So I got myself this nice tab ASUS Memo Pad HD 7 (ME173x), rooted the thing as soon as I got home, removed some bloatware and then after a few hours a notification for an OTA upgrade hits me (which ofc was not available manually).
You are obviously reading this 'cause the upgrade fails, just a broken droid when it tries to flash the upgrade.
Maybe the upgrade is like a patch (it's just 56MB) and it fails me because I have removed some (well lots actually...) of those nice installed apps?
What to do? Wait for a maybe more substantial upgrade? Look for a full factory image? Just swap the tablet with a new one claiming that "OMG doesn-t-work" (hmm and what after I root the new one, de-bloat, and another new upgrade hits the air...).
Thanks!
I found the upgrade, which is cached in /cache/dlpkgfile (and it's a *.zip).
If I browse it I find a lot of app patches in system/app: would it be safe to erase just those I've uninstalled, re-zip and try to upgrade?
Well the whole upgrade has a checksum, which is not easy to recreate as the script makepatch works (I guess) with a full source / dest combo. Nor would it be simple to re-install some of the apps from market as the versions could mismatch with those provided in the base.
This means that we should need backups from an original un-upgraded device, and see if that would get through the patching.
A factory image would be useful actually.
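An added example, not part of the original posts: a Python sketch that lists which files an incremental OTA expects to find unmodified, by reading the `apply_patch_check(...)` calls from the package's `META-INF/com/google/android/updater-script` and hashing a copy of `/system` pulled to a PC. It assumes the script uses that call form as AOSP incremental packages do; the file names, file contents and the `EMMC:` target in the demo are constructed.

```python
import hashlib
import os
import re
import tempfile

# apply_patch_check("<target>", "<sha1>", "<sha1>", ...): the file must already
# match one of the listed SHA-1 digests before the patch is applied.
CHECK_RE = re.compile(
    r'apply_patch_check\(\s*"([^"]+)"((?:\s*,\s*"[0-9a-fA-F]{40}")*)\s*\)')


def parse_patch_checks(script_text):
    """Map each checked target to the set of SHA-1 digests the script accepts."""
    checks = {}
    for match in CHECK_RE.finditer(script_text):
        digests = {d.lower() for d in re.findall(r"[0-9a-fA-F]{40}", match.group(2))}
        checks.setdefault(match.group(1), set()).update(digests)
    return checks


def sha1_file(path):
    """SHA-1 of a file, read in chunks so large APKs do not sit in memory."""
    digest = hashlib.sha1()
    with open(path, "rb") as handle:
        for chunk in iter(lambda: handle.read(1 << 20), b""):
            digest.update(chunk)
    return digest.hexdigest()


def audit_system_tree(checks, root):
    """Compare the checks against a local copy of the device tree under `root`
    (so /system/app/X.apk is expected at <root>/system/app/X.apk)."""
    report = {"ok": [], "missing": [], "modified": [], "skipped": []}
    root = os.path.abspath(root)
    system_root = os.path.join(root, "system") + os.sep
    for target, accepted in sorted(checks.items()):
        local = os.path.normpath(os.path.join(root, target.lstrip("/")))
        # Partition targets and paths escaping <root>/system are not hashed.
        if not target.startswith("/system/") or not local.startswith(system_root):
            report["skipped"].append(target)
        elif not os.path.isfile(local):
            report["missing"].append(target)      # e.g. a removed stock app
        elif sha1_file(local) in accepted:
            report["ok"].append(target)
        else:
            report["modified"].append(target)     # present but not stock
    return report


def demo():
    """Constructed sample: one stock app, one altered app, one removed app."""
    with tempfile.TemporaryDirectory() as root:
        app_dir = os.path.join(root, "system", "app")
        os.makedirs(app_dir)
        stock = b"constructed stock apk bytes"
        with open(os.path.join(app_dir, "Kept.apk"), "wb") as handle:
            handle.write(stock)
        with open(os.path.join(app_dir, "Edited.apk"), "wb") as handle:
            handle.write(b"constructed altered bytes")
        source = hashlib.sha1(stock).hexdigest()
        target = hashlib.sha1(b"constructed post-update bytes").hexdigest()
        lines = ['assert(apply_patch_check("/system/app/%s", "%s", "%s"));'
                 % (name, target, source)
                 for name in ("Kept.apk", "Edited.apk", "Removed.apk")]
        lines.append('assert(apply_patch_check("EMMC:boot:constructed"));')
        return audit_system_tree(parse_patch_checks("\n".join(lines)), root)


if __name__ == "__main__":
    for status, targets in demo().items():
        print(status, targets)
```

Every entry under `missing` or `modified` is a file that has to be back in its stock form before the package's own checks can pass.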
Hey, ea_.
Sorry that I can't really help you with the update or anything, but I was wondering if you could upload that dlpkg file somewhere for me.
A friend of mine has a MeMO Pad 7 HD here, and he messed up when (improperly) installing Chainfire 3D, rendering the device soft-bricked. Now it's all cool, because I can still access the system and manipulate it, and it's rooted on top of that, so I'm still in control. The problem is as you've mentioned: those idiots at ASUS don't have any upgrade/recovery images posted, so while I am capable of restoring the stupid thing, there's absolutely nowhere [that I can see] to restore FROM!
I was hoping to find someone with a tablet like this, who could share his system files or a recovery image of some sort from which I could recover the device...
IceDrake said:
Hey, ea_.
Sorry that I can't really help you with the update or anything, but I was wondering if you could upload that dlpkg file somewhere for me.
Too bad: I gave back my unit yesterday for a replacement (so I could back-up the whole thing as stock) but my shop was out of stock.
They say maybe they'll get some more by 9 August.
IceDrake said:
Hey, ea_.
Sorry that I can't really help you with the update or anything, but I was wondering if you could upload that dlpkg file somewhere for me.
A friend of mine has a MeMO Pad 7 HD here, and he messed up when (improperly) installing Chainfire 3D, rendering the device soft-bricked. Now it's all cool, because I can still access the system and manipulate it, and it's rooted on top of that, so I'm still in control. The problem is as you've mentioned: those idiots at ASUS don't have any upgrade/recovery images posted, so while I am capable of restoring the stupid thing, there's absolutely nowhere [that I can see] to restore FROM!
I was hoping to find someone with a tablet like this, who could share his system files or a recovery image of some sort from which I could recover the device...
I have one unit. Let me know what files you need, and I'll help you out.
ericmaxman said:
I have one unit. Let me know what files you need, and I'll help you out.
Sweet!
Essentially, I wanted the entire /system (/system/*) so I could compare all the files and find the ones that were modified, or in the worst case: replace them all with the working ones and keep the image for future recovery.
Seeing that the /system partition here is nearly 700MB in .tar.gz form, it might be a bit cumbersome to upload, so if there's a problem with that, these seem more essential to me than the rest:
/system/bin
/system/etc
/system/lib
/system/vendor
/system/build.prop
Also, /system/usr seems like it may contain device-specific/personal stuff, so you might want to skip this one either way.
Many thanks!
P.S. Sorry for shamelessly hijacking and derailing the thread. The one I created is here and may be more appropriate.
2 options:
1) restore the removed "bloatware" to its original location
I had the same problem. You can check the update log on the device after the update. I believe it is in /cache/recovery/last_log and you will find the problem.
In Android 4.2 you can better disable bloatware via app manager and disable apps you don't need. Or just rename .apk to .apk.ORG in /system/app (after using the stop command, then rm /data/dalvik-cache/* and reboot)
2) restore complete firmware with these tools:
http://4pda.ru/forum/index.php?showtopic=486532
Latest full firmware is ME173X_WW_user_4.2.4.06716_20130918
If you use flash_tool.exe from ULK173_20130618_2123_CSC then load scatter file (MT6589_Android_scatter_emmc.txt) from the main firmware, then flash it.
See attached picture. It is a factory reset process!
Pandawill also has a section in the forum describing flash process: http://www.pandawillforum.com/showt...er-PX2-MTK8389-Quad-Core-(update-Sep-6th-2013)
Hi gurus! I have done some searching based on this, but I seem to come across many different answers based on devices, ROMs etc. So I thought I would just ask. Apologies if there is an easy guide I have missed!
I need to configure a number of Android sticks with customized settings and software then deploy them in kiosk environments. Rather than configure each one separately, I'm hoping to be able to deploy an image nice and quickly to them.
The sticks are RK30 based. The webpage is here: http://multitouch.com/istick-a200-fastest-mini-computer.html and the specs are here: http://multitouch.com/download/datasheet/istick-a200-datasheet.pdf.
They are pre-rooted and you can download a "Factory Restore Pack" which includes the ADB driver, RKBatch Tool and a single factory image. It seems pretty easy to use the tool to push the image to the device and reset it.
I'm hoping to be able to configure a single device and then backup or export the image to an img file (like the factory default one) then just push this to the other devices using the same method. Is this possible and if so, how would I create the img file?
I've read and tried to understand about img files, but it seems there are boot.img files, system.img files and a whole bunch of others. I'm guessing this is a system.img file, but if I stuff around with no direction, I'll probably just brick a bunch of devices.
I also guess I could install clockwork mod and then backup to an SD, then install cm on each new device and restore the backup, but I'm hoping to do this without even needing cm by just using the RKBatch tool.
I really appreciate any help anyone can provide. Thanks in advance!
OK - update (maybe)
Can I use this tool: http://vondroid.com/threads/updated-27-08-2012-how-to-dump-current-rom.322/? I'm guessing that the file I then want to get is the system partition? Is this the one that RKBatchTool will push back to the device?
Soooo many ways to brick!!!
Hi all,
I'd like to politely ask for your help with adding Google Play to my friend's tablet which unfortunately doesn't provide this app in factory setting.
First of all I'd like to mention that I've searched here before (and other sources over the internet as well) and found many threads with similar issues. Still I was unable to get everything working because of some problems that I'm not able to solve as I'm still just a user... Unfortunately it seems that each device is unique and requires a little different stuff to reach the goal.
So here's some basic information about the device:
Maxell Maxtab C8
Android 4.0.4
Kernel version: 3.0.8+
Here's what I was able to do so far:
Successfully rooted the device
Successfully set -rw to /system (using the "Mount /system (-rw / -ro)" app)
I've tried many various Google Play installers including:
Android Market_install_files.zip
PlayStore_v4.6.17.apk found somewhere here in the forums
And about 5 others without any success. The result is that Google Play is there but it doesn't work - I mean the icon has been added, a Gmail account has been "assigned" to it during its first run, and then every time I try to run Google Play an error occurs saying that "Google Play stopped working" and it simply won't run. I also tried the simple solution with the "Android-Market_install_files" package (4 apps) - as I found out, it's the official way to use Google Play on devices where it's not preinstalled. Still, it didn't work either - again I ended up with the same error (stopped working). But there is maybe some kind of problem with the installation, because two of the four .apk files included in the "Android Market_install_files.zip" package cannot be installed: the device tells me that the app cannot be installed because of a conflicting signature (I found more about this here: http://stackoverflow.com/questions/...g-package-by-the-same-name-with-a-conflicting). I'm using files signed by Google. The advice is to first uninstall the original apps and then install these, but I'm not able to uninstall them as I can't find them. I guess these are some kind of system apps and I'm not sure where to find them exactly. Still no luck even using Root Explorer. These apps are called "OneTimeInitializer-signed.apk" and "GoogleServicesFramework-signed.apk". I think maybe Google Play from this package could work, but the problem is caused by the device, which doesn't overwrite the original apps (because of the signature).
Currently I've also found GApps Manager (http://forum.xda-developers.com/showthread.php?t=2589167) - I think this might work but I'm not able to test it at all. I simply can't find out how to get this Maxell tablet into recovery mode to find the "install from zip file" option.
Interesting is that there is no "Phonesky.apk" file in the device's memory...
Sorry for my post being soooo long but I'd like to provide as much additional information as possible.
Could you please give me advice on how to install GApps on the Maxell Maxtab C8 device, or any other solution?
This could look easy for many of you but I've been working on it for over two weeks now and I'm really clueless, even more so when there are users confirming that Google Play works with this device. So I hope you'll be glad to help. Any help will be highly appreciated! Thanks!
With kind regards
PJ
Some info: since you have root, you can simply move the .apk to your /system/app folder.
Also, you stated there is a conflicting issue with the same type of signature; this is because there is already an existing file of the same source.
To uninstall this .apk: it is usually located in the following folder(s).
- /system/app
And
- /system/priv-app
Just select and delete it. Reboot the device. And move your new files into /system/app and reboot. Make sure you also move an app called "Google Play Services.apk" or GP will not start
Great things come in small packages.
Re:
Hi krishneelg3,
many thanks for your answer. Your advice looked really easy and reasonable but it didn't work.
I deleted all required .apk files from /system/app. The Maxell tablet doesn't have a /system/priv-app folder. Then I copied all the GApps files to the corresponding folders in the tablet (/system/app, /system/etc, /system/framework, /system/lib). Then the setup wizard started, but when I tried to confirm the setup guide by touching the green Android icon it did nothing. After restarting the tablet I didn't see the setup wizard app any more. Tried about 5 times in a row from the beginning (copied the original files from the backup back to the tablet, then replaced them with the new ones from GApps) and always ended up with the same result.
There's also META-INF folder included in the GApps package. It seems to contain some certificates but I'm not sure what to do with it or where to copy these files. Could this be causing the problem?
Thank you very much.
PJ
I would like to tell you that the GApps package is supposed to be flashed via recovery.
The META INFO contains scripts to install and also certs
So if you have a custom recovery available for your device flash the custom recovery img and if you already have it then just flash it via recovery.
Sorry for the delay... I didn't manage to switch the device to recovery mode. I tried many solutions reported to work for this device but they didn't for me. Some tested, some not because apparently my knowledge is user-level. To be honest, after over 3 weeks of trying I gave up.
But thanks for your effort.
Regards
PJ
Disclaimer - this is your vehicle you are messing with. If you are not comfortable with potentially permanently damaging the head unit, stop here.
Now for the good stuff.
Credit where credit is due: this method relies on the recent "dirtycow" exploit. I used the POC Android exploit code located here:
https://github.com/timwr/CVE-2016-5195
This exploit in simple terms takes advantage of a Linux kernel bug that allows a (small) file to be "overwritten", when a user only has read access to that file. It doesn't actually modify filesystem contents, but any application that reads the file after the exploit is used will read the "new", post-exploit contents instead of the original.
The scripts attached use the dirtycow binary to overwrite the "/system/etc/factory_reset.sh" shell script with a nefarious version. This script is executed when you perform a factory reset operation through the settings menu, and gets executed as the root user.
The nefarious script is quite simple - it just calls another script that is uploaded and performs a reboot. The second script mounts the /system partition as R/W, then copies over an su binary and sets appropriate permissions, then syncs and mounts read only again.
Please note that the attached "rootme.sh" script is intended to be run from a Linux machine - if I get the time (or enough donations), or if someone else cares to, it can be ported over to a Windows batch file easily enough.
Updated the attached zip to include a Windows batch file.
Steps:
Download the attached zip file
Extract to a machine capable of connecting to your Pilot over ADB
Modify "rootme.sh" (*nix) or "rootme.bat" (Windows) to use the correct IP
- Change the "172.16.1.217" lines to reflect the correct IP for your Pilot
Execute "rootme.sh" (*nix) or "rootme.bat"
- ./rootme.sh should do it for *nix
- for Windows, open a command prompt, navigate to "rootme.bat" location and type "rootme.bat"
- Watch output for completion
Perform factory reset operation
- Note - should the exploit function correctly, this step should NOT perform any factory reset operations. However, you should fully expect everything to be reset if the exploit failed or some other problem occurred when attempting to use a nefarious factory_reset.sh script.
After the Pilot reboots, you should be able to get a shell over ADB as normal, except now issuing an "su" command will drop you to root!
Update - thanks to purespin figuring out the signature mechanisms, we can now install apps! I've attached OneClick.zip, which contains a series of scripts to automate the rooting & app installation process.
That said, be careful, use these at your own risk, etc.
Extract zip file to some folder then open up a command prompt in that folder. Also drop the APKs you wish to install to that folder.
Type OnceClickInstall.bat [YourHeadUnitIP] [APKToInstall.apk]
The script will root your device if it's not already, then go ahead and perform steps necessary to install the APK (one reboot required if already rooted).
This basically performs the steps described in purespin's post to get a signature of the APK, download and modify the whitelist XML file, upload it back, reboot, then install the APK.
There's one prompt in the script that asks you to look things over - pay attention here, if any issues crop up at this point damage can be avoided, continuing in a bad state will have undefined results.
Updated the scripts to back up the white list on each run to /data/local/tmp/whitelist-(timestamp).xml.
Updated to handle APKs with more than one signature.
Edit: As suggested by wpg_moe, a GitHub project has been set up here:
https://github.com/jersacct/2016PilotOneClick.git
Changes & suggestions are encouraged and welcomed, but this is a part time hobby project for me, so expect movement to be "lumpy", as I'm mostly only able to work on this during the weekends.
would this work on a 2016 civic android headunit? should be the same concept for it?
This is GREAT news!!! We will start to test it on a 2016/Civic/Touring. It reminds me of hacking a Linksys firmware via tftp.
sheryip said:
would this work on a 2016 civic android headunit? should be the same concept for it?
I don't have a Civic to test with, but I would imagine Honda uses the same factory reset mechanism on both models.
The included scripts are pretty straightforward - if you care to crack them open you'll see the operations they perform pretty plainly. I think the absolute worst you could suffer if you attempt this is that you factory reset your head unit. Remember your favorite radio stations if you decide to give it a shot.
Yes, I am able to root the 2016 Pilot using the method provided by jersacct. It is super easy and straightforward!
Now the question is what is next? I have been working as a programmer for the last 20 years but I don't have much knowledge of Android hacking. What's the starting point?
I'd say step 2 is to get the system info from a Ridgeline or a '17 pilot when they come out so we can try to put Android Auto or Car Play on the 16 models. Navigation would be nice but with AA/CP, you wouldn't need it.
Yep, this is just a first step. We still have to work around the white list service Honda put in place that's preventing installation of other APKs. I have not been successful in replacing the ApplistUpdate.apk with a modified version or replacing /data/system/whitelist.xml with a modified version. In either case the service is still preventing installation of new APKs.
I have a couple of workaround theories I'm working on - tracking down and modifying the service's source to always allow APK installation (effectively disabling the white list check), using the service's own interface to add APKs to the white list (much like S_Mike has done for the EU versions), stripping out or disabling the service entirely.
I think it would be much easier to get APKs installed than porting Android Auto or Car Play over. I would be very happy if we can achieve what they have done on EU versions.
jersacct said:
Yep, this is just a first step. We still have to work around the white list service Honda put in place that's preventing installation of other APKs. I have not been successful in replacing the ApplistUpdate.apk with a modified version or replacing /data/system/whitelist.xml with a modified version. In either case the service is still preventing installation of new APKs.
Any summary on how S_Mike did that (using the service's own interface to add APKs to the white list)? If not, I might spend some time to loop through the 139-page thread after work
jersacct said:
I have a couple of workaround theories I'm working on - tracking down and modifying the service's source to always allow APK installation (effectively disabling the white list check), using the service's own interface to add APKs to the white list (much like S_Mike has done for the EU versions), stripping out or disabling the service entirely.
I have a Pilot 2016. But I don't have a Linux machine. So how can I use this? Even if I use this, if I will not have access to install APKs then what is the use? I am a bit confused. I am also a developer and have been rooting my phones to install custom ROMs, but that was all with the guides that I found on the internet. Didn't try anything fancy.
ammarbukhari said:
I have a Pilot 2016. But I don't have a Linux machine. So how can I use this?
I've updated the attachment to include a Windows batch file, and updated the instructions.
Rooting the device with this method doesn't mean you can unlock all the Android goodies we're hoping for. It will, however, help a person so inclined to defeat the Honda installation restrictions.
There is no zip file
jersacct said:
I've updated the attachment to include a Windows batch file, and updated the instructions.
Rooting the device with this method doesn't mean you can unlock all the Android goodies we're hoping for. It will, however, help a person so inclined to defeat the Honda installation restrictions.
Thanks, have you had any luck installing an apk? That's what I'm looking to do on my Ridgeline.
ammarbukhari said:
There is no zip file
Sorry, corrected.
enyce9 said:
Thanks, have you had any luck installing an apk? That's what I'm looking to do on my Ridgeline.
Not yet, still working on this.
The system doesn't just check the white list. It checks the certs as well. If it isn't signed by the developer for Honda, the package installer won't install the APK.
Guys, you probably have to change the signature of the APK in the list from that code to "PREINSTALL", without the "". I have a 2015 Honda HR-V and that's the way we can install apps on our head unit. Some people had problems installing apps after updating Honda applications, because it changed "PREINSTALL" to the app signature. After a factory reset, they got the PREINSTALL again for "HondaAppCenter_A1.apk". So, try removing the signature code to PREINSTALL for some APK and use that APK name to install the app.
maecar said:
Guys, you probably have to change the signature of the APK in the list from that code to "PREINSTALL", without the "". I have a 2015 Honda HR-V and that's the way we can install apps on our head unit. Some people had problems installing apps after updating Honda applications, because it changed "PREINSTALL" to the app signature. After a factory reset, they got the PREINSTALL again for "HondaAppCenter_A1.apk". So, try removing the signature code to PREINSTALL for some APK and use that APK name to install the app.
I think the protection mechanisms in this version are entirely different. There are no "process_controls.list" or "allowed_installations.list" files present in the entire filesystem, nor does a grep across the entire filesystem return any results for "HondaAppCenter". These tell me that the protection mechanisms are not the same as previous or EU versions.
I've attached what I believe to be a component of the replacement mechanisms, an XML file describing full app names, sometimes signatures, and fields describing permissions. Any edits to this file don't seem to be regarded, so I'm still digging in to the core services that make up the white list mechanism.
Did you update whitelist.xml file directly or update the whitelist.xml file in ApplistUpdate.apk?
What a coincidence this is, as I heard about the Dirty Cow exploit just the other day and spent time trying to root my 64 bit Samsung smartphone to no avail. I did hear that it works on 32 bit android platforms and how about this for a case in point.
Jersacct, thanks for making this available to the community! I can understand that the first hurdle is getting the system to stop blocking / removing non-whitelisted apps and it sounds like you are just getting to this point now. Keep up the good work and please let us know if there are any minor details that you need worked out that can be delegated to the community, i.e. testing, troubleshooting or research.
Looking forward to having more capabilities with my 2016 Honda Pilot!
purespin said:
Did you update whitelist.xml file directly or update the whitelist.xml file in ApplistUpdate.apk?
I've attempted both approaches, with no luck. It may be that my ApplistUpdate.apk replacement was flawed somehow, so I'm not sure there. Because you modify the zipped whitelist.xml in the APK, you also have to re-sign the APK before installation; Android won't reinstall an app with different signatures without uninstalling the original, and because it's a system app it won't let you uninstall.....blah blah. I deleted the original (after backing up) and replaced it with the modified version, still no positive result. I attempted to add eu.chainfire.supersu (picked at random, could be anything) to the list of allowed apps in these cases but still couldn't get it installed.
I think my next approach will be to edit the system services (in /system/framework/services.(.jar,.odex)) and see if I can disable all whitelist checks.
Now that root is available, it's only a matter of time before someone gets around Honda's restrictions.
Yes I still have this cheap little phone. It is a pain in my ass, but that's why I love it. It creates a challenge for me. I have been experimenting with flashing different system image firmwares, and the rest of the required files, without bricking the device and having to start over. A couple of key points: you cannot unpack any of the images, then repack them and flash the device. Because secure boot is enabled, anything that isn't signed or doesn't have the same signature affiliated with it as the original firmware will immediately fail flashing. Though I'm not sure it is so much an issue with signatures as it is with binaries and not being able to flash from, for example, ver 4 to ver 3. Or so I thought. Because of the amount of aggravation this device poses even when rooted, I have been trying to find ways around flashing original system images to it without triggering a secure authorization fail. So far I have been able to take all of the images from a SM-J100VV to my J100VPP except for the boot.img and aboot. Neither of those will flash successfully on the device if they come from another. All the other images do flash so long as you do not unpack them and repack. So you can take the system.img.ext4, extract it from the firmware file for the J100VV, as well as the rest of the images not including the two named above, and successfully flash them to the J100VPP. And everything is in working order. Now I'm trying to experiment further and see what else I am able to flash as well. There are several reasons why I think this works. If you look at the build prop for the J100VPP, it's literally named four or five different things. The official device code is j1qltevzw. Until I see otherwise I assume that a system image that remains unmodified from one J1 device can potentially flash to the J100VPP. Simply extract all of the images from the firmware file, individually archive them as a .tar and flash in Odin.
Unless you screw around with anything else you shouldn't have to crash the device in the first place; you will not need to flash the boot.img or aboot. Seeing as this is a system root I'm hoping I can either go up or down an Android version at least one step in either direction. I also cannot get Xposed to successfully flash on this device without it bricking. I have tried every Xposed installer I've come across to no avail. VirtualXposed does work on this device; however, I've been having trouble getting modules to function properly, if at all. But that's beside the point, since it's a virtual machine environment: you pretty much are operating in a whole new operating system on the side of Android. It's almost like having BlueStacks on a Windows machine. Anyways, what I'm trying to get across is potentially very much improving this device by being able to flash on modified system images from other J1 devices. I know this phone is well past its prime but it still doesn't hurt to experiment.