Mecool KM2 - Root
Hi
Is there any chance for a TWRP or ROOT method for this Widevine certified Mecool device? Are TWRP, ROOT and MagiskHide possible?
Looking for someone who can help me root this device.
Code:
CPU: Amlogic S905X2 Quad Core ARM Cortex A53
GPU: ARM Mali-G31 MP2
OS: Android 10.0 ATV
Memory: DDR4 2GB, eMMC 8GB
Review: https://www.wirelesshack.org/review-mecool-km2-android-10-tv-box-2gb-ram-s905x2-cpu.html
reserved for future updates
LifelessLife said:
Mecool KM2 - Root
Hi
Is there any chance for a TWRP or ROOT method for this Widevine certified Mecool device? Are TWRP, ROOT and MagiskHide possible?
I don't think this will happen. This box is certified by Netflix.
Once you can root it, Mecool will lose the Netflix certification and most probably Mecool won't get certification in the future.
Noter2017 said:
Once you can root it, Mecool will lose the Netflix certification and most probably Mecool won't get certification in the future.
That's not true. Nvidia Shield is rooted, doesn't mean they cannot get future certifications.
rajricardo said:
That's not true. Nvidia Shield is rooted, doesn't mean they cannot get future certifications.
Can you name another box?
The Shield is a complete exception. Not even the certificated Xiaomi boxes can be rooted, even though they have a huge community.
Mecool also has to be super careful. Not that long ago they have been selling boxes with fake/illegal certificates that could play Netflix in HD. Netflix blocked all of these boxes at some point.
Hi All,
I'm fairly new to this android tv scene, but have been following these discussions for a couple months now... I'm a hardware guy, so I picked up a couple of these units, and dissected one, ie took off the CPU and emmc.
I'm still not quite understanding of what exactly is happening with 'unlocking' bootloaders, and how this AMLogic 'tee' environment fully works, maybe you all can try to help me out a bit..
but I did want to share that I see we can still USB boot this thing, and use the AMLogic burning tool to at least re-write an image to the flash... the 'boot_5' pin I've shown in the attached pics..
you can catch it from that via (or trace) in the pic, and just touch it to gnd while powering on the unit, and it goes into USB boot via the amlogic rom... world cup device comes up and you can indeed use the burning tool..
I also dumped the emmc flash if anyone wants it? I'm not sure if that helps for being able to root it though, that's where I need some help understanding... I realize there are BL1, BL2, and BL3 boot stages, BL2 & BL3 I believe are the 'boot.img' and 'bootloader.img' that are present in the flash? that right?
I can put the emmc dump up on a mega.nz link if anyone wants it, but wasn't sure if it matters...
Principal-McVicker said:
but I did want to share that I see we can still USB boot this thing,
By, "USB boot" do you mean actually boot operating system files from USB, or do you mean just the ability to obtain a burn mode (worldcup) connection over USB?
Principal-McVicker said:
I'm still not quite understanding of what exactly is happening with 'unlocking' bootloaders,
Skyworth has modified u-boot (bl33) for this device such that u-boot won't recognize an unlocked status for the bootloader.
Principal-McVicker said:
use the AMLogic burning tool to at least re-write an image to the flash...
For the above reason (no recognition of an unlocked status), flashing images that are not unmodified stock will fail verification and not boot.
Principal-McVicker said:
I also dumped the emmc flash if anyone wants it?
What version does it contain?
Hi,
So hopefully this will clarify a bit... the Amlogic S905X2/X3 uses the 'boot4/boot5/boot6' pins as the power-on boot order (power-on config) pins... these are shared pins that are also DAT4, DAT5, DAT6 (data bits 4, 5, 6) of the eMMC interface.
So internally the Amlogic has boot4/5/6 pulled up, i.e. '111' for the boot order. When you pull boot5 low, it goes to 101, i.e. USB first.... this is essentially what this is doing, so the Amlogic bootROM is now in USB boot first, versus eMMC.
(I'm assuming you can probably also do this by just shorting any of the eMMC data bits to gnd (versus just bit 5), causing corruption, and it should also fail over to USB..
I haven't tried to actually flash any image yet, but at least I see the worldcup device, and connect with the burning tool...
so I'll attach the bootup log, as well as the 'build.prop' from the /vendor folder in the image... I think this should tell you what version it's running...
*** BTW: forgot to mention, most of these devices that have a 'recovery' button or hidden switch seem to be using the 'GPIOA0_3' pin, a GPIO pin... and it's coded into the Amlogic u-boot code as 'AMLOGIC_KEY' or something like that... so when you hold it... u-boot eventually sees it and halts, and starts up the USB device ***
This is much later than when doing the above, putting the CPU into USB boot.. just FYI....
Another thing I wanted to mention, regarding the BL33 (which I now understand is u-boot): in the image dump, it starts at offset 0x200, and appears to probably be AES encrypted; there's not even a header on it?
I also took apart an X96 Max+ for comparison, since that box is pretty much open, and the flash image has u-boot unencrypted at the same location, and it starts with the @aml header...
I've been going through the AMLogic tools trying to understand where/how the encryption is done, but I don't understand yet how this BL33 is encrypted, and how BL32 knows what the keys are? and what's the difference from the X96 having u-boot unencrypted..
and in this one, the BL33 is encrypted? How did 'Skyworth' decrypt the bootloader to patch it?
(I'll follow-up with a mega.nz link with the mecool image once it finishes uploading)
Here's the full emmc dump:
734.74 MB file on MEGA
mega.nz
LifelessLife said:
Mecool KM2 - Root
Hi
Is there any chance for a TWRP or ROOT method for this Widevine certified Mecool device? Are TWRP, ROOT and MagiskHide possible?
Looking for someone who can help me root this device.
Code:
CPU: Amlogic S905X2 Quad Core ARM Cortex A53
GPU: ARM Mali-G31 MP2
OS: Android 10.0 ATV
Memory: DDR4 2GB, eMMC 8GB
Review: https://www.wirelesshack.org/review-mecool-km2-android-10-tv-box-2gb-ram-s905x2-cpu.html
Principal-McVicker said:
but at least I see the worldcup device, and connect with the burning tool...
Click to expand...
Click to collapse
Note that there are two types of worldcup connections. One is invoked entirely from bootrom, it is sometimes called usb download mode. It is sort of a DFU mode that has limited functionality.
In the uart console, a connection to this type of worldcup connection will look something like this;
Code:
G12A:BL:0253b8:61aa2d;FEAT:F2F939B2:32060;POC:F;RCY:0;EMMC:800;NAND:81;SD?:20000;USB:8
Note that nothing can be done using the burning tool, or the command-line update tool, with the above type of worldcup connection on the km2, due to download mode access being password protected on this device. Notwithstanding the fact that the usb burning tool will report the connection.
The second type of worldcup connection is invoked from an application in u-boot named "update". This type of worldcup connection can work with the usb burning tool or the command-line update tool. There is no password protection. In the uart console, a connection to this type of worldcup connection will look something like this;
Code:
InUsbBurn
wait for phy ready count is 0
[MSG]sof
Set Addr 1
Get DT cfg
Get DT cfg
Get DT cfg
set CFG
Get DT cfg
Get DT cfg
Principal-McVicker said:
I've been going through the AMLogic tools trying to understand where/how the encryption is done, but I don't understand yet how this BL33 is encrypted, and how BL32 knows what the keys are? and what's the difference from the X96 having u-boot unencrypted..
Read all of the stuff at the following link, starting from oldest to newest;
Code:
https://fredericb.info/tag/amlogic.html
Principal-McVicker said:
How did 'Skyworth' decrypt the bootloader to patch it?
Maybe it is not most correct to call it a "patch"; I use that terminology because that is what Skyworth uses. You'll see something like this in the uart console;
Code:
[sk_patch,24]amlogic's uboot for Android10().date:Apr 8 2021
Starting the controller
USB XHCI 1.10
scanning bus 0 for devices... 1 USB Device(s) found
scanning usb for storage devices... 0 Storage Device(s) found
** Bad device usb 0 **
[sk_usb_cfg_init,422]load file "/skyworth/factory_mode/uboot/check_udisk.cfg" from u disk failed!
[sk_boot,182]general boot.
Whatever skyworth does to u-boot, it is done at the source level before the bootloader is compiled.
Principal-McVicker said:
most of these devices that have a 'recovery' button or hidden switch seem to be using the 'GPIOA0_3' pin, a GPIO pin... and it's coded into the Amlogic u-boot code as 'AMLOGIC_KEY' or something like that... so when you hold it... u-boot eventually sees it and halts, and starts up the USB device ***
This is much later than when doing the above, putting the CPU into USB boot.. just FYI....
You can define the upgrade_key to be any gpio pin you like that is not otherwise used.
You can use GPIOA0_3, but I think skyworth also uses that for some usb power mode. I think I used GPIOA0_5, which is one of the pins on the uninstalled infrared led near the micro sd slot.
The factory location for the reset button is a side mounted smd switch below the microsd slot (opposite side of the board). In the FCC photos this switch is actually installed along with some smd resistors near it. I never figured out what gpio pin it uses. But it could never work without being defined in the environment, which it is not!
What's your end goal here? Modifying the bootloader will be rough unless you can get the bootrom keys. If you don't modify the bootloader so that an unlocked status is recognized, you can't flash non-stock partitions.
If you just want root, that can be done with a workaround. If you want to use the device to boot an alternate operating system, this probably can be done, with a workaround.
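The two worldcup connection types described above leave different traces on the UART console: the bootrom "download mode" prints a single banner line, while the u-boot "update" application prints "InUsbBurn", and a Skyworth-built u-boot additionally tags its output with "[sk_...]" lines. The following is an added example, not code from the thread, that classifies a captured console log into one of those two types and pulls the key:value fields out of the bootrom banner. The meaning of the two hex tokens after "BL:" is not documented on this page, so they are kept as raw strings; the sample lines are constructed from the console excerpts quoted in the post.

```python
import re
from typing import Dict, List, Optional

# Bootrom banner shape: "<SoC>:BL:<hex>:<hex>;KEY:VAL;KEY:VAL;..."
BOOTROM_BANNER_RE = re.compile(r"^[A-Z0-9]+:BL:[0-9a-fA-F]+:[0-9a-fA-F]+;")

# Skyworth-modified u-boot prints "[sk_<function>,<line>]" tagged lines; the
# sk_patch line carries the u-boot build date after "date:".
SK_PATCH_RE = re.compile(
    r"^\[sk_patch,\d+\].*?date:(?P<date>[A-Za-z]{3}\s+\d{1,2}\s+\d{4})"
)


def parse_bootrom_banner(line: str) -> Optional[Dict[str, object]]:
    """Split a bootrom banner into SoC name, raw BL tokens and KEY:VAL fields.

    Returns None when the line is not a banner. Values may themselves contain
    colons (e.g. "FEAT:F2F939B2:32060"), so only the first colon is a separator.
    """
    line = line.strip()
    if not BOOTROM_BANNER_RE.match(line):
        return None
    head, *pairs = line.split(";")
    soc, _bl, *bl_ids = head.split(":")  # meaning of bl_ids is not on the page
    fields: Dict[str, str] = {}
    for item in pairs:
        if ":" in item:
            key, value = item.split(":", 1)
            fields[key] = value
    return {"soc": soc, "bl_ids": bl_ids, "fields": fields}


def scan_console(lines: List[str]) -> Dict[str, object]:
    """Walk console output and report which worldcup type (if any) appeared."""
    result: Dict[str, object] = {
        "mode": None,            # "bootrom-download", "uboot-update" or None
        "banner": None,          # parsed bootrom banner, when present
        "skyworth_uboot": False,  # saw any "[sk_...]" tagged line
        "uboot_date": None,      # build date printed by sk_patch, if any
    }
    for raw in lines:
        line = raw.strip()
        banner = parse_bootrom_banner(line)
        if banner is not None and result["mode"] is None:
            result["mode"] = "bootrom-download"
            result["banner"] = banner
            continue
        if line == "InUsbBurn" and result["mode"] is None:
            result["mode"] = "uboot-update"
            continue
        if line.startswith("[sk_"):
            result["skyworth_uboot"] = True
            m = SK_PATCH_RE.match(line)
            if m:
                result["uboot_date"] = re.sub(r"\s+", " ", m.group("date"))
    return result


# Constructed samples, taken from the console excerpts quoted in the post.
BOOTROM_SAMPLE = [
    "G12A:BL:0253b8:61aa2d;FEAT:F2F939B2:32060;POC:F;RCY:0;EMMC:800;NAND:81;SD?:20000;USB:8",
]
UBOOT_SAMPLE = [
    "[sk_patch,24]amlogic's uboot for Android10().date:Apr 8 2021",
    "Starting the controller",
    "InUsbBurn",
    "wait for phy ready count is 0",
    "[MSG]sof",
    "Set Addr 1",
]

if __name__ == "__main__":
    print(scan_console(BOOTROM_SAMPLE))
    print(scan_console(UBOOT_SAMPLE))
```

On a real capture the first match decides the mode, so a log that shows the bootrom banner followed by a later u-boot "InUsbBurn" is reported as the bootrom type, which is the connection the burning tool reports but cannot use on a password-protected box.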
G12A:BL:0253b8:61aa2d;FEAT:F2F939B2:32060;POC:F;RCY:0;EMMC:800;NAND:81;SD?:20000;USB:8
Note that nothing can be done using the burning tool, or the command-line update tool, with the above type of worldcup connection. Notwithstanding the fact that the usb burning tool will report the connection.
Heya,
Just wanted to clarify on this... that is the USB connection right from bootROM that I get... and the burning tool would work if I had the bootrom pwd, as this unit reports PWD is needed...
I just did this last night on a 'banana pi M5', which does not have a pwd locked bootrom, and I did the usb burn from this boot method, as it did not have any code on it whatsoever prior to me loading it....
Thanks for all of the info BTW, I'll read over it all, what I really wanted to know about was how that BL33 was encrypted... I'll get back if I have more questions, but I really appreciate all the info
My end goal was really just to understand what all of you already knew, I just couldn't get my head around all of it... I wanted to either just load another OS on this entirely, or figure out a way to hack the bootloader....
Principal-McVicker said:
Just wanted to clarify on this... that is the USB connection right from bootROM that I get... and the burning tool would work if I had the bootrom pwd, as this unit reports PWD is needed...
Right, in order to use usb download mode, you need the password (if one is employed).
But this is a very odd use case for a worldcup connection. Unheard of for end-user use.
End users use the reset button, which runs the u-boot "update" application to establish a more robust worldcup connection that can flash and read, and even run u-boot shell commands, without any password.
yeah, so I've been looking at compiling source, as it's all up there for the banana pi, so I can play with all the pieces..
Is this skyworth info up in another thread here on this site?
Also, how did he actually write this re-compiled BL33 to the device? he re-program the flash and re-mount it? or just tap the lines and program in place?
Or, I'm taking a guess he may have used the unsigned loader exploit? I'm guessing that may not be patched in current bootROMs? or at least not all of them?
Principal-McVicker said:
these devices that have a 'recovery' button or hidden switch, seem to be using 'GPIOA0_3' pin, a GPIO pin...
goapy said:
The factory location for the reset button is a side mounted smd switch below the microsd slot (opposite side of the board). In the fcc photo's this switch is actually installed along with some smd resistors near it. I never figured out what gpio pin it uses. But it could never work without being defined in the environment, which it is not!
Since you have an extra km2 with the x2 SoC removed, can you trace back the factory reset button traces to the gpio location on the SoC?
I tried finding it by shorting the traces, and using u-boot's gpio command to see which pins had a status change, but I still couldn't find which gpio pin is being used by the factory reset switch location.
Principal-McVicker said:
Here's the full emmc dump:
734.74 MB file on MEGA
mega.nz
Thanks for this. This contains version;
MECOOL/HP4035-Mecool/LAS:10/QTT5.200819.003/C2.0.6_20210723:user/release-keys
Although over a year old, it is 4 months newer than what I had.
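The version string goapy reads out of the dump is an Android build fingerprint (brand/product/device:release/build id/incremental:type/tags). As an added example, not code from the thread, the following parses that fingerprint and compares build dates encoded in the incremental version, which is how "4 months newer" can be checked mechanically when two dumps are compared. The older fingerprint below is constructed for illustration (the thread does not give it), and the YYYYMMDD suffix convention is assumed to hold for this vendor only.

```python
import re
from datetime import date
from typing import Dict, Optional

# brand/product/device:release/build_id/incremental:build_type/tags
FINGERPRINT_RE = re.compile(
    r"^(?P<brand>[^/]+)/(?P<product>[^/]+)/(?P<device>[^:]+):"
    r"(?P<release>[^/]+)/(?P<build_id>[^/]+)/(?P<incremental>[^:]+):"
    r"(?P<build_type>[^/]+)/(?P<tags>[^/]+)$"
)


def parse_fingerprint(fp: str) -> Dict[str, str]:
    """Split a ro.build.fingerprint value into its named components."""
    m = FINGERPRINT_RE.match(fp.strip())
    if not m:
        raise ValueError(f"not a build fingerprint: {fp!r}")
    return m.groupdict()


def build_date(parsed: Dict[str, str]) -> Optional[date]:
    """Return the YYYYMMDD date at the end of the incremental version, if any.

    Assumption: this vendor suffixes the incremental with the build date
    (C2.0.6_20210723); other vendors encode dates differently or not at all.
    """
    m = re.search(r"(\d{4})(\d{2})(\d{2})$", parsed["incremental"])
    if not m:
        return None
    year, month, day = (int(x) for x in m.groups())
    return date(year, month, day)


def months_newer(older_fp: str, newer_fp: str) -> int:
    """Whole calendar months between two fingerprints' build dates."""
    a = build_date(parse_fingerprint(older_fp))
    b = build_date(parse_fingerprint(newer_fp))
    if a is None or b is None:
        raise ValueError("incremental version carries no build date")
    return (b.year - a.year) * 12 + (b.month - a.month)


def is_signed_user_build(parsed: Dict[str, str]) -> bool:
    """True for a production (user, release-keys) build, as opposed to an
    eng/userdebug build or one signed with test keys."""
    return parsed["build_type"] == "user" and parsed["tags"] == "release-keys"


# From the dump, as quoted in the post above.
DUMP_FP = "MECOOL/HP4035-Mecool/LAS:10/QTT5.200819.003/C2.0.6_20210723:user/release-keys"
# Constructed placeholder for an older build; not a real fingerprint from the thread.
OLDER_FP = "MECOOL/HP4035-Mecool/LAS:10/QTT5.200819.003/C2.0.5_20210323:user/release-keys"

if __name__ == "__main__":
    info = parse_fingerprint(DUMP_FP)
    print(info)
    print("build date:", build_date(info))
    print("months newer than older build:", months_newer(OLDER_FP, DUMP_FP))
```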
Since you have an extra km2 with the x2 SoC removed, can you trace back the factory reset button traces to the gpio location on the SoC?
I tried finding it by shorting the traces, and using u-boot's gpio command to see which pins had a status change, but I still couldn't find which gpio pin is being used by the factory reset switch location.
Sure thing... I'll do this tonight when I get back home from work, no problem at all...
I think the first step I'd like to try with this thing is just get root? if possible... or at least do something fun to it...
(best way to try and really get a better understanding of this arm tee is to work on a fully locked implementation like this one)
Principal-McVicker said:
I think the first step I'd like to try with this thing is just get root? if possible... or at least do something fun to it...
Since doing this is a rather technical process and requires verbose instructions, I'll send the details via direct message.
Principal-McVicker said:
(best way to try and really get a better understanding of this arm tee is to work on a fully locked implementation like this one)
It might help to turn on full log level console output for the stock build. Then at least you'll see all of the tee interactions during bootup.
goapy said:
Since doing this is a rather technical process and requires verbose instructions, I'll send the details via direct message.
It might help to turn on full log level console output for the stock build. Then at least you'll see all of the tee interactions during bootup.
Heya, Ok... that would be great if you could PM me whatever you can help with...
I double-checked myself, as I thought maybe I missed a u-boot console, but I don't see one on this thing. I don't see any way for it to break into u-boot or any stage while it's booting up? Nothing I hammer on the keyboard stops the process, from what I can tell.
So, I was trying to identify which pads you are saying are for the smd switch.. but I wasn't totally sure, figured it would be faster to just post the top/bottom pics from that side, and you just circle the spot you want me to trace out?
(FYI, I took down my mega.nz link for the dump, since it sounds like you pulled it down, I hate leaving that stuff up for long unless someone else needs it, they can always PM me)
See attached image. The purple arrow identifies the pad that I want to trace.
But I just remembered that it is difficult to trace because it goes to a via to the opposite side of the board underneath the card slot.
I don't want to make work for you, I was just curious.
Related
"Factory" Recovery for MTCx PX3, PX5 and PX6 SOM.
UPDATED 26.06.2023 - Before doing this, try your Headunit USB cable first - Some headunits support OTG directly on the headunit USB cable.
Come here after using paid Software "Mod" tools like Modinstaller?
This method is the factory method, which can completely recover a "bricked" SOM, recover from failed "modinstaller" or failed upgrade of Paid mods.
Finally - OTG for all without modifying your head-unit. With only basic electronic/soldering skills, get OTG and fearlessly flash or recover a 'bricked' MTCD/E (HCT printed on SOM) Rockchip PX3, PX5 SOM.
See attached pics for making an OTG cable from a USB cable and two resistors.
Resistors are 12K and 15K (22K is probably better) or any one of the following combinations. These resistors are necessary as 'voltage dividers', with a value between 1.8V and 3.3V OK. These simply place a logic '1' on recovery and USB-OTG to 'tell' the SOM to go into OTG recovery mode.
R1 | R2
-------------------
1K | 1.8K
2.2K | 3.3K
10K | 18K
12K | 22K
Get Windows Driver [Driver assistant - v5.11] and [RKDevTool 2.93] for direct/OTG SOM flashing:
1. From a chinese Firefly site here
or
2. My Google Drive here
[RKDevTool] .ini file is set English, otherwise tool will be rendered in Chinese.
This tool for dumping / getting full backup of SOM
Excellent tool, thanks @RedScorpioXDA
Note - all tools and driver have equivalent Linux versions.
26.06.2023 - Android Tool is now RkDevTool
PX5 Android 9 Update.img - suitable for flashing via rockchip tools - https://yadi.sk/d/umCvHqCDzHccr/RockChip PX5 Android 9/YB
The image is located in px5 android 9/yb. The file has "_img_" listed in the filename.
Note Android 10 has an img file too - located in px5 android 10/chs.
PX5 Android 8 Oreo full Partition extract suitable for recovering SOM, flashing via rockchip tools - https://drive.google.com/drive/folders/1P703unZDA_TdRzl6fjkkb-YUB-KpTViW
Using the RockChip RKDevTool:
For OREO: Unzip and flash all partitions in the ZIP file [px5_OREO_Full_13032018-UseToRecoverOrCreateNew.7zip here
For Android 6, flash the latest update.img file in RKDevTool
There are guides to partition flashing found on the internet, would be great if anyone could contribute by posting step-by-step instructions or a video to assist others (there are now posts in this thread...)
A generic guide to the RockChip RKDevTool, flashing partitions or image files is here as previously posted.
Credit (thanks!) to @scorillo_ro for the detailed image/connections diagram.
Worst case - SOM doesn't respond - force 'maskrom' detailed here explaining what MaskRom is and here on how to for your PX5 (px3 is similar.) Steps are: Power Off SOM and disconnect USB to PC. Use Tweezers, apply power/connect USB. Hold until Windows Device chime is heard (within about 2 seconds of power on.) See attached pic.
Warning: Use thin pins for the OTG cable in order to avoid damage to the SOM connectors, although along the thread it has been noted many times that damage to the SOM socket is very likely to happen if thick pins are used... OR buy a SOM header from Aliexpress, digikey etc.
17/11/2019 - Edit: Corrected URL for Windows and Linux Rockchip tools
04/04/2020 - link to px5 android 9 full update.img
20.06.23 - Update broken links to driver and tool. Update Name of tool (was) Android Tool - (now) RKDevTool
Nice work @marchnz !
A full step by step and pictures howto should be made now and all those PX5 users without sdcard slots will be able to use this method to get Android8!
LE. I drew a schema
scorillo_ro said:
Nice work @marchnz !
A full step by step and pictures howto should be made now and all those PX5 users without sdcard slots will be able to use this method to get Android8!
LE. I drew a schema
So with this method, will it be possible to flash, on a 6.0 unit, the recovery and the system of Android 8.0?
lucajust said:
So with this method, will it be possible to flash, on a 6.0 unit, the recovery and the system of Android 8.0?
Absolutely! I've done it a bunch of times. You can either use the sdupdate.img from the Oreo upgrade thread to load the Oreo recovery and then install the oreo .zip from recovery OR a full set of partition images.
I have a full set of partition images if needed, they're about 25gb but should compress right down (that 25gb includes [user] partition which is an empty partition.
Good... I'll try... But the process needs a PC, no? Because with the unit with SD card slot you need a PC only to prepare the SD card for the Android 8 recovery
Sent from my Mi A1 using Tapatalk
lucajust said:
Good... I'll try... But the process needs a PC, no? Because with the unit with SD card slot you need a PC only to prepare the SD card for the Android 8 recovery
Sent from my Mi A1 using Tapatalk
Yes, PC. I've updated the post to include links to tools and driver. Driver 4.5 & Android tool works on Win7 - Win 10, x86 and x64.
For those without SDCard wanting to upgrade to Oreo:
You could try OTG flashing the Oreo sdupdate.img, fit the SOM back to the headunit and then try loading the full Oreo update.zip from USB. Otherwise I will need to upload the full Oreo partitions dump with instructions....over the next few days....
marchnz said:
Yes, PC. I've updated the post to include links to tools and driver. Driver 4.5 & Android tool works on Win7 - Win 10, x86 and x64.
For those without SDCard wanting to upgrade to Oreo:
You could try OTG flashing the Oreo sdupdate.img, fit the SOM back to the headunit and then try loading the full Oreo update.zip from USB. Otherwise I will need to upload the full Oreo partitions dump with instructions....over the next few days....
Thanks... What are the "SOM"?
Sent from my Mi A1 using Tapatalk
It is my understanding that I can flash the SOM without the rest of the board?
So just disconnect the SOM then hook up the USB as per the diagram and it will be detected by windows. Use android tool / RockChip Batch Tool with a android 6/8 recovery.
The issue I have is that the nand doesn't look like its recognised after an attempt to flash oreo. Please see attached picture.
Harsesis said:
It is my understanding that I can flash the SOM without the rest of the board?
So just disconnect the SOM then hook up the USB as per the diagram and it will be detected by windows. Use android tool / RockChip Batch Tool with a android 6/8 recovery.
The issue I have is that the nand doesn't look like its recognised after an attempt to flash oreo. Please see attached picture.
Yes, you understood correctly. This method may save you...
scorillo_ro said:
Yes, you understood correctly. This method may save you...
You mentioned a full partition dump. I'm hoping I don't need this. I remember reading that the partition structure needed to be changed for android 8. Do you have any idea how to do this via the tools? I remember reading about something called a storagemap that rockchip uses.
Harsesis said:
You mentioned a full partition dump. I'm hoping I don't need this. I remember reading that the partition structure needed to be changed for android 8. Do you have any idea how to do this via the tools? I remember reading about something called a storagemap that rockchip uses.
Wait for @marchnz to put this information here. Meanwhile you can start building your USB JIG.
Will try this, just have to buy resistors.
One question... How to download from Github?
Regards
Edit: Found it
Clandaries said:
Will try this, just have to buy resistors.
One question... How to download from Github?
Regards
Move one level up to https://github.com/rockchip-linux/rkbin then use the green "Clone or download" button, then select "Download ZIP"
Finally I hear the Windows connecting sound. But my device is still not detected. It says "usb device not recognized". I thought it would be the driver, but I installed the v4.5 driver. Any ideas?
Maybe you need to switch green and white usb data wires...
scorillo_ro said:
Maybe you need to switch green and white usb data wires...
Yeah, already tried that. Also tried it with a different PC, both Windows 10, but same problem. I also tried another SoM but this one has the same problem. I really don't know anymore what to do
Malle355 said:
Yeah, already tried that. Also tried it with a different PC, both Windows 10, but same problem. I also tried another SoM but this one has the same problem. I really don't know anymore what to do
Strange. I only used Windows 7.
You can also try using a powered usb switch. Maybe the USB ports you used does not provide sufficient power? This is just an assumption.
Or, as @marchnz said, you can try enter maskrom mode.
scorillo_ro said:
Strange. I only used Windows 7.
You can also try using a powered usb switch. Maybe the USB ports you used does not provide sufficient power? This is just an assumption.
Or, as @marchnz said, you can try enter maskrom mode.
My device is only getting detected in MaskRom mode. It's not getting detected in normal mode. But as I said, it says "usb device not recognized".
Malle355 said:
My device is only getting detected in MaskRom mode. It's not getting detected in normal mode. But as I said, it says "usb device not recognized".
Did you try to upload a firmware image from maskrom mode? The other mode, not working for you, is called loader mode and is provided by software that might be corrupted.
scorillo_ro said:
Did you try to upload a firmware image from maskrom mode? The other mode, not working for you, is called loader mode and is provided by software that might be corrupted.
Can't upload the firmware from MaskRom mode. I got the "usb device not recognized" error. I never got the device into loader mode. My PC never detected the SoM in loader mode.
These tablets were sold with certain Vizio TVs in mid-2016 into 2017, primarily used for Smartcast to the TV.
They are now obsolete since Vizio released firmware for their TVs turning them into normal Smart TVs, requiring the owners of these TVs to get new remotes and the tablets stopped being useful for this function.
Here in 2019, one can buy these tablets, at the low price end, in working condition, for $25 (for the M series) to $40 (for the P series) shipped.
The specs are as follows:
XR6M10:
Snapdragon 410 1.2GHz quadcore APQ8016
2GB RAM
8GB Storage
1280x720 IPS display
802.11n, Bluetooth 4.0
2740mAh battery
MicroUSB for charging, Qi Charging built-in for bundled charge pad or any compatible charging solution
XR6P10:
Snapdragon 615 1.45GHz octocore APQ8039
2GB RAM
16GB Storage
1920x1080 IPS display
802.11n, Bluetooth 4.0
2740mAh battery
MicroUSB for charging, Qi Charging built-in for bundled charge pad or any compatible charging solution
Both tablets feature side-firing stereo speakers, a headphone jack, and NO cameras. The size of the tablet is comparable to the size of a Galaxy Note 9, give or take.
Both tablets came with Android 5.1.1, and OTA updates upgraded them to 6.0.1. There are ZERO stock ROM files available for the tablets. I've tried sniffing the updater and they seem to go to a dead website.
The stock ROM is fairly clean, and only has the Vizio Smartcast app which needs disabling upon setting up. Aside from this, there is no other bloatware on the tablet to speak of after running a fine-tooth comb through the system apps. You get a clean and snappy tablet.
The problem:
There's no stock ROM file available, neither for Android 5.1.1 or for 6.0.1. Vizio does not have any sort of download for either on their site, nor did in the past. The updater checked a third-party website affiliated with Vizio to manage the tablet's updates, as it does with their TVs. Since the website is inert, it can be safely said that Vizio is no longer interested in their existence at all, especially since the warranty on every single one of these tablets is now up.
The tablet seems it can have the bootloader unlocked, the developer options has the toggle for that, but there's no way to get into fastboot. Holding VOL UP+DOWN+POWER at boot or sending the "adb reboot bootloader" command sends it into a "Qualcomm HS-USB QDLoader 9008" mode under USB. This, from what I understand, is behavior persistent with the locked bootloader, but I have no idea of how to get it out of this and just into fastboot. Stock recovery does not have a fastboot option either.
The desires list:
Have someone that knows the intricacies of the MSM8916 platform and the APQ8016/APQ8039 get their hands on these tablets
Get a ROM dump of both tablets in stock form so people with bricked tablets can flash them with it
Get Root (Patch level on the 6.0.1 stock ROM is from October 2016, shouldn't be hard)
Get the bootloader unlocked, somehow, and if not, figure a way to get something like Safestrap running on it if the out-of-the-box kernel allows for it
Custom ROMs? LineageOS would be sweet, especially with some of the tablet-specific fixes that have dropped in the past couple months overall.
so I ask: is there any interest in the freeing of these super cheap tablets? The price to spec ratio is not bad (once again, I got my 6M10 for $25 shipped, and the seller has like 7 more as of the time of this writing), and it doesn't seem like it would be all too hard to unlock the bootloader and get it rooted (at least, from my perspective, that of a novice in this specific hardware field). There are plenty of these in the wild in the hands of people that bought the TVs and plenty in the hands that bought them from ebay when the tablets became obsolete.
This link contains screenshots of CPU-Z and the About Tablet settings section from the tablet, uploaded to imgur. If anyone needs more information on this tablet that needs an app or adb command, I can make this happen.
Board Pic of the XR6M10, XR6P10 should be the same inside:
(click for larger image)
Update: I have temp root.
I have temp root! The latest KingRoot (NOT Kingoroot) APK seemed to have done the trick. I was able to fire up AdAway and get the hosts file set up with adblocks to keep the thing safer.
The root is still temporary so it goes away after a reboot. The rooting process involves it doing the root process once, then rebooting, then failing, then you reboot once more, and then retry rooting from the app. From here, 80% of the time, it works and you're able to get temporary root for that boot session.
Once you're done with anything you need root for, you should reboot and then uninstall KingRoot, for which you then need to deactivate the device administrator privileges before it will allow you to cleanly uninstall it.
I also made a huge discovery that may turn out better for anyone that can help getting this thing properly rooted and the bootloader unlocked... it seems the file manager included in the stock ROM is v3.0.0 from Cyanogenmod 12.1.
This makes me think that the ROM creator either used that since it was opensource and readily available than come up with their own solution, or that this ROM has some cyanogenmod roots.
I also found this post from another Q&A thread in this section:
TheDrive said:
This device was made by the Chinese/Indian company Borqs. The code name is Bennu-M. The platform is Qualcomm APQ8016 (MSM8916 w/o modem). The standard method to bring up EDL mode should work: hold Vol+ and Vol- at power on (press power), then connect to the PC. The device will look dead, but it should be detected as Qualcomm QDLoader 9008 on the PC side. This is the factory-described method.
You can flash factory firmware from this mode using an external bootloader (programmer) for the MSM8916 firehose protocol. This procedure is described in thousands of manuals around the net. Qualcomm tools like QPST or QFIL can be used, as can many 3rd-party utils, to flash and manage it in any other available way. Many professional 'box' tools should support this device too, but only as a 'generic' MSM8916 (if applicable).
However, I can't find the firmware package for this device anywhere. You should ask and require the manufacturer/distributor to publish the firmware, the source code and all the corresponding materials so you can flash and rebuild the firmware from sources in any manner you want without any limitations, as required by the GNU/GPL free open source software licenses this firmware is obligated to.
Everyone who has the device, working or software-dead, can try to dump the current firmware and data stored on the internal eMMC memory module, in part(s) or as a whole image, using the free QTools project utilities and a suitable external bootloader with the ability to dump eMMC, not only to flash, as many factory-supplied programmers do. There are programmer(s) for MSM8916 available in the project repo. Read and understand the manuals carefully before trying anything!
There are definitely other ways to root, dump, flash and manage the device in any manner YOU WANT, not only the way you are "allowed" to use your own device by the manufacturer/distributor. FTA!
You can root the device, then dump all the multiple partition images manually (dd if=/dev/block/mmcblk0...... of=/sdcard/......) or using a built custom recovery like CWM/TWRP for your device. Please note, kernel sources are important but not mandatory to build e.g. CWM. You can build one using the CWM image from a similar device and the kernel (boot/recovery) image binaries from your device. There are good manuals and image repacking utils available around, like e.g. AndImgTool.
There is a way to produce a factory image from the eMMC/partition dump(s). Use utils like R-Studio to dump particular partition images from the eMMC dump (it's like a whole HDD or UFD image with all the sectors raw, one by one, w/o any modifications/compression/etc). Manuals/utils are available to make e.g. the sparse and xml scripts set which is flashable by the programmer in EDL mode (i.e. from any damaged state, because EDL is built into the PBL and masked into the internal CPU ROM, thus can not be damaged in any manner, except firing the CPU up).
You can also flash partition images from the more common Fastboot mode, provided the eMMC GPT and bootloaders (SBL/RPM/TZ/ABoot) stay intact (logo shown). You can't dump from fastboot, which is common due to the (foolish) 'safety' requirements. It's security by obscurity and is definitely not in your favor, but for the corps' control over you and to force you to send valuable private data to foreign clouds.
Please share eMMC full and/or partition dumps using a reliable 'never-ending' file cloud/hosting, since there is no factory firmware available yet (ever). I do not own this device and have never seen one, being overseas, so I can't share.
This gives a little bit more information but seems to be more waffle than helpful. Still need someone, or some individuals, that can get one of these devices into their hands and work on a way to get the bootloader unlocked, the eMMC dumped, and ROMs going.
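The dump-and-repackage workflow TheDrive describes above (dd each partition by sector offset, then turn a raw eMMC dump into the XML set a firehose programmer flashes in EDL mode), in working code. This is an added example, not code from any poster, from QTools or from Qualcomm's tools: it parses the primary GPT of a raw dump, verifying both CRC32s so a truncated or bit-flipped dump is rejected, and from the resulting partition table emits the dd lines and a rawprogram0.xml-style `<program>` list. The disk layout, partition names and sizes in `SAMPLE_LAYOUT` are constructed for the example (the real XR6M10 layout is not known from this thread), the `/dev/block/mmcblk0` and `/sdcard/dump` paths are assumptions, and the attribute names follow the rawprogram0.xml files Qualcomm tooling ships.

```python
"""GPT -> dd commands / rawprogram XML from a raw eMMC dump (added example)."""
import struct
import uuid
import zlib
from xml.etree import ElementTree as ET

SECTOR = 512
HDR_FMT = "<8sIIIIQQQQ16sQIII"   # 92-byte GPT header at LBA 1, little-endian
ENT_FMT = "<16s16sQQQ72s"         # 128-byte partition entry

# Constructed sample layout: (name, first LBA, sector count). Not the real device's table.
SAMPLE_LAYOUT = [("sbl1", 34, 1024), ("aboot", 1058, 2048), ("boot", 3106, 131072),
                 ("recovery", 134178, 131072), ("system", 265250, 4194304)]


def parse_gpt(image, sector=SECTOR):
    """Return [(name, first_lba, last_lba)] from the primary GPT of a raw dump.

    Both the header CRC and the entry-array CRC are verified, so a truncated
    or corrupted dump raises ValueError instead of yielding bogus offsets."""
    hdr = image[sector:sector + 92]
    if len(hdr) < 92:
        raise ValueError("image too short for a GPT header")
    (sig, _rev, hdr_size, hdr_crc, _res, _cur, _bak, _first_use, _last_use,
     _disk_guid, ent_lba, n_ent, ent_size, ent_crc) = struct.unpack(HDR_FMT, hdr)
    if sig != b"EFI PART" or hdr_size < 92:
        raise ValueError("no GPT signature at LBA 1")
    full = image[sector:sector + hdr_size]
    zeroed = full[:16] + b"\0\0\0\0" + full[20:]   # CRC field is zero while hashing
    if zlib.crc32(zeroed) != hdr_crc:
        raise ValueError("GPT header CRC mismatch")
    off = ent_lba * sector
    table = image[off:off + n_ent * ent_size]
    if len(table) != n_ent * ent_size or zlib.crc32(table) != ent_crc:
        raise ValueError("partition entry array missing or CRC mismatch")
    parts = []
    for i in range(n_ent):
        ent = table[i * ent_size:i * ent_size + 128]
        type_guid, _uniq, first, last, _attr, name = struct.unpack(ENT_FMT, ent)
        if type_guid == bytes(16):
            continue                                   # unused slot
        parts.append((name.decode("utf-16-le").rstrip("\0"), first, last))
    return parts


def dd_commands(parts, dev="/dev/block/mmcblk0", outdir="/sdcard/dump", sector=SECTOR):
    """Shell lines that copy each partition by offset (no reliance on by-name links)."""
    return ["dd if=%s of=%s/%s.img bs=%d skip=%d count=%d"
            % (dev, outdir, name, sector, first, last - first + 1)
            for name, first, last in parts]


def rawprogram_xml(parts, sector=SECTOR):
    """rawprogram0.xml-style <program> list for a firehose loader (QFIL/MiFlash)."""
    data = ET.Element("data")
    for name, first, last in parts:
        n = last - first + 1
        ET.SubElement(data, "program", {
            "SECTOR_SIZE_IN_BYTES": str(sector), "file_sector_offset": "0",
            "filename": name + ".img", "label": name,
            "num_partition_sectors": str(n), "physical_partition_number": "0",
            "size_in_KB": str(n * sector // 1024), "sparse": "false",
            "start_byte_hex": hex(first * sector), "start_sector": str(first)})
    return ET.tostring(data, encoding="unicode")


def build_sample_image(layout, sector=SECTOR, total_lba=8_000_000):
    """Constructed fixture: empty LBA 0, header at LBA 1, 128 entries at LBA 2..33."""
    n_ent, ent_size, ent_lba = 128, 128, 2
    table = bytearray(n_ent * ent_size)
    for i, (name, first, count) in enumerate(layout):
        struct.pack_into(ENT_FMT, table, i * ent_size, uuid.uuid4().bytes, uuid.uuid4().bytes,
                         first, first + count - 1, 0, name.encode("utf-16-le"))
    disk_guid = uuid.uuid4().bytes          # fixed once so both header passes hash the same bytes

    def header(crc):
        return struct.pack(HDR_FMT, b"EFI PART", 0x00010000, 92, crc, 0, 1, total_lba - 1,
                           34, total_lba - 34, disk_guid, ent_lba, n_ent, ent_size,
                           zlib.crc32(bytes(table)))

    hdr = header(zlib.crc32(header(0)))     # header CRC is computed over the header with CRC=0
    return bytes(sector) + hdr.ljust(sector, b"\0") + bytes(table)


if __name__ == "__main__":
    parts = parse_gpt(build_sample_image(SAMPLE_LAYOUT))
    print("\n".join(dd_commands(parts)))
    print(rawprogram_xml(parts))
```

On a real dump, `parse_gpt(open("emmc.bin", "rb").read())` gives the table; the dd lines are what to run in a temp-root shell, and the XML goes next to the partition images for the firehose programmer. The CRC checks are the point: a dump taken through a flaky loader often has the right signature but a damaged entry array, and flashing offsets derived from it is how the bootloader partitions get overwritten.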
Update file?
I THINK I have the update file for 6.0.1. I did a packet sniff on a 5.1.1 tablet using a MITM packet sniffer and I ran the system updater, and was able to get this URL:
http://updatev.vo.llnwd.net/v1/idownload/64821.bin
The filesize is 570MB or so, and it looks like it might be the real deal. Since it's a .bin file and 7zip can't read it, I won't be able to see what it really is without going over to the box that has a copy of Universal Extractor installed.
I'll be doing this momentarily and editing this post once I figure out what the contents are, or if it's even readable to that extent. Knowing Vizio, it could very well be encrypted and need decrypting by the updater application.
Update: it seems to be encrypted. Oh joy.
Update 2: I got together with a friend on Discord and we successfully decompiled the updater app to a point.
This MEGA link contains all the files thus far and a copy of the tablet's /system/framework folder for decompiling purposes.
However, it doesn't seem we're getting anywhere. The file is still encrypted and I still can't figure out what's needed to decrypt it. Hopefully someone with more knowledge on this can lend a hand.
Sudosftw said:
I THINK I have the update file for 6.0.1. I did a packet sniff on a 5.1.1 tablet using a MITM packet sniffer and I ran the system updater, and was able to get this URL:
http://updatev.vo.llnwd.net/v1/idownload/64821.bin
...
Just out of curiosity, with the temp root, have you tried using dd to get the recovery image off? If we can do that, we might be able to work on getting a custom recovery built.
Qiangong2 said:
Just out of curiosity, with the temp root, have you tried using dd to get the recovery image off? If we can do that, we might be able to work on getting a custom recovery built.
It's not possible to get a proper recovery image from within the system files, so far as I know; my take so far has been that there is no proper way to get that at this time without decrypting that file grabbed from the update server. I'd do it on a 5.x ROM, since that will get me permaroot, but the issue is getting and keeping root on a 6.x ROM.
Although encrypted (so far as I can tell), the image linked above is the real deal, and I've given all I can to get it decrypted. A proper exploit to take care of this tablet's vulnerabilities and get temp root (on 6.x) that isn't Kingo is what is really needed at this point, so as not to hinder going around the system with crudware and shady background apps; it shouldn't be hard, since the security patch level for the 6.x ROM is 2016-10-01.
Even if the ROM is extracted or a recovery image found, a custom recovery won't be possible until the bootloader is unlocked, and this isn't doable until someone figures out how the Qualcomm QDLoader 9008 stuff works with this specific tablet. Fastboot is unreachable and I'm almost sure I'm doing something wrong.
I'll get temp root and see about dd'ing stuff later on. What exactly would be needed for me to dd off? The whole disk, and then go through it elsewhere? I could definitely see if rsync exists and dd over rsync to another box.
Sudosftw said:
It's not possible to get a proper recovery image from within the system files, so far as I know; my take so far has been that there is no proper way to get that at this time without decrypting that file grabbed from the update server.
...
I found this today: https://forum.xda-developers.com/axon-7/development/edl-emergency-dl-mode-twrp-unlock-t3553514
The MiFlash tool seems promising (it works with nearly any device).
For the dd stuff, you can usually figure out the partitions easily from the fstab file in /. However, getting a raw dump is always useful.
Really, the big 3 would be recovery.img, boot.img, and system.img. We can work from there.
Qiangong2 said:
I found this today: https://forum.xda-developers.com/axon-7/development/edl-emergency-dl-mode-twrp-unlock-t3553514
...
I've had that installed whilst trying to figure out the image and the QDLoader stuff; it doesn't do anything for this tablet, sadly :/
Sudosftw said:
I've had that installed whilst trying to figure the image out and the qdloader stuff, it doesn't do anything for this tablet sadly :/
Hmmm. Which tablet do you have? The M or the P?
Qiangong2 said:
Hmmm. Which tablet do you have? The M or the P?
This is the M. The P was out of my price range ($40 shipped over $25 shipped) when I was looking at them, but now the Ms are going for around 25 bucks but 15 shipping from another seller, bringing the price up to 40 bucks, where the P was. I ended up buying the other Ms from the one seller and gave them out to family members because I was so impressed... but I really should have set some money aside for one of the Ps as well, and didn't.
Sudosftw said:
This is the M. The P was out of my price range ($40 shipped over $25 shipped) when I was looking at them...
...
Okay. You said miflash doesn't do anything, does the device show up in the application and not function? Or does it not show up at all?
Qiangong2 said:
Okay. You said miflash doesn't do anything, does the device show up in the application and not function? Or does it not show up at all?
Just doesn't show up at all. And yet installing the Qualcomm QDLoader drivers says it's connected in Device Manager, so something's up. Tried on two different boxes, different cables, no dice.
Sudosftw said:
just doesn't show up at all. and yet installing the qualcomm qdloader drivers says it's connected in device manager, so something's up. tried on two different boxes, different cables, no dice.
Hmmm. That's unusual. Are you running it in win 7 compatibility mode?
It would be nice to see community roms for these devices. I have the XR6P. If you need any info from this device, just tell me what to do.
I'm very interested in this as I have one of these tablets that I would like to use in my vehicle as a display for my piggyback ECU tuner. It doesn't currently support USB OTG, but I read that if I can gain root access I can add the file to give it USB Host functionality. Can anyone confirm this? I have tried several apps to get it rooted including Kingroot as you were able to get a temp root with that. Unfortunately Kingroot, as all the others I have tried, won't even install on the tablet. Again, I'm only looking to get this thing to be OTG capable. If anyone here has any suggestions, I would be very grateful! Thanks all!
I just bought an M remote to replace my broken P remote. My P remote had Android 6. My M remote has Android 5, and the OTA updater says there's no update. Any way to get Android 6 on this?
I have factory firmware for the Bennu P and Bennu M, but it will take some time to upload the files.
ALANCHONG said:
I have factory firmware for Bennu P and Bennu M , but take some time to upload the file.
Hey. Could you upload the firmware for the XR6M10?
XR6M10 and XR6P10 firmware
konog said:
Hey. You can lay out the firmware for XR6M10
Mega Link: mega.nz/#F!n65kVYIT!PKH8A1WoD_Nc4DU_-9dbiQ
ALANCHONG said:
Mega Link: mega.nz/#F!n65kVYIT!PKH8A1WoD_Nc4DU_-9dbiQ
Every time, an error pops up at 12 seconds:
Flash fail (-4002)
Log:
21:59:03.576 Arrival: \\?\USB#VID_05C6&PID_9008#5&13a74b18&0&11#{86e0d1e0-8089-11d0-9ce4-08003e301f73}
21:59:03.591 Thread '_PortDownloadThread' started
21:59:04.610 Get Port ...
21:59:04.610 _GetDevicePortName (0): COM5
21:59:04.630 _ComPort: COM5
21:59:04.640 Get Port (0)
21:59:04.650 Flash ...
21:59:09.668 _Connect (0)
21:59:09.668 Downloading flash programmer: C:\_qcMUP\v8016-SIGNED-VIZIO-user-IMAGES\v8016-SIGNED-VIZIO-user-IMAGES\prog_emmc_firehose_8916.mbn
21:59:14.669 Failed to read the command from the opened port
21:59:14.669 _FlashProgrammer (-4002)
21:59:15.700 Flash (-4002)
21:59:15.700 Flash fail (-4002)
21:59:15.731 Download ended: -4002
21:59:15.763 Thread '_PortDownloadThread' ended
konog said:
Every time, an error pops up at 12 seconds:
Flash fail (-4002)
...
Please check if the driver is installed
Hi,
The other day I tried to dd in a bootloader to add fastboot to my K8+ (2018) LMX210ULMA and wiped my preloader. The device uses an MT6750 chipset, and I had made a backup, so I have the appropriate software to restore it; I even have the scatter file.
The problem is that there is no da_pl.bin file for LG phones to use with SP Flash Tool; I have no download mode and no fastboot.
I have two PCs, one running Ubuntu, the other Windows 7.
I would appreciate any help,
any help at all.
OK, so I've found some versions of SP Flash Tool that are supposed to get around the authorization stuff, and I have an auth file, but I keep getting BROM errors, the same one in fact. On Linux it's 0x00. I've been looking at and following the tutorials, I've made Android rules and all kinds of things, but I can't get it to flash. It started to before I added the stuff in the tutorials. The red line would go across the bottom, but now I just get the BROM errors.
Thumbs up for boldness... :good:
Now you have an interesting project there.
Keep us updated if you manage to find a solution.
No idea how to help, but good luck!
https://blog.hovatek.com/so-whats-all-this-talk-about-meditek-secure-boot-and-da-files/
https://ifindhub.com/download-mtk-secure-boot-da-loader-files-mtk-devices.html
I'll get there eventually. I have been looking at all the config and ini files, and I hate to say it, but security might be easier than you think to overcome. Just have to erase a few lines here and there and replace some as needed. idk, ty. Don't worry, I'll keep you guys posted.
I really think sometimes we overthink and see past the easiest solutions. But what do I know, I'm trying to flash an MTK preloader on an LG phone.
I'm actually trying to unbrick a few phones, two QCs and the MTK. I kinda bricked one of my LMX210s on purpose, not thinking it would brick. Well, joke's on me.
I have a couple of questions maybe somebody can help with. In the past couple of months on my journey through madness I have tried a few hundred different ways and more flash tools than you could imagine. So far nothing has worked, but I've learned a lot of theory.
So far though, I know that the MTK board is in BootROM mode. We will get back to that, as I have an idea....
OK, on the QC boards we have the dreaded 9008 mode. I made some progress today. I wanted to see if the LMX210 could boot from SD card instead of the internal storage. I believe it can, but I'm having trouble with what to do next.
I used dd to flash the GPT onto my SD card, then formatted the partitions to the proper filesystem. When I plugged it in to the USB it lit up but did not boot. But it lit up for the first time since bricking.
But it only lights up with USB plugged in. Add the battery and it goes dead. It also doesn't show 9008 mode any more.
I went back and changed the boot and recovery images to reflect using the mmcblk system, and now Windows Device Manager can see it. But no boot. I'm wondering, first, if I might need a special bootloader to boot from SD, and second, if I might be able to use the same trick to get the MTK running.
Some LG firmwares include some files for SPFT, like LGX240ARAT and LGX230HAT,
but do they work with the MT6750? In LGX240ARAT there is a DLL that mentions MT6755,
but not MT6750. Newer versions probably needed. Or maybe you could hack it. ??...
Part of my problem is not knowing what scatter file to use. These phones have their info all tweaked up. The MTK gives several different board/chip types, like we have 6722, 6755, 6750, 6736 and so on. I'm pretty sure though it's a 6750 board with a 6755 chipset, but do I use the scatter for the board or the chipset?
Ok idea!!
I can pick the phone up in BootROM mode on a port in my Ubuntu as /dev/ttyACM0.
That means I can write to it. How can I dd the preloader.bin to the right place on there?
Duhjoker said:
Ok idea!!
I can pick the phone up as bootrom mode on port in my ubuntu as /dev/ttyACM0.
That means i can write to it. How can i dd the preloader.bin to the right place on there
I don't know much about it, but I have played a bit with these.
https://gitlab.com/zeroepoch/aftv2-tools
https://forum.xda-developers.com/hd...fire-hd-8-2018-downgrade-unlock-root-t3894256
And there are tools like eMMC Pro, etc. that might work too... ?
I think the m250 did answer to some handshake, but there were some problems
because I didn't continue testing those py scripts...
I would try what I could read from it first. From those scatter files I guess that
the preloader is on its own partition. The other one should start with the partition table, pgpt .. ??
CXZa said:
I don't know much about it, but I have played a bit with these.
...
Hi,
If you can reach BootROM mode by pressing any of the volume keys while you connect the phone (Mediatek Inc. MT6627), you should be able to write and read the eMMC with amonet.
The tool needs some modifications in order to make it work for the MT6750. You can probably try the mt6753 version, which may work for the MT6750:
https://github.com/Dinolek/amonet
For reference, use this commit:
https://github.com/R0rt1z2/amonet/commit/6b57d0a99f42739d3b3b2ce962b32ecb8fefd950
Contains all the stuff that needs to be edited in order to make it work for that phone
Regards!
Thank you, I can give it a try. It's already in BootROM mode though and accepts the handshake. The problem is that the py command that flashes the preloader and stuff onto it also wants to flash other stuff as well that I don't have or that does not work with the board.
The py command needs to be modified to only flash the preloader, lk.bin, laf and TWRP. If only those items could be flashed, I could bring the rest of the device up using LGUP.
I have tried to modify the commands myself to include just those items, but it errors. I don't know enough about the Python language to be able to do it on my own.
Duhjoker said:
Thank you, I can give it a try. It's already in BootROM mode though and accepts the handshake.
...
PM me if you need help editing the python script
Regards.
I really appreciate your offer of help. I was looking at the reference for porting, and now that I can see the things that would need changing, why not go ahead and unlock the bootloader while we are at it? We could save a ton of devices and at the same time give them the extra value of being able to TWRP and root them.
I have been looking for some way to unlock the bootloader on these phones for days, and though it will be some work, being able to reflash the preloader AND unlock the bootloader, which was my main intent when I bricked it, would be worth the extra effort.
Rortiz2 said:
PM me if you need help editing the python script
Regards.
I couldn't post the main.py script in the PM, but I can attach it here. Thank you so much.
Here is the raw preloader extracted using SALT on my PC.
OK, so I went through your source code for the Meizu M2 amonet to match it with source code for the MT6750, and I only had to change a couple of things. It's pretty much identical to the commit you pointed me to.
As far as I can see your amonet should work just fine with the SP200/LM-X210ULMA boards. I did add my .img files to the bin folder though.
Anyway, I keep getting errors.
Traceback (most recent call last):
File "/usr/lib/python3/dist-packages/serial/serialposix.py", line 501, in read
'device reports readiness to read but returned no data '
serial.serialutil.SerialException: device reports readiness to read but returned no data (device disconnected or multiple access on port?)
During handling of the above exception, another exception occurred:
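The BROM handshake that amonet and the other BootROM tools in this thread perform, with the "returned no data" failure from the traceback above handled instead of crashing the script. This is an added example, not amonet's code and not Duhjoker's main.py: each of the four bytes A0 0A 50 05 is sent and the BootROM must answer with the byte's bitwise complement; an empty read or a wrong byte restarts the sequence, and a port that never answers raises after a bounded number of restarts. After the handshake, command 0xFD returns the 16-bit hardware code. `FakeBrom` is a constructed stand-in for the phone on /dev/ttyACM0 so the code runs offline; on hardware you pass a `serial.Serial` object instead, and pyserial's `SerialException` is an `OSError`, which is why that is what gets caught. The hardware-code table (0x0326 for MT6755/MT6750, 0x0337 for MT6753) is recalled from the amonet/mtkclient tables and is an assumption to verify against your tool.

```python
"""MediaTek BROM handshake + hardware-code query with timeout handling (added example)."""
import time

HANDSHAKE = b"\xa0\x0a\x50\x05"    # BROM answers each byte with its bitwise complement
CMD_GET_HW_CODE = 0xFD
KNOWN_HW_CODES = {0x0326: "MT6755 / MT6750 family", 0x0337: "MT6753"}   # assumed; verify


class BromError(Exception):
    pass


def _read(port, n):
    """Read n bytes; treat pyserial's 'returned no data' OSError like a timeout."""
    try:
        return port.read(n) or b""
    except OSError:
        return b""


def brom_handshake(port, timeout=5.0, max_restarts=50):
    """Run the 4-byte handshake; returns how many times it had to restart."""
    deadline = time.monotonic() + timeout
    i = restarts = 0
    while i < len(HANDSHAKE):
        if time.monotonic() > deadline:
            raise BromError("BROM did not complete the handshake within %.1fs" % timeout)
        port.write(HANDSHAKE[i:i + 1])
        reply = _read(port, 1)
        if reply and reply[0] == (~HANDSHAKE[i]) & 0xFF:
            i += 1
            continue
        # Empty read (device left BROM, another process on the port) or wrong byte:
        # restart the sequence, but give up after a bounded number of attempts.
        restarts += 1
        i = 0
        if restarts > max_restarts:
            raise BromError("no valid reply after %d restarts; is another tool holding the "
                            "port, or did the preloader take over?" % max_restarts)
    return restarts


def get_hw_code(port):
    """0xFD: BROM echoes the command, then sends the 16-bit hw code (big-endian) and a status."""
    port.write(bytes([CMD_GET_HW_CODE]))
    if _read(port, 1) != bytes([CMD_GET_HW_CODE]):
        raise BromError("command byte not echoed; device is not in BROM")
    code = int.from_bytes(_read(port, 2), "big")
    status = int.from_bytes(_read(port, 2), "big")
    if status != 0:
        raise BromError("BROM status 0x%04x" % status)
    return code


def probe(port):
    """Handshake, then identify the SoC; returns (hw_code, name, restarts)."""
    restarts = brom_handshake(port)
    code = get_hw_code(port)
    return code, KNOWN_HW_CODES.get(code, "unknown (0x%04x)" % code), restarts


class FakeBrom:
    """Constructed stand-in for the phone on /dev/ttyACM0 so this runs offline.
    drop_first=N makes the first N reads return nothing and lose the queued byte,
    which is what the pyserial 'returned no data' failure looks like to the host."""

    def __init__(self, hw_code=0x0326, drop_first=0):
        self.hw_code, self.drop, self.pos, self.done = hw_code, drop_first, 0, False
        self.out = bytearray()

    def write(self, data):
        for b in data:
            if self.done:
                self.out.append(b)                      # BROM echoes command bytes
                if b == CMD_GET_HW_CODE:
                    self.out += self.hw_code.to_bytes(2, "big") + b"\x00\x00"
            elif b == HANDSHAKE[self.pos] or b == HANDSHAKE[0]:
                self.pos = (self.pos if b == HANDSHAKE[self.pos] else 0) + 1
                self.out.append((~b) & 0xFF)
                self.done = self.pos == len(HANDSHAKE)
            else:
                self.pos = 0                            # out-of-sequence byte: silent desync
        return len(data)

    def read(self, n):
        if self.drop:
            self.drop -= 1
            self.out.clear()
            return b""
        chunk, self.out = bytes(self.out[:n]), self.out[n:]
        return chunk


if __name__ == "__main__":
    print(probe(FakeBrom()))
    print(probe(FakeBrom(drop_first=1)))
```

On hardware, `probe(serial.Serial("/dev/ttyACM0", timeout=1))` with the phone connected while holding a volume key; if the handshake completes but 0xFD returns a code other than the one your port of amonet was written for, you are talking to a different SoC (or the preloader, which echoes differently), and the flashing script should stop there rather than write a preloader for the wrong chip.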
Rortiz2 said:
Hi,
Contains all the stuff that needs to be edited in order to make it work for that phone
Regards!
Hi,
I didn't continue the experiments, but now @Duhjoker might also be interested in this latest new development...
[EXPLOIT] [BOOTLOADER] Mediatek based LG K10 2017 M250 bootloader secure boot bypass. by @OficerX
https://forum.xda-developers.com/lg-k10/how-to/exploit-mediatek-based-lg-k10-2017-m250-t4183545
MT6755 and MT6750 are essentially the same; MT6750 is a cheaper and slower version of MT6755. These are compatible, so you can use tools for the 6755 on the 6750.
Here (https://github.com/arturkow2000/lgk10exploit) you have tools that can help you flash the preloader (write_boot0.py); these should work on your device.
Open config.py and set BR_DEV_PATH to /dev/ttyACM0,
then write: python write_boot0.py --brom path_to_your_preloader_bin
This is a slow process and may take a few minutes (you will see progress while flashing).
So, I hope someone can help me with my project, or else I can kiss my plans goodbye...
A while ago I bought a Google Nest Hub (1st gen) to run my own software/dashboard. At first I tried to 'Cast' it as a webpage to the device, but that is not fully stable, especially now that they updated the Hub to run Fuchsia OS.
So, my plan is to either alter the Google firmware to run my own stuff on top of Fuchsia, maybe create my own Flutter app or something, or build Linux from source, which is available for the S905D2 u200, which is the CPU of the Nest Hub. The latter gives me more control, but I would have to get all the hardware running in Linux.
Both options give me some problems though:
The hub has a USB port under the foot. If you press both volume buttons while booting, you get the Amlogic Worldcup device, where you can talk to it with the Amlogic burn tool. You can flash firmware here or even dump firmware from it. Problem is: Google password-protected this, so you first have to upload a password.bin file before you can use the tool. Something that I presume is not possible to brute-force...
When you push one of the volume buttons while booting, you boot to Fastboot mode. Hey, that's familiar. So I tried some commands. fastboot unlock does not work. Flashing my own ROM: not allowed. Flashing my own recovery image is allowed and completes successfully. But while trying to boot to recovery it says: "Hash of data does not match digest in descriptor." So it verifies the image, which it cannot do.
The other volume button boots to the recovery image, which is Google's own thing where you can reset the device to factory defaults if you want.
The PCB viewed from the backside of the device. Notice the two wires next to the pink heat gum stuff. That's my RX and TX(?). Two pins next to each other seemed like a logical attempt.
So I tore the device down, got to the PCB and found an RX/TX port. At least, I noticed that I got UART data when connecting to it. But I can only read; it does not respond to keyboard presses. I don't know if the other pin is just not a TX pin or if there is no software that will respond to keypresses.
My question: what else can I try, or did Google just lock its hardware/software very well? Of course I could chip-off the NAND chip, but then reflowing it onto the device after altering the NAND is almost impossible, especially if you have to do it a lot of times... What else can I do?
keerttttt said:
So, i hope someone can help me with my project, or else i can kiss my plans goodbye...
...
You ever get anywhere with this? Just curious, thanks.
Hi there. Longtime XDAer (back to the OG Moto Droid), but new account. I am a OnePlus devotee that has converted to the Pixel 6. I have used Qualcomm's EDL mode with the MsmDownloadTool in the past; is there an equivalent for the Tensor chip? I have no current need for it, but I like to have the appropriate tools ready for future issues, especially in light of the dumb Android 13 bootloader rollback issue some people seem to have.
FWIW, before posting I searched for EDL but that did not return anything. And PixelFlasher appears to just be an adb/fastboot GUI, is that correct?
There's none AFAIK, and yes, PixelFlasher is just a GUI for easier operation.
Can someone please tell me what EDL is?
taanh1412 said:
There's none afaik, and yes, PixelFlasher is just an GUI for easier operation
Thank you for your reply! Bummer, I hope someone updates the forum if/when it gets released. As of right now, there'd be no way to fix a real brick if we don't have an EDL type of mode, other than sending it back to Google. Maybe one of their engineers could leak a version of it someday.
bush911 said:
Can someone please tell me what EDL is
A very small embedded OS on Qualcomm chips, think of it kind of like a motherboard controller. Very handy when you have completely FUBAR'd the storage OS or bootloader, essentially bricking the device. EDL allows you to gain very low level SoC access to reflash stock images, thus unbricking. It has no printed screen, it just stays black. You have to use a PC tool to flash
centifanto said:
A very small embedded OS on Qualcomm chips, think of it kind of like a motherboard controller. Very handy when you have completely FUBAR'd the storage OS or bootloader, essentially bricking the device. EDL allows you to gain very low level SoC access to reflash stock images, thus unbricking. It has no printed screen, it just stays black. You have to use a PC tool to flash
And since Tensor is a modified Exynos (Samsung) processor there almost certainly is no EDL mode. How Google restores bricked units is anyone's guess, but Samsung does have a dedicated download mode that, combined with Odin / Heimdall on a PC / Mac, allows for flashing of stock images.
EDL is Emergency DownLoad mode on Qualcomm processors.
There's a ROM in Qualcomm processors that is always present and is the first step to booting.
In normal operation it will load the SBL/XBL (secondary bootloader) which will load the aboot (Android application bootloader).
If something goes wrong in booting (or if you configure it by test points or boot config) it can load a diagnostic program which is basically a replacement for the SBL/XBL.
That program (which in Qualcomm parlance is called a "loader") allows you to read/write partitions and even memory.
The difficulty comes that a lot of this is securely signed so there can be problems finding a loader that works.
Other brands have ROMs built in which do the same thing but are all incompatible with each other.
MediaTek has MTK mode, Allwinner has FEL mode...
Note: By "ROM" I mean truly read-only memory built into the processor chip itself.
(I think the casual usage of "ROM" to mean an OS loaded onto R/W flash is misleading.)
Strephon Alkhalikoi said:
And since Tensor is a modified Exynos (Samsung) processor there almost certainly is no EDL mode. How Google restores bricked units is anyone's guess, but Samsung does have a dedicated download mode that, combined with Odin / Heimdall on a PC / Mac, allows for flashing of stock images.
Interesting. The only Samsung I have messed with was the old Galaxy S5, which luckily had a bootloader exploit. It was a PIA to root though, and after that I swore I'd never buy their junk. Nowadays they are impossible to unlock and modify, as Exynos versions don't fully work in the US, so you have to buy their Snapdragon variants, which are locked down like crazy.
Maybe Google will release the download mode procedures and tooling.
Renate said:
EDL is Emergency DownLoad mode on Qualcomm processors.
There's a ROM in Qualcomm processors that is always present and is the first step to booting.
In normal operation it will load the SBL/XBL (secondary bootloader) which will load the aboot (Android application bootloader).
If something goes wrong in booting (or if you configure it by test points or boot config) it can load a diagnostic program which is basically a replacement for the SBL/XBL.
That program (which in Qualcomm parlance is called a "loader") allows you to read/write partitions and even memory.
The difficulty comes that a lot of this is securely signed so there can be problems finding a loader that works.
Other brands have ROMs built in which do the same thing but are all incompatible with each other.
MediaTek has MTK mode, Allwinner has FEL mode...
Note: By "ROM" I mean truly read-only memory built into the processor chip itself.
(I think the casual usage of "ROM" to mean an OS loaded onto R/W flash is misleading.)
Wow, this is an amazing reply! Thank you! So much detailed and insightful information I didn't know. This is what makes the XDA forums amazing.
And yes, I have always been confused why the word ROM became the standard for the OS installed on Android phones, precisely for the reason you pointed out. Android ROMs are anything but read-only.
centifanto said:
Interesting. The only Samsung I have messed with was the old Galaxy S5 that luckily had a bootloader exploit. Was a PIA to root though, and after that I swore I'd never buy their junk. Nowadays they are impossible to unlock and modify, as Exynos versions don't fully work in the US, so you have to buy their Snapdragon variants, which are locked down like crazy.
Maybe Google will release the download mode procedures and tooling.
Yeah, Google won't do that. As for Samsung, the Galaxy S4 I own did have a locked bootloader until I used Chainfire's RegionLock Away to permanently unlock the bootloader. The root process for that device was relatively painless, requiring Odin and - at the time - a specialized recovery payload that would root the device as there was no TWRP.
Well, for one, y'all are missing the fact that since the chip has an exposed serial unit, we can do some reverse engineering on the bootrom and find jump points to certain addresses in memory, such as the recovery mode. Google hosts the gs101 and oriel kernel repositories in its open source git repositories. I've found a ton of useful information in there. Ghidra is a good program for reverse engineering.
EDL for Exynos uses Exynos Dead Boot Mode. After changing the USB mode and using dwusb3 drivers we should have enough range to write/send bytes to the chipset.
NonStickAtom785 said:
Well, for one, y'all are missing the fact that since the chip has an exposed serial unit, we can do some reverse engineering on the bootrom and find jump points to certain addresses in memory, such as the recovery mode. Google hosts the gs101 and oriel kernel repositories in its open source git repositories. I've found a ton of useful information in there. Ghidra is a good program for reverse engineering.
EDL for Exynos uses Exynos Dead Boot Mode. After changing the USB mode and using dwusb3 drivers we should have enough range to write/send bytes to the chipset.
Wow, this is amazing info! Thanks for sharing, I had no idea about this boot mode. I found these comments in this link:
USB download mode is only accessible if first boot method has failed... Once the first boot method fails, USB download mode can be accessed by pressing and holding power button.
This link also looks interesting.
All of this sounds like only someone with advanced knowledge would be able to figure it out, and with the high risk of truly bricking their device.