Coolpad 5560s - MegaThread: Info / Root
We are now ROOTED. I think we are the first too.
If you have any additional info, binaries, etc -- feel free to contribute!
USE AT YOUR OWN RISK
*** UPDATE ***
Fellow XDA'r stevenmirabito put together an all-in-one tool! If you wanna dig into the technical stuff follow directions below if not... check out his post!
*** UPDATE ***
USE AT YOUR OWN RISK
Updates:
17 Feb 2015
The fun begins ...
---> USE AT YOUR OWN RISK <---
DOWNLOADS:
ALL TOOLS AND DOCUMENTS ARE for non-commercial, personal, and educational use only.
You assume all risks and liabilities.
---> USE AT YOUR OWN RISK <---
Big thank you to: stevenmirabito, keebler64,.. and all the other folks that contributed.
Proof of Concept
Code:
- Root is pre-cooked into the image.
- Root survives reboot.
- Note that the superuser daemon is.. rigged into one of the init.qcom.post-boot.sh files -- may break things. :P
Removed:
- system/priv-app/Cota*.apk/odex
- system/app/CP_*.apk/odex
- system/etc/security/otaupdates.zip.
- system/etc/ recovery-data.dat (not the exact name -- but removed)
Added:
- system/app: fdroid.apk, es file manager.apk
- system/xbin/su, system/bin/su (linked), /system/app/Superuser.apk ---> Clockworkmod's Superuser. :)
BUGFIX for Proof-Of-Concept:
- From: stevenmirabito: --> see post #55 (http://forum.xda-developers.com/showpost.php?p=58913680&postcount=55). <--- the Setup Wizard was disabled.. somehow... :P
It does work.. you can dump the partitions.. and it appears that you *can* write to the boot/recovery.
HOWTO: Creating your own custom system.img for flashing with the sda-flashtool
Code:
# Remove the following hex sequences from the stock system.img.
# These are the only things that stop the image from being a normal ext4 raw image.
#   30 3C 38 30 30 30 30 30 2E 2E 2E 2E   (three total)
#   30 30 32 39 3D 39 36 38 2E 2E 2E 2E   (one)
# Convert the now fixed system.img to a raw ext4 image to mount using simg2img (linux or possibly windows)
simg2img system.img system.raw
# Mount the raw image using loop (linux, as root)
mkdir rawsystem
mount -t ext4 -o loop system.raw ./rawsystem/
# When you are finished making changes - create a new_system.img using the 4096 sparse format.
make_ext4fs -s -l 1024M -b 4096 -a system new_system.img rawsystem/
# Move the new_system.img to the sda-flashtool directory (in windows) :)
# Run sda-flashtool
sda-flashtool
# Note that the sda-flashtool takes care of injecting the headers --- even with file size changes..
# Semi-major bug right now is the new_system.img needs to be at least 600mb. Will be fixed soon?..
# Have fun!
Recovery / Fastboot Modes
Code:
Recovery Mode
Power-off, Pull Battery, Press VOL UP & VOL DOWN then Hold Power until Logo. Release Power. Recovery Mode should start in 5-10 seconds.
Fastboot Mode
Power-off, Pull Battery, Connect USB to computer, Screen should read: "FASTBOOT".
To enable developer options / ADB Debug
Code:
Menu -> Settings -> System -> About Phone -> Tap the 'Build Number' about 5-10 times -> a Message should pop up 'you are now a developer'
OTA / Calling home urls to block in your router (stock image)
Code:
*51coolpad.com, *izatcloud.net, *cootek.com, and *coolpadfuns.com << OTA test server.
Old Root / Progression Log -- moved here for clarity
Code:
16 Feb 2015
- System images now flashable. :D
11 Feb 2015
- New Header calculations now verified against all the known stock headers. :good:
- Footers: 2 bytes of :confused:
10 Feb 2015
- [STRIKE]The headers are back on the todo list.[/STRIKE] FIXED. :)
  - Due to the way Bless (hex editor) formats its conversion table, it appeared like the images headers first 4 bytes were converted to a hex string which became the 2nd set of 4 bytes and those bytes summed to the 2e 2e 2e 2e. It looked like it was a simple subtraction/mask issue. It's a bit more. :/
  - [STRIKE]Also it appears that both the bootloader and the recovery have a separate ramdisk partition which is an overlay(?) and so it needs to be flashed as well.[/STRIKE]
- [STRIKE]Figured out the Headers. Now to the footers.[/STRIKE]
- Now able to transfer data w/o being timed out.
- Very close to a working custom flash tool.
06 Feb 2015
- More OTA servers to block: *51coolpad.com, *izatcloud.net, *cootek.com, and *coolpadfuns.com << OTA test server.
28 Jan 2015
- Posted older CPB file format found on google translate.
- https://translate.google.com/translate?sl=auto&tl=en&js=y&prev=_t&hl=en&ie=UTF-8&u=http%3A%2F%2Fwww.in189.com%2Fforum.php%3Fmod%3Dviewthread%26tid%3D814196&edit-text=&act=url
- [STRIKE]Posted a method that would easily brick the phone, but does allow flashing recovery.[/STRIKE] <--- don't do this.. very possible to brick the modem areas of the phone. What you are actually doing when using this method is transferring the remaining bytes of a modem/sbX transfer .. that was already in progress.
- University started up so been a bit busy.
16 Jan 2015
- [STRIKE]Alright well, found a method that may end up working... I was able to flash the stock 5560s CPB without bricking my 5560s. :D[/STRIKE]
- At this point it looks like we either need to create a custom system image w/ SuperUser.apk and busybox pre-installed OR we need to create a custom CWM for the coolpad 5560s.
- [STRIKE]It appears that as a part of the process of flashing the CPB, we can override the recovery.img with another recovery.img BUT we'd have to create a custom CWM. If we have enough information about the partition layouts.. hopefully.. a non-bricking custom recovery.img can be created. :D[/STRIKE]
- REF: http://modaco.com/topic/373530-guide-ygdp-tool-for-flashing-stock-42-44-roms/
16 Jan 2014
- [STRIKE]Tested some (Chinese?) 5217 rooting methods on the 5560.. nothing worked so far.[/STRIKE]
- Per suggestions below-- tested a ton of modstrings for towelroot. -- Was unable to gain even temporary root. :/
- A fellow XDA'r (Dunno if he wanted pub credit or not) got the CPB file.. poking it with a stick. :)
08 Jan 2014
- Testing some of the other coolpad rooting tools on the 5560.
- Tried: SRSRoot v1.7.3, Root Genius v1.9.6.. no luck.
24 Dec 2014
- Xmas time-- gonna be outta it for a few days.
- Phone is vulnerable to CVE-2014-7911 - Not sure if helpful, as CVE-2014-7911 crashes JVM. It may be possible to take over one of the factory apks that does have root permissions and inject SU. :)
22 Dec 2014
- Couldn't use the 9976A rooting method-- couldn't pull the MTK scatter. Hmm.
- There's an internal test server but the apk is passworded-- messn around with it.
20 Dec 2014
- Discovered some Coolpad / 5560s Dialer Codes
- *#*#*20060606*#*#* -> EngMode -> Phone Settings -> ENABLE Download Mode
- *#*#*9527*#*#* -> FactoryTest -> Some interesting things here..
- *#*#*4636*#*#* -> Testing -> Phone Info -> Just like the HTC Hidden Diag Screen, can turn off Radio / set preferred network type.
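The marker-stripping step of the HOWTO above, as an added Python example that is not part of the original post or of any poster's tool: it locates the two 12-byte sequences, refuses to modify the data unless their counts match the post (three and one), and checks that the result starts with the Android sparse-image magic that simg2img looks for. The function names and the sample bytes are constructed for illustration, and the magic check assumes the cleaned file is a standard sparse image, as the simg2img step implies.

```python
#!/usr/bin/env python3
"""Locate and strip the two 12-byte marker sequences listed in the HOWTO."""
import struct
import sys

# Marker bytes exactly as listed in the post, mapped to the counts it gives.
MARKERS = {
    bytes.fromhex("303C3830303030302E2E2E2E"): 3,
    bytes.fromhex("303032393D3936382E2E2E2E"): 1,
}
# Magic number of the Android sparse image format (little-endian on disk).
SPARSE_MAGIC = struct.pack("<I", 0xED26FF3A)


def find_markers(data):
    """Return {marker: [offsets]} of non-overlapping occurrences in data."""
    hits = {}
    for marker in MARKERS:
        offsets = []
        pos = data.find(marker)
        while pos != -1:
            offsets.append(pos)
            pos = data.find(marker, pos + len(marker))
        hits[marker] = offsets
    return hits


def strip_markers(data):
    """Return data without the markers; raise if counts differ from the post.

    A 12-byte pattern can also occur by chance inside file contents, so an
    unexpected count means this is not the image the post describes and
    deleting bytes blindly would corrupt it.
    """
    hits = find_markers(data)
    for marker, expected in MARKERS.items():
        found = len(hits[marker])
        if found != expected:
            raise ValueError(
                f"marker {marker.hex()} found {found} times, expected {expected}"
            )
    cuts = sorted((off, len(m)) for m, offs in hits.items() for off in offs)
    out = bytearray()
    prev = 0
    for off, length in cuts:
        if off < prev:
            raise ValueError(f"overlapping markers at offset {off:#x}")
        out += data[prev:off]
        prev = off + length
    out += data[prev:]
    return bytes(out)


def looks_sparse(data):
    """True if data begins with the sparse-image magic simg2img checks for."""
    return data[:4] == SPARSE_MAGIC


def build_sample():
    """Constructed test input; the layout is arbitrary, not the real image."""
    a, b = list(MARKERS)
    header = SPARSE_MAGIC + b"\x00" * 24
    return a + header + b"A" * 64 + a + b"B" * 64 + b + b"C" * 64 + a


def main(argv):
    if len(argv) == 3:
        # Reads the whole image into memory for simplicity.
        with open(argv[1], "rb") as fh:
            data = fh.read()
    else:
        print("usage: strip_markers.py IN OUT (running on constructed sample)")
        data = build_sample()
    for marker, offsets in find_markers(data).items():
        print(marker.hex(), [hex(o) for o in offsets])
    cleaned = strip_markers(data)
    print("sparse magic at offset 0:", looks_sparse(cleaned))
    if len(argv) == 3:
        with open(argv[2], "wb") as fh:
            fh.write(cleaned)
    return 0


if __name__ == "__main__":
    sys.exit(main(sys.argv))
```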
slashdevandroid said:
Hi all, my question is... does anyone have any rooting experience with the Coolpad 5560S'? Also-- If you have any additional information on these phones feel free to respond as well!
I don't have much experience, but just got one of these and would like to root it so I hope you get some replies. Thanks.
If you manage to find anything out about this I am super interested. Just got one because... why not, it was 10 bucks lol. If you need a guinea pig I'm down.
Hope we can find root for this phone soon, many are trying current root tools, but none are working, I have tried like 5-6 different ones so far, none working as of yet. I'm sure in a few more days - someone will have an update on their tool for this to be rooted.
Nevermind.
I have 4 of them now, so hope we can find a way to root them soon, I also wanted to get the bootloader unlocked if possible.
NeoGodSpeed said:
I have 4 of them now, so hope we can find a way to root them soon, I also wanted to get the bootloader unlocked if possible.
Opened up one of my 5560s' (Arise) and it looks like it's almost identical to the Coolpad 5217 which happens to have a root and various ROMs available to download. I don't have much time available to start porting ROMs, but someone here might go ahead and give it a look. I'll try to find some time later today to post photos of the PCB.
keebler64 said:
Opened up one of my 5560s' (Arise) and it looks like it's almost identical to the Coolpad 5217 which happens to have a root and various ROMs available to download. I don't have much time available to start porting ROMs, but someone here might go ahead and give it a look. I'll try to find some time later today to post photos of the PCB.
That would be great
Have you tried towelroot?
towelroot does not work just tried it
I've been playing around with this device and I figured I would share the progress I've made. I also obtained the CPB file (along with the official USB drivers) from Coolpad and was able to extract it with YGDP, the result of which can be found at the link below:
https://drive.google.com/folderview?id=0B4t9dt63rRpXaHo0XzNqVy1WT00&usp=sharing
Based on the extracted boot.img and the partition information pulled from a running phone I attempted a build of CWM for the 5560S - which can also be found at the link above. I haven't had any luck getting YGDP to flash the custom recovery.img and attempting to flash it via Fastboot hangs on "Writing..." Perhaps someone with a little more time on their hands will be able to get this working.
A few notes:
Coolpad uses a custom USB device ID that is not recognized by the fastboot command automatically. You must use the following flag while issuing fastboot commands:
Code:
fastboot -i 0x1EBF <command>
Attempting to flash the stock CPB file via YGDP will result in a "soft-brick" where the phone will hang on a screen that says "1. modem" with up/down on the side. You can access the phone via ADB in this mode and issue the following command to reboot normally (which differs from the advice you may find online for other Coolpad models):
Code:
adb reboot system
Attempting to replace the recovery.img in the temporary folder YGDP creates (which only happens after modifying its configuration for the phone) does not seem to cause it to flash the custom image instead, unlike other Coolpad models
Attempting to replace the recovery.img in the CPB file with the custom recovery.img in a hex editor causes YGDP to complain about the checksum not matching. I'm not sure where this checksum is stored or if it's modifiable.
Hope this helps! :fingers-crossed:
Has anyone figured this out yet?
Just wondering if root is available yet?
stevenmirabito said:
Attempting to flash the stock CPB file via YGDP will result in a "soft-brick" where the phone will hang on a screen that says "1. modem" with up/down on the side. You can access the phone via ADB in this mode and issue the following command to reboot normally (which differs from the advice you may find online for other Coolpad models):
Code:
adb reboot system
Attempting to replace the recovery.img in the temporary folder YGDP creates (which only happens after modifying its configuration for the phone) does not seem to cause it to flash the custom image instead, unlike other Coolpad models
Attempting to replace the recovery.img in the CPB file with the custom recovery.img in a hex editor causes YGDP to complain about the checksum not matching. I'm not sure where this checksum is stored or if it's modifiable.
Hope this helps! :fingers-crossed:
Awesome! TYVM!
I soft-bricked my 5560 as well-- ended up using adb's shell to reboot into the stock recovery, clear both the data and cache, then rebooted and.. it started up fully stock with no issues that I can see..
Quick question -- how did you get the YGDP to actually extract the *.imgs? Using procmon I've seen YGDP read from the CPB but never write to any files..
Coolpad 5560S Pics
Here are some crappy pics of the insides, I didn't see any specific headers for any UART or JTAG, but they could be multiplexed with other pins. I'll get around to actually desoldering the RF shields some day and using the Nikon D90 for the pics instead of the iPhone.
i.imgur.com/8Ywkt0l.jpg
i.imgur.com/UUiyKXa.jpg
i.imgur.com/EnVfhWM.jpg
i.imgur.com/M2XzlCi.jpg
i..imgur.com/8Ywkt0l.jpg
slashdevandroid said:
Awesome! TYVM!
I soft-bricked my 5560 as well-- ended up using adb's shell to reboot into the stock recovery, clear both the data and cache, then rebooted and.. it started up fully stock with no issues that I can see..
Quick question -- how did you get the YGDP to actually extract the *.imgs? Using procmon I've seen YGDP read from the CPB but never write to any files..
The XML config for the phone that presumably tells YGDP how to flash it is stored in dProdRes.dll. Using Resource Hacker or another resource editing application you can edit the XML value for UnzipCPB to "1" in the 5560S section, which causes YGDP to extract (more accurately "split" since the file isn't compressed in any way) the CPB file into the DownloadFiles directory. I've added my modified version of dProdRes.dll to the Google Drive folder referenced above - the md5sum for the original file should be 1041E39DF18B86E9945B4A8601E6ACD7 and the modified file should be E3C5538235B0742425B84D97DF066972.
keebler64 said:
Here are some crappy pics of the insides, I didn't see any specific headers for any UART or JTAG, but they could be multiplexed with other pins. I'll get around to actually desoldering the RF shields some day and using the Nikon D90 for the pics instead of the iPhone.
i.imgur.com/8Ywkt0l.jpg
i.imgur.com/UUiyKXa.jpg
i.imgur.com/EnVfhWM.jpg
i.imgur.com/M2XzlCi.jpg
i..imgur.com/8Ywkt0l.jpg
Awesome ty!
stevenmirabito said:
The XML config for the phone that presumably tells YGDP how to flash it is stored in dProdRes.dll. Using Resource Hacker or another resource editing application you can edit the XML value for UnzipCPB to "1" in the 5560S section, which causes YGDP to extract (more accurately "split" since the file isn't compressed in any way) the CPB file into the DownloadFiles directory. I've added my modified version of dProdRes.dll to the Google Drive folder referenced above - the md5sum for the original file should be 1041E39DF18B86E9945B4A8601E6ACD7 and the modified file should be E3C5538235B0742425B84D97DF066972.
Outstanding -- thanks for the explanation.
Playing around a bit today noticed:
-YGDP ignores the unzipped files and procmon shows even if YGDP unzips the CPB it still simply reads from the CPB. Tried playing around with the downmod="" section in the XML but YGDP still ignores the zips.
-Did notice that a few of the other coolpads had custom CPB's that only had the recovery in them. Perhaps its time to reverse engineer a file format..
slashdevandroid said:
Did notice that a few of the other coolpads had custom CPB's that only had the recovery in them. Perhaps its time to reverse engineer a file format..
I noticed that too, and it seems that the community for other models had figured out how to do exactly that. Unfortunately, I couldn't find any documentation or tutorials online and didn't receive a response from the one or two people that I contacted.
stevenmirabito said:
I noticed that too, and it seems that the community for other models had figured out how to do exactly that. Unfortunately, I couldn't find any documentation or tutorials online and didn't receive a response from the one or two people that I contacted.
Same.. We'll keep lookin!
Ty again for all your input in this.. sometimes we all have a bit of the puzzle.
Why can't anyone figure this out?
It seems that since this is an excellent phone that can literally be purchased for $9.99 at King Soopers, that a lot of people would have them even if just for a backup phone. I figured there would be a lot of ROM's, Recovery's, etc... ANYONE, PLEASE HELP US!!!:good:
Related
Zen's Backtrack 5 For HD2 (and other) Android Smartphones
V0.3
----------------------------------------------------------
New app for loading this (and other) Linux Systems! - https://play.google.com/store/apps/details?id=com.linux.autoloader
Image and app support can be found here --> http://www.zenfulapps.com/
Packed - 640mb
Unpacked - 2.6gig (fits on 3.3 img now.)
--GRAB THE UPDATED SCRIPTS ATTACHED TO THIS POST, THEY ARE NOT PACKAGED INTO THE ZIP--
--Scripts are set to load from EXT4 partition, when i modify them for the .img's ill add them to the script pack--
--if you have .img mounting scripts from previous versions, they will work, as long as file names and directories match--
V0.3 Download
http://www.zenfulapps.com/Android/backtrack5-0.3.7z
(MD5 is still the same
MD5sum (of .7z file) - 9a4796f0ed96e03579c2b4a684d026f5
--------------------
Script pack contains
--------------------
btgo - mounts BT5, and asks how you would like to start, CLI or VNC
bts - stops BT5, and unmounts everything for it.
btl - used to login to bt5 after it has been mounted, to avoid all those "resource busy" messages
mkcore - directory installation and swap file creation
-------------
What you need
-------------
Rooted Android Smartphone
Linux on PC
Busybox installed on your device
SDcard adapter or reader, if necessary
----------
Lets begin
----------
There are 3 different ways you can do this:
1. Fresh install on EXT4 Sdcard partition (I HIGHLY recommend this method if possible, much better, a bit faster (no double loops to write to))
2. Create Fresh .img
3. Replace old BT5 system .img
=========================================
1. Fresh install on EXT4 Sdcard Partition
=========================================
This portion of the guide is to install BT5 on a FRESH EXT4 partition on your SDcard. Throughout this process, you will:
Backup your current sdcard (EVERY PARTITION, this is why we use PC-linux and not windows)
Fully erase and repartition your SDcard
Replace Android system and user data
Install BT5 on third partition
prepare system for chroot and VNC connection
----------------------------------------
Boot into your Linux operating system. **I DO NOT recommend using virtualbox or vmware, as drivers for usb and SDcard connections aren't direct, things can go wrong.**
Shutdown your phone, and remove your SDcard. Do not use adb, or any other tools to do this.
insert your SDcard into your computer (adapter or reader yada yada) and mount every partition.
Make careful note of what is on which partition. safest way to back everything up is through the command line with the command
Code:
sudo cp -Rfvp /media/your-sdcard-partition/* /where/your/backup/folder/is
Do this for each partition, whether you have 1, 2, 3, or more.
In my case, my backup directory looks like this:
Code:
[[email protected] sdcard-backup]$ ls -l
total 12
drwxrwxr-x. 2 hookup-cellular hookup-cellular 4096 Sep 13 18:48 ext2
drwxrwxr-x. 2 hookup-cellular hookup-cellular 4096 Sep 13 18:48 ext4
drwxrwxr-x. 2 hookup-cellular hookup-cellular 4096 Sep 13 18:48 fat32
(ignore the empty directory sizes, my TRUE backup folder is MUCH more vulgar and I won't display it publicly, people may tear their eyes out )
After everything is backed up, open your partition manager (in Gnome it is gparted, can't remember the name in others)
Navigate to your SDcard, and DELETE every partition. every one.
afterwards, recreate them using this strategy:
partition 1 - FAT32 size = total sdcard size minus ext2 and ext4 partition sizes
partition 2 - EXT2 size = 256mb, 512mb, 1gb, depending on how you like your apps2sd
partition 3 - EXT4 size = size you want for linux, minimum should be 4gb (mines at 10gb, i like my linux and got 3 different ones on it at the same time.)
When you are done, copy back your fat32 and ext2 stuff using the SAME COMMAND AS ABOVE (sudo cp -Rfvp from/here to/here)
Now, unzip/tar the .tar.gz package. I recommend extracting it to your pc before trying to put it on your sdcard.
Using the copy command above, put the extracted files onto your sdcard's EXT4 partition.
Double check the partition (navigate to it in nautilus or whatever filemanager your using) and ensure that it has the system copied over properly. You should see /boot /etc /root /sys so on and so forth, NOT just one folder with all of those inside of it.
Insert your SDcard, power on your phone, go to terminal emulator, and enter this:
Code:
su
cd /sdcard/scripts
sh mkcore
Swap file is damn near necessary if you're planning on using any GUI tools (armitage, zenmap)
Your directory structure is now in place, swap file created, and you start BT5 by typing (from /sdcard/scripts OR /data/linux):
Code:
sh btgo
=================================
2. Fresh Image Creation
=================================
for this, we use the dd command and mkfs.ext4 command.
Code:
dd if=/dev/zero of=/path/to/where/you/want/the/img bs=1M count=3300
Change this command as needed, running it as is won't do anything good. Change the of= to where you want your img to be located.
next is mkfs.ext4
Code:
mkfs.ext4 /path/to/where/you/want/your/img
select yes when it cautions about "not a block device"
When this is finished, mount it using these commands:
Code:
su
# enter your password when prompted
mkdir -p /mnt/bt5img
mount -t ext4 -o loop /path/to/your/img /mnt/bt5img
now, extract the BT5 package to a place on your Computer. When finished, run this command:
Code:
sudo cp -Rfvp /path/to/bt5/core/* /mnt/bt5img/
changing parameters accordingly.
After this, copy the .img to /sdcard/bt5 and run the start scripts from your terminal emulator.
================================
3. Replace Existing Image
================================
Mount your bt5 image, erase what is inside of it, and copy in the new system:
Code:
su
# enter your password when prompted
mkdir -p /mnt/bt5img
mount -t (your ext type) -o loop /path/to/your/bt5/img /mnt/bt5img
rm -Rfv /mnt/bt5img/*
cp -Rfvp /path/to/bt5/core/* /mnt/bt5img/
unmount your .img, place it on your sdcard, and you're all set.
==============================
Changes in v0.3
==============================
- Trimmed a lot of fat, fits inside of 3.3 image now, though space is SEVERELY limited (removed CUPS and sound stuff, who needs to print from within their phone anyways?)
- various small changes for performance improvements.
- a few new tools installed, but not tested
- restored my personal version that i nuked. It works now.
NEW STUFF TO COME, STAY TUNED!!!
First off, My apologies for starting a second thread on this, I've made ALOT of changes and i feel the first thread is dead and useless. (Reprimand me if needed
-pics coming once I find my camera could be a small while-
---------------------------------------
Backtrack5 for HD2 - v0.2
Customized by z3n
My goal: the perfect stealth
tool in your pocket
just one tap away
---------------------------------------
========================
Codename
Squeaky Wheel
========================
Updated, check second post for changelog
========================
DOWNLOAD
========================
Please use the scripts attached at the bottom of this post instead of the packaged ones, and I haven't had a chance to update the full image zip with it (uploads take a while )
V 0.2
Part 1 - http://www.megaupload.com/?d=D0MQVAS4
Part 2 - http://www.megaupload.com/?d=M2MRYLAH
MD5 - 06225e18cdbfee6f88daf7e9ee3a1163
SHA1 - eeba19e53565a1643703cf8938be2f8cfc12db9a
V 0.1
Part 1 - http://www.megaupload.com/?d=83B22Y00
Part 2 - http://www.megaupload.com/?d=SB98AA19
mirror - (NOT interchangeable)
Part 1 - http://www.megaupload.com/?d=HU320Z81
Part 2 - http://www.megaupload.com/?d=QN9C560Z
Checksums of bt5.img
MD5 = 863e6db99e5207a81ad0df7d13998235
SHA1 = c84d8f27df8b9b51059e5a6b09e65853f11de970
7zip required to extract.
Just over 1gb packed, unpacked is 4.9gb.
========================
INFO
========================
This is my first release of a customized, working, mostly stable BT5.
Many things have been added, taken out, and configured to be used within the Android system. For a full list, please see the bottom of this post.
Mounting is different than most other linux .img installations, allowing for a full (and expandable) image.
V 0.2 Now has a swap file created when you run the mkdirectory script. This swap file is necessary, as with all my tests, When you run VNC with most of the major tools, there's a high chance of the phone running out of memory (im running no extra apps, completely stock Hyperdroid)
(if you have a swapfile already, you can say no to creating another, just make sure that the file is located at /data/bt and named btswap.)
**This image is in ext4, make sure your kernel supports it!**
**Everything tested on Hyperdroid-CM7 by pongster**
==============
INSTALLATION
==============
You need:
-Full Nandroid Backup in case something goes batty
-16gb HD2
-ext4 support on your ROM/kernel (lost my ext2 image due to my own stupidity, will create another matching one later)
-Linux on PC (to create the ext4 partition)
-Busybox (from market)
-VNC Viewer (from market) (optional)
FAT32/EXT4 Split card
---------------------
1.
Back up your HD2 and SDCard to safe places (off of the phone and sdcard)
2.
Boot your linux installation and open partition manager. Erase all the partitions on your SDcard. Then create them in this order.
1. FAT32 - size of this is total sdcard size minus 6.5g (for bt image) minus 100mb for apps2sd
2. ext2 - 100mb
3. ext4 - 6.5 gb
3.
Copy the bt5.img to the root of your third partition.
copy the bts folder to the root of your FAT32 partition.
4.
if this is your first time using this script/image, run the mkdirectory script first with
Code:
su
sh /pathtoscripts/mkdirectory
Load up your android terminal and type
Code:
su
cd /path/to/scripts
sh go
5.
Now it asks you if you want to log in to the console or start vnc automatically. (check log for port, usually 5901 or 5902)
DEFAULT VNC PASSWORD IS: toortoor
DEDICATED SDCARD
----------------
Same as everything above, minus the FAT32 partition.
"sh ded"
starts for dedicated SDcard instead of
"sh go"
Proper Shutdown Procedure
=====================
Stop script has been modified to shutdown backtrack and all of the (usual) programs that stop things from unmounting properly.
Exit any VNC connection you currently have.
1. Run sh stop (from your scripts location)
2. Reboot phone as a precaution.
One thing i did personally to make this easier was load the scripts onto /data/bt, so switching SDcards or locations doesnt matter.
(I also changed the terminal start directory to my scripts folder easy quick access)
=======================
Main Features I've gotten to work
=========================
-Clean mount/umount, as long as VNC and MySQL are killed BEFORE exiting the chroot - stop script kills these now
-Apps no longer disappear for good with sdcard removed, only disappear until SDcard is reinserted (apps2SD/loop device problem, any ideas?)
-MySQL for metasploit
-Metasploit working
-Armitage working, missing some "Attack" options (looking into it)
-Zenmap installed
-OpenVPN installed
-Traffic analysis possible with tcpdump (local only)
-Enables possibility for FakeAP attacks
-macchanger works (kinda, phone needs a reboot for original MAC to return)
-Armitage Launcher placed on Desktop (takes a while to load, be patient)
-Terminal Launchers in various places (updating may randomly remove your terminal, synaptic placed on desktop as standby to redownload terminals
-guake installed (drop down Terminal, makes commands easier to see while working) (not configured to a key yet)
This probably works with other Android phones too. If you change the scripts, and as long as it has a external SDcard you can partition.
If you're using a different phone, this is untested unless specified otherwise.
-boot and shutdown scripts run clean as long as VNC and MySQL are shut off(in almost all cases)
@ XDA
http://forum.xda-developers.com/show....php?t=1152994
PASSWORDS
------------
MySQL - user: root pass: toor
VNC - User: root pass:toortoor
sys pass - user:root pass:toor
(I know, standard ones, but this should answer a few questions)
===============================
Thanks
===============================
anantshri - for the original scripts and BT5 img for android
BT dev team - (of course )
and all of you
===============================
Information, bugs, and oddities
===============================
One important thing, While performing heavy operations, its normal for your screen to not turn on for a while if it turns off. Dont panic, just give it some time to finish whatever you were running and your phone will be back to normal again. DO NOT PULL THE BATTERY UNLESS ABSOLUTELY NECESSARY.
To avoid this, get wakelock (known to cause problems) or set your screen timeout to some large number.
Swap file will help with alot of this.
These are the features I've tested out so far.
No major changes to anything, (except new packages) just configuring everything i see.
If you find anything you want added in or that is acting odd, please let me know. Same goes for if you fix something!!
Overall
-------
-Repo's activated, most things work (upstart processes fail, for now)
-startvnc and stopvnc no longer give that pesky USER error
-startvnc starts mysql database for metasploit
-stopvnc stops mysql (mostly, invoke ps -A and look for mysqld. Kill it with fire(-9) if need be)
-network traffic is capture-able with tcpdump, with wifi hotspot activated
-working on adding in a swap partition on sdcard (if possible)
-openoffice installed
-openVPN installed (the quieter you become...)
-Removed Zoho Web services
MySQL
-----
default user - root
default pass - toor
-Starts automatically with startvnc
-stops automatically with stopvnc
-start manually by invoking "mysqld"
-Only runs as root (for now)
-Console hangs when it is manually loaded or shutdown, service continues running though. killall --signal 9 mysqld if needed.
Metasploit
----------
-Loads up alright (45-90 seconds)
-MySQL already set as default DB
-Must manually connect to MySQL DB each instance of metasploit by invoking (from msf) db_connect root:[email protected]
-working on a possible way to limit cpu consumption to prevent system hangs(cpulimit does some nasty things)
-So far, this is the only connection string ive been able to get to work: root:[email protected]
Armitage
--------
-Takes forever to load (30 seconds for connect screen, 4 minutes or so for main client)
-Causes system hangs frequently (to minimize this, leave the vnc server on your screen, and set the display timeout to 10 minutes-switch it back when done to conserve battery life)
-So far, this is the only connection string ive been able to get to work: root:[email protected]
-Can Crash phone if running too big of an operation (Max Phone memory problem, fixed in v.2 with swapfile added)
Zenmap
------
-Slows phone down (incredibly bad with more complex scans, of course)
-Some Complex scanning options can crash phone (Nothing damaging has happened)
-will attempt to throttle cpu usage in the future
-Can Crash phone if running too big of an operation (Max Phone memory problem, fixed in v.2 with swapfile added)
Aircrack-ng suite
-----------------
-Aircrack-ng works
-Airodump-ng doesnt work (needs monitor)
-Airdecap-ng untested
-Airdecloak-ng untested
-Airbase-ng doesnt work (needs monitor)
-Airmon-ng doesnt work (needs monitor)
-Aireplay-ng doesnt work (needs monitor)
-Airdriver-ng doesnt work (yet)
-Airolib-ng works (doesnt do anything yet)
-Airserv-ng doesnt work (needs monitor)
-Airtun-ng doesnt work(needs monitor)
Plus lots of stuff for the future, stay tuned!!
http://forum.xda-developers.com/show....php?t=1152994
In the future
=========
-nessus
-Booting via HD2 Toolbox by d4n14l (sp?)
-Custom kernel (WAYYYY down the road, but working on it)
and more
--Copyrighted by z3n, 2011
(just kidding, but it looks good )
Looks good, will give it a go.
Thanks for sharing
If we could get our wifi card into monitor mode --> awesome!!!!
Thanks to z3nful & everyone made this possible!
Enjoy everyone
The next release is going to be faster, stabler, and more useful
I'm also working on a round-about way for packet injection and monitor mode
Stay tuned
Sent from my Hyperdroid Pocket Laptop
cool.. good job man..
Are you trying to patch the wifi drivers ? =D
Holy crap.....this is a dream in the making Bring on monitor mode and packet injection
I've done some research.. and found out that many devs have tried making the driver work in monitor mode.. but they failed to do that.
It looks to me that Backtrack on HD2 is kinda useless.
Not useless, just last night I ganked my roommates computer with my phone
As far as monitor mode and injection go, sadly, they may be right that it's not possible, but I got some ideas that may make it work, I just need to hammer out some kinks in BT first
And who needs monitor when you can fakeAP?
"Make them hand you the keys and you don't have to break their Window(s)™"
Sent from my Hyperdroid Pocket Laptop
A m a z i n g
Next release is going to be even better. This 5gig image is almost full, so I'm going to expand it to 6gig, along with instructions on how to expand your own image if that's too large or you want even more space.
Btw, Wine should be good to go in the next one
stay tuned!!
Sent from my HD2 "Pocket Laptop"
I would love to see some Sceenshots (or better: a video) here!
Lol will do, gotta go find my 10 year old Polaroid. I've been using this phone for all my pics and videos, so this could be tricky
Sent from my HD2 "Pocket Laptop"
good to see development beyond just starting up the image... I would be taking some pointers from here for my device too....
hope you don't mind that....
Not at all, I've been trying to track down your name again so it can add you to the credits part, as the basis of the scripts was yours lol, I just changed the loops and mounting structures around a bit, and added some stability checks.
The scripts for this image are slightly out of date, but I got new ones going up once I have time. They should fix a few of the small errors people get while mounting
My next version is a little ways out (work's gotten crazy busy lately) but it'll be out eventually
Sent from my HD2 Pocket Laptop
Not Booting!
Hi, thank you for sharing this!!! This is like a dream for a lot of people.
I have followed all your steps but I have a problem when I run the scripts: the folders don't get created, because when I run go I get a bunch of folder not found.
My SD card has some differences, it is a 16GB
with
Fat32
Ext-sd/ EXT2 -->1GB
EXT3 --> 100MB
EXT4 --> 6.5GB
Could this setup be causing the script to look on the wrong partitions? I have gone a lot of time without playing with shell scripting, but I would like to know if that is the place I should start looking for a fix
-edit- just double checked (forgot scripts were on my phone... it's been a long week lol) and you should just need to change the mount -t ext4 /dev/block/vold/179:3 to /dev/block/vold/179:4
Also, did you run the new mkdirectory script? If you have the one packaged with the image it's out of date. The attachment on the first post has the updated ones
Ignore all mmcblk's
For another "buffer" partition, you need to point the sdcard parts (mmcblk0p* and vold/179:*) to what yours are in /dev/block. In your case I think you just need to change any vold/179:3 to 179:4. If you go to /dev/block/vold it will have folders from each partition (they are numbered 0 and up, but 1 would be your fat32, 2 is ext2 so on and so forth)
When I'm near my computer ill figure out the full ones for you
Sent from my HD2 Pocket Laptop
can I get it for Htc desire..??
It should work, as long as you have a big enough sdcard, your phone's kernel supports ext4, and you might have to change a few small variables
Sent from my HD2 Pocket Laptop
>>>> In a post further down, I have released a updated zip file which contains the 2ndihkvc program as well as its source as well as few support scripts to allow experimentation with this mechanism of multiple user spaces <<<<
Hi All
I have been following the below thread, as well as working on my own on some of the concepts. You can get the details till now from my posts in the below thread.
http://forum.xda-developers.com/showthread.php?t=1378886
I was not able to get the SETREGS to succeed in setting PC required for the current/existing 2nd-init logic, nor wait was waiting to lock the process, SO I tried a new and simpler alternate method for triggering/execve the init process a 2nd time using only POKE and it seems to have succeeded. I am guessing this based on my nooktablet having got messed up and it keeps rebooting again and again when it reaches my logic potentially. I have to restore back to factory settings and try afresh in the morning (Well it is almost morning ;-) now here) with few more debug messages to pin point it fully.
The code I am injecting directly into init process is in the attached txt file which is actually a .s (assembly file). (NOTE: Currently I am not handling environment variables, not sure if that is causing my boot to keep looping).
In turn the logic to hijack the init process and inject the code is as simple as
Step1) PTRACE_ATTACH
Step2) PTRACE_GETREGS
Step3) PTRACE_POKETEXT (Regs.ARM_pc, code to inject)
Step4) PTRACE_CONT
Step5) PTRACE_DETACH
I will upload the code in a day or two - however the gist of the logic is above, if anyone wants to experiment on their own.
NOTE: The code is very simple and experimental and expects the pc address to be known before hand to massage the .s file appropriately.
NOTE: The above algo with the corresponding .s file is still EXPERIMENTAL and also requires additional shell scripts to get access to the boot flow to trigger the hijack. And the current code will break the nooktab booting, so don't experiment this logic and the .s file unless you know what you are doing.
NOTE: I am not that much into Custom Roms etc, so don't expect anything much shortly wrt Custom Roms etc, this is just a experimentation for myself and to feel happy inspite of BN removing some useful features like sideloading as well as forcing a signed bootloader on everyone.
can you make a 2-init zip like on the milestone
http://forum.xda-developers.com/showthread.php?t=998425
because then the devs can go on and make a recovery
Bit more exploration with init hijacking - 2ndihkvc src package for EXPERIMENTATION
Hi,
NOTE: Source code package is attached with this message. However this is WIP and provided for anyone wanting to EXPERIMENT on their own parallel to me. Because I think the basic logic is done now. It is more of cleaning up the init rc files and or killing some additional tasks before restarting init or some such things HOPEFULLY (NO harm in hoping and being positive). HOWEVER NOTE that the current version will loop your boot and fail. I have put a timed triggering logic to try and reduce the risk, check out the documents in the package, but it can factory reset or worst case wipe your partitions and render the nooktab dead.
After yesterdays initial init hijacking, I have cleaned up the .s file so that it passes the Args properly as well as added the environment variables set by Android by default. Also the ptrace code I have updated to do relocation (using a simple custom table) of injected code. Also rather than a minimal ptrace code, I have put a bit more full fledged one with my logic as well as skrilax's logic as well as reg dumping and few other stuff to help experimenters.
In turn I have cross verified, that init is actually getting restarted and it is running thro the scripts and setting up the properties as specified by my modified default.prop as well as in the process rerunning all the commands/services/prgs.
However some where beyond rild/vold sequence it seems to be blocking and looping the boot. Also I had modified the init a bit, have to check that also once later.
Enjoy and experiment
NOTE: Not sure how to avoid having to put the same message in two threads. I created this thread only because the original thread was in the wrong category (i.e. non development), when it should have been in development also.
This is interesting. I have minimal experience with assembly, none of it ARM. I would like to help, if possible. I appreciate the work you have put into this. I'm really hoping to be able to have CM7 on this tablet eventually.
Sent from my BNTV250 using xda premium
Potentially working Alternate Userspace in uSD using 2ndihkvc
Hi All,
I have updated my 2ndihkvc package a bit more and now you can boot into a ALTERNATE Android user space in uSD (NOTE: Userspace only and not kernel - locked bootloader doesn't allow alternate kernel).
For this you require to copy your required android /system and /data partitions into a MicroSD card in its 2nd and 3rd partitions which should be ext4 (specified in the init.omap4430.rc file in 2ndihkvc directory).
NOTE: Best way of getting a working /system and /data partitions is to ==> After rooting your Nook and removing all unwanted Apps/Junk, make a copy of the /system partition from eMMC to uSD. Same for /data/partition. Then you can copy what ever additional applications you want in this uSD based Android /system/app or /data/app partition. Thus you can have different sets of Android user space in different uSD cards.
Follow the instructions in INSTALL file for experimenting this on your rooted NookTab. BUT REMEMBER IT IS STILL EXPERIMENTAL. ALSO as a SAFETY FEATURE, as of now it will boot into this ALTERNATE MODE (in uSD) only when the current HOUR is specified in the start2ndihkvc.sh file appropriately. Otherwise it tries to boot into your normal Android system in eMMC. This should hopefully CATCH any mistake, BUT THIS IS NOT GUARANTEED AND THIS IS A DANGEROUS THING TO EXPERIMENT, UNLESS YOU KNOW WHAT YOU ARE DOING.
NOTE: One time it did reboot from my alternate android system, I haven't debugged this yet, as it has not occurred after it (Well I have tried only once more) so can't say one way or the other yet. But definitely, there are some corner cases.
NOTE: If something gets messed up or if something is different or even if there is some corner case in my code, which I haven't handled yet, it may MESS UP your NOOK TAB so EXPERIMENT WITH THIS only if you know how to recover on your own, provided the NOOKTAB is recoverable (90% should be, but NO GUARANTEE).
Now the BRAVE HEARTS can experiment and Enjoy an alternate Android system in uSD card.
NOTE: With this one should be able to boot into any Custom ROM after suitable updation of the scripts in my zip file, as well as by copying their /system and /data/ partitions into uSD 2nd and 3rd partitions. AS long AS that Custom ROM doesn't have any specific kernel requirements.
BYPASS Kernel and Ramdisk check for People with UART ACCESS
Hi,
NOTE: This is based on an initial look at the source code and then the objdump of u-boot.bin. I haven't cross checked this yet, because for now I haven't opened up the nooktab for uart access yet. Also this assumes by default booti command is used for booting in BN uboot. If someone wants to use bootm, then a different location requires to be patched wrt the image loading security check.
If you are a lucky ;-) person working with opened up NookTab with UART access, then basically replacing the memory contents of these two offsets with NOP will 90% BYPASS the security check successfully and allow you to boot a MODIFIED KERNEL or RAMDISK as required.
All offsets specified Assuming u-boot is loaded at 0 (adjust for the actual address where u-boot.bin is loaded, haven't looked into that yet).
Check for Security check of Kernel image is at
[ORIG] 0x48c0 => bne 0x48d8 (0x1a00.0004)
Make this a NOP by overwriting using uboot memory write command to
[MODI] 0x48c0 => mov r0, r0 (0xe1a0.0000)
Check for Security check of RAMDisk image is at
[ORIG] 0x4928 => bne 0x4958 (1a00.000a)
Make this a NOP by overwriting with
[MODI] 0x4928 => mov r0, r0 (0xe1a0.0000)
Someone (Hi Adamoutler, maybe you) with opened up NookTab can try this and tell me if it worked or not.
NOTE: you have to add up the actual u-boot load address to the offsets specified.
UPDATE1: It appears the load address is either
Possibility 1) 0x80e8.0000 OR
Possibility 2) 0x80e8.0000-0x120 (More likely).
Have to dig thro bit more, but one of these two will potentially work.
So that means to NOP RAMDisk security check the offset is
Possibility 1 ==> 0x80e8.0000+0x4928
Possibility 2 ==> 0x80e8.0000-0x120+0x4928 (More likely)
Best is to cross check if the resultant address contains the BNE instruction bytes specified above.
Same concept applies for the Kernel security check Nopping offset.
NOTE: It appears there is a 0x120 size header before the actual u-boot.bin code starts and in turn, when I did the objdump, it included the 0x120 bytes of header also assumed as code. And inturn the full (including the header) u-boot.bin or for that matter the u-boot from emmc seems to load into 0x80e8.0000-0x120.
UPDATE 2:
Code around the locations to be noped to help identify the same in memory, in case my offset calculations are wrong
48b4: eb0030f1 bl 0x10c80
48b8: e59d3010 ldr r3, [sp, #16]
48bc: e3530000 cmp r3, #0
48c0: 1a000004 bne 0x48d8
48c4: e59f0104 ldr r0, [pc, #260] ; 0x49d0
48c8: e594100c ldr r1, [r4, #12]
48cc: e5942008 ldr r2, [r4, #8]
48d0: eb0015db bl 0xa044
............
491c: eb0030d7 bl 0x10c80
4920: e59d3010 ldr r3, [sp, #16]
4924: e3530000 cmp r3, #0
4928: 1a00000a bne 0x4958
492c: e59f00a4 ldr r0, [pc, #164] ; 0x49d8
4930: e5941014 ldr r1, [r4, #20]
4934: e5942010 ldr r2, [r4, #16]
4938: eb0015c1 bl 0xa044
UPDATE 3: ... for a rainy day in future ;-)
UPDATE 4: For maximum success, first try a changed RAMDisk rather than Changed Kernel. If Changed Ramdisk works then try Changed Kernel (There is one more thing in Code, which I am not sure if it will impact a modified kernel or not yet, only way is to experiment).
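The branch words in the UPDATE 2 listing can be checked against their printed targets by decoding the ARM (A32) B/BL encoding by hand. This is an added example, not code from the 2ndihkvc package or from the poster; the table is copied from the listing above and the function names are made up for the illustration.

```python
# Added example: decode A32 B/BL instruction words and compare them with the
# targets printed in the objdump listing quoted in the post.

# Condition-code suffixes indexed by bits 31..28 (0xE = "always", no suffix).
COND = ["eq", "ne", "cs", "cc", "mi", "pl", "vs", "vc",
        "hi", "ls", "ge", "lt", "gt", "le", ""]

# (address, instruction word, mnemonic as printed, target as printed),
# copied from the listing in the post.
LISTING = [
    (0x48b4, 0xeb0030f1, "bl",  0x10c80),
    (0x48c0, 0x1a000004, "bne", 0x48d8),
    (0x48d0, 0xeb0015db, "bl",  0xa044),
    (0x491c, 0xeb0030d7, "bl",  0x10c80),
    (0x4928, 0x1a00000a, "bne", 0x4958),
    (0x4938, 0xeb0015c1, "bl",  0xa044),
]


def decode_branch(addr, word):
    """Return (mnemonic, target) for an A32 B/BL word, else None."""
    if (word >> 25) & 0b111 != 0b101:      # bits 27..25 must be 101
        return None
    cond = (word >> 28) & 0xF
    if cond == 0xF:                         # BLX <imm> space, not handled here
        return None
    link = (word >> 24) & 1                 # 1 = BL, 0 = B
    imm24 = word & 0xFFFFFF
    if imm24 & 0x800000:                    # sign-extend the 24-bit offset
        imm24 -= 1 << 24
    # In ARM state the PC reads as the instruction address + 8.
    target = (addr + 8 + (imm24 << 2)) & 0xFFFFFFFF
    return ("bl" if link else "b") + COND[cond], target


def verify_listing(listing=LISTING):
    """Return the rows whose decoded mnemonic or target differs from the text."""
    mismatches = []
    for addr, word, mnemonic, target in listing:
        if decode_branch(addr, word) != (mnemonic, target):
            mismatches.append((addr, word))
    return mismatches


if __name__ == "__main__":
    for addr, word, _, _ in LISTING:
        mnemonic, target = decode_branch(addr, word)
        print(f"{addr:#06x}: {word:08x}  {mnemonic} {target:#x}")
    print("mismatches:", verify_listing())
```

Every row decodes to the mnemonic and target printed in the post, so the listing is internally consistent at offset-0 addressing.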
How can I run 2ndihkvc just to load a new default.prop using the existing userspace? What I did so far was to remount / in rw, updated default.prop, pushed 2ndihkvc to /data/local/, changed permissions to 755 and executed. Here is the output
Code:
# ./2ndihkvc -p 1 -w 0 -c 0 -m 2
INFO:2ndihkvc:v30Dec_2020:
INFO:2ndihkvc: Tracing process with pid = 1
INFO:2ndihkvc: NewPrg = /init
WARN: RESPECT_WAIT disabled
WARN: Mode = MODE_INJECT_HKVC2
INFO: ContType = CONTINUE
INFO:2ndihkvc:PTRACE: Attached to (1)
INFO:2ndihkvc: Giving 2 secs to the likely traced process
ERROR:2ndihkvc:WAIT:Failed (No child processes)
INFO:2ndihkvc:hkvc2: InjectAddr (Regs->ARM_pc) = 0xffff0520
INFO:2ndihkvc:hkvc2: /init found at offset 0x100
INFO:2ndihkvc:hkvc2:ProgramToExecute: /init replaced with /init
INFO:2ndihkvc:hkvc2: At offset 0x208 relocating from 0x100 to 0xffff0620
INFO:2ndihkvc:hkvc2: At offset 0x200 relocating from 0x208 to 0xffff0728
INFO:2ndihkvc:hkvc2: At offset 0x280 relocating from 0x288 to 0xffff07a8
INFO:2ndihkvc:hkvc2: At offset 0x288 relocating from 0x300 to 0xffff0820
INFO:2ndihkvc:hkvc2: At offset 0x28c relocating from 0x307 to 0xffff0827
INFO:2ndihkvc:hkvc2: At offset 0x290 relocating from 0x312 to 0xffff0832
ERROR:PTRACE:POKE failed at location ffff0520
INFO:2ndihkvc:PTRACE: Continue/SingleStep ...
INFO:2ndihkvc: Detaching...
ERROR:2ndihkvc:PTRACE: Failed DETACH (No such process)
#
Do I need to push your init to /system/2ndihkvc/init? I am just trying to play around with it and Adam's BHT just to see what I can do them. Thanks.
Hi Brianf21,
As specified in the INSTALL file with in my zip
Copy my 2ndihkvc.zip file to /data/local/tmp
Then mount /system in rw mode.
Next unzip 2ndihkvc.zip into /system. It should create 2ndihkvc folder.
Next run ./install.sh from with in 2ndihkvc folder.
This will setup the boot process to start into 2ndihkvc. And it inturn will restart init with new set of init.*.rc as well as default.prop files.
Have a look at the 2ndihkvc folder, it already contains a default.prop file. If you want to change anything in default.prop then do the changes in this default.prop in /system/2ndihkvc folder.
Also remember to change the time check in start2ndihkvc.sh file in /system/2ndihkvc folder to the current hour, when you will be experimenting. Otherwise, it will not run 2ndihkvc, but continue with the normal Android init flow.
Cross check my INSTALL file once again for the details/steps to setup 2ndihkvc.
Once you have done the above. When you restart your system, it will trigger 2ndihkvc as required and the default.prop will be the new one which you would have edited/updated in /system/2ndihkvc/ folder.
NOTE: Looking at the address, it seems like you had tried 2ndihkvc once before in the same session. Try following the install step specified above/In the 2ndihkvc zip file and see. There is a minimally modified version of init.omap4430.rc and default.prop already in the 2ndihkvc folder, modify those if you want to modify them. This is because start2ndihkvc.sh will copy these files from /system/2ndihkvc/ folder when it is run to restart init.
I will have to read more, to avoid setting up system and data up on an sdcard. Once the setup is done, will it always hijack init for every following boot until it is removed or only one reboot? I am just trying to get a clearer picture of what's going on, I wanted to just see the hijack of init work independently of the other processes.. I kind of like to break things down into parts so I can get a better understanding of the entire process. Thanks for the work you've put in so far.
hkvc said:
Hi Brian21,
As specified in the INSTALL file with in my zip
Copy my 2ndihkvc.zip file to /data/local/tmp
Then mount /system in rw mode.
Next unzip 2ndihkvc.zip into /system. It should create 2ndihkvc folder.
Next run ./install.sh from with in 2ndihkvc folder.
This will setup the boot process to start into 2ndihkvc. And it inturn will restart init with new set of init.*.rc as well as default.prop files.
Have a look at the 2ndihkvc folder, it already contains a default.prop file. If you want to change anything in default.prop then do the changes in this default.prop in /system/2ndihkvc folder.
Also remember to change the time check in start2ndihkvc.sh file in /system/2ndihkvc folder to the current hour, when you will be experimenting. Otherwise, it will not run 2ndihkvc, but continue with the normal Android init flow.
Cross check my INSTALL file once again for the details/steps to setup 2ndihkvc.
Once you have done the above. When you restart your system, it will trigger 2ndihkvc as required and the default.prop will be the new one which you would have edited/updated in /system/2ndihkvc/ folder.
NOTE: Looking at the address, it seems like you had tried 2ndihkvc once before in the same session. Try following the install step specified above/In the 2ndihkvc zip file and see. There is a minimally modified version of init.omap4430.rc and default.prop already in the 2ndihkvc folder, modify those if you want to modify them. This is because start2ndihkvc.sh will copy these files from /system/2ndihkvc/ folder when it is run to restart init.
brianf21 said:
I will have to read more, to avoid setting up system and data up on an sdcard. Once the setup is done, will it always hijack init for every following boot until it is removed or only one reboot? I am just trying to get a clearer picture of what's going on, I wanted to just see the hijack of init work independently of the other processes.. I kind of like to break things down into parts so I can get a better understanding of the entire process. Thanks for the work you've put in so far.
If all you are interested is run 2ndihkvc with a modified default.prop but no other modification (i.e no uSD /system and /data partitions), then
a) overwrite the init.omap4430.rc in /system/2ndihkvc with the one in / . However if you have already booted into a system with 2ndihkvc then in /data/local/tmp.
Or if required you can directly edit the init.omap4430.rc in /system/2ndihkvc and update the mount commands in there to mount from emmc instead of uSD.
b) Remove the 2 lines in restart-userspace.sh corresponding to mount -o move ....
This will allow you to boot into a system with a modified default.prop but no other change from a runtime perspective (unless I have forgotten something).
Also 2ndihkvc will be applied each time boot into NookTab provided the current hour matches the hour set in start2ndihkvc.sh. Once the current hour no longer matches the hour set in the sh file, it will boot into the normal BN Nooktab environment.
NOTE: I purposefully modified the init.omap4430.rc file to replace the /system and /data from emmc to uSD, so that if someone is experimenting something, he doesn't corrupt the emmc easily as long as he doesn't become root user. HOWEVER with root access emmc can still get corrupted if one is not careful, because eMMC is still available and mounted.
tried but rebooted few times until factory reset kicked in
Hi,
ok. maybe a bit too optimistic, but I compiled ICS for pandaboard and put the system to sd card (partition 1 ext4 empty, partition 2 ext4 system with panda stuff, partition 3 data, partition 4 empty).
I hit adb reboot and the device booted a few times until it restored factory. Uff.
Is there a way without serial console to see what happens?
There's also small glitch in install.sh. It doesn't find init.rc in /system/2ndihkvc.
Rgds,
Chris
chrmhoffmann said:
Hi,
The device booted a few times until it restored factory. Uff.
If it's counting boots like the Nook Color you can stop it by running this (if the rom partition is mounted at /rom-- it's p2 on nc and I guess p5 on nt).
chrmhoffmann said:
Hi,
ok. maybe a bit too optimistic, but I compiled ICS for pandaboard and put the system to sd card (partition 1 ext4 empty, partition 2 ext4 system with panda stuff, partition 3 data, partition 4 empty).
I hit adb reboot and the device booted a few times until it restored factory. Uff.
Is there a way without serial console to see what happens?
There's also small glitch in install.sh. It doesn't find init.rc in /system/2ndihkvc.
Rgds,
Chris
Hi,
The missing init.rc is not a glitch, I purposefully left it out while packaging, so that one doesn't modify it drastically and botch up the boot. init.4430.rc is the only thing required to change the mount partitions.
Also if you are using my default start2ndihkvc.sh script, then it has a time check, so while experimenting if you have goofed up, just let the time you have set in this script pass by (i.e. don't power on), then it will automatically go back to the stock NT boot, thus avoiding the factory reset.
There's a lot of nifty tools that will automatically root my phone with pre-packaged system images (CF-Auto-Root et al). However, I'd prefer not to load my phone with firmwares from internet strangers. Also, I try to avoid apps whose code I can't see (e.g. SuperSu).
What I'd like to do is take the system preloaded on my Galaxy Note 4 by Samsung (or the recovery image) and modify it manually so that I have root access. As I understand it, this should be a fairly reproducible process. (Chainfire wrote somewhere that he has a script that automatically generates rooted images from vendor images as new versions are released.)
Please, help me do it manually. Assume I have some general Linux knowledge (your typical Ubuntu user), but no Android development skills.
bump
bump
You can't. You will have to use one of the SU binaries and SU packages. Other than that you will have to find an exploit in the base system and then code a whole new binary and app.
Yes he has a script, but that is only after years of working on the exploit for root.
Axure said:
There's a lot of nifty tools that will automatically root my phone with pre-packaged system images (CF-Auto-Root et al). However, I'd prefer not to load my phone with firmwares from internet strangers. Also, I try to avoid apps whose code I can't see (e.g. SuperSu).
What I'd like to do is take the system preloaded on my Galaxy Note 4 by Samsung (or the recovery image) and modify it manually so that I have root access. As I understand it, this should be a fairly reproducible process. (Chainfire wrote somewhere that he has a script that automatically generates rooted images from vendor images as new versions are released.)
Please, help me do it manually. Assume I have some general Linux knowledge (your typical Ubuntu user), but no Android development skills.
1º Download source code or unpack boot.img with unpackbootimg tool,
2º then unpack the ramdisk,
3º edit default.prop
Code:
ro.secure=0
ro.debuggable=1
persist.service.adb.enable=1
4º $ cd ramdisk
5º $ find . | cpio -o -H newc | gzip > ../newramdisk.cpio.gz
6º mkbootimg with the proper settings
7º ???
8º profit
[Q&A] [TOOL][UTILITY] Carliv Image Kitchen for Android - unpack/repack boot-recovery
Q&A for [TOOL][UTILITY] Carliv Image Kitchen for Android - unpack/repack boot-recovery
Some developers prefer that questions remain separate from their main development thread to help keep things organized. Placing your question within this thread will increase its chances of being answered by a member of the community or by the developer.
Before posting, please use the forum search and read through the discussion thread for [TOOL][UTILITY] Carliv Image Kitchen for Android - unpack/repack boot-recovery. If you can't find an answer, post it here, being sure to give as much information as possible (firmware version, steps to reproduce, logcat if available) so that you can get help.
Thanks for understanding and for helping to keep XDA neat and tidy!
This looks like a really great tool but I'm having troubles with it.
gzip: ../boot.img-ramdisk.gz: not in gzip format
cpio: premature end of archive
Your ramdisk archive is corrupt. Are you trying to unpack a MTK image with regular script?
If so, please use unpack_MTK_img script. ERROR!
>> Exit script
when I use MTK it says
Unpacking the ramdisk....
gzip: ../boot.img-ramdisk.gz: not in gzip format
cpio: premature end of archive
Your ramdisk archive is corrupt. Are you trying to unpack a regular image with MTK script?
If so, please use unpack_img script. ERROR!
>> Exit script
this is for the LG Optimus F3 Boot.img from Team Win 2.8.0.0
is there any way to extract this puppy?
Code:
Printing information for "boot.img"
Android image info utility by [email protected]
Header:
Magic : ANDROID!
Magic offset : 0x00000000
Page_size : 2048 (0x00000800)
Base address : 0x80200000
Kernel address : 0x80208000
Kernel size : 7602936 (0x007402f8)
Kernel offset : 0x00008000
Ramdisk address : 0x88f108f0
Ramdisk size : 2048 (0x00000800)
Ramdisk offset : 0x08d108f0
Second address : 0x81100000
Tags address : 0x80200100
Tags offset : 0x00000100
Cmdline : 'androidboot.hardware=fx3s user_debug=31 vmalloc=308M'
Id : 46c3c0e3d52bc3f86497ddd8f07eae74643c5f0e
Successfully printed all informations for boot.img
HappyRoms said:
This looks like a really great tool but I'm having troubles with it.
gzip: ../boot.img-ramdisk.gz: not in gzip format
cpio: premature end of archive
Your ramdisk archive is corrupt. Are you trying to unpack a MTK image with regular script?
If so, please use unpack_MTK_img script. ERROR!
>> Exit script
when I use MTK it says
Unpacking the ramdisk....
gzip: ../boot.img-ramdisk.gz: not in gzip format
cpio: premature end of archive
Your ramdisk archive is corrupt. Are you trying to unpack a regular image with MTK script?
If so, please use unpack_img script. ERROR!
>> Exit script
this is for the LG Optimus F3 Boot.img from Team Win 2.8.0.0
is there any way to extract this puppy?
Code:
Printing information for "boot.img"
Android image info utility by [email protected]
Header:
Magic : ANDROID!
Magic offset : 0x00000000
Page_size : 2048 (0x00000800)
Base address : 0x80200000
Kernel address : 0x80208000
Kernel size : 7602936 (0x007402f8)
Kernel offset : 0x00008000
Ramdisk address : 0x88f108f0
Ramdisk size : 2048 (0x00000800)
Ramdisk offset : 0x08d108f0
Second address : 0x81100000
Tags address : 0x80200100
Tags offset : 0x00000100
Cmdline : 'androidboot.hardware=fx3s user_debug=31 vmalloc=308M'
Id : 46c3c0e3d52bc3f86497ddd8f07eae74643c5f0e
Successfully printed all informations for boot.img
Can you attach that image here, to take a look? It sounds like there is no ramdisk in it. There are some phones that don't have ramdisks in boot images.
carliv said:
Can you attach that image here, to take a look? It sounds like there is no ramdisk in it. There are some phones that don't have ramdisks in boot images.
Sure thing, just remove .zip from the file name, had to do that as it only allows 8Mb img uploads
I'm trying to edit the boot so that I might be able to make the external SD into the data drive, is this even possible or am I wasting my time?
Thanks!
HappyRoms said:
Sure thing, just remove .zip from the file name, had to do that as it only allows 8Mb img uploads
I'm trying to edit the boot so that I might be able to make the external SD into the data drive, is this even possible or am I wasting my time?
Thanks!
Ok, I see... Your image is "lokified". In order to use my tool you need to "de-lokify" it first, then after modding you need to "re-lokify" it back. Some infos here and here. It may be many other infos but I didn't have time to do a full search; you have to do it for yourself.
Some LG and Samsung devices have that "Loki" thing and you need to deal with it. Maybe when I'll have a phone like that I'll make an automated process for it, but now I haven't and I can't work "in blind".
I don't know what to say about your last question... I'm not even sure what you're talking about.
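The header dump and the "not in gzip format" error in this exchange can be reproduced by reading the Android boot image header directly. The following is an added example, not part of Carliv Image Kitchen or of any post here: it parses a v0 header, locates the ramdisk, and flags the symptoms seen above. The two images are constructed samples, the one-page-ramdisk rule is a heuristic, and the "LOKI" marker at offset 0x400 is an assumption based on the public loki_tool source, not something stated in the thread.

```python
# Added example: parse an Android boot image (v0 header) and flag a ramdisk
# that an unpack script could not gunzip. All names here are hypothetical.
import gzip
import struct

BOOT_MAGIC = b"ANDROID!"
# magic[8], ten little-endian u32 fields, name[16], cmdline[512], id[32]
HDR = struct.Struct("<8s10I16s512s32s")
FIELDS = ("kernel_size", "kernel_addr", "ramdisk_size", "ramdisk_addr",
          "second_size", "second_addr", "tags_addr", "page_size")
COMPRESSION_MAGICS = {
    b"\x1f\x8b": "gzip",
    b"\xfd7zXZ\x00": "xz",
    b"BZh": "bzip2",
    b"\x02\x21\x4c\x18": "lz4-legacy",
}
LOKI_OFFSET = 0x400  # assumption: where loki_tool writes its "LOKI" marker


def _pages(size, page):
    """Number of whole pages needed to hold `size` bytes."""
    return (size + page - 1) // page


def parse_boot_img(data):
    """Return header fields, computed layout and a list of findings."""
    if len(data) < HDR.size or not data.startswith(BOOT_MAGIC):
        raise ValueError("not an Android boot image (bad magic or truncated)")
    raw = HDR.unpack_from(data)
    info = dict(zip(FIELDS, raw[1:9]))
    info["cmdline"] = raw[12].split(b"\0", 1)[0].decode("ascii", "replace")
    page = info["page_size"]
    if page == 0 or page & (page - 1):
        raise ValueError("page size is not a power of two: %d" % page)

    # Layout: header page, then kernel, ramdisk, second stage, each page-padded.
    info["kernel_offset"] = page
    info["ramdisk_offset"] = page * (1 + _pages(info["kernel_size"], page))
    start = info["ramdisk_offset"]
    ramdisk = data[start:start + info["ramdisk_size"]]

    findings = []
    if len(ramdisk) < info["ramdisk_size"]:
        findings.append("image is truncated before the end of the ramdisk")
    info["ramdisk_format"] = next(
        (name for magic, name in COMPRESSION_MAGICS.items()
         if ramdisk.startswith(magic)), None)
    if info["ramdisk_format"] is None:
        findings.append("ramdisk does not start with a known compression magic")
    if info["ramdisk_size"] <= page:
        findings.append("ramdisk is at most one page long (heuristic)")
    if data[LOKI_OFFSET:LOKI_OFFSET + 4] == b"LOKI":
        findings.append("'LOKI' marker at 0x400: image looks lokified")
    info["findings"] = findings
    return info


def build_image(kernel, ramdisk, page=2048, ramdisk_addr=0x81000000, loki=False):
    """Build a constructed v0 image; load addresses mirror the posted dump."""
    hdr = HDR.pack(BOOT_MAGIC, len(kernel), 0x80208000, len(ramdisk),
                   ramdisk_addr, 0, 0x81100000, 0x80200100, page, 0, 0,
                   b"", b"androidboot.hardware=fx3s", b"")

    def pad(blob):
        return blob + b"\0" * (-len(blob) % page)

    img = bytearray(pad(hdr) + pad(kernel) + pad(ramdisk))
    if loki:
        img[LOKI_OFFSET:LOKI_OFFSET + 4] = b"LOKI"
    return bytes(img)


# Constructed sample 1: ordinary image with a (stored, level 0) gzip ramdisk.
CLEAN = build_image(b"K" * 5000,
                    gzip.compress(b"constructed ramdisk" * 300, compresslevel=0))
# Constructed sample 2: mimics the posted header (ramdisk size 2048, address
# 0x88f108f0) with non-gzip ramdisk bytes and the assumed marker.
LOKI_LIKE = build_image(b"K" * 5000, b"\xde\xad" * 1024,
                        ramdisk_addr=0x88f108f0, loki=True)

if __name__ == "__main__":
    for label, image in (("clean", CLEAN), ("loki-like", LOKI_LIKE)):
        result = parse_boot_img(image)
        print(label, hex(result["ramdisk_offset"]), result["ramdisk_format"])
        for finding in result["findings"]:
            print("  -", finding)
```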
carliv said:
Ok, I see... Your image is "lokified". In order to use my tool you need to "de-lokify" it first, then after modding you need to "re-lokify" it back. Some infos here and here. It may be many other infos but I didn't have time to do a full search; you have to do it for yourself.
Some LG and Samsung devices have that "Loki" thing and you need to deal with it. Maybe when I'll have a phone like that I'll make an automated process for it, but now I haven't and I can't work "in blind".
I don't know what to say about your last question... I'm not even sure what you're talking about.
Awesome, thanks!
basically, the LG Optimus F3 comes with too little memory built in, there's a program that mounts an external SD's second partition as a data folder, but even still it runs out of internal memory or won't install apps larger than the internal memory because the "System" partition still has little room.
so the goal was to edit the boot so it will boot using an external SD directly as the system drive, it would read it's maximum memory available as whatever the external SD's maximum is.
this would solve the problem, if it works, if not then it'll probably just brick the phone :good:
I just wanted to update and say thanks. This helped out great! I was able to successfully boot /data from my external SD card as desired, however, my card is only a class 2 so it won't be a good idea until I upgrade it to a class 10.
The LG Optimus F3 comes with very little internal storage, which was giving me a headache, so I wanted to make the phone boot using an external SD as the /data partition.
After following your tip, I unloki'd the boot image and used your Carliv Image Kitchen to extract the contents, edited the fstab and edited out the original code: "/dev/block/platform/msm_sdcc.1/by-name/userdata /data", telling it to mount /data on /dev/block/mmcblk1p2 instead.
After repacking, re-loking and flashing the .img it had some problems: for some reason it was just booting to a black screen. So I used dd from the Team Win terminal to copy /dev/block/platform/msm_sdcc.1/by-name/userdata over to /dev/block/mmcblk1p2, and it worked!
Being a class 2, it booted slowly and responded slowly, but it works nonetheless.
To be sure there was no problem with partition size, since I used dd to mirror userdata over to the SD card, I ran gparted in Linux and resized the partition smaller, then larger to full size (just in case).
Thanks for your wonderful tool and for pointing me in the right direction.
help sir carliv please
I was trying to install cm12 using carliv touch recovery 3.3 for kit kat on my alcatel pop d3 but it failed; now my phone is stuck and won't turn on.
What version of cm can that recovery install??????
DONTEGO said:
I was trying to install cm12 using carliv touch recovery 3.3 for kit kat on my alcatel pop d3 but it failed; now my phone is stuck and won't turn on.
What version of cm can that recovery install??????
The answer is already in your question:
I was trying to install cm12 using carliv touch recovery 3.3 for kit kat....
As I already posted in recovery's thread, it will work with kitkat kernels. Some people port it to lollipop but I never recommended that.
So to answer clearly: cm11, because cm12 means lollipop; or it will work with any other kitkat based ROM if your phone has any kitkat kernel released.
You need to ask the one who released that cm12 for your phone to provide a matching recovery along with it.
Now you probably need to reflash the phone with SPFlashTools.
Ok, thanks a whole lot, but I'm having another issue: the SD card is now only readable by my phone. How do I go about copying a ROM to it? Whenever I plug it into the PC it doesn't come up.
DONTEGO said:
Ok, thanks a whole lot, but I'm having another issue: the SD card is now only readable by my phone. How do I go about copying a ROM to it? Whenever I plug it into the PC it doesn't come up.
I'm trying to install Mystic_OS_v4DL750.zip. Does it require a gapps package?
Can someone port me a recovery for xolo era 4g
Sent from my Hacked_Era_4G using Tapatalk
Is it able to unpack stock recovery?
---------- Post added at 03:25 AM ---------- Previous post was at 03:23 AM ----------
Raakib Zargar said:
Can someone port me a recovery for xolo era 4g
Sent from my Hacked_Era_4G using Tapatalk
Which chipset?
Hi there... I would like to ask if this tool works for Helio x20 CPUs... (Mt6797 - Leagoo T10) because I'm trying to extract the stock recovery but having trouble with the ramdisk... It says "compression used unknown..." I've seen it mentioned in the discussion a few times, but the explanation was to use the 1. method ??? I'm using the Windows 1.1 version and I really don't see any other method to use (start bat, r, 1 recovery.img, , 1 unpack image, error....) I'm just installing Ubuntu to see the difference but would be grateful for some advice... Thanks.
Since the main Carliv Image Kitchen thread was closed in 2017, all the util builds have been lost for some unknown reason. The dev said he had personal problems and advised users to help each other.
I've found the latest official version 1.3 builds and am publishing them here for practical and historic reasons. This util is mentioned in various manuals, so people will be looking for it for a long time. The old Linux modded version by yuweng is also added for completeness.
View attachment CarlivImageKitchen_Windows_v1.3.zip
View attachment CarlivImageKitchen_Windows_x64_v1.3.zip
View attachment CarlivImageKitchen-Linux_v1.3.zip
View attachment CarlivImageKitchen-Linux_x64_v1.3.zip
View attachment CarlivImageKitchen-Linux-DnD-yuweng.zip
Furthermore, user FOV5 at the 4pda.ru forums has modded the latest 1.3 version a few times, so I am publishing here his latest modded version, 1.5B3 (12-Jan-2018).
Changes history:
- v1.4: Support for some non-standard kernel images (e.g. LibreELEC and similar).
- v1.5B1:
  - Removed 'Boot' and 'Recovery' prefixes from file names while unpacking Boot/Recovery images. This makes it easy to compare whole Boot and Recovery folders after unpacking.
  - Added optional experimental AmLogic core unpacking. This could be helpful to patch the storage media layout when the device partition is built into the core.
- v1.5B2: Fixed 32-bit app crash after core unpacking. A few other small non-critical fixes.
- v1.5B3:
  - New: while core splitting, parameters like Name, Load Address and Entry Point are preserved.
  - Fixed: the new app will try to pack the core only when all 4 kernel parts are found in the unpacking folder. If the core unpacking process somehow failed, one or more kernel.* files will be missing, so the repack process will use the original core instead of trying to assemble a broken one.
View attachment CarlivImageKitchen_Windows_v1.5B3.7z
If you have any questions related to this modded app version, look for user FOV5 at the 4pda.ru forums and ask him (I don't know whether he speaks any languages except Russian; online translators are available anyway. There is also a Russian numeric captcha problem for non-Russian speakers when logging in to those forums, sorry guys). I do not often use this app and only occasionally visit XDA, so I can't support this product in a professional manner. Help each other guys!
What is the Touchpad Toolbox?
https://forum.xda-developers.com/showthread.php?t=2756314
A set of Scripts (programs) that allows you to:
Easily manage LVM, one of the greatest features of the TP.
https://wiki.archlinux.org/index.php/LVM
Create Android or WebOS volumes, or do a total reset.
Make a fresh /boot directory installation, adding moboot.
Reflash the battery Firmware
Install specific, older versions of recovery and ROM.
How is it done?
https://webos-internals.org/wiki/Angstrom_on_Touchpad
A small Linux OS is built into an img (ext2) file system and is loaded into memory as a RAMDisk.
Angstrom v2015.01
Built from branch: master
Revision: 038d832
Target system: arm-angstrom-linux-gnueabi
This information is from the file angstrom-version located in the /etc folder of the RAMDisk.
Following these instructions will unpack the RAMDisk and Kernel, which can then be repacked as with any Android system.
All this is done on a Linux Ubuntu 18.04 x64 system. If you have any other OS you can install Linux as a virtual machine.
1. Create a directory
hptoolbox
2. Unzip TPToolbox-2015-01-08-v42.zip to the directory hptoolbox (http://downloads.codefi.re/jcsullins/cmtouchpad/tptoolbox/TPToolbox-2015-01-08-v42.zip)
3. Open a terminal in the hptoolbox directory and paste the following commands.
Code:
dumpimage -i TPToolbox-2015-01-08-v42.bin uImage.kernel
dumpimage -i TPToolbox-2015-01-08-v42.bin -p 1 RAMDisk_Compress
dd if=RAMDisk_Compress of=RAMDisk.xz bs=64 skip=1
xz -d RAMDisk.xz
## The RAMDisk which is 67.1MB is a Linux rev 0.0 ext2 filesystem data img file.
4. Create a loop disk to have read and write access to the RAMDisk
Code:
sudo udisksctl loop-setup -f RAMDisk
## Mapped file RAMDisk as /dev/loop16 (this is only on my system and it will be different on others)
5. Mount the 67 MB Loop Device; it can easily be done using Disks
6. Open your file manager as sudo (on my system it is nautilus; it can be different on other Linux systems)
Code:
[email protected]:~$ sudo nautilus
[sudo] password for ubuntu:
7. The settings for the ToolBox are in /usr/tptoolbox.
You have complete control on all the files, but read what each script says on top:
Code:
# This script is Copyright (c) 2014 James Sullins, All rights reserved.
# James (JC) Sullins, aka jcsullins
# No modifications or distribution without permission
To repack the Kernel and RAMDisk
1. Unmount the RAMDisk img and detach the loop device
2. Open a terminal in the hptoolbox directory and paste the following commands.
Code:
mkimage -A arm -T ramdisk -C none -n RAMDisk -d RAMDisk uImage.RAMDisk
mkimage -A arm -T multi -C none -n "Tenderloin ToolBOX Modified" -d uImage.kernel:uImage.RAMDisk uImage.ToolBox_Modified
On my system I cannot make the RAMDisk using xz compression, but it works uncompressed; it is just a 70MB file.
If the RAMDisk is compressed using (( xz -9 RAMDisk )) then the file size will be the same as the original, but it will not be recognized by the kernel at boot.
3. To load using the novacom driver:
Code:
novacom boot mem:// <uImage.ToolBox_Modified
Many thanks to jcsullins for creating the ToolBox, which allowed many users to easily transition to Android from WebOS and gave new life to a device that could have been in landfills many years ago. In my opinion this has been the greatest Tool for the TP, and finding out how it works made it even more amazing!
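An added example, not part of the post above and not code from TPToolbox or U-Boot: a parser for the legacy uImage container that `dumpimage`, `dd bs=64 skip=1` and `mkimage -T multi` operate on in these steps. It checks the header and data CRC32 of the outer image and of each component, which is worth doing before loading a repacked image with novacom; it assumes the components are themselves uImages (as the repack command implies), and the sample bytes are constructed.

```python
import struct
import zlib

HDR = struct.Struct(">7I4B32s")  # legacy uImage header: 64 bytes, big-endian
MAGIC = 0x27051956
TYPE_KERNEL, TYPE_RAMDISK, TYPE_MULTI = 2, 3, 4  # U-Boot IH_TYPE_* values

def build(img_type, name, data):
    """Builder for the constructed sample (like mkimage -A arm -C none)."""
    f = [MAGIC, 0, 0, len(data), 0, 0, zlib.crc32(data), 5, 2, img_type, 0, name.encode()]
    f[1] = zlib.crc32(HDR.pack(*f))  # header CRC is taken with its own field zeroed
    return HDR.pack(*f) + data

def parse(blob):
    """Check magic, header CRC and data CRC; return (type, name, payload)."""
    if len(blob) < HDR.size:
        raise ValueError("shorter than a uImage header")
    magic, hcrc, _, size, _, _, dcrc, _, _, typ, _, name = HDR.unpack_from(blob)
    if magic != MAGIC:
        raise ValueError("bad magic")
    if zlib.crc32(blob[:4] + b"\0" * 4 + blob[8:HDR.size]) != hcrc:
        raise ValueError("header CRC mismatch")
    payload = blob[HDR.size:HDR.size + size]
    if len(payload) != size or zlib.crc32(payload) != dcrc:
        raise ValueError("payload truncated or data CRC mismatch")
    return typ, name.rstrip(b"\0").decode("ascii", "replace"), payload

def split_multi(payload):
    """Multi payload = BE uint32 sizes ending in 0, then 4-byte-aligned parts."""
    sizes, off = [], 0
    while True:
        if off + 4 > len(payload):
            raise ValueError("unterminated size table")
        (n,) = struct.unpack_from(">I", payload, off)
        off += 4
        if n == 0:
            break
        sizes.append(n)
    parts = []
    for n in sizes:
        if off + n > len(payload):
            raise ValueError("component overruns the image")
        parts.append(payload[off:off + n])
        off += (n + 3) & ~3  # next component starts on a 4-byte boundary
    return parts

def pack_multi(parts):
    """Inverse of split_multi, used only to build the sample."""
    table = b"".join(struct.pack(">I", len(p)) for p in parts) + b"\0" * 4
    return table + b"".join(p + b"\0" * (-len(p) % 4) for p in parts[:-1]) + parts[-1]

# Constructed stand-ins, not the real TPToolbox contents.
KERNEL = build(TYPE_KERNEL, "kernel", b"K" * 10)
RAMDISK = build(TYPE_RAMDISK, "RAMDisk", b"\xfd7zXZ\x00 constructed stub")
SAMPLE = build(TYPE_MULTI, "Tenderloin ToolBOX Modified", pack_multi([KERNEL, RAMDISK]))

if __name__ == "__main__":
    typ, name, payload = parse(SAMPLE)
    for part in split_multi(payload):
        t, n, body = parse(part)  # each component is itself a uImage
        print(f"type={t} name={n!r} payload={len(body)} bytes after the 64-byte header")
```

The CRC32 fields only detect corruption or a bad repack; they are not a signature, so a passing check says nothing about who built the image.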
HP_TOUCHPAD said:
What is the Touchpad Toolbox?
--SNIP--
You've done a great job figuring that out HP_TOUCHPAD! As a result, if Sullins agreed (assuming he would even answer the request), the TPToolbox could be modified fairly easily to handle the latest ROMS, GAPPS, and RECOVERIES. For example, it turns out that there is an unused parameter that would allow TPToolbox to install the zipfiles without any checks. Additionally, it is simple to bypass having to install a GAPPS with the ROM, or to keep all checks but the one that checks for a compatible GAPPS.
shumash said:
You've done a great job figuring that out HP_TOUCHPAD! As a result, if Sullins agreed (assuming he would even answer the request), the TPToolbox could be modified fairly easily to handle the latest ROMS, GAPPS, and RECOVERIES. For example, it turns out that there is an unused parameter that would allow TPToolbox to install the zipfiles without any checks. Additionally, it is simple to bypass having to install a GAPPS with the ROM, or to keep all checks but the one that checks for a compatible GAPPS.
Thank you, and yes, the ToolBox can be modified very easily, but only if JSullins agreed.
But there is only one section that needs to be modified to update the toolbox and make it compatible with all ROMS now and forever. In my opinion there is no need for the Toolbox to install any ROMS, as that is the work of TWRP to do and it does it well.
This is the only modification that needs to be done to update the toolbox and make it useful forever!
In the folder toolbox/bin/make_boot (open the script)
add the following under this line : (do_run cp /usr/tptoolbox/data/moboot /mnt/boot/uImage.moboot)
Code:
do_run cp /usr/tptoolbox/data/uImage.TWRP /mnt/boot/uImage.TWRP
do_run cp /usr/tptoolbox/data/android.default.recovery /mnt/boot/android.default.recovery
do_run cp /usr/tptoolbox/data/moboot.default /mnt/boot/moboot.default
do_run cp /usr/tptoolbox/data/uImage.ToolBOX /mnt/boot/uImage.ToolBOX
copy the files to /usr/tptoolbox/data/
uImage.TWRP
android.default.recovery
moboot.default
uImage.ToolBOX (this is the toolbox.bin, renamed to be loadable from the moboot menu).
save the script.
I do not need to tell you "the Linux Guru" what is going on, but just for the record.
When recreating the boot it will install TWRP into boot and also the ToolBOX.
Reboot and now you have TWRP and also the ToolBOX in the moboot menu and you can install any ROM using TWRP.
This will make it super easy for all users to start fresh!
Complete reset (it will install TWRP, recovery by default) nothing extra for the user to do!
Reflash battery firmware
Resize Android volumes
Reboot and install ROM
I do not think it can be any easier for anyone than this and the change is minimal!
HP_TOUCHPAD said:
Thank you, and yes the ToolBox can be modified very easily only if JSullins agreed.
But there is only one section that needs to be modified to update the toolbox and make compatible with all ROMS now and forever. In my opinion there is no need for the Toolbox to install any ROMS as that is the work of TWRP to do and it does it well.
--SNIP--
I do not think it can be any easier for anyone than this and the change is minimal!
I like what you're suggesting, but it's not that easy. I think you're creating a different application. The python scripts need to be modified to remove the "Install Android" option. Making users decide how to (re)install non-datamedia (DM) or DM ROMS by themselves was one of the things HPToolbox solved. I think that a better way is just to prevent all the checks that are done for three zips, gapp/rom compatibility, etc. and let users install the gapps themselves, although I can see a way to expand the allowable gapps dictionary to include the latest versions.
Additionally, unless you resize /boot (which is fixed in one of the python scripts and may require lots of other changes), users who want to retain WebOS (there may be one or two left.) won't be able to install Android because there won't be enough room having uImage.TPToolbox there.
shumash said:
I like what you're suggesting, but it's not that easy. I think you're creating a different application.
There are no changes to the menu; it is only adding uImage.TWRP to be copied to boot.
In the Toolbox MAIN MENU
The option: Complete Data Reset
Call the script: toolbox/bin/make_boot
It will completely erase and format boot then copy files located in (/usr/tptoolbox/data/) over to /boot
It is part of the toolbox option and how it works. Nothing needs to be added or the main script modified.
By adding this code to the existing (toolbox/bin/make_boot) script
Code:
do_run cp /usr/tptoolbox/data/uImage.TWRP /mnt/boot/uImage.TWRP
do_run cp /usr/tptoolbox/data/android.default.recovery /mnt/boot/android.default.recovery
do_run cp /usr/tptoolbox/data/moboot.default /mnt/boot/moboot.default
And copy those files to (/usr/tptoolbox/data/).
When the user selects the option in the MENU to Complete Data Reset, it will do as always; the only difference is that it will install TWRP automatically, which in my opinion needs to be there to install and back up.
The python scripts need to be modified to remove the "Install Android" option. Making users decide how to (re)install non-datamedia (DM) or DM ROMS by themselves was one of the things HPToolbox solved.
The Install Android option can be there as is and do as you are suggesting, which is to remove the limitation and be able to install any recovery or gapps.
I think that a better way is just to prevent all the checks that are done for three zips, gapp/rom compatibility, etc. and let users install the gapps themselves, although I can see a way to expand the allowable gapps dictionary to include the latest versions.
Yes, that is perfect and the way it should have been from the beginning, to allow installation of any ROM. There is nothing malicious that anybody can do to brick the device. Reloading the toolbox (novacom boot mem:// < uImage.Toolbox) will recreate everything even if /boot is destroyed.
Additionally, unless you resize /boot (which is fixed in one of the python scripts and may require lots of other changes), users who want to retain WebOS (there may be one or two left.) won't be able to install Android because there won't be enough room having uImage.TPToolbox there.
Correct: if the uImage.Toolbox (11 MB) file is copied to boot along with TWRP, there will be 8 MB left for one uImage boot file; only one OS will be able to boot.
That could be an option and it does not need to be copied to boot, but it could make it easier for "Android only users" to have it handy, and no PC will be required to load it again.
Here is another simple quick modification to avoid confusion and make it easier.
When you select Install Android, the USB media is mounted and a directory /ttinstall is created. At the same time the directory is created, a shortcut (link) can be placed to a landing web page from which all ROMs and Recoveries can be downloaded, so the user can click and download the correct Recovery, ROM and gapps.
Make it super easy and avoid confusion about what to install and where to get it from. It could be a landing page anywhere that can be updated.
This is another issue to think about. To load any uImage to fix a problematic TP, a PC is needed with novacom drivers installed.
This is the command that will fix any TP:
novacom boot mem:// <
If novacom is not installed on the user's PC or is not working properly, nothing can be done.
Idea.
Create a basic Linux OS, bare minimum, that will run anywhere. Have novacom installed and the toolbox in it, with a basic browser to get the files.
The Linux OS can be distributed as a Live CD (.iso) that can be booted on any PC. This will guarantee that the novacom driver will work and load the toolbox or any other uImage into the TP.
I made my own live CD of Ubuntu 18.04 (it is a 2GB file) that has everything set up, can do any kind of work on the TP, and can be used on any PC.
HP_TOUCHPAD said:
__SNIP__
All good ideas, but this is much easier.
shumash said:
All good ideas, but this is much easier.
Crazy complicated!
Take a very close look at the steps.
" 1) complete data reset"
Before this happens the novacom driver needs to be installed. It used to be an easy one to do, but with a new OS, Windows or Linux, it can get complicated. Nothing can be done unless this driver is properly installed and the environment is properly set up to load the uImage. This can easily create errors and frustration and not a successful install.
The universal Java installer used to work, but not any more. It would be great to have a portable novacom driver, but I do not know if it is even possible for that to load and work in different OSes.
But anyway, the first step is to load the Toolbox to do a complete data reset.
Well, if the toolbox is modified, once the complete data reset is done uImage.TWRP will already be copied into boot.
The only thing you have to do is reboot the device, select TWRP and do the installation as usual.
No more steps needed, and nothing else to download or install.
One step and done!
But now you need to run:
TWRP_TmpLoad_v03_win.bat
Then install TWRP, because it is only temporarily loaded in memory.
What it does is loading uImage.TWRP using:
novacom boot mem:// <uImage.TWRP
The same way the Toolbox gets loaded in the first place.
If the Toolbox restriction gets removed then it will install TWRP, and then reboot.
Like I said, the magic command is:
novacom boot mem://
Any boot uImage can be loaded that way, but the only thing that will reset everything is the Toolbox.