Database Info

[ROOT] Universal (temporal) root tool for dirtycow-capable Android M devices

Hi,
I've developed an universal & stable temporal root tool for "dirtycow-capable" Android M (and N?), i.e., without the 2016-11-06 patch.
It bypasses selinux via a vdso backdoor inside the init process which is injected by a memory-only dirtycow exploit.
This approach has the following advantages:
Memory-only: does not modify the filesystem
Scalable: easy to add new kernel and/or new devices
Stable: does not affect stability of your device
Reversible: the backdoor is cleared immediately after the root shell ends, which means no reboot is required after usage
Please use version v0.1.1 instead of v0.1 which has a severe bug!
Attention:
By "SELinux bypass" I mean the payload will run in init domian even if SELinux is in enforcing mode, however, a patch to sepolicy is still needed for making init domain unconfined. Usually this means a modified boot image is required.
Details, releases, usage and the source code is available at Github.
Maybe I'll turn it into a SuperSU installer in the future. Donations are welcome.
XDA:DevDB Information
VIKIROOT, Tool/Utility for all devices (see above for details)
Contributors
hyln9
Source Code: https://github.com/hyln9/VIKIROOT
Version Information
Status: Testing
Created 2017-01-20
Last Updated 2017-01-21

Hi, I am working on the LG Tribute HD model LGLS676 and we are looking for an exploit for MM 6.0.1 build MXB48T. is it possible to create a 32-bit version of this exploit? It's exactly what we need right now for a method to gain root as not even temp is not even close to possible, lg has this one airtight. I'm running Ubuntu 16.04.01 64 bit and can help test if needed on my device. Thanks in advance for any help you can or cannot provide ?

Sands207 said:
Hi, I am working on the LG Tribute HD model LGLS676 and we are looking for an exploit for MM 6.0.1 build MXB48T. is it possible to create a 32-bit version of this exploit? It's exactly what we need right now for a method to gain root as not even temp is not even close to possible, lg has this one airtight. I'm running Ubuntu 16.04.01 64 bit and can help test if needed on my device. Thanks in advance for any help you can or cannot provide
Click to expand...
Click to collapse
Thanks for your reply.
Unfortunately, 32-bit vDSO support is not available for Android currently.

hyln9 said:
Thanks for your reply.
Unfortunately, 32-bit vDSO support is not available for Android currently.
Click to expand...
Click to collapse
Could we use a different backdoor/exploit for x86 devices?

AptLogic said:
Could we use a different backdoor/exploit for x86 devices?
Click to expand...
Click to collapse
Great idea, I'll have a try in the emulator.

Hello and thank you for this!
I am stuck and need your help here please... I'm on an LG V10 (H960A) mm, and I think I followed the instructions on GitHub correctly:
1. Extracted the "exploit" binary
2. adb push /data/local/tmp
3. adb shell (cd to /data/local/tmp and made "exploit" executable)
4. Executed the "exploit"
and now I am stuck in "waiting for reverse connect shell". Turning device on/off, toggling Bluetooth etc does nothing... How should I proceed? Thanks in advance!

ftaios said:
Hello and thank you for this!
I am stuck and need your help here please... I'm on an LG V10 (H960A) mm, and I think I followed the instructions on GitHub correctly:
1. Extracted the "exploit" binary
2. adb push /data/local/tmp
3. adb shell (cd to /data/local/tmp and made "exploit" executable)
4. Executed the "exploit"
and now I am stuck in "waiting for reverse connect shell". Turning device on/off, toggling Bluetooth etc does nothing... How should I proceed? Thanks in advance!
Click to expand...
Click to collapse
A debug version was added to the download page.
Would you please run it as before and send me the two generated debug info file "vdso_orig.so" and "vdso_patched.so" to me? They are just dump of some part of kernel and don't contain any personal information.
My e-mail address is: hyln9$live.cn (replace $ with @)
Thanks!

@hyln9 how goes the looking for a 32bit exploit? I'm available to test any developments that have been made, using an AT&T Galaxy S5 running Android 5.0 ((I can upgrade to 5.1.1 or 6.0 if needed)
(Try exploiting wpa_supplicant )

hyln9 said:
A debug version was added to the download page.
Would you please run it as before and send me the two generated debug info file "vdso_orig.so" and "vdso_patched.so" to me? They are just dump of some part of kernel and don't contain any personal information.
My e-mail address is: hyln9$live.cn (replace $ with @)
Thanks!
Click to expand...
Click to collapse
Just sent them to you...

hyln9 said:
A debug version was added to the download page.
Would you please run it as before and send me the two generated debug info file "vdso_orig.so" and "vdso_patched.so" to me? They are just dump of some part of kernel and don't contain any personal information.
My e-mail address is: hyln9$live.cn (replace $ with @)
Thanks!
Click to expand...
Click to collapse
I also sent!!

Is there any way this can with for the at&t lg g5 h820 I believe. I hope so that is the only thing I hate with this phone. No root. So boring.

What port should we be using? When I use the non-debug version it hangs waiting for the reverse connection... using the debug version it dies before even creating a log file it says: "Internal error: unknown kernel." I'm running an AT&T G5 (H820) without the latest patches...

rvyhmeister said:
What port should we be using? When I use the non-debug version it hangs waiting for the reverse connection... using the debug version it dies before even creating a log file it says: "Internal error: unknown kernel." I'm running an AT&T G5 (H820) without the latest patches...
Click to expand...
Click to collapse
did you reboot phone?
and maybe you don't get error.

Not executable 64 bit elf file?

jcpowell said:
Not executable 64 bit elf file?
Click to expand...
Click to collapse
That means you're trying to run this 64 bit exploit on a 32 bit android system. The exploit doesn't work on 32 bit because 32bit systems don't have vdso. I'm working on a different exploit and I think this dev is too but I don't expect much out of my tests since it's mostly device specific.

iptr9 said:
did you reboot phone?
and maybe you don't get error.
Click to expand...
Click to collapse
Rebooted... running the debug
Now I get this
Syscall error: bind at line 392 with code 13.
No files are created... what port should I tell it? Thanks!

rvyhmeister said:
Rebooted... running the debug
Now I get this
Syscall error: bind at line 392 with code 13.
No files are created... what port should I tell it? Thanks!
Click to expand...
Click to collapse
maybe you have to cd into /data/local/tmp
and then ./exploit

iptr9 said:
maybe you have to cd into /data/local/tmp
and then ./exploit
Click to expand...
Click to collapse
I've done that... the interesting thing is that if I run simply
./exploit
it replies
CVE-2016-5195 POC FOR ANDROID 6.0.1 MARSHMALLOW
Usage:
./exploit port: use local terminal.
./exploit ip port: use remote terminal.
If I enter any number, it then fails...

rvyhmeister said:
I've done that... the interesting thing is that if I run simply
./exploit
it replies
CVE-2016-5195 POC FOR ANDROID 6.0.1 MARSHMALLOW
Usage:
./exploit port: use local terminal.
./exploit ip port: use remote terminal.
If I enter any number, it then fails...
Click to expand...
Click to collapse
try a port above 1024

saspipi said:
try a port above 1024
Click to expand...
Click to collapse
thanks.... it starts fine.... but then hangs waiting for the reverse shell to connect.... I've got the zip with the two debug files that I'm attaching

[UNLOCK][ROOT][TWRP][UNBRICK] Fire HD 10 2017 (suez)

Read this whole guide before starting.
This is for the 7th gen Fire HD10 (suez).
Current version: amonet-suez-v1.1.2.zip
NOTE: This process does not require you to open your device, but should something go horribly wrong, be prepared to do so.
NOTE: This process will modify the partition-table (GPT) of your device.
NOTE: Your device will be reset to factory defaults (including internal storage) during this process.
What you need:
A Linux installation or live-system
A micro-USB cable
Install python3, PySerial, adb, fastboot dos2unix. For Debian/Ubuntu something like this should work:
Code:
sudo apt update
sudo add-apt-repository universe
sudo apt install python3 python3-serial adb fastboot dos2unix
1. Extract the attached zip-file "amonet-suez-v1.1.2.zip" and open a terminal in that directory.
NOTE: If you are already rooted, continue with the next step, otherwise get mtk-su by @diplomatic from here and place (the unpacked binary) into amonet/bin folder
2. Enable ADB in Developer Settings
3. Start the script:
Code:
sudo ./step-1.sh
Your device will now reboot into recovery and perform a factory reset.
NOTE: If you are on firmware 5.6.4.0 or newer, a downgrade is necessary, this requires bricking the device temporarily. (The screen won't come on at all)
If you chose the brick option, you don't need to run step-2.sh below:
Make sure ModemManager is disabled or uninstalled:
Code:
sudo systemctl stop ModemManager
sudo systemctl disable ModemManager
After you have confirmed the bricking by typing "YES", you will need disconnect the device and run
Code:
sudo ./bootrom-step-minimal.sh
Then plug the device back in.
It will then boot into "hacked fastboot" mode.
Then run
Code:
sudo ./fastboot-step.sh
NOTE: When you are back at initial setup, you can skip registration by selecting a WiFi-Network, then pressing "Cancel" and then "Not Now"
NOTE: Make sure you re-enable ADB after Factory Reset.
4. Start the script:
Code:
sudo ./step-2.sh
The exploit will now be flashed and your device will reboot into TWRP.
You can now install Magisk from there.
Going back to stock
Extract the attached zip-file "amonet-suez-v1.1-return-to-stock.zip" into the same folder where you extracted "amonet-suez-v1.1.2.zip" and open a terminal in that directory.
You can go back to stock without restoring the original partition-table, so you can go back to unlocked without wiping data.
Just use hacked fastboot to
Code:
fastboot flash recovery bin/recovery.img
If you want to go back completely (including restoring your GPT):
Code:
sudo ./return-to-stock.sh
Your device should reboot into Amazon Recovery. Use adb sideload to install stock image from there. (Make sure to use FireOS 5.6.3.0 or newer, otherwise you may brick your device)
Important information
In the new partitioning scheme your boot/recovery-images will be in boot_x/recovery_x respectively, while boot/recovery will hold the exploit.
TWRP takes care of remapping these for you, so installing zips/images from TWRP will work as expected.
Don't flash boot/recovery images from FireOS (FlashFire, MagiskManager etc.) (If you do anyway, make sure you flash them to boot_x/recovery_x)
Should you accidentally overwrite the wrong boot, but your TWRP is still working, rebooting into TWRP will fix that automatically.
TWRP will prevent updates from overwriting LK/Preloader/TZ, so generally installing an update should work without issues (only full updates, incremental updates won't work).
For ROM developers there is still an option to overwrite these, which should only be done after thorough testing and if needed (LK should never be updated).
It is still advised to disable OTA.
Very special thanks to @xyz` for making all this possible and putting up with the countless questions I have asked, helping me finish this.
Special thanks also to @retyre for porting the bootrom-exploit and for testing.
Special thanks also to @diplomatic for his wonderfull mtk-su, allowing you to unlock without opening the device.
Thanks also to @bibikalka and everyone who donated
Thanks to @TheRealIntence and @b1u3m3th for confirming it also works on the 64GB model.

Unbricking
If Recovery OR FireOS are still accessible there are other means of recovery, don't continue.
If your device shows one of the following symptoms:
It doesn't show any life (screen stays dark)
You see the white amazon logo, but cannot access Recovery or FireOS.
If you have a Type 1 brick, you may not have to open the device, if your device comes up in bootrom-mode (See Checking USB connection below).
Make sure the device is powered off, by holding the power-button for 20+ seconds
Start bootrom-step.sh
Plug in USB
In all other cases you will have to open the device and partially take it apart.
Follow this guide by @retyre until (including) step 8..
At Step 6. you will replace
Code:
sudo ./bootrom.sh
with
Code:
sudo ./bootrom-step.sh
Should the script stall at some point, restart it and replug the USB-cable (Shorting it again should not be necessary unless the script failed at the very beginning).
If the script succeeded, put the device back together.
When you turn it on, it should start in hacked fastboot mode.
You can now use
Code:
sudo ./fastboot-step.sh
This will flash TWRP and reset your device to factory defaults, then reboot into TWRP.
Checking USB connection
In lsusb the boot-rom shows up as:
Code:
Bus 002 Device 013: ID [b]0e8d:0003[/b] MediaTek Inc. MT6227 phone
If it shows up as:
Code:
Bus 002 Device 014: ID [b]0e8d:2000[/b] MediaTek Inc. MT65xx Preloader
instead, you are in preloader-mode, try again.
dmesg lists the correct device as:
Code:
[ 6383.962057] usb 2-2: New USB device found, idVendor=[b]0e8d[/b], idProduct=[b]0003[/b], bcdDevice= 1.00

Changelog
Version 1.1.2 (26.03.2019)
Fix regenerating GPT from temp GPT
Version 1.1.1 (26.03.2019)
Fix unbricking procedure
Version 1.1 (25.03.2019)
Update TWRP-sources to twrp-9.0 branch
TWRP uses kernel compiled from source
Add scripts to use handshake2.py to enter fastboot/recovery
Features.
Uses 5.6.3 LK for full compatibility with newer kernels.
Hacked fastboot mode lets you use all fastboot commands (flash etc).
Boots custom/unsigned kernel-images (no patching needed)
TWRP protects from downgrading PL/TZ/LK
For the devs: sets printk.disable_uart=0 (enables debug-output over UART).
NOTE: Hacked fastboot can be reached via TWRP.
NOTE: Hacked fastboot doesn't remap partition names, so you can easily go back to stock

Source code:
https://github.com/chaosmaster/amonet/tree/mt8173-suez
https://github.com/chaosmaster/android_device_amazon_suez
https://github.com/chaosmaster/android_kernel_amazon_suez
https://github.com/chaosmaster/android_bootable_recovery

First unreserved !!!

bibikalka said:
First unreserved !!!
Click to expand...
Click to collapse
You are quick

Now we need custom kernels and/or roms, any advice where to start?

Murcielagoz99 said:
Now we need custom kernels and/or roms, any advice where to start?
Click to expand...
Click to collapse
Download Lineage OS Sources, create device tree, create kernel tree, create vendor tree and compile ROM.
---------- Post added at 09:04 PM ---------- Previous post was at 08:58 PM ----------
@k4y0z in the ReadMe of the amonet source code says that the exploit is for the fire hd8 2018.
Is it correct or is it an error?
On the other hand, very good work!

sudo ./step-1.sh
"command not found"
Got the script to run using chmod. But it doesn't reboot,
"PL version 5
LK version 2
TZ Version 263
press enter to continue...
(doesnt reboot)
Dumping GPT
....
Modifying GPT (still hasnt reboot)
What am i am missing?

BRAVO!! Fantastic work, my friend! I'm looking forward to the customization and ROMs that will soon follow.

Rortiz2 said:
Download Lineage OS Sources, create device tree, create kernel tree, create vendor tree and compile ROM.
Click to expand...
Click to collapse
Or start with the (minimal) TWRP device tree I linked to.
Rortiz2 said:
@k4y0z in the ReadMe of the amonet source code says that the exploit is for the fire hd8 2018.
Is it correct or is it an error?
On the other hand, very good work!
Click to expand...
Click to collapse
I just forgot to update the Readme fixed it.
Michajin said:
sudo ./step-1.sh
"command not found"
Got the script to run using chmod. But it doesn't reboot,
"PL version 5
LK version 2
TZ Version 263
press enter to continue...
(doesnt reboot)
Dumping GPT
....
Modifying GPT (still hasnt reboot)
What am i am missing?
Click to expand...
Click to collapse
What OS are you using?
Is there no other output?
Try running
Code:
modules/gpt.py
Does that give any errors?

k4y0z said:
Or start with the (minimal) TWRP device tree I linked to.
I just forgot to update the Readme fixed it.
What OS are you using?
Is there no other output?
Try running
Code:
modules/gpt.py
Does that give any errors?
Click to expand...
Click to collapse
i had permission errors on my ubuntu 16.04. IT rebooted into recovery but nothing happened.
Testing root access...
uid=0(root) gid=0(root) context=u:r:init:s0
PL version: 5 (5)
LK version: 2 (2)
TZ version: 263 (263)
Your device will be reset to factory defaults...
Press Enter to Continue...
Dumping GPT
tmp-mksh: dd if=/dev/block/mmcblk0 bs=512 count=34 of=/data/local/tmp/gpt.bin: not found
tmp-mksh: chmod 644 /data/local/tmp/gpt.bin: not found
199 KB/s (17408 bytes in 0.085s)
Flashing temp GPT
246 KB/s (17408 bytes in 0.068s)
tmp-mksh: dd if=/data/local/tmp/gpt.bin.step1.gpt of=/dev/block/mmcblk0 bs=512 count=34: not found
Preparing for Factory Reset
tmp-mksh: mkdir -p /cache/recovery: not found
/system/bin/sh: can't create /cache/recovery/command": Permission denied
/system/bin/sh: can't create /cache/recovery/command": Permission denied
Rebooting into Recovery
Recovery, nothing happens.
I have root.....

Michajin said:
i had permission errors on my ubuntu 16.04. IT rebooted into recovery but nothing happened.
Testing root access...
uid=0(root) gid=0(root) context=u:r:init:s0
PL version: 5 (5)
LK version: 2 (2)
TZ version: 263 (263)
Your device will be reset to factory defaults...
Press Enter to Continue...
Dumping GPT
tmp-mksh: dd if=/dev/block/mmcblk0 bs=512 count=34 of=/data/local/tmp/gpt.bin: not found
tmp-mksh: chmod 644 /data/local/tmp/gpt.bin: not found
199 KB/s (17408 bytes in 0.085s)
Flashing temp GPT
246 KB/s (17408 bytes in 0.068s)
tmp-mksh: dd if=/data/local/tmp/gpt.bin.step1.gpt of=/dev/block/mmcblk0 bs=512 count=34: not found
Preparing for Factory Reset
tmp-mksh: mkdir -p /cache/recovery: not found
/system/bin/sh: can't create /cache/recovery/command": Permission denied
/system/bin/sh: can't create /cache/recovery/command": Permission denied
Rebooting into Recovery
Recovery, nothing happens.
I have root.....
Click to expand...
Click to collapse
What are you using for root?
it seems like your "su" doesn't like the commands my script sends, what su are you using?
You could try disabling root/ungrant root access and use mtk-su.

k4y0z said:
What are you using for root?
it seems like your "su" doesn't like the commands my script sends, what su are you using?
You could try disabling root/ungrant root access and use mtk-su.
Click to expand...
Click to collapse
SuperSU Pro v 2.82

Michajin said:
SuperSU Pro v 2.82
Click to expand...
Click to collapse
Interesting, it seems it interprets all the arguments as one command.
I'll see if I can find a workaround to work with SuperSU, but it will take me a moment.
What should work however is if you disable root-access in SuperSU-app.
And place mtk-su into bin-folder.
Then just let it do it's thing using mtk-su.

k4y0z said:
Interesting, it seems it interprets all the arguments as one command.
I'll see if I can find a workaround to work with SuperSU, but it will take me a moment.
What should work however is if you disable root-access in SuperSU-app.
And place mtk-su into bin-folder.
Then just let it do it's thing using mtk-su.
Click to expand...
Click to collapse
It is showing
new UID/GID: 0/0 (over and over)
then UID/GID: 2000/2000 ( occasionally)
Then did not find own task_struct (237)
This normal? It has been about 10 minutes

Michajin said:
It is showing
new UID/GID: 0/0 (over and over)
then UID/GID: 2000/2000 ( occasionally)
Then did not find own task_struct (237)
This normal? It has been about 10 minutes
Click to expand...
Click to collapse
Then abort it and try again.
Make sure the screen is unlocked.
Is there no other output?
Did you use arm or arm64 mtk-su?
Also I just tested with SuperSU 2.82 su-binary, and it worked as expected.
I'm not sure why you are getting this issue.

k4y0z said:
Then abort it and try again.
Make sure the screen is unlocked.
Is there no other output?
Did you use arm or arm64 mtk-su?
Also I just tested with SuperSU 2.82 su-binary, and it worked as expected.
I'm not sure why you are getting this issue.
Click to expand...
Click to collapse
I factory reset, no luck, I tried it on my Raspberry pi3 and it worked. Something with my ubuntu i guess? What version of magisk? i flashed 18.1 and it seems to be looping (or taking a really really long time). Rebooting into recovery is easy though (right volume and power).

Michajin said:
I factory reset, no luck, I tried it on my Raspberry pi3 and it worked. Something with my ubuntu i guess? What version of magisk? i flashed 18.1 and it seems to be looping (or taking a really really long time). Rebooting into recovery is easy though (right volume and power).
Click to expand...
Click to collapse
Great you got it to work. Not sure why it didn't in Ubuntu.
Did you end up using mtk-su or SuperSu?
Magisk 18.1 is working fine for me, what FireOS-Version are you on?

k4y0z said:
Read this whole guide before starting.
This is for the 7th gen Fire HD10 (suez).
I have only tested it on the 32GB-model, but it should also work on the 64GB-model ....
Click to expand...
Click to collapse
Outstanding 'win' presented with clarity and humility. Not to mention timely given the short time you've had the target hardware. A fantastic ROI for those who underwrote the device and for uncounted others who will benefit from your work (along with those of several others noted in your full post) for years to come.
:good:

Incremental OTA Payload Extractor - Linux Only currently - Op8T 11.0.9.9.KB05AA Posted

FIRST OFF - THIS IS HIGHLY TECHINICAL AND NOT FOR NON-TECH INCLINED PEOPLE. YOU CAN REALLY MESS UP YOUR PHONE IF YOU DO IT WRONG. SO PAY ATTENTION OR FIND SOMEONE SMARTER THAN YOU WITH THIS ANDROID / LINUX STUFF. YOU DO THIS ON YOUR OWN - NO WARRANTIES EXPRESSED OR IMPLIED. IT'S FOR PEOPLE THAT DON'T WANT TO WAIT FOR THEIR VENDOR TO POST A FULL ROM AND UPDATE RIGHT WHEN AN OTA COMES.
So I wanted to update my rooted Op8T OOS version, and you CAN'T (haha) do it if you're rooted. That's kind of a misconception. I knew there had to be a way... so I found a dead repo out there that used to work on Incremental OTAs. And I read the issues - did not actually work. Why? Because you need to extract the prior firmware (full ROM) first with a Payload extraction tool (most are in Python, and most are Linux-only). Well, they got stuck because the original ROM has one signature (encryption), and the OTA update has another signature, so the program would break when they didn't match. So what did I do??? Well I have to give credit to the dev I forked this from, because he mentioned - of course the signatures don't match, they are different releases! So I did something kind of... well... let's put it this way, you aren't verifying any signatures anymore. So if you screw up and put the wrong ROM base (prior full ROM) and Payload extract the payload.bin, then apply the Incremental OTA, well, you're in for trouble. BE POSITIVE YOU ARE USING THE VERSION OF THE ROM THE OTA IS INTENTED TO INCREMENTALLY UPDATE!!!!
In this case, it was quite clear. I was trying to update an A11 Op8T from OnePlus. It was on 11.0.8.3 ROM and an OTA was posted that was for 11.0.9.9. SO I used a Windows tool to extract the first set of files (the full ROM is huge BTW). The incremental update came as a 150mb file zipped up, but it modified the BIG files. Once it finished, I found that system and system_ext are not flashable (grew in size, can't resize super on active slot, not updated), the rest are. And you MUST flash from fastbootd - this is kind of a mysterious new place with modern AB devices. It can be a pain to actually get there. The standard steps if you're on stock recovery are to enable developer options, USB debugging, install the Latest ADB and Fastboot https://github.com/fawazahmed0/Latest-adb-fastboot-installer-for-windows/releases/tag/v1.7 (this script will update it for you). Ignore the God references it's a batch file you can just modify it, and I don't judge. It will pull the latest versions (Minimal ADB and Fastboot are super outdated). Next steps...
Now, getting an incremental update off a rooted phone is not easy. 1) you have to flash a stock boot.img and recovery.img. 2) you have to basically uninstall Magisk, or at least the images 3) then you MAY be able to download with Oxygen Updater or the system app. It won't install though because root is fully exposed. Once it's downloaded, it appears in some very strange location with a random character string.zip I believe. So now you have to reinstall Magisk (to get adb shell SU access). So after I confirmed it downloaded (but wouldn't flash), I had to hook my phone up to the USB cable, go to the PC and Latest ADB and Fastboot folder, adb shell, su, then cd /; find . -name *.zip > /dev/null 2>&1; to cut out some of the garbage output and scroll until I found a logical zip stored somewhere (a folder than sounded like a OnePlus update folder). Then I did a: cp [random characters.zip] /sdcard/Download/OTA_Update.zip, which I could then transfer from my phone to PC with a USB cable. Developer options / default mode USB File Transfer FYI.
Okay that was one of the hard parts. Now next to more hard parts. You need a Linux environment (I used WSL2 Debian Buster). The easiest setup (after spending hours attempting to get the correct packages loaded) was to install the personal version of Anaconda Python x64 for AMD64 processors for Linux. Then I could use conda install [package name] for missing dependencies as the program would throw errors. Yes you have to read the errors or you won't be able to figure out what is actually not installed. Anyhow, the modded forked repo of python files is here: git clone the repo: git clone https://github.com/mrslezak/update_payload_extractor.git - now if git isn't setup on your Linux box, well, you're in for some trouble.
So once it's installed, you need to actually use python3 commands for each step - so anywhere you see "python" put "python3" instead as most machines have both 2.7 and 3.X installed. I used Python 3.8 something, so ignore the 3.6 it's not required. So here I took a payload.bin extracted with a Windows.exe file (available somewhere on XDA, there are severel, one is Go based) and copied them once extracted from the original ROM to the WSL instance on my Win10 PC. Now there come issues here. They need to go into an "old" directory you must create (in update_payload_extractor directory), and copying from Windows will make them root access only, so a: sudo chown user:user old/ is required to get it writable. I believe the program will make the rest of the files on its own. They will end up in "output." You just need to extract the payload.bin and payload.properties files from the incremental update you extracted and place them in the update_payload_extractor directory.
Now there is some strange stuff going on, this was always beta, and never working. So I took the note of the issues and blocked a Google certificate validation routine (just commented it out) so it doesn't verify anything. I say it again BE EXTREMELY CAREFUL THAT YOUR PRIOR FULL ROM AND OTA UPDATE ARE MEANT TO BE USED TOGETHER. Anyhow, run what it says if your system is setup:
Incremental OTA​
Copy original images (from full OTA or dumped from devices) to old folder (with part name without file extension, ex: boot, system) - I put an .sh script here if your files are .img called remove_img_extension_old.sh - note that GitHub sometimes loses the execute permission so you may have to type: sudo chmod +x remove_img_extension_old.sh. It is meant to be run from the root of the project. ./remove_img_extension_old.sh
LD_LIBRARY_PATH=./lib64/ ./extract.py --output_dir output/ --old_dir old/ payload.bin
The above line will start the extract and combine process the OTA usually does on your phone, and output the files to the output directory. Once those are generated, then you can run another helper script I wrote to add back .img to each file called add_img_extension_output.sh again meant to be run from the root folder. Now you need to copy these output files (no guarantee all are updated, it will have all of them - on Op8T system and system_ext couldn't be flashed because they grew in size, and I don't know how to expand the super partition space to enable them to flash, so they aren't in the linked file - it still updates). The files on Op8T ending in lp5 are RAM files for the newest devices that are running LPDDR5 memory, the flash.bat script will need to be modified if you have one of these (2 flashes). The way I made the file will work in 98% of devices.
Okay I run the rest from Windows, so now it gets a little tricky. You need to get into Fastbootd, which means flash boot.img (you just extracted it), flash recovery image (same), using fastboot flash boot boot.img, fastboot flash recovery recovery.img. Now getting to fastbootd can be quite perplexing. You may just have your phone on, type adb reboot bootloader, then type fastboot reboot fastboot, and be in fastbootd (it will look like stock recovery but say fastbootd on top). The other way is to boot to recovery (developer options extended boot menu makes this much easier), then select Fastboot. Sometimes you get Fastboot and sometimes Fastbootd. It seems quite random. DON'T START THE FLASH_ALL.BAT UNTIL YOU KNOW YOU ARE IN FASTBOOTD!!!!
The fastboot command to tell you if you are in fastbootd (it will report yes if so: fastboot getvar is-userspace
Otherwise, those files will NOT be allowed to flash to your device, and you will end up with some random combination of prior and updated files. That could end badly. Once you DO get to Fastbootd, run the flash_all.bat, and DON'T SWITCH SLOTS. Yes, this is an OTA, but you already patched the files. Upon successful flashing, you can reboot to fastboot and flash a patched kernel with Magisk already enabled such as my forked Radioactive here: https://github.com/mrslezak/Radioactive_kernel_oneplus8/releases/tag/v2.2.5-MOD - the .img file is a Magisk patched custom kernel, you can also flash the twrp alpha (that seems to work in my experience, it's just slow, on OOS works fine despite warnings it doesn't). https://forum.xda-developers.com/t/recovery-11-alpha-teamwin-recovery-project-8t-kebab.4302449/ fastboot commands for the kernel: fastboot flash boot image_name.img; recovery fastboot flash recovery twrp_name.img.
I successfully updated while rooted from the prior ROM version. I'm sure it will work on many phones. Best of luck to you!!! I did find out how to install "the full ROM" unreleased on a rooted phone, there is some undocument fastboot stuff I had to figure out (temp system-cow and system_ext-cow files that use up all the space in the super partition) so I added them to my batch file. Now install for whatever device you have, and watch out for those weird temp files that aren't documented anywhere that I could find. Took literally hours to get it working, but it does now!!!

BTW if anyone knows how to resize the super partition, that would complete this project. I.e. you could flash the patched system and system_ext on an Op8T.
Your phone may have no issue or no super partition, then you don't care, it's not needed. I can't recall when dynamic (resizable) partitions came out but I think in Android 10 some devices started to use them. They are developer hell in my opinion.
Some TWRP versions allow you to just resize the partition on the fly, while on my phone, it's not an added feature yet. I'm also not sure if the resize does an auto-wipe either then you could also find yourself in trouble if you couldn't immediately get to Fastbootd. Some ROMs will boot to "Device is corrupt" if things like this change, just a warning, which I tried by switching A/B slots, but I had luckily installed TWRP on the other partition and was able to switch slots there and go back to booting.
UPDATE: I was able to eventually locate why the Super partition was getting full - there are temp files created as dynamic partitions when trying to install an OTA - I had to delete any logical partitions with the extension "-cow" which existed for system and system_ext (on the Op8T I was using), I was on slot A, so they were called system_a-cow and system_ext-cow, I deleted them like this:
fastboot delete-logical-partition system_a-cow
fastboot delete-logical-partition system_ext_a-cow
To see if you have any temp files present, you type:
fastboot getvar-all
And scroll through them and see if any of these mystery -cow files are present.
(bootloader) is-logical:system_a-cow:yes
(bootloader) is-logical:system_ext_a-cow:yes
Whew! That was a pain. But no more waiting for incremental updates to become full ROMs anymore on a rooted phone!
Oh, and I put the update for OOS here: https://forum.xda-developers.com/t/...install-from-fastbootd.4316147/#post-85441161

Can I unpack Huawei firmware UPDATE.app, repack and flash it?

Hi this might be the strangest request or question you will ever see but, can I unpack Huawei firmware UPDATE.app, repack it and flash it successfully (I know unpacking then repacking and flashing could cuse problems)? I want to unpack it becuase I want to change permission of system partitons, by doing that I will be able to root my Honor 6x from PC via USB becuase of cours system files are read-only, means system files can't be modfied / Android be rooted.
Why I need to do that? because there is a adb command requires root that will let me able to access and show bootloader unlock code.
Here is the command:
su -c "grep -m1 -aoE 'WVLOCK.{14}[0-9]{16}' /dev/block/mmcblk0p7 |grep -aoE '[0-9]{16}'"

muhammadbahaa2001 said:
Hi this might be the strangest request or question you will ever see but, can I unpack Huawei firmware UPDATE.app, repack it and flash it successfully (I know unpacking then repacking and flashing could cuse problems)? I want to unpack it becuase I want to change permission of system partitons, by doing that I will be able to root my Honor 6x from PC via USB becuase of cours system files are read-only, means system files can't be modfied / Android be rooted.
Why I need to do that? because there is a adb command requires root that will let me able to access and shows bootloader unlock code.
Here is the command:
su -c "grep -m1 -aoE 'WVLOCK.{14}[0-9]{16}' /dev/block/mmcblk0p7 |grep -aoE '[0-9]{16}'"
Click to expand...
Click to collapse
Modifying the app won't allow you to root your device, that isnt how it works. Anything you try to flash using the update app won't work unless the bootloader is unlocked before it is applied.

Droidriven said:
Modifying the app won't allow you to root your device, that isnt how it works. Anything you try to flash using the update app won't work unless the bootloader is unlocked before it is applied.
Click to expand...
Click to collapse
Can I at least unpack recovery.img and patch recovery_ramdisk.img using magisk and repack it again in recovery.img/UPDATE.APP then flash it?

muhammadbahaa2001 said:
Can I at least unpack recovery.img and patch recovery_ramdisk.img using magisk and repack it again in recovery.img/UPDATE.APP then flash it?
Click to expand...
Click to collapse
You can't flash it with locked BL...
Try getting it unlocked tho - There are guys that do unlocks for 20/30$ just search for it

Can
Rstment ^m^ said:
You can't flash it with locked BL...
Try getting it unlocked tho - There are guys that do unlocks for 20/30$ just search for it
Click to expand...
Click to collapse
Can't restore it from SD card through download mode until BL is unlocked?

muhammadbahaa2001 said:
Can
Can't restore it from SD card through download mode until BL is unlocked?
Click to expand...
Click to collapse
Nope it's modified hence the signature is changed... Probably there is no verified boot since it's older device but either way you'd have to pass signature check when flashing with built in updater...
Idk much about how in built updater works tbh , but if it's older android maybe there are some exploits you could use to gain root access that don't involve flashing

muhammadbahaa2001 said:
Can I at least unpack recovery.img and patch recovery_ramdisk.img using magisk and repack it again in recovery.img/UPDATE.APP then flash it?
Click to expand...
Click to collapse
You cannot flash modified or customized software, you can only flash unmodified stock software, a locked bootloader will not allow flashing or booting anything except the software created by the manufacturer for the device.
You keep asking the same question in different ways. It doesn't matter how you change your question, the answer is still no. You will not be able to flash anything that is modified until you unlock the bootloader.
There are some PC programs and android apps that can root some devices without having to unlock the bootloader or flash modified files.
Do a Google search for:
"Universal android rooting programs for PC"
And
"Universal rooting apps for android"
If your device has android 7 or newer, these programs and apps probably won't work on your device.

How can I extract the stock firmware from my Phone without TWRP or root?

I have a new Moto G Stylus 5G 2022 (XT2215-4) that I would like to compile lineage for. However TWRP does not currently support my device and therefore I cannot find any recovery images for my phone. Since I can't use TWRP yet I also can't root my phone yet.
I am willing to attempt to compile TWRP for phone from source but I will need .img's from the stock firmware to do that.
How can I extract the stock firmware off of my phone so that I can create the recovery files for my device?

Without root you can't.

xXx yYy said:
Without root you can't.
Click to expand...
Click to collapse
So if you can't root without recovery, and you can't get recovery without having root, how does anyone ever do anything with their phone?
Quite the catch 22.
I have only found a handful of sites that claim to have the stock firmware available for download. however all of them are essentially skins of each other and in different languages. Not legit at all.
Does Motorola release their own stock firmware?

1. Android Recovery is a minimalistic Android OS what allows you to perform some basic operations, has nothing to do with Root what is an Android OS function.
2. Root since Android version 6 is part of every full fledged Android OS - keyword: Toybox.
If OEM has eliminated su binary from Toybox then you have to add su binary to Android OS at your own.

xXx yYy said:
1. Android Recovery is a minimalistic Android OS what allows you to perform some basic operations, has nothing to do with Root what is an Android OS function.
2. Root since Android version 6 is part of every full fledged Android OS - keyword: Toybox.
If OEM has eliminated su binary from Toybox then you have to add su binary to Android OS at your own.
Click to expand...
Click to collapse
I get #1 and semi understand what you are saying in #2.
Alternatively, I have been able to acquire the stock firmware for my phone from Motorola using their own rescue and assistance tool.
Now I am working on extracting the system image from the super sparse chunk files provided in the firmware.

Tokth said:
I get #1 and semi understand what you are saying in #2.
Alternatively, I have been able to acquire the stock firmware for my phone from Motorola using their own rescue and assistance tool.
Now I am working on extracting the system image from the super sparse chunk files provided in the firmware.
Click to expand...
Click to collapse
Erm actually your firmware should be on the Lenovo Recovery Tool. This is how we got the boot.img for the Moto G Stylus 5G (2021). When you select it to recover your device it downloads the devices firmware. All you have to do is extract the boot.img from the applications download folder and then patch it with magisk and flash it if you have an unlocked bootloader already. Then you can extract whatever vendor blobs you need to create a working TWRP for your device.
Would you let me know if this works?

Tokth said:
So if you can't root without recovery, and you can't get recovery without having root, how does anyone ever do anything with their phone?
Quite the catch 22.
I have only found a handful of sites that claim to have the stock firmware available for download. however all of them are essentially skins of each other and in different languages. Not legit at all.
Does Motorola release their own stock firmware?
Click to expand...
Click to collapse
Without root or TWRP, they don't/can't do anything that requires accessing/modifying anything other than user data. Extracting the "ROM" requires root or TWRP because it resides in the system partition which can't be accessed by the user without root or TWRP.
No, it isn't a "catch 22", it is the way android is designed bacause the manufacturers/carriers never intended for the user to have access to system in the first place.

Droidriven said:
Without root or TWRP, they don't/can't do anything that requires accessing/modifying anything other user data. Extracting the "ROM" requires root or TWRP because it resides in the system partition which can't be accessed by the user without root or TWRP.
No, it isn't a "catch 22", it is the way android is designed bacause the manufacturers/carriers never intended for the user to have access to system in the first place.
Click to expand...
Click to collapse
You are correct.

tnuoccaadx2 said:
If I am rooted, how do I extract the firmware without twrp?
Click to expand...
Click to collapse
With adbshell(not adb) or a terminal emulator using dd commands, you just need to make sure you correct command and location of each partition that you want to pull a copy of.
Do a Google search for:
"How to extract copy of stock recovery via adbshell"
Or
"How to extract copy of stock recovery via Terminal Emulator"

tnuoccaadx2 said:
As for the stock firmware is there a guide for the dd cmds so i may see an example and a guide on how to find partition location?
Click to expand...
Click to collapse
That was the point of doing the searches I suggested. It should get you going in the right direction learning how to use dd command and how to identify your partitions.
Also, you could just download your stock firmware and extract what you need from the firmware file.

You don't always have to make use of
Code:
adb shell "<SHELL-COMMAND-HERE>"
Running
Code:
adb exec-out "<SHELL-COMMAND-HERE>"
does the job as well. The best solution is to use adb exec-out command !
Example:
Code:
adb exec-out "dd if=/dev/block/by-name/whatever of=/sdcard/whatever"
FYI:
exec-in and exec-out are present since Android 5.
exec-in and exec-out can write/read to/from only files, not STDOUT/STDIN.
Important:
If it does not work - it means that your phone does not support the command properly.