970 init.recovery.usb.rc
-rwxr-x--- 1 root root 2814 Jan 1 1970 init.rc
-rwxr-x--- 1 root root 305668 Jan 1 1970 init
-rw-r----- 1 root root 1839 Jan 1 1970 fstab.cardhu
-rw-r--r-- 1 root root 11473 Jan 1 1970 file_contexts
-rw-r--r-- 1 root root 3044 Jan 1 1970 default.prop
drwxr-xr-x 2 root root 0 Jan 1 1970 data
lrwxrwxrwx 1 root root 13 Jan 1 1970 charger -> /sbin/healthd
dr-xr-xr-x 103 root root 0 Jan 1 1970 proc
drwxrwxr-x 2 root shell 60 Jan 8 01:17 tmp
drwxr-xr-x 13 root root 0 Jan 8 01:17 sys
drwxr-xr-x 2 root root 0 Jan 8 01:17 sideload
drwxr-xr-x 2 root root 0 Jan 8 01:17 recovery
drwxr-xr-x 11 root root 3500 Jan 8 01:17 dev
drwxr-xr-x 2 root root 0 Jan 8 01:17 boot
drwxrwxrwx 2 root root 0 Jan 8 01:17 sdcard
drwxr-xr-x 2 root root 0 Jan 8 01:17 etc
drwx------ 2 root root 0 Jan 1 2016 root
drwxrwx--- 6 system cache 4096 May 21 2017 cache
If I try to ls the file contents after pushing the bootit.ko file to check it has definitely been copied the TWRP always crashes before the command can complete (I'm guessing) and it reboots again ad infinitum.
I really don't know what else to try so any suggestions are real welcome. Thanks in advance.
Try adb shell insmod sdcard/bootit.ko
Wouldn't that entail pushing the bootit.ko to /sdcard?
I tried this:
Code:
[email protected] ~/work/android_roms/recovery_images $ adb push bootit.ko /sdcard/
672 KB/s (27690 bytes in 0.040s)
[email protected] ~/work/android_roms/recovery_images $ adb shell insmod /sdcard/bootit.ko
error: protocol fault (no status)
...but no joy, it seems like it exits TWRP before it can finish doing insmod. Also I'm not convinced the bootit.ko file is being saved to disk after each push. Am I right?
..
So I made a shell script to execute the two commands one after the other and I now got the screen with the 3 icons in the middle of the screen: RCK,Android,WipeData.
I did the following commands from that screen:
Code:
[email protected]~/work/android_roms/recovery_images $ sudo fastboot devices
[sudo] password for blimey:
015d29955b3ffe11 fastboot
[email protected]~/work/android_roms/recovery_images $ sudo fastboot erase misc
erasing 'misc'...
OKAY [ 1.044s]
finished. total time: 1.044s
[email protected]~/work/android_roms/recovery_images $ sudo fastboot erase cache
******** Did you mean to fastboot format this partition?
erasing 'cache'...
OKAY [ 2.276s]
finished. total time: 2.276s
But after this when running fastboot devices I get no output:
Code:
[email protected]~/work/android_roms/recovery_images $ sudo fastboot devices
[email protected]~/work/android_roms/recovery_images $ sudo fastboot devices
[email protected]~/work/android_roms/recovery_images $ sudo fastboot devices
[email protected]~/work/android_roms/recovery_images $ sudo fastboot devices
I think the battery has died so I'll recharge and give it another go tomorrow.
Care to share the script?
Sure - see attached file, just need .txt removed from the filename.
So I picked up where I left off and this is what I got:
Code:
blimey~/work/android_roms/recovery_images $ sudo fastboot devices
015d29955b3ffe11 fastboot
blimey~/work/android_roms/recovery_images $ sudo fastboot erase system
******** Did you mean to fastboot format this partition?
erasing 'system'...
OKAY [ 2.813s]
finished. total time: 2.813s
blimey~/work/android_roms/recovery_images $ sudo fastboot erase recovery
erasing 'recovery'...
OKAY [ 1.970s]
finished. total time: 1.970s
blimey~/work/android_roms/recovery_images $ sudo fastboot -w
Creating filesystem with parameters:
Size: 61415620608
Block size: 4096
Blocks per group: 32768
Inodes per group: 8192
Inode size: 256
Journal blocks: 32768
Label:
Blocks: 14994048
Block groups: 458
Reserved block group size: 1024
Created filesystem with 11/3751936 inodes and 281560/14994048 blocks
Creating filesystem with parameters:
Size: 448790528
Block size: 4096
Blocks per group: 32768
Inodes per group: 6848
Inode size: 256
Journal blocks: 1712
Label:
Blocks: 109568
Block groups: 4
Reserved block group size: 31
Created filesystem with 11/27392 inodes and 3534/109568 blocks
erasing 'userdata'...
OKAY [ 88.674s]
sending 'userdata' (141163 KB)...
OKAY [ 24.116s]
writing 'userdata'...
OKAY [ 1.483s]
erasing 'cache'...
REBOOTED THE TABLET manually HERE as per the instructions
Code:
FAILED (command write failed (Protocol error))
finished. total time: 476.548s
[email protected] ~/work/android_roms/recovery_images $ sudo fastboot erase boot
erasing 'boot'...
OKAY [ 2.020s]
finished. total time: 2.020s
[email protected] ~/work/android_roms/recovery_images $ sudo fastboot erase misc
erasing 'misc'...
OKAY [ 1.007s]
finished. total time: 1.007s
[email protected] ~/work/android_roms/recovery_images $ sudo fastboot erase cache
******** Did you mean to fastboot format this partition?
erasing 'cache'...
OKAY [ 1.740s]
finished. total time: 1.740s
[email protected] ~/work/android_roms/recovery_images $ sudo fastboot -i 0x0B05 flash system ./AsusFirmware/TF700K_all_WW_USER_V5.0.4.17.raw
erasing 'system'...
OKAY [ 2.411s]
sending 'system' (755707 KB)...
OKAY [125.324s]
writing 'system'...
OKAY [ 2.987s]
finished. total time: 130.722s
NO BLUE BAR OBSERVED ON TABLET
TABLET CONTINUES SHOWING THE 3 ICONS: RCK, ANDROID and WIPE DATA
Code:
[email protected]~/work/android_roms/recovery_images $ sudo fastboot -i 0x0B05 reboot
rebooting...
Nothing happening, the tablet screen remains the same with the 3 icons.
Is the boot.blob file contained within TF700K_all_WW_USER_V5.0.4.17.raw?
I think this .raw file is the wrong file, I found a different file for my SKU on the Asus website which contains the contents in the attached screenshot. Is it blob or boot.img I should use?
Yes, flash the blob and only the blob, no extension on the file name. That should do it
So I tried that but I got this result:
Code:
[email protected] ~/work/android_roms/recovery_images $ sudo fastboot -i 0x0B05 flash system blob
erasing 'system'...
OKAY [ 2.313s]
sending 'system' (1781 KB)...
OKAY [ 1.121s]
writing 'system'...
FAILED (remote: (InvalidState))
finished. total time: 7.059s
The blue bar did appear this time but in addition to the error there is some red text in the top left corner saying "Signature mismatch"
I've googled for a solution, some people suggested here https://forum.xda-developers.com/showthread.php?t=2417097 that the system image might be the wrong version for this bootloader version (I think).
So I downloaded the original version of the system image from http://drivers.softpedia.com/get/JOYSTICK-GAMEPAD-WHEELS-and-TABLETS/ASUS/ASUS-Transformer-Pad-Infinity-TF700T-Firmware-10611410-WW.shtml which matched the version number displayed in the bootloader and after flashing that blob hey presto it's working again!!!
Thanks a bloody million for your guidance and patience!!

Android 10_Q system-as-root

As the thread starter states...
Android 10 'System-As-Root' was never supposed to be released. Google it.
It never was. Nothing wrong with my fone. boot-debug.img IS the system-as-root, it just isn't a root app.
User-debug will be tied to your account, so don't expect to see them ever again...
So many naysayers saying my fone company got it wrong, that my fone is fecked up...
Na.. System-As-Root = root, as good as it's ever gonna be in the open, provided by boot-debug.
You have root but can't flash a dynamic /system. Magisk KILLs Developer/Feature Flags. With stock boot, feature flags is seen, but shows 'experimental' nothing else. With boot-debug, all feature flags are shown. First thing you'll do is flash magisk. Why does magisk remove this access? In particular for YOU is 'settings-dynamic-system' (used to overlay your gsi - needed to flash gsi). Without these feature flags to set, how will your magisk'd fone boot gsi on system-as-root a-only? It can't. Uninstall magisk... but magisk leaves traces on the fone that prevent earlier versions of magisk being installed, so how can we test earlier versions? That we know worked before?
Magisk'd boot removes the feature flags section from developer menu in Android 10_Q. Why?
This is needed to mount any gsi on an 'a-only' 'system-as-root', by mounting to 'upper' partition, which wipes when re-flashing stock boot.img. Do the work in the upper (like we do in twrp) reflash to the lower after 'sync' will retain your work before reflashing stock boot.img, so no root app needed, but we need one to cut down on how tedious it all is now.. at least they keep you at home... safe lol...
Magisk is only using overlay because it works in pie... in fact, all using magisk are using PIE exploits that don't work in android 10 system as root!! (just a noticed warning)
SystemRW works in PIE, even works in my system-as-root but useless, cause the point, being able to write system while in fone gui, is negated by the fact that system is ro, in about 20 different locations, in about a billion different mount points and well... right down to file sizes for each file in each partition contained within the super.img, but what I don't get is why it works in twrp, yet not in the gui.. (i'm in the directory so can't mount it when using fone, duh...)
As for the other tool to create rw in the super partition, I'll say this:
Pie is dying. Re-write your apps to work with the android 10 super, which is NOT the same as PIE super.img... (this is not a super.img ring any bells?)
Both rw tool authors stuck on them damn pie's.. I'd swap parted to get the auto resize of space on the fly, I'd give my 10 cents worth, but you know better... if they kill all fones previous to android 10... google win.
They gave us root.
Overlay your own tools!
In a system-as-root booted fone. Feck safety net, I use my nokia 8310 to this day..
And for the naysayers...
D:\0\AdbStation>adb reboot download
D:\0\AdbStation>fastboot flashing unlock_critical
(bootloader) Start unlock flow
OKAY [ 4.196s]
Finished. Total time: 4.196s
D:\0\AdbStation>fastboot --disable-verity --disable-verification flash boot boot-debug.img
Sending 'boot' (32768 KB) OKAY [ 0.764s]
Writing 'boot' OKAY [ 0.515s]
Finished. Total time: 1.420s
D:\0\AdbStation>fastboot -w
Erasing 'userdata' OKAY [ 0.452s]
mke2fs 1.46.2 (28-Feb-2021)
Creating filesystem with 6311931 4k blocks and 1581056 inodes
Filesystem UUID: aa3b871c-2496-11ec-9dd6-d71d0c30be37
Superblock backups stored on blocks:
32768, 98304, 163840, 229376, 294912, 819200, 884736, 1605632, 2654208,
4096000
Allocating group tables: done
Writing inode tables: done
Creating journal (32768 blocks): done
Writing superblocks and filesystem accounting information: done
Sending 'userdata' (180 KB) OKAY [ 0.016s]
Writing 'userdata' OKAY [ 0.047s]
Erasing 'cache' OKAY [ 0.016s]
mke2fs 1.46.2 (28-Feb-2021)
Creating filesystem with 110592 4k blocks and 110592 inodes
Filesystem UUID: aa63fe86-2496-11ec-99f6-f719dec4c630
Superblock backups stored on blocks:
32768, 98304
Allocating group tables: done
Writing inode tables: done
Creating journal (4096 blocks): done
Writing superblocks and filesystem accounting information: done
Sending 'cache' (68 KB) OKAY [ 0.016s]
Writing 'cache' OKAY [ 0.031s]
Erasing 'metadata' OKAY [ 0.016s]
Erase successful, but not automatically formatting.
File system type raw data not supported.
Finished. Total time: 0.889s
D:\0\AdbStation>fastboot reboot
Rebooting OKAY [ 0.000s]
Finished. Total time: 0.000s
D:\0\AdbStation>adb disable-verity
Error getting verity state. Try adb root first?
D:\0\AdbStation>adb root
restarting adbd as root
D:\0\AdbStation>adb shell
Armor_X5_Q:/ # whoami
root
Armor_X5_Q:/ # mount -o rw,remount /
'/dev/block/dm-3' is read-only
Armor_X5_Q:/ # mount -o rw,remount /sys
Armor_X5_Q:/ # cd sys
Armor_X5_Q:/sys # ls
block bus dev firmware kernel mtk_rgu
bootinfo class devices fs module power
Armor_X5_Q:/sys # bootinfo
/system/bin/sh: bootinfo: inaccessible or not found
127|Armor_X5_Q:/sys # bootinfo --help
/system/bin/sh: bootinfo: inaccessible or not found
127|Armor_X5_Q:/sys # devices
/system/bin/sh: devices: inaccessible or not found
127|Armor_X5_Q:/sys # cd dev
Armor_X5_Q:/sys/dev # ls
block char
Armor_X5_Q:/sys/dev # cd /
Armor_X5_Q:/ # cd /
Armor_X5_Q:/ # ls
acct d init.environ.rc metadata sbin
apex data init.rc mnt sdcard
bin debug_ramdisk init.usb.configfs.rc odm storage
bugreports default.prop init.usb.rc oem sys
cache dev init.zygote32.rc proc system
charger etc init.zygote64_32.rc product ueventd.rc
config init lost+found product_services vendor
Armor_X5_Q:/ # cd system
Armor_X5_Q:/system # cd bin
Armor_X5_Q:/system/bin # ls
AudioSetParam hwclock printenv
abb hwservicemanager printf
acpi i2cdetect procrank
adbd i2cdump profman
aee i2cget ps
aee_aed i2cset pwd
aee_aed64 iconv racoon
aee_archive id readlink
aee_core_forwarder idmap realpath
aee_dumpstate idmap2 reboot
am idmap2d recovery-persist
apexd ifconfig renice
app_process ime requestsync
app_process32 incident resize.f2fs
app_process64 incident_helper resize2fs
applypatch incidentd restorecon
appops init rm
appwidget inotifyd rmdir
art_apex_boot_integrity input rmmod
ashmemd insmod rss_hwm_reset
atrace install rtt
audioserver install-recovery.sh run-as
auditctl installd runcon
awk ionice schedtest
badblocks iorapd screencap
base64 iorenice screenrecord
basename ip sdcard
batterywarning ip-wrapper-1.0 secdiscard
bc ip6tables secilc
bcc ip6tables-restore sed
blank_screen ip6tables-save sendevent
blkid ip6tables-wrapper-1.0 sensorservice
blockdev iptables seq
bmgr iptables-restore service
boot_logo_updater iptables-save servicemanager
bootstat iptables-wrapper-1.0 setenforce
bootstrap keystore setprop
bpfloader keystore_cli_v2 setsid
bu kill settings
bugreport killall sgdisk
bugreportz kpoc_charger sh
bunzip2 lbs_dbg sha1sum
bzcat lcdc_screen_cap sha224sum
bzip2 ld.mc sha256sum
cal librank sha384sum
cameraserver linker sha512sum
cat linker64 showmap
charger linker_asan simpleperf
chcon linker_asan64 simpleperf_app_runner
chgrp lmkd sleep
chmod ln sload_f2fs
chown load_policy sm
chroot locksettings sort
chrt log split
cksum logcat ss
clatd logd sspm_log_writer
clear loghidlsysservice st_factorytests
cmd logname start
cmp logwrapper stat
comm losetup statsd
connsyslogger lpdump stop
content lpdumpd storaged
cp ls strings
cpio lshal stty
crash_dump32 lsmod surfaceflinger
crash_dump64 lsof svc
cut lspci swapoff
dalvikvm lsusb swapon
dalvikvm32 make_f2fs sync
dalvikvm64 md5sum sysctl
date mdlogger tac
dd mdnsd tail
debuggerd media tar
defrag.f2fs mediadrmserver taskset
device_config mediaextractor tc
devmem mediametrics tc-wrapper-1.0
dex2oat mediaserver tcpdump
dexdiag met-cmd tee
dexdump met_log_d telecom
dexlist microcom terservice
dexoptanalyzer migrate_legacy_obb_data.sh thermald
df mini-keyctl time
diff mkdir timeout
dirname mke2fs tombstoned
dmctl mkfifo toolbox
dmesg mkfs.ext2 top
dnsmasq mkfs.ext3 touch
dos2unix mkfs.ext4 toybox
dpm mknod tr
drmserver mkswap traced
du mktemp traced_probes
dumpstate mobile_log_d trigger_perfetto
dumpsys modemdbfilter_client true
e2fsck modinfo truncate
e2fsdroid modprobe tty
echo monkey tune2fs
egrep more tzdatacheck
emdlogger1 mount ueventd
emdlogger2 mountpoint uiautomator
emdlogger3 move_widevine_data.sh ulimit
emdlogger5 mtkbootanimation umount
env mtpd uname
expand mv uncrypt
expr nc uniq
fallocate ndc unix2dos
false ndc-wrapper-1.0 unlink
fgrep netcat unshare
file netd unzip
find netdiag uptime
flags_health_check netstat usbd
flock netutils-wrapper-1.0 usleep
fmt newfs_msdos uudecode
free nfcstackp uuencode
fsck.f2fs nice uuidgen
fsck_msdos nl vdc
fsverity_init nohup viewcompiler
fsync notify_traceur.override.sh vintf
gatekeeperd notify_traceur.sh vmstat
getconf nproc vold
getenforce nsenter vold_prepare_subdirs
getevent oatdump vr
getprop od vtservice
gpuservice oem-iptables-init.sh wait_for_keymaster
grep paste watch
groups patch watchdogd
gsi_tool perfetto wc
gsid pgrep which
gunzip pidof whoami
gzip ping wificond
head ping6 wm
heapprofd pkill xargs
hid pm xxd
hostname pmap yes
hw pppd zcat
Armor_X5_Q:/system/bin # getenforce
Enforcing
Armor_X5_Q:/system/bin # setenforce 0
Armor_X5_Q:/system/bin # get enforce
/system/bin/sh: get: inaccessible or not found
127|Armor_X5_Q:/system/bin # getenforce
Permissive
Armor_X5_Q:/system/bin # root mofo's, System-As-Root! boot-debug rocks!
> ^C
130|Armor_X5_Q:/system/bin # Who needs su
/system/bin/sh: Who: inaccessible or not found
127|Armor_X5_Q:/system/bin # whoami
root
Armor_X5_Q:/system/bin #
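For anyone who has to decide whether a device in this state can be trusted, an added example (not from the post) that audits `adb shell getprop` and `getenforce` output for the conditions the session above produces: unlocked bootloader, verity disabled, debuggable image, root adbd and permissive SELinux. The getprop sample is constructed, not captured from the Armor_X5_Q, and the check assumes the device reports these standard properties.

```python
import re

# Constructed sample: getprop output for a user build booted with a debug
# boot image and verity disabled (not captured from the device in the post).
SAMPLE_GETPROP = """\
[ro.build.type]: [user]
[ro.debuggable]: [1]
[ro.adb.secure]: [0]
[ro.boot.flash.locked]: [0]
[ro.boot.verifiedbootstate]: [orange]
[ro.boot.veritymode]: [disabled]
[service.adb.root]: [1]
"""

PROP_RE = re.compile(r"^\[([^\]]+)\]:\s*\[(.*)\]\s*$")

# (property, values expected on a locked production device, meaning of a deviation)
CHECKS = [
    ("ro.boot.flash.locked", {"1"}, "bootloader is unlocked"),
    ("ro.boot.verifiedbootstate", {"green"}, "boot chain not verified against the OEM key"),
    ("ro.boot.veritymode", {"enforcing"}, "dm-verity is not enforcing"),
    ("ro.debuggable", {"0"}, "debuggable image: adb root is permitted"),
    ("ro.adb.secure", {"1"}, "adb does not require host key authorization"),
    ("service.adb.root", {"0", ""}, "adbd is running as root"),
]


def parse_getprop(text):
    """Parse `[key]: [value]` lines into a dict; other lines are ignored."""
    props = {}
    for line in text.splitlines():
        m = PROP_RE.match(line.strip())
        if m:
            props[m.group(1)] = m.group(2)
    return props


def audit(getprop_text, getenforce_text):
    """Return a list of (name, observed value, reason) findings.

    A property the device does not report is skipped, not flagged.
    """
    props = parse_getprop(getprop_text)
    findings = []
    for key, healthy, reason in CHECKS:
        value = props.get(key)
        if value is not None and value not in healthy:
            findings.append((key, value, reason))
    # A user build should never be debuggable; when it is, the boot image
    # is overriding the build's own properties (what a debug ramdisk does).
    if props.get("ro.build.type") == "user" and props.get("ro.debuggable") == "1":
        findings.append(("ro.build.type", "user",
                         "user build reporting ro.debuggable=1: debug boot image"))
    mode = getenforce_text.strip()
    if mode.lower() != "enforcing":
        findings.append(("selinux", mode, "SELinux is not enforcing"))
    return findings


if __name__ == "__main__":
    for name, value, reason in audit(SAMPLE_GETPROP, "Permissive"):
        print(f"{name}={value}: {reason}")
```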
