I live in Japan and after more than 6 months I have successfully and permanently rooted both my Sharp 003 SH Galapagos and the 005SH Galapagos (Softbank not Docomo). My next concern is how to SIM unlock. I have been reading the posts about hacking the nv_bin file. I have searched through all of the the files (Root FTP thank you!) but there was no such file. I am happy to send along any screenshots or data files if that helps.
Thanks in advance.
Search Sharp 003SH Root Success and Sharp 005SH Root success on Youtube for more info
Can't really help you. Don't know anything about it. But I would like to know how you ended up rooting this phone of ours.
Its not a file on the filesystem. The sim locking in these phones is in the radio image; which can be accessed when you use the custom build kernel thats in the latest rootkit (I assume thats what you are using).
See the 2ch root/ROM thread for more details, but basically it is done through ADB, manually backing up the "_modem" partition; stripping the spare/ECC bytes and then extracting the radio OS using QualcommDumpAnalyser
I have managed to extract this image, but no idea where to go from there. None of the other device info seems to apply to this (HTC, Samsung, LG, any other Android that has had its sim-lock discovered in the radio)
Advice i got from the guys on 2ch: "Qualcomm's NAND code is neither difficult, nor unique, so if you know what you are looking for its not hard"
003SH 005SH Sim unlock
Thanks very much for giving me a new direction. I'll get started on it right away and let you know how it progresses.
It just sucks that the guys who know how to unlock it are staying quiet, saying its "taboo"
FYI, stripping the Spare/ECC bytes can be done manually (i wrote a C program to do it), but there is an option in the RevSkills app to do it all for you - i recommend doing that.
Of course we face another issue once we find the actual unlock - recalculating the ECC bytes after making the change; the only way to access the radio is with raw data access.
P.S. hope you have warranty on your phones - this is very likely to brick at least one phone until we get it right
---------- Post added at 12:30 PM ---------- Previous post was at 12:24 PM ----------
In the spirit of open cooperation, here are the instructions i was given, translated and simplified
In ADB Shell, type su to get the # prompt, then:
cat /proc/mtd <Enter>
Confirm that you have the "_modem" partition available. If not, you need to reflash with the custom build kernel
Dump the image to file with the following command:
dump_image -r -D -F _modem /sdcard/backupimages/modem.img
Access this with anything as "raw dump" and all blocks will get read as ECC error, so definitely dont do this
ECC positioning is different to Linux, so take care
The following maps out how 512bytes of data and 10 bytes of ECC info are stored in a 528 byte block:
0000 - 01CF (0-463): Data
01D0 - 01D1 (464-465): Unused (0xff)
01D2 - 0201 (466-513): Data
0202 - 020B (514-523): ECC
020C - 020F (524-527): Unused (0xff)
Use RevSkills application to extract the data portions:
Menu⇒Calculators/Generators⇒Android MTD Nand remove Spare and ECC
Extract all of the Data only portions out of the raw dump, and then use QualcommDumpAnalyser to read it and split up the various parts. I did notice that i wasnt able to get the AMSS block out with QualcommDumpAnalyser - i copied that out manually by calculating the byte positions shown in QDA.
003SH bootloader key sequence?
Eternalardor,
I'd be happy to swap information. Perhaps you could shed some light on the question of the bootloader for the Sharp 003SH and 005SH? There seems to be no discernible key sequence (Power+home+Volume up etc.) to access the bootloader. I feel like I've tried them all. Can you tell me this critical piece of information?
Is a form of the USB Jig necessary to access it?
Looking forward to your response.
003SH SIM unlock
Dominik,
Here are the results of the original /proc/mtd (before rooting)
boot
cache
misc
recovery
ipl
system
persist
log
battlog
calllog
ldb
userdata
I don't see the _modem partition. Should I?
I have also included a screenshot of the results showing size. I have most of them backed up as .img files too.
FYI: .img backed up sizes. Perhaps this will help you to ponder where the _modem partition may have gone. Maybe it's been renamed?
boot 11,264KB
cache 3,072KB
misc 1,024KB
recovery 11,264KB
ipl 15,360KB
system 419,840KB
persist 30,720KB
ldb 45,056KB
userdata 405,120KB
There is no bootloader menu AFAIK. If you install the custom kernel, you will have the option of a quasi-recovery mode, by pressing the home button between 7-12 seconds after the Galapagos logo is seen (or was that the Softbank logo)
Anyway, looking at the screenshots, it seems you do not have the custom kernel.
How did you achieve root on your phone?
To do this, you need to use the "003sh_005sh_dm009sh-rootkit" from at least 5/27 (recommend _0614); which is available on the 2ch forums. This includes 2 possible ways of achieving root:
1. A modified standard kernel (boot image), which, when flashed gives you regular root access
2. A custom compiled kernel, which has full root, a bunch of power profiles, and heaps more features (inc that quasi recovery), as well as access to the "_modem" image.
Judging from your youtube videos, you speak some Japanese, so the Japanese menus in the rootkit shouldnt be much trouble.
http://www1.axfc.net/uploader/Si/so/142435
This is what i used.
Go here for help/instructions http://anago.2ch.net/test/read.cgi/android/1337845757/
And dont even think about typing in English on there, or you will be ignored and/or told to go away
This all looks familiar. I have been using the root kit (5/27) to get where I am now - step by blessed step. It was pretty straight forward BUT I have never seen the option to write to the system partition. It is in all the instructions but the only option I have with respect to the system partition is to back it up. I'm confused as to why it doesn't seem to show up for me. I am using a Japanese machine so all the characters are displayed and I can read the instructions but I can't find help anywhere as to why I don't have that particular (and critical) option. I can see a lot of new and cool options in the 6/14 release. I'm excited and would like to get it installed.
I'll let you know how it goes. Thanks for your help .... keep it coming!
And another thing
Could you explain a little more about "having" the custom kernel? Using the root kit, I wrote to the Recovery partition then the Boot partition then rebooted from the Recovery partition and all seemed well. As I said above, I have never been able to write to the System partition despite it appearing in all the instructions. I suspect that is what is holding me back from the latest and greatest custom kernel. Still, I am enjoying all the same functionality that everyone else seems to be enjoying in root. What am I missing?
Eep, you wrote to the boot partition before trying the recovery? Brave!
The steps should be:
Write image to recovery partition;
Then reboot to recovery partition (from the menu) and confirm it all works without errors.
Then write image to boot partition
And then turn off the phone, and reboot (the last part is only my instructions - you could just select "reboot to boot partition" from the menu)
You are doing this on your 005SH right? It should be the same for the 003SH, but i only have the 005SH. In the rootkit there is 2 options when you say "burn custom image":
1 カスタムビルドrootedカーネル(リカバリーキット機能付き)
2 S4080 標準rootedカーネル(簡易リカバリー機能付き)
Q 中止してメインメニューへ戻る
You must do the first one, the CUSTOM rooted kernel, to get any of the really cool features. The second option is only if you just want root access for a particular app or something. AFAIK the second option doesnt even disable MIYABI LSM, which prevents you from mounting the system dir as R/W
But either way, writing to the System dir is not important for what we are doing. You need the Custom kernel, which gives you access to the "_modem"
Edit, i just noticed in your screenshots above, you didnt even get root in ADB shell?
Type
ADB Shell<Enter>
Then type
su<enter>
The cursor should change to a #, this means root. You may get a prompt on the phone from Superuser asking you to give root access to "shell". Once you have this try the cat /proc/mtd again
jcroot003sh,
can you tell me how to root 003sh?
Use the link i provided in my previous post
http://forum.xda-developers.com/showpost.php?p=27989085&postcount=8
You can use a translator if you dont understand Japanese, but the general instructions are in the post above yours
I translated it for a friend, but that is at work, so wont be able to put it up until monday.
DominikB said:
Use the link i provided in my previous post
http://forum.xda-developers.com/showpost.php?p=27989085&postcount=8
You can use a translator if you dont understand Japanese, but the general instructions are in the post above yours
I translated it for a friend, but that is at work, so wont be able to put it up until monday.
Click to expand...
Click to collapse
Thank you for your replying. I will wait for your translated version. You are really a good person.
Progress
I have successfully found and dumped the "_modem" image. Exactly as you stated - forgot the "su" command in ADB. Thanks. The next problem is editing out the code. I am way above my head here so I will do some research before bugging you for a step-by-step for that.
Also, the bootloader worked. I didn't realize how to do it until I read the notes in the 6/14 release. I successfully put a previously dead phone back on it's feet EXACTLY to the point of my current phone simply by backing up and then restoring partitions through the bootloader. Very slick and easy.
Will get to work. I'll be in contact soon with my progress on the SIM unlock.
I have spent a bit of time looking at it, it certainly isnt easy (Certainly isnt a "lock=yes" section). I assume the actual locking portion is encrypted/compressed/or just compiled, because it would be too easy otherwise (be happy to be proven wrong). For starters, i cannot even find my IMEI number in the dump file... I think that this dump only includes the radio code, not the NV RAM which contains the IMEI and SIM Lock status. If that is the case then the solution should be to change the portion of the radio code that queries the NV RAM, so that it doesnt care if the SIM lock is supposed to be applied.
Extracting the spare/ECC bits out should be done with the RevSkills app; extracting the relevant portions, that is a bit of a cludge; QualcommDumpAnalyser can show the start/end positions, but doesnt extract the AMSS part (AFAIK thats where the code will be). You need to use a hex editor to cut that part out manually... And i am still not 100% sure what the block size is on this NAND.
Good luck!
And if there *are* any experienced hackers out there willing to help out, i can offer some monetary help (as will a few of my fellow Japanese smartphone owning friends) as this will be valuable for not just these 2 phones (there is an army of 007SH owners waiting on this unlock)
Shall we give the 007/009 a shot?
I can see mountains of the 007SH on the auction (mostly pink). Perhaps I should pick one up and take it for a spin. I am happy to try to do something to help out for all the help I am receiving.
Or perhaps the 009SH?
How hard would it be to crack the 007? The 009SH looks like it is supported in the latest release kit.
Thoughts?
Currently, the 003/005SH are going to be the easiest, because they have the custom kernel which allows access to the "_modem" image. To do it on the 007SH we need to build a custom kernel (compiled from the sources available on the ktai-dev site), and add the modem access code (this is in the src directory of the rootkit). Not impossible, but i dont have a Linux machine to compile the sources.
However i think that the code will be fairly universal. Once we find it on the 005SH we will know what we are looking for on the 007SH as well. That will make many people happy
Anyway, my 005SH is under warranty/anshin plan so i dont mind if it gets bricked (especially now that we can take nand backups).
First things first though - examining the 005SH modem image. Does anyone know whether the NAND is a 16kb or 128kb block size? Or is it something completely different?
P.S. The DM009SH is just the Disney Mobile version of the 003SH
Linux machine no problem
I have a Linux server running 24/7 so compiling the kernel is easy. Don't let that be the holdup. I'll keep working on the 003SH _modem image.
DominikB,
I can't open this site [anago.2ch.net/test/read.cgi/smartphone/1319287551/] on channel2 for free. This site had been moved to the past-log storehouse. So.... I even can't look at Japanese version for rooting 003sh. It is very helpful if you can show me the steps for rooting 003sh.
Related
I have been working on some boot/recovery ROM rebuilds for the Garmin/Asus Garminfone A50 (T-Mobile), as well as the scripts and instructions... I'm not sure where to host them.
I personally don't want to host them myself, and was wondering if there is a repository of sorts.
At the moment, I have the following:
* The tools necessary (dump_image & flash_image) to dump the firmware from the phone
* The scripts necessary to unpack/repack the boot/recovery ROM's (modified to support the Garminfone's different address layout). Linux based.
* Pre-built boot and recovery images that give permanent root and mount the system/data partitions as r/w by default.
* Instructions on how to do it yourself, complete with some tech info on the layut of the Garminfone boot/recovery images and how to verify before you flash it that it built properly.
* Instructions on how to flash the phone without risking bricking it, since there is no hardware key combo to get into recovery and a fastboot that's not fully implemented. The technique goes like:
- Verify with a hex editor that the proper addresses are in the header
- Flash the new boot image to recovery
- Reboot into recovery to make sure it boots the new boot image properly
- Flash the rooted recovery image to the recovery partition
- Reboot into recovery once more and verify that works
- Flash the tested boot image to the boot partition
- Reboot normally and have fun
That method works fairly well, and unless you target the wrong partition, and gives you a 99.9% success rate
I'm going to post what I can on the Wiki (as far as instructions go), but it would be nice if I had a place to put the tool set as well.
I'd rather not use one of the temporary sites like Mediafire or what not, since files on those sites have a tendency to disappear.
Please no PM's on having me send them the files directly. I don't have a heck of a lot of spare time and don't want to get into the habit of sending these out manually.
If you're against the typical file hosts and the files aren't too big you could try using dropbox or sugarsync and sharing the links.
Can I ask you a question? I have a Kyocera ZIO M6000 and have the openzio clockworkmod 2.5.1.1 port that only works with "fastboot boot openzio-recovery" and we have tried flashing to our recovery partition with no success. What will it take to break the tether and reboot recovery locally without fastboot?
Sent from my Zio using XDA App
merwin said:
I have been working on some boot/recovery ROM rebuilds for the Garmin/Asus Garminfone A50 (T-Mobile), as well as the scripts and instructions... I'm not sure where to host them.
I personally don't want to host them myself, and was wondering if there is a repository of sorts.
At the moment, I have the following:
* The tools necessary (dump_image & flash_image) to dump the firmware from the phone
* The scripts necessary to unpack/repack the boot/recovery ROM's (modified to support the Garminfone's different address layout). Linux based.
* Pre-built boot and recovery images that give permanent root and mount the system/data partitions as r/w by default.
* Instructions on how to do it yourself, complete with some tech info on the layut of the Garminfone boot/recovery images and how to verify before you flash it that it built properly.
* Instructions on how to flash the phone without risking bricking it, since there is no hardware key combo to get into recovery and a fastboot that's not fully implemented. The technique goes like:
- Verify with a hex editor that the proper addresses are in the header
- Flash the new boot image to recovery
- Reboot into recovery to make sure it boots the new boot image properly
- Flash the rooted recovery image to the recovery partition
- Reboot into recovery once more and verify that works
- Flash the tested boot image to the boot partition
- Reboot normally and have fun
That method works fairly well, and unless you target the wrong partition, and gives you a 99.9% success rate
I'm going to post what I can on the Wiki (as far as instructions go), but it would be nice if I had a place to put the tool set as well.
I'd rather not use one of the temporary sites like Mediafire or what not, since files on those sites have a tendency to disappear.
Please no PM's on having me send them the files directly. I don't have a heck of a lot of spare time and don't want to get into the habit of sending these out manually.
Click to expand...
Click to collapse
I would also suggest dropbox or even id host them off my computer via ftp
Can your method work with Garminasus A10?
Merwin you still working on this?
Yeah, I am working on it still. I am still looking for a better place than dropbox or hosting off of someone's home PC...
As for the A10, if you can get me a dump of the boot and recovery images I can make one for that too... you will want to preferably use the dump_image utility to get the image and the flash_image utility to flash it.
I can probably attach those to a post with dump instructions. They're tiny.
Basically, you root your phone, copy the files to a certain location, type a couple commands to fix permissions on the executables, then run a command to dump the image.
Flashing back requires clearing the boot or recovery partition with a command and then using the flash_image command to flash it.
My method tests the new boot image first by flashing it to recovery first and rebooting into recovery to make sure the new image works. Then flash the modified recovery image to the recovery and make sure it is rooted (so you can get things up again if something does go wrong). Then you flash the new tested boot image to boot. If, for some reason, that fails, it should reboot automatically into recovery after a few boot failures. Never had to test that, since I pre-test all images I make.
hi merwin, we are a fans group of GA a10 and we trust a lot in your work! if you need any kind of help contact me! probably you are the first in the world who can flash a GA phone
Merwin, Im not completely sure which type of place your looking for if its not either ftp or online file sharing
Rapidshare
2shared
Filefront
4shared
Hi merwin,
I found this page, is that similar to your method? Hope you guys can find out something.
http://mygarminfone.blogspot.com/
afoster1003 said:
Merwin, Im not completely sure which type of place your looking for if its not either ftp or online file sharing
Rapidshare
2shared
Filefront
4shared
Click to expand...
Click to collapse
You forget one widely used protocol. Good old http on a standard web server.
Those other sites annoy me greatly, between the amount of ads, having to wait to download and daily limits, and the fact that they are temporary unless I pay. I am against them on principle.
I figure if there is enough interest, someone will step up to host them, otherwise I will just provide scripts, instructions, and technical info for people to do it themselves.
slumpz said:
Hi merwin,
I found this page, is that similar to your method? Hope you guys can find out something.
http://mygarminfone.blogspot.com/
Click to expand...
Click to collapse
You are my hero That blog has the missing pieces I need to keep going.
A couple of days ago I found some info on how to decompile the .update files which gives us the recovery image and system partition from any other phone that uses a similar format, like the Asus A10... providing a whole host of opportunities for the Asus phones that are still being maintained.
For instance, I grabbed the files from the Chinese A50 that has newer firmware.
With the info from the blog, I may be able to at least compile and integrate the newer kernel and wifi firmware (which is stored on the phone and loaded into memory at boot). The Chinese version does have newer wifi module firmware in it... whether it is compatible or not is another story.
On another note, has anyone successfully downloaded the open sources kernels from Asus? I have tried every method on their site and all but a couple of the kernel versions in the zip are corrupt. One from march extracts fine, so I may use that as a base to start with.
merwin said:
You are my hero That blog has the missing pieces I need to keep going.
A couple of days ago I found some info on how to decompile the .update files which gives us the recovery image and system partition from any other phone that uses a similar format, like the Asus A10... providing a whole host of opportunities for the Asus phones that are still being maintained.
For instance, I grabbed the files from the Chinese A50 that has newer firmware.
With the info from the blog, I may be able to at least compile and integrate the newer kernel and wifi firmware (which is stored on the phone and loaded into memory at boot). The Chinese version does have newer wifi module firmware in it... whether it is compatible or not is another story.
On another note, has anyone successfully downloaded the open sources kernels from Asus? I have tried every method on their site and all but a couple of the kernel versions in the zip are corrupt. One from march extracts fine, so I may use that as a base to start with.
Click to expand...
Click to collapse
I have, magically I might add. I downloaded the source for v.5.0.70 and managed to get it compiled. The resulting files can be found on on my blog, the one Slumpz posted(I can't post links yet, lol.)
The only problem is, I don't have much experience with anything linux. But, If you have any questions Merwin, email me, [email protected].
Here's a little how to, just check my blog, or google: How To: Build Garmin-Asus Kernel from Source.
am willing to giv a subdomain/storage ftp access on this domain for the good of the community if it helps any
Domain darkjester.net
Disk Usage 5.4 / 1500.0 MB
Bandwidth 100000 MB (100GB)
Home Root /home/a2931495
Apache ver. 2.2.13 (Unix)
PHP version 5.2.*
MySQL ver. 5.0.81-community
Activated On 2011-05-15 14:42
Status Active
Hello guys, are you still working on this.
I found out that A10 has a new firmware posted, which is versioned 5.2.7 instead of 5.0.x like the others. I wonder if there's any method to test this firmware on foreign A10 (non Chinese firmware)?
So, got an HTC Sensation 4G... meaning not much more work on the Garminfone for me.
Still trying to find time to compile everything that I have done into some semi-coherent document with the unlocked boot and recovery images. I still have the Garmin, so if someone manages a huge breakthrough then I may pick it up again. Really didn't want to get rid of the phone but there just isn't enough community development going on to make it worthwhile.
By the way, the Garminfone GPS blows every other phone away. The Sensation 4G is crap in comparison.
Hi! So I'm wondering if anyone know if there is\have been any development for
the Tizzbird Stick N1 (M\G) ?
We have this Android-stick in stock at my store, but I'm not sure if I'm going to get it or not yet. Depends the development, as I'd really like to see the capabilities for it. I believe it's a lowbrand tho. so I might be out of luck.
Anyone know anything?
I searched the forums, and did a google search. Didnt find much.
regards,
Dag M.
Hi there!
I own one of those, and there are a handful of (german-speaking) people activly posting in this forum http://forum.tizzbird-tv.de/ about the Tizzbird N1. - The problem with that forum is that they heavily censor it - as soon as anyone posts info on how to "get in", or if someone asks uncomfortable questions - those posts gets deleted.
They sell it really cheap for 30€ (not all the time, but twice for one day @ redcoon) and although the Wifi-Chip (or the drivers for it) are really crappy, the media player part is really nice.
update: I've did a little research, and here is a little list of relevant links about the tizzbird n1:
==== Marketing Product Pages ====
http://valueplus.co.kr/english/product/product_player_n1.html
http://www.tizzbird.com/eng/index.php?mm_code=719&sm_code=755
http://tizzbird-tv.de/tizzbird/tizzbird-n1.html
==== Official Firmware ====
http://www.tizzbird.com/eng/index.php?mm_code=726&sm_code=727&board_search_head_word=stick+n1
http://download.tizzbird-tv.de/TizzBird_N1G_update_GMS_V3_20_13072719.tzbird
==== German Support Forum (posting info about root-access prohibited) ====
http://forum.tizzbird-tv.de/viewforum.php?f=11
==== GPL-Code for Tizzbird N10, N20 & N30 - but not for N1? ====
http://www.tizzbird.com/eng/index.php?mm_code=752&sm_code=754
==== Kernel Sources ? ====
http://www.cnx-software.com/2012/03...k-n1-android-ics-hdmiusb-dongle-media-player/
http://www.cnx-software.com/2012/07...hips-tcc8925-mini-pcs-cx-01-z900-tizzbird-n1/
https://github.com/cnxsoft/telechips-linux
Yeah, the pretend to be "community friendly and supportive" but once you actually start digging in, they get quite agressive and boot you out.
Anyways, I got a N1 a couple of days myself now (snagged it for 30 bucks at another RedCoon sale ) and I am surprised.
Got it pretty much only to tinker around with it and this thing suits more perfectly for that than I imagined.
Esp. that fact they used a simple SD card as "internal flash storage" - my guess is because a simple SD is cheaper than an actual eMMC flash chip, but it's so cool on so many levels for us.
I already found out how to replace the 4GB SD with a bigger one (have a 16GB in mine ATM).
I'll post some more details about it here later, got a few things I want to test and/or prepare first (thinking of some "easy to use cloning script"), but long story short:
You need to copy the bootloader to the very end (last few blocks) of the SD you want to use.
Once the BL is at the proper place it already boots from the new SD again, to be sure everything is as it's supposed to be one should apply an update via USB (I'm not 100% sure about a possible pointer to the BL that needs to be corrected, which the update does).
After that the partition information has to be edited to make the userdata partition larger and you're done.
thanks for the info HellcatDroid!
It would be great if you could elaborate on how to put the bootloader at the end of the sd-card.
Also I would love to get info how to get root into the stock firmware, that crippled down root-firmware that they allow to exist in the official tizzbird forum doesn't really satisfy my needs
I did it via a hex editor, but it should be doable with a few "dd" commands as well - that's one of the things I still want to try, find the propper dd params to copy the BL over.
If you dumped the original SD into a file using dd, at the very end of the image file you will find the bootloader and the very last block of the SD is a "header" telling the bootrom of the N1 a few things about it, so it can properly locate and load it.
So what you got to do is to copy those last ~230k from the image to the end of the new SD card.
As said, I'll try to write a small shell script that does it.
The rooting is even more easy (Stonecold would kill me if he'd read this, lol):
For when running on Linux (no can do on Windows, as Windows doesn't know the ext4 FS):
Since you got the SD in your PC anyways already, just mount partition 2 (e.g. if the SD is sdc on your PC, mount /dev/sdc2).
That is the partition where the Android system is sitting on.
Then just copy over the files needed for root to where they need to go, chown/chmod them properly, unmount and done
I used the "update-supersu.zip" I had for my Nexus7 to grab the required files.
But I'm planning to make a simple rooting script as well.
So if all goes as planned it'll come down to
- insert original SD
- run script 1
- insert new SD
- run script 2
- to root run script 3
brilliant! I would love to see those scripts
way easier than start tinkering with that stuff myself
One thing I wonder about - over at the official forum you said that a simple dd copy didn't work - is that if the target sd-card is bigger or also for an sd-card of equals size? because with equal size simple dd copy of the sd-card should still work, even if some things need so be exactly at the end.
Yup, just a dd didn't work because the new SD card was larger and the bootloader ended up being somewhere in the middle of the card instead of at the end.
While your thought of "dd to equal size cards" is totally correct, it might still fail due to the fact every card is not 100% exact same size counting down to last byte.
There ususally is a tiny size difference (a few bytes to kbytes) between cards, even if they are supposed to be same, so the bootloader might end up truncated or not exactely at the end.
If, however, the size of the cards is 100% the same, down to the last byte, then yes, a simple dd clone would work.
HellcatDroid said:
... There ususally is a tiny size difference (a few bytes to kbytes) between cards, even if they are supposed to be same, so the bootloader might end up truncated or not exactely at the end. ...
Click to expand...
Click to collapse
Oh! Didn't know that. I thought same marketing size means not the same size they write on the box, but at least the same size between those that are marketed with the same GB numbers on their stickers.
OK, here we go, I slapped together a few scripts for prepping a new (and larger) SD card to work in the N1 and while having the SD in the PC to aplly some root.
* hints at attachment of this post
The scripts might still have problems and not work on any Linux out there, but it's a start.
If there's more people interested and joining in on this I might continue but for now I got what I wanted - more storage and root.
Hi
I think I destroyed my MiniSC cand! The N1 is dead. I tried to insert the card in a linux and gparted did not see anything. What can I do?
thank you for your help
somade said:
Hi
I think I destroyed my MiniSC cand! The N1 is dead. I tried to insert the card in a linux and gparted did not see anything. What can I do?
thank you for your help
Click to expand...
Click to collapse
Could you post how you got there? what did you do to the sd-card that destroyed it?
Hi.
If you got a dump from a working state of the SD you can just dd it back onto the card.
If you don't, it can still be recovered but might need bit more work.
Two options:
find someone who gives you a dump of their card and use the write-card script from my above post to write it to your SD.
Problem with this: a working dump contains copyrighted code, like the bootloader, it technically it's "not OK" to share it
we come up with another script that only contains an "empty" image (i.e. only partitioning information) and that takes the bootloader and recovery from the official update and gets the card into a state that it boots into recovery and lets you install a working system using the official update from USB (option in the recovery menu)
Option 2 would be nicer, IMO.
I'll try to make up said script
Thank you for your immediate answer!.
Actually I dont know what has happened, maybe the sharp instrument I used to remove the plastic cover scratch it...But now when I put it in a card reader the led of the reader switch off and the card is heated!!!. And also when I put it in the N1 the blue led turns off!.
So I bought a new empty micro Sd .
Waiting for your script to partition the new card and then boot in recovery mode and install a firmware....
Because I am not expert to linux please give me a lot of details how to do this.
Thanks again!
HellcatDroid said:
we come up with another script that only contains an "empty" image (i.e. only partitioning information) and that takes the bootloader and recovery from the official update and gets the card into a state that it boots into recovery and lets you install a working system using the official update from USB (option in the recovery menu
Click to expand...
Click to collapse
Do you think the bootloader is even part of the offical updates? wouldn't it be "best practice" to leave the bootloader partition alone as long as possible (and normally firmware updates don't need to change the bootloader)
update: something else I've just found, those might be kernel sources for our Tizzbird N1:
http://www.cnx-software.com/2012/07...hips-tcc8925-mini-pcs-cx-01-z900-tizzbird-n1/
-->
https://github.com/cnxsoft/telechips-linux
Yep, the bootloader is in the update - at least in the 3.20 one.
And yes, usually the bootloader shouldn't be touched because that's usually the one thing that can "perma-brick" Android devices.
However, sometimes the manufacturer updates it (fixing bugs, adding functionality) - on my Nexus7 they updated the bootloader on pretty much every update and also Samsung updates their bootloaders every now and then (and every single update flashes the current one).
Last, not least, on the N1 the bootloader isn't on a partition but at unpartitioned space at the very last blocks of the SD (=> reason for a simple dd to a larger card not booting).
Ohyay at the possible kernel sources!
It'd be so cool if that's really sources able to build a kernel for the N1 with - I think we might be able to even get custom recovery (CWM and the likes) on the N1 if those sources work
OK, while trying to recreate a working SD card w/o using a dump of a working one I found out a few more things - some of them still need figuring out if we wanna do it properly.
There seem to be TWO bootloaders!
A stage1 bootloader of ~1kB size located at the third and second last block of the SD. If it's missing the N1 can't boot and it looks like ARM code (haven't tried to disassamble it yet), I assume the bootrom loads and executes that piece of code which in turn parses the header (see below) and load/starts the stage2 bootloader (the one also found in the FW update).
The very last block of the SD is a "header block" with some information beeing parsed either by the bootrom or (more likely) the stage1 bootloader.
The headerblock contains (among numerous other unkown data) the size of the ("stage2") bootloader (the one that then actually loads and boots the Linux kernel of the Android OS, this is also the one contained in the FW update) and the usable size of the SD card! (everything works fine though if the SD size is wrong and a proper FW update updates the header during writing of the bootloader and also sets the correct size).
Also, the headerblock has a checksum of which I have no clue on how it is generated.
All that is just educated guesses and might be totally off, but for now it looks like it's not too far off.
So, for now we can assume the following boot sequence:
Boot-ROM
-> loads stage1 bootloader from fixed position "SDsize - 3 blocks" (1 block = 512bytes)
stage1 bootloader at fixed position on SD
-> checks checksum of headerblock (?), gets size of stage2 bootloader from headerblock, locates stage2 bootloader based on it's size and loads/executes it
stage2 bootloader on variable position on SD
-> base initialisation of hardware
-> checks for recovery trigger (the red button on the remote control) and boots kernel from partition 6 if trigger present
-> boots kernel from partition 1 if recovery was not triggered
-> enters fastboot mode when booting the kernel fails
Kernel
-> loads base drivers and boots up the system
you're brilliant Hellcat!
And did you also find both bootloader stages inside the firmware updates?
Another question that came to my mind while reading your post (fastboot..)
Is there a way to use the Tizzbird as USB-slave? So to make use of adb and fastboot and such stuff? Okey adb could also be used via network I guess..
somade said:
Hi
I think I destroyed my MiniSC cand! The N1 is dead. I tried to insert the card in a linux and gparted did not see anything. What can I do?
thank you for your help
Click to expand...
Click to collapse
Somade, do you have a linux running on your pc? If no, download and get a knoppix running. and then contact me via pm. I have the original n1 image so no problem to recover the n1.
sebastian.heyn said:
Somade, do you have a linux running on your pc? If no, download and get a knoppix running. and then contact me via pm. I have the original n1 image so no problem to recover the n1.
Click to expand...
Click to collapse
Welcome to our rouge and non-censored Tizzbird N1 forum Sebastian!
I wonder if you found us here, if the German Tizzbird support also already knows about us
update: I just remembered, I've sent you the link as PM over in the official forums, thats how you landed here.
Sharing your sd-card image might be a copyright violation, and if you're profile name is strongly linked to you're real identity you should definitly be cautious with such things on public forums...
kaefert said:
And did you also find both bootloader stages inside the firmware updates?
Click to expand...
Click to collapse
Nope, unfortunately the stage1 bootloader is not in the update :-/
kaefert said:
Is there a way to use the Tizzbird as USB-slave? So to make use of adb and fastboot and such stuff? Okey adb could also be used via network I guess..
Click to expand...
Click to collapse
Yeah, it works, even officially XD
Go to the TizzBird settings -> "System Settings" -> "Advanced Settings"
It has an option "OTG Mode" there, set it to "Debug".
If you have your N1 connected to your PC via the micro-USB port (and hence your PC powering the N1!) you can use ADB and fastboot just as usual
I have not yet tried if that option is persistant, i.e. it survives a power loss.
When booting the kernel fails it should fall back to fastboot mode, so flashing a new kernel w/o pulling the SD should be possible - need to test this a bit more, though.
What works is, if you're rooted and and you fire the command "reboot bootloader" from a root shell, that gets you into fastboot mode no matter what (given you applied above mentioned setting first).
But needing a running system to get into fastboot mode kinda defeats the purpose of it - this aint Ouya which is a total fail when it comes to fastboot XD
---------- Post added at 09:26 AM ---------- Previous post was at 09:05 AM ----------
kaefert said:
I wonder if you found us here, if the German Tizzbird support also already knows about us
Click to expand...
Click to collapse
Eventually they will, I'd say.
And I'd love to see their faces when they do XD
Hi all. First, apologies if this is the wrong place for this sort of post. It's mainly just a collection of my notes on the Verizon LG G3 running stock software update VS98510B, so there are a lot of different topics touched upon. I'm usually pretty shy around forums, but I figured something I've found might be useful to someone else, so I finally decided to post here. Anyway, here's what I've found.
Autorun Installer
This really annoyed me for a while when I first got the phone. Every time I'd try connecting it to my computer, it'd enter some sort of installer mode for LG/Verizon drivers. It would stay in this mode for about 30 seconds unless I manually put it back into ADB mode. After a good bit of digging around, I found out how to disable it without root or any special permissions. Open the stock dialer app, then enter the code "##3328873" and press send. It'll prompt for a service code, which is (of course) "000000". While the Verizon G3 appears to be missing a large chunk of the hidden menus, this section still seems to work. One of the options is a checkbox for "Tool Launcher enable" - uncheck it to disable the Verizon autorun installer.
Sideloading in Recovery Mode
I was curious how IORoot worked, so I started taking it apart. Basically, on the G3, it just uses a .zip sideloaded in recovery mode to copy over the su and related binaries. There's a decent bit of documentation out there on how to create your own .zip for sideloading, but I found one catch - the .zip needs to be signed with the proper key, or recovery will reject it. It turns out that this key is located at "./bootable/recovery/testdata/testkey" in the AOSP project. I forget the exact command for signing the .zip, but using this key, you can create your own sideload applications. Edify provides a nice way to script your application; I used it to create a sideload application to replace the HotspotProvision apk with a slightly modified version that skips the billing checks. Doing so does not require root access, as the sideloaded application appears to run as root by default. Replacing "HotspotProvision.apk" also does not trigger the root detector. However, I also made my own sideload .zip to copy over the su binary I compiled from AOSP - as soon as I booted the phone, the software status indicator changed to modified. I have some more information on that below. If anyone wants either of these sideload applications, I can upload them somewhere with their source, just let me know.
Ramdisk Compression
The boot, recovery, laf, and factory partitions are all mostly in standard format and can be split into the kernel and ramdisk parts with existing tools. However, most tools seem to expect the ramdisk to be compressed using gzip. Since it's not, they'll fail to extract the cpio archive from it. The G3 ramdisk is compressed using LZ4 instead. Once decompressed using the standard LZ4 utility, it has the same structure as a normal boot ramdisk - the cpio archive can be extracted to view the boot filesystem. I haven't really looked into it, but I believe the boot images all have a device tree binary appended after the ramdisk as well.
AT Commands
When looking into the boot process, I stumbled upon the AT command framework for the G3, which proved to be rather interesting. When connected to my computer in ADB mode, the phone exposes two serial ports. One of these ports looks like it's supposed to accept plain-text AT commands, but it also has been rather buggy in registering the end of a command for me. The other port accepts commands in some sort of binary format that I have not taken apart yet. If you want to send AT commands to the phone from ADB shell, write them to "/dev/smd0" and read the response from there. Sometimes, the response is not put on the device for some reason, but instead just printed to the logs under the tag "Atd"; just use "logcat Atd:V" to view them. The requests seem to be handled by "/system/bin/atd", which largely uses "/system/lib/libatd_common.so" to work. Looking through the disassembly showed some interesting things, included what looked like a test command that involved the bootloader unlock status, though I haven't figured out exactly how it works yet. A lot of the commands began with "AT%", which I think is the vendor specific prefix for AT commands typically. For some reason, I couldn't get any of these commands to work, even though some of the standard commands worked fine. One particularly interesting function (to me) was one that claimed to be able to write the software bootloader, SBL1. The function was called "store_sbl1_image"; there are some other functions that affect sbl1 as well. There are also functions for qfuses/QFPROM and other things that may be of interest to us. A lot of these functions access the misc partition through "/system/lib/liblgftmitem.so", so that may be a partition worth looking into.
Volume Key Booting
Entering the dialer command "##228378" and pressing send brings up a menu that has an option called "Device Test". Choosing this option prompts you that the phone will reboot; if allowed, it will reboot into MiniOS mode, which is stored in the "factory" partition ("/dev/block/mmcblk0p40"). This mode allows you to run a number of device tests, though many options are disabled somehow. One interesting thing I've observed is that, if the phone is shut down from MiniOS mode, then turned on by holding the volume down and power buttons simultaneously (possibly while plugged into a computer, I forget if this is necessary), the phone enters a pseudo-recovery mode that vaguely resembles real recovery mode, but is actually implemented after boot. Another volume key command is to hold volume up while powering on and connected to a computer by USB (the USB connection is required). This boots into factory download mode from the "laf" partition("/dev/block/mmcblk0p33"). The only way I've found to exit this mode is to remove the battery from the case. One final note is that while booting into normal mode, but having done so by holding volume down and the power button, the bootloader logs a message that it is going to enter fastboot mode. However, it does not and just boots normally instead. It seems that fastboot can only be activated if aboot fails to boot normally. I've read of people accomplishing this by messing up the "laf" partition and then booting into download mode, but I've not tried it myself.
Root Checker ("/system/bin/rctd")
After already setting my system to the "modified" status, I looked into the root checker executable at "/system/bin/rctd". A quick disassembly showed almost no strings in the binary. This is because they are all obfuscated. To load the strings, as series of instructions store individual characters into the stack at the proper offsets, eventually forming all of the strings needed by the program. Because I don't have the "Pro" version of IDA, I can't just run the executable through the debugger to get the strings out, so I had to resort to writing a really hacky emulator for a few ARM instructions to produce the strings. I only did this for one function, but the results were rather interesting. This function constructed the following string(s): "mt6575 mt6577 /sbin/su ro.hardware /system/bin/su /system/xbin/su /system/sbin/su /data/local/tmp/su /system/bin/busybox /system/xbin/busybox /data/local/tmp/busybox /system/app/Superuser.apk /system/app/SuperUser.apk /system/app/superuser.apk /system/app/SuperuserPro.apk /data/local/tmp/Superuser.apk /data/local/tmp/SuperUser.apk /data/local/tmp/superuser.apk /data/data/com.noshufou.android.su". I'm assuming this is a list of all of the files that the program looks for to determine if the phone has been rooted. In theory, using some way of randomly naming these files could prevent the root checker from detecting a rooted presence. If anyone who has IDA Pro wants to run "rctd" through the debugger, they might find more interesting things.
fastboot oem-unlock
While I've not tried booting into fastboot mode myself, I have "manually" executed the "fastboot oem-unlock" command. By disassembling the "aboot" partition ("/dev/block/mmcblk0p5"), I found that oem-unlock writes the value 0x01 to offset 0x1FFE10 of the "aboot" partition. I replicated this action with the command from a root shell "echo -en '\x01' | dd of=/dev/block/mmcblk0p5 bs=1 seek=2096656 count=1 conv=notrunc". After doing so and rebooting, which seemed to take longer than usual, I checked the kernel logs in "/data/logger/kernel.log*", and, in the bootloader logs section, there was a line displaying "[ 0.355056 / 01-01 00:00:00.340] [580] use_signed_kernel=0, is_unlocked=1, is_tampered=0.", seemingly indicating that the device was unlocked. However, it is not, as I'll mention later.
LGFTMITEM Spam in logcat
On the two VS985 phones I've looked at, both seem to produce a large amount of spam to logcat under the tag "LGFTMITEM". This takes the form of several lines being logged every 500 ms, consistently. I believe that setting the property "sys.lgsetupwizard.status" to "1" should stop it, though I haven't been able to do so successfully yet.
Bootloader Unlocking
One of the main goals of my tinkering has been to find a method for unlocking the VS985 bootloader. I believe I have identified the path to do so while disassembling "aboot", but I do not know how to enable it. I'll try to describe it here. In "sub_F81FF5C" of the "aboot" partition (I created a basic ELF format binary from the partition by trimming the first 40 bytes of the partition dump and then creating a single section ELF file loading that trimmed portion to address 0x0F800000), there is code that verifies the kernel and ramdisk images of the loaded boot partition. The code refers to "FEATURE_LGE_QCT_HW_CRYPTO", if that has meaning to anyone. Before the verification takes place, however, the function calls function "sub_F81FF58" with a memory location passed in R2. If this function call stores the value 0x67661147 in the memory pointed to by R2, the function bypasses all of the verification checks and simply prints "Device UnLock". This is why I believe "fastboot oem-unlock" would not be effective - my bootloader logs still indicate that the bootloader is taking the cryptographic verification path even though I have "unlocked" the device. I've tried to follow the function calls from here, but they get rather complicated and refer to memory locations not within the executable itself, which confuses me. In one of the functions invoked from here, which seems to print out the results of some sort of command, there are the strings "READ_UNLOCK_DEVICE_CERTIFICATE", "UNLOCK_DEVICE_AUTHENTICATION", "ANTI_ROLLBACK", and most interesting to me, "BACKDOOR". I've been having trouble figuring out how this part of the code works, so if anyone has any ideas, I'd be interested in hearing them.
Well, I think that about covers most of what I've found out about this phone. I'd be happy to explain anything in more detail if it's not clear.
IllegalArgument said:
Hi all. First, apologies if this is the wrong place for this sort of post. It's mainly just a collection of my notes on the Verizon LG G3 running stock software update VS98510B, so there are a lot of different topics touched upon. I'm usually pretty shy around forums, but I figured something I've found might be useful to someone else, so I finally decided to post here. Anyway, here's what I've found.
Autorun Installer
This really annoyed me for a while when I first got the phone. Every time I'd try connecting it to my computer, it'd enter some sort of installer mode for LG/Verizon drivers. It would stay in this mode for about 30 seconds unless I manually put it back into ADB mode. After a good bit of digging around, I found out how to disable it without root or any special permissions. Open the stock dialer app, then enter the code "##3328873" and press send. It'll prompt for a service code, which is (of course) "000000". While the Verizon G3 appears to be missing a large chunk of the hidden menus, this section still seems to work. One of the options is a checkbox for "Tool Launcher enable" - uncheck it to disable the Verizon autorun installer.
Sideloading in Recovery Mode
I was curious how IORoot worked, so I started taking it apart. Basically, on the G3, it just uses a .zip sideloaded in recovery mode to copy over the su and related binaries. There's a decent bit of documentation out there on how to create your own .zip for sideloading, but I found one catch - the .zip needs to be signed with the proper key, or recovery will reject it. It turns out that this key is located at "./bootable/recovery/testdata/testkey" in the AOSP project. I forget the exact command for signing the .zip, but using this key, you can create your own sideload applications. Edify provides a nice way to script your application; I used it to create a sideload application to replace the HotspotProvision apk with a slightly modified version that skips the billing checks. Doing so does not require root access, as the sideloaded application appears to run as root by default. Replacing "HotspotProvision.apk" also does not trigger the root detector. However, I also made my own sideload .zip to copy over the su binary I compiled from AOSP - as soon as I booted the phone, the software status indicator changed to modified. I have some more information on that below. If anyone wants either of these sideload applications, I can upload them somewhere with their source, just let me know.
Ramdisk Compression
The boot, recovery, laf, and factory partitions are all mostly in standard format and can be split into the kernel and ramdisk parts with existing tools. However, most tools seem to expect the ramdisk to be compressed using gzip. Since it's not, they'll fail to extract the cpio archive from it. The G3 ramdisk is compressed using LZ4 instead. Once decompressed using the standard LZ4 utility, it has the same structure as a normal boot ramdisk - the cpio archive can be extracted to view the boot filesystem. I haven't really looked into it, but I believe the boot images all have a device tree binary appended after the ramdisk as well.
AT Commands
When looking into the boot process, I stumbled upon the AT command framework for the G3, which proved to be rather interesting. When connected to my computer in ADB mode, the phone exposes two serial ports. One of these ports looks like it's supposed to accept plain-text AT commands, but it also has been rather buggy in registering the end of a command for me. The other port accepts commands in some sort of binary format that I have not taken apart yet. If you want to send AT commands to the phone from ADB shell, write them to "/dev/smd0" and read the response from there. Sometimes, the response is not put on the device for some reason, but instead just printed to the logs under the tag "Atd"; just use "logcat Atd:V" to view them. The requests seem to be handled by "/system/bin/atd", which largely uses "/system/lib/libatd_common.so" to work. Looking through the disassembly showed some interesting things, included what looked like a test command that involved the bootloader unlock status, though I haven't figured out exactly how it works yet. A lot of the commands began with "AT%", which I think is the vendor specific prefix for AT commands typically. For some reason, I couldn't get any of these commands to work, even though some of the standard commands worked fine. One particularly interesting function (to me) was one that claimed to be able to write the software bootloader, SBL1. The function was called "store_sbl1_image"; there are some other functions that affect sbl1 as well. There are also functions for qfuses/QFPROM and other things that may be of interest to us. A lot of these functions access the misc partition through "/system/lib/liblgftmitem.so", so that may be a partition worth looking into.
Volume Key Booting
Entering the dialer command "##228378" and pressing send brings up a menu that has an option called "Device Test". Choosing this option prompts you that the phone will reboot; if allowed, it will reboot into MiniOS mode, which is stored in the "factory" partition ("/dev/block/mmcblk0p40"). This mode allows you to run a number of device tests, though many options are disabled somehow. One interesting thing I've observed is that, if the phone is shut down from MiniOS mode, then turned on by holding the volume down and power buttons simultaneously (possibly while plugged into a computer, I forget if this is necessary), the phone enters a pseudo-recovery mode that vaguely resembles real recovery mode, but is actually implemented after boot. Another volume key command is to hold volume up while powering on and connected to a computer by USB (the USB connection is required). This boots into factory download mode from the "laf" partition("/dev/block/mmcblk0p33"). The only way I've found to exit this mode is to remove the battery from the case. One final note is that while booting into normal mode, but having done so by holding volume down and the power button, the bootloader logs a message that it is going to enter fastboot mode. However, it does not and just boots normally instead. It seems that fastboot can only be activated if aboot fails to boot normally. I've read of people accomplishing this by messing up the "laf" partition and then booting into download mode, but I've not tried it myself.
Root Checker ("/system/bin/rctd")
After already setting my system to the "modified" status, I looked into the root checker executable at "/system/bin/rctd". A quick disassembly showed almost no strings in the binary. This is because they are all obfuscated. To load the strings, as series of instructions store individual characters into the stack at the proper offsets, eventually forming all of the strings needed by the program. Because I don't have the "Pro" version of IDA, I can't just run the executable through the debugger to get the strings out, so I had to resort to writing a really hacky emulator for a few ARM instructions to produce the strings. I only did this for one function, but the results were rather interesting. This function constructed the following string(s): "mt6575 mt6577 /sbin/su ro.hardware /system/bin/su /system/xbin/su /system/sbin/su /data/local/tmp/su /system/bin/busybox /system/xbin/busybox /data/local/tmp/busybox /system/app/Superuser.apk /system/app/SuperUser.apk /system/app/superuser.apk /system/app/SuperuserPro.apk /data/local/tmp/Superuser.apk /data/local/tmp/SuperUser.apk /data/local/tmp/superuser.apk /data/data/com.noshufou.android.su". I'm assuming this is a list of all of the files that the program looks for to determine if the phone has been rooted. In theory, using some way of randomly naming these files could prevent the root checker from detecting a rooted presence. If anyone who has IDA Pro wants to run "rctd" through the debugger, they might find more interesting things.
fastboot oem-unlock
While I've not tried booting into fastboot mode myself, I have "manually" executed the "fastboot oem-unlock" command. By disassembling the "aboot" partition ("/dev/block/mmcblk0p5"), I found that oem-unlock writes the value 0x01 to offset 0x1FFE10 of the "aboot" partition. I replicated this action with the command from a root shell "echo -en '\x01' | dd of=/dev/block/mmcblk0p5 bs=1 seek=2096656 count=1 conv=notrunc". After doing so and rebooting, which seemed to take longer than usual, I checked the kernel logs in "/data/logger/kernel.log*", and, in the bootloader logs section, there was a line displaying "[ 0.355056 / 01-01 00:00:00.340] [580] use_signed_kernel=0, is_unlocked=1, is_tampered=0.", seemingly indicating that the device was unlocked. However, it is not, as I'll mention later.
LGFTMITEM Spam in logcat
On the two VS985 phones I've looked at, both seem to produce a large amount of spam to logcat under the tag "LGFTMITEM". This takes the form of several lines being logged every 500 ms, consistently. I believe that setting the property "sys.lgsetupwizard.status" to "1" should stop it, though I haven't been able to do so successfully yet.
Bootloader Unlocking
One of the main goals of my tinkering has been to find a method for unlocking the VS985 bootloader. I believe I have identified the path to do so while disassembling "aboot", but I do not know how to enable it. I'll try to describe it here. In "sub_F81FF5C" of the "aboot" partition (I created a basic ELF format binary from the partition by trimming the first 40 bytes of the partition dump and then creating a single section ELF file loading that trimmed portion to address 0x0F800000), there is code that verifies the kernel and ramdisk images of the loaded boot partition. The code refers to "FEATURE_LGE_QCT_HW_CRYPTO", if that has meaning to anyone. Before the verification takes place, however, the function calls function "sub_F81FF58" with a memory location passed in R2. If this function call stores the value 0x67661147 in the memory pointed to by R2, the function bypasses all of the verification checks and simply prints "Device UnLock". This is why I believe "fastboot oem-unlock" would not be effective - my bootloader logs still indicate that the bootloader is taking the cryptographic verification path even though I have "unlocked" the device. I've tried to follow the function calls from here, but they get rather complicated and refer to memory locations not within the executable itself, which confuses me. In one of the functions invoked from here, which seems to print out the results of some sort of command, there are the strings "READ_UNLOCK_DEVICE_CERTIFICATE", "UNLOCK_DEVICE_AUTHENTICATION", "ANTI_ROLLBACK", and most interesting to me, "BACKDOOR". I've been having trouble figuring out how this part of the code works, so if anyone has any ideas, I'd be interested in hearing them.
Well, I think that about covers most of what I've found out about this phone. I'd be happy to explain anything in more detail if it's not clear.
Click to expand...
Click to collapse
You should rename the title of your thread to something more likely to be read by devs trying to unlock the bootloader. It's too generic in my opinion. Excellent work so far, though. Thanks for your efforts and interest!
Nice to see anyone working on an unlock, also thanks for sharing.
---------- Post added at 02:33 AM ---------- Previous post was at 02:25 AM ----------
I forwarded the post to Justin case to see if he may be able to get in touch
This was way over my head. Have you PM'd @autoprime or @thecubed (aka IOMonster)? They are a couple of the devs working on unlock.
Sent from my VS985 4G
Howdy there!
Just in time, too - since I just got back from vacation!
Hop on IRC (freenode) and join #lg-g3 and ask for IOMonster, and mention this thread. I'd be happy to explain what I can to you.
You've followed excellent logic and have come to many of the same conclusions as we have during our exploration of the device. Factory mode reads FTM items, and can enable/disable menu options at will (or you could just extract it like a boot.img and load the lgeftm_* binaries into IDA and see what they do).
RE: AT commands, there's a lot of good logic in there, however at the moment nothing that looks to give us our unlock.
RE: Unlocking, you're close, but a bit far off. There's some special sauce LG is using for unlocks, and last I was looking I believe LGE is obfuscating bits of code with a multi-stage loader. I'll discuss more about this on IRC if you're interested and the rest of the guys on IRC are alright with me doing so.
One of those memory addresses is a function pointer - before I left for vacation we were working on dumping the memory to pull the decompressed function out of RAM on another device that uses a (very) similar strategy.
I look forward to talking to you on IRC!
Hope you enjoyed I'm sure a much needed vacation.. Hopefully soon someone will be able to crack this boot loader and free the G3 variants.
They will unlock it because how can the great device be locked and have only the tmobile version be the only one unlocked... Lol that's crazy. They will unlock it in time
I think your right in time ,unfortunately these guys have full life schedules that don't allow them to stay on it all day! I hope all the g3 community gets to enjoy the full potential of such a great device in the future.
OP @IllegalArgument
Hats off for your first loaded post on XDA, really reassuring to see as many capable devs tinkering with this, welcome and keep em coming
dabug123 said:
....I hope all the g3 community gets to enjoy the full potential of such a great device in the future.
Click to expand...
Click to collapse
Near future hopefully
nerdo said:
OP @IllegalArgument
Hats off for your first loaded post on XDA, really reassuring to see as many capable devs tinkering with this, welcome and keep em coming
Near future hopefully
Click to expand...
Click to collapse
Will see im hopeful but I won't be upset since nexus is close
Nexus won't run on Verizon, you can book that.
Sent from my HTC6525LVW using Tapatalk
dbatech99 said:
Nexus won't run on Verizon, you can book that.
Sent from my HTC6525LVW using Tapatalk
Click to expand...
Click to collapse
Yep agreed, I'm making the switch
dabug123 said:
Yep agreed, I'm making the switch
Click to expand...
Click to collapse
With Xposed framework and the right modules I can make this stock ROM almost like any custom ROM. It will definitely hold me over until they can unlock it.
Jank4AU said:
With Xposed framework and the right modules I can make this stock ROM almost like any custom ROM. It will definitely hold me over until they can unlock it.
Click to expand...
Click to collapse
My thoughts exactly, and with the Wifi tether mod, I'm content, for now.
Jank4AU said:
With Xposed framework and the right modules I can make this stock ROM almost like any custom ROM. It will definitely hold me over until they can unlock it.
Click to expand...
Click to collapse
I enjoy it with xposed..Not the same in the end but the g3 is a great won't ever say different.
Ooh, exciting. I can't wait.
kdouvia said:
Ooh, exciting. I can't wait.
Click to expand...
Click to collapse
{
"lightbox_close": "Close",
"lightbox_next": "Next",
"lightbox_previous": "Previous",
"lightbox_error": "The requested content cannot be loaded. Please try again later.",
"lightbox_start_slideshow": "Start slideshow",
"lightbox_stop_slideshow": "Stop slideshow",
"lightbox_full_screen": "Full screen",
"lightbox_thumbnails": "Thumbnails",
"lightbox_download": "Download",
"lightbox_share": "Share",
"lightbox_zoom": "Zoom",
"lightbox_new_window": "New window",
"lightbox_toggle_sidebar": "Toggle sidebar"
}
Jank4AU said:
Click to expand...
Click to collapse
Fail lol[emoji13]
Interesting read OP.
Jank4AU said:
Click to expand...
Click to collapse
Haha, bro, I was serious this is the most information I've heard about the boot loader unlock in awhile. I love the meme though. :victory:
WARNING - THESE TOOLS WRITE TO THE DEVICE PARTITIONS DIRECTLY
If you don't know what that means...
THIS CAN REALLY SCREW UP YOUR ---
I HAVE ONLY TESTED THESE ON THE A2020U (NON-5G) - I CANNOT SAY THEY ARE SAFE ON ANY OTHER VERSION OF THE PHONE (YET)(If you want to test it on a specific model you own, send a PM or post and I can tell you to run a few (safe) things from these tools to make them compatible your phone.)
See my next post down for some more "beginner friendly" general tips and tricks for this phone, including some fixes for common problems and a quick guide for installing Magisk!
If you can't afford to brick your phone, these tools aren't made for you.
There aren't really any protections from doing damage. I made them for myself because doing them on a command line constantly is a pain. I'm just sharing them for two reasons:
1) So myself or other people have tools available to make it easier when advising someone on how to fix their phone.
2) For tinkerers who are okay taking the risk that they'll mess something up.
Thanks to @djkuz / @Unjustified Dev for the EDL tool. These scripts really just expand the use of fh_loader commands in that tool. If you are able to read C++ and want to understand fh_loader I suggest searching on google, the source code is available and from that you can better understand what the tool does / what the command line options do. Feel free to ask here too, I'll do my best to share what I know.
Anyway - below I'll go into plenty of detail of what each "tool" does and some helpful information about using them.
I write in a kind of permanent verbose mode, so if you're impatient and need a TL;DR for these... tough. =)
CURRENT VERSION: Version 1.1d
Changelog:
Version 1.1d:
- Fixed reset scripts
Version 1.1c:
- Fixed a typo in backup_GPT ¯\_(ツ)_/¯
Version 1.1b:
- Fixed errors in GPT_Tools - apparently these existed since v1.0 DO NOT USE PREVIOUS VERSIONS
- Removed the v1.1a download (use 1.1b)
Version 1.1a:
- Added script to find the COM port automatically
- Updated all scripts to use the COM port in the file COMPort (created by the above script)
- Added the missing AB Partition manipulation files (accidentally left out of v1.0)
- Added script to run the phone reset EDL command
- Fixed all the filename inconsistency in the XML files - HOPEFULLY. Please post any errors you find. Unfortunately this will make this version incompatible with v1.0 backups without some work - either rename your backup files to match the new format or use the old XML files included.
-- Especially fixed the XML typo of "uefi_sec.mbn" being backed up from both A and B to the same file (overwriting the A copy with B during an ALL backup).
- Added support for installing firmware packages created for this tool. Put them in the Firmware_Package_Restore directory and use the scripts included with them.
Basic Instructions:
1) Download zip (See attachment at the bottom, or here - Download from AndroidFileHost)
2) Unpack zip
3) Move folder to the root directory, or inside any chain of directories that do NOT have spaces in any of the names
4) Right-click on scripts and select "Run with Powershell" to run
5) If running scripts fails due to permissions, see these instructions: https://superuser.com/questions/106360/how-to-enable-execution-of-powershell-scripts
Make a "Complete Backup" (minus userdata):
1) Run Load Programmer
2) Run "backup_all"
3) Check the backup directory and verify the files were backed up and sizes make sense - a full backup should be 10,387,202,048 bytes / 39 files for the critical files and 1,626,697,728 bytes / 64 files for the non-critical (Don't include the port_trace log file when checking size)
Note: You will see a lot of "warnings" before the files begin to download, the program checking if the files already exist.
How to Use These Tools:
Important:
When the scripts run there will be a lot of information dumped to the console. It's not necessary to read all of that BUT - IF YOU DO NOT SEE THE ASCII ART "DONE" AT THE END of running any of these scripts it is likely the script encountered a serious issue. "WARNING" art is normal for some scripts, but "ERROR" means something went wrong.
None of these find the COM port automatically. It is possible (the EDL tool does) but it's just extra work I'm not paid to do =P
You will need to edit each program and change the variable at the top (usually $COMPort = "6") to whatever port number your phone shows up on.
Sorry that's inconvenient, but it should just be once per script - my port number never changes so it wasn't worth implementing automatic port finding.
This is no longer needed after v1.1a.
1. Load Programmer
This is a simple but extremely important tool! You need to run this before running anything else. This script will open a window that runs a command to open a connection to the phone (when it is in EDL / "9008" mode). The window will stay open until you close it. When working on backups I often need to re-connect the programmer, so this makes that easy - just alt-tab to it and hit enter. If you look at the script, it's fairly straightforward - just read the instructions on the screen after running it. The "secret sauce" for this is really the firehose protocol for our chipset that Unjustified Dev provided in the EDL tool.
2. Backup / Restore:
backup_all: This will backup everything on the phone EXCEPT for the huge userdata partition. It will create a backup in two directories, which I'll explain.."critical" / "non-critical": You can see that I have scripts to run these two "types" of backups. Non-critical DOES NOT MEAN NOT IMPORTANT. It means that it is not critical TO ME to back up those files EVERY time I do a backup, because they rarely change. They're EXTREMELY important to have at least one backup of for your phone. The "critical" backup files are files that change often, although some of them are extreme non-critical (cache for example). Use a different name than "critical" if you like, but the point is that only with BOTH backups run (which is what backup_all does) will you have a complete backup.restore_all: This will restore a full (both critical and non-critical) backup set. The backup files have to be in the "restore_critical" and "restore_non-critical" directories respectively. If you didn't make the backup you're trying to restore with this tool CHECK THE FILENAMES, e.g. if you used Unjustified's EDL tool you have to rename the "abl.elf" file his backup generates to "abl_a.elf" for mine. I put _a and _b on every partition that has an a/b version because I got tired of getting them confused. Of course you can always install a backup to either slot.Files moved to the "restore_" directories won't be changed at all by the restore process so you can cut/paste the files from your backup into the directory instead of copying them.
3. A/B Partition Manipulation
These are no more complicated than the backup/restore tools. But they are written to make manipulations of the A/B partitions easier.My main use for these is when I know I have a good, working ROM setup on slot A, I run A2B copy. Then no matter which slot I end up booting I'm sure it will work. (That is, if you have a working, booting slot, copying all the files from that slot to the other slot using this tool will make both slots the same.)Backup/Copy:run_AB-partition-backup: As it says, it will backup both the A/B partition files - WARNING this is NOT a full backup of the phone.run_AB-partition-swap: This will backup all the A/B partition files, then it will write the B files to A and A to B, effectively swapping the partitions and leaving you with a backup in case it screwed up. This backup is ONLY OF THE A/B FILES.. NOT the whole device!run_A2B-partition-copy (and run_B2A-partition-copy): These will do a backup of both A/B partition files, then write the A partition onto the B partition (A2B) or vice versa (B2A), effectively mirroring that partition.
Write/Restore:All the restore scripts try to find their files in the "restore_Partitions" directory - place the files from one of the backups to be restored there.restore_AB-partition-backup: Restore a backup of both the A and B partition files.restore_A-partition-backup (and B): Restore just the backup of one partition to the same partition it was taken from (A to A and B to B).restore_A2B-partition-backup (and B2A): These write from one partition backup to the other partition as the name suggests.
4. GPT Tools
These are some basic tools to directly interact with the partition tables - these are not going to be of any use to 99% of people, so just ignore them if you don't know what they do.run_fixGPT: This issues the --fixgpt command to each of the LUNs. USE AT YOUR OWN RISK. As I understand it, this will use the onboard device configuration information from each LUN (e.g. logical size) and try to rebuild the GPTs. It's similar to running patch XMLs, it can clean up flashing messes. It isn't magic and won't fix everything.Rarely will anyone need it unless they've been messing around with the flash tools recklessly... I certainly don't know anyone who would do something that dumb backup_GPT: Backup all of the header and footer (main/backup) GPTs for all the partitions (lun 0-5). I am not aware of whether any other models of the phone have more LUNs, so be careful if you're using this on a non A2020U phone.restore_GPT: Simply write an entire GPT backup set (both main and backup 0-5) onto the phone. The backups must be in the restore_GPT folder. This DOES NOT BACKUP before it runs so make sure you did your backup.
6. Set Bootable Partition:
Alright this one is important for everyone. There are two scripts here - one for slot A and one for slot B. These just run a simple command, but they will fix a common problem I (and probably others) have - when the ROM active-slot information does NOT match the partition (hard drive) bootable flag, the phone will bootloop EVEN THOUGH EVERYTHING IS GOOD.So when you flash an EDL backup (depending on which files you flash, I believe this happens because of either the bootloader or the GPT files) there is a chance the backup you're flashing was originally from a different slot than the one you're restoring it to. The config thinks it should be on slot A while the hardware thinks slot B should be booting.This will result in a fast ~3 second bootloop as the two disagree and reset.This tool changes which partition is expecting to boot - "1" for slot A and "2" for slot B.This does NOT change the active slot - the phone will continue to boot the same slot it's trying to boot. You just need to make the partition that it is trying to boot has a bootable flag.AFAIK there is no way to change the active slot (the one XBL (I think) is trying to boot), except through fastboot or when the phone fails to load the OS 8 times in a row (note - if it fail to load the OS - if the phone bootloops before "boot" is called it won't ever switch slots on its own).This was a common cause of fast bootloops for me before I figured this fix out.
It does no harm to try this as you can always switch again. If neither one works for you, then it's something wrong with the files you're flashing. If you know which slot the phone is trying to boot (the one it was on last), run the script that matches that slot.
7. Write "Unlocked" Bootloader and FRP:
Just like the original EDL tool, these very simply overwrite your existing (probably stock) bootloader (abl) files with the fastboot enabled version, and/or your FRP with the "unlocked" flag on (see description below). This will allow you to enter the bootloader menu (Vol+/- on booting) and use fastboot to unlock the bootloader.backup_FRP-and-bootloaders: As it says, this will make backups of both the FRP file and current bootloader files (ABLs).run_all: Literally just runs both of the below scripts *shrug*write_UD-bootloader: This automatically backs up both your existing A/B bootloaders before overwriting them (BOTH) with the unlocked/fastboot bootloader.WARNING - an unfortunate fact is that if you're using the stock ROM and you have this bootloader installed, it borks the USB mode so it's stuck in charge only. There's a way to fix it temporarily, I'll post it in my "tips" thread, but you have to do it every time you boot, very annoying. I can't fix it permanently because I don't know how the bootloader file was built!WARNING 2 - Android 10 will NOT BOOT with this bootloader installed. You can still install it, trying to boot will bootloop, but you can get into the bootloader menu and use fastboot - but there are no recoveries I know of that work with Android 10 right now, so there's very limited use to having fastboot right now. Hopefully we can get a port of TWRP 3.4 going for this phone..write_unlock-frp: This is also in the EDL tool, but maybe poorly explained - the FRP file holds the flag you change in the OS Developer Options to designate "allow bootloader unlock". If you FORGOT to switch that flag on and unlock, as I understand it, you get bootlooped. This can fix that for you without having to go through all the work of undoing that mess.WARNING - I have only tested this with a brand new factory reset OS WITHOUT any fingerprint/code set. It may not work if you set one. I warn against using this if you are not ready to lose your data. It's convenient if you just forgot, but if you set a pattern/fingerprint security and encrypted the filesystem overwriting the FRP might remove your ability to decrypt which would force you to factory reset. Again, I haven't tested it for that so it may work, but be careful.If you already screwed up and ran this to set the flag - the script runs a quick backup of your old FRP just in case. So you can try to restore that FRP and pray lol)
8. Specific Files:
This is just a generic program to backup/write(restore) "specific files".I include a "Reference.XML" which has a full <program> line for every partition you might want to write/read on the phone. To use this, you need to copy the lines from the reference XML into "rawprogram-specific-files.xml" for the files you want to read/write.As an example I already set up "rawprogram-specific-files.xml" with the two lines for "abl_a" and "abl_b" in it. So the script will backup or restore those files (provided you put the abl's you want to restore in the restore_files directory).I personally use this template a lot - I have one for ABLs, one for AOPs, one for BOOTs, and so on. If you are trying to fix a specific file(s) it's convenient.
9. Userdata Backup:
I put this last because, to be honest, I'm not sure how good of an idea including this even is.VERY IMPORTANT - DO NOT USE THIS USERDATA TOOL IF YOUR PHONE IS NOT THE 256GB VERSION!!!!!I will need someone with the 128GB version to send me their GPT files if they want me to make an XML that works for them. Because the userdata size for SURE depends on your phone version.Also, I wrote a script that breaks up the file into download slices (and can be written back to the phone in slices, of course) - one, to see if I could do it and if it would work (it does)... and two, so that in the horrible case that something goes wrong during the... nearly 2hrs of transfer time, for my 256gb image ... that I can at least not have to start all over. If something happens, you should be able to remove the entries in the XML for what you already have and start again.Finally - is it even worth doing? Is backing up the userdata even useful?I don't know yet.For an unecrypted pre-A10 phone I do know it works to fully flash ALL the files on the phone + the userdata all at the same time to return the phone to the exact "state" it was backed up in - all the apps and settings and everything, exactly as they were.But A10 is encryption enabled always, and it uses file encryption which sounds even worse for this idea.. and I don't know if the crypto keys change and when. So flashing an entire encrypted partition might just leave you unable to decrypt all, some, or none and you lose everything.OR it might just work - you throw the whole image on there and the decrypt key is the same, boom, easy backup.If anyone tries it, let me know how it goes (or doesn't). I'll update with any results I find.Update 1: I have confirmed that for the 256gb A2020U backing up the full phone and userdata allows you to restore the phone to that exact state. Doesn't matter if it's encrypted, password set or not, etc. If you backup the entire userdata image and reflash it that is where the phone will be. In most cases you also need all the other partitions too, but if they have not changed they don't have to be reflashed. (I confirmed going from encrypted with password -> encrypted with no password -> back up encrypted with password.. This is on Android 10 with its more complicated encryption).Another nice thing to note - of course the image of the phone will be the size of the partition (ie. 256gb for mine, 128gb for others). But if your phone storage is largely empty, you compress the backup using something like 7z once the image has been backed up. It won't take up so much space then. How much less? My 256gb image compressed is 4.5gb. lol.... it makes sense, the phone is new and there's basically no information on the userdata. Many of the pieces of my userdata backup have the same exacty hashes - meaning they are literally just all 0's... 260gb of zeros. Unfortunately you can't get away with just backing up part of the image as data could be anywhere. And over time as the sectors get written to, it will get more difficult to compress.Anyway, if anyone has a 128GB version they want to donate to science (kidding - I just need backups of the GPT) I can make the XML file to use for backing those up too.
Extra Note: All the programs automatically build a log of the console window, so if something goes by too fast just check the log. The fh_loader also creates a log and dumps it somewhat randomly about... lol.. the filename is port_trace.txt. This tends to get deleted and overwritten easily so if you want to keep it, move it when the script finishes,. it does often contain more information than the console shows - it can be useful understanding what's going on.
Extra Note 2: You'll notice a script "Create Hash List" in practically every directory. That's to strongly hint that using that script is super useful. All the files backed up through these tools, by definition, have the exact same size. If you hash your files though, you can tell if they have changed at all. This is extremely useful in troubleshooting problems.
How to install an EDL firmware package:
Note: This tool is specifically made for the firmware packages I posted. It won't work with any other package (although it can, with a little work).
1. Install the EDL tools
2. Run a backup of your phone! Even if it isn't booting.
3. Download a firmware package from this thread: [ROM][STOCK] Stock Firmware Packages (For Expanded EDL Tools)
4. Unpack the firmware archive into the tool directory "Firmware_Package_Restore"
5. Put phone in EDL mode and run Load Programmer
6. Run whichever "Write Firmware vX to Y.ps1" you want (X = firmware version, Y = A or B partition) (If you don't know which partition is currently booting, just install both.)
7. Wait for the install to finish ("done"), then reset the phone with either the power button or the reset tool
8. You might see a few bootloops and then the phone ask you to do a factory reset / system wipe.
9. Done.
PLEASE POST IN THE FIRMWARE THREAD _NOT HERE_ IF YOU RUN INTO ANY ISSUES!
Enjoy!
Also, while I'm here... some other helpful notes for this phone:
-------------------------------
General Information:
As of right now there are a lot of working options for Android 9 and quickly expanding thanks to work @Unjustified Dev did and work @rafyvitto is continuing to do! Check out some of his sGSI ROMs, lots of options!
Thanks to Unjustified LOS 16 is available for Android 9 also, and is the base install for most ROMs. See his threads for that. I may write up an install guide here that's a little more in depth than his.. not today though.
Upgrading to Android 10 with the bootloader unlocked is possible but requires a workaround:
You must unlock on Android 9 then use recovery to side-load the Android 10 update available from ZTE USA (HERE).
This will remove the fastboot enabled bootloader and requires a complete system wipe.
You will retain bootloader unlock.
Once you have updated to A10 you can run OTA updates to get up to the latest version.
Downsides to A10 include - NO RECOVERY (yet), NO CUSTOM ROMs (yet), and if you flash the fastboot enabled bootloader you CAN use fastboot, but you cannot boot- the phone will be in a bootloop until you restore the stock A10 bootloader.
-------------------------------
Resetting the phone manually:
In EDL Loop - Hold power for 20 seconds
In EDL Not-Looped - Hold power for 5 seconds
In System (booted after ZTE logo) - Hold power for 10 seconds
----------------------------------
Entering Modes:
All of these start by using reset above, THEN the button(s) below - in all except one case (EDL), when the phone resets it will vibrate and then show the blue ZTE logo.
When you feel the vibration you want to immediately release the power button and press the mode buttons.
This can be confusing and tricky - most people say "hold power + button" - that is incorrect. Most cases if you hold any button other than power the phone will not finish resetting until you release that button.
What you want to do is right before or as the phone vibrates, then you hold the button. Once the ZTE screen is up it is probably too late if you missed it. So hold power for your reset and be ready to push the button you want when you feel the vibration.
The one exception - EDL mode. For EDL mode you can (and must) hold the key combo just before/during the restart.
Recovery Mode: Vol+ Button
Factory Test Mode: Vol- Button
Bootloader/Fastboot Mode: Vol+/- Button (both) when phone is NOT plugged into USB (if you are too early pressing the combo, even with the USB unplugged, you will get EDL mode)
Emergency Download Mode: Vol+/- Button (both) when phone IS plugged into USB
--------------------------------
EDL Flash Errors (esp. when EDL looped):
There is NO indication the phone is even ON when you are EDL stuck/looped. Other than when you plug into the computer with the right drivers it shows up as a 9008 device (9008 mode is EDL for Qualcomm).
Even when you can see the phone on your computer, it can often "freeze" in EDL if it is left idle for too long (not connected to and being used by a Sahara programmer).
If you try the EDL tool or another flash tool and they give you errors related to the Sahara programmer not loading or no "hello", do this:
Reset the phone - use a clock to count if you need, has to be accurate since there's no indication of when it resets. Press down Vol+/- and the power button, count to 20sec, then release JUST the power button. Keep holding both of the volumes for another 5 sec, then release them. That will get you back into a fresh EDL. You can watch your Device Manager to see the phone disconnect as an indicator when to let go of the power button. If you mess up the timing, wait a bit before trying again so the phone isn't in the middle of rebooting.
Easiest way to tell if you're in EDL is to watch the Device Manager while you do it. Otherwise there is just a lot of guess work, since there's no logo or vibration when you get it right, phone just appears off.
--------------------------------
USB Mode Stuck After Unlocking:
Something about the fastboot/"unlocked" bootloader causes the USB mode when you boot in the OS to be stuck on "Charge Only" mode.
Luckily I found @meow sir 's comment tucked away in this thread, and he knew a way to fix it (thanks!):
1. Open the phone dialer
2. Dial in "*#*#DEBUG#*#*" (debug = 33284)
(Sometimes takes a little bit to open, but a debugger menu will open)
3. Select the 2nd option for USB
4. Pick the only option - this will unset some strange "testing" mode and you can use MPT again.
Unfortunately this fix doesn't stick, you have to do it every time unless you switch back to the stock ABL. =(
--------------------------------
Installing Magisk, Quick Guide:
- You must have your bootloader unlocked already! This works on both A9 and A10.
1. Use this tool to create a full backup! (backup_all)
2. Go into the "critical" directory created by the backup and find the files for boot_a.img and boot_b.img - rename them to boot_a_bak.img and boot_b_bak.img and keep that window open, need them in a second
2. Boot into the OS. Download the Magisk Manager APK from HERE
3. Copy the APK and both of those boot files to your phone, open a file manager and install the APK
4. Open Magisk Manager and click on "Install" for Magisk (upper right)
5. Select "Patch Boot ROM" (or whatever it says.. something like that..)
6. Navigate to boot_a_bak.img and patch it.
7. Go to your Downloads directory (where Magisk dumps the patched file) and rename it to boot_a_magisk
8. Go back to Magisk and repeat those steps for boot_b
9. Copy the two patched Magisk boot files to your computer, into the folder with your "critical" files backup.
10. Rename the Magisk files to "boot_a.img" and "boot_b.img"
11. Move all the files from the "Backup\backup_all-critical-(...)" directory to the "Restore\restore_critical" directory in my tools
12. Finally, reboot into EDL.. almost there!
13. Run "restore_all-critical" (don't forget to run Load Programmer first..)
14. It will restore all you files, kinda a waste of time - if you know how to use the "Specific Files" tool this is a perfect time to use it to flash JUST the boot files. But anyway - this will get it done.
15. When done flashing, reboot the phone and open Magisk Manager to confirm it is installed!
The Magisk team recommend you DO NOT FLASH your stock boot files back to uninstall it, instead they say you should run their uninstaller.zip. However, I am not sure how to uninstall it if you're on A10 since we don't have a recovery that can flash zips? (Unless the stock recovery works for that, I don't think it would..)
I suspect (but have not tried) that on our phone flashing the boot files back over Magisk will not really be a problem since the recovery and ramdisk are all wrapped up into the boot image. But I don't recommend trying it if you value your data! Fair warning.
---------------------------
Alright that's everything. Good luck!
This will be useful for a lot of folks on here, thanks for taking the time to look for a work around.
rafyvitto said:
This will be useful for a lot of folks on here, thanks for taking the time to look for a work around.
Click to expand...
Click to collapse
Glad to be helpful! Usually I lurk the forums getting information I need to unlock/root/etc lol.. but I saw I actually could contribute something to this forum so hopefully it encourages people to get interested in this phone. It's looking pretty sweet now that I'm not spending days fighting with bootloops!
Indeed,on the note of attracting more users. im going to be releasing something for the pixel lovers very soon ?
Thanks Bob!
I'm on A10 with unlocked bootloader. I made all EDL tool backups when on A9 but these were done before correcting the typos as suggested. So I am not confident of successfully flashing back to A9 (preference).
Therefore I will likely flash the magisk-patched boot files to attempt root and report my experience...
Sent from my ZTE A2020U Pro using Tapatalk
big thx, glad to see some life to this almost dev-dead device
Hey thanks for the post. I'm thinking about buying the phone but have a quick question. Can I update to the latest version of Android 9 before unlocking or will the OTA be Android 10. How would I go about updating to the latest version version of Android 9 and not go to Android 10. Can I download the Android 9 OTA from somewhere and flash that one? Thanks in advance for the help!
Crackass said:
Hey thanks for the post. I'm thinking about buying the phone but have a quick question. Can I update to the latest version of Android 9 before unlocking or will the OTA be Android 10. How would I go about updating to the latest version version of Android 9 and not go to Android 10. Can I download the Android 9 OTA from somewhere and flash that one? Thanks in advance for the help!
Click to expand...
Click to collapse
:good: I think your question borderlines on needing its own thread in the Q&A section but I'll answer you anyway...
Currently as long as you are on A9 when you get the phone you can just do OTA updates from firmware version 1.10 to 1.11 to 1.13 (not sure what android security update that is), after 1.13 it goes to A10.
There is an A10 firmware available from ZTE to SD card sideload. Once installed it has to be updated to the latest A10 via a couple OTA updates.
Going directly from A9 to A10 via OTA goes directly to the latest version.
You cannot flash the A9 OTA... because flashing an OTA is an oxymoron... but I guess you mean can you download the A9 firmware and flash them. The answer is... maybe. ZTE does not offer official downloads any A9 firmware for A2002U (USA version), only A10.
They do offer A9 firmware for A2020G (european) and I think other foreign versions (RU, CN). These cannot be interchanged, if you have the US or EU or CN phone you need to use that firmware... from what I have read. I could be wrong, I don't have those phones.
But there is an unofficial stock A9 firmware for the A2020U here on the forums, uploaded by @rafyvitto . That will get you to.. I forget.. 1.11? That can be flashed using the original EDL tool or, with a little modification, the EDL tools in this thread.
Additionally.. if I ever get around to it... I plan to upload all three A9 firmware packages for the US version which can be flashed with the EDL tools in this thread. Not sure if it's really necessary, but I have them.. it's just a matter of figuring out hosting them and spending the time to upload them.
bobthenormal said:
:good: I think your question borderlines on needing its own thread in the Q&A section but I'll answer you anyway...
Currently as long as you are on A9 when you get the phone you can just do OTA updates from firmware version 1.10 to 1.11 to 1.13 (not sure what android security update that is), after 1.13 it goes to A10.
There is an A10 firmware available from ZTE to SD card sideload. Once installed it has to be updated to the latest A10 via a couple OTA updates.
Going directly from A9 to A10 via OTA goes directly to the latest version.
You cannot flash the A9 OTA... because flashing an OTA is an oxymoron... but I guess you mean can you download the A9 firmware and flash them. The answer is... maybe. ZTE does not offer official downloads any A9 firmware for A2002U (USA version), only A10.
They do offer A9 firmware for A2020G (european) and I think other foreign versions (RU, CN). These cannot be interchanged, if you have the US or EU or CN phone you need to use that firmware... from what I have read. I could be wrong, I don't have those phones.
But there is an unofficial stock A9 firmware for the A2020U here on the forums, uploaded by @rafyvitto . That will get you to.. I forget.. 1.11? That can be flashed using the original EDL tool or, with a little modification, the EDL tools in this thread.
Additionally.. if I ever get around to it... I plan to upload all three A9 firmware packages for the US version which can be flashed with the EDL tools in this thread. Not sure if it's really necessary, but I have them.. it's just a matter of figuring out hosting them and spending the time to upload them.
Click to expand...
Click to collapse
Just wanted to chime in, interchanging firmware between each model is possible, you would only need to reflash your model/nonhos/tz partitions to the ones of your variant to have working ril/fod fp/sensors.
Ok Bob I gave it a go and successfully rooted my A2020U running stock A10 v2.09. This is my experience...
Firstly, my A2020U could not connect so I used the @Unjustified Dev Tool ("original tool") to easily determine my com port (i.e. 3). I edited the your scripts accordingly (using Notepad++) and got connected.
I'd rather not fiddle with the hardware buttons to change modes so I used the CLI to "adb reboot edl" to get into EDL mode.
I executed the backup_all.ps1 script.
It echoed several "warnings" indicating that it could not find files. However, the created backup folders did in fact include those files.
I noted that none of the "A" slot files include the "_a" postfix; the "B" slot files did include "_b".
Now I needed to transfer those boot files to my device by first rebooting my device and connecting via MTP.
I noted that the original tool offered a reboot menu option (but sadly only after executing a successful operation). So, not wanting to fiddle, I used the original tool to backup my boot files, then used the menu option to reboot; On my device I then manually selected it to connect via MTP.
After transferring the "boot.img" and "boot_b.img" files to my device, and installing Magisk Manager. I patched them and transferred them back to my PC.
To "flash" (restore) the patched files I decided to cut 'n' paste the two lines regarding them from your Reference.xml file into your rawprogram-specific-files.xml file, replacing your example lines.
I executed your run_write-files.ps1 script and it completed successfully.
Not wanting to fiddle again with the hardware buttons (just so that I can get the reboot option), I backed up the patched files using the original tool and rebooted. Now my device is successfully rooted.
Thank you!
Additional notes and suggestions:
1. Can you please investigate the "false" warnings? See my (redacted) log file attached;
2. It would be great if you could create/duplicate a script within your expanded tool set (or main program) to determine and set the appropriate COMPort (and teach us non-coders the actual commands);
3. Would you also consider investigating and including a reboot device script? (It looks like the original tool calls reset.xml);
4. Note that, at the time of reporting this, the latest versions for the Manager and Magsk are 8.02 (307) and 21.0 (21000) respectively, and that I had to switch the update channel to "beta" for the patched files to pass SafetyNet;
5. Because rooting is a likely use of your tool I am attaching my modified rawprogram-specific-files.xml file which targets the boot files for convenience.
bobthenormal said:
...
Additionally.. if I ever get around to it... I plan to upload all three A9 firmware packages for the US version which can be flashed with the EDL tools in this thread....
Click to expand...
Click to collapse
If this can help me get my A10 device to a state where I can install a custom recovery and cutom ROMs, I would appreciate it!
eKeith said:
Ok Bob I gave it a go and successfully rooted my A2020U running stock A10 v2.09. This is my experience...
Firstly, my A2020U could not connect so I used the @Unjustified Dev Tool ("original tool") to easily determine my com port (i.e. 3). I edited the your scripts accordingly (using Notepad++) and got connected.
I'd rather not fiddle with the hardware buttons to change modes so I used the CLI to "adb reboot edl" to get into EDL mode.
I executed the backup_all.ps1 script.
It echoed several "warnings" indicating that it could not find files. However, the created backup folders did in fact include those files.
I noted that none of the "A" slot files include the "_a" postfix; the "B" slot files did include "_b".
Now I needed to transfer those boot files to my device by first rebooting my device and connecting via MTP.
I noted that the original tool offered a reboot menu option (but sadly only after executing a successful operation). So, not wanting to fiddle, I used the original tool to backup my boot files, then used the menu option to reboot; On my device I then manually selected it to connect via MTP.
After transferring the "boot.img" and "boot_b.img" files to my device, and installing Magisk Manager. I patched them and transferred them back to my PC.
To "flash" (restore) the patched files I decided to cut 'n' paste the two lines regarding them from your Reference.xml file into your rawprogram-specific-files.xml file, replacing your example lines.
I executed your run_write-files.ps1 script and it completed successfully.
Not wanting to fiddle again with the hardware buttons (just so that I can get the reboot option), I backed up the patched files using the original tool and rebooted. Now my device is successfully rooted.
Thank you!
Additional notes and suggestions:
1. Can you please investigate the "false" warnings? See my (redacted) log file attached;
2. It would be great if you could create/duplicate a script within your expanded tool set (or main program) to determine and set the appropriate COMPort (and teach us non-coders the actual commands);
3. Would you also consider investigating and including a reboot device script? (It looks like the original tool calls reset.xml);
4. Note that, at the time of reporting this, the latest versions for the Manager and Magsk are 8.02 (307) and 21.0 (21000) respectively, and that I had to switch the update channel to "beta" for the patched files to pass SafetyNet;
5. Because rooting is a likely use of your tool I am attaching my modified rawprogram-specific-files.xml file which targets the boot files for convenience.
Click to expand...
Click to collapse
Nice! :good:
For the questions..
0. Thanks for the heads up on filenames! I completely missed that the _a files don't have the labels... As you probably noticed all the files are backed up correctly still (no missing/overwritten files), but I removed the _a from all the A slot files. That was my original "fix", so I guess I started building this package before I got annoyed by not having the _a/_b consistency. I'll update the correct XML file and upload it as a new version.
1. Don't worry about those! They're part of using the fh_loader interface. Warnings are usually just fine, ERRORS are bad. I'll add a note to the post when I get a chance so people don't get scared by that.
It's only when you do a backup the program is really only designed in the "writing" sense, for backups you literally run an identical XML to writing but you send a flag that reverses the process. So it weirdly checks if the files it is going to copy (which of course don't exist) exist, and it throws the standard warning, but then it just creates them (of course).
I can't turn those off without lowering the verbosity setting for that tool. I decided to leave it set to high because if someone has a problem and they post their log file (like so!) it's very useful to troubleshoot.
2. I'll think about it / try. Not very hard to program but a little time consuming.
I'll throw a copy of lsusb.exe in the next version. Windows port of the linux command. People can simply run that on a command prompt and it will list all the active COM ports/devices. If you're not familiar with it - you can also find out by clicking on the windows start bar or pressing the windows key and typing in "Device Manager". In the hardware list there is a category for COM ports where it lists them.
3. Yeah that's very easy I'll put one in the next version as well.
4. Helpful to know. Interesting that you needed beta to pass... I didn't think to mention I use the canary builds (not really recommended... the current one crashes when I try to hide Magisk Manager lol)
5. Thanks! Maybe I should make a directory specific to boot backup/write... but I do think anyone not comfortable doing the change you did might not want to be flashing their boot files anyway haha.. things to consider I guess.
As for getting you back from A10, definitely. I'll figure out how to upload them to one of those file sharing sites in a week or two.
In the mean time, with a backup from this tool you're safe (as far as bricking goes, you'll have to system wipe) to try rafy's EDL backup to revert to A9. I'll find the actual post... I should have been less lazy and linked it in my post lol... HERE - rafyvitto's EDL.
If flashing his backup doesn't boot right away try the tool I included to fix the bootable partition. If it still doesn't work after that (maybe mention here what happened) then just restore your backup.
Do you have the 128gb phone by chance?
Thanks much, especially for your detailed clarifications and convenient link!
I have the 8/256GB (P855A03_NA) model.
PS
I want to spend more time on ensuring I have a complete device backup before nuking with another EDL; will dedicate some time this week...
Sent from my ZTE A2020U Pro using Tapatalk
eKeith said:
Thanks much, especially for your detailed clarifications and convenient link!
I have the 8/256GB (P855A03_NA) model.
PS
I want to spend more time on ensuring I have a complete device backup before nuking with another EDL; will dedicate some time this week...
Sent from my ZTE A2020U Pro using Tapatalk
Click to expand...
Click to collapse
Oh nice, with the 256gb model you're good to use the userdata backup program too. Sounds ideal for you since, like me, you want a really bulletproof backup. If you run a full backup and then run the userdata backup you literally have a "phone state" so you can return your phone back to exactly where it was, not have to wipe system or anything.
Of course I'd hate to be wrong so as usual, do at your own risk! Lol. But I am using that method and it has worked great. The downside being over an hour of waiting for the userdata to download or upload... and having to store 256gb (for long term storage you can compress it down to literally a few gb).
I've been kinda busy, but working on getting some of those things from my last post done hopefully this week.
bobthenormal said:
Oh nice, with the 256gb model you're good to use the userdata backup program too. Sounds ideal for you since, like me, you want a really bulletproof backup. If you run a full backup and then run the userdata backup you literally have a "phone state" so you can return your phone back to exactly where it was, not have to wipe system or anything.
Of course I'd hate to be wrong so as usual, do at your own risk! Lol. But I am using that method and it has worked great. The downside being over an hour of waiting for the userdata to download or upload... and having to store 256gb (for long term storage you can compress it down to literally a few gb).
I've been kinda busy, but working on getting some of those things from my last post done hopefully this week.
Click to expand...
Click to collapse
That's great to know! Your user data backup option has simplified my life.
I will wait for your next revision to do a full backup plus user data before nuking.
I am looking forward to moving on from ZTE's A10 to one of Ray's ROMs...
Sent from my PH-1 using Tapatalk
Updated to 1.1a - kind of had to rush on some things so keep an eye out for mistakes, especially in the XML files, and let me know if you find any.
Should have an 1.09 (A9) firmware package up "Soon(TM)", just have to make the xml files then upload the file somewhere.
EDIT: Already needed to update to 1.1b - I found that the GPT_Tools had a big error that probably was there since 1.0 and no one noticed! Backups of the GPT should now actually work...
Thank you @bobthenormal !
Looking forward to your A9 EDL backup...
Sent from my PH-1 using Tapatalk
eKeith said:
Thank you @bobthenormal !
Looking forward to your A9 EDL backup...
Sent from my PH-1 using Tapatalk
Click to expand...
Click to collapse
It's up -- see the new thread.
I didn't have time to test it so make sure you backup but I'm 99,99% sure it will work. I tested it several times in the past, but to make the firmware package I took out all the (I hope) unnecessary files.
There's one thing I'm not sure of - whether you'll need to use the Fix Bootable tool after installing it. IF you need to, then I believe you will have to install it to partition B and then run fix bootable B. (The 1.10 backup was taken originally from the B partition).
If you find that it works without having to do that, let me know... it may not be necessary if wherever that bootable flag is stored didn't get included in the firmware package.
bobthenormal said:
It's up -- see the new thread.
I didn't have time to test it so make sure you backup but I'm 99,99% sure it will work. I tested it several times in the past, but to make the firmware package I took out all the (I hope) unnecessary files.
There's one thing I'm not sure of - whether you'll need to use the Fix Bootable tool after installing it. IF you need to, then I believe you will have to install it to partition B and then run fix bootable B. (The 1.10 backup was taken originally from the B partition).
If you find that it works without having to do that, let me know... it may not be necessary if wherever that bootable flag is stored didn't get included in the firmware package.
Click to expand...
Click to collapse
Thank you @bobthenormal !
I should be able to give it a go this weekend and inform...
Sent from my PH-1 using Tapatalk
Ok, I get that boot-debug has been around for years... since android 10 for me, before that, it was variant=user, or variant=eng(ineer).
Strange how after I show boot-debug.img, magisk chooses this very path, but only after. Keeping in mind many people come here asking questions, and all those that know sit back and say nothing. Until they dont like what they see.
If you know better, and cant help, please keep your comments to yourself. This thread is intended to HELP, and is targetted toward those who CHOOSE to HELP because they CAN.
How I got su to work. Is this root? Now this is a good question. I dont want ANY overlaid system in my fone. I want to write to system like many others want to.
Not some google way of forcing us to use their mirrored online version of a locked filesystem already on my f'n.
Priority 1: I want to root my f'n without internet. Period. I do NOT want magisk using my credit. This proves we pay for magisk. I sometimes live so far from the world wide web, that offline is the only way to work. So I need to be able to root without google or THEIR employees offerings.
Priority 2: RW-able system.
So, I discover boot-debug.img for my f'n. Had it for a year, before I discovered it. Yeah, I discovered it after a year here asking, and getting NO replies that worked. Only after I'm vindicated to the naysayers 'thats been around forever...' yeah, try helping instead of useless comments.
In the end, I learned so much in such a short time. Constructive critiscism is NOT insulting. Magisk kills root in MY f'n. PERIOD. Camera does not work, location does not work, and I cant make/receive calls. But hey, it's an overlaid file system, of course it wont ALL work, I mean, I'd expect to lose a lil functionality, but disabling the GSI ability in dev options? I dont think so.. Worse, lack of adb or fastboot is produced in my f'n when using magisk, so tata magisk.
My logs actually explain all, so no more crappy adb logs. Yeah, I like simple adb, it works, or I'll MAKE it work.
Like this:
Attempt every possible method of flashing magisk according to tut's, nada. 3 different paths lead me to...?
1: The note9 recovery I found, that lopstom was kind enough to twrp for me (well appreciated) is the KEY to gaining root on my ulefone armor x5 mt6765. It turns out that the note9 recovery is actually an android 9 os, with a 'super' .img - and being android 9, the bootloader I used is an OLD bootloader, in particular, the variant=eng type. Note this, this is key.
2: With the note9 flashed to recovery I can RW system in android 10 properly, but only in twrp.
3: Discover boot-debug.img - yup, it's not quite a variant=eng build, but it does work for the following:
Flash boot-debug.img. By doing so, you get the adb root command, and the disable-verity options, way better than wiping vbmeta, which contains the 'is it rw, or ro' of every file in every partition to be mounted in their own partitions, but what most dont know, is each file mounted in it's own mountpoint also has the information contained by vbmeta, but for each seperate file. So unless you add the /null (one for system, the other for vendor) after the disable-verity...
Nah, wipe most of your directory structure, then wonder why in a RW-able system, it still dont work. Because each file in it's own mountpoint knows if the system directory SHOULD be ro or rw. That's EACH and EVERY stock file in it's OWN mountpoint, has the RW or RO inf for the system & vendor directory, ie, is system RW?
Example: Camera wont work, get it?
In the end, this is how I went about installing su.
Flashed boot-debug.img did NOT flash recovery. Flashed meefik busybox-arm64 to f'n, but did NOT install it, instead, I opened it to install it, top left, saved the busybox-arm64 and then flashed twrp, and while there, flashed the system_rw, to defeat the system_RW saying not enough space, I chose 1024, did the copy over of super_fixed, then rebooted, enabled system, THEN flashed the busybox-arm64 from twrp, and rebooted.
Results: I copied the busybox-arm64 su, from xbin to system. In order to defeat the system_RW saying not enough space, I chose 1024. Round numbers matter with system_RW, same senario as memory, so use sizes equal to how memory works. ie, 32, 64, 128, and multiples of.
Look at the adb posts in my closed thread.
With Su installed, I have to type exit TWICE to exit. without su in system, exit only needs typed once.
Now here is why I continue. I found root, but dont have the experience, but it's like this:
See all those lovely new file that end in .cel? Mine says platinum. That means I AM ROOT. By swapping out .cel files, I have all the access magisk denies me. .cel files... get on it devs... swap them out, try try try... find what I found.
I dont actually need su, but i need it for some apps. What I have proven, is that SU does NOT kill android 10_Q.
variant=user or variant=eng, is NOW dependant on .cel files, like, say, boot-debug.cel.
Have a nice discovery... I hacked googles latest offering my-cel-f
Edit: Cel files are found in the bootloader, a zero byte file, the file NAME decides what the loader can or cant do, PERIOD.
New root tools only require swapping these out, as well as a few system edits when done.
Ok, slight mistake in spelling so I'll add the following for you to 'see'..
userdebug_plat_sepolicy.cil
So it's not cel as I wrote in the first post, my point being just as valid.
Platinum clearly states there are more who's names I have yet to obtain...
Theoretically in my mind, if I swap the .cil file in the bootloader for say hypothetically:
engdebug_plat_sepolicy.cil... with the few edits seen in the android 10 notes I posted from china, the one where people say 'too much hassle' - I say, for them. Those notes show the rest of the cil files, so yeah, I got root OPTIONS to play with
Stay tuned for more scottish inventor style NOTES.
Edit: for the record: https://source.android.com/compatibility/vts/vts-on-gsi