Need tech advice before archeology - Android Q&A, Help & Troubleshooting

Hi everyone,
I own a PonoPlayer which is running Android 2.3 (ARM v7 / Cortex A8). I'd like to perform some software upgrades but sadly the device is not running adb.
I'd like some tech advice before going deeper, just to make sure I'm using the proper approach and not wasting my time
Disclaimer: I read everything I could find about the Pono (there's some old thread about it on this forum) but that didn't really help.
What I already tried:
Because I'm more of a developer and vulnerability researcher, I started with what I'm comfortable with: looking for vulnerabilities. I decompiled the main APK (player-release.apk) but found nothing obviously exploitable.
The last available firmware update is version 1.0.6. The upgrade bundle is clearly based on that: https://github.com/Lekensteyn/make-gapps-zip
Decompressing the archive using apktool shows:
boot.img
META-INF (which contains META-INF/com/google/android/updater-script)
recovery
system
The update bundle seems to be signed using the test-keys found on the above repository. So I tried to forge a fake 1.0.7 update bundle by simply unpacking 1.0.6 and repacking + signing. This fails: the player detects the 1.0.7 update bundle, tries to perform the upgrade and is stuck. Obviously, something wrong happens, but since I've no log or any kind of remote access, there's no way for me to debug.
Next step:
I plan to set up an Android 2.3 emulator, running a dummy ARMv7 image, and use it to load the 1.0.6 legit update bundle. Thus I would have something close to the real Player image.
From this, I would be able to load my 1.0.7 fake update and see what goes wrong.
Is there something obvious that I'm missing? Is this the proper approach?
Thanks for any advice!

Alright, here's my own follow-up!
I ended up finding how to create an OTA package for the Pono Player.
Basically, I start from the last known firmware (1.0.6), patch it and re-bundle it.
Hopefully, the Pono Player uses the Android test keys ...
My main issue (for the last 4 years..) was that the whole OTA package is signed, not just its contents, by adding a specially crafted zip comment.
This can be enabled by using the "-w" option of the signapk command.
I've successfully updated the licences.txt file (let's start small) on the device.
All the required scripts for unpacking/repacking an OTA package are available here: https://github.com/NothNoth/PonoPwn
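To illustrate the whole-file signing the follow-up describes, here is an added Python example (written for this page; it is not part of the PonoPwn scripts or anything else the poster released). It builds a small zip in memory, appends an archive comment in the layout `signapk -w` produces (a readable message, a NUL, the signature block, then a 6-byte footer: signature offset, 0xFFFF, comment length), and parses that footer with the same structural checks Android's recovery verifier applies. The signature block is a constructed stand-in, not a real PKCS#7 blob, and the file names inside the zip are made up.

```python
"""Locate and check the whole-file signature that `signapk -w` appends to an
Android OTA zip. Editor-added example; the signature block is a stand-in."""
import hashlib
import io
import struct
import zipfile

FOOTER_SIZE = 6          # uint16 sig offset, 0xFFFF marker, uint16 comment length
EOCD_HEADER_SIZE = 22    # end-of-central-directory record without its comment
EOCD_MAGIC = b"PK\x05\x06"

# Constructed stand-in for the PKCS#7 block a real signer would emit; it only
# needs to be recognisable when we parse it back out.
FAKE_SIGNATURE = bytes([0x30, 0x82, 0x00, 0x40]) + bytes(range(64))


def build_plain_zip(files):
    """An ordinary zip with an empty archive comment (what a repack produces)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        for name, data in files.items():
            zf.writestr(name, data)
    return buf.getvalue()


def build_whole_file_signed_zip(files, signature_blob=FAKE_SIGNATURE,
                                message=b"signed by SignApk"):
    """Append a comment in the signapk -w layout: message, NUL, signature
    block, then the 6-byte footer. Only the layout is real; the blob is fake."""
    body = build_plain_zip(files)
    if not body.endswith(b"\x00\x00"):      # EOCD comment length must be 0
        raise ValueError("expected an EOCD record with an empty comment")
    comment_head = message + b"\x00" + signature_blob
    total_size = len(comment_head) + FOOTER_SIZE
    if total_size > 0xFFFF:
        raise ValueError("comment does not fit a 16-bit length field")
    # Distance, counted back from end of file, to the start of the signature.
    signature_start = total_size - len(message) - 1
    footer = struct.pack("<HHH", signature_start, 0xFFFF, total_size)
    return body[:-2] + struct.pack("<H", total_size) + comment_head + footer


def parse_whole_file_signature(data):
    """Apply the recovery verifier's structural checks and return
    (signed_len, signature_bytes). Raises ValueError when the package is not
    whole-file signed or the footer disagrees with the EOCD record."""
    if len(data) < FOOTER_SIZE + EOCD_HEADER_SIZE:
        raise ValueError("file too short to hold an EOCD record and footer")
    signature_start, marker, comment_size = struct.unpack("<HHH", data[-FOOTER_SIZE:])
    if marker != 0xFFFF:
        raise ValueError("no 0xFFFF footer marker: package is not whole-file signed")
    eocd_size = comment_size + EOCD_HEADER_SIZE
    if eocd_size > len(data):
        raise ValueError("comment length runs past the start of the file")
    eocd_offset = len(data) - eocd_size
    eocd = data[eocd_offset:]
    if eocd[:4] != EOCD_MAGIC:
        raise ValueError("EOCD magic is not where the comment length says it is")
    if EOCD_MAGIC in eocd[4:]:
        raise ValueError("second EOCD marker inside the comment region")
    if signature_start <= FOOTER_SIZE or signature_start > comment_size:
        raise ValueError("signature offset lies outside the comment")
    # Everything before the 2-byte comment-length field is signed, so the
    # archive entries and the central directory are all covered by the hash.
    signed_len = eocd_offset + EOCD_HEADER_SIZE - 2
    signature = data[len(data) - signature_start:len(data) - FOOTER_SIZE]
    return signed_len, signature


def is_whole_file_signed(data):
    try:
        parse_whole_file_signature(data)
        return True
    except ValueError:
        return False


def signed_region_sha256(data):
    """Digest of the bytes a verifier checks the signature against."""
    signed_len, _ = parse_whole_file_signature(data)
    return hashlib.sha256(data[:signed_len]).hexdigest()
```

Because the signed region ends just before the comment-length field, unpacking and repacking the archive with a stock zip tool rewrites the EOCD record without the comment and the footer marker disappears with it; `is_whole_file_signed` returns False for such a repack even if every entry was re-signed individually.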

Related

Places to host toolsets and boot/recovery roms?

I have been working on some boot/recovery ROM rebuilds for the Garmin/Asus Garminfone A50 (T-Mobile), as well as the scripts and instructions... I'm not sure where to host them.
I personally don't want to host them myself, and was wondering if there is a repository of sorts.
At the moment, I have the following:
* The tools necessary (dump_image & flash_image) to dump the firmware from the phone
* The scripts necessary to unpack/repack the boot/recovery ROMs (modified to support the Garminfone's different address layout). Linux based.
* Pre-built boot and recovery images that give permanent root and mount the system/data partitions as r/w by default.
* Instructions on how to do it yourself, complete with some tech info on the layout of the Garminfone boot/recovery images and how to verify before you flash it that it built properly.
* Instructions on how to flash the phone without risking bricking it, since there is no hardware key combo to get into recovery and a fastboot that's not fully implemented. The technique goes like:
- Verify with a hex editor that the proper addresses are in the header
- Flash the new boot image to recovery
- Reboot into recovery to make sure it boots the new boot image properly
- Flash the rooted recovery image to the recovery partition
- Reboot into recovery once more and verify that works
- Flash the tested boot image to the boot partition
- Reboot normally and have fun
That method works fairly well and, unless you target the wrong partition, gives you a 99.9% success rate.
I'm going to post what I can on the Wiki (as far as instructions go), but it would be nice if I had a place to put the tool set as well.
I'd rather not use one of the temporary sites like Mediafire or what not, since files on those sites have a tendency to disappear.
Please no PM's on having me send them the files directly. I don't have a heck of a lot of spare time and don't want to get into the habit of sending these out manually.
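The first step of merwin's flashing technique, "verify with a hex editor that the proper addresses are in the header", can be turned into a script. The following is an added Python example written for this page, not one of merwin's tools: it parses the legacy (v0) Android boot image header (`ANDROID!` magic, kernel/ramdisk/second sizes and load addresses, tags address, page size) and reports anything that would make the image unsafe to flash. The `EXPECTED_ADDRS` values are placeholders (the stock mkbootimg defaults), not the Garminfone's real layout; substitute the addresses from a known-good dump of your own device. The sample image is constructed inline.

```python
"""Pre-flash sanity check for an Android boot/recovery image header.
Editor-added example; EXPECTED_ADDRS are placeholders, not a real device's."""
import struct

BOOT_MAGIC = b"ANDROID!"
# Legacy boot_img_hdr: magic, kernel_size, kernel_addr, ramdisk_size,
# ramdisk_addr, second_size, second_addr, tags_addr, page_size, 2 unused
# words, 16-byte name, 512-byte cmdline, 32-byte id.
HEADER_FMT = "<8s10I16s512s32s"
HEADER_SIZE = struct.calcsize(HEADER_FMT)   # 608 bytes
ADDR_FIELDS = ("kernel_addr", "ramdisk_addr", "second_addr", "tags_addr")

# PLACEHOLDER layout (mkbootimg defaults). Replace with your device's values.
EXPECTED_ADDRS = {
    "kernel_addr": 0x10008000,
    "ramdisk_addr": 0x11000000,
    "second_addr": 0x10F00000,
    "tags_addr": 0x10000100,
}


def align(n, page_size):
    return (n + page_size - 1) // page_size * page_size


def build_boot_image(kernel, ramdisk, addrs=EXPECTED_ADDRS, page_size=2048, second=b""):
    """Assemble a constructed boot.img: header page, then page-aligned
    kernel, ramdisk and (optional) second-stage blobs."""
    header = struct.pack(HEADER_FMT, BOOT_MAGIC,
                         len(kernel), addrs["kernel_addr"],
                         len(ramdisk), addrs["ramdisk_addr"],
                         len(second), addrs["second_addr"],
                         addrs["tags_addr"], page_size, 0, 0,
                         b"", b"", b"")
    out = header.ljust(page_size, b"\x00")
    for blob in (kernel, ramdisk, second):
        out += blob.ljust(align(len(blob), page_size), b"\x00")
    return out


def parse_boot_header(image):
    if len(image) < HEADER_SIZE:
        raise ValueError("image shorter than a boot header")
    f = struct.unpack_from(HEADER_FMT, image)
    if f[0] != BOOT_MAGIC:
        raise ValueError("missing ANDROID! magic: not a boot/recovery image")
    return {
        "kernel_size": f[1], "kernel_addr": f[2],
        "ramdisk_size": f[3], "ramdisk_addr": f[4],
        "second_size": f[5], "second_addr": f[6],
        "tags_addr": f[7], "page_size": f[8],
        "name": f[11].rstrip(b"\x00"), "cmdline": f[12].rstrip(b"\x00"),
    }


def check_boot_image(image, expected_addrs=EXPECTED_ADDRS):
    """Return a list of problems; an empty list means the image passes."""
    try:
        hdr = parse_boot_header(image)
    except ValueError as e:
        return [str(e)]
    problems = []
    for key in ADDR_FIELDS:
        if hdr[key] != expected_addrs[key]:
            problems.append("%s is 0x%08x, expected 0x%08x"
                            % (key, hdr[key], expected_addrs[key]))
    ps = hdr["page_size"]
    if ps == 0 or ps & (ps - 1):
        problems.append("page_size 0x%x is not a power of two" % ps)
        return problems
    # The header's sizes, rounded up to pages, must fit inside the file,
    # otherwise the flasher writes a truncated kernel or ramdisk.
    expected_len = (ps + align(hdr["kernel_size"], ps)
                    + align(hdr["ramdisk_size"], ps)
                    + align(hdr["second_size"], ps))
    if len(image) < expected_len:
        problems.append("image truncated: %d bytes, header describes %d"
                        % (len(image), expected_len))
    if hdr["kernel_size"] == 0:
        problems.append("kernel_size is 0")
    return problems
```

Run `check_boot_image` over a freshly repacked image before the "flash the new boot image to recovery" step; an empty list means the header matches the expected layout and the file is long enough for what the header claims.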
If you're against the typical file hosts and the files aren't too big you could try using dropbox or sugarsync and sharing the links.
Can I ask you a question? I have a Kyocera ZIO M6000 and have the openzio clockworkmod 2.5.1.1 port that only works with "fastboot boot openzio-recovery" and we have tried flashing to our recovery partition with no success. What will it take to break the tether and reboot recovery locally without fastboot?
Sent from my Zio using XDA App
merwin said:
I have been working on some boot/recovery ROM rebuilds for the Garmin/Asus Garminfone A50 (T-Mobile), as well as the scripts and instructions... I'm not sure where to host them.
I personally don't want to host them myself, and was wondering if there is a repository of sorts.
At the moment, I have the following:
* The tools necessary (dump_image & flash_image) to dump the firmware from the phone
* The scripts necessary to unpack/repack the boot/recovery ROMs (modified to support the Garminfone's different address layout). Linux based.
* Pre-built boot and recovery images that give permanent root and mount the system/data partitions as r/w by default.
* Instructions on how to do it yourself, complete with some tech info on the layout of the Garminfone boot/recovery images and how to verify before you flash it that it built properly.
* Instructions on how to flash the phone without risking bricking it, since there is no hardware key combo to get into recovery and a fastboot that's not fully implemented. The technique goes like:
- Verify with a hex editor that the proper addresses are in the header
- Flash the new boot image to recovery
- Reboot into recovery to make sure it boots the new boot image properly
- Flash the rooted recovery image to the recovery partition
- Reboot into recovery once more and verify that works
- Flash the tested boot image to the boot partition
- Reboot normally and have fun
That method works fairly well and, unless you target the wrong partition, gives you a 99.9% success rate.
I'm going to post what I can on the Wiki (as far as instructions go), but it would be nice if I had a place to put the tool set as well.
I'd rather not use one of the temporary sites like Mediafire or what not, since files on those sites have a tendency to disappear.
Please no PM's on having me send them the files directly. I don't have a heck of a lot of spare time and don't want to get into the habit of sending these out manually.
I would also suggest Dropbox, or I'd even host them off my computer via FTP.
Can your method work with Garminasus A10?
Merwin you still working on this?
Yeah, I am working on it still. I am still looking for a better place than dropbox or hosting off of someone's home PC...
As for the A10, if you can get me a dump of the boot and recovery images I can make one for that too... you will want to preferably use the dump_image utility to get the image and the flash_image utility to flash it.
I can probably attach those to a post with dump instructions. They're tiny.
Basically, you root your phone, copy the files to a certain location, type a couple commands to fix permissions on the executables, then run a command to dump the image.
Flashing back requires clearing the boot or recovery partition with a command and then using the flash_image command to flash it.
My method tests the new boot image first by flashing it to recovery first and rebooting into recovery to make sure the new image works. Then flash the modified recovery image to the recovery and make sure it is rooted (so you can get things up again if something does go wrong). Then you flash the new tested boot image to boot. If, for some reason, that fails, it should reboot automatically into recovery after a few boot failures. Never had to test that, since I pre-test all images I make.
Hi merwin, we are a fan group of the GA A10 and we trust a lot in your work! If you need any kind of help, contact me! You are probably the first in the world who can flash a GA phone.
Merwin, I'm not completely sure which type of place you're looking for if it's not either FTP or online file sharing:
Rapidshare
2shared
Filefront
4shared
Hi merwin,
I found this page, is that similar to your method? Hope you guys can find out something.
http://mygarminfone.blogspot.com/
afoster1003 said:
Merwin, I'm not completely sure which type of place you're looking for if it's not either FTP or online file sharing:
Rapidshare
2shared
Filefront
4shared
You forget one widely used protocol. Good old http on a standard web server.
Those other sites annoy me greatly, between the amount of ads, having to wait to download and daily limits, and the fact that they are temporary unless I pay. I am against them on principle.
I figure if there is enough interest, someone will step up to host them, otherwise I will just provide scripts, instructions, and technical info for people to do it themselves.
slumpz said:
Hi merwin,
I found this page, is that similar to your method? Hope you guys can find out something.
http://mygarminfone.blogspot.com/
You are my hero That blog has the missing pieces I need to keep going.
A couple of days ago I found some info on how to decompile the .update files which gives us the recovery image and system partition from any other phone that uses a similar format, like the Asus A10... providing a whole host of opportunities for the Asus phones that are still being maintained.
For instance, I grabbed the files from the Chinese A50 that has newer firmware.
With the info from the blog, I may be able to at least compile and integrate the newer kernel and wifi firmware (which is stored on the phone and loaded into memory at boot). The Chinese version does have newer wifi module firmware in it... whether it is compatible or not is another story.
On another note, has anyone successfully downloaded the open sources kernels from Asus? I have tried every method on their site and all but a couple of the kernel versions in the zip are corrupt. One from march extracts fine, so I may use that as a base to start with.
merwin said:
You are my hero That blog has the missing pieces I need to keep going.
A couple of days ago I found some info on how to decompile the .update files which gives us the recovery image and system partition from any other phone that uses a similar format, like the Asus A10... providing a whole host of opportunities for the Asus phones that are still being maintained.
For instance, I grabbed the files from the Chinese A50 that has newer firmware.
With the info from the blog, I may be able to at least compile and integrate the newer kernel and wifi firmware (which is stored on the phone and loaded into memory at boot). The Chinese version does have newer wifi module firmware in it... whether it is compatible or not is another story.
On another note, has anyone successfully downloaded the open sources kernels from Asus? I have tried every method on their site and all but a couple of the kernel versions in the zip are corrupt. One from march extracts fine, so I may use that as a base to start with.
I have, magically I might add. I downloaded the source for v.5.0.70 and managed to get it compiled. The resulting files can be found on my blog, the one Slumpz posted (I can't post links yet, lol).
The only problem is, I don't have much experience with anything Linux. But if you have any questions, Merwin, email me: [email protected].
Here's a little how to, just check my blog, or google: How To: Build Garmin-Asus Kernel from Source.
I am willing to give a subdomain/storage FTP access on this domain for the good of the community if it helps any:
Domain darkjester.net
Disk Usage 5.4 / 1500.0 MB
Bandwidth 100000 MB (100GB)
Home Root /home/a2931495
Apache ver. 2.2.13 (Unix)
PHP version 5.2.*
MySQL ver. 5.0.81-community
Activated On 2011-05-15 14:42
Status Active
Hello guys, are you still working on this.
I found out that A10 has a new firmware posted, which is versioned 5.2.7 instead of 5.0.x like the others. I wonder if there's any method to test this firmware on foreign A10 (non Chinese firmware)?
So, got an HTC Sensation 4G... meaning not much more work on the Garminfone for me.
Still trying to find time to compile everything that I have done into some semi-coherent document with the unlocked boot and recovery images. I still have the Garmin, so if someone manages a huge breakthrough then I may pick it up again. Really didn't want to get rid of the phone but there just isn't enough community development going on to make it worthwhile.
By the way, the Garminfone GPS blows every other phone away. The Sensation 4G is crap in comparison.

[Q] How to make a recovery-flashable Firefox OS rom?

Hi,
I'm actually trying to port Firefox OS 2.1 on the Nexus 7 2013 (aka "flo"), and after managed to download and compile the sources, I am facing a problem at the last step. Instead of flashing Firefox OS on my Nexus via the conventional method (using flash.sh), I would like to create a recovery-flashable zip file (as is often seen with custom ROMs). However, I have no idea how to build one, and the analysis of some zip files does not really helped me to understand which files to include and which script to write.
Here are the files generated by the build: http://i.imgur.com/MgobUsp.png
If anyone could help me and explain how to create that famous zip file ^^.
In advance,
thank you
Nobody? :-/
@cmbaughman was working on this in this thread: http://forum.xda-developers.com/showthread.php?t=2479192&page=6
ImCoKeMaN said:
@cmbaughman was working on this in this thread: http://forum.xda-developers.com/showthread.php?t=2479192&page=6
Due to a large project that came my way at work, I've been unable to work on this however I hope to in a few weeks after we demo our new apps. If you want to check mine out it's here http://goo.gl/gioiDv however the only real issue with mine which is quite fixable was that I used the wrong version of the Gaia, and webapps. You can use mine as a template really, here is how:
1. Build FF OS
2. Now when building (I am going from memory here so ask if you have questions), pass the argument otapackage and you'll get a "flashable" update.zip in your out dir.
3. Find either a fully built version of ff for any device but make sure its the same version, OR build Gaia yourself, see the official docs for how to do that as they explain it very well.
4. From that you go through the output and find the webapps dir.
5. Copy webapps to your built otapackage at /system/b2g/webapps.
6. Now I'd use either my update script from the link I gave you (after looking through and updating anything that needs updated because mine is a few months old.) Make sure there is nothing in there about formatting data or anything (cause you don't want to lose that!) And after repackaging (use a kitchen or whatever method you prefer), you'll have a flashable Firefox zip.
It's a process, so use a little trial and error and you'll overcome any issues you find. Any questions, let me know.
ImCoKeMaN said:
@cmbaughman was working on this in this thread: http://forum.xda-developers.com/showthread.php?t=2479192&page=6
Due to a large project that came my way at work, I've been unable to work on this however I hope to in a few weeks after we demo our new apps. If you want to check mine out it's here http://goo.gl/gioiDv however the only real issue with mine which is quite fixable was that I used the wrong version of the Gaia, and webapps. You can use mine as a template really, here is how:
1. Build FF OS
2. Now
Any progress on this? I'm interested in doing this.
Don't waste your time creating such a zip file, just use fastboot to flash the various IMG compiled files.

[SCRIPT][UTILITY] Suicide Flash for Moto

Drawing from the impressive work of CrashXXL in rooting our phones, jahrule in simplifying the process, and Sabissimo in developing a tutorial to bake in apps for those of us with locked bootloaders and write protected systems, I have with great effort arrived at this glorious day. I present to thee: Suicide Flash.
What is Suicide Flash? It is a collection of Bash scripts and other files which streamline and automate the process of using the Qualcomm emergency download mode (Qualcomm HS-USB QDLoader) to write to the system partition on Moto phones using MSM8960 processors. It applies the method used to root these devices (see here, for example) to the task of arbitrary system modification. In other words: Suicide Flash makes it easy(ish) to modify system files for those of us who can't use traditional methods.
Code:
DISCLAIMER: This is obviously a dangerous tool. I mean, it
flashes your phone by bricking it first. Be smart. I shan't be held
responsible if your phone melts, explodes, loses all of its data,
or cheats on you with a hula dancer.
Who Can Use It?
Suicide Flash is for sure compatible with most Moto X variants. The testing has been done primarily with an XT1049, the Republic Wireless model, but has also included the XT1060 (Verizon) and should work on most/all of them. However, in theory any phone, or at least any Moto phone, using the MSM8960 chip could be compatible, such as the Droid Turbo. So to simplify:
XT1049 (Moto X Republic Wireless): Tested and working
XT1060 (Moto X Verizon): Tested and working
XT1058 (Moto X AT&T): Untested, highly likely to work
XT10XX (Any other Moto X): Untested, likely to work
Others: Untested, may work as long as they use MSM8960
How Do I Use It?
Suicide Flash (SF) consists of three main scripts: a flashing script, a package creation script, and a pushing script. Details:
suicideflash.sh: Flashes SF packages to the phone in bricked (QDLoader) mode
pkgmaker.sh: For developers. Creates SF packages from system images.
suicidepush.sh: Uses the SF system to "push" system files in an ADB-like way
To use these scripts, simply extract them to a place of your convenience. All scripts must be run from the root Suicide Flash folder. Do not run any of them from within the "scripts" folder. Also, while it may not strictly be necessary, it is best (if you are developer) to include any relevant system images in the root Suicide Flash folder, as well.
As an end user, you can download SF packages created by developers and flash them using the main Suicide Flash script. As a developer, you can pull system images and use them to create SF packages with the pkgmaker.sh script. Anyone can feel free to use the Suicide Push script to push files to their device. For more information, here are the help pages for each.
Suicide Flash:
Code:
Usage: suicideflash.sh PACKAGE
Flashes PACKAGE to the system parition of a Moto phone using Qualcomm
emergency download mode.
Options:
-h, --help displays this help message
-s, --skip skips all prompts and runs without user interaction
Created by the Nicene Nerd, whose blog at <http://www.thenicenenerd.com/> has
absolutely nothing to do with Android
Package Maker:
Code:
Usage: pkgmaker.sh [OPTION]... ORIGINALSYSTEM TARGETDEVICE REQUIREMENTS
SYSTEMOFFSET OUTPUTFILE
Creates a Suicide Flash package for writing to Moto phones via the emergency
Qualcomm download mode.
Arguments:
ORIGINALSYSTEM provides the original system image to be modded
TARGETDEVICE specifies the model of phone for the package to flash
REQUIREMENTS notes any important requirements for the phone state
prior to flashing
examples: "Stock", "Rooted", or "Rooted+Xposed"
SYSTEMOFFSET the address of the system partition on the target device
should be in hex format (i.e. 0x6420000 or 6420000)
can use value ADB to pull the offset over ABD
OUTPUTFILE the name of the Suicide Flash zip package to be created
Options:
-h, --help returns this help message
-m MODDEDSYSTEM specifies an existing modded system image
if not given, will mount original for modification
Created by the Nicene Nerd, whose blog at <http://www.thenicenenerd.com/> has
absolutely nothing to do with Android
Suicide Push:
Code:
Usage: suicidepush.sh LOCALFILE REMOTEFILE
Uses Suicide Flash to push LOCALFILE to a phone system at REMOTEFILE.
Created by the Nicene Nerd, whose blog at <http://www.thenicenenerd.com/> has
absolutely nothing to do with Android
What Do I Need to Use It?
A Linux installation
ADB
Fastboot
Rhino
Python
A package called python-serial
VirtualBox
ADB Insecure (if developing or using Suicide Push)
If you don't have some of these (except, obviously, the first one and the last one), you can run the included script install-tools.sh. It will automatically install anything you're missing.
Okay, Give Me Step-By-Step Instructions
For End Users:
Download the attached Suicide Flash zip
Extract the zip to a convenient folder and open a terminal window there
Go ahead and use sudo su
Run install-tools.sh
Download an SF package from a developer for your device
Flash the package with the command:
Code:
./suicideflash.sh DOWNLOADEDPACKAGE.zip
Profit!
For Developers:
Download the attached Suicide Flash zip
Extract the zip to a convenient folder and open a terminal window there
Go ahead and use sudo su
Run install-tools.sh
Pull a system image from your phone
Run pkgmaker.sh to create an SF package
Upload the package for the benefit of others
For Anyone, to Use Suicide Push
Download the attached Suicide Flash zip
Extract the zip to a convenient folder and open a terminal window there
Go ahead and use sudo su
Run install-tools.sh
Push files to your phone's system partition with this command:
Code:
./suicidepush.sh LOCAL_SOURCE /system/PUSH_DESTINATION
So, What Can I Do with It Right Now?
If you're a developer, you can get to work creating SF packages for your device. If you're just a plain ol' user, there's not much to be done until others chip in. I have uploaded one package as a sample and for the convenience of anyone looking to root their XT1049 and install Xposed. I will maintain a master list of uploaded packages as people make them.
XDA:DevDB Information
Suicide Flash for Moto, Tool/Utility for the Moto X
Contributors
Nicene Nerd, CrashXXL, Sabissimo
Version Information
Status: Testing
Created 2015-08-07
Last Updated 2015-08-07
Master Package List
XT1049: Republic Wireless Moto X
- root-xposed-xt1049-4.4.4.zip: Root and Xposed for XT1049. Requires stock 4.4.4 from SBF, not OTA.
- busybox-xt1049-rooted-xposed-4.4.4.zip: BusyBox for XT1049. Requires 4.4.4 rooted w/ Xposed.
XT1058: AT&T Moto X
- root-xt1058-4.4.4.zip: Root for XT1058 KitKat. Requires stock 4.4.4 from SBF, not OTA.
- xposed-xt1058-rooted-4.4.4.zip: Xposed for XT1058 KitKat. Requires rooted 4.4.4.
- root-xt1058-5.1.zip: Root for XT1058 Lollipop. Requires stock 5.1 from SBF, not OTA.
XT1060: Verizon Wireless Moto X
- root-xt1060-4.4.4.zip: Root for XT1060. Requires stock 4.4.4 from SBF, not OTA.
- xposed-xt1060-rooted-4.4.4.zip: Xposed for XT1060. Requires rooted 4.4.4.
Changelogs:
08/07/2015 - v0.2
- suicideflash.sh: Increased wait period before giving error on not finding phone in emergency mode
- mountimg.sh: Fixed issue which would cause errors preventing images from mounting
- pkgmaker.sh: Added option to pull system image over ADB, improved error handling
Developer pkgmaker.sh Tutorial: Creating an Xposed Framework Package
Say you want to make a package that installs the Xposed framework, since that requires writing to /system. Here's how you would do it with Suicide Flash (assuming you have already rooted the phone):
Open a terminal window to your Suicide Flash root folder. Then sudo su.
Pull a system image. One way to do that:
Code:
adb root
adb shell dd if=/dev/block/platform/msm_sdcc.1/by-name/system of=/sdcard/originalsystem.img bs=1024
adb pull /sdcard/originalsystem.img
Run the pkgmaker script like this, assuming you're using a rooted XT1049 on 4.4.4, but you don't know the offset of the system partition, so you want to pull it via ADB. The script will be placed in output/xposed-flash-package.zip.
Code:
./pkgmaker.sh originalsystem.img XT1049 "Stock 4.4.4" ADB xposed-flash-package.zip
The script will pause when originalsystem.img is mounted for writing. As root, copy the Xposed app_process file (which you can extract from the APK if you need it) to "mnt-originalsystem.img/bin/app_process". Then press enter.
The script will continue executing, hopefully without errors.
Voila! Your package xposed-flash-package.zip is ready to upload and/or flash.
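The tutorial above takes an original system image, a modded one and the partition's SYSTEMOFFSET as inputs, and the thread later explains why the phone's system partition must be byte-identical to the one the package was built from. The following added Python example (written for this page; it is not pkgmaker.sh and does not reproduce the real SF package format) shows the arithmetic such a tool has to get right under the assumption that packages are positional writes: it fingerprints the original image, finds the blocks that differ, merges them into contiguous runs and converts each run into an absolute flash address using the offset syntax the help text allows. Both images are constructed inline.

```python
"""Block-level diff of an original vs. modded system image, mapped onto the
partition offset. Editor-added illustration; not the Suicide Flash package
format and not pkgmaker.sh."""
import hashlib

BLOCK_SIZE = 4096   # assumed write granularity for this illustration


def parse_system_offset(text):
    """SYSTEMOFFSET as the pkgmaker help describes it: hex, with or without 0x."""
    return int(text, 16)


def fingerprint(image):
    """SHA-256 of a full image: what a package should record about its base."""
    return hashlib.sha256(image).hexdigest()


def diff_images(original, modded, block_size=BLOCK_SIZE):
    """Return (offset, data) for every block that differs between the images."""
    if len(original) != len(modded):
        raise ValueError("images differ in size (%d vs %d bytes)"
                         % (len(original), len(modded)))
    changed = []
    for off in range(0, len(original), block_size):
        a = original[off:off + block_size]
        b = modded[off:off + block_size]
        if a != b:
            changed.append((off, b))
    return changed


def merge_runs(changed):
    """Collapse adjacent changed blocks into contiguous (offset, data) runs."""
    runs = []
    for off, data in changed:
        if runs and runs[-1][0] + len(runs[-1][1]) == off:
            runs[-1] = (runs[-1][0], runs[-1][1] + data)
        else:
            runs.append((off, data))
    return runs


def plan_writes(original, modded, system_offset, block_size=BLOCK_SIZE):
    """Absolute flash addresses (partition offset + run offset) and lengths.

    Every address is relative to the *original* image's layout, which is
    exactly why a device whose system partition differs from that image
    (for example after an OTA moved files around) ends up with a bootloop."""
    runs = merge_runs(diff_images(original, modded, block_size))
    return [(system_offset + off, len(data)) for off, data in runs]


def precheck_device_image(device_image, expected_fingerprint):
    """Guard to run before flashing: does the phone's current system image
    match the base the package was built from?"""
    return fingerprint(device_image) == expected_fingerprint
```

`precheck_device_image` is the programmatic form of the "Requires stock 4.4.4 from SBF, not OTA" notes in the package list: compare the image pulled from the phone with the fingerprint of the package's base before any write is attempted.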
Finally!
The XT1049 has stumped me for a long time, but finally someone found a way!
Just a thought as I'm going into this, there's no mention of drivers for linux. Obviously this isn't to "user" level yet, and I wouldn't put myself too much beyond that, but it's a nice thing to include. I'll be trying it later, but are the drivers for USB/ADB the same as the emergency mode drivers? I'm kind of nervous to try because of the soft brick, and there doesn't appear to be any mention of how the flashed file that bricks it is put back. I'm assuming I can pull the original image before I flash the new one, but I'm not sure yet.
Also, if you have it tested and everything with Republic, I would appreciate a torrent or hosted file somewhere. If there isn't one before I finish, I'll post it.
---------- Post added at 09:42 PM ---------- Previous post was at 09:38 PM ----------
Cindex said:
The XT1049 has stumped me for a long time, but finally someone found a way!
Just a thought as I'm going into this, there's no mention of drivers for linux. Obviously this isn't to "user" level yet, and I wouldn't put myself too much beyond that, but it's a nice thing to include. I'll be trying it later, but are the drivers for USB/ADB the same as the emergency mode drivers? I'm kind of nervous to try because of the soft brick, and there doesn't appear to be any mention of how the flashed file that bricks it is put back. I'm assuming I can pull the original image before I flash the new one, but I'm not sure yet.
Also, if you have it tested and everything with Republic, I would appreciate a torrent or hosted file somewhere. If there isn't one before I finish, I'll post it.
Sorry for the double post but I can't edit yet, just realized that the zip file there is all that's needed for Republic. I was going to post the ADB/USB driver setup link for linux, but I'm not allowed yet.
Cindex said:
The XT1049 has stumped me for a long time, but finally someone found a way!
Just a thought as I'm going into this, there's no mention of drivers for linux. Obviously this isn't to "user" level yet, and I wouldn't put myself too much beyond that, but it's a nice thing to include. I'll be trying it later, but are the drivers for USB/ADB the same as the emergency mode drivers? I'm kind of nervous to try because of the soft brick, and there doesn't appear to be any mention of how the flashed file that bricks it is put back. I'm assuming I can pull the original image before I flash the new one, but I'm not sure yet.
You shouldn't need to do anything special for Linux drivers. It works straightforwardly as long as you have fastboot and ADB. The flashed file that creates the softbrick is included by the package maker script in every Suicide Flash package, so it is easy to unbrick. In fact, I can upload another package just for unbricking if you'd like.
Added a BusyBox package for XT1049, and added root and Xposed packages for XT1060.
Edit: also added root packages for XT1058 on both KitKat and Lollipop, plus Xposed for XT1058 KitKat.
Nicene Nerd said:
You shouldn't need to do anything special for Linux drivers. It works straightforwardly as long as you have fastboot and ADB. The flashed file that creates the softbrick is included by the package maker script in every Suicide Flash package, so it is easy to unbrick. In fact, I can upload another package just for unbricking if you'd like.
That's good to know, I looked around and couldn't find anything on the driver for the Qualcomm Emergency Download mode. I suppose not needing one would be why. Actually some kind of emergency package to unbrick might be good. Now that I see the script in there I don't have a problem, but someone might like it.
So now I'm wondering if I actually have to do a factory reset again, or if I can just flash the SBF file itself and not have to wipe. I'm not sure how big of a difference there is, because I did the factory restore recently and the OTA update was like 6MB or something. I wouldn't think there'd be an issue flashing it rather than factory restore. Any ideas?
Also, if anyone knows a good way to do this with Virtualbox it would be a nice addition. I'm personally not going to bother since I already have a bootable Ubuntu USB, but it seems that most people would rather set up a VM with a small linux distro. If it had the tools baked in, it would make it an easy process.
Cindex said:
That's good to know, I looked around and couldn't find anything on the driver for the Qualcomm Emergency Download mode. I suppose not needing one would be why. Actually some kind of emergency package to unbrick might be good. Now that I see the script in there I don't have a problem, but someone might like it.
So now I'm wondering if I actually have to do a factory reset again, or if I can just flash the SBF file itself and not have to wipe. I'm not sure how big of a difference there is, because I did the factory restore recently and the OTA update was like 6MB or something. I wouldn't think there's be an issue flashing it rather than factory restore. Any ideas?
Also, if anyone knows a good way to do this with Virtualbox it would be a nice addition. I'm personally not going to bother since I already have a bootable Ubuntu USB, but it seems that most people would rather set up a VM with a small linux distro. If it had the tools baked in, it would make it an easy process.
Technically, the only reason for the SBF is because when you install OTA updates, files may end up in slightly different positions depending on the circumstances. For this to work, you must start with an identical system partition to the one used for making the package. So all you need to really do is extract the system.img and flash it, if you wish. No data loss necessary.
Also, I'll look into a minimal VM. I thought about actually trying to make a Windows version of Suicide Flash. I'm not sure which I'll end up with.
So I tried this on my Ubuntu 12.04.5 last night, and it didn't recognize the device in fastboot. I'm going to try on Ubuntu 15.04 soon here. Another question for you though, which sdk do I use for XPosed? I don't seem to be able to figure it out searching all over. I would think 16, but maybe it's for Lollipop?
I think I'm going to get some of these with the OTA, it'll make it easier for the average Republic user once it's gotten going.
Cindex said:
So I tried this on my Ubuntu 12.04.5 last night, and it didn't recognize the device in fastboot. I'm going to try on Ubuntu 15.04 soon here. Another question for you though, which sdk do I use for XPosed? I don't seem to be able to figure it out searching all over. I would think 16, but maybe it's for Lollipop?
I think I'm going to get some of these with the OTA, it'll make it easier for the average Republic user once it's gotten going.
I can't answer your Xposed Lollipop question. I was wondering the same thing, but I ended up simply pulling the file from an existing Xposed installation. I suppose you could do the same and then diff the files to find out which is correct.
As for the OTA, that's not possible. Every time an OTA is installed, the files can end up in different places on the flash memory, and this utility requires knowing the exact locations for making changes. You'd have to make separate packages for every phone. Otherwise you'll end up with bootloops.
Has anyone tried using Suicide Push? It's slow, but I thought it would be the more celebrated part of this since it lets you do basically the same as an ADB push to the system partition. You could even install Xposed that way:
Code:
./suicidepush.sh local_app_process_file /system/bin/app_process
Nicene Nerd said:
Has anyone tried using Suicide Push? It's slow, but I thought it would be the more celebrated part of this since it lets you do basically the same as an ADB push to the system partition. You could even install Xposed that way:
Code:
./suicidepush.sh local_app_process_file /system/bin/app_process
I'm still working on getting it to root. I was going to a few days ago, but my flash drive burned out. I'm going to try Ubuntu 14.04.3.
What linux distro did you use?
---------- Post added 14th August 2015 at 12:41 AM ---------- Previous post was 13th August 2015 at 11:47 PM ----------
Sorry to double post again, but I can't edit yet and have a few more things. I can't seem to be able to find a RW SBF file. I'm thinking restore from factory sounds like a good solution, but I don't know if that's the same thing.
How can I pull a system image if I'm not root? Without an SBF file, I need to package it for myself. Without root, I can't pull the system.img. I'm sure others on networks not covered yet would like to know also. Where did you get your system.img?
Also, if we can get this deep, and you can modify the bootloader, couldn't you just flash the old bootloader image and then the rest of the ROM? Then we could unlock the bootloader using older methods. We might have to flash block by block, but it should work?
Cindex said:
I'm still working on getting it to root. I was going to a few days ago, but my flash drive burned out. I'm going to try Ubuntu 14.04.3.
What linux distro did you use?
---------- Post added 14th August 2015 at 12:41 AM ---------- Previous post was 13th August 2015 at 11:47 PM ----------
Sorry to double post again, but I can't edit yet and have a few more things. I can't seem to be able to find a RW SBF file. I'm thinking restore from factory sounds like a good solution, but I don't know if that's the same thing.
How can I pull a system image if I'm not root? Without an SBF file, I need to package it for myself. Without root, I can't pull the system.img. I'm sure others on networks not covered yet would like to know also. Where did you get your system.img?
Also, if we can get this deep, and you can modify the bootloader, couldn't you just flash the old bootloader image and then the rest of the ROM? Then we could unlock the bootloader using older methods. We might have to flash block by block, but it should work?
I used Ubuntu 14.04.
The RW 4.4.4 SBF can be found here or here. It does not appear possible to pull a system image without root. But even without permanent root, KingRoot can get you temp root long enough to pull a system image.
As for the bootloader, there's certainly a chance that this could be done. It's just so risky that I won't try it myself. If there was a single variable missed, it could easily mean hard-brick. But in theory, as far as I understand, it might work. The biggest obstacle might be partition changes. If you got the bootloader to get into fastboot mode, though, you could presumably fix that with an old SBF.
Flashing the older bootloader will not work (I have tried and confirmed it does not work). It is because the efuses verify the bootloader.
Wow! That's a hell of a tool you've created here! Awesome job! I haven't tried it myself yet, but, judging by the source code, it should get the work done. More of a developer tool, of course, but it's more than impressive. Maaan, I wish there was a normal way to work with ext4 partitions to make it available on Windows))
Since you've made a "push" version of it (and that's the most interesting part, the longest though), the next step in future development should be doing the same with TWRP flashable zips. Some of them just put APKs in the system folder, some of them have shell scripts inside, I've yet to figure out the pattern. But that would be an awesome next step to this awesome project.
Download link not found )
There's a toolbar at top crash with download links next to discussions and screenshots.
Sabissimo said:
Wow! That's a hell of a tool you've created here! Awesome job! I haven't tried it myself yet, but, judging by the source code, it should get the work done. More of a developer tool, of course, but it's more than impressive. Maaan, I wish there was a normal way to work with ext4 partitions to make it available on Windows))
Since you've made a "push" version of it (and that's the most interesting part, the longest though), the next step in future development should be doing the same with TWRP flashable zips. Some of them just put APKs in the system folder, some of them have shell scripts inside, I've yet to figure out the pattern. But that would be an awesome next step to this awesome project.
I've actually started work on a Windows version, but it's on the back burner because school just started. Here's a hint, though: with OSFMount and Ext2Fsd, you can mount Moto system images (pulled from the phone, not SBF ones) as hard drives or removable disks. Suicide Flash for Windows will rely on them.
So what are the chances I could use this to pull a system.img, and actually go in and delete some apps out of my XT1058? I had some success but it pulled the image as a mbn and I'm hesitant to try flashing it.
lpjunior999 said:
So what are the chances I could use this to pull a system.img, and actually go in and delete some apps out of my XT1058? I had some success but it pulled the image as a mbn and I'm hesitant to try flashing it.
Here's what you'll want to do:
Create the system image on the phone with
Code:
dd if=/dev/block/platform/msm_sdcc.1/by-name/system of=/sdcard/oldsystem.img bs=1024
ADB pull or MTP copy the image to your PC.
Run pkgmaker.sh like so:
Code:
./pkgmaker.sh oldsystem.img XT1058 "My System" 4B000000 modded-system.zip
When prompted, you can delete apps as root from the mounted system image under mnt-oldsystem.img/app or mnt-oldsystem.img/priv-app
Continue and finish the script.
Flash with
Code:
./suicideflash.sh -s output/modded-system.zip

Some Hacking in Yoga Book

Hi folks.
I'm an Android firmware developer (you can see my posts here on XDA) who got a Yoga Book yesterday. For me it works as it should (for now), but my hacker soul spoke to me and said: "at least take a look to see what you can get from this device". I don't have much time, so I can't spend time doing ROMs or fixing things by myself, but I can share with you some info I got and help you with my knowledge if someone is interested in "playing" with this device.
First of all, I'm not responsible for anything that you may break following these steps. Almost all of them are tested and with some common sense you will not break anything, and if you do break anything I will try to help you fix it (if you are polite), but this is a work in progress and hacking, and the possibility of bricking the device is always there.
I only have the Android version without LTE, so I only tested on my Book.
So, here we go:
1) Secret codes:
I got these codes by decompiling EngineeringCode.apk with apktool. Be careful with them:
####0000# - Display version info
####7599# - Display hardware info
####8375# - Display baseband info
####1111# - Factory test
####2222# - Display SN
####7777# - Factory Reset???
####5993# - Display internal frameWork version
####7642# - Cut the power off to reload the PMIC - This command shuts down the device. Just press the power button to reboot.
####5236# - Display LCD name
####2834# - ES close test
####8899# - open the ums mode default for debug
####3333# - offline log
####3334# - offline modem log
####9527# - Mediaplayer setting
####78646# - RunIn test
####6020# - switch country code
####59930# - Display current country code
####8746# - Enter engineering mode
####4227# - Enter engineer test
####357# - DLP_TEST
To use these codes, open the contacts app, press the search button and enter the code in the search bar.
2) OTA Images
You can get OTA images directly from lenovo servers. Just open your browser and paste this url:
http://fus.lenovomm.com/firmware/3....WW06_BP_ROW&action=querynewfirmware&locale=en
Change device model if needed (LenovoYB1-X90F or LenovoYB1-X90L)
Change curfirmwarever to a valid OLD firmware, this way you will get the next one in age.
Change locale if needed.
With this url you will get a download url at the end of the result page. In this case: http://tabdl.ota.lenovomm.com/dls/v...S000426_1705080316_WW06_BP_ROW_WC80C2A0F2.zip
These images are not full OTA images, they are diff versions. This means that we can't use them to mod the image or recover a bricked device, but this is a first step.
3) Custom images
We don't have real sources to build a custom image (Lenovo's open source files are useless), but this doesn't mean that we can't modify stock images to take out useless APKs or get better performance.
We can get this using an Android Kitchen and a full update image for the device.
As Android kitchen you can use SuperR kitchen (https://forum.xda-developers.com/ap...chen-superr-s-kitchen-v1-1-50-v2-1-6-t3597434)
As full image, I only tested the one here (https://easy-firmware.com/index.php?a=browse&b=category&id=19521) because I can't download any newer one.
I tested uncompressing it, deodexing the APKs and building a new image. But I haven't tested it on the device because I need to install TWRP to flash the new image and I don't have time to test. But this should work, I've done it many times, so if someone is interested I can give steps to do it and support for testing.
If someone can get the latest full images, send them to me and maybe I can get some time to do some tests.
PS: Probably we could use this as a base to get LineageOS 14.1 working: https://github.com/latte-dev/android_device_xiaomi_latte/tree/cm-14.1
So, if you are interested in some hacking with the Yoga Book, contact me and we could team to get the most of this device.
First of all thank you for your post, it's really useful.
If you could somehow manage to boot Windows on this machine, it's by far the greatest war we have right now.
I'll promise you a lunch or dinner in Lisbon whenever you want!
joao1979 said:
First of all thank you for your post, it's really useful.
If you could somehow manage to boot Windows on this machine, it's by far the greatest war we have right now.
I'll promise you a lunch or dinner in Lisbon whenever you want!
Sorry, my knowledge of Windows is only user level. I install it on a personal computer to play games.
But I really don't know why people want to run Windows there, it will run slower than Android and it's less touch oriented... but I suppose that this is a chat for another thread.
corvus said:
Sorry, my knowledge of Windows is only user level. I install it on a personal computer to play games.
But I really don't know why people want to run Windows there, it will run slower than Android and it's less touch oriented... but I suppose that this is a chat for another thread.
In my particular case, I'll admit that it is for Football Manager, the touch version.
joao1979 said:
In my particular case, I'll admit that it is for Football Manager, the touch version.
Have you tried running it through CrossOver? It may be in its infancy but I have got a few apps running OK with it.
I have the full "YB1-X90F_USR_S000196_1611040312_WW06_BP_ROW" that I can upload somewhere if anyone can suggest a good site to do so without signing up. The file is about 2.5 GB.
It will be great if we could get the latest version, because maybe these older versions have older files that we have updated in our tablets.
Mixing files could give unknown problems
The current TWRP is based on the new Yoga Tab 3
I am starting to think they do not do full roms for this in the same way they do for a lot of their other devices.
We know the otas are available from tabdl.ota.lenovomm.com/dls/v6/ and are named according to the 2 builds that it bridges. As easy-firmware had the december full rom under the file name B1-X90F_USR_S000196_1611040312_WW06_BP_ROW-flashfiles.zip I had hoped that I could work out the file path to pull it down.
There were some interesting ideas here, https://forum.xda-developers.com/android/help/how-download-stock-roms-lenovos-ota-t3109507 but it seems there is a difference between phonedl.ota and tabdl.ota
Queries to full roms that work for phones, don't seem to work for the yoga book.
Anyone with more web knowledge able to pick this up? I am not sure the files are there but I feel they should be.
Good luck
Update: the downloads seem to be hosted via CloudFront. An Amazon service, but I can not find out a way of listing the available files. The latest full rom would be
http://tabdl.ota.lenovomm.com/dls/v6/YB1-X90F_USR_S000426_1705080316_WW06_BP_ROW_WC80C2A0F2.zip
But the Last 8 chars are random and we do not know what they are.
So we have two hopes. First work out the right query to the link from fus.lenovomm.com or two find a way of listing files available in tabdl.ota.lenovomm.com/dls/v6
Not sure I have got much further but I'll keep trying when I can.
Hey, I should mention that I have some files that you may find helpful; I got them from the easy firmware website. They're all the .img files for each partition in Android (ie. boot.img, cache.img, config.img, factory.img, recovery.img, system.img) as well as: biosupdate.fv, bootloader, firmware.bin and gpt.bin. However, these of course aren't in the normal "flashable .zip ROM" format. So unless you know how to take apart these .img files they aren't very useful. If you need any more help or have any other questions about how far we've come on our own, feel free to ask. danjac also has great knowledge of our efforts.
Yes, I know how to use them, unpack, modify, etc. But what I want is the latest version, not an old version (I have these files too). If you have them I can do some changes, debloat, etc.
Anyway, I see little interest in custom ROMs in this forum (probably because it's not a device with a lot of users or the users are not the techy kind), so I prefer to help others with info than do a custom ROM that only 2 or 3 people will use. Doing custom ROMs is a time hungry task and probably it isn't worth the effort. Anyway this device is not full of bloatware like Samsung ones, so it's usable as it is.
As I said in my first post if anyone is interested I can give some hints and support to modify the full image (but only the latest one).
It's so sad that there are only a few interested owners of this tab - it's such a nice device but I fear the day Lenovo decides to end their support for it. There will be no custom ROMs to switch to and keep the device alive - it will be a soon-to-be bit of old tech garbage. BTW, I still use my Asus Transformer Prime because of the nice community.
@NiffStipples I fully agree. This device is so powerful and it's a surprise that it is invisible to the "market". In my humble opinion the normal ROMs aren't that bad besides missing updates, but I would love to see all the power served through a custom ROM. Unfortunately programming is not my business.
Stefan
Broomfundel said:
Have you tried running it through CrossOver? It may be in its infancy but I have got a few apps running OK with it.
Interesting - is CrossOver good (and does it require a factory reset)?
Hi, it works well with some things and not others. Often the why and where are not obvious. It is basically "wine", the layer that allows some Windows apps to run on a Linux install, tweaked to work with Android. Just an install to put CrossOver on. Then another install (within CrossOver) to put your app on CrossOver. If it doesn't work out of the box, there are Windows libraries you can switch out and dependencies you can install (e.g. DirectX, .NET), even if you're not technical. I would say get on the beta program and give it a try.
Hi! What do you mean by "Lenovo's open source files are useless"? Do you refer to this package on Lenovo's support site? download.lenovo.com/consumer/open_source_code/lenovo_yb1_x90f_l_osc_201608.zip
I've entered the Android Yoga Book's BIOS and noticed that VT-x is enabled by default! With Limbo x86 we could get a fully working virtualized Windows or Linux, if it wasn't for... KVM. It seems like it's not enabled in Lenovo's default kernel. Could we get to recompile the kernel with this option on? I'm not a big Android/ROM expert but I surfed the open_source_code folder from Lenovo and it seemed, to me, that we could rebuild the kernel at least.
This could really change things!
morrolinux said:
Hi! What do you mean by "Lenovo's open source files are useless"? Do you refer to this package on Lenovo's support site? download.lenovo.com/consumer/open_source_code/lenovo_yb1_x90f_l_osc_201608.zip
I've entered the Android Yoga Book's BIOS and noticed that VT-x is enabled by default! With Limbo x86 we could get a fully working virtualized Windows or Linux, if it wasn't for... KVM. It seems like it's not enabled in Lenovo's default kernel. Could we get to recompile the kernel with this option on? I'm not a big Android/ROM expert but I surfed the open_source_code folder from Lenovo and it seemed, to me, that we could rebuild the kernel at least.
This could really change things!
How did you enter the BIOS? Can you boot from USB?
Anyone managed to use the SwiftKey keyboard?

[PonoPlayer] Crafting a new firmware

Hi,
I own a Pono player, which is great when it comes to sound, but has a crappy firmware.
On early versions, it seems that debugging was easier (https://forum.xda-developers.com/t/...-file-1-0-3-gingerbread-complete-rom.2967757/) but since version 1.0.6 everything is locked (or I'm missing something... how did they extract logs, ROMs, etc.?).
So my idea is to craft a fake update file in order to re-enable adb, push a new main app, etc.
The upgrade process works as follows:
- Connect the PonoPlayer and put a "pono_1.0.6.update" file on the /.pono/ directory
- Craft a firmware.xml file which is supposed to contain the current firmware version: set it to 1.0.5
- Disconnect the Pono, it now thinks it's on version 1.0.5 and an upgrade to 1.0.6 is available.
Internally, the main Pono app scans the .pono/ folder and calls RecoverySystem.verifyPackage.
This works just fine: the device updates again to version 1.0.6.
Now I want to modify this update file and I still have no success even with a simple unpack/repack, without touching anything, thus not altering signatures.
I've tried to unpack/repack using apktool ("apktool d pono_1.0.6.update" + "apktool b pono_1.0.6.update.out") but the firmware update fails (stuck at 0%, and according to the app code that's what happens when an unexpected exception occurs).
I've tried to re-sign it (PonoPlayer is using the android testkey) with no more success.
How is it that a simple unpack/repack creates an APK which seems wrong in some ways?
Thanks for any help, I'm quite stuck.
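As an added illustration (not code from this thread), the whole-file signature that RecoverySystem.verifyPackage checks is stored in the zip's end-of-central-directory comment, behind a 6-byte footer, so any tool that rebuilds the archive from its entries silently drops it. The script below builds a constructed package with a placeholder signature block (entry names and the block are made up; no real signing happens), parses the footer the way verifyPackage does, and shows that a plain repack no longer carries it.

```python
import io
import struct
import zipfile

EOCD_MAGIC = b"PK\x05\x06"   # end-of-central-directory record signature
EOCD_FIXED_LEN = 22          # EOCD size without the trailing comment
FOOTER_LEN = 6               # signature_start(2) | 0xFFFF(2) | comment_size(2)


def parse_ota_footer(data: bytes) -> dict:
    """Locate the whole-file signature block the way RecoverySystem.verifyPackage
    does; raise ValueError with a verifyPackage-style message when it is absent."""
    if len(data) < EOCD_FIXED_LEN + FOOTER_LEN:
        raise ValueError("file too short")
    footer = data[-FOOTER_LEN:]
    if footer[2:4] != b"\xff\xff":
        raise ValueError("no signature in file (no footer)")
    signature_start, comment_size = struct.unpack("<HxxH", footer)
    eocd_len = EOCD_FIXED_LEN + comment_size
    if eocd_len > len(data):
        raise ValueError("comment size exceeds file size")
    eocd = data[-eocd_len:]
    if eocd[:4] != EOCD_MAGIC:
        raise ValueError("no signature in file (bad EOCD)")
    # A second EOCD marker inside the record would make the signed region
    # ambiguous, so verifyPackage rejects it; mirror that check.
    if eocd.find(EOCD_MAGIC, 4) != -1:
        raise ValueError("EOCD marker found after start of EOCD")
    if not FOOTER_LEN < signature_start <= eocd_len:
        raise ValueError("signature offset out of range")
    return {
        "comment_size": comment_size,
        "signature_start": signature_start,
        # the PKCS#7 block sits between the start offset and the 6-byte footer
        "signature_block": eocd[eocd_len - signature_start:eocd_len - FOOTER_LEN],
        # everything up to, but excluding, the EOCD comment-length field is signed
        "signed_length": len(data) - comment_size - 2,
    }


def has_recovery_footer(data: bytes) -> bool:
    try:
        parse_ota_footer(data)
        return True
    except ValueError:
        return False


def build_demo_package(files: dict, sig_block: bytes) -> bytes:
    """Constructed fixture: a zip laid out like a signed OTA, but carrying a
    placeholder block instead of a real PKCS#7 signature."""
    total = len(sig_block) + FOOTER_LEN
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        for name, content in files.items():
            zf.writestr(name, content)
        # zipfile writes .comment into the EOCD record on close
        zf.comment = sig_block + struct.pack("<HHH", total, 0xFFFF, total)
    return buf.getvalue()


def repack_entries(data: bytes) -> bytes:
    """Rebuild the archive from its entries only, as apktool or a plain zip
    tool does; the EOCD comment, and with it the signature, is not copied."""
    src = zipfile.ZipFile(io.BytesIO(data))
    out = io.BytesIO()
    with zipfile.ZipFile(out, "w", zipfile.ZIP_DEFLATED) as zf:
        for info in src.infolist():
            zf.writestr(info.filename, src.read(info.filename))
    return out.getvalue()


if __name__ == "__main__":
    demo = build_demo_package(
        {"boot.img": b"\x00" * 64,
         "META-INF/com/google/android/updater-script": b'ui_print("demo");\n'},
        b"PLACEHOLDER-SIGNATURE-BLOCK",  # constructed, not a real signature
    )
    print("signed package:", parse_ota_footer(demo))
    print("after repack:  ", has_recovery_footer(repack_entries(demo)))
```

On a real update file, `has_recovery_footer` tells you whether a repacked zip even reaches signature verification, independently of which key signed it.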
NothNoth said:
Hi,
I own a Pono player, which is great when it comes to sound, but has a crappy firmware.
On early versions, it seems that debugging was easier (https://forum.xda-developers.com/t/...-file-1-0-3-gingerbread-complete-rom.2967757/) but since version 1.0.6 everything is locked (or I'm missing something... how did they extract logs, ROMs, etc.?).
So my idea is to craft a fake update file in order to re-enable adb, push a new main app, etc.
The upgrade process works as follows:
- Connect the PonoPlayer and put a "pono_1.0.6.update" file on the /.pono/ directory
- Craft a firmware.xml file which is supposed to contain the current firmware version: set it to 1.0.5
- Disconnect the Pono, it now thinks it's on version 1.0.5 and an upgrade to 1.0.6 is available.
Internally, the main Pono app scans the .pono/ folder and calls RecoverySystem.verifyPackage.
This works just fine: the device updates again to version 1.0.6.
Now I want to modify this update file and I still have no success even with a simple unpack/repack, without touching anything, thus not altering signatures.
I've tried to unpack/repack using apktool ("apktool d pono_1.0.6.update" + "apktool b pono_1.0.6.update.out") but the firmware update fails (stuck at 0%, and according to the app code that's what happens when an unexpected exception occurs).
I've tried to re-sign it (PonoPlayer is using the android testkey) with no more success.
How is it that a simple unpack/repack creates an APK which seems wrong in some ways?
Thanks for any help, I'm quite stuck.
Alright, I think I got it:
When rebuilding, the original scripts found in META-INF/com/ are lost. Just need to figure out how I can place them back.
It's probably time for me to read: https://forum.xda-developers.com/t/guide-index-how-to-modify-an-apk.4208093/post-84170227
NothNoth said:
Alright, I think I got it:
When rebuilding, the original scripts found in META-INF/com/ are lost. Just need to figure out how I can place them back.
It's probably time for me to read: https://forum.xda-developers.com/t/guide-index-how-to-modify-an-apk.4208093/post-84170227
For the record, I finally found how to fix that: https://forum.xda-developers.com/t/need-tech-advice-before-archeology.4306981/#post-85423037
Hi, I inadvertently wiped my Pono player, so now no music shows on the player or the SD card. I formatted the internal memory when I was supposed to format the SD card. I am sure the player will now be unusable. Is this right?
