Hi!
As I promiss, here is the thread for clarify and brainstorming for Ascend P6 avaible development.
First of all, clarify the bootloader and phone status.
Our phone is an "emulator". It is not running Android natively. It's just emulated, Android is running in QEMU. Similar like the real Android SDK.
Huawei patched the QEMU for running Android our MTK chipset.
Huawei take a tricky step. He did the RSA5 encrypt to not able to write any files to the partition system, without a digital signature of Huawei.
Xloader check this signature and if it missing, you won't be able to update. (We are s*cking @ here...)
Bootloader Unlock
It means, you able to send boot image and recovery img via fastboot. I think, our fastboot haven't got some instructions and permission.
DON'T FORGET YOU ARE IN AN EMULATED STATE!!!
If Huawei "unlock the bootloader", 2 way to get this( I think):
1. Modified fastboot, to able flash boot image via fastboot like this:
Code:
fastboot flash boot boot.img/recovery.img
or
Code:
flash_image boot boot.img/recovery.img
2. Ignore the whole system signature check. (which is best for we and able to running native Android but it won't be happen)
1 is a big step forward to custom kernel/Custom rom/CM/AOSP.(Of course second is bigger)
I'm just praying first at this moment.
Partitions.
ONE REAL partition are in the MTK NAND chip. Called: hi_mci.1.
The other partitions are NOT REAL! They are emulated. Just like you running LINUX in Virtualbox or something like this.
Those partitions:
/sdcard vfat /dev/block/platform/hi_mci.1/by-name/sdcard
/system ext4 /dev/block/platform/hi_mci.1/by-name/system
/cache ext4 /dev/block/platform/hi_mci.1/by-name/cache
/data ext4 /dev/block/platform/hi_mci.1/by-name/userdata length=-16384
/misc emmc /dev/block/platform/hi_mci.1/by-name/misc
/boot emmc /dev/block/platform/hi_mci.1/by-name/boot
/recovery emmc /dev/block/platform/hi_mci.1/by-name/recovery
/cust ext4 /dev/block/platform/hi_mci.1/by-name/cust
/uboot emmc /dev/block/platform/hi_mci.1/by-name/uboot
/splash2 ext4 /dev/block/platform/hi_mci.1/by-name/splash2
/modem/modem_image ext4 /dev/block/platform/hi_mci.1/by-name/modemimage
/usb vfat /dev/block/sda
For native Android, we need to repartition the hole NAND chip. I think, it is impossible.
BOOT
Android boot system need boot.img for booting. Which contain the kernel and some system specific files.
This is formatting the device own emulated partition. It contains the ramdisks, etc.
We have an Huaewei Update Extractor, which can be unpack the update.app.
We get boot.img, recovery.img. Good.
Our bootloader is UNLOCKED from the begining. I think, our fastboot haven't got some instructions and permission.
With dsiXDA Kitchen you able to unpack boot and recovery.img, modify it and repack.
Just after the B118 update, I hope Huawei unlock this feature. It is a good point to start.
The new driver for ADB/fastboot
To be continued...
And feel free to contribute!
Take a test and build boot.img from b122. Two modification in:
1. ro.secure=0
2. ro.debuggable=1
Is this mean, you get true root acces to everywhere.
See in attachment.
Of course, it won't be able to to push via fastboot, because the limitations our fastboot.
Hi!
After new firmware B118, nothing will be changed , because secure lock loader was not removed !
You can not push boot.img by fastboot , but you can easy flashed a new kernel by this command :
# dd if=/sdcard/boot.img of=/dev/block/mmcblk0p12
Click to expand...
Click to collapse
and your device will never boot cause you need a signed image !
I was able to flash by this command only the stock kernel !
Good luck !
There appears to be a signed flashable CWM recovery.img with scatter file for the ascend mate over at needrom - I know the P6 is pretty much the same device save the screen size so maybe it can be of some use ?
(assuming it it genuine and works).
Needs an app called SP Flash Tool which is for MTK chipsets.
http://www.needrom.com/mobile/ascend-mate-mt1-u06-s4ui/
lonespeaker said:
There appears to be a signed flashable CWM recovery.img with scatter file for the ascend mate over at needrom - I know the P6 is pretty much the same device save the screen size so maybe it can be of some use ?
(assuming it it genuine and works).
Needs an app called SP Flash Tool which is for MTK chipsets.
http://www.needrom.com/mobile/ascend-mate-mt1-u06-s4ui/
Click to expand...
Click to collapse
Hi!
Yes, you are right , seem they managed to signed a recovery.img to be flashed on partition /recovery !
As long as the loader is locked ( This phone is secure lock state ! ) I do not think it helps us....
surdu_petru said:
Hi!
Yes, you are right , seem they managed to signed a recovery.img to be flashed on partition /recovery !
As long as the loader is locked ( This phone is secure lock state ! ) I do not think it helps us....
Click to expand...
Click to collapse
Yeah maybe you're right, but a bit odd releasing what appears to be an asop based rom with a signed recovery and signed boot.img rom and no way to actually install it. maybe one day...
surdu_petru
What do you think about not removing the hole security, just removing the boot image security. Loader not check the boot image signature. You able to run custom kernel. But not able to change recovery. Only for boot.img. And with this and your method(Blueandroid), we can get custom roms like AOSP. And every time we can go back to stock with our stock recovery.
bukest said:
surdu_petru
What do you think about not removing the hole security, just removing the boot image security. Loader not check the boot image signature. You able to run custom kernel. But not able to change recovery. Only for boot.img. And with this and your method(Blueandroid), we can get custom roms like AOSP. And every time we can go back to stock with our stock recovery.
Click to expand...
Click to collapse
Nop, loader also check boot image signature , because I can not flash a custom kernel ( boot.img ) !
Edit :
I think, I'm not 100% sure, xloader partition is check signature for all partitions on boot !
Who have courage to try this?
Finding some usefull info.
How should our device look like(NAND)
xloader => /dev/block/mmcblk0p1 /first stage bootloader
round => /dev/block/mmcblk0p2
nvme => /dev/block/mmcblk0p3
misc => /dev/block/mmcblk0p4
splash => /dev/block/mmcblk0p5
oeminfo => /dev/block/mmcblk0p6
reserved => /dev/block/mmcblk0p7 /It’s the Huawei digital signature of the boot partition, checked by the bootloader.
reserved2 => /dev/block/mmcblk0p8
splash2 => /dev/block/mmcblk0p9
recovery2 => /dev/block/mmcblk0p10
recovery => /dev/block/mmcblk0p11 /stock recovery
boot => /dev/block/mmcblk0p12 /kernel+ramdisk
modemimage => /dev/block/mmcblk0p13
modemnvm1 => /dev/block/mmcblk0p14
modemnvm2 => /dev/block/mmcblk0p15
system => /dev/block/mmcblk0p16
cache => /dev/block/mmcblk0p17
cust => /dev/block/mmcblk0p18
userdata => /dev/block/mmcblk0p19
mmcblk0boot0
This is the second stage bootloader. Huawei in his UPDATE.APP files call this partition as FASTBOOT!!!!
So, someone in this forum sad, B118 FASTBOOT.IMG is the different size. It's true! B118 FASTBOOT.IMG size is smaller then B122.
I think, we found the trick!
Huawei not unlock the Xloader(1st low-level loader), just unlock the second stage loader which will allow to flash and boot custom boot.img and recovery.img!
Who have any courage, to do this:
1. Place attached FASTBOOT.IMG to sdcard/
2. Connect phone in MTP
3. Enable USB Debug.
4. CMD on PC with administrator privileges
5. Navigate to the folder which contain adb.exe
6. type: ADB.exe shell
7. type su
8.
Code:
# dd if=/sdcard/fastboot.img of=/dev/block/mmcblk0boot0
with fastboot.img from extract from Chinese B118! File attached.
If am I right, after this we are able to use it on any version(unicom/mobile) and version of firmware(B111,B112,B119,B122, etc...)
If anything went wrong, you need to reflash the hole UPDATE.APP. So, I recommend to place update.app file to sdcard/dload/
Maybe if some of you think is real, I will do!
delete
bukest said:
So, someone in this forum sad, B118 FASTBOOT.IMG is the different size. It's true! B118 FASTBOOT.IMG size is smaller then B122.
I think, we found the trick!
Huawei not unlock the Xloader(1st low-level loader), just unlock the second stage loader which will allow to flash and boot custom boot.img and recovery.img!
Click to expand...
Click to collapse
You can not flash a custom kernel on B118 ! Take a look here !
surdu_petru said:
You can not flash a custom kernel on B118 ! Take a look here !
Click to expand...
Click to collapse
And what boot.img he had flashed?
What happend when boot.img needed to signed but not just Huawei. Bootloader allow every digital signed boot.img(public key or something like this)?
Not parse the signature with one stored in the OEMINFO or RESERVED. Just only need to contain a digital signature in the front of the file, which mean, you are little bit better than a hobby weekend engineer.
bukest said:
And what boot.img he had flashed?
What happend when boot.img needed to signed but not just Huawei. Bootloader allow every digital signed boot.img(public key or something like this)?
Not parse the signature with one stored in the OEMINFO or RESERVED. Just only need to contain a digital signature in the front of the file, which mean, you are little bit better than a hobby weekend engineer.
Click to expand...
Click to collapse
Do you already signed a custom kernel with a private key ( not from Huawei ofcourse ), and your device was able to boot ?
surdu_petru said:
Do you already signed a custom kernel with a private key ( not from Huawei ofcourse ), and your device was able to boot ?
Click to expand...
Click to collapse
NOT. If you read a few post back, you will see it's just an idea. But I want to walk around fully all around aspect and all possibility.
Another idea.
What about Huawei check you are on P6-U06 or P6-U00?
And with B118 fastboot.img only flashed if you are on U00. Think about this.
But what happend if we push it manually...
Someone on P6-U00(Originally)!
Extract the boot.img from B118. Make a small modification. Flashed via fastboot. And if it doesn't work, we are able to write down, Bootloader is not unlocked.
Edited:
Attached for this an edited boot.img for B118.
Of course, NOT signed! just unpack original, edit(default.prop) and repack.
Bad news!
Permission denied!
[email protected]:/ $ dd if=/sdcard/fastboot.img of=/dev/block/mmcblk0boot0
dd if=/sdcard/fastboot.img of=/dev/block/mmcblk0boot0
/dev/block/mmcblk0boot0: cannot open for write: Permission denied
Click to expand...
Click to collapse
{
"lightbox_close": "Close",
"lightbox_next": "Next",
"lightbox_previous": "Previous",
"lightbox_error": "The requested content cannot be loaded. Please try again later.",
"lightbox_start_slideshow": "Start slideshow",
"lightbox_stop_slideshow": "Stop slideshow",
"lightbox_full_screen": "Full screen",
"lightbox_thumbnails": "Thumbnails",
"lightbox_download": "Download",
"lightbox_share": "Share",
"lightbox_zoom": "Zoom",
"lightbox_new_window": "New window",
"lightbox_toggle_sidebar": "Toggle sidebar"
}
bukest said:
Permission denied!
View attachment 2431245
Click to expand...
Click to collapse
In the way you use the command, this answer " Permission denied!" is 100% correct !
Please, use "#" instead "$" ! Good luck !
surdu_petru said:
In the way you use the command, this answer " Permission denied!" is 100% correct !
Please, use "#" instead "$" ! Good luck !
Click to expand...
Click to collapse
Ohhhh, stupid me...
Forgot to get su!
Thanks surdu.
But after a little research I find some other info with FASTBOOT partition. I will write down later at the day(have go to work at the moment).
WARNING!!!!
Do not use that method!!!
mmcblk0boot0 partition maybe contain some other information!!!
Unique FOR YOUR DEVICE!!!
Just like wifi MAC adress, etc!
And on a running system, partition around 2MB!
First backup your current boot0 partition!
# dd if=/dev/block/mmcblk0boot0 of=/sdcard/mmcblkboot0.img
It means, if we push the 500k image to 2mb partition directly, you may damage 1,5MB data.
I think, with update.app method, you just install the image file, not pushing directly!
IDEA
If we backup xloader partition:
# dd if=/dev/mmcblk0p1 of=/sdcard/xloader.img
Edit it in hex to remove digital signature check.
Push back and pray...
If it works, you have totally unlock phone, but if not YOUR PHONE TOTALLY DEAD!
hex-editing the xloader.img ...
I also like to live dangerously
Related
Hi,
As you probably know, ext4 image can be extracted from system.sin but cannot be mounted. When trying to mount it, it fails with :
[ 1476.821582] EXT4-fs (loop0): bad geometry: block count 262144 exceeds size of device (144631 blocks)
I open this thread just to share what I did around the issue and maybe have some helpful quotes about it
Here is what I did (under linux)
# First create an zero filled file. Size is system partition size (262144 blocks of 4096 each)
dd if=/dev/zero of=/home/xperia/virtualfs bs=4096 count=262144
# Attach file to loopback
sudo losetup /dev/loop0 /home/xperia/virtualfs
# Format it with same features as system partition on phone
sudo mkfs.ext4 -O has_journal,^ext_attr,^dir_index,^flex_bg,^huge_file,resize_inode,filetype,extent,sparse_super,large_file,^uninit_bg,^dir_nlink,^extra_isize -v /dev/loop0
# Write extracted system.sin.ext4 extracted image to loopback
sudo dd if=system.sin.ext4 of=/dev/loop0
# Mount filesystem
sudo mount /dev/loop0 /mnt
It can be mounted and I can have folder structure but I can't work with files. Editing default.prop gives me a non readable file.
But we can go a step ahead as we can now mount the image.
Still some issues have to be worked out.
The poit is, why we cant mount system.img on ICS but we can on GB?
maybe someone can contact with sony t oask
im extracting the .sin to .img like always but its impossible to mount.. what are you using to extract the .sin to a .ext4?
BTW, thanks for the info, i've been trying to modify system.img since ICS appeared.
EDIT: of, ext4 can be extracte with flashtool ~.~
maybe we need to read something from system.partinfo
Yakandu said:
The poit is, why we cant mount system.img on ICS but we can on GB?
maybe someone can contact with sony t oask
im extracting the .sin to .img like always but its impossible to mount.. what are you using to extract the .sin to a .ext4?
BTW, thanks for the info, i've been trying to modify system.img since ICS appeared.
EDIT: of, ext4 can be extracte with flashtool ~.~
maybe we need to read something from system.partinfo
Click to expand...
Click to collapse
Yes Flashtool can extract image from system.sin.
partinfo is partition information used by loader in flashmode to identify where to flash image on phone. (Something like start nand address of system partition)
so, any ideas why ext4 cant be mounted? maybe its encrypted or something..
Sorry for double post, i found a solution
Flash the system through a .ftf with flashtools
Flash a custom kernel with recovery (or the nozomi recovery)
Backup nandroid
We get a system.ext4.tar ··· move it to your developement folder
Create a folder (mkdir system)
Enter nautilus with root acces
Extract system files to the created folder
Modify whatever you want
Make a flashable system.img with: "./mkuserimg.sh -s /system ./system.img ext4 ./temp 1024M"
AND ITS WORKING!
Yakandu said:
Sorry for double post, i found a solution
Flash the system through a .ftf with flashtools
Flash a custom kernel with recovery (or the nozomi recovery)
Backup nandroid
We get a system.ext4.tar ··· move it to your developement folder
Create a folder (mkdir system)
Enter nautilus with root acces
Extract system files to the created folder
Modify whatever you want
Make a flashable system.img with: "./mkuserimg.sh -s /system ./system.img ext4 ./temp 1024M"
AND ITS WORKING!
Click to expand...
Click to collapse
This solution is already known
But my goal is to be able to mod a system partition without having to flash it before. And more, understand why extracted system image cannot be mounted and how to work this out
oh, ok xD
i didnt know that solution, its new for me
Yakandu said:
Sorry for double post, i found a solution
Flash the system through a .ftf with flashtools
Flash a custom kernel with recovery (or the nozomi recovery)
Backup nandroid
We get a system.ext4.tar ··· move it to your developement folder
Create a folder (mkdir system)
Enter nautilus with root acces
Extract system files to the created folder
Modify whatever you want
Make a flashable system.img with: "./mkuserimg.sh -s /system ./system.img ext4 ./temp 1024M"
AND ITS WORKING!
Click to expand...
Click to collapse
Have you already tried flashing this img on your device? I have already tried this solution twice but didn't succeed (@Spectre51 that's why I haven't replied your PM yet). system.img was succesfully created but I got boot loop when I flashed it on my device.
Hi Androxyde,
I figured it out, basically we have to dig further in sin format as new ext4 sins skips part of the file. See my thread for more details.
PS: Thanks for flashtool, it's a great tool!
LeTama
letama said:
Hi Androxyde,
I figured it out, basically we have to dig further in sin format as new ext4 sins skips part of the file. See my thread for more details.
PS: Thanks for flashtool, it's a great tool!
LeTama
Click to expand...
Click to collapse
:good:
Located in /dev/block, may be useful
Code:
mmcblk0p1 -> /xloader
mmcblk0p2 -> /round (-empty-)
mmcblk0p3 -> /nvme
mmcblk0p4 -> /misc
mmcblk0p5 -> /splash (-empty-)
mmcblk0p6 -> /oeminfo
mmcblk0p7 -> /reserved1 (-empty-)
mmcblk0p8 -> /reserved2 (-empty-)
mmcblk0p9 -> /splash2
mmcblk0p10 -> /recovery2 (-empty-)
mmcblk0p11 -> /recovery
mmcblk0p12 -> /boot
mmcblk0p13 -> /modemimage
mmcblk0p14 -> /modemnvm
mmcblk0p15 -> /modemnvm2
mmcblk0p16 -> /system
mmcblk0p17 -> /cache
mmcblk0p18 -> /cust
mmcblk0p19 -> /userdata
I took this info opening the direct accesses in /dev/block/platform/hi_mci.1/by-name
To extract the boot or recovery img with dd:
Code:
adb shell
su
dd if=/dev/block/mmcblk0p11 of=/sdcard/recovery.img
dd if=/dev/block/mmcblk0p12 of=/sdcard/boot.img
TheProd said:
To extract the boot or recovery img with dd:
Code:
adb shell
su
dd if=/dev/block/mmcblk0p11 of=/sdcard/recovery.img
dd if=/dev/block/mmcblk0p12 of=/sdcard/boot.img
Click to expand...
Click to collapse
I already extracted recovery.img But i can't unpack it, i use unyaffs.exe but i get "broken image file" D:
Same with the other *.img files
Code:
BOARD_KERNEL_CMDLINE vmalloc=512M k3v2_pmem=1 mmcparts=mmcblk0:p1(xloader),p3(n
me),p4(misc),p5(splash),p6(oeminfo),p7(reserved1),p8(reserved2),p9(splash2),p10
recovery2),p11(recovery),p12(boot),p13(modemimage),p14(modemnvm1),p15(modemnvm2
,p16(system),p17(cache),p18(cust),p19(userdata);mmcblk1:p1(ext_sdcard)
BOARD_KERNEL_BASE 00000000
BOARD_PAGE_SIZE 2048
BOARD_RAMDISK_ADDR 01400000
Unpacking ramdisk to "/ramdisk/" . . .
Compression used: gzip
2085 blocks
Done!
Boot.img unpacked, K3V2 uses ARMv7 Instruction Set. Let's see if we can't get something cooking already
I unpacked recovery and boot too
Sent from my HUAWEI P6-U06 using xda app-developers app
Good show, unless your planning on beginning work on a Custom Recovery what are you going to gain by unpacking the recovery.img?
I see your working on a CM port, so wish you all the best on that. I'll be porting MIUIv5 for the Ascend P6 as I did for a few other devices, also going to have another crack at porting Flyme OS since I already ported 90% to my previous device.
Best Regards,
s89
I unpacked boot and recovery to get info for BoardConfig.mk
Ty
Sent from my HUAWEI P6-U06 using xda app-developers app
If you've already got a build environment setup you may aswel build CWM from CM sources, we have more then enough information here to proceed. Even more convenient considering you have the recovery.img unpacked. Google "Build CWM Cyanogenmod" for more info. Failing that i'll setup a build environment and do so myself tomorrow evening.
Best Regards,
s89
I'm setting up the enviroment to build CWM, i hope to get it done in a few hours, anyways, i got bad news. My laptop screen broke today, and i send it to repair tomorrow and i don't know how much time will take :/
S34Qu4K3 said:
I'm setting up the enviroment to build CWM, i hope to get it done in a few hours, anyways, i got bad news. My laptop screen broke today, and i send it to repair tomorrow and i don't know how much time will take :/
Click to expand...
Click to collapse
Aww man that's unfortunate, wishing a speedy recovery for said laptop aha. Are you continuing the build on another machine or using an external monitor for the meantime?
Best Regards,
s89
Stickman89 said:
Aww man that's unfortunate, wishing a speedy recovery for said laptop aha. Are you continuing the build on another machine or using an external monitor for the meantime?
Best Regards,
s89
Click to expand...
Click to collapse
I got an small laptop and a pc, i have to install linux and will continue working (i think) i expect to be at least 1 week without my laptop (maybe i got it with screen broken ultil i wait the new screen)
Dam git sync, so ****ing long
Just a question, if i have in my .fstabfile the partition routes this way:
Code:
/dev/block/platform/hi_mci.1/by-name/sdcard
I have to change it to
Code:
/dev/block/mcblk....
In BoardConfig.mk or can i let it original? Looks the same for me, /dev/block/platform/hi_mci.1/by-name/ points the mcblk, i want to be sure
S34Qu4K3 said:
Just a question, if i have in my .fstabfile the partition routes this way:
Code:
/dev/block/platform/hi_mci.1/by-name/sdcard
I have to change it to
Code:
/dev/block/mcblk....
In BoardConfig.mk or can i let it original? Looks the same for me, /dev/block/platform/hi_mci.1/by-name/ points the mcblk, i want to be sure
Click to expand...
Click to collapse
EXT SDCard Mounts at:
Code:
/dev/block/mmcblk1p1
so your recovery.fstab should be setup like...
Code:
/sdcard vfat /dev/block/mmcblk1p1
So yup it needs to be changed to the second option.
I'm still syncing too... -.- ...zZzZzZzZz tired
Best Regards,
s89
Stickman89 said:
EXT SDCard Mounts at:
Code:
/dev/block/mmcblk1p1
so your recovery.fstab should be setup like...
Code:
/sdcard vfat /dev/block/mmcblk1p1
So yup it needs to be changed to the second option.
I'm still syncing too... -.- ...zZzZzZzZz tired
Best Regards,
s89
Click to expand...
Click to collapse
But /dev/block/platform/hi_mci.1/by-name/sdcard points to /dev/block/mmcblk1p1, so it shouldn't be necessary (i'll use /dev/block/mmcblk1p1 style, to be sure anyway)
In 4 hours, i leave my lapton in the shop, in another hour, i got it repaired (115€ D
I've built CWM from CM sources. Haven't tried it as of yet though.
Flash at your OWN risk. I will not take responsibility for any actions taken by the user in combination with the provided file... By downloading this image your accepting full liability for any issues that should arise as a result of undergoing ANY flashing/modding on YOUR device.
Removed for the time being! Do not use...
Best Regards,
s89
Stickman89 said:
I've built CWM from CM sources. Haven't tried it as of yet though.
Flash at your OWN risk. I will not take responsibility for any actions taken by the user in combination with the provided file... By downloading this image your accepting full liability for any issues that should arise as a result of undergoing ANY flashing/modding of your device.
Best Regards,
s89
Click to expand...
Click to collapse
My repo still 93% ;___;
Why you don't make a thread posting it??
Good job bro
We can try recoverys without flash using fastboot? Like the kernel?
S34Qu4K3 said:
My repo still 93% ;___;
Why you don't make a thread posting it??
Good job bro
We can try recoverys without flash using fastboot? Like the kernel?
Click to expand...
Click to collapse
I've tried "fastboot boot recovery.img" to no avail. The output is as follows...
Output:
Code:
downloading 'boot.img'...
OKAY [ 0.193s]
booting...
FAILED (remote: invalid command)
finished. total time: 0.194s
As you can see... It's expecting a boot.img so this command is only available for booting ramdisk & kernel.
Stickman89 said:
I've tried "fastboot boot recovery.img" to no avail. The output is as follows...
Output:
Code:
downloading 'boot.img'...
OKAY [ 0.193s]
booting...
FAILED (remote: invalid command)
finished. total time: 0.194s
As you can see... It's expecting a boot.img so this command is only available for booting ramdisk & kernel.
Click to expand...
Click to collapse
So, we have to flash it... Bad bad...D:
I tried fastboot boot recovery recovery.img but i get:
Code:
fastboot boot recovery recovery.img
cannot load 'recovery'
I don't think that command is applicable until post flash as according to cyanogenmod documentation:
Code:
Installing recovery using fastboot
You can use fastboot to install your recovery image to the device.
Installing ClockworkMod Recovery on the device
Connect the device to the computer via USB.
Make sure the fastboot binary is in your PATH or that you place the downloaded image in the same directory as fastboot.
Open a terminal on your PC and reboot the device into fastboot mode by typing adb reboot bootloader or by using the hardware key combination.
Once the device is in fastboot mode, verify your PC sees the device by typing fastboot devices
If you don't see your device serial number, and instead see "<waiting for device>", fastboot is not configured properly on your machine. See fastboot documentation for more info.
Flash ClockworkMod Recovery onto your device by entering the following command: fastboot flash recovery your_recovery_image.img where the latter part is the name of the file you downloaded.
Once the flash completes successfully, reboot the device into recovery to verify the installation. This can be done by typing fastboot boot your_recovery_image.img.
Note: Some ROMs overwrite recovery at boot time so if you do not plan to immediately boot into recovery to install CyanogenMod, please be aware that this may overwrite your custom recovery with the stock one.
How To Get Permanent Root
This is a workaround until I can compile a Bootable Kernel
First of all say thanks to @Captain_Throwback !!
He was the original creator of the TWRP Recovery for the Desire 626s.
I have taken his TWRP recovery for the 626s, unpacked it and ported in some of the Desire 526 recovery image.
Kinda a cracked up way of doing this but hey ( It Works)
Step #1
Unlock Your Boot-Loader !!! (currently accomplished with a Java Card / HTC Service Tool)
Even with the card you could run into trouble with unlocking the boot-loader.
There is no switch to Enable OEM Unlock available in the Developer Options.
Here is a work-around for that.
Step #1-A
Open up terminal shell on a computer and pull the frp image from the device. (Temp Root Required)
Code:
dd if=/dev/block/bootdevice/by-name/frp of=/sdcard/frp.img
Terminal Output
[email protected]_a13wlpp:/ #dd if=/dev/block/bootdevice/by-name/frp of=/sdcard/frp.img <
1024+0 records in
1024+0 records out
524288 bytes transferred in 0.364 secs (1440351 bytes/sec)
[email protected]_a13wlpp:/ #
Pull the frp.img to the computer.
If you are still in adb shell.
Code:
exit
exit
Then from the normal command line
Code:
adb pull /sdcard/frp.img
Terminal Output
f=/dev/block/bootdevice/by-name/frp of=/sdcard/frp.img <
1024+0 records in
1024+0 records out
524288 bytes transferred in 0.364 secs (1440351 bytes/sec)
[email protected]_a13wlpp:/ # exit
[email protected]_a13wlpp:/ $ exit
[email protected]:~$ adb pull /sdcard/frp.img
2758 KB/s (524288 bytes in 0.185s)
[email protected]:~$
Now open the frp.img file in a hex editor. Like HXD in windows.
Go to the last line of the file.
Change the very last 00 to 01 and save the file.
Reference the screen shots below.
Factory FRP
{
"lightbox_close": "Close",
"lightbox_next": "Next",
"lightbox_previous": "Previous",
"lightbox_error": "The requested content cannot be loaded. Please try again later.",
"lightbox_start_slideshow": "Start slideshow",
"lightbox_stop_slideshow": "Stop slideshow",
"lightbox_full_screen": "Full screen",
"lightbox_thumbnails": "Thumbnails",
"lightbox_download": "Download",
"lightbox_share": "Share",
"lightbox_zoom": "Zoom",
"lightbox_new_window": "New window",
"lightbox_toggle_sidebar": "Toggle sidebar"
}
Patched FRP
Flash the patched frp.img to the device.
Back to the terminal.
Code:
adb push frp.img /sdcard/frp.img
Code:
adb shell
su
dd if=/sdcard/frp.img of=/dev/block/bootdevice/by-name/frp
If you have completed this now your clip can unlock the boot-loader
In case your wondering this will also work on a boot loader locked device. It will get you as far as being able to get a unlock token from fastboot using Fastboot oem get_identifier_token WITH THE DEVICE IN DOWNLOAD MODE
Unfortunatly HTC-DEV still will not give you the UNLOCK TOKEN yet. The pg2fs partition needs an edit then htc dev will generate a good code. Problem is without clip you cannot modify the pg2fs image. Allthough I am working on it.
STEP #2 ( Get Perm Root !! )
Download the Patched TWRP and SuperSu
The 2 files are attached to the thread. Unzip the TWRP-No-Touch.img.zip Do not unzip the Super.zip.
Copy the super.zip to the device sdcard. Use file explorer or terminal.
Code:
adb push super.zip /sdcard/super.zip
Flash the TWRP Recovery to the device.
reboot to download mode
Code:
adb reboot download
Flash the recovery
Code:
fastboot flash recovery Twrp-526-NO-TOUCH.img
Boot into TWRP Recovery
Code:
fastboot boot recovery
DON'T PANIC !! Yes your right......The touch screen is not working!!!
I need to compile a custom kernel to get TWRP working Right.
I have compiled the kernel but it isn't booting right yet. That's why I figured out this work around for now.
So Now What ???
No worries....Even though we can't access the TWRP commands from the touch screen LETS NOT FORGET.........
We can use the command line :highfive:
Open up terminal on your computer.
If it's not already open.
Go into the shell.
Code:
adb shell
No need to type su cause in case you didn't notice we are already ROOT. "#"
So to install SuperSu (or any other zip package) we do this.
#1 Mount the system partition.
Code:
mount -o rw -t ext4 /dev/block/mmcblk0p62 /system
#2 Tell TWRP what we want it to do one stap at a time
Set device to boot into recovery upon reboot.
Code:
echo 'boot-recovery ' > /cache/recovery/command
Tell TWRP to install SuperSu when it boots.
Code:
echo '--update_package=/sdcard/super.zip' >> /cache/recovery/command
Reboot the recovery to install the SuperSu.
Code:
reboot recovery
Now you will see TWRP boot back up and when it boots up it will install the zip package.
Congratulations you are now one of the first peoples to have a fully rooted Verizon Desire 526. :laugh::silly:
Lets get busy boys !!!! We need to get this boot loader unlocked for the rest of the community.
It's all about the pg2fs partition. If we can find a way to write to it with s-on and boot loader locked then we can unlock all boot-loaders
Glad to see sum positive progress in the right direction....
BigCountry907 ,
Since the MarshaMallow update gives us the developer options OEM unlock switch, shouldn't we just update to it first, to get the bootloader unlock?
OEM Update
You won't find the option to turn on OEM in the device.
You can enable it! Here's how:
Go to the Google Play Store.
Search secret codes revealer.
Search codes
Look for 759
Click launch code
Confirm launch
Under oem click on.
Congrats. You've just enabled oem on your desire 526!
Happy hunting.
BigCountry907 said:
How To Get Permanent Root
This is a workaround until I can compile a Bootable Kernel
First of all say thanks to @Captain_Throwback !!
He was the original creator of the TWRP Recovery for the Desire 626s.
I have taken his TWRP recovery for the 626s, unpacked it and ported in some of the Desire 526 recovery image.
Kinda a cracked up way of doing this but hey ( It Works)
Step #1
Unlock Your Boot-Loader !!! (currently accomplished with a Java Card / HTC Service Tool)
Even with the card you could run into trouble with unlocking the boot-loader.
There is no switch to Enable OEM Unlock available in the Developer Options.
Here is a work-around for that.
Step #1-A
Open up terminal shell on a computer and pull the frp image from the device. (Temp Root Required)
Code:
dd if=/dev/block/bootdevice/by-name/frp of=/sdcard/frp.img
Terminal Output
[email protected]_a13wlpp:/ #dd if=/dev/block/bootdevice/by-name/frp of=/sdcard/frp.img <
1024+0 records in
1024+0 records out
524288 bytes transferred in 0.364 secs (1440351 bytes/sec)
[email protected]_a13wlpp:/ #
Pull the frp.img to the computer.
If you are still in adb shell.
Code:
exit
exit
Then from the normal command line
Code:
adb pull /sdcard/frp.img
Terminal Output
f=/dev/block/bootdevice/by-name/frp of=/sdcard/frp.img <
1024+0 records in
1024+0 records out
524288 bytes transferred in 0.364 secs (1440351 bytes/sec)
[email protected]_a13wlpp:/ # exit
[email protected]_a13wlpp:/ $ exit
[email protected]:~$ adb pull /sdcard/frp.img
2758 KB/s (524288 bytes in 0.185s)
[email protected]:~$
Now open the frp.img file in a hex editor. Like HXD in windows.
Go to the last line of the file.
Change the very last 00 to 01 and save the file.
Reference the screen shots below.
Factory FRP
Patched FRP
Flash the patched frp.img to the device.
Back to the terminal.
Code:
adb push frp.img /sdcard/frp.img
Code:
adb shell
su
dd if=/sdcard/frp.img of=/dev/block/bootdevice/by-name/frp
If you have completed this now your clip can unlock the boot-loader
In case your wondering this will also work on a boot loader locked device. It will get you as far as being able to get a unlock token from fastboot using Fastboot oem get_identifier_token WITH THE DEVICE IN DOWNLOAD MODE
Unfortunatly HTC-DEV still will not give you the UNLOCK TOKEN yet. The pg2fs partition needs an edit then htc dev will generate a good code. Problem is without clip you cannot modify the pg2fs image. Allthough I am working on it.
STEP #2 ( Get Perm Root !! )
Download the Patched TWRP and SuperSu
The 2 files are attached to the thread. Unzip the TWRP-No-Touch.img.zip Do not unzip the Super.zip.
Copy the super.zip to the device sdcard. Use file explorer or terminal.
Code:
adb push super.zip /sdcard/super.zip
Flash the TWRP Recovery to the device.
reboot to download mode
Code:
adb reboot download
Flash the recovery
Code:
fastboot flash recovery Twrp-526-NO-TOUCH.img
Boot into TWRP Recovery
Code:
fastboot boot recovery
DON'T PANIC !! Yes your right......The touch screen is not working!!!
I need to compile a custom kernel to get TWRP working Right.
I have compiled the kernel but it isn't booting right yet. That's why I figured out this work around for now.
So Now What ???
No worries....Even though we can't access the TWRP commands from the touch screen LETS NOT FORGET.........
We can use the command line :highfive:
Open up terminal on your computer.
If it's not already open.
Go into the shell.
Code:
adb shell
No need to type su cause in case you didn't notice we are already ROOT. "#"
So to install SuperSu (or any other zip package) we do this.
#1 Mount the system partition.
Code:
mount -o rw -t ext4 /dev/block/mmcblk0p62 /system
#2 Tell TWRP what we want it to do one stap at a time
Set device to boot into recovery upon reboot.
Code:
echo 'boot-recovery ' > /cache/recovery/command
Tell TWRP to install SuperSu when it boots.
Code:
echo '--update_package=/sdcard/super.zip' >> /cache/recovery/command
Reboot the recovery to install the SuperSu.
Code:
reboot recovery
Now you will see TWRP boot back up and when it boots up it will install the zip package.
Congratulations you are now one of the first peoples to have a fully rooted Verizon Desire 526. :laugh::silly:
Lets get busy boys !!!! We need to get this boot loader unlocked for the rest of the community.
It's all about the pg2fs partition. If we can find a way to write to it with s-on and boot loader locked then we can unlock all boot-loaders
Click to expand...
Click to collapse
Good to know about the 759 code webag.youtag.
But without buying the clip device we are still stuck.
So hopefully BigCountry907 can find a way to unlock the bootloader and root without the clip.
Sidenote: I tried changing my PRL but couldn't get the changes to stick. I tried DFS and QPST. Am I missing something?
@webag.youtag
I installed the mentioned app and used the code.
It shows in the app that the oem is turned on.
But It isn't setting the last byte of the FRP to 01 so ultimatly it will not work.
I tested and still get.
[email protected]:~$ fastboot oem get_identifier_token
...
(bootloader) [KillSwitch] : /dev/block/bootdevice/by-name/frp
(bootloader) [KillSwitch] Last Byte is 0X00, disable unlock
(bootloader) [KillSwitch] oem unlock Turn Off!
OKAY [ 0.082s]
finished. total time: 0.082s
[email protected]:~$
The app lacks permissions to write to the frp partition.
Anyone working on unlocking the boot-loader needs to use the method I posted previously.
And also note: If you reboot the phone then you need to flash the frp partition again.
During re-boot the bit gets set back to 00.
So in a nutshell.
Edit your frp. Make 00 = 01.
Then dd flash the frp.
Then adb reboot download.
Then fastboot oem get_identifier_token.
Problem is there still is a change required in the pg2fs partition / TO Avoid the CID Not Allowed Error
@supermaxkato
Not sure about the prl.
But I have noticed that the security system is tricky.
It will show you in adb shell that you have written the changes to the partition successfully.
But due to the read only protection the partition never really gets written.
Basically instead of giving an error it is writing to a NULL device successfully.
I was looking around and saw a post! (Rare I know)
Have you tried hboot instead of fastboot?also, I have no computer (sad). I am able to get temp root with "kingroot-4.8.2" I am able to use hex edit to change frp from 00 to 01. Is there a way to get identifier token without a PC? Maybe in configuration files or prop files?
BigCountry907 said:
@webag.youtag
I installed the mentioned app and used the code.
It shows in the app that the oem is turned on.
But It isn't setting the last byte of the FRP to 01 so ultimatly it will not work.
I tested and still get.
[email protected]:~$ fastboot oem get_identifier_token
...
(bootloader) [KillSwitch] : /dev/block/bootdevice/by-name/frp
(bootloader) [KillSwitch] Last Byte is 0X00, disable unlock
(bootloader) [KillSwitch] oem unlock Turn Off!
OKAY [ 0.082s]
finished. total time: 0.082s
[email protected]:~$
The app lacks permissions to write to the frp partition.
Anyone working on unlocking the boot-loader needs to use the method I posted previously.
And also note: If you reboot the phone then you need to flash the frp partition again.
During re-boot the bit gets set back to 00.
So in a nutshell.
Edit your frp. Make 00 = 01.
Then dd flash the frp.
Then adb reboot download.
Then fastboot oem get_identifier_token.
Problem is there still is a change required in the pg2fs partition / TO Avoid the CID Not Allowed Error
@supermaxkato
Not sure about the prl.
But I have noticed that the security system is tricky.
It will show you in adb shell that you have written the changes to the partition successfully.
But due to the read only protection the partition never really gets written.
Basically instead of giving an error it is writing to a NULL device successfully.
Click to expand...
Click to collapse
Can you please upload your unlocked boot loader bigcountry907?
Any more progress on this, gentlemen?
When I follow the OP and get to the step:
"fastboot flash recovery Twrp-526-NO-TOUCH.img"
I receive the following error:
FAILED (remote: 9: SD_SECURITY_FAIL recovery and bootloader isn't BL_UNLOCK)
finished. total time: 2.762s
Steps taken:
-frp.img (Pulled from the device, edited & reflashed back with dd command, adb shell reports successful)
-pushed super.zip to device
-rebooted using fastboot to download mode
-attempted to flash TWRP & get the fail with the same error multiple times
Any suggestions or clues? I've attempted this several times, following the OP step by step.
Thanks for the help
@rfunderburk39
You have to unlock the BOOTLOADER first.
Currently I can only unlock it with the xtc-2 clip.
But I'm working on it.
Surprisingly my desire 530 was able to be s-off using TWRP recovery.
If i can somehow capture the commands passed from the xtc-2 clip to the twrp recovery we can replicate it.
Other than that were looking at cooking a qfil / qpst flashable rom.
Not easy.
does anyone know how to log all commands sent to TWRP?
BigCountry907, is the desire 530 you were able to root with twrp the verizon version? If so, did you have to unlock the bootloader first? Because I don't see it on htcdev.
@BigCountry907 I misunderstood the OP, I thought the frp.img edit was a work around of the Java Card.
I will look into the logging of the the TWRP commands. Let me know if I can help out in other ways.
@rfunderburk39
It gets you one step closer but still at the end it fails.
Verizon implements some major security.
I could really use some help.
I got alot together. The entire qcom msm8909 source + manuals you name it.
I was amazed today when i unlocked a desire 530 with the xtc-2 clip and it used @Captain_Throwback twrp to s-off the device.
The beauty of this is it proves S-Off is possible through twrp recovery.
It was my belief that the recovery did not have high enough permissions to write to the radio and get s-off.
Apparently if you know the right commands in the TWRP #shell it's possible.
So how deep into linux / android do you go?
My next best attempt is to generate a service rom using QPST to flash in EDL mode.
Ever make a partition.xml file???
Thats aboot where im at.
oh yea and JTAG TOO.
BigCountry907 said:
@rfunderburk39
It gets you one step closer but still at the end it fails.
Verizon implements some major security.
I could really use some help.
I got alot together. The entire qcom msm8909 source + manuals you name it.
I was amazed today when i unlocked a desire 530 with the xtc-2 clip and it used @Captain_Throwback twrp to s-off the device.
The beauty of this is it proves S-Off is possible through twrp recovery.
It was my belief that the recovery did not have high enough permissions to write to the radio and get s-off.
Apparently if you know the right commands in the TWRP #shell it's possible.
So how deep into linux / android do you go?
My next best attempt is to generate a service rom using QPST to flash in EDL mode.
Ever make a partition.xml file???
Thats aboot where im at.
oh yea and JTAG TOO.
Click to expand...
Click to collapse
Tommorrow my time will be limited during the day, but I can look into "qcom msm8909 source + manuals" & the ability to log TWRP commands and see what I can find.
Interesting about the 530, I was not aware that was possible.
I've used linux for about 20 years, and would consider my knowledge to be good, with the ability to usually get to source of a problem and/or find a solution slash work around.
I've never created a partition.xml, but would be happy to look into it.
I do have quite a bit of past JTAG experience but that was using a serial port not USB, which I assume you are referencing.
@supermaxkato
No my Desire 530 is Metro-Pcs.
I took one of the verizon 526 and activated it then used the phone number to port to Metro Pcs.
With the port it cost $70 for the Desire 530 + 1 month of unlimited service. Essentially the Desire 530 was free.
Any Verizon HTC most likely will have the same security scheme.
@rfunderburk39
This is good news. I would be grateful to have help on this.
It is difficult to know what kind of experience people have some don't even know how to use adb.
I will start another thread with all the information I know so far.
And I have the MSM8909 source code. Not just the kernel but the "Qualcomm Chipcode" Board Support Package.
And many qcom manuals.
This should be very helpful to us.
I will name the new thread "{WIP} {ROM} MSM8909 Service Rom From Source / QPST Root + Unlock + Unbrick"
I will post all current information there.
Something potentially worth trying:
-Grab the Settings.apk (and .odex) from the 526+ or 626, just make sure its the same version of android.
-Push those to device
-adb shell
-su
-mount -o rw,remount,rw /system
-exit
-exit
-adb push Settings.apk /system/priv-app/Settings/
-adb push Settings.odex /system/priv-app/Settings/arm/
-Open >settings>developer options on the device
-check and see if the option “OEM Unlock” appears
-reboot into "download mode" and see if the settings stick.
-run fastboot oem get_identifier_token
Granted this holds the possibility of bricking the phone, but more than likely will not stick on a reboot & the Settings.apk will be replaced with the device original.
I will test on mine.
Give me an hour
Well I replaced the settings files with the settings files from the unlocked ruu for the 526.
It's a no-go the settings app crashes on boot.
This would only add the oem_unlocking option.
We can get the same result by changing the last byte 00 of the FRP.img to 01 and then in a root shell
to pull
dd if=dev/block/bootdevice/by-name/frp of=/sdcard/frp.img
to push
dd if=/sdcard/frp.img of=dev/block/bootdevice/by-name/frp
This will work to get a Unlock Token but the HTC-DEV site will reject it.
ERROR = CID Not Allowed.
If you can find a way to write the pg2fs partition I can make this work.
BigCountry907 said:
@rfunderburk39
It gets you one step closer but still at the end it fails.
Verizon implements some major security.
I could really use some help.
I got alot together. The entire qcom msm8909 source + manuals you name it.
I was amazed today when i unlocked a desire 530 with the xtc-2 clip and it used @Captain_Throwback twrp to s-off the device.
The beauty of this is it proves S-Off is possible through twrp recovery.
It was my belief that the recovery did not have high enough permissions to write to the radio and get s-off.
Apparently if you know the right commands in the TWRP #shell it's possible.
So how deep into linux / android do you go?
My next best attempt is to generate a service rom using QPST to flash in EDL mode.
Ever make a partition.xml file???
Thats aboot where im at.
oh yea and JTAG TOO.
Click to expand...
Click to collapse
BigCountry907 said:
Well I replaced the settings files with the settings files from the unlocked ruu for the 526.
It's a no-go the settings app crashes on boot.
This would only add the oem_unlocking option.
We can get the same result by changing the last byte 00 of the FRP.img to 01 and then in a root shell
to pull
dd if=dev/block/bootdevice/by-name/frp of=/sdcard/frp.img
to push
dd if=/sdcard/frp.img of=dev/block/bootdevice/by-name/frp
This will work to get a Unlock Token but the HTC-DEV site will reject it.
ERROR = CID Not Allowed.
If you can find a way to write the pg2fs partition I can make this work.
Click to expand...
Click to collapse
I didn't think it would work, just an outside chance. Hoped it may give a different token, that in turn would pass over at HTC-DEV.
Back when I had other HTC devices, I used a tool here on XDA [TOOL] HTC Easy Unlock Bootloader Tool. It doesn't appear to be maintained any longer, its based around Windows *.bat files (easy enough to edit)
https://forum.xda-developers.com/showthread.php?t=2133336
and SimpleGoldCard
https://forum.xda-developers.com/showthread.php?t=970157
SimpleGoldCard would access a site, after downloading that, you select it in the SimpleGoldCard application & it would create the image.
https://huygens.hoxnet.com/goldcard.html
I haven't had time to read through these post just yet, the method may no longer be valid. But worth a look, and I will be reading through these today to see.
Also I will see what I can find about a work-a-round of the the writing to pg2fs partition
I wanted to create a thread so as to report any unique findings from the internet realm and my own discoveries surrounding the Vernee Apollo Phone. The aim is to bring resources together to encourage development and to release utilities and roms.
Please post your own discoveries and updates!!!
This is NOT a "Vernee Apollo Lite" nor a "Vernee Apollo X" thread even though some information maybe relevant.
Device Name and Specs
Vernee Apollo.
Device Model =K15TA_A
Official Product Website
Official Product Forum
http://www.devicespecifications.com/
Vernee Apollo - Antutu Benchmark v6.2.7.
Score 92,235.
3D: 19159
UX: 38097
CPU: 27535
RAM: 7444
Helio X25 MT6797 Family System on a Chip (SoC) Comparison
Vernee Apollo deploys a X25 MT6797T.
https://en.wikipedia.org/wiki/MediaTek#Octa-_and_deca-core
https://www.mediatek.com/products/smartphones/mt6797-helio-x20
{
"lightbox_close": "Close",
"lightbox_next": "Next",
"lightbox_previous": "Previous",
"lightbox_error": "The requested content cannot be loaded. Please try again later.",
"lightbox_start_slideshow": "Start slideshow",
"lightbox_stop_slideshow": "Stop slideshow",
"lightbox_full_screen": "Full screen",
"lightbox_thumbnails": "Thumbnails",
"lightbox_download": "Download",
"lightbox_share": "Share",
"lightbox_zoom": "Zoom",
"lightbox_new_window": "New window",
"lightbox_toggle_sidebar": "Toggle sidebar"
}
ADB and FASTBOOT Modes
The Vernee Apollo's bootloader supports Fastboot. The Recovery mode supports the Android Debugging Bridge (ADB) . To access, perform the button sequence below. A menu will appear allowing you to cycle through option to either boot into the recovery partitio,n or to start the Fastboot service.
ADB service is also available also within the Android desktop if you enable USB Debugging in the revealed developers settings menu. You will most likely need to accept a signed key issued from the managing computer for the service to communicate!
Accessing Bootloader Menu
Buttons: [Top-Volume] + [Power-Button] for 8 Seconds.
When the phone is shutdown, hold both buttons at same time from for 8 seconds. The Bootloader menu will appear and then release buttons.
Using Bootloader Menu
Button: [Top-Volume] = Cycle selection.
Button: [Bottom-Volume] = Choose selected item.
With the high screen resolution it maybe hard to see the text-options. There should be three;
1. Recovery, (Boot into Recovery partition with ADB.)
2. Fastboot, (Start Fastboot server.)
3. Normal. (Proceed to boot normally.)
Using Recovery Mode and Menu
When you boot the Recovery partition you will be meet with a failed Android icon on the stock Vernee release rom. ADB will be accessible from here. Note: The Recover menu will cause the ADB server to fail. If you want to display the recovery menu options then perform the following during the failed Android icon screen.
Buttons: [Top-Volume] + [Power-Button] pulsing till the menu appears.
Fastboot
If you plan to develop on your Apollo or to install future community roms then it's advisable to unlock your storage partitions. Unlocking will allow you to change partitions but doing so will void software warranty clauses, and in the process scrub all your personal data from the phone so it's best to do it before installing personal content.
To unlock the phone issue the following command through Fastboot. You will be asked to confirm.
Code:
fastboot oem unlock
Engineering Mode
Enter the following phone number in Android desktop
Code:
Dial *#*#3646633#*#*
Phone Test Options
Alternatively there is a phone test mode available at low level with less options. Whilst the phone is shutdown, press the following.
Buttons: [Bottom-Volume] + [Power-Button] for 8 Seconds.
A test menu will appear and is in simplified Chinese.
SIMS
If your phone is not receiving data over 4G or 3G, Google on another computer "apn" "YOURMOBILEPHONEPROVIDER" "YOURNATION". Example;
Code:
"apn" "vodafone" "uk"
You should find links to technical settings for your data provider's access. Then enter them in by navigating to;
Settings>More>Mobile network settings>Access point names>CLICK-YOUR-LOCKED-ON-PROVIDER>THEN-CONFIRM-SETTINGS
USB
Device USB Coding
Code:
System Mode:
ID 0e8d:201d MediaTek Inc.
ADB Mode:
ID 0e8d:2008 MediaTek Inc.
Fastboot Mode
ID 0bb4:0c01 HTC (High Tech Computer Corp.) Dream / ADP1 / G1 / Magic / Tattoo
Microsoft Windows VCOM Drivers
On Microsoft systems you will need to have drivers installed so as to communicate with the Mediatek phone.
MediaTek DA USB VCOM (Android) Driver 3.0.1504.0 for Windows 7/Windows 8.1
MediaTek DA USB VCOM (Android) Driver 3.0.1504.0 for Windows 10
UART Ability?
I haven't opened the phone yet but if anyone does please capture images of the circuit board. If there are UART pins on the board it may have a root shell piped to the interface. A UART (universal asynchronous receiver/transmitter) in this sense is a device that couples serial communications port to USB to run a terminal over.
Vernee Official Rom Images & "Over The Air" Updates
Official Product Downloads/Support
VerneeX25_Recovery_OriginalStock_v1p0 (Thx to Relief66)
Download (2016-12) ROM "full_k15ta_a-ota-1482441792.zip"
Download (2017-01) ROM "full_k15ta_a-ota-1484567521.zip" (Creating .img from .dat files works!)
Download (2017-07) ROM "full_k15ta_a-ota-1499861676.zip"
Download (2017-07) OTA Patch "20170712201130-OTA.rar"
Note: "20170712201130-OTA.rar" is only designed to update "full_k15ta_a-ota-1482441792.zip" image.
Flashing Partitions
There are three main ways to flash;
1. using "Smart Phone Flash Tool",
2. Fastboot flash command,
3. via internal software like a root bash shell or routine from recovery.
Partition Table
Code:
system logical drive = 2621.44MB [= 2684354560 bytes = 5242880 x 512blocks]
recovery logical drive = 16.384MB
Scatter file from OTA
----------------------------
preloader 0x0
pgpt 0x0
recovery 0x8000
para 0x1008000
custom 0x1088000
expdb 0x13c88000
frp 0x14688000
nvcfg 0x14788000
nvdata 0x14f88000
metadata 0x16f88000
protect1 0x18f88000
protect2 0x19788000
seccfg 0x1a000000
oemkeystore 0x1a800000
proinfo 0x1aa00000
md1img 0x1ad00000
md1dsp 0x1c500000
md1arm7 0x1c900000
md3img 0x1cc00000
scp1 0x1d100000
scp2 0x1d200000
nvram 0x1d300000
lk 0x1d800000
lk2 0x1d880000
boot 0x1d900000
logo 0x1e900000
tee1 0x1f100000
tee2 0x1f600000
keystore 0x1fb00000
system 0x20800000
cache 0xc0800000
userdata 0xdb000000
flashinfo 0xFFFF0080
sgpt 0xFFFF0000
recovery.fstab
------------------
# mount point fstype device [device2]
/boot emmc boot
/cache ext4 /dev/block/mmcblk0p4
/data ext4 /dev/block/mmcblk0p5
/misc emmc misc
/recovery emmc recovery
/sdcard vfat /dev/block/mmcblk0p6
/system ext4 /dev/block/mmcblk0p3
live fstab via "cat /fstab.mt6797"
------------------------------------------
# 1 "vendor/mediatek/proprietary/hardware/fstab/mt6797/fstab.in"
# 1 "<built-in>"
# 1 "<命令行>"
# 1 "vendor/mediatek/proprietary/hardware/fstab/mt6797/fstab.in"
# 20 "vendor/mediatek/proprietary/hardware/fstab/mt6797/fstab.in"
/dev/block/platform/mtk-msdc.0/11230000.msdc0/by-name/system /system ext4 ro wait
/dev/block/platform/mtk-msdc.0/11230000.msdc0/by-name/userdata /data ext4 noatime,nosuid,nodev,noauto_da_alloc,discard wait,check,resize,encryptable=/dev/block/platform/mtk-msdc.0/11230000.msdc0/by-name/metadata,
/dev/block/platform/mtk-msdc.0/11230000.msdc0/by-name/cache /cache ext4 noatime,nosuid,nodev,noauto_da_alloc,discard wait,check
/dev/block/platform/mtk-msdc.0/11230000.msdc0/by-name/protect1 /protect_f ext4 noatime,nosuid,nodev,noauto_da_alloc,commit=1,nodelalloc wait,check,formattable
/dev/block/platform/mtk-msdc.0/11230000.msdc0/by-name/protect2 /protect_s ext4 noatime,nosuid,nodev,noauto_da_alloc,commit=1,nodelalloc wait,check,formattable
/dev/block/platform/mtk-msdc.0/11230000.msdc0/by-name/nvdata /nvdata ext4 noatime,nosuid,nodev,noauto_da_alloc,discard wait,check,formattable
/dev/block/platform/mtk-msdc.0/11230000.msdc0/by-name/nvcfg /nvcfg ext4 noatime,nosuid,nodev,noauto_da_alloc,commit=1,nodelalloc wait,check,formattable
/dev/block/platform/mtk-msdc.0/11230000.msdc0/by-name/custom /custom ext4 ro wait
/devices/mtk-msdc.0/11230000.msdc0* auto vfat defaults voldmanaged=sdcard0:auto
/devices/mtk-msdc.0/11240000.msdc1* auto auto defaults voldmanaged=sdcard1:auto,encryptable=userdata
/devices/soc/11270000.usb3_xhci* auto vfat defaults voldmanaged=usbotg:auto
/dev/block/platform/mtk-msdc.0/11230000.msdc0/by-name/frp /persistent emmc defaults defaults
/dev/block/platform/mtk-msdc.0/11230000.msdc0/by-name/nvram /nvram emmc defaults defaults
/dev/block/platform/mtk-msdc.0/11230000.msdc0/by-name/proinfo /proinfo emmc defaults defaults
/dev/block/platform/mtk-msdc.0/11230000.msdc0/by-name/lk /bootloader emmc defaults defaults
/dev/block/platform/mtk-msdc.0/11230000.msdc0/by-name/lk2 /bootloader2 emmc defaults defaults
/dev/block/platform/mtk-msdc.0/11230000.msdc0/by-name/para /misc emmc defaults defaults
/dev/block/platform/mtk-msdc.0/11230000.msdc0/by-name/boot /boot emmc defaults defaults
/dev/block/platform/mtk-msdc.0/11230000.msdc0/by-name/recovery /recovery emmc defaults defaults
/dev/block/platform/mtk-msdc.0/11230000.msdc0/by-name/logo /logo emmc defaults defaults
/dev/block/platform/mtk-msdc.0/11230000.msdc0/by-name/expdb /expdb emmc defaults defaults
/dev/block/platform/mtk-msdc.0/11230000.msdc0/by-name/seccfg /seccfg emmc defaults defaults
/dev/block/platform/mtk-msdc.0/11230000.msdc0/by-name/tee1 /tee1 emmc defaults defaults
/dev/block/platform/mtk-msdc.0/11230000.msdc0/by-name/tee2 /tee2 emmc defaults defaults
/dev/block/platform/mtk-msdc.0/11230000.msdc0/by-name/scp1 /scp1 emmc defaults defaults
/dev/block/platform/mtk-msdc.0/11230000.msdc0/by-name/scp2 /scp2 emmc defaults defaults
/dev/block/platform/mtk-msdc.0/11230000.msdc0/by-name/md1img /md1img emmc defaults defaults
/dev/block/platform/mtk-msdc.0/11230000.msdc0/by-name/md1dsp /md1dsp emmc defaults defaults
/dev/block/platform/mtk-msdc.0/11230000.msdc0/by-name/md1arm7 /md1arm7 emmc defaults defaults
/dev/block/platform/mtk-msdc.0/11230000.msdc0/by-name/md3img /md3img emmc defaults defaults
Raw block partition label and user/group
-----------------------------------------------------
/dev/block/platform/mtk-msdc\.0/[0-9]+\.msdc0/by-name/proinfo u:object_r:nvram_device:s0
/dev/block/platform/mtk-msdc\.0/[0-9]+\.msdc0/by-name/nvram u:object_r:nvram_device:s0
/dev/block/platform/mtk-msdc\.0/[0-9]+\.msdc0/by-name/nvdata u:object_r:nvdata_device:s0
/dev/block/platform/mtk-msdc\.0/[0-9]+\.msdc0/by-name/frp u:object_r:frp_block_device:s0
/dev/block/platform/mtk-msdc\.0/[0-9]+\.msdc0/by-name/expdb u:object_r:expdb_block_device:s0
/dev/block/platform/mtk-msdc\.0/[0-9]+\.msdc0/by-name/misc2 u:object_r:misc2_block_device:s0
/dev/block/platform/mtk-msdc\.0/[0-9]+\.msdc0/by-name/logo u:object_r:logo_block_device:s0
/dev/block/platform/mtk-msdc\.0/[0-9]+\.msdc0/by-name/para u:object_r:para_block_device:s0
/dev/block/platform/mtk-msdc\.0/[0-9]+\.msdc0/by-name/tee1 u:object_r:tee_block_device:s0
/dev/block/platform/mtk-msdc\.0/[0-9]+\.msdc0/by-name/tee2 u:object_r:tee_block_device:s0
/dev/block/platform/mtk-msdc\.0/[0-9]+\.msdc0/by-name/seccfg u:object_r:seccfg_block_device:s0
/dev/block/platform/mtk-msdc\.0/[0-9]+\.msdc0/by-name/userdata u:object_r:userdata_block_device:s0
/dev/block/platform/mtk-msdc\.0/[0-9]+\.msdc0/by-name/cache u:object_r:cache_block_device:s0
/dev/block/platform/mtk-msdc\.0/[0-9]+\.msdc0/by-name/recovery u:object_r:recovery_block_device:s0
/dev/block/platform/mtk-msdc\.0/[0-9]+\.msdc0/by-name/protect1 u:object_r:protect1_block_device:s0
/dev/block/platform/mtk-msdc\.0/[0-9]+\.msdc0/by-name/protect2 u:object_r:protect2_block_device:s0
/dev/block/platform/mtk-msdc\.0/[0-9]+\.msdc0/by-name/keystore u:object_r:keystore_block_device:s0
/dev/block/platform/mtk-msdc\.0/[0-9]+\.msdc0/by-name/oemkeystore u:object_r:oemkeystore_block_device:s0
/dev/block/platform/mtk-msdc\.0/[0-9]+\.msdc0/by-name/boot u:object_r:boot_block_device:s0
/dev/block/platform/mtk-msdc\.0/[0-9]+\.msdc0/by-name/persist u:object_r:persist_block_device:s0
/dev/block/platform/mtk-msdc\.0/[0-9]+\.msdc0/by-name/system u:object_r:system_block_device:s0
/dev/block/platform/mtk-msdc\.0/[0-9]+\.msdc0/by-name/nvcfg u:object_r:nvcfg_block_device:s0
/dev/block/platform/mtk-msdc\.0/[0-9]+\.msdc0/by-name/md1img u:object_r:md_block_device:s0
/dev/block/platform/mtk-msdc\.0/[0-9]+\.msdc0/by-name/md1dsp u:object_r:dsp_block_device:s0
/dev/block/platform/mtk-msdc\.0/[0-9]+\.msdc0/by-name/md1arm7 u:object_r:md_block_device:s0
/dev/block/platform/mtk-msdc\.0/[0-9]+\.msdc0/by-name/md3img u:object_r:md_block_device:s0
On my rooted phone I can check the UUID of the partitions. (You may need BusyBox installed to use blkid command!).
Code:
adb shell
su
blkid
displays;
Code:
/dev/block/loop0: LABEL="iAmCdRom" TYPE="iso9660"
/dev/block/loop1: UUID="57f8f4bc-abf4-655f-bf67-946fc0f9f25b" TYPE="ext4"
/dev/block/zram0: TYPE="swap"
/dev/block/mmcblk0p3: LABEL="custom" UUID="0f1095f4-0ece-e656-b6ac-e2ce104d5722" TYPE="ext4"
/dev/block/mmcblk0p6: UUID="57f8f4bc-abf4-655f-bf67-946fc0f9f25b" TYPE="ext4"
/dev/block/mmcblk0p7: UUID="57f8f4bc-abf4-655f-bf67-946fc0f9f25b" TYPE="ext4"
/dev/block/mmcblk0p9: UUID="57f8f4bc-abf4-655f-bf67-946fc0f9f25b" TYPE="ext4"
/dev/block/mmcblk0p10: UUID="57f8f4bc-abf4-655f-bf67-946fc0f9f25b" TYPE="ext4"
/dev/block/mmcblk0p28: LABEL="system" UUID="da594c53-9beb-f85c-85c5-cedf76546f7a" TYPE="ext4"
/dev/block/mmcblk0p29: UUID="57f8f4bc-abf4-655f-bf67-946fc0f9f25b" TYPE="ext4"
/dev/block/mmcblk0p30: UUID="57f8f4bc-abf4-655f-bf67-946fc0f9f25b" TYPE="ext4"
/dev/block/mmcblk1p1: UUID="0508-0E13" TYPE="vfat"
Modifying Partitions
Modify partitions often means Users hacking the commercial roms and that means extracting out the important files to work with. The most important blocks are the system-partition which holds the operating system, then the recovery-partition which pole vaults Users with low level tools and abilities, like startup phone root powers. Noting many modern phone root modes, deploy on the recovery-partition rather than modify the system-partition, so as to retain full compatibility and retention of abilities, when conducting "Over the Air" / OTA updates from the manufacturer.
There are two popular platforms to hack on. 1. on native Linux including the phone itself, and 2. on a Microsoft Windows platform with Linux style utilities.
To ready a partition, to then modify it, and to then save it for flashing has many steps. One should obtain the manufacturer's rom or OTA update, to seek out the latest images and files to utilise.
In this example of hacking an official rom, we will be using "full_k15ta_a-ota-1484567521.zip". Utility executables are readily available in repositories related to your Linux distribution, like AUR on Archlinux.
Linux - ACCESSING SYSTEM IMAGE TO MODIFY
1.) Extract the zip file to a new folder. The directory should be something like this structure.
Code:
.../tinysys-scp.bin
.../logo.bin
.../lk.bin
.../md1rom.img
.../system.patch.dat
.../type.txt
.../custom.new.dat
.../custom
.../custom/cip-build.prop
.../custom/app-res
.../custom/app-res/quicksearchbox-res
.../custom/app-res/quicksearchbox-res/quicksearchbox-res.apk
.../custom/app-res/android-res
.../custom/app-res/android-res/android-res.apk
.../custom/app-res/browser-res
.../custom/app-res/browser-res/browser-res.apk
.../custom/app-res/launcher3-res
.../custom/app-res/launcher3-res/launcher3-res.apk
.../custom/media
.../custom/media/audio
.../custom/media/audio/notifications
.../custom/media/audio/notifications/Leaf.ogg
.../custom/media/audio/notifications/Pure.ogg
.../custom/media/audio/notifications/Triumph.ogg
.../custom/media/audio/notifications/Vernee_n002.ogg
.../custom/media/audio/notifications/The_time_tunne.ogg
.../custom/media/audio/notifications/Jump.ogg
.../custom/media/audio/notifications/Whisper.ogg
.../custom/media/audio/notifications/Vernee_n001.ogg
.../custom/media/audio/notifications/Cuckoo.ogg
.../custom/media/audio/notifications/Cleverer.ogg
.../custom/media/audio/notifications/Meteor.ogg
.../custom/media/audio/notifications/Bongo.ogg
.../custom/media/audio/notifications/Ripples.ogg
.../custom/media/audio/notifications/Whistle.ogg
.../custom/media/audio/notifications/Gift.ogg
.../custom/media/audio/alarms
.../custom/media/audio/alarms/ClassicAlarm.ogg
.../custom/media/audio/alarms/Waltz.ogg
.../custom/media/audio/alarms/Vernee_a001.ogg
.../custom/media/audio/alarms/GoodLuck.ogg
.../custom/media/audio/alarms/Foredawn.ogg
.../custom/media/audio/alarms/Vernee_a002.ogg
.../custom/media/audio/alarms/MorningSunShine.ogg
.../custom/media/audio/alarms/Walking_in_the_rain.ogg
.../custom/media/audio/ringtones
.../custom/media/audio/ringtones/Call_of_love.ogg
.../custom/media/audio/ringtones/Spring.ogg
.../custom/media/audio/ringtones/New_life.ogg
.../custom/media/audio/ringtones/Menuet.ogg
.../custom/media/audio/ringtones/Vernee_r004.ogg
.../custom/media/audio/ringtones/Heartbeat.ogg
.../custom/media/audio/ringtones/Vernee_r005.ogg
.../custom/media/audio/ringtones/Technology.ogg
.../custom/media/audio/ringtones/Longing.ogg
.../custom/media/audio/ringtones/Vernee_r002.ogg
.../custom/media/audio/ringtones/Vernee_r003.ogg
.../custom/media/audio/ringtones/Westlake.ogg
.../custom/media/audio/ringtones/Vernee_r001.ogg
.../custom/media/audio/ringtones/Progress.ogg
.../custom/media/audio/ringtones/Journey.ogg
.../custom/media/audio/ringtones/GuitarPop.ogg
.../custom/media/audio/ringtones/Cloud.ogg
.../custom/media/audio/ringtones/Capriccioso.ogg
.../custom/media/audio/ringtones/IceWorldPiano.ogg
.../custom/plugin
.../custom/plugin/FwkPlugin
.../custom/plugin/FwkPlugin/FwkPlugin.mpinfo
.../custom/plugin/FwkPlugin/FwkPlugin.apk
.../custom/plugin/Signatures
.../custom/plugin/Signatures/mplugin_guard.xml
.../custom/etc
.../custom/etc/resources.xml
.../custom/bootani
.../custom/bootani/shutanimation.zip
.../custom/bootani/bootanimation.zip
.../custom/customprop
.../custom/customprop/custom.prop
.../system.new.dat
.../custom.patch.dat
.../md1arm7.img
.../md3rom.img
.../preloader_k15ta_a.bin
.../md1dsp.img
.../scatter.txt
.../custom.transfer.list
.../file_contexts
.../boot.img
.../META-INF
.../META-INF/CERT.SF
.../META-INF/MANIFEST.MF
.../META-INF/CERT.RSA
.../META-INF/com
.../META-INF/com/android
.../META-INF/com/android/metadata
.../META-INF/com/android/otacert
.../META-INF/com/google
.../META-INF/com/google/android
.../META-INF/com/google/android/update-binary
.../META-INF/com/google/android/updater-script
.../trustzone.bin
.../system.transfer.list
.../sdat2img.py
2.) the images we are looking for are either the system-partition or the recovery-partition to modify. In this case there is only the system and it's held in the file "system.new.dat", a 1.6 gigabyte file. We know from the partition tables above that the system-partition is 2.6GB wide, so this image is either compressed or short. Most partitions deployed on Android for updating are compressed in what's called a sparse format.
We need to uncompress any sparse file before we can work with it or mount it, but the issue in this case is the image is also in "dat" structure, which means we need to unsparse using structured data held in "system.transfer.list". Here we use "sdat2img" executable to create the file "system_fullsize.img";
Code:
sdat2img system.transfer.list system.new.dat system_fullsize.img
Alternatively if the file was not a dat format, we could simply unsparse using;
Code:
simg2img system.img system_fullsize.img
3.) Now that we have the full image we can mount it as a file-system to tinker with it. Example of making a mount point and mounting it;
Code:
sudo mkdir /system
sudo mount -t ext4 -o loop ./system_fullsize.img /system/
You can now modify the image simply by changing the files in the directory mounted on. After changes you can save out and attempting to flash it back to the phone for your custom system.
Linux - CAPTURING THE MOUNT BACK TO AN IMAGE FILE
1.) After we have modified the mounted system-partition we need to save it back out for flashing if you want to see your changes live on the phone.
Labelling (If desired). We can name the mount to enforce block-labels. In this case the loop device was "loop0" used to mount the image. (Check which loop-device was used when performing this. eg: lsblk) Here we are going to label it "system"..
Code:
e2label /dev/loop0 system
It maybe important to set the partition UUID the same as the manufacturer uses so the the mounting process finds the correct partition to mount at boot. We know the system partitions UUID from the above discovery details;
Code:
UUID="da594c53-9beb-f85c-85c5-cedf76546f7a"
We can set the mounted image's UUID to suit the original before creating a new;
Code:
sudo tune2fs /dev/loop0 -U da594c53-9beb-f85c-85c5-cedf76546f7a
Here we capture out the device to an "ext4" format file-system image. The length option, being 2684354560 bytes. Labelling option "-a" with name "system".
Code:
sudo make_ext4fs -s -l 2684354560 -a system system_modded.img /system/
2.) To flash your image, Android's recent "fastboot" utility will allow for unsparse and sparsed images to be flashed. I have broken down the fastboot process into each step.
CAUTION: fastboot writes over your phone's partition blocks. If you are not skilled in this area of computing them research "fastboot" before use.
Note: current I have not found out why this process is incompatible with Vernee Apollo. The images I write back are not operational even though they flash properly. My hunch is that I may need to enforce an ISO/image UUID the same as the manufacturers, but I haven't tested this yet.
Code:
fastboot -w
fastboot format system
fastboot flash system ./system_modded.img
If we want to sparse the file before flashing;
Code:
img2simg system_modded.img system_modded_sparse.img
If we want to create a sparse dat structured image;
Code:
img2sdat ./system_modded.img
Linux - ACCESSING RECOVER IMAGE TO MODIFY
An Android recovery image is really three items in one image. There is a compressed kernel (zImage) used to run a recovery system, a ramdisk (initrd.img), and configuration file. The ramdisk "initrd.img" holds the operating system files used by the recovery kernel. Note the bootimage partition/image is a similar structure to a recovery-image.
If you need a similar development community then the Xiaomi Redmi Pro is a similar phone due to its Mediatek Helio x25 but it uses a different cameras, screen and sensors. Modifying and tweaking settings in their recovery images can work on your Vernee Apollo X25.
To extract the sub held files (bootimg.cfg, zImage, initrd.img);
Code:
abootimg -x recovery.img
To unpack a ramdisk "initrd.img";
Code:
mkdir initrd
cd initrd
sudo zcat ../initrd.img | cpio -idmv
To pack files whilst in your ramdisk directory ''/initrd";
Code:
find . | cpio -o -H newc | gzip > ../newramdisk.cpio.gz
To pack back up components into a recovery rom;
Code:
abootimg --create recovery_new.img -f bootimg.cfg -k zImage -r initrd.img
Alternatively;
Code:
mkbootimg --cmdline 'no_console_suspend=1 console=null' --kernel ./zImage --ramdisk ./newramdisk.cpio.gz -o recovery_new.img
Software
Chainfire SuperSU Release Announcement
F-Droid. Alternative App Store for public domain software.
.
Known Recovery Image Developers
Cleopatra Bianchi
https://forum.xda-developers.com/general/rooting-roms/vernee-apollo-helio-x25-twrp-root-t3554788
Known ROM Developers
Cleopatra Bianchi
https://forum.xda-developers.com/general/rooting-roms/vernee-apollo-helio-x25-roms-fix-t3561019
Vernee Apollo X25 General Resource Sites
http://www.needrom.com/ Vernee/ApolloX25
.
Hardware
Protective Covers
Silicone and more rigid covers are becoming available for the Vernee Apollo. Make sure you don't get a Lite version as it wont fit.
Those looking for more range and are willing to mod, the Lenovo K5 Note is very similar in dimensions to the Apollo X25, but the headphone jack, volume and power buttons are slightly off. Modding a K5 Note case will require cutting holes for the headphone jack, buttons, speaker holes, and possibly for the flash. Clear covers will allow the flash to work. Make sure the camera and finger scanner is a complete open section on any K5 cover!
https://www.aliexpress.com/item/Ver...-Shell-Back-Cover-For-Vernee/32799796884.html
TWRP Vernee Apollo Helio X25
Cleopatra Bianchi said:
Click to expand...
Click to collapse
http://bbs.vernee.cc/forum.php?mod=viewthread&tid=1721&extra=page%3D1
Cleopatra Bianchi said:
http://bbs.vernee.cc/forum.php?mod=viewthread&tid=1721&extra=page%3D1
Click to expand...
Click to collapse
I left it up to you to post. I hope people comment on what they think. I'm working on my own images so I can't install others at the moment to give an opinion. Readers please note I can't verify the security on this share. Do not take any compromising actions.
I'm super busy so not sure when I will have my own solutions.
How I wish I had more knowledge. This piece of Hw (Raw Hw?) has a lot of potential, but lacks interest of any developer adapt/adopt it....
The conditions are there (lets hope the owners free the code, as they have done with its small brother), and let's hope there are enough and good drivers for the chosen Hw.
Just to encourage your efforts.
Regards
I agree
lots of good hardware and poor software...I hope in this community
At the moment I found these "bad" things about this phone:
1) you can't choose to view the battery percentage in the upper bar
2) you have to set the APN manually or you can't use internet
3) you can't turn volume up or down if the screen is switched off
I've kind of hit a wall with modding the system image to root it. The system images I produce are just not compatible with flashing. They flash but no desktop runs on the phone. Tried both sparse and raws. and I've got the partition size correct. Mount point is set properly to "system" and they're ext4 images.
I'm building Chainfire's version of ext4_utils, specifically the make_ext4fs util. If that doesn't work then I'll build Google's version. Long process as you need SELinux headers which takes ages to install. There maybe a bug in older versions that's causing the trouble. Other thoughts, there maybe a different padding method or bit plane for storing file system nodes. I may need SELinux builds of executables just to get the job done as I did notice in a hex.diff that the original image has SELinux stamps in it. I need more investigation to know why that's so.
It would be nice if Cleopatra Bianchi chimed in if She knows the issue or has even been down this road before, so to speak.
Hi, E8
Do not know even if this could be valuable, but the sources of the lite version are there. I suppose they are taking the same engineering approaches with the big brother... or not...
but would check
Regards
jrotaetxe said:
Hi, E8
Do not know even if this could be valuable, but the sources of the lite version are there. I suppose they are taking the same engineering approaches with the big brother... or not...
but would check
Regards
Click to expand...
Click to collapse
I'll look into it as the scripts may indicate the process to image creation. Cheers.
TWRP and ROOT - successfully tested !
https://forum.xda-developers.com/general/rooting-roms/vernee-apollo-helio-x25-twrp-root-t3554788
Such a cool phone, but sending it back. Doesn't work with US carriers
Stock firmware in Flash Tool
Cleopatra Bianchi said:
TWRP and ROOT - successfully tested !
https://forum.xda-developers.com/general/rooting-roms/vernee-apollo-helio-x25-twrp-root-t3554788
Click to expand...
Click to collapse
I look forward to flash the stock firmware in Flash Tool. I foolishly made a phone of brick, all backups lost.
stock firmware
myextasy said:
I look forward to flash the stock firmware in Flash Tool. I foolishly made a phone of brick, all backups lost.
Click to expand...
Click to collapse
A working stock firmware will be here very soon.
Please be patient, I am working on that.
Cleopatra Bianchi said:
A working stock firmware will be here very soon.
Please be patient, I am working on that.
Click to expand...
Click to collapse
Anyway to unlock bands to get it working in US ???
myextasy said:
I look forward to flash the stock firmware in Flash Tool. I foolishly made a phone of brick, all backups lost.
Click to expand...
Click to collapse
You can easily restore the phone using the official zip rom. Place it on a micro sdcard and install via the Bootloader menu. Instructions are on the forst comment on how to get to the bootloader menu and then recovery. If you're destroyed your recovery partition but still have fastboot access then you can use the system image within the official rom to flash the system partition with a bit of modifications.
I've been super busy so I haven't had the time to work on my own version of the TWRP Recovery.
How can I find the drivers ? When I google search I only find the one for Apollo lite
Do not believe you can "unlock" US bands, as they differ from EU/ASIA system.
Anyway, trying is (almost) free. The worst thing can happen is a brick
Regards
Im Using C432 .. Rom 9.1.0.147 Newest Stock Update Here In Denmark
First Unlock Bootloader : flash oem unlock ********code******
Enter Bootloader Again, Now Flash Modded_recovery_ramdisk : fastboot flash recovery_ramdisk r.ram.mod.img
And Flash Erecovery_ramdisk with TWRP.img From kilroystyx
Do NOT Remove USB Cable But Hold Power Untill You See Black Screen
Then Quickly Pres And Hold VOL + Untill You Read "Your Device Is Booting Now..."
Now You Should See/Enter Your TWRP Recovery , Now Wipe And Format Data, Then Reboot Recovery "Force Close With Power" .. Again When You See Black Screen Then Quickly Pres And Hold VOL + Untill You Read "Your Device Is Booting Now..."
And You Should ReEnter TWRP Again.. now Mount Vendor then Start Terminal In Recovery under advanced
In Terminal Type :
mount -o remount,rw /dev/block/mmcblk0p55
mount -o remount,rw /dev/block/mmcblk0p37
mount -o remount,rw /dev/block/mmcblk0p53
"patition name/table layout of editable partitions from recovery"
cust = mmcblk0p53
vendor = mmcblk0p55
modem_fw = mmcblk0p37
erecovery_ramdisk = mmcblk0p29
recovery_ramdisk = mmvblk0p33
Now Use File Manager In Recovery Under Advanced To Copy fstab.modem , fstab.hi6250 And recovery.fstab From /vendor/etc/ to /sdcard/ And from /sdcard/ Over To a PC .. Edit fstab.* With Notepad++ One By One Remove The Word "verify" including the comma and replace ALL "ro" with "rw" Also Remove The Words With fileencryption***************** Including The Comma ...
Do This in ALL 3 Files When Done Copy Back The 3 Files To Sdcard And Use File Manager To Move The Edited Files Back To /vendor/etc/ Overwriting The Old Files Now Do The Same With The 2 Files In The Root /fstab.hi6250.data And /fstab.hi6250
THEN FROM RECOVERY Select REBOOT And RECOVERY .... AND YOUR DONE .. You Should Now Automaticly Enter The Rom..
YOU ARE NOW MAGISK ROOTED "Use 19.3 Stable Settings In Magisk Only" Dont Directly Update Magisk ! Clear Repo!
From Now On To Enter The TWRP You Need To Put The USB Cable In The Phone And Hold VOL- And Power To Enter Bootloader From Here Force Power Off " Hold Power Untill Black Screen Then Quickly Hold VOL+ Alone Untill You Read "Your Device Is Booting Now..." Only Way To Enter TWRP Using "ERECOVERY_RAMDISK" Partition.. And Always Use Reboot Then Recovery to Enter Rom From TWRP .. If Not You Need To Reflash recovery_ramdisk with r.ram.mod.img
Now You Can Backup Data And Restore Data With Out Fork Errors We Should Also Be Able To Both Backup/Restore Cust , Modem_fw And Vendor. But We Only Need Data, System , Erecovery_ramdisk And Recovery_ramdisk To Get A Good Complete Backup.
Peace MarsDroid/BrokenWorm
Unlock Bootloader
First Unlock Bootloader : flash oem unlock ********code******???????
The question is, will it unlock the bootloader? . This is what i need, plis
KenynTM said:
First Unlock Bootloader : flash oem unlock ********code******???????
The question is, will it unlock the bootloader? . This is what i need, plis
Click to expand...
Click to collapse
Becoes your new ill be nice.. but plz dude.. u got to read more before you use this guide or you will end up with a pretty door stopper.
To unlock your bootloader use this DC UNLOCKER CLIENT : https://www.dc-unlocker.com/downloads
This is the 1 and only solution .
I cant flash Erecovery, i got
Writing 'Erecovery_ramdisk'
FAILED (remote: Comand not allowed)
My bootloader is unlocked, please help
I'm also stuck here^^^
Flash erecovery_ramdisk from twrp recovery... Sry forgot to mention that..
I recomend following or reading this post i wrote .. https://forum.xda-developers.com/showpost.php?p=80044263&postcount=9 .. about the same stuff
Welp, i managed to flash twrp to Erecocery, it's pretty easy
1 download twrp and patched recovery_ramdisk (i strongly recomend to extract the one from update.app with huawei firmware finder and huawei firmware extractor and pacth it with magisk manager)
2 copy twrp.img into your minimal adb folder and copy twrp and patched recovery_ramdisk into your micro sd
3 connect p20 lite (in fastboot Mode) to pc and open minimal adb and fastboot (cmd here) and flash twrp (fastboot flash recovery_ramdisk twrp.img)
3 Disconect and force power off, turn p20 lite and boot into recovery (power off and vol +) it Will boot into twrp
4 go to install and go to external storage, also select "Install image"
5 select your twrp.img, it will you ask where to Install, select "Erecocery_ramdisk" and Install it
6 repeat step 4 and now select your patched recovery_ramdisk.img and Install it on "recovery_ramdisk"
7 ???
8 profit
And now i'm stuck with the fstabs, i do all the steps on first post but when i try to move the modified ones shows an error, so what now?
RyogaIgnored said:
Welp, i managed to flash twrp to Erecocery, it's pretty easy
1 download twrp and patched recovery_ramdisk (i strongly recomend to extract the one from update.app with huawei firmware finder and huawei firmware extractor and pacth it with magisk manager)
2 copy twrp.img into your minimal adb folder and copy twrp and patched recovery_ramdisk into your micro sd
3 connect p20 lite (in fastboot Mode) to pc and open minimal adb and fastboot (cmd here) and flash twrp (fastboot flash recovery_ramdisk twrp.img)
3 Disconect and force power off, turn p20 lite and boot into recovery (power off and vol +) it Will boot into twrp
4 go to install and go to external storage, also select "Install image"
5 select your twrp.img, it will you ask where to Install, select "Erecocery_ramdisk" and Install it
6 repeat step 4 and now select your patched recovery_ramdisk.img and Install it on "recovery_ramdisk"
7 ???
8 profit
And now i'm stuck with the fstabs, i do all the steps on first post but when i try to move the modified ones shows an error, so what now?
Click to expand...
Click to collapse
i would try remounting the partitions rw
brokenworm said:
i would try remounting the partitions rw
Click to expand...
Click to collapse
Hi. The code I wrote from the twrp terminal window gives an error.
mount -o remount,rw /dev/block/mmcblk0p55
mount: can't find /dev/block/mmcblk0p55 in /proc/mounts
akif688 said:
Hi. The code I wrote from the twrp terminal window gives an error.
mount -o remount,rw /dev/block/mmcblk0p55
mount: can't find /dev/block/mmcblk0p55 in /proc/mounts
Click to expand...
Click to collapse
When you enter "ls -l /dev/block/mmcblk*" in the terminal, what does it say then?
I want to transfer this procedure to Honor 7X. Can someone please send output from the following commands (first to get list of names of partitions, second to get list of mounted filesystems) executed via adb shell on the P20 lite:
ls -l /dev/block/by-name
mount
Thanks a lot in advance.
ZB2016 said:
I want to transfer this procedure to Honor 7X. Can someone please send output from the following commands (first to get list of names of partitions, second to get list of mounted filesystems) executed via adb shell on the P20 lite:
ls -l /dev/block/by-name
mount
Thanks a lot in advance.
Click to expand...
Click to collapse
the partitons change from rom build to rom build and is useless. ..
i moved on to new device sry ..
but this is the partitions i was playing with :
"patition name/table layout of editable partitions from recovery"
cust = mmcblk0p53
vendor = mmcblk0p55
modem_fw = mmcblk0p37
erecovery_ramdisk = mmcblk0p29
recovery_ramdisk = mmvblk0p33
im guessing this answers your question
brokenworm said:
the partitons change from rom build to rom build and is useless. ..
...
im guessing this answers your question
Click to expand...
Click to collapse
perfect! Thanks a lot!
Does anyone have a working link to the r.ram.mod.img file?
EDIT: Nevermind... figured out I had to extract it from my firmware.
Guys tell me how to decrypt huawei p20 lite, i.e. turn off encryption.
and this parameter is not quite clear what it is and how - disable verity.
The device - the data folder is already encrypted, of the more comprehensible methods are of interest to me these two
this 1) "https://forum.xda-developers.com/t/...tion-on-emui-9-1-stock-roms-and-root.3953946/"
and this 2)
"https://forum.xda-developers.com/t/...-mediapad-t3-10-ags-w0.3843728/#post-78558329 "
but the first method does not show what to do after you mount it
In Terminal Type :
mount -o remount,rw /dev/block/mmcblk0p55
mount -o remount,rw /dev/block/mmcblk0p37
mount -o remount,rw /dev/block/mmcblk0p53
"name/table layout of editable partitions from recovery"
cust = mmcblk0p53
vendor = mmcblk0p55
modem_fw = mmcblk0p37
erecovery_ramdisk = mmcblk0p29
recovery_ramdisk = mmvblk0p33
i don't know if it's necessary to go through these commands, when i can copy these files, edit them and replace them back via TWRP, do i understand correctly that these commands will unlock the partition to overwrite the files inside it?
but i don't know if this method will work with emui 9.1 yet and the links to img are broken. + i'm afraid to overwrite TWRP with erecovery, because i figured out that i can't flash emui from fastboot erecovery, it is closed for him, only with TWRP and i'm not sure if i can? "+ it's not clear, replaced the files and that's it? "
the second way I stopped
I don't understand why I can't see the boot img from the extracted firmware Anne-L01 9.1.0.370(C432E7R1P7T8)
Is it locked or what? but i saw verity in FASTBOOT.img - or should i edit it to disable verity? and the question is different things recovery and boot? so i doubt in the correct execution.
and in this video i saw how to remove veirty, but what is it ?
as i understand this will not remove the forced encryption , but as i understand this will move me one step closer to the goal of disabling all verity and encryption too.
I don't understand what vbmeta is either, do I have to dig around in my target just to remove this forced encryption or is it an extra parameter, I mean vbmeta ?