Related
Hi there !
I just registered to this huge forum full of ressources and so many stuffs to dig in.. I own a Z1 Compact I bought last week and got into mods etc.. This is my first Android device and therefore got into it for the first time.. and what a world.. so many things over here..
As a developper, I'm getting interested in this environment so I first tried to gain access to this unix-based system called Android in order to see how this works..
Here my first steps: I needed to be root on this device..okay.. through tutos I read, I needed to unlock bootloader then I needed to install a new boot called ClockWorkMod (I believe this is a boot, according fastboot argument I supplied..) to allow me running the SuperUser script to be root. Afterwards, I backed up my TA partition..
Okay, these steps were done pretty out of the box, without Android knowledge so far.. Now, I'm about to install busybox for tools I'm used to use on every linux platforms.. but I really lack Android knowledge about Android partitioning system (I came across TA partition, /boot, /data what else ??), content, permissions management.. in few words, Android philosophophy So guys, do you know good web ressources around my questionings so that I can start properly and the right way
I'd really like to contribute in a humbly manner, I've already developped upon ARM platforms with realtime OS and many stuffs around linux kernel, so if you guys had any suggestions for low-level dev and Android in-depth ressources etc.. I'd be grateful
Thanks a lot.
PaowZ said:
Hi there !
I just registered to this huge forum full of ressources and so many stuffs to dig in.. I own a Z1 Compact I bought last week and got into mods etc.. This is my first Android device and therefore got into it for the first time.. and what a world.. so many things over here..
As a developper, I'm getting interested in this environment so I first tried to gain access to this unix-based system called Android in order to see how this works..
Here my first steps: I needed to be root on this device..okay.. through tutos I read, I needed to unlock bootloader then I needed to install a new boot called ClockWorkMod (I believe this is a boot, according fastboot argument I supplied..) to allow me running the SuperUser script to be root. Afterwards, I backed up my TA partition..
Okay, these steps were done pretty out of the box, without Android knowledge so far.. Now, I'm about to install busybox for tools I'm used to use on every linux platforms.. but I really lack Android knowledge about Android partitioning system (I came across TA partition, /boot, /data what else ??), content, permissions management.. in few words, Android philosophophy So guys, do you know good web ressources around my questionings so that I can start properly and the right way
I'd really like to contribute in a humbly manner, I've already developped upon ARM platforms with realtime OS and many stuffs around linux kernel, so if you guys had any suggestions for low-level dev and Android in-depth ressources etc.. I'd be grateful
Thanks a lot.
Click to expand...
Click to collapse
Welcome in the exciting world of Android! I am by no means a programmer, but I have been here for a while and will just explain a few things I think are helpful. If it's stuff you already know, feel free to ignore it.
Important things first: I hope you have made a Backup of your TA-Partition before unlocking the bootloader. Unlocking the bootloader modifies the TA- partition. It is not possible to undo it if you d not have a backup. Flashing someone else's TA will brick your device!
If I am not mistaken, the TA is mainly used to verify that the phone is in original condition e.g. not modified.
Unlocking the Bootloader (BL) removes Sony's DRM-Keys from the partition, because unlocking enables you to get root access and copy all the protected stuff anyways. The result is that you loose access to some of sony's services and the use of XReality engine.
Unlocking the BL breaks the Sony Update Service, but if you unlocked with Flashtool, you will be able to relock easily. Do only relock while on a stock kernel, else the phone won't boot because it detects modified firmware.
AFAIK root is a function of the kernel, as is ClockWorkMod Recovery (CWM). they come included in, for example, DooMKernel.
Superuser and SuperSU are apps that allow you to manage root acces, giving it to the apps that need it, and stopping bad apps from getting it.
Recovery and fastboot *for me* something like a secondary boot partition. I don't know if that's technically correct, but even if the system is unbootable, you can boot into CWM and work from there.
TWRP (TeamWin Recovery Project) is another custom recovery that allows you to do interesting things.
Do not mess with the BL and TA more than necessary. A broken TA, aswell as a messed-up BL, can prevent you from booting. As long as the BL is functional and you can get into Flashmode or fastboot mode, the phone can be saved.
If/when you have root, use Terminal Emulator from Google play to find partitions.
for more tecnical aspects, go over to the "Original Android Development" forum for the Z1C. Be aware that you need a minimum uf 10 posts to be able to post there. They are a little picky about the quality of your posts.
LINKS
http://forum.xda-developers.com/wiki/Android
https://developer.android.com/index.html
https://source.android.com/
http://en.wikipedia.org/wiki/Android_(operating_system)
http://www.google.com :angel:
Hi Coirpre !!
Thanks a lot for the tips
Important things first: I hope you have made a Backup of your TA-Partition before unlocking the bootloader. Unlocking the bootloader modifies the TA- partition. It is not possible to undo it if you d not have a backup. Flashing someone else's TA will brick your device!
Click to expand...
Click to collapse
Unlocking the Bootloader (BL) removes Sony's DRM-Keys from the partition, because unlocking enables you to get root access and copy all the protected stuff anyways. The result is that you loose access to some of sony's services and the use of XReality engine.
Click to expand...
Click to collapse
Well, this step is pretty confusing, since *they* indeed advise you to proceed to TA backup before any BL unlocking but before running the script that saves your TA, you need to be root.. and thus, to load CWM and guess what ? Need to unlock BL to install CWM.. Unless I missed something, it looks a bit weird..
Anyway, I unlocked through the use of FlashTool utility and apparently it hadn't compromised XReality nor TrackID either.. (I read somewhere TrackID app won't start if your DRM are broken.. true ??)
Do not mess with the BL and TA more than necessary. A broken TA, aswell as a messed-up BL, can prevent you from booting. As long as the BL is functional and you can get into Flashmode or fastboot mode, the phone can be saved.
Click to expand...
Click to collapse
This is one of my first questioning.. Usually, if you consider a mainstream PC, you have a piece of code we formerly called a BIOS before EFI system, this BIOS launchs a bootloader (GRUB/LILO whatever.. for linux or NTLDR for Win) and even if you wipe this bootloader, you can always rewrite a fresh one and the BIOS will then start it and the OS to start as well.. You just need to boot upon another medium to restore/install a bootloader, the BIOS is not altered.
But in this device, it appears one can hard-break the unit, solely by messing with BL/TA partitions.. like if there wasn't any BIOS equivalent.. When you say As long as the BL is functional [..] you can get into Flashmode/Fastboot mode I wonder how that piece of code responsible of this feature is not hard-coded in a ROM.. Powering up this device while gently pushing a hardware button is usually processed by a hard-coded system - the BIOS. Just like when you hold pressed the Power button of your running PC, this is the BIOS which interprets this command as a "Shut down right now !!" this is not the role of a bootloader.. I have to know more about Sony system
Thanks for the links, btw
There is a way to root and install CWM without unlocking the bootloader.
BTW Root is allowing us to modify /system and unlocking to change kernel.
/system partition is same as C:/WINDOWS on PC.
Only, on android this is prohibited. And you gain access by rooting it.
So, if you want to root you insert a few apps and scripts to /system. Since it's prohibited developers find exploits to insert those files to /system by various tricks.
That's how you are rooted without unlocking the bootloader. And that's how you can backup your TA before unlocking the bootloader.
And, yeah, CWM can be inserted to /system as well as in kernel. But it's better to be in kernel since it won't be easily wiped out when you screw up something.
Basically, what you did is unlock the bootloader (lost DRM?) > insert CWM to kernel > Use CWM to root.
But don't worry, one couldn't care less about DRM. You don't need that for anything. And I heard Sony fixed removing DRM issues by unlocking the bootloader on latest firmwares but I'm not sure.
And about BIOS, yeah...I was wondering about that as well. But for sure if you mess up with boot.img that you flashed phone won't be able to recover / must go to the service. That's a good question why. Anyone could tell me more about that?
PaowZ said:
Well, this step is pretty confusing, since *they* indeed advise you to proceed to TA backup before any BL unlocking but before running the script that saves your TA, you need to be root.. and thus, to load CWM and guess what ? Need to unlock BL to install CWM.. Unless I missed something, it looks a bit weird..
[...]
I have to know more about Sony system
Click to expand...
Click to collapse
As option58 said, you can root using exploits. Unlocking is the official way provided by sony. However, there are always some hacks which can get you root without unlocking. That way you can back up TA without unlocking. On this device it is quite a hassle and involves flashing japanese and english firmwares...
Some of it is Sony, mainly the TA stuff they integrated for security and modification-checking. The boot process however is probably more or less the same on all android devices.
Option58 said:
And about BIOS, yeah...I was wondering about that as well. But for sure if you mess up with boot.img that you flashed phone won't be able to recover / must go to the service. That's a good question why. Anyone could tell me more about that?
Click to expand...
Click to collapse
I agree that there must be something hardcoded that runs after the power button is pressed, but it probably is not enough. Notice that the device must be acessible (R/W) to restore a messed up BL, which is probably only the case after boot is completed. So:
Buttonpress --> BIOS --> BL (Whichever mode) --> partitions acessible. So If you can not get past the BL, you can not access the memory and thus not fix the BL.
But I am just speculating, so either we get some knowledgeable people in here, or someone has to read it up/google it.
[EDIT:] Oh, and by the way, PaowZ, can you change the topic to something more descriptive, "technical questions about boot process and partition handling" or something? maybe that will attract knowledgeable people...
Buttonpress --> BIOS --> BL (Whichever mode) --> partitions acessible. So If you can not get past the BL, you can not access the memory and thus not fix the BL.
Click to expand...
Click to collapse
I'm almost sure there must be a way to access to raw flash r/o through addressing.. at least from some pin-outs on the motherboard of the Z1C..
I don't know S1 flashing protocol, maybe there is a way to force writes at a specific address, provided we could know start addresses of each partition..
This is actually what I do when I have to deal with ARM devices through a rs232 port.. I can flash wherever I want and too bad if I make a typo in the address. The device just won't load up anything, but it won't hard-brick anything..
PaowZ said:
I'm almost sure there must be a way to access to raw flash r/o through addressing.. at least from some pin-outs on the motherboard of the Z1C..
I don't know S1 flashing protocol, maybe there is a way to force writes at a specific address, provided we could know start addresses of each partition..
This is actually what I do when I have to deal with ARM devices through a rs232 port.. I can flash wherever I want and too bad if I make a typo in the address. The device just won't load up anything, but it won't hard-brick anything..
Click to expand...
Click to collapse
well, this thread might interest you...
and I found this by chance, you were interested in the partitions:
Android-supported hardware shares some common features due to the nature of the operating system. The Android OS is organized into the following images:
Bootloader - Initiates loading of the boot image during startup
Boot image - Kernel and RAMdisk
System image - Android operating system platform and apps
Data image - User data saved across power cycles
Recovery image - Files used for rebuilding or updating the system
Radio image - Files of the radio stack
Click to expand...
Click to collapse
However: this topic is far beyond my knowledge, at the moment I have just started learning Java to start tinkering with Android on app-level. You will have to find out by yourself. However, I am VERY interested in what you find, because these thingsa are always good to know. There are a lot people from the forums which could help you. Just go read a bit in the "Original Android Development" subforum to find the good people
In the Google's YouTube channel there are quite many deep dive videos for multiple aspects of the Android system.
Use the search Luke ?
As far as I read this thread it is too late to make TA backup.
As it's Android One device, it probably uses Google OTA service. If you would be able to provide me with system fingerprint, there's a chance for me to get full OTA link to start up the development for this and possibly other devices.
How to do it?
Install Terminal Emulator from Google Play, type:
Code:
getprop | grep fingerprint
and click enter.
if you want to provide more of usable data, use just
Code:
getprop
Thread will be updated with links once somebody helps. Or will be closed in case of no solution.
pastebin.com/wWpYHPHd
WmcB said:
pastebin.com/wWpYHPHd
Click to expand...
Click to collapse
No update available yet, so I can't check currently if there will be full OTA zips. If you still have the access to this device, try getting kdz download link or file itself (via the official LG tool). Or post/*pm* the IMEI (it may be without last three numbers, because I don't need your own, but just any of them to simulate LG Bridge request). Basically, the only way to get fw now is to get the kdz. Aand last question: is G7 One bootloader unlockable? From what I saw in getprop, there was a prop suggesting that OEM unlock switch is blocked.
j1505243 said:
No update available yet, so I can't check currently if there will be full OTA zips. If you still have the access to this device, try getting kdz download link or file itself (via the official LG tool). Or post/*pm* the IMEI (it may be without last three numbers, because I don't need your own, but just any of them to simulate LG Bridge request). Basically, the only way to get fw now is to get the kdz. Aand last question: is G7 One bootloader unlockable? From what I saw in getprop, there was a prop suggesting that OEM unlock switch is blocked.
Click to expand...
Click to collapse
After enabling developer mode, I am given the option of unlocking the bootloader from the developer menu. I am able to enable it but I didn't test it.
The config [sys.oem_unlock_allowed]: [1] is now set
I tried using LG Mobile Support tool. Software is up to date, so I went into Upgrade Recovery menu option. It did a few checks and failed after "analyzing software version."
The error was "problem with communication between cell phone and PC." Maybe LG's support tool isnt updated to handle the phone yet.
I'll PM you an IMEI
WmcB said:
After enabling developer mode, I am given the option of unlocking the bootloader from the developer menu. I am able to enable it but I didn't test it.
The config [sys.oem_unlock_allowed]: [1] is now set
I tried using LG Mobile Support tool. Software is up to date, so I went into Upgrade Recovery menu option. It did a few checks and failed after "analyzing software version."
The error was "problem with communication between cell phone and PC." Maybe LG's support tool isnt updated to handle the phone yet.
I'll PM you an IMEI
Click to expand...
Click to collapse
Ok, managed to decrypt LGMST thingies. So, it seems that LG just didn't push any kdz yet. But the good news is that we should be able to fetch them as soon as they do it. In the free time, see if you can extract the Camera app from the device. Through Solid Explorer, for example.
j1505243 said:
Ok, managed to decrypt LGMST thingies. So, it seems that LG just didn't push any kdz yet. But the good news is that we should be able to fetch them as soon as they do it. In the free time, see if you can extract the Camera app from the device. Through Solid Explorer, for example.
Click to expand...
Click to collapse
Camera apk extracted
drive.google.com/drive/folders/1aRgQAUxq_aqtU7kOeXd3A1OD_dR6oUDo
WmcB said:
After enabling developer mode, I am given the option of unlocking the bootloader from the developer menu. I am able to enable it but I didn't test it.
The config [sys.oem_unlock_allowed]: [1] is now set
Click to expand...
Click to collapse
Did you end up unlocking the bootloader? I am considering getting this phone tomorrow but only if the bootloader can be unlocked.
jfd3220 said:
Did you end up unlocking the bootloader? I am considering getting this phone tomorrow but only if the bootloader can be unlocked.
Click to expand...
Click to collapse
I may not be savvy enough to test if it is unlocked. I ran "adb reboot bootloader" but it rebooted normally. Is there another way I can check?
WmcB said:
I may not be savvy enough to test if it is unlocked. I ran "adb reboot bootloader" but it rebooted normally. Is there another way I can check?
Click to expand...
Click to collapse
Maybe try
Code:
fastboot oem device-info
Bootloader unlocked from dev options.
I recall seeing other phones with that option that did not actually have unlockable bootloaders.
Pr0l1f1k said:
Bootloader unlocked from dev options.
Click to expand...
Click to collapse
Thanks but that's just a setting that you have to change to enable the unlocking. You also have to enable USB Debugging in Developer Options, then reboot into fastboot as instructed here.
Enable USB-Debugging on your phone. USB-Debugging is required for the commands “adb” and “fastboot” to work. To enable USB-Debugging, go to Settings > About phone > Software info and tap Build number 7 times. Return to the previous screen, select Developer options and enable USB-Debugging.
Enable OEM unlock on your phone. Activating the "Enable OEM unlock" is necessary for the bootloader unlock. To enable OEM unlock, go to Settings > Developer options and check Enable OEM unlock.
You can view the Device ID by connecting your phone to the PC using a USB cable and entering "adb reboot bootloader" in DOS command window. Your phone will reboot into the fastboot mode. Enter "fastboot oem device-id" in DOS command window.
Are you able to retrieve the Device ID?
EDIT: Never mind. I just got this from LG Support Chat: "As per our MC Specialists, unlocking the bootloader on G7 One is not possible anymore."
jfd3220 said:
EDIT: Never mind. I just got this from LG Support Chat: "As per our MC Specialists, unlocking the bootloader on G7 One is not possible anymore."
Click to expand...
Click to collapse
I can confirm that this phone will not enter fastboot with the "adb reboot bootloader" command. It just reboots to system like normal.
snardos said:
I can confirm that this phone will not enter fastboot with the "adb reboot bootloader" command. It just reboots to system like normal.
Click to expand...
Click to collapse
So is that it? Will we ever be able to unlock the bootloader.
j1505243 said:
As it's Android One device, it probably uses Google OTA service. If you would be able to provide me with system fingerprint, there's a chance for me to get full OTA link to start up the development for this and possibly other devices.
How to do it?
Install Terminal Emulator from Google Play, type:
Code:
getprop | grep fingerprint
and click enter.
if you want to provide more of usable data, use just
Code:
getprop
Thread will be updated with links once somebody helps. Or will be closed in case of no solution.
Click to expand...
Click to collapse
Hi ! I will receive my LG G7 One this week and I'm fully commited to help you get the files / test things on my device.
Please let me know, if can be any help !
Simshady97 said:
As it's Android One device, it probably uses Google OTA service. If you would be able to provide me with system fingerprint, there's a chance for me to get full OTA link to start up the development for this and possibly other devices.
How to do it?
Install Terminal Emulator from Google Play, type: and click enter.
if you want to provide more of usable data, use just
Hi ! I will receive my LG G7 One this week and I'm fully commited to help you get the files / test things on my device.
Please let me know, if can be any help !
Click to expand...
Click to collapse
Nah, we are seemingly clogged, until kdz start to distribute. For now, you may just capture the OTA link in adb.
Heads up for anyone interested in this phone: it is available on ebay. I've looked a few times over the last week, and there have been several of them up for grabs for a reasonable price. It's also available on Canadian Amazon (amazon.ca).
If anyone is wondering what frequency bands the phone will use, let me know and I can call around and ask some place that sells this phone.
Ok
Sent from my LGE LG-Q710AL using XDA Labs
fingerprint
O:/ $ getprop | grep fingerprint
[ro.boot.vendor.lge.fingerprint_sensor]: [1]
[ro.bootimage.build.fingerprint]: [lge/phoenix_lao_com/phoenix_sprout:9/PKQ1.180904.001/191471306ed81:user/release-keys]
[ro.build.fingerprint]: [lge/phoenix_lao_com/phoenix_sprout:9/PKQ1.180904.001/191471306ed81:user/release-keys]
[ro.vendor.build.fingerprint]: [lge/phoenix_lao_com/phoenix_sprout:9/PKQ1.180904.001/191471306ed81:user/release-keys]
:/ $
Can someone please share the stock camera APK of this phone?
This is a guide on how to unlock the bootloader, install TWRP, and root your Huawei Nova 3i/P Smart+. (INE-LX1/INE-LX2). You need at least $20 to unlock the bootloader.
Thanks for @medoamer for trying this first and helping me out!
Code:
#include <std_disclaimer.h>
/*
* Your warranty will be void if you follow this guide.
*
* Only YOU are responsible for any damage done to your
* device by following this guide. I'm not affiliated with, or
* responsible for any service mentioned below.
*
*/
You will need:
-A working Nova 3i/P Smart+.
-$20/$22/$55 depending on your preferences.
-A Windows PC. (PM me if you have a Linux one, I will update the guide accordingly)
-A working SD card that is tested and working with your phone.
-A reliable USB cable which works for connecting your phone to your PC.
-A backup (optional)
PART 1: Bootloader Unlock
To unlock your bootloader you need a bootloader unlock code. Huawei stopped giving bootloader codes in end of July. But you can buy one in one of the webistes below. You have to send your IMEI to them, and they will generate the unlock code and send it to you. You can see your IMEI at System>>About Phone>>IMEI.
1.) Global Unlocking Solutions for $20/$22
First of all, I know that the website looks super sketchy. But @medoamer, myself, and a lot of other XDA users had success with this method. I spent the extra $2 for the fast service, but it is up to you.
2.) FunkyHuawei for $55
The advantage of FunkyHuawei is that they have a good track record with XDA and other services, a refund policy, and just you know what you are getting into. You can ask for a refund if the code does not work.
3.) Ministry of Solutions for €30
A lot of XDA users had success with this method also. I don't know much information about this method, but the ysay they offer a refund if the code doesn't work.
Got the code? Good. You are mostly done now...
Install ADB and Fastboot. I'm not going to give a guide on how, you can search for it. Download and install Hisuite from here. Connect your phone to your PC, and open a command prompt on your ADB folder. Run,
Code:
adb reboot bootloader
Wait for your device to reboot and show a screen with title "FASTBOOT & RESCUE MODE". In the next command replace <code> with the unlock code you bought. The next step will wipe all the data on your device, so you might want to backup your important data.
Code:
fsatboot oem unlock <code>
Congratulations, you just unlocked the bootloader of your device. Your warranty is legally void now. Reboot the device with the command;
Code:
fastboot reboot
PART 2: Install TWRP and Magisk
First, connect your SD card to your phone, download Magisk ZIP here, and place it in your SD card.
Reboot to Fastboot again with,
Code:
adb reboot bootloader
Download the TWRP image here and copy it your ADB folder. Use this command to flash TWRP.
Code:
fastboot flash recovery_ramdisk twrp-kirin.img
Hold the power button to turn your phone off. Disconnect your phone from your PC. Now hold the power button and Vol. Up button until the Huawei logo appears, then let go of both buttons. The blue TWRP logo should appear and after a second you would see the TWRP menu. If you see the Keep System Read-Only menu, swipe right.
Go to Install>>Select Storage>>Micro SD Card. You should see the Magisk ZIP you placed there earlier. Select it, and Confirm to flash. After the flashing is over, reboot your phone.
Congratulations, now you have a rooted device!
If you need any help along the way, or end up bricking your device, I will help you the best I can.
Good Luck!
Tested procedure on PAR-LX9
I have tried the method in my Nova 3, PAR-LX9, and I confirm that this works.
I did search a little for the TWRP image since I can't access the TWRP image in your link..
If we can place another thread for the PAR-LX9 thread then that will be great.
By the way, this is my first post at xda, hopefully this post complies with the xda's rules
Cheers
codvph said:
I have tried the method in my Nova 3, PAR-LX9, and I confirm that this works.
I did search a little for the TWRP image since I can't access the TWRP image in your link..
If we can place another thread for the PAR-LX9 thread then that will be great.
By the way, this is my first post at xda, hopefully this post complies with the xda's rules
Cheers
Click to expand...
Click to collapse
Hi, Can you share the link where you got the TWRP? Can't seem to find the proper one. Thank you!
TWRP
june.castillote said:
Hi, Can you share the link where you got the TWRP? Can't seem to find the proper one. Thank you!
Click to expand...
Click to collapse
I can't post outside links for now (haven't got to 10 posts); Will try to send you PM
Note that it works in my unit PAR-LX9. If you have a different phone, flash at your own risk.
Has anyone have tried this with Nova 3i INE-LX2? Also do you have steps for Mac? Thanks!
codvph said:
I have tried the method in my Nova 3, PAR-LX9, and I confirm that this works.
I did search a little for the TWRP image since I can't access the TWRP image in your link..
If we can place another thread for the PAR-LX9 thread then that will be great.
By the way, this is my first post at xda, hopefully this post complies with the xda's rules
Cheers
Click to expand...
Click to collapse
friend do you think you could facilitate the twrp link I also have the par-lx9
TWRP
Julioz13 said:
friend do you think you could facilitate the twrp link I also have the par-lx9
Click to expand...
Click to collapse
here... this TWRP is for PAR-LX1, but I've flashed this and is working in my PAR-LX9
remember to backup before flashing...
drive.google.com/open?id=1X3jaCEUDhR08oPlAHbuwzbA07hrPcmoE
Does Phone unlocked mean bootloader unlocked?
https://forum.xda-developers.com/attachment.php?attachmentid=4633403&d=1541248513
talongt said:
Does Phone unlocked mean bootloader unlocked?
https://forum.xda-developers.com/attachment.php?attachmentid=4633403&d=1541248513
Click to expand...
Click to collapse
It SHOULD, but this device has a bug that causes it to br sometimes incorrectly displayed (Unlocked when actually locked)
Do I have to unlock bootloader first, before root it?
pls specify what version of emui to get the unlock codes.
oof, prices went up. how unfortunate.
codvph said:
here... this TWRP is for PAR-LX1, but I've flashed this and is working in my PAR-LX9
remember to backup before flashing...
drive.google.com/open?id=1X3jaCEUDhR08oPlAHbuwzbA07hrPcmoE
Click to expand...
Click to collapse
thanks friend and some page that you recommend to unlock the bootloader?
jioleight said:
pls specify what version of emui to get the unlock codes.
oof, prices went up. how unfortunate.
Click to expand...
Click to collapse
unlocking bootloader is via fastboot, so I don't think the version of EMUI is important
for reference: I unlocked mine back when EMUI was 8.2
---------- Post added at 09:59 AM ---------- Previous post was at 09:57 AM ----------
Julioz13 said:
thanks friend and some page that you recommend to unlock the bootloader?
Click to expand...
Click to collapse
global unlocking solutions.. the link is in the Nova 3i root/twrp guide
forum.xda-developers.com/nova-3/how-to/guide-how-to-install-twrp-root-huawei-t3878946
payment is via paypal.. you can message them via viber or e-mail.. they respond promptly..
Hi, the link to download the TWRP is not working. I need the recovery for INE-LX1, P Smart Plus. Could you help me? I'm trying to root my P Smart Plus.
Thanks in advance.
I'm using par-lx2...
waiting dear dev did some miracle.
firstly I'm hoping unlock bootloader and root, superSU or magisk. then I'm hoping some lineageOS or statixOS.
a moment of silence for my hopes...
No options to unlock bootloader nova 3i
NO OPTIONS TO UNLOCK BOOTLOADER NOVA 3I,
ABOVE LINKS ARE NOT WORKING.
Supersonic27543 said:
This is a guide on how to unlock the bootloader, install TWRP, and root your Huawei Nova 3i/P Smart+. (INE-LX1/INE-LX2). You need at least $20 to unlock the bootloader.
Thanks for @medoamer for trying this first and helping me out!
Code:
#include <std_disclaimer.h>
/*
* Your warranty will be void if you follow this guide.
*
* Only YOU are responsible for any damage done to your
* device by following this guide. I'm not affiliated with, or
* responsible for any service mentioned below.
*
*/
You will need:
-A working Nova 3i/P Smart+.
-$20/$22/$55 depending on your preferences.
-A Windows PC. (PM me if you have a Linux one, I will update the guide accordingly)
-A working SD card that is tested and working with your phone.
-A reliable USB cable which works for connecting your phone to your PC.
-A backup (optional)
PART 1: Bootloader Unlock
To unlock your bootloader you need a bootloader unlock code. Huawei stopped giving bootloader codes in end of July. But you can buy one in one of the webistes below. You have to send your IMEI to them, and they will generate the unlock code and send it to you. You can see your IMEI at System>>About Phone>>IMEI.
1.) Global Unlocking Solutions for $20/$22
First of all, I know that the website looks super sketchy. But @medoamer, myself, and a lot of other XDA users had success with this method. I spent the extra $2 for the fast service, but it is up to you.
2.) FunkyHuawei for $55
The advantage of FunkyHuawei is that they have a good track record with XDA and other services, a refund policy, and just you know what you are getting into. You can ask for a refund if the code does not work.
3.) Ministry of Solutions for €30
A lot of XDA users had success with this method also. I don't know much information about this method, but the ysay they offer a refund if the code doesn't work.
Got the code? Good. You are mostly done now...
Install ADB and Fastboot. I'm not going to give a guide on how, you can search for it. Download and install Hisuite from here. Connect your phone to your PC, and open a command prompt on your ADB folder. Run,
Code:
adb reboot bootloader
Wait for your device to reboot and show a screen with title "FASTBOOT & RESCUE MODE". In the next command replace <code> with the unlock code you bought. The next step will wipe all the data on your device, so you might want to backup your important data.
Code:
fsatboot oem unlock <code>
Congratulations, you just unlocked the bootloader of your device. Your warranty is legally void now. Reboot the device with the command;
Code:
fastboot reboot
PART 2: Install TWRP and Magisk
First, connect your SD card to your phone, download Magisk ZIP here, and place it in your SD card.
Reboot to Fastboot again with,
Code:
adb reboot bootloader
Download the TWRP image here and copy it your ADB folder. Use this command to flash TWRP.
Code:
fastboot flash recovery_ramdisk twrp-kirin.img
Hold the power button to turn your phone off. Disconnect your phone from your PC. Now hold the power button and Vol. Up button until the Huawei logo appears, then let go of both buttons. The blue TWRP logo should appear and after a second you would see the TWRP menu. If you see the Keep System Read-Only menu, swipe right.
Go to Install>>Select Storage>>Micro SD Card. You should see the Magisk ZIP you placed there earlier. Select it, and Confirm to flash. After the flashing is over, reboot your phone.
Congratulations, now you have a rooted device!
If you need any help along the way, or end up bricking your device, I will help you the best I can.
Good Luck!
Click to expand...
Click to collapse
@Supersonic27543 your TWRP link posted in OP to 4PDA is dead, as seen in screenshot..
@daveyannihilation why did you delete my previous post?
hinxnz said:
@Supersonic27543 your TWRP link posted in OP to 4PDA is dead, as seen in screenshot..
@daveyannihilation why did you delete my previous post?
Click to expand...
Click to collapse
Dude what the fudge are you talking about? I haven't deleted any post of yours.
daveyannihilation said:
Dude what the fudge are you talking about? I haven't deleted any post of yours.
Click to expand...
Click to collapse
Hey sorry bout that man, must of been my bad :cyclops:
Can anyone help me?
I can't for the life of me get Magisk to install on my Nova 3i. Every time i install it with TRWP, the install runs fine, then when i reboot the device, it says "Magisk not installed"??? I've tried updating, it doesn't work. Ive tried to download the official firware, but the extractor tool doesnt work with Nova 3i. Anyone help me???
Thanks
I started this thread awhile back in hopes to get more testers for the revision 4 bootloader. My other State of Root thread was originally based on BL Revision 3 anyways and just where we've released what root methods there are I'm going to eventually gear that more towards Revision 3 LP & MM status. I'm going to consolidate a bit of the later research in that thread here, specifically for rev4 so we can get a clearer vision of how to finish what we started 3 years ago.
Many Thanks go out to @afaneh92 , @xenomorph318 , @Reverse-anastomosis for helping me jump start this back up. Thanks to @jrkruse , and @elliwigy to giving me more ideas to get this going again. We might just be able to make this happen now.
****
So what I have is:
4APL1 Combo Firmware
1AOGG stock 5.1 fw (stock recovery mode speaks nothing of dm-verity)
2APB2 stock 5.1 fw
Rooted ENG UCE2APB2 boot.img
(looking for/getting) 4CPK1 stock 6.0.1 fw
4CQB2 stock 6.0.1 fw
These are the firmware files I am currently looking at. Before, we were looking primarily at Rev4 MM via dirtyc0w. But we never had safestrap back then. The Revision 4 bootloader supports LP, MM, and Nougat. And safestrap works on LP and Nougat right? So doesn't (can't it?) work on MM too? So couldn't we go from a rooted combo or stock 5.1 system with safestrap and flash over into a 6.0.1 build and retain safestrap? The HOME_CSC comes in handy in 6.0.1 flashing.
++ Now we have the option of potentially using a rom slot to do tests on a mirror dummy of the emmc. Don't be like me and try to mess with the partition table to /sdb with sgdisk, that's what deleted the bootloader on my g925v.
---- After we can get the 5.1 stock system booted for the rev4 combo BL, we can start to find out if we can flash the 2APB2 ENG Kernel through ODIN or if we will have to flash a safestrap package to get the LP Eng Kernel to boot.
=== Having the ENG Kernel Booted, with an sboot console also available, we would have a root shell to the AP & BL. There is a rev4 (combination, unbootable) recovery.img that fixes the DRK, that is supposed to also disable dm-verity. The Things in the system.img firmware are kind of copied into efs and param. As they don't seem to be populated until after first boot. But I see the .x509 FW key, and I also see A LOT of PEM certs on the FW too. Is it really hardware baked? Because it seems more like a lot of software checks in upgrade programs.
****
The end goal right now is to put together a pre-rooted stock 5.1 system.img, that can be flashed via safestrap, that will boot on on the 4APL1 combo bootloader. I'm talking about getting the same result as afaneh92's N920V ROM What has also come up, is the ability to connect directly to the UART Console inside of the sboot.bin. This is great news. If xenomorph318 and Reverse-anastomsis can come into this thread and post their recent findings as well, we can really get this party started.
--- INITIAL CONCEPT ---
The system.img's are sparsed ext4 partitions. They can easily be unsparsed using simg2img, and then mounted on a linux pc. What I am looking to do this week inbetween work, is go back over these init.*.rc files and see how much they actually differ. I'm also going to try to modify enough to boot up a build in qemu if I can. I will then also try to build a safestrap zip for flashing. We've seen that this method is possible on the N920V and the rev5 N950U. It is my thought that the same can be achieved here.
Once we can get a stable driver going, we can begin working on a way to get enough leverage to upgrade our rooted stock ROM. Lucky for us we just might have DC access in the cache on MM. And having access to the cache can mean a lot of things when the system thinks it is updating. But I don't want to get too far ahead yet.
Since the sboot console can get full kernel logs we might be able to leverage that to pull out some full Remote Code Execution inside the sboot to get the eng kernel to work somehow. It's just that, having access to both a root system console and possibly a root sboot console, we can attain data that may just allow safestrap to unlock the bootloader like SS has been able to do in the past. There's always been a bit of speculation here, but so far a lot has panned out in the right directions like I'd hoped, I still need testers to come together on this project so we can leverage all of our knowledge. Lucky for us, 6.0.1 are on rev4 as well. We should be able to get MM installed with safestrap maybe now too. And from their we might really be able to leverage the exploits available to root MM builds as well.
/// DOWNLOADS \\\
SM-N920A FILES via GDrive.
About Android Bootloaders
Other documentation
N920A_NobleZero_rev4_ROM_v1.2.zip ( SS Flashable Zip, NEEDS TESTED, Based on 2APB2 FW )
akiraO1 said:
Post#112
But I did want to post my findings so far on my selinux adventures thus far with my note 7....
So I was able to change the root context permanently from ubject_r:rootfs:s0 to u:r:shell:s0.
This by itself isn't all that helpful except that I actually changed it, and it stuck when I rebooted the device.
I achieved this through dirtycow-ing the file_contexts file with my customs file_contexts file and the commmands restorecon -RFv / and chcon -Rhv u:r:shell:s0 / restorecon makes selinux reload the file_contexts file immediately, so it loads all or most of my custom contexts. then I do a chcon command to make sure it writes?
well thats all I have for now but im working vigorously and will keep posting my findings as I find them =)
Click to expand...
Click to collapse
\/\/
droidvoider said:
Post #7
My tool will likely be helpful to you because that sounds good enough as long as you can get to a prompt that is CVE-2016-5195 / SVE-2016-7504 vulnerable. Anyone who isn't patched beyond Sept 2016 on any Android in the last 10 years will be able to use the tool I'm building to do amazing things. I am designing it precisely for people like you and Delgoth who have large investments in phones that could simply be repaired with enough access.
I am thinking now to fork off a child process anytime I can capture root + "any_new_context"... This will be forked into a child process then kept in a loop. If there is a new root + context that happens along through toolbox, we will grab that also.. (but I won't grab two of the same for example root + system_server I just need once)
I am hoping I can control this loop from the command line but since I am not the caller of the process for which I am capturing I am not sure that would work. This is new code to me, not sure of any examples of something like this. If I have to control it through values I set in files it adds a little more time. The great news is I am not having binary size problems so I can add quite a bit of code while still keeping toolbox much less than the currently installed version on my Note 5. File size must match exactly otherwise patching causes seg fault and seg fault ruins the fun (reboot to cure but irritating)
anyway just needed to come up for air I have a ton done, need to get toolbox fired up to test angle.. any c programmers that want to help or anyone with awesome ideas please feel welcome I could use help
Click to expand...
Click to collapse
/\/ Re-Envision with Safestrap available \/\
droidvoider said:
Post #110
Warning: This can lead to a ruined phone that can't be repaired proceed with caution!
Warning: This HOWTO erases your contacts, stored music + photos, apps + data, Internal Storage, all of it GONE. Back it up before continuing!!
Notice: When finished you will remain on Android 6.01 Marshmallow, you will not upgrade to Nougat. But you can get rid of AT&T + Samsung apps and extend battery life by a lot! You can do a lot more than that but it is SELinux Enforcing, so you still have some limits
Introduction
This HOWTO will outline how to gain root on AT&T Note 5 Marshmallow 6.01 through Nougat 7.0 before Feb 2018 update! i.e. basebands beginning in N920AUCS4. Such as N920AUCS4CPK1 through N920AUCS4EQL1
If your baseband is N920AUCS3 or lower you can already root with Wondershare GoMobile (start at step 9)
If your baseband is N920AUCS5 then this method won't work for you.
Please be aware
This is 1 of 2 root methods for binary 4 N920A Note 5 AT&T Phones!! There is also a Lolipop Android 5.11 root method that allows selinux permissive persistent root you can use on Post 51 of this thread!
Gain root to disable any app and do other cool stuff
1. You need the drivers for Note 5 but they are likely already installed test it via. Connect the USB charging cable between your computer<>Note 5 you should see your phone pop up in File Explorer
(if you can't connect to your phone find the Samsung Note 5 drivers first)
2. If you don't have adb installed first install it on your machine (you can test it by opening a cmd prompt and typing adb, you should get instructions for use)
https://www.xda-developers.com/install-adb-windows-macos-linux/
3. Install Wondershare GoMobile, it's a 5 day trial so be ready to do this!!
4. Download and Unzip the Customized PJ1 + PK1 Firmware into a directory
https://drive.google.com/open?id=1qHVndp4wZXeKb5TFZSnsUT-s3EBmkHVW
5. Download Odin and Unzip it to a directory then click the file to start it up.
6. Select Odin Options tab and in Odin check Auto Reboot, F.Reset Time and Nand Erase All
(load the 4 files from the Customized PJ1 + PK1 zip into the respective slots)
7. Place phone in download mode, connect it to your PC then in Odin select Start to flash the firmware, you can unplug cable when phone reboots.
8. During initial phone setup disable Wifi, skip Google Play account, exit or skip everything you can.
9. Disable security updates under SETTINGS|PERSONAL|Lock screen and security|Other security settings|Security policy updates|Automatic updates OFF
10. Enable Developer options under SETTINGS|SYSTEM|About device (tap build numbers 7 times) then push arrow back to SYSTEM and open Developer options.
11. Under Developer options OEM unlock and USB Debugging should both be ON
12. Always allow usb debugging on phone screen when you are asked. Also allow MTP file transfer.
13. If Google asks for feedback data always DECLINE, they don't help us!
14. Connect cable and connect to Wondershare GoMobile then "One Click Root"
15. After success open Windows Command Prompt and type adb shell, then su
16. You can disable any apps now but start with these (copy / paste into cmd windows then hit enter)
pm disable com.ws.dm
pm disable com.sec.android.soagent
pm disable com.policydm
pm disable com.samsung.android.securitylogagent
pm disable com.lookout
17. You can enable Wifi and Sign in the Google Play now.
18. If you reboot your phone you need to use One Click Root again to regain root, but you are free to unplug the cable!
(If you crash your phone enter recovery mode, wipe data/factory reset, wipe cache and then start over from step 8.)
Apps I disable
Here's some apps you may not like. You can copy / paste these into cmd window but only in small batches at a time (hit enter after pasting it in the window)
Code:
[AT&T]
pm disable com.att.android.digitallocker
pm disable com.sec.enterprise.knox.attestation
pm disable com.locationlabs.cni.att
pm disable com.sec.att.usagemanager3
pm disable com.att.myWireless
pm disable com.yahoo.mobile.client.android.mail.att
pm disable com.asurion.android.mobilerecovery.att
pm disable com.synchronoss.dcs.att.r2g
pm disable com.att.android.attsmartwifi
pm disable com.wavemarket.waplauncher
pm disable com.telenav.app.android.cingular
pm disable com.smlds
pm disable com.matchboxmobile.wisp
pm disable net.aetherpal.device
[Odd Apps I disabled]
pm disable com.cequint.ecid
pm disable com.facebook.katana
pm disable com.facebook.system
pm disable com.facebook.appmanager
pm disable com.instagram.android
pm disable com.amazon.mShop.android.install
pm disable com.amazon.mShop.android
pm disable com.google.android.apps.walletnfcrel
pm disable com.americanexpress.plenti
pm disable com.amazon.kindle
pm disable com.hancom.office.editor
pm disable com.google.android.talk
pm disable com.sec.android.app.sbrowser
pm disable com.mobitv.client.tv
pm disable com.sec.android.service.health
pm disable com.sec.android.app.shealth
pm disable com.yellowpages.android.ypmobile
pm disable com.google.android.feedback
[Game related]
pm disable com.enhance.gameservice
pm disable com.wildtangent.android
pm disable com.ampsvc.android
[Sync Adapters]
pm disable com.samsung.svoice.sync
pm disable com.google.android.syncadapters.contacts
pm disable com.google.android.syncadapters.calendar
[Samsung Apps]
pm disable com.sec.android.easyMover.Agent
pm disable com.sec.android.Kies
pm disable com.sec.android.app.billing
pm disable com.sec.android.iap
pm disable com.sec.spp.push
pm disable com.sec.android.app.SecSetupWizard
pm disable com.osp.app.signin
pm disable com.sec.android.app.sns3
pm disable com.sec.android.app.SamsungContentsAgent
pm disable com.samsung.android.provider.filterprovider
pm disable com.samsung.android.writingbuddyservice
pm disable com.sec.android.widgetapp.samsungapps
pm disable com.samsung.android.app.galaxyfinder
pm disable com.samsung.android.themestore
pm disable com.samsung.svoice.sync
pm disable com.samsung.clipboardsaveservice
pm disable com.samsung.android.provider.shootingmodeprovider
pm disable com.samsung.android.app.withtv
pm disable com.samsung.android.hmt.vrshell
pm disable com.samsung.android.easysetup
pm disable com.samsung.android.qconnect
pm disable com.samsung.ucs.agent.boot
pm disable com.samsung.faceservice
pm disable com.samsung.knox.rcp.components
pm disable com.samsung.android.email.provider
pm disable com.samsung.android.intelligenceservice2
pm disable com.samsung.android.MtpApplication
pm disable com.sec.android.app.samsungapps
pm disable com.samsung.android.slinkcloud
pm disable com.samsung.android.SettingsReceiver
pm disable com.samsung.android.securitylogagent
pm disable com.samsung.android.app.watchmanager
pm disable com.samsung.android.app.assistantmenu
pm disable com.samsung.android.communicationservice
pm disable com.samsung.SMT
pm disable com.samsung.aab
pm disable com.samsung.cmh
pm disable com.samsung.dcm
pm disable com.samsung.vvm
pm disable com.samsung.hs20provider
pm disable com.samsung.android.smartface
pm disable com.samsung.klmsagent
pm disable com.samsung.android.providers.context
pm disable com.samsung.android.sdk.professionalaudio.utility.jammonitor
pm disable com.samsung.android.app.colorblind
pm disable com.samsung.android.hmt.vrsvc
pm disable com.samsung.storyservice
pm disable com.sec.app.samsungprintservice
pm disable com.samsung.android.app.talkback
pm disable com.samsung.android.authservice
pm disable com.samsung.app.slowmotion
pm disable com.samsung.android.weather
pm disable com.samsung.android.app.pinboard
pm disable com.samsung.android.personalpage.service
pm disable com.samsung.advp.imssettings
pm disable com.samsung.android.app.advsounddetector
pm disable com.samsung.android.app.mirrorlink
pm disable com.samsung.android.app.vrsetupwizardstub
pm disable com.samsung.android.clipboarduiservice
pm disable com.samsung.android.asksmanager
pm disable com.samsung.android.themecenter
pm disable com.samsung.android.spdfnote
pm disable com.samsung.android.allshare.service.fileshare
pm disable com.samsung.android.universalswitch
pm disable com.samsung.helphub
pm disable com.samsung.android.app.filterinstaller
pm disable com.samsung.imagecompress
pm disable com.samsung.safetyinformation
pm disable com.samsung.app.highlightplayer
pm disable com.samsung.enhanceservice
pm disable com.samsung.android.keyguardwallpaperupdator
pm disable com.samsung.android.app.accesscontrol
pm disable com.samsung.android.beaconmanager
pm disable com.samsung.ucs.ucspinpad
pm disable com.samsung.android.app.FileShareClient
pm disable com.samsung.android.scloud.backup
pm disable com.samsung.android.fmm
pm disable com.samsung.android.mdm
pm disable com.samsung.accessory
pm disable com.samsung.android.app.scrollcapture
pm disable com.samsung.android.app.interactivepanoramaviewer
pm disable com.samsung.android.scloud
pm disable com.samsung.android.app.soundpicker
pm disable com.samsung.android.spayfw
pm disable com.samsung.app.newtrim
pm disable com.samsung.android.spay
pm disable com.samsung.android.intelligenceservice
pm disable com.samsung.android.sm.policy
pm disable com.samsung.android.dlp.service
pm disable com.samsung.android.bbc.bbcagent
pm disable com.samsung.android.voicewakeup
pm disable com.samsung.android.app.watchmanagerstub
pm disable com.samsung.android.app.FileShareServer
pm disable com.samsung.android.sdk.professionalaudio.app.audioconnectionservice
pm disable com.samsung.android.service.aircommand
pm disable com.samsung.dcmservice
pm disable com.samsung.voiceserviceplatform
pm disable com.samsung.aasaservice
pm disable com.samsung.android.allshare.service.mediashare
pm disable com.samsung.android.fingerprint.service
pm disable com.samsung.ipservice
pm disable com.samsung.sec.android.application.csc
pm disable com.samsung.android.sconnect
pm disable com.samsung.android.snote
pm disable com.samsung.android.video
pm disable com.samsung.location
Restore PK1 boot.img and recovery.img to close dirtycow vulnerability (removes ability to gain root)
1. Download this to a directory but don't extract it
https://drive.google.com/open?id=1374IZTBeyNBELdrK1ESdqkUuVGutbpDm
2. Load PK1boot_recovery_img_only.tar.md5 file into the AP slot in Odin
3. Place phone in download mode, connect it to your PC then in Odin select Start to flash the firmware, you can unplug cable when phone reboots.
Please let me know if any steps are unclear. I can reverse the rooting method but there's probably 20 people world wide who will use this method, so if you have security concerns make sure to close dirtycow vulnerability when you're done and just use the one click root method.
Updated notes:
If you get a Screen Overlay Detected error turn OFF overlay for both MobileGo apps!
I added a windows batch script to disable a lot of apps (root first with wondershare gomobile)
If you use the phone it looses root and becomes harder to root. (if it become impossible to root again flash the PJ1 boot and recovery only file but backup before you do it)
Don't create things with Assayed Kitchen then flash them to the phone or mix firmwares it almost refuses to enter download mode again :fingers-crossed:
In case of error
During the learning process to do things like this putting your phone into a bootloop or soft bricking is very common for new comers, but don't panic. After you complete the process I outlined it will take a couple minutes to boot it will have the AT&T logo on a white screen. If it hangs here for a really long time or it gets unusually warm this is a bad sign. Let's get the phone turned off so you can think.
Hard Reset: press Power + Volume Down for 7 seconds
Screen goes black: immediately presss Power + Volume Up + Home
Use Volume down to move to option Power Off then push the Power button to select it.
You can start over / try again by pressing Power + Volume Down + Home buttons again
or
Create a new post here and put my name in your post
Click to expand...
Click to collapse
Standby for more updates and uploads soon.
Hello,
Any news on the testing?
Regards,
abdk80 said:
Hello,
Any news on the testing?
Regards,
Click to expand...
Click to collapse
Yes, I've updated the OP and added more of a road map for current active development.
I have successfully built a UART jig and booted to a s-boot console on the n920v. This has been done on a few different devices, so it isn't exactly a new thing, but as far as I can tell it has never been done on any exynos 7420 devices. I am still exploring what is possible, and if anyone has any additional guidance on what to do with this access I'm all eyes/ears! I'll attach the 2 logs that I have so far that I find the most interesting.
Idea time: could we fry our bootloader somehow and replace it with a more favorable one? Like for the n920g? External SD card boot is possible through the s-boot console I think, but we don't have an external SD.
I have a kindle fire that uses a bootrom exploit to redirect the loading point for the bootloader so that it will load unsigned firmware/recovery/kernel stored elsewhere on eMMC.
Booting unsigned firmware/recovery/kernel might be possible through use of the tflash option in heimdall, however again...no external SD. I have been able to flash a TWRP image in heimdall on my n920v, but couldn't get it to boot.
I am in way over my head, but I have done a lot of reading over the last few weeks. Given the fact that our devices are now no longer being patched, and exploits have continued to be discovered we should be able to figure something out.
Reverse-anastomosis said:
I'll attach the 2 logs that I have so far that I find the most interesting.
Click to expand...
Click to collapse
Forgot to attach them.
One more pretty interesting log that I just grabbed.
Reverse-anastomosis said:
I have successfully built a UART jig and booted to a s-boot console on the n920v. This has been done on a few different devices, so it isn't exactly a new thing, but as far as I can tell it has never been done on any exynos 7420 devices. I am still exploring what is possible, and if anyone has any additional guidance on what to do with this access I'm all eyes/ears! I'll attach the 2 logs that I have so far that I find the most interesting.
Idea time: could we fry our bootloader somehow and replace it with a more favorable one? Like for the n920g? External SD card boot is possible through the s-boot console I think, but we don't have an external SD.
I have a kindle fire that uses a bootrom exploit to redirect the loading point for the bootloader so that it will load unsigned firmware/recovery/kernel stored elsewhere on eMMC.
Booting unsigned firmware/recovery/kernel might be possible through use of the tflash option in heimdall, however again...no external SD. I have been able to flash a TWRP image in heimdall on my n920v, but couldn't get it to boot.
I am in way over my head, but I have done a lot of reading over the last few weeks. Given the fact that our devices are now no longer being patched, and exploits have continued to be discovered we should be able to figure something out.
Click to expand...
Click to collapse
Tflash could possibly be helpful. Fry the BL to much will drop the device basically into edl mode. Which is weird on an Exynos SoC. Have only had two tests there. My g925v is still in 9006 mode now. My tests on 9008 mode dropped it into 9006 mode. Still bricked.
On my g925v the internal sdcard seemed to act as both internal and external SD cards to me a lot of times. We have no slot but the storage permissions still have to work somehow.
On the 4APL1 combo ramdisk I notice there is init.sec_debug.rc that calls the corehelper.sh script from /system/bin as root. Maybe we can modify the system.img and make the corehelper.sh script run our own commands by just setting a prop detail. We can still use /data/local/tmp to execute things.
But it looks from your logs like we could maybe change the kernel command line string from the sboot console. Meaning we might be able to set enforcing to permissive or change the debug level on a stock LP system. Or at least know where things will be loaded so that we can use safe strap to affect those areas as well.
It also seemed to show us the magic number for the Device Tree. I don't have time this morning. But I'll be back.
@Delgoth, I can't find the arguments to add to boot permissive. Do you happen to know the argument?
It will go as an argument on the boot command in the sboot console.
I bet I could force factory download mode on your g925v with my jig.
Reverse-anastomosis said:
@Delgoth, I can't find the arguments to add to boot permissive. Do you happen to know the argument?
It will go as an argument on the boot command in the sboot console.
I bet I could force factory download mode on your g925v with my jig.
Click to expand...
Click to collapse
I don't know it off hand and I'm not at my PC. But I've seen it before here on the forums used. There is a way to set selinux to permissive via the kernel command line.
Our devices should be vulnerable to this exploit.
https://www.google.com/url?q=https:...FjADegQIBxAB&usg=AOvVaw2-cc6gIXIrOjEJzxzd2Ebo
Reverse-anastomosis said:
Our devices should be vulnerable to this exploit.
https://www.google.com/url?q=https:...FjADegQIBxAB&usg=AOvVaw2-cc6gIXIrOjEJzxzd2Ebo
Click to expand...
Click to collapse
I haven't seen that pdf in a long time. And I don't think you're wrong. Going back and looking through the beginning of the State of Root thread, I realize that many of the failed tests were not done in the correct order now. How I would downgrade was by flashing the rev3 combo firmware via ODIN, I would reboot directly back to download mode without ever letting recovery or system ever boot up once. And then I would flash the rev3 actual eng boot, then reboot directly back to download mode, and then flash the the AP and CSC file of the Stock LP firmware I wanted (1AOGG). After I let that boot up I would go back to download mode and flash the 2APB2 root eng kernel. Then everything would work and you just had to setup SuperSu manually via the CLI (Which I probably still can't do....).
I don't know if anyone actually has tried Flashing the 4APL1 Combo firmware with nand erase all, and then tried to flash an AP file from 1AOGG. I saw people trying to downgrade from stock bootloaders and failing. Which is expected. Generally trying to downgrade param.bin or cm.bin or sboot.bin will result in errors. Can you flash just the AP file from the combo? What about flashing the AP directly after flashing the comfirmware without it booting? Because I guess I still can't be positive it was an eng rev3 sboot or if it were the nand erase all and flash/boot order. Then I typically used the 2APB2 Eng root kernel while using the rev3 combo firmware at the same time through odin. Because the ENG Kernel was an LP Kernel like the combo firmware.
I'm in the process of pulling relevant posts into this thread's OP for consolidation.
@Delgoth O_O Very exciting!! I just got free time and you know what i have to do tomorrow?!? Not 1 thing. I havent read your updated OP yet, I bout came out of my skin when i skimmed over it. Tis where im headed now and will definitely share what crazy stuff i get into.
Update
Hyped!! Ive got safestrap ready togo on rev 4 combo and even made custom rom slots ha, im flashing everything. I actually flashed gapps and doing all this from factory binary lol . I got Csploit running in root but it wont run the Metasploit rpcd server unless u flash gapps. Ofcourse you cant download and install from google play but adb doesnt mind!!! xD
xenomorph318 said:
@Delgoth O_O Very exciting!! I just got free time and you know what i have to do tomorrow?!? Not 1 thing. I havent read your updated OP yet, I bout came out of my skin when i skimmed over it. Tis where im headed now and will definitely share what crazy stuff i get into.
Update
Hyped!! Ive got safestrap ready togo on rev 4 combo and even made custom rom slots ha, im flashing everything. I actually flashed gapps and doing all this from factory binary lol . I got Csploit running in root but it wont run the Metasploit rpcd server unless u flash gapps. Ofcourse you cant download and install from google play but adb doesnt mind!!! xD
Click to expand...
Click to collapse
Cool. I think I found the two libraries we for a stock system image. I will try and make one up this afternoon and posts the steps to do it yourself as well because I might not do it right the first time. If you got all that working can you flash the 2APB2 eng kernel via Odin or use safe strap to flash it and still have the combo firmware boot? I've been able to get bad kernels to flash before on rev3. Once I actually got a boot error that said invalid kernel header but still managed to flash through Odin.
I have the eng 2APB2 tar file in my sm-n920a files link in the OP. If it doesn't flash over the standard 4APL1 combo firmware or boot, maybe we need to use the 1AOGG recovery.img or the special 4CQB2 recovery.img for drk fix.
Delgoth said:
Cool. I think I found the two libraries we for a stock system image. I will try and make one up this afternoon and posts the steps to do it yourself as well because I might not do it right the first time. If you got all that working can you flash the 2APB2 eng kernel via Odin or use safe strap to flash it and still have the combo firmware boot? I've been able to get bad kernels to flash before on rev3. Once I actually got a boot error that said invalid kernel header but still managed to flash through Odin.
I have the eng 2APB2 tar file in my sm-n920a files link in the OP. If it doesn't flash over the standard 4APL1 combo firmware or boot, maybe we need to use the 1AOGG recovery.img or the special 4CQB2 recovery.img for drk fix.
Click to expand...
Click to collapse
Yup yup i have done it before just to see if the root install script and the root boot script method would work for me and it did!
I just tried again to dbl check and yes again. I did it via odin I will try it via safestrap in just a sec to see if it will work that way as well. I have everything staged, i dont have a sd card at the moment
xenomorph318 said:
Yup yup i have done it before just to see if the root install script and the root boot script method would work for me and it did!
I just tried again to dbl check and yes again. I did it via odin I will try it via safestrap in just a sec to see if it will work that way as well. I have everything staged, i dont have a sd card at the moment
Click to expand...
Click to collapse
The metalcated root method is a tethered root method however. The way Wondershare Mobile Go does it must either setup SuperSu correctly. Which I couldn't tell you, or it uses exploits to untethered the root. On my old rev3 device with 1AOGG AP file, eng 2APB2 boot.img, and 3APH1 eng sboot.bin installed the metalcated root would still only give me a tethered root as well.
But are you saying the PB2 eng kernel flashed successfully via ODIN using the 4APL1 combo?
Because while the PB2 Eng Kernel has a root shell by default, it is stuck in SELinux Enforcing mode if I remember correctly. You actually have to setup root to switch to permissive persistently. Where the combo kernel is not rooted but is default set to permissive.
So the rev2 eng kernel still works on the rev4 combo firmware? This makes a difference to me and how we will setup flashing a stock system image over the combo system.
@Reverse-anastomosis which firmware have you been using your jig with? And have you tried using the Eng Kernel to see about different output to your console? Which commands have you tested? I'm looking into the console so I can flesh out its information in the OP. Hopefully we can even get instructions for making one too. We have something going here, we can keep the momentum going.
Right now I only have you two to help explain what I'm talking about and test it specifically. Im working on a test system image right now.
@xenomorph318 once you have the combo firmware installed and then flash the pb2 eng kernel, can you go back to ODIN and flash the stock AP (MINUS boot.img) File from either 1AOGG OR 2APB2? I used to be able to on rev3.
** CAN BOTH OF YOU ZIP UP YOUR /cache/recovery directories SO I CAN LOOK AT YOUR LOGS PLEASE PLEASE PLEASE **
Reverse-anastomosis said:
@Delgoth, I can't find the arguments to add to boot permissive. Do you happen to know the argument?
It will go as an argument on the boot command in the sboot console.
I bet I could force factory download mode on your g925v with my jig.
Click to expand...
Click to collapse
Reverse-anastomosis said:
Our devices should be vulnerable to this exploit.
https://www.google.com/url?q=https:...FjADegQIBxAB&usg=AOvVaw2-cc6gIXIrOjEJzxzd2Ebo
Click to expand...
Click to collapse
androidboot.selinux=permissive
And looking back over that PDF you linked, I feel like that was the R&D done to intially unlock the G925V that was quickly patched up. That was the original root and only BL unlock on the G925V if I recall right. So we might be patched, but it didn't take long to be officially patched and was on the Rev1 BL. But again, you now a whole new level of access.
Here, https://alephsecurity.com/2017/05/23/nexus6-initroot/ , we can find other arguments to test in the sboot console for the kernel. I'd bet some of this works. Seems the eng kernel works, maybe the commandline options there are better utilized. You've got me thinking now. I'm glad you're here right now ready to go. We might not be applicable to this exploit, different OEM, but they don't have a direct console to the bootloader either.
(For a stock bootloader if it loads the console) * buildvariant=userdebug
@Delgoth, I'll try this tonight. Then I'll write up everything that I have tried/know, in detail. I'll post it tonight of tomorrow.
Reverse-anastomosis said:
@Delgoth, I'll try this tonight. Then I'll write up everything that I have tried/know, in detail. I'll post it tonight of tomorrow.
Click to expand...
Click to collapse
Please and thanks. Please if you could also include your recovery logs from /cache/recovery. Either post them here or send them to me privately. But I'm looking for the things I see in my Note8's recovery logs, which we could affect to our great benefit with the eng kernel and sboot console here.
https://developer.android.com/things/sdk/pio/uart
This link could also be applicable to your jig. If we can get an app that will utilize the UART port, then maybe we could have realtime communication with a root system and the sboot. Farfetched and for later of course.
So I was doing some digging, and found this video. Have you seen it?
https://m.youtube.com/watch?v=QpaeneaNEbw
Delgoth said:
The metalcated root method is a tethered root method however. The way Wondershare Mobile Go does it must either setup SuperSu correctly. Which I couldn't tell you, or it uses exploits to untethered the root. On my old rev3 device with 1AOGG AP file, eng 2APB2 boot.img, and 3APH1 eng sboot.bin installed the metalcated root would still only give me a tethered root as well.
But are you saying the PB2 eng kernel flashed successfully via ODIN using the 4APL1 combo?
Because while the PB2 Eng Kernel has a root shell by default, it is stuck in SELinux Enforcing mode if I remember correctly. You actually have to setup root to switch to permissive persistently. Where the combo kernel is not rooted but is default set to permissive.
So the rev2 eng kernel still works on the rev4 combo firmware? This makes a difference to me and how we will setup flashing a stock system image over the combo system.
@Reverse-anastomosis which firmware have you been using your jig with? And have you tried using the Eng Kernel to see about different output to your console? Which commands have you tested? I'm looking into the console so I can flesh out its information in the OP. Hopefully we can even get instructions for making one too. We have something going here, we can keep the momentum going.
Right now I only have you two to help explain what I'm talking about and test it specifically. Im working on a test system image right now.
@xenomorph318 once you have the combo firmware installed and then flash the pb2 eng kernel, can you go back to ODIN and flash the stock AP (MINUS boot.img) File from either 1AOGG OR 2APB2? I used to be able to on rev3.
** CAN BOTH OF YOU ZIP UP YOUR /cache/recovery directories SO I CAN LOOK AT YOUR LOGS PLEASE PLEASE PLEASE **
Click to expand...
Click to collapse
give me 2 hours i'll be home by the pc to flash on odin again
but yes im 100% sure the rev 2 pb2 eng kernel flashed over the top of PL1,
here is the recovery directory u asked for after a fresh flash of the rev 2 LL eng kernel
sorry its taking me so long, i cant find a site that doesnt cap my download speed but i will have the pb2 stock downloaded in like 50 mins
I figured after reading a few things on the new S10 (non-flashable) combinations we could open up a thread and see if we can crack this probem. To start with, and although I've only started my research on this, I have a unpacked S10+ (TMB) firmware, lz4 decompressing and unpacking as much as i can. Kernel will be unpacked the normal way, and all arm type will need to be reversed or at least analyzed. I figured I'd start with the strings "factory approval", "token", etc.
The token unlocking I've read about is supposedly done by very few people that request payment, but we can figure this out ourselves. They probably just have Samsung hookups. You can get the token message in download mode by flashing an empty steady.bin
or try in a linux terminal
$ truncate -s 1024 steady.bin && tar -H ustar -c steady.bin>test_token_failed.tar
or
$ dd if=/dev/urandom of=steady.bin bs=1 count=1024 (tried both with random and zero, and got the same failure codes, maybe another user will have better luck?)
May have to unpack all the APK's from the system image and disassemble in search of strings, and with strings we'll find functions. I'm really thinking it's going to be a code that you can write to steady.bin then flash and unlock. Steady.bin is 1024 bits in size on all the firmware's i've seen. Steady.bin is also associated widely with Reactivation locks (even the Samsung Watches)
Let's reverse these things and get back our repair firmware. I myself don't care about FRP, but for tool development and need combination firmware working!! This is sad, Samsung!
kalexander7 said:
I figured after reading a few things on the new S10 (non-flashable) combinations we could open up a thread and see if we can crack this probem. To start with, and although I've only started my research on this, I have a unpacked S10+ (TMB) firmware, lz4 decompressing and unpacking as much as i can. Kernel will be unpacked the normal way, and all arm type will need to be reversed or at least analyzed. I figured I'd start with the strings "factory approval", "token", etc.
The token unlocking I've read about is supposedly done by very few people that request payment, but we can figure this out ourselves. They probably just have Samsung hookups. You can get the token message in download mode by flashing an empty steady.bin
or try in a linux terminal
$ truncate -s 1024 steady.bin && tar -H ustar -c steady.bin>test_token_failed.tar
or
$ dd if=/dev/urandom of=steady.bin bs=1 count=1024 (tried both with random and zero, and got the same failure codes, maybe another user will have better luck?)
May have to unpack all the APK's from the system image and disassemble in search of strings, and with strings we'll find functions. I'm really thinking it's going to be a code that you can write to steady.bin then flash and unlock. Steady.bin is 1024 bits in size on all the firmware's i've seen. Steady.bin is also associated widely with Reactivation locks (even the Samsung Watches)
Let's reverse these things and get back our repair firmware. I myself don't care about FRP, but for tool development and need combination firmware working!! This is sad, Samsung!
Click to expand...
Click to collapse
any luck so far ?
sent pm
its actually quite easy to bypass and flash combo.. of course it requires certain files as well as theres a few tricks to it.. the files needed are also not free and hard to find but if u have them then u dont need to purchase factory tokens which can only be used a set number of times forcing you to have to purchase again if u need to...
from my research you cannot make a token aka steady.bin.. its tied to device id aka did.. the ppl that sell em get ur device info then they have access to servers most likely these are businesses that pay for a license with samsung who provides them with access and a signing cert so they can sign the token.. basically takes ur device info then send to server that then uses w.e security amd algorithms to create the token then signs it and sends it back..
steady.bin is then flashed in odin amd then allows factory binary to be flashed.
ive tried to create them with my device info replicating an actual token but it didnt work of course.
ENG tokens are rare and alot more money (probably in thousands) but are done the same way.
i have sold my s10+.
if anyone is interested send me a pm and maybe we can work something out.
I should be able to complete combo flash remotely for example. I do not feel comfortable releasing them to anyone nor the exact method since dont want it to get patched
I can also do some exynos models too but this is untested as i dont own exynos devices.
Shoot me a pm or hit me up on tgram.. should be same as my username on here...
elliwigy said:
its actually quite easy to bypass and flash combo.. of course it requires certain files as well as theres a few tricks to it.. the files needed are also not free and hard to find but if u have them then u dont need to purchase factory tokens which can only be used a set number of times forcing you to have to purchase again if u need to...
from my research you cannot make a token aka steady.bin.. its tied to device id aka did.. the ppl that sell em get ur device info then they have access to servers most likely these are businesses that pay for a license with samsung who provides them with access and a signing cert so they can sign the token.. basically takes ur device info then send to server that then uses w.e security amd algorithms to create the token then signs it and sends it back..
steady.bin is then flashed in odin amd then allows factory binary to be flashed.
ive tried to create them with my device info replicating an actual token but it didnt work of course.
ENG tokens are rare and alot more money (probably in thousands) but are done the same way.
i have sold my s10+.
if anyone is interested send me a pm and maybe we can work something out.
I should be able to complete combo flash remotely for example. I do not feel comfortable releasing them to anyone nor the exact method since dont want it to get patched
I can also do some exynos models too but this is untested as i dont own exynos devices.
Shoot me a pm or hit me up on tgram.. should be same as my username on here...
Click to expand...
Click to collapse
Sure, let's schedule a time for this
kalexander7 said:
Sure, let's schedule a time for this
Click to expand...
Click to collapse
I have s20 model need flash token combination
Sent from my VOG-L09 using Tapatalk
S20? You're in the S10 forums dude.
vro66rand said:
I have s20 model need flash token combination
Click to expand...
Click to collapse
not possible.. even token servers r down
I bought this solutiion from a website can anyone can try with g975x?
https://mega.nz/file/LNoBSQbT
key VjLG-O2fcKbQ1P2wAsreSLvWWoyWHTkVPxUagcQQsp8
mariolcela said:
I bought this solutiion from a website can anyone can try with g975x?
https://mega.nz/file/LNoBSQbT
key VjLG-O2fcKbQ1P2wAsreSLvWWoyWHTkVPxUagcQQsp8
Click to expand...
Click to collapse
you bought it you can try it.. also g975x is LDU model
I dont have a g975x model.
Also its for all g975 models
What does flashing combo files do? Give root or bootloader unlock or something else?
mariolcela said:
I bought this solutiion from a website can anyone can try with g975x?
https://mega.nz/file/LNoBSQbT
key VjLG-O2fcKbQ1P2wAsreSLvWWoyWHTkVPxUagcQQsp8
Click to expand...
Click to collapse
Hey Buddy,
Where did you get it from?
I need a newer version ....
JazonX said:
Hey Buddy,
Where did you get it from?
I need a newer version ....
Click to expand...
Click to collapse
I don't know if they have a newer version but here you go
https://support.halabtech.com
Just search for your phone model
mariolcela said:
I don't know if they have a newer version but here you go
https://support.halabtech.com
Just search for your phone model
Click to expand...
Click to collapse
they dont lol.. bypass is easy
elliwigy said:
they dont lol.. bypass is easy
Click to expand...
Click to collapse
Really ?
Any clue how to do so?
I need help with such a device..
i dont try but if you can wipe the stady partition with root by dd command or you can flash boot-loader of combination directly by dd or purchase one token of desire set flash it and then take a whole backup by twrp and flash it with twrp this is my thinking i dont know this can work but possible that could be
harissiddiq said:
i dont try but if you can wipe the stady partition with root by dd command or you can flash boot-loader of combination directly by dd or purchase one token of desire set flash it and then take a whole backup by twrp and flash it with twrp this is my thinking i dont know this can work but possible that could be
Click to expand...
Click to collapse
huh lmao if u could do any of that then u dont need any token to begin with
[DELETED]