ok so please be gentle here, coming back here after 7 years, from old Windows Mobile days!
I am a newbie to Android and want to root my Z5 compact. The only reason I want to root it is to enable some apps like Greenify and GSam battery monitor to work with all their features enabled. I do not want to flash a new ROM. I am happy with Sony's stock ROM.
Is it possible to get root access without installing / flashing a new ROM?
I have searched the internet but people talk about flashing every time I read about rooting. Then I also saw this thread: http://forum.xda-developers.com/xperia-z5/development/root-automatic-repack-stock-kernel-dm-t3301605
Lots of geeky stuff there which is fine, but again, it seems to talk about flashing the ROM, which I really do not want to do or do not see the need (yet).
Unlock boot loader:
I see that Sony lets me unlock the boot loader from their dev site. I am willing to unlock the boot loader. (Not sure if I want to do that first. Maybe unlocking BL is all I need?)
rajdude said:
ok so please be gentle here, coming back here after 7 years, from old Windows Mobile days!
I am a newbie to Android and want to root my Z5 compact. The only reason I want to root it is to enable some apps like Greenify and GSam battery monitor to work with all their features enabled. I do not want to flash a new ROM. I am happy with Sony's stock ROM.
Is it possible to get root access without installing / flashing a new ROM?
I have searched the internet but people talk about flashing every time I read about rooting. Then I also saw this thread: http://forum.xda-developers.com/xperia-z5/development/root-automatic-repack-stock-kernel-dm-t3301605
Lots of geeky stuff there which is fine, but again, it seems to talk about flashing the ROM, which I really do not want to do or do not see the need (yet).
Unlock boot loader:
I see that Sony lets me unlock the boot loader from their dev site. I am willing to unlock the boot loader. (Not sure if I want to do that first. Maybe unlocking BL is all I need?)
The only reason to use that guide is to back up TA keys, for whatever reason you'd want to do that.
If you're after root on the stock ROM, the single easiest way is to unlock the bootloader, flash TWRP 3.0.2, flash XPower 3.0, and that's it. Solid Marshmallow with root goodies. XPower has everything and is deodexed and ready for the Xposed framework.
just a little more clarification please?
civicsr2cool said:
.....easiest way is to unlock bootloader, flash twrp 3.0.2, flash xpower 3.0, and that's it. ......
Ok thanks.....that sounds straight forward.....but isn't TWRP a ROM? (sorry, the moment I hear flashing...I think ROM)
And I am looking up xpower...not sure what that is (yet) and why do I need it
I do want xposed framework though.
I wish there was a simple straightforward answer
rajdude said:
Ok thanks.....that sounds straight forward.....but isn't TWRP a ROM? (sorry, the moment I hear flashing...I think ROM)
And I am looking up xpower...not sure what that is (yet) and why do I need it
I do want xposed framework though.
I wish there was a simple straightforward answer
TWRP is your recovery, which you flash through fastboot; XPower 3.0 is the ROM, just a pre-modded stock ROM with options for Xperia X add-ons. Use lite and the stock kernel for XPower and you'll be set.
still a little confused
civicsr2cool said:
TWRP is your recovery, which you flash through fastboot; XPower 3.0 is the ROM, just a pre-modded stock ROM with options for Xperia X add-ons. Use lite and the stock kernel for XPower and you'll be set.
Ok thanks! So my understanding (so far) is :
We "must" flash a ROM in order to root a phone. Did I get that correct?
Since I said I like the stock Sony ROM, you recommended the xpower 3.0 ROM.........but the point is.....I still have to flash ROM.
A little confused here...
I am a systems engineer (my day job). In Linux or Windows OS, if we want root access (to run some software or a low-level command, like partitioning a disk etc.), we either run the su command and put in root's password OR right-click and run as administrator......
We never have to install a brand new Operating System to get root access.
Just a total newbie question.....Why do we have to install a whole new OS (flash a new ROM) on our Android phones to get root access?
rajdude said:
Ok thanks! So my understanding (so far) is :
We "must" flash a ROM in order to root a phone. Did I get that correct?
Since I said I like the stock Sony ROM, you recommended the xpower 3.0 ROM.........but the point is.....I still have to flash ROM.
A little confused here...
I am a systems engineer (my day job). In Linux or Windows OS, if we want root access (to run some software or a low-level command, like partitioning a disk etc.), we either run the su command and put in root's password OR right-click and run as administrator......
We never have to install a brand new Operating System to get root access.
Just a total newbie question.....Why do we have to install a whole new OS (flash a new ROM) on our Android phones to get root access?
Android is Linux; to gain root in the ROM you have on your phone currently, all you need is an unlocked bootloader to run su, but then you'll be left with a phone that still needs a customized kernel to keep root and a DRM fix for the camera. XPower 3.0 is that package.
You could really benefit from reading more. Google up on dm-verity and Sony RIC, and fastboot/adb, for a little better understanding of what you're getting into without a pre-compiled ROM. Messing around with any Android you'll have the majority of the same steps: unlock the bootloader with fastboot, flash SuperSU, customized kernel, etc.
Why use a stable compiled ROM?
Let me list down and explain to you why it's best to use a stable compiled ROM. But first you need to understand these few things before you decide to unlock your bootloader and root.
Before the Sony Z models kicked in, every rooted Sony device was still able to retain all the features that came together with the phone before it was rooted. When Sony introduced the first Z model, they started to create these things called DRM keys. DRM keys are a unique algorithm (I guess I should put it that way) which is attached to every phone, the same way an IMEI number is attached to every phone. In short, my DRM keys cannot be used on your phone and vice versa.
DRM key: it's a unique algorithm that holds all the unique features that an unrooted Sony phone boasts, such as camera quality, X-Reality, High-Res Audio etc.
The moment you unlock your bootloader, that's the moment your DRM keys will be lost. But don't panic, the wonderful devs on XDA have prepared a tool to back up your TA partition (a partition that contains your DRM key) for your own convenience if you want to relock your bootloader.
Then recently Sony/Android came up with new features called Sony RIC and dm-verity. (You may Google what these are all about, but to my understanding they place limitations on people who root their phones to meddle around with the system settings of their phone.)
With all these "hurdles", it has taken some time for devs here to find a workaround and, like every fairytale ending, they managed to find a way.
Now you're wondering if you can actually root without flashing another rom. Good news for you: you can! There's a guide that will teach you how to actually root and apply the work around after unlocking your bootloader and rooting.
.. But ask yourself what's the point of going through the hassle of rooting and your phone is not tweaked for performance or for theming purposes?
That's when people flash ROMs and in the Z5 Compact's case, XPower is the best ROM there is. It gives you all the performance tweaks you need to make your phone lag-free, it has a lite version that removes all the unnecessary system apps you can't delete without root, and it gives you an option to add themes and framework from the Xperia X with all those workarounds in place.
For your second question: why is there a need to install TWRP?
TWRP is a recovery tool which is a need for all rooted phones. It's also a tool for you to back up and restore your current ROM so that you can roll back to the last working configuration if your phone goes into a bootloop etc. Plus I believe all these guides require you to actually use TWRP to flash SuperSU to successfully root your phone.
I hope this clears up your doubts.
Thanks a lot but...
firdyRAY, thanks a lot for the comprehensive reply to my questions. And yes, it has shed a LOT of light on my doubts.
I googled Sony RIC and dm-verity:
I could not find much on RIC.
Dm-verity seems to me a way to check if the boot image has been modified from the last boot, and if it has, stop from booting. Sounds like a good idea until we understand that to flash a ROM dm-verity needs to be bypassed/turned off.
So to compile what I have understood so far:
By unlocking the bootloader, you lose DRM keys. There is a way to back up DRM keys, which are in the TA partition, but this is to be done BEFORE you unlock the bootloader. Good that I have not done anything to my Z5c yet.
The next steps for me would be to look into XPower 3 ROM…which I did and here is what I found out:
http://forum.xda-developers.com/z5-compact/development/rom-xpower-v1-0-aroma-debloat-custom-t3371100
First, what's up with the scary looking warning in RED right at the top of the first thread. I did read the OP and the second post, I did not see anything in there which IF I missed will cause my phone to explode! That is probably posted to make noobs read all instructions, right?
Second, I do not see any step in there to back up the DRM / TA partition. I guess the dev is assuming the phone already has lost the DRM, right? So I gotta find instructions on how to back up DRM / TA.
Then I searched for problems in this ROM and seems to me that the fingerprint sensor is reported by many to be not working and/or buggy. I rely on the fingerprint sensor day and night. I have many apps which rely on that, like lastpass. That would be a major deal breaker for me.
So going back to stock ROM option…I remember you said "There's a guide that will teach you how to actually root and apply the work around after unlocking your bootloader and rooting."
Could you please post a link to that?
Thanks again!
I think this is a pretty great thread rajdude. It's getting people to spell out a lot of information to noobs like us that it seems most posters have taken for granted over time.
I'm a complete novice at all of this. Sort of gleaning information as I go along, but I used this guide: http://twigstechtips.blogspot.hk/2016/04/sony-z5-compact-root-without-losing-ta.html?m=0
Along with this guide: http://forum.xda-developers.com/xperia-z5/general/guide-rooting-unlocking-bootloader-t3354307
The first guide is pretty basic step-by-step instructions. It unfortunately occasionally kind of skips over a couple of very small things (that will be clear as you go along), or occasionally words things in such a way that might not be completely intuitive, but maybe that's cause I need things explained to me like I'm five sometimes. Any time I might have had a question about something in the first guide, I went to the other and found the answer. It didn't take me long to get the gist of the whole thing though, and overall, it wasn't as scary as I thought it was going to be. It'd be fantastic if someone created a video walkthrough, but so far as I know, no one has done that yet.
The guide will help you back up your TA Partition where your DRM keys are stored, unlock your bootloader, root your device, and then restore your DRM keys. In order to do this you need to downgrade to Lollipop (if you're not already on it), and then upgrade back up to Marshmallow. It will also install TWRP (which I had no clue was installed until I went into "recovery mode" by pressing UP when I saw the LED flash yellow during boot). There may be an easier way to go about this whole process, but this is the process I used.
Before jumping into anything, I'd hold off until you heard more from firdyRAY or someone more experienced. They may look at the guide I linked and be horrified.
And yeah, I haven't installed XPower yet for the same reasons you haven't. Sounds like there's even an XPower 4.0 that was released recently, but it still seems kinda buggy. Being rooted with stock I've been able to give Greenify access to root, install AdAway (which was worth getting root for to begin with), install sound/music mods like DiVA-X, Viper4Android and Dolby Atmos, install Titanium Backup, and make a few other minor tweaks (that I've since reversed). I still don't know much about custom ROMs and all that jazz, so I'm holding off until I get more understanding. I'd love to install the XPower ROM (when the bugs are worked out), and maybe some sort of sound ROM. I also need to get more understanding of some of the other vernacular, like what exactly a "dirty flash" is.
rajdude said:
firdyRAY, thanks a lot for the comprehensive reply to my questions. And yes, it has shed a LOT of light on my doubts.
I googled Sony RIC and dm-verity:
I could not find much on RIC.
Dm-verity seems to me a way to check if the boot image has been modified from the last boot, and if it has, stop from booting. Sounds like a good idea until we understand that to flash a ROM dm-verity needs to be bypassed/turned off.
So to compile what I have understood so far:
By unlocking the bootloader, you lose DRM keys. There is a way to back up DRM keys, which are in the TA partition, but this is to be done BEFORE you unlock the bootloader. Good that I have not done anything to my Z5c yet.
The next steps for me would be to look into XPower 3 ROM…which I did and here is what I found out:
http://forum.xda-developers.com/z5-compact/development/rom-xpower-v1-0-aroma-debloat-custom-t3371100
First, what's up with the scary looking warning in RED right at the top of the first thread. I did read the OP and the second post, I did not see anything in there which IF I missed will cause my phone to explode! That is probably posted to make noobs read all instructions, right?
Second, I do not see any step in there to back up the DRM / TA partition. I guess the dev is assuming the phone already has lost the DRM, right? So I gotta find instructions on how to back up DRM / TA.
Then I searched for problems in this ROM and seems to me that the fingerprint sensor is reported by many to be not working and/or buggy. I rely on the fingerprint sensor day and night. I have many apps which rely on that, like lastpass. That would be a major deal breaker for me.
So going back to stock ROM option…I remember you said "There's a guide that will teach you how to actually root and apply the work around after unlocking your bootloader and rooting."
Could you please post a link to that?
Thanks again!
Sony RIC is a layer of security for Sony ROMs so that they can protect NFC and fingerprint stuff. Samsung and HTC have their own variants as well.
Yes, lol, the big red lettering is there to make you read, although he's not far off on the melting-your-phone part; the S810 is ridiculously hot.
The XPower thread does not include the DRM backup instructions because: 1) you need the bootloader unlocked to flash it, and 2) it includes the DRM fix, so you don't have to back up your TA keys.
The fingerprint sensor bug is on any bootloader-unlocked phone: the hardware fails after x amount of hours and requires a reboot to work again. XPower is a stock ROM; the only things different are that it's pre-rooted, de-bloated, and deodexed for Xposed to work. We have a separate thread for the fingerprint sensor bug and it's been solved.
rajdude said:
firdyRAY, thanks a lot for the comprehensive reply to my questions. And yes, it has shed a LOT of light on my doubts.
I googled Sony RIC and dm-verity:
I could not find much on RIC.
Dm-verity seems to me a way to check if the boot image has been modified from the last boot, and if it has, stop from booting. Sounds like a good idea until we understand that to flash a ROM dm-verity needs to be bypassed/turned off.
So to compile what I have understood so far:
Sony RIC's main function is to disable writes to /system even when you have root permission (you are still able to write to /system, but after a reboot it will be restored to the original). There is a workaround but it is very troublesome; the TWRP recovery file manager can bypass Sony RIC (it worked for me in the old days, not sure about now). BTW, all 3rd-party kernels should have RIC disabled nowadays. For any regular computer there is no hardware or software lock to prevent you from gaining root access in Linux, but there are many such troublesome things in the Android world... lol
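A worked illustration of what dm-verity actually checks, added here as an example and not code from any poster, from Sony or from AOSP. dm-verity keeps a hash tree over the blocks of the read-only system partition: each block is verified against the tree on every read, and the tree's root hash is what the verified-boot chain trusts, so a modified block fails its check and a regenerated tree yields a different root. The toy below uses 64-byte blocks and a binary tree for brevity (real dm-verity hashes 4096-byte blocks and packs 128 digests per hash block); the salt, the sample image and every function name are constructed for this example.

```python
"""Toy model of a dm-verity hash tree (added example, not Sony's or AOSP's code)."""
import hashlib
import math

BLOCK_SIZE = 64              # toy size; real dm-verity hashes 4096-byte blocks
SALT = b"constructed-salt"   # dm-verity prepends a per-image salt to what it hashes


def _hash(data: bytes) -> bytes:
    return hashlib.sha256(SALT + data).digest()


def _blocks(image: bytes) -> list:
    """Split the image into fixed-size blocks, zero-padding the last one."""
    n = math.ceil(len(image) / BLOCK_SIZE)
    return [image[i * BLOCK_SIZE:(i + 1) * BLOCK_SIZE].ljust(BLOCK_SIZE, b"\0")
            for i in range(n)]


def build_tree(image: bytes) -> list:
    """Return the hash-tree levels, leaves first; levels[-1][0] is the root hash."""
    level = [_hash(b) for b in _blocks(image)]
    levels = [level]
    while len(level) > 1:
        nxt = []
        for i in range(0, len(level), 2):
            left = level[i]
            right = level[i + 1] if i + 1 < len(level) else left  # odd level: pair last node with itself
            nxt.append(_hash(left + right))
        level = nxt
        levels.append(level)
    return levels


def root_hash(image: bytes) -> bytes:
    """The value the boot chain would carry (signed) and trust."""
    return build_tree(image)[-1][0]


def verify_block(image: bytes, index: int, levels: list, root: bytes) -> bool:
    """Verify one block against the trusted root using the stored tree for siblings,
    the way dm-verity checks blocks lazily on read instead of hashing the whole device."""
    blocks = _blocks(image)
    if index >= len(blocks) or index >= len(levels[0]):
        return False
    node = _hash(blocks[index])
    for level in levels[:-1]:
        sib = index ^ 1
        sibling = level[sib] if sib < len(level) else level[index]   # mirrors build_tree's odd-level rule
        node = _hash(node + sibling) if index % 2 == 0 else _hash(sibling + node)
        index //= 2
    return node == root


if __name__ == "__main__":
    image = bytes(range(256)) * 3                 # constructed 768-byte "partition" = 12 blocks
    levels = build_tree(image)
    root = levels[-1][0]
    tampered = bytearray(image)
    tampered[100] ^= 0x01                         # flip one bit inside block 1
    print("block 1 clean:   ", verify_block(image, 1, levels, root))
    print("block 1 tampered:", verify_block(bytes(tampered), 1, levels, root))
    print("root changed:    ", root_hash(bytes(tampered)) != root)
```

This is why "disabling dm-verity" is a prerequisite for a modified /system: a patched kernel stops enforcing the check, whereas with enforcement on, any write to the partition produces blocks whose hashes no longer match the tree and the device refuses to read them (or to boot, depending on the configured mode).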
I'm running XPower 3.0 Full as a daily driver since June and been very happy. Battery life, stability and speed is good.
Please note that you MAY lose your warranty when you lose your DRM keys. That's why I didn't unlock my phone before there was a way to back up the TA partition. Now I've been through a warranty repair, and before it I was able to fully restore the stock ROM with DRM and all features fully functional. In my country there is only one Sony-approved repair center and they check DRM keys before repairing anything, even if it's a mechanical fault.
When I had the Z1c in KitKat days, it didn't have dm-verity and Sony RIC. It was possible to gain permanent root with the bootloader locked, so I was happily using the stock ROM and kernel. In the Z5c case, the first thing I tried was to do the same and it was possible (just back up TA, unlock the bootloader, and flash TWRP with a patched kernel (dm-verity and Sony RIC disabled) to begin with), but going the XPower way was much more comfortable: I didn't have to think about removing every bloat app. I just flashed the lite version in June and I'm using it to this day without any problems at all.
Another thing is that you lose OTA (Over-The-Air Update) functionality when you unlock bootloader and disable Sony RIC and dm-verity. Updating to newer versions of firmware, even on stock ROM is problematic when you modify it.
michuroztocz said:
Another thing is that you lose OTA (Over-The-Air Update) functionality when you unlock bootloader and disable Sony RIC and dm-verity. Updating to newer versions of firmware, even on stock ROM is problematic when you modify it.
It's simply not possible. If you are rooted you can't apply OTA updates and neither should you.
flopower1996 said:
It's simply not possible. If you are rooted you can't apply OTA updates and neither should you.
That's just what I wrote, just put in other words.
So, I cobbled together a (custom-recovery) flashable NC4 stock ROM.
I'm interested to find out whether it is possible to boot it successfully from later bootloader firmware - e.g. NK1, OB6, or OF1
(I'm still on NC4 bl and not planning on upgrading near term. It boots on NC4 bl but that's pretty obvious lol)
Q: Why would this be useful?
A: to provide a means for upgrading bootloader firmware without starting from scratch.
For instance, there are folks on OB6 firmware that would like to use a custom ROM that will only work on OF1 firmware. They can certainly start from scratch (backup and unload the entire device); an alternative would be to:
- Make a backup of an existing rooted ROM (that more than likely has a custom or modified boot image so is not bootable when the bootloader gets re-locked) using the currently-installed custom recovery (which will also be non-bootable under re-lock).
- Restore a (debloated) pure stock ROM w/ Samsung kernel. Root it with Towelroot (does not touch boot image)
- Flash replacement bootloader only in Odin. Locked bootloader = no custom recovery... but with a rooted stock ROM already in place with an unmodified stock kernel it can be immediately unlocked.
NC4 is easily rooted with Towelroot-v3 "on device". No need for PC drivers, online rooting tools with a separate PC, etc (e.g. as with Yemen rooting methods on OB6, OF1)
This approach in principle saves the need to back everything up in the /sdcard, but you have to know in advance that the NC4 stock kernel and ROM can successfully be booted with later bootloaders.
So anyway, that's what I'm asking for help testing with - folks that are: (a) unlocked and (b) on NK1, OB6 or OF1 bootloader willing to try flashing a debloated NC4 Stock ROM using their existing custom recovery, and see if it boots, roots, and if root survives a single boot cycle.
Contact me via this thread or PM; I'll provide the flashable NC4 and the Towelroot .apk
.
My N900V came with 5.0 OF1, but I rooted, unlocked the BL, installed TWRP and FlashFired the NC4 tar minus recovery.
Runs smooth. I hate Lollipop. lol
Only bug is the Wi-Fi password resets every time I reboot.
I'm curious as to why I have trouble running certain NC2/NC4 ROMs... some want to bootloop/freeze:
Baja, Biggins, and Objective ROM.
Kernel issue maybe? Or BL version?
BTW, I am rooted via Towelroot v3.
hotrod85z said:
My N900V came with 5.0 OF1, but I rooted, unlocked the BL, installed TWRP and FlashFired the NC4 tar minus recovery.
Runs smooth. I hate Lollipop. lol
Thank you for posting that, very useful/helpful information to know.
Does Flashfire understand the Samsung "sparse" image format of the system.img.ext4 file inside the Stock (Odin) .md5 tarfile blob? Or maybe somebody else packaged up a "flashable .zip" of NC4?
hotrod85z said:
Only bug is the Wi-Fi password resets every time I reboot.
in /system/build.prop, set ro.securestorage.support=false and reboot. You might also want to set ro.config.tima=0 as well.
I suspect that mixing and matching Samsung kernels with bootloader versions breaks something in the TrustZone, and so secure containers and other sort-of-obscure security functions no longer work as the TZ smells something fishy. I am using a rooted PL1 ROM on the NC4 BL and it would spontaneously reboot (infrequently) until I made the above changes; it's been rock stable for about 4 days now. Why this works I can't really say; it's a "generation skipping" bootloader and stock ROM combination, an N* bootloader and a P* ROM.
hotrod85z said:
I'm curious as to why I have trouble running certain NC2/NC4 ROMs... some want to bootloop/freeze:
Baja, Biggins, and Objective ROM.
Kernel issue maybe? Or BL version?
BTW, I am rooted via Towelroot v3.
all of the above or none of the above LOL
There are definitely some mysteries here, and I don't claim to fully understand the interdependence of the TZ (== bootloader firmware), the TIMA and RTKP stuff in the kernel, and the cross-communication between kernel and TZ via the qseecom service daemon (which is in the ROM in /system/bin) much less how the APIs of all these interfaces might have changed between major releases.
You could check those two build.prop settings in those ROMs for starters though. I suspect that if the TZ smells something fishy (e.g. a kernel TIMA to TZ info mismatch), a variety of secure credential services in the TZ stop working. It is possible that "ro.securestorage.support" is a toggle that attempts to use TZ services when it is set to "true", and so anything in the ROM which builds on it breaks because the TZ is refusing to play on an otherwise "stock" ROM variant.
FWIW I got the AryaMod (S7 Edge MM port) + phantom kernel running on NC4 BL + OF1 modem for a full 24 hours after I disabled the qseecom service daemon. It ran long enough that I had customized the whole thing as a daily driver with all my apps, verified that all sensors & radios worked, made test calls, etc. Rebooted it and the kernel started getting reset by a "Modem Reset". Even weirder was that despite the use of the OF1 "modem" firmware, the kernel was reporting a bunch of RIL "unknown ioctls". Strikes me as odd that the whole thing could run that long with so many different things happening, and then the "modem" is unhappy, even though other folks are using the ROM with OF1 BL + OF1 radio/modem firmware. (As if the "modem" isn't really the source of the problem, even though that's what initiates the device reset.)
.
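For the question above about whether a flashing tool understands the Samsung "sparse" system.img.ext4: that file is AOSP's sparse image format (magic 0xed26ff3a, a 28-byte file header, then chunks of type raw, fill, don't-care or CRC32, each with a 12-byte chunk header), the same format fastboot and AOSP's simg2img consume. The block below is an added example, not bftb0's or any poster's code and not FlashFire's: a parser that expands a sparse image to raw bytes while refusing chunks that overrun the file or the declared output size, which is the kind of check a flashing tool must make before writing to a partition. pack_sparse exists only to construct the sample input; pack_sparse, sample_image and unsparse are names introduced here.

```python
"""Parser for the Android/Samsung sparse image format (added example, not any poster's code)."""
import struct
import zlib

SPARSE_MAGIC = 0xED26FF3A
CHUNK_RAW, CHUNK_FILL, CHUNK_DONT_CARE, CHUNK_CRC32 = 0xCAC1, 0xCAC2, 0xCAC3, 0xCAC4
# magic, major, minor, file_hdr_sz, chunk_hdr_sz, blk_sz, total_blks, total_chunks, image_checksum
FILE_HDR = struct.Struct("<IHHHHIIII")   # 28 bytes
# chunk_type, reserved, chunk_sz (in output blocks), total_sz (bytes, including this header)
CHUNK_HDR = struct.Struct("<HHII")       # 12 bytes


def pack_sparse(chunks, blk_sz=4096) -> bytes:
    """Build a sparse image from (type, nblocks, payload) tuples. Only used here to
    construct sample input; RAW payload is nblocks*blk_sz bytes, FILL payload is a 4-byte pattern."""
    body, expected, total_blks = bytearray(), bytearray(), 0
    for ctype, nblocks, payload in chunks:
        if ctype == CHUNK_RAW:
            expected += payload
        elif ctype == CHUNK_FILL:
            expected += payload * (nblocks * blk_sz // 4)
        elif ctype == CHUNK_DONT_CARE:
            payload = b""
            expected += b"\0" * (nblocks * blk_sz)   # CRC counts don't-care regions as zeros
        else:
            raise ValueError("pack_sparse only emits data chunks")
        body += CHUNK_HDR.pack(ctype, 0, nblocks, CHUNK_HDR.size + len(payload)) + payload
        total_blks += nblocks
    crc = zlib.crc32(bytes(expected))
    body += CHUNK_HDR.pack(CHUNK_CRC32, 0, 0, CHUNK_HDR.size + 4) + struct.pack("<I", crc)
    hdr = FILE_HDR.pack(SPARSE_MAGIC, 1, 0, FILE_HDR.size, CHUNK_HDR.size,
                        blk_sz, total_blks, len(chunks) + 1, crc)
    return hdr + bytes(body)


def unsparse(data: bytes) -> bytes:
    """Expand a sparse image to the raw partition image; raise ValueError on anything malformed."""
    if len(data) < FILE_HDR.size:
        raise ValueError("truncated file header")
    (magic, major, _minor, file_hdr_sz, chunk_hdr_sz,
     blk_sz, total_blks, total_chunks, _checksum) = FILE_HDR.unpack_from(data, 0)
    if magic != SPARSE_MAGIC:
        raise ValueError("not a sparse image")
    if major != 1:
        raise ValueError(f"unsupported major version {major}")
    if file_hdr_sz < FILE_HDR.size or chunk_hdr_sz < CHUNK_HDR.size:
        raise ValueError("header sizes smaller than the format allows")
    if blk_sz == 0 or blk_sz % 4:
        raise ValueError("block size must be a non-zero multiple of 4")
    out_limit = total_blks * blk_sz
    out = bytearray()
    pos = file_hdr_sz
    for _ in range(total_chunks):
        if pos + chunk_hdr_sz > len(data):
            raise ValueError("truncated chunk header")
        ctype, _res, chunk_blocks, total_sz = CHUNK_HDR.unpack_from(data, pos)
        payload_len = total_sz - chunk_hdr_sz
        if payload_len < 0 or pos + total_sz > len(data):
            raise ValueError("chunk overruns the file")        # never trust total_sz blindly
        payload = data[pos + chunk_hdr_sz:pos + total_sz]
        out_len = chunk_blocks * blk_sz
        if len(out) + out_len > out_limit:
            raise ValueError("chunk exceeds declared image size")  # would write past the partition
        if ctype == CHUNK_RAW:
            if payload_len != out_len:
                raise ValueError("raw chunk payload does not match its block count")
            out += payload
        elif ctype == CHUNK_FILL:
            if payload_len != 4:
                raise ValueError("fill chunk needs a 4-byte pattern")
            out += payload * (out_len // 4)
        elif ctype == CHUNK_DONT_CARE:
            if payload_len != 0:
                raise ValueError("don't-care chunk carries data")
            out += b"\0" * out_len
        elif ctype == CHUNK_CRC32:
            if payload_len != 4 or chunk_blocks != 0:
                raise ValueError("malformed CRC32 chunk")
            (want,) = struct.unpack("<I", payload)
            if zlib.crc32(bytes(out)) != want:
                raise ValueError("CRC32 mismatch")
        else:
            raise ValueError(f"unknown chunk type 0x{ctype:04x}")
        pos += total_sz
    if len(out) != out_limit:
        raise ValueError("output size does not match header")
    return bytes(out)


def sample_image(blk_sz=4096) -> bytes:
    """Constructed 4-block image: one raw block, two fill blocks, one don't-care block."""
    return pack_sparse([(CHUNK_RAW, 1, b"A" * blk_sz),
                        (CHUNK_FILL, 2, b"\xef\xbe\xad\xde"),
                        (CHUNK_DONT_CARE, 1, b"")], blk_sz)


if __name__ == "__main__":
    raw = unsparse(sample_image())
    print(f"expanded {len(sample_image())} sparse bytes to {len(raw)} raw bytes")
```

The don't-care chunk is the part tools get wrong: it means "leave whatever is on the device", so a flasher that zero-fills it (as this expander does, for a file on disk) behaves differently from one that skips the write, and a tar containing a sparse system.img.ext4 cannot simply be dd'd to the partition.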
I initially tried flashing the NC4 full tar via Odin, but even with the BL unlocked I got FAIL. FlashFire worked!
Very curious as to whether a custom N900V kernel would boot my 4.4.2 custom ROMs... it's either that or the BL isn't compatible with non-TouchWiz ROMs....
Most of the kernel/modem/firmware links on here are 404 dead links. Would be nice to see an up-to-date sticky. I'll flash anything as long as I don't end up in JTAG mode with a brick. lol
I've played with the Verizon S5, AT&T S2, Galaxy Captivate, Atrix 4G and many other phones.
The S2 is still by far the fastest, smoothest phone on CM7. The newer the phones, the newer the OS, the bigger the resource hogs ("RAM"). I'm a minimalist...
Even after flashing the NC4 official full tar, I'm still showing the OF1 baseband under Settings.
@hotrod85z
FWIW I posted a bunch of recovery-flashable stock ROMs here.
There is also a link in that thread to a complete set of (Odin flashable) modems for NC4, NJ6, NK1, OB6, OF1, and PL1 if that is of interest to you.
Maybe I wasn't paying attention, but I could swear that on at least one occasion or two when I performed an Odin modem flash, it didn't "stick", despite no complaints on the handset screen or in Odin; the next boot showed the (prior) baseband version, not what I flashed. It's a bit of a mystery to me; but for now I've resolved to make sure that after the Odin session is complete, I wait 30 seconds or so, then remove the USB cable, and then pull the battery rather than try to restart the device by holding buttons down. It is possible that those events occurred when I soft-restarted the phone, but I'm not sure. For now I'm just trying to always flash and restart with exactly the same method to avoid different behaviors from creeping in.
PS I have no idea if those ROM flashables are compatible with Flashfire. They might be, but I've never tested it, and as they are not pre-rooted I'm not going to suggest it for fear that somebody with a rooted but locked (bootloader) phone will try using flashfire and then end up with a phone that needs a full Odin re-install. Appearances are that each version of the bootloader restricts the Samsung signing verification to only the matching kernel version - you can't even boot a Signed samsung kernel on a locked phone if it is a different version than the bootloader's version.
Hello all, I have an eMMC-exploit Note 3 I'm using here, and I wanted to flash different radios for the US carrier Note 3s. I first tried to use FlashFire to try to update the modem, but even that didn't stick. Because I don't readily have a PC available, I wasn't ballsy enough to flash a different carrier modem, since I checked the Odin screen and saw that instead of a bootloader unlock, it's in developer mode, and I didn't want a brick. So overall my question is: do I need an unlocked bootloader to flash different modems, and do I need Odin to do it, or will some sort of Mobile Odin or something do it? Thanks mates and happy flashing.
Dlind said:
Hello all, I have an eMMC-exploit Note 3 I'm using here, and I wanted to flash different radios for the US carrier Note 3s. I first tried to use FlashFire to try to update the modem, but even that didn't stick. Because I don't readily have a PC available, I wasn't ballsy enough to flash a different carrier modem, since I checked the Odin screen and saw that instead of a bootloader unlock, it's in developer mode, and I didn't want a brick. So overall my question is: do I need an unlocked bootloader to flash different modems, and do I need Odin to do it, or will some sort of Mobile Odin or something do it? Thanks mates and happy flashing.
Well, your question is way off topic for this thread.
But since nobody is in here anyways, I guess I'll answer the parts that I am able to.
The modems that I posted over in that other thread were meant to be flashed in Odin using a PC. You can use either the AP slot or CP slot. Note that the very first post says - in big bold blue letters "Odin-flashable Modems".
Not flashfire. It never said anything about flashfire.
Is there such a thing as MobileOdin? If there is, I know nothing about it and certainly have never tested anything with it. So I don't know and am not going to speculate.
You said something confusing here:
Dlind said:
I checked the Odin screen and saw that instead of a bootloader unlock, it's in developer mode
If it says "MODE: Developer" you have an unlocked bootloader. Which is exactly the same thing as a Developer Edition phone.
If you were to use a PC with Odin and you flashed a FULL Stock firmware flash, yes it would overwrite the unlocked bootloader and indeed re-lock the phone. If you were able to re-root that (stock) ROM, you could perform the unlocking procedure again to unlock it.
On the other hand, those Odin-flashable modem packages do not contain the bootloader firmware, so if you were to use Odin on a PC to flash just those modem images, your bootloader would not get re-locked - the unlocked bootloader is still there, untouched.
When the carriers issue an OTA update, many times (perhaps most of the time) they contain a modem update (NON-HLOS.bin and modem.bin). So it is obvious that they are able to be flashed **somehow** right on the phone, without using Odin from the PC or an "Odin app" at all.
BUT that happens using a combination of the STOCK recovery and the bootloader itself during the reboot following the actions taken by the STOCK recovery. (My guess is that the recovery simply "stages" it into place, and sets some flags so that the bootloader knows that it is supposed to evaluate the crypto signatures of the file blobs that the recovery put into place and it is actually the bootloader that does the flashing. That's really not a whole lot different than what happens when you transfer files from Odin to the phone - the "Odin/Download" mode is just one of the personalities of the bootloader. (Odin is actually a rather dumb program - it's the bootloader on the phone that gets to decide whether a flash happens. It does that by carefully examining the file blob that gets transferred, e.g. crypto signature checks)
My guess is that you would be able to flash STOCK modem packages from Odin (using a PC) independent of whether the bootloader is locked or unlocked. But as I said: "guess".
I don't have a second phone to test with, so I would have to flash completely back to stock and lock my bootloader to be able to test that hypothesis. That's a big job because of all the crap I have to back up and restore to my phone.
Frankly, if you don't have access to a PC, and you really need your device to keep working, I would advise you to stop screwing around with it, simply because you don't have good tools available to fix it if a disaster occurs.
PS. I've never once noticed anything different between various radio firmwares on ANY device I've ever owned.
bftb0 said:
Well, your question is way off topic for this thread.
But since nobody is in here anyways, I guess I'll answer the parts that I am able to.
The modems that I posted over in that other thread were meant to be flashed in Odin using a PC. You can use either the AP slot or CP slot. Note that the very first post says - in big bold blue letters "Odin-flashable Modems".
Not flashfire. It never said anything about flashfire.
Is there such a thing as MobileOdin? If there is, I know nothing about it and certainly have never tested anything with it. So I don't know and am not going to speculate.
You said something confusing here:
If it says "MODE: Developer" you have an unlocked bootloader. Which is exactly the same thing as a Developer Edition phone.
If you were to use a PC with Odin and you flashed a FULL Stock firmware flash, yes it would overwrite the unlocked bootloader and indeed re-lock the phone. If you were able to re-root that (stock) ROM, you could perform the unlocking procedure again to unlock it.
On the other hand, those Odin-flashable modem packages do not contain the bootloader firmware, so if you were to use Odin on a PC to flash just those modem images, your bootloader would not get re-locked - the unlocked bootloader is still there, untouched.
When the carriers issue an OTA update, many times (perhaps most of the time) they contain a modem update (NON-HLOS.bin and modem.bin). So it is obvious that they are able to be flashed **somehow** right on the phone, without using Odin from the PC or an "Odin app" at all.
BUT that happens using a combination of the STOCK recovery and the bootloader itself during the reboot following the actions taken by the STOCK recovery. (My guess is that the recovery simply "stages" it into place, and sets some flags so that the bootloader knows that it is supposed to evaluate the crypto signatures of the file blobs that the recovery put into place and it is actually the bootloader that does the flashing. That's really not a whole lot different than what happens when you transfer files from Odin to the phone - the "Odin/Download" mode is just one of the personalities of the bootloader. (Odin is actually a rather dumb program - it's the bootloader on the phone that gets to decide whether a flash happens. It does that by carefully examining the file blob that gets transferred, e.g. crypto signature checks)
My guess is that you would be able to flash STOCK modem packages from Odin (using a PC) independent of whether the bootloader is locked or unlocked. But as I said: "guess".
I don't have a second phone to test with, so I would have to flash completely back to stock and lock my bootloader to be able to test that hypothesis. That's a big job because of all the crap I have to back up and restore to my phone.
Frankly, if you don't have access to a PC, and you really need your device to keep working, I would advise you to stop screwing around with it, simply because you don't have good tools available to fix it if a disaster occurs.
PS. I've never once noticed anything different between various radio firmwares on ANY device I've ever owned.
Thanks SOOOOOO MUCH for your input. I kinda had a feeling that the idea was risky at first and I don't know a whole lot about Odin, and I wish Samsung could have created something much easier to use, but thanks for answering the wayyyyy off topic question. I'm gonna smash that thanks button. I'm also going to take the advice on not cross flashing different modems, it's just too risky. You answered all my questions so thanks. Also I want to say thank you for your continued work on this phone; by normal terms it is "old" now but in reality it's still an amazing phone with the right custom software, and happy flashing!
Important notice! : iLLNiSS made me aware of a serious risk!
If you play with the firmwares manually and not with the flash all bat then DO NOT flash the blobs!
These are the actual bootloader files and stuffing up here will cause a hard brick!
I have to stress this as it is serious, thanks to not having working APX drivers and flashing programs for the Shield!
For starters, I uploaded a copy of the 7.2 developer firmware here:
7.2 developer ZIP on Dropbox
It is the full 1.1Gb update and not the 422mb block based one.
I have done some extensive tests since the first block based update wrecked my rooted Shield.
Some of it will end up in this post as info for everyone.
But lets start with what seems to be the problem for a lot of users right now who run a rooted Shield : Fixing the problem
A downgrade is officially not supported by Nvidia but my tests showed it works just fine if you only go back to the 7.1.
So far my tests showed different sources for a Shield no longer working after the OTA.
1. The device had an unlocked bootloader and you got the 422mb block update.
This would have stuffed your bootloader and the Shield won't go past 1/4 on the progress bar for the update.
You are in luck as just flashing the 7.1 bootloader will fix it.
After that just dismiss the update and change the settings to manual updates.
2. Your device was already fully rooted and you got the full update that resulted in your Shield doing all sorts of thing but nothing properly anymore.
As long as your apps are still there and the Shield is still somehow usable you are lucky again.
A downgrade to 7.1 will fix it, I will explain the steps required further down.
3. You made big mods, used Magisk or other rooting tools and now your Shield complains that your system is corrupt.
Bad luck if your bootloader is locked as you lose it all.
Lucky if the bootloader is unlocked as you might be able to keep most if not all during the downgrade.
General words of warning:
Even if your bootloader was unlocked from day one I can not guarantee that the downgrade will keep all settings, apps, databases and so on.
For me it works fine as I kept all vital databases on external storage.
The procedures are all based on the developer firmware, on the stock firmware some things can still be done but then again you should not have more than software problems.
On the stock firmware the bootloader is locked by default and you can't use some of the things required to downgrade due to the restrictions of a stock system.
General downgrade procedure for the developer firmware to get back to 7.1 :
If the update got stuck on the progress bar early on and a reboot won't fix it so you can dismiss the update, you just follow the steps.
If you can reboot into the 7.1 then just dismiss the update.
Trust issues or corruption warnings at boot but an otherwise working Shield on 7.1 require flashing the 7.1 bootloader again.
In some cases it is possible to skip the corruption warning with a connected controller.
A reboot once you got to the homescreen will determine how bad it is.
Reboot goes fine: You are good.
Reboot keeps nagging with warnings other than the unlocked bootloader: Downgrade.
The downgrade is only required if you have problems or the Shield already runs on the 7.2!
In almost all other cases just flashing the 7.1 bootloader is sufficient.
Fixing a stuffed Shield by sideloading the 7.1 firmware while keeping all apps and things:
Enable USB debugging and allow the connections for the computer if you still have access to the settings.
Otherwise you need to flash the 7.1 fresh and might lose vital things that need to be installed again.
Reboot into the stock recovery, if you use TWRP flashed on the Shield already then please flash the recovery from the 7.1 firmware first.
Hook up the controller and pressing A or B should get you into the normal recovery screen past the dead droid.
ADB sideload XXX - where the xxx stands for the filename you have for the developer ZIP.
After the reboot you should be back on your 7.1 homescreen and can dismiss the 7.2 update.
Also change the update settings while at it
Fixing a fully stuffed Shield and then downgrading to the 7.1 firmware:
If all went down south then you tried a few things and realised there is no way to get your data back and even less to prevent the 7.2 update.
Installing the 7.1 from scratch forces the setup wizard and before you can get anywhere you need to update to 7.2
So much easier to use the linked 7.2 update from above until Nvidia provides it on their download servers.
A vital thing to do is to keep the bootloader locked!!
Same for NOT having TWRP installed on the Shield!
If in doubt flash the 7.1 boot and recovery partitions first then go back into the stock recovery and wipe the cache.
Coming from a stock developer firmware with just an unlocked bootloader you are good to go.
Sideload the 7.2 update.
Unplug when the reboot starts and go into fastboot to lock the bootloader: Fastboot oem lock.
This is a vital step as the new kernel otherwise could ruin the completion of the install.
Ignore the double hassles and go through the wizard so you can enter the settings again to enable the developer mode and USB debugging.
Unlock the bootloader so you can do it all again. Last time, I promise!
Once you have both the bootloader unlocked AND the Shield in a usable condition past the setup wizard:
Reboot into the recovery to sideload the 7.1 firmware.
After the next reboot you are back on the 7.1 homescreen directly and can dismiss the update.
Possible tricks that can help you to prevent the installation of the 7.2 update if you come from a fresh 7.1 install instead:
Don't allow the reboot and instead use ADB to reboot into the recovery.
Wipe the cache - this will remove the scripts required to start the update after the reboot.
The next reboot should bring you back to the homescreen where you can stop the new download of the update and change the update settings.
TWRP, full root and new security measures in 7.2:
The 4.9 kernel used also makes use of a Fstab configuration that no longer includes the system partition.
This and other restrictions currently make the normal use of Magisk impossible.
With no system partition available to Magisk the changes in the boot process come to a stop and the Shield gets stuck during boot.
The added restrictions also make it very, very hard to manually add SU and busybox.
At least without getting the corrupt system popup on every boot and finding out that a lot of things still don't work properly.
A final 7.2 firmware is said to be available on the download servers today.
If this final is no different from the current OTA then it will not be of any use for users requiring a fully rooted devices.
With the stock recovery still using the old kernel all attempts to use recovery functions to alter the system for rooting fail as well.
Can't blame the company as all this is part of Google's revamp of security and closing backdoors and loopholes for possible attackers.
Personally I think it is Googles way of keeping control over devices they don't actually own.
Anyways I did make some little progress:
Plans for the near future:
Security is good but I like to know what my Android devices are doing and especially what Google likes to collect if I can not find ways to stop it.
So I will not try to use any backdoors or security vulnerabilities in the new kernel to allow a full root on my Shield.
I will go the route I know best: Manual labour
The bootloader is already fixed to allow what we are used to from previous developer firmwares.
As SU and busybox can not be manually entered at this stage I will try to include them directly in the stock 7.1 firmware while renaming the OTA updater to have it a bit easier.
Assuming that works as expected I will do the same on the 7.2 firmware and compare the corresponding scripts and so on.
If the standard SU still works on an "unlocked" 7.2 I should be able to adjust the Magisk ZIP accordingly to implement it into the bootloader.
Only need to figure out if Magisk then has enough rights to work and the system is still happy to accept the changes.
I only have the 16Gb 2017 model to work with but since the bootloader seems to be the same for all Shield models I think if it works then it should do so for all models.
In the meantime I hope the info here will help some people to get their Shield back without the need to send it in.
Update 25/12/18: I got TWRP working on 7.2
This is only true for the 2017 model though as I have only this for testing.
Currently creating a backup to the internal storage.
If the restore works then I will upload the new TWRP - for the said model only!
Give me a day or two to fix it for the other models too.
There is progress on the rooting front as well.
Created new scripts for my kitchen to be able to handle the new file_context thing.
A fully pre-rooted and totally insecure (in terms of ADB, DM-verity and such) firmware is already cooked, just did not dare yet to try it out as I have a real life job too.
As for the pre-rooted firmware:
Things have changed quite a bit with the new kernel in terms of "just adding SU or Magisk".
Magisk might see an update for this problem soon, SU however seems to totally fail on two levels.
So far I was unable to do a full install of the modded firmware.
Flashed all at once and the boot just hangs.
Bootloader, reboot, then the rest seems to work.
At least for the basic install of the system.
If I add SU and busybox the system still ends up with a corrupt notice during boot and then it fails.
Tune in over the next few days for progress updates at the end of the thread.
Major developments will be added right here.
Just a matter of finding the last restrictions.
Once that is done Magisk should be possible as well.
Ok, TWRP boot fine, does a backup but fails to restore the system to a bootable state.
Will now check if at least installing a zip works.
Well, it did not, so TWRP has to wait a few more days
I edited post 3 with instructions on how to "unbrick" and go back to 7.1.
Update 27/12/18: A friend of mine found some interesting stuff.
A 7.2 firmware offering a pure Android without any TV stuff but also a full root possible.
I hope he will share his finding here soon or allow me post it all in his name.
For now lets just say: It really works if done the right way!
Full write rights, installing Magisk modules and all.
All thanks to an undocumented flaw in the device security structures, so even without any hidden backdoors or such LOL
Update: Whiteak was so kind to provide a working root solution in post 36, please check it.
I can confirm it is working as promised.
So the credits for this one go to Whiteak and the credits for the idea and use of the DTB file to Zulu99 - great idea!
To prevent any problems I advise to perform a factory wipe after the install and before the first boot.
Switch to the stock recovery to do this then boot as normal an enjoy.
A complete firmware with the required mods is sitting on my PC just waiting for the idiot behind the keyboard to figure out how to pack it properly for flashing.
Once that problem is sorted and also TWRP working again things will get a lot easier.
Annoying update:
I was not able to confirm my web findings on the 7.2 firmware's bootloader but it seems other devices running the same type of kernel and bootloader are a bit lost now.
AVB is fully implemented on the latest level.
(Again I am working on confirming or denying these findings!)
This means any alteration to vital parts of the system will fail with a corruption warning or worse.
Custom recovery access is limited if not fully restricted.
But even if it works you still need a firmware to flash that either is able to disable all this crap, hoping the bootloader alone will allow it, or
to hope Nvidia will provide a future bootloader update with these restrictions removed.
We can not downgrade the bootloader and even if there is some old one out there that would actually be flashable the risk is high to end with a brick anyway.
The DTB, at least in my tests, gives us the required system wide write access but I have no information about the AVB verified boot other than that Zulu99's firmware works.
But if it was compiled with the NVidia developer suite then it will be signed accordingly so the bootloader accepts it.
Could not find any info on how his firmware was actually created.
It gives me the hope though that once I have a fully working TWRP again that my modded 7.2 will work as expected and with no restrictions anymore.
Thanks for the info.
Edit: Will use this post to list options to recover the Shield is all seems lost.
As a result of far too much rom cooking and mods I needed a 100% working way to recover the Shield in case things turn very ugly.
So lets sum up what I define as very ugly when playing with firmwares:
1. Firmware installed but the Shield just hangs on the logo.
2. Firmware installed and now the system is corrupt and even if it boots it takes forever to get around the nag screens.
3. Firmware downgrade attempted but now the Shield won't even boot anymore.
4. Anything that would qualify for a soft brick.
My worst case was when I only got a flashing white screen after trying to restore a TWRP backup under 7.2.
There are many ways that work for a variety of boot problems but it takes too long to list all cases I encountered with a list of fixes that work or a comment that only the below way works.
So just to be clear here: This is not for any recovery purpose other than fixing what can't be fixed through a factory reset or fresh flashing of the firmware!
1. Get the Shield into Fastboot mode: Connect wired controller and male to male USB cable.
2. Power the Shield up while holding A and B on the controller.
Keep holding until you see the fastboot menu on the screen.
3. Install the 7.1 recovery firmware for your Shield type after unpacking it.
With Fastboot connection working type: flash-all.bat and hit enter.
4. Keep an eye on the progress!
5. Once the Shield is finished and reboots, hold the A and B buttons on the controller again to enter fastboot mode!
Do not let the Shield boot up other than into the fastboot mode!
6. Lock the bootloader! Fastboot oem lock
Confirm with the controller, then go down and select the recovery kernel.
7. Once the dead droid is on the screen press B on the controller to enter the real recovery.
If B does not work try A
8. Select the factory reset option to wipe all!
9. Once the wipe is done you can boot into 7.1 as normal again.
10. With a bit of chance you might even get directly to the homescreen if the previous setup was completed.
If you need the full setup wizard again and are forced to update to 7.2 then at least the update will work fine this time around.
In case you desire to go back to the 7.1:
If you just finished the above only to end with the 7.2 then set it up and flash the 7.1 - you won't get the setup wizard again and can skip the update.
If you are on a working 7.2 that was updated the OTA way but want to go back:
1. Install the 7.1 firmware.
2. Lock the bootloader.
3. Boot and then skip the update to 7.2.
Any idea what to do if the Shield sticks at the NVidia logo when you select Recovery from Fastboot? I reflashed boot and got the same result.
psycho_asylum said:
Any idea what to do if the Shield sticks at the NVidia logo when you select Recovery from Fastboot? I reflashed boot and got the same result.
It won't work from fastboot.
Fastboot operates on a different level and calling the recovery from there lets it end up in nowhere with no access to the system.
You need to boot into recovery through ADB as (for the new model) without a power button and usable hardware buttons we can't get into it otherwise.
Having said that, the fastboot way should still work with an unmodified bootloader.
When the dead droid is on the screen the recovery should be available after pressing the A button on the wired up controller.
But during my tests on 7.2 it did not always work, so you might have to try a few times and also try the B button.
Downunder35m said:
It won't work from fastboot.
Fastboot operates on a different level and calling the recovery from there lets it end up in nowhere with no access to the system.
You need to boot into recovery through ADB as (for the new model) without a power button and usable hardware buttons we can't get into it otherwise.
Having said that, the fastboot way should still work with an unmodified bootloader.
When the dead droid is on the screen the recovery should be available after pressing the A button on the wired up controller.
But during my tests on 7.2 it did not always work, so you might have to try a few times and also try the B button.
I have not been able to get to the dead droid screen.
Downunder35m said:
For starters, I uploaded a copy of the 7.2 developer firmware here:
7.2 developer ZIP on Dropbox
It is the full 1.1Gb update and not the 422mb block based one.
(snip)
Thanks for posting this, but please note that this firmware is only for the 2017 16GB model and cannot be used with a 2015 or Pro model.
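The model warning above is exactly what the stock recovery enforces when it reads the package's metadata. As an added example that is not code from this thread or from NVIDIA, the Python below does the same pre-flight check on the PC before you type `adb sideload`: it parses the `META-INF/com/android/metadata` key=value file that Android OTA zips carry, compares `pre-device` with the device codename you got from `adb shell getprop ro.product.device`, checks whether the package is the full (`ota-type=FILE`) or block-based (`ota-type=BLOCK`) kind, and flags an incremental package (one with a `pre-build` fingerprint). The zips, codename `examplebox` and fingerprints are constructed for the demo; the assumption that `pre-device` can list several codenames separated by `|` is marked in the code.

```python
"""Pre-flight check of an Android OTA zip before `adb sideload`.

Android OTA packages carry a key=value text file at
META-INF/com/android/metadata that the stock recovery reads to decide whether
the package applies to the device. Reading the same file on the PC first
catches a package built for another device codename, a block-based package
when the full one was wanted, or an incremental package that needs an exact
pre-build on the device. The packages built here are constructed for the demo.
"""
import io
import zipfile

METADATA_PATH = "META-INF/com/android/metadata"


def read_ota_metadata(zip_bytes: bytes) -> dict:
    """Parse the metadata entry of an OTA zip into a dict."""
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        raw = zf.read(METADATA_PATH).decode("utf-8")
    meta = {}
    for line in raw.splitlines():
        if "=" in line:
            key, value = line.split("=", 1)
            meta[key.strip()] = value.strip()
    return meta


def check_ota(zip_bytes: bytes, device: str, want_type: str = "FILE") -> list:
    """Return a list of reasons not to sideload; an empty list means the checks passed.

    `device` is the value of `adb shell getprop ro.product.device`.
    `want_type` is the ota-type expected: FILE (full, file-based), BLOCK
    (block-based) or AB (A/B payload).
    """
    problems = []
    try:
        meta = read_ota_metadata(zip_bytes)
    except KeyError:
        return ["no %s entry: not an Android OTA package" % METADATA_PATH]

    # Assumption: pre-device may list several codenames separated by '|';
    # a single codename is the usual case.
    allowed = [d for d in meta.get("pre-device", "").split("|") if d]
    if device not in allowed:
        problems.append("package is for %s, device is %s" % (allowed or "<unknown>", device))

    ota_type = meta.get("ota-type", "<missing>")
    if ota_type != want_type:
        problems.append("ota-type is %s, expected %s" % (ota_type, want_type))

    if "pre-build" in meta:
        # Only present in incremental packages; recovery refuses them unless the
        # device's current build fingerprint matches this value exactly.
        problems.append("incremental package: device must be on build %s" % meta["pre-build"])

    return problems


def make_sample_zip(metadata: str) -> bytes:
    """Build a minimal OTA-shaped zip in memory (constructed sample, not a real package)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr(METADATA_PATH, metadata)
        zf.writestr("payload.bin", b"\0" * 16)  # stand-in for the real update payload
    return buf.getvalue()


# Constructed metadata; the codename and fingerprints are placeholders.
FULL_METADATA = (
    "ota-type=FILE\n"
    "pre-device=examplebox\n"
    "post-build=vendor/examplebox/examplebox:8.0.0/ABC123/100:user/release-keys\n"
    "post-timestamp=1545000000\n"
)
INCREMENTAL_BLOCK_METADATA = (
    "ota-type=BLOCK\n"
    "pre-device=examplebox\n"
    "pre-build=vendor/examplebox/examplebox:8.0.0/ABC122/99:user/release-keys\n"
    "post-build=vendor/examplebox/examplebox:8.0.0/ABC123/100:user/release-keys\n"
    "post-timestamp=1545000000\n"
)


def demo():
    """Run the check against the two constructed packages."""
    full = make_sample_zip(FULL_METADATA)
    incremental = make_sample_zip(INCREMENTAL_BLOCK_METADATA)
    return (
        check_ota(full, "examplebox"),         # []
        check_ota(incremental, "examplebox"),  # wrong type and incremental
        check_ota(full, "otherbox"),           # wrong device
    )


if __name__ == "__main__":
    for result in demo():
        print(result or "OK to sideload")
```

Feed `check_ota()` the bytes of the real zip and the codename from `getprop`, and only sideload when it returns an empty list. The codename check catches a package for a different model line; it does not replace reading the thread's warnings about which storage variant a given firmware was taken from.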
I just got a 7.2.1 update that forced me to update. Wouldn't give me an option to skip it... As soon as I turned on my Shield, it said something about the 7.2.1 update and then rebooted and installed.
I was holding off on updating too so I didn't lose root. Now I'm unrooted and am unable to get Magisk working again until I can get my hands on a 7.2.1 bootloader... Bleh.
Weird, I am not getting the 7.2.1 at all here.
And since yesterday the OTA only tries the block based but not the full image.
AthieN said:
I just got a 7.2.1 update that forced me to update. Wouldn't give me an option to skip it... As soon as I turned on my Shield, it said something about the 7.2.1 update and then rebooted and installed.
I was holding off on updating too so I didn't lose root. Now I'm unrooted and am unable to get Magisk working again until I can get my hands on a 7.2.1 bootloader... Bleh.
I was able to downgrade using the 7.2 image after setting up the device on 7.2.1 OTA just make sure you disable automatic updates
Thanks downunder, this kind of in-depth info is always appreciated man........i like to learn these kind of things, having bits here and bits there gives a better picture of the whole, while also giving us up to date current info.
Thanks for taking the time to write this :good:
---------- Post added at 07:35 AM ---------- Previous post was at 07:27 AM ----------
Edit
Hi downunder, could you confirm i have this correctly
With no access to fastboot thus no twrp or root, are you implying, assuming your able to inject root into stock firmware, that, i'd be able to flash this stock+root rom in STOCK recovery, which i do have access to?
Edit: im under the impression that stock firmware zips are checked by stock recoveries, so modifying a stock firmware zip tends to fail this check and thus wont install/flash.......which makes me think im misunderstanding here......or just hoping im not
If so, im interested
Edit
i just read your second post which near enough answers my curiosity, so that'll teach me to read beyond the first post before asking answered questions ........even if the post excites me............ahhh, who am i kidding, ill probably do it again........the equivalency of a mental post boner........not controllable
Sorry for the disgusting analogy
SyberHexen said:
I was able to downgrade using the 7.2 image after setting up the device on 7.2.1 OTA just make sure you disable automatic updates
Did I understand it correctly? You successfully downgraded from 7.2.1 to 7.2?
ErAzOr2k said:
Did I understand it correctly? You successfully downgraded from 7.2.1 to 7.2?
Yes,
Just ran flash all from the bootloader. For the newly released 7.2 developer_rooted factory image.
As long as we don't jump to Android 9 we should always be able to downgrade through a full factory firmware.
Once Android 9 comes this might not work anymore due to the massive changes involved for the boot and system checks.
@banderos101: Unless you really did something bad you should always be able to enter the fastboot mode to flash a full firmware.
If I have some time after xmas I will have another look on the options of signing the zip properly or simply to fake it.
Biggest problem will be to generate the correct SHA checksums once all is installed so I can use the same checksums in the check files.
The bootloader needs them to identify the system and vendor as genuine.
The system needs them to confirm all is actually unmodified as otherwise all fails to boot at some stage.
Modding a proper userdebug firmware is not really that hard, but converting a release version that also is a true and secure user release...
Lets just say that it won't be an easy task.
As it looks like the kernel is a keeper I might have to figure something out unless TopJohnWu won't enjoy a break after his exams and works on a way to get Magisk working with our kernel.
At least I figured out why the recovery trick isn't working for me.
The system partition is not mounted for the sideload mode.
To apply an update the stuff is written directly onto the partition, so no file level access left to play with and break things
In comparison you could say the shield is now like a modern car with keyless operation only.
You know you can start it with ease, if you only could find the remote that you left in the driver's seat when you locked the door
SyberHexen said:
Yes,
Just ran flash all from the bootloader. For the newly released 7.2 developer_rooted factory image.
Just wondering what is achieved by going back to 7.2?
What do you mean "going back"?
Right now the 7.2 is the official and latest firmware.
I was unable to get my hands on the 7.2.1 but guess it might have been a test version for certain models only.
I wasted a few hours trying to fix the system image.
First stage was only to get the basic "features" back, like full ADB support, enabling the support to use SU and busybox....
Just what is required to actually allow these nice apps we like to gain root to work.
This backfired badly as right after the start the bootloader complained about the system being corrupt and no override to get past this worked.
So of course I then removed the known restrictions from the bootloader...
As you guessed it the damn thing then did not even boot at all, just jumped right into the (locked) recovery mode.
A half decent comparison with my last manual root on a tv box that was a success showed I still did the right things...
If anyone wondered why we needed a new bootloader for the support of smart helpers and some codes stuff:
We didn't as all this could have been done with the 7.1 bootloader as well.
Since my root attempts so far all ended either in disaster or in a root access that failed shortly after/corrupted the system, I took a look of the general kernel changes that were published for other devices.
Before I could find anything meaningful I realised the 4.9 kernel is actually a requirement for Android Pie!
With that info sorted I started digging into the new "security" features Pie can offer.
I will try to keep it simple and to the stuff that actually concerns us for rooting purposes:
The new boot process with Pie is aimed at being secure from the hardware level up and all the way into the system partition once the boot is completed.
So the hardware checks if the bootloader is actually usable - we had that for a long time, nothing new.
Once the bootloader starts and reaches the point of actually getting somewhere, all partitions required will be checked by either a hash check or a trusted certificate generated at boot time that is compared to the previous certificate.
Only if that is fine the bootloader will call upon the system and vendor partitions.
The handover of control from bootloader to the system is made far more secure as well.
SELinux is called early on to ensure that only trusted apps and tasks can work but also to add a new control level.
System related apps no longer run as root or with special permissions.
Instead every single app and service runs as its own user!
And under SELinux conditions this means nothing can access anything that it is not entitled to unless included as a user for the other app.
And with that sorted the vendor stuff is called to ensure all hardware and vendor related stuff is still genuine - this include the required certs but also the recovery and bootloader hash codes and certs.
So if something is fishy either SELinux will stop us or the vendor stuff will just overwrite it all.
Once we finally reach the system stage the recovery is checked if called from within the system, if fully implemented it could mean that using an official update on a modded firmware will delete all data as the encryption from the old system is declared invalid.
Sadly it does not stop there because even with full rights (faked or otherwise) to access the system partition with write access we still can not just change things.
If something belongs to a user (a secure app) than a change will corrupt the system.
To overcome all this without using vulnerabilities that so far no one has found, a compatible userdebug release has to be created from the official user firmware.
DM-Verity needs to be disabled as well as all partition encryption stuff.
The bootloader needs to be adjusted to reflect these changes and the required trust certificates generated and included in both system and boot images.
The only problem here is that the kernel won't allow these changes unless it itself is a userdebug kernel.
After that it is only the little effort to go through about 60 different scripts to remove or redirect the calls for all boot and system security related things.
If then by some chance all this actually boots up and goes all the way into a usable homescreen the entire stuff needs to be secured again.
This time so that the final system has a correct cert and checksum that matches those we need to include in the bootloader.
Anyone knows how to gain full access to the trusted keystore on the 4.9 kernel? LOL
For the moment I don't really care about all the stuff above.
I would be happy to figure out what to make out of these new fstab configurations without the vital partitions listed.
The real partitions used have not changed but it is impossible to include them in the fstab, doing so causes the bootloader to fail.
Presumably because the kernel realised we try to get around the verification process.
This and some other minor things are also the reason TWRP fails so badly, same for the stock recovery by the way.
Since TWRP is a toy a lot of us like:
TWRP and 7.2....
Without a system partition in the bootloader fstab TWRP can not mount it.
Same for all other things TWRP needs to mount as it simply does not have the right to access these areas.
To make things worse, we need system access to even start TWRP through fastboot.
So, no matter if we flash or start it through fastboot: The bootloader and system will realise our recovery does not match the checksum.
What does all this now mean in terms a lot more people are able to understand?
Let me try...
Imagine the 7.2 in a running version would be just some encrypted file with a lot of folders in it.
And like PGP or other encryptions software we know there is a private and a public key.
With the public key you can see a lot and use most of the encrypted file - but only to a level that is required, nothing above your low level clearance.
For every attempt to write into this file or to make changes we need the private key.
If you follow so far then lets just say the recovery (stock) and Fastboot can be, to some extent, used for this access.
But since every folder in the encrypted file also uses private and public keys it is like tracing a tree.
Although it is getting too long, let me give you the example of just adding SU to the system partition:
Adding SU into the system image is no big deal.
Signing this image to get a usable key and including this key into the keystore is.
Assume we would just be able to do it....
SU needs to be called quite early in the boot process.
It then elevates the access level for certain things and also intercepts all root related requests from apps and services.
Except of course those that already had these rights by default.
Problem here is that adding the scripts we need plus changing some others means violating the tree of trust on the device and we get locked out.
Finding a spot to add the required rights for SU might be still possible.
On the other hand it will be impossible to give SU any rights or access to "trusted user" owned parts, files, folders, partitions....
The entire concept of SU just fails.
I will have to check how much of the new features are active in the 7.2 kernel that hinder us.
If I find enough, it might be enough to call for a Magisk update.
But I guess it is of little use for just one set of devices, so maybe once more devices on the 4.9 kernel fail to work with Magisk it will be easier to spot a usable pattern.
In case someone else is already working on a modified system: Please let me know how you made it boot after the changes.
Shield Tv 16 2017 - OTA update 7.2.1 Ready for updating
I'm on 7.1. I have been waiting for the 7.2 developer image, which is now out, and just noticed 7.2.1 is available OTA. I'm really confused what to do. I want to keep root without bricking my Shield. Should I stay with what I have as it is running well?
I am not even sure if it is safe trying to update to dev 7.2 image (or if I would want to) by hooking to computer and using ADB Fastboot tools.
Is there any good reason to update to 7.2 or 7.21? and if so how would I go about doing it? Which program is good for flashing developer images or OTA updates. I used to use flash-fire, which seems to be obsolete now and have heard TWRP is incompatible rooting with SU with OREO updates????
Should I play it safe and stay with what I have rather than experiment and end up with a brick? (wouldn't be the first time)
Anyone know if 7.21 is some-kind of bug fix?
A lot of questions, but hope someone has some answers.
Thanks for any info.
"You know you can start it with ease, if you only could the remote that you left in the drivers seat when you locked the door "
My fastboot issue
Yeah, I think I busted the micro USB somehow with a faulty USB hub. Whenever I plug the USB into my Raspberry Pi/Windows box (for adb/fastboot) now, it turns off all USB ports on the Pi as well as the Windows box, even when the Shield is unplugged. Some sort of earth problem maybe.
......all I have is adb over network. adb reboot bootloader simply reboots back to system; adb reboot recovery works though.
I've read that fastboot over TCP (ethernet) had been introduced a couple of Android versions ago, but I don't think it's been implemented in our Shields.
In fact, here's a link:
https://www.androidpolice.com/2016/...-capabilities-wireless-flashing-isnt-far-off/
Looks like it needs to be specifically added onto a build.
As far as you making a stock root build, if you can, that would be awesome, more than awesome, but if it becomes more work than you thought don't worry about it, it's not like they're making it easy.
Also, sounds like 4.9/future Android is gonna be a nightmare for root......... Having the ability to root so that the option is there to see what's going on in the background of these devices, these devices possessing cameras/microphones/old+latest sensors/personal files/personal info, which reside on our personal beings or in our homes........is just one reason why I don't want to see root go away.
So what is the purpose of the developer image of 7.2?
Rather, I know the stated purpose of the developer image, but if it is locked in the way described it sounds like the benefit is negated for typical developers.
(e.g. sometimes I debug an application without permissions in order to benchmark or debug a problem).
For casual users of the shield, using ad blockers and whatnot, is there any benefit to derive from installing the developer rom over stock? Does "adb root" still work?
What is left as the difference? It doesn't sound like they produced a userdebug build of the OS.
Thanks
The 2 new updates are horrible. I have gone back to 7.1. They have crippled my shield. I'll wait for a new update.
I'd like to keep this simple. I tried rooting and not a single tutorial on here has ended with root privileges for various reasons. I'm done with it. I flashed stock firmware in hopes of removing any trace of files that may have been altered during the various root tutorials I followed, but Samsung Pass says the device is still rooted.
What do I need to do to return to 100% stock?
noxarcana said:
I'd like to keep this simple. I tried rooting and not a single tutorial on here has ended with root privileges for various reasons. I'm done with it. I flashed stock firmware in hopes of removing any trace of files that may have been altered during the various root tutorials I followed, but Samsung Pass says the device is still rooted.
What do I need to do to return to 100% stock?
I assume you unlocked the bootloader. Try Relocking and flash the firmware again.
Whether that will work is anybody's guess.
Rooting is a pretty simple procedure I can't think of any reason it didn't work except user error.
This method works perfectly on T860.
***********************
https://forum-xda--developers-com.c...-to/root-guide-t860-root-twrp-method-t4095677
jhill110 said:
I assume you unlocked the bootloader. Try Relocking and flash the firmware again.
Whether that will work is anybody's guess.
Rooting is a pretty simple procedure I can't think of any reason it didn't work except user error.
Well, this isn't the first time I've rooted a device and I followed every step of every tutorial I found on here and, for some reason, it would not root. This is the first, and only, device I've had this much trouble with.
The tutorial for rooting without TWRP: I made the patched AP file and flashed it; however, I could not boot into recovery or download mode and it always stuck on the boot logo.
The tutorial for installing TWRP didn't have a link for the encryption disabler and the one I found did absolutely nothing and the folders in storage just showed as a string of numbers and letters.
Maybe, if someone could put together a full tutorial with the files being used within the tutorial, it would have worked.
noxarcana said:
Well, this isn't the first time I've rooted a device and I followed every step of every tutorial I found on here and, for some reason, it would not root. This is the first, and only, device I've had this much trouble with.
The tutorial for rooting without TWRP: I made the patched AP file and flashed it; however, I could not boot into recovery or download mode and it always stuck on the boot logo.
The tutorial for installing TWRP didn't have a link for the encryption disabler and the one I found did absolutely nothing and the folders in storage just showed as a string of numbers and letters.
Maybe, if someone could put together a full tutorial with the files being used within the tutorial, it would have worked.
Did you get the bootloader unlocked?
Unlocking the bootloader:
https://www.getdroidtips.com/how-to...to_Unlock_Bootloader_on_Samsung_Galaxy_Tab_S6
To get to download mode it's volume up and volume down then plug your pc into device. NOT POWER AND VOLUME DOWN. This can be a pain in the back side.
If you do it this way you'll get the option unlock / lock bootloader or go to bootloader mode.
If you follow the instructions perfectly and then follow the instructions for rooting it will work.
Move on to root.
ROOTING :
https://forum-xda--developers-com.c...-to/root-guide-t860-root-twrp-method-t4095677
AP SLOT = PATCHED FILE
BL SLOT = BL FILE
CP SLOT = CP FILE (T865) NOT T860... T860 HAS NO CP FILE
CSC SLOT = HOME CSC FILE
DON'T forget to setup WiFi before installing magisk manager. ^^^^^^^^^
Install TWRP.
TWRP :
https://forum-xda--developers-com.c...b-s6/development/recovery-twrp-3-3-1-t3975587
I hope this helps you out.
If you have anymore questions just ask.
Disable DM VERITY ENCRYPTION DISABLER
PATCHED ODIN
jhill110 said:
Did you get the bootloader unlocked?
Yep, bootloader unlock was easy. I'll give root another try with your steps in a couple of days when I'm off work. Sorry if I came across a bit aggressive in my previous posts; I have a tendency to do so even when I'm not frustrated.
This has been so frustrating to me because I know rooting is usually a simple process; as you said previously.
jhill110 said:
ROOTING :
https://forum-xda--developers-com.c...-to/root-guide-t860-root-twrp-method-t4095677
AP SLOT = PATCHED FILE
BL SLOT = BL FILE
CP SLOT = CP FILE (T865) NOT T860... T860 HAS NO CP FILE
CSC SLOT = HOME CSC FILE
DON'T forget to setup WiFi before installing magisk manager. ^^^^^^^^^
So, yea, I'm a bit late getting around to this. Sorry.
This is where things get hung up. Everything flashes just fine and I can even get into TWRP; however, when I try to boot the tablet I get the Galaxy Tab S6 screen, then the warning about the bootloader being unlocked, and back to the Galaxy Tab S6 screen but with an "unofficial software" warning....and repeat. It just boot loops and this is where I've been since I started this thread.
Also, returning to stock doesn't completely remove root traces as I can't use Samsung Pass and I simply get a warning about the device seemingly being rooted even though it isn't.
If you installed TWRP, then you tripped Knox. Tripping Knox will permanently disable Samsung Pay as far as I'm aware. You'll never get it back, regardless of root or no root access.
Also, I'm not sure why you're installing TWRP AND trying to flash a Magisk patched OS. It's one or the other, you don't need to do both. Unless something has changed in Android 10?
If you're flashing TWRP, you just need to flash Magisk in TWRP(along with the other files!), no need to patch AP.
bartleby999 said:
If you installed TWRP, then you tripped Knox. Tripping Knox will permanently disable Samsung Pay as far as I'm aware. You'll never get it back, regardless of root or no root access.
Also, I'm not sure why you're installing TWRP AND trying to flash a Magisk patched OS. It's one or the other, you don't need to do both. Unless something has changed in Android 10?
If you're flashing TWRP, you just need to flash Magisk in TWRP(along with the other files!), no need to patch AP.
Not Samsung Pay, I couldn't care less about that, but Samsung Pass; I guess it looks for knox being tripped now too. That sucks, but I'll make do without it.
I was following the guides posted above. The root guide said to flash a Magisk patched OS and then there was a guide for installing TWRP. I never had this many issues or this much confusion with my 1st gen Tab S; maybe I just haven't kept as close of an eye on these things since I've been without a tablet for awhile before getting the Tab S6.
Anyway, for clarification, all I need to do is flash TWRP and then flash magisk from within TWRP? Or, just install the magisk apk after booting into Android?
noxarcana said:
Not Samsung Pay, I couldn't care less about that, but Samsung Pass; I guess it looks for knox being tripped now too. That sucks, but I'll make do without it.
I was following the guides posted above. The root guide said to flash a Magisk patched OS and then there was a guide for installing TWRP. I never had this many issues or this much confusion with my 1st gen Tab S; maybe I just haven't kept as close of an eye on these things since I've been without a tablet for awhile before getting the Tab S6.
Anyway, for clarification, all I need to do is flash TWRP and then flash magisk from within TWRP? Or, just install the magisk apk after booting into Android?
My bad for some reason I just read that as Samsung Pay. But yeah Samsung Pass also doesn't work with root, I'm not sure if that is permanent though as I've never used Samsung Pass, but did come across this thread https://forum.xda-developers.com/general/rooting-roms/samsung-pass-knox-tripped-devices-t3687977 it is possible to get some components of Knox to function again, (I have a working Secure Folder) so might be worth taking a look.
As for your question...
You should give this thread a good read... https://forum.xda-developers.com/galaxy-tab-s6/development/recovery-twrp-3-3-1-t3975587
Basic steps are... Unlock the bootloader and then boot into system and ensure it's unlocked in settings. You may need to connect to the web, I can't remember tbh
First you need to install TWRP, once that is done you need to reboot but YOU HAVE TO boot directly back into TWRP. You cannot boot into system, or TWRP will be overwritten by stock recovery and you'll need to start over again. Once TWRP is installed, boot into TWRP and format data then reboot recovery, flash Kernel then flash encryption disabler then unmount the system and flash Magisk 20.4 - Finally reboot to system.
I'd seriously and strongly suggest reading that TWRP thread to ensure things go smoothly.
bartleby999 said:
First you need to install TWRP, once that is done you need to reboot but YOU HAVE TO boot directly back into TWRP. You cannot boot into system, or TWRP will be overwritten by stock recovery and you'll need to start over again. Once TWRP is installed, boot into TWRP and format data then reboot recovery, flash Kernel then flash encryption disabler then unmount the system and flash Magisk 20.4 - Finally reboot to system.
I'd seriously and strongly suggest reading that TWRP thread to ensure things go smoothly.
I'll give those threads a thorough reading over tonight and tomorrow night while at work and then see if I can get this all sorted out Monday when I'm off. I remember Pass still working with root on the original Tab S so I'm hoping it hasn't changed.
Thanks for jumping in to try and help me with this. I'll update within a few days instead of months like my last update. ?
noxarcana said:
I'll give those threads a thorough reading over tonight and tomorrow night while at work and then see if I can get this all sorted out Monday when I'm off. I remember Pass still working with root on the original Tab S so I'm hoping it hasn't changed.
Thanks for jumping in to try and help me with this. I'll update within a few days instead of months like my last update. ?
It has definitely changed. Pass doesn't work on my Tab S6 and I'm rooted; I guess Knox is now integrated with a lot of Samsung apps now. Not sure if it's possible or not to get it working again though, I've never bothered to research it as I don't need it for anything - But as I said, I got Secure Folder working again, so there's some hope for Pass I guess - That first thread I linked looked promising, but I only skimmed it, because frankly I'm not interested.
If you need any more help, report back - I'll try my best. Also, the TWRP thread I linked is full of helpful people. :good:
bartleby999 said:
It has definitely changed. Pass doesn't work on my Tab S6 and I'm rooted; I guess Knox is now integrated with a lot of Samsung apps now. Not sure if it's possible or not to get it working again though, I've never bothered to research it as I don't need it for anything - But as I said, I got Secure Folder working again, so there's some hope for Pass I guess - That first thread I linked looked promising, but I only skimmed it, because frankly I'm not interested.
If you need any more help, report back - I'll try my best. Also, the TWRP thread I linked is full of helpful people. :good:
Perhaps I'm just not meant to have root with this device. Flashing that kernel causes Wifi not to work, but it does boot. Not flashing the kernel also booted, but I couldn't install Magisk Manager. Other than the bootloader still being unlocked, I'm back on stock firmware.
noxarcana said:
Perhaps I'm just not meant to have root with this device. Flashing that kernel causes Wifi not to work, but it does boot. Not flashing the kernel also booted, but I couldn't install Magisk Manager. Other than the bootloader still being unlocked, I'm back on stock firmware.
What firmware are you running?
I remember seeing something about one of the newer kernels affecting WiFi on Android 10. Assume you're running that?
If that's the case, give the TWRP thread a browse - You may be able to find an older version of the kernel that'll work - As far as I'm aware, an older kernel than what you currently installed will work, but a newer version than currently installed will possibly cause a bootloop.
I can't help much with Android 10 specific stuff as I'm still running Android 9 because it's stable.
bartleby999 said:
What firmware are you running?
I remember seeing something about one of the newer kernels affecting WiFi on Android 10. Assume you're running that?
If that's the case, give the TWRP thread a browse - You may be able to find an older version of the kernel that'll work - As far as I'm aware, an older kernel than what you currently installed will work, but a newer version than currently installed will possibly cause a bootloop.
I can't help much with Android 10 specific stuff as I'm still running Android 9 because it's stable.
I am definitely on the latest Android 10 update so I'll see if I can find an earlier version that will work. I'll see what I can find out on the TWRP thread.
noxarcana said:
I am definitely on the latest Android 10 update so I'll see if I can find an earlier version that will work. I'll see what I can find out on the TWRP thread.
If you can't find an older Kernel (I'm not sure there is one for Android 10), it may be the case that you'll need to wait for the Kernel to be updated.
bartleby999 said:
If you can't find an older Kernel (I'm not sure there is one for Android 10), it may be the case that you'll need to wait for the Kernel to be updated.
Yea, it looks like Samsung made some "wifi improvements" in OneUI 2.5 and that's causing some kernel issues preventing wifi from working. I think I could find a kernel fairly easily, but I think I'm just going to wait for a kernel update. If it never comes, I'll find an older kernel. Thanks for the help!
Hello everyone,
I am new to the device and I have read the threads on unlocking BL & rooting. However, I am still unsure about how to update the device after rooting. Can someone please write out a high level few lines?
You flash the stock firmware then root it again.
Well I'd thought I'd done this enough for that to be a simple job (I did manage to root the device the day I bought it..). But I seem to be having an issue reflashing the boot.img back to the device using Fastboot after updating OTA to 12. Any ideas?
Well I'm completely out of ideas. I've tried the Canary build of Magisk, I've tried using the patched boot.img (waiting on any device eternally in Fastboot). I've tried patching the AP file (as .md5 and as .tar). Process fails each time.....
I was on rooted 11 but I thought I could unroot then grab 12 and reroot. Well I did actually have 12 installed (briefly) but now I've got an unrooted 11, that just sux, and I should've never tried to get 12 lol. My BL is still unlocked of course so I just really want to go back to where I started if rooted 12 is a no-go for now. Any help would be greatly appreciated.
Ahalol I'm sorry for hijacking your thread but it said exactly what I wanted to ask :/
Thanks XDA as always!
I finally got it, all good.
ahalol said:
Hello everyone,
I am new to the device and I have read the threads on unlocking BL & rooting. However, I am still unsure about how to update the device after rooting. Can someone please write out a high level few lines?
For future reference for anybody who may read this in the future, updating a rooted Tab S7 / S7+ without losing your data is pretty much outlined step by step in the official Magisk installation guide.
Installation - The Magic Mask for Android (topjohnwu.github.io)
Scroll down to the Samsung section, and then "Upgrading the OS". It's basically the same as Odin flashing the firmware as you normally would to restore to stock, except you're flashing the Magisk patched AP file in the AP slot instead, and using HOME_CSC instead of CSC in the CSC slot. CSC wipes data, HOME_CSC does not.
With the exception of a few weird Samsung devices (like the S6 Lite), don't listen to ppl who tell you to extract the boot image and flash separately. Just follow the *official* (I felt the emphasis was necessary here, again) Magisk installation guide in this case... Download the firmware file via Frija or whatever your source for firmware is (honestly dude.. just use Frija), extract the files, copy the AP file to your tablet (recommend adb push, not MTP), and use the Magisk app to patch the ENTIRE AP file. This is important because Magisk will also patch out other parts of the firmware like vbmeta, which is what allows it to work around avb restrictions. If you attempt to flash the full bone stock firmware and then a patched boot image separately, you will likely get an error that results in the need to wipe data, because avb (Android Verified Boot) has been violated without having had vbmeta patched among possibly other things, and then have fun with the misery of wiping and starting over... Anyway, after patching the FULL AP file in Magisk app, make sure there were no errors in the log (btw, this is where you can clearly see that Magisk is patching more than just the boot image...) and copy it back to your computer (again, like adb push was recommended before, use adb pull to move to computer), and then flash the BL / Magisk patched AP / HOME_CSC files in their respective slots (and CP if you have LTE model) in download mode. It'll reboot probably twice, then optimize apps before finishing booting to your updated system.
tl;dr - read the official Magisk guide I linked above (notice yet that I keep mentioning this?? lol)
My post is assuming you are on bone stock rooted ROM without custom recovery and/or encryption disabled mods and stuff (e.g. multidisabler mod). Every update for me goes without a hiccup, and I am fairly heavily modded with SafetyNet passing and everything (LSposed / GravityBox / Firefds kit / a bunch of Magisk modules). Loving that these tablets keep Widevine L1 even after rooting.. was my primary reason for buying! I also like / prefer the fact that my tablet is still encrypted without custom recovery so that the chances are my data is still safe should the tablet ever be lost or stolen. Anyway, if you do have custom recovery or flashed multidisabler already, I would definitely do your due diligence and research / ask questions to find out if there's anything different you have to do (different in relation to the official Magisk installation guide resource, or any pre-/post-install quirks).
Sorry, I know I rambled a bit but I hope this post is somewhat informative and able to be followed. Typing it from phone and browser is kinda glitching out. But I just felt the need to type this all out. It seems I don't see so much more misinformation on XDA than on the Samsung subforums lol. D:
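The post above explains that Magisk patches vbmeta so that AVB (Android Verified Boot) no longer rejects the modified boot image. As an added example that is not part of the thread or of Magisk, the following script parses the 256-byte vbmeta header as defined by libavb and reports whether its flags disable verification or the dm-verity hashtree, which is a simple offline way to check what a firmware package actually carries before flashing it, or to audit an image afterwards. The sample headers are constructed inline and are not real Samsung firmware.

```python
"""Parse an Android Verified Boot (AVB) vbmeta image header and report
whether verification has been disabled.  Added example, not thread or
Magisk code; the sample images are constructed here for demonstration."""
import struct

AVB_MAGIC = b"AVB0"
# Flag bits from libavb's AvbVBMetaImageFlags.
AVB_FLAG_HASHTREE_DISABLED = 1 << 0      # dm-verity hashtree not enforced
AVB_FLAG_VERIFICATION_DISABLED = 1 << 1  # partition hashes not checked at all

# AvbVBMetaImageHeader layout, all fields big-endian:
# magic, libavb major/minor, auth block size, aux block size, algorithm,
# ten offset/size fields, rollback index, flags, rollback index location,
# 48-byte release string, 80 reserved bytes.  Total: 256 bytes.
_HEADER = struct.Struct(">4sII QQ I QQQQQQQQQQ Q II 48s 80s")
HEADER_SIZE = _HEADER.size  # 256


def parse_vbmeta_header(blob):
    """Return the security-relevant header fields of a vbmeta image."""
    if len(blob) < HEADER_SIZE:
        raise ValueError("vbmeta image shorter than its header")
    fields = _HEADER.unpack_from(blob, 0)
    if fields[0] != AVB_MAGIC:
        raise ValueError("not a vbmeta image (bad AVB magic)")
    (_magic, major, minor, _auth_size, _aux_size, algorithm,
     _hash_off, _hash_size, _sig_off, _sig_size, _pk_off, _pk_size,
     _pkmd_off, _pkmd_size, _desc_off, _desc_size, rollback, flags,
     _rollback_loc, release, _reserved) = fields
    return {
        "libavb_version": f"{major}.{minor}",
        "algorithm": algorithm,  # 0 = NONE (unsigned), 1 = SHA256_RSA2048, ...
        "rollback_index": rollback,
        "flags": flags,
        "hashtree_disabled": bool(flags & AVB_FLAG_HASHTREE_DISABLED),
        "verification_disabled": bool(flags & AVB_FLAG_VERIFICATION_DISABLED),
        "release_string": release.split(b"\0", 1)[0].decode(errors="replace"),
    }


def verdict(info):
    """Plain-language summary of what the bootloader will do with this vbmeta."""
    if info["verification_disabled"]:
        return "verification disabled: bootloader will not check partition hashes"
    if info["hashtree_disabled"]:
        return "hashtree disabled: dm-verity will not be enforced"
    if info["algorithm"] == 0:
        return "unsigned vbmeta (algorithm NONE): only boots with an unlocked bootloader"
    return "stock-style vbmeta: signed, verification enforced"


def build_sample(flags, algorithm, release=b"avbtool (constructed sample)"):
    """Construct a minimal header for demonstration; no descriptors or signature."""
    return _HEADER.pack(AVB_MAGIC, 1, 0, 0, 0, algorithm,
                        0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, flags, 0,
                        release.ljust(48, b"\0"), b"\0" * 80)


# Constructed samples: a signed stock-style header and one with both
# "disabled" bits set and no signature algorithm, as a patched image would have.
STOCK_SAMPLE = build_sample(flags=0, algorithm=1)
PATCHED_SAMPLE = build_sample(
    flags=AVB_FLAG_VERIFICATION_DISABLED | AVB_FLAG_HASHTREE_DISABLED, algorithm=0)

if __name__ == "__main__":
    for name, blob in (("stock", STOCK_SAMPLE), ("patched", PATCHED_SAMPLE)):
        info = parse_vbmeta_header(blob)
        print(f"{name}: flags=0x{info['flags']:x} -> {verdict(info)}")
```

To inspect a real image, read the vbmeta.img (or the vbmeta partition dumped from a device) into `parse_vbmeta_header`; only the first 256 bytes are needed.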
i5lee8bit said:
For future reference for anybody who may read this in the future, updating a rooted Tab S7 / S7+ without losing your data is pretty much outlined step by step in the official Magisk installation guide.
Installation - The Magic Mask for Android (topjohnwu.github.io)
Scroll down to the Samsung section, and then "Upgrading the OS". It's basically the same as Odin flashing the firmware as you normally would to restore to stock, except you're flashing the Magisk patched AP file in the AP slot instead, and using HOME_CSC instead of CSC in the CSC slot. CSC wipes data, HOME_CSC does not.
With the exception of a few weird Samsung devices (like the S6 Lite), don't listen to ppl who tell you to extract the boot image and flash separately. Just follow the *official* (I felt the emphasis was necessary here, again) Magisk installation guide in this case... Download the firmware file via Frija or whatever your source for firmware is (honestly dude.. just use Frija), extract the files, copy the AP file to your tablet (recommend adb push, not MTP), and use the Magisk app to patch the ENTIRE AP file. This is important because Magisk will also patch out other parts of the firmware like vbmeta, which is what allows it to work around avb restrictions. If you attempt to flash the full bone stock firmware and then a patched boot image separately, you will likely get an error that results in the need to wipe data, because avb (Android Verified Boot) has been violated without having had vbmeta patched among possibly other things, and then have fun with the misery of wiping and starting over... Anyway, after patching the FULL AP file in Magisk app, make sure there were no errors in the log (btw, this is where you can clearly see that Magisk is patching more than just the boot image...) and copy it back to your computer (again, like adb push was recommended before, use adb pull to move to computer), and then flash the BL / Magisk patched AP / HOME_CSC files in their respective slots (and CP if you have LTE model) in download mode. It'll reboot probably twice, then optimize apps before finishing booting to your updated system.
tl;dr - read the official Magisk guide I linked above (notice yet that I keep mentioning this?? lol)
My post is assuming you are on bone stock rooted ROM without custom recovery and/or encryption disabled mods and stuff (e.g. multidisabler mod). Every update for me goes without a hiccup, and I am fairly heavily modded with SafetyNet passing and everything (LSposed / GravityBox / Firefds kit / a bunch of Magisk modules). Loving that these tablets keep Widevine L1 even after rooting.. was my primary reason for buying! I also like / prefer the fact that my tablet is still encrypted without custom recovery so that the chances are my data is still safe should the tablet ever be lost or stolen. Anyway, if you do have custom recovery or flashed multidisabler already, I would definitely do your due diligence and research / ask questions to find out if there's anything different you have to do (different in relation to the official Magisk installation guide resource, or any pre-/post-install quirks).
Sorry, I know I rambled a bit but I hope this post is somewhat informative and able to be followed. Typing it from phone and browser is kinda glitching out. But I just felt the need to type this all out. It seems I don't see so much more misinformation on XDA than on the Samsung subforums lol. D:
Cheers mate. I am leaning towards rooting my Tab S7 now. It doesn't sound too hard.
Edit: I did it. Did you also have to install the SafetyNet module to get the safety check working?