NEW - March 2011
A method of booting custom kernels (using kexec) has been developed. Thanks Bin4ry, zdzihu, MrHassell, blagus, and all other devs who are working hard to make this stable.
The bootloader protection has been bypassed!
zdzihu said:
Bootloader is broken/bypassed!
Big bad huge font to avoid confusion =)
@Goroh_kun:
Buddy, I know you're still reading this forums so... I just want you to know that you are absolutely BRILLIANT. You're a STAR.
BIG thanks for all your contributions into this project! Nothing, and I mean NOTHING would happen without you.
@devs:
{
"lightbox_close": "Close",
"lightbox_next": "Next",
"lightbox_previous": "Previous",
"lightbox_error": "The requested content cannot be loaded. Please try again later.",
"lightbox_start_slideshow": "Start slideshow",
"lightbox_stop_slideshow": "Stop slideshow",
"lightbox_full_screen": "Full screen",
"lightbox_thumbnails": "Thumbnails",
"lightbox_download": "Download",
"lightbox_share": "Share",
"lightbox_zoom": "Zoom",
"lightbox_new_window": "New window",
"lightbox_toggle_sidebar": "Toggle sidebar"
}
@SE: lads, it's your turn now - please unlock it already. I promise we won't brick our phones
@all: DON'T ask for details. I will post here when I'm ready to do so. Today (I guess?) is the Arc release date and stuff, I don't want to mess around...
Still busy working abroad,
Cheers,
z
Click to expand...
Click to collapse
Link to 2.1 alpha kernel (2.6.29)
http://forum.xda-developers.com/showpost.php?p=12578251&postcount=848
OLD
Important info!
http://forum.xda-developers.com/showpost.php?p=12298790&postcount=811
Link to FlashTool
http://forum.xda-developers.com/showthread.php?t=920746
Here are some posts:
MrHassell said:
Yes and yes - while rebooting and as zdzihu previously reported kexec is viable.
http://forum.xda-developers.com/showpost.php?p=8714275&postcount=407
zdzihu
override partition table using kernel command line. Tried (via kexec) and it worked.
Code:
mtdparts=msm_nand:[email protected](appslog),[email protected](cache),[email protected](system),[email protected](userdata),[email protected](loader)
Bin4ry - tawrite - http://forum.xda-developers.com/showpost.php?p=8931422&postcount=442
cat /proc/mtd
mtd0 cache
mtd1 appslog
mtd2 userdata
mtd3 system
My final post on the subject. Have better things to do now the media have landed au reviour.
Click to expand...
Click to collapse
Bin4ry's kexec kit posts
http://forum.xda-developers.com/showpost.php?p=12240639&postcount=708 - V1
http://forum.xda-developers.com/showpost.php?p=12245719&postcount=711 - V2
http://forum.xda-developers.com/showpost.php?p=12260334&postcount=724 - V3
MrHassell's V3 test log
http://forum.xda-developers.com/showpost.php?p=12261764&postcount=729
21st March 2011, onwards
Bin4ry said:
Can you try to run it on chargemon script instead of xRec?
So that we can run it at the very beginning of boot process. Maybe this is a solution!
This should work in the chargemon script:
exec /data/local/tmp/run.sh
WARNING!
JUST TRY THIS IF YOU KNOW WHAT YOU ARE DOING !
Regards
Click to expand...
Click to collapse
Androxyde said:
chargemon the safer way :
Just before recovery if then else :
if [ -e /data/local/tmp/kexec ]
then
rm -r /data/local/tmp/kexec
exec /data/local/tmp/run.sh
fi
so from the OS, touch /data/local/tmp/kexec the reboot and it will boot the kexec script and remove the kexec file so that the next boot or reboot will go fine
Click to expand...
Click to collapse
Bin4ry said:
So, 2 users with bb58 had booted fine then WLOD.
Seems the initial idea is working
Now fix the problems and all is good ?
Regards
Click to expand...
Click to collapse
DooMLoRD's test
http://forum.xda-developers.com/showpost.php?p=12266289&postcount=750
Bin4ry's edited chargemon file
http://forum.xda-developers.com/showpost.php?p=12266422&postcount=753
Comment from DooMLoRD - actually about the above file.
DooMLoRD said:
just an additional comment...
the following chargemon will work only for recovery flashed through Flashtool v0.2.8 for stock roms only
also please do not try that chargemon on CM7RC2 roms (u wont be able to get into the OS cause recovery on CM7RC2 is shifted to /system/recovery/
also the line chroot / /init will work for 2.3 roms but is not compatible with 2.2 roms... for 2.2 roms u need /system/bin/chroot / /init
Click to expand...
Click to collapse
x10b's test
x10b said:
boot.img installed >> boots normal got my radio, wifi , everything works fine...
FW : 2.1.1.A.0.16
BB : 2.1.58
test ok......
Click to expand...
Click to collapse
x10b's test video
http://forum.xda-developers.com/showpost.php?p=12287032&postcount=798
DooMLoRD's edited (universal) chargemon file
http://forum.xda-developers.com/showpost.php?p=12267053&postcount=762
Important for 'non-devs' - also look at DooMLoRD's post ahead
wolfilein said:
@all
you shouldn't flash the file with xrecovery!
you should extract it to
/data/local/tmp/
on you phone
and replace the /system/bin/chargemon with the one bin4ry has posted some posts ago
after that make it executable
with
chmod 755 /system/bin/chargemon
then create the file /data/local/tmp/kexec
with
touch /data/local/tmp/kexec
and then reboot you phone should load the new kernel
Click to expand...
Click to collapse
DooMLoRD's post in reply to above:
http://forum.xda-developers.com/showpost.php?p=12267467&postcount=766
jerpelea said:
cm7 boots with custom kernel
Click to expand...
Click to collapse
More testing:
DooMLoRD said:
test with Stock SE ROM FW: 2.1.A.0.435 | BB: 2.1.54
booted into OS but no radio, strange question mark symbol on top of battery symbol (in notification bar)... phone rebooted in few seconds couldnt get into "About Phone"... though no LED notifications of any sort... even have made a video of boot up process [it look good on handset ] will post it here in a while
EDIT:
on second attempt tried to get to "About Phone" asap... under "Kernel Version" it was "unknown"... and then the system immediately rebooted...
keep up the great work Bin4ry and all other devs...
Click to expand...
Click to collapse
DooMLoRD's bootup video
http://forum.xda-developers.com/showpost.php?p=12269301&postcount=775
Androxyde said:
I am on stock firmware A.0.16
I modded my chargemon to implement booting cust kernels from it and a gscript script shortcut on the desktop to reboot.
I tried these :
Reboot custom kernel with stock BB .58 : booted / no radio / reboot in less than 1 minute
Reboot custom kernel with BB 55 : same as with .58
Reboot custom kernel with BB 52 : booted / no radio / no reboot
Reboot stock rom with BB 52 : no radio
So with my last try I cannot conclude anything about the "no radio"
Will keep you informed with my further tests
Click to expand...
Click to collapse
More tests from DooMLoRD
http://forum.xda-developers.com/showpost.php?p=12272634&postcount=784
http://forum.xda-developers.com/showpost.php?p=12282471&postcount=789
http://forum.xda-developers.com/showpost.php?p=12303304&postcount=812
Bin4ry's kernel patches, config and build script from zdzihu:
http://forum.xda-developers.com/showpost.php?p=12272201&postcount=781
Bin4ry's kernel based on SE .435 kernel sources
http://forum.xda-developers.com/showpost.php?p=12275044&postcount=786
Aeny's tests
Aeny said:
x10i | J's CM7 RC2 V10a | BaseBand 2.0.46 | boot.img: 22.03.11-00_25
-Same behavior as BB 2.0.52
-(Stock kernel + this BaseBand = WLOD reboot loop.)
x10i | J's CM7 RC2 V10a | BaseBand 2.0.49 | boot.img: 22.03.11-00_25
-Same behavior as BaseBand 2.0.52
x10i | J's CM7 RC2 V10a | BaseBand 2.0.52 | boot.img: 22.03.11-00_25
-Screen not waking up by pressing any buttons, to wake up press any button, then press the screen. If "Screen-on" and/or "Screen-off" animations are enabled in CM-Settings then screen cannot be woken up at all.
-Battery shows a percentage, but does not indicate charging, however the battery level is going up.
-Time seems to update once every few (10~11) minutes instead of every minute & always starts counting from 1/1/1970 -1h:00m at boot.
-WiFi shows "error" under settings but does magically work, just can't be turned off.
-Bluetooth doesn't want to turn on.
-Baseband: "Unknown".
-Kernel Version: 2.6.29Bin4ry "[email protected] #1".
-no reboots (running 15minutes).
-screen doesn't auto-turn off but dims instead.
-Battery status shows as "unknown" under settings -> about phone -> status.
-No USB.
-LED doesn't light up while charging.
x10i | J's CM7 RC2 V10a | BaseBand 2.1.54 | boot.img: 22.03.11-00_25
-Freezes after 2~5seconds(can't see if WLOD because LED doesn't work).
-(Stock kernel + this BaseBand = WLOD reboot loop.)
x10a | J's CM7 RC2 V10a | BB 2.1.54 | boot.img: 22.03.11-00_25
-Freezes after 2~5seconds->reboot(can't see if WLOD because LED doesn't work).
-(Stock kernel + this BaseBand = WLOD reboot loop.)
Click to expand...
Click to collapse
Aeny said:
x10i | Build: 2.1.A.435 | BaseBand: 2.1.54 | boot.img: 22.03.11-00_25
-Booted into OS: YES
-Radio: NO
-Reboot in few seconds: YES
-Questionmark on battery: YES
-BaseBand: Unknown
-kernel: 2.6.29Bin4ry [email protected] #1
x10i | Build: 2.1.A.435 | BaseBand: 2.1.58 | boot.img: 22.03.11-00_25
-Booted into OS: YES
-Radio: NO
-Reboot in few seconds: YES
-Questionmark on battery: YES
-BaseBand: Unknown
-kernel: 2.6.29Bin4ry [email protected] #1
x10i | Build: 2.1.A.435 | BaseBand: 2.1.54(a) | boot.img: 22.03.11-00_25
-Booted into OS: YES
-Radio: NO
-Reboot in few seconds: YES
-Questionmark on battery: YES
-BaseBand: Unknown
-kernel: 2.6.29Bin4ry [email protected] #1
x10i | Build: 2.1.A.435 | BaseBand: 2.1.55(a) | boot.img: 22.03.11-00_25
-Booted into OS: YES
-Radio: NO
-Reboot in few seconds: YES
-Questionmark on battery: YES
-BaseBand: Unknown
-kernel: 2.6.29Bin4ry [email protected] #1
Back to CM7 for me, SE's rom felt like playing a game @ 2FPS.
~Aeny
Click to expand...
Click to collapse
Ahmed radi's tests
Ahmed radi said:
boot.img: 22.03.11-00_25 / FW: SE 2.1 / BB 2.1.54
its work great !
boot normaly then radio work and WiFi also work !
boot.img: 22.03.11-00_25 / FW: SE 2.1 / BB 2.0.52
freeze on SE logo fo about 5~9 sec | no radio (insert SIM) | Wifi work
@ Bin4ry
good look bro
Click to expand...
Click to collapse
Ahmed radi said:
@ DooMLoRD
good now we have conferm that bin4ry kernel work with .54
i try also 52 but there is no radio !
i reflash the phone with 54 BB but also get no signal !
any idea about this ?
@bin4ry
could we convert the .img to .sin ?
Click to expand...
Click to collapse
Bin4ry said:
No, sin is the signature header. For that we need the signing key and we don't have it!
Regards
Click to expand...
Click to collapse
Ahmed radi said:
good lack Bin4ry !
test report :
X10 2.1 .435
BB54
run gr8 ,with Xda then reboot in se rom with radia and i test wifi and its work also!
edit :
BB58 also just like above !
>after we have sacsesfully loud Bin4ry kernel , could we have muiltitouch(not just dual) ? thanx
Click to expand...
Click to collapse
More info from Bin4ry
http://forum.xda-developers.com/showpost.php?p=12285626&postcount=795
shyvue's test
shvyue said:
I'm new to this but what i did is, copy all files from bootkit to /data/local/tmp
adb shell
$ su
# chmod 06755 run.sh
# ./run.shls
Phone shows fast-usb reboot, then a cute dog at top-left, then xda-developer with brown background.
SE stock image:
2.1.A.435
x10i-2.1.58 white led after xda-developer image then reboot with SE logo, etc
x10i-2.1.54 white led after xda-developer image then reboot with SE logo, etc
Click to expand...
Click to collapse
mpasanthosh's test
http://forum.xda-developers.com/showpost.php?p=12311351&postcount=816
Starting from 14th January 2011
blagus said:
Hi to all developers!
I haven't read whole thread, but I'm sure bootloader hasn't been cracked yet.
I spoke to a source who know really a lot about SE phones. He has been investigating X10 a lot and I got some info from him. He might be able to give me some further info but only if you are willing to read and try to accept my post and not just tell me "Xperia is different SE phone".
Believe me, he knows a lot about how X10 boots/works, and what's happening inside it (software part). He's been investigating phones since DB2020, and knows something about phones even before that.
As first, when I told him about "bootloader" he wasn't 100% sure what is that.
Most correct structure of X10 boot process and all "parts" involved is:
first, "real" ROM, which is actually one time programmable and can't be ever reprogrammed, is started.
In EROM, there's signature which is checked by ROM at beginning of boot - if signature is OK, ROM proceeds with running EROM and leaves it to continue boot process.
That is: checking signatures of everything that it runs directly, and then launches it if signatures are OK.
He also said that ROM is very incorrect name for phone's firmware - because ROM is actually thing that I mentioned above. Of course, you don't have to rename all ROMs to FW now, however it would be good if at least here in development thread correct names are used because that would help you, me in understanding what you're talking about - because I have knowledge from A1/A2 series and now he proved me that I was right about what I was saying - and him in understanding and possibly some further small tips.
He said that the thing that launches actual firmware - Android, is S1Boot, and it actually is in some structural way connected with A1's EROM and A2's SEMCBOOT.
(That is the thing I've been trying to say some time ago however no one was listening to me, nor wanted to check it - everyone was just saying "No, this phone is different from other SE phones.)
That then means that getting developer (more understandable - "brown") loader.sin - which actually contains S1Boot, or as you probably call it, bootloader - won't help you because in that S1Boot, there are flags that define if brown image will be accepted or not.
Also, in ROM there is root certificate (Qualcomm), "first in the chain" he said, not Red - retail, or Brown - developer one. S1Boot is also signed with that root certificate, and even existing S1Boot in our Xperias contain both Red and Brown certificates (unlike on A1/A2, where there is either red which accepts just red flashes, or brown which accepts them all), and only thing that differs is flags which tells EROM/S1Boot should it accept brown flash or not.
Note: Do not mix root certificate that is S1Boot signed with, and Red/Brown located inside it!
You can easily check this by opening existing, "usual" available for download here loader.sin in Notepad and you'll first find few certificates - S1_loader_root, S1_EROM_root, etc. and after that S1_loader_test, S1_EROM_test, etc. - same names, but instead of root it says test - this proves that there are both red and brown certificates.
He also said that
"brown sin-s can be self-produced... usually the brown RSA keys are available".
That means that if we put brown RSA key before header of pre-patched loader.img, we would get brown signed loader.sin, and we would just have to find a way to change flag to make the phone accept that brown image.
About pre-patching: yes, S1Boot has to be patched in order to accept unsigned flashes - whether it's just changing those flags, or rewriting it - however in that case still original root certificate must stay inside because it's checked by ROM.
And last thing is that he said that "SE used to disable Jtag on retail phones".
I remember that someone here mentioned Jtag but I don't know what was the result.
To receive further help/tips from him, following questions must be answered:
Question 1: To what exactly do you refer when speaking about bootloader? Now when I explained about S1Boot, can we actually say that bootloader = S1Boot (similar to) > A1's EROM (similar to) > A2's SEMCBOOT?
Question 2: What's contained in boot.img, if S1Boot is inside loader.img/loader.sin?
Best regards
Click to expand...
Click to collapse
25th January 2011
Bin4ry said:
Anyone wants to try my modded kexec-tool? I hope i have found a solution, but don't know yet, because my netbook still compiles the kernel ..... (for another 20 hours )
Regards
Bin4ry
Click to expand...
Click to collapse
Bin4ry said:
Since Maxrfon didn't answered my last mail again (he's very busy now) i had spare time and worked on this little tool once more =)
I hope we can boot another kernel with kexec-tool now.
for that we need a zImage and a initrd + some bootparameters for the kernel (root partition)
So if anyone want to try i would be lucky. My compilation was broken and now i have to start again :'(
So i anyone here wants help to try i would be lucky =)
Regards
Click to expand...
Click to collapse
26th January 2011
Bin4ry said:
Yes a initrd is needed, because i have not found the initrd location in virtual memory now, so i cannot point to it from kexec
Code:
kexec -l /zImage --apend="root........" --file="/initrd"
kexec -e -f
also you should appen the root partition.
It would be nice if someone could upload a zImage, i'm still stuck in compiling it *LoL* ****ing netbook is compiling 15 hours and then it aborts with some errors ^^
Regards
Click to expand...
Click to collapse
blagus said:
Put kexec in /system, chmod 777
Put ramdisk_orig.tgz and zImage to / and chmod 777
Code:
# kexec-tool -l /zImage --append="/" --initrd="/ramdisk_orig.tgz"
# kexec-tool -fe
After reboot zImage and initrd dissapear from /
Maybe if I put them in /system... I'll try that and let you know result.
Click to expand...
Click to collapse
Bin4ry said:
@Shamux thanks for the kernel.
@blagus:
You have to append the root partition to kernel parameters, else it will not detect it!
It's just like you want to boot a normal kernel on pc
Try adding --append="root=/dev/blablabla rw"
check which one is root partition (don't know now) and then check again if it works.
What we really neew is some kmsg log or smth.
Also Z mentioned to compile the kernel with semc-es209ra-capk config.
A minimal config will be a better way to start because something is breaking up we cannot find it.
But if we can boot minimal kernel, we can try to add more and more step by step and find the problem =)
Regards
Click to expand...
Click to collapse
blagus said:
Hmm... then, a little bit of experimenting is required...
I've got new info regarding bootloader cracking, from my source again
In theory it's very simple and you probably know that already: we calculate prime numbers that public key is made from - one key is enough, second can be calculated with
key ÷ 1st prime formula. But, you already know that.
Now, how to get these keys? Probably you know that too but let me repeat:
with OpenSSL we can get certificates from loader.sin. For example, this is interesting part of S1_loader_root (root certificate):
Code:
Subject Public Key Info:
Public Key Algorithm: rsaEncryption
RSA Public Key: (1024 bit)
Modulus (1024 bit):
00:ea:a5:f7:7d:bd:67:21:33:04:00:ea:91:b0:c6:
cd:38:6c:aa:da:60:c1:77:e2:24:67:be:b7:da:4f:
e6:e5:92:fd:5b:b4:1a:97:54:cb:2f:7d:b1:63:e3:
d4:43:b9:a6:91:70:36:9f:5f:3a:7a:0e:2c:a7:44:
3b:40:84:0f:40:79:4a:b7:e8:58:d7:47:15:29:79:
07:b7:65:7b:d3:6d:40:10:29:78:c5:8f:51:b0:6e:
38:a9:97:1c:ff:1e:e5:bc:0d:22:1c:08:22:db:ad:
40:6f:2f:28:8a:8f:5c:38:d3:2a:96:72:48:66:28:
07:80:11:f1:62:f9:d3:40:a7
Exponent: 65537 (0x10001)
Modulus here is public key.
Just give this modulus to the CPUs and GPUs and let them calculate primes.
With these primes, calculation of private key should be trivial.
Update: this key is what we need to crack, that's it. Then, we can even make our own certificate - just like now there are, for example, s1_loader (Red, retail) and s1_loader_test (Brown, developer), we can make our own s1_loader_xda... and then, if it's issuer is S1_Loader_Root_f851 (like it is in root certificate attached here), and it is present in all parts of loader.sin (signature, signature of loader payload data) then phone will accept it.
Yes, that's right: this "Modulus" number above is the one that we need to crack in order to modify bootloader.
Update: if there's something confusing in this certificate, it's probably the fact that it's issuer and subject are same: yes, it's self-signed. But unfortunately, it won't work if we make our self-signed certificate
Click to expand...
Click to collapse
arkedk said:
Don't know if this is any help or useful info for any of the devs.
But managed to check the code in the lib_s1_verification.so file
Here's the boot sequence.
These files is what I know has something to do with the s1:
/lib/lib_s1_verification.so
/bin/linker
/bin/s1_verification_test
I don't know what I'm looking at here, but just wanted to see if I could make some kind of contribution to get the bootloader opened up.
Also attached the dedexed files from within semc_bootinfoif.jar if those are useful to anyone.
Assuming this is the Booting Sequence:
Click to expand...
Click to collapse
I tried typing in 'adb root enable' and this appeared (see attachment).
If we can get a developer rom somehow, we could enable root.
If unclear, it says that 'adbd cannot run as root in production builds'.
I think that Sony Ericsson's adb drivers are causing this. If we could hack into the official android one, we could maybe unlock some adb commands (adb shell doesn't even allow any command to work!)
Very good idea to start a new thread. Please someone of the moderators delete all future comments that are not related to root!
I finally compiled the tardis program but it doesn't work
Here my original post :
-----
This didn't work on X10. But possibly someone will try it on other devices.
Usage: ./tardis <BIG FILE>
Big file should be ~ 100mb
------
-Bin4ry
Gathered Information about the kernel and mount points so far:
Kernel Version: Linux version 2.6.29-rel ([email protected]) (gcc version 4.2.1) #2 PREEMPT Wed Mar 10 16:53:36 JST 2010
(notice it's been compiled on march 10 so it might have been patched until february)
Internal flash partitions:
/dev/block/mtdblock2 /system yaffs2 ro 0 0
/dev/block/mtdblock3 /data yaffs2 rw,nosuid,nodev 0 0
/dev/block/mtdblock1 /cache yaffs2 rw,nosuid,nodev 0 0
/dev/block/loop0 /cdrom iso9660 ro 0 0
4Mb ramdisk: tmpfs /sqlite_stmt_journals tmpfs rw,size=4096k 0 0
Inside the software update package, there are a lot of files:
update.xml -> update template, it says not to erase amss_fs.sin, maybe that's why it's empty...
preset.ta ->
Inside there's this:
Code:
// preset.ta has same format as TA file generated by FXTool
// Specification document: 69/159 35-LXE 108 116 Uen, Rev PA3
// Format:
// [TAPartition<HEX8>]{1}
// [UnitID<HEX32> UnitSize<HEX16> Data<HEX8>{UnitSize}]{n}
// (c) Sony Ericsson Mobile Communications AB, 2009
02
000008FD 0010 00 00 08 00 05 00 00 00 0E 00 00 00 08 00 00 00
00000961 0004 FE FF FF FF
amss_fs.sin -> no idea...but it seems empty as the cache 639 byte
apps_log.sin -> template for wiping mtdblock0 partition? (639 byte)
cache.sin -> template for wiping cache partition (like data partition, 639 byte)
fota0.sin -> ?
fota1.sin -> ?
boot.sin -> our beloved boot.img? (5.4 mbytes)
recovery.sin -> it looks like we have a recovery mode after all (not just safe mode)
dsp1.sin -> dsp firmware?
amss.sin -> Radio firmware?
metadata.dat -> 536 bytes, I guess it will be package metadata
simlock.ta -> 1,3 kb
system_S1-SW-LIVE....sin -> 195Mb, system partition
userdata_S1-SW-LIVE....sin -> 4,8kb, template for wiping data partition, maybe it has some file in there... haven't checked yet.
Things I tried so far:
m7 exploit. It seems fixed on this kernel (that or it might need some tinkering to the code)
exit_notify() local root exploit. suid_dumpable is 0 on /proc, so useless
h00ly**** exploit. Bin4ry tried this, but it seems it didn't work either.
Good thing: Sony Ericsson update service is programmed in java, and lollylost100 has already managed to make the program dump update images decrypted, so we might have a chance with that.
Also, bootloader starts if you take out the battery, plug usb and then turn it back in. It goes on for 10 seconds, after that, it times out and reboots to normal. So maybe if we don't mess with the bootloader we can restore it no matter what happens to the rest of the flash (don't trust this much)
About the mtd partitions, there are only four visible to Android, but there have to be more.
Radio partition, recovery partition (if it flashes it will be somewhere, unless its just a kernel+ramdisk that boots when in 'safe mode'), bootloader and such. Where are they hidden?
I have a copy of the running configuration for the kernel from .16 version, if anybody wants, I can put it somewhere.
If you wan't to retrieve it from your phone just do:
cat /proc/config.gz > /sdcard/config.gz
from adb/local terminal.
@HunteronX: that error it gives you is because you need a dev firmware, or being able to do a 'su', to get root access, it's not a driver problem. If you do "adb shell" you get a terminal with user id 2000 (shell), but no way of getting id 0 (root) with official firmware (unless hacking).By the way, that post you pasted from me is very outdated and there's not much useful information so you can remove it from the first post Thanks for starting a new thread, hopefully we'll manage to keep it clean!
Regards, Biktor
biktor_gj said:
update.xml -> update template, it says not to erase amss_fs.sin, maybe that's why it's empty...
Click to expand...
Click to collapse
Code:
<?xml version="1.0" encoding="utf-8" ?>
<UPDATE>
<NOERASE>amss_fs.sin</NOERASE>
</UPDATE>
HunteronX said:
I tried typing in 'adb root enable' and this appeared (see attachment).
If we can get a developer rom somehow, we could enable root.
If unclear, it says that 'adbd cannot run as root in production builds'.
I think that Sony Ericsson's adb drivers are causing this. If we could hack into the official android one, we could maybe unlock some adb commands (adb shell doesn't even allow any command to work!)
Click to expand...
Click to collapse
This information is Wrong.
ADB is not allowed to run as root on Any production builds, not only Sony Ericsson.
Also all "normal" ADB commands work.
My Contribution: The only Directory where you can put native executables is /data
sim-value said:
This information is Wrong.
ADB is not allowed to run as root on Any production builds, not only Sony Ericsson.
Also all "normal" ADB commands work.
My Contribution: The only Directory where you can put native executables is /data
Click to expand...
Click to collapse
confirmed, all production build android we couldn't enable root. that is too easy.
we do can write and excute in /data. It use to be an exploit moving data form
/data to /system but now that hole is close, thoe move request get kill on the way.
Still no sign of recovery or bootloader access. ADB reboot won't help as you will get the normal bootup screen.
SEUS flash mode can be turn on and detect USB SEMC Flash Device in Linux and Mac OS, but after 20 - 30 second
it will shut it self and reboot in normal mode. there might be some trigger here.
funfobia said:
confirmed, all production build android we couldn't enable root. that is too easy.
we do can write and excute in /data. It use to be an exploit moving data form
/data to /system but now that hole is close, thoe move request get kill on the way.
Still no sign of recovery or bootloader access. ADB reboot won't help as you will get the normal bootup screen.
SEUS flash mode can be turn on and detect USB SEMC Flash Device in Linux and Mac OS, but after 20 - 30 second
it will shut it self and reboot in normal mode. there might be some trigger here.
Click to expand...
Click to collapse
Ok, thanks for telling me that - looks like i've got a lot to learn...
@biktor_gj I've hopefully now removed all the information you wanted.
/data is not the only place where you can run binaries, you can also execute them from /sqlite_stmt_journal ramdisk. The only issue is after rebooting the phone files will disappear, but /data has the nosuid flag enabled on the mount command, but that flag doesn't exist on the sqlite tmpfs.
Regards
I just sniffed yesterday the packets when SEUS is connecting to the Sonyerricsson Serve.
What I found out is that SEUS is requesting following IP: 195.95.193.10
If you enter this in your browser it returns following:
ma3.extranet.sonyericsson.com
There you can download a software called EMMA. Someone knows what's that for a software?
goroh_kun said:
I uploaded mtd dump program for xperia with my mtd_nand_ex module.
It includes souce code, and static linked binary.
http://hotfile.com/dl/52240500/a1a6e72/mtd_raw_dump.zip.html
With normal mtd-utils(nand-dump), you can't rip complete nand image.
so I have to change mtd mode to RAW MODE.
the raw image includes OOB(Out Of Band) area, so we have to
calculate ECC(Error Correction Code) to get its executable image.
Click to expand...
Click to collapse
I write program to rip original image from mtd raw image.
http://hotfile.com/dl/52522564/4d776ac/mtd_analyze.zip.html
I'm working to figure out how oob area works.
if you have any information please contact me, or write message here!
Try another method to run modified kernel.
hi, all
I found that the method modifying boot or recovery area is not good way,
because these partition are signed with SE signature, and it seems that
bootloader check its SHA hash and signature everytime on boot process.
so I try another approach that
execute another kernel, from original SE kernel like kexec method.
but original SE kernel is not configured with CONFIG_KEXEC.
so I have to modify kexec interfaces from system calls to proc filesystem
access.
http://hotfile.com/dl/52604229/240e97c/kexec_ex.zip.html
http://hotfile.com/dl/52609760/96288b5/kexec-tools.tgz.html
It seems work to boot new kernel. you have to build kernel with initrd image.
wait for details..
we have 2 options
patch loader or go kexec
flash tools for x10 nand
happy play
http://hotfile.com/dl/53734913/3b68720/flash_tools.tar.bz2.html
rosco16 said:
Great!!!
If you had flashed NAND ...is it correct to say that x10 is root 100% already ??
cheers
Click to expand...
Click to collapse
NO
- we can dump and flash nand (tested tools)
- SE boot (kernel is signed like .sin files) and our boot is not signed so it will not boot
WE need kexec to load our kernel or patch bootloader not to check for signed kernel
@custom rom Cyanogen V6 alpha is compiled but we can not boot it
zephyrix said:
Dump the bootloader, patch it, then rewrite.
Click to expand...
Click to collapse
)
you are so funny
if it was that simple we would do it
zephyrix said:
Dump the bootloader, patch it, then rewrite.
Click to expand...
Click to collapse
First, bootloader and fota applications have some kind of lock and cannot be read (unlike boot, recovery amss & dsp). Second, to patch a bootloader you need to disassemble it, find all the points where it checks for signatures, and patch them. Then you need to test it, and if you mess it once, 400$ phone to the trash. Much more useful to have kexec working, since with it you could, in theory, boot the bootloader from ram, to check if patching goes good and do all the testing withour breaking anything. And you could run a kernel of choice.
Things aren't as easy as that I'm affraid...
How to dump bootloader
Hi, all
try this to dump your bootloader.
http://hotfile.com/dl/53890681/9e4b303/spldump.zip.html
the SPL image remains in internal RAM address 0x0 - 0x100000.
I wrote a driver to dump this area through /proc/splimage.
goroh_kun said:
Hi, all
try this to dump your bootloader.
http://hotfile.com/dl/53890681/9e4b303/spldump.zip.html
the SPL image remains in internal RAM address 0x0 - 0x100000.
I wrote a driver to dump this area through /proc/splimage.
Click to expand...
Click to collapse
I love you goroh, thank you very very much
On a side note, is it just me or it is full of checks everywhere?
biktor_gj said:
I love you goroh, thank you very very much
On a side note, is it just me or it is full of checks everywhere?
Click to expand...
Click to collapse
yep is full
thanks goroh
but dump seems to be wrong
after 0x3000 is padding
next block is at 0x100000
@kexec we need to somehow patch it to load the loader
Coolpad 5560s - MegaThread: Info / Root
We are now ROOTED. I think we are the first too.
If you have any additional info, binaries, etc -- feel free to contribute!
USE AT YOUR OWN RISK
*** UPDATE ***
Fellow XDA'r stevenmirabito put together an all-in-one tool! If you wanna dig into the technical stuff follow directions below if not... check out his post!
*** UPDATE ***
USE AT YOUR OWN RISK
Updates:
17 Feb 2015
The fun begins ...
---> USE AT YOUR OWN RISK --->DOWNLOADS:
ALL TOOLS AND DOCUMENTS ARE for non-commercial, personal, and educational use only.
You assume all risks and liabilities.<--- USE AT YOUR OWN RISK <---
Big thank you to: stevenmirabito, keebler64,.. and all the other folks that contributed.
Proof of Concept
Code:
- Root is pre-cooked into the image.
- Root survives reboot.
- Note that the superuser daemon is.. rigged into one of the init.qcom.post-boot.sh files -- may break things. :P
[U]Removed:[/U]
- system/priv-app/Cota*.apk/odex
- system/app/CP_*.apk/odex
- system/etc/security/otaupdates.zip.
- system/etc/ recovery-data.dat (not the exact name -- but removed)
[U]Added: [/U]
- system/app: fdroid.apk, es file manager.apk
- system/xbin/su, system/bin/su (linked), /system/app/Superuser.apk ---> Clockworkmod's Superuser. :)
[U]BUGFIX for Proof-Of-Concept:[/U]
- From: stevenmirabito: --> see [URL="http://forum.xda-developers.com/showpost.php?p=58913680&postcount=55"]post #55[/URL]. <--- the Setup Wizard was disabled.. somehow... :P
It does work.. you can dump the partitions.. and it [U]appears[/U] that you *can* write to the boot/recovery.
HOWTO: Creating your own a custom system.img for flashing with the sda-flashtool
Code:
# Remove the following hex sequences from the stock system.img
# These are the only thing that stop the image from being a normal ext4 raw image.
"30 3C 38 30 30 30 30 30 2E 2E 2E 2E" (Three total)
"30 30 32 39 3D 39 36 38 2E 2E 2E 2E" (One)
# Convert the now fixed system.img to a raw ext4 image to mount using simg2img (linux or possibly windows)
simg2img system.img system.raw
# Mount the raw image using loop (linux)
mkdir rawsystem
mount -t ext4 -o loop system.raw ./rawsystem/
# When you are finished making changes - create a new_system.img using the 4096 sparse format.
make_ext4fs -s -l 1024M -b 4096 -a system new_system.img rawsystem/
# move the new_system.img to the sda-flashtool directory (in windows) :)
# run sda-flashtool
sda-flashtool
# note that the sda-flashtool takes care of the injecting the headers --- even with file size changes..
# semi-major bug right now is the new_system.img needs to be at least 600mb. Will be fixed soon?..
# Have fun!
Recovery / Fastboot Modes
Code:
[I]Recovery Mode[/I]
Power-off, Pull Battery, Press VOL UP & VOL DOWN then Hold Power until Logo. Release Power. Recovery Mode should start in 5-10 seconds.
[I]Fastboot Mode[/I]
Power-off, Pull Battery, Connect USB to computer, Screen should read: "FASTBOOT".
To enable developer options / ADB Debug
Code:
Menu -> Settings -> System -> About Phone -> Tap the 'Build Number' about 5-10 times -> a Message should pop up 'you are now a developer'
OTA / Calling home urls to block in your router (stock image)
Code:
*51coolpad.com, *izatcloud.net, *cootek.com, and *coolpadfuns.com << OTA test server.
Old Root / Progression Log -- moved here for clarity
Code:
16 Feb 2015
[LIST]
[*] System images now flashable. :D
[/LIST]
11 Feb 2015
[LIST]
[*] New Header calculations now verified against all the known stock headers. :good:
[*] Footers: 2 bytes of :confused:
[/LIST]
10 Feb 2015
[LIST]
[*][STRIKE]The headers are back on the todo list.[/STRIKE] FIXED. :)
-Due to the way Bless (hex editor) formats its conversion table, it appeared like the images headers first 4 bytes were converted to a hex string which became the 2nd set of 4 bytes and those bytes summed to the 2e 2e 2e 2e. It looked like it was a simple subtraction/mask issue. Its a bit more. :/
-[STRIKE]Also it appears that both the bootloader and the recovery have a seperate ramdisk partition which is an overlay(?) and so it needs to be flashed as well.[/STRIKE]
[*][STRIKE] Figured out the Headers. Now to the footers.[/STRIKE]
[*] Now able to transfer data w/o being timed out.
[*] Very close to a working custom flash tool.
[/LIST]
06 Feb 2015
[LIST]
[*] More OTA servers to block: *51coolpad.com, *izatcloud.net, *cootek.com, and *coolpadfuns.com << OTA test server.
[/LIST]
28 Jan 2015
[LIST]
[*] Posted older CPB file format found on google translate.
[*] [URL]https://translate.google.com/translate?sl=auto&tl=en&js=y&prev=_t&hl=en&ie=UTF-8&u=http%3A%2F%2Fwww.in189.com%2Fforum.php%3Fmod%3Dviewthread%26tid%3D814196&edit-text=&act=url[/URL]
[*] [STRIKE]Posted a method that would easily brick the phone, but does allow flashing recovery.[/STRIKE] <--- don't do this.. very possible to brick the modem areas of the phone. What you are actually doing when using this method is transferring the remaining bytes of a modem/sbX transfer .. that was already in progress.
[*] University started up so been a bit busy.
[/LIST]
16 Jan 2015
[LIST]
[STRIKE][*] Alright well, found a method that may end up working... I was able to flash the stock 5560s CPB without bricking my 5560s. :D[/STRIKE]
[*] At this point it looks like we either need to create a custom system image w/ SuperUser.apk and busybox pre-installed OR we need to create a custom CWM for the coolpad 5560s.
[STRIKE][*] It appears that as a part of the process of flashing the CPB, we can override the recovery.img with another recovery.img BUT we'd have to create a custom CWM. If we have enough information about the partition layouts.. hopefully.. a non-bricking custom recovery.img can be created. :D[/STRIKE]
[*] REF: [url]http://modaco.com/topic/373530-guide-ygdp-tool-for-flashing-stock-42-44-roms/[/url]
[/LIST]
16 Jan 2014
[LIST]
[*][STRIKE]Tested some (Chinese?) 5217 rooting methods on the 5560.. nothing worked so far.[/STRIKE]
[*]Per suggestions below-- tested a ton of modstrings for towelroot. -- Was unable to gain even temporary root. :/
[*]A fellow XDA'r (Dunno if he wanted pub credit or not) got the CPB file.. poking it with a stick. :)
[/LIST]
08 Jan 2014
[LIST]
[*]Testing some of the other coolpad rooting tools on the 5560.
[*]Tried: SRSRoot v1.7.3, Root Genius v1.9.6.. no luck.
[/LIST]
24 Dec 2014
[LIST]
[*]Xmas time-- gonna be outta it for a few days.
[*]Phone is vulnerable to CVE-2014-7911 - Not sure if helpful, as CVE-2014-7911 crashes JVM. It may be possible to take over one of the factory apks that does have root permissions and inject SU. :)
[/LIST]
22 Dec 2014
[LIST]
[*]Couldnt use the 9976A rooting method-- couldnt pull the MTK scatter. Hmm.
[*]Theres an internal test server but the apk is passworded-- messn around with it.
[/LIST]
20 Dec 2014
[LIST]
[*]Discovered some [B] Coolpad / 5560s Dialer Codes[/B]
[*]*#*#*20060606*#*#* -> EngMode -> Phone Settings -> [B][COLOR=Red]ENABLE Download Mode[/COLOR][/B]
[*]*#*#*9527*#*#* -> FactoryTest -> Some interesting things here..
[*]*#*#*4636*#*#* -> Testing -> Phone Info -> Just like the HTC Hidden Diag Screen, can turn off Radio / set prefered network type.
[/LIST]
slashdevandroid said:
Hi all, my question is... does anyone have any rooting experience with the Coolpad 5560S'? Also-- If you have any additional information on these phones feel free to respond as well!
Click to expand...
Click to collapse
I don't have much experience, but just got one of these and would like to root it so I hope you get some replies. Thanks.
If you manage to find anything out about this I am super interested. Just got one because... why not, it was 10 bucks lol. If you need a guinea pig im down.
Hope we can find root for this phone soon, many are trying current root tools, but none are working, I have tried like 5-6 different ones so far, none working as of yet. im sure in a few more days - someone will have an update on there tool for this to be rooted.
Nevermind.
I have 4 of them now, so hope we can find a way to root them soon, I also wanted to get the bootloader unlocked if possible.
NeoGodSpeed said:
I have 4 of them now, so hope we can find a way to root them soon, I also wanted to get the bootloader unlocked if possible.
Click to expand...
Click to collapse
Opened up one of my 5560s' (Arise) and it looks like it's almost identical to the Coolpad 5217 which happens to have a root and various ROMs available to download. I don't have much time available to start porting ROMs, but someone here might go ahead and give it a look. I'll try to find some time later today to post photos of the PCB.
keebler64 said:
Opened up one of my 5560s' (Arise) and it looks like it's almost identical to the Coolpad 5217 which happens to have a root and various ROMs available to download. I don't have much time available to start porting ROMs, but someone here might go ahead and give it a look. I'll try to find some time later today to post photos of the PCB.
Click to expand...
Click to collapse
That would be great
Have you tried towelroot?
towelroot does not work just tried it
I've been playing around with this device and I figured I would share the progress I've made. I also obtained the CPB file (along with the official USB drivers) from Coolpad and was able to extract it with YGDP, the result of which can be found at the link below:
https://drive.google.com/folderview?id=0B4t9dt63rRpXaHo0XzNqVy1WT00&usp=sharing
Based on the extracted boot.img and the partition information pulled from a running phone I attempted a build of CWM for the 5560S - which can also be found at the link above. I haven't had any luck getting YGDP to flash the custom recovery.img and attempting to flash it via Fastboot hangs on "Writing..." Perhaps someone with a little more time on their hands will be able to get this working.
A few notes:
Coolpad uses a custom USB device ID that is not recognized by the fastboot command automatically. You must use the following flag while issuing fastboot commands:
Code:
fastboot -i 0x1EBF <command>
Attempting to flash the stock CPB file via YGDP will result in a "soft-brick" where the phone will hang on a screen that says "1. modem" with up/down on the side. You can access the phone via ADB in this mode and issue the following command to reboot normally (which differs from the advise you may find online for other Coolpad models):
Code:
adb reboot system
Attempting to replace the recovery.img in the temporary folder YGDP creates (which only happens after modifying its configuration for the phone) does not seem to cause it to flash the custom image instead, unlike other Coolpad models
Attempting to replace the recovery.img in the CPB file with the custom recovery.img in a hex editor causes YGDP to complain about the checksum not matching. I'm not sure where this checksum is stored or if it's modifiable.
Hope this helps! :fingers-crossed:
Has anyone figured this I out yet?
Just wondering if root is available yet?
stevenmirabito said:
Attempting to flash the stock CPB file via YGDP will result in a "soft-brick" where the phone will hang on a screen that says "1. modem" with up/down on the side. You can access the phone via ADB in this mode and issue the following command to reboot normally (which differs from the advise you may find online for other Coolpad models):
Code:
adb reboot system
Attempting to replace the recovery.img in the temporary folder YGDP creates (which only happens after modifying its configuration for the phone) does not seem to cause it to flash the custom image instead, unlike other Coolpad models
Attempting to replace the recovery.img in the CPB file with the custom recovery.img in a hex editor causes YGDP to complain about the checksum not matching. I'm not sure where this checksum is stored or if it's modifiable.
Hope this helps! :fingers-crossed:
Click to expand...
Click to collapse
Awesome! TYVM!
I soft-bricked my 5560 as well-- ended up using adb's shell to reboot into the stock recovery, clear both the data and cache, then rebooted and.. it started up fully stock with no issues that I can see..
Quick question -- how did you get the YGDP to actually extract the *.imgs? Using procmon I've seen YGDP read from the CPB but never write to any files..
Coolpad 5560S Pics
Here are some crappy pics of the insides, I didn't see any specific headers for any UART or JTAG, but they could be multiplexed with other pins. I'll get around to actually desoldering the RF shields some day and using the Nikon D90 for the pics instead of the iPhone.
i.imgur.com/8Ywkt0l.jpg
i.imgur.com/UUiyKXa.jpg
i.imgur.com/EnVfhWM.jpg
i.imgur.com/M2XzlCi.jpg
i..imgur.com/8Ywkt0l.jpg
slashdevandroid said:
Awesome! TYVM!
I soft-bricked my 5560 as well-- ended up using adb's shell to reboot into the stock recovery, clear both the data and cache, then rebooted and.. it started up fully stock with no issues that I can see..
Quick question -- how did you get the YGDP to actually extract the *.imgs? Using procmon I've seen YGDP read from the CPB but never write to any files..
Click to expand...
Click to collapse
The XML config for the phone that presumably tells YGDP how to flash it is stored in dProdRes.dll. Using Resource Hacker or another resource editing application you can edit the XML value for UnzipCPB to "1" in the 5560S section, which causes YGDP to extract (more accurately "split" since the file isn't compressed in any way) the CPB file into the DownloadFiles directory. I've added my modified version of dProdRes.dll to the Google Drive folder referenced above - the md5sum for the original file should be 1041E39DF18B86E9945B4A8601E6ACD7 and the modified file should be E3C5538235B0742425B84D97DF066972.
keebler64 said:
Here are some crappy pics of the insides, I didn't see any specific headers for any UART or JTAG, but they could be multiplexed with other pins. I'll get around to actually desoldering the RF shields some day and using the Nikon D90 for the pics instead of the iPhone.
i.imgur.com/8Ywkt0l.jpg
i.imgur.com/UUiyKXa.jpg
i.imgur.com/EnVfhWM.jpg
i.imgur.com/M2XzlCi.jpg
i..imgur.com/8Ywkt0l.jpg
Click to expand...
Click to collapse
Awesome ty!
stevenmirabito said:
The XML config for the phone that presumably tells YGDP how to flash it is stored in dProdRes.dll. Using Resource Hacker or another resource editing application you can edit the XML value for UnzipCPB to "1" in the 5560S section, which causes YGDP to extract (more accurately "split" since the file isn't compressed in any way) the CPB file into the DownloadFiles directory. I've added my modified version of dProdRes.dll to the Google Drive folder referenced above - the md5sum for the original file should be 1041E39DF18B86E9945B4A8601E6ACD7 and the modified file should be E3C5538235B0742425B84D97DF066972.
Click to expand...
Click to collapse
Outstanding -- thanks for the explanation.
Playing around a bit today noticed:
-YGDP ignores the unzipped files and procmon shows even if YGDP unzips the CPB it still simply reads from the CPB. Tried playing around with the downmod="" section in the XML but YGDP still ignores the zips.
-Did notice that a few of the other coolpads had custom CPB's that only had the recovery in them. Perhaps its time to reverse engineer a file format..
slashdevandroid said:
Did notice that a few of the other coolpads had custom CPB's that only had the recovery in them. Perhaps its time to reverse engineer a file format..
Click to expand...
Click to collapse
I noticed that too, and it seems that the community for other models had figured out how to do exactly that. Unfortunately, I couldn't find any documentation or tutorials online and didn't receive a response from the one or two people that I contacted.
stevenmirabito said:
I noticed that too, and it seems that the community for other models had figured out how to do exactly that. Unfortunately, I couldn't find any documentation or tutorials online and didn't receive a response from the one or two people that I contacted.
Click to expand...
Click to collapse
Same.. We'll keep lookin!
Ty again for all your input in this.. sometimes we all have a bit of the puzzle.
Why cxant anyone figure this out?
It seems that since this is a excellent phone that can literally be purchased for $9.99 at King Soopers, that a lot of people would have them even if just for a backup phone. I figured there would be a lot of ROM's, Recovery's, ect... ANYONE, PLEASE HELP US!!!:good:
can i put kali on my device??
if so, how?
@AlfredoAAA, The answer is NO . This is the matter of particularity , even If you did meet all of the requirements I would explain later . I am using the sequel of this Popular continuation of Backtrack 5 R3 on my Multi-Boot system for penetration testing and still got problem with my medium custom made bulid ( specially GPU for all injection and compiling \/ coding/scanning/etc etc,,,) Now imagine how on earth this Debian development based going to work on your even most powerful Nexus/Galaxy Note ,,,,,,
Requirements :
- At least 7 GB free on your internal SD card
- Kali Linux custom ARM image dedicated for your device infrastructure >>
Kali Linux has ARM repositories integrated with the mainline distribution so tools for ARM will be updated in conjunction with the rest of the distribution. Kali is currently available for the following ARM devices :
rk3306 mk/ss808
Raspberry Pi
ODROID U2/X2
Samsung Chromebook
EfikaMX
Beaglebone Black
CuBox
Galaxy Note 10.1
- Custom made recovery image for your device form the developer site
- Custom kernel patched for injection in case of wireless assessments for example.
This is quite off topic though , but I am going to share some practical method for medium to powerful devices such as Nexus line ( might be [email protected] related section though,, didn't check it) , which does not require physical installation of Canonical production line.
With the help of the attached app ( released by the same company ) , you can get your Dual boot inside your Android phone ( i,e: Nexus 7/5/,,,,,) .
We’ll need to use the Linux distribution Ubuntu to get this to work, however you won’t need to install it.
Requirements : 3 GB of free space on your device , as it needs this much to actually download and run the OS.
Instructions :
1. Create a live Disc >> Ubuntu website;download the latest desktop OS ( comes with ISO file ); Create your USB stick boot able device with the help of UNetbootin or any device you do prefer though.
2. Boot into Ubuntu >> you know the drill >> Boot your PC with USB attached; Bios choose to boot from your stick USB > After selecting , choose Try Ubuntu. It will boot into it straight from USB without installing anything literally.
3. Put the attached file into Home Folder in the File system . Open up Terminal ( assuming you have rudimentary knowledge of command line in Linux )
Type :
Code:
$ chmod +x dualboot.sh
4. We need to install Correct ADB and dependencies over company's portal through our terminal, which is included in one piece of software.
Type:
Code:
$ sudo apt-get install phablet-tools
and choose "Y" in following scene
5.Connect your Device to your PC; USB Debugging enabled through your settings>Developer. In the terminal from earlier session,
Type to install the app:
Code:
$ ./dualboot.sh
Device will be rebooted couple of times i guess upon completion
6. Ignore anything about loosing root and just press the power button once to reboot.
Once you are back into Android , open your brand new Ubuntu Dual Boot app.
7. Now we need a super fast internet and lots of patient to get through 3GB download .
From within the app, press the greyed out 'Choose which channel to install' to bring up the options. Check 'bootstrap' and scroll down to 'utopic' so you get the recommended
version of the OS. Press install.
8. During installation you'll have to grant SU permission and after a while you will be done. Press 'Reboot to Ubuntu' ( grayed out option) and your device will be booted into Ubuntu Touch OS. ( again ignore any Android identifiers while booting ).
9. Now lets Return to Android : ( Tip :Using Power button to turn it off and on again will allow you to always boot back into Android) and with the reboot button on the app you can get back into OS Touch . please pay attention in this method your Android OS will not be wiped in the process.
As usual , I am not responsible for any kind of device meltdown, possible Bricking ,, etc etc ,, All credits goes to Ubuntu developer team.
Q&A for [GUIDE][LINUX][MIUI] MIUI PatchROM -- BUILD YOUR OWN MIUI ROM
Some developers prefer that questions remain separate from their main development thread to help keep things organized. Placing your question within this thread will increase its chances of being answered by a member of the community or by the developer.
Before posting, please use the forum search and read through the discussion thread for [GUIDE][LINUX][MIUI] MIUI PatchROM -- BUILD YOUR OWN MIUI ROM. If you can't find an answer, post it here, being sure to give as much information as possible (firmware version, steps to reproduce, logcat if available) so that you can get help.
Thanks for understanding and for helping to keep XDA neat and tidy!
[MIUI PATCHROM for WALTON PrimoF2[How to solve this??Please somebody help me...
Code:
[email protected]:~$ cd patchrom
[email protected]:~/patchrom$ . build/envsetup.sh
PATCHROM_BRANCH = jellybean42-mtk
ANDROID_PLATFORM = v17
PORT_ROOT = /home/atiq/patchrom
ANDROID_TOP =
ANDROID_OUT =
PORT_PRODUCT = Unknown
USE_ANDROID_OUT =
ANDROID_BRANCH =
[email protected]:~/patchrom$ cd primof2
bash: cd: primof2: No such file or directory
[email protected]:~/patchrom$ mkdir primof2
[email protected]:~/patchrom$ cd primof2
[email protected]:~/patchrom/primof2$ /home/atiq/patchrom/tools/releasetools/ota_target_from_phone -n
Wait for the device to be online...
Copy target file template into current working directory
Warning: the ota package will not contain bootimage!!!
Maybe you forget to pass the ota-package parameter.
Are you sure this is really what you want(yes/no):yes
Build recovery.fstab from device
Extract the whole /system from device
pull: building file list...
1423 files pulled. 0 files skipped.
2943 KB/s (570754099 bytes in 189.331s)
Remount /system to be writable
You don't have a rooted kernel. Please run the following command mannually
(1) adb shell
(2) su
(3) mount -o remount,rw /[email protected] /system
(3) chmod 0777 /system /system/*
If you finish running the above commands on your phone(yes/no):yes
/system/xbin/getfilesysteminfo: No such file or directory
Run getfilesysteminfo to build filesystem_config.txt
125 KB/s (5572 bytes in 0.043s)
Run getfilesysteminfo and recoverylink.py to recover symlink
Recovery link files success
Build apkcerts.txt
failed to copy '/data/system/packages.xml' to '/home/atiq/patchrom/primof2/out/target_files/packages.xml': Permission denied
Error: /home/atiq/patchrom/primof2/out/target_files/packages.xml doesn't exist or isn't a vaild xml file
rm: cannot remove ‘/home/atiq/patchrom/primof2/out/target_files/packages.xml’: No such file or directory
Generate metadata used to build target files...
Compress the target_files dir into zip file
/home/atiq/patchrom/primof2
Build full ota package: /home/atiq/patchrom/primof2/stockrom.zip
unzipping target target-files...
using device-specific extensions in .
unable to load device-specific module; assuming none
[MIUI CUST] OTA: copy data files
[MIUI CUST] OTA: handle relink
[MIUI CUST] OTA: SetPermissions
Picked up JAVA_TOOL_OPTIONS: -javaagent:/usr/share/java/jayatanaag.jar
done.
[email protected]:~/patchrom/primof2$
Where should I put the bellow commands
Code:
You don't have a rooted kernel. Please run the following command mannually
(1) adb shell
(2) su
(3) mount -o remount,rw /[email protected] /system
(3) chmod 0777 /system /system/*
If you finish running the above commands on your phone(yes/no):
here?? After this line?? Here I have only two option to input "yes" or "no" in this shell. Otherwise it shows too many arguments. Please tell me where to put those commands exactly?? another question: Is everything OK there except "packages.xml". I manually copied the packages.xml file from my device and paste it to target_files then zipped it. Will it work?? Please help..
Anyone here successfully booted miui 8 on MTK 32 bit kernel 3.18.19 can help me with bootloop!?
I already built the rom based on AOSP android one but it bootloops
Mysteryagr said:
Anyone here successfully booted miui 8 on MTK 32 bit kernel 3.18.19 can help me with bootloop!?
I already built the rom based on AOSP android one but it bootloops
Click to expand...
Click to collapse
Hook it up and run a log at on your pc. That will tell you what is bootlooping. It that should have been the first hinges you did. It is rom building basics
zelendel said:
Hook it up and run a log at on your pc. That will tell you what is bootlooping. It that should have been the first hinges you did. It is rom building basics
Click to expand...
Click to collapse
Thank you for your reply.
I already did that, and yes I edited defualt.prop inside the ramdisk to enable logcat during bootloop.
I have ported many roms, and also built some from source, and I noticed that I can only take logcat in bootloop if the rom is partially booted, notification led lights in red as a sign of that.
In Miui case the led doesn't light up, also I noticed that no space occupied in data partition (except for the extracted miui apps)
So I guess something prevent the rom to start and optimize any app, maybe it is the boot.img
If someone booted miui on MTK 32 bit chipset and MM kernel 3.18.19 can help me, I will be very thankful.
My device is Infinix Hot 2 running Android one 6.0 marshmallow, chipset: MT6580
Thanks in advance.
Mysteryagr said:
Thank you for your reply.
I already did that, and yes I edited defualt.prop inside the ramdisk to enable logcat during bootloop.
I have ported many roms, and also built some from source, and I noticed that I can only take logcat in bootloop if the rom is partially booted, notification led lights in red as a sign of that.
In Miui case the led doesn't light up, also I noticed that no space occupied in data partition (except for the extracted miui apps)
So I guess something prevent the rom to start and optimize any app, maybe it is the boot.img
If someone booted miui on MTK 32 bit chipset and MM kernel 3.18.19 can help me, I will be very thankful.
My device is Infinix Hot 2 running Android one 6.0 marshmallow, chipset: MT6580
Thanks in advance.
Click to expand...
Click to collapse
To be honest I have no other ideas. Devices with that chip maker are not sold in my country.
@zelendel
What is the difference between
make firstpatch
Click to expand...
Click to collapse
and
make second patch
Click to expand...
Click to collapse
?
Mysteryagr said:
@zelendel
What is the difference between
and
?
Click to expand...
Click to collapse
I don't know. To be honest I wouldn't touch miui with a 10 foot pole personally.