Hey, i know this a really really old tablet with basically no software support but, a few months ago it ocurred to me: could the Nintendo Switch coldboot exploit work in my Sony Tablet S?
In theory every tegra chip before the X1 should be vulnerable, provided you have RCM (APX) access.
And that is my first problem: how do i even get to RCM (APX)? Well , i asked just that in the ReSwitched discord server and they told me that modifying some adresses and stuff could boot RCM. In the end it worked, and you need the following: ROOT, Terminal Emulator and busybox.
Type in terminal emu this in this order:
su
devmem 0x7000E450 w 2
devmem 0x7000E400 w 16
Click to expand...
Click to collapse
Now you have booted into RCM (APX) . I tried to push a payload with fusee launcher editing the usb pid, but it still errors out. Log: https://del.dog/zuquyejeqo
Any ideas?
Flash Surface RT firmware on your Sony Tablet S
theandroid02 said:
Hey, i know this a really really old tablet with basically no software support but, a few months ago it ocurred to me: could the Nintendo Switch coldboot exploit work in my Sony Tablet S?
In theory every tegra chip before the X1 should be vulnerable, provided you have RCM (APX) access.
And that is my first problem: how do i even get to RCM (APX)? Well , i asked just that in the ReSwitched discord server and they told me that modifying some adresses and stuff could boot RCM. In the end it worked, and you need the following: ROOT, Terminal Emulator and busybox.
Type in terminal emu this in this order:
Now you have booted into RCM (APX) . I tried to push a payload with fusee launcher editing the usb pid, but it still errors out. Log: https://del.dog/zuquyejeqo
Any ideas?
Click to expand...
Click to collapse
Did you ever investigate any further?
Does any of you know if with this we can finally install a custom rom? I know this tablet is capable of running android 10 from the mininum required specs. I just want a PDF reader to work on this thing
Related
I've got an Iconia tablet with a broken recovery (I've been using CWM and Thor's ICS ROM). I'm going to follow the steps outlined here
http://forum.xda-developers.com/showthread.php?t=1129873
but.... when I look up the UID from every method, all I get is 0123456789ABCDEF.
Given all the dire warnings about not being able to recover if/when things go wrong without the real UID... this 123 UID isn't the real UID.... is it safe to proceed with the repair here? Or are things really messed up?
I have not messed with ICS myself, but my understanding from reading the ICS threads in the Iconia forums is that the device is no longer using the uid for usb serial number. So it seems you can't get it that way if you have installed any of the ICS updates.
The suggestion I have seen is to look for androidboot.serialno in dmesg directly after booting, but that does not seem to help everyone.
Another option might be to get the device into APX mode and do a usb bulk read, the first read should return 8 bytes that is the UID. I would assume this to still work even after you have installed ICS but I have not tried. I pasted some code for opening the device, reading and printing the uid (using libusb, tested on Linux) on the Iconia forum earlier this week.
Hmm OK that's helpful info. Thanks.
I tried the androidboot.serialno in dmesg, but I wasn't able to find the string.... I will try that again after a clean boot.
I've been doing all the debugging from my one Windows machine... I haven't tried plugging it into my Linux PC yet... that's next... I haven't discovered APX mode yet. Time to do some more reading, thanks for the pointers.
Edit 1: OK checked lsusb -v and I serial also shows 0123456789ABCDEF
Edit 2: Clean boot and did a new dmesg dump.. parsed the output and no sign of androidboot.serialno or anything that even resembles it.
OK, things are not getting better here. I've been tinkering a lot, and in some respect I've just made things worse.
I still cannot find the UID with any of the documented methods here on XDA. I've tried
using adb devices
using Linux lsusb -v
checking the output of dmesg for androidboot.serialno
plugging in to Windows and looking at the USB mount info using USBDeview
looking at the device manager in Windows and checking the "Parent" field
I have also booted into APX mode and to discover the UID that way too... and nothing.
All I get is 0123456789ABCDEF
At this point the frustration level was getting high enough for me to be a bit reckless... I copied "itsmagic" into /data made it executable and ran it. No errors.
I rebooted into Recovery mode, and there I get scrambled graphics on the screen (it's the Acer logo duplicated several times with loads of tearing and distortion) and the tablet vibrates constantly.. non stop until I reboot it.
I can boot normally into the current ROM (Thor2002ro v96) so I haven't busted it completely. If I try to use my existing CWM manager to install any other ROM or use the manager to reboot into recovery mode, it goes back to the scrambled screen and vibrating constantly.
Does anyone have any ideas or suggestions here? I'd be happy to even roll back to stock and start fresh. There is nothing on the tablet that needs to be saved... except the functionality of the tablet itself.
When you write nothing about APX mode, does that mean literary nothing or nothing different?
If you have root you can see if you have anything interesting in /proc/cmdline.
If not I'm out of ideas on how the get the UID for now.
While i very much doubt 0x0123456789ABCDEF is the UID used to generate the SBK of the device you could try reading and decrypting the beginning of mmcblk0 using the SBK that would give (0xA9EA7E00 0xF12BEB06 0x3AD20804 0x364A5F03) to verify this.
You could probably overwrite the restore partition from your running system, I have never done that myself though.
OK, it's SOLVED.
After much swearing and crying and a little help from the forum here and in other posts the solution to fixing the broken tablet was actually quite easy.
Based on the information here:
http://forum.xda-developers.com/showthread.php?t=1459821
- I downloaded recovery-ra-iconia-3.16-gnm.img using teh links provided on the thread above
- I ran itsmagic
- Then I did these steps:
Code:
adb push recovery-ra-iconia-3.16-gnm.img /mnt/sdcard
adb shell
su
dd if=/mnt/sdcard/recovery-ra-iconia-3.16-gnm.img of=/dev/block/mmcblk0p1
sync
reboot recovery
This booted a working recovery mode (FINALLY), and I was able to successfully flash the latest Thor2002ro ICS ROM.
Thanks for your help and suggestions eppeP, they got me thinking in the right direction.
Hello guys I am trying to bypass screen lock via adb but when I write adb devices it shows "0123456789ABCDEF Device" and then when I type adb shell then it shows"$" after that whatever I type it shows permission denied(even if I write adb).Please Help
please clear up Google
account lock
Good Morning,
I've recently purchased a Lenovo IdeaTab A2109 Tegra 3 running 4.1.1 (build A2109_A411_03_13_121126_UK) running stock but with the bootloader unlocked via fastboot.
Last weekend I read about APX/NVFlash which (subject to the backup) gives my device a true bootrom recovery to allow me to restore my device in the case of a brick (handy for if I mess around with custom roms).
So far I've tried using both Windows 8 (with Nvidia generic drivers) and Linux Mint 15 (in a VM) but both have ended in failure producing the following errors:
Windows 8) "Unknown Device Found"
Linux) "Nvflash v1.5.66719 started
rcm version 0X4
Command send failed (usb write failed)"
Two theories I have right now are 1) I'm missing something e.g. firmware.bin, key, etc. or 2) NVFlash is incompatible with my tablet but the problem is I can only find information/specific software for other tablets e.g. Asus TF.
Are there any suggestions for what I can try to get this working? I am able to get temporary root access via CWM and ADB if I need to get anything off the device.
Thank you.
Boot Rom is DRM protected
tech3475 said:
rcm version 0X4
Command send failed (usb write failed)"
Thank you.
Click to expand...
Click to collapse
0x4 incidates the Boot Rom is DRM protected.
As far as I got you need to change the motherboard to an unprotected Boot Rom.
m.hataj said:
0x4 incidates the Boot Rom is DRM protected.
As far as I got you need to change the motherboard to an unprotected Boot Rom.
Click to expand...
Click to collapse
Thanks
Looks like it will be impossible (for me) then since I can't find anything about it for this tablet (e.g. SBK, bootloader, etc.) for this model and I can't do something this low level.
I'll start first with the specs.
On the box, it says "Turbo Touchscreen Internet Tablet T9020". In the settings, it says "rk30sdk".
RAM: 1GB
CPU: 1.2ghz(Cortex A9) dual core
Android version: 4.2.2 Jellybean
I didn't do a nandroid backup because it seemed impossible as it COULDN'T boot into bootloader mode which was required to backup using rockchip tools. It doesn't have a custom recovery.
It started to bootloop when i messed around with the build.prop. I tried to pull it using ADB (so i could revert the changes) but I can't. I can't mount /system. Additionally, when I'm in ADB SHELL, i couldnt just use any command without typing "busybox" first. If i dont type "busybox <command>" it will just say that it can't find the command in blah blah something like that.
I also tried to open the tablet physically, hoping to find "clues" and on the CPU, "RK3168" is written. After that, i downloaded a firmware for "Cube U25GT" which was also an rk3168 and I tried to flash it, but still, no luck. The tablet wasnt even detected by rockchip's flash tool.
I would really appreciate your help
bump
I have a chinese TVpad2 mini-pc running on custom linux (factory OS) with busybox.
I want to install Android or anything other than the factory OS but there's a lot of problems with this device:
-Filesystem is CRAMFS
-Can only access as root through telnet
-Can't access bootloader or put into FWDN (no info how this is done for this device)
What I have:
-Firmware update that contains the kernel
-Telnet root access
-Physical access to device (USB flashdrive only)
There is a forum dedicated to TVpad but they are also having trouble installing an OS on tvpad2...
What do I need to know that will help me accomplish this?
thanks
TVpad3
Hi,
I actually have TVpad3 which is very similar to your TVpad2, and Im very keen on having Android developed for these TVpads.
Theres probably thousands of these wasted devices around the world after the TVpad pirate network got shutdown.
Ive searched high and low, and so far have Not found any trace of any custom Android development anywhere.
So hopefully we can kick start something here !
This is what I know so far ....
Since the devices run on highly stripped-down Android OS, we know these devices can run android and should be a potential for custom Android development.
Unfortunately theres little hardware or development info out there for these devices.
But as far as I know, the hardware platform for these models are all based on Telechip TCC89xx chips.
https://www.telechips.com/eng/Product/consumer_pro13.asp
I have a TVpad3 personally, which I believe is based on a Telechips TCC8925.
Ive found that there are a few similar devices out there based on this platform, including the Pandawill CX-01 TV sticks which have very similar specs to TVpad3 (512mb RAM, 4gb Flash).
So we definitely know that the TVpad's hardware is capable of running full blown Android !
http://www.cnx-software.com/2012/06...v-box-powered-by-telechips-tcc8923-cortex-a5/
http://www.slatedroid.com/topic/36988-cx-01-cortex-a5/
Telechips has released platform sources here, with the latest being Android KitKat... its a bit old but could have potential for a starting point...
https://www.telechips.com/technical_support/kor/opensource/opensource_list.asp
I havent found anything about booting these devices into Recovery or ADB.
But there seems to be some mention of a "FWDN" mode here:
http://freaktab.com/forum/tv-player-support/other-tv-players/4695-cx-01-information-by-tatubias
http://tvpadtalk.ca/discussion/506/how-to-unbrick-your-tvpad1
http://androtab.info/arm/telechips/how-to-update/
http://auswitch.xyz/2012/08/16/how-to-upgrade-firmware-for-cx-01-mini-pc/
From what I can gather, FWDN works in conjunction with a Windows-based utility used to flash firmware over a USB cable.
And this poses the biggest problem for TVpads, they DONT have any peripheral USB port !
I've pulled my TVpad3 apart, and found what appears to be provision for a USB header, but im not sure if these are functional even if a USB socket was soldered in ?
If we can get a functional USB peripheral port working, then that would lead us to the Second problem, that is, HOW to activate FWDN mode on the TVpad ?
From what I can gather, different Telechip TCC89xx based devices seem to have different ways to enter FWDN mode.
Some devices require a certain key combo to be pressed during power up, while others need a hidden button pressed or certain pins on the circuit board to be shorted.
So before we can even think about developing Android, we need to figure out those two issues...
1 - USB connectivity, so that we can flash it with FWDN tool.
2 - How to enter FWDN mode, so that the FWDN tool can talk to the TVpad.
If we can overcome these two issues, then we can start building sources.
Or even flash ROMs from similar Telechip TCC89xx based devices.
Anyway, I hope this helps anyone out there.
And I hope we can really make some progress here
.
Unfortunately I've hard-bricked my TVpad2 playing around with fdisk command in telnet. I found out that if you repartition and then copied all the data back, changes will be persistent so you can store whatever onto the NAND flash. Just don't delete the partition containing linux which I idiotically did... oh well.
Anyway there's a command utility "tccbox" with various tools one of them having the ability to update firmware. Hopefully TVpad3 has it as well?
Sorry to hear you bricked your TVpad !
I guess your only way back is to FWDN flash it.
I wasnt even aware the TVpads had telnet enabled.
But that "tccbox" utility sounds very interesting.
I wonder if we can use it to flash firmwares from other TeleChips based devices ???
.... such as the Pandawill CX-01 TV sticks.
wildchill said:
Sorry to hear you bricked your TVpad !
I guess your only way back is to FWDN flash it.
I wasnt even aware the TVpads had telnet enabled.
But that "tccbox" utility sounds very interesting.
I wonder if we can use it to flash firmwares from other TeleChips based devices ???
.... such as the Pandawill CX-01 TV sticks.
Click to expand...
Click to collapse
Hi i have found my old TVpad3 but no working now, i want flash it for use to android device, you have any tutorial for this PLS
TY
Is this the right forum area? I posted over in CF-Auto root with no response, figured I would try here.
http://www.randmcnally.com/product/tnd-tablet
It supposedly has a custom proprietary build Rand McNally uses. It has a built in recovery of which I'll post a screen.
The "reboot to bootloader" option simply hangs on the boot screen.
I've tried kingroot/kingoroot, towelroot, and googled my life away trying to root this GPS/tablet.
There doesn't seem to be a way to flash a custom recovery without bricking it(unsupported device), and there's no way to pull the recovery.img without root!
Can anyone help? The rooting of these devices would open up a world of possibilities.
How is it possible to root this thing if its not recognized by fastboot? Any attempt of rebooting into bootloader even through external tools is stuck on bootscreen.
It allows the Delevoper option of unlocking bootloader, but how if I can't even send the command? Not only is bootloader locked, it seems completely off limits.
Some possibly relevant details from bugreport, and the logcat file???
========================================================
== dumpstate: 2017-08-30 20:23:15
========================================================
Build: LVY48E.20170428-091903
Build fingerprint: 'TNDT80B/tulip_p1/tulip-p1:5.1.1/LVY48E/20170428-091903:user/'
Bootloader: unknown
Radio: unknown
Network: (unknown)
Kernel: Linux version 3.10.65 ([email protected]) (gcc version 4.9.3 20150113 (prerelease) (Linaro GCC 4.9-2015.01-3) ) #3 SMP PREEMPT Fri Apr 28 09:03:37 CST 2017
Command line: enforcing=1 earlyprintk=sunxi-uart,0x01c28000 initcall_debug=0 console=ttyS0,115200 loglevel=0 root=/dev/system init=/init [email protected]:[email protected]:[email protected]:[email protected]:[email protected]:[email protected]:[email protected]:[email protected][email protected]:[email protected]:[email protected]:[email protected] cma=256M androidboot.serialno=74005034440c1c05088e androidboot.hardware=sun50iw1p1
------ MMC PERF (/sys/block/mmcblk0/stat) ------
*** /sys/block/mmcblk0/stat: No such file or directory
Ok, it is now recognized by my system by fastboot, but no fastboot commands will work! Stuck on the boot animation even though recognized.
Any checks for OEM Device info, Locked bootloader, or Tamper flags just hangs...
Down another rabbit hole after finding out this thing is an "AllWinner" brand Android tablet...
Hey, any chance you could upload the Launcher APK and lib s? I'm also investigating root on a TND740 (which is also Android based), so maybe I can help if I find anything out. The launcher would be awesome though. Thanks!
I'd love to put that software on my Asus Tablet <3 hook us up
tnd t80b bootloop no adb permissions
Hey guys, I have a bootloop on this tablet. And I managed to wipe adb certificates off it so I cant even adb in anymore. TND T80B Anyone have a stock Firmware or any clue how to use this tablet again.
Thanks for any help!
How did u get into fastboot mode from engineering menu? I cant seem too, it just reboots too system after about 1 min.
I assume, like to enter recovery menu, there is a key press combo i need too use after choosing fastboot mode, but i dont know what it is
I think you adb reboot ....
it could be .. bootloader.. fastboot..RUU...RRU..recovery..
I cant remember exactly. I had to get root first I think. this device has an Allwinner A64 chipset on a tulip board. Allwinner has everything available on github and a wiki site for building roms for this device and others.
Felmode... look it up... these are unbrickable...
if you find a rom or a Stockrom let me know please
---------- Post added at 12:30 AM ---------- Previous post was at 12:26 AM ----------
if I could ever get a copy of the api or a compiler to work correctly on linux... I'd have my own to flash on.
Also I've never tried but there is another USB port on the back of this thing where the 2nd GPS hooks on. you might be able to boot or access some un secured path through that.
Lostwon said:
I think you adb reboot ....
it could be .. bootloader.. fastboot..RUU...RRU..recovery..
I cant remember exactly. I had to get root first I think. this device has an Allwinner A64 chipset on a tulip board. Allwinner has everything available on github and a wiki site for building roms for this device and others.
Felmode... look it up... these are unbrickable...
if you find a rom or a Stockrom let me know please
---------- Post added at 12:30 AM ---------- Previous post was at 12:26 AM ----------
if I could ever get a copy of the api or a compiler to work correctly on linux... I'd have my own to flash on.
Also I've never tried but there is another USB port on the back of this thing where the 2nd GPS hooks on. you might be able to boot or access some un secured path through that.
Click to expand...
Click to collapse
I guess i should have been more careful when i posted here, i actually have an Rand McNally OveryDryve 8 not a TND series tablet, and thats the one i cant get into fastboot too get the bootloader unlocked and then root and stuff....
If i cant get fastboot commands too works i cant do anything else...
I would use dr.Phone like others have, but it does not install seemless root apparently, it modifies files that break updates, and i dont want that, id prefer Magisk with seemless so i can then install safteynet and gapps properly
How can I get a copy of the truck gps app to load on another tablet?
AllenScott said:
How can I get a copy of the truck gps app to load on another tablet?
Click to expand...
Click to collapse
Short answer.... You cant.... I tried with a previously rooted model too send the apk file, even if it installs on your new device, it wont work without ALL of the RM Services apps as well, and all have too be system apps and setup just right or its not going too work... I gave up and never ened up getting it too work because i couldnt get half of the apks too istall let alone run without crashing constantly...
I've spoken to rand and they seem to think their GPS hardware is better than that found in today's phones like they are Holy as ####. Their systems are junk but the 2.0 navigation is far worse, I want to pull the old software and install it to a newer or different device like y'all. I'm willing to put some money towards the goal, I know some of my friends would do the same, anyone up for starting a fund, or someone have the skills to make it happen? Let's get this rolling!
Side notes, if you look at the older devices specifically the tndt80 that has Google play on it, (newer ones don't!) I at one time had the installation files and installed them onto a cell phone. I was able to run a route comparison before the software realized my Samsung galaxy wasn't a tnd tablet, once it realized it wasn't one of their devices it had a message saying that and closed down.
I'm pretty sure that's on one of my old phones with a busted screen, I'll get some screens ordered and see if I'm right (hopefully!)
So besides the installation files that would be the next hurdle, maybe an emulator to bypass the device name/serial etc to allow it to run?