Hello, tonight I **** up my phone (Arc S). I tried to add a custom add-on and it **** up my phone. Here's the add-on: http://forum.xda-developers.com/showthread.php?t=1443273 . I tried to set up the add-ons from the 2nd post (jtc42's post) and the phone started to do weird things. First I copied the files "Home.apk and systemui.apk to system/app" as said in the theme, and then the phone started showing a message saying com.android.systemmui. has stopped working and it gave me a force close option (I fixed that by restarting my phone). Then I tried to apply the files into the framework folder in my system folder; as soon as I pasted them in there the phone started restarting itself a million times. I tried restarting it, putting the battery in and out, but nothing worked, and now the phone is turned off and I really need it by tomorrow. Is there a way to recover it? I have all the original files stored on my PC. The phone is an Arc S with stock ROM, nothing is changed, it's just rooted.
If your BL is locked, use the repair function in PCC.
Before you try some MODs you should always do a backup in CWM.
And if you copy and paste some files into the /system folder, you always have to set the right permissions.
Try this: http://www.mediafire.com/?l7l9lmg0z740j6v
---------- Post added at 03:11 PM ---------- Previous post was at 03:10 PM ----------
all apps. are there if you accidentally delete your system app
So I decided to try to run Ubuntu Touch on my Samsung Galaxy Nexus (Verizon). All went well, but now it seems I can't start the phone, can only get into fastboot mode. Can anyone please walk me through the steps of putting stock Android back on my phone? I have adb and fastboot installed on my computer. There's a guide here that walks you through the process of returning the phone to stock software/firmware, but it requires USB debugging to be on, which I can't turn on because the phone won't boot up. I greatly appreciate any help!!!
Phone Info(what's written in fastboot):
PRODUCT NAME-Tuna
VARIANT- toro 32GB
HW VERSION- 9
BOOTLOADER VERSION: PRIMELC03
BASEBAND VERSION- I515.FK02 CDMA-I515.FK01
CARRIER INFO- NONE
SIGNING- production
LOCK STATE- UNLOCKED
You don't need USB debug on in order to use fastboot
---------- Post added at 05:39 PM ---------- Previous post was at 05:38 PM ----------
Debugging is only needed if using adb.
But if u already in fastboot bootloader mode then u don't need to do "adb reboot bootloader" command
ashclepdia said:
You don't need USB debug on in order to use fastboot
---------- Post added at 05:39 PM ---------- Previous post was at 05:38 PM ----------
Debugging is only needed if using adb.
But if u already in fastboot bootloader mode then u don't need to do "adb reboot bootloader" command
Thanks for the pretty fast response! I'm still lost as to how I can make everything go back to the way it is (i.e, get rid of ubuntu and get android back on ) . Definitely my last time trying to muck around with roms and such D;
vsp3317 said:
Thanks for the pretty fast response! I'm still lost as to how I can make everything go back to the way it is (i.e, get rid of ubuntu and get android back on ) . Definitely my last time trying to muck around with roms and such D;
Don't give up!
Once you've done it once or twice it becomes easier, everything starts to make sense
Did you download one of the Google factory img for toro to your computer? Get it from here
https://developers.google.com/android/nexus/images
(It will be under the Mysid/toro name) any of the available ones will work that are for toro.
---------- Post added at 06:19 PM ---------- Previous post was at 06:17 PM ----------
Then you just uncompress the file, open command prompt(aka terminal) in that folder/directory , put device into fastboot mode(bootloader), and then execute the flash all script that comes with the factory IMG download.
---------- Post added at 06:26 PM ---------- Previous post was at 06:19 PM ----------
Oh, and to easily open a command prompt in that directory, uncompress the factory img download file from that site linked above, then open the folder to view its contents. Hold shift and right click within the folder and choose "open command prompt"
Then all you should need to do is put "flash-all.exe" and hit enter in the command prompt that pops up once device is connected and in fastboot(bootloader)mode. (No quotes...just enter the text) and then be patient. The flashing of the radio files might seem to take a long time especially the CDMA radio. Do NOT unplug or anything before it is completed fully)
If you need any more info, ask away
ashclepdia said:
Don't give up!
Once you've done it once or twice it becomes easier, everything starts to make sense
Did you download one of the Google factory img for toro to your computer? Get it from here
(It will be under the Mysid/toro name) any of the available ones will work that are for toro.
---------- Post added at 06:19 PM ---------- Previous post was at 06:17 PM ----------
Then you just uncompress the file, open command prompt(aka terminal) in that folder/directory , put device into fastboot mode(bootloader), and then execute the flash all script that comes with the factory IMG download.
---------- Post added at 06:26 PM ---------- Previous post was at 06:19 PM ----------
Oh, and to easily open a command prompt in that directory, uncompress the factory img download file from that site linked above, then open the folder to view its contents. Hold shift and right click within the folder and choose "open command prompt"
Then all you should need to do is put "flash-all.exe" and hit enter in the command prompt that pops up once device is connected and in fastboot(bootloader)mode. (No quotes...just enter the text) and then be patient. The flashing of the radio files might seem to take a long time especially the CDMA radio. Do NOT unplug or anything before it is completed fully)
If you need any more info, ask away
Wow, I can't thank you enough man!!! :highfive: That worked like a charm , no problems at all . And oh it's "flash-all.bat" not .exe, for the people that might come across this thread later. Thanks again though, I really don't know what I would've done. Definitely going to do a **** ton more research next time I decide to go and flash a rom haha.
vsp3317 said:
Wow, I can't thank you enough man!!! :highfive: That worked like a charm , no problems at all . And oh it's "flash-all.bat" not .exe, for the people that might come across this thread later. Thanks again though, I really don't know what I would've done. Definitely going to do a **** ton more research next time I decide to go and flash a rom haha.
No problem buddy
That's what these forums are for, learning, helping, development, all that good stuff! Just happy it went smoothly for ya.
I think it used to be named .exe, at least it shows as exe on my laptop but I use Linux so it could just be seeing it differently(since I have wine installed)
There is usually a windows executable and a Linux .sh script that can be executed from the terminal to start the process.
See, it's not all THAT bad now is it? Especially since now you know how to do it, messing up the device isn't such a daunting thing anymore lol.
As for keeping status 7 from happening again I highly recommend bookmarking the TWRP or CWM official sites so that before flashing things in the future, you can make sure you have the most up to date custom recovery installed by comparing what is available vs what you have installed(booting into recovery mode will usually have the version info somewhere on the main screen) and of course having a recent nandroid backup made within your current custom recovery. I prefer TWRP but it's a personal choice to each user which they use
Just don't be afraid to play around
Congrats again on your first soft brick&restore! Lol
It's such a relieving feeling once you bring device back from the dead ain't it?
Root is no longer working on MM update.
Don't suppose anybody knows how to get to recovery with hardware button?
hecksagon said:
Don't suppose anybody knows how to get to recovery with hardware button?
Swipe from top-left to bottom-right at the Asus logo. That gets you to fastboot mode, then swipe up and down to change menu items, swipe right to select.
Or you can enable debug mode and use adb reboot recovery.
CSX321 said:
Swipe from top-left to bottom-right at the Asus logo. That gets you to fastboot mode, then swipe up and down to change menu items, swipe right to select.
Or you can enable debug mode and use adb reboot recovery.
You are a hero. I have looked for the better part of 2 hours for this. Anyway I'll sideload the LP update and start over. Hopefully somebody can make use of the recovery and boot pulls and get us a working recovery.
I would be very interested in REMOVING the Wellness app. This is the only reason I want root. Guess I will need to wait until we have a root enabled file manager. Alas, I can write in C++ fairly well, but know nothing of coding for android. Be glad to test any recoveries and operating systems on my ZenWatch.
nethead72 said:
I would be very interested in REMOVING the Wellness app. This is the only reason I want root. Guess I will need to wait until we have a root enabled file manager. Alas, I can write in C++ fairly well, but know nothing of coding for android. Be glad to test any recoveries and operating systems on my ZenWatch.
It can be done without a file manager. If you have root, you can enable debugging, connect to a PC by USB, use adb to get a root shell, then adb uninstall package_name.
Edit...Which Benton are you in, BTW. I'm not far from Benton, IL.
CSX321 said:
It can be done without a file manager. If you have root, you can enable debugging, connect to a PC by USB, use adb to get a root shell, then adb uninstall package_name.
Edit...Which Benton are you in, BTW. I'm not far from Benton, IL.
Es File Explorer works fine and has an OK interface when on the watch. Also the KingRoot app that gets pushed has an uninstaller too for system apps. The biggest issue I've had is that when the prompt to allow root comes up you can not select allow. You have to cover the screen to back out, then go into KingRoot and open the log, then select the app you want to allow and set it to always allow. You have to do this after the initial failed prompt.
Edit: Freeport, IL here. World's a small place.
File Types?
hecksagon said:
The latest Windows version of kingroot works on the zenwatch. I currently have root that persists after reboot and I am working on pulling the boot.img and recovery.img. Not sure what to do after that, hope somebody can pick up on this.
Recovery.img
https://drive.google.com/file/d/0BxOsuCVqSlnfVzVGRWo4bmZZZHc/view?usp=docslist_api
Boot.img
https://drive.google.com/file/d/0BxOsuCVqSlnfLVp4Z19EQ0owdTQ/view?usp=docslist_api
Am I looking at .iso files here, tarballs, or some other kind of binary? I need to add file extensions to make them useful.:good:
---------- Post added at 09:30 PM ---------- Previous post was at 09:28 PM ----------
Benton Arkansas.
---------- Post added at 09:32 PM ---------- Previous post was at 09:30 PM ----------
hecksagon said:
Es File Explorer works fine and has an OK interface when on the watch. Also the KingRoot app that gets pushed has an uninstaller too for system apps. The biggest issue I've had is that when the prompt to allow root comes up you can not select allow. You have to cover the screen to back out, then go into KingRoot and open the log, then select the app you want to allow and set it to always allow. You have to do this after the initial failed prompt.
Edit: Freeport, IL here. World's a small place.
I use ES File Explorer on my Nexus 6, CyanogenMod 12.1
I do not have a wearable app on my ZenWatch. Is it in settings somewhere?
nethead72 said:
Am I looking at .iso files here, tarballs, or some other kind of binary? I need to add file extensions to make them useful.:good:
---------- Post added at 09:30 PM ---------- Previous post was at 09:28 PM ----------
Benton Arkansas.
---------- Post added at 09:32 PM ---------- Previous post was at 09:30 PM ----------
I use ES File Explorer on my Nexus 6, CyanogenMod 12.1
I do not have a wearable app on my ZenWatch. Is it in settings somewhere?
You have to download the normal phone apk from apkmirror or some other site and use adb to sideload it. Google sideloading apps to Wear, should work the same for any watch. Otherwise you can buy Apps2Wear on the Play Store. I have done that because it's more convenient.
Ok, went through the whole process, is there a way to check root access using ADB?
You should have the KingRoot app installed on your watch. That will tell you if you have root. I imagine you could try to pull some files from /system or something that would normally not be accessible. I wouldn't recommend writing to system yet. I soft bricked my watch just by pasting a modified build.prop over the original, trying to turn off low bit depth ambient mode.
Root confirmed, having issues side-loading the ES File explorer apk, though. I'm using the App2Wear method. Still trouble shooting.
nethead72 said:
Root confirmed, having issues side-loading the ES File explorer apk, though. I'm using the App2Wear method. Still trouble shooting.
Make sure you have adb debugging and adb bluetooth debugging enabled on the watch. Make sure you have USB adb debugging turned on on the phone. Then make sure you have bluetooth debugging turned on in the Wear app. Make sure you do these in that order because the toggle in the Wear app won't show up unless you have debugging enabled on the phone first.
This is the KingRoot file you need for windows.
https://onedrive.live.com/redir?res...3077&authkey=!AA2AI4RkRdiA4tg&ithint=file,exe
Attached is the latest ES File Explorer APK
EDIT: I rebooted everything, and worked fine. Funny how rebooting fixes so many issues... Will test when side-load is completed.
EDIT 2: Looks like it's gonna take a long time. Gonna go do dishes and whatnot and be patient.
nethead72 said:
Am I looking at .iso files here, tarballs, or some other kind of binary? I need to add file extensions to make them useful.:good:
Sorry, they are .img. They were pulled using Flashify. The extension must have been stripped when I uploaded them to Drive.
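Added example (not part of the thread, and not code from any poster): when a downloaded dump has lost its extension, the leading bytes identify it more reliably than the file name does. The sketch below checks the magic values for Android boot/recovery images, Android sparse images, ext filesystems, gzip, tar and ISO 9660; the function names and the sample byte strings are constructed for illustration.

```python
import struct

BOOT_MAGIC = b"ANDROID!"         # Android boot/recovery image header
SPARSE_MAGIC = 0xED26FF3A        # Android sparse image, little-endian u32 at offset 0
EXT_MAGIC = 0xEF53               # ext2/3/4 s_magic
EXT_MAGIC_OFFSET = 1024 + 0x38   # superblock starts at 1024, s_magic at +0x38
TAR_MAGIC_OFFSET = 257           # "ustar" in a POSIX tar header
ISO_MAGIC_OFFSET = 0x8001        # "CD001" in the ISO 9660 volume descriptor
PROBE_BYTES = ISO_MAGIC_OFFSET + 5


def identify_image(data: bytes) -> dict:
    """Classify a blob from its leading bytes; the file name is never consulted."""
    if len(data) >= 44 and data[:8] == BOOT_MAGIC:
        (version,) = struct.unpack_from("<I", data, 40)
        if version >= 3:
            # Header v3+: kernel_size, ramdisk_size follow the magic; page size is fixed.
            kernel_size, ramdisk_size = struct.unpack_from("<II", data, 8)
            page_size = 4096
        else:
            # Header v0-v2: kernel_size, kernel_addr, ramdisk_size, ..., page_size at 36.
            kernel_size, _kaddr, ramdisk_size = struct.unpack_from("<III", data, 8)
            (page_size,) = struct.unpack_from("<I", data, 36)
        return {"type": "android-boot", "ext": ".img", "header_version": version,
                "kernel_size": kernel_size, "ramdisk_size": ramdisk_size,
                "page_size": page_size}
    if len(data) >= 28 and struct.unpack_from("<I", data, 0)[0] == SPARSE_MAGIC:
        major, minor, _fhdr, _chdr, blk_sz, total_blks, chunks, _crc = \
            struct.unpack_from("<HHHHIIII", data, 4)
        return {"type": "android-sparse", "ext": ".img",
                "version": f"{major}.{minor}", "block_size": blk_sz,
                "raw_size": blk_sz * total_blks, "chunks": chunks}
    if data[:2] == b"\x1f\x8b":
        return {"type": "gzip", "ext": ".gz"}
    if data[TAR_MAGIC_OFFSET:TAR_MAGIC_OFFSET + 5] == b"ustar":
        return {"type": "tar", "ext": ".tar"}
    if data[ISO_MAGIC_OFFSET:ISO_MAGIC_OFFSET + 5] == b"CD001":
        return {"type": "iso9660", "ext": ".iso"}
    if (len(data) >= EXT_MAGIC_OFFSET + 2
            and struct.unpack_from("<H", data, EXT_MAGIC_OFFSET)[0] == EXT_MAGIC):
        return {"type": "ext-filesystem", "ext": ".img"}
    return {"type": "unknown", "ext": ""}


def identify_file(path: str) -> dict:
    """Read only as many bytes as the deepest magic offset needs."""
    with open(path, "rb") as fh:
        return identify_image(fh.read(PROBE_BYTES))


def _sample_ext() -> bytes:
    buf = bytearray(2048)
    struct.pack_into("<H", buf, EXT_MAGIC_OFFSET, EXT_MAGIC)
    return bytes(buf)


# Constructed sample headers (not taken from any real device image).
SAMPLE_BOOT = BOOT_MAGIC + struct.pack(
    "<9I", 0x500000, 0x10008000, 0x200000, 0x11000000, 0, 0x10F00000,
    0x10000100, 2048, 0)
SAMPLE_SPARSE = struct.pack("<IHHHHIIII", SPARSE_MAGIC, 1, 0, 28, 12,
                            4096, 262144, 3, 0)
SAMPLE_EXT = _sample_ext()

if __name__ == "__main__":
    for name, blob in [("boot", SAMPLE_BOOT), ("sparse", SAMPLE_SPARSE),
                       ("ext", SAMPLE_EXT), ("zeros", b"\x00" * 64)]:
        print(name, identify_image(blob))
```

A sparse result also reports the size the image will occupy once unsparsed, which is worth checking against free disk space before converting it.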
nethead72 said:
This is the KingRoot file you need for windows.
https://onedrive.live.com/redir?res...3077&authkey=!AA2AI4RkRdiA4tg&ithint=file,exe
Attached is the latest ES File Explorer APK
EDIT: I rebooted everything, and worked fine. Funny how rebooting fixes so many issues... Will test when side-load is completed.
EDIT 2: Looks like it's gonna take a long time. Gonna go do dishes and whatnot and be patient.
Sometimes it fails once and works when you retry. Not sure why.
hecksagon said:
Sometimes it fails once and works when you retry. Not sure why.
ES is 28 MB when installed, according to App2Wear, that should be 45-60 minutes to install.
nethead72 said:
ES is 28 MB when installed, according to App2Wear, that should be 45-60 minutes to install.
Maybe 10-15 mins when I did.
hecksagon said:
Maybe 10-15 mins when I did.
Seems like it's taking way too long (going on 1 hour+). Gonna reboot and try again.
---------- Post added at 11:55 PM ---------- Previous post was at 11:25 PM ----------
If it fails this time, I will connect it to ADB with command line and manually push the apk onto the watch. I will give it until after dinner to complete the process.
Can't get it to install, and adb says it's an invalid apk file when I try to push it. I suppose it's not really necessary anyway. I'll just use the KingRoot app if I need to do file management.
nethead72 said:
Seems like it's taking way too long (going on 1 hour+). Gonna reboot and try again.
---------- Post added at 11:55 PM ---------- Previous post was at 11:25 PM ----------
If it fails this time, I will connect it to ADB with command line and manually push the apk onto the watch. I will give it until after dinner to complete the process.
Can't get it to install, and adb says it's an invalid apk file when I try to push it. I suppose it's not really necessary anyway. I'll just use the KingRoot app if I need to do file management.
Did you confirm the apk was good? I'd try installing it on your phone. I don't think KingRoot has file management capabilities.
On a side note, I would advise against uninstalling anything. I just went to flash the previous OTA and it failed because I didn't have Jawbone installed.
HTC Desire HD. I am not sure of the configuration. I cannot look at anything or even change or delete anything. I did not even know she did it till I tried to root it myself. I looked at My Apps in the Play Store and chainDD is installed as well as Hide My Root, along with BusyBox, cryomods, ROM Manager. Anyway, I want control back and to see what she is doing. I cannot do a factory reset; all that does is reset the APN, all the apps and settings are the same. Neither does booting in recovery: it shows me there is an image, but when I try to load it, it says there is no file or it can't access the file. I tried flashing a new ROM today; it says need root access or root access denied. As well as hiding the su and binaries, there are several other apps that are hidden. I tried that show or find hidden admin apps; it scanned for all of about half a second and came back no hidden apps. Some of my apps do not even do what they are supposed to. I am a noob; all I know is what I have learned because of this. Please help!!!!
If your recovery gives you those messages I think you have a stock recovery. If she has rooted your phone by unlocking your bootloader she should have used a custom recovery to flash a superuser app. This means she could have restored the stock recovery on purpose or she has used some exploit to get root.
Shut down your phone and press (power button)+(vol- button) [Do not release them until you see your bootloader]
Download ace tools from here.
Make sure you have HTC drivers installed.
After that open a cmd prompt and go to the folder you extracted the ace tools.(If you are using windows7 or later press shift+right click-->open with cmd)
Then give the command
Code:
fastboot getvar all
And copy-paste the results here (except your IMEI number).
---------- Post added at 05:39 AM ---------- Previous post was at 05:24 AM ----------
If your bootloader is unlocked with HTC_DEVs way you should see in your bootloader screen an ***Unlocked*** status.
(Your bootloader status could be locked/relocked/unlocked)
---------- Post added at 05:57 AM ---------- Previous post was at 05:39 AM ----------
As long as she has rooted your device without you knowing about it, she could be spying on all your messages, calls and all the personal stuff you have inside. She could also take control of your device and, even if you find out what she is doing, remotely erase all the important clues from another device. Be careful.
I started this thread awhile back in hopes to get more testers for the revision 4 bootloader. My other State of Root thread was originally based on BL Revision 3 anyways and just where we've released what root methods there are I'm going to eventually gear that more towards Revision 3 LP & MM status. I'm going to consolidate a bit of the later research in that thread here, specifically for rev4 so we can get a clearer vision of how to finish what we started 3 years ago.
Many thanks go out to @afaneh92, @xenomorph318, @Reverse-anastomosis for helping me jump start this back up. Thanks to @jrkruse and @elliwigy for giving me more ideas to get this going again. We might just be able to make this happen now.
****
So what I have is:
4APL1 Combo Firmware
1AOGG stock 5.1 fw (stock recovery mode speaks nothing of dm-verity)
2APB2 stock 5.1 fw
Rooted ENG UCE2APB2 boot.img
(looking for/getting) 4CPK1 stock 6.0.1 fw
4CQB2 stock 6.0.1 fw
These are the firmware files I am currently looking at. Before, we were looking primarily at Rev4 MM via dirtyc0w. But we never had safestrap back then. The Revision 4 bootloader supports LP, MM, and Nougat. And safestrap works on LP and Nougat right? So doesn't (can't it?) work on MM too? So couldn't we go from a rooted combo or stock 5.1 system with safestrap and flash over into a 6.0.1 build and retain safestrap? The HOME_CSC comes in handy in 6.0.1 flashing.
++ Now we have the option of potentially using a rom slot to do tests on a mirror dummy of the emmc. Don't be like me and try to mess with the partition table to /sdb with sgdisk, that's what deleted the bootloader on my g925v.
---- After we can get the 5.1 stock system booted for the rev4 combo BL, we can start to find out if we can flash the 2APB2 ENG Kernel through ODIN or if we will have to flash a safestrap package to get the LP Eng Kernel to boot.
=== Having the ENG Kernel Booted, with an sboot console also available, we would have a root shell to the AP & BL. There is a rev4 (combination, unbootable) recovery.img that fixes the DRK, that is supposed to also disable dm-verity. The Things in the system.img firmware are kind of copied into efs and param. As they don't seem to be populated until after first boot. But I see the .x509 FW key, and I also see A LOT of PEM certs on the FW too. Is it really hardware baked? Because it seems more like a lot of software checks in upgrade programs.
****
The end goal right now is to put together a pre-rooted stock 5.1 system.img, that can be flashed via safestrap, that will boot on the 4APL1 combo bootloader. I'm talking about getting the same result as afaneh92's N920V ROM. What has also come up is the ability to connect directly to the UART console inside of the sboot.bin. This is great news. If xenomorph318 and Reverse-anastomosis can come into this thread and post their recent findings as well, we can really get this party started.
--- INITIAL CONCEPT ---
The system.img's are sparsed ext4 partitions. They can easily be unsparsed using simg2img, and then mounted on a Linux PC. What I am looking to do this week in between work is go back over these init.*.rc files and see how much they actually differ. I'm also going to try to modify enough to boot up a build in qemu if I can. I will then also try to build a safestrap zip for flashing. We've seen that this method is possible on the N920V and the rev5 N950U. It is my thought that the same can be achieved here.
Once we can get a stable driver going, we can begin working on a way to get enough leverage to upgrade our rooted stock ROM. Lucky for us we just might have DC access in the cache on MM. And having access to the cache can mean a lot of things when the system thinks it is updating. But I don't want to get too far ahead yet.
Since the sboot console can get full kernel logs we might be able to leverage that to pull out some full Remote Code Execution inside the sboot to get the eng kernel to work somehow. It's just that, having access to both a root system console and possibly a root sboot console, we can attain data that may just allow safestrap to unlock the bootloader like SS has been able to do in the past. There's always been a bit of speculation here, but so far a lot has panned out in the right directions like I'd hoped. I still need testers to come together on this project so we can leverage all of our knowledge. Lucky for us, 6.0.1 builds are on rev4 as well. We should be able to get MM installed with safestrap maybe now too. And from there we might really be able to leverage the exploits available to root MM builds as well.
/// DOWNLOADS \\\
SM-N920A FILES via GDrive.
About Android Bootloaders
Other documentation
N920A_NobleZero_rev4_ROM_v1.2.zip ( SS Flashable Zip, NEEDS TESTED, Based on 2APB2 FW )
akiraO1 said:
Post#112
But I did want to post my findings so far on my selinux adventures thus far with my note 7....
So I was able to change the root context permanently from u:object_r:rootfs:s0 to u:r:shell:s0.
This by itself isn't all that helpful except that I actually changed it, and it stuck when I rebooted the device.
I achieved this through dirtycow-ing the file_contexts file with my custom file_contexts file and the commands restorecon -RFv / and chcon -Rhv u:r:shell:s0 /. restorecon makes selinux reload the file_contexts file immediately, so it loads all or most of my custom contexts. Then I do a chcon command to make sure it writes?
Well, that's all I have for now, but I'm working vigorously and will keep posting my findings as I find them =)
\/\/
droidvoider said:
Post #7
My tool will likely be helpful to you because that sounds good enough as long as you can get to a prompt that is CVE-2016-5195 / SVE-2016-7504 vulnerable. Anyone who isn't patched beyond Sept 2016 on any Android in the last 10 years will be able to use the tool I'm building to do amazing things. I am designing it precisely for people like you and Delgoth who have large investments in phones that could simply be repaired with enough access.
I am thinking now to fork off a child process anytime I can capture root + "any_new_context"... This will be forked into a child process then kept in a loop. If there is a new root + context that happens along through toolbox, we will grab that also.. (but I won't grab two of the same for example root + system_server I just need once)
I am hoping I can control this loop from the command line but since I am not the caller of the process for which I am capturing I am not sure that would work. This is new code to me, not sure of any examples of something like this. If I have to control it through values I set in files it adds a little more time. The great news is I am not having binary size problems so I can add quite a bit of code while still keeping toolbox much less than the currently installed version on my Note 5. File size must match exactly otherwise patching causes seg fault and seg fault ruins the fun (reboot to cure but irritating)
anyway just needed to come up for air I have a ton done, need to get toolbox fired up to test angle.. any c programmers that want to help or anyone with awesome ideas please feel welcome I could use help
/\/ Re-Envision with Safestrap available \/\
droidvoider said:
Post #110
Warning: This can lead to a ruined phone that can't be repaired proceed with caution!
Warning: This HOWTO erases your contacts, stored music + photos, apps + data, Internal Storage, all of it GONE. Back it up before continuing!!
Notice: When finished you will remain on Android 6.01 Marshmallow, you will not upgrade to Nougat. But you can get rid of AT&T + Samsung apps and extend battery life by a lot! You can do a lot more than that but it is SELinux Enforcing, so you still have some limits
Introduction
This HOWTO will outline how to gain root on AT&T Note 5 Marshmallow 6.01 through Nougat 7.0 before Feb 2018 update! i.e. basebands beginning in N920AUCS4. Such as N920AUCS4CPK1 through N920AUCS4EQL1
If your baseband is N920AUCS3 or lower you can already root with Wondershare GoMobile (start at step 9)
If your baseband is N920AUCS5 then this method won't work for you.
Please be aware
This is 1 of 2 root methods for binary 4 N920A Note 5 AT&T phones!! There is also a Lollipop Android 5.11 root method that allows selinux permissive persistent root, which you can use from Post 51 of this thread!
Gain root to disable any app and do other cool stuff
1. You need the drivers for Note 5 but they are likely already installed test it via. Connect the USB charging cable between your computer<>Note 5 you should see your phone pop up in File Explorer
(if you can't connect to your phone find the Samsung Note 5 drivers first)
2. If you don't have adb installed first install it on your machine (you can test it by opening a cmd prompt and typing adb, you should get instructions for use)
https://www.xda-developers.com/install-adb-windows-macos-linux/
3. Install Wondershare GoMobile, it's a 5 day trial so be ready to do this!!
4. Download and Unzip the Customized PJ1 + PK1 Firmware into a directory
https://drive.google.com/open?id=1qHVndp4wZXeKb5TFZSnsUT-s3EBmkHVW
5. Download Odin and Unzip it to a directory then click the file to start it up.
6. Select Odin Options tab and in Odin check Auto Reboot, F.Reset Time and Nand Erase All
(load the 4 files from the Customized PJ1 + PK1 zip into the respective slots)
7. Place phone in download mode, connect it to your PC then in Odin select Start to flash the firmware, you can unplug cable when phone reboots.
8. During initial phone setup disable Wifi, skip Google Play account, exit or skip everything you can.
9. Disable security updates under SETTINGS|PERSONAL|Lock screen and security|Other security settings|Security policy updates|Automatic updates OFF
10. Enable Developer options under SETTINGS|SYSTEM|About device (tap build numbers 7 times) then push arrow back to SYSTEM and open Developer options.
11. Under Developer options OEM unlock and USB Debugging should both be ON
12. Always allow usb debugging on phone screen when you are asked. Also allow MTP file transfer.
13. If Google asks for feedback data always DECLINE, they don't help us!
14. Connect cable and connect to Wondershare GoMobile then "One Click Root"
15. After success open Windows Command Prompt and type adb shell, then su
16. You can disable any apps now but start with these (copy / paste into cmd windows then hit enter)
pm disable com.ws.dm
pm disable com.sec.android.soagent
pm disable com.policydm
pm disable com.samsung.android.securitylogagent
pm disable com.lookout
17. You can enable Wifi and Sign in the Google Play now.
18. If you reboot your phone you need to use One Click Root again to regain root, but you are free to unplug the cable!
(If you crash your phone enter recovery mode, wipe data/factory reset, wipe cache and then start over from step 8.)
Apps I disable
Here's some apps you may not like. You can copy / paste these into cmd window but only in small batches at a time (hit enter after pasting it in the window)
Code:
[AT&T]
pm disable com.att.android.digitallocker
pm disable com.sec.enterprise.knox.attestation
pm disable com.locationlabs.cni.att
pm disable com.sec.att.usagemanager3
pm disable com.att.myWireless
pm disable com.yahoo.mobile.client.android.mail.att
pm disable com.asurion.android.mobilerecovery.att
pm disable com.synchronoss.dcs.att.r2g
pm disable com.att.android.attsmartwifi
pm disable com.wavemarket.waplauncher
pm disable com.telenav.app.android.cingular
pm disable com.smlds
pm disable com.matchboxmobile.wisp
pm disable net.aetherpal.device
[Odd Apps I disabled]
pm disable com.cequint.ecid
pm disable com.facebook.katana
pm disable com.facebook.system
pm disable com.facebook.appmanager
pm disable com.instagram.android
pm disable com.amazon.mShop.android.install
pm disable com.amazon.mShop.android
pm disable com.google.android.apps.walletnfcrel
pm disable com.americanexpress.plenti
pm disable com.amazon.kindle
pm disable com.hancom.office.editor
pm disable com.google.android.talk
pm disable com.sec.android.app.sbrowser
pm disable com.mobitv.client.tv
pm disable com.sec.android.service.health
pm disable com.sec.android.app.shealth
pm disable com.yellowpages.android.ypmobile
pm disable com.google.android.feedback
[Game related]
pm disable com.enhance.gameservice
pm disable com.wildtangent.android
pm disable com.ampsvc.android
[Sync Adapters]
pm disable com.samsung.svoice.sync
pm disable com.google.android.syncadapters.contacts
pm disable com.google.android.syncadapters.calendar
[Samsung Apps]
pm disable com.sec.android.easyMover.Agent
pm disable com.sec.android.Kies
pm disable com.sec.android.app.billing
pm disable com.sec.android.iap
pm disable com.sec.spp.push
pm disable com.sec.android.app.SecSetupWizard
pm disable com.osp.app.signin
pm disable com.sec.android.app.sns3
pm disable com.sec.android.app.SamsungContentsAgent
pm disable com.samsung.android.provider.filterprovider
pm disable com.samsung.android.writingbuddyservice
pm disable com.sec.android.widgetapp.samsungapps
pm disable com.samsung.android.app.galaxyfinder
pm disable com.samsung.android.themestore
pm disable com.samsung.svoice.sync
pm disable com.samsung.clipboardsaveservice
pm disable com.samsung.android.provider.shootingmodeprovider
pm disable com.samsung.android.app.withtv
pm disable com.samsung.android.hmt.vrshell
pm disable com.samsung.android.easysetup
pm disable com.samsung.android.qconnect
pm disable com.samsung.ucs.agent.boot
pm disable com.samsung.faceservice
pm disable com.samsung.knox.rcp.components
pm disable com.samsung.android.email.provider
pm disable com.samsung.android.intelligenceservice2
pm disable com.samsung.android.MtpApplication
pm disable com.sec.android.app.samsungapps
pm disable com.samsung.android.slinkcloud
pm disable com.samsung.android.SettingsReceiver
pm disable com.samsung.android.securitylogagent
pm disable com.samsung.android.app.watchmanager
pm disable com.samsung.android.app.assistantmenu
pm disable com.samsung.android.communicationservice
pm disable com.samsung.SMT
pm disable com.samsung.aab
pm disable com.samsung.cmh
pm disable com.samsung.dcm
pm disable com.samsung.vvm
pm disable com.samsung.hs20provider
pm disable com.samsung.android.smartface
pm disable com.samsung.klmsagent
pm disable com.samsung.android.providers.context
pm disable com.samsung.android.sdk.professionalaudio.utility.jammonitor
pm disable com.samsung.android.app.colorblind
pm disable com.samsung.android.hmt.vrsvc
pm disable com.samsung.storyservice
pm disable com.sec.app.samsungprintservice
pm disable com.samsung.android.app.talkback
pm disable com.samsung.android.authservice
pm disable com.samsung.app.slowmotion
pm disable com.samsung.android.weather
pm disable com.samsung.android.app.pinboard
pm disable com.samsung.android.personalpage.service
pm disable com.samsung.advp.imssettings
pm disable com.samsung.android.app.advsounddetector
pm disable com.samsung.android.app.mirrorlink
pm disable com.samsung.android.app.vrsetupwizardstub
pm disable com.samsung.android.clipboarduiservice
pm disable com.samsung.android.asksmanager
pm disable com.samsung.android.themecenter
pm disable com.samsung.android.spdfnote
pm disable com.samsung.android.allshare.service.fileshare
pm disable com.samsung.android.universalswitch
pm disable com.samsung.helphub
pm disable com.samsung.android.app.filterinstaller
pm disable com.samsung.imagecompress
pm disable com.samsung.safetyinformation
pm disable com.samsung.app.highlightplayer
pm disable com.samsung.enhanceservice
pm disable com.samsung.android.keyguardwallpaperupdator
pm disable com.samsung.android.app.accesscontrol
pm disable com.samsung.android.beaconmanager
pm disable com.samsung.ucs.ucspinpad
pm disable com.samsung.android.app.FileShareClient
pm disable com.samsung.android.scloud.backup
pm disable com.samsung.android.fmm
pm disable com.samsung.android.mdm
pm disable com.samsung.accessory
pm disable com.samsung.android.app.scrollcapture
pm disable com.samsung.android.app.interactivepanoramaviewer
pm disable com.samsung.android.scloud
pm disable com.samsung.android.app.soundpicker
pm disable com.samsung.android.spayfw
pm disable com.samsung.app.newtrim
pm disable com.samsung.android.spay
pm disable com.samsung.android.intelligenceservice
pm disable com.samsung.android.sm.policy
pm disable com.samsung.android.dlp.service
pm disable com.samsung.android.bbc.bbcagent
pm disable com.samsung.android.voicewakeup
pm disable com.samsung.android.app.watchmanagerstub
pm disable com.samsung.android.app.FileShareServer
pm disable com.samsung.android.sdk.professionalaudio.app.audioconnectionservice
pm disable com.samsung.android.service.aircommand
pm disable com.samsung.dcmservice
pm disable com.samsung.voiceserviceplatform
pm disable com.samsung.aasaservice
pm disable com.samsung.android.allshare.service.mediashare
pm disable com.samsung.android.fingerprint.service
pm disable com.samsung.ipservice
pm disable com.samsung.sec.android.application.csc
pm disable com.samsung.android.sconnect
pm disable com.samsung.android.snote
pm disable com.samsung.android.video
pm disable com.samsung.location
Restore PK1 boot.img and recovery.img to close dirtycow vulnerability (removes ability to gain root)
1. Download this to a directory but don't extract it
https://drive.google.com/open?id=1374IZTBeyNBELdrK1ESdqkUuVGutbpDm
2. Load PK1boot_recovery_img_only.tar.md5 file into the AP slot in Odin
3. Place phone in download mode, connect it to your PC then in Odin select Start to flash the firmware, you can unplug cable when phone reboots.
Please let me know if any steps are unclear. I can reverse the rooting method, but there are probably 20 people worldwide who will use this method, so if you have security concerns make sure to close the dirtycow vulnerability when you're done and just use the one click root method.
Updated notes:
If you get a Screen Overlay Detected error turn OFF overlay for both MobileGo apps!
I added a Windows batch script to disable a lot of apps (root first with Wondershare MobileGo)
If you use the phone it loses root and becomes harder to root. (If it becomes impossible to root again, flash the PJ1 boot and recovery only file, but back up before you do it.)
Don't create things with Assayed Kitchen then flash them to the phone or mix firmwares; it almost refuses to enter download mode again :fingers-crossed:
In case of error
During the learning process to do things like this, putting your phone into a bootloop or soft bricking it is very common for newcomers, but don't panic. After you complete the process I outlined it will take a couple of minutes to boot, and it will show the AT&T logo on a white screen. If it hangs here for a really long time or it gets unusually warm, this is a bad sign. Let's get the phone turned off so you can think.
Hard Reset: press Power + Volume Down for 7 seconds
Screen goes black: immediately press Power + Volume Up + Home
Use Volume down to move to option Power Off then push the Power button to select it.
You can start over / try again by pressing Power + Volume Down + Home buttons again
or
Create a new post here and put my name in your post
Standby for more updates and uploads soon.
Hello,
Any news on the testing?
Regards,
abdk80 said:
Hello,
Any news on the testing?
Regards,
Yes, I've updated the OP and added more of a road map for current active development.
I have successfully built a UART jig and booted to a s-boot console on the n920v. This has been done on a few different devices, so it isn't exactly a new thing, but as far as I can tell it has never been done on any exynos 7420 devices. I am still exploring what is possible, and if anyone has any additional guidance on what to do with this access I'm all eyes/ears! I'll attach the 2 logs that I have so far that I find the most interesting.
Idea time: could we fry our bootloader somehow and replace it with a more favorable one? Like for the n920g? External SD card boot is possible through the s-boot console I think, but we don't have an external SD.
I have a kindle fire that uses a bootrom exploit to redirect the loading point for the bootloader so that it will load unsigned firmware/recovery/kernel stored elsewhere on eMMC.
Booting unsigned firmware/recovery/kernel might be possible through use of the tflash option in heimdall, however again...no external SD. I have been able to flash a TWRP image in heimdall on my n920v, but couldn't get it to boot.
I am in way over my head, but I have done a lot of reading over the last few weeks. Given the fact that our devices are now no longer being patched, and exploits have continued to be discovered we should be able to figure something out.
Reverse-anastomosis said:
I'll attach the 2 logs that I have so far that I find the most interesting.
Forgot to attach them.
One more pretty interesting log that I just grabbed.
Reverse-anastomosis said:
I have successfully built a UART jig and booted to a s-boot console on the n920v. This has been done on a few different devices, so it isn't exactly a new thing, but as far as I can tell it has never been done on any exynos 7420 devices. I am still exploring what is possible, and if anyone has any additional guidance on what to do with this access I'm all eyes/ears! I'll attach the 2 logs that I have so far that I find the most interesting.
Idea time: could we fry our bootloader somehow and replace it with a more favorable one? Like for the n920g? External SD card boot is possible through the s-boot console I think, but we don't have an external SD.
I have a kindle fire that uses a bootrom exploit to redirect the loading point for the bootloader so that it will load unsigned firmware/recovery/kernel stored elsewhere on eMMC.
Booting unsigned firmware/recovery/kernel might be possible through use of the tflash option in heimdall, however again...no external SD. I have been able to flash a TWRP image in heimdall on my n920v, but couldn't get it to boot.
I am in way over my head, but I have done a lot of reading over the last few weeks. Given the fact that our devices are now no longer being patched, and exploits have continued to be discovered we should be able to figure something out.
Tflash could possibly be helpful. Frying the BL too much will drop the device basically into edl mode. Which is weird on an Exynos SoC. Have only had two tests there. My g925v is still in 9006 mode now. My tests on 9008 mode dropped it into 9006 mode. Still bricked.
On my g925v the internal sdcard seemed to act as both internal and external SD cards to me a lot of times. We have no slot but the storage permissions still have to work somehow.
On the 4APL1 combo ramdisk I notice there is init.sec_debug.rc that calls the corehelper.sh script from /system/bin as root. Maybe we can modify the system.img and make the corehelper.sh script run our own commands by just setting a prop detail. We can still use /data/local/tmp to execute things.
But it looks from your logs like we could maybe change the kernel command line string from the sboot console. Meaning we might be able to set enforcing to permissive or change the debug level on a stock LP system. Or at least know where things will be loaded so that we can use safe strap to affect those areas as well.
It also seemed to show us the magic number for the Device Tree. I don't have time this morning. But I'll be back.
@Delgoth, I can't find the arguments to add to boot permissive. Do you happen to know the argument?
It will go as an argument on the boot command in the sboot console.
I bet I could force factory download mode on your g925v with my jig.
Reverse-anastomosis said:
@Delgoth, I can't find the arguments to add to boot permissive. Do you happen to know the argument?
It will go as an argument on the boot command in the sboot console.
I bet I could force factory download mode on your g925v with my jig.
I don't know it off hand and I'm not at my PC. But I've seen it before here on the forums used. There is a way to set selinux to permissive via the kernel command line.
Our devices should be vulnerable to this exploit.
https://www.google.com/url?q=https:...FjADegQIBxAB&usg=AOvVaw2-cc6gIXIrOjEJzxzd2Ebo
Reverse-anastomosis said:
Our devices should be vulnerable to this exploit.
https://www.google.com/url?q=https:...FjADegQIBxAB&usg=AOvVaw2-cc6gIXIrOjEJzxzd2Ebo
I haven't seen that pdf in a long time. And I don't think you're wrong. Going back and looking through the beginning of the State of Root thread, I realize that many of the failed tests were not done in the correct order now. How I would downgrade was by flashing the rev3 combo firmware via ODIN, I would reboot directly back to download mode without ever letting recovery or system ever boot up once. And then I would flash the rev3 actual eng boot, then reboot directly back to download mode, and then flash the AP and CSC file of the Stock LP firmware I wanted (1AOGG). After I let that boot up I would go back to download mode and flash the 2APB2 root eng kernel. Then everything would work and you just had to set up SuperSu manually via the CLI (Which I probably still can't do....).
I don't know if anyone actually has tried flashing the 4APL1 Combo firmware with nand erase all, and then tried to flash an AP file from 1AOGG. I saw people trying to downgrade from stock bootloaders and failing. Which is expected. Generally trying to downgrade param.bin or cm.bin or sboot.bin will result in errors. Can you flash just the AP file from the combo? What about flashing the AP directly after flashing the combo firmware without it booting? Because I guess I still can't be positive it was an eng rev3 sboot or if it were the nand erase all and flash/boot order. Then I typically used the 2APB2 Eng root kernel while using the rev3 combo firmware at the same time through odin. Because the ENG Kernel was an LP Kernel like the combo firmware.
I'm in the process of pulling relevant posts into this thread's OP for consolidation.
@Delgoth O_O Very exciting!! I just got free time and you know what I have to do tomorrow?!? Not 1 thing. I haven't read your updated OP yet, I 'bout came out of my skin when I skimmed over it. 'Tis where I'm headed now and will definitely share what crazy stuff I get into.
Update
Hyped!! I've got safestrap ready to go on rev 4 combo and even made custom rom slots ha, I'm flashing everything. I actually flashed gapps and doing all this from factory binary lol. I got Csploit running in root but it won't run the Metasploit rpcd server unless you flash gapps. Of course you can't download and install from google play but adb doesn't mind!!! xD
xenomorph318 said:
@Delgoth O_O Very exciting!! I just got free time and you know what I have to do tomorrow?!? Not 1 thing. I haven't read your updated OP yet, I 'bout came out of my skin when I skimmed over it. 'Tis where I'm headed now and will definitely share what crazy stuff I get into.
Update
Hyped!! I've got safestrap ready to go on rev 4 combo and even made custom rom slots ha, I'm flashing everything. I actually flashed gapps and doing all this from factory binary lol. I got Csploit running in root but it won't run the Metasploit rpcd server unless you flash gapps. Of course you can't download and install from google play but adb doesn't mind!!! xD
Cool. I think I found the two libraries we for a stock system image. I will try and make one up this afternoon and post the steps to do it yourself as well because I might not do it right the first time. If you got all that working can you flash the 2APB2 eng kernel via Odin or use safe strap to flash it and still have the combo firmware boot? I've been able to get bad kernels to flash before on rev3. Once I actually got a boot error that said invalid kernel header but still managed to flash through Odin.
I have the eng 2APB2 tar file in my sm-n920a files link in the OP. If it doesn't flash over the standard 4APL1 combo firmware or boot, maybe we need to use the 1AOGG recovery.img or the special 4CQB2 recovery.img for drk fix.
Delgoth said:
Cool. I think I found the two libraries we for a stock system image. I will try and make one up this afternoon and post the steps to do it yourself as well because I might not do it right the first time. If you got all that working can you flash the 2APB2 eng kernel via Odin or use safe strap to flash it and still have the combo firmware boot? I've been able to get bad kernels to flash before on rev3. Once I actually got a boot error that said invalid kernel header but still managed to flash through Odin.
I have the eng 2APB2 tar file in my sm-n920a files link in the OP. If it doesn't flash over the standard 4APL1 combo firmware or boot, maybe we need to use the 1AOGG recovery.img or the special 4CQB2 recovery.img for drk fix.
Yup yup I have done it before just to see if the root install script and the root boot script method would work for me and it did!
I just tried again to double check and yes again. I did it via Odin. I will try it via safestrap in just a sec to see if it will work that way as well. I have everything staged, I don't have an SD card at the moment
xenomorph318 said:
Yup yup I have done it before just to see if the root install script and the root boot script method would work for me and it did!
I just tried again to double check and yes again. I did it via Odin. I will try it via safestrap in just a sec to see if it will work that way as well. I have everything staged, I don't have an SD card at the moment
The metalcated root method is a tethered root method however. The way Wondershare Mobile Go does it must either set up SuperSu correctly. Which I couldn't tell you, or it uses exploits to untether the root. On my old rev3 device with 1AOGG AP file, eng 2APB2 boot.img, and 3APH1 eng sboot.bin installed the metalcated root would still only give me a tethered root as well.
But are you saying the PB2 eng kernel flashed successfully via ODIN using the 4APL1 combo?
Because while the PB2 Eng Kernel has a root shell by default, it is stuck in SELinux Enforcing mode if I remember correctly. You actually have to setup root to switch to permissive persistently. Where the combo kernel is not rooted but is default set to permissive.
So the rev2 eng kernel still works on the rev4 combo firmware? This makes a difference to me and how we will setup flashing a stock system image over the combo system.
@Reverse-anastomosis which firmware have you been using your jig with? And have you tried using the Eng Kernel to see about different output to your console? Which commands have you tested? I'm looking into the console so I can flesh out its information in the OP. Hopefully we can even get instructions for making one too. We have something going here, we can keep the momentum going.
Right now I only have you two to help explain what I'm talking about and test it specifically. I'm working on a test system image right now.
@xenomorph318 once you have the combo firmware installed and then flash the pb2 eng kernel, can you go back to ODIN and flash the stock AP (MINUS boot.img) File from either 1AOGG OR 2APB2? I used to be able to on rev3.
** CAN BOTH OF YOU ZIP UP YOUR /cache/recovery directories SO I CAN LOOK AT YOUR LOGS PLEASE PLEASE PLEASE **
Reverse-anastomosis said:
@Delgoth, I can't find the arguments to add to boot permissive. Do you happen to know the argument?
It will go as an argument on the boot command in the sboot console.
I bet I could force factory download mode on your g925v with my jig.
Reverse-anastomosis said:
Our devices should be vulnerable to this exploit.
https://www.google.com/url?q=https:...FjADegQIBxAB&usg=AOvVaw2-cc6gIXIrOjEJzxzd2Ebo
androidboot.selinux=permissive
And looking back over that PDF you linked, I feel like that was the R&D done to initially unlock the G925V that was quickly patched up. That was the original root and only BL unlock on the G925V if I recall right. So we might be patched, but it didn't take long to be officially patched and was on the Rev1 BL. But again, you now have a whole new level of access.
Here, https://alephsecurity.com/2017/05/23/nexus6-initroot/ , we can find other arguments to test in the sboot console for the kernel. I'd bet some of this works. Seems the eng kernel works, maybe the commandline options there are better utilized. You've got me thinking now. I'm glad you're here right now ready to go. We might not be applicable to this exploit, different OEM, but they don't have a direct console to the bootloader either.
(For a stock bootloader if it loads the console) * buildvariant=userdebug
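Added example, not part of the original posts: because these kernel arguments change how the system boots, a device's command line can be audited for them. The script flags `androidboot.selinux=permissive` and `buildvariant=userdebug` and reports drift from a known-good baseline; the sample command lines and the `baseline.txt` file name are constructed assumptions.

```shell
#!/bin/sh
# Added example (not from the thread): audit a kernel command line for
# arguments that weaken the device and for drift from a known-good baseline.

# The two arguments named in the posts above.
WEAK_ARGS='androidboot.selinux=permissive buildvariant=userdebug'

# Constructed samples; every value here is made up for the demonstration.
SAMPLE_BASELINE='console=ram loglevel=4 androidboot.hardware=example androidboot.selinux=enforcing'
SAMPLE_TAMPERED='console=ram loglevel=4 androidboot.hardware=example androidboot.selinux=permissive buildvariant=userdebug'

# find_weak_args CMDLINE: print "WEAK <arg>" for each token listed in WEAK_ARGS.
# The body runs in a subshell so that "set -f" (no globbing while the string
# is split into tokens) does not leak into the caller.
find_weak_args() (
    set -f
    for tok in $1; do
        for bad in $WEAK_ARGS; do
            if [ "$tok" = "$bad" ]; then printf 'WEAK %s\n' "$tok"; fi
        done
    done
)

# diff_cmdline BASELINE CURRENT: print "ADDED <arg>" for tokens whose key is
# absent from the baseline and "CHANGED <arg>" for keys whose value differs.
# The baseline must come from the same device, since some values are per-device.
diff_cmdline() (
    set -f
    for tok in $2; do
        key=${tok%%=*}
        status=ADDED
        for base in $1; do
            if [ "$base" = "$tok" ]; then status=SAME; break; fi
            if [ "${base%%=*}" = "$key" ]; then status=CHANGED; fi
        done
        if [ "$status" != SAME ]; then printf '%s %s\n' "$status" "$tok"; fi
    done
)

# audit_cmdline BASELINE CURRENT: print all findings; return 0 only when clean.
audit_cmdline() {
    findings=$(find_weak_args "$2"; diff_cmdline "$1" "$2")
    [ -z "$findings" ] && return 0
    printf '%s\n' "$findings"
    return 1
}

# On a device, compare a saved baseline with the running kernel's line:
#   audit_cmdline "$(cat baseline.txt)" "$(cat /proc/cmdline)"
# (baseline.txt is a hypothetical file saved from a known-good boot.)
audit_cmdline "$SAMPLE_BASELINE" "$SAMPLE_TAMPERED" || echo 'cmdline is not clean'
```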
@Delgoth, I'll try this tonight. Then I'll write up everything that I have tried/know, in detail. I'll post it tonight or tomorrow.
Reverse-anastomosis said:
@Delgoth, I'll try this tonight. Then I'll write up everything that I have tried/know, in detail. I'll post it tonight or tomorrow.
Please and thanks. Please if you could also include your recovery logs from /cache/recovery. Either post them here or send them to me privately. But I'm looking for the things I see in my Note8's recovery logs, which we could affect to our great benefit with the eng kernel and sboot console here.
https://developer.android.com/things/sdk/pio/uart
This link could also be applicable to your jig. If we can get an app that will utilize the UART port, then maybe we could have realtime communication with a root system and the sboot. Farfetched and for later of course.
So I was doing some digging, and found this video. Have you seen it?
https://m.youtube.com/watch?v=QpaeneaNEbw
Delgoth said:
The metalcated root method is a tethered root method however. The way Wondershare Mobile Go does it must either set up SuperSu correctly. Which I couldn't tell you, or it uses exploits to untether the root. On my old rev3 device with 1AOGG AP file, eng 2APB2 boot.img, and 3APH1 eng sboot.bin installed the metalcated root would still only give me a tethered root as well.
But are you saying the PB2 eng kernel flashed successfully via ODIN using the 4APL1 combo?
Because while the PB2 Eng Kernel has a root shell by default, it is stuck in SELinux Enforcing mode if I remember correctly. You actually have to setup root to switch to permissive persistently. Where the combo kernel is not rooted but is default set to permissive.
So the rev2 eng kernel still works on the rev4 combo firmware? This makes a difference to me and how we will setup flashing a stock system image over the combo system.
@Reverse-anastomosis which firmware have you been using your jig with? And have you tried using the Eng Kernel to see about different output to your console? Which commands have you tested? I'm looking into the console so I can flesh out its information in the OP. Hopefully we can even get instructions for making one too. We have something going here, we can keep the momentum going.
Right now I only have you two to help explain what I'm talking about and test it specifically. I'm working on a test system image right now.
@xenomorph318 once you have the combo firmware installed and then flash the pb2 eng kernel, can you go back to ODIN and flash the stock AP (MINUS boot.img) File from either 1AOGG OR 2APB2? I used to be able to on rev3.
** CAN BOTH OF YOU ZIP UP YOUR /cache/recovery directories SO I CAN LOOK AT YOUR LOGS PLEASE PLEASE PLEASE **
Give me 2 hours, I'll be home by the PC to flash on Odin again
but yes I'm 100% sure the rev 2 pb2 eng kernel flashed over the top of PL1,
here is the recovery directory you asked for after a fresh flash of the rev 2 LL eng kernel
sorry it's taking me so long, I can't find a site that doesn't cap my download speed but I will have the pb2 stock downloaded in like 50 mins