Alright, now that Adamoutler finally posted (I was waiting on that) I can now explain what we're going to try to do. You all know the unbrickable mod for a few samsung devices? The guy who did that wants to help us out but he needs a nook tablet. Anyway, what it does is completely disable hardware security and allows the flashing of a new bootloader. That's about as simple as I can make it. I would love to see this happen so hopefully, we can make it.
Question is, who's giving up a tablet?
Note:
Code:
This is not a thread to come in and complain saying that you're going to take it back. That's not our problem nor is it our concern. We need a place where we can have organized information about the bootloader and you telling us "I HATE IT, I need to return it!" doesn't help that.
If someone (me) wanted to get involved in this, how would I go about doing so? I know enough about linux, but nothing about Android programming. Is there somewhere I can start learning? I'd like to contribute to this if I am able.
http://forum.xda-developers.com/showthread.php?t=1366215
+
http://forum.xda-developers.com/showthread.php?t=1378919
I think you can through the service mode to replace the keys which the employee to sign the firmware and tested.
hobbit19 said:
http://forum.xda-developers.com/showthread.php?t=1366215
+
http://forum.xda-developers.com/showthread.php?t=1378919
I think you can through the service mode to replace the keys which the employee to sign the firmware and tested.
Click to expand...
Click to collapse
According to information from TI about the M-Shield security features of this chip, the "secure on-chip keys (E-Fuse) are OEM-specific, one-time-programmable keys accessible only from inside the secure environment for authentication and encryption". Protecting against that kind of key replacement is a big part of how this chip was designed. Finding out the private is likely to be the only way to create valid signed images of our own
Here is the source for that quote.
Indirect said:
Botnets are typically used under illegal reasons / methods. Im not talking about [email protected], im talking about stormworm, etc.
Sent by breaking the sound barrier
Click to expand...
Click to collapse
I know what you mean, but what _I_ mean is that botnets CAN be used for other things than illegal hacking and malicious intent. They can replace a supercomputer, as [email protected] proves. I think I have seen a similar initiatives for cancer research and DNA research, though I don't know the names of those projects.
notes
Hopefully this doesn't lead to any red herrings. I haven't been looking at this stuff very long.
"arm.com" has some info on the processor.
TI licensed the processor design from ARM. It's an ASIC, not really a cpu chip.
You have to agree to a non-disclosure to see the docs on arm.com.
After reading about it, not sure that the dual cpu is actually getting used like folks think. There may be two systems actually running.
The arm docs hint that it may be the hash key that actually gets stored on the asic not a private key and that there may be more than one. TI may have designed in their own protocol which is the M-Shield trademark.
TI doesn't exactly give out much info on it. The ARM site is a lot more informative. It doesn't cost anything to access it other than giving away your email address and agreeing to the nondisclosure.
In particular look for these documents:
DDI0406C_arm_architecture_reference_manual.pdf
DEN0013B_cortex_a_series_PG.pdf (chapter 26)
PRD29-GENC-009492C_trustzone_security_whitepaper.pdf
You can also review the source code for the tablet.
See the following exerpts:
distro\x-loader\lib\board.c
image.image = 2;
image.val = 99;
SEC_ENTRY_Std_Ppa_Call ( PPA_SERV_HAL_BN_CHK , 1 , &image );
if ( image.val == 0 )
{
/* go run U-Boot and never return */
printf("Starting OS Bootloader from %s ...\n", boot_dev_name);
((init_fnc_t *)CFG_LOADADDR)();
}
distro\u-boot\common\cmd_bootm.c
function do_bootm
...
U32 SEC_ENTRY_Std_Ppa_Call (U32 appl_id, U32 inNbArg, ...);
\x-loader\board\omap4430sdp\omap4430sdp.c
...
There are several calls to the SEC_ENTRY_Std_Ppa_Call function.
One (or two) for each image block being loaded.
I think these are the calls to the security layer..
SEC_ENTRY_Std_Ppa_Call ( PPA_SERV_HAL_BN_CHK ,...
They took the crc32 validation out in various places in the code. I suspect that if it is a signed key that if the image doesn't process out to the end key, then the crc2 would have failed anyway.
Has anyone actually checked what the "key" is? Could it be a crc or checksum?
The "_BN_" I assume is for barnes and noble.
Looking at "omap4_hs.h", it looks like that function can do a callback into the secure area and execute up to 32 different functions, though I'm guessing from the list in the file that BN only added two - INIT and CHK.
There is also a reference in that file to "Development CEK". Could this be the private key? Not the hash, just one part of the key? I'm by no means up on crypto algorithms.
/*
Defines from MShield-DK 1.2.0 api_ppa_ref.h
Make sure these align with the existing services in PPA.
*/
// Number of APIs
#define NB_MAX_API_HAL 32
// command / api keys
PPA_SERV_HAL_CPAUTOLOAD
PPA_SERV_HAL_CPINIT
PPA_SERV_HAL_CPSWRV
PPA_SERV_HAL_CPMSV
PPA_SERV_HAL_CPREPORT
PPA_SERV_HAL_CPCEK
PPA_SERV_HAL_TEST_API
PPA_SERV_HAL_BN_INIT
PPA_SERV_HAL_BN_CHK
/* Development CEK */
#define CEK_3 0x01234567 //127_96
#define CEK_2 0x89ABCDEF // 95_64
#define CEK_1 0x11121314 // 63_32
#define CEK_0 0x15161718 // 31_0
Another question I have, what level of GPL does android use?
The simple fact that they linked in the M-Shield function calls may be enough to force the release of that source as well. The latest GPL has a pretty nasty copy left. It may be in that archive already too. I haven't gotten through much of it yet.
And is it true that this tablet has a different wifi chip and thus doesn't have the fm and bluetooth available to it?
The brute force idea might work except that you'd have to do it on a nook tablet. You have to validate a data block using that function call.
Figuring out how to automate it through that security layer might be a bit troublesome. If you could call that function directly, maybe, but I suspect that it is only accessible from one side of the architecture. But that might also be why the tablet has so much memory dedicated to B&N and not split evenly. Maybe the bigger chunk of the memory is all in the secure side?
I have to say the OMAP4 is a pretty neat layout. Has a huge potential for corporate ethical abuse but technically it really is cool. They are going through a lot of hoops to keep this tablet locked down. I found one whitepaper on the netflix issue. Netflix apparently has a whole massive requirements list and this was the first tablet to meet it. I'm not sure netflix isn't overvaluing their product. There are other ways they could have done this versus locking the whole tablet down. They could have put the netflix app as a service in the secure side and just signed that part of the application. They could have still allowed the secondary bootloader in the unsecure area to be whatever the user wanted. I don't think they thought through the ethical notions of it all. But maybe they did and they just want to control something like apple is doing. Apple was defeated once by a lower cost, open architecture. History will repeat itself. It's a shame B&N's didn't go that route instead. If it wasn't for this one issue, they would have had a much better platform to work from than the fire.
Asking others for the info / ideas on bootloader isn't related to development. Hence moved to general
cheers,
I've been sitting back watching this thread for a while now. It's time to stop this foolishness. First off, the first post was started with absolutely no information.. basically 'you know what would be cool?'.. then the rest of the discussion has been a bunch of randomness. Why has not a single person mentioned the datasheets for the processor or memory? Why has Boone posted a memory dump of IROM? This thread contains nothing useful.
UnBrickable mod is the way to go. Put a device in my hands and ill enable it to boot from USB or sdcard. The device uses a hardware initiates boot chain. This chain can be broken at the hardware level.
This is an omap4430 device right?
Give me a device. Rebellos and I will locate the boot mode 5 pin which unlocks the boot from one NAND. We will then require an interceptor bootloader which is where Rebellos specializes. Once we hardware unlock the device and the interceptor bootloader is in place, the device will accept an insecure bootloader flash.
Adam, I can try and get you a nook tablet.
Also, I was waiting for you to post that. I wanted to leave this up to the community to see what could be thought of. Surprised hardware modification never came up. :|
AdamOutler said:
I've been sitting back watching this thread for a while now. It's time to stop this foolishness. First off, the first post was started with absolutely no information.. basically 'you know what would be cool?'.. then the rest of the discussion has been a bunch of randomness. Why has not a single person mentioned the datasheets for the processor or memory? Why has Boone posted a memory dump of IROM? This thread contains nothing useful.
UnBrickable mod is the way to go. Put a device in my hands and ill enable it to boot from USB or sdcard. The device uses a hardware initiates boot chain. This chain can be broken at the hardware level.
This is an omap4430 device right?
Give me a device. Rebellos and I will locate the boot mode 5 pin which unlocks the boot from one NAND. We will then require an interceptor bootloader which is where Rebellos specializes. Once we hardware unlock the device and the interceptor bootloader is in place, the device will accept an insecure bootloader flash.
Click to expand...
Click to collapse
I figured youd be here when the final specs on the Nexus Prime were released, and they used the OMAP4460 which is ironically very simmalir to the OMAP4430.
Thanks for your help and let us know if theres anything we can help you with.
Just for your all's information, Adam will have one in a day or two it has already been shipped.
AdamOutler said:
Give me a device. Rebellos and I will locate the boot mode 5 pin which unlocks the boot from one NAND. We will then require an interceptor bootloader which is where Rebellos specializes. Once we hardware unlock the device and the interceptor bootloader is in place, the device will accept an insecure bootloader flash.
Click to expand...
Click to collapse
I'm curious what you're getting at here.
SYSBOOT[5] selects between boot lists that put external type devices first and internal type devices first. I don't have a NT anymore, but I suspect the boot list is 0b010110, or USB->UART->MMC1->MMC2. Setting SYSBOOT[5] high would change the order to MMC2->USB->UART->MMC1.
All the above boot modes, and all others requiring a config header will need to pass the signature check before the OMAP will boot it.
The only boot mode that doesn't do config header checks is fast external boot (NORflash style), and the TRM has this to say:
The fast external boot is a special memory booting mode, possible only on GP devices. It consists of a blind jump to a code in an external XIP memory device connected to GPMC CS0. Fast external booting is set up by means of the SYSBOOT configuration pins and lets customers create their own booting code.
Click to expand...
Click to collapse
Not applicable of course since this is an HS part, and it would be painful to wire up external memory to boot this way.
Now, if you were to strip out the secure headers from the MLO and u-boot and throw them on a GP 4430 platform like a Pandaboard, you could start hunting for an attack. I can't remember if this u-boot reads any variables from unsecured parts of the flash, but if so there might be some buffer overflow magic waiting to happen.
Not trying to crap on your plans, just making sure you know the score before you commit to this.
Hardware mod
JoeM01 said:
Can this in fact be replicated by someone who is NOT necessarily a dev, but isn't afraid of cracking open a device and going to work with a soldering iron?
Click to expand...
Click to collapse
It depends ...
Assuming for the purpose of discussion that all you need to do is (un)ground an external pin, the difficulty can range from:
Getting access to a ball-grid-array device on a multi-layer board (effectively impossible).
Lifting a pin on a surface-mount chip (easy with the right tools and some skill).
Cutting a trace or soldering a jumper (easy with the right tools and some skill).
(Un)grounding at a solder pad pair (easy).
While the last is not likely, it happens. A case in point:
When IBM released a parallel port board for the original IBM PC, they also released the schematic in the technical reference manual for the PC. The schematic showed that the data buffer buffer chip was bidirectional (74LS374), but its ^OE (output-enable) pin was grounded (active-low logic), in effect making the parallel port output-only.
When the clone-makers replicated the parallel port from the IBM schematic, they all replaced the 74LS374 chip with one that was not bidirectional (a 74LS274, as I recall), saving a tiny bit of money.
However, you you actually had one of IBM's parallel port cards, you noticed that the ground trace on the 74LS374 was not grounded next to the chip (as would normally be expected), but ran a couple inches across the board to a "via", and then grounded in a short trace run. That "via" was exactly 0.1" away from another "via" that was connected to an "unused" bit on the control chip. In other words, a simple trace cut of the final ground run, followed by the installation of standard 0.1' spacing header pins (or a simple jumper) at the "via"s, would convert the parallel port to be bidirectional. Which I did at the time.
Several years later, when IBM modified their BIOS to support bidirectional parallel port operation, they introduced a new parallel port card. The above modification to the old ones worked, but all the clone parallel cards were obsolete.
So, I would not put it outside the realm of possibility that B&N provided a solder pad to be able to disable the signed bootloader feature.
I would also not put it outside the realm of possibility that instead, the hardware modification is very, very difficult, even with the right tools.
Then there is the software issue still to be fixed. Certainly worthy of investigation, but don't get your hopes too high (especially before Christmas).
The best way to think of this hardware unlock, is that the nook is like a building, there are lots of rooms we can get into, but there are also rooms that we cannot. What I assume is adam will get into those rooms, and there might be ways to turn off the power to certain rooms, and or put something in the water. This might allow us to make a software mod that will effect the rooms .
rooms .
pokey9000 said:
I'm curious what you're getting at here.
SYSBOOT[5] selects between boot lists that put external type devices first and internal type devices first. I don't have a NT anymore, but I suspect the boot list is 0b010110, or USB->UART->MMC1->MMC2. Setting SYSBOOT[5] high would change the order to MMC2->USB->UART->MMC1.
All the above boot modes, and all others requiring a config header will need to pass the signature check before the OMAP will boot it.
The only boot mode that doesn't do config header checks is fast external boot (NORflash style), and the TRM has this to say:
Not applicable of course since this is an HS part, and it would be painful to wire up external memory to boot this way.
Now, if you were to strip out the secure headers from the MLO and u-boot and throw them on a GP 4430 platform like a Pandaboard, you could start hunting for an attack. I can't remember if this u-boot reads any variables from unsecured parts of the flash, but if so there might be some buffer overflow magic waiting to happen.
Not trying to crap on your plans, just making sure you know the score before you commit to this.
Click to expand...
Click to collapse
I know the score. We had the same problem to deal with on the Hummingbird processor. What we ended up doing is exploiting a memory jump and redirecting the boot sequence. Rebellos can explain the inner working of the Hummingbird Interceptor Bootloader. Performing a total secure boot would tax the processor greatly and I believe that they likely just have a check in place on the first few bytes. It is possible to modify a bootloader to jump to a memory location which is unsecure. Using this technique, it may be possible to run Galaxy Nexus bootloader or Kindle bootloaders on the device.
So, lets get started with a IROM dump.
I need someone with a rooted device to get a memory dump for me please. This will be a snapshot of the live memory running on the device.
in order to do this:
place this binary on your internal storage http://blog.maurus.be/wp-content/uploads/viewmem
use market app "Mount /system (rw/ro)" https://market.android.com/details?id=com.beansoft.mount_system to mount your system folder RW
use market app "terminal emulator" https://market.android.com/details?id=jackpal.androidterm and type the following
Code:
su
cat /sdcard/viewmem > /system/bin/viewmem
chmod 1777 /system/bin/viewmem
exit terminal and restart terminal app
Now Viewmem is setup.
run this to get a dump
Code:
su
viewmem 0x40030000 0xC000>/sdcard/40030000Dump
and
Code:
viewmem 0x40028000 0xC000>/sdcard/40028000Dump
This will place two 48kb (or 0xC000 in hexidecimal length) files on your sdcard called ########Dump. Put these files onto your desktop into a zip form and upload them here.
I need both of these dumps because the processor manual has an obvious error in it... So I'm asking for the values for the 4460 processor as documented and the 4430 processor which may be the same... however they are documented differently.
These are Internal ROM boot dumps. They are important to figure out what is going on inside a on boot up and may reveal secrets. I'll try to get some strings and other data from these dumps and then I'll pass them over to Rebellos for analysis.
Doing the memory dump now.
Got this error on the first one:
[INFO] Reading 49152 bytes at 0x40030000...
[1] Bus error viewmem 0x40030000 0xC000 >/sdcard/40030000Dump
Only the 2nd one dumped properly.
http://dl.dropbox.com/u/15069134/40028000Dump.zip
AdamOutler said:
I know the score. We had the same problem to deal with on the Hummingbird processor. What we ended up doing is exploiting a memory jump and redirecting the boot sequence. Rebellos can explain the inner working of the Hummingbird Interceptor Bootloader. Performing a total secure boot would tax the processor greatly and I believe that they likely just have a check in place on the first few bytes. It is possible to modify a bootloader to jump to a memory location which is unsecure. Using this technique, it may be possible to run Galaxy Nexus bootloader or Kindle bootloaders on the device.
So, lets get started with a IROM dump.
I need someone with a rooted device to get a memory dump for me please. This will be a snapshot of the live memory running on the device.
in order to do this:
place this binary on your internal storage http://blog.maurus.be/wp-content/uploads/viewmem
use market app "Mount /system (rw/ro)" https://market.android.com/details?id=com.beansoft.mount_system to mount your system folder RW
use market app "terminal emulator" https://market.android.com/details?id=jackpal.androidterm and type the following
Code:
su
cat /sdcard/viewmem > /system/bin/viewmem
chmod 1777 /system/bin/viewmem
exit terminal and restart terminal app
Now Viewmem is setup.
run this to get a dump
Code:
su
viewmem 0x40030000 0xC000>/sdcard/40030000Dump
and
Code:
viewmem 0x40028000 0xC000>/sdcard/40028000Dump
This will place two 48kb (or 0xC000 in hexidecimal length) files on your sdcard called ########Dump. Put these files onto your desktop into a zip form and upload them here.
I need both of these dumps because the processor manual has an obvious error in it... So I'm asking for the values for the 4460 processor as documented and the 4430 processor which may be the same... however they are documented differently.
These are Internal ROM boot dumps. They are important to figure out what is going on inside a on boot up and may reveal secrets. I'll try to get some strings and other data from these dumps and then I'll pass them over to Rebellos for analysis.
Click to expand...
Click to collapse
Adam,
If no one has done this by the time i get home, I will do it for you. I will be on IRC tonight for some of the night and will be able to do whatever you need.
I just did it loglud, no worries.
I'm seeing the following strings in the boot dumps:
Code:
pGpGpGpG
@ABCDEGKJ
CHMMCSD
CHFLASH
CHRAM
PRIMAPP
X-LOADER
CHSETTINGS
KEYS
ISSW
It's not much to go on, but I'd expect to see something on UART from this.
Both of the files are the same. 49.2kB. http://dl.dropbox.com/u/15069134/40028000Dump.zip
however, those are just the complete strings... there's more..
Code:
Texas Instruments
Nokia
Motorola
OMAP4430
NOKIA USB ROM
BLANK
OMAP4430 N/A
N/A
PCB
PCI
R&D
2nd
CH
HLO
MLO
ULO
This NOKIA USB ROM looks interesting.
That's so strange i wonder what it is pointing to because from what i see there's no a single Nokia part in the entire device. You think its just the rom driver they use to flash the OMAP's Rom?
Related
Merry Christmas... In right before the buzzer.
Introduction:
We have a thread going on here about hacking the bootloaders. I've been compiling information for reasons of running custom firmware, and potential hardware modifications. I keep it all in a folder on my computer. I decided to share that so everyone has access to this otherwise obscure information.
The Nook Tablet Hack Pack contains:
The Nook Tablet Hack Pack Contains various projects and supporting information which require completion and/or testing. Most may be plausable with some additional work put into them.
2nd-init This program is rumored to be able to reinitialize a device via code injection.
Blaze Board -Links to places where you can read about the development platform used to design the Nook Tablet
Desktop Tools -these will require rework in order to use them as digital signatures are implemented on the Nook Tablet
omap4boot_panda -A tool used to boot pandaboard from USB
swetland-omap4boot- A tool used to boot OMAP4 processors from USB
Extracted Keys-Various keys found in the original Factory.zip which comes with the device.
Memory Hacking- These tools will help with remapping memory
viewmem- A tool used to view any block of memory. must be used with root
writemem- Added notes from a conversation... this is a work in progress, nothing has been done to make this a reality yet.
NookColor UART patch- This is a patch for a different device to enable UART output, this may or may not be useful at a later time
Nook Tablet 1.4 Source- This is claimed to be the source used for the Nook Tablet. I believe it is similar, but I'm not seeing any B&N specific information
panda-This is a collection of tools which are used to boot Pandaboard devices
Reading Materials Various reading materials
OMAP4PinOut
OMAP 4430 Processor Datasheet
Power, Reset, and Clock Management documentation
Using the TMS320C642x Bootloader
Using the TMS320DM646x DMSoC Bootloader
KeyStone Architecture User Guide
KeyStone Architecture Security Guide
SystemBins- various tools used for hacking any Android device
bash - the greatest scriptable shell ever
i2cdetect i2cdump i2cget i2cset -Part of the i2ctools collection
tcpdump- Network monitoring software
viewmem- Memory viewing software
UART Outputs-Currently only a single example of a UART output on this device. I will be filling this section out more
acclaim_update.zip- when placed on SDCard, this will revert the platform to 1.4.0 and enable sideloading
Boot-sequence- notes on boot sequence.
... and others
Download the Nook Tablet Hack Pack
Please note, this is a massive file weighing in at 467.8 megabytes... Wi-Fi required .
Happy hacking!
Thanks to:
150Pilot -Most of the reading material comes from his relentless scowering and searching of various sources on the internet.
All the other people who have participated in the discussions
And You!
WOW... Great Idea to publish all the info learned/available links todate ... THANX... And Merry Christmas!!!
Yup...
It'd be even better if the link was still functional.
I was actually really hoping to locate these files.
I live in Japan and after more than 6 months I have successfully and permanently rooted both my Sharp 003 SH Galapagos and the 005SH Galapagos (Softbank not Docomo). My next concern is how to SIM unlock. I have been reading the posts about hacking the nv_bin file. I have searched through all of the the files (Root FTP thank you!) but there was no such file. I am happy to send along any screenshots or data files if that helps.
Thanks in advance.
Search Sharp 003SH Root Success and Sharp 005SH Root success on Youtube for more info
Can't really help you. Don't know anything about it. But I would like to know how you ended up rooting this phone of ours.
Its not a file on the filesystem. The sim locking in these phones is in the radio image; which can be accessed when you use the custom build kernel thats in the latest rootkit (I assume thats what you are using).
See the 2ch root/ROM thread for more details, but basically it is done through ADB, manually backing up the "_modem" partition; stripping the spare/ECC bytes and then extracting the radio OS using QualcommDumpAnalyser
I have managed to extract this image, but no idea where to go from there. None of the other device info seems to apply to this (HTC, Samsung, LG, any other Android that has had its sim-lock discovered in the radio)
Advice i got from the guys on 2ch: "Qualcomm's NAND code is neither difficult, nor unique, so if you know what you are looking for its not hard"
003SH 005SH Sim unlock
Thanks very much for giving me a new direction. I'll get started on it right away and let you know how it progresses.
It just sucks that the guys who know how to unlock it are staying quiet, saying its "taboo"
FYI, stripping the Spare/ECC bytes can be done manually (i wrote a C program to do it), but there is an option in the RevSkills app to do it all for you - i recommend doing that.
Of course we face another issue once we find the actual unlock - recalculating the ECC bytes after making the change; the only way to access the radio is with raw data access.
P.S. hope you have warranty on your phones - this is very likely to brick at least one phone until we get it right
---------- Post added at 12:30 PM ---------- Previous post was at 12:24 PM ----------
In the spirit of open cooperation, here are the instructions i was given, translated and simplified
In ADB Shell, type su to get the # prompt, then:
cat /proc/mtd <Enter>
Confirm that you have the "_modem" partition available. If not, you need to reflash with the custom build kernel
Dump the image to file with the following command:
dump_image -r -D -F _modem /sdcard/backupimages/modem.img
Access this with anything as "raw dump" and all blocks will get read as ECC error, so definitely dont do this
ECC positioning is different to Linux, so take care
The following maps out how 512bytes of data and 10 bytes of ECC info are stored in a 528 byte block:
0000 - 01CF (0-463): Data
01D0 - 01D1 (464-465): Unused (0xff)
01D2 - 0201 (466-513): Data
0202 - 020B (514-523): ECC
020C - 020F (524-527): Unused (0xff)
Use RevSkills application to extract the data portions:
Menu⇒Calculators/Generators⇒Android MTD Nand remove Spare and ECC
Extract all of the Data only portions out of the raw dump, and then use QualcommDumpAnalyser to read it and split up the various parts. I did notice that i wasnt able to get the AMSS block out with QualcommDumpAnalyser - i copied that out manually by calculating the byte positions shown in QDA.
003SH bootloader key sequence?
Eternalardor,
I'd be happy to swap information. Perhaps you could shed some light on the question of the bootloader for the Sharp 003SH and 005SH? There seems to be no discernible key sequence (Power+home+Volume up etc.) to access the bootloader. I feel like I've tried them all. Can you tell me this critical piece of information?
Is a form of the USB Jig necessary to access it?
Looking forward to your response.
003SH SIM unlock
Dominik,
Here are the results of the original /proc/mtd (before rooting)
boot
cache
misc
recovery
ipl
system
persist
log
battlog
calllog
ldb
userdata
I don't see the _modem partition. Should I?
I have also included a screenshot of the results showing size. I have most of them backed up as .img files too.
FYI: .img backed up sizes. Perhaps this will help you to ponder where the _modem partition may have gone. Maybe it's been renamed?
boot 11,264KB
cache 3,072KB
misc 1,024KB
recovery 11,264KB
ipl 15,360KB
system 419,840KB
persist 30,720KB
ldb 45,056KB
userdata 405,120KB
There is no bootloader menu AFAIK. If you install the custom kernel, you will have the option of a quasi-recovery mode, by pressing the home button between 7-12 seconds after the Galapagos logo is seen (or was that the Softbank logo)
Anyway, looking at the screenshots, it seems you do not have the custom kernel.
How did you achieve root on your phone?
To do this, you need to use the "003sh_005sh_dm009sh-rootkit" from at least 5/27 (recommend _0614); which is available on the 2ch forums. This includes 2 possible ways of achieving root:
1. A modified standard kernel (boot image), which, when flashed gives you regular root access
2. A custom compiled kernel, which has full root, a bunch of power profiles, and heaps more features (inc that quasi recovery), as well as access to the "_modem" image.
Judging from your youtube videos, you speak some Japanese, so the Japanese menus in the rootkit shouldnt be much trouble.
http://www1.axfc.net/uploader/Si/so/142435
This is what i used.
Go here for help/instructions http://anago.2ch.net/test/read.cgi/android/1337845757/
And dont even think about typing in English on there, or you will be ignored and/or told to go away
This all looks familiar. I have been using the root kit (5/27) to get where I am now - step by blessed step. It was pretty straight forward BUT I have never seen the option to write to the system partition. It is in all the instructions but the only option I have with respect to the system partition is to back it up. I'm confused as to why it doesn't seem to show up for me. I am using a Japanese machine so all the characters are displayed and I can read the instructions but I can't find help anywhere as to why I don't have that particular (and critical) option. I can see a lot of new and cool options in the 6/14 release. I'm excited and would like to get it installed.
I'll let you know how it goes. Thanks for your help .... keep it coming!
And another thing
Could you explain a little more about "having" the custom kernel? Using the root kit, I wrote to the Recovery partition then the Boot partition then rebooted from the Recovery partition and all seemed well. As I said above, I have never been able to write to the System partition despite it appearing in all the instructions. I suspect that is what is holding me back from the latest and greatest custom kernel. Still, I am enjoying all the same functionality that everyone else seems to be enjoying in root. What am I missing?
Eep, you wrote to the boot partition before trying the recovery? Brave!
The steps should be:
Write image to recovery partition;
Then reboot to recovery partition (from the menu) and confirm it all works without errors.
Then write image to boot partition
And then turn off the phone, and reboot (the last part is only my instructions - you could just select "reboot to boot partition" from the menu)
You are doing this on your 005SH right? It should be the same for the 003SH, but i only have the 005SH. In the rootkit there is 2 options when you say "burn custom image":
1 カスタムビルドrootedカーネル(リカバリーキット機能付き)
2 S4080 標準rootedカーネル(簡易リカバリー機能付き)
Q 中止してメインメニューへ戻る
You must do the first one, the CUSTOM rooted kernel, to get any of the really cool features. The second option is only if you just want root access for a particular app or something. AFAIK the second option doesnt even disable MIYABI LSM, which prevents you from mounting the system dir as R/W
But either way, writing to the System dir is not important for what we are doing. You need the Custom kernel, which gives you access to the "_modem"
Edit, i just noticed in your screenshots above, you didnt even get root in ADB shell?
Type
ADB Shell<Enter>
Then type
su<enter>
The cursor should change to a #, this means root. You may get a prompt on the phone from Superuser asking you to give root access to "shell". Once you have this try the cat /proc/mtd again
jcroot003sh,
can you tell me how to root 003sh?
Use the link i provided in my previous post
http://forum.xda-developers.com/showpost.php?p=27989085&postcount=8
You can use a translator if you dont understand Japanese, but the general instructions are in the post above yours
I translated it for a friend, but that is at work, so wont be able to put it up until monday.
DominikB said:
Use the link i provided in my previous post
http://forum.xda-developers.com/showpost.php?p=27989085&postcount=8
You can use a translator if you dont understand Japanese, but the general instructions are in the post above yours
I translated it for a friend, but that is at work, so wont be able to put it up until monday.
Click to expand...
Click to collapse
Thank you for your replying. I will wait for your translated version. You are really a good person.
Progress
I have successfully found and dumped the "_modem" image. Exactly as you stated - forgot the "su" command in ADB. Thanks. The next problem is editing out the code. I am way above my head here so I will do some research before bugging you for a step-by-step for that.
Also, the bootloader worked. I didn't realize how to do it until I read the notes in the 6/14 release. I successfully put a previously dead phone back on it's feet EXACTLY to the point of my current phone simply by backing up and then restoring partitions through the bootloader. Very slick and easy.
Will get to work. I'll be in contact soon with my progress on the SIM unlock.
I have spent a bit of time looking at it, it certainly isnt easy (Certainly isnt a "lock=yes" section). I assume the actual locking portion is encrypted/compressed/or just compiled, because it would be too easy otherwise (be happy to be proven wrong). For starters, i cannot even find my IMEI number in the dump file... I think that this dump only includes the radio code, not the NV RAM which contains the IMEI and SIM Lock status. If that is the case then the solution should be to change the portion of the radio code that queries the NV RAM, so that it doesnt care if the SIM lock is supposed to be applied.
Extracting the spare/ECC bits out should be done with the RevSkills app; extracting the relevant portions, that is a bit of a cludge; QualcommDumpAnalyser can show the start/end positions, but doesnt extract the AMSS part (AFAIK thats where the code will be). You need to use a hex editor to cut that part out manually... And i am still not 100% sure what the block size is on this NAND.
Good luck!
And if there *are* any experienced hackers out there willing to help out, i can offer some monetary help (as will a few of my fellow Japanese smartphone owning friends) as this will be valuable for not just these 2 phones (there is an army of 007SH owners waiting on this unlock)
Shall we give the 007/009 a shot?
I can see mountains of the 007SH on the auction (mostly pink). Perhaps I should pick one up and take it for a spin. I am happy to try to do something to help out for all the help I am receiving.
Or perhaps the 009SH?
How hard would it be to crack the 007? The 009SH looks like it is supported in the latest release kit.
Thoughts?
Currently, the 003/005SH are going to be the easiest, because they have the custom kernel which allows access to the "_modem" image. To do it on the 007SH we need to build a custom kernel (compiled from the sources available on the ktai-dev site), and add the modem access code (this is in the src directory of the rootkit). Not impossible, but i dont have a Linux machine to compile the sources.
However i think that the code will be fairly universal. Once we find it on the 005SH we will know what we are looking for on the 007SH as well. That will make many people happy
Anyway, my 005SH is under warranty/anshin plan so i dont mind if it gets bricked (especially now that we can take nand backups).
First things first though - examining the 005SH modem image. Does anyone know whether the NAND is a 16kb or 128kb block size? Or is it something completely different?
P.S. The DM009SH is just the Disney Mobile version of the 003SH
Linux machine no problem
I have a Linux server running 24/7 so compiling the kernel is easy. Don't let that be the holdup. I'll keep working on the 003SH _modem image.
DominikB,
I can't open this site [anago.2ch.net/test/read.cgi/smartphone/1319287551/] on channel2 for free. This site had been moved to the past-log storehouse. So.... I even can't look at Japanese version for rooting 003sh. It is very helpful if you can show me the steps for rooting 003sh.
Hey guys,
Im researching in chinese forum Darkforces(www.darkforcesteam.com.cn).
It shows how to jailbreak lumia 800.
Original threads
http://bbs.xapcn.com/thread-31556-1-1.html
http://www.darkforcesteam.com.cn/thread-75187-1-1.html
Thanks Donjamal for non translated links.
Pityfuly its just for Qualcom bootloader, doesnt add nothing new for Dload users.
I will keep this post in case anything new shows up.
best,
Can you put the real link here? without the Google Translate url.
bartjuhhbartyow said:
Can you put the real link here? without the Google Translate url.
Click to expand...
Click to collapse
I agree, it's hard to know what thread he's on about.
http://translate.google.com/transla...&u=http://bbs.xapcn.com/thread-31556-1-1.html
Original thread
http://bbs.xapcn.com/thread-31556-1-1.html
http://www.darkforcesteam.com.cn/thread-75187-1-1.html
i thinks it is voor Qcomm only,
Kind regards
bartjuhhbartyow said:
i thinks it is voor Qcomm only,
Kind regards
Click to expand...
Click to collapse
Yes, pityfully only for qualcom bootloader.
keep searching.
best,
What about the kexec method you posted in the developers thread? Could someone maybe be able to get that to work?
LumiaLover said:
What about the kexec method you posted in the developers thread? Could someone maybe be able to get that to work?
Click to expand...
Click to collapse
Its quite viable way to overcome the bootloader limitation.
As i said there it has beein done many times, its a very know exploit.
But it need a serious hacking skils, and im afraind there is few hackers who buyed this phone.
Im exchanging mine for other android phone in a short time, till there i hope i can help a few.
best,
pedrocel85 said:
Its quite viable way to overcome the bootloader limitation.
As i said there it has beein done many times, its a very know exploit.
But it need a serious hacking skils, and im afraind there is few hackers who buyed this phone.
Im exchanging mine for other android phone in a short time, till there i hope i can help a few.
best,
Click to expand...
Click to collapse
kexec will be much harder on windows Phone because of the way windows Phone applications run in a sandbox like envoirment.
In the developer section people are working on a port of Haret but I am 99% sure programs like this needs a full unlocked device to run anyway.
Haret is like the same methot I guess? Loading a new kernel (Linux in case of Haret) and shutting down the old one. after booting Haret (Ubuntu, android..etc) we could flash the partitions probably.
Anyway, i dont think it is posible to run any of these kind of software on a non-unlocked device.
dravik said:
kexec will be much harder on windows Phone because of the way windows Phone applications run in a sandbox like envoirment.
In the developer section people are working on a port of Haret but I am 99% sure programs like this needs a full unlocked device to run anyway.
Anyway, i dont think it is posible to run any of these kind of software on a non-unlocked device.
Click to expand...
Click to collapse
Other devices had the same sandbox.
Instead of chit chating, here is some knowledge of boot process.
"The ARM9 is the primary processor. It boots first, executing the Primary Boot Loader (PBL) from on-board ROM at 0xFFFF0000 .
The MSM platform has the facility to force Secure Boot using the status of the FORCE_TRUSTED_BOOT Qfuse on-chip or a high-state BOOT_SCUR pin connected to GPIO95. In this mode the PBL verifies the signature of the SBL/OSBL before executing it,which verifies the REX/AMMS signature in the same way.
After some hardware initialisation the PBL reads the Device Boot Loader (DBL) from the first partition of the flash memory device (In Linux, mmcblk0p1).
DBL is part of Qualcomm's SecureBoot, which uses cryptography to guarantee that the boot-loader images haven't been tampered with. DBL configures the Cryptographic Look-aside Processor (CLP), a dedicated cryptographic co-processor, and other hardware sufficient to load and execute the Secondary Boot Loader (SBL) from a Flash memory device on EBI2 (External Bus Interface 2) from partition 3 (Linux mmcblk0p3).
The SBL, also known as the Operating System Boot Loader (OSBL), is loaded into memory at 0x8000000 (IMEM - Internal Memory, the MSM7230 package-on-package (PoP) RAM). This is the ARM9 Monitor (AMON). It provides an Extensible Firmware Interface (EFI) -like environment for controlling the boot process. After doing more hardware configuration including UARTs and USB (for potential remote console connections to the monitor) it loads the Applications processor Secondary Boot Loader (APPSBL a.k.a. hboot) on the ARM11 applications processor from partition 18 (Linux mmcblk0p18) into memory @ 0x8D000000 virtual, 0x00000000 physical.
It then loads and executes the combined REX/AMSS from partition 5 (Linux mmcblk0p5). The image contains the REX (Real-time EXecutive) which is an L4A Pistachio embedded micro-kernel and Iguana operating system combination, with extensive Qualcomm and HTC modifications and extensions.
REX is responsible for loading the firmware into the ancillary micro-controller (microP), digital signal processor and voice processor and initialising them. It runs in Security Domain 0 (SD0).
When the ARM11 starts REX unloads/disconnects its eMMC driver and from then on relies on remote procedure calls (RPC) via shared memory (SMEM) to the ARM11 application processor to read and write the eMMC. On the ARM11 side the Linux operating system uses the rmt_storage (remote storage) driver to handle such requests.
Finally on the ARM9 REX executes the Advanced Mobile Subscriber Software (AMSS). AMSS runs in Security Domain 1 (SD1)".
Source:
http://android.git.kernel.org/?p=platform/bootable/bootloader/legacy.git;a=summary
pedrocel85 said:
Other devices had the same sandbox.
Instead of chit chating, here is some knowledge of boot process.
"The ARM9 is the primary processor. It boots first, executing the Primary Boot Loader (PBL) from on-board ROM at 0xFFFF0000 .
The MSM platform has the facility to force Secure Boot using the status of the FORCE_TRUSTED_BOOT Qfuse on-chip or a high-state BOOT_SCUR pin connected to GPIO95. In this mode the PBL verifies the signature of the SBL/OSBL before executing it,which verifies the REX/AMMS signature in the same way.
After some hardware initialisation the PBL reads the Device Boot Loader (DBL) from the first partition of the flash memory device (In Linux, mmcblk0p1).
DBL is part of Qualcomm's SecureBoot, which uses cryptography to guarantee that the boot-loader images haven't been tampered with. DBL configures the Cryptographic Look-aside Processor (CLP), a dedicated cryptographic co-processor, and other hardware sufficient to load and execute the Secondary Boot Loader (SBL) from a Flash memory device on EBI2 (External Bus Interface 2) from partition 3 (Linux mmcblk0p3).
The SBL, also known as the Operating System Boot Loader (OSBL), is loaded into memory at 0x8000000 (IMEM - Internal Memory, the MSM7230 package-on-package (PoP) RAM). This is the ARM9 Monitor (AMON). It provides an Extensible Firmware Interface (EFI) -like environment for controlling the boot process. After doing more hardware configuration including UARTs and USB (for potential remote console connections to the monitor) it loads the Applications processor Secondary Boot Loader (APPSBL a.k.a. hboot) on the ARM11 applications processor from partition 18 (Linux mmcblk0p18) into memory @ 0x8D000000 virtual, 0x00000000 physical.
It then loads and executes the combined REX/AMSS from partition 5 (Linux mmcblk0p5). The image contains the REX (Real-time EXecutive) which is an L4A Pistachio embedded micro-kernel and Iguana operating system combination, with extensive Qualcomm and HTC modifications and extensions.
REX is responsible for loading the firmware into the ancillary micro-controller (microP), digital signal processor and voice processor and initialising them. It runs in Security Domain 0 (SD0).
When the ARM11 starts REX unloads/disconnects its eMMC driver and from then on relies on remote procedure calls (RPC) via shared memory (SMEM) to the ARM11 application processor to read and write the eMMC. On the ARM11 side the Linux operating system uses the rmt_storage (remote storage) driver to handle such requests.
Finally on the ARM9 REX executes the Advanced Mobile Subscriber Software (AMSS). AMSS runs in Security Domain 1 (SD1)".
Source:
http://android.git.kernel.org/?p=platform/bootable/bootloader/legacy.git;a=summary
Click to expand...
Click to collapse
Somebody mentioned ****ty talk.. The Android os is in fact much more open as the WP os. You can only run a not-marktplace application when you have already unlocked your device, and without any running application you wont be able to run any crashkernel.
The story about how the phone boots up doesnt matter much, as your mentioned method loads it after the kernel is already running.
dravik said:
Somebody mentioned ****ty talk.. The Android os is in fact much more open as the WP os. You can only run a not-marktplace application when you have already unlocked your device, and without any running application you wont be able to run any crashkernel.
The story about how the phone boots up doesnt matter much, as your mentioned method loads it after the kernel is already running.
Click to expand...
Click to collapse
I don't know too much about the way the kernel works, but you can install apps if you have developer unlock. Anyone can do it. Probably you could install the xap pedrocel85 talks about this way. Sorry if it sounds noobish and doesn't help
Lanex777 said:
I don't know too much about the way the kernel works, but you can install apps if you have developer unlock. Anyone can do it. Probably you could install the xap pedrocel85 talks about this way. Sorry if it sounds noobish and doesn't help
Click to expand...
Click to collapse
Thats true, infact a developer ( I got a student account myself ) can install 3 apps, on 3 different phones. But still, the XAP is generated by the Visual Studio compiler, which would block buffer overflows etc.
This is a cross-post from a reddit thread I started, but this is probably a more appropriate location for it.
I have been trying to modify files in the system folder for the Android container on the Asus Flip so I can install SuperSu, but have run into some problems.
The system folder is contained in a squashfs image on the chromebook at /opt/google/containers/android/system.raw.img. Mounted squashfs images appear to not support read-write access. I have been able to unsquash the image, add the SuperSU apk to the /system/priv-app folder and su to the /system/xbin folder, and remake the image. This boots, but SuperSU force closes as soon as it starts.
To make tinkering easier, I've tried building a writable image using dd and mkfs. I placed it in a location that has rw access and modified the /etc/init/android-ureadahead.conf script which mounts it to enable rw access. Unfortunately though it won't boot. The boot logs for the android container show a litany of SELinux errors for different things that it could not set context, operation not permitted. I can post the exact log if necessary. Some googling led me to find that the SELinux security context attributes weren't being replicated in my image, so I tried mounting with context and fscontext options equal to the contexts from the original image, but I get the same problem.
If anyone has any ideas I'd be especially grateful.
lionclaw said:
This is a cross-post from a reddit thread I started, but this is probably a more appropriate location for it.
I have been trying to modify files in the system folder for the Android container on the Asus Flip so I can install SuperSu, but have run into some problems.
The system folder is contained in a squashfs image on the chromebook at /opt/google/containers/android/system.raw.img. Mounted squashfs images appear to not support read-write access. I have been able to unsquash the image, add the SuperSU apk to the /system/priv-app folder and su to the /system/xbin folder, and remake the image. This boots, but SuperSU force closes as soon as it starts.
To make tinkering easier, I've tried building a writable image using dd and mkfs. I placed it in a location that has rw access and modified the /etc/init/android-ureadahead.conf script which mounts it to enable rw access. Unfortunately though it won't boot. The boot logs for the android container show a litany of SELinux errors for different things that it could not set context, operation not permitted. I can post the exact log if necessary. Some googling led me to find that the SELinux security context attributes weren't being replicated in my image, so I tried mounting with context and fscontext options equal to the contexts from the original image, but I get the same problem.
If anyone has any ideas I'd be especially grateful.
Click to expand...
Click to collapse
Wayyyy out of my area of expertise, but here's my (completely novice) best guess.
>All Chromebooks are write-protected with a screw on the motherboard
>Putting a Chromebook in developer mode allows for some tinkering ie things like chroots, and on the asus flip, the ability to install apks from unknown sources.
>Unscrewing the write-protect screw allows for the ability to completely install a new operating system or dual boot setup.
>Maybe you need to do that before you're able to accomplish root access?
My other idea would be to try and figure out a way of doing a systemless root?
Also, total aside but since this is the only thread I've found on XDA about this device, I think chroots are theoretically possible now without the need to be in developer mode via Android apps (even without root on Android). Download the GIMP port from the Play Store to see what I'm talking about. Playing around with that for a few minutes really made me wish that it didn't use emulated mouse/keyboard in it's implementation. Also, it appears that apt-get is broken, but regardless it might interest someone out there looking for a project.
back from the dead, any progress on this?
I have been able to successfully root the Android image on my Asus Flip.
I built a blank image with dd in /usr/local, formatted it with mkfs, mounted it to a folder, mounted the original system.raw.img to a folder, copied the files across, placed *all* the SuperSU files listed as 'required' in the SuperSU update-binary in the relevant places in /system in my new image, set permissions & contexts for those files, edited arc-system-mount.conf and arc-ureadahead.conf to point to the new image and, finally, patched /etc/selinux/arc/policy/policy.30 with the SuperSU sepolicy patching tool in order to boot my rooted Android instance with selinux set to enforcing.
I have created a couple of scripts which more-or-less fully automate this procedure, which can be downloaded from nolirium.blogspot.com. Please feel free to download, open the scripts in a text editor to check them out, and try them out if you like. Only tested on Asus Flip, though.
I seem to be unable to post attachments at the moment so I will just add the descriptions here, I could probably post the entire scripts here too if anyone wants. Feel free to let me know what you think.
DESCRIPTIONS:
1-3.sh
Combines the first three scripts listed below.
01Makecontainer.sh
Creates an 900MB filesystem image in /usr/local/Android_Images, formats it, then copies Android system files therein.
02Editconf.sh
Modifies two system files: arc-system-mount.conf - changing the mount-as-read-only flag and replacing the Android system image location with a new location; and arc-ureadahead.conf - again replacing the Android system image location. Originals are renamed .old - copies of which are also placed in /usr/local/Backup.
03Androidroot.sh
Mounts the previously created Android filesystem image to a folder, and copies SuperSU files to the mounted image as specified in the SuperSU update-binary.
04SEpatch.sh
Copies an SELinux policy file found at /etc/selinux/arc/policy/policy.30 to the Downloads folder, opens an Android root shell for the SuperSU policy patching command to be entered, then copies the patched policy back to the original location. A copy of the original policy.30 is saved at /etc/selinux/arc/policy/policy.30.old and /usr/local/Backup/policy.30.old
Uninstall.sh
Removes the folder /usr/local/Android_Images and attempts to restore the modified system files arc-system-mount.conf and arc-ureadahead.conf.
ok so two questions, one do you think this would work on the Acer r13 convertable? and 2 where can I find the actual instructions/scripts
keithkaaos said:
ok so two questions, one do you think this would work on the Acer r13 convertable? and 2 where can I find the actual instructions/scripts
Click to expand...
Click to collapse
The R13 has a 64-bit Mediatek processor, right?
I have added a version for ARM64, but I haven't tested it.
You can find the instructions and scripts at nolirium.blogspot.com
ya, its a mediatek. and thanks ill go see if i can find it
---------- Post added at 03:31 AM ---------- Previous post was at 02:58 AM ----------
wow, ok. i can do this but im not sure i want to.. after reading the possible problems i may run into. Im going to be getting the G. Home in a couple weeks and i gotta keep things running smooth. This seems like going a tad too far then i need to. The other day i had action launcher going and it looked pretty damn good but i really want to try and get the action3.apk that i have put into the pri-app folder or whatever the chromebook uses i found the syst folder but cant access it. Im wondering if i make the machine writable it would work but im afraid of losing my updates, as long as i could do them manualy, i guess that would be cool. Also since im already going on... has anyone found a way to disable the dev boot screen without tinkering with the physical chromebook yet?
SuperSU on Chromebook
Hey there I love this post but unfortunately im on the mediatek (well not unfortunately cause i love it) but i do really want super su .. But i found this other post that i tried out but i am having a problem executing the scripts. When i go to run the first one, it says can not open "name of script" but the dev takes a pretty cool approach. Im still new to Chrome OS but thanks for the post and if you have any advice on executing scripts id love to hear it!! http://nolirium.blogspot.com/
I'm guessing the above post was moved from another thread...
Anyway, it turns out that zipping/unzipping the files in Chrome OS's file manager sets all the permissions to read-only. Apologies! sudo chmod+x *scriptname* should fix it...
Regarding OS updates, I actually haven't had a problem receiving auto-updates with software write-protect switched off; the main possible potential issue I could imagine arising from the procedure I outlined would involve restoring the original conf files if both sets of backups get deleted/overwritten. This seems unlikely, but in that case either manually editing the files to insert the original string (/opt/google/containers/android/system.raw.img), or doing a powerwash with forced update might be necessary in order to get the original Android container booting again.
I don't think anyone's found a way to shorten/disable the dev boot screen without removing the hardware write-protect screw - from what I've read, the flags are set in a part of the firmware which is essentially read-only unless the screw is removed. Perhaps at some point the Chrome OS devs will get fed up of reading reports from users whose relatives accidentally reset the device by pressing spacebar, and change the setup. Here's hoping.
Hey just jumpig in the thread right quick to see if these instructions are old or what-- got a chromebook pro and the notion of having to update a squashed filesystem every timeto install su seems like a pain..
Is there any kind of authoritative documentation/breakdown regarding what Chromeos is mounting where before I start breaking things? Also anyone happen to know if there's a write-protect screw anywhere in the chromebook plus/pro?
Other questions:
* adbd is running, but is not accessible from adb in the (linux) shell, which shows no devices. Do I need to access adb from another device (i'm short a usb c cable right now) or can I use adb (which is there!) on the chrome side to access adbd on the android side?
* Anyone know if adb via tcp/ip is available? Don't see it in the android settings.
Hey,
There's no real documentation AFAIK, the thing is that ARC++ is a bit of a moving target, as it's so actively being developed/reworked. For instance, with the method described earlier in the thread - it started off being possible to just swap out a file location in arc-ureadahead.conf, then they changed it to arc-setup-conf, and now, since a few CrOS versions ago, the rootfs squashfs image is mounted in a loop fashion via the /usr/sbin/arc-setup binary instead, making an overview of the setup somewhat opaque to the casual observer.
I was kind of hoping to implement a kind of hybrid systemless root style setup myself, but unfortunately I haven't really managed to find the time to sit down and fully figure out a few parts of the puzzle, in particular relating to minijail and working with namespaces. So, I'm still using the method mentioned in posts above for my rooting needs at the moment, the only significant changes being that at the moment I'm replacing /opt/google/containers.android.system.raw.img with a symlink to my writeable rooted rootfs img, and also that in recent CrOS versions the mount-as-read only and debuggable flags can be found in /etc/init/arc-setup-env ("Environment variables for /usr/sbin/arc-setup").
In general though, one can kind of get an idea of what's going on in the default setup by reading through the various /etc/init/arc-* Chrome OS upstart jobs (and their logs in /var/log). Though, like I say, things keep changing around somewhat with every CrOS update, as the implementation 'improves'. As time goes by, and the subsystem matures, it'll certainly be interesting to see what other approaches are possible relating to customizing Android on Chrome OS.
There should definitely be a write protect screw somewhere on the motherboard for the Samsungs, but so far I haven't come across any pics showing exactly which screw it is. So far, no-one seems to have been brave/foolhardy enough to fully tear down their own machine and locate the screw!
Regarding adb, on my device I found the following in arc-setup-env:
# The IPV4 address of the container.
export ARC_CONTAINER_IPV4_ADDRESS=100.115.92.2/30
adb 100.115.92.2 (in Chrome OS's shell) works fine for me, the authorisation checkbox pops up and then good to go. su works fine through adb as expected. There's also a useful little nsenter script in Chrome OS to get into the android shell; /usr/sbin/android-sh, which I've been using in my script to help patch SE linux.
I actually just updated my rooting scripts recently to support 7.1.1, though I've only tested on my own Armv7 device (Flip C100).
I'll attach them to this post in case anyone wants to take a look. There's a readme in the zip, some more details can also be found here and below
EDIT: Fixed the SE Linux issue occurring with the previous version I uploaded (it was launching daemonsu from u:r:init:s0 instead of u:r:supersu:s0).
Anyone considering giving them a spin should bear in mind that the method does involve creating a fairly large file on the device as a rooted copy of the android rootfs. (1GB for arm, 1.4GB for Intel). There's a readme in the zip but the other couple of important points are that:
a) The SuperSU 2.82 SR1 zip also needs to be downloaded and extracted to ~/Downloads on the Chromebook.
b) Rootfs verification needs to be off. The command to force this is:
Code:
sudo /usr/share/vboot/bin/make_dev_ssd.sh --remove_rootfs_verification --force --partitions $(( $(rootdev -s | sed -r 's/.*(.)$/\1/') - 1))
or the regular command to do it is:
Code:
sudo /usr/share/vboot/bin/make_dev_ssd.sh --remove_rootfs_verification
c) If, subsequent to running the scripts, there's a problem loading Android apps (e.g. after a powerwash or failed install), the command to restore the original rootfs image is:
Code:
sudo mv /opt/google/containers/android/system.raw.img.bk /opt/google/containers/android/system.raw.img
Hey this is a great response.. thanks!
Nolirum said:
Hey,
There's no real documentation AFAIK, the thing is that ARC++ is a bit of a moving target, as it's so actively being developed/reworked. For instance, with the method described earlier in the thread - it started off being possible to just swap out a file location in arc-ureadahead.conf, then they changed it to arc-setup-conf, and now, since a few CrOS versions ago, the rootfs squashfs image is mounted in a loop fashion via the /usr/sbin/arc-setup binary instead, making an overview of the setup somewhat opaque to the casual observer.
Click to expand...
Click to collapse
verity
Yeah playing with it now, I'm looking at these /etc/init/arc-*-conf files... I see that the /dev/loop# files are being set up... (more below)
Nolirum said:
I was kind of hoping to implement a kind of hybrid systemless root style setup myself, but unfortunately I haven't really managed to find the time to sit down and fully figure out a few parts of the puzzle, in particular relating to minijail and working with namespaces. So, I'm still using the method mentioned in posts above for my rooting needs at the moment, the only significant changes being that at the moment I'm replacing /opt/google/containers.android.system.raw.img with a symlink to my writeable rooted rootfs img, and also that in recent CrOS versions the mount-as-read only and debuggable flags can be found in /etc/init/arc-setup-env ("Environment variables for /usr/sbin/arc-setup").
Click to expand...
Click to collapse
Sorry not sure what you mean by "hybrid systemless root style setup"? I take it you're modifying the startup script and replaced the squashfs file in /opt... my concern about doing it was whether they were implementing some kind of dm-verity equivalent to the squashfs file to make sure it hasn't been tampered with (say, by adding /sbin/su or whatever) or whether it's safe to replace that file.. Sounds like you're saying it is? (update: I guess that's what rootfs verification does, and we can turn it off....)
Also you mean arc-setup.conf:
env ANDROID_DEBUGGABLE = 0
right?
Nolirum said:
In general though, one can kind of get an idea of what's going on in the default setup by reading through the various /etc/init/arc-* Chrome OS upstart jobs (and their logs in /var/log). Though, like I say, things keep changing around somewhat with every CrOS update, as the implementation 'improves'. As time goes by, and the subsystem matures, it'll certainly be interesting to see what other approaches are possible relating to customizing Android on Chrome OS.
Click to expand...
Click to collapse
I hadn't realized the boot was still in flux-- I'd have figured they'd worked that out by now...
Nolirum said:
There should definitely be a write protect screw somewhere on the motherboard for the Samsungs, but so far I haven't come across any pics showing exactly which screw it is. So far, no-one seems to have been brave/foolhardy enough to fully tear down their own machine and locate the screw!
Click to expand...
Click to collapse
Heh.. not gonna be me..
Nolirum said:
Regarding adb, on my device I found the following in arc-setup-env:
# The IPV4 address of the container.
export ARC_CONTAINER_IPV4_ADDRESS=100.115.92.2/30
adb 100.115.92.2 (in Chrome OS's shell) works fine for me, the authorisation checkbox pops up and then good to go. su works fine through adb as expected. There's also a useful little nsenter script in Chrome OS to get into the android shell; /usr/sbin/android-sh, which I've been using in my script to help patch SE linux.
Click to expand...
Click to collapse
Cool-- adb connect 100.115.92.2 does indeed work I was gonna use netcat to open port 5555 in chromeos and pipe it through, but looks like nc isn't here and I'm not yet ready to start changing the FS..though probably will be soon... btw any idea which partitions get overwritten when chrome it does it's updates? Will /root and /etc get overwritten, for example... would a "powerwash" overwrite it or can you get easily get into an unbootable state on these things?
It's also kind of strange that adb is listening to port 30 at that (internal?) bridge address by default witho no UI to turn it off.. and it's inaccessible from outside.. i wonder if there's an easy way to change the bridge to share the same IP as the actual interface...
Final thought-- I'd love to build that system image myself soup-to-nuts, but I can't find any "caroline" device tree set up... do you or anyone else happen to know if there's a standalone AOSP device tree for the chromebooks? It would be cool to have a mashup AOSP/lineageos if such a think could be possible-- I'm guessing chromiumos is just taking the android tree, building it and then adding it into their build... I Haven't build chromiumos for many years now so I can't even begin to imagine how this android build integrates with the whole emerge thing they had going.. but I bet it takes a while
Nolirum said:
I actually just updated my rooting scripts recently to support 7.1.1, though I've only tested on my own Armv7 device (Flip C100).
Click to expand...
Click to collapse
Cool I'll take a look at these scripts.
So I haven't yet run the scripts-- just looking through them-- I noticed the section starting:
if [ -e /etc/init/arc-setup-env ]; then
echo "Copying /etc/init/arc-setup-env to /usr/local/Backup"
This doesn't exist on the x86 CB Pro. There's an arc-setup.conf that sets up the environment variables though. It sets WRITABLE_MOUNT to 0, but then so does arc-system-mount.conf
Not sure if these are different between x86 and ARM or if it's just in the latest update.. but figured I'd let you know. Wanna throw thse scripts up on github somewhere? (Or I can do it) and we can maybe look at keeping them up to date and/or standardizing them? It wouldn't be hard to determine if it's running on ARM or x86_64 (uname -i for example)..
fattire said:
So I haven't yet run the scripts-- just looking through them-- I noticed the section starting:
if [ -e /etc/init/arc-setup-env ]; then
echo "Copying /etc/init/arc-setup-env to /usr/local/Backup"
This doesn't exist on the x86 CB Pro. There's an arc-setup.conf that sets up the environment variables though. It sets WRITABLE_MOUNT to 0, but then so does arc-system-mount.conf
Not sure if these are different between x86 and ARM or if it's just in the latest update.. but figured I'd let you know. Wanna throw thse scripts up on github somewhere? (Or I can do it) and we can maybe look at keeping them up to date and/or standardizing them? It wouldn't be hard to determine if it's running on ARM or x86_64 (uname -i for example)..
Click to expand...
Click to collapse
Oh, the arc-setup-env thing is intentional. There does appear to be another issue with the x86 version though. I've written up a detailed response to your previous post; it's in a text file at the moment so I'll copy it over and format it for posting here with quotes etc now - should only take a few minutes. Yeah, sticking them on github might be a good idea; I've been meaning to create an account over there anyway.
Yeah, so... Regarding the scripts, since I've put them up here for people to download - I should mention that the first person to test them (aside from me) has reported that something's not working right (I'm waiting for confirmation but I think he tried out the x86 version). It's likely either an error on my part when copying across from my Arm version, or perhaps something not working right with conditionals, meant to deal with the various OS versions ('if; then' statements, I mean). Once I find out more, I'll edit my earlier post...
fattire said:
Sorry not sure what you mean by "hybrid systemless root style setup"? I take it you're modifying the startup script and replaced the squashfs file in /opt... my concern about doing it was whether they were implementing some kind of dm-verity equivalent to the squashfs file to make sure it hasn't been tampered with (say, by adding /sbin/su or whatever) or whether it's safe to replace that file.. Sounds like you're saying it is?
Click to expand...
Click to collapse
Oh, sorry for being a bit vague - I just mean perhaps implementing a kind of systemless root à la Magisk/SuperSU (from what I understand of how these work) - avoiding the need to actually replace files in /system. Since I'm mainly just using su for the privileges rather than actually wanting to write to /system, I had the idea that perhaps a sort of overlay on e.g. xbin and a few other locations, rather than actually rebuilding the whole of /system, might be an interesting approach....
Yep, I've been replacing /opt/google/containers/android/system.raw.img with a symlink to my modified image lately. Works fine... I think they've been focused on just getting the apps working properly, maybe something like dm-verity is still to come.
Although, one of the cool things with Chromebooks IMO is that once the Developer Mode (virtual) switch has been flipped, the system's pretty open to being hacked around with. I think a large part of the much-trumpeted "security" of the system is thanks to the regular mode/Dev mode feature, once in Dev Mode with verified boot disabled on the rootfs, we can pretty much do what we want (I like the message that comes up in the shell when entering the first command I posted under the spoiler - it literally says "YOU ARE ON YOUR OWN!").
So yeah, with Dev Mode switched off, verified boot switched on, we can't even get into the shell (just the walled-off 'crosh' prompt), making the system indeed rather secure (but, for some of us, rather limited).
fattire said:
Also you mean arc-setup.conf:
env ANDROID_DEBUGGABLE = 0
right?
Click to expand...
Click to collapse
That's what I mean by a moving target, lol. On my device the Canary channel is at Chrome OS version 61; I think they started to move out some ARC++ (the acronym stands for Android Runtime on Chrome, version 2, if anyone's wondering, btw) environment variables to a separate file in version 60, or maybe 61. Problems with being on the more 'bleeding edge' channels include:
#Sometimes stuff gets broken as they commit experimental changes.
#Any updates sometimes overwrite rootfs customizations; the higher the channel - the more frequent the updates occur.
#Some of the stuff that gets updated, may later get reverted.
And so on...
fattire said:
I hadn't realized the boot was still in flux-- I'd have figured they'd worked that out by now...
Click to expand...
Click to collapse
Yeah you'd think so. Honestly, the more I use CrOS the more it seems like a (very polished) work-in-progress to me. Though, I guess most modern OSs are also works-in-progress though. (I don't mean the former statement in a critical way; I'm very happy that new features keep getting added to the OS - Android app support being a perfect case in point, that was a lovely surprise, greatly extending the functionality of my Chromebook).
fattire said:
Cool-- adb connect 100.115.92.2 does indeed work I was gonna use netcat to open port 5555 in chromeos and pipe it through, but looks like nc isn't here and I'm not yet ready to start changing the FS..though probably will be soon...
Click to expand...
Click to collapse
Netcat's not there but socat, which I haven't any experience with but have seen described as a "more advanced version of netcat", is listed in /etc/portage/make.profile/package.installable, meaning that adding it to CrOS is supported, and as simple as:
Code:
sudo su -
dev_install #(sets up portage in /usr/local)
emerge socat
I tried socat out and it seems to work, might be interesting to play around with.
fattire said:
btw any idea which partitions get overwritten when chrome it does it's updates? Will /root and /etc get overwritten, for example...
Click to expand...
Click to collapse
Theres a question. I forget some of the exact details now (gleaned from browsing the developer mailing lists and the documentation on chromium.org), but from what I do remember and my experiences tinkering, I can say:
The auto-update model uses kernel/rootfs pairs, e.g. at the moment my device is booting from partition 2 (KERN-A) with the rootfs being partition 3 (ROOTFS-B). My understanding is that with the next OS update pushed to my device, CrOS will download the deltas of the files to be changed, and apply the changes to partitions 4 and 5 (KERN-B and ROOTS-B), setting new kernel GPT flags (priority=, tries=, successful=), which will, post-reboot, let the BIOS know that 4 and 5 will form the new working kernel/rootfs pair. Then the following update will do the same, but with partitions 2 and 3, and so on and so forth, alternating pairs each time. It's a pretty nifty system, and I think something similar might be happening with new Android devices from version O onward (?).
So partitions 2,3,4,5 are fair game for being overwritten (from the perspective of the CrOS updater program). Partition 1, the 'stateful partition') is a bit special, in addition to a big old encrypted file containing all of the userdata (/home/chronos/ dir?), it also has some extra dirs which get overlaid on the rootfs at boot. If you have a look in /mnt/stateful/, there should also be a dir called 'dev_image', which (on a device in Dev mode) gets mounted up over /usr/local/ at boot. As I mentioned above, if you do
Code:
sudo su -
dev_install
you can then emerge anything listed in /etc/portage/make.profile/package.installable (not a great deal of stuff admittedly, compared to Gentoo), which gets installed to subdirs in /usr/local/. So I think stuff in partition 1; /mnt/stateful/, should be safe from being overwritten with an OS update. I think crouton chroots get put there by default.
Most of the other partitions don't really get used, and shouldn't get touched by the updater, here's a design doc on the disk format, and here's a Reddit post (from a Google/Chromium employee) mentioning dual booting from partitions 6 and 7.
fattire said:
would a "powerwash" overwrite it or can you get easily get into an unbootable state on these things?
Click to expand...
Click to collapse
It's not too hard to mess up the system and get it into an unbootable state, lol. The "powerwash" just seems to remove user data, mainly. If you change up (the contents of) some files in /etc, or /opt, for example, then powerwash, normally they won't get restored to their original state (unless you also change release channel).
But, as long as the write-protect screw's not been removed and the original BIOS overwritten, it's always possible to make a recovery USB in Chrome's Recovery Utility on another device, and then restore the entire disk image fresh (this does overwrite all partitions). Another thing that I did was make a usb to boot into Kali; I was experimenting with the cgpt flags on my internal drive and got it into an unbootable state, but was still able to boot into Kali with Ctrl+U, and restore the flags manually from there. (To successfully boot from USB, it was essential to have previously run the enable_dev_usb_boot or crossystem dev_boot_usb=1 command in CrOS). I understand also that the BIOS type varies with device release date and CPU architecture, and that Intel devices may have some extra potential BIOS options ('legacy boot').
fattire said:
It's also kind of strange that adb is listening to port 30 at that (internal?) bridge address by default with no UI to turn it off.. and it's inaccessible from outside.. i wonder if there's an easy way to change the bridge to share the same IP as the actual interface...
Click to expand...
Click to collapse
I think I saw something related to this on the bug tracker. If I come across any info, I'll let you know...
fattire said:
Final thought-- I'd love to build that system image myself soup-to-nuts, but I can't find any "caroline" device tree set up... do you or anyone else happen to know if there's a standalone AOSP device tree for the chromebooks? It would be cool to have a mashup AOSP/lineageos if such a think could be possible-- I'm guessing chromiumos is just taking the android tree, building it and then adding it into their build... I Haven't build chromiumos for many years now so I can't even begin to imagine how this android build integrates with the whole emerge thing they had going.. but I bet it takes a while
Click to expand...
Click to collapse
Yeah, I haven't built Chromium OS or anything, but apparently, there's an option to create a 'private' overlay for the build, which doesn't get synced with the public stuff.
I think that the higher-ups at Google might be still umming and ahing as to whether or not to make source code available for the Android container, it's certainly not been made public yet. Actually, I remember seeing a Reddit post from a Google/Chromium employee mentioning this.
"That article is a little misleading in terms of open source. While the wayland-server and services that communicate with the ARC++ container are open source, the actual ARC++ container is not."
Perhaps they're waiting to see how similar implementations of Android within a larger Linux setup (e.g. Anbox) fare.
There doesn't seem to be too much that differs from AOSP in the ARC++ container - a few binaries and bits and pieces linking the hardware to the container (e.g. the camera etc), maybe some stuff related to running in a container with the graphics being piped out to Wayland?, and so on.
Oh, I was searching the bug tracker for something else, and just saw this (quoted below). Looks like it might be possible to run AOSP based images on CrOS soon!
arc: Implement android settings link for AOSP image
Reported by [email protected], Today (72 minutes ago)
Status: Started
Pri: 1
Type: Bug
M-60
When ARC started without the Play Store support there is no way for user to activate Android settings. We need implement corresponded section that has
Title: Android settings:
Link: Manage android preferences:
Inner bug: b/62945384
Click to expand...
Click to collapse
Great response! I read it once and I'll read it again in more detail then will probably have questions For whatever it may be worth, my only experience with chromiumos was building the whole thing maybe 4 years ago for my original 2011 Samsung "snow" Chromebook-- and making a bootable USB (or was it an SDcard?) to run it on (with a modified firmware that did... something I can't remember.. i think it was basically a stripped down uboot and I remember adding a simple menu or something-- I think I was trying to bypass that white startupscreen or something..). However, after doing this a few times to play with it, I realized that Chromiumos without the Chrome goodies kinda sucks and I promptly forgot everything and went back to stock.
I did have it re-partitioned to run linux as a dual boot from the SD slot or something-- I remember using that cgpt thing to select the different boot modes and vaguely recall the way it would A/B the updates (which "O" is now doing)... but anyhoo I was using the armhf ubuntu releases with the native kernel and ran into all kinds of sound issues and framebuffer only was a little crappy so...
I'm gonna re-read in more detail soon and I'm sure I'll have questions-- one of which will be-- assuming that most stuff is the same on x86 vs arm, why are there two scripts? How do they differ?
ol. On my device the Canary channel is at Chrome OS version 61; I think they started to move out some ARC++ (the acronym stands for Android Runtime on Chrome, version 2, if anyone's wondering, btw) environment variables to a separate file in version 60, or maybe 61.
Click to expand...
Click to collapse
This is the -env file I'm missing, I presume?
I think that the higher-ups at Google might be still umming and ahing as to whether or not to make source code available for the Android container, it's certainly not been made public yet. Actually, I remember seeing a Reddit post from a Google/Chromium employee mentioning this.
Click to expand...
Click to collapse
It looks from the response that the gapps portion might be what's in question-- just like ChromiumOS vs Chrome has all the proprietary bits taken out?
Here's what I'd ideally like to see:
* Rooted Android, with a toggle switch to hide su in settings a la lineage (requires a kernel patch something like this one) + settings changes from lineageos
* adb access from outside the device-- critical for quickly testing apks from android studio w/o a cable. Basically put the chromebook in a "device mode" where adb is passed through... I'm going to see if I can pipe adb through with socat as you suggest...
* what else... I dunno watch this space.
An update from a couple of guys that have tested out the scripts on Intel: It seems to be that while they are able to launch daemonsu manually (with daemonsu --auto-daemon), it apparently does not seem to be getting launched at boot.
I am waiting for some more information on this. Previously, for Marshmallow, the script was setting up the app_process hijack method in order to to launch daemonsu at boot; to support Nougat I changed it to instead create an .rc file with a service for daemonsu, and add a line to init.rc importing it. This works for me, and from what I can gather, it copied/created all files successfully on the testers devices, too, so I'm not sure at this point what the issue is there.
Edit: Fixed the issue. I updated my previous post with further details.
fattire said:
I realized that Chromiumos without the Chrome goodies kinda sucks and I promptly forgot everything and went back to stock.
Click to expand...
Click to collapse
lol yeah. True, that.
fattire said:
...assuming that most stuff is the same on x86 vs arm, why are there two scripts? How do they differ?
Click to expand...
Click to collapse
It's literally just two things that differ: the few lines where we copy the su binary over e.g.
/x86/su.pie → /system/xbin/su, daemonsu, sugote
vs
/armv7/su → /system/xbin/su, daemonsu, sugote
...and also the size of the created container. The x86 container is about 30 percent larger than the Arm one.
I had a little look at how to determine the CPU architecture programmatically on Chrome OS a while back, but couldn't seem to find a reliable way of doing this, at least not without maybe getting a bunch of people with different CrOS devices to run something like, as you mentioned, uname -i (which returns 'Rockchip' on my device, uname -m (which returns 'armv7'), or such similar, and collating the results. It was just easier to do separate versions for x86/arm, rather than introduce more conditionals (with potential for errors). I'm certainly not averse to adding a check for $ARCH, and thus standardizing the script, as long as it's reliable.
fattire said:
This is the -env file I'm missing, I presume?
Click to expand...
Click to collapse
Yep! It's just the same few envs as in the .confs, moved into a new file. I'm fairly confident that the script's conditionals deals with them OK.
fattire said:
It looks from the response that the gapps portion might be what's in question-- just like ChromiumOS vs Chrome has all the proprietary bits taken out?
Click to expand...
Click to collapse
Yeah, although the respondant there perhaps doesn't seem to realise that he's talking to a Google/Chromium dev, the way he responds. Not that that makes anything he says in his post is necessarily less valid, though.
fattire said:
Here's what I'd ideally like to see:
* Rooted Android, with a toggle switch to hide su in settings a la lineage (requires a kernel patch something like this one) + settings changes from lineageos
* adb access from outside the device-- critical for quickly testing apks from android studio w/o a cable. Basically put the chromebook in a "device mode" where adb is passed through... I'm going to see if I can pipe adb through with socat as you suggest...
Click to expand...
Click to collapse
Interesting... I agree, those would both be useful additions to the functionality of ARC++...
Quick question-- has Samsung provided the source for the GPL components (including the kernel, obviously)? I looked here but didn't see anything...? Previously the kernel was included along with the chromium source and there was like a kernel and kernel-next repository.. but this was like five years ago. I think the codename for the samsung chromebook pro is called caroline... let me quickly see if I can find a defconfig in the chromium source...
Back.. nothing here in the chromeos-4.4 branch. Nothing here either in the master branch. Maybe I'm looking in the wrong branches-- master is probably mainline kernel. Also the directories.. it took me five minutes to realize it wasn't going to be in arch/arm - force of habit I guess. I'll keep looking unless anyone knows. This "chromium-container-vm-x86" one seems to have dm_verity as an unused option. Ah, this is looking promising.
...and... here!
So it would seem that this would be built as part of the chromiumos build system, which seemed to be half gentoo five years ago building out of a chroot and was kind of a pain to set up... still, I'm guessing that since it's got that weird script to make the defconfig, what you could do is use google's chromiumos build script to make the kernel image (with whatever changes you want), then, assuming that it doesn't care if you replace the kernel, just throw it over the right Kernel A/B partition and see if it boots and starts up chromeos... it's weird cuz the kernel has to do double-duty for chromeos and android.. but I bet you can just replace it and it would work fine...
I had a cursory go at building a couple of kernel modules for my Flip C100 a while back - I didn't get too far though, lol. People do seem to have had success building their own kernels and running them with Chrome OS though, as with most things I suppose it's just how much time/effort you're willing to put in.
I think I used this and maybe this, from the crouton project to guide me.
From what I remember, I just got fed up of all the arcane errors/config choices. I remember that even though I'd imported my current device config from modprobe configs, there were then such an incredibly long string of hoops/config choices to have to go through one by one, to then be confronted with various errors (different every time ISTR) that I think I just thought "screw this". I think there were some other issue with the Ubuntu version I was using at the time as well. I know that sort of stuff's kind of par for the course with kernel compilation, but I was mainly only doing it so I could edit xpad in order to get my joypad working, in the end I found a different solution.
It shouldn't be too much hassle though, in theory I guess.... Oh, also, in order to get a freshly built kernel booting up with the CrOS rootfs, in addition to the gpt flags, I think you might have to sign it, too? (just with the devkeys & vbutil_kernel tool provided on the rootfs), some info here, and here.
From what I remember, the build system would do whatever key signing was necessary.... although I do now remember you're right there was some manual step when I was building the kernel, but I can't remember if that's because of MY changes or that was just part of the build process.
I I just dug out the old VM (Xubuntu) I was using to build and, well, let's just say I'll be doing a LOT of ubuntu updates before I can even realistically look at this. I do kinda recall setting up the environment was a huge pain so I'm going to see if I can just update the 5 year old source, target the pro and just build the kernel image and see what pops out the other end. At least I won't have to deal with the cross compiler, though I think it should hopefully take care of that itself.
Interesting to see that those crouton projects have emerged (no pun intended) so I'll check them out too while ubuntu updates itself
Thanks for the github links.. I'm going to go read that wiki.
Update: Looked at it-- funny they just stripped out the chromeos-specific parts they needed rather than emerge everything which is smart. My only question is now that Android is involved, there's that script I linked to earlier that seems to say "if you want Android support you'll need these bits too"-- wonder if the same config scripts apply, and if there are any other device tree considerations as well...
I may play a bit and see how smoothly it goes.. Unfortunately I don't have unlimited time either :/
Also, please do let me know if you put the scripts on github and I can send you pull requests if I come up with anything.
Update: Finally updated like 3 major versions of ubuntu... the "depot_tools" repo had its last commit in 2013, so I updated that. Wow, this is so much clearer than previous docs... it looks like something called gclient is used now, which I configured with:
gclient config --spec 'solutions = [
{
"url": "https://chromium.googlesource.com/chromium/src.git",
"managed": False,
"name": "src",
"deps_file": ".DEPS.git",
"custom_deps": {},
},
]
'
that let me do gclient sync --nohooks --no-history ...which i think is updating the ancient source. I probably should have just started over, but anyway... we'll see what happens.
Update again: After updating with this new gclinet tool, it appears that the old repo sync method is still required as described here. That hasn't changed after all, so now I'm going to go through this old method, which will probably completely overwhelm my storage as it's downloading with history.. but anyway, in case anyone is trying this-- looks like the whole chroot/repo sync thing may still be how it's done... the /src directory described above may only be for building just the browser, not the whole OS...
...and here it is. I will have zero room to actually build anything tho, but hey.
* [new branch] release-R58-9334.B-caroline-chromeos-3.18 -> cros/release-R58-9334.B-caroline-chromeos-3.18
Note to self: use cros_sdk --enter to actually get in the chroot. Then:
~/trunk/src/scripts $ ./setup_board --board=caroline
to set up the build for caroline. Then to build:
./build_packages --board=caroline --nowithdebug
Useful links:
* Building ChromiumOS
* [URL="http://www.chromium.org/chromium-os/how-tos-and-troubleshooting/portage-build-faq"]eBuild FAQ
[/URL]
Hi all, I am new to the forums and I think that I need some help with a custom android project.
[Background]
I have bought a Meraki MC74, This phone is a VOIP office desk phone that has a nice 7 inch LCD screen that make for a ballin' custom intercom phone/general android device.
Cisco Meraki has dropped support for this phone, so even if I wanted to pay for a subscription, I couldn't. So custom android it is
[So what I know]
I know that the OEM OS is android 4.X.X with a custom Cisco Meraki dialer to do Meraki's cloud mumbojumbo. I was able to use ADB and Fastboot to flash ClockworkMod, and a custom version of Android 4.1.2 to get the device somewhat working. (it had lots of bugs and problems; but it was running android free of the Cisco Dialer!)
I was able to do this with the help of fellow xdadevelopers forum user "andrewmospak" (If you're reading this; I'm the dude from Ebay. And of course, thanks bro for the help so far!)
The storage is on a 4 GB Kingston EMMC.
[What I wanted for an end goal]
I wanted to have an interesting discontinued Meraki Desk phone that runs android and get all the functions of the phone working within android.
I also wanted to expand the storage from 4GB to 32GB. ( involving de-soldering existing EMMC and solder in the bigger EMMC.)
[What caused me to write this]
I would be fine if I wanted to stop there, but I wanted to try to install a GSI of android 9 in place of 4.1.2.
Again, this wouldn't be a big deal but I had to go and screw this up. I tried to resize some of the partitions (namely system to accommodate the bigger image of the android 9 GSI)but I accidentally completely killed the system,cache, and recovery partitions.
So, as one of the first steps of trouble shooting, I went to the hardest solution. The de-soldering of the EMMC.
I reached out to Andrewmospak again and asked for a full system emmc dump to try to flash his working file system to a spare 4GB EMMC to see an example of the file system of a working android EMMC. I received the image and flashed it to a spare Toshiba chip and soldered that to the phone, but I was unable to get the phone to boot into android right away, only able to load up fastboot.
Interestingly, I know that the EMMC is working because fastboot reports the S/N as the S/N of Andrewmospak's device and not the one written on my device.
[What I don't know]
Should some of the partitions on the EMMC not be recognized by Gparted in Debian? Like the User/System and others are partitioned ext4 while others are just not recognized.
Why when trying to flash partitions using Fastboot, wont fastboot recognise a recovery partition. It would just say that the partition just doesn't exist. same story with boot.
[What needs help]
I would like to know why fastboot wont see flashable volumes when using the EMMC dump flashed to another spare Toshiba EMMC, it is clearly there.
I would like to know how to reconstruct a volume to fix missing ones, and the number of partitions android needs to run.
Would I be able to flash an image of my working device to a 32gb emmc and just expand the system and user partitions into that extra space?
I will appreciate all help given to assist me and others that want a working device instead of a paperweight. ogChamp: :fingers-crossed:
That is an awesome project, and a great idea for an office line. I'll look into this!
Use MC74 for dashboard
I'm really interest to know, if you can have run a web browser on the MC74.
My needs are not fancy, I want to run a web browser on the touch screen, and have network connection with the ethernet jack in the back. I want to use it to interact with a touch dashboard for my home automation trough the webbrowser.
Thank you
Is it possible you didnt get the hidden boot partition in the emmc device? I know it isn't accessible through a sd card reader but can be seen through a SDIO controller interface.
page 15 of this document discusses this:
Google this: "us-17-Etemadieh-Hacking-Hardware-With-A-$10-SD-Card-Reader-wp.pdf" first link on blackhat.com
This project interests me as these devices are dirt cheap and i could use a few multipurpose desk phones
Thank you for starting this work. I have been waiting for this day since past couple of years now.
When you get a chance, could you please post the steps up to the point where you decided to swap the emmc?
sasha0413 said:
Hi all, I am new to the forums and I think that I need some help with a custom android project.
[Background]
I have bought a Meraki MC74, This phone is a VOIP office desk phone that has a nice 7 inch LCD screen that make for a ballin' custom intercom phone/general android device.
Cisco Meraki has dropped support for this phone, so even if I wanted to pay for a subscription, I couldn't. So custom android it is
[So what I know]
I know that the OEM OS is android 4.X.X with a custom Cisco Meraki dialer to do Meraki's cloud mumbojumbo. I was able to use ADB and Fastboot to flash ClockworkMod, and a custom version of Android 4.1.2 to get the device somewhat working. (it had lots of bugs and problems; but it was running android free of the Cisco Dialer!)
I was able to do this with the help of fellow xdadevelopers forum user "andrewmospak" (If you're reading this; I'm the dude from Ebay. And of course, thanks bro for the help so far!)
The storage is on a 4 GB Kingston EMMC.
[What I wanted for an end goal]
I wanted to have an interesting discontinued Meraki Desk phone that runs android and get all the functions of the phone working within android.
I also wanted to expand the storage from 4GB to 32GB. ( involving de-soldering existing EMMC and solder in the bigger EMMC.)
[What caused me to write this]
I would be fine if I wanted to stop there, but I wanted to try to install a GSI of android 9 in place of 4.1.2.
Again, this wouldn't be a big deal but I had to go and screw this up. I tried to resize some of the partitions (namely system to accommodate the bigger image of the android 9 GSI)but I accidentally completely killed the system,cache, and recovery partitions.
So, as one of the first steps of trouble shooting, I went to the hardest solution. The de-soldering of the EMMC.
I reached out to Andrewmospak again and asked for a full system emmc dump to try to flash his working file system to a spare 4GB EMMC to see an example of the file system of a working android EMMC. I received the image and flashed it to a spare Toshiba chip and soldered that to the phone, but I was unable to get the phone to boot into android right away, only able to load up fastboot.
Interestingly, I know that the EMMC is working because fastboot reports the S/N as the S/N of Andrewmospak's device and not the one written on my device.
[What I don't know]
Should some of the partitions on the EMMC not be recognized by Gparted in Debian? Like the User/System and others are partitioned ext4 while others are just not recognized.
Why when trying to flash partitions using Fastboot, wont fastboot recognise a recovery partition. It would just say that the partition just doesn't exist. same story with boot.
[What needs help]
I would like to know why fastboot wont see flashable volumes when using the EMMC dump flashed to another spare Toshiba EMMC, it is clearly there.
I would like to know how to reconstruct a volume to fix missing ones, and the number of partitions android needs to run.
Would I be able to flash an image of my working device to a 32gb emmc and just expand the system and user partitions into that extra space?
I will appreciate all help given to assist me and others that want a working device instead of a paperweight. ogChamp: :fingers-crossed:
Click to expand...
Click to collapse
Can't get to recovery mode -- wanna help
I'd like to help and write and app that is a (open) SIP client for the MC74. I bought an apparently new MC74 but I can't get it into recovery mode. Any help in doing this (so I can install a rooted Android)?
Holding down VolUp while connecting the POE ethernet to the WAN port doesn't work. The display remains blank then every several seconds the dislpay backlight flashes for a moment. Holding down Mute and connecting power has no effect, just boot normally to the Meraki logo screens then a minute later the normal keypad and menu display. (VolDn and powerup boots normally). I've tried this with USB flash drive (with some random recovery.img file on it) in the side USB port -- then I get an icon of a broken Android robot (presumably meaning it tried something with booting off the USB.
Has my MC74 been locked down somehow? What can I do to get a rooted Android on it?
ribo said:
I'd like to help and write and app that is a (open) SIP client for the MC74. I bought an apparently new MC74 but I can't get it into recovery mode. Any help in doing this (so I can install a rooted Android)?
Holding down VolUp while connecting the POE ethernet to the WAN port doesn't work. The display remains blank then every several seconds the dislpay backlight flashes for a moment. Holding down Mute and connecting power has no effect, just boot normally to the Meraki logo screens then a minute later the normal keypad and menu display. (VolDn and powerup boots normally). I've tried this with USB flash drive (with some random recovery.img file on it) in the side USB port -- then I get an icon of a broken Android robot (presumably meaning it tried something with booting off the USB.
Has my MC74 been locked down somehow? What can I do to get a rooted Android on it?
Click to expand...
Click to collapse
The way That I was able to boot into recovery was to hold mute and volume down NOT IMMEDIATELY hold the two only after the LCD backlight turns on. Only then you will be in recovery.
realc3blues said:
Is it possible you didnt get the hidden boot partition in the emmc device? I know it isn't accessible through a sd card reader but can be seen through a SDIO controller interface.
page 15 of this document discusses this:
Google this: "us-17-Etemadieh-Hacking-Hardware-With-A-$10-SD-Card-Reader-wp.pdf" first link on blackhat.com
This project interests me as these devices are dirt cheap and i could use a few multipurpose desk phones
Click to expand...
Click to collapse
My linux machine recognizes the mystery partitions but not their contents or partition scheme with some cheap USB to SD adapters. I think it works well. Thanks for the recommendation though!
ribo said:
I'd like to help and write and app that is a (open) SIP client for the MC74. I bought an apparently new MC74 but I can't get it into recovery mode. Any help in doing this (so I can install a rooted Android)?
Holding down VolUp while connecting the POE ethernet to the WAN port doesn't work. The display remains blank then every several seconds the dislpay backlight flashes for a moment. Holding down Mute and connecting power has no effect, just boot normally to the Meraki logo screens then a minute later the normal keypad and menu display. (VolDn and powerup boots normally). I've tried this with USB flash drive (with some random recovery.img file on it) in the side USB port -- then I get an icon of a broken Android robot (presumably meaning it tried something with booting off the USB.
Has my MC74 been locked down somehow? What can I do to get a rooted Android on it?
Click to expand...
Click to collapse
You need to hold down the VOLUME DOWN button before powering on the unit, and then continue to hold it. The phone will go into Fastboot mode. The screen will be blank, but backlit, and usually the LED lights up red. Here, you can flash a custom recovery firmware image (such as the ClockworkMod one that's floating around) that allows you to make changes to the system and user partitions. The thing you're seeing with the Android robot is expected. That's the default recovery firmware. Once you flash custom recovery firmware in Fastboot mode, you then unplug the unit, hold down the MUTE button, plug the device in, and continue to hold the MUTE button. It may take some time for it to get into the recovery firmware, but be patient. FYI, VOLUME UP is used for that feature where you can switch between two "slots" for firmware. I don't really know what that is, but I know that it's a thing with Android. It's pretty much unused on the MC as far as I can tell.
Has anyone considered working backwards with the version of Android running on the MC, rather than installing an entirely new version? So, instead of trying to get new firmware to work on the unit, why not work with whatever's on the device by default and pull out what you don't need? I know that some people have gotten different versions of Android to work on the unit, but this leads to bugs or hiccups. I'd imagine that this is because the kernel for that firmware isn't specifically made for the MC, but don't take my word for it. That's just a guess.
Due to the current pandemic situation that's going on here, I've decided to occupy my time by examining the MC in depth. I've managed to get ADB shell working when the device has booted normally, allowing me to examine the filesystem and pull out whatever Meraki included with the firmware. Even got the rainbow LED to stop obnoxiously glowing! I'm currently working on getting the system UI to work (there's no status bar or app switcher).
Got adbd running on MC74, Sort of got Linphone going
@sasha0413 and @jazzcandle, I got the boot.img updated so I could set 'ro.secure=0' in /default.prop in the boot up ramdisk. So now I can 'adb' into it by TCP or USB. Thanks for the help. (My MC74 calls itself a 'test-phone' so it may be a little different software. The problem was that the 'recovery' mode installed on it was pretty subtle, nothing showed on the screen.
My MC74 runs '4.2.5-meraki' version of JellyBean api 17, because I'm not good at porting newer versions of Android -- and because there may be modifications / drivers that Meraki put in to support the hardware, I'm working on a phone app with the original JellyBean.
I managed to get an old version of 'linphone' working to the extent that I can make a call -- and can be heard -- but I haven't mastered the speakers (Android AudioManager/MediaPlayer, etc) so I can't hear the phone call. I can play audio speakerphone speaker, but can't play it on the handset speaker. Figuring out the Android Audio system for JellyBean is hard, the implementation has change a lot since then.
---------- Post added at 14:11 ---------- Previous post was at 14:04 ----------
[/COLOR @jazzcandle I installed com.teslacoilsw.launcher-4.1.0-41000-minAPI16.apk as a launcher and told use it as the launcher rather than /data/app/com.meraki.dialer2-1.apk
How did you stop the RGB LED from cycling through the colors? Does something like: /system/app/DroidNode.apk or /system/app/DroidNodeSystemSvcs.apk start the led cycling, then perahps com.meraki.dialer2 stop it -- when it initializes?
ribo said:
My MC74 calls itself a 'test-phone' so it may be a little different software. The problem was that the 'recovery' mode installed on it was pretty subtle, nothing showed on the screen.
Click to expand...
Click to collapse
This is something that stumped me early on as well. But have no fear, all MCs run the same firmware, and you're not running different "test" firmware. The "test phone" value you're referring to is only seen in the recovery partition in the "default.prop" file, where "ro.product.model" is set to "BCM28155_TEST_PHONE". When booting normally, this value is set to "Meraki MC74" instead.
ribo said:
I managed to get an old version of 'linphone' working to the extent that I can make a call -- and can be heard -- but I haven't mastered the speakers (Android AudioManager/MediaPlayer, etc) so I can't hear the phone call. I can play audio speakerphone speaker, but can't play it on the handset speaker. Figuring out the Android Audio system for JellyBean is hard, the implementation has change a lot since then.
Click to expand...
Click to collapse
The way audio output works on the MC is a bit strange. In fact, it's not really Android's fault from what I can tell. However, I found that you have to "poke" the audio HAL to get it functioning somewhat normally (ie. getting audio to actually play through the speakers). You can do this by running the following command in the shell:
$ tinymix 1 1
At this point, you should be able to hear audio output through the speakers. Additionally, you should be able to switch between handset and speakerphone mode (so long as the app you're using allows you to do this).
ribo said:
I installed com.teslacoilsw.launcher-4.1.0-41000-minAPI16.apk as a launcher and told use it as the launcher rather than /data/app/com.meraki.dialer2-1.apk
Click to expand...
Click to collapse
You should delete the Dialer apk, you don't need it. In fact, you should delete the DroidNode.apk and DroidNodeSystemSvcs.apk files as well.
ribo said:
How did you stop the RGB LED from cycling through the colors? Does something like: /system/app/DroidNode.apk or /system/app/DroidNodeSystemSvcs.apk start the led cycling, then perahps com.meraki.dialer2 stop it -- when it initializes?
Click to expand...
Click to collapse
You need to modify "init.bcm911130_me1.rc" within "boot.img" and either remove or comment out the following:
Code:
service lightsd /system/bin/lightsd
class main
socket lightsd stream 600 system system
user root
Controlling RGB LED on MC74
Thanks jazzcandle, I'll look into /system/bin/lightsd to see what it does.
lightsd seems to open ANDROID_SOCKET_lightsd and listen to /dev/socket/lightsd
It seems to directly write to these /sys files to change the LEDs through which must be controlled through the SOC's GPIO pins..
/sys/class/leds/red/brightness
/sys/class/leds/green/brightness
/sys/class/leds/blue/brightness
/sys/class/leds/white/delay_off
/sys/class/leds/white/brightness
/sys/class/gpio/export
/sys/class/gpio/gpio11/directionout
/sys/class/gpio/gpio11/value
am broadcast -a com.meraki.LIGHTSD_START
I would be great to know what all the GPIO devices did and their a addresses.
I've left the Dialer2, DroidNode and DroidNodeSystemSvcs apps running at this point to see what they do and how they are used. I agree that eventually they need to be removed because they connect to cisco/meraki web services when they start up.
I noticed that the com.meraki.dialer2.LEDController class is how the dialer controls the LEDs:
public void notifyLeds(LedMode mode, int red, int green, int blue) {
this.r = red;
this.g = green;
this.b = blue;
this.m = mode;
sendLightCommand();
}
class LightCmd implements Consumer {
public void accept(Object o) {
Intent i = (Intent)o;
i.putExtra("red", r);
i.putExtra("green", g);
i.putExtra("blue", b);
Log.i(TAG, String.format("Broadcasting color change to rgb(%d, %d, %d)",
new Object[]{r, Integer.valueOf(g), Integer.valueOf(b)}));
ctx.sendBroadcast(i);
}
}
private void sendLightCommand() {
Consumer cons = new LightCmd();
getIntent().ifPresent(cons);
}
Click to expand...
Click to collapse
Methods ilke 'notifyLeds' takes a mode (Solid, Pulse, or Rainbow) and the R, G, B values and uses the sendLightCommand() method which broadcasts an intent that will probably be handled by something like the /system/bin/lightsd daemon. (I'm trying to document all these things for customizing/developing a SIP app.
I notice that the MC74 app is built on the PJSIP ( org.pjsip.pjua2 package) I was thinking of use the org.linphone SIP package. Anyone have experience with these SIP packages?
ribo said:
(I'm trying to document all these things for customizing/developing a SIP app.
I notice that the MC74 app is built on the PJSIP ( org.pjsip.pjua2 package) I was thinking of use the org.linphone SIP package. Anyone have experience with these SIP packages?
Click to expand...
Click to collapse
Thanks for documenting this, this is awesome info. A while back I built a rudimentary SIP client for MC74 based on the AJVoIP SIP package. I gave up on it once my trial period for that package expired. It was quirky, with flaky audio and no LED control (which both now could be solved by the info in this thread), but I did have hookswitch (hangup/answer by picking up the handset) working.
In the spirit of documentation, the hookswitch is an ambient light sensor that gets covered or uncovered by the handset's earpiece. The original Dialer2 app reads the raw value and compares it to a calibrated set point to determine on/off hook state. Reading the path
Code:
/sys/devices/virtual/input/input0/event0/device/raw_adc
with a FileReader will get you the current value. For my device, off hook (answered) is a value below 110. On hook (hung up) is a value above 110. For my testing I just polled this file every 250ms but you could attach a FileObserver to it or something.
jazzcandle said:
Has anyone considered working backwards with the version of Android running on the MC, rather than installing an entirely new version? So, instead of trying to get new firmware to work on the unit, why not work with whatever's on the device by default and pull out what you don't need?
Click to expand...
Click to collapse
This is actually what I am working on with a unit that I got.
The phone I have (from the build.prop file):
Code:
ro.build.version.release=4.2.3-phone-5068355-southern-userdebug
ro.product.model=Meraki MC 74
ro.product.brand=Meraki
ro.product.name=capri_me1
ro.product.device=capri_me1
ro.product.board=capri
Currently trying to work on getting ADB working from within the phone and not just within the Clockwork recovery that I got loaded on it.
Getting a pretty close stock experience on the MC74 is totally possible with some dedication and work. For reasons I cant get into, I am unable to provide the steps / files that it took to get where I am, but I have a functional MC74 with working handset & speakerphone. The only next thing I need to work on is getting the "IR" sensor to hangup in specific Dialer applications.
https://imgur.com/a/FFVq1sL
I am using Grandstream Softphone dialer.
drraccoon said:
Getting a pretty close stock experience on the MC74 is totally possible with some dedication and work. For reasons I cant get into, I am unable to provide the steps / files that it took to get where I am, but I have a functional MC74 with working handset & speakerphone. The only next thing I need to work on is getting the "IR" sensor to hangup in specific Dialer applications.
Click to expand...
Click to collapse
I was able to achieve the same, except GS dialer is not scaled correctly.
Not able to post link to image, as I don't have 10 messages.
So it is a/6aQYsz6 on imgur
Did not bother to fix it, as my intent is custom PJSIP dialer (someday
Headset sensor, led, mixer - figured out.
The only mystery is "mute" button and the red LED behind it.
sasha0413 said:
Hi all, I am new to the forums and I think that I need some help with a custom android project.
[Background]
I have bought a Meraki MC74, This phone is a VOIP office desk phone that has a nice 7 inch LCD screen that make for a ballin' custom intercom phone/general android device.
Cisco Meraki has dropped support for this phone, so even if I wanted to pay for a subscription, I couldn't. So custom android it is
[So what I know]
I know that the OEM OS is android 4.X.X with a custom Cisco Meraki dialer to do Meraki's cloud mumbojumbo. I was able to use ADB and Fastboot to flash ClockworkMod, and a custom version of Android 4.1.2 to get the device somewhat working. (it had lots of bugs and problems; but it was running android free of the Cisco Dialer!)
I was able to do this with the help of fellow xdadevelopers forum user "andrewmospak" (If you're reading this; I'm the dude from Ebay. And of course, thanks bro for the help so far!)
The storage is on a 4 GB Kingston EMMC.
[What I wanted for an end goal]
I wanted to have an interesting discontinued Meraki Desk phone that runs android and get all the functions of the phone working within android.
I also wanted to expand the storage from 4GB to 32GB. ( involving de-soldering existing EMMC and solder in the bigger EMMC.)
[What caused me to write this]
I would be fine if I wanted to stop there, but I wanted to try to install a GSI of android 9 in place of 4.1.2.
Again, this wouldn't be a big deal but I had to go and screw this up. I tried to resize some of the partitions (namely system to accommodate the bigger image of the android 9 GSI)but I accidentally completely killed the system,cache, and recovery partitions.
So, as one of the first steps of trouble shooting, I went to the hardest solution. The de-soldering of the EMMC.
I reached out to Andrewmospak again and asked for a full system emmc dump to try to flash his working file system to a spare 4GB EMMC to see an example of the file system of a working android EMMC. I received the image and flashed it to a spare Toshiba chip and soldered that to the phone, but I was unable to get the phone to boot into android right away, only able to load up fastboot.
Interestingly, I know that the EMMC is working because fastboot reports the S/N as the S/N of Andrewmospak's device and not the one written on my device.
[What I don't know]
Should some of the partitions on the EMMC not be recognized by Gparted in Debian? Like the User/System and others are partitioned ext4 while others are just not recognized.
Why when trying to flash partitions using Fastboot, wont fastboot recognise a recovery partition. It would just say that the partition just doesn't exist. same story with boot.
[What needs help]
I would like to know why fastboot wont see flashable volumes when using the EMMC dump flashed to another spare Toshiba EMMC, it is clearly there.
I would like to know how to reconstruct a volume to fix missing ones, and the number of partitions android needs to run.
Would I be able to flash an image of my working device to a 32gb emmc and just expand the system and user partitions into that extra space?
I will appreciate all help given to assist me and others that want a working device instead of a paperweight. ogChamp: :fingers-crossed:
Click to expand...
Click to collapse
Hey, I am interested but I don't have the device.
First of all:
I would be fine if I wanted to stop there, but I wanted to try to install a GSI of android 9 in place of 4.1.2.
Click to expand...
Click to collapse
You can install a GSI on a 4.1.2 based device, but you can't without creating a vendor partition, GSI is a part of the Project Treble released with Oreo. It requires a vendor partition to work. On 4.1.2, there's simply no device with a partition called vendor, so you can't flash a GSI.
But, if you have a fully working Android Pie tree, you can make a vendor partition yourself.
alex39wkd said:
I was able to achieve the same, except GS dialer is not scaled correctly.
Not able to post link to image, as I don't have 10 messages.
So it is a/6aQYsz6 on imgur
Did not bother to fix it, as my intent is custom PJSIP dialer (someday
Headset sensor, led, mixer - figured out.
The only mystery is "mute" button and the red LED behind it.
Click to expand...
Click to collapse
As you didn't mention that you couldn't share any information like the reply previous to yours, would it be possible for you to share what you used to get there?
As someone with only linux, networking and voip knowledge and that never played around with Android ROMs/ADB before, that would get me started as I can ATM only get to ADB.
Also, did you use the version of android already on the Phone or Flashed it with a new ROM?
Thank you!
jtthecanadian said:
As you didn't mention that you couldn't share any information like the reply previous to yours, would it be possible for you to share what you used to get there?
As someone with only linux, networking and voip knowledge and that never played around with Android ROMs/ADB before, that would get me started as I can ATM only get to ADB.
Also, did you use the version of android already on the Phone or Flashed it with a new ROM?
Thank you!
Click to expand...
Click to collapse
I have used "adb pull" (in recovery mode) to dump boot partition, just used path to it in /dev/...
Used android tools to decompress and unpack boot.
Changed ro.secure to 0 and something like "meraki usb debug" to 1
Repacked boot partition
Used adb to switch to fastboot
Flashed boot and boot2 with this image
Now it is accessable as normal Android phone, for whatever you might want to do with it.
Is anyone able to provide a working ROM for this device? I'm extremely confused about how to get this working. I would greatly appreciate any advice.