Related
Here is a zip file containing a modified recovery and boot image, as well as a few other things:
http://rapidshare.com/files/166164961/AndroidMod.zip
http://jf.nyquil.org/AndroidMod.zip
http://android-dls.com/forum/index.php?f=24&t=191&rb_v=viewtopic (see post for actual link to file)
NOTE: if you need a complete RC30 to v1.3 guide, see this page.
The recovery image (recovery_testkeys.img) uses the test keys that are distributed with the android platform source. This means that an OTA update or an update.zip update must be signed with the test key in order for it to install. In other words, it will no longer install OTA updates from t-mobile. You don't want them stealing back root access from you now do you? .
I've also included the test keys and the SignApk.jar tool, so you can sign your own update scripts (for use only with the modified recovery image). You can resign any image, even if it has been signed before. So for example, if you needed to install an "official" t-mobile update, you must re-sign it with the test keys first.
Another bonus in this recovery image is that ADB is enabled while in recovery mode. You can't adb into a shell (no sh binary), but you can at least use it to push and pull files from the device. For example, you could push an update.zip file to the sdcard.
The boot image (boot_nosecure.img) has been modified so that adb has root access by default. So when you do an adb shell, you automatically get a root shell. You can remount the system image using adb, and then push files directly to the system partition.
Finally, the "update - Restore Original RC29 Boot Image.zip" file is an update.zip file signed with the test keys, which will restore your boot partition back to the stock RC29 image. Useful if you accidentally hose your boot partition..
To install the recovery image onto your phone:
Code:
D:\Android\AndroidMod>adb push recovery_testkeys.img /data/local/recovery.img
912 KB/s (0 bytes in 1767424.001s)
D:\Android\AndroidMod>adb shell
$ su
su
# mount -o rw,remount -t yaffs2 /dev/block/mtdblock3 /system
mount -o rw,remount -t yaffs2 /dev/block/mtdblock3 /system
# cd /system
cd /system
# cat /data/local/recovery.img > recovery.img
cat /data/local/recovery.img > recovery.img
# flash_image recovery recovery.img
flash_image recovery recovery.img
#
Note: You must place the recovery image at /system/recovery.img. the init.rc boot script automatically flashes the recovery partition with that file every time you boot up the phone.
At this point, it's probably a good idea to reboot the phone into recovery mode, and make sure it loads OK. If the recovery image is corrupt somehow, it will throw you back into SPL mode (the multi-color bootloader screen). If that happens, just boot the phone normally, and reflash recovery image.
Once it boots into recovery mode, press alt+L, and the next to top line of text should say something like "using test keys.". If it doesn't, then you're still using the original recovery image.
Note: If you are planning on installing the modified RC30 update, you can ignore the following - there is no need to install the boot image. The update already has a newer, modified boot image.
Now that you know you have the modified recovery image loaded, you can install the boot image:
Code:
D:\Android\AndroidMod>adb push boot_nosecure.img /data/local/boot.img
939 KB/s (0 bytes in 1533952.001s)
D:\Android\AndroidMod>adb shell
$ su
su
# flash_image boot /data/local/boot.img
flash_image boot /data/local/boot.img
# rm /data/local/boot.img
rm /data/local/boot.img
#
Now reboot the phone and let it boot normally. If the boot image was corrupted, it will boot into recovery mode instead. You can use the included update zip file to reload the original RC29 boot image.
Otherwise, if it boots up normally, open a command prompt however you like (telnet, adb, terminal emulator app, etc.) and type "getprop ro.secure". If it says 0, then you're running the modified boot image. Otherwise, if it says 1, you're still running the original boot image.
Attachement..
Hmm. It doesn't look like the attachment made it.. Does anyone have some space I could throw the file up at? It's around 5mb.
JesusFreke said:
Hmm. It doesn't look like the attachment made it.. Does anyone have some space I could throw the file up at? It's around 5mb.
Click to expand...
Click to collapse
I should have some space let me know
JesusFreke said:
Hmm. It doesn't look like the attachment made it.. Does anyone have some space I could throw the file up at? It's around 5mb.
Click to expand...
Click to collapse
Sent you an email with u/p if you need space.
test
anyway to test and make sure i did this correctly.. other than my phone booted and is not a paperweight
jriley60 said:
anyway to test and make sure i did this correctly.. other than my phone booted and is not a paperweight
Click to expand...
Click to collapse
To check the boot image, boot the phone normally, and then get a shell with adb. Type "id", and see if you are root
To check the recovery image, boot up the phone into recovery mode. Once you're in recovery mode, Press alt-l to show the text. The next to top line should say something like "using test keys"
JesusFreke said:
To check the boot image, boot the phone normally, and then get a shell with adb. Type "id", and see if you are root
To check the recovery image, boot up the phone into recovery mode. Once you're in recovery mode, Press alt-l to show the text. The next to top line should say something like "using test keys"
Click to expand...
Click to collapse
When will we see the files? Can you just upload to RS and we will mirror?
neoobs said:
When will we see the files? Can you just upload to RS and we will mirror?
Click to expand...
Click to collapse
Look at the original post. I added a link for the zip file..
boot.img is in correct. assuming typing id in telnet returning uid=0(root) gid=0(root) means i'm root then i'm good, thank you so much. looks like i really should install the emulator it might make things a little easier
JesusFreke said:
Look at the original post. I added a link for the zip file..
Click to expand...
Click to collapse
thank you. Sorry
jriley60 said:
boot.img is in correct. assuming typing id in telnet returning uid=0(root) gid=0(root) means i'm root then i'm good, thank you so much. looks like i really should install the emulator it might make things a little easier
Click to expand...
Click to collapse
Well, that does mean you have root, but that doesn't say anything about whether the boot.img was installed correctly. If you're telneting in, then you would have root access regardless of whether you are running a stock boot image or my modified one.
My boot image allows adb to connect to the phone as root. If you don't use adb, there's no reason to install my modified boot image.
Actually, there's an easier way to tell if you're running my boot image. Get to a command prompt (telnet, adb, terminal emulator app, whatever), and type
getprop ro.secure
If it says 0, then you correctly installed my boot image. Otherwise, if it says 1, you're still running the stock image.
Thanks! Was waiting for this.
Now to screw with my phone like crazy
Not that I don't trust you... but...
Ok... I don't trust you implicitly enough to reflash my phone with your stuff
Any chance you can post diffs against the android source tree so I can apply your changes and build it myself?
No offense - I just like to know what's going on...
RyeBrye said:
Ok... I don't trust you implicitly enough to reflash my phone with your stuff
Any chance you can post diffs against the android source tree so I can apply your changes and build it myself?
No offense - I just like to know what's going on...
Click to expand...
Click to collapse
Not at all
The recovery tool is just a stock build (almost) from the android source, using the test keys, which is the default if you don't specify keys of your own. The only change I made was to make it print out "using test keys" when it runs, just to make it easy to tell if it's running. I can give you a diff if you really want.. but it's a simple change though, and doesn't affect the actual functionality.
For the boot image, I replaced the initramfs image in the boot.img included in the official RC29 update, with the initramfs image from a default build of the android source, which has the ro.secure property set to 0.
I first tried the boot.img that was generated by the default android build, but I had issues with getting wifi to work, so I tried merging the initramfs image with the RC29 boot.img, and it seems to work fine.
I suspect you could accomplish the same thing by extracting the initramfs image from the RC29 boot.img, un-gzipping and un-cpioing it, and then modifying the default.prop file to set ro.secure to 0. Then you would have to package it back up and stick it back into the RC29 boot.img.
ro.secure is the property that the adb service looks at to determine if it should use root user, or drop to the shell user. When ro.secure is 0, adb will run as root.
It can be a bit of a pain to get the android source to build though. Make sure you get the dream specific product files (they aren't downloaded by default when you do a "repo sync"). You'll also encounter issues where it can't find libaudio.so or librpc.so. You'll have to copy these from the phone to a couple of output folders in order for the build to proceed.
If you get stuck, feel free to give me a holler and I'll try and help out.
Be warned.. the build takes quite a while.. on the order of an hour or two at least. But then again, I was doing it in a VM.. it may be faster if you do it on a native linux box.
i cant get it to work i know I'm doing something wrong can you(everyone)help me out(i have Vista 64) i get this error
this i what i type# C:\Android\AndroidMod>adb push recovery_testkeys.img /data/local/recovery.img
this is the errorC:AndroidAndroidMod: not found
please and thank you
EDIT: could we do it off the sdcard?
EDIT2: i think i found my own mistake this cant be done in Windows i need to have shell with adb meaning time to whip out VM
JesusFreke said:
For the boot image, I replaced the initramfs image in the boot.img included in the official RC29 update, with the initramfs image from a default build of the android source, which has the ro.secure property set to 0.
I first tried the boot.img that was generated by the default android build, but I had issues with getting wifi to work, so I tried merging the initramfs image with the RC29 boot.img, and it seems to work fine.
Click to expand...
Click to collapse
Can you talk more about this step of the process? How did you do this "merging"? Did you use mkbootimg?
JesusFreke said:
I suspect you could accomplish the same thing by extracting the initramfs image from the RC29 boot.img, un-gzipping and un-cpioing it, and then modifying the default.prop file to set ro.secure to 0. Then you would have to package it back up and stick it back into the RC29 boot.img.
Click to expand...
Click to collapse
And this could be done without going through the whole process of doing an Android build, right? I'm just thinking about how one might build a simple utility to allow editing of the ramdisk.
alansj said:
Can you talk more about this step of the process? How did you do this "merging"? Did you use mkbootimg?
Click to expand...
Click to collapse
I just used the good ol hex-editor. The gzip file starts with a few specific bytes (don't remember them offhand..), so you can search through the image. There are 2 gzip files, the initramfs is the last one. In mine, it starts at offset 0x00154000.
Once you find it, just cut it out and dump the new one in (there is some 00 padding after the gzip file ends.. not sure if you need to keep the padding or not). You also have to update the size of the initramfs, which is at offset 0x00000010.
alansj said:
And this could be done without going through the whole process of doing an Android build, right? I'm just thinking about how one might build a simple utility to allow editing of the ramdisk.
Click to expand...
Click to collapse
Yes.
Anyway to make this using the update.zip sd card method?
JesusFreke, per some requests in #android on freenode I have setup a wiki (not a device wiki like xda's but more like an "information about android/g1 and how to tweak it" wiki) and would like to put this on there. Let me know if you care (unless you would like to add it in your own words), the wiki is http://android-dls.com/wiki and its still very new, but im trying to to get it built up (RyeBrye is doing most of the work).
humble said:
i cant get it to work i know I'm doing something wrong can you(everyone)help me out(i have Vista 64) i get this error
this i what i type# C:\Android\AndroidMod>adb push recovery_testkeys.img /data/local/recovery.img
this is the errorC:AndroidAndroidMod: not found
please and thank you
EDIT: could we do it off the sdcard?
Click to expand...
Click to collapse
First of, you do know that when we refer to "C:\..." we refer to windows via a command prompt (or "cmd") and when you see "# ..." we refer to a shell connection to the Android phone.
Second, you do have the Android SDK right? If not download it HERE. Now extract that to a folder, preferably close to the C: root. (ex. C:\AndroidSDK)
1)Either extract/copy the files from the "AndroidMod.zip" to the Android Tools folder from the SDK (ex. C:\AndroidSDK\Tools) OR copy "adb.exe" and "AdbWinApi.dll" from the Android Tools folder from the SDK (ex. C:\AndroidSDK\Tools)to the folder where you have extracted the "AndroidMod.zip" to.
2)Open up a command prompt. Start -> Run (or Windows key + R) and type "cmd"
3)CD to the directory where the files are.
EXAMPLE:
C:\Users\[your_user_name_here]> cd \
C:> cd androidsdk\tools
C:\AndroidSDK\Tools>
4) Now follow the Instructions.
Could anyone help me obtain a system.mbn dump from a rooted XT1080 running SU4-21?
I'm going to try using the http://forum.xda-developers.com/droid-ultra/general/droid-mini-maxx-ultra-root-pogress-100-t3071609 method to flash it and then run sunshine for bootloader unlock.
Sunshine should already work in SU4-21.... Doesn't it?
hazam1992 said:
Sunshine should already work in SU4-21.... Doesn't it?
Click to expand...
Click to collapse
Only if you're already rooted. Sunshine can't grab temproot on it's own. At least not the latest version.
FYI - If anyone is willing, these are the commands to run:
Code:
set sBD="%date%-%time:~0,2%.%time:~3,2%"
adb wait-for-device
adb shell su -c "dd if=/dev/block/mmcblk0p38 of=/sdcard/system.mbn"
adb pull /sdcard/system.mbn ./%sBD%/system.mbn
pause
Any luck? I am going to post in General to see if we can get some results here.
jyusta said:
Any luck? I am going to post in General to see if we can get some results here.
Click to expand...
Click to collapse
YES!! I grabbed the FXZ from motorola, and found some instructions elsewhere on this forum on how to unpack it. I then added SuperSU and followed the instructions people have been using with the SU6-7 release only modified to use my new 4-21 files. Everything worked fine and I was able to run Sunshine successfully.
I'm going to bed now, but I'll upload the files when I get a chance.
tl;dr: I got everything to work and unlocked my Droid Maxx.
little2slo said:
YES!! I grabbed the FXZ from motorola, and found some instructions elsewhere on this forum on how to unpack it. I then added SuperSU and followed the instructions people have been using with the SU6-7 release only modified to use my new 4-21 files. Everything worked fine and I was able to run Sunshine successfully.
I'm going to bed now, but I'll upload the files when I get a chance.
tl;dr: I got everything to work and unlocked my Droid Maxx.
Click to expand...
Click to collapse
...actually, here's a link to the files I used http://www.4shared.com/zip/9UOyljqaba/_Root_SU4-21_Stock.html
little2slo said:
...actually, here's a link to the files I used ...
Click to expand...
Click to collapse
Thank you sooo much!
I'm going to try this, time to install some tools. Hopefully I don't brick my only device!
It worked perfectly for me! I got my Droid Maxx yesterday with 4.21, and I am so happy I realized I shouldn't update. I used those files (remember, the mine folder should be renamed to _root) and it worked (don't worry about time, it took about 40 min for it to finish for me). I then used sunshine and now I'm unlocked!
little2slo said:
YES!! I grabbed the FXZ from motorola, and found some instructions elsewhere on this forum on how to unpack it. I then added SuperSU and followed the instructions people have been using with the SU6-7 release only modified to use my new 4-21 files. Everything worked fine and I was able to run Sunshine successfully.
I'm going to bed now, but I'll upload the files when I get a chance.
tl;dr: I got everything to work and unlocked my Droid Maxx.
Click to expand...
Click to collapse
Can you give us the link to the 4-21 fxz?
elicik said:
It worked perfectly for me! I got my Droid Maxx yesterday with 4.21, and I am so happy I realized I shouldn't update. I used those files (remember, the mine folder should be renamed to _root) and it worked (don't worry about time, it took about 40 min for it to finish for me). I then used sunshine and now I'm unlocked!
Click to expand...
Click to collapse
How different is rooting 4.21 from 6.7? Want to be absolutely sure before rooting mine since I don't have a backup phone.
---------- Post added at 12:45 PM ---------- Previous post was at 12:26 PM ----------
cohomology said:
How different is rooting 4.21 from 6.7? Want to be absolutely sure before rooting mine since I don't have a backup phone.
Click to expand...
Click to collapse
Also in the original rooting 6.7 thread, op said one has to flash a special non OTA 6.7 image before rooting. Do we have to do sth similar to 4.21?
---------- Post added at 12:57 PM ---------- Previous post was at 12:45 PM ----------
I got mine working last night, I have not purchased sunshine yet but the tool says it is ready to unlock bootloader
So the difference is you need to flash a different ROM in step 00
[URL="https://yadi.sk/d/MCliEyCPfj7ZZ"]https://yadi.sk/d/MCliEyCPfj7ZZ[/URL]
In the folder for your device there is a SU4.21-release-keys.xml that you need to use.
The other difference is after step
"01 Unzipp everything to C:\Python27."
rename the "mine" folder from little2slo to "_root"
Then follow the rest of the steps and you should be good to go.
Thanks again for releasing this to the rest of us OP!
jyusta said:
I got mine working last night, I have not purchased sunshine yet but the tool says it is ready to unlock bootloader
So the difference is you need to flash a different ROM in step 00
[URL="https://yadi.sk/d/MCliEyCPfj7ZZ"]https://yadi.sk/d/MCliEyCPfj7ZZ[/URL]
In the folder for your device there is a SU4.21-release-keys.xml that you need to use.
The other difference is after step
"01 Unzipp everything to C:\Python27."
rename the "mine" folder from little2slo to "_root"
Then follow the rest of the steps and you should be good to go.
Thanks again for releasing this to the rest of us OP!
Click to expand...
Click to collapse
Sorry for my ignorance -- but when do I flash "_Root_SU4-21_Stock.zip" linked by little2slo?
Alright first of all thanks to little2slo for this!
Second of all before i do anything i just want to make sure im understanding everything and what i plan to do is correct so if the steps i post below are wrong in any way please let me know!
1) Instal python 2.7 Pyserial and RSD lite then copy all the below files to the C:/python27 folder
2) Reboot the phone into fastboot and use RSD lite to flash the 4.21 release keys version from here https://yadi.sk/d/MCliEyCPfj7ZZ
3) Rename the mine folder in zip from little2slo to _root
4) boot into fast mode again and then run the blbroke.bat from the folder little2slo posted
5) run Run_root.bat from the folder little2slo posted
And then i should be rooted and can use sunshine to unlock the bootloader correct?
Here's what I did.
1. Install RSD Lite
2. Install python27 and pyserial from "Soft_and_Drivers.rar"
3. boot into fastboot and flash 1FF-obakem_verizon-user-4.4.4-SU4.21-release-keys.xml.zip using RSD Lite
3. run BLBROKE.bat from _Root_SU6-7_Stock.rar (either needs python in your path or you can copy the contents of that rar file into the python install dir)
4. your phone should now boot into the QHSUSB_DLOAD mode
5. When prompted for drivers point them to the drivers in the "windows_drivers_QHSUSB_DLOAD" folder from the "Soft_and_Drivers.rar" archive
5a. I actually ended up waiting for the automatic install to fail, opening device manager, finding the failed device, selecting upgrade drivers and pointing it to the correct folder this way
5b. make sure you use the correct 32/64bit folder
6. either rename the "mine" folder to "_root" OR change the line in RUN_Root.bat from "python qdloadRoot.py MPRG8960.bin -ptf _root/partitions.txt" to "python qdloadRoot.py MPRG8960.bin -ptf mine/partitions.txt"
7. execute the RUN_ROOT.bat file
8. Wait for everything to flash. It took me about an hour.
9. Your phone should reboot automatically, and now have root
10. You should now be able to run Sunshine and unlock your bootloader
If anyone cares, I used the ImgExtractor.exe from http://forum.xda-developers.com/showthread.php?t=2707111 to convert the system.img in the FXZ file into a system.mbn file. The system.mbn is a direct ext4 filesystem image so I copied it, mounted the copy, baked in SuperSU, unmounted, split both copies, diff'd to see what was different, and then modified the qdloadRoot.py script to only look for those files.
Relevant commands:
ImgExtractor.exe system.img system.mbn -conv
sudo mount -t ext4 -o loop system.mbn /mnt
sudo umount /mnt
split -a 3 -b 16777216 --numeric-suffixes=1 system.mbn system
find . -name "system0" -exec mv {} {}.mbn \;
find . -name "system1" -exec mv {} {}.mbn \;
to do the diff I used checksums
sum system*.mbn > sums.txt
diff sums.txt modified/sums.txt
Note: ImgExtractor runs on windows, everything else are linux commands
Hopefully someone else finds this helpful since I spent over an hour just trying to find out how to convert the system.img from the motorola FXZ into an ext4 image I could modify. Turns out motorola has some special sauce so most tools and scripts I looked at wouldn't work.
little2slo said:
If anyone cares, I used the ImgExtractor.exe from http://forum.xda-developers.com/showthread.php?t=2707111 to convert the system.img in the FXZ file into a system.mbn file. The system.mbn is a direct ext4 filesystem image so I copied it, mounted the copy, baked in SuperSU, unmounted, split both copies, diff'd to see what was different, and then modified the qdloadRoot.py script to only look for those files.
Relevant commands:
ImgExtractor.exe system.img system.mbn -conv
sudo mount -t ext4 -o loop system.mbn /mnt
sudo umount /mnt
split -a 3 -b 16777216 --numeric-suffixes=1 system.mbn system
find . -name "system0" -exec mv {} {}.mbn \;
find . -name "system1" -exec mv {} {}.mbn \;
to do the diff I used checksums
sum system*.mbn > sums.txt
diff sums.txt modified/sums.txt
Note: ImgExtractor runs on windows, everything else are linux commands
Hopefully someone else finds this helpful since I spent over an hour just trying to find out how to convert the system.img from the motorola FXZ into an ext4 image I could modify. Turns out motorola has some special sauce so most tools and scripts I looked at wouldn't work.
Click to expand...
Click to collapse
I sure am glad you found the file before me, sounds painful!
My maxx is rooted now! Thank you all for the great work. And now on my way to unlock the BL!
---------- Post added at 11:06 PM ---------- Previous post was at 10:21 PM ----------
cohomology said:
My maxx is rooted now! Thank you all for the great work. And now on my way to unlock the BL!
Click to expand...
Click to collapse
I just unlocked the BL with sunshine and couldn't be happier!
Thanks for getting back to me with the steps you took little2slo and thanks for letting us know how you got to that point! I really appreciate your work here and im about to try this as soon as the obakem file downloads. Ill return with results. Hopefully my tmobile service will work a bit better with the CM rom available for the ultra.
Alright guys got the rooted image flashed over no problem. Installed sunshine and now the bootloader is unlocked! IM SO HAPPY. Ive had this device just laying in the drawer for about 6 months now i can finally do something with it. Next is to figure out how to flash the CM rom available.
Preface: I'm currently using this device and really like it, and as you all may have realised, that this device is considered as a low activity device on XDA, and no developers that I know of have taken a crack at this phone. This thread is to consolidate all information pertaining to the device.
If some area are empty, they will have more content in the future as we progress with this awesome device.
Feel free to post any mods that have worked (preferably in systemless mode)
Table of Contents:
Post 1) Rooting, TWRP and useful Links
Post 2) Info for Developers
Post 3) Roms & Mods
Post 4) Reserved
Useful Links:
My Github (Matt07211) containing kernel source code, to keep with the GPL licenses.
Samsung Kernel Source Code 4.4.4/5.1.1 and 6.0.1
Firmware Samsung xCover 3 and Samsung xCover 3 Value Edition
TWRP for Samsung xCover3 (Kit Kat)
TWRP for Samsung xCover3 Value Edition Credits: @Heledir for the link
SuperSU
Prerequisites:
ADB Installed
USB Debugging Enabled
Samsung USB Drivers Installed
Samsung ODIN (Preferably Odin3_v3.10.7 or above)
A Brain that can use common sense, or Google
Disclaimer:
Anything you do with your own phone is done at your own risk. Don't complain if you accidentally brick your phone. Fix it by using Google, flash back stock firmware or post on XDA for help.
Knox will probably be voided, and so will your warranty.
We cannot say what works for us, may or may not work for you.
Good luck
Using ODIN:
1) Enable USB Debugging, and OEM Unlock (If available), these can be reached from the developer menu. The develpoer menu can be activated by taping "Build Number" 7 times in the about section.
Don't disable OEM Unlock (Ever) once modifing your phone, because FRP (Factoy Reset Protection) will be activated, and then you will be forced into reinstalling stock firmware, aalnd losing all your data in the process.
2) Turn phone off, boot into download mode (Power + Volume Down + Home) and then press Volume Up to use download mode when greeted with a yellow warning.
3) Launch ODIN, and plug phone into Computer. You should see some text like this "ID:COM" in blue.
4) Click the AP button (If it says PDA then you have an older version of ODIN, and are recommended to use a newer version) and Select the file that will be flashed. E.g. TWRP or a Boot.img. Making sure the only options ticked are "F.Reset Time" and "Auto-Reboot". If you are flashing a recovery (E.g. TWRP) then make sure "Auto-Reboot" is unticked, and when ODIN says successful flash then you'll have to then reboot the phone your self(Either by holding any combination of Volume Keys (Any one) + Power + Home or Removing the Battery and Placing back in) and reboot straight into recovery (at least once, else the stock recovery will replace TWRP on a normal boot bu a script called "install-recovery.sh").
5) If "Auto-Reboot is ticked, then the phone will automatically reboot once flashing has been completed.
Root:
SM-G388f:
KitKat:
1) Enable USB Debugging
2) Download the Newest TWRP from the above TWRP Link (the one marked with KitKat), making sure you download the file with the .img.tar extension.
3) Download the Newest SuperSu and place on the internal phone memory.
4) Flash the downloaded TWRP file, make sure "Auto-Reboot" is unticked (Refer to "Using ODIN" if needed). Click Start
5) Once flashed, reboot into recovery (Power + Volume Up + Home) straight away and Flash SuperSu.zip via the Flash Zip section.
Congrats you got root on KitKat
Lollipop:
Installation:
1) Make sure you have the prerequisites installed, and "xcover3-lollipop-root.zip"
unzipped. Then type
Code:
adb devices
to make sure adb recognises the phone and that its authorized.
2) Type (or copy) exaclty as below. *Please be paitent, as the first command
takes about 20 seconds to complete.
Code:
adb push su.img /data/local/tmp
adb install Superuser.apk
3) Once thats completed, turn off the device and then boot into download
mode (Volume Down + Home + Power).
4) Open the ODIN program, click "AP" then navigate to the "boot.tar.md5"
file that is in the "xcover3-lollipop-root: folder, then click open/okay.
Click start to flash.
5) The phone should auto-reboot. Once its fully booted, reboot once more
(perferabbly twice), this is to allow the script placed in the ramdisk to
move the su.img to /data.
6) Profit? Yay you've now got root. You can go and test it out by downloading
terminal emulator and typing "su", you then should be prompted to grant root
permissions to the app. Once granted, the "$" symbol will change to "#" to
signify root.
Thanks to:
@akuhak Thanks for build the custom tools necessary to modify the boot.img
@proguru Thanks for compiling a custom kernel for me, (for testing purposes) allowing me to test various things.
@kniederberger Thanks for providing the boot.img and su.img from the Value edition of the phone, allowing me to base my work around what was done on the value editon.
SM-G389f:
Marshmallow:
*Verified by @Heledir and @kniederberger
A user has uploaded a YouTube video HERE in case anyone wants a video tutorial.
1) Enable "OEM UNLOCK" and "USB Debugging" in developer settings (This can be found by tapping build number 7 times, then developer mode will be activated) then procedded to Flash TWRP.
2) Flash the Value Edition version of TWRP, Link at the top of this thread, making sure it has ".img.tar" extension (Refer to "Using ODIN" if needed).
3) Flash SuperSu.zip inside of TWRP via the Flash Zip section
Update to Newer Firmware while rooted:
Note: You'll lose root (re-root via relevant method) and modifications done to /system, but you're Apps and Data (/data and internal storage) will remain untouched.
0)Although you won't lose any apps/data, it's always recommended to make a backup. Perferrable a Nandroid backup or the backup of apps and data via the means of Titanium Backup and such.
1) Download Newest firmware matching the phones region and carrier (basically if the phone is from one country, dont download the firmware intended for a different country. Links at top of OP/Thread.
2) Out phone into download more, launch Odin and Flash the firmware package Downloaded. (Refer to the Using Odin section as needed.)
3) Give it some time for the inital reboot, and allow it to get setup and booted.
Optional) Re-root via relevant methods.
Un-root Samsung XCover 3 Devices:
1) Click un-root from SuperSu APP
*5.1.1 and 6.0.1: Flash Stock boot.img (Found in stock firmware) (Will post a Link for stock boot.tar.md5 soon, or read on in the next post to figure out how to create your own boot.tar.md5 file)
TWRP:
KitKat: Working
Lollipop: Not Working (I'm looking into it) The is a hacked together version of TWRP HERE, in case people want to flash files. I wouldn't recommend it for anything else other then flashing, as i would perfer to build a proper working TWRP for lollipop.
Note: You'll have to hold, Volume Up + Home + Power buttons straightafter flashing from Odin, keep hold of the key combo untill you see the TWRP logo (2 reboots).
Marshmallow: Working
Flash Stock Firmware:
1) Download the stock firmware from above links, making sure the version and region matches your phone
2) As with the other steps, boot into download mode and connect it to Odin, click the AP button and click on the stock firmware. Then Click Start. (Refer to "Using ODIN" if needed)
3) Give it some time after flashing (Max 10mins) to boot and setup for the first time, if it doesn't after a long time, re-flash the stock firmware again.
FAQ:
- Where is a ROM/Custom Kernel/ TWRP(for lollipop) for our devices? I currently can't provide/make these due to internet limitations, and no access to a 64 bit computer(of course these may change for me in the future). Feel free to build and provide these, and they can get linked to one of the opening pots for easy access.
- What is this thread? It aims to bring all the current work being done on this device into a single thread, so its easily accessible for everyone
- XYZ App doesn't detect root (systemless root)? These apps haven't been updated to work with systemless root, and therefor require SuperSu compatibility mode to be enabled to work with systemless root. Refer to the Troubleshooting section below to fix.
- My Device is sluggish/slow at each boot, how can I fix this? I have noticed that certain apps when used, E.g. CF.Lumen, Livebootetc. require patching the sepolicy at each boot, and this is a memory intensive task. This may not be the only cause for sluggishness, other things can include alot of apps checking for notifcations by pinging their servers, or alot of apps auto starting at boot. There are two different ways about fixing this, one, uninstall offending apps (or disbale their automatic launch), or two, live with it, just wait a couple of minutes after booting before unlocking and using the phone, becuse by then their tasks should be done and android should have cleared up some RAM.
- I keeping getting notifications that my device is unsafe/had unautorized actions have taken place, how to stop this notification/warning? Refer to the Troubleshooting section below to fix.
Troubleshooting:
- XYZ App doesn't detect root (systemless root):
For Value Edition (Android 6.0.1):
1) Type "(or paste)
Code:
echo "BINDSYSTEMXBIN=TRUE" >> /data/.supersu[/CODE
2) Reflash the latest SuperSu.zip via TWRP][/INDENT]
[INDENT][B]For the Normal/Original xCover 3[/B] [I](Android 5.1.1., using my root method)[/I]:
Note: This fix is for the root developed by me, once/if we get a working TWRP for lollipop, then the above instructions should suffice. These 2 scripts creates and mounts a folder to xbin, allowing for apps that check for system root to work properly with systemless. Also daemonsu should mount the folder at boot automatically, but I was having problems with it, so that's why I have a second script to automatically mount the needed folder. Now to the instructions :)
1) Download the "systemless-compatability-fix-lollipop.tar.gz" onto the device and unzip it
2) Using a file explorer that works with systemless root, E.g. Solid Explorer, Copy and paste the 2 files inside the "/su/su.d" directory, making sure it's permissions is "0700" or "700", if the permissions are incorrect you can use the file explorer or terminal emulator and "chmod 0700" on both of the files, Refer to both of the files below for reference.
[img]http://forum.xda-developers.com/attachment.php?attachmentid=3948945&d=1480154633[/img]
[img]http://forum.xda-developers.com/attachment.php?attachmentid=3948946&d=1480154633[/img][/INDENT]
Now all root apps should work (I'm loooking at you Secure Settings and ES File Explorer Pro)
- I keeping getting notifications that my device is unsafe/had unauthorized actions have taken place, how to stop this notification/warning:
I haven't formmaly looked into the cause of this problem as of yet, but some users reported that disabling/removing "SecurityLogAgent" and/or "Smart Manager" Fixs the problem. This can be achieved using Titanium Backup (or similar apps).
[I][B]Planned Work:[/B][/I]
[HIDE]
- Do the next post write up on how to modify the boot.img (or other files) of the devices.
- Get working TWRP on Lollipop
- Get Magisk v9 working
- Look it what is need to flash MM from the xCover 3 Value Edition devices onto the Normal xCover 3 Most users have. (Might be difficult, as they have different hardware)
- Get some ROM creators onto this device [/HIDE]
Anything else?
Development for the xCover3
By Matt07211
This post aims to cover some relevant info for developers, aspiring developers, or tinkers that are missing a crucial piece or knowledge need for it to work on this device (xCover3). This thread will be more bias towards the Original xCover 3 running Lollipop, this just means my knowledge might be lacking in some areas due to differences in hardware (They have different chip-sets)therefor a difference in procedure. This Post assumes your using Linux and is biased towards Ubuntu, as its easiest for anyone to setup.
These post will be split up into categories, and when needed will indicate a difference in procedure between the devices.
Table of Contents:
1) General Setup (Dependices and Tools)
2) Boot and Recovery Modifications
3) System image modification (Also applicable to cache and hidden images found in firmware package)
4) Miscellaneous
Links:
- XCover3:
android_device_samsung_xcover3ltexx(To be added)
platform_manifest (To be added)
local_manifests (To be added)
android_kernel_samsung_xcover3ltexx
proprietary_vendor_samsung(To be added)
- XCover3 Value Edition:
android_device_samsung_xcover3ltexxve(To be added)
platform_manifest (To be added)
local_manifests (To be added)
android_kernel_samsung_xcover3ltexxve(To be added)
proprietary_vendor_samsung(To be added)
- General Setup
# Installing dependices (assuming Ubuntu >=15.04).
A 64-bit Operating system is needed when compiling ROMS, Kernels or Recoverys.
The dependices used are gathered from Android Establishing a Build Enviromentpage and Android Image Repack tools thread.
Code:
sudo apt-get update
sudo apt-get install git git-core gnupg flex bison gperf build-essential zip curl zlib1g-dev gcc-multilib g++-multilib libc6-dev libncurses5-dev x11proto-core-dev libx11-dev lib32z-dev ccache libgl1-mesa-dev libxml2-utils xsltproc unzip openssl libsdl-dev libesd0-dev valgrind libreadline6-dev x11proto-core-dev libz-dev gawk texinfo automake libtool cvs libsdl-dev
# Create Working Directory
It is also recommended to create a working directory for when working with android, keeping everything centeralized is helpful.
Code:
cd ~
mkdir android
# Compiling Android Image Repack Tools: Android Image Repack Tools is a kit of utilites for unpack/repack of android ext4 and boot images(Useful for working with android).
Refer to the thread linked above on different examples/instructions on using the binary files.
Note: I've provdided a copy of the precompiled binary files, compiled agianst android-5.1.1 branch on a 32-bit machine (meaning compatabile with 64/32 bit machines).
For Marshmallow:
Code:
cd ~/android
git clone https://github.com/ASdev/android_img_repack_tools
cd android_img_repack_tools
git checkout android-6.0.1
chmod +x configure
./configure
make
This creates the directory, downloads the source code, and creates the binary files.
For Lollipop (@AkuHaks version, extra tools included for the SM-G388F):
Code:
cd ~/android
git clone https://github.com/AkuHAK/android_img_repack_tools
cd android_img_repack_tools
chmod +x configure
./configure
make
# mkbootimg_tools, from xiaolu (Use for Value edition)
Code:
cd ~/android
git clone https://github.com/xiaolu/mkbootimg_tools
- Boot and Recovery Modifications
# Unpack boot and recovery
For Marshmallow:
Code:
cd ~/android/mkbootimg_tools
mkdir boot
./mkboot boot.img boot
usage: mkboot
unpack boot.img & decompress ramdisk:
mkboot [output dir]
[/INDENT]
Example output:
[CODE]
dt.img
img_info
kernel
ramdisk
ramdisk.cpio.gz
[/CODE]
For [B]Lollipop[/B]:
[CODE]
cd ~/android/android_img_repack_tools
mkdir boot
./pxa1088-unpackbootimg -i boot.img -o boot -p 2048
[/CODE]
Example output:
[CODE]
boot.img-base
boot.img-cmdline
boot.img-dt
boot.img-pagesize
boot.img-ramdisk.gz
boot.img-ramdisk_offset
boot.img-second
boot.img-second_offset
boot.img-signature
boot.img-tags_offset
boot.img-uImage
boot.img-unknown
[/CODE]
# Repack boot and recovery
For [B]Marshmallow[/B][I](Example, substitute names as necessary)[/I]:
[B]Note:[/B] I have yet to try a repacked boot.img on a Value Edition Variant
[CODE]
cd ~/android/mkbootimg_tools
./mkboot boot boot-new.img
[/CODE]
usage: mkboot
Use the unpacked directory repack boot.img(img_info):[INDENT]
mkboot [unpacked dir] [newbootfile]
[/INDENT]
For [B]Lollipop[/B][I](Example, substitute names as necessary)[/I]:
[CODE]
cd ~/android/android_img_repack_tools
./pxa1088-mkbootimg --kernel boot.img-uImage --ramdisk ramdisk-custom-supersu.cpio.gz --dt boot.img-dt --signature boot.img-signature --unknown 0x3000000 -o ../boot-supersu.img
[/CODE]
usage: mkbootimg [INDENT]
--kernel <filename>
[ --ramdisk <filename> ]
[ --second <2ndbootloader-filename> ]
[ --cmdline <kernel-commandline> ]
[ --board <boardname> ]
[ --base <address> ]
[ --pagesize <pagesize> ]
[ --dt <filename> ]
[ --ramdisk_offset <address> ]
[ --second_offset <address> ]
[ --tags_offset <address> ]
[ --id ]
[ --signature <filename> ]
-o|--output <filename>
[/INDENT]
# Ramdisk Unpack/Repack
Unpack
[CODE]
mkdir ramdisk
cd ramdisk
gunzip -c ../ramdisk.cpio.gz | cpio -i
[/CODE]
Repack
For [B]Marshmallow[/B]:
[B]Note:[/B] I have yet to repack the Value-edition/Marshmallow ramdisk so cannot verify it works (unlike lollipop), so if any errors please contact me. Feel free to try and unpack/repack the Value editon ramdisk/boot.img with lollipop instructions, if below doesn't work.
[CODE]
find . | cpio -o -H -R 0.0 newc | gzip > ../ramdisk-new.cpio.gz
[/CODE]
For [B]Lollipop[/B]:
[CODE]
./mkbootfs ramdisk-directory-name | ./minigzip > ramdisk-new.cpio.gz
[/CODE]
# Compile Kernel
Assumes kernel source is like "~/android/kernel" adapt paths as necessary.
For [B]Marshmallow[/B]:
[CODE]
cd ~/android
git clone https://android.googlesource.com/platform/prebuilts/gcc/linux-x86/arm/arm-linux-androideabi-4.9
export CROSS_COMPILE=~/android/arm-linux-androideabi-4.9/bin/arm-linux-androideabi-
cd kernel
make ARCH=arm xcover3velte_eur_defconfig
# You can run "make menuconfig" now if you want to customize the config file. E.g. Adding driver support, enable other features etc.
make ARCH=arm -j<number-of-cpus>
# E.g. "make ARCH=arm -j4"
[/CODE]
[B]Note:[/B] Replace the "<number-of-cpus>" in "-j<number-of-cpus>" with the number of processors you have plus one. For example if you have 4 cores then enter 5. If your getting errors then rebuild it with "-j1" then scroll up till you found the source of the error.
If the compile succeded the you should see "kernel: arch/arm/boot/zImage is ready"
For [B]Lollipop[/B]:
[CODE]
cd ~/android
git clone https://android.googlesource.com/platform/prebuilts/gcc/linux-x86/aarch64/aarch64-linux-android-4.8
export CROSS_COMPILE=~/android/aarch64-linux-android-4.8/bin/aarch64-linux-android-
cd kernel
make ARCH=arm64 pxa1908_xcover3lte_eur_defconfig
# You can run "make menuconfig" now if you want to customize the config file. E.g. Adding driver support, enable other features etc.
make ARCH=arm64 -j<number-of-cpus>
# E.g. "make ARCH=arm64 -j4"
[/CODE]
[B]Note:[/B] Replace the "<number-of-cpus>" in "-j<number-of-cpus>" with the number of processors you have plus one. For example if you have 4 cores then enter 5. If your getting errors then rebuild it with "-j1" then scroll up till you found the source of the error.
If the compile succeded the you should see "kernel: arch/arm64/boot/Image.gz is ready"
# Package Kernel into uImage (SM-G388F ONLY)
[CODE]
mkimage -A arm64 -O linux -T kernel -C gzip -a 01000000 -e 01000000 -d Image.gz -n "pxa1928dkb linux" "boot.img-uImage.new"
[/CODE]
# Generate kernel Specific device tree table (From Kernel Sources, Post-Compile)
[B]NOTE:[/B] This shouldn't need to be done as stock dt.img is the same, so use that. This is only here for educational purposes.
This assumes ~/android/kernel/ is you kernel source code directory. Substite paths as neccessary
For [B]Marshmallow[/B]:
Place either dtbTool or dtbToolCM (Depending on what your using), into ~/android/kernel/scripts and run the binary files from there.
If unable to create use the below binarys then try the lollipop instructions.
dtbTool
[CODE]
cp ~/android/mkbootimg_tools/dtbTool ~/android/kernel/scripts
cd ~/android/kernel
scripts/dtbTool -s 2048 -o arch/arm/boot/dt.img -p scripts/dtc/ arch/arm/boot/
[/CODE]
usage: DTB combiner:
Output file must be specified
dtbTool [options] -o <output file> <input DTB path>
options:
--output-file/-o output file
--dtc-path/-p path to dtc
--page-size/-s page size in bytes
--verbose/-v verbose
--help/-h this help screen
OR
dtbToolCM (support dt-tag & dtb v2/3)
[CODE]
cp ~/android/mkbootimg_tools/dtbTool ~/android/kernel/scripts
cd ~/android/kernel
scripts/dtbToolCM -s 2048 -d "htc,project-id = <" -o arch/arm/boot/dt.img -p scripts/dtc/ arch/arm/boot/
[/CODE]
For [B]Lollipop[/B]:
[CODE]
cd ~/android/android_img_repack_tools
./pxa1088-dtbTool -o boot.img-dt-new -p kernel/scripts/dtc kernel/arch/arm64/boot/dts/
[/CODE]
# Repack as Flashable Odin File (Substitute name as neccessary)
tar -H ustar -c boot.img > boot.tar
md5sum -t boot.tar >> boot.tar
mv boot.tar boot.tar.md5
[/CODE]
[/HIDE]
- System image modifcation
[HIDE]
<To be ADDED>
[/HIDE]
- Miscellaneous
[HIDE]
<To be ADDED>
[/HIDE]
Kernels:
- MyKernel - Custom power kernel series ! (SM-G389f) (Originally called: Devhost97 Kernel's ....) @Devhost97
-DiXCOVERy kernel (SM-G388f) @IXgnas
Roms:
- Flint & Steel ROM (Modded Firmware), planned realse is hopefully at beginning of next year. Follow its progress at the post HERE . Creator is @Matt07211 (Me)
Recommended Mods:
- Xposed using wanam's framework (Lollipop & Marshmallow),HERE, and use the newest XposedInstaller apk from, HERE. Flash the framework via TWRP.
- Arise Sound Mod, HERE. Flash via TWRP.
Recommend Root Apps, by Matt07211:
- Liveboot
- CF.Lumen
- Titanium Backup
- Adaway
- Kernel Auditor
- Terminal Emulator
Recommend Xposed Apps, by Matt07211
- <To be added>
Miscellaneous:
- Debloater Thread by @Sonof8Bits
<Reserved for Future Use>
<Reserved for Future Use>
Problem
Matt07211 said:
Preface: I'm currently using this device and really like it, and as you all may have realised, that this device is considered as a low activity device on XDA, and know developers I know of have taken a crack at this phone. This is where I come in, I like hacking into stuff for the challenge it presents, and I have set myself the challenge that is this device. This is a continuous learning experience for me and all, so I am by far not considered an expert.
If some area are empty, they will have more content in the future as we progress with this awesome device.
Feel free to post any mods that have worked (preferably in systemless mode)
Table of Contents:
Post 1) Root and TWRP
Post 2) Mods (Mostly Systemless versions)
Post 3) Roms
Post 4) --Reserved for future use--
Useful Links:
My Github (Matt07211) to keep with the GPL licences I will upload evrything onto my github (Also its a shameless plug )
My Github Pages Blog for guide on how I manually applied systemless update to boot.img (To be linked)
Samsung Kernel Source Code 4.4.4/5.1.1 and 6.0.1
Firmware Samsung xCover 3 and Samsung xCover 3 Value Edition
TWRP
SuperSU
Prerequisites:
ADB Installed
USB Debugging Enabled
Samsung USB Drivers Installed
Samsung ODIN
A Brain that can use common sense or google
Disclaimer:
Anything you do with your own phone is done at your own risk. Don't complain if accidentally brick your phone, use google, flash back stock firmware or post on XDA for help.
Knox will probably be voided, and so will your warranty.
We cannot say what works for use may work for you.
Good luck
Root:
KitKat:
1) Download the Newest TWRP from the above links, making sure you download the file with the .img.tar extension
2) Download the Newest SuperSu and place on the internal phone memory
3) Turn on USB Debugging
4) Turn phone off, boot into download mode (Power + Volume Down + Home) and then press Volume Up for use when greeted with a yellow warning.
5) Launch ODIN, and plug phone into Computer. You should see some text like this "ID:COM" in green
6) Click the AP button and Select the Downloaded TWRP file, make sure "re-partition" is unticked. Click Start
7) Once flashed, reboot into recovery and Flash SuperSu.zip
Congrats you got root on KitKat
Lollipop (Systemless Root) (EXPERIMENTAL, USE WITH CAUTION):
NOTE: This is currently in the experimental phase as I need users to test and verify that this works
1) Turn on USB Debugging and Download "xCover3-Lollipop-Root-Matt07211.zip" from here.
2) Turn phone off, boot into download mode (Power + Volume Down + Home) and then press Volume Up for use when greeted with a yellow warning.
5) Launch ODIN, and plug phone into Computer. You should see some text like this "ID:COM" in green
6) Click the AP button and Select the Downloaded ".tar.md5, make sure "re-partition" is unticked. Click Start
7) Once flashed, reboot the phone normally, making sure USB Debugging is turned on
8) Copy over "su.img", "Superuser.apk" and "xCover3-root.bat" (For Windows Users) or "xCover3-root.sh" (For Linux Users) into your ADB directory (E.g. android-sdk\platform-tools)
9) Open up a command prompt in the ADB Directory and type either "xCover-root.bat" for windows and for Linux run "xCover-root.sh"
10) Your Device should reboot, and you should have root. Now get an app and verify its existence
NOTE: This is EXPERIMENTAL so this might not work, or will take a few trys to get working, please post if this has worked for you.
Marshmallow:
*To Be looked into, please be patient
Un-root Lollipop and Marshmallow Devices:
1) Click un-root from SuperSu APP
2) Flash Stock Firmware or Stock boot.img (Will post a Link for stock boot.tar.md5 soon)
TWRP:
KitKat: Working
Lollipop: Not Working (I'm looking into it)
Marshmallow: Not Working (I'm looking into it)
Flash Stock Firmware:
1) Download the stock firmware from above links, making sure the version matches your phone
2) As with the other steps, boot into download mode and connect it to Odin, click the AP button and click on the stockfirmware. Then Click Start
3) Give it some time (Max 10mins) to boot and setup for the first time, if it doesn't after a long time, reflash the stockfirmware again.
Now look at the next post
Click to expand...
Click to collapse
When I click on AP in Odin and choose boot_systemless_root_matt07211.tar.md5 ,it just says md5 error binary is invalid. (tested on ODIN 3.12.3 and 3.10)
Oh sorry you said its not working nvm
EzChillzz said:
When I click on AP in Odin and choose boot_systemless_root_matt07211.tar.md5 ,it just says md5 error binary is invalid. (tested on ODIN 3.12.3 and 3.10)
Oh sorry you said its not working nvm
Click to expand...
Click to collapse
I tryed the root for Lollipop. Odin will no flash the tar.md5. There is one mistake by md5. If you rename the file to *.tar odin accept the file. if try to flash odin hang of with outprint analyse file. i wait on this for 10 min nothing goes happen.
I can try to flash with heimdall. for this i need the *img file
sorry for my bad english
EzChillzz said:
When I click on AP in Odin and choose boot_systemless_root_matt07211.tar.md5 ,it just says md5 error binary is invalid. (tested on ODIN 3.12.3 and 3.10)
Oh sorry you said its not working nvm
Click to expand...
Click to collapse
yy1 said:
I tryed the root for Lollipop. Odin will no flash the tar.md5. There is one mistake by md5. If you rename the file to *.tar odin accept the file. if try to flash odin hang of with outprint analyse file. i wait on this for 10 min nothing goes happen.
I can try to flash with heimdall. for this i need the *img file
sorry for my bad english
Click to expand...
Click to collapse
Well I'm stupid when I created it I was pretty tired, so I only included the md5 hash of the .tar file but not the .tar file itself as @yy1 has stated, it should be reuploaded in a couple of minutes. It should all work then, and now you have the file to flash and an md5 hash to compare it to make sure it isn't courrupt. Good luck and please report back to me of it was succesful @yy1 and @EzChillzz
Try to flash your boot.img. Reboot stop with KERNEL IS NOT SEANDROID ENFORCING (Android 5.1.1.)
yy1 said:
Try to flash your boot.img. Reboot stop with KERNEL IS NOT SEANDROID ENFORCING (Android 5.1.1.)
Click to expand...
Click to collapse
The question is does it boot up? If so then that message can be ignored, if not then I will look into it. Just flash original boot.img or firmware to go back to a useable phone. Thanks for testing
Did you get a message with both these sentences in or just the first sentence"KERNEL IS NOT SEANDROID ENFORCING. Custom binary blocked by FRP Lock" ???
It doesn't boot up. Black screnn with boot logo and red warning on top. i flash the original boot.img anything okay.
what means fap lock?
yy1 said:
It doesn't boot up. Black screnn with boot logo and red warning on top. i flash the original boot.img anything okay.
what means fap lock?
Click to expand...
Click to collapse
Was ment to FRP not FAP, autocorrect strikes again. FRP = Factory Rest Protection.Google it if you want more info, basically another barrier to stop thieves. As I reading up on this user's are stating (in a sepolicy patch thread) that when flashing boot.img via odin their phone wouldn't boot up, but said flashing bootmimg via TWRP works.
Questions:
1) When you flash the custom boot.img, does it freeze and nothing happens? Or does it reboot automatically?
2) are you using heimdall or Odin?
Tasks:
1) Flash the boot.img via Heimdall (if you've been using odin) and report back if it was a succes.
2) if possible, if adb is running, can you pull the dmesg off the device before restoring the original boot.img as this will help in debugging this problem.
E.G. "G:\" is the hard drive plugged into my computer, adjust as necessary.
Code:
adb shell dmesg >> G:\dmesg.txt
3) ALSO TRY, after you flash the custom boot.img can you try booting into recovery (Volume Up + Home + Power Button) and try wiping cache before trying to properly boot the phone. Maybe you could also when in recovery tell me what the log files say? @yy1
Still currently searching what is blocking the custom boot.img from booting the phone.
I really appreciate the help
Flash your boot.img via heimdall once again. with no reboot option. go to recovery and wipe cache. after start the phone boot anytime in recovery. flash via heimdall original boot img anyhing okay.
adb not work. there are logfiles in recovery but i don't know they way to put that from phone to pc. Sorry for that.
yy1 said:
Flash your boot.img via heimdall once again. with no reboot option. go to recovery and wipe cache. after start the phone boot anytime in recovery. flash via heimdall original boot img anyhing okay.
adb not work. there are logfiles in recovery but i don't know they way to put that from phone to pc. Sorry for that.
Click to expand...
Click to collapse
I won't be able to look into it today as i have important stuff happening. Will post back later with some more info, sorry about the wait then. Thanks for the help
===================================
Can you try this, as it will greatly help in diagnosing the problem.
Flash the custom boot.img, don't boot the phone yet. Then can you run
Code:
adb start-server
In a terminal/command prompt, then turn on the phone with the adb dmesg command from the previous post already in the terminal for you to hit enter when needed.
Turn on the phone now, and hit enter to run the above command before the phone stops and reboots itself.
Thanks.
Edit 2: When devloping the boot.img, I had to use chainfires supolicy binary to patch the sepolicy in boot.img, with one of it tasks is to patch the recovery from enforcing to permissive mode.
So in an educated geuss, and with information in other forms (user reported that they are unable to flash a custom boot.img via odin but able to via TWRP), that we may be able to flash the boot.img via recovery. See instructions for testing this below.
1) Download both the 3.0.2-1 and 2.0.8-* version of twrp (.img.tar) as we should try both of them <Linked in original post>
2) Flash my custom boot.img and then the twrp files with auto reboot turned off
3) once they both flash, boot into recovery (give it 5-10 mins, if nothig happens then it didn't work)
4) if it actually worked and booted into recovery, flash the custom boot.img in TWRP and try rebooting normally
5) If it managed to get this far, then continue from my original post by tuning either the root script/bat file
Please Report how far you got in this process or if it worked.
===================================
I am currently trying different versions of my boot.img, will post once I have it working properly
No way for me to give you adb log-file, because adb find no device if phone in download- or recovery-mode.
try the second way. Flash boot.img and recovery.img (TWRP) start the phone in recovery-mode. red warning on top RECOVERY IS NOT SEANDROID ENFORCING.
wait 5 minutes phone starts automatic in normal-mode.
yy1 said:
No way for me to give you adb log-file, because adb find no device if phone in download- or recovery-mode.
try the second way. Flash boot.img and recovery.img (TWRP) start the phone in recovery-mode. red warning on top RECOVERY IS NOT SEANDROID ENFORCING.
wait 5 minutes phone starts automatic in normal-mode.
Click to expand...
Click to collapse
Yea thanks for that, I had been trying a bunch of combinations yesterday with none of them working. And when trying to find what blocks custom boot.img from booting up, all I come across is stuff staying to flash back stock firmware, but nothing for the reasons why.
But I have some stuff to look in to and will replie back when done (if I'm succesful or not)
These include:
- looking more into pains secure download mode and what it does
- having a go with exploiting a bug that had happend with stock recovery. Running 4.0 (we are not running this version of android) and recovery version 3e(our stock recovery version ) where you could flash updates.zip signed with testkeys instead of the manufacturers keys
- OR try getting TWRP to run on lollipop (probably have to rebuild it) this leaves us with two options in twrp. 1) Flash SuperSu and get system install (probably won't be able to unpack the boot.img) or then flash my customized boot.img for the Systemless version of root.
Either way it may be a little while before lolipop root is working.
I have important exams coming up so this project is gonna have to be out onto the backburner for about 4 weeks or so, meaning I won't be putting much effort into this for a while, but will continue it after the exams. @yy1
- '
@yy1 I belive I have found out why the phone won't boot when using the custom boot.img
I belive it has to do with the unpacking/repacking of the ramdisk.cpio.gz file. When ever I try to boot an image with a repacked ramdisk the phone won't boot.
I know that the phone can boot custom boot.img 's as I removed the word "SEANDORID" from the original and flashed it to my phone. My phone booted up, even when the red text (KERNEL IS NOT SEANDROID ENFORCING) was shown at the top of my phone.
So once I got it got it booting I will post back here.
My previous post, was somewhat on par. What I mean by this is yes, the ramdisk was a reason why it was not boot, but not for any reasons like permissions, ownership or the like, it was in fact that when unpacking and repacking the cpio archive increase the size, and from what I have reduced from my trial and errors is when the boot.img size is changed by even one byte in size it won't boot. But you are able to modify its contents with a hex editor, E.G. Zeroing out the word SEANDROIDENFORCING at the bottom of the raw image file, would still let the phone boot fully with the text show "KERNEL is not SEANDROIDENFORCING" and it showing up as a custom binary in Download more. I belive it may be becuse of some outside security verifying the boot.img. maybe download mode (it's in secure mode, haven't looked into it yet) or some script, I am not sure. And its all most impossible to get any errors logs or dmesg via adb or otherwise, with my only way to read them is via stock recovery, which is a bit impractical and inelegant reading as it speeds past lines you want to read when trying to scroll down (if anyone knows how to pull these logs from cache without a custom recovery or root, please tell me.
Now when I try to replace the ramdisk in boot.img via hex editor the size increase and thus unable to boot. When I try to repack it with various versions of mkbootimg, including Google's python script, other bi nary compiled versions of it by various people and mkbootimg's binary modified to also with with Device Tree Files which get appended onto the boot.img. I have analysed and reverse enginered the boot.img file, and analyzed the other files included with the stock firmware downloadable from sites like sammobile, sam-firmware etc.
I will be updating one of the is original post with all the information that I have uncovered, I'm great detail and when my internet situation allows (my mobile data is running low, lol), upload the reversed enginered files of boot.img for anyone else to inspect and have a crack at creating their own custom kernel/boot.img.
TL;DR: Uploading detailed information and reverse enginered files of boot.img. Any of my custom boot.img's won't boot if the size changes at the minimum one byte from the original boot.img, but the phone can boot a custom version if the size of the file size deos not change a single byte.
Hi;
TWRP is ready for SM-G389F :
https://twrp.me/devices/samsunggalaxyxcover3ve.html
Heledir said:
Hi;
TWRP is ready for SM-G389F :
https://twrp.me/devices/samsunggalaxyxcover3ve.html
Click to expand...
Click to collapse
This currently only works for Kit Kat, after I unpacked it I read the files at it was aimed at android 4.4.4. I am, after I have my exams in the next few weeks I am gonna try and get TWRP working on lollipop (after I got root )
Software for Samsung Galaxy Xcover 3 VE (SM-G389F) is Android 6.0, so I think it's for MM. The links:
- Device Tree / files
https://github.com/TeamWin/android_device_samsung_xcover3velte
Say its Android 6.0 branch.
I've install it yesterday with Odin and it works fine on my SM-G389F.
But i haven't find root for SM-G389F and MM.
Read this whole guide before starting.
This is for the 7th gen Fire HD10 (suez).
Current version: amonet-suez-v1.1.2.zip
NOTE: This process does not require you to open your device, but should something go horribly wrong, be prepared to do so.
NOTE: This process will modify the partition-table (GPT) of your device.
NOTE: Your device will be reset to factory defaults (including internal storage) during this process.
What you need:
A Linux installation or live-system
A micro-USB cable
Install python3, PySerial, adb, fastboot dos2unix. For Debian/Ubuntu something like this should work:
Code:
sudo apt update
sudo add-apt-repository universe
sudo apt install python3 python3-serial adb fastboot dos2unix
1. Extract the attached zip-file "amonet-suez-v1.1.2.zip" and open a terminal in that directory.
NOTE: If you are already rooted, continue with the next step, otherwise get mtk-su by @diplomatic from here and place (the unpacked binary) into amonet/bin folder
2. Enable ADB in Developer Settings
3. Start the script:
Code:
sudo ./step-1.sh
Your device will now reboot into recovery and perform a factory reset.
NOTE: If you are on firmware 5.6.4.0 or newer, a downgrade is necessary, this requires bricking the device temporarily. (The screen won't come on at all)
If you chose the brick option, you don't need to run step-2.sh below:
Make sure ModemManager is disabled or uninstalled:
Code:
sudo systemctl stop ModemManager
sudo systemctl disable ModemManager
After you have confirmed the bricking by typing "YES", you will need disconnect the device and run
Code:
sudo ./bootrom-step-minimal.sh
Then plug the device back in.
It will then boot into "hacked fastboot" mode.
Then run
Code:
sudo ./fastboot-step.sh
NOTE: When you are back at initial setup, you can skip registration by selecting a WiFi-Network, then pressing "Cancel" and then "Not Now"
NOTE: Make sure you re-enable ADB after Factory Reset.
4. Start the script:
Code:
sudo ./step-2.sh
The exploit will now be flashed and your device will reboot into TWRP.
You can now install Magisk from there.
Going back to stock
Extract the attached zip-file "amonet-suez-v1.1-return-to-stock.zip" into the same folder where you extracted "amonet-suez-v1.1.2.zip" and open a terminal in that directory.
You can go back to stock without restoring the original partition-table, so you can go back to unlocked without wiping data.
Just use hacked fastboot to
Code:
fastboot flash recovery bin/recovery.img
If you want to go back completely (including restoring your GPT):
Code:
sudo ./return-to-stock.sh
Your device should reboot into Amazon Recovery. Use adb sideload to install stock image from there. (Make sure to use FireOS 5.6.3.0 or newer, otherwise you may brick your device)
Important information
In the new partitioning scheme your boot/recovery-images will be in boot_x/recovery_x respectively, while boot/recovery will hold the exploit.
TWRP takes care of remapping these for you, so installing zips/images from TWRP will work as expected.
Don't flash boot/recovery images from FireOS (FlashFire, MagiskManager etc.) (If you do anyway, make sure you flash them to boot_x/recovery_x)
Should you accidentally overwrite the wrong boot, but your TWRP is still working, rebooting into TWRP will fix that automatically.
TWRP will prevent updates from overwriting LK/Preloader/TZ, so generally installing an update should work without issues (only full updates, incremental updates won't work).
For ROM developers there is still an option to overwrite these, which should only be done after thorough testing and if needed (LK should never be updated).
It is still advised to disable OTA.
Very special thanks to @xyz` for making all this possible and putting up with the countless questions I have asked, helping me finish this.
Special thanks also to @retyre for porting the bootrom-exploit and for testing.
Special thanks also to @diplomatic for his wonderfull mtk-su, allowing you to unlock without opening the device.
Thanks also to @bibikalka and everyone who donated
Thanks to @TheRealIntence and @b1u3m3th for confirming it also works on the 64GB model.
Unbricking
If Recovery OR FireOS are still accessible there are other means of recovery, don't continue.
If your device shows one of the following symptoms:
It doesn't show any life (screen stays dark)
You see the white amazon logo, but cannot access Recovery or FireOS.
If you have a Type 1 brick, you may not have to open the device, if your device comes up in bootrom-mode (See Checking USB connection below).
Make sure the device is powered off, by holding the power-button for 20+ seconds
Start bootrom-step.sh
Plug in USB
In all other cases you will have to open the device and partially take it apart.
Follow this guide by @retyre until (including) step 8..
At Step 6. you will replace
Code:
sudo ./bootrom.sh
with
Code:
sudo ./bootrom-step.sh
Should the script stall at some point, restart it and replug the USB-cable (Shorting it again should not be necessary unless the script failed at the very beginning).
If the script succeeded, put the device back together.
When you turn it on, it should start in hacked fastboot mode.
You can now use
Code:
sudo ./fastboot-step.sh
This will flash TWRP and reset your device to factory defaults, then reboot into TWRP.
Checking USB connection
In lsusb the boot-rom shows up as:
Code:
Bus 002 Device 013: ID [b]0e8d:0003[/b] MediaTek Inc. MT6227 phone
If it shows up as:
Code:
Bus 002 Device 014: ID [b]0e8d:2000[/b] MediaTek Inc. MT65xx Preloader
instead, you are in preloader-mode, try again.
dmesg lists the correct device as:
Code:
[ 6383.962057] usb 2-2: New USB device found, idVendor=[b]0e8d[/b], idProduct=[b]0003[/b], bcdDevice= 1.00
Changelog
Version 1.1.2 (26.03.2019)
Fix regenerating GPT from temp GPT
Version 1.1.1 (26.03.2019)
Fix unbricking procedure
Version 1.1 (25.03.2019)
Update TWRP-sources to twrp-9.0 branch
TWRP uses kernel compiled from source
Add scripts to use handshake2.py to enter fastboot/recovery
Features.
Uses 5.6.3 LK for full compatibility with newer kernels.
Hacked fastboot mode lets you use all fastboot commands (flash etc).
Boots custom/unsigned kernel-images (no patching needed)
TWRP protects from downgrading PL/TZ/LK
For the devs: sets printk.disable_uart=0 (enables debug-output over UART).
NOTE: Hacked fastboot can be reached via TWRP.
NOTE: Hacked fastboot doesn't remap partition names, so you can easily go back to stock
Source code:
https://github.com/chaosmaster/amonet/tree/mt8173-suez
https://github.com/chaosmaster/android_device_amazon_suez
https://github.com/chaosmaster/android_kernel_amazon_suez
https://github.com/chaosmaster/android_bootable_recovery
First unreserved !!!
bibikalka said:
First unreserved !!!
Click to expand...
Click to collapse
You are quick
Now we need custom kernels and/or roms, any advice where to start?
Murcielagoz99 said:
Now we need custom kernels and/or roms, any advice where to start?
Click to expand...
Click to collapse
Download Lineage OS Sources, create device tree, create kernel tree, create vendor tree and compile ROM.
---------- Post added at 09:04 PM ---------- Previous post was at 08:58 PM ----------
@k4y0z in the ReadMe of the amonet source code says that the exploit is for the fire hd8 2018.
Is it correct or is it an error?
On the other hand, very good work!
sudo ./step-1.sh
"command not found"
Got the script to run using chmod. But it doesn't reboot,
"PL version 5
LK version 2
TZ Version 263
press enter to continue...
(doesnt reboot)
Dumping GPT
....
Modifying GPT (still hasnt reboot)
What am i am missing?
BRAVO!! Fantastic work, my friend! I'm looking forward to the customization and ROMs that will soon follow.
Rortiz2 said:
Download Lineage OS Sources, create device tree, create kernel tree, create vendor tree and compile ROM.
Click to expand...
Click to collapse
Or start with the (minimal) TWRP device tree I linked to.
Rortiz2 said:
@k4y0z in the ReadMe of the amonet source code says that the exploit is for the fire hd8 2018.
Is it correct or is it an error?
On the other hand, very good work!
Click to expand...
Click to collapse
I just forgot to update the Readme fixed it.
Michajin said:
sudo ./step-1.sh
"command not found"
Got the script to run using chmod. But it doesn't reboot,
"PL version 5
LK version 2
TZ Version 263
press enter to continue...
(doesnt reboot)
Dumping GPT
....
Modifying GPT (still hasnt reboot)
What am i am missing?
Click to expand...
Click to collapse
What OS are you using?
Is there no other output?
Try running
Code:
modules/gpt.py
Does that give any errors?
k4y0z said:
Or start with the (minimal) TWRP device tree I linked to.
I just forgot to update the Readme fixed it.
What OS are you using?
Is there no other output?
Try running
Code:
modules/gpt.py
Does that give any errors?
Click to expand...
Click to collapse
i had permission errors on my ubuntu 16.04. IT rebooted into recovery but nothing happened.
Testing root access...
uid=0(root) gid=0(root) context=u:r:init:s0
PL version: 5 (5)
LK version: 2 (2)
TZ version: 263 (263)
Your device will be reset to factory defaults...
Press Enter to Continue...
Dumping GPT
tmp-mksh: dd if=/dev/block/mmcblk0 bs=512 count=34 of=/data/local/tmp/gpt.bin: not found
tmp-mksh: chmod 644 /data/local/tmp/gpt.bin: not found
199 KB/s (17408 bytes in 0.085s)
Flashing temp GPT
246 KB/s (17408 bytes in 0.068s)
tmp-mksh: dd if=/data/local/tmp/gpt.bin.step1.gpt of=/dev/block/mmcblk0 bs=512 count=34: not found
Preparing for Factory Reset
tmp-mksh: mkdir -p /cache/recovery: not found
/system/bin/sh: can't create /cache/recovery/command": Permission denied
/system/bin/sh: can't create /cache/recovery/command": Permission denied
Rebooting into Recovery
Recovery, nothing happens.
I have root.....
Michajin said:
i had permission errors on my ubuntu 16.04. IT rebooted into recovery but nothing happened.
Testing root access...
uid=0(root) gid=0(root) context=u:r:init:s0
PL version: 5 (5)
LK version: 2 (2)
TZ version: 263 (263)
Your device will be reset to factory defaults...
Press Enter to Continue...
Dumping GPT
tmp-mksh: dd if=/dev/block/mmcblk0 bs=512 count=34 of=/data/local/tmp/gpt.bin: not found
tmp-mksh: chmod 644 /data/local/tmp/gpt.bin: not found
199 KB/s (17408 bytes in 0.085s)
Flashing temp GPT
246 KB/s (17408 bytes in 0.068s)
tmp-mksh: dd if=/data/local/tmp/gpt.bin.step1.gpt of=/dev/block/mmcblk0 bs=512 count=34: not found
Preparing for Factory Reset
tmp-mksh: mkdir -p /cache/recovery: not found
/system/bin/sh: can't create /cache/recovery/command": Permission denied
/system/bin/sh: can't create /cache/recovery/command": Permission denied
Rebooting into Recovery
Recovery, nothing happens.
I have root.....
Click to expand...
Click to collapse
What are you using for root?
it seems like your "su" doesn't like the commands my script sends, what su are you using?
You could try disabling root/ungrant root access and use mtk-su.
k4y0z said:
What are you using for root?
it seems like your "su" doesn't like the commands my script sends, what su are you using?
You could try disabling root/ungrant root access and use mtk-su.
Click to expand...
Click to collapse
SuperSU Pro v 2.82
Michajin said:
SuperSU Pro v 2.82
Click to expand...
Click to collapse
Interesting, it seems it interprets all the arguments as one command.
I'll see if I can find a workaround to work with SuperSU, but it will take me a moment.
What should work however is if you disable root-access in SuperSU-app.
And place mtk-su into bin-folder.
Then just let it do it's thing using mtk-su.
k4y0z said:
Interesting, it seems it interprets all the arguments as one command.
I'll see if I can find a workaround to work with SuperSU, but it will take me a moment.
What should work however is if you disable root-access in SuperSU-app.
And place mtk-su into bin-folder.
Then just let it do it's thing using mtk-su.
Click to expand...
Click to collapse
It is showing
new UID/GID: 0/0 (over and over)
then UID/GID: 2000/2000 ( occasionally)
Then did not find own task_struct (237)
This normal? It has been about 10 minutes
Michajin said:
It is showing
new UID/GID: 0/0 (over and over)
then UID/GID: 2000/2000 ( occasionally)
Then did not find own task_struct (237)
This normal? It has been about 10 minutes
Click to expand...
Click to collapse
Then abort it and try again.
Make sure the screen is unlocked.
Is there no other output?
Did you use arm or arm64 mtk-su?
Also I just tested with SuperSU 2.82 su-binary, and it worked as expected.
I'm not sure why you are getting this issue.
k4y0z said:
Then abort it and try again.
Make sure the screen is unlocked.
Is there no other output?
Did you use arm or arm64 mtk-su?
Also I just tested with SuperSU 2.82 su-binary, and it worked as expected.
I'm not sure why you are getting this issue.
Click to expand...
Click to collapse
I factory reset, no luck, I tried it on my Raspberry pi3 and it worked. Something with my ubuntu i guess? What version of magisk? i flashed 18.1 and it seems to be looping (or taking a really really long time). Rebooting into recovery is easy though (right volume and power).
Michajin said:
I factory reset, no luck, I tried it on my Raspberry pi3 and it worked. Something with my ubuntu i guess? What version of magisk? i flashed 18.1 and it seems to be looping (or taking a really really long time). Rebooting into recovery is easy though (right volume and power).
Click to expand...
Click to collapse
Great you got it to work. Not sure why it didn't in Ubuntu.
Did you end up using mtk-su or SuperSu?
Magisk 18.1 is working fine for me, what FireOS-Version are you on?
k4y0z said:
Read this whole guide before starting.
This is for the 7th gen Fire HD10 (suez).
I have only tested it on the 32GB-model, but it should also work on the 64GB-model ....
Click to expand...
Click to collapse
Outstanding 'win' presented with clarity and humility. Not to mention timely given the short time you've had the target hardware. A fantastic ROI for those who underwrote the device and for uncounted others who will benefit from your work (along with those of several others noted in your full post) for years to come.
:good:
Read this whole guide before starting.
This is for the 7th gen Fire HD8 (douglas).
Current version: amonet-douglas-v1.2.zip
NOTE: This process does not require you to open your device, but should something go horribly wrong, be prepared to do so.
NOTE: This process will modify the partition-table (GPT) of your device.
NOTE: Your device will be reset to factory defaults (including internal storage) during this process.
What you need:
A Linux installation or live-system
A micro-USB cable
Install python3, PySerial, adb, fastboot dos2unix. For Debian/Ubuntu something like this should work:
Code:
sudo apt update
sudo add-apt-repository universe
sudo apt install python3 python3-serial adb fastboot dos2unix
1. Extract the attached zip-file "amonet-douglas-v1.1.zip" and open a terminal in that directory.
NOTE: If you are already rooted, continue with the next step, otherwise get mtk-su by @diplomatic from here and place (the unpacked binary) into amonet/bin folder
2. Enable ADB in Developer Settings
3. Start the script:
Code:
sudo ./step-1.sh
Your device will now reboot into recovery and perform a factory reset.
NOTE: If you are on a firmware newer than 5.6.4.0, a downgrade is necessary, this requires bricking the device temporarily. (The screen won't come on at all)
If you chose the brick option, you don't need to run step-2.sh below:
Make sure ModemManager is disabled or uninstalled:
Code:
sudo systemctl stop ModemManager
sudo systemctl disable ModemManager
WARNING: Do not use bootrom-step-minimal.sh if you bricked using brick(-9820).sh!
You will need to use bootrom-step.sh.
After you have confirmed the bricking by typing "YES", you will need disconnect the device and run
Code:
sudo ./bootrom-step-minimal.sh
Then plug the device back in.
It will then boot into "hacked fastboot" mode.
Then run
Code:
sudo ./fastboot-step.sh
NOTE: When you are back at initial setup, you can skip registration by selecting a WiFi-Network, then pressing "Cancel" and then "Not Now"
NOTE: Make sure you re-enable ADB after Factory Reset.
4. Start the script:
Code:
sudo ./step-2.sh
The exploit will now be flashed and your device will reboot into TWRP.
You can now install Magisk from there.
Going back to stock
Extract the attached zip-file "amonet-douglas-return-to-stock.zip" into the same folder where you extracted "amonet-douglas-v1.0.zip" and open a terminal in that directory.
You can go back to stock without restoring the original partition-table, so you can go back to unlocked without wiping data.
Just use hacked fastboot to
Code:
sudo fastboot flash recovery bin/recovery.img
If you want to go back completely (including restoring your GPT):
Code:
sudo ./return-to-stock.sh
Your device should reboot into Amazon Recovery. Use adb sideload to install stock image from there. (Make sure to use FireOS 5.6.4.0 or newer, otherwise you may brick your device)
Important information
In the new partitioning scheme your boot/recovery-images will be in boot_x/recovery_x respectively, while boot/recovery will hold the exploit.
TWRP takes care of remapping these for you, so installing zips/images from TWRP will work as expected.
Don't flash boot/recovery images from FireOS (FlashFire, MagiskManager etc.) (If you do anyway, make sure you flash them to boot_x/recovery_x)
Should you accidentally overwrite the wrong boot, but your TWRP is still working, rebooting into TWRP will fix that automatically.
TWRP will prevent updates from overwriting LK/Preloader/TZ, so generally installing an update should work without issues (only full updates, incremental updates won't work).
For ROM developers there is still an option to overwrite these, which should only be done after thorough testing and if needed (LK should never be updated).
It is still advised to disable OTA.
Very special thanks to @xyz` for making all this possible and putting up with the countless questions I have asked, helping me finish this.
Special thanks also to @diplomatic for his wonderfull mtk-su, allowing you to unlock without opening the device.
Thanks to @t0x1cSH and @breakfastofsecrets for testing.
Reserved #1
Changelog
Version 1.2 (15.10.2019)
Increase boot.hdr size to avoid crashes with leftovers of boot.img
Version 1.1 (02.09.2019)
Add system_image to TWRP
Add serialno to GPT-folder to avoid mixups between 16G and 32G
Add scripts to fix GPT
Features.
Hacked fastboot mode lets you use all fastboot commands (flash etc).
Boots custom/unsigned kernel-images (no patching needed)
TWRP protects from downgrading PL/TZ/LK
NOTE: Hacked fastboot can be reached via TWRP.
NOTE: Hacked fastboot doesn't remap partition names, so you can easily go back to stock
Reserved #3
Awesome!
if you can't get in the recovery by long pressing the volume buttons and power button simultaneously, during the boot keep both the volume buttons and fastly tap the power button
i had some problems getting by long pressing in the recovery and this worked every time
ty k4y0z
Works perfectly. Thank you very very much!
On a rooted device with a locked bootloader, if I back up system and data only with Flashfire, will I be able to restore these partitions with TWRP after unlocking? Presumably I wouldn't restore the boot partition?
MontysEvilTwin said:
On a rooted device with a locked bootloader, if I back up system and data only with Flashfire, will I be able to restore these partitions with TWRP after unlocking? Presumably I wouldn't restore the boot partition?
Click to expand...
Click to collapse
I think that you can. TWRP supports flashfire backups but as you say don't restore boot.img neither recovery.img.
MontysEvilTwin said:
On a rooted device with a locked bootloader, if I back up system and data only with Flashfire, will I be able to restore these partitions with TWRP after unlocking? Presumably I wouldn't restore the boot partition?
Click to expand...
Click to collapse
Rortiz2 said:
I think that you can. TWRP supports flashfire backups but as you say don't restore boot.img neither recovery.img.
Click to expand...
Click to collapse
Haven't tested, but should work fine, also boot.img should give no issues when restoring.
Only userdata is erased during unlocking, so it should be enough to restore userdata.
k4y0z said:
Haven't tested, but should work fine, also boot.img should give no issues when restoring.
Only userdata is erased during unlocking, so it should be enough to restore userdata.
Click to expand...
Click to collapse
Doesn't the unlock procedure include a factory reset which will wipe settings and apps? By 'userdata' do you mean 'data' or data plus internal storage (user files and photos etc.) or just internal storage?
MontysEvilTwin said:
Doesn't the unlock procedure include a factory reset which will wipe settings and apps? By 'userdata' do you mean 'data' or data plus internal storage (user files and photos etc.) or just internal storage?
Click to expand...
Click to collapse
Yes it does wipe data/userdata including the internal storage.
But it doesn't touch the system-partition.
Everything went super smooth. Many thanks for this, and all your unlocks.
Also, I was able to flash my flashfire system and usedata backups in TWRP with no issues.
Kctucka said:
Everything went super smooth. Many thanks for this, and all your unlocks.
Also, I was able to flash my flashfire system and usedata backups in TWRP with no issues.
Click to expand...
Click to collapse
How do you flash Flashfire backups? I now am unlocked and have TWRP installed, but when I try to restore, TWRP can see the backup folders but does not see any backed-up partitions.
---------- Post added at 10:49 AM ---------- Previous post was at 10:36 AM ----------
OK. I've got it figured out. You have to install the relevant 'twrp.zip' archives from the Flashfire backups.
dear friends
I make backup with twrp ( just system ) and transfer it to other device but when restore system the device stock on amazon i try to flash system by hacked BL flash success but when reboot also stock on amazon logo
deathlessster said:
dear friends
I make backup with twrp ( just system ) and transfer it to other device but when restore system the device stock on amazon i try to flash system by hacked BL flash success but when reboot also stock on amazon logo
Click to expand...
Click to collapse
Maybe you need to do a wipe of userdata and flash the latest boot.img.
thank you Rortiz2 i will try
---------- Post added at 03:36 PM ---------- Previous post was at 03:30 PM ----------
k4y0z said:
Read this whole guide before starting.
This is for the 7th gen Fire HD8 (douglas).
Current version: amonet-douglas-v1.0.zip
NOTE: This process does not require you to open your device, but should something go horribly wrong, be prepared to do so.
NOTE: This process will modify the partition-table (GPT) of your device.
NOTE: Your device will be reset to factory defaults (including internal storage) during this process.
What you need:
A Linux installation or live-system
A micro-USB cable
Install python3, PySerial, adb, fastboot dos2unix. For Debian/Ubuntu something like this should work:
Code:
sudo apt update
sudo add-apt-repository universe
sudo apt install python3 python3-serial adb fastboot dos2unix
1. Extract the attached zip-file "amonet-douglas-v1.0.zip" and open a terminal in that directory.
NOTE: If you are already rooted, continue with the next step, otherwise get mtk-su by @diplomatic from here and place (the unpacked binary) into amonet/bin folder
2. Enable ADB in Developer Settings
3. Start the script:
Code:
sudo ./step-1.sh
Your device will now reboot into recovery and perform a factory reset.
NOTE: If you are on a firmware newer than 5.6.4.0, a downgrade is necessary, this requires bricking the device temporarily. (The screen won't come on at all)
If you chose the brick option, you don't need to run step-2.sh below:
Make sure ModemManager is disabled or uninstalled:
Code:
sudo systemctl stop ModemManager
sudo systemctl disable ModemManager
After you have confirmed the bricking by typing "YES", you will need disconnect the device and run
Code:
sudo ./bootrom-step-minimal.sh
Then plug the device back in.
It will then boot into "hacked fastboot" mode.
Then run
Code:
sudo ./fastboot-step.sh
NOTE: When you are back at initial setup, you can skip registration by selecting a WiFi-Network, then pressing "Cancel" and then "Not Now"
NOTE: Make sure you re-enable ADB after Factory Reset.
4. Start the script:
Code:
sudo ./step-2.sh
The exploit will now be flashed and your device will reboot into TWRP.
You can now install Magisk from there.
Going back to stock
Extract the attached zip-file "amonet-douglas-return-to-stock.zip" into the same folder where you extracted "amonet-douglas-v1.0.zip" and open a terminal in that directory.
You can go back to stock without restoring the original partition-table, so you can go back to unlocked without wiping data.
Just use hacked fastboot to
Code:
fastboot flash recovery bin/recovery.img
If you want to go back completely (including restoring your GPT):
Code:
sudo ./return-to-stock.sh
Your device should reboot into Amazon Recovery. Use adb sideload to install stock image from there. (Make sure to use FireOS 5.6.4.0 or newer, otherwise you may brick your device)
Important information
In the new partitioning scheme your boot/recovery-images will be in boot_x/recovery_x respectively, while boot/recovery will hold the exploit.
TWRP takes care of remapping these for you, so installing zips/images from TWRP will work as expected.
Don't flash boot/recovery images from FireOS (FlashFire, MagiskManager etc.) (If you do anyway, make sure you flash them to boot_x/recovery_x)
Should you accidentally overwrite the wrong boot, but your TWRP is still working, rebooting into TWRP will fix that automatically.
TWRP will prevent updates from overwriting LK/Preloader/TZ, so generally installing an update should work without issues (only full updates, incremental updates won't work).
For ROM developers there is still an option to overwrite these, which should only be done after thorough testing and if needed (LK should never be updated).
It is still advised to disable OTA.
Very special thanks to @xyz` for making all this possible and putting up with the countless questions I have asked, helping me finish this.
Special thanks also to @diplomatic for his wonderfull mtk-su, allowing you to unlock without opening the device.
Thanks to @t0x1cSH and @breakfastofsecrets for testing.
Click to expand...
Click to collapse
I do this method on windows 10 with linux shell and i get success thank you very much
I have unlocked three tablets now. It is very easy, thanks @k4y0z for making it that way. The only problem I had was with my first try on step 1, but that was because my adb and fastboot drivers needed updating.
Is a similar unlock planned for the HD 8, 2016/ 6th gen. Giza?
I still have problem in twrp restore my device now stock on amazon logo please help me
[email protected]:/mnt/c/Users/aimya/Downloads/Compressed/amonet-douglas-v1.0_2/amonet$ sudo ./step-1.sh
[sudo] password for aimyafi:
* daemon not running; starting now at tcp:5037
* daemon started successfully
Stuck at there! What's the problem?