General Pixel Watch successfully bootloader unlocked - Google Pixel Watch

Shiny Quagsire has successfully unlocked the Pixel Watch's bootloader via the pogo pins (which ended up being USB like people suspected)
https://twitter.com/i/web/status/1583186847596892160

Thank you very much for info.
This sounds really interesting.
I hope Rooting is also possible with Magisk Version 25.2...
Best Regards

adfree said:
Thank you very much for info.
This sounds really interesting.
I hope Rooting is also possible with Magisk Version 25.2...
Best Regards
Click to expand...
Click to collapse
Magisk kinda works on Wear OS, but the UI is basically unusable. I am currently working on adding proper UI support, among other things.

Sorry. I come from Samsung Galaxy Watch...
Rooting only via USB cable like this:
SM-R765F Teardown
Dear friends, I found that the LTE connection is very useful when you have to leave your mobile somewhere and you can get calls and notifications through mobile connection. I bought a Gear S3 LTE (R765) from a Singapore site because in Italy it...
forum.xda-developers.com
boot.img and vbmeta.img patched with Magisk Version 25.2
Then I have nearly full access like this:
Firmware and Combination Firmware and FOTA Delta and CSC change and...
Looks like it could be harder since Tizen... A Stock Firmware for netOdin/Odin not available yet... B Combination Firmware not available yet C FOTA Delta File for study I have...
forum.xda-developers.com
No idea why write access... as Super.img is readonly... I thought...
Sorry for Hijack your Thread.
Good Luck.
Best Regards

Please, Maybe somebody could help me.
On Samsung GW4 I have only 1 Shell Linux Terminal... where I can type on Watch...
All others not show Keyboard:
Firmware and Combination Firmware and FOTA Delta and CSC change and...
Looks like it could be harder since Tizen... A Stock Firmware for netOdin/Odin not available yet... B Combination Firmware not available yet C FOTA Delta File for study I have...
forum.xda-developers.com
Exact this APK runs on all Firmware Versions I have tested:
Firmware and Combination Firmware and FOTA Delta and CSC change and...
Looks like it could be harder since Tizen... A Stock Firmware for netOdin/Odin not available yet... B Combination Firmware not available yet C FOTA Delta File for study I have...
forum.xda-developers.com
But it not handle Root...
I am too lazy to decompile and try to add something in Manifest...
Tiny and slow brain... I have.
Maybe on Pixel Watch more Apps work proper?
Thanx in advance.
Best Regards

Last 1 for today...
I have searched for APKs for "Secret Codes"...
Secret Codes - Apps on Google Play
Secret Codes allows you to scan your device and find hidden functionalities.
play.google.com
For my Samsung GW4 not work... as Codes looks like:
Code:
*#1234#
But maybe usefull for Pixel watch... in comment somebody posted:
Not 1 code is working. My "device is incompatible" try to put it in a dialer. There are other app that can forward code to a dialer app called "Engineer Mode MTK" without problems. Redmi Note 10S.
Click to expand...
Click to collapse
Sorry, I have only Samsung crap... so no idea how usefull in Android 11...
Best Regards

Maybe ask those questions in... the Samsung Galaxy Watch4 forums, maybe?

@GuyInDogSuit
The idea is to work together....
Maybe you not need Root in your Pixel Watch nor you sideload APKs to your Pixel Watch.

I'm currently working on attempting some modifications (possibly root), however the biggest blocker currently is the lack of a firmware image or OTA ZIP. So if anyone hasn't updated their watch yet and can capture an OTA ZIP URL, that would be super helpful.
In the meantime I got the kernel to build fine with my manifest at https://github.com/shinyquagsire23/kernel_manifest-r11btwifi, but now I need to build a bare-minimum rootfs/recovery so I can dump the partitions and make a factory image.

adfree said:
@GuyInDogSuit
The idea is to work together....
Maybe you not need Root in your Pixel Watch nor you sideload APKs to your Pixel Watch.
Click to expand...
Click to collapse
Maybe. But there's a reason why I mentioned that, as this is a forum for a different watch. Hence why I pointed you in that direction.

Dionicio3 said:
Shiny Quagsire has successfully unlocked the Pixel Watch's bootloader via the pogo pins (which ended up being USB like people suspected)
https://twitter.com/i/web/status/1583186847596892160
Click to expand...
Click to collapse
As cool as that is, here's hoping a more user-friendly solution is found, if the USB characger can't be used then hopefully wireless ADB asat the very least.

You won't be able to use either of those for fastboot. The cable doesn't support data transfer (it's a version of wireless charging) and wireless adb doesn't work for fastboot (needed to unlock the bootloader). The best chance we have is that someone creates a 3D printed cable.

Really hoping that this thing develops further, could really use it.
Unfortunately I already updated the watch.
shinyquagsire23 said:
I'm currently working on attempting some modifications (possibly root), however the biggest blocker currently is the lack of a firmware image or OTA ZIP. So if anyone hasn't updated their watch yet and can capture an OTA ZIP URL, that would be super helpful.
In the meantime I got the kernel to build fine with my manifest at https://github.com/shinyquagsire23/kernel_manifest-r11btwifi, but now I need to build a bare-minimum rootfs/recovery so I can dump the partitions and make a factory image.
Click to expand...
Click to collapse
Maybe you could post instructions on how to obtain the OTA url.

shinyquagsire23 said:
I'm currently working on attempting some modifications (possibly root), however the biggest blocker currently is the lack of a firmware image or OTA ZIP. So if anyone hasn't updated their watch yet and can capture an OTA ZIP URL, that would be super helpful.
In the meantime I got the kernel to build fine with my manifest at https://github.com/shinyquagsire23/kernel_manifest-r11btwifi, but now I need to build a bare-minimum rootfs/recovery so I can dump the partitions and make a factory image.
Click to expand...
Click to collapse
I was looking at your twitter and saw your awesome five minutes crafts. I just quickly measured the distance between the pins and it seems like it might be a standard distance of 1.27mm, which you can buy online. That might be easier.

Shebee said:
Really hoping that this thing develops further, could really use it.
Unfortunately I already updated the watch.
Maybe you could post instructions on how to obtain the OTA url.
Click to expand...
Click to collapse
The general gist is like, get the update notification, *don't download it* and do a bug report from the Watch app. Then download the update, do another bug report, and hope that the URL is somewhere in the logs.

shinyquagsire23 said:
The general gist is like, get the update notification, *don't download it* and do a bug report from the Watch app. Then download the update, do another bug report, and hope that the URL is somewhere in the logs.
Click to expand...
Click to collapse
The problem with the first update was that you were forced to install it before you could access the watch app. But should we be expecting a security update the first Monday of the month, like on the pixels? Or is it still too soon?

shinyquagsire23 said:
The general gist is like, get the update notification, *don't download it* and do a bug report from the Watch app. Then download the update, do another bug report, and hope that the URL is somewhere in the logs.
Click to expand...
Click to collapse
Surely there's a more reliable (if not tedious way), such as debugging/monitoring network traffic when initiating a update?

Managed to pull the boot partitions using gross fastboot schenanigans involving oem commands and ramdumps: https://drive.google.com/drive/folders/1m_gkqAopDyn4MhTtdYisGWWwpbMqoZxJ?usp=sharing
boot_b turned out to just be the same as the recovery partition. I also pulled super.img but I forget how to extract that, I'll upload system_a/b and other stuff later. No success in patching with Magisk yet though, I made an issue here.

and patched them with Magisk from my phone,
Click to expand...
Click to collapse
I see something with "Phone"...
I made this mistake with Samsung GW4.
You can not use other Hardware.
You need to run Magisk on Pixel Watch...
As Magisk need some info from device...
For my device I was successfull with Magisk Version 24.3 and now using 25.2...
Only as info.
Thanx for your Uploads.
Best Regards
Edit 1.
Not all files downloaded... started with vendor.img
Tested under Ubuntu with imjtool but no success...
Short looked with WinHex inside... no idea what it is...
But system.img is easy. Under Windows I can use 7Zip Tool to extract files.
Edit 2.
recovery.img I can extract with imjtool...
Code:
[email protected]:~/imj$ ./imjtool vendor.img extract
vendor.img is not a recognized image. Sorry
[email protected]:~/imj$ ./imjtool recovery.img extract
Boot image version 2 for OS version 0x16000167 (11.128 Patch Level 2022-7) detected (1660 byte header)
Part Size Pages Addr
Kernel (@0x0000800): 17465360 8529 0x80008000
Ramdisk (@0x10a9000): 7556181 3690 0x81000000
Device Tree(@0x17de000): 143653 71 0x81f00000
Recovery DTBO/ACPIO: 28472
MAGIC: 0x1eabb7d7
Extracting dtbo
AVB0 (@0x1809000): 2240
AVBf (@0x1ffffc0):
Tags: 0x80000100
Flash Page Size: 2048 bytes
ID: 81d8d1a935948a17696e088f49b7239d8c5dcc1c000
Name:
CmdLine: buildvariant=user
Found GZ Magic at offset 11460360
extracted/kernelimage.gz:
gzip: extracted/kernelimage.gz: decompression OK, trailing garbage ignored
-100.5% -- replaced with extracted/kernelimage
Extracting kernel
Extracting ramdisk
Searching for DT at 0x17de000
MAGIC: 0x1eabb7d7
Extracting dtbo - exists so renaming to _dtbo
Edit 3.
No idea if vbmeta.img is mandatory... for Patching with Magisk.
I have ever patched both files inside 1 tar:
Code:
boot.img
vbmeta.img

Dave_247 said:
Surely there's a more reliable (if not tedious way), such as debugging/monitoring network traffic when initiating a update?
Click to expand...
Click to collapse
I tried to reverse engineer the update API on my pixel 7 yesterday (just the part where it checks for a new update) but everything is encrypted (of course) and Google Play services refuses to accept any custom TLS certificates I put on my phone. There's probably a better way to do this, but I'm no expert. All I know now is that it uses the android.googleapis.com site.

Related

[Q] Trick Amazon update with URL redirect to older firmware to get root?

Hi,
just a quick thought (maybe my thinking is to easy but hear me out):
Can't we just redirect (Via DNS or something else, IDK) the amazon update queries to download a rooted firmware or an older signd (than rootable) official firmware?
We know, what URLs we have to block, so someone must have figured that out, maybe via Wireshark, where the FTV is looking for new updated. So, if you would connect the FTV via eth0 to your pc, to get to the internet: could some piece of software be on the pc to redirect it? So that the FTV thinks: htp://amzdigitaldownloads.edgesuite.net/obfuscated/0aa573bc909901dd4713dc2166eadbdf/bueller-ota-51.1.3.0_user_513011820-signed.bin is new, so I better grab it! But your computer redirects it (via DNS maybe??) to: htp://localhost/obfuscated/0aa573bc909901dd4713dc2166eadbdf/bueller-ota-51.1.3.0_user_513011820-signed.bin , which in reality would be a renamed older firmware (which would be rootable via towelroot), put in the same folder structure, as the original one.
So my question is:
a) Am I thinking to simple and this is just NOT possible in any way?
Or: b) In theory, this is possible, but there are missing pieces of information, we don't have at the moment (like, how it checks for an update, not where)
Or: c) Yea, this is possible, let me try it out, don't worry, I'm a professional
Just a thought, so what do you think? If a) than please explain for a dummy like me, why this is just not possible. If b) what information would be missing?
---
edit: I can't post URLs hence my lack of posts at XDA, so I shortend http to htp, but you get the idea...
bamdaschmu said:
Hi,
just a quick thought (maybe my thinking is to easy but hear me out):
Can't we just redirect (Via DNS or something else, IDK) the amazon update queries to download a rooted firmware or an older signd (than rootable) official firmware?
We know, what URLs we have to block, so someone must have figured that out, maybe via Wireshark, where the FTV is looking for new updated. So, if you would connect the FTV via eth0 to your pc, to get to the internet: could some piece of software be on the pc to redirect it? So that the FTV thinks: htp://amzdigitaldownloads.edgesuite.net/obfuscated/0aa573bc909901dd4713dc2166eadbdf/bueller-ota-51.1.3.0_user_513011820-signed.bin is new, so I better grab it! But your computer redirects it (via DNS maybe??) to: htp://localhost/obfuscated/0aa573bc909901dd4713dc2166eadbdf/bueller-ota-51.1.3.0_user_513011820-signed.bin , which in reality would be a renamed older firmware (which would be rootable via towelroot), put in the same folder structure, as the original one.
So my question is:
a) Am I thinking to simple and this is just NOT possible in any way?
Or: b) In theory, this is possible, but there are missing pieces of information, we don't have at the moment (like, how it checks for an update, not where)
Or: c) Yea, this is possible, let me try it out, don't worry, I'm a professional
Just a thought, so what do you think? If a) than please explain for a dummy like me, why this is just not possible. If b) what information would be missing?
---
edit: I can't post URLs hence my lack of posts at XDA, so I shortend http to htp, but you get the idea...
Click to expand...
Click to collapse
It seems they already tried this. One would have to match the FW's checksum it is trying to download or the downgrade or update fails. In other words it seems like it can't be done.
http://forum.xda-developers.com/showpost.php?p=55914173&postcount=6
Unless there is a way to inject the right checksum while loading the older FW. Since your talking about a 3rd party prog ("some piece of software"). But that is way above my pay-grade.
Myself and AFTVNews have both tried this without success
I tried doing this a few weeks ago. I was able to get the Fire TV to download 51.1.1.0 when it was actually requesting 51.1.3.0. The Fire TV downloaded the update, extracted it, but then knew it was not the version it was expecting. I assume when it gets the update URL from Amazon, it also gets the update version number. I assume it then compares the version number it is told to get with some version information inside the file it downloaded. Here are the relevant log file entries:
Code:
D/com.amazon.dcp.framework.IntentEvent( 1358): Intent { act=android.intent.action.DOWNLOAD_COMPLETE flg=0x10 pkg=com.amazon.dcp }
...
I/com.amazon.dcp.ota.DownloadManifestHandler( 1358): Verifying OS update at /cache/bueller-ota-51.1.3.0_user_513011520-signed.bin
...
E/com.amazon.dcp.ota.DownloadManifestHandler( 1358): The OS version from install manifest is 513011520, but 511070220 from update file.
The only way for this to work is to spoof/MITM the information returned from Amazon when checking if an update is available, and that's difficult (impossible?) because the communication is encrypted.
Is the signature done on the whole image (header + payload + checksum etc.) or only on the payload? If only the payload of the image is signed it could be probably possible to find the version in the header and change it to the version it does expect.
Calibaan said:
Is the signature done on the whole image (header + payload + checksum etc.) or only on the payload? If only the payload of the image is signed it could be probably possible to find the version in the header and change it to the version it does expect.
Click to expand...
Click to collapse
I haven't fully analzyer how the updater works, but the gist of it is it downloads the update and verifies the signature of the entire file. It then figures out which version it is, not sure how it does that though. It's a zipfile, so its not a header payload checksum. It probably reads one of the files inside of the zip to check the version.
Is a link URL known for a valid firmware image? Doesn´t matter which version. Would like to have a look on the file.
Calibaan said:
Is a link URL known for a valid firmware image? Doesn´t matter which version. Would like to have a look on the file.
Click to expand...
Click to collapse
This page has links to all the software versions.
http://www.aftvnews.com/software/
Sent from my SCH-I545 using Tapatalk
rbox said:
I haven't fully analzyer how the updater works, but the gist of it is it downloads the update and verifies the signature of the entire file. It then figures out which version it is, not sure how it does that though. It's a zipfile, so its not a header payload checksum. It probably reads one of the files inside of the zip to check the version.
Click to expand...
Click to collapse
my guess it checks "system/build.prop" for version
my guess it checks "system/build.prop" for version
Click to expand...
Click to collapse
Does someone can test this? This would be an easy method
apfelstyle said:
Does someone can test this? This would be an easy method
Click to expand...
Click to collapse
You can't modify the contents of the update. The file as a whole has a signature and all the files in it do too.
Maybe I´m thinking to easy but could it be that Amazon does handle the ROM images similiar like an APK, so that tricking around with ZipSigner:
https://play.google.com/store/apps/details?id=kellinwood.zipsigner2&hl=de
could sign a modified ROM image?
If this would be possible (couldn´t test it since my ordered FTV isn´t still delivered :/ ) the idea would be:
-unzip image
-insert su in image and add MD5 in "MANIFEST-FILES.MD5" or change build.prop to another version and correct its MD5 in "MANIFEST-FILES.MD5"
-zip image
-upload to /sdcard on FTV
-start ZipSigner and try to sign the image again
I know that the correct release keys are important but probably the loader does only check if just a valid signature does exist so it allows probably flashing also with test keys.
Calibaan said:
Maybe I´m thinking to easy but could it be that Amazon does handle the ROM images similiar like an APK, so that tricking around with ZipSigner:
https://play.google.com/store/apps/details?id=kellinwood.zipsigner2&hl=de
could sign a modified ROM image?
If this would be possible (couldn´t test it since my ordered FTV isn´t still delivered :/ ) the idea would be:
-unzip image
-insert su in image and add MD5 in "MANIFEST-FILES.MD5" or change build.prop to another version and correct its MD5 in "MANIFEST-FILES.MD5"
-zip image
-upload to /sdcard on FTV
-start ZipSigner and try to sign the image again
I know that the correct release keys are important but probably the loader does only check if just a valid signature does exist so it allows probably flashing also with test keys.
Click to expand...
Click to collapse
There are 2 checks. The first is after the file is downloaded, and the second is after recovery starts before it flashes it. If we ignore the first check, and focus on the second, recovery has the amazon public key in it and it definitely verifies the file was signed with the key that matches that public key.

2016 version (new fingerprint scanner, combined sim/sd)

Hey guys,
It seems more and more people are receiving the new version of the P8000:
- Stock Android 6
- New fingerprint scanner that is moved slightly higher and is able to unlock phone from screen-off (I confirm this is working)
- Sim 2 is combined with the micro-sd (I haven't tried whether you can have them both in at the same time)
- Somethings new about the display, since people are reporting errors with it after flashing older roms.
Warning: do NOT flash other roms. We have no way to unbrick the soft bricks yet!
---
Other topics that refer to this version:
http://forum.xda-developers.com/elephone-p8000/general/rom-p8000-t3431571
http://forum.xda-developers.com/elephone-p8000/help/stock-rom-p8000b-t3434477
http://forum.xda-developers.com/elephone-p8000/general/p8000-version-announced-t3346848
---
For development:
- The phone does not come pre-rooted. We have no way to flash custom recovery yet. Any tips for getting root? I've tried such tools as Kingo and vRoot, they don't work.
- We need the blocks file (scatter file) for SP Flash Tools. MTKDroidTools reports "unknown rom structure". Any help? Would love to start working on this.
Looking forward to hearing from others who have this version/who can help me with these questions.
Thanks!
Emile
Nice! Can you provide a dump from /system and /boot maybe?
BlueFlame4 said:
Nice! Can you provide a dump from /system and /boot maybe?
Click to expand...
Click to collapse
I would, if I knew how to. Any pointers?
Emileh said:
I would, if I knew how to. Any pointers?
Click to expand...
Click to collapse
Sure thing. On a rooted device, go into adb shell.
Then use "mount" command to check which partitions are mounted. One should be "/dev/block/platform/mtk-msdc.0/by-name/system" or similar. Use "dd if=/dev/block/platform/mtk-msdc.0/by-name/system of=/storage/emulated/0/system.img bs=1M" to dump the system to the internal sdcard to the file "system.img". If adb complains that bs=1M is an invalid option, try again without that one. A system dump can take some time where you will not get any feedback, so be patient there
Do the same for boot. So "/dev/block/platform/mtk-msdc.0/by-name/boot" should be the way to go for the path. I cannot tell the definite pathes on Android 6.0 but I am rather sure they are more or less like this.
If you run into troubles, just ask
BlueFlame4 said:
Sure thing. On a rooted device, go into adb shell.
Then use "mount" command to check which partitions are mounted. One should be "/dev/block/platform/mtk-msdc.0/by-name/system" or similar. Use "dd if=/dev/block/platform/mtk-msdc.0/by-name/system of=/storage/emulated/0/system.img bs=1M" to dump the system to the internal sdcard to the file "system.img". If adb complains that bs=1M is an invalid option, try again without that one. A system dump can take some time where you will not get any feedback, so be patient there
Do the same for boot. So "/dev/block/platform/mtk-msdc.0/by-name/boot" should be the way to go for the path. I cannot tell the definite pathes on Android 6.0 but I am rather sure they are more or less like this.
If you run into troubles, just ask
Click to expand...
Click to collapse
Thank you for your great instructions! The problem is that we've yet to achieve root on this device. We don't have a custom recovery for this version of the P8000 yet and other 'standard' methods of rooting don't work for me.
(I'm pretty solid in shell, so I'll do this afterwards, but I guess root is actually the first step).
// Edit to say: it does not come pre-rooted
Since the elephone support on facebook didn't realize there are two different versions of the P8000 available, I still need a ROM to unbrick my phone.
flo1k said:
Since the elephone support on facebook didn't realize there are two different versions of the P8000 available, I still need a ROM to unbrick my phone.
Click to expand...
Click to collapse
Ok, we know that, but doesn't really help us
Can you write them an e-mail?
I will do
Edit: OK, see if there will be an answer.
Thank you flo1k!
I have e-mailed as well, and would like to post on the Elephone forum, but don't seem to have access (because of minimum post count, I guess)
Anyone willing to ask for a ROM for the new P8000 on the forum there?
ROM Dump
@BlueFlame4
I can provide ROM dump in two versions:
1) a dump from adress 0000 0000 to 9d80 0000 (apr. 2.5 GB in one file)
2) a readback generated with the scatter.txt of the 'old' 5.1 stock ROM (apr. 2.8 GB seperated in 23 files)
FrauHofrat said:
@BlueFlame4
I can provide ROM dump in two versions:
1) a dump from adress 0000 0000 to 9d80 0000 (apr. 2.5 GB in one file)
2) a readback generated with the scatter.txt of the 'old' 5.1 stock ROM (apr. 2.8 GB seperated in 23 files)
Click to expand...
Click to collapse
The second choice looks promising
Maybe a stupid question
where shall I upload the files - any preferred webspace?
I'm uploading the files - because they contain my NVRAM I send the link as PM as soon as the upload is finished
FrauHofrat said:
Maybe a stupid question
where shall I upload the files - any preferred webspace?
I'm uploading the files - because they contain my NVRAM I send the link as PM as soon as the upload is finished
Click to expand...
Click to collapse
Are you sure we're talking about the same version of the P8000? Cause as far as I know there isn't 5.1 available for this version... Right?
Just checking thank you for your help in any case!! Really looking forward to it.
// edit: ah, you just used the old scatter file. But does that one work for this version?
Emileh said:
Are you sure we're talking about the same version of the P8000? Cause as far as I know there isn't 5.1 available for this version... Right?
Click to expand...
Click to collapse
No, there is only one Firmware available - the mysterious P8000_6.0_20160516.
Btw, this Phone contains a new mainboard model "K06TS-L-V2.0.3" - the 'old' mainboard is moder "K05T...."
// edit: ah, you just used the old scatter file. But does that one work for this version?
Click to expand...
Click to collapse
No, it doesn't work resp. the phone boots with this firmware, but the LCD-driver is the wrong one - the display only shows coloured lines and blurry spots. And there are probabely some more bugs ....
FrauHofrat said:
No, there is only one Firmware available - the mysterious P8000_6.0_20160516.
Btw, this Phone contains a new mainboard model "K06TS-L-V2.0.3" - the 'old' mainboard is moder "K05T...."
No, it doesn't work resp. the phone boots with this firmware, but the LCD-driver is the wrong one - the display only shows coloured lines and blurry spots. And there are probabely some more bugs ....
Click to expand...
Click to collapse
But if the phone boots with the firmware, doesnt that mean that the scatter file of the regular P8000 works? Since it flashes the firmware correctly.
The problem is that I was not able to flash the 'readback files' to the faulty phone.
When selecting 'Only Download' at SP-Flashtool I got the error "PMT... must be download"
When selecting 'Firmware Upgrade" I got some BROM error code
In both cases I used the same scatter,txt which I used to 'readback' the firmware from the working phone
Actually I have to correct my statement in post #15:
I flashed the faulty phone with the last 5.1 stock ROM (160711) - with this stock ROM the phone boots up but LCD (and probably more things) is not working.
I have actually gotten alot further
You have the use the scatter.txt from Android 6.0, which works perfectly fine. I have been able to extract boot.img, system.img and recovery.img that way (using Readback in SP Flash Tools)
Which ones do you need?
They probably flash fine (only thing I've flashed so far are custom recoveries, and although my ported PhilZ starts, I havent gotten it to mount anything.)
A little warning: don't use anything that has anything to do with Android 5.1. Those scatter files don't work
These are great news!
"Which ones do you need?"
Probably all of them
Ok this contains the scatter file, preloader, system.img, boot.img and stock recovery.img
https://ehaffmans.stackstorage.com/index.php/s/uKGKCir0BociydU
You need SP Flash Tools v5, select the scatter file first, then deselect everything, and only select these 4 and manually select the correct files.
Btw, the name of the preloader file is wrong, don't worry. It came from this phone
I am of course not responsible for anything!
Can you guys please confirm this doesn't contain anything personal? Like personal files or IMEI or something. Thanks!

NOST - Improved Version of OST LA 6.0.4 (v0.6, 02. Mar 2019)

"NOST" - short for "No Service Tool" (or "Nokia Service Tool" but that sounds too official and boring ) is a small hobby project I've been working on in the last couple of days.
It aims to make the service tool for Nokia 8 (and HMD Phones in general) more useable, user-friendly, and straigtforward to use, and after having to test it myself, and also
making a small beta test in the Telegram group for Nokia 8, I feel like posting it here so others can try it out too if they want.
First, to be clear: NOST is not completely my work. It is based on OST LA 6.0.4, which was made by HMD/Foxconn. Unlike the previous OST Patches, NOST does not replace
the executable with a hacked one, but instead wraps it and patches the methods that need patching at runtime. The result is that the changes are completely opensource
and readable by others, while the underlying OST files are not modified at all. I tried to base it on a different (i.e. newer) version of OST, but those are pretty much unpatchable,
at least not with a serious amount of reverse engineering, which brings not only time issues but legal ones as well.
NOST changes a couple of things, compared to the unmodified OST LA:
It removes the need for authentification against HMD/FIH servers (really, shoutout to the one who made the original hack, even though I could not use their code)
Moved the logs folder to the same folder as the application, as opposed to somewhere on the system to make debugging easier
The options for flashing firmware images appear reliable now. (At least for me they only appeared sometimes if not never on the original OST).
Removed one of the options that if it appeared crashed the flashing process ("Check System AP Status")
One user of the Telegram group had issues where OST would crash because it detects an invalid locale setting in Windows. NOST just catches that issue and defaults to english
Removed the "Edit Phone Information" button. It never worked and it's only purpose was to make the "Next" button appear, which works like it should now as well.
NOST refuses to flash your phone if your bootloader isn't unlocked critically. The old OST would just try to flash but never make any progress which confuses inexperienced users.
Perhaps the most important change: NOST allows to flash modified firmware images without the need to extract and modify them by hand.
With the original OST, people who wanted to reflash their phone had to download a firmware bundle, extract and edit it to be able to use it with OST LA 6.0.4, since the newer versions
had unpatchable issues that prevent using them. Repacking the images in a format OST expects wasn't possible either since that enabled some sort of signature algorithm on the modified
images and caused the flashing to fail. NOST solves this problem by allowing the use of a different packaging format. Those binaries still need to be extracted but it is done transparently in
the background without the user having to download any other tools. The formats that can be used in images are .zip and .qlz
.zip Firmwares:
.zip firmware files are simply archives of the (edited) files that would normally be extracted from an .nb0 file. This means, if you extract a .nb0 with the extractor found on XDA, the contents
of the *_unpacked folder it creates should be the contents of your .zip.
.qlz Firmwares:
.qlz files are based on QuickLZ compression, which gives them a small size but also a low decompression time.
The tool to generate them is called exdupe. Generating these images is pretty straigtforward. Assuming you are on windows, download the exdupe
tool from the link above (or take it from the NOST Tools/ folder) and copy it into the folder that contains the unpacked .nb0.
Code:
- exdupe.exe
- <nb0 name>_unpacked/
- <nb0 name>.mlf
- ....
Open a commandline in that folder, and run the following command:
Code:
exdupe.exe <name of the folder to compress> <name of the firmware file>.qlz
You should already see how fast it compresses the firmware folder now. As a reference: Compressing the latest Nokia 8 firmware (about 4GB) takes maybe 30 seconds and yields a 2GB file.
Repacked Firmware Bundles:
I created .qlz images of the May and November firmwares, as well as one of the various Pie Maintainance Releases.
You can find them here: https://tmsp.io/fs/xda/nb1/firmware
I already successfully reverted from December Security Patch to November using NOST, and then updated back using OTA Sideloading without problems.
As always when working with flashing tools, proceed with caution!
How to unlock to critical:
KonikoO said:
For those who wonder how to unlock into critical state :
Reboot into bootloader download mode and execute those commands :
fastboot flash unlock *unlock .bin*
fastboot flashing unlock_critical
Afterwards you should be able to flash provided .qlz with NOST.
Click to expand...
Click to collapse
Download:
The actual tool: https://github.com/StollD/NOST/releases
Drivers: https://github.com/StollD/nokia-driver-installer/tree/master/out
Source Code: https://github.com/StollD/NOST
License:
OST LA 6.0.4 is copyrighted by the respective authors. It is not modified permanently.
The custom NOST code is licensed under the GNU General Public License.
Icon by Freepik © Flaticon
I tried this is working,nice tool.
Thanks dev.
Thank you THMSP! very cool?
Sent from my TA-1004 using XDA Labs
Can flash the May and November update but cannot flash latest Pie with this tool. I flashed Pie but returned back to November update?
Lee Castro said:
Can flash the May and November update but cannot flash latest Pie with this tool. I flashed Pie but returned back to November update?
Click to expand...
Click to collapse
Yes, you can revert back from Pie to Oreo using this. What is the issue with Pie for you?
THMSP said:
Yes, you can revert back from Pie to Oreo using this. What is the issue with Pie for you?
Click to expand...
Click to collapse
What I mean is if I flash the Pie file you provided I just returned back to Android 8.1 Novemeber update no changes at all. Maybe there something wrong with the Pie file you uploaded. But the rests are all working fine with the tool.
Lee Castro said:
What I mean is if I flash the Pie file you provided I just returned back to Android 8.1 Novemeber update no changes at all. Maybe there something wrong with the Pie file you uploaded. But the rests are all working fine with the tool.
Click to expand...
Click to collapse
Thanks for the hint, I will take a look. Probably just derped when pulling partitions and renaming the images (might have worked in my November folder by accident).
EDIT: I repulled the images from Pie (I indeed somehow worked in my November folder when making the image), repackaged them and updated the version in the drive folder. You should now be able to flash Pie. Sorry for the mistake.
THMSP said:
Thanks for the hint, I will take a look. Probably just derped when pulling partitions and renaming the images (might have worked in my November folder by accident).
EDIT: I repulled the images from Pie (I indeed somehow worked in my November folder when making the image), repackaged them and updated the version in the drive folder. You should now be able to flash Pie. Sorry for the mistake.
Click to expand...
Click to collapse
Thanks again,This is really a big help.
Wow, this is something we've been all seeking for a long time now ! For those who wonder how to unlock into critical state :
Reboot into bootloader download mode and execute those commands :
fastboot flash unlock *unlock .bin*
fastboot flashing unlock_critical
Afterwards you should be able to flash provided .qlz with NOST.
hey there! wonderful tool to have. Thank u so much
Not working in my laptop say a software need a to update
Blackhacker07 said:
Not working in my laptop say a software need a to update
Click to expand...
Click to collapse
If you have dependency issues I would suggest to install OST LA 6.0.4 first, so you get its dependencies, until I can make a proper installer for NOST.
THMSP said:
If you have dependency issues I would suggest to install OST LA 6.0.4 first, so you get its dependencies, until I can make a proper installer for NOST.
Click to expand...
Click to collapse
Could you perhaps figure out how to get rid of the unlocked bootloader message?
ironman38102 said:
Could you perhaps figure out how to get rid of the unlocked bootloader message?
Click to expand...
Click to collapse
Are you talking about the error message that appears when you press the Next button to start flashing?
If yes, your bootloader needs to be unlocked to critical, then the message won't appear.
If you are unsure if your bootloader is unlocked to critical, do "fastboot oem device-info", it will tell you.
If you mean the message that your phone displays when booting with an unlocked bootloader then sorry, I doubt that's possible (I think it is embedded into the bootloader).
THMSP said:
Are you talking about the error message that appears when you press the Next button to start flashing?
If yes, your bootloader needs to be unlocked to critical, then the message won't appear.
If you are unsure if your bootloader is unlocked to critical, do "fastboot oem device-info", it will tell you.
If you mean the message that your phone displays when booting with an unlocked bootloader then sorry, I doubt that's possible (I think it is embedded into the bootloader).
Click to expand...
Click to collapse
Actually its in splash.img that can be dumped. Its the hex editing possibly that might be a problem for someone not familiar with it
How to flash it's says this...
Blackhacker07 said:
How to flash it's says this...
Click to expand...
Click to collapse
What do you mean?
KonikoO said:
Wow, this is something we've been all seeking for a long time now ! For those who wonder how to unlock into critical state :
Reboot into bootloader download mode and execute those commands :
fastboot flash unlock *unlock .bin*
fastboot flashing unlock_critical
Afterwards you should be able to flash provided .qlz with NOST.
Click to expand...
Click to collapse
Thank you so much for this advice. I wouldn't have ever figured out how to unlock critical on my own and that was the thing that was preventing me from flashing. I tried searching the other OST LA flashing threads as well but this info seemed to have been missing, or then i completely missed it. Thank you so much anyways. If anybody else is trying to figure out why their OST LA or NOST is giving them the se_err_adb_cmd_get_fail_result error, this should help. I just used the unlock.key in place of the *unlock.bin* in your command and it worked.
Can you please upload Oreo December update stock and patched boot image. TIA
Yesterday I noticed that my Pie Image was still not quite useable, since it contained a corrupted system partition.
This seems to have happened because of my Magisk Setup and me only replacing the boot partition image and not uninstalling Magisk completely.
I rebuilt the image, to be fully stock, and also included the latest B07 update that @hikari_calyx uploaded yesterday. You can get it from the drive link in the OP.

Teclast M40 Pro Discoveries

Teclast M40 Pro Discoveries​Various helpful points of knowledge to unlock your bootloader, to root, and use your tablet.
Problem: Where can I obtain the official firmware?
Solution: Teclast Website
Usage: type M1A3 in search
Problem How can I unpack "pac" files?
Solution: Build C utility divinebird / pacextractor
Solution: Download pre built Linux executable pacextractor.zip
Usage: >./pacextractor Firmware.pac
Bash:
git clone https://github.com/divinebird/pacextractor
cd pacextractor
make
Problem: I need tools to flash my device
Solution: Download the latest SPD Upgrade Flash Tool SPD_Upgrade_Tool
Problem: msvcr100.dll missing error in Windows whilst running SPD (Factory/Research/Upgrade) Tools
Solution: Download and install 2010 Visual C++ Distribution
Problem: I want to unlock my bootloader. (Window and Linux kit)
Solution: Download TeclastM40Pro_Unisoc_UnlockTools.zip
Usage: Read readme file.
Problem: How can I remove the dm_verify warning on boot up after unlocking the bootloader?
Untested Solution: digitally sign the vbmeta partition and write it back. See [Tutorial] How to create a custom signed vbmeta.img
Problem: I want to root my device.
Solution: Modify boot.img with Magisk, then sign.
Usage: Upload to your device's download directory, the current boot.img read from your device, or from the same version firmware. Then install Magisk app from here. Use Magisk to patch the boot.img. Sign the partition. Then flash back the signed magisk version of boot.img to "boot_a" partition. Guide to flashing single partition at Hovatek Website
Problem: I need to emergency flash my device?
Solution: Currently only from Windows, use SPD Upgrade Tools to reflash firmware.
Usage: From the tablet powered off, or if boot looping. Hold down the power-button and volume-down for five seconds, release the power-button, and keep the volume-down button still held for another five seconds, then release or release if the detected earlier. Windows and SPD tools should then detect your device to flash.
Problem: I want to improve my Telcast M40 Pro
Solution: List of suggested apps below;
FDroid App Store F-Droid Website
Aurora > via FDroid. App store allowing the direct download from Google Playstore, without your own account.
Lawnchair > via FDroid. Fast open source sophisticated launcher.
AdAway > via FDroid. Removes adverts whilst using apps.
TrackerControl > via FDroid. Manages apps access to internet, and blocks spyware and trackers.
.
Problem: I want root mode without the effort of hacking a rom partition.
Solution: For those with World version Teclast M40 Pro device, here is a signed rooted boot partition I created. Read the readme file inside the zip. You will require an unlocked device, windows setup with USB drivers for Teclast, the complete firmware from Teclast website, and SPD Update Tools installed. If you're successful, then on rooting you will need to install Magisk app to get root active. Magisk will reboot once to finalise.
Download : TeclastM40Pro_ROW__v1p0_signedboot_magiskrooted.zip
Download : TeclastM40Pro_ROW__v1p2_signedboot_magiskrooted.zip
SPD Upgrade Tools is closing while trying to flash stock firmware, both with M40 Pro locked and unlocked bootloader. What should i do?
laurorual said:
SPD Upgrade Tools is closing while trying to flash stock firmware, both with M40 Pro locked and unlocked bootloader. What should i do?
Click to expand...
Click to collapse
Sorry for replying late. I got no indication of the response. To the problem, I can only suggest getting a different version of SPD or m aking sure your computer system is properly updated. I hope you've already solved the issue!
Maybe you're experiencing, "Problem: msvcr100.dll missing error in Windows whilst running SPD (Factory/Research/Upgrade) Tools" See above for solution.
I've noticed a new ROM for world edition, "M40 Pro(M1A3)_Android 11.0_ROW V1.02_20220525", but not getting any system update options for OTA. People flashing their systems may want the latest firmware!
Thanks to your Magisk file I was able to root my tablet, but when updating to the latest version it goes into bootloop, I have tried updating the original firmware image again, but it also goes into bootloop.
Is there any way to install Magisk modules?
Thanks for your post, it helped me a lot to unlock my tablet.
Edit: My version is the M1A1 firmware V1.03_20210804
Edit 2: Finally, when updating my tablet with the root file that is in the post, it did not allow me to install any Magisk module, the solution is to download version 24.3, and update automatically, without changing to a higher version of Magisk
Glad you worked it out Miny !!! Sorry the warning emails for new posts have been going to a gmail account I no longer use.
Also your hardware maybe different and require it's own unique firmware and boot images. It seems the cracking in similar though.
Some questions:
Do I need to unlock my bootloader in order to be able to get root with magisk?
The tools for unlocking the bootloader uses
Code:
fastboot flashing unlock_bootloader
. My version of fastboot (33.0.3p1-android-tools) doesn't have that command. The included one (0.0.0-09219) does, but I wan't to be careful about running softwar from untrusted sources. Where is that version of fastboot from?
Does any of the steps necessary to get root access delete my data?
Hi there.
I have a m40pro (M1A1) running android 11, do you know if I can install firmware Z3A1 to get android 12? Or will be bricked?
Thanks in advance
rubsbcn said:
I have a m40pro (M1A1) running android 11, do you know if I can install firmware Z3A1 to get android 12? Or will be bricked? Thanks in advance
Click to expand...
Click to collapse
To tell you the truth, not sure. Most SoC are impossible or near impossible to brick. They usually allow for an injection or have a read only boot section. Other words you could test. Also research difference in hardware between models, and that may indlicate if something may not work. The kernel/drivers are the improtant aspect.
jorkusjorkus said:
Some questions:
Do I need to unlock my bootloader in order to be able to get root with magisk?
The tools for unlocking the bootloader uses
Code:
fastboot flashing unlock_bootloader
. My version of fastboot (33.0.3p1-android-tools) doesn't have that command. The included one (0.0.0-09219) does, but I wan't to be careful about running softwar from untrusted sources. Where is that version of fastboot from?
Does any of the steps necessary to get root access delete my data?
Click to expand...
Click to collapse
What OS are you using? Google is constantly changing Android Studio and the added modules. Then others may build with options removed. Personally I use Archlinux and load up standalone android-tools from the community repository. Currently v33.0.3-3
Try fastboot --help
Your version may have
Code:
fastboot flashing unlock_critical
minyfriki said:
Thanks to your Magisk file I was able to root my tablet, but when updating to the latest version it goes into bootloop, I have tried updating the original firmware image again, but it also goes into bootloop.
Click to expand...
Click to collapse
What I found works, is when using SPD Research Tool, load up the firmware.pac and then go into settings and click "Select All Files" and again to unselect, which leaves the default required items.
Then manually change BOOT to the Magisk img. Then click on all VBMETA types, and UBOOT_LOADER (may not be required though). Then flash.
You should get bootable tablet (no looping). Warning: UserData partition is written over.
I'll share my Magisk image for v1.2
e8hffff said:
What OS are you using? Google is constantly changing Android Studio and the added modules. Then others may build with options removed. Personally I use Archlinux and load up standalone android-tools from the community repository. Currently v33.0.3-3
Try fastboot --help
Your version may have
Code:
fastboot flashing unlock_critical
Click to expand...
Click to collapse
I'm using the same version as you on the same OS. After some research it seems like unlock_bootloader was removed in this commit from 2018. From what I can tell, unlock_critical does something else (unlock_bootloader runs
Code:
fb_queue_download("unlock_message", data, sz); fb_queue_command("flashing unlock_bootloader", "unlocking bootloader");
while unlock_critical runs
Code:
do_oem_command("flashing", "unlock_critical" and doesn't take the signature argument);
)
I'll see if I can compile the older version with the needed command.
What about my other questions?
Issue: Android not starting. I had the infinite restart when plugged in the usb. I tried to reload the installation package (succeeded), but didn't fixed the issue. Battery was not charging yet. When I started the Teclast M40 pro, the logo showed up, but the tablet turned off again.
Solution: I have disassembled the cover, unplugged the 5 pin plug from the battery for half hour and plugged again. When I tried to turn it on, everything was fine.
dougcwb said:
Solution: I have disassembled the cover, unplugged the 5 pin plug from the battery for half hour and plugged again. When I tried to turn it on, everything was fine.
Click to expand...
Click to collapse
Wow that's weird Doug. Remember this, if you don't already know, that you can do a cold start by holding down the power button for over 10 seconds, on most devices.
I guess you're running now on rooted tablet !!!
e8hffff said:
Wow that's weird Doug. Remember this, if you don't already know, that you can do a cold start by holding down the power button for over 10 seconds, on most devices.
I guess you're running now on rooted tablet !!!
Click to expand...
Click to collapse
I did the installation package process that the Teclast sent me. The last thing they told me to do was keep trying to install the package (wft?). Well, I just open the tablet, unplugged the battery for a while and after that it worked.
Maybe this resolved 2 things:
1-the battery was not properly connected in the first place, so when I plugged the 5 pin to the board it connected as it should.
2- Maybe there is a "memory" in the board attached to the battery that was bricked (or something like that) when I pulled off the plug, this memory was reseted.
BTW, when the tablet came to life again, the battery was at 87%.

How To Guide Guide to Lock Bootloader while using Rooted GrapheneOS (Magisk Root)

This guide is intended to help people to achieve having a Pixel 6 Pro using GrapheneOS with Root (using Magisk) and a Locked Boot Loader
Though it should be possible to do this with any device that GrapheneOS officially supports.
Do not ever disable the OEM unlocking checkbox when using a locked bootloader with root. This is critically important. With root access, it is possible to corrupt the running system, for example by zeroing out the boot partition. In this scenario, if the checkbox is turned off, both the OS and recovery mode will be made unbootable and fastboot flashing unlock will not be allowed. This effectively renders the device hard bricked.
I am not responsible for any harm you may do to your device, follow at your own risk etc etc, Rooting your device can potentially introduce security flaws, I am not claiming this to be secure.
Simple method without building from source Although I highly recommend building Graphene yourself,
All you really need to do is patch the official OTA released by graphene using AVBRoot
Simply flash the official factory graphene build, then your patched OTA, then flash the avb_pkmd.bin you created following the instructions for AVBRoot and you can lock the bootloader, with patched rooted graphene.
You will need to patch each new OTA to update and sideload the update as explained HERE Flash it to Both Slots
Better Method, But requires more time and a decent computer
Only Recommended for people with experience things building from source
The first step is to build GrapheneOS from its sources or to use AVBRoot on official builds. I will include some of the information specific for Pixel 6 Pro to help with the build process
Part one, follow this guide to build GrapheneOS from source
You will want to build a Stable Release using the TAG_NAME
Code:
TP1A.221105.002.2022111000
this an EXAMPLE Tag for the Pixel 6 Pro
Find the Latest tag on the Releases page https://grapheneos.org/releases#raven-stable
Build the Kernal for Raviole (6th generation Pixels) and follow all the instructions there
When it comes to the step of "Extracting vendor files for Pixel devices"
The DEVICE is
Code:
raven
and an Example of the BUILD_ID is
Code:
tp1a.221105.002
Check the TAG_NAME for the Latest BUILD_ID
Continue to follow the guide until completion, creating your own Keys during the process
I do recommend testing to Lock the Boot Loader, Just to see if you are able to
In my experience if the pixel does not detect a valid signed boot etc, it will not allow you to lock the bootloader
So if it brings up the screen on your phone where you can confirm the locking of the bootloader
at this stage you can just select No / Do not lock
To build with a specific BUILD_NUMBER use the command
Code:
export BUILD_NUMBER=2022112500
Replacing the number with what matches the version you are attempting to build
Remove the encryption from keys/raven/avb.pem that was created for Graphene so that you can use it with AVBRoot
Use the script
Code:
script/decrypt_keys.sh
https://grapheneos.org/build#encrypting-keys
And set a copy of the key aside for the next steps.
Use the following process to create the correct keys for AVBRoot & GrapheneOS
Use the avb.pem you decrypted in the last step
Convert the avb.pem to avb.key with the following command
Code:
openssl rsa -outform der -in avb.pem -out avb.key
Then clone the avb.key and rename it to ota.key
as it says "The boot-related components are signed with an AVB key and OTA-related components are signed with an OTA key. They can be the same RSA keypair, though the following steps show how to generate two separate keys."
Convert the public key portion of the AVB signing key to the AVB public key metadata format. This is the format that the bootloader requires when setting the custom root of trust.
Code:
PATH/TO/avbroot/external/avb/avbtool.py extract_public_key --key avb.key --output avb_pkmd.bin
Generate a self-signed certificate for the OTA signing key. This is used by recovery for verifying OTA updates.
Code:
openssl req -new -x509 -sha256 -key ota.key -out ota.crt -days 10000 -subj '/CN=OTA/'
I also edit the "CN" to match what I used earlier when I generated the keys for Graphene
I am not entirely certain what other of the keys I should use instead, I think this is the best approach for now
as it creates all the keys it requires and this process works for me
Copy the OTA (raven-ota_update-*.zip) from the folder where you have your own Factory Graphene Build and use this with AVBRoot
Then you will have all the keys and files you need to continue the guide and use the AVBRoot script
Now it's time to follow the instructions Here https://github.com/chenxiaolong/avbroot
To create a full factory installer, Intall it and lock the bootloader.
When you are done with AVBRoot and you have the boot.img, vbmeta.img and vendor_boot.img
All patched and signed by AVBRoot, Take a factory image from your Graphene Build and Extract it anywhere
Open the image-raven-*.zip with an Archive manager
Delete the existing boot.img, vbmeta.img and vendor_boot.img files and replace them the patched ones
also replace the avb_pkmd.bin with the one you have created in the previous steps for AVBRoot (might work without this step)
Finally, you are able to run the flash-all.sh and then lock the bootloader
Code:
./flash-all.sh
Code:
fastboot flashing lock
Updating is very simple, Once you use AVBRoot to create the Patched OTA.zip
you can reboot to recovery and flash the patched ota.zip with adb sideload
Code:
adb sideload raven-ota_update-*.zip.patched
https://grapheneos.org/usage#updates-sideloading
Creating the patched full factory installer is not required if you simply flash the avb custom key and the patched OTA zip before locking the bootloader, after flashing the unpatched full system install build
This for me allowed me after much struggle to achieve a Rooted, Locked Boot Loader using GrapheneOS and Magisk
Now though with this guide worked out, I think it should be quite easy for anyone with basic terminal knowledge to accomplish.
Something to note is that GrapheneOS does Not Pass the CTS Profile integrity check
and I do Not Pass the Play Integrity API Check currently, Neither the Basic or Strong check
But I can pass the Basic attestation Safety Net test when using the patched SafetyNet Fix
Further testing is needed and welcomed to try and pass SafetyNet and Play Integrity
To Be Clear, Although it already should be, This is NOT Modifying the official Graphene OS Sources, it is simply using them as a SOURCE for a GUIDE, You build it using unmodified grapheneOS source code so it is an unnofficial build according to their website
Sources: GrapheneOS, AVBRoot, Magisk
PayPal Donation Link
I highly recommend using your own build that is signed with your own keys that you can keep secure!
I make no promises to provide any updates to this rom at this time
Here more as a proof of concept that it works and updates are possible
Latest builds moved to: Unofficial GrapheneOS, Magisk Patched for Pixel 6 / 6 Pro
This really is quite cool man. Maybe I'll try this on my new P7P. This way we have everything. Well Done!
How would you update the rom? Repeat the whole process?
Spl4tt said:
This really is quite cool man. Maybe I'll try this on my new P7P. This way we have everything. Well Done!
How would you update the rom? Repeat the whole process?
Click to expand...
Click to collapse
I haven't worked out updating yet but all it requires is patching an updated OTA with AVBRoot in theory
I have been quite busy irl and haven't had much time to play around with it, if you do figure it out then please let me know
Spl4tt said:
This really is quite cool man. Maybe I'll try this on my new P7P. This way we have everything. Well Done!
How would you update the rom? Repeat the whole process?
Click to expand...
Click to collapse
now that I have had time to do it, Updating was very easy
I have also updated and improved the process for getting and creating the correct keys used for signing
After updating it booted normally, still rooted, no apparent problems or issues
New Release 2022111000
Changes since the 2022110800 release:
remove TrustCor Certificate Authority due to malicious domain squatting and ties to entites involved in surveillance which should have very little impact on web compatibility due to this CA barely being used by anyone other than a specific dynamic DNS provider
ignore wireless alert channels being marked as always-on to prevent channel configuration overriding presidential alert toggle
GmsCompatConfig: change app label from "GmsCompat config" to "GmsCompatConfig"
GmsCompatConfig: disable TelecomTaskService to resolve sandboxed Google Play services crash caused by feature flag
kernel (Pixel 4, Pixel 4 XL, Pixel 4a, Pixel 4a (5G), Pixel 5, Pixel 5a): update base kernel to Android 13 QPR1 Beta 3 to ship the December security update early
Vanadium: update Chromium base to 107.0.5304.105
Download Moved to https://forum.xda-developers.com/t/...magisk-patched-13-raven.4518953/post-87728629
Hey, thanks for the excellent guide, this is all about to be applicable to me
I have run into a small issue though, when generating the avb.key, openssl gives me an unsupported error
openssl rsa -outform der -in avb.pem -out avb.key
routines:ssl_store_handle_load_result:unsupported:crypto/store/store_result.c:151:
Unable to load certificate
I am wondering if since I didn't put a password on the keys if that caused an issue. I tried encrypted/decrypted, same issue. It's a fresh arch linux install, so packages are up to date.
Thanks!
Wouldn't rooting GrapheneOS decrease the security of the operating system, a key aspect that Graphene is designed to improve? Seems like that defeats the purpose of using it in the first place.
holofractal said:
Hey, thanks for the excellent guide, this is all about to be applicable to me
I have run into a small issue though, when generating the avb.key, openssl gives me an unsupported error
openssl rsa -outform der -in avb.pem -out avb.key
routines:ssl_store_handle_load_result:unsupported:crypto/store/store_result.c:151:
Unable to load certificate
I am wondering if since I didn't put a password on the keys if that caused an issue. I tried encrypted/decrypted, same issue. It's a fresh arch linux install, so packages are up to date.
Thanks!
Click to expand...
Click to collapse
Thank you, I am glad that it has been helpful for you, I have not encountered that error myself but I did use a password initially for the steps to create the keys for Graphene, I don't think this should matter though
If you don't mind and are able to, can you create another copy of the avb.pem, see if the problem still occurs and share it with me if it does, so I can test if I get the same error when I use your .pem
EonOfBlack said:
Wouldn't rooting GrapheneOS decrease the security of the operating system, a key aspect that Graphene is designed to improve? Seems like that defeats the purpose of using it in the first place.
Click to expand...
Click to collapse
I do clearly say in the first post
> Rooting your device can potentially introduce security flaws, I am not claiming this to be secure.
I don't believe just using magisk is really such an issue, you are able to deny root from any applications you don't want to use it
it is possible there are unknown security vulnerabilities in magisk, but that's the same with anything.
Even though it may introduce some potential security vulnerabilities that Graphene combats against
I believe it should be everyones choice to use root and lock their boot loader if they choose to do so
holofractal said:
routines:ssl_store_handle_load_result:unsupported:crypto/store/store_result.c:151:
Unable to load certificate
Click to expand...
Click to collapse
This problem appears to be related to this https://github.com/openssl/openssl/issues/14100#issuecomment-847125920
A great and helpful guide!
Thank you, dear FireRattus
​
FireRattus said:
This problem appears to be related to this https://github.com/openssl/openssl/issues/14100#issuecomment-847125920
Click to expand...
Click to collapse
openssl x509 -outform der -in avb.pem -out avb.crt
It was this command
Code:
openssl x509 -outform der -in avb.pem -out avb.crt
Could not read cert etc. of certificate from avb.pem
4087C8C0777F0000:error:1608010C:STORE routines:ossl_store_handle_load_result:unsupported:crypto/store/store_result.c:151:
Following grapheneos's guide, that is generated with:
openssl genrsa 4096 | openssl pkcs8 -topk8 -scrypt -out avb.pem
I think the root of this issue is that the pkcs8 avb.pem is an RSA private key, and the command you specified is expecting a certificate.
At any point in time do you use the crt made by Copy the avb.pem and convert it to .crt with this command step?
So if I read over everything right, I believe the solution here would be to use
openssl req -new -x509 -sha256 -key avb.key -out avb.crt -days 10000 -subj '/CN=AVB/'
But since avb and ota can be the same key, then presumably avb.crt and ota.crt could be the same as well? I get my pixel 7 tonight. I'll try and report back.
I may have accidentally made a mistake like that in the guide, I am not able to test it at the moment but would love to know what works for you
FireRattus said:
I may have accidentally made a mistake like that in the guide, I am not able to test it at the moment but would love to know what works for you
Click to expand...
Click to collapse
So you don't even need that last section.
There are some small differences for the pixel 7 though, but it was easy enough.
I have to say, building grapheneos was the easiest time I've ever had building a ROM. Not once did I have to go on Google fishing for answers. Flashing the ROM and relocking the bootloader took less than 10m, even with root.
This is why I switched to a pixel. I am too old and don't have the time to sit here and fiddle with my phone for hours on end anymore. I need things to just work.
This is as close as you are going to get to first party level support with aftermarket software, but I still care about privacy.
I'll do a write up later so other's don't have the same issues as me, but thanks for getting me started!
holofractal said:
So you don't even need that last section.
There are some small differences for the pixel 7 though, but it was easy enough.
I have to say, building grapheneos was the easiest time I've ever had building a ROM. Not once did I have to go on Google fishing for answers. Flashing the ROM and relocking the bootloader took less than 10m, even with root.
This is why I switched to a pixel. I am too old and don't have the time to sit here and fiddle with my phone for hours on end anymore. I need things to just work.
This is as close as you are going to get to first party level support with aftermarket software, but I still care about privacy.
I'll do a write up later so other's don't have the same issues as me, but thanks for getting me started!
Click to expand...
Click to collapse
I am really glad that the process could be made so smooth and simple for you
I did spend a long time trying to get a rooted grapheneOS with a locked boot loader before I managed to finally work it out, thanks mostly to the developer of AVBRoot, their script is the essential part which has made this so easy
with my internet troubles as well it ended up taking me a few weeks from when I initially started trying to when I was able to lock the booloader with root successfully
Now that I have it all worked out though, I can update and patch it in very little time
Although I did write this guide for the Pixel 6 I would be happy to include any additional information which could be helpful for people using other pixels, I am just not able to test and verify the information myself on other devices
and you don't need the last section? the part where I create a full patched installer ? I did think about this, just using the patched OTA to update the rom should also work to get you root with a locked bootloader if you first flash the full installer you built yourself
I think this is possibly a better way of doing it, but I like also having the patched full installer
I would like to hear peoples opinions and what works best for them.
holofractal said:
I think the root of this issue is that the pkcs8 avb.pem is an RSA private key, and the command you specified is expecting a certificate.
At any point in time do you use the crt made by Copy the avb.pem and convert it to .crt with this command step?
So if I read over everything right, I believe the solution here would be to use
openssl req -new -x509 -sha256 -key avb.key -out avb.crt -days 10000 -subj '/CN=AVB/'
But since avb and ota can be the same key, then presumably avb.crt and ota.crt could be the same as well? I get my pixel 7 tonight. I'll try and report back.
Click to expand...
Click to collapse
I have tested it now and the last command I had to create the files was an unnecessary step I left in by mistake, I have updated and corrected the guide so that now people should be able to use those commands without error to create the required files for AVBRoot
there should be no need to have an avb.crt and if there is, then the ota.crt should suffice
I believe it was this change to AVBRoot which led to me making this mistake
Merge pull request #3 from tnagorran/master · chenxiaolong/[email protected]
Update README.md
github.com
FireRattus said:
I am really glad that the process could be made so smooth and simple for you
I did spend a long time trying to get a rooted grapheneOS with a locked boot loader before I managed to finally work it out, thanks mostly to the developer of AVBRoot, their script is the essential part which has made this so easy
with my internet troubles as well it ended up taking me a few weeks from when I initially started trying to when I was able to lock the booloader with root successfully
Now that I have it all worked out though, I can update and patch it in very little time
Although I did write this guide for the Pixel 6 I would be happy to include any additional information which could be helpful for people using other pixels, I am just not able to test and verify the information myself on other devices
and you don't need the last section? the part where I create a full patched installer ? I did think about this, just using the patched OTA to update the rom should also work to get you root with a locked bootloader if you first flash the full installer you built yourself
I think this is possibly a better way of doing it, but I like also having the patched full installer
I would like to hear peoples opinions and what works best for them.
Click to expand...
Click to collapse
Oh I meant the part about avb.crt.
As for differences, if you follow the pixel 7 section on grapheneos build guide, that will suffice. Also, instead of boot.img, you flash init_boot.img.
I did also make myself an OTA and flashed it through adb, and that worked great. I want to try making my own OTA server to do away with flashing via PC. I have other family on graphene now too, so it wouldn't be all that effort just for myself.
holofractal said:
Oh I meant the part about avb.crt.
As for differences, if you follow the pixel 7 section on grapheneos build guide, that will suffice. Also, instead of boot.img, you flash init_boot.img.
I did also make myself an OTA and flashed it through adb, and that worked great. I want to try making my own OTA server to do away with flashing via PC. I have other family on graphene now too, so it wouldn't be all that effort just for myself.
Click to expand...
Click to collapse
I did end up figuring out that is what you probably meant. since the differences for the pixel 7 are essentially in the graphene build guide, I don't think any changes are really necessary for the guide, I do recommend just following the official guide for that part, I just include some information to help make that process a bit easier for peoples first time building the rom
for me, it wasn't very clear what the TAG_NAME and BUILD_ID were supposed to be as they didn't provide examples, but a little bit of trial and error helped me work it out
Although, since you flash init_boot, does that init_boot get patched by avbroot?
I would also like to setup an OTA server, although I don't really have the funds to do that at the moment
Guide has been updated with a much simpler method thanks to https://forum.xda-developers.com/m/boom15.11870611/
I haven't tested it myself but it was pointed out, that for those who want to
All you need to do is use AVBRoot to patch the official OTA's provided by Graphene following the instructions in the readme here https://github.com/chenxiaolong/avbroot
I did think this should be possible, but I still recommend building it from source yourself if you are able to

Categories

Resources