Related
Hi there!
Currently I am trying to extract and modify a boot.img from my car stereo (to set ro.secure=0 in default.prop - its a AV7) from MIC. ( http://www.shop.mic-deutschland.de/shop/article_W005/AV7.html?shop_param=cid=6&aid=W005& )
I did my exercises by studying the specs of a normal boot.img and learned that there should be a 2k header, followed by the gzipped kernel. I should be able to identify the kernel starting after those 2k of header and ending with some zeros finished with 1F 8B. The rest should be the ramdisk, gzipped and cpioed.
So far the theory - but apparently, I am not able to extract the kernel. I also tried some different scripts floating around - none of them ended up with an extractable kernel.
Example:
/unpackbootimg -i ../boot.img -o .
BOARD_KERNEL_CMDLINE
BOARD_KERNEL_BASE e3e0ff00
BOARD_PAGE_SIZE 1768697202
-> Kernel size 0, pretty everything ends up in the ramdisk which is NOT a gzip file.
This is the boot.img: http://ul.to/ivggomon
So you see me pretty clueless at the moment - any suggestion is highly appreciated!
Noone any idea?
unmkbootimg output:
Code:
unmkbootimg version 1.2 - Mikael Q Kuisma <[email protected]>
File ../boot.img not a plain boot image, seeking for embedded image ... not found.
boot_info (from bootimg_Toolset):
.
Code:
/boot_info ../boot.img
Android Magic not found in ../boot.img. Giving up.
The hread may be deleted. It was a uImage multi file with a gzipped cpio in it...
It seems that the boot.img images for Redmi Note 2 are being built/assembled using a custom (i.e., non-standard) version of mkbootimg, using non-standard offsets for the kernel and the ramdisk. I have tested this theory with boot.img from different ROMs, and all seem to suffer from the same fate. I have tried several tools and versions of mkbootimg (including abootimg, mktimg, and umkbootimg). Most can decompress the boot images, but none can assemble a boot image that will not brick the phone.
Does anyone have a copy of the mkbootimg (binary or source) that is being used to build these boot images?
Thanks.
PS: my goal is to build in support for running stuff from /etc/init.d/ during bootup (involves editing init.rc).
No worries, I've sorted it out. Can you please close this thread? Thanks.
use carliv image kitchen search in the forum or google it but use decompile or repack for normal android not mtk in the CMD menu as mt6795 uses different compressing method
type thanks please!
DarthJabba9 said:
No worries, I've sorted it out. Can you please close this thread? Thanks.
Click to expand...
Click to collapse
It would be nice and useful for other people if you explain how you've sorted it out.
gnazio said:
It would be nice and useful for other people if you explain how you've sorted it out.
Click to expand...
Click to collapse
I'm not sure anyone wants to hear about my trials and tribulations - but it involved downloading and testing all sorts of versions of mkbootimg (binaries, and sources) and other tools, patching mkbootimg sources, downloading Xiaomi Android sources from SudaMod and nofearnohappy github repositories, and studying all the arguments given to mkbootimg in the make files, bricking the phone about 30 times, etc. Eventually, I ended up with a combination of tools (from different sources) and mkbootimg arguments that did the job. I now have init.d support built into my boot image.
I have kept all the relevant tools in a folder for future reference. I'm not sure I'm allowed to distribute them here, or even that I would encourage anyone to try them, because the risk of bricking the phone is very high if something goes wrong (and it is very easy for something to go wrong with what you change in the decompressed ramdisk). For the curious, these were the right arguments (at least, for the boot image that I used - from Deer Stable 7.0.12.0) :
Code:
mkbootimg --kernel boot.img-kernel.img --ramdisk ramdisk.gz \
--base 0x40078000 \
--pagesize 2048 \
--kernel_offset 0x00008000 \
--ramdisk_offset 0x03f88000 \
--second_offset 0x00e88000 \
--tags_offset 0x0df88000 \
--board V7.0.12.0.LHMMI \
--cmdline bootopt=64S3,32N2,64N2 \
--output new_boot.img
I used Superr's kitchen v1.0.0.4 and it worked.
I am following this tutorial on my desire 610: http://http://whiteboard.ping.se/Android/Debian
All has gone well so far, the system works in chroot, etc etc etc, thats not the problem. My problem is that i cant seem to pack a boot image that works for the phone. I know the problem is with my boot image, because if the init script had been initalised, I had a line at the start which would start a log file, and the system would bootloop. Instead it takes me to the fastboot menu when i power on.
I have used the tool to unpack the boot image, found at http://whiteboard.ping.se/Android/Unmkbootimg , and its output was this:
Code:
unmkbootimg version 1.2 - Mikael Q Kuisma <[email protected]>
Kernel size 6004624
Kernel address 0x8000
Ramdisk size 1017204
Ramdisk address 0x2008000
Secondary size 0
Secondary address 0xf00000
Kernel tags address 0x1e00000
Flash page size 2048
Board name is ""
Command line "console=ttyHSL0,115200,n8 androidboot.hardware=qcom user_debug=31 ehci-hcd.park=3"
*** WARNING ****
This image is built using NON-standard mkbootimg!
OFF_KERNEL_ADDR is 0xFE208100
OFF_RAMDISK_ADDR is 0x00208100
OFF_SECOND_ADDR is 0xFF100100
Please modify mkbootimg.c using the above values to build your image.
****************
Extracting kernel to file zImage ...
Extracting root filesystem to file initramfs.cpio.gz ...
All done.
---------------
To recompile this image, use:
mkbootimg --kernel zImage --ramdisk initramfs.cpio.gz --base 0x1dfff00 --cmdline 'console=ttyHSL0,115200,n8 androidboot.hardware=qcom user_debug=31 ehci-hcd.park=3' -o new_boot.img
---------------
I have tried doing as it says and compiling mkbootimg with those settings, however it still does not work. Could anyone possibly see what im doing wrong? And if not, does anyone have a copy of mkbootimg that works for the Desire 610?
Thanks in advance
falseascension said:
I am following this tutorial on my desire 610: http://http://whiteboard.ping.se/Android/Debian
All has gone well so far, the system works in chroot, etc etc etc, thats not the problem. My problem is that i cant seem to pack a boot image that works for the phone. I know the problem is with my boot image, because if the init script had been initalised, I had a line at the start which would start a log file, and the system would bootloop. Instead it takes me to the fastboot menu when i power on.
I have used the tool to unpack the boot image, found at http://whiteboard.ping.se/Android/Unmkbootimg , and its output was this:
Code:
unmkbootimg version 1.2 - Mikael Q Kuisma <[email protected]>
Kernel size 6004624
Kernel address 0x8000
Ramdisk size 1017204
Ramdisk address 0x2008000
Secondary size 0
Secondary address 0xf00000
Kernel tags address 0x1e00000
Flash page size 2048
Board name is ""
Command line "console=ttyHSL0,115200,n8 androidboot.hardware=qcom user_debug=31 ehci-hcd.park=3"
*** WARNING ****
This image is built using NON-standard mkbootimg!
OFF_KERNEL_ADDR is 0xFE208100
OFF_RAMDISK_ADDR is 0x00208100
OFF_SECOND_ADDR is 0xFF100100
Please modify mkbootimg.c using the above values to build your image.
****************
Extracting kernel to file zImage ...
Extracting root filesystem to file initramfs.cpio.gz ...
All done.
---------------
To recompile this image, use:
mkbootimg --kernel zImage --ramdisk initramfs.cpio.gz --base 0x1dfff00 --cmdline 'console=ttyHSL0,115200,n8 androidboot.hardware=qcom user_debug=31 ehci-hcd.park=3' -o new_boot.img
---------------
I have tried doing as it says and compiling mkbootimg with those settings, however it still does not work. Could anyone possibly see what im doing wrong? And if not, does anyone have a copy of mkbootimg that works for the Desire 610?
Thanks in advance
Click to expand...
Click to collapse
I just use Blobtools and linux's standard abootimg. I'll find some links and do a quick Howto when I get home tonight.
MiniBlu
MiniBlu said:
I just use Blobtools and linux's standard abootimg. I'll find some links and do a quick Howto when I get home tonight.
MiniBlu
Click to expand...
Click to collapse
Cheers! looking forward to getting this thing actually working
Aha! Using abootimg made it work. Wish i knew about that earlier...
There's still a few errors though, need to fix that. Thanks for your help, you literally saved probably hours and hours more work if I hadnt known about this. Much appreciated
Recently purchased an iplay 7t after reading the xda review. This is replacing an LG v400 tablet that I had rooted. I updated the iplay to build T701_V1.20_20191112, enabled developer options, enabled oem unlock bootloader, found the corresponding firmware pac, installed magisk and used it to patch boot.img. So far so good.
I entered fastboot, then I attempted to flash the modified boot.img and was told:
Code:
target didn't report max-download-size
sending 'boot' (18584 KB)...
OKAY [ 0.593s]
writing 'boot'...
FAILED (remote: Flashing Lock Flag is locked. Please unlock it first!)
finished. total time: 0.608s
I tried various options to unlock the bootloader:
Code:
> fastboot getvar unlocked
unlocked:
finished. total time: -0.000s
> fastboot oem unlock
...
FAILED (remote: unknown cmd.)
finished. total time: -0.000s
> fastboot oem unlock-go
...
FAILED (remote: unknown cmd.)
finished. total time: 0.002s
> fastboot flashing get_unlock_ability
...
FAILED (remote: Not implement.)
finished. total time: -0.000s
> fastboot flashing unlock
...
FAILED (remote: Not implemet.)
finished. total time: -0.000s
> fastboot flashing unlock_critical
...
FAILED (remote: Not implement.)
finished. total time: 0.016s
> fastboot flashing unlock_bootloader
fastboot: usage: unknown 'flashing' command unlock_bootloader
> fastboot flashing unlock_bootloader_nonce
fastboot: usage: unknown 'flashing' command unlock_bootloader_nonce
Okay ... fine. I fired up SPD Research tool and attempted to use it to flash the modified boot.img. It transfers the image and then times out.
As a sanity check I used SPD Research tool to flash the original boot.img and that worked fine.
I'll note the modified image is smaller than the original, however padding the modified image with zeros to the same size didn't seem to help. Using SPD Research tool to flash the padded image still timed out.
I am looking to open a request up on the Alldocube support site (currently their registration form is giving me an error), in the meantime ... suggestions? Has anyone successfully flashed a modified boot.img on this device / rooted this device?
in the "developer option" on your phone, you should enable the "allow unlock bootloader" option.
DR.Doyle said:
in the "developer option" on your phone, you should enable the "allow unlock bootloader" option.
Click to expand...
Click to collapse
Yes ... I have that enabled.
Okay I was able to unlock the bootloader by using the procedure documented for the Qin 2 Pro. With the bootloader unlocked on reboot the device notes:
Code:
INFO: LOCK FLAG IS : UNLOCKED!!!
followed by:
Code:
WARNING: LOCK FLAG IS : UNLOCKED, SKIP VERIFY!!!
Using fastboot I can now reflash the stock vbmeta and the stock recovery without any problems and the stock recovery boots fine.
Also if I re-sign the stock recovery, then I can't flash it (fastboot flash hangs) until I've flashed a modified vbmeta containing the new public key for the re-signed recovery. Meaning flashing vbmeta is "working".
All this seems like I'm on the right track.
However attempting to boot into the re-signed stock recovery results in:
Code:
INFO: LOCK FLAG IS : UNLOCKED!!!
followed by the device hanging (without displaying the WARNING message) so there is still something that's unhappy.
Any thoughts on how to get to the point that I can flash a useable re-signed stock recovery? If I can get that to work, then I should be in good shape to install magisk.
jwehle said:
Okay I was able to unlock the bootloader by using the procedure documented for the Qin 2 Pro. With the bootloader unlocked on reboot the device notes:
Code:
INFO: LOCK FLAG IS : UNLOCKED!!!
followed by:
Code:
WARNING: LOCK FLAG IS : UNLOCKED, SKIP VERIFY!!!
Using fastboot I can now reflash the stock vbmeta and the stock recovery without any problems and the stock recovery boots fine.
Also if I re-sign the stock recovery, then I can't flash it (fastboot flash hangs) until I've flashed a modified vbmeta containing the new public key for the re-signed recovery. Meaning flashing vbmeta is "working".
All this seems like I'm on the right track.
However attempting to boot into the re-signed stock recovery results in:
Code:
INFO: LOCK FLAG IS : UNLOCKED!!!
followed by the device hanging (without displaying the WARNING message) so there is still something that's unhappy.
Any thoughts on how to get to the point that I can flash a useable re-signed stock recovery? If I can get that to work, then I should be in good shape to install magisk.
Click to expand...
Click to collapse
Dear jwehle:
good job, i have also modify the pac firmware file which based on chinese vesion firmware:T701-1101-vbmetapri-vennofbe-systemnore-recpri01.pac
What's modified:
1.resgin the vbmeta img
2.delete fbe Force encryption in vendor partitions
3.delete the script in system.img to prevent factory recovery restore
4.modify recovery.img to a magisk build-in recovery
please use SPD_Research_Tool to flash the pac,change the android os language from chinese to english ,install magiskmanager app ,and the use adb command (adb reboot recovery)to let tablet reboot to recovery.
after tablet reboot to android os again ,open magiskmanager app,you can see the magisk can get root authority .
how to change language from chinese to english,please see attach png file.
Considering that the Android os you are using is in English version(including Google services),according to the modification points above, you can try to use the vbmeta and recovery (built in magisk) modified by your own signature , and then delete the fbe Force encryption、 recovery restoration in the system and vendor images , then use the SPD_Research_Tool to package the imgs into a pac image, flash the pac image, install the magiskmanager app, and use the adb command to restart the machine into recovery mode, so you can use magisk to get root permissions.
twrp egg:https://mega.nz/#!YZ9VDZbT!1ptlOI6g3FS_ES-cLGhLy9ybGtdHQ8vzVHaasAXglXo
and last thanks PeterCxy on xda 、the other masters sifu on 4pda agian.
wangyiling said:
Dear jwehle:
good job, i have also modify the pac firmware file which based on chinese vesion firmware:T701-1101-vbmetapri-vennofbe-systemnore-recpri01.pac
What's modified:
1.resgin the vbmeta img
2.delete fbe Force encryption in vendor partitions
3.delete the script in system.img to prevent factory recovery restore
4.modify recovery.img to a magisk build-in recovery.
Click to expand...
Click to collapse
Thanks for supplying the modified PAC and for explaining the changes.
Your PAC seemed to work fine and now that I have a better understanding
of things I should be able build my own PAC when I have a chance.
Your time and effort in explaining things is appreciated.
What's the significance of removing the encryption for the vendor partitions?
jwehle said:
What's the significance of removing the encryption for the vendor partitions?
Click to expand...
Click to collapse
the vendor img in my pac,just use ext4 format.i have use simg2img convert the oringin vendor img to ext4 format,and modify the fstab file in vendor/etc folder.
fstab.sp9832e_1h10:
Code:
/dev/block/platform/soc/soc:ap-ahb/20600000.sdio/by-name/userdata /data f2fs noatime,nosuid,nodev,discard,inline_xattr,inline_data wait,check,[COLOR="DarkOrange"]fileencryption[/COLOR]=aes-256-xts,reservedsize=128M
/dev/block/platform/soc/soc:ap-ahb/20600000.sdio/by-name/userdata /data ext4 noatime,nosuid,nodev,nomblk_io_submit,noauto_da_alloc wait,check,[COLOR="darkorange"]fileencryption[/COLOR]=aes-256-xts
---------->
Code:
/dev/block/platform/soc/soc:ap-ahb/20600000.sdio/by-name/userdata /data f2fs noatime,nosuid,nodev,discard,inline_xattr,inline_data wait,check,[COLOR="darkorange"]encryptable[/COLOR]=aes-256-xts,reservedsize=128M
/dev/block/platform/soc/soc:ap-ahb/20600000.sdio/by-name/userdata /data ext4 noatime,nosuid,nodev,nomblk_io_submit,noauto_da_alloc wait,check,[COLOR="darkorange"]encryptable[/COLOR]=aes-256-xts
wangyiling said:
the vendor img in my pac,just use ext4 format.i have use simg2img convert the oringin vendor img to ext4 format,and modify the fstab file in vendor/etc folder.
Click to expand...
Click to collapse
Actually, I was more curious as to why it was necessary / desirable to remove the encryption from the vendor partitions.
jwehle said:
Actually, I was more curious as to why it was necessary / desirable to remove the encryption from the vendor partitions.
Click to expand...
Click to collapse
Just for twrp to read the data partition, convenient for personal use。
It looks like the issue on this tablet is similar to what the magisk documentation mentions regarding the new Samsung tablets. Meaning after the bootloader is unlocked when rooting you should flash newly signed versions of the following:
Code:
vbmeta
boot
recovery
What was happening is when the system started normally it saw that recovery image had been modified so it checked if the boot image was the factory standard image. Since I hadn't touched the boot image the OS went ahead and attempted to replace the recovery image I flashed with a standard recovery image generated on the fly from the factory standard boot image. This caused a soft-brick when I rebooted into recovery since that recovery image wasn't signed using the public key specified by my replacement vbmeta.
By also flashing a newly signed boot image because the signature is different from what's it knows about the system no longer attempts to use it to refresh the recovery image.
Here's an outline of what I did to successfully root the device:
Use the Qin 2 Pro instructions / tools to unlock the boot loader.
Flash the appropriate factory standard firmware to establish a know starting point. I used iplay7t(T701)-Android9.0-ALLDOCUBE-191112 from the Alldocube web site.
Use SPD Rsearch Tool to extract vbmeta-sign.img, boot.img, and recovery.img.
Use avbtool (with the below patch) to extract the public keys from vbmeta-sign.img like so:
Code:
avbtool info_image --image vbmeta-sign.img.
Use make (with the below makefile) to sign vbmeta, boot, and recovery using a new key.
Flashed vbmeta, boot, and recovery.
Booted into recovery, saw that it worked, and did a factory reset.
Used magisk to patch recovery.img in the normal fashion, signed the patched recovery using the new key, and flashed the patched recovery.
Proceed to finish installing magisk in the normal fashion.
Notes:
rsa4096_vbmeta.pem is the private key mentioned in the Qin 2 Pro article.
The dhtbsign-vbmeta command is basically the dhtb signing python script from Qin 2 Pro article.
Here's the trival patch for avbtool to dump the public keys.
Code:
--- avbtool 2020-02-22 22:11:55.107787032 -0500
+++ avbtool.dumpkeys 2020-02-22 22:15:36.046283077 -0500
@@ -1657,6 +1657,10 @@ class AvbChainPartitionDescriptor(AvbDes
Arguments:
o: The object to write the output to.
"""
+ kfd = open(self.partition_name, "w");
+ kfd.write(self.public_key);
+ kfd.close();
+
o.write(' Chain Partition descriptor:\n')
o.write(' Partition Name: {}\n'.format(self.partition_name))
o.write(' Rollback Index Location: {}\n'.format(
Here's the makefile I used for signing the images.
Code:
all: boot-sign.img recovery-sign.img vbmeta-sign.img
vbmeta-sign.img: Makefile avb4096_pkmd.bin keys/*
avbtool make_vbmeta_image --output vbmeta.img --padding_size 16384 \
--key ../rsa4096_vbmeta.pem --algorithm SHA256_RSA4096 --flag 0 \
--chain_partition boot:1:avb4096_pkmd.bin \
--chain_partition system:3:keys/system \
--chain_partition vendor:4:keys/vendor \
--chain_partition product:10:keys/product \
--chain_partition dtbo:9:keys/dtbo \
--chain_partition recovery:2:avb4096_pkmd.bin \
--chain_partition l_modem:5:keys/l_modem \
--chain_partition l_ldsp:6:keys/l_ldsp \
--chain_partition l_gdsp:7:keys/l_gdsp \
--chain_partition pm_sys:8:keys/pm_sys \
--chain_partition dtb:11:keys/dtb
dhtbsign-vbmeta vbmeta.img vbmeta-sign.img
@rm -f vbmeta.img
avb4096_pkmd.bin: avb4096.pem
avbtool extract_public_key --key avb4096.pem --output avb4096_pkmd.bin
avb4096.pem:
openssl genrsa -out avb4096.pem 4096
boot-sign.img: boot.img avb4096.pem
cp boot.img boot-sign.img
avbtool add_hash_footer --image boot-sign.img \
--partition_name boot --partition_size 36700160 \
--key avb4096.pem --algorithm SHA256_RSA4096
recovery-sign.img: recovery.img avb4096.pem
cp recovery.img recovery-sign.img
avbtool add_hash_footer --image recovery-sign.img \
--partition_name recovery --partition_size 36700160 \
--key avb4096.pem --algorithm SHA256_RSA4096
@ jwehle,Very grateful for your detailed sharing
Did you have any trouble getting the tablet to populate the fastboot devices list?
I have USB drivers installed and can view the tablet's internal storage when it's not in fastboot mode. She's plugged directly into the mobo and I've tried two cables.
When in fastboot mode, it comes up in the Windows Device Manager as fastboot Gadget and drivers are apparently not available. I've tried using Zadig to feed it a driver of some kind, but still nothing.
MissAyako said:
Did you have any trouble getting the tablet to populate the fastboot devices list?
I have USB drivers installed and can view the tablet's internal storage when it's not in fastboot mode. She's plugged directly into the mobo and I've tried two cables.
When in fastboot mode, it comes up in the Windows Device Manager as fastboot Gadget and drivers are apparently not available. I've tried using Zadig to feed it a driver of some kind, but still nothing.
Click to expand...
Click to collapse
Seems the issue was with Windows. I thought I would be able to get the unlock token with Windows and then use WSL to do the rest of the signing, but apparently not.
Luckily I had an old laptop lying around. I threw Linux Mint on it and it worked just fine.
It didn't seem to work just using a live USB; I had to install Linux to the hard disk, but YMMV.
jwehle said:
It looks like the issue on this tablet is similar to what the magisk documentation mentions regarding the new Samsung tablets. Meaning after the bootloader is unlocked when rooting you should flash newly signed versions of the following:
Click to expand...
Click to collapse
This was wonderful, thank you! I've added some of my own notes below as an experience of what I encountered when attempting this process myself (spoiler'd because it is a lot).
I do not have enough post count to add links, but titles to the relevant articles has been added.
Follow steps in Article "Guide: How to Unlock Xiaomi Qin 2 (Pro) and Install Custom ROMs" from step 1 to (and including) step 10 (Unlocking section).
Notes:
- A Linux PC is necessary.
- You'll have to mark the "fastboot" file from the "Android_device_unlock.rar" archive as executable (chmod +x).
- Run the "fastboot" file as root.
- Getting the "SPD Research Tool" to pick up the tablet and not let the tablet try to move to either the charging
screen or the bootlogo is difficult, but do-able. Press and hold Power+Vol_Up and release when Windows does its
USB device detected chime.
- Flashing takes a few minutes (I think around 300 seconds).
- The SPD Research Tool extracts the PAC file contents into a folder. Grab the system images from there.
- The "avbtool" is available to be cloned via git from Google's repo
- The avbtool is a python script that is patched with three lines of code at line 1776:
Code:
kfd = open(self.partition_name, "w");
kfd.write(self.public_key);
kfd.close();
- When you use the patched avbtool on the vbmeta-sign.img file you copied (avbtool info_image --image vbmeta-sign.img)
it will produce several partitions with relative public keys that need to be stored in separate files for the next step.
The contents of the files are simply the public key and the partition name as the file name. Store the files in a folder named "keys".
- When creating the makefile, ensure that proper indentation is used. The code segment below is properly formatted (hopefully). If you get make errors, remove and re-indent the lines.
- If your "rsa4096_vbmeta.pem" keyfile is not placed alongside the makefile, ensure the --key flag points to this file.
- The makefile exists in the same directory as the system images.
- I had to insert local paths to the avbtool, as it was not installed to the system PATH.
- The dhtbsign-vbmeta.py command is located below. Make sure to mark this as executable as well.
Everything else is rather straightforward.
# makefile
Code:
all: boot-sign.img recovery-sign.img vbmeta-sign.img
vbmeta-sign.img: makefile avb4096_pkmd.bin keys/*
avbtool make_vbmeta_image --output vbmeta.img --padding_size 16384 \
--key rsa4096_vbmeta.pem --algorithm SHA256_RSA4096 --flag 0 \
--chain_partition boot:1:avb4096_pkmd.bin \
--chain_partition system:3:keys/system \
--chain_partition vendor:4:keys/vendor \
--chain_partition product:10:keys/product \
--chain_partition dtbo:9:keys/dtbo \
--chain_partition recovery:2:avb4096_pkmd.bin \
--chain_partition l_modem:5:keys/l_modem \
--chain_partition l_ldsp:6:keys/l_ldsp \
--chain_partition l_gdsp:7:keys/l_gdsp \
--chain_partition pm_sys:8:keys/pm_sys \
--chain_partition dtb:11:keys/dtb
./dhtbsign-vbmeta.py vbmeta.img vbmeta-sign.img
@rm -f vbmeta.img
avb4096_pkmd.bin: avb4096.pem
avbtool extract_public_key --key avb4096.pem --output avb4096_pkmd.bin
avb4096.pem:
openssl genrsa -out avb4096.pem 4096
boot-sign.img: boot.img avb4096.pem
cp boot.img boot-sign.img
avbtool add_hash_footer --image boot-sign.img \
--partition_name boot --partition_size 36700160 \
--key avb4096.pem --algorithm SHA256_RSA4096
recovery-sign.img: recovery.img avb4096.pem
cp recovery.img recovery-sign.img
# dhtbsign-vbmeta.py file (from "How I Unlocked Xiaomi Qin 2 Pro and Installed Phh GSI")
Code:
#!/usr/bin/env python
import hashlib
import sys
f = open(sys.argv[1], "rb")
b = f.read()
sha = hashlib.sha256(b).digest()
f.close()
f = open("vbmeta_signed.img", "wb")
f.write(b)
f.seek(1048576 - 512)
f.write(b'\x44\x48\x54\x42\x01\x00\x00\x00')
f.write(sha)
f.write(b'\x00\x00\x00\x00\x00\x00\x00\x00\x00\x40\x00\x00')
f.seek(1048576 - 1)
f.write(b'\x00')
f.close()
wuxianlin has build a twrp device for T701.
i think this will be a help .
Help me
Sir help pliz same problem my device ,same chipset , Symphony i95 ,pliz sir modify my pac file pliz....
wangyiling said:
Dear jwehle:
good job, i have also modify the pac firmware file which based on chinese vesion firmware:T701-1101-vbmetapri-vennofbe-systemnore-recpri01.pac
What's modified:
1.resgin the vbmeta img
2.delete fbe Force encryption in vendor partitions
3.delete the script in system.img to prevent factory recovery restore
4.modify recovery.img to a magisk build-in recovery
please use SPD_Research_Tool to flash the pac,change the android os language from chinese to english ,install magiskmanager app ,and the use adb command (adb reboot recovery)to let tablet reboot to recovery.
after tablet reboot to android os again ,open magiskmanager app,you can see the magisk can get root authority .
how to change language from chinese to english,please see attach png file.
Considering that the Android os you are using is in English version(including Google services),according to the modification points above, you can try to use the vbmeta and recovery (built in magisk) modified by your own signature , and then delete the fbe Force encryption、 recovery restoration in the system and vendor images , then use the SPD_Research_Tool to package the imgs into a pac image, flash the pac image, install the magiskmanager app, and use the adb command to restart the machine into recovery mode, so you can use magisk to get root permissions.
twrp egg:https://mega.nz/#!YZ9VDZbT!1ptlOI6g3FS_ES-cLGhLy9ybGtdHQ8vzVHaasAXglXo
and last thanks PeterCxy on xda 、the other masters sifu on 4pda agian.
Click to expand...
Click to collapse
can i just flash the pac without unlocking the bootloader.
thanks in advances
hidroela said:
can i just flash the pac without unlocking the bootloader.
thanks in advances
Click to expand...
Click to collapse
yes,just falsh pac
wangyiling said:
yes,just falsh pac
Click to expand...
Click to collapse
i did unlocked the bootloader and flash the pac and follow the instructions for magisk to work, but after a third reboot Root was gone.
i don't know what I am missing.
Hello!
I'm trying to compile and run a custom Android kernel on my Pixel 6. I did this multiple times in the past but with Android 12 it seems things have changed.
I'm following the usual "Building Kernels" page https://source.android.com/setup/build/building-kernels?hl=en
In more details these are the commands that I run:
mkdir android-kernel && cd android-kernel
repo init -u https://android.googlesource.com/kernel/manifest -b android-gs-raviole-5.10-android12-d1
./build/build.sh
Click to expand...
Click to collapse
However when I try to boot the boot.img using the "fastboot boot boot.img" command, I get immediately redirected back to the bootloader. I suspect this is due to a bad image file format.
I also tried to compile as follow
BUILD_BOOT_IMG=1 SKIP_VENDOR_BOOT=1 KERNEL_BINARY=Image \
GKI_RAMDISK_PREBUILT_BINARY=gki-ramdisk.lz4 \
BUILD_CONFIG=private/gs-google/build.config.gki.aarch64 \
./build/build.sh
Click to expand...
Click to collapse
where gki-ramdisk.lz4 is the ramdisk extracted from the prebuilt images found here https://developers.google.com/android/images#oriole
With this last setup I get a boot-loop, so at least the boot.img file format seems to be ok.
I think that these issues are related to the new GKI format, however I cannot find any information online on how to compile a custom GKI kernel.
Does any of you know how to build and run custom kernels for the Pixel 6?
Thanks!
barbito said:
Hello!
I'm trying to compile and run a custom Android kernel on my Pixel 6. I did this multiple times in the past but with Android 12 it seems things have changed.
I'm following the usual "Building Kernels" page https://source.android.com/setup/build/building-kernels?hl=en
In more details these are the commands that I run:
However when I try to boot the boot.img using the "fastboot boot boot.img" command, I get immediately redirected back to the bootloader. I suspect this is due to a bad image file format.
I also tried to compile as follow
where gki-ramdisk.lz4 is the ramdisk extracted from the prebuilt images found here https://developers.google.com/android/images#oriole
With this last setup I get a boot-loop, so at least the boot.img file format seems to be ok.
I think that these issues are related to the new GKI format, however I cannot find any information online on how to compile a custom GKI kernel.
Does any of you know how to build and run custom kernels for the Pixel 6?
Thanks!
Click to expand...
Click to collapse
You just need to run build_slider.sh script on the root of the repo you cloned for compile stock source
Ah thanks! build_slider works but you need to specify to compile the kernel otherwise it uses the prebuilt kernel
BUILD_KERNEL=1 ./build_slider.sh
barbito said:
Ah thanks! build_slider works but you need to specify to compile the kernel otherwise it uses the prebuilt kernel
BUILD_KERNEL=1 ./build_slider.sh
Click to expand...
Click to collapse
Hi I am trying to do the same thing, looks like there is no aosp folder anymore.
I had the same issue. I can no more compile it correctly.
They constantly change everything. I even tried to checkout to older branches where I was sure I managed to compile it but still no success. Maybe the sub cloned repository were not in sync
barbito said:
I had the same issue. I can no more compile it correctly.
They constantly change everything. I even tried to checkout to older branches where I was sure I managed to compile it but still no success. Maybe the sub cloned repository were not in sync
Click to expand...
Click to collapse
[email protected]:/mnt/code/shaoyang/aosp_kernel$ ls
build build_slider.sh prebuilts tools
build.config common-modules prebuilts-master update_symbol_list.sh
build_mixed.sh kernel private
[email protected]:/mnt/code/shaoyang/aosp_kernel$ BUILD_KERNEL=1 ./build_slider.sh
Building GKI kernel using aosp/build.config.gki.aarch64...
realpath: /mnt/code/shaoyang/aosp_kernel/aosp/build.config.gki.aarch64: No such file or directory
ERROR: Failed to compile GKI kernel: retval=1
ERROR: Failed to create mixed build: retval=1
there is no aosp folder any more, the older branches you mentioned is ?
hey,
try doing this.
Return to the ClockworkMod Recovery main menu. Choose "install zip from sdcard" and press "N." Choose "choose zip from sdcard" and press "N." Scroll through the list of ROMs, updates and kernels located on your SD card. Select the custom kernel you want to flash to the Nook.
I am trying to build AOSP 12 and kernel and unable to get it working on the Pixel 6.
my AOSP branch is android-12.1.0_r2 and my kernel branch is android-gs-raviole-5.10-android12L.
Pixel 6 works well if only flash the AOSP images I build, however, it won't boot up if I flash the boot.img build with kernel.
Here is my step:
1. mkdir android-kernel && cd android-kernel
2. repo init -u https://android.googlesource.com/kernel/manifest -b android-gs-raviole-5.10-android12L
3. repo sync
4. build/build.sh
I could see the logs below after I build successfully.
--------------------------------------------------------------------------------------------------------------------------
Files copied to /mnt/code/shaoyang/kernel/out/android-gs-pixel-5.10/dist
vendor_ramdisk-oriole.img is LZ4 compressed boot image created at boot.img
Signing the boot.img...
vendor boot image created at /mnt/code/shaoyang/kernel/out/android-gs-pixel-5.10/dist/vendor_boot.img
--------------------------------------------------------------------------------------------------------------------------
Note that the boot.img and vendor_boot.img had already been generated, then I use “fastboot flash boot boot.img” and “fastboot flash vendor_boot vendor_boot.img”to flash the boot.img and vendor_boot.img.
Unfortunately, the Pixel6 couldn’t boot up, it always stay in the fastboot mode.
I am also tried that copy all the files from out/android-gs-pixel-5.10/dist to the folder AOSP/device/google/raviole-kernel/
export TARGET_PREBUILT_KERNEL=out/android-gs-pixel-5.10/dist/Image.lz4
make bootimage
after that I flash the boot.img , Pixel 6 couldn't boot up.
I have compared the good boot.img and the bad boot.img, looks like there is no ramdisk in the bad boot.img .
I have also tried to do the below steps:
Building a Boot ImageIt's possible to build a boot image using the kernel build environment. To do this you need a ramdisk binary, which you can obtain by downloading a GKI boot image and unpacking it. Any GKI boot image from the associated Android release will work.
tools/mkbootimg/unpack_bootimg.py --boot_img=boot-5.4-gz.img
mv tools/mkbootimg/out/ramdisk gki-ramdisk.lz4
The target folder is the top-level directory of the kernel tree (the current working directory).
If you're developing with AOSP master, you can instead download the ramdisk-recovery.img build artifact from an aosp_arm64 build on ci.android.com and use that as your ramdisk binary.
When you have a ramdisk binary and have copied it to gki-ramdisk.lz4 in the root directory of the kernel build, you can generate a boot image by executing:
BUILD_BOOT_IMG=1 SKIP_VENDOR_BOOT=1 KERNEL_BINARY=Image GKI_RAMDISK_PREBUILT_BINARY=gki-ramdisk.lz4 BUILD_CONFIG=common/build.config.gki.aarch64 build/build.sh
That file is located in the artifact directory $KERNEL_ROOT/out/$KERNEL_VERSION/dist.
The boot image is located at out/<kernel branch>/dist/boot.img.
looks like the boot.img still don't have the ramdisk.
the pixel 6 couldn't boot up after flashed the boot.img
barbito said:
I had the same issue. I can no more compile it correctly.
They constantly change everything. I even tried to checkout to older branches where I was sure I managed to compile it but still no success. Maybe the sub cloned repository were not in sync
Click to expand...
Click to collapse
Hi , we don't need to build the whole kernel, just replace the KO file and build your vendor_boot.img and flash it. that will works for your mofiy in kernel source.
shaoyang said:
I am trying to build AOSP 12 and kernel and unable to get it working on the Pixel 6.
my AOSP branch is android-12.1.0_r2 and my kernel branch is android-gs-raviole-5.10-android12L.
Pixel 6 works well if only flash the AOSP images I build, however, it won't boot up if I flash the boot.img build with kernel.
Here is my step:
1. mkdir android-kernel && cd android-kernel
2. repo init -u https://android.googlesource.com/kernel/manifest -b android-gs-raviole-5.10-android12L
3. repo sync
4. build/build.sh
I could see the logs below after I build successfully.
--------------------------------------------------------------------------------------------------------------------------
Files copied to /mnt/code/shaoyang/kernel/out/android-gs-pixel-5.10/dist
vendor_ramdisk-oriole.img is LZ4 compressed boot image created at boot.img
Signing the boot.img...
vendor boot image created at /mnt/code/shaoyang/kernel/out/android-gs-pixel-5.10/dist/vendor_boot.img
--------------------------------------------------------------------------------------------------------------------------
Note that the boot.img and vendor_boot.img had already been generated, then I use “fastboot flash boot boot.img” and “fastboot flash vendor_boot vendor_boot.img”to flash the boot.img and vendor_boot.img.
Unfortunately, the Pixel6 couldn’t boot up, it always stay in the fastboot mode.
I am also tried that copy all the files from out/android-gs-pixel-5.10/dist to the folder AOSP/device/google/raviole-kernel/
export TARGET_PREBUILT_KERNEL=out/android-gs-pixel-5.10/dist/Image.lz4
make bootimage
after that I flash the boot.img , Pixel 6 couldn't boot up.
I have compared the good boot.img and the bad boot.img, looks like there is no ramdisk in the bad boot.img .
I have also tried to do the below steps:
Building a Boot ImageIt's possible to build a boot image using the kernel build environment. To do this you need a ramdisk binary, which you can obtain by downloading a GKI boot image and unpacking it. Any GKI boot image from the associated Android release will work.
tools/mkbootimg/unpack_bootimg.py --boot_img=boot-5.4-gz.img
mv tools/mkbootimg/out/ramdisk gki-ramdisk.lz4
The target folder is the top-level directory of the kernel tree (the current working directory).
If you're developing with AOSP master, you can instead download the ramdisk-recovery.img build artifact from an aosp_arm64 build on ci.android.com and use that as your ramdisk binary.
When you have a ramdisk binary and have copied it to gki-ramdisk.lz4 in the root directory of the kernel build, you can generate a boot image by executing:
BUILD_BOOT_IMG=1 SKIP_VENDOR_BOOT=1 KERNEL_BINARY=Image GKI_RAMDISK_PREBUILT_BINARY=gki-ramdisk.lz4 BUILD_CONFIG=common/build.config.gki.aarch64 build/build.sh
That file is located in the artifact directory $KERNEL_ROOT/out/$KERNEL_VERSION/dist.
The boot image is located at out/<kernel branch>/dist/boot.img.
looks like the boot.img still don't have the ramdisk.
the pixel 6 couldn't boot up after flashed the boot.img
Click to expand...
Click to collapse
Hi,I went through the same steps as you,“the Pixel6 couldn’t boot up, it always stay in the fastboot mode.” How to solve and finally successful?
environment:Unbutu 20.04
barbito said:
Hello!
I'm trying to compile and run a custom Android kernel on my Pixel 6. I did this multiple times in the past but with Android 12 it seems things have changed.
I'm following the usual "Building Kernels" page https://source.android.com/setup/build/building-kernels?hl=en
In more details these are the commands that I run:
However when I try to boot the boot.img using the "fastboot boot boot.img" command, I get immediately redirected back to the bootloader. I suspect this is due to a bad image file format.
I also tried to compile as follow
where gki-ramdisk.lz4 is the ramdisk extracted from the prebuilt images found here https://developers.google.com/android/images#oriole
With this last setup I get a boot-loop, so at least the boot.img file format seems to be ok.
I think that these issues are related to the new GKI format, however I cannot find any information online on how to compile a custom GKI kernel.
Does any of you know how to build and run custom kernels for the Pixel 6?
Thanks!
Click to expand...
Click to collapse
Hi,I went through the same steps as you ,I had the same problem as you; How to solve and finally successful? am looking forward to your early reply
any solution for this problem? can't find any with google.... need help badly
I know it's definitely possible, but getting boot loops/crashes. There are certainly working kernels out there. So I am sure that this is possible. But can't figure it out.
acuicultor said:
You just need to run build_slider.sh script on the root of the repo you cloned for compile stock source
Click to expand...
Click to collapse
acuicultor after this, do you just copy the files under out/mixed/dist to device/google/raviole-kernel? And then run the aosp build?
haunted2bwanted said:
I know it's definitely possible, but getting boot loops/crashes. There are certainly working kernels out there. So I am sure that this is possible. But can't figure it out.
acuicultor after this, do you just copy the files under out/mixed/dist to device/google/raviole-kernel? And then run the aosp build?
Click to expand...
Click to collapse
I run standalone builds, no need to build aosp just for the kernel.
Hello
Is it possible to compile only the kernel from source without downloading all that AOSP bloatware simply by using the Android NDK to build it? Just like you would build any other aarch64 binary using the ndk-build command? Thank you!
acuicultor said:
I run standalone builds, no need to build aosp just for the kernel.
Click to expand...
Click to collapse
Yep. That is exactly what I am curious about. I tried the same, I can't get my device to boot unfortunately. Couple of things:
I am on a userdebug build (not sure if that matters)
I started with branch android-gs-raviole-5.10-android12L
Detailed procedure as follows:
Bash:
# download the manifest and get the repo kernel
$ repo init --depth=1 -u https://android.googlesource.com/kernel/manifest -b android-gs-raviole-5.10-android12L
$ repo sync --force-sync -c --no-clone-bundle -j$(nproc --all) --verbose
# build the kernel
$ BUILD_KERNEL=1 ./build_slider.sh
# once the build finishes, you would find the following image files
# in ./out/dist/dist/
$ ls ./out/mixed/dist/*.img -ls
19188 -rw-rw-r-- 1 user user 67108864 Jul 23 11:39 ./out/mixed/dist/boot.img
484 -rw-rw-r-- 1 user user 495134 Jul 23 11:39 ./out/mixed/dist/dtb.img
2136 -rw-rw-r-- 1 user user 2183590 Jul 23 11:29 ./out/mixed/dist/dtbo.img
12116 -rw-rw-r-- 1 user user 12405857 Jul 23 11:39 ./out/mixed/dist/initramfs.img
4 -rw-rw-r-- 1 user user 38 Jul 23 11:39 ./out/mixed/dist/vendor-bootconfig.img
31656 -rw-rw-r-- 1 user user 32415744 Jul 23 11:39 ./out/mixed/dist/vendor_boot.img
43528 -rw-rw-r-- 1 user user 44605440 Jul 23 11:39 ./out/mixed/dist/vendor_dlkm.img
# I flash the following way:
$ adb reboot bootloader
$ fastboot flash boot boot.img
$ fastboot flash dtbo dtbo.img
$ fastboot flash vendor_boot vendor_boot.img
# boot to fastbootd
$ fastboot reboot fastboot
# flash the dlkm vendor image
$ fastboot flash vendor_dlkm vendor_dlkm.img
# reboot the device
$ fastboot reboot
haunted2bwanted said:
Yep. That is exactly what I am curious about. I tried the same, I can't get my device to boot unfortunately. Couple of things:
I am on a userdebug build (not sure if that matters)
I started with branch android-gs-raviole-5.10-android12L
Detailed procedure as follows:
Bash:
# download the manifest and get the repo kernel
$ repo init --depth=1 -u https://android.googlesource.com/kernel/manifest -b android-gs-raviole-5.10-android12L
$ repo sync --force-sync -c --no-clone-bundle -j$(nproc --all) --verbose
# build the kernel
$ BUILD_KERNEL=1 ./build_slider.sh
# once the build finishes, you would find the following image files
# in ./out/dist/dist/
$ ls ./out/mixed/dist/*.img -ls
19188 -rw-rw-r-- 1 user user 67108864 Jul 23 11:39 ./out/mixed/dist/boot.img
484 -rw-rw-r-- 1 user user 495134 Jul 23 11:39 ./out/mixed/dist/dtb.img
2136 -rw-rw-r-- 1 user user 2183590 Jul 23 11:29 ./out/mixed/dist/dtbo.img
12116 -rw-rw-r-- 1 user user 12405857 Jul 23 11:39 ./out/mixed/dist/initramfs.img
4 -rw-rw-r-- 1 user user 38 Jul 23 11:39 ./out/mixed/dist/vendor-bootconfig.img
31656 -rw-rw-r-- 1 user user 32415744 Jul 23 11:39 ./out/mixed/dist/vendor_boot.img
43528 -rw-rw-r-- 1 user user 44605440 Jul 23 11:39 ./out/mixed/dist/vendor_dlkm.img
# I flash the following way:
$ adb reboot bootloader
$ fastboot flash boot boot.img
$ fastboot flash dtbo dtbo.img
$ fastboot flash vendor_boot vendor_boot.img
# boot to fastbootd
$ fastboot reboot fastboot
# flash the dlkm vendor image
$ fastboot flash vendor_dlkm vendor_dlkm.img
# reboot the device
$ fastboot reboot
Click to expand...
Click to collapse
My guess is that the vendor modules inside the vendor_boot.img may not be updated. When the kernel is built the vendor modules might need to be rebuilt along with the GKI itself. Thoughts? acuicultor
haunted2bwanted said:
Yep. That is exactly what I am curious about. I tried the same, I can't get my device to boot unfortunately. Couple of things:
I am on a userdebug build (not sure if that matters)
I started with branch android-gs-raviole-5.10-android12L
Detailed procedure as follows:
Bash:
# download the manifest and get the repo kernel
$ repo init --depth=1 -u https://android.googlesource.com/kernel/manifest -b android-gs-raviole-5.10-android12L
$ repo sync --force-sync -c --no-clone-bundle -j$(nproc --all) --verbose
# build the kernel
$ BUILD_KERNEL=1 ./build_slider.sh
# once the build finishes, you would find the following image files
# in ./out/dist/dist/
$ ls ./out/mixed/dist/*.img -ls
19188 -rw-rw-r-- 1 user user 67108864 Jul 23 11:39 ./out/mixed/dist/boot.img
484 -rw-rw-r-- 1 user user 495134 Jul 23 11:39 ./out/mixed/dist/dtb.img
2136 -rw-rw-r-- 1 user user 2183590 Jul 23 11:29 ./out/mixed/dist/dtbo.img
12116 -rw-rw-r-- 1 user user 12405857 Jul 23 11:39 ./out/mixed/dist/initramfs.img
4 -rw-rw-r-- 1 user user 38 Jul 23 11:39 ./out/mixed/dist/vendor-bootconfig.img
31656 -rw-rw-r-- 1 user user 32415744 Jul 23 11:39 ./out/mixed/dist/vendor_boot.img
43528 -rw-rw-r-- 1 user user 44605440 Jul 23 11:39 ./out/mixed/dist/vendor_dlkm.img
# I flash the following way:
$ adb reboot bootloader
$ fastboot flash boot boot.img
$ fastboot flash dtbo dtbo.img
$ fastboot flash vendor_boot vendor_boot.img
# boot to fastbootd
$ fastboot reboot fastboot
# flash the dlkm vendor image
$ fastboot flash vendor_dlkm vendor_dlkm.img
# reboot the device
$ fastboot reboot
Click to expand...
Click to collapse
This procedure seems fine to me, just for july rom build you should use android-gs-raviole-5.10-android12-qpr3 branch
haunted2bwanted said:
My guess is that the vendor modules inside the vendor_boot.img may not be updated. When the kernel is built the vendor modules might need to be rebuilt along with the GKI itself. Thoughts? acuicultor
Click to expand...
Click to collapse
Running /build_slider.sh all the necessary stuff is being built, no need to do anything more than just running the script.
acuicultor said:
This procedure seems fine to me, just for july rom build you should use android-gs-raviole-5.10-android12-qpr3 branch
Running /build_slider.sh all the necessary stuff is being built, no need to do anything more than just running the script.
Click to expand...
Click to collapse
Very strange. This does not work for me. I tried android-gs-raviole-5.10-android12-qpr3 . I see the google logo and it restarts from bootloader mode. I have no idea what I am doing wrong. I updated my aosp version to oriole-sq3a.220605.009.b1. (Link to zip)
The only change I made what changing the version string of the kernel by modifying gki_defconfig.
Bash:
$ head -n2 aosp/arch/arm64/configs/gki_defconfig
CONFIG_LOCALVERSION="-haunted2bwanted-"
CONFIG_AUDIT=y
I see the version being reflected correctly:
Bash:
$ grep -a 'Linux version' out/mixed/dist/Image
(%u)%s: Unknown advertising packet type: 0x%02xhciLinux version %s (%s)Wrong link type (%d)
�l��� ����� ������������ �����
initcallinitcall_debugLinux version 5.10.81-haunted2bwanted--android12-9-geba40aecb3b7-dirty ([email protected]) (Android (7284624, based on r416183b) clang version 12.0.5 (https://android.googlesource.com/toolchain/llvm-project c935d99d7cf2016289302412d708641d52d2f7ee), LLD 12.0.5 (/buildbot/src/android/llvm-toolchain/out/llvm-project/lld c935d99d7cf2016289302412d708641d52d2f7ee)) #1 SMP PREEMPT Tue May 3 02:46:17 UTC 2022
Could it be that I am on the wrong ROM? Which one do you recommend? @acuicultor
{
"lightbox_close": "Close",
"lightbox_next": "Next",
"lightbox_previous": "Previous",
"lightbox_error": "The requested content cannot be loaded. Please try again later.",
"lightbox_start_slideshow": "Start slideshow",
"lightbox_stop_slideshow": "Stop slideshow",
"lightbox_full_screen": "Full screen",
"lightbox_thumbnails": "Thumbnails",
"lightbox_download": "Download",
"lightbox_share": "Share",
"lightbox_zoom": "Zoom",
"lightbox_new_window": "New window",
"lightbox_toggle_sidebar": "Toggle sidebar"
}
acuicultor I tried fastboot version your kernel provided here: RadioactiveKernel_RAVIOLE_v1.2.2_FASTBOOT.zip
I got identical results on my device. Reboot to bootloader.Any ideas?
I can record a video of how the device behaves if you like? In the past, the anykernel kiri kernel worked like charm. I tried it calyxos. I'll try the anykernel3 version dist of your kernel as well.