Related
I have somehow messed up my folio 100, and its BCT and bootloader information.
So im hoping someone else with little experience, knows how to use the nvflash utilities and dump the information for me and send me a link on where to get it.
the combo to get into bootloader mode is: POWER button pressed 4 times + VOL- key and it will go into bootloader mode.
I can extract these tomorrow evening.
Can you be clearer with the bootload sequence?
Tried to get the booload seq. Ended up with a partial reset of settings...
tshoulihane said:
I can extract these tomorrow evening.
Can you be clearer with the bootload sequence?
Tried to get the booload seq. Ended up with a partial reset of settings...
Click to expand...
Click to collapse
well, i dont think you should try it..!!
another user did, he ended up with a semi-bricked device too.. so thanks but now the fun stops.. it seems that Toshiba included a very,very bad key combo that terminates the device to a deadlocked machine..
so ill just figure out another way to get the partitions off it.. but my 4xpower + vol- is really scary, do NOT try it
at least until is cleared on how to get out of this bootloader state again.
I dumped the partitions which are visible from android already. Don't quite know what got resentment with your key sequence - DATA wiped? Some of the preloaded apps are broken now, but they were a bit broken before.
tshoulihane said:
I dumped the partitions which are visible from android already. Don't quite know what got resentment with your key sequence - DATA wiped? Some of the preloaded apps are broken now, but they were a bit broken before.
Click to expand...
Click to collapse
so you mean, you can extract all partitions from a shell?
ie. bootloader of partition2 and so forward?
i didnt notice that all 8 partitions were accessable there?
can you upload the dump of them somewhere?
A guy made the dumps of the ROM (not the recovery image though) on the forum of Frandroid DOT fr but I cannot post you the link directly here (anti spam as I do not have many messages on the forum).
I will PM you (if it allows me)
bootoo said:
A guy made the dumps of the ROM (not the recovery image though) on the forum of Frandroid DOT fr but I cannot post you the link directly here (anti spam as I do not have many messages on the forum).
I will PM you (if it allows me)
Click to expand...
Click to collapse
i have the dump of the /system i need all of the other partitions ie. 0 to 8
i cannot restore system, as i got no bootable tablet at all, i need raw partition dumps which i hope can be used using nvflash
Is it possible to extract opera mobile 10.1 apk?
toca79 said:
Is it possible to extract opera mobile 10.1 apk?
Click to expand...
Click to collapse
look for it here
Dexter_nlb said:
look for it here
Click to expand...
Click to collapse
Thx a lot found it.
I think the resolution is too high though.
Hi Dex, did you was able to restore your bricked folio?
roglio said:
Hi Dex, did you was able to restore your bricked folio?
Click to expand...
Click to collapse
decided to get another one..
ok!
I was hoping you did it because I'm a little tired of android (apple fan ).
My idea was to build and flash linux (ubuntu 10.10 works on toshiba AC100).
But if there isn't a way to restore the factory default (bootloader, etc.), I'll give up.
roglio said:
My idea was to build and flash linux (ubuntu 10.10 works on toshiba AC100).
Click to expand...
Click to collapse
when i was debugging bootloader configs, i was provided some config files that Ac100 users said would work on our folio, but i see now partition setup is very different, so we need to make proper configs for our folio before experimenting with the bootloader..
again, as you metion backup seems to do , when recover seems unavailable currently. it will be hard to verify if the parition table layout is working.
Hi,
sorry, maybe I missunderstood someting, but I cannot understand your problem in reading out the whole flash.
1. I have opened / disassembled my Filio 100. And like I have suspected there is a 16GB micoSD card connected (soldered) to the PCB and fixed with glue. One could read out the whole flash in a card reader.
2. You have fully access to the microSD card out of Android:
/dev/block/mmcblk0
sh-4.1# cd /dev/block
cd /dev/block
sh-4.1# pwd
pwd
/dev/block
sh-4.1# ls -l
ls -l
brw------- root root 254, 1 2010-12-07 08:46 dm-1
brw------- root root 254, 0 2010-12-07 08:46 dm-0
drwxr-xr-x root root 2010-12-07 08:45 vold
brw------- root root 179, 17 2010-12-07 08:45 mmcblk1p1
brw------- root root 179, 16 2010-12-07 08:45 mmcblk1
brw------- root root 7, 7 2010-12-07 08:45 loop7
brw------- root root 7, 6 2010-12-07 08:45 loop6
brw------- root root 7, 5 2010-12-07 08:45 loop5
brw------- root root 7, 4 2010-12-07 08:45 loop4
brw------- root root 7, 3 2010-12-07 08:45 loop3
brw------- root root 7, 2 2010-12-07 08:45 loop2
brw------- root root 7, 1 2010-12-07 08:45 loop1
brw------- root root 7, 0 2010-12-07 08:45 loop0
brw------- root root 179, 8 2010-12-07 08:45 mmcblk0p8
brw------- root root 179, 7 2010-12-07 08:45 mmcblk0p7
brw------- root root 179, 6 2010-12-07 08:45 mmcblk0p6
brw------- root root 179, 5 2010-12-07 08:45 mmcblk0p5
brw------- root root 179, 4 2010-12-07 08:45 mmcblk0p4
brw------- root root 179, 3 2010-12-07 08:45 mmcblk0p3
brw------- root root 179, 2 2010-12-07 08:45 mmcblk0p2
brw------- root root 179, 1 2010-12-07 08:45 mmcblk0p1
brw------- root root 179, 0 2010-12-07 08:45 mmcblk0
sh-4.1#
Regards, Artem
Hi DerArtem! Nice first post indeed!!!!
Thank you for your information.
A micro SD soldered is a nice gift from toshiba!!! This means upgrades, full dumps, etc.
Great
A request: could you please post some pictures?
DerArtem said:
sorry, maybe I missunderstood someting, but I cannot understand your problem in reading out the whole flash.
Click to expand...
Click to collapse
did i write i had problem dumping the entire mmc device? not really.
Yes, you misunderstood,Writing a proper cfg file describing the different areas is required.. dumping is easy part, documenting is harder..
but feel free to contribute and document the .cfg file for bootloader, that is of course appreciated...
I just got back from my business trip, and finally had some more time to take a closer look at the device.
roglio said:
Hi DerArtem! Nice first post indeed!!!!
Thank you for your information.
A micro SD soldered is a nice gift from toshiba!!! This means upgrades, full dumps, etc.
Great
A request: could you please post some pictures?
Click to expand...
Click to collapse
The device has a warranty seal inside. If you open the device completly the seal will break. I have just opened the device soo far, that the seal will not break. To make photos I will have to open it copletly. I will think about it....
Dexter_nlb said:
did i write i had problem dumping the entire mmc device? not really.
Yes, you misunderstood,Writing a proper cfg file describing the different areas is required.. dumping is easy part, documenting is harder..
but feel free to contribute and document the .cfg file for bootloader, that is of course appreciated...
Click to expand...
Click to collapse
Ok, I see. I have duped the mmc and mounted the partitions on my pc:
Here is the partition table on my PC:
Code:
[email protected] ~/bin/folio $ /sbin/fdisk -u -l folio.img
Platte folio.img: 15.9 GByte, 15920005120 Byte
1 Köpfe, 63 Sektoren/Spur, 493551 Zylinder, zusammen 31093760 Sektoren
Einheiten = Sektoren von 1 × 512 = 512 Bytes
Sector size (logical/physical): 512 bytes / 512 bytes
I/O size (minimum/optimal): 512 bytes / 512 bytes
Disk identifier: 0x00000000
Gerät boot. Anfang Ende Blöcke Id System
folio.img1 2048 526335 262144 83 Linux (/system)
folio.img2 526336 2623487 1048576 83 Linux (/cache)
folio.img3 2623488 2627583 2048 83 Linux (/misc)
folio.img4 2627584 31093759 14233088 5 Erweiterte
folio.img5 2628608 2644991 8192 83 Linux (???)
folio.img6 2646016 4743167 1048576 83 Linux (/data)
folio.img7 4744192 4754431 5120 83 Linux (???)
folio.img8 4755456 31093759 13169152 83 Linux (13G - storage)
Now you can mount the partitions on your pc:
Code:
sudo mount -o loop,ro,offset=$((512*2048)) folio.img /mnt/floppy/
I was not able to find the kernel or the bootloader or the root partition in the dump. I have also checked it with a hex editor.
Is the Folio using an other storage for kernel and bootloder? Does it have more NOR/NAND flash inside?
While looking at the size of the microSD (15920005120 bytes) I think that the bootloader is hiding a part of the microSD from the OS where the kernel and the bootloader are...
Where is the .cfg file you are talking about located?
DerArtem said:
Where is the .cfg file you are talking about located?
Click to expand...
Click to collapse
its a file assoiciated with the nvflash utility. search for the toshiba AC100 or here for more details for them it works fine.
the part 5 and 7 are boot kernel(8Mbyte) + recovery kernel(5Mbyte) , bootloader is as i know from ac100 on part0 , but thats not 100% yet.
Dexter_nlb said:
the part 5 and 7 are boot kernel(8Mbyte) + recovery kernel(5Mbyte) , bootloader is as i know from ac100 on part0 , but thats not 100% yet.
Click to expand...
Click to collapse
So, I have checked part 5 and 7. The content is the same like in boot.img and recovery.img. So the BCT is somewhere else...
Hello,
Here is something potentially useful for the devs.
I took some time the past few days to experiment a bit with my phone and work on my hexdump skills. After a few days, I came up with some interesting results which I think is worth posting.
CDT Table for Droid X2
After unpacking and experimenting a bit with the two SBF files for the DX2, I noticed an interesting pattern develop in CG3 (Code Group?). CG3 describes the CDT (Code Description Table?) which defines contents of the SBF file by each CG and where in flash memory space the CG is installed (I'd publish that too but I'm not trusting what Depacker 1.3 is telling me). I used the DX1 CDT file (found in CG31) as a reference but was hard since the format changed between the DX1 and the DX2. There is a pattern and here is what I currently have.
HTML:
CDT Entry # CDT Start Byte CDT Name CG# Signed Partition Location within Partition Signature Location Exists in SBF
1 0x0010 rdl.bin ? ? ? ? ? ?
2 0x0058 ptable 2 N ? 0x00000000 - 0x000057FF - Y
3 0x00A0 cdt.bin 3 Y mmcblk0p2 0x00000000 - 0x0007FFFF 0x0007F7FC - 0x0007FC52 Y
4 0x00E8 configtable 39 Y ? 0x00000000 - 0x002FFFFF 0x002FF7FC - 0x002FFC50 Y
5 0x0130 partitiontable 40 ? ? ? ? N
6 0x0178 bootloader 42 Y mmcblk0p1 0x00000000 - 0x002FFFFF 0x002FF7FC - 0x002FFC50 Y
7 0x01c0 mbr 45 ? ? ? ? N
8 0x0208 ebb 46 ? ? ? ? N
9 0x0250 microboot 47 Y mmcblk0p1 0x00300000 - 0x0037FFFF 0x0037F7FC - 0x0037FC52 Y
10 0x0298 pds 51 N mmcblk0p3 0x00000000 - 0x001FFFFF - N
11 0x02E0 ebr 52 ? ? ? ? N
12 0x0328 sp 53 ? ? ? ? N
13 0x0370 cid 54 ? ? ? ? N
14 0x03B8 misc 55 ? ? ? ? N
15 0x0400 logo.bin 56 N ? 0x00000000 - 0x00031FFF - Y
16 0x0448 kpanic 57 ? ? ? ? N
17 0x0490 recovery 58 Y mmcblk0p10 0x00000000 - 0x007FFFFF 0x007FF7FC - 0x007FFC52 Y
18 0x04D8 boot 59 Y mmcblk0p11 0x00000000 - 0x007FFFFF 0x007FF7FC - 0x007FFC52 Y
19 0x0520 system 60 N mmcblk0p12 0x00000000 - 0x1C1FFFFF - Y
20 0x0568 webtop 61 ? ? ? ? N
21 0x05B0 cdrom 62 N mmcblk0p14 0x00000000 - 0x013FFFFF - Y
22 0x05F8 cache 63 N mmcblk0p15 0x00000000 - 0x133FFFFF - N
23 0x0640 userdata 64 N mmcblk0p16 0x00000000 - 0x7FFFFFFF - N
24 0x0688 preinstall 65 N mmcblk0p17 0x00000000 - 0x12BFFFFF - Y
25 0x06D0 sdcard 66 N mmcblk1 - - N
I also tried to map the CGs to partitions in /dev/block. It some cases it was really simple especially since most of the bottom of the table is already mounted (adb shell cat /proc/partitions). The others I had to pull a data copy (e.g. adb shell su -c "dd if=/dev/block/mmcblk0p1 of=/mnt/sdcard-ext/Dev/Partitions/mmcblk0p1.img"), copied the blocks to the computer and did hex compares for the first 0x300 or so bytes. In some cases (particularly mmcblk0p1 where the bootloader and the microboot are made one block together), two CG files are flashed onto one partition back-to-back. In that case I got a bit lucky with hex searching.
Things got more interesting when comparing SBFs of the DX2's sister phones (Atrix 4G and Photon 4G). It turns out not only the table is located in the same CG (CG3) but it also follows the same byte order. Either the names and CG numbers are slightly different (Atrix) or the table is identical to the DX2 with a few extra entries (Photon). Here is what I have.
HTML:
CDT Entry # CDT Start Byte DX2 CDT Name DX2 CG# Atrix CDT Name Atrix CG# Photon CDT Name Photon CG#
1 0x0010 rdl.bin ? rdl.bin ? rdl.bin ?
2 0x0058 ptable 2 ptable 2 ptable 2
3 0x00A0 cdt.bin 3 CDT.bin 3 cdt.bin 3
4 0x00E8 configtable 39 BCT.bin 42 configtable 39
5 0x0130 partitiontable 40 PT.bin 43 partitiontable 40
6 0x0178 bootloader 42 EBT.bin 44 bootloader 42
7 0x01c0 mbr 45 MBR.bin 45 mbr 45
8 0x0208 ebb 46 EBB.bin 46 ebb 46
9 0x0250 microboot 47 NVC.bin 47 microboot 47
10 0x0298 pds 51 PDS.bin 48 pds 51
11 0x02E0 ebr 52 EBR.bin 49 ebr 52
12 0x0328 sp 53 SP.bin 50 sp 53
13 0x0370 cid 54 CID.bin 51 cid 54
14 0x03B8 misc 55 MSC.bin 52 misc 55
15 0x0400 logo.bin 56 LOG.bin 53 logo.bin 56
16 0x0448 kpanic 57 KPA.bin 54 kpanic 57
17 0x0490 recovery 58 SOS.bin 55 recovery 58
18 0x04D8 boot 59 LND.bin 56 boot 59
19 0x0520 system 60 APP.bin 57 system 60
20 0x0568 webtop 61 OSH.bin 58 webtop 61
21 0x05B0 cdrom 62 CDR.bin 59 cdrom 62
22 0x05F8 cache 63 CAC.bin 60 cache 63
23 0x0640 userdata 64 UDA.bin 61 userdata 64
24 0x0688 preinstall 65 PIA.bin 62 preinstall 65
25 0x06D0 sdcard 66 SDC.bin 63 sdcard 66
26 0x0718 EBF.bin 64 gpt 67
27 0x0760 NVF.bin 65
Verification
One thought must be going through your head is "how is this single digit poster coming up with this stuff?" One, despite not being a true dev, I like looking at low level code and have some experience with it. Second, I encourage that someone takes the time verify my findings by replicating the methods I used as well as provide any thoughts on making low level hex analysis useful.
SBFs Used:
Droid X2: VRZ_MB870_DTN-14.8_1FF_01.sbf
Atrix 4G: OLYFR_U4_1.5.2_SIGNED.sbf
Photon 4G: 1FF-sunfire-user-2.3.4-4.5.1A-1_SUN-154_MR-3-CM-release-keys-signed-Sprint-US.sbf
Procedure
- Take a SBF file
- Unpack using Moto Android Depacker 1.3
- Open CG3 in a hex editor (Hex Fiend is free for MacOSX)
- Find the location where an ASCII name starts (e.g. 0x0178 = bootloader, see tables above)
- Exactly 0x21 bytes from the start of the name is the CG value in hex
Thoughts
This analysis comes to mind two things:
1. A "Full" SBF does not mean it has all the partitions. - There is a possibility of bricking your phone beyond belief and even an SBF may not save you.
2. The DX2 seems to be really close to its siblings (Atrix 4G and especially Photon 4G). - I hate the idea gets thrown around of "Don't use Atrix mods unless you like bricks" without any real technical explanation as to why not. I'm not saying that people tomorrow should flash Atrix SBFs onto DX2 phones. I am saying that we (the DX2 community) should be aware and work closely with the other sister communities to know EXACTLY where the differences between the two phones lie. And hopefully the communities can contribute something that everyone can benefit (i.e. DX2 and Photon 4G ports of the Atrix bootloader unlock).
I'll experiment with a few other ideas I have in mind and I'll post them as I find something. Thanks for reading.
- mostKnownUnknown
As this makes no sense to me as a whole, I definetely agree with the similarity of Atrix and DX2.
I am guessing we could [somewhat] easily port the IHOP sbf unlock straight to our phone, and give us an unlocked bootloader.
Very thorough research! Well done!
religi0n said:
As this makes no sense to me as a whole, I definetely agree with the similarity of Atrix and DX2.
I am guessing we could [somewhat] easily port the IHOP sbf unlock straight to our phone, and give us an unlocked bootloader.
Click to expand...
Click to collapse
I doubt this quite a bit, as even the international version of the Atrix required a different SBF for IHOP, and with the X2, we're talking about different amount of RAM (which, coincidentally, was actually an issue with the international Atrix), and a different radio/chipset. However, it isn't a stretch to imagine that a couple of devoted devs could figure out a way to port the unlocked bootloader, especially since the Tenfar System Recovery worked with minimal modifications. So, hopefully.
jeffster888 said:
I doubt this quite a bit, as even the international version of the Atrix required a different SBF for IHOP, and with the X2, we're talking about different amount of RAM (which, coincidentally, was actually an issue with the international Atrix), and a different radio/chipset. However, it isn't a stretch to imagine that a couple of devoted devs could figure out a way to port the unlocked bootloader, especially since the Tenfar System Recovery worked with minimal modifications. So, hopefully.
Click to expand...
Click to collapse
I agree with you. Could we get a unlocked boot loader ported? Possibly but leaning into to the "won't work area".
The real problem is right now, the people with the know how either don't have a device to experiment with or they don't care/to frustrated with (motorola, the og x never being cracked), or they're just to interested in another device. For what ever reason, it seems like the heavy hitters are mostly just ignoring the X2, for now (hopefully).
Sent from my DROID X2 using XDA Premium App
religi0n said:
As this makes no sense to me as a whole, I definetely agree with the similarity of Atrix and DX2.
I am guessing we could [somewhat] easily port the IHOP sbf unlock straight to our phone, and give us an unlocked bootloader.
Click to expand...
Click to collapse
Yeah. Sorry if this seems a bit overwhelming. I'd figure to get the data out there first and generate some thoughts. Here's a little bit of background.
So memory in your phone is broken up into a number of partitions. This is much like how you would break up your hard drive into a number of partitions if you plan to install multiple OSes on to your computer. Instead, partitions on your phone are there to organize the data into groups for certain functionality.
If you have adb running, you can verify what partitions you have by running "adb shell cat /proc/partitions":
HTML:
./adb shell cat /proc/partitions
major minor #blocks name
179 0 7804416 mmcblk0
179 1 3584 mmcblk0p1
179 2 512 mmcblk0p2
179 3 2048 mmcblk0p3
179 4 1 mmcblk0p4
179 5 1024 mmcblk0p5
179 6 512 mmcblk0p6
179 7 512 mmcblk0p7
179 8 1024 mmcblk0p8
179 9 2048 mmcblk0p9
179 10 8192 mmcblk0p10
179 11 8192 mmcblk0p11
179 12 460800 mmcblk0p12
179 13 512 mmcblk0p13
179 14 20480 mmcblk0p14
179 15 315392 mmcblk0p15
179 16 2097152 mmcblk0p16
179 17 307200 mmcblk0p17
179 18 4574208 mmcblk0p18
179 32 7774208 mmcblk1
179 33 7773184 mmcblk1p1
Some partitions (particularly the bottom of the table) are easy to figure out since they are mounted when the operating system is run and you can open its file structure (usually with root).
HTML:
./adb shell mount
rootfs / rootfs ro,relatime 0 0
tmpfs /dev tmpfs rw,relatime,mode=755 0 0
devpts /dev/pts devpts rw,relatime,mode=600 0 0
proc /proc proc rw,relatime 0 0
sysfs /sys sysfs rw,relatime 0 0
none /acct cgroup rw,relatime,cpuacct 0 0
tmpfs /mnt/asec tmpfs rw,relatime,mode=755,gid=1000 0 0
none /dev/cpuctl cgroup rw,relatime,cpu 0 0
/dev/block/mmcblk0p12 /system ext3 rw,relatime,data=ordered 0 0
/dev/block/mmcblk0p16 /data ext3 rw,nosuid,nodev,noatime,nodiratime,data=ordered 0 0
/dev/block/mmcblk0p15 /cache ext3 rw,nosuid,nodev,noatime,nodiratime,data=ordered 0 0
/dev/block/mmcblk0p3 /pds ext3 rw,nosuid,noexec,relatime,data=ordered 0 0
/dev/block/mmcblk0p17 /preinstall ext3 ro,noatime,nodiratime,data=ordered 0 0
However, most of the partitions are not in a file format that you can mount. And it's hard to figure out that the partition is used for. Since access to the partitions are located in "/dev/block/", I've begun pulling partition images from the phone and trying some low level hex/byte analysis with our SBF's CG data.
For example, in the table from my first post, CG42 (bootloader) and CG47 (microboot) get flashed onto the same memory partition (mmcblk0p1). This has some weird complications which we need to be aware of. Both CG42 and CG47 are already signed. So when I analyzed mmcblk0p1, there are actually two sets of signature data in that partition. I'm not sure what the consequences are for messing with a double-signed partition but at least it's information that we can be aware of now.
As for the bootloader, I actually doubt we can do a direct port of the Atrix unlocker. I don't think it's a memory addressing issue (since most of the partitions have a fixed size and are filled with 0xFF blank data at the end if necessary). I think I'll be getting around the signature checking. If you open any of the bootloader unlock SBFs from Atrix's Project Pudding, all of them are signed and the signatures are not the same between the unlockers for Atrix ATT vs. Atrix Bell. Wasn't the unlock SBFs a leak from Moto's development servers? If so, since it came from Moto, I severely doubt that Moto would use the same private key between carriers, let alone between phones.
As a whole, I plan to learn as much about my phone as possible even if I need to delve down into byte data and assembly code. If we want an unlocked bootloader, I'm going to at least try to do something about it rather than sit on my butt and pray to the phone gods. If anything, we'll learn something new about this phone which is at least something since there is so little DX2 data out there.
I am in love with you bro.
If you get us an unlocked bootloader, I will give you $500 cash in person.
Sent from my ADR6350
Avelnan said:
$500 cash in person.
Click to expand...
Click to collapse
And you will have the love and admiration of hundreds of people.
Is there anything I can do to help in this process? I sort of followed what you saying...
Sent from my DROID X2 using XDA Premium App
Ihatepullups said:
Is there anything I can do to help in this process? I sort of followed what you saying...
Click to expand...
Click to collapse
Let's hack moto's servers and download all the development crap we can for the DX2! ;D
Kidding aside, I too also am wondering if there is anything I can do to help.
Edit: @Mostknownunknown How did you unpack the .sbf file? I can't figure it out..
0vermind said:
Let's hack moto's servers and download all the development crap we can for the DX2! ;D
Kidding aside, I too also am wondering if there is anything I can do to help.
Edit: @Mostknownunknown How did you unpack the .sbf file? I can't figure it out..
Click to expand...
Click to collapse
He Mentioned Something About Depacker 1.3.
0vermind said:
Edit: @Mostknownunknown How did you unpack the .sbf file? I can't figure it out..
Click to expand...
Click to collapse
Yeah. Sorry. It would be good if people knew how to get the tools.
After doing some plenty of google searching, Skrilax_CZ's SBF Depacker 1.3 works in unpacking SBFs from terga-based moto phones. Apparently, SBFs have been in use through the Moto RAZR days, but the format keeps changing. Skrilax_CZ's 1.3 version is the only one I know that works.
Since I can't post links yet:
modmymobile.com/forums/402-general-motorola-android/530781-sbf-depacker-1-3-03-22-2011-a.html
Any good hex editor is useful. I'm a Macbook Pro user so I've found Hexfiend. Google it.
0vermind said:
Kidding aside, I too also am wondering if there is anything I can do to help.
Click to expand...
Click to collapse
I have some ideas. But the more I'm researching Pudding, the more it seems impossible for a port. But I'll share my thoughts once I get out of work.
Hello again,
Here are some conclusions I came up when I researched Atrix Pudding:
1. Pudding bootloader has the component that issues the unlock command (fastboot oem unlock #).
2. The unlock command causes a "fuse" to be burned in the phone's hardware.
3. Pudding bootloader has the component that recognizes the phone as unlocked.
Here are my thoughts:
1. The Pudding bootloader can take in the phone id to issue the unlock. Whereas the DX2 bootloader has the command (fastboot oem unlock) but no implementation if you send it your phone id number (fastboot oem unlock #).
2. When the unlock is issued, a bit in your hardware changes. (Most people call it a "fuse". I think it's probably a small EEPROM since as a company, I would probably like to re-lock it if I could.) People who have worked on Pudding have found an indication to see if you are unlocked (see http://forum.xda-developers.com/showthread.php?p=16003820&highlight=fuse#post16003820). You can look up that same indication on the DX2 (adb shell, su, cat /sys/firmware/fuse/ReservedOdm) and mine reads 10000000000010001000100000000. I think this file is only a place holder for the fuse indications since overwriting it does not work.
3. I asked around if SBF-ing to original after unlocking re-locks you. Apparently, it sorta does and it sorta doesn't. SBF-ing to original after unlock removes the UNLOCKED at boot up and prevents you from flashing custom kernels and recovery. But when you re-flash Pudding again, the UNLOCKED appears and you can flash custom kernels and recovery without having to re-issue the unlock command (fastboot oem unlock #). This means that there is something in the Pudding bootloader which recognizes the unlock fuse.
This actually depresses me a bit. My initial thought about the bootloader is that the unlocked indication was held in a hidden partition that isn't SBFed. So if I verified the Atrix partitions before and after the unlock, I could determine what changed in a partition and attempt to apply the change to the DX2.
But since #2 is true and the unlocked indication is located external to the partition, the only way to unlock the DX2 is to feed the "fuse" component with the right commands to "burn". There's no coping a file/partiton that will give you the unlock.
#3 is interesting in that the bootloader needs to have the processing to test if you are unlocked and allow for the unlock. Which means that we need to mess with the bootloader in order to add this processing (since I'm pretty sure the DX2 bootloader doesn't have it). This was another item that I kinda wanted to avoid since I don't think we can easily inject new code into the bootloader because of the signature. Also, if we mess up with the bootloader partition, there is a strong possibility that the phone won't make it to the fastboot or rsd protocol setup and we'd be stuck with a hard brick.
I still have plenty of questions which are still good investigates/discussion points from here.
- What are the commands the bootloader gives to the "fuse" component to request an unlock?
- Is there a way to log/monitor bootloader commands?
- Can you instruct the "fuse" component a request for an unlock after the kernel is loaded? (Holy grail here - an APK-packaged unlocker)
- In the pudding bootloader, where is the check for the unlocked indication? (possible exploit to always indicate to the bootloader that the phone is unlocked without calling the external fuse check)
- Where in the DX2 bootloader does the signature check occur?
Again, I'm not a pure dev so I'm not thinking of implementation of anything here. I'm taking the academic approach of trying to discover some loophole and then asking a dev later to package and implement it. Also, I ask you to think and analyze for the sake of understanding our phone. The more info definitely helps no matter how little it is.
Thanks,
mostKnownUnknown
This is some great reading. Really, I love the research standpoint you are taking.
If I may comment, I do not think an APK packaged unlocker would be possible because the bootloader is called at system startup.
Just like if you have GRUB installed on your computer, you cant call GRUB to boot up to your Linux box from your windoze.
The ODM fuse is read at every boot. If you were to go into stock android recovery, it reads the ODM fuse. It says Reading ODM Fuse: 1.
I am not sure what that could mean, but maybe its a true/false indicator? As in if it Read the ODM Fuse as 0, we could be unlocked.
That is what I would have to say, nothing as much as you just my ideas.
There's gotta be an exploit or something that we can do, maybe some kind of code injection, something similar to 2nd-init, that allows some kind of injected code that loads our custom kernel. I flash a lot of phones for people. I've actually made it into a business here where I live, and one of the phones I flashed, the mytouch 4g, it initially wouldn't root, and I remember there was an update.zip exploit someone posted that you "flashed" in stock recovery and it would run a small exploit and open clockwork mod recovery, and it worked very well.
There's gotta be something, some kind of exploit. I used to do tons of programming in the past, I'm so not ready to let this one go. I know there has to be a way. Encrypted? Bullsh*t. Everything is hackable.
Thanks for your research though!! This is wayyyy interesting. I love it. I want to get my hands on an Atrix... haha.
religi0n said:
This is some great reading. Really, I love the research standpoint you are taking.
If I may comment, I do not think an APK packaged unlocker would be possible because the bootloader is called at system startup.
Just like if you have GRUB installed on your computer, you cant call GRUB to boot up to your Linux box from your windoze.
The ODM fuse is read at every boot. If you were to go into stock android recovery, it reads the ODM fuse. It says Reading ODM Fuse: 1.
I am not sure what that could mean, but maybe its a true/false indicator? As in if it Read the ODM Fuse as 0, we could be unlocked.
That is what I would have to say, nothing as much as you just my ideas.
Click to expand...
Click to collapse
I like where you are going with this, although that's not entirely true about not being able to call Grub from windows. You can tell the computer to reboot into Grub, but yeah you can't run grub on top of Windows.
Avelnan said:
I am in love with you bro.
If you get us an unlocked bootloader, I will give you $500 cash in person.
Sent from my ADR6350
Click to expand...
Click to collapse
There is a bounty thread here:
http://forum.xda-developers.com/showthread.php?t=1224166
At least $750 has been pledged already! Avelnan, can we add your $500 to the pot?
Spread the word!
Sent from my DROID X2 using Tapatalk
I think this thread needs to be bumped to the top. This has the potential to be a big help in the bootloader unlock process (if it happens).
I never even saw this thread! Where did this guy go? I could have sworn I saw him post recently!
AtLemacks said:
I never even saw this thread! Where did this guy go? I could have sworn I saw him post recently!
Click to expand...
Click to collapse
IDK. This was a hot topic for all of Aug then all the sudden nothing.
first of all bump!
second thanks for this I enjoy learning all this new information, anything else interesting you have to share you have found?
Hello,
I think this is a hard one for you.
My unrooted Nexus 4 (Android 4.3) worked perfectly fine until the day I (randomly?) lost the signal (couldn't make phone calls or browse the internet ). I thought, hey that's not too bad, make a restart and it will work again.
Well instead of booting again it was stuck in a bootloop. So I reflashed stock 4.3, again bootloop, I tried to flash CM, bootloop, I cleared caches/wiped files constantly with twrp and CWM. Then finally I flashed stock 4.2, hey it booted!
But I had no IMEI number, nor a baseband version! So I flashed several baseband versions, neither worked (the bootloader-start screen showed the flashed versions though!).
So far I am searching for a solution all over the internet on how to restore the IMEI without a backup! Is there any hope for me? I have the IMEI number and tbh from my understanding this number has to be saved somewhere in hardware as well.
Any help appreciated!
- David
Btw. update from 4.2 to 4.3 -> Bootloop.
Just flashed 4.4 and it bootloops.
Ok, new idea, but I need your help for it.
What if I can restore my IMEI based on one of your "m9kefs1.img"? Can anyone provide me a working image of "m9kefs1.img", "m9kefs2.img" and "m9kefs3.img", this would be awesome!
hi...im having the same issue ...i tried almost everything without luck... i was thinking why google developers wont give us a solution for those who are outside the U.S. ...cause its real pain in the a** trying to send it to their service.
Same problem
dav1dde said:
Ok, new idea, but I need your help for it.
What if I can restore my IMEI based on one of your "m9kefs1.img"? Can anyone provide me a working image of "m9kefs1.img", "m9kefs2.img" and "m9kefs3.img", this would be awesome!
Click to expand...
Click to collapse
What you have in "/dev/block" ?
This is mine:
~ # cd dev/block
cd dev/block
/dev/block # ls
ls
loop0 mmcblk0 mmcblk0p16 mmcblk0p23 mmcblk0p8 ram13 ram7
loop1 mmcblk0p1 mmcblk0p17 mmcblk0p24 mmcblk0p9 ram14 ram8
loop2 mmcblk0p10 mmcblk0p18 mmcblk0p25 platform ram15 ram9
loop3 mmcblk0p11 mmcblk0p19 mmcblk0p3 ram0 ram2 vold
loop4 mmcblk0p12 mmcblk0p2 mmcblk0p4 ram1 ram3
loop5 mmcblk0p13 mmcblk0p20 mmcblk0p5 ram10 ram4
loop6 mmcblk0p14 mmcblk0p21 mmcblk0p6 ram11 ram5
loop7 mmcblk0p15 mmcblk0p22 mmcblk0p7 ram12 ram6
News
I saved my "m9kefs1.img" & "m9kefs2.img"!
They are 2 files of 780KB with a lot of information, are they corrupted?
The problem are not the "files" in /dev/block but the contents of these 2 files:
Code:
m9kefs1 (/dev/block/mmcblk0p8)
m9kefs2 (/dev/block/mmcblk0p9)
I don't know if they are corrupted, because I can't compare them to mine, which are definitly broken.
News? On eBay I found an engineering sample with a "Repair EFS" program, where can I download it?
Thanks!
Help me! :banghead:
Android 4.4.1
Anyone have tried if Android 4.4.1 have bugfixed this problem?
PN.ItalyGirl said:
Anyone have tried if Android 4.4.1 have bugfixed this problem?
Click to expand...
Click to collapse
neither 4.4.1 or 4.4.2 factory images solve this unknow baseband / imei problem
I tried using kingo root, both on the phone and on the computer. I am not sure where to proceed from there. The main reason I want to root is to disable the startup sound, which does not get disabled automatically when I have my phone on mute. I tried using the sound disabler app from the play store, and it seems to not be working (the startup sound still plays).
Rooting Coolpad Canvas (Cricket)
Me too having same issue as well, tried kingoroot
And king-root some got to like 30%... need help rooting it as well.. and maybe twrp would be great
But possibly could flash twrp using the coolpad's
Note 3 twrp for it, because they both have same
Resolution and screen size i believe, so for the porting shouldn't be all that hard.. any advice
Would be great..
Coolpad Canvas Root
joshglen said:
I tried using kingo root, both on the phone and on the computer. I am not sure where to proceed from there. The main reason I want to root is to disable the startup sound, which does not get disabled automatically when I have my phone on mute. I tried using the sound disabler app from the play store, and it seems to not be working (the startup sound still plays).
Click to expand...
Click to collapse
SmartPhoneDeveloper said:
Me too having same issue as well, tried kingoroot
And king-root some got to like 30%... need help rooting it as well.. and maybe twrp would be great
But possibly could flash twrp using the coolpad's
Note 3 twrp for it, because they both have same
Resolution and screen size i believe, so for the porting shouldn't be all that hard.. any advice
Would be great..
Click to expand...
Click to collapse
I just ordered a coolpad canvas its coming on Saturday. I was able to root my last phone (Alcatel Onetouch Flint) which had no official guides on how to root it (so i made a guide). I might be able to do the same thing with this phone ill let u guys know if im able to root it when it comes.
Casey Campanile said:
I just ordered a coolpad canvas its coming on Saturday. I was able to root my last phone (Alcatel Onetouch Flint) which had no official guides on how to root it (so i made a guide). I might be able to do the same thing with this phone ill let u guys know if im able to root it when it comes.
Click to expand...
Click to collapse
Awesome!.. you won't believe how good this phone is for the price it has pretty powerful specs for the price and screen size is a whopping 5.5 inch and HD, I got mine for 49.99 when it was available at walmart luckily they had 2 left in Stock the day I went and got one.. but yeah I been trying to root it with no luck , but I'm not that good at programming when it comes to phones hopefully we can get this one rooted at least if anything .. it definitely deserves it being decently powerful phone here's the specs on it.. : https://ibb.co/ehJjtQ
Guys I was able to pull over 70% of the system files from it.. but for some reason it stops at when trying to pull WCNSS_qcom_cfg.ini file for some reason-(said permission was denied)??..hmm.., I will post pic shortly..
Any luck Casey on it?.. so far nothing working for rooting it yet you may have better luck than me..
SmartPhoneDeveloper said:
Any luck Casey on it?.. so far nothing working for rooting it yet you may have better luck than me..
Click to expand...
Click to collapse
No luck yet I tried kingroot, kingo app, towelroot, framaroot and some others nothing works. Still searching for a better method
So apparently it's harder to root nougat cuz of this new security feature. I feel like one click methods not gonna work
Well I also noticed when doing command get ver all that it said secured eMMc with the little kernel bootloader I'm sure there are ways around this but its going to require some help with someone that has higher phone developing skills than of my own of course.. also try command while connected to computer "adb pull system" without the quotes it got to 72% for me before it wouldn't write no more still have the files for system if anyone needs them for rewriting or porting in the bootloader ..
---------- Post added at 03:55 AM ---------- Previous post was at 03:43 AM ----------
Casey Campanile said:
No luck yet I tried kingroot, kingo app, towelroot, framaroot and some others nothing works. Still searching for a better method
Click to expand...
Click to collapse
Same here.. hmm , well if you or you can invite someone that maybe can port in or rewrite the little kernel bootloader to be unlocked, i have 72% of the system files.. still couldn't Figure out how to or where to extract the boot.img or recovery.img from?.. or the cache.img and the other .img files as well.. some of them or the .sh file in the system folder i extracted i believe may contain the answer?.. I'm sure for the rewriting of the bootloader but it's gonna require someone with better skills than of mine because i don't know how to rewrite little kernel bootloader image, but I'm sure for some this is a breeze though lol...
Oh almost forgot , from the building prop editor, i also managed to get the recovery key ID as well of someone knows how to port or rewrite the recovery.img, i know this will be of big help for sure this is the recovery key ID for the recovery image , i will post the pic of it shortly..
SmartPhoneDeveloper said:
Same here.. hmm , well if you or you can invite someone that maybe can port in or rewrite the little kernel bootloader to be unlocked, i have 72% of the system files.. still couldn't Figure out how to or where to extract the boot.img or recovery.img from?.. or the cache.img and the other .img files as well.. some of them or the .sh file in the system folder i extracted i believe may contain the answer?.. I'm sure for the rewriting of the bootloader but it's gonna require someone with better skills than of mine because i don't know how to rewrite little kernel bootloader image, but I'm sure for some this is a breeze though lol...
Click to expand...
Click to collapse
The mount points for where to pull the .img files from can't you find them by running cat /proc/mounts? These are the locations I got:
Interesting... so with these mount points I'm assuming we should be able to do something I'm sure of it considering the zte zmax pro which also is qualcomm snapdragon processor and also utilizing same procedure of sorts and they managed to make twrp for it and also root so I'm sure same here ...which they some how put it into diagnostic mode or called **DFU mode and it allowed them to flash after mounting points was made with Linux OS
---------- Post added at 02:13 AM ---------- Previous post was at 02:11 AM ----------
Also we you could possibly use also called QPST tool for Windows allows flashing of qualcomm processors as well ...
SmartPhoneDeveloper said:
Interesting... so with these mount points I'm assuming we should be able to do something I'm sure of it considering the zte zmax pro which also is qualcomm snapdragon processor and also utilizing same procedure of sorts and they managed to make twrp for it and also root so I'm sure same here ...which they some how put it into diagnostic mode or called **DFU mode and it allowed them to flash after mounting points was made with Linux OS
---------- Post added at 02:13 AM ---------- Previous post was at 02:11 AM ----------
Also we you could possibly use also called QPST tool for Windows allows flashing of qualcomm processors as well ...
Click to expand...
Click to collapse
Managed to get exact locations of each partition by running cat /proc/partitions and then running df to convert them into the common names. Here's what I got:
cp3636a:/ $ cat /proc/partitions
major minor #blocks name
254 0 524288 zram0
179 0 15267840 mmcblk0
179 1 102400 mmcblk0p1
179 2 1 mmcblk0p2
179 3 8 mmcblk0p3
179 4 512 mmcblk0p4
179 5 512 mmcblk0p5
179 6 512 mmcblk0p6
179 7 512 mmcblk0p7
179 8 2048 mmcblk0p8
179 9 2048 mmcblk0p9
179 10 256 mmcblk0p10
179 11 256 mmcblk0p11
179 12 16384 mmcblk0p12
179 13 2048 mmcblk0p13
179 14 2048 mmcblk0p14
179 15 32 mmcblk0p15
179 16 2048 mmcblk0p16
179 17 16 mmcblk0p17
179 18 4096 mmcblk0p18
179 19 20480 mmcblk0p19
179 20 65536 mmcblk0p20
179 21 3072 mmcblk0p21
179 22 3072 mmcblk0p22
179 23 65536 mmcblk0p23
179 24 65536 mmcblk0p24
179 25 1024 mmcblk0p25
179 26 262144 mmcblk0p26
179 27 32768 mmcblk0p27
179 28 1024 mmcblk0p28
179 29 512 mmcblk0p29
179 30 32 mmcblk0p30
179 31 65536 mmcblk0p31
259 0 32 mmcblk0p32
259 1 1024 mmcblk0p33
259 2 1024 mmcblk0p34
259 3 32768 mmcblk0p35
259 4 512 mmcblk0p36
259 5 4096 mmcblk0p37
259 6 384 mmcblk0p38
259 7 384 mmcblk0p39
259 8 384 mmcblk0p40
259 9 384 mmcblk0p41
259 10 256 mmcblk0p42
259 11 256 mmcblk0p43
259 12 256 mmcblk0p44
259 13 256 mmcblk0p45
259 14 8 mmcblk0p46
259 15 65536 mmcblk0p47
259 16 2928640 mmcblk0p48
259 17 10876911 mmcblk0p49
179 32 4096 mmcblk0rpmb
179 64 7761920 mmcblk1
179 65 16384 mmcblk1p1
179 66 7744495 mmcblk1p2
253 0 2882924 dm-0
253 1 10876895 dm-1
253 2 7744495 dm-2
cp3636a:/ $ df
Filesystem 1K-blocks Used Available Use% Mounted on
rootfs 866276 5212 861064 1% /
tmpfs 947448 616 946832 1% /dev
tmpfs 947448 0 947448 0% /mnt
/dev/block/dm-2 7622740 879764 6726592 12% /mnt/expand/ad6a771b-2b4f-4d99-8f6d-640bb1ebd212
/dev/block/dm-0 2792600 2109896 666320 76% /system
/dev/block/bootdevice/by-name/cache 253920 368 248312 1% /cache
/dev/block/bootdevice/by-name/dsp 12016 5052 6640 44% /dsp
/dev/block/bootdevice/by-name/modem 102352 69776 32576 69% /firmware
/dev/block/dm-1 10574084 4527048 6030652 43% /data
/dev/fuse 7622740 879764 6726592 12% /storage/emulated
cp3636a:/ $
---------- Post added at 04:54 PM ---------- Previous post was at 04:50 PM ----------
SmartPhoneDeveloper said:
Interesting... so with these mount points I'm assuming we should be able to do something I'm sure of it considering the zte zmax pro which also is qualcomm snapdragon processor and also utilizing same procedure of sorts and they managed to make twrp for it and also root so I'm sure same here ...which they some how put it into diagnostic mode or called **DFU mode and it allowed them to flash after mounting points was made with Linux OS
---------- Post added at 02:13 AM ---------- Previous post was at 02:11 AM ----------
Also we you could possibly use also called QPST tool for Windows allows flashing of qualcomm processors as well ...
Click to expand...
Click to collapse
So using the location I tried to use the dd command to pull system.img but it said permission denied looks like it requires root:
dd if=/dev/block/dm-0 of=/storage/emulated/0/system.img
dd: /dev/block/dm-0: Permission denied
1|cp3636a:/ $
Don't know a whole lot about development but I'm pretty comfortable with using the Android back end and I'd be willing to help any way I can if there's something I can do or provide. This is such a neat little phone and I think it has a lot of potential.
Picked a canvas up on sale at bestbuy as a back up.. I must say its a nice phone for the money...
Now I just have to wait for coolpad- cricket to release unlock codes so I can use overseas travel.
Try this root
joshglen said:
I tried using kingo root, both on the phone and on the computer. I am not sure where to proceed from there. The main reason I want to root is to disable the startup sound, which does not get disabled automatically when I have my phone on mute. I tried using the sound disabler app from the play store, and it seems to not be working (the startup sound still plays).
Click to expand...
Click to collapse
Hi bro.. Try this root.. I tried in my coolpad canvas cricket but this root is only temporary because I have not found twrp to install super us..
https://forum.xda-developers.com/android/development/guide-to-root-coolpad-note-5-flashing-t3637644
Carzacamil said:
Hi bro.. Try this root.. I tried in my coolpad canvas cricket but this root is only temporary because I have not found twrp to install super us..
https://forum.xda-developers.com/android/development/guide-to-root-coolpad-note-5-flashing-t3637644
Click to expand...
Click to collapse
Here is a link to a TWRP build for the Redmi 4a, same exact internals as our phone. I mean the phones are exact all the way across the board. The best thing to do is to fastboot boot the .img first to see if it works 100%, and being on Nougat flash su systemless root. If it boots to TWRP from fastboot and you can flash su than we should be able to permanently flash TWRP from there. https://forum.xda-developers.com/android/development/recovery-twrp-3-1-0-0-xiaomi-redmi-4a-t3576024
zMILWAUKEE said:
Here is a link to a TWRP build for the Redmi 4a, same exact internals as our phone. I mean the phones are exact all the way across the board. The best thing to do is to fastboot boot the .img first to see if it works 100%, and being on Nougat flash su systemless root. If it boots to TWRP from fastboot and you can flash su than we should be able to permanently flash TWRP from there. https://forum.xda-developers.com/android/development/recovery-twrp-3-1-0-0-xiaomi-redmi-4a-t3576024
Click to expand...
Click to collapse
i tried it but my cellphone is bootloop .. when i do fastboot it says:
Now send the package you want to apply
to the device with "adb sideload <filename>". . .
Finding update package. . .
opening update package. . .
Verifing update package. . .
E:failed to verify whole-file signature
Update package verification took 0.7 s (result 1)
E:signature verification failed
Installation aborted.
Carzacamil said:
i tried it but my cellphone is bootloop .. when i do fastboot it says:
Now send the package you want to apply
to the device with "adb sideload <filename>". . .
Finding update package. . .
opening update package. . .
Verifing update package. . .
E:failed to verify whole-file signature
Update package verification took 0.7 s (result 1)
E:signature verification failed
Installation aborted.
Click to expand...
Click to collapse
From what you're describing it sounds like you didn't do it correctly. In the bootloader it should never ask you to sideload anything. The correct steps are, with the phone on and adb debugging enabled, adb devices, should show your connected to your phone, next adb reboot bootloader, phone will restart into a download type screen, next step, on PC type fastboot devices to see if the PC and phone are communicating correctly, next is to type fastboot boot recovery.img, if it boots into the TWRP we're good, sorry but I don't have a PC up and running right now. So all I can do is suggest and hope you guys can get it running.
Anyone check into this and the comment that's on it, don't know if it will help, but just maybe.
https://mobile.twitter.com/srsroot/status/871056445315452933?lang=en
meatball702 said:
Anyone check into this and the comment that's on it, don't know if it will help, but just maybe.
https://mobile.twitter.com/srsroot/status/871056445315452933?lang=en
Click to expand...
Click to collapse
Don't do it, it's bull crap nothing but viruses. That srs spam link says they can root all phones, well if they could more devs on XDA would push it, but no it's a load of b.s.
follows the link of Stock Moto X4 ROM with Android 7.1.1 and September patch.
Model: X4 (Payton)
Version: NPW26.83-34-0-1
https://rsdsecure-cloud.motorola.co...ubsidy-DEFAULT_regulatory-DEFAULT_CFC.xml.zip
The linked page shows a error, will be better if you can upload the file.
Yeah, link is borked. But I may pull it anyway... will post here if I do.
Had my XT1900-1 (Project Fi) for about an hour before I got bored and the bootloader was unlocked.
Thinking of rooting just to debloat (don't get me started on how bloated the Android One build is)... seems like root will be pretty straightforward given that unlock is painless and partition access seems unrestricted. Haven't tried yet, but thinking that just perms and pushing su might do the trick. Would like to have the device for a couple days before I go that far. [edit: Actually, Magisk looks like a pretty good bet w/o custom recovery... may try that]
Then maybe, if I have time start gathering vendor stuff/blobs/etc and build... something.
Anyone else out there tinkering yet?
mightysween said:
Yeah, link is borked. But I may pull it anyway... will post here if I do.
Had my XT1900-1 (Project Fi) for about an hour before I got bored and the bootloader was unlocked.
Thinking of rooting just to debloat (don't get me started on how bloated the Android One build is)... seems like root will be pretty straightforward given that unlock is painless and partition access seems unrestricted. Haven't tried yet, but thinking that just perms and pushing su might do the trick. Would like to have the device for a couple days before I go that far. [edit: Actually, Magisk looks like a pretty good bet w/o custom recovery... may try that]
Then maybe, if I have time start gathering vendor stuff/blobs/etc and build... something.
Anyone else out there tinkering yet?
Click to expand...
Click to collapse
I heard that the reason for the bloat is due to a huge number of partitions that consume space. As such, debloating may not be as easy as you hoped...
ebrandsberg said:
I heard that the reason for the bloat is due to a huge number of partitions that consume space. As such, debloating may not be as easy as you hoped...
Click to expand...
Click to collapse
Just ran cat /proc/partitions.... dang, you are right
|payton_sprout:/ $ cat /proc/partitions
major minor #blocks name
1 0 8192 ram0
1 1 8192 ram1
1 2 8192 ram2
1 3 8192 ram3
1 4 8192 ram4
1 5 8192 ram5
1 6 8192 ram6
1 7 8192 ram7
1 8 8192 ram8
1 9 8192 ram9
1 10 8192 ram10
1 11 8192 ram11
1 12 8192 ram12
1 13 8192 ram13
1 14 8192 ram14
1 15 8192 ram15
253 0 1048576 zram0
179 0 30535680 mmcblk0
179 1 3584 mmcblk0p1
179 2 3584 mmcblk0p2
179 3 2048 mmcblk0p3
179 4 2048 mmcblk0p4
179 5 512 mmcblk0p5
179 6 512 mmcblk0p6
179 7 512 mmcblk0p7
179 8 512 mmcblk0p8
179 9 128 mmcblk0p9
179 10 128 mmcblk0p10
179 11 512 mmcblk0p11
179 12 512 mmcblk0p12
179 13 1024 mmcblk0p13
179 14 1024 mmcblk0p14
179 15 512 mmcblk0p15
179 16 512 mmcblk0p16
179 17 512 mmcblk0p17
179 18 512 mmcblk0p18
179 19 512 mmcblk0p19
179 20 512 mmcblk0p20
179 21 128 mmcblk0p21
179 22 128 mmcblk0p22
179 23 256 mmcblk0p23
179 24 256 mmcblk0p24
179 25 112640 mmcblk0p25
179 26 112640 mmcblk0p26
179 27 1 mmcblk0p27
179 28 8 mmcblk0p28
179 29 16384 mmcblk0p29
179 30 16384 mmcblk0p30
179 31 1024 mmcblk0p31
259 0 512 mmcblk0p32
259 1 512 mmcblk0p33
259 2 2048 mmcblk0p34
259 3 2048 mmcblk0p35
259 4 6144 mmcblk0p36
259 5 6144 mmcblk0p37
259 6 32768 mmcblk0p38
259 7 512 mmcblk0p39
259 8 128 mmcblk0p40
259 9 16384 mmcblk0p41
259 10 512 mmcblk0p42
259 11 8192 mmcblk0p43
259 12 65536 mmcblk0p44
259 13 65536 mmcblk0p45
259 14 16384 mmcblk0p46
259 15 16384 mmcblk0p47
259 16 1024 mmcblk0p48
259 17 8192 mmcblk0p49
259 18 256 mmcblk0p50
259 19 256 mmcblk0p51
259 20 1 mmcblk0p52
259 21 1 mmcblk0p53
259 22 4608 mmcblk0p54
259 23 4608 mmcblk0p55
259 24 33424 mmcblk0p56
259 25 33424 mmcblk0p57
259 26 64 mmcblk0p58
259 27 64 mmcblk0p59
259 28 8192 mmcblk0p61
259 29 8192 mmcblk0p62
259 30 589824 mmcblk0p63
259 31 589824 mmcblk0p64
259 32 4227072 mmcblk0p65
259 33 4227072 mmcblk0p66
259 34 20262895 mmcblk0p67
179 32 4096 mmcblk0rpmb
252 0 4161104 dm-0
252 1 580580 dm-1
Click to expand...
Click to collapse
---------- Post added at 02:09 PM ---------- Previous post was at 01:56 PM ----------
Looks like the OP file was a leaked Brazilian version of the firmware... wonder if the boot.img is the same as US ?
And also looks like Motorola may be giving each variant of the device its own device name... not sure if this will be good down the line, development-wise, or not:
ro.product.name=payton_fi
ro.product.device=payton_sprout
Click to expand...
Click to collapse
So is it because of project Treble that we have such large system partition. Using 13 GB is too much.
saketkutta said:
So is it because of project Treble that we have such large system partition. Using 13 GB is too much.
Click to expand...
Click to collapse
Is this the partition scheme for Treble? If so, I'm fine with this personally, as it means they have thought ahead to help future-proof the phone (if there is such a thing).
I was seeing users in other threads saying it takes 16-18GB. That's just ridiculous. It should be half that, at most. My brand new install of OS X 10.13 High Sierra doesn't even take up that much space.
crazyates said:
I was seeing users in other threads saying it takes 16-18GB. That's just ridiculous. It should be half that, at most. My brand new install of OS X 10.13 High Sierra doesn't even take up that much space.
Click to expand...
Click to collapse
My custom OS on Nexus 5X took little more than 4 GB. Even if it was project treble (which is not confirmed yet BTW) it should not take more than 9 GB or 10 GB max. Mine out of the box it was 13 GB and something which is ridiculous)
Where did you get the ROM from? Link above is dead?
Iansip said:
Where did you get the ROM from? Link above is dead?
Click to expand...
Click to collapse
I don't think anyone got it here... I saw it bouncing around a couple Brazilian servers, but not open to download. Now that I look, it is the same Build # as the Project Fi version. So, hopefully it will turn up somewhere.
Seems the link in the OP is not dead, just goes to a secure server. It was originally posted on some G+ feeds, but no one has mirrored it yet, apparently
Actually, looks like that whole server is down right now. Every URL returns the same XML error. So maybe it will come back to life soon...
Oh, look at that... Moto has either geo or ISP restrictions on their download! VPN Proxy through server in Los Angeles, and download is running (sloooooowwwly).
Will update tomorrow morning.
UPDATE: Download died at 1.1 GB and the VPN workaround is no longer working. Grrrrr. Could probably extract boot.img anyway, but with no way to check the hash and no images to fall back on, too risky to actually patch/flash it
Got it... well, I have a completed download -- Obviously there is no way to verify the file since I have no MD5/SHA to check against. That said, the archive opens without errors, so I have boot.img now, just not enough stupidity to modify it and flash an unverified firmware back onto a brand new device.
Have a mirror uploading, will share when complete and maybe can get added to the OP.
WARNING: This is unverified fimware for testing/research only. Please don't flash it and then complain when you paperweight your new X4.
UPDATED 10-27-2017: This ZIP has several corrupt files... verify anything against the MD5 in the "flashfile.xml" file before using!
FILE: PAYTON_NPW26.83-34-0-1_subsidy-DEFAULT_regulatory-DEFAULT_CFC.xml.zip
SIZE: 2702597112 bytes
SHA256 (unverified on the Motorola end!!!): 124f53fef572850532d029d00166829e200b777491502504c9de215fe7dd1046
DOWNLOAD: https://drive.google.com/open?id=0ByZWXbOZqmVqQ09FUXliN3hYMGs
@Anderson_ARS , can you add this to the OP to save people asking the same question over and over and over? Thanks
mightysween said:
Yeah, link is borked. But I may pull it anyway... will post here if I do.
Had my XT1900-1 (Project Fi) for about an hour before I got bored and the bootloader was unlocked.
Thinking of rooting just to debloat (don't get me started on how bloated the Android One build is)... seems like root will be pretty straightforward given that unlock is painless and partition access seems unrestricted. Haven't tried yet, but thinking that just perms and pushing su might do the trick. Would like to have the device for a couple days before I go that far. [edit: Actually, Magisk looks like a pretty good bet w/o custom recovery... may try that]
Then maybe, if I have time start gathering vendor stuff/blobs/etc and build... something.
Anyone else out there tinkering yet?
Click to expand...
Click to collapse
I'd love to see a unlock/root method. Hope to see TWRP asap!
Slickademo said:
How do you unlock and root? I just got mine today
Click to expand...
Click to collapse
Unlock is just a regular Motorola unlock... lot of threads on how that is done.
Root is a little more risky and complicated to explain here. The first thing we all need is a trusted factory image -- hopefully the one above is just that. I would suspect that once we confirm a factory image, root methods will be plentiful.
mightysween said:
Got it... well, I have a completed download -- Obviously there is no way to verify the file since I have no MD5/SHA to check against. That said, the archive opens without errors, so I have boot.img now, just not enough stupidity to modify it and flash an unverified firmware back onto a brand new device.
Have a mirror uploading, will share when complete and maybe can get added to the OP.
Click to expand...
Click to collapse
I have tried downloading the file several times and always get to the very end and then it fails. I'm using idm and multiple threads and maybe I should try just a single thread..
once I get it downloaded I will validate the checksum with yours.
edit: I should add that I am in Vegas and have been able to access the link directly from the day it was posted.
Jayman007 said:
I have tried downloading the file several times and always get to the very end and then it fails. I'm using idm and multiple threads and maybe I should try just a single thread..
once I get it downloaded I will validate the checksum with yours.
edit: I should add that I am in Vegas and have been able to access the link directly from the day it was posted.
Click to expand...
Click to collapse
Oh, neat...definitely IP restricted then as I tried a VPN in LV and was still blocked. Wonder what the story is there!
Yes, if you end up with the same SHA256 let me know, we can at least be sure the file is intact.
---------- Post added at 10:37 PM ---------- Previous post was at 10:35 PM ----------
Jayman007 said:
I have tried downloading the file several times and always get to the very end and then it fails. I'm using idm and multiple threads and maybe I should try just a single thread..
once I get it downloaded I will validate the checksum with yours.
edit: I should add that I am in Vegas and have been able to access the link directly from the day it was posted.
Click to expand...
Click to collapse
Also FWIW, using that proxy link I posted gave me dl speeds of 2.5-3 Mbps, and plowed straight through to 100%.
mightysween said:
FILE: PAYTON_NPW26.83-34-0-1_subsidy-DEFAULT_regulatory-DEFAULT_CFC.xml.zip
SIZE: ~2.0 GB
CHECKSUM: UNVERIFIED! (my local SHA256: f8efa78d21f0fd4b968e860ec06b85442caaf7a93c325fbe7c5c0913306af86e)
DOWNLOAD: https://mega.nz/#!RkM2nSpL!4kHuZQfyHoSfeD-bfCcRxOi3A3rO7hz37RGcxRCglic
@Anderson_ARS , can you add this to the OP to save people asking the same question over and over and over? Thanks
Also, if you wish to try a direct download from Motorola, this link may work... it is a proxy download through NordVPN. Again, no guarantees and no way to verify (though if you end up with the same SHA256 as above, there is good chance the file is intact).
DIRECT DOWNLOAD (via anon proxy): http://proxy-it.nordvpn.com/browse....cbNvGOLw5iqOebtX0lAb+hCJw==&b=1&f=norefer&pr=
Click to expand...
Click to collapse
I downloaded it via the proxy and have the same checksum as you, so at least this means that your download is *probably* not corrupt. I don't have the device, so I'm certainly not going to flash it.
Code:
f8efa78d21f0fd4b968e860ec06b85442caaf7a93c325fbe7c5c0913306af86e PAYTON_NPW26.83-34-0-1_subsidy-DEFAULT_regulatory-DEFAULT_CFC.xml.zip
gee one said:
I downloaded it via the proxy and have the same checksum as you, so at least this means that your download is *probably* not corrupt. I don't have the device, so I'm certainly not going to flash it.
Click to expand...
Click to collapse
Thank you kindly! I downloaded again as well with same checksum, so I think we can assume the file is intact.