Notes on the VS985 (including bootloader details) - Verizon LG G3

Hi all. First, apologies if this is the wrong place for this sort of post. It's mainly just a collection of my notes on the Verizon LG G3 running stock software update VS98510B, so there are a lot of different topics touched upon. I'm usually pretty shy around forums, but I figured something I've found might be useful to someone else, so I finally decided to post here. Anyway, here's what I've found.
Autorun Installer
This really annoyed me for a while when I first got the phone. Every time I'd try connecting it to my computer, it'd enter some sort of installer mode for LG/Verizon drivers. It would stay in this mode for about 30 seconds unless I manually put it back into ADB mode. After a good bit of digging around, I found out how to disable it without root or any special permissions. Open the stock dialer app, then enter the code "##3328873" and press send. It'll prompt for a service code, which is (of course) "000000". While the Verizon G3 appears to be missing a large chunk of the hidden menus, this section still seems to work. One of the options is a checkbox for "Tool Launcher enable" - uncheck it to disable the Verizon autorun installer.
Sideloading in Recovery Mode
I was curious how IORoot worked, so I started taking it apart. Basically, on the G3, it just uses a .zip sideloaded in recovery mode to copy over the su and related binaries. There's a decent bit of documentation out there on how to create your own .zip for sideloading, but I found one catch - the .zip needs to be signed with the proper key, or recovery will reject it. It turns out that this key is located at "./bootable/recovery/testdata/testkey" in the AOSP project. I forget the exact command for signing the .zip, but using this key, you can create your own sideload applications. Edify provides a nice way to script your application; I used it to create a sideload application to replace the HotspotProvision apk with a slightly modified version that skips the billing checks. Doing so does not require root access, as the sideloaded application appears to run as root by default. Replacing "HotspotProvision.apk" also does not trigger the root detector. However, I also made my own sideload .zip to copy over the su binary I compiled from AOSP - as soon as I booted the phone, the software status indicator changed to modified. I have some more information on that below. If anyone wants either of these sideload applications, I can upload them somewhere with their source, just let me know.
Ramdisk Compression
The boot, recovery, laf, and factory partitions are all mostly in standard format and can be split into the kernel and ramdisk parts with existing tools. However, most tools seem to expect the ramdisk to be compressed using gzip. Since it's not, they'll fail to extract the cpio archive from it. The G3 ramdisk is compressed using LZ4 instead. Once decompressed using the standard LZ4 utility, it has the same structure as a normal boot ramdisk - the cpio archive can be extracted to view the boot filesystem. I haven't really looked into it, but I believe the boot images all have a device tree binary appended after the ramdisk as well.
AT Commands
When looking into the boot process, I stumbled upon the AT command framework for the G3, which proved to be rather interesting. When connected to my computer in ADB mode, the phone exposes two serial ports. One of these ports looks like it's supposed to accept plain-text AT commands, but it also has been rather buggy in registering the end of a command for me. The other port accepts commands in some sort of binary format that I have not taken apart yet. If you want to send AT commands to the phone from ADB shell, write them to "/dev/smd0" and read the response from there. Sometimes, the response is not put on the device for some reason, but instead just printed to the logs under the tag "Atd"; just use "logcat Atd:V" to view them. The requests seem to be handled by "/system/bin/atd", which largely uses "/system/lib/libatd_common.so" to work. Looking through the disassembly showed some interesting things, including what looked like a test command that involved the bootloader unlock status, though I haven't figured out exactly how it works yet. A lot of the commands began with "AT%", which I think is typically the vendor-specific prefix for AT commands. For some reason, I couldn't get any of these commands to work, even though some of the standard commands worked fine. One particularly interesting function (to me) was one that claimed to be able to write the software bootloader, SBL1. The function was called "store_sbl1_image"; there are some other functions that affect sbl1 as well. There are also functions for qfuses/QFPROM and other things that may be of interest to us. A lot of these functions access the misc partition through "/system/lib/liblgftmitem.so", so that may be a partition worth looking into.
Volume Key Booting
Entering the dialer command "##228378" and pressing send brings up a menu that has an option called "Device Test". Choosing this option prompts you that the phone will reboot; if allowed, it will reboot into MiniOS mode, which is stored in the "factory" partition ("/dev/block/mmcblk0p40"). This mode allows you to run a number of device tests, though many options are disabled somehow. One interesting thing I've observed is that, if the phone is shut down from MiniOS mode, then turned on by holding the volume down and power buttons simultaneously (possibly while plugged into a computer, I forget if this is necessary), the phone enters a pseudo-recovery mode that vaguely resembles real recovery mode, but is actually implemented after boot. Another volume key command is to hold volume up while powering on and connected to a computer by USB (the USB connection is required). This boots into factory download mode from the "laf" partition ("/dev/block/mmcblk0p33"). The only way I've found to exit this mode is to remove the battery from the case. One final note is that while booting into normal mode, but having done so by holding volume down and the power button, the bootloader logs a message that it is going to enter fastboot mode. However, it does not and just boots normally instead. It seems that fastboot can only be activated if aboot fails to boot normally. I've read of people accomplishing this by messing up the "laf" partition and then booting into download mode, but I've not tried it myself.
Root Checker ("/system/bin/rctd")
After already setting my system to the "modified" status, I looked into the root checker executable at "/system/bin/rctd". A quick disassembly showed almost no strings in the binary. This is because they are all obfuscated. To load the strings, a series of instructions stores individual characters onto the stack at the proper offsets, eventually forming all of the strings needed by the program. Because I don't have the "Pro" version of IDA, I can't just run the executable through the debugger to get the strings out, so I had to resort to writing a really hacky emulator for a few ARM instructions to produce the strings. I only did this for one function, but the results were rather interesting. This function constructed the following string(s): "mt6575 mt6577 /sbin/su ro.hardware /system/bin/su /system/xbin/su /system/sbin/su /data/local/tmp/su /system/bin/busybox /system/xbin/busybox /data/local/tmp/busybox /system/app/Superuser.apk /system/app/SuperUser.apk /system/app/superuser.apk /system/app/SuperuserPro.apk /data/local/tmp/Superuser.apk /data/local/tmp/SuperUser.apk /data/local/tmp/superuser.apk /data/data/com.noshufou.android.su". I'm assuming this is a list of all of the files that the program looks for to determine if the phone has been rooted. In theory, using some way of randomly naming these files could prevent the root checker from detecting a rooted presence. If anyone who has IDA Pro wants to run "rctd" through the debugger, they might find more interesting things.
fastboot oem-unlock
While I've not tried booting into fastboot mode myself, I have "manually" executed the "fastboot oem-unlock" command. By disassembling the "aboot" partition ("/dev/block/mmcblk0p5"), I found that oem-unlock writes the value 0x01 to offset 0x1FFE10 of the "aboot" partition. I replicated this action with the command from a root shell "echo -en '\x01' | dd of=/dev/block/mmcblk0p5 bs=1 seek=2096656 count=1 conv=notrunc". After doing so and rebooting, which seemed to take longer than usual, I checked the kernel logs in "/data/logger/kernel.log*", and, in the bootloader logs section, there was a line displaying "[ 0.355056 / 01-01 00:00:00.340] [580] use_signed_kernel=0, is_unlocked=1, is_tampered=0.", seemingly indicating that the device was unlocked. However, it is not, as I'll mention later.
LGFTMITEM Spam in logcat
On the two VS985 phones I've looked at, both seem to produce a large amount of spam to logcat under the tag "LGFTMITEM". This takes the form of several lines being logged every 500 ms, consistently. I believe that setting the property "sys.lgsetupwizard.status" to "1" should stop it, though I haven't been able to do so successfully yet.
Bootloader Unlocking
One of the main goals of my tinkering has been to find a method for unlocking the VS985 bootloader. I believe I have identified the path to do so while disassembling "aboot", but I do not know how to enable it. I'll try to describe it here. In "sub_F81FF5C" of the "aboot" partition (I created a basic ELF format binary from the partition by trimming the first 40 bytes of the partition dump and then creating a single section ELF file loading that trimmed portion to address 0x0F800000), there is code that verifies the kernel and ramdisk images of the loaded boot partition. The code refers to "FEATURE_LGE_QCT_HW_CRYPTO", if that has meaning to anyone. Before the verification takes place, however, the function calls function "sub_F81FF58" with a memory location passed in R2. If this function call stores the value 0x67661147 in the memory pointed to by R2, the function bypasses all of the verification checks and simply prints "Device UnLock". This is why I believe "fastboot oem-unlock" would not be effective - my bootloader logs still indicate that the bootloader is taking the cryptographic verification path even though I have "unlocked" the device. I've tried to follow the function calls from here, but they get rather complicated and refer to memory locations not within the executable itself, which confuses me. In one of the functions invoked from here, which seems to print out the results of some sort of command, there are the strings "READ_UNLOCK_DEVICE_CERTIFICATE", "UNLOCK_DEVICE_AUTHENTICATION", "ANTI_ROLLBACK", and most interesting to me, "BACKDOOR". I've been having trouble figuring out how this part of the code works, so if anyone has any ideas, I'd be interested in hearing them.
Well, I think that about covers most of what I've found out about this phone. I'd be happy to explain anything in more detail if it's not clear.
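The "Ramdisk Compression" notes above describe a boot image whose ramdisk is LZ4-compressed rather than gzip-compressed, with a device tree blob appended after it. The following is an added example (not code from the original post or from any LG/AOSP tool) that parses the classic Android boot image header, computes where each section sits, and identifies the ramdisk compressor from its magic bytes, so an analyst can tell before running any unpacker which decompressor to reach for. It assumes the Qualcomm-era header layout in which the field at offset 40 holds the device-tree size; the sample image it builds, including its load addresses and section contents, is constructed for the demonstration and is not a real dump.

```python
import struct
from typing import Dict

# Magic numbers of the compressed-ramdisk formats commonly seen in Android boot images.
GZIP_MAGIC = b"\x1f\x8b"
LZ4_LEGACY_MAGIC = b"\x02\x21\x4c\x18"   # "legacy" LZ4 frame, what `lz4 -l` and the kernel build emit
LZ4_FRAME_MAGIC = b"\x04\x22\x4d\x18"    # standard LZ4 frame
XZ_MAGIC = b"\xfd7zXZ\x00"
FDT_MAGIC = b"\xd0\x0d\xfe\xed"          # flattened device tree (DTB) header
BOOT_MAGIC = b"ANDROID!"
# Nine little-endian u32 fields after the magic: kernel_size, kernel_addr, ramdisk_size,
# ramdisk_addr, second_size, second_addr, tags_addr, page_size, dt_size (assumed Qualcomm layout).
HEADER_FIELDS = "<9I"


def identify_compression(blob: bytes) -> str:
    """Name the compressor from the leading magic bytes of a ramdisk blob."""
    for magic, name in ((GZIP_MAGIC, "gzip"), (LZ4_LEGACY_MAGIC, "lz4-legacy"),
                        (LZ4_FRAME_MAGIC, "lz4"), (XZ_MAGIC, "xz")):
        if blob.startswith(magic):
            return name
    return "unknown"


def _pages(size: int, page_size: int) -> int:
    return (size + page_size - 1) // page_size


def parse_boot_image(data: bytes) -> Dict[str, object]:
    """Return section offsets and the ramdisk compressor for a boot/recovery/laf image."""
    if not data.startswith(BOOT_MAGIC):
        raise ValueError("missing ANDROID! magic")
    (kernel_size, kernel_addr, ramdisk_size, ramdisk_addr, second_size,
     second_addr, tags_addr, page_size, dt_size) = struct.unpack_from(HEADER_FIELDS, data, 8)
    if page_size == 0 or page_size & (page_size - 1):
        raise ValueError("implausible page_size %d" % page_size)
    # Sections follow the header page in order, each padded up to a page boundary.
    kernel_off = page_size
    ramdisk_off = kernel_off + _pages(kernel_size, page_size) * page_size
    second_off = ramdisk_off + _pages(ramdisk_size, page_size) * page_size
    dt_off = second_off + _pages(second_size, page_size) * page_size
    end = dt_off + _pages(dt_size, page_size) * page_size
    if end > len(data):
        raise ValueError("header describes %d bytes but image has only %d" % (end, len(data)))
    ramdisk = data[ramdisk_off:ramdisk_off + ramdisk_size]
    dt = data[dt_off:dt_off + dt_size]
    return {
        "page_size": page_size,
        "name": data[48:64].rstrip(b"\x00").decode("ascii", "replace"),
        "kernel_offset": kernel_off, "kernel_size": kernel_size,
        "ramdisk_offset": ramdisk_off, "ramdisk_size": ramdisk_size,
        "ramdisk_compression": identify_compression(ramdisk),
        "dt_offset": dt_off if dt_size else None, "dt_size": dt_size,
        "dt_is_fdt": dt.startswith(FDT_MAGIC) if dt_size else False,
    }


def extract_ramdisk(data: bytes) -> bytes:
    """Slice out the still-compressed ramdisk; decompress it with the matching tool afterwards."""
    info = parse_boot_image(data)
    off, size = info["ramdisk_offset"], info["ramdisk_size"]
    return data[off:off + size]


def build_sample_image(page_size: int = 2048, ramdisk_magic: bytes = LZ4_LEGACY_MAGIC) -> bytes:
    """Construct a synthetic boot image (not a real dump) for exercising the parser."""
    kernel = b"\x00" * 100 + b"CONSTRUCTED-KERNEL"
    ramdisk = ramdisk_magic + b"\x00" * 500          # only the leading magic matters here
    dtb = FDT_MAGIC + b"\x00" * 60
    hdr = bytearray(page_size)
    hdr[0:8] = BOOT_MAGIC
    struct.pack_into(HEADER_FIELDS, hdr, 8, len(kernel), 0x80208000, len(ramdisk), 0x82200000,
                     0, 0, 0x81E00000, page_size, len(dtb))   # addresses are placeholders
    hdr[48:64] = b"constructed".ljust(16, b"\x00")
    pad = lambda b: b + b"\x00" * (-len(b) % page_size)
    return bytes(hdr) + pad(kernel) + pad(ramdisk) + pad(dtb)


if __name__ == "__main__":
    import sys
    src = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else build_sample_image()
    for key, value in parse_boot_image(src).items():
        print("%-20s %s" % (key, value))
```

Run it against a real partition dump (`python bootimg.py boot.img`) to see which compressor the ramdisk uses; for an LZ4 legacy frame, `lz4 -d ramdisk.lz4 ramdisk.cpio` followed by `cpio -i < ramdisk.cpio` in an empty directory yields the root filesystem, exactly as the post describes. The parser deliberately refuses headers whose section sizes run past the end of the file, since a truncated or hand-edited image is the usual reason unpack tools produce confusing errors.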
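The "Root Checker" section above describes strings that never appear in the binary because the code rebuilds them one byte at a time on the stack, and the author recovered them with a small hand-written emulator. The following is an added example (not the author's emulator, nor any code from rctd) of that technique in its simplest form: it replays MOV/STRB pairs from a text disassembly listing, collects the bytes by stack offset, and splits the result into strings on NUL bytes and gaps. The listing it runs on is constructed for the demonstration and mirrors the pattern described, not the actual rctd disassembly. Stack-string construction of this kind is common in anti-tamper code and in malware alike, so the same recovery step is useful whichever side of the binary you are on.

```python
import re
from typing import Dict, List

# Pattern handled: "MOV Rn, #imm" (or MOVS) followed, possibly later, by "STRB Rn, [SP,#off]".
MOV_RE = re.compile(r"^\s*MOVS?\s+(R\d+),\s*#(0x[0-9a-f]+|\d+)\s*$", re.I)
STRB_RE = re.compile(r"^\s*STRB\s+(R\d+),\s*\[SP(?:,\s*#(0x[0-9a-f]+|\d+))?\]\s*$", re.I)


def _imm(text: str) -> int:
    return int(text, 16) if text.lower().startswith("0x") else int(text)


def emulate_byte_stores(listing: str) -> Dict[int, int]:
    """Replay MOV/STRB pairs, returning {stack_offset: byte}. Other instructions are ignored."""
    regs: Dict[str, int] = {}
    stack: Dict[int, int] = {}
    for raw in listing.splitlines():
        line = raw.split(";", 1)[0]           # drop IDA-style trailing comments
        m = MOV_RE.match(line)
        if m:
            regs[m.group(1).upper()] = _imm(m.group(2))
            continue
        m = STRB_RE.match(line)
        if m:
            reg = m.group(1).upper()
            if reg in regs:                   # ignore stores of registers we never saw loaded
                off = _imm(m.group(2)) if m.group(2) else 0
                stack[off] = regs[reg] & 0xFF
    return stack


def recover_stack_strings(listing: str, min_len: int = 2) -> List[str]:
    """Walk the reconstructed stack bytes and split on NULs and on gaps in the offsets."""
    stack = emulate_byte_stores(listing)
    found: List[str] = []
    cur = bytearray()
    prev = None

    def flush() -> None:
        if len(cur) >= min_len:
            found.append(cur.decode("ascii", "replace"))
        cur.clear()

    for off in sorted(stack):
        if prev is not None and off != prev + 1:
            flush()                           # a non-adjacent offset starts a new buffer
        b = stack[off]
        if b == 0:
            flush()                           # NUL terminator ends the current string
        else:
            cur.append(b)
        prev = off
    flush()
    return found


# Constructed listing in the style of an IDA dump; it builds "/sbin/su" at SP+0x10 and
# "mt6575" at SP+0x20. It is an illustration of the pattern, not the real rctd disassembly.
SAMPLE_LISTING = """
MOV     R3, #0x2F        ; '/'
STRB    R3, [SP,#0x10]
MOV     R3, #0x73        ; 's'
STRB    R3, [SP,#0x11]
MOV     R3, #0x62        ; 'b'
STRB    R3, [SP,#0x12]
MOV     R3, #0x69        ; 'i'
STRB    R3, [SP,#0x13]
MOV     R3, #0x6E        ; 'n'
STRB    R3, [SP,#0x14]
MOV     R3, #0x2F        ; '/'
STRB    R3, [SP,#0x15]
MOV     R3, #0x73        ; 's'
STRB    R3, [SP,#0x16]
MOV     R3, #0x75        ; 'u'
STRB    R3, [SP,#0x17]
MOVS    R3, #0
STRB    R3, [SP,#0x18]
MOV     R2, #0x6D        ; 'm'
STRB    R2, [SP,#0x20]
MOV     R2, #0x74        ; 't'
STRB    R2, [SP,#0x21]
MOV     R2, #0x36        ; '6'
STRB    R2, [SP,#0x22]
MOV     R2, #0x35        ; '5'
STRB    R2, [SP,#0x23]
MOV     R2, #0x37        ; '7'
STRB    R2, [SP,#0x24]
MOV     R2, #0x35        ; '5'
STRB    R2, [SP,#0x25]
MOVS    R2, #0
STRB    R2, [SP,#0x26]
"""

if __name__ == "__main__":
    for s in recover_stack_strings(SAMPLE_LISTING):
        print(repr(s))
```

Real compiler output usually also packs several characters into a word and stores it with STR, or materialises constants with MOVW/MOVT; handling those means splitting the 32-bit value into little-endian bytes at consecutive offsets, which is a small extension of the same replay loop. Note that the recovered list of paths tells you what the checker looks for; the robust defensive lesson is the one the post hints at, namely that fixed-path checks are trivially brittle and should not be the only tamper signal a device relies on.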

You should rename the title of your thread to something more likely to be read by devs trying to unlock the bootloader. It's too generic in my opinion. Excellent work so far, though. Thanks for your efforts and interest!

Nice to see anyone working on an unlock, also thanks for sharing.
I forwarded the post to Justin case to see if he may be able to get in touch

This was way over my head. Have you PM'd @autoprime or @thecubed (aka IOMonster)? They are a couple of the devs working on unlock.
Sent from my VS985 4G

Howdy there!
Just in time, too - since I just got back from vacation!
Hop on IRC (freenode) and join #lg-g3 and ask for IOMonster, and mention this thread. I'd be happy to explain what I can to you.
You've followed excellent logic and have come to many of the same conclusions as we have during our exploration of the device. Factory mode reads FTM items, and can enable/disable menu options at will (or you could just extract it like a boot.img and load the lgeftm_* binaries into IDA and see what they do).
RE: AT commands, there's a lot of good logic in there, however at the moment nothing that looks to give us our unlock.
RE: Unlocking, you're close, but a bit far off. There's some special sauce LG is using for unlocks, and last I was looking I believe LGE is obfuscating bits of code with a multi-stage loader. I'll discuss more about this on IRC if you're interested and the rest of the guys on IRC are alright with me doing so.
One of those memory addresses is a function pointer - before I left for vacation we were working on dumping the memory to pull the decompressed function out of RAM on another device that uses a (very) similar strategy.
I look forward to talking to you on IRC!

Hope you enjoyed what I'm sure was a much-needed vacation. Hopefully soon someone will be able to crack this bootloader and free the G3 variants.

They will unlock it, because how can such a great device be locked with only the T-Mobile version unlocked... Lol, that's crazy. They will unlock it in time.

I think you're right, in time; unfortunately these guys have full life schedules that don't allow them to stay on it all day! I hope all the G3 community gets to enjoy the full potential of such a great device in the future.

OP @IllegalArgument
Hats off for your first loaded post on XDA, really reassuring to see as many capable devs tinkering with this, welcome and keep em coming
dabug123 said:
....I hope all the g3 community gets to enjoy the full potential of such a great device in the future.
Near future hopefully

nerdo said:
OP @IllegalArgument
Hats off for your first loaded post on XDA, really reassuring to see as many capable devs tinkering with this, welcome and keep em coming
Near future hopefully
We'll see. I'm hopeful, but I won't be upset since the Nexus is close.

Nexus won't run on Verizon, you can book that.
Sent from my HTC6525LVW using Tapatalk

dbatech99 said:
Nexus won't run on Verizon, you can book that.
Sent from my HTC6525LVW using Tapatalk
Yep agreed, I'm making the switch

dabug123 said:
Yep agreed, I'm making the switch
With Xposed framework and the right modules I can make this stock ROM almost like any custom ROM. It will definitely hold me over until they can unlock it.

Jank4AU said:
With Xposed framework and the right modules I can make this stock ROM almost like any custom ROM. It will definitely hold me over until they can unlock it.
My thoughts exactly, and with the Wifi tether mod, I'm content, for now.

Jank4AU said:
With Xposed framework and the right modules I can make this stock ROM almost like any custom ROM. It will definitely hold me over until they can unlock it.
I enjoy it with Xposed. Not the same in the end, but the G3 is great; I won't ever say different.

Ooh, exciting. I can't wait.

kdouvia said:
Ooh, exciting. I can't wait.

Jank4AU said:
Fail lol

Interesting read OP.

Jank4AU said:
Haha, bro, I was serious; this is the most information I've heard about the bootloader unlock in a while. I love the meme though.

Related

[Q] Sharp 003SH 005 SH root success - SIM unlock help

I live in Japan and after more than 6 months I have successfully and permanently rooted both my Sharp 003 SH Galapagos and the 005SH Galapagos (Softbank not Docomo). My next concern is how to SIM unlock. I have been reading the posts about hacking the nv_bin file. I have searched through all of the files (Root FTP thank you!) but there was no such file. I am happy to send along any screenshots or data files if that helps.
Thanks in advance.
Search Sharp 003SH Root Success and Sharp 005SH Root success on Youtube for more info
Can't really help you. Don't know anything about it. But I would like to know how you ended up rooting this phone of ours.
It's not a file on the filesystem. The SIM locking in these phones is in the radio image, which can be accessed when you use the custom build kernel that's in the latest rootkit (I assume that's what you are using).
See the 2ch root/ROM thread for more details, but basically it is done through ADB, manually backing up the "_modem" partition; stripping the spare/ECC bytes and then extracting the radio OS using QualcommDumpAnalyser
I have managed to extract this image, but no idea where to go from there. None of the other device info seems to apply to this (HTC, Samsung, LG, any other Android that has had its sim-lock discovered in the radio)
Advice I got from the guys on 2ch: "Qualcomm's NAND code is neither difficult, nor unique, so if you know what you are looking for it's not hard"
003SH 005SH Sim unlock
Thanks very much for giving me a new direction. I'll get started on it right away and let you know how it progresses.
It just sucks that the guys who know how to unlock it are staying quiet, saying it's "taboo"
FYI, stripping the Spare/ECC bytes can be done manually (I wrote a C program to do it), but there is an option in the RevSkills app to do it all for you - I recommend doing that.
Of course we face another issue once we find the actual unlock - recalculating the ECC bytes after making the change; the only way to access the radio is with raw data access.
P.S. hope you have warranty on your phones - this is very likely to brick at least one phone until we get it right
In the spirit of open cooperation, here are the instructions I was given, translated and simplified
In ADB Shell, type su to get the # prompt, then:
cat /proc/mtd <Enter>
Confirm that you have the "_modem" partition available. If not, you need to reflash with the custom build kernel
Dump the image to file with the following command:
dump_image -r -D -F _modem /sdcard/backupimages/modem.img
Access this with anything as "raw dump" and all blocks will get read as ECC error, so definitely don't do this
ECC positioning is different to Linux, so take care
The following maps out how 512bytes of data and 10 bytes of ECC info are stored in a 528 byte block:
0000 - 01CF (0-463): Data
01D0 - 01D1 (464-465): Unused (0xff)
01D2 - 0201 (466-513): Data
0202 - 020B (514-523): ECC
020C - 020F (524-527): Unused (0xff)
Use RevSkills application to extract the data portions:
Menu⇒Calculators/Generators⇒Android MTD Nand remove Spare and ECC
Extract all of the Data only portions out of the raw dump, and then use QualcommDumpAnalyser to read it and split up the various parts. I did notice that I wasn't able to get the AMSS block out with QualcommDumpAnalyser - I copied that out manually by calculating the byte positions shown in QDA.
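The post above gives the exact on-NAND layout of each 528-byte page (two data runs, two unused runs of 0xFF, ten ECC bytes) and points to a RevSkills menu item that strips the spare area. The following is an added example, not the poster's C program and not RevSkills, that performs the same normalisation in Python from the offsets quoted in the post, and additionally flags pages whose "unused" bytes are not 0xFF, which is the quickest sign that the layout assumed does not match the dump in hand. The sample dump it builds is constructed for the demonstration; its ECC bytes are filler, not a real ECC, and the code makes no attempt to recompute ECC (the post notes that is a separate problem).

```python
import sys
from typing import List

RAW_PAGE = 528          # bytes per page as dumped, including the spare area
DATA_PAGE = 512         # payload bytes per page after stripping
# Layout quoted in the post (half-open ranges):
DATA_RANGES = ((0, 464), (466, 514))      # 0000-01CF and 01D2-0201: data
ECC_RANGE = (514, 524)                    # 0202-020B: ECC
UNUSED_RANGES = ((464, 466), (524, 528))  # 01D0-01D1 and 020C-020F: unused (0xFF)


def strip_spare(raw: bytes) -> bytes:
    """Concatenate the two data runs of every page, dropping ECC and unused bytes."""
    if len(raw) % RAW_PAGE:
        raise ValueError("dump length %d is not a multiple of %d" % (len(raw), RAW_PAGE))
    out = bytearray()
    for i in range(0, len(raw), RAW_PAGE):
        page = raw[i:i + RAW_PAGE]
        for a, b in DATA_RANGES:
            out += page[a:b]
    return bytes(out)


def check_spare_bytes(raw: bytes) -> List[int]:
    """Return indices of pages whose 'unused' spare bytes are not all 0xFF.

    A non-empty result means either the layout does not match this chip/dump or the
    page is damaged; in both cases the stripped output should not be trusted."""
    bad = []
    for n, i in enumerate(range(0, len(raw), RAW_PAGE)):
        page = raw[i:i + RAW_PAGE]
        if any(page[a:b] != b"\xff" * (b - a) for a, b in UNUSED_RANGES):
            bad.append(n)
    return bad


def ecc_bytes(raw: bytes, page_index: int) -> bytes:
    """Return the ten ECC bytes stored with one page (for inspection only; not verified)."""
    a, b = ECC_RANGE
    base = page_index * RAW_PAGE
    return raw[base + a:base + b]


def build_sample_dump(payload: bytes) -> bytes:
    """Construct a raw dump in the 528-byte layout from plain payload (not a real device image)."""
    if len(payload) % DATA_PAGE:
        raise ValueError("payload must be a multiple of %d bytes" % DATA_PAGE)
    raw = bytearray()
    for i in range(0, len(payload), DATA_PAGE):
        chunk = payload[i:i + DATA_PAGE]
        # 464 data + 2 unused + 48 data + 10 filler "ECC" + 4 unused = 528
        raw += chunk[:464] + b"\xff\xff" + chunk[464:] + bytes(range(10)) + b"\xff" * 4
    return bytes(raw)


if __name__ == "__main__":
    # Usage: strip_spare.py modem.img modem.stripped
    src = open(sys.argv[1], "rb").read()
    suspicious = check_spare_bytes(src)
    if suspicious:
        print("warning: %d page(s) have non-0xFF spare bytes, e.g. %s" % (len(suspicious), suspicious[:5]))
    open(sys.argv[2], "wb").write(strip_spare(src))
```

Running `check_spare_bytes` before stripping is the important step: if a large fraction of pages is reported, the 464/2/48/10/4 layout quoted here is not the one your dump uses, and blindly stripping will interleave ECC bytes into the "data" stream, which is exactly why tools then fail to find the AMSS and other blocks.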
003SH bootloader key sequence?
Eternalardor,
I'd be happy to swap information. Perhaps you could shed some light on the question of the bootloader for the Sharp 003SH and 005SH? There seems to be no discernible key sequence (Power+home+Volume up etc.) to access the bootloader. I feel like I've tried them all. Can you tell me this critical piece of information?
Is a form of the USB Jig necessary to access it?
Looking forward to your response.
003SH SIM unlock
Dominik,
Here are the results of the original /proc/mtd (before rooting)
boot
cache
misc
recovery
ipl
system
persist
log
battlog
calllog
ldb
userdata
I don't see the _modem partition. Should I?
I have also included a screenshot of the results showing size. I have most of them backed up as .img files too.
FYI: .img backed up sizes. Perhaps this will help you to ponder where the _modem partition may have gone. Maybe it's been renamed?
boot 11,264KB
cache 3,072KB
misc 1,024KB
recovery 11,264KB
ipl 15,360KB
system 419,840KB
persist 30,720KB
ldb 45,056KB
userdata 405,120KB
There is no bootloader menu AFAIK. If you install the custom kernel, you will have the option of a quasi-recovery mode, by pressing the home button between 7-12 seconds after the Galapagos logo is seen (or was that the Softbank logo)
Anyway, looking at the screenshots, it seems you do not have the custom kernel.
How did you achieve root on your phone?
To do this, you need to use the "003sh_005sh_dm009sh-rootkit" from at least 5/27 (recommend _0614); which is available on the 2ch forums. This includes 2 possible ways of achieving root:
1. A modified standard kernel (boot image), which, when flashed gives you regular root access
2. A custom compiled kernel, which has full root, a bunch of power profiles, and heaps more features (inc that quasi recovery), as well as access to the "_modem" image.
Judging from your YouTube videos, you speak some Japanese, so the Japanese menus in the rootkit shouldn't be much trouble.
http://www1.axfc.net/uploader/Si/so/142435
This is what I used.
Go here for help/instructions http://anago.2ch.net/test/read.cgi/android/1337845757/
And don't even think about typing in English on there, or you will be ignored and/or told to go away
This all looks familiar. I have been using the root kit (5/27) to get where I am now - step by blessed step. It was pretty straight forward BUT I have never seen the option to write to the system partition. It is in all the instructions but the only option I have with respect to the system partition is to back it up. I'm confused as to why it doesn't seem to show up for me. I am using a Japanese machine so all the characters are displayed and I can read the instructions but I can't find help anywhere as to why I don't have that particular (and critical) option. I can see a lot of new and cool options in the 6/14 release. I'm excited and would like to get it installed.
I'll let you know how it goes. Thanks for your help .... keep it coming!
And another thing
Could you explain a little more about "having" the custom kernel? Using the root kit, I wrote to the Recovery partition then the Boot partition then rebooted from the Recovery partition and all seemed well. As I said above, I have never been able to write to the System partition despite it appearing in all the instructions. I suspect that is what is holding me back from the latest and greatest custom kernel. Still, I am enjoying all the same functionality that everyone else seems to be enjoying in root. What am I missing?
Eep, you wrote to the boot partition before trying the recovery? Brave!
The steps should be:
Write image to recovery partition;
Then reboot to recovery partition (from the menu) and confirm it all works without errors.
Then write image to boot partition
And then turn off the phone, and reboot (the last part is only my instructions - you could just select "reboot to boot partition" from the menu)
You are doing this on your 005SH, right? It should be the same for the 003SH, but I only have the 005SH. In the rootkit there are 2 options when you say "burn custom image":
1 カスタムビルドrootedカーネル(リカバリーキット機能付き)
2 S4080 標準rootedカーネル(簡易リカバリー機能付き)
Q 中止してメインメニューへ戻る
You must do the first one, the CUSTOM rooted kernel, to get any of the really cool features. The second option is only if you just want root access for a particular app or something. AFAIK the second option doesn't even disable MIYABI LSM, which prevents you from mounting the system dir as R/W
But either way, writing to the System dir is not important for what we are doing. You need the Custom kernel, which gives you access to the "_modem"
Edit, I just noticed in your screenshots above, you didn't even get root in ADB shell?
Type
Code:
adb shell
Then type
Code:
su
The cursor should change to a #, this means root. You may get a prompt on the phone from Superuser asking you to give root access to "shell". Once you have this, try the cat /proc/mtd again
jcroot003sh,
can you tell me how to root 003sh?
Use the link I provided in my previous post
http://forum.xda-developers.com/showpost.php?p=27989085&postcount=8
You can use a translator if you don't understand Japanese, but the general instructions are in the post above yours
I translated it for a friend, but that is at work, so I won't be able to put it up until Monday.
DominikB said:
Thank you for your replying. I will wait for your translated version. You are really a good person.
Progress
I have successfully found and dumped the "_modem" image. Exactly as you stated - I forgot the "su" command in ADB. Thanks. The next problem is editing out the code. I am way above my head here so I will do some research before bugging you for a step-by-step for that.
Also, the bootloader worked. I didn't realize how to do it until I read the notes in the 6/14 release. I successfully put a previously dead phone back on its feet EXACTLY to the point of my current phone simply by backing up and then restoring partitions through the bootloader. Very slick and easy.
Will get to work. I'll be in contact soon with my progress on the SIM unlock.
I have spent a bit of time looking at it, it certainly isn't easy (certainly isn't a "lock=yes" section). I assume the actual locking portion is encrypted/compressed/or just compiled, because it would be too easy otherwise (I'd be happy to be proven wrong). For starters, I cannot even find my IMEI number in the dump file... I think that this dump only includes the radio code, not the NV RAM which contains the IMEI and SIM lock status. If that is the case then the solution should be to change the portion of the radio code that queries the NV RAM, so that it doesn't care if the SIM lock is supposed to be applied.
Extracting the spare/ECC bits out should be done with the RevSkills app; extracting the relevant portions, that is a bit of a kludge; QualcommDumpAnalyser can show the start/end positions, but doesn't extract the AMSS part (AFAIK that's where the code will be). You need to use a hex editor to cut that part out manually... And I am still not 100% sure what the block size is on this NAND.
Good luck!
And if there *are* any experienced hackers out there willing to help out, I can offer some monetary help (as will a few of my fellow Japanese smartphone owning friends), as this will be valuable for not just these 2 phones (there is an army of 007SH owners waiting on this unlock)
Shall we give the 007/009 a shot?
I can see mountains of the 007SH on the auction (mostly pink). Perhaps I should pick one up and take it for a spin. I am happy to try to do something to help out for all the help I am receiving.
Or perhaps the 009SH?
How hard would it be to crack the 007? The 009SH looks like it is supported in the latest release kit.
Thoughts?
Currently, the 003/005SH are going to be the easiest, because they have the custom kernel which allows access to the "_modem" image. To do it on the 007SH we need to build a custom kernel (compiled from the sources available on the ktai-dev site), and add the modem access code (this is in the src directory of the rootkit). Not impossible, but I don't have a Linux machine to compile the sources.
However I think that the code will be fairly universal. Once we find it on the 005SH we will know what we are looking for on the 007SH as well. That will make many people happy
Anyway, my 005SH is under warranty/anshin plan so I don't mind if it gets bricked (especially now that we can take NAND backups).
First things first though - examining the 005SH modem image. Does anyone know whether the NAND is a 16 KB or 128 KB block size? Or is it something completely different?
P.S. The DM009SH is just the Disney Mobile version of the 003SH
Linux machine no problem
I have a Linux server running 24/7 so compiling the kernel is easy. Don't let that be the holdup. I'll keep working on the 003SH _modem image.
DominikB,
I can't open this site [anago.2ch.net/test/read.cgi/smartphone/1319287551/] on channel2 for free. This site had been moved to the past-log storehouse. So.... I even can't look at Japanese version for rooting 003sh. It is very helpful if you can show me the steps for rooting 003sh.

How to root Wiko Lenny 5

Hello dear community, how can I root Wiko Lenny 5?
I would be very grateful for any idea. Thank you in advance!
No TWRP recovery
deadlyassin said:
Hi, there is no TWRP recovery at the moment for this model, only unlock bootloader. Look here: https://github.com/phhusson/treble_experimentations/wiki/Wiko-Lenny5
ROM for Lenny5
Would you mind uploading your firmware for testing? or sending a link to it...
My model: W_K400
I need to install the Recovery TWRP? Or Custom Rom? Or LineageOS? Or Root?
All nothing? Well, I am waiting. Thanks for your answer!
Wiko Lenny 5
Hey Peeps
I did some research on the Lenny 5 as I got this phone a few weeks ago.
There is at the moment, and to my knowledge, no Lenny 5 stock firmware available. I contacted Wiko Germany, asking if there is any place I missed and they answered me in the sense of:
"at the moment there is no stock firmware available online, refer to de.wikomobile.com/maj.php?telephone=2270 where a stock firmware should be uploaded shortly."
Still they didn't upload the file yet, so there only patience will help, if anything at all.
Another possible way I wanted to raise attention to is the site www.wikogeek.com/ where under www.wikogeek.com/index.php?telephone=LENNY5 there is a source seemingly for the phone system, although I don't know what partitions of the phone system, if not all, are contained in the source code. Following the included instructions, and doing some further research, I managed to compile some sort of image which might be the way to get working partition images for the phone. I couldn't examine the image contents using a few different image explorers, so I cannot even tell how to work with the image if it's of use at all.
I thought maybe some of the more experienced users of this board could work with this information to get something like TWRP to work even without having the stock firmware images. As this is my only working phone and my experience is little, I will not do any changes to the phone partitions as long as I'm not sure the result is a) working as expected (no recovery required), or b) completely recoverable (at least to factory state), but maybe others are more courageous and want to try.
Hope this helps getting this topic to the latest state. Sorry for the non-URLs, I made the account specifically to contribute to this topic and my post count is too low to post complete URLs.
ivelischt said:
Ok so Wiko released the firmware! It's Windows software that downloads and flashes the ROM, and it makes a folder with stuff in it. Maybe experienced people can look into it and build TWRP?!! I would really love TWRP but I don't have the experience. Hope developers see this
Matt 123456789 said:
Would you mind adding a link to the firmware you've found?
edit: got it
Are you able to develop a TWRP?
Matt 123456789 said:
Nope, sorry. I just didn't get at first what firmware you referred to (the link I posted in the first place).
As I stated above, I don't know for sure if the wikogeek source really contains all of the files required to build any more than (if even) the bootloader.
More experienced people would need to take a look into it.
Best regards
Hey again there, folks
I'm not an excessive internet user and I may be off the site for months in series. I cannot guarantee any form of support, but if I happen to stumble across this thread and see questions that I can answer, I will do my best to do so. I hope I can encourage others to engage in the treble community in making this solution public. Treble is not my work and I have nothing to do with it. Maybe there is also a way to get twrp-treble versions, but I don't know what the technical limits of that are. What I want to say: I will not be responsible for your tries to hack your phone. If I can help I will, but I'm no pro in all of this at all!!!
This guide is quite long, but take care to not make mistakes, as it is reduced to what you really *NEED* to make this root method work. ALWAYS REMEMBER TO READ THE FULL GUIDE AND COMPLETELY PREPARE YOUR WORKSTATION BEFORE DOING ANY OF THE STEPS BELOW!!!
After some idling I decided to take another look into Lenny 5 rooting and stumbled across a way to do it pretty straightforwardly, but first of all:
*THIS GUIDE ASSUMES BASIC KNOWLEDGE ABOUT COMPUTERS AND FLASHING SMARTPHONES. IT ALSO ASSUMES THAT YOU KNOW WHAT ADB, FASTBOOT, ROM, IMAGE, VIRTUAL MACHINE, WORKING WITH WINDOWS AND UNIX PATHS AND OPERATING SYSTEMS, ETC. MEAN AND ARE FAMILIAR WITH THEIR USAGE. I WILL NOT PUBLISH ANY FORM OF PREPARED IMAGES NOR ANYTHING TO SPEED UP THIS PROCESS, AS IT MAKES YOU AWARE OF THE RISKS IN IT. I UNDERSTAND THIS AS SOME SORT OF COMMUNITY EFFORT, WHERE I JUST PRESENT ONE WAY OF GETTING WHERE YOU WANT TO GO. IF YOU DON'T THINK YOU CAN COMPLY WITH ALL OF THE REQUIREMENTS IN THIS GUIDE, YOU SHOULD CONSIDER TAKING DISTANCE FROM USING THIS GUIDE FOR YOUR ROOTING BEHALF.
DISCLAIMER: By using this method to root your Lenny 5 you will lose all WARRANTY, DATA ON THE PHONE, and YOU WILL NOT BE ABLE TO RETURN TO STOCK FIRMWARE as Wiko still did not share their SFW installer and I did not dig deeper into source compilation. And LAST BUT VERY IMPORTANT: I DO NOT TAKE ANY RESPONSIBILITY FOR ANY DAMAGE ON YOUR PHONE. WHATEVER YOU DO IS AT YOUR OWN RISK!!! READ ALL OF THE TEXT AS THERE MIGHT BE CRUCIAL INFORMATION IN IT, WHICH I DIDN'T ESPECIALLY HIGHLIGHT. Although I will do my best.
DO NOT ATTEMPT ANY FLASHING UNTIL YOU GOT YOUR WORKING FIRMWARE IMAGE AT STEP 3 (3. Flashing the new Image to the Device). EXPERIENCED USERS MAY WANT TO FLASH AN UNTOUCHED TREBLE IMAGE, WHICH IS ALSO POSSIBLE. YOU SHOULD ONLY EVER REFLASH YOUR DEVICE WHEN YOU ARE ABSOLUTELY SURE ABOUT WHAT YOU DO AND THE (POSSIBLE) CONSEQUENCES OF WHAT YOU DO, INCLUDING SOFT-/HARDBRICK, PERMANENT DAMAGE, AND OTHER NASTY STUFF. YOU TAKE FULL RESPONSIBILITY FOR ANY OF THE STEPS YOU DO, ESPECIALLY BEYOND STEP 3!!!
I REPEAT: YOUR LENNY5 DOES NOT NEED TO BE CONNECTED OR EVEN TOUCHED TO YOUR COMPUTER AT ALL UNTIL STEP 3 (3. Flashing the new Image to the Device)!!!*
!!!READ THE BUGS LIST AND HELP OTHERS BY REPORTING OTHER BUGS YOU'VE FOUND IN THIS THREAD. IT IS IMPORTANT THAT YOU KNOW WHAT YOU ARE DOING HERE, BEFORE COMPLETELY MESSING UP YOUR PHONE'S STORAGE!!! SO YOU BETTER READ THE WHOLE THREAD BEFORE TRYING ANYTHING
There is no root-only method I know, SO BE AWARE, you are completely rearranging your Lenny 5 firmware, which is the reason for complete data loss. Wiko DENIES ALL RESPONSIBILITY when you unlock your bootloader, according to "phhusson", which is the reason you will lose all warranty.
Known bugs until now:
- On dual-SIM phones, if you tell the phone to let you choose the SIM card for each call, it will hang after choosing the SIM. The call will not happen. This is a Treble issue. To work around this, select the SIM you want to use in the preferences prior to making the call.
- It seems that after installing a newer version of the AOSP image provided by phhusson, it is impossible to downgrade to an earlier version of the ROM. This might also be a bug in my device from tampering around with it. But it causes me to be unable to flash any other version than the newest one. If I do so, my device is stuck in a bootloop and I need to reset and reflash it via adb and fastboot. Maybe others can confirm/disregard this behaviour.
- This guide does not solve updating your phone, maybe I can deliver a solution to that at a later point. Until then, you will be urged to reflash your system each time an update is deployed.
- The configuration in this guide is gapps-less, although you might choose a treble image that has them installed. I did not yet manage to install the opengapps package separately, as there's yet no solution to custom recovery (that I'm aware of) and I did not (yet) find out how to include it via the kitchen.
- Many apps will require you to have at least basic gapps installed. You could compile treble AOSP with the amount of Google apps you need or use the gapps image instead.
I will try to give an exact sequence of what to do to root your Lenny 5 device, but some experimentation afterwards might be needed to get your best experience. Note that, depending on version and "bloating" of your new firmware, you may experience more or less strong performance breakdowns. Be careful not to overload it, your Lenny 5's hardware is... let's say... not the best out there.
Table of Contents:
0. Before starting
1. Preparing your Workstation
1.1.1 Get your copy of lubuntu 18+ (19 is recommended, the version of lubuntu I used in the whole process was 19.04)
1.1.2 Install Oracle Virtual Box
1.1.3 Install lubuntu 18+
1.1.4 Install openjdk-8+ (8 is recommended, i use that version, too)
1.1.5 Install python
1.2.1 Install samba
1.2.2 Configure samba
1.2.3 Connect to sambashare
1.3.1 A few words about handling file permissions in Linux
1.4.1 Get your copy of SuperR's Kitchen (what we do can be done in the Free version)
1.4.2 Install SuperR's Kitchen
2. Preparing your SuperR installation for your Custom AOSP Rom
2.1 Find out which Treble image you need
2.2 Copy and Extract your Treble image
2.3 Editing the contents (Rooting, etc.) of the Treble image
2.4 Repacking the Treble image
3. Flashing the new Image to the Device
4. Final words
0. Before starting
PLEASE CAREFULLY READ THESE STEPS BEFORE STARTING THE PROCESS!! There's a few things to say before starting to do this. I will use this section to note that.
ad 1.:
- If you are using (L)ubuntu 18+ or the corresponding Debian distributions, and already have OpenJDK-8(+)(-JRE) installed, you should be able to move straight to SuperR's kitchen installation. If the kitchen complains about missing OpenJDK, try installing OpenJDK-8(+)-JDK as well.
ad 1.1.1:
- I recommend placing a "Workfolder" somewhere on your host system, so you have all the corresponding data in one place. This helps accelerate the process a lot. In the rest of the document, I will always assume that you have a workfolder and use it for all the files.
ad 1.1.3:
- I use 25 GB for my virtual disk as I only unpack compiled ROMs (as for this guide). If you plan to use the VM for compiling sources, you should be well above 75 to 100 GB as the source trees are HUGE.
ad 1.2.1:
- We will also create a workfolder on the virtual system, but this one we will take care of in the main tutorial steps.
- To make samba work, we need to make sure that VirtualBox connects to your Network as required. To do so, on the VirtualBox top menubar, Click on Devices -> Network -> Network Settings...
In the Drop-Down "Attached to:" choose "Bridged Adapter". Make sure that the "Name" Drop-Down shows the name of your physical LAN-Adapter. This way your Virtual Machine will obtain an IP from your local network router instead of NATing with your Host Machine as router. Click Okay. You can check the Network Mode change by using
Code:
ip a
in the terminal. If you want to make sure it changed the mode, restart your virtual machine and reopen the terminal by using CTRL+ALT+T again.
ad 2.1. The wiki guide on Lenny 5 says "tested on v18". I had v18 installed on my system, but at some point it denied function. I don't know if this is a downgrade issue or something else, but if you want to stick with it and are able to install it, feel free. But be aware that it does not contain the most recent security patches. I instead stick to AOSP8.1_v32 at the time of writing this guide.
ad 3. I assume that you have already installed adb. Otherwise you can get it here in the forums or the specific Wiko version from the WikoGeek website. Just click on the download link.
It is important that you learn that ~/android/... means the same as \\<yourvirtualdeviceip>\androshare, if you closely follow this guide, especially the network and samba configuration.
1. Preparing your workstation
To prepare your workstation you must get a Debianesque Linux environment running. As a Windows (and Mac) user, the easiest way to get to this is to install a virtual machine. For the sake of freelyness (is this even a word?) we'll stick with Oracle's VirtualBox. This seems to be a lot of work, but it took me less than 2 hours to be completely ready to tamper with my image files. So let's begin.
Users on the correct systems ((L)ubuntu/Debian with Java 8 and python installed) can skip to 1.2.1
1.1.1 Get your copy of lubuntu 18+
Go to https://lubuntu.net/ and download lubuntu 18 if your PC hardware is 32-bit only, or lubuntu 19 for 64-bit hardware. You can do this by clicking the corresponding blue buttons on the main page or, if this doesn't apply anymore, find them in the Download section under the "previous lubuntu releases". Download the image file and store it in your Workfolder.
1.1.2 Install Oracle VirtualBox
From now on, all the steps mentioned will be either on the host machine or the virtual machine; I will clearly mark this out to avoid misunderstandings. Users already on correct systems will have to work around these conceptions a little bit, but all in all the process should be the same for every workstation.
To install VirtualBox on the host machine, get the installer for your host system architecture from https://www.virtualbox.org/wiki/Downloads. Follow the on-screen instructions for the installer to set up VirtualBox for you. (I had it installed already, so I don't know the exact order of it. But maybe some of the users testing this out could come up with a quick "tutorial" for this step.) Most of the settings should be standard values.
After finishing the installation (and restarting?) you should now be able to Open the VirtualBox Manager via Desktop or Start Menu (whatever your host-OS offers, we will be sticking to Windows as host).
1.1.3 Install lubuntu 18+
In VirtualBox on your host-machine, create a "New" machine by clicking the button on the top left of the manager. As the name, choose how you want to memorize your virtual machine for later usage.
Use "Linux" as Type and "Ubuntu (32-bit/64-bit, choose appropriately)" as Version.
Your memory doesn't necessarily need to be gigantic. Still, I reserved 4 GB of RAM for mine, and would recommend at least 2 GB.
Check the radio button to "Create a virtual hard disk now" and click on "Create"
In the next dialog choose the location for your VHD to be stored. The storage location should have around 25 GB of free space (see section 0. for additional notes about storage space).
Choose your VHD size, I used 25 GB to have some reserve, just in case. Click on Create. Choose your newly created virtual machine and select Start from the top shortcut bar.
VirtualBox will come up with a new window and in it a dialog, asking for an installation medium for your new virtual machine. Click on the button to "Choose a virtual optical disk file..." and choose your previously stored Lubuntu disk image to mount as start-up disk. Click on Start, wait, then choose your language. I recommend using English, so it's easier to follow the tutorial, but this is up to you.
After that, you will be allowed to "Start Lubuntu" which we choose our virtual machine to do. The startup should be quite fast, from my experience. As soon as you get presented with your new (yet non-persistent) virtual desktop click on the icon to "Install Lubuntu xx.xx"
Soon the Lubuntu installer will come up, asking for the Language to be used. We'll keep American English (again, your choice) for now and click Next.
Choose your timezone and Region and click next. Choose your corresponding keyboard Layout, make sure it's the right one and click Next. In the next dialog step choose "Erase disk", leave the rest be and click Next.
On the next page, i recommend keeping it simple, as this is just a virtual machine, which ever only runs when you decide to extract and repack images. Enter "your" name, choose a login name, give the virtual machine a simple, locally-unique network name and choose a password for elevated rights operations. Remember, keep it simple, it will ease your work. I recommend to "Log in automatically without asking for the password" but i leave it to you to decide that. Click Next.
In the summary, check if you are okay with the Settings you entered, then click on Install.
Confirm the warning dialog with Install now.
Now it's all about Linux magic happening to create for you a persistent operating system on your virtual hard disk.
As the Installer asks you to Restart, do so by clicking on Done. Let the virtual machine reboot. When asked to do so, remove the installation medium (VirtualBox automatically does this for you, the options for this are under the main menu "Devices -> Optical Drives") and press ENTER.
After starting up, (and entering your password, if you didn't check the autologin checkbox), you are presented with your Desktop. On your keyboard press CTRL + SHIFT + T to open a terminal.
On a normal machine you should always keep your firewall on and set up. You can easily set up ufw for samba, but as we just crank around at a virtual machine (ideally behind a NAT router), it will be easier to just turn off the firewall altogether by using
Code:
sudo ufw disable
in the terminal window (when asked for a password, enter your virtual machine user's password and press ENTER. At UNIX-like terminals it is normal that the password you enter will not be shown. Don't worry, it's typing, just hiding. It will tell you after pressing ENTER if it's the right one or not.)
1.1.4 Install openjdk-8+
To install JDK on Lubuntu we use the built-in software installer. The following commands will update the system and install openjdk-8-jre
Code:
sudo apt update
you will be asked to enter your account password, enter password and confirm with ENTER
Code:
sudo apt dist-upgrade
confirm by typing "Y" into your keyboard and press ENTER.
This process will take a while, depending on your hardware and internet connection.
Code:
sudo apt install openjdk-8-jre
when asked, if you accept the changes to be made, type "Y" again and press ENTER.
This chain updates the virtual system packages and installs openjdk-8.
To check whether OpenJDK 8 JRE is installed, use the command
Code:
java -version
(note the single dash: OpenJDK 8 does not understand "--version", that spelling only works from Java 9 on). The output should be something like:
Code:
openjdk version "1.8.0_222"
the version number "1.8.0_222" is the important part, as it tells you that you have version 1.8.x, which is OpenJDK 8
Code:
OpenJDK Runtime Environment (build 1.8.0_222...
shows that the JRE version on your virtual machine is the same as the major openjdk version, which is good.
1.1.5 Install python
To install python, use
Code:
sudo apt install python
this will install the required packages and configure them.
1.2.1 Install samba
To move files between your virtual machine and your host machine, the easiest way to do so is to use samba. It is easy to configure and fulfills our needs. To install samba enter
Code:
sudo apt install samba
into the terminal on your virtual machine and press ENTER. If asked, confirm changes with Y and ENTER.
1.2.2 Configure samba
We will configure samba in a way, so we don't need to "sudo" all of the time to use superr's kitchen, but instead use it as our autologin user. For this we will enter the following in our terminal (make sure that you didn't elevate ["sudo -i"] your terminal session, otherwise use exit, to return to unelevated session)
Code:
mkdir ~/android
chown -R <yourusername>:<yourusername> ~/android
cd ~/android
(the term "~/android" is basically a synonym for "/home/<yourusername>/android"; the ~ marks the path as inside your user's /home/... directory)
This creates a folder called android in your virtual machine user's home directory and changes the bash path into it.
enter
Code:
sudo nano /etc/samba/smb.conf
to the terminal and press enter. this will open a console text editor with the samba configuration file. use PgDn or the Down-Arrow-Key to reach the end of the file and then append the following "code"
For <yourusername> use the username you selected during your virtual machine installation. It's visible in the terminal before the ":" sign in the format
Code:
username@virtualmachinename:~$
Code:
[androshare]
comment = Android Share
path = /home/<yourusername>/android
browseable = yes
read only = no
public = yes
create mask = 0644
directory mask = 0755
force user = <yourusername>
save the changes by pressing CTRL + O on the keyboard and confirm with the ENTER key.
you can use the bash-command
Code:
testparm
and push ENTER to see your role configuration, and if you have made any mistakes in entering the configuration data.
to restart samba and make the share available enter
Code:
sudo service smbd restart
into the terminal and press ENTER.
sometimes the kitchen needs elevation for some tasks and will then write files that belong to the user "root". the easiest way to work around that is to sporadically use and memorize for later usage
Code:
sudo chown -R <yourusername>:<yourusername> ~/android
this will set file ownership to your user and thus allows you and shared samba-instances (as they are forced to run as your user) to regain read-write access to the respective files.
if you struggle with this, try asking in a new post (or maybe someone asked already?), maybe i or others can help you.
now you should be able to connect to your samba share.
1.2.3 Connect to sambashare
to connect to your newly created samba share, on your windows host machine use WIN + R or Startmenu -> Run... and enter \\<yourdeviceip>\androshare and press ENTER.
for other ways to connect to samba shares according to your host operating system, i must ask you to check google. this guide is long already, anyways. but its easily possible on any system (win,macos,linux,...)
to find your device ip, on the virtual machine enter the following into the terminal
Code:
ip a
you need to find the address assigned by your router. you normally find it under something like
Code:
1: lo:
...
inet 127.0.0.1/8 ...
2: enp0sX
...
inet [B]192.168.x.x[/B]
...
the bold part is the one you need; the upper address "127.0.0.1" is your local loopback address and not what we are looking for.
on your host machine enter the bold ip at <yourdeviceip> like this
Code:
\\[B]192.168.x.x[/B]\androshare
and press ENTER. this should open your Samba share.
1.3 A few words about handling file permissions in Linux
Sometimes SuperR's kitchen may create or modify files that are owned by the root user, which prohibits you from changing these files without elevating via sudo. This is easily corrected by again using
Code:
sudo chown -R [B]<yourusername>[/B]:[B]<yourusername>[/B] ~/android
if there are still files you can't access you can maybe fix it with
Code:
sudo chmod a+rwx ~/android/<fileyoucantmodify>
1.4.1 Get your copy of SuperR's Kitchen
SuperR's kitchen can be obtained at The Official SuperR's Kitchen Thread. Get the latest version. I use 1.2.1.1.
Download it to your host machine and put it into your host workfolder. from there, copy it to your \\virtualmachine\androshare directory.
1.4.2 Install SuperR's Kitchen
to install superr's kitchen, we need to unzip it. on the virtual host, type
Code:
cd ~/android
unzip [B]SuperRs-Kitchen_Linux-64_v1.2.1.1.zip[/B]
press ENTER and the archive should extract. if it did not extract, and instead throws an error about the package "unzip" being unknown to the system, use
Code:
sudo apt install unzip
to easily solve this problem, and repeat the upper step.
you can confirm that the unpacking was successful by entering
Code:
ls -l ~/android/
into your terminal. the result should show at least a folder called "tools" and a file called "superr".
after confirming the correct extraction, use
Code:
rm [B]SuperRs-Kitchen_Linux-64_v1.2.1.1.zip[/B]
to delete the ZIP-File
replace the bold part with your SuperRs Kitchen ZIP-File Name.
Your ~/android directory should now contain 3 elements, namely "README.md", "superr" and a directory called "tools".
If everything went fine, you should now be able to start the kitchen by typing
Code:
./superr
into the terminal and pressing ENTER. if you are being told that you don't have permission to run this file as an executable, use
Code:
chmod ug+x ./superr
and repeat the above step. If everything worked, you should be asked to select your Language (english_srk.py). To choose it, type 1 on the keyboard.
The Kitchen will now ask you to download tools it needs to work properly. Allow it to do so by typing "Y" on the keyboard.
If everything went well, you should now be asked to enter your new Project name which identifies the folder, in which you will later store, modify and receive files. We will take care of that in the next step. This means, the Preparation process is over and you can now start using SuperR's Kitchen for your needs.
STEP 2 AND ON IN SECOND POST (CHARACTER LIMIT)
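The [androshare] stanza above uses public = yes, so any host on the VM's network segment can write into the directory that the kitchen later packs into system.img, and force user makes every such write look like your own account. As an added example that is not part of the original post, the following POSIX shell functions generate that stanza, optionally in a variant restricted to your own user, and append it to an smb.conf only once. The function names and the "guest"/"private" mode argument are my own, not Samba's or the kitchen's; the Samba parameters used (guest ok, valid users) are standard ones.

```shell
#!/bin/sh
# Added example (not from the original guide): write the [androshare] share stanza.
# Mode "guest" reproduces the guide's open share; mode "private" limits access to the
# named user so that only that account can drop files into the ROM work directory.

androshare_stanza() {
    # $1 username on the VM, $2 mode: guest (as in the guide) or private
    user=$1
    mode=${2:-guest}
    printf '%s\n' '[androshare]' \
        'comment = Android Share' \
        "path = /home/$user/android" \
        'browseable = yes' \
        'read only = no' \
        'create mask = 0644' \
        'directory mask = 0755' \
        "force user = $user"
    case $mode in
        guest)   printf '%s\n' 'public = yes' ;;
        private) printf '%s\n' 'guest ok = no' "valid users = $user" ;;
        *)       return 1 ;;
    esac
}

install_androshare() {
    # $1 path of the smb.conf to edit (on the VM: /etc/samba/smb.conf, run with sudo),
    # $2 username, $3 mode. Returns 2 without touching the file if the section exists,
    # so re-running the setup never produces a duplicate [androshare] section.
    conf=$1
    if grep -q '^\[androshare\]' "$conf" 2>/dev/null; then
        return 2
    fi
    androshare_stanza "$2" "$3" >> "$conf"
}
```

For the private variant Samba also needs a password for that account (sudo smbpasswd -a <yourusername>), and the share is then opened from the host with those credentials; testparm and sudo service smbd restart apply exactly as described in the guide.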
[CFW][W_K400][TREBLE] CFW and ROOT, MOSTLY-VANILLA
PART 2 OF THE POST, START WITH PART 1!!!!
2. Preparing your SuperR installation for your Custom AOSP Rom
In the Project Name we enter something identifying. Keep in mind that you may want to add multiple roms on this installation, so you should make it something rather unique. This process corresponds somewhat to Step 2.1, so you can read this one already to find out a good notation for your new project. I have already chosen my Treble image and will call mine
Code:
Enter new project name ...
lenny5_aosp8.1_vanilla_su_v32
2.1 Find out which Treble image you need
As you see in the last step, i selected a Version 8.1 "Oreo" image, where Vanilla tells you that there's no gapps at all and the suffix su means that it contains a rooted system. More about this later. Also i chose v32 from the treble_experimentations releases.
To find your treble image, you need to have some information. First of all, read the information on this link. (phhusson's github wiki for Wiko Lenny 5)
Some of the information there is important. First of all the flashing sequence, which will become important to us in a later step
Code:
Enable adb and oem unlock in developer options
adb reboot bootloader
fastboot flashing unlock
fastboot oem unlock
fastboot flash system your_gsi_path
fastboot reboot
as well as his testing notice
Code:
Flashed using Phh-Treble v18 - arm
as you can read in the Before starting section, there is a bug i could not resolve concerning installing older version ROMs, which could spontaneously start to apply to your device. i cannot "downgrade" my device, because it bootloops.
to select your image of choice, go to this site. (phhusson's treble image release site). to find v18, you will need to scroll down and go a few pages back in history.
some things to consider:
- lenny5 doesn't seem to be able to run AOSP9, so i'd recommend you stick with AOSP8.1
- there are lineageos compilations which might be interesting for some people. (i cannot tell if the root process for lineageos massively differs, as i don't use that one)
we will stick with AOSP8.1 in this guide.
first of all, you must decide if you want to stick with the go apps, install the stock gapps or go vanilla (no gapps at all). i will stick with vanilla. (note that some versions do not have the go version, others do)
then you will want to ask yourself if you want to root your phone, which we assume here to be yes.
as vanilla, like in our case, is not available with preinstalled su, we will stick with the nosu version. (which is a bit of a "hoax", as in fact this version already is rooted, you just have no way of controlling it, yet. we will take care of that in a later step.)
for our wiko lenny 5 we must choose the arm-aonly architecture. also i choose to stick with v32, the newest version per guide release date.
in my decision case, this leaves us with the following ROM:
https://github.com/phhusson/treble_experimentations/releases/tag/v32
Code:
system-arm-aonly-vanilla-nosu.img.xz
we will stick with that. if you want to use another rom, you must modify your choice. the overall process stays more or less the same. CONSIDER: it proves easier to install some missing APKs etc. to your gapps-less system than removing unwanted gapps from your gapps-prebloated system.
click on the link and download the image file.
CONSIDER: Some of the images are in raw flashable format (the older ones), and have the extension *.img . For newer versions, the images are packed and CANNOT BE DIRECTLY FLASHED. these files are namely the ones with the extension *.img.xz
if your file has an extension that differs from *.img i strongly recommend you to use 7zip to extract the contained *.img file. 7-zip handles them all, which makes it the perfect standalone (de-)archiver on your computer. and no, i'm not getting paid by them for the advertising, it's just great and open source.
now, if you didn't already, enter the name identifying your rom into the kitchen and confirm with ENTER.
to allow smb to write to your new project folder, reuse the command
Code:
sudo chown -R [B]<yourusername>[/B]:[B]<yourusername>[/B] ~/android
by quitting superr (using the q key) or opening a second terminal (the easier way: in the original CTRL + ALT + T terminal on lubuntu, just double-click the top tab bar away from any other tabs and a new terminal tab will open) in which you execute this command.
now store the image file to your host workfolder and from there, copy it to your virtual workfolder's project folder (~/android/superr_<yourprojectname>/).
rename your system-arm-aonly-....img to just system.img for the kitchen to recognize it.
2.2 Extract your Treble image
To extract your Image file, on your virtual machines terminal, superr's kitchen should be running in the Main Menu.
if by any means you have stopped it, open a terminal with CTRL + ALT + T and enter
Code:
cd ~/android
./superr
press enter to execute and superr should launch. when asked for a project to load, choose the project you just created by pressing the corresponding digit on the keyboard.
in the kitchen main menu, press the 4 key on your keyboard to extract your obtained IMG-File. if asked, select your system.img by pressing the corresponding key and confirm the extraction with the "Y" key. wait for the process to finish. if asked, enter your virtual machine's user password. the kitchen sometimes needs to elevate some of its processes during the extraction.
for the name of the zip, when asked, just enter "system_new". this is not so important, just don't simply call it "system", as this might confuse you under some circumstances and in the worst case overwrite your stock system.img.
for the perm type, select set_metadata by typing the "1" key on your keyboard, and you should be back in the main menu.
now your system image is unpacked into your virtual machine workfolder (~/android/<yourprojectfoldername>/system/)
2.3 Editing the contents (Rooting, etc.) of the Treble image
The editing in this guide's usecase is quite simple. We will want the following features and packages preinstalled:
- Root, of course
- including Root Management App
- BusyBox
- FDroid
- ...
you can add to this list to your hearts delight. The above will be my initial setup.
First we need to get the Root files.
These are found here
from this thread, get phh's-superuser.zip (the topmost file)
as well as the phh's SuperUser apk file (top-second)
if you are having issues with the superuser implementation, try the bottommost element called phh's-superuser-aonly.zip instead of phh's-superuser.zip. this should normally not be required.
copy both, the .zip and the .apk to your host workfolder.
now unpack the .zip to your host workfolder, which should create a folder "system" with 3 subfolders "bin,etc,xbin" in it.
copy this "system" folder to your virtual workfolder and into your project, so it integrates with the existing "system" folder on the virtual machine. if it asks you to overwrite, just allow it.
your virtual workfolder's project folder should now contain the following 3 files:
Code:
system/bin/phh-su
system/etc/init/su.rc
system/xbin/su
amongst the other system files.
Now download FDroid from here (the F-Droid site was temporarily down at the time of writing this guide)
Download the FDroid APK and store it in your host machine's workfolder.
After that, download the BusyBox APK from here
https://www.appsapk.com/busybox-app/
or a source you trust more. There is an official busybox source, but i did not check which binary i must use for the Lenny 5, so i stick with the simplest method.
Download the BusyBox APK and store it in your host machine's workfolder.
Now copy the FDroid, BusyBox, and previously downloaded phh_s_SuperUser APKs from the host's workfolder to your virtual machine's project folder ~/android/<yourprojectfolder>/system/app/ (or \\<yourvirtualmachineip>\androshare\<yourprojectfolder>\system\app, respectively) to include them in your new ROM.
That's basically all of the magic done. Your ~/android/<yourprojectfolder> should now contain the following 6 elements
Code:
system/bin/phh-su
system/etc/init/su.rc
system/xbin/su
app/FDroid.apk
app/BusyBox.apk
app/phh_s_SuperUser_vX.X.X.X.apk
amongst the other elements from the Treble ROM.
move the APK app/FDroid.apk to a new Folder like this: app/FDroid/FDroid.apk
move the APK app/BusyBox.apk to a new Folder like this: app/BusyBox/BusyBox.apk
move the APK app/phh_s_SuperUser_vX.X.X.X.apk to a new Folder like this: app/phh/phh_s_SuperUser_vX.X.X.X.apk
as everything is sorted into folders, right?!
now we're done with modifying our treble image. let's repack it.
2.4 Repacking the Treble image
on your virtual machine terminal, with the kitchen open, go to the main menu if required and select "ROM Tools Menu" with the "8" key. You can check the "Root Menu" by pressing the "3" Key.
The Root/Unroot ROM should read (CURRENT: xbin/su) with Busybox and su.d "Disabled", which is okay, as BusyBox is not recognized, but there. If you want to utilize su.d, you must know yourself, how to do that properly. i don't know if it works as it should when done in the kitchen.
go back to the "ROM Tools Menu" with the "4" key and go to the "Build Menu" with the "7" key. Choose the option to "Build EXT4 img" by the key "2" and after the quick process finishes, in the menu "Which EXT4 img would you like to build?" select "system" by pressing the corresponding key, then select "sparse" by pressing the "2" key. for the file size, select the option to "Assume file size from project folder" by pressing the corresponding key and confirm the warning about this being BETA. Then wait for the process to finish.
The kitchen should say "system_new.img has been created in <yourprojectname>".
Now copy the newly created system_new.img from your virtual machine project directory to your host machine workfolder and we're done with editing and repacking the Image.
STEP 3 AND ON IN THIRD POST (CHARACTER LIMIT)
About TWRP and other stuff...
PART 3 OF THE GUIDE, START WITH PART 1!!!
3. Flashing the new Image to the Device
AT THIS POINT YOU SHOULD HAVE ALL YOUR DATA BACKED UP AND MAKE REALLY SURE FOR A LAST TIME THAT YOU ACCEPT TO VOID YOUR WARRANTY AND TAKE ABSOLUTELY EVERY RISK TO YOURSELF FOR ANY CONSEQUENCES THAT COULD ARISE FROM WHAT HAPPENS WITH YOUR DEVICE AT ANY TIME AFTER FOLLOWING THIS GUIDE.
The flashing process is simple. Enable Debug mode in your phone's Settings (enable Developer Mode by tapping the Build Number several times; Google: "Android Enable Developer Mode" - i really hope you know that after coming so far through this guide!!!).
When Developer Mode is activated, Go to Settings->Development Menu and activate the USB Debug Slider.
You must unlock the bootloader, at this point you must have generic adb or wiko specific adb installed, you can download it from here or get more information in section 0. "Before starting". The installation process is straightforward, possibly a restart of your host machine is required to get it running.
After installing ADB, you open the command line of your host machine and switch to your host machine workfolder by entering
Code:
cd <yourworkfolderpath>
and executing with ENTER.
use
Code:
dir
to make sure, that you are indeed in your workfolder.
when your phone is in usb debug mode, you can then reboot it into bootloader by entering
Code:
adb reboot bootloader
into your host machine command line. NOW THE DANGEROUS PART BEGINS, SO BE AWARE!!! WHEN UNLOCKING THE BOOTLOADER, YOUR LENNY5 WILL COMPLETELY WIPE ALL OF YOUR DATA AND RESET TO FACTORY SETUP!!!
by using the following commands in your command line you will unlock your bootloader, wipe your data and cache partitions including ALL PERSONAL DATA and flash your newly created ROM to the device.
Code:
fastboot flashing unlock
fastboot oem unlock
unlocks the boot loader. re-enabling the debug mode (because of the factory reset) and/or rebooting the device may be required to reconnect to adb.
after that and making sure that you want to take the risk of flashing your new image, enter
Code:
fastboot flash system <yourhostworkfolderpath>\system_new.img
fastboot -w
fastboot reboot
the first command flashes your new image file, the second additionally wipes your data and cache, to make sure there are no residues there which could mess with the first startup. after that we reboot the phone with the third command. after some loading, and a warning about the bootloader being unlocked, you should be greeted by AOSP's standard launcher with superuser, fdroid and busybox preinstalled.
4. Final words
After all, it proved to be quite a long process if you don't have any kitchen set up beforehand. If the kitchen is ready, it's a matter of downloading, modifying and reflashing the device. but be careful. there's always a risk of bricking your device.
I will try to keep this guide up and running, but keep in mind my thread-opening words.
If you think my RED BLOCKS are excessive - i'm sorry, but i care for your LENNY, too.
If you read this and are able to comply with all the steps in the guide, you are ready to flash your phone!
It's a wall of text, and i don't know if it's straight forward for all users, but it's the only way i could come up with, to root the LENNY5 phone, so it's worth it all the while, right?
I hope it helps some of you to get their Phones Unlocked and Unleashed.
Best regards
ivelischt
---------- Post added at 09:39 PM ---------- Previous post was at 09:37 PM ----------
if you find errors and mistakes in the guide, you are welcome to notify me and all the others by leaving a post in this thread.
Please ignore my posting titles, as they do not fit anymore, since i had to split from 2 to 3 posts to fit all of the text.
Okay some more words from my side concerning TWRP etc.
1. as far as i can tell, with the wikogeeks source you can indeed compile TWRP, but i'm not deep enough into it to try it.
2. with the procedure in the description above i now have a fully rooted phone
3. i am able to dump (mostly) any partition on my device (boot, recovery, system). so i have boot.img, recovery.img tested working. of course i was unable to dump my old system as it was not rooted. but i can dump my new system.img and it is also tested working, i reflashed all of the images to find it out.
4. if someone here in the forums thinks, that, with this information, you are able to port TWRP, i think we all would be glad,
because
5. i tampered around with various twrp roms. with the Jerry 3 ROM, which is out in the Net (DuckDuckGo-Search: w_k300 twrp), i thought i'd come to a point, as these are "sister-devices". in fact i had twrp running after loading the split-files (zKernel, etc...) from stock recovery to twrp recovery using the kitchen. but the screen isn't working. i need to "swipe for modifications", but i can't. as far as i can tell, it's just the touchscreen being unresponsive. maybe this is something quickly fixed, maybe not.
so, i don't know if it's legal for me to share these sources here in the board, but if anyone wants to test around on these, write me a PM. just ask me and i will do what i can.
on my system, at the moment i have:
- stock boot.img
- stock recovery.img
- aosp8.1 system.img i use on my lenny
- semi-functional Jerry3-TWRP-Port, with the display non-functional
let me know if you can do something with this stuff.
best regards
Matt 123456789 said:
Ok so Wiko released the firmware! It's a Windows program that downloads and flashes the ROM, and it makes a folder with stuff in it. Maybe experienced people can look into it and build TWRP?!! I would really love twrp but I don't have the experience :crying: . Hope developers see this
Hey Matt! Sorry, i completely misunderstood what you were talking about. That's my fault.
To clarify, there IS an actual update package, just not under the various xx.wikomobile.com subdomains, but via world.wikomobile.com; using the IMEI number, you can in fact get an Update.zip. I saw that really just now... The most recent update hides at https://support.wikomobile.com/maj/Lenny5_OPE_V34.zip
I don't know if this helps porting TWRP, as i'm actually experimenting with compiling it from source, for lenny 5 specifically. but to no success until this point. but whilst experimenting around, you can at the very least use it to flash to stock if required.
The update.zip contains the following:
- SPFlashTool
- MT6580 scatter file
- boot-sign.img
- cache-sign.img
- lk-sign.img
- misc2-sign.img
- odmdtbo-sign.img
- recovery-sign.img
- secro-sign.img
- system.img
- tee-sign.img
- userdata-sign.img
- vendor-sign.img
- preloader_k400.bin
- as well as tons of other files
i think the stock system image is raw. to flash it you must either use the SPFlashTool or convert it to sparse format by other means...
best regards
edit: it seems, that lenny5 runs well with AOSP9, at least i upgraded my device today and it runs.
also, if you decide to install treble images by the guide above, using gapps, you will have to register your device here. (Android Device Registration)
their guide on getting the android_id may be a bit strange, i needed to progress as follows:
Code:
adb root
adb shell
inside shell type:
Code:
su <-- work as root
cd /data/data/com.google.android.gsf/databases/
sqlite3 gservices.db
this will start sqlite3 command line.
inside the sqlite3 command line enter
Code:
select * from main where name = 'android_id'; <-- don't forget the semicolon! (single quotes: in SQL, double quotes mean an identifier, not a string)
after pressing enter, the output should be something like
Code:
android_id|[B]1234567890123456789[/B] <-- this code will be different on your device.
on the Android Device Registration page, you enter the bold part of the output and press Register. enter
Code:
.exit <-- to leave sqlite
exit <-- to leave su mode
exit <-- to leave shell
it will take a few minutes until your google services start to work properly without flooding your notifications.
you should now be able to use your gapps.
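The adb/su/sqlite3 sequence above can be collapsed into one non-interactive call, which also makes it easy to check that what came back really is an android_id before pasting it into the registration page. The following POSIX shell functions are an added example, not part of the original post: the function names are mine, the sample output line is constructed from the format the post shows, and fetch_android_id assumes a rooted device attached with adb on PATH (it is not run by the offline checks).

```shell
#!/bin/sh
# Added example (not from the original post): read android_id from gservices.db without
# the interactive shell, then validate the result.
GSERVICES_DB=/data/data/com.google.android.gsf/databases/gservices.db

# Constructed sample of what the select prints (format taken from the post; the value is made up)
SAMPLE_SQLITE_OUTPUT='android_id|1234567890123456789'

extract_android_id() {
    # $1: one "name|value" line as printed by sqlite3. Prints the value and returns 0 only
    # when the row is the android_id row and the value is a plain decimal number, which is
    # how gservices.db stores it; anything else (wrong row, empty, letters) returns 1.
    case $1 in
        'android_id|'*) ;;
        *) return 1 ;;
    esac
    id=${1#android_id|}
    case $id in
        ''|*[!0-9]*) return 1 ;;
    esac
    printf '%s\n' "$id"
}

fetch_android_id() {
    # Same steps as the guide (adb root, su, sqlite3) in a single call. Single quotes around
    # android_id are the correct SQL string-literal syntax. tr strips the CR that adb shell
    # adds on some hosts. Requires a rooted device and adb; assumed, not verified here.
    adb root >/dev/null 2>&1
    line=$(adb shell su -c "sqlite3 $GSERVICES_DB \"select * from main where name='android_id';\"" | tr -d '\r')
    extract_android_id "$line"
}
```

Run fetch_android_id on the host and paste the single line it prints into the registration form; if it prints nothing and returns 1, the query hit the wrong database or su did not elevate, rather than the id simply being missing.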
ivelischt said:
Please ignore my posting titles, as they do not fit anymore, since i had to split from 2 to 3 posts to fit all of the text.
Okay some more words from my side concerning TWRP etc.
1. as far as i can tell, with the wikogeeks source you can indeed compile TWRP, but i'm not deep enough into it to try it.
2. with the procedure in the description above i now have a fully rooted phone
3. i am able to dump (mostly) any partition on my device (boot, recovery, system). so i have boot.img, recovery.img tested working. of course i was unable to dump my old system as it was not rooted. but i can dump my new system.img and it is also tested working, i reflashed all of the images to find it out.
4. if someone here in the forums thinks, that, with this information, you are able to port TWRP, i think we all would be glad,
because
5. i tampered around with various twrp roms. with the Jerry 3 ROM, which is out in the Net (DuckDuckGo-Search: w_k300 twrp), i thought i'd come to a point, as these are "sister-devices". in fact i had twrp running after loading the split-files (zKernel, etc...) from stock recovery to twrp recovery using the kitchen. but the screen isn't working. i need to "swipe for modifications", but i can't. as far as i can tell, it's just the touchscreen being unresponsive. maybe this is something quickly fixed, maybe not.
so, i don't know if it's legal for me to share these sources here in the board, but if anyone wants to test around on these, write me a PM. just ask me and i will do what i can.
on my system, at the moment i have:
- stock boot.img
- stock recovery.img
- aosp8.1 system.img i use on my lenny
- semi-functional Jerry3-TWRP-Port, with the display non-functional
let me know if you can do something with this stuff.
best regards
Same with the display here, can't get it to work. I read that display touch malfunction is about kernel differences, but I don't know how to modify it.
Hanthonious said:
Same with the display here, can't get it to work. I read that display touch malfunction is about kernel differences, but I don't know how to modify it.
well, i then tried all the possible configurations of the following:
TWRP versions:
- self-compiled TWRP
- TWRP for some random FullHD-MTK6580 with more or less same specs as lenny 5
- K300 TWRP
kernel versions:
- twrp k300 kernel
- stock k400 kernel
- self-compiled k400 kernel
which makes quite some possible combinations. as far as i can recall, the most successful was the untouched k300 twrp with its k300 kernel, which managed to boot up but with the touchscreen not working.
i then tried the k300 twrp with stock and self-compiled k400 kernel, but both failed. i even tampered with the kernel address to fit it to k400 and tried out multiple "tricks" i stumbled upon when searching the internet. but the phone always just hangs a few seconds, then boots into "normal" mode or stock recovery.
i cannot fully rule out whether its caused by me implementing the kernel in a wrong way (for me this is the most probable reason ) or if it's because SuperR's kitchen (thanks go out!) has some kind of mess while reintegrating the changed kernel, as i did all of these combine-and-retry kind of rom porting experiments with his product. maybe i am just using the tool in a wrong way.
i also compiled a stock kernel from wikogeek sources, then used that to compile twrp sources into a recovery.img, including the self-built kernel, which both, after some tinkering, built without any issue, but then also, this image just hangs for a few seconds and shows the same behavior as stated above.
whatever it is, i cannot identify it. this has two main reasons:
- first and most important: what i know is through learning-by-doing, which means, i have no degree in coding or anything. from my perspective, i feel a bit proud already, being able to compile aosp or lineage from source, even with a lot of help by those creating these mostly ready-for-use sources. :victory: learning-by-doing implicates my second point: time investment.
- i cannot afford to spend most of my time with digging into android development. and also often, i just don't have any delight in it and do other things.
also, my main purpose was to get a rooted system (with a custom rom on it), which i managed, so most of the time i spend on android stuff at the moment, is to update my build and distribute the updated images in time when security patches arrive.
in short: if twrp for k400 comes, it would be nice, but it's none of my main objectives at the moment to get this to work.
best regards

Apollo bulk mode unlock failure

I attempted to unlock the bootloader on my 3rd gen Fire HDX 8.9 (apollo) running 4.5.5.3, but am stuck at the bulk mode stage. I can reboot the device and see the USB connection drop and present the partitions again when it comes back up in bulk mode, but I see nothing visible on the screen. Holding volume up + power results in the same as just the power button. Can anyone confirm if the aboot stage of the boot should present anything on the screen or not? Without knowing more about the system, my guess would be that if that was working, I would have gone back into either the system image or fastboot.
I ran draxie's get_code.sh script, and was able to successfully write out a file from my Linux laptop. I then rebooted into fastboot and forced the system into bulk mode. That's where I got stuck:
$ sudo dd if=~/lineageos/apollo/emmc_appsboot-14.3.2.3.2_user_323001720.mbn of=/dev/sde6
677+1 records in
677+1 records out
#also tried this step with version 13, no difference
$ sudo dd if=~/lineageos/apollo/apollo-twrp-3.0.0-0.img of=/dev/sde18
16249+1 records in
16249+1 records out
#I also tried this one from the TWRP site for an alternate recovery, just in case, but no change
#$sudo dd if=~/lineageos/apollo/twrp_soho/recovery.img of=/dev/sde18
# I also looked at parted for /dev/sde before the flash, just to make sure the partition numbers matched up with the Windows instructions I located for bulk mode, and everything seemed to match up.
Do I have the correct files?
fd832b67eb6b44d847ec8c105a6a56943dc36cf11306e0aec44980a0306c3878 apollo-twrp-3.0.0-0.img
12e536cd88887012b60ae20478c005b79538908b9dfd591fa5748038a4eecc61 emmc_appsboot-13.3.2.3.2_user_323001720.mbn
ce616bbd84e9b1a711583eafa6e0722a733b9f488857a78f8a3c2708fcc2fe21 emmc_appsboot-14.3.2.3.2_user_323001720.mbn
Any hints to narrow down the troubleshooting?
Thank you!
nexusguy4 said:
I attempted to unlock the bootloader on my 3rd gen Fire HDX 8.9 (apollo) running 4.5.5.3, but am stuck at the bulk mode stage. I can reboot the device and see the USB connection drop and present the partitions again when it comes back up in bulk mode, but I see nothing visible on the screen. Holding volume up + power results in the same as just the power button. Can anyone confirm if the aboot stage of the boot should present anything on the screen or not? Without knowing more about the system, my guess would be that if that was working, I would have gone back into either the system image or fastboot.
I ran draxie's get_code.sh script, and was able to successfully write out a file from my Linux laptop. I then rebooted into fastboot and forced the system into bulk mode. That's where I got stuck:
$ sudo dd if=~/lineageos/apollo/emmc_appsboot-14.3.2.3.2_user_323001720.mbn of=/dev/sde6
677+1 records in
677+1 records out
#also tried this step with version 13, no difference
$ sudo dd if=~/lineageos/apollo/apollo-twrp-3.0.0-0.img of=/dev/sde18
16249+1 records in
16249+1 records out
#I also tried this one from the TWRP site for an alternate recovery, just in case, but no change
#$sudo dd if=~/lineageos/apollo/twrp_soho/recovery.img of=/dev/sde18
# I also looked at parted for /dev/sde before the flash, just to make sure the partition numbers matched up with the Windows instructions I located for bulk mode, and everything seemed to match up.
Do I have the correct files?
fd832b67eb6b44d847ec8c105a6a56943dc36cf11306e0aec44980a0306c3878 apollo-twrp-3.0.0-0.img
12e536cd88887012b60ae20478c005b79538908b9dfd591fa5748038a4eecc61 emmc_appsboot-13.3.2.3.2_user_323001720.mbn
ce616bbd84e9b1a711583eafa6e0722a733b9f488857a78f8a3c2708fcc2fe21 emmc_appsboot-14.3.2.3.2_user_323001720.mbn
Any hints to narrow down the troubleshooting?
Thank you!
Suggest you PM @draxie as you have access to a Linux host. Using his 1-click script will be far easier than self (or another member) walking you through the manual method.
Relevant link: https://forum.xda-developers.com/kindle-fire-hdx/general/multi-platform-1-click-bootloader-t3241014
nexusguy4 said:
I attempted to unlock the bootloader on my 3rd gen Fire HDX 8.9 (apollo) running 4.5.5.3, but am stuck at the bulk mode stage. I can reboot the device and see the USB connection drop and present the partitions again when it comes back up in bulk mode, but I see nothing visible on the screen. Holding volume up + power results in the same as just the power button. Can anyone confirm if the aboot stage of the boot should present anything on the screen or not? Without knowing more about the system, my guess would be that if that was working, I would have gone back into either the system image or fastboot.
Situation normal. The screen should be pitch black in bulk mode.
And once there, you cannot boot to anything else until you wrote
back part of the bootloader that got erased.
nexusguy4 said:
$ sudo dd if=~/lineageos/apollo/emmc_appsboot-14.3.2.3.2_user_323001720.mbn of=/dev/sde6
$ sudo dd if=~/lineageos/apollo/apollo-twrp-3.0.0-0.img of=/dev/sde18
These command-lines are incomplete. You could check the forums for the right ones,
but I could also just tell you to add at least 'oflag=direct' if you want them to be effective.
1-Click uses this incantation (where $bd refers to the block device representing your HDX's
internal storage, in your case /dev/sde; and the positional parameters should be as follows
$1 - input file
$2 - partition number
$3 - input size (e.g. stat -c%s $1)
$4 - friendly name for input [completely irrelevant]):
Code:
bulk_flash() {
local d=$bd$2
echo Flashing $4 to $d
dd if=$1 of=$d bs=64k conv=notrunc oflag=direct
echo Verifying $d
cmp -n $3 $1 $d
}
nexusguy4 said:
Do I have the correct files?
fd832b67eb6b44d847ec8c105a6a56943dc36cf11306e0aec44980a0306c3878 apollo-twrp-3.0.0-0.img
12e536cd88887012b60ae20478c005b79538908b9dfd591fa5748038a4eecc61 emmc_appsboot-13.3.2.3.2_user_323001720.mbn
ce616bbd84e9b1a711583eafa6e0722a733b9f488857a78f8a3c2708fcc2fe21 emmc_appsboot-14.3.2.3.2_user_323001720.mbn
You do have the correct appsboot files for sure.
That TWRP version is too old for me to have kept
a copy, but I'd expect that to be correct as well.
1-Click can fix this for you, but you can also do it yourself,
if you like, just don't forget the extra parameter to 'dd'.
Also, make VERY sure you write BOTH aboot *and* TWRP
with the right command-line BEFORE you attempt to boot.
I was foolish enough to "test" if it was working when only
aboot was flashed properly, and there was no way to get
anywhere with that device afterwards, as I had no valid
recovery and the button-combo to get into fastboot does
NOT work until the device gets unlocked (but you need
fastboot access to enter the unlock code -> catch 22).
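An added example (not 1-Click's code and not the poster's) that wraps the same dd-and-verify idea with the checks this thread shows are needed before the first reboot: the image hash is compared with a known-good value, an image larger than the target is refused, direct I/O is used on block devices, and the partition is read back and compared. The names flash_verify, target_size, flash_aboot_and_recovery and demo_dry_run are this example's own; $bd is the tablet's internal-storage block device exactly as in the post.

```shell
#!/bin/sh
# Added example, not 1-Click's code. Writes one partition image from bulk
# mode and verifies it, refusing to write if anything looks wrong.
# $bd is the tablet's internal storage block device, as in the post (e.g. /dev/sde).

# Size in bytes of a target: a block device via blockdev, a regular file
# (used for a dry run) via wc.
target_size() {
    if [ -b "$1" ]; then blockdev --getsize64 "$1"; else wc -c < "$1" | tr -d ' '; fi
}

# flash_verify IMAGE TARGET [EXPECTED_SHA256]
#  1. optional: refuse an image whose sha256 is not the known-good value
#  2. refuse an image larger than the target partition
#  3. write with oflag=direct on block devices (as 1-Click does) so nothing is
#     left only in the page cache; conv=fsync flushes before dd returns
#  4. read the target back and compare the first IMAGE-size bytes
# Returns 0 only if every step succeeded.
flash_verify() {
    img=$1; dev=$2; want=${3:-}
    [ -f "$img" ] || { echo "no such image: $img" >&2; return 1; }
    [ -e "$dev" ] || { echo "no such target: $dev" >&2; return 1; }
    if [ -n "$want" ]; then
        have=$(sha256sum "$img" | cut -d' ' -f1)
        [ "$have" = "$want" ] || { echo "sha256 mismatch for $img" >&2; return 1; }
    fi
    isz=$(wc -c < "$img" | tr -d ' ')
    dsz=$(target_size "$dev")
    [ "$isz" -le "$dsz" ] || { echo "$img ($isz B) is larger than $dev ($dsz B)" >&2; return 1; }
    # O_DIRECT is rejected by some filesystems (e.g. tmpfs), so only use it on block devices.
    if [ -b "$dev" ]; then flags=oflag=direct; else flags=; fi
    dd if="$img" of="$dev" bs=64k conv=notrunc,fsync $flags 2>/dev/null \
        || { echo "dd failed writing $dev" >&2; return 1; }
    [ "$(head -c "$isz" "$dev" | sha256sum)" = "$(sha256sum < "$img")" ] \
        || { echo "read-back of $dev does not match $img" >&2; return 1; }
    echo "flashed and verified $img -> $dev ($isz bytes)"
}

# Both images the thread says must be written before any reboot; partition
# numbers 6 (aboot) and 18 (recovery) are taken from the poster's dd lines.
# Usage: flash_aboot_and_recovery ABOOT.mbn TWRP.img [ABOOT_SHA256] [TWRP_SHA256]
flash_aboot_and_recovery() {
    flash_verify "$1" "${bd}6" "${3:-}" && flash_verify "$2" "${bd}18" "${4:-}"
}

# Dry run with constructed files standing in for the partitions, so the
# routine can be exercised without the tablet attached.
demo_dry_run() {
    d=$(mktemp -d) || return 1
    head -c 200000 /dev/urandom > "$d/aboot.img"
    head -c 1048576 /dev/zero > "$d/part6"
    if flash_verify "$d/aboot.img" "$d/part6" "$(sha256sum "$d/aboot.img" | cut -d' ' -f1)"
    then rc=0; else rc=1; fi
    rm -rf "$d"
    return $rc
}

if [ "${1:-}" = "--demo" ]; then demo_dry_run; fi
```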
Thank you so much, both of you. That bulk flash routine and arguments was exactly what I needed. I have TWRP running now, tablet unlocked, and I expect to be able to manage this just like any other of my lineage devices.
If this performs as expected based on the hardware specs, I'll probably hunt down a few more of this same model. At that price, it's the perfect size for standalone displays for some equipment like oscilloscopes/scope cameras, patch loading to a modeling guitar amp, etc.
nexusguy4 said:
Thank you so much, both of you. That bulk flash routine and arguments was exactly what I needed. I have TWRP running now, tablet unlocked, and I expect to be able to manage this just like any other of my lineage devices.
If this performs as expected based on the hardware specs, I'll probably hunt down a few more of this same model. At that price, it's the perfect size for standalone displays for some equipment like oscilloscopes/scope cameras, patch loading to a modeling guitar amp, etc.
Glad you got it working. Keep in mind 3rd gen HDX devices do not support OTG. That means no tethered devices or storage. Only adb, mtp and fastboot transactions. There are no known workarounds. Everything must be onboard or communicate wirelessly.
draxie said:
Situation normal. The screen should be pitch black in bulk mode.
And once there, you cannot boot to anything else until you have written
back the part of the bootloader that got erased.
These command-lines are incomplete. You could check the forums for the right ones,
but I could also just tell you to add at least 'oflag=direct' if you want them to be effective.
1-Click uses this incantation (where $bd refers to the block device representing your HDX's
internal storage, in your case /dev/sde; and the positional parameters should be as follows
$1 - input file
$2 - partition number
$3 - input size (e.g. stat -c%s $1)
$4 - friendly name for input [completely irrelevant]):
Code:
bulk_flash() {
local d=$bd$2
echo Flashing $4 to $d
dd if=$1 of=$d bs=64k conv=notrunc oflag=direct
echo Verifying $d
cmp -n $3 $1 $d
}
You do have the correct appsboot files for sure.
That TWRP version is too old for me to have kept
a copy, but I'd expect that to be correct as well.
1-Click can fix this for you, but you can also do it yourself,
if you like, just don't forget the extra parameter to 'dd'.
Also, make VERY sure you write BOTH aboot *and* TWRP
with the right command-line BEFORE you attempt to boot.
I was foolish enough to "test" if it was working when only
aboot was flashed properly, and there was no way to get
anywhere with that device afterwards, as I had no valid
recovery and the button-combo to get into fastboot does
NOT work until the device gets unlocked (but you need
fastboot access to enter the unlock code -> catch 22).
The extra `dd` arguments saved me from my long black screen days.
Thank you!

How To Guide Unlocking, Rooting, System RW, LED Notification Summary

First time posting and I wanted to say thank you to all the excellent talent here on XDA! None of this would have been done without the work of so many people.
I have a Moto G Play (2021) (XT2093-4) that I recently purchased (Best Buy - $159 US/Carrier Unlocked) and I wanted to document my adventure into rooting, making '/system' RW, and fixing the missing LED notification light (hint: I used the charging light) (hint^2: It's not required to make '/system' RW in order to fix the LED notification light - I just wanted more control over my phone).
First, "OEM unlocking" was greyed out for me, but became available after several days of having the phone online with a SIM card.
I followed the instructions here to unlock the bootloader and root with Magisk (Non-TWRP). Along with these instructions.
Once the bootloader is unlocked, you will need the 'boot.img' file from your stock firmware. I used the "Rescue and Smart Assistant" utility to grab a copy of the stock firmware (GUAMNA_RETAIL_QZAS30.Q4_39_35_9_subsidy_DEFAULT_regulatory_DEFAULT_CFC.xml) and extracted the "boot.img" file for the next steps.
Continue installing Magisk (Filenames may be different! Don't just copy and paste.):
Code:
adb install Magisk-v23.0.apk
adb push boot.img /sdcard/Download
(Follow the instruction on your phone to patch 'boot.img' in Magisk)
adb pull /sdcard/Download/magisk_patched-23000_aKKMt.img
adb reboot bootloader
fastboot flash boot_a magisk_patched-23000_aKKMt.img
fastboot flash boot_b magisk_patched-23000_aKKMt.img
You should now have a working, rooted Moto G Play. You can just stop here and have fun with your phone, but I noticed that even with root, the system partition was not RW.
I followed these instructions to make '/system' writable (Note: you will need the 'sysrw_repair.zip' that's included in the bundle and a Linux system):
Code:
adb push systemrw_1.32_flashable.zip /data/local/tmp/
adb shell
su
cd /data/local/tmp/
unzip systemrw_1.32_flashable.zip
cd systemrw_1.32/
chmod +x systemrw.sh
./systemrw.sh in=`ls -l /dev/block/by-name/super | awk '{print $NF}'` out=/data/local/tmp/systemrw_1.32/img/super_original.bin size=50
The phone doesn't have enough space to complete 'lpmake' on the device and will end with an "Error 73" code. Running the "sysrw_repair_v1.32" tool on a Linux machine was a workaround because it pulls the '*.img' files to your local machine then combines them into a single '.bin' file. But, before I did that, and because it's really annoying, I made some room to stop the phone from complaining about a lack of space:
(Still on the phone's adb)
Code:
rm ./img/super_original.bin
Now, on the Linux machine, I unzipped 'sysrw_repair_v1.32_proper.zip' then commented out line 39 (where it calls the "flash()" function) of the script (sysrw_repair.sh) because I wanted to flash the "super" partition myself.
(On another Linux terminal)
Code:
cd /path/to/unzipped/sysrw_repair/dir/
chmod +x sysrw_repair.sh
./sysrw_repair.sh
This results in a new folder (img) with a rather large bin file (super_original.bin).
(Back on the phone adb)
Code:
exit # Exit root
exit # Exit adb
adb reboot bootloader
Now it's time to flash the fixed bin file to the "super" partition:
Code:
cd /path/to/unzipped/sysrw_repair/dir/
fastboot flash super ./img/super_original.bin
fastboot reboot
You should be able to login and have a writable '/system':
Code:
adb shell
su
mount -o rw,remount /
No errors should appear.
Last, I like having an LED indicator that tells me that I have an SMS/MMS notification waiting. Motorola thought it would be wise to eliminate that feature altogether instead of having the option to enable it. So, I forced it back on using a startup script that dumps the notifications and greps for some key words. And, if it finds something, it "breathes" the charging LED. The script loops until the notification is gone, then keeps checking for new notifications every 30 seconds. (Note: the "/data/adb/service.d/" directory is used by Magisk like an INIT service):
(Still root on the phone's adb)
Code:
cd /data/adb/service.d/
# The delimiter is quoted so the $(...) substitutions are written into the
# file literally instead of being expanded once while creating it.
cat <<'EOF' > ledfix.sh
#!/bin/sh
# Started by Magisk at boot from /data/adb/service.d/
LED=/sys/class/leds/charging
while true; do
    if dumpsys notification | egrep NotificationRecord | egrep sms > /dev/null
    then
        # SMS/MMS waiting: pulse the charging LED and re-check every 2 seconds
        if [[ $(cat $LED/breath) == 0 ]]
        then
            echo 1 > $LED/breath
        fi
        sleep 2
        continue
    elif egrep 'Charging' /sys/class/power_supply/battery/status > /dev/null
    then
        # charging and nothing waiting: steady full brightness
        if [[ $(cat $LED/breath) -ne 0 && $(cat $LED/brightness) -ne 0 ]]
        then
            echo 0 > $LED/breath
            echo 255 > $LED/brightness
        elif [[ $(cat $LED/breath) == 0 && $(cat $LED/brightness) == 0 ]]
        then
            echo 255 > $LED/brightness
        fi
        # otherwise the LED is already steady; fall through to the 30 s wait
    else
        # not charging and nothing waiting: LED off
        echo 0 > $LED/breath
        echo 0 > $LED/brightness
    fi
    sleep 30
done
EOF
chown 0:0 ledfix.sh
chmod 0755 ledfix.sh
reboot
Now, the charging light will fade off and on about every 2 seconds if there's an SMS/MMS notification waiting, and it will check for notifications every 30 seconds. I'm sure someone can come up with a better way of doing this, but this was a nice quick-and-dirty way to get what I wanted.
Hope this helps!
I created an account to say thank you for this, I have already done a good portion, having unlocked the bootloader, the problem is the Rescue Smart Assistant, it won't let me log in, it keeps telling me it can't connect, and the GUI is different because of an update, there is no download button inside the program, only a greyed out rescue button. How did you manage to make the backup Boot.img? Maybe you are using a different OS, and/or version of the program (Not the app, that is already auto-installed), I'm using Windows 10, are you on Linux? I might just need to try from Linux, maybe in a VM.
I was trying to do this before I found this post, and have already installed ADB, the SDK, fastboot, and Motorola Drivers, I just need a way to get the Boot.img, and to patch it, also figure out how to flash it. The last android I rooted with a custom rom was the HTC EVO 4G with Oreo/Jellybean, so I'm a little rusty, but am able to understand technical jargon.
If anyone could help, that would be awesome. I've reinstalled different versions of Rescue Smart Assistant as well, they always upgrade on boot, same problem. I've added exceptions to my firewall and everything.
UPDATE: Was about to post this when I had updated from Android 10 to 11 and decided to try logging in again a little closer to my router, to see if the connection was timing out. I think that was the cause, as I can now sign in, and the GUI seems correct from the first appearance. I don't see why I should have any trouble following the rest of the guide, but feel I should share my trials and frustrations anyway, for anyone else experiencing the same.
Thanks again.
PROFSLM said:
I created an account to say thank you for this, I have already done a good portion, having unlocked the bootloader, the problem is the Rescue Smart Assistant, it won't let me log in, it keeps telling me it can't connect, and the GUI is different because of an update, there is no download button inside the program, only a greyed out rescue button. How did you manage to make the backup Boot.img? Maybe you are using a different OS, and/or version of the program (Not the app, that is already auto-installed), I'm using Windows 10, are you on Linux? I might just need to try from Linux, maybe in a VM.
I was trying to do this before I found this post, and have already installed ADB, the SDK, fastboot, and Motorola Drivers, I just need a way to get the Boot.img, and to patch it, also figure out how to flash it. The last android I rooted with a custom rom was the HTC EVO 4G with Oreo/Jellybean, so I'm a little rusty, but am able to understand technical jargon.
If anyone could help, that would be awesome. I've reinstalled different versions of Rescue Smart Assistant as well, they always upgrade on boot, same problem. I've added exceptions to my firewall and everything.
UPDATE: Was about to post this when I had updated from Android 10 to 11 and decided to try logging in again a little closer to my router, to see if the connection was timing out. I think that was the cause, as I can now sign in, and the GUI seems correct from the first appearance. I don't see why I should have any trouble following the rest of the guide, but feel I should share my trials and frustrations anyway, for anyone else experiencing the same.
Thanks again.
You can also get the firmware from
Lolinet Mirrors
https://t.me/MotoUpdatesTracker
Search for Firmware by codename, software channel, Software Version, and build #
So I wasn't going crazy when I could swear an LED notification light in the upper right side above the screen blinked once whenever I rebooted the phone?
Why would Motorola include such a thing and not utilize it for more than merely a boot up indicator? Like I don't even get to see it come on while charging, it literally only blinks once during boot and that's it.
mario0318 said:
So I wasn't going crazy when I could swear an LED notification light in the upper right side above the screen blinked once whenever I rebooted the phone?
Why would Motorola include such a thing and not utilize it for more than merely a boot up indicator? Like I don't even get to see it come on while charging, it literally only blinks once during boot and that's it.
I know!
I don't know what triggers that light to come on. I even waited until the battery was at 6% and the light still never came on.
So, I updated the script above to make the light go full brightness if the battery is charging. The order matters, so if a notification comes in while charging, it'll "breathe" the LED. Also, if the battery is full, then the light will turn off. Kind of telling you that it's time to unplug.
I followed these steps and my touch screen stopped working. I had previously installed TWRP already on it while trying to learn how to root it, and when I boot into fastboot it goes through TWRP. I also used the boot.img file from lolinet, not sure which of these caused the issue. Interestingly though, the touch screen does work whilst in TWRP. Any suggestions on how to fix or what would be causing it? Phone does work with USB mouse over OTG.
jorduino said:
I followed these steps and my touch screen stopped working. I had previously installed TWRP already on it while trying to learn how to root it, and when I boot into fastboot it goes through TWRP. I also used the boot.img file from lolinet, not sure which of these caused the issue. Interestingly though, the touch screen does work whilst in TWRP. Any suggestions on how to fix or what would be causing it? Phone does work with USB mouse over OTG.
Are you absolutely sure you used the correct boot.img from an image version exactly matching your phone variant version?
mario0318 said:
Are you absolutely sure you used the correct boot.img from an image version exactly matching your phone variant version?
I'm not completely sure how to get the right file, but I think the first time it was the wrong one, but then when I got what I thought was the right one, it just didn't work at all and I had to recovery flash it. I had just updated so maybe the correct image wasn't available yet. I'm going to try again though.
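An added check (not the poster's, and not part of Magisk or Rescue and Smart Assistant) that reads the Android boot image header so a pulled boot.img can be compared with what `adb shell getprop ro.build.version.release` and `ro.build.version.security_patch` report before it is patched and flashed to boot_a/boot_b. It assumes the AOSP v0-v2 header layout (os_version at offset 44; v3/v4 headers place it elsewhere and are not handled); bootimg_info, bootimg_check and mk_demo_bootimg are this example's own names, and the demo image is constructed here.

```shell
#!/bin/sh
# Added example, not from the post or from Magisk/RSA. Reads the build
# identity out of an Android boot image header (AOSP boot_img_hdr v0-v2:
# "ANDROID!" at offset 0, page_size at 36, header_version at 40,
# os_version at 44) so a boot.img can be checked against the phone before
# fastboot flash boot_a/boot_b. Assumption: v3/v4 headers differ and are not handled.

# Little-endian u32 at byte offset $2 of file $1, built from single bytes so
# the result does not depend on the host byte order. Fails on a short file.
le32() {
    set -- $(od -An -tu1 -j"$2" -N4 "$1")
    [ $# -eq 4 ] || return 1
    echo $(( $1 + ($2 << 8) + ($3 << 16) + ($4 << 24) ))
}

# bootimg_info FILE
# Prints: version=A.B.C patch=YYYY-MM page_size=N header_version=H
# Returns 1 if FILE does not start with the ANDROID! magic.
bootimg_info() {
    f=$1
    [ "$(head -c 8 "$f" | tr -d '\000')" = "ANDROID!" ] \
        || { echo "$f: not an Android boot image" >&2; return 1; }
    page=$(le32 "$f" 36) || return 1
    hv=$(le32 "$f" 40) || return 1
    osv=$(le32 "$f" 44) || return 1
    # os_version packs A.B.C into bits 31..11 (7 bits each) and the security
    # patch level into bits 10..0 (year-2000 in 7 bits, month in 4), as mkbootimg does.
    a=$(( (osv >> 25) & 127 )); b=$(( (osv >> 18) & 127 )); c=$(( (osv >> 11) & 127 ))
    y=$(( ((osv >> 4) & 127) + 2000 )); m=$(( osv & 15 ))
    printf 'version=%d.%d.%d patch=%04d-%02d page_size=%d header_version=%d\n' \
        "$a" "$b" "$c" "$y" "$m" "$page" "$hv"
}

# bootimg_check FILE RELEASE PATCH
# RELEASE is what `adb shell getprop ro.build.version.release` prints (e.g. 11),
# PATCH is ro.build.version.security_patch (e.g. 2021-06-01). Returns 0 only if
# the image's A.B.C starts with RELEASE and its YYYY-MM equals PATCH's.
bootimg_check() {
    info=$(bootimg_info "$1") || return 1
    ver=${info#version=}; ver=${ver%% *}
    pl=${info#*patch=};  pl=${pl%% *}
    case "$ver" in
        "$2"|"$2".*) ;;
        *) echo "release mismatch: image $ver, device $2" >&2; return 1 ;;
    esac
    [ "$pl" = "${3%-*}" ] || { echo "patch level mismatch: image $pl, device $3" >&2; return 1; }
    echo "$1 matches Android $2 / $3"
}

# Constructed 48-byte header for the demo: page_size 2048, header_version 2,
# os_version 0x16000156 = Android 11.0.0 with patch level 2021-06.
mk_demo_bootimg() {
    {
        printf 'ANDROID!'
        head -c 28 /dev/zero
        printf '\000\010\000\000'   # page_size = 2048
        printf '\002\000\000\000'   # header_version = 2
        printf '\126\001\000\026'   # os_version, little-endian
    } > "$1"
}

if [ "${1:-}" = "--demo" ]; then
    mk_demo_bootimg /tmp/demo_boot.img
    bootimg_info /tmp/demo_boot.img
    bootimg_check /tmp/demo_boot.img 11 2021-06-01
fi
```

On a real pull, a mismatch between the image's version or patch level and the phone's properties is the signal that the firmware package does not match the installed build, which is the first thing to rule out when a flashed boot.img leaves the touch screen dead.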
Oh! Hello @latentspork. Thanks for your interest in my SystemRW project. I just came across this thread randomly...
I'm happy you got my script to work on your Motorola device by using the included sysrw_repair script.
Please feel free to send me your log files from the script folder. Thanks. It's useful for further development of the script.
latentspork said:
The phone doesn't have enough space to complete 'lpmake' on the device and will end with an "Error 73" code. Running the "sysrw_repair_v1.32" tool on a Linux machine was a workaround because it pulls the '*.img" files to your local machine then combines them in to a single '.bin' file. But, before I did that, and because it's really annoying, I made some room to stop the phone from complaining about a lack of space:
That's not 100% accurate. Lpmake error 73 means CAN'T_CREATE and has nothing to do with error 70 (insufficient space).
To this day I still don't know exactly what causes error 73 on some devices (mostly Motorola and others) but it looks like some kind of kernel panic. If anyone knows how to avoid this error 73 in Android please let me know! Thanks!
Yes that's true the included sysrw_repair script (Linux only) pulls the image files from the phone to your computer and attempts to run the same lpmake command with the same arguments that just failed with error 73 on the phone itself and now all of a sudden it just works in Linux. Go figure.
latentspork said:
(Still on the phone's adb)
Code:
rm ./img/super_original.bin
Why would you delete the super_original.bin? That's your stock read-only super image which by default is automatically dumped by the script for backup purposes in case you ever get a bootloop.
And if you launch the script by specifying a custom input value (in=x) like in your example above then you won't even have a super_original.bin file to begin with because the script will skip the whole dumping of the original super image process.
latentspork said:
This results in a new folder (img) with a rather large bin file (super_original.bin).
I think you mean super_fixed.bin
latentspork said:
Now it's time to flash the fixed bin file to the "super" partition:
Code:
cd /path/to/unzipped/sysrw_repair/dir/
fastboot flash super ./img/super_original.bin
fastboot reboot
Here in your instructions you are manually flashing the wrong file. Shouldn't you be flashing super_fixed.bin to your super partition?
Usually I only flash the super_original.bin to get back out of a bootloop...
latentspork said:
Now, on the Linux machine, I unzipped 'sysrw_repair_v1.32_proper.zip' then commented out line 39 (where it calls the "flash()" function) of the script (sysrw_repair.sh) because I wanted to flash the "super" partition myself.
See, that's why I included that automatic flash() function in the repair script. Then you don't have to worry about manually flashing the wrong file to your super partition.
Enjoy a fully read/write-able device!
Great news! New SystemRW version coming soon!
@lebigmac
I really appreciate the reply and the tool! It did work really well on my model (XT2093-4).
That's not 100% accurate. Lpmake error 73 means CAN'T_CREATE and has nothing to do with error 70 (insufficient space).
To this day I still don't know exactly what causes error 73 on some devices (mostly Motorola and others) but it looks like some kind of kernel panic. If anyone knows how to avoid this error 73 in Android please let me know! Thanks!
I only assumed that "Error 73" was caused by insufficient space, because the phone really did run out of space. I noticed that the phone was out of space because I got a home screen notification warning, asking me to free up space. I confirmed it with a "df -h" at the shell. Apparently, the OS takes up almost 15GB. When you add the ".img" files, there's only about 5GB left. There wasn't enough room to complete the ".bin" file. Maybe I could have used an SD card or something.
You're probably correct in that "Error 70" is the correct error for that, but on my phone, I never saw that error. I did notice that the tool was still trying to write data as the phone ran out of space, then it would throw the "Error 73". Maybe it didn't register the lack of space, or just an oddity with my model? No idea.
Why would you delete the super_original.bin ?
This is the file that was created when I initially ran the "./systemrw.sh" command on the phone. The result of running the command on the phone was several ".img" files and a very large "super_original.bin", but it was incomplete because the command threw an "Error 73". I was following your instructions, and I noticed that the output name of the file was "original" instead of "fixed". I probably could have output it to a new name to reduce confusion, but I didn't really care too much about the name as long as I had a working file.
I think you mean super_fixed.bin
...
Shouldn't you be flashing super_fixed.bin...
Normally, yes. But the Linux script also output the filename "super_original.bin". Again, as long as it worked, I was okay with it. The commands I used above were the exact commands that I ran at the time. I copied them from the terminal consoles I was using. So I don't know why it wasn't outputting the correct filename (again, I was following your instructions and was a little confused that the names came out differently - I just figured I was doing something wrong like not using the proper output command or something).
Then you don't have to worry about manually flashing the wrong file to your super partition...
I was really just being cautious because my previous phone broke and I didn't have a fallback.
But, at no point were there two bin files (original and fixed), so there wasn't much confusion. Where I originally had just ".img" files before running the script, I now had a single ".bin" file. I knew that was the file I needed.
But again, thank you for all the hard work on this tool! I was reading that it's worked on lots of different model phones, and it's always good to see the open source community doing things that help all kinds of people.
For Moto notifications on this phone at least, use https://play.google.com/store/apps/details?id=br.com.itsmeton.motoledreborn (Moto LED Reborn from the Play Store); it just works.
Hi, sorry. This can be removed. I put it in place because I was having issues with the xda app. For whatever reason, every time I tried to share this particular post, it would share a link for the post which I used originally, rather than the current post. I knew that if I commented I could get back here easily on my PC.
So what is the place holder for

Ulefone Armor x5 boot-debug.img

Ok, I get that boot-debug has been around for years... since android 10 for me, before that, it was variant=user, or variant=eng(ineer).
Strange how after I show boot-debug.img, Magisk chooses this very path, but only after. Keeping in mind many people come here asking questions, and all those that know sit back and say nothing. Until they don't like what they see.
If you know better, and can't help, please keep your comments to yourself. This thread is intended to HELP, and is targeted toward those who CHOOSE to HELP because they CAN.
How I got su to work. Is this root? Now this is a good question. I don't want ANY overlaid system in my phone. I want to write to system like many others want to.
Not some google way of forcing us to use their mirrored online version of a locked filesystem already on my f'n.
Priority 1: I want to root my f'n without internet. Period. I do NOT want magisk using my credit. This proves we pay for magisk. I sometimes live so far from the world wide web, that offline is the only way to work. So I need to be able to root without google or THEIR employees offerings.
Priority 2: RW-able system.
So, I discover boot-debug.img for my f'n. Had it for a year, before I discovered it. Yeah, I discovered it after a year here asking, and getting NO replies that worked. Only after I'm vindicated to the naysayers 'that's been around forever...' yeah, try helping instead of useless comments.
In the end, I learned so much in such a short time. Constructive criticism is NOT insulting. Magisk kills root in MY f'n. PERIOD. Camera does not work, location does not work, and I can't make/receive calls. But hey, it's an overlaid file system, of course it won't ALL work, I mean, I'd expect to lose a lil functionality, but disabling the GSI ability in dev options? I don't think so. Worse, lack of adb or fastboot is produced in my f'n when using Magisk, so tata Magisk.
My logs actually explain all, so no more crappy adb logs. Yeah, I like simple adb, it works, or I'll MAKE it work.
Like this:
Attempt every possible method of flashing Magisk according to tutorials, nada. 3 different paths lead me to...?
1: The note9 recovery I found, that lopstom was kind enough to twrp for me (well appreciated) is the KEY to gaining root on my ulefone armor x5 mt6765. It turns out that the note9 recovery is actually an android 9 os, with a 'super' .img - and being android 9, the bootloader I used is an OLD bootloader, in particular, the variant=eng type. Note this, this is key.
2: With the note9 flashed to recovery I can RW system in android 10 properly, but only in twrp.
3: Discover boot-debug.img - yup, it's not quite a variant=eng build, but it does work for the following:
Flash boot-debug.img. By doing so, you get the adb root command, and the disable-verity options, way better than wiping vbmeta, which contains the 'is it rw, or ro' of every file in every partition to be mounted in their own partitions, but what most don't know, is each file mounted in its own mountpoint also has the information contained by vbmeta, but for each separate file. So unless you add the /null (one for system, the other for vendor) after the disable-verity...
Nah, wipe most of your directory structure, then wonder why in a RW-able system, it still doesn't work. Because each file in its own mountpoint knows if the system directory SHOULD be ro or rw. That's EACH and EVERY stock file in its OWN mountpoint, has the RW or RO info for the system & vendor directory, ie, is system RW?
Example: Camera wont work, get it?
In the end, this is how I went about installing su.
Flashed boot-debug.img did NOT flash recovery. Flashed meefik busybox-arm64 to f'n, but did NOT install it, instead, I opened it to install it, top left, saved the busybox-arm64 and then flashed twrp, and while there, flashed the system_rw, to defeat the system_RW saying not enough space, I chose 1024, did the copy over of super_fixed, then rebooted, enabled system, THEN flashed the busybox-arm64 from twrp, and rebooted.
Results: I copied the busybox-arm64 su, from xbin to system. In order to defeat the system_RW saying not enough space, I chose 1024. Round numbers matter with system_RW, same scenario as memory, so use sizes equal to how memory works. ie, 32, 64, 128, and multiples of.
Look at the adb posts in my closed thread.
With su installed, I have to type exit TWICE to exit. Without su in system, exit only needs to be typed once.
Now here is why I continue. I found root, but don't have the experience, but it's like this:
See all those lovely new files that end in .cel? Mine says platinum. That means I AM ROOT. By swapping out .cel files, I have all the access Magisk denies me. .cel files... get on it devs... swap them out, try try try... find what I found.
I don't actually need su, but I need it for some apps. What I have proven, is that SU does NOT kill android 10_Q.
variant=user or variant=eng, is NOW dependent on .cel files, like, say, boot-debug.cel.
Have a nice discovery... I hacked Google's latest offering my-cel-f
Edit: Cel files are found in the bootloader, a zero byte file, the file NAME decides what the loader can or cant do, PERIOD.
New root tools only require swapping these out, as well as a few system edits when done.
Ok, slight mistake in spelling so I'll add the following for you to 'see'..
userdebug_plat_sepolicy.cil
So it's not cel as I wrote in the first post, my point being just as valid.
Platinum clearly states there are more whose names I have yet to obtain...
Theoretically in my mind, if I swap the .cil file in the bootloader for say hypothetically:
engdebug_plat_sepolicy.cil... with the few edits seen in the android 10 notes I posted from china, the one where people say 'too much hassle' - I say, for them. Those notes show the rest of the cil files, so yeah, I got root OPTIONS to play with
Stay tuned for more Scottish inventor style NOTES.
Edit: for the record: https://source.android.com/compatibility/vts/vts-on-gsi