Compass fix in 2.2.2 boot.img - Samsung Galaxy 5 I5500

EDIT1: Had to reflash my phone and tried this boot file again. It didn't work right.
Then I flashed motofoca boot 6 again and it was OK. So ONLY boot from motofoca works
OK with compass: http://www.multiupload.com/VXXROHWR2R
Finally I found a way to fix the compass problem with newer ROMs.
I found a new GT-I5500L ROM (Argentina, Aug 2011) here and used its boot.img with the 2.2 XWJPL ROM I use now.
boot.img is the kernel plus the root filesystem (devices etc.); the kernel is 2.6.32.9-perf.
I5500LUYJPL_I5500LAROJP9_I5500LUYJPL_HOME.tar.md5
modified: 2011-08-10
firmware for: ARO
PDA: I5500L UYJPL
CSC: I5500L AROJP9
PHONE: I5500L UYJPL
Code:
21-07-2011 07:10 18.919.424 amss
21-07-2011 06:31 6.205.440 boot.img
21-07-2011 07:10 6.197.248 csc.rfs
21-07-2011 06:31 6.467.584 recovery.img
21-07-2011 06:34 142.884.864 system.rfs
Other firmware:
UFN - I5500LUYJPL_I5500LUFNJP4_I5500LUYJPL (2011-08-25)
PSN - I5500LUYJPL_I5500LPSNJP4_I5500LUYJPL (2011-08-17)
What to do:
Download the rom
http://dl.dropbox.com/u/6350098/froyo 2.2.2/I5500LUYJPL_I5500LAROJP9_I5500LUYJPL_HOME.tar.md5
Unpack the boot.img file from the tar archive
Start ODIN, select the proper OPS and "One Package"
Select the boot.img and flash
Cheers

Hey, you are from Argentina, right?
Join #gti5500 on freenode, I want to talk with you, I'm from Argentina too.

Just found out on the board that the compass can be fixed with /system/bin/memsicd
Now we only must know what to patch.
One example: http://forum.xda-developers.com/showpost.php?p=16965730&postcount=498
Cheers

It looks like it is already fixed in latest ROM JQ3 as I've noted here http://forum.xda-developers.com/showpost.php?p=18312822&postcount=2502
No need to fix it ourselves anymore.

Thx. It looks like it kinda works now in XWJQ3.
Cheers

Froyo 2.2.2 JPO
Hello
Using Chekfusdownloader I found a JPO ROM
Product Code: GT-I5500YKPARO
Latest firmware: I5500LUYJPO/I5500LAROJPA/I5500LUYJPO/I5500LUYJPO
Modified: 22/09/2011 09:30:53 a.m.
Filename: GT-I5500L_ARO_1_20110922093049.zip.enc2
This is an excellent ROM with the compass fixed!!!!


Bootloader Cracking : Devs only

NEW - March 2011
A method of booting custom kernels (using kexec) has been developed. Thanks Bin4ry, zdzihu, MrHassell, blagus, and all other devs who are working hard to make this stable.
The bootloader protection has been bypassed!
zdzihu said:
Bootloader is broken/bypassed!
Big bad huge font to avoid confusion =)
@Goroh_kun:
Buddy, I know you're still reading this forums so... I just want you to know that you are absolutely BRILLIANT. You're a STAR.
BIG thanks for all your contributions into this project! Nothing, and I mean NOTHING would happen without you.
@devs:
@SE: lads, it's your turn now - please unlock it already. I promise we won't brick our phones
@all: DON'T ask for details. I will post here when I'm ready to do so. Today (I guess?) is the Arc release date and stuff, I don't want to mess around...
Still busy working abroad,
Cheers,
z
Link to 2.1 alpha kernel (2.6.29)
http://forum.xda-developers.com/showpost.php?p=12578251&postcount=848
OLD
Important info!
http://forum.xda-developers.com/showpost.php?p=12298790&postcount=811
Link to FlashTool
http://forum.xda-developers.com/showthread.php?t=920746
Here are some posts:
MrHassell said:
Yes and yes - while rebooting and as zdzihu previously reported kexec is viable.
http://forum.xda-developers.com/showpost.php?p=8714275&postcount=407
zdzihu
override partition table using kernel command line. Tried (via kexec) and it worked.
Code:
mtdparts=msm_nand:[email protected](appslog),[email protected](cache),[email protected](system),[email protected](userdata),[email protected](loader)
Bin4ry - tawrite - http://forum.xda-developers.com/showpost.php?p=8931422&postcount=442
cat /proc/mtd
mtd0 cache
mtd1 appslog
mtd2 userdata
mtd3 system
My final post on the subject. Have better things to do now the media have landed, au revoir.
Bin4ry's kexec kit posts
http://forum.xda-developers.com/showpost.php?p=12240639&postcount=708 - V1
http://forum.xda-developers.com/showpost.php?p=12245719&postcount=711 - V2
http://forum.xda-developers.com/showpost.php?p=12260334&postcount=724 - V3
MrHassell's V3 test log
http://forum.xda-developers.com/showpost.php?p=12261764&postcount=729
21st March 2011, onwards
Bin4ry said:
Can you try to run it from the chargemon script instead of xRec?
So that we can run it at the very beginning of the boot process. Maybe this is a solution!
This should work in the chargemon script:
exec /data/local/tmp/run.sh
WARNING!
JUST TRY THIS IF YOU KNOW WHAT YOU ARE DOING !
Regards
Androxyde said:
chargemon the safer way :
Just before recovery if then else :
if [ -e /data/local/tmp/kexec ]
then
rm -r /data/local/tmp/kexec
exec /data/local/tmp/run.sh
fi
So from the OS, touch /data/local/tmp/kexec, then reboot: it will boot the kexec script and remove the kexec file so that the next boot or reboot will go fine.
Bin4ry said:
So, 2 users with bb58 have booted fine, then WLOD.
Seems the initial idea is working.
Now fix the problems and all is good?
Regards
DooMLoRD's test
http://forum.xda-developers.com/showpost.php?p=12266289&postcount=750
Bin4ry's edited chargemon file
http://forum.xda-developers.com/showpost.php?p=12266422&postcount=753
Comment from DooMLoRD - actually about the above file.
DooMLoRD said:
just an additional comment...
the following chargemon will work only for recovery flashed through Flashtool v0.2.8 for stock roms only
also please do not try that chargemon on CM7RC2 roms (u wont be able to get into the OS cause recovery on CM7RC2 is shifted to /system/recovery/)
also the line chroot / /init will work for 2.3 roms but is not compatible with 2.2 roms... for 2.2 roms u need /system/bin/chroot / /init
x10b's test
x10b said:
boot.img installed >> boots normal got my radio, wifi , everything works fine...
FW : 2.1.1.A.0.16
BB : 2.1.58
test ok......
x10b's test video
http://forum.xda-developers.com/showpost.php?p=12287032&postcount=798
DooMLoRD's edited (universal) chargemon file
http://forum.xda-developers.com/showpost.php?p=12267053&postcount=762
Important for 'non-devs' - also look at DooMLoRD's post ahead
wolfilein said:
@all
you shouldn't flash the file with xrecovery!
you should extract it to
/data/local/tmp/
on your phone
and replace the /system/bin/chargemon with the one bin4ry has posted some posts ago
after that make it executable
with
chmod 755 /system/bin/chargemon
then create the file /data/local/tmp/kexec
with
touch /data/local/tmp/kexec
and then reboot; your phone should load the new kernel
DooMLoRD's post in reply to above:
http://forum.xda-developers.com/showpost.php?p=12267467&postcount=766
jerpelea said:
cm7 boots with custom kernel
More testing:
DooMLoRD said:
test with Stock SE ROM FW: 2.1.A.0.435 | BB: 2.1.54
booted into OS but no radio, strange question mark symbol on top of the battery symbol (in notification bar)... phone rebooted in a few seconds, couldn't get into "About Phone"... though no LED notifications of any sort... even made a video of the boot up process [it looks good on the handset] will post it here in a while
EDIT:
on second attempt tried to get to "About Phone" asap... under "Kernel Version" it was "unknown"... and then the system immediately rebooted...
keep up the great work Bin4ry and all other devs...
DooMLoRD's bootup video
http://forum.xda-developers.com/showpost.php?p=12269301&postcount=775
Androxyde said:
I am on stock firmware A.0.16
I modded my chargemon to implement booting custom kernels from it and a gscript script shortcut on the desktop to reboot.
I tried these :
Reboot custom kernel with stock BB .58 : booted / no radio / reboot in less than 1 minute
Reboot custom kernel with BB 55 : same as with .58
Reboot custom kernel with BB 52 : booted / no radio / no reboot
Reboot stock rom with BB 52 : no radio
So with my last try I cannot conclude anything about the "no radio"
Will keep you informed with my further tests
More tests from DooMLoRD
http://forum.xda-developers.com/showpost.php?p=12272634&postcount=784
http://forum.xda-developers.com/showpost.php?p=12282471&postcount=789
http://forum.xda-developers.com/showpost.php?p=12303304&postcount=812
Bin4ry's kernel patches, config and build script from zdzihu:
http://forum.xda-developers.com/showpost.php?p=12272201&postcount=781
Bin4ry's kernel based on SE .435 kernel sources
http://forum.xda-developers.com/showpost.php?p=12275044&postcount=786
Aeny's tests
Aeny said:
x10i | J's CM7 RC2 V10a | BaseBand 2.0.46 | boot.img: 22.03.11-00_25
-Same behavior as BB 2.0.52
-(Stock kernel + this BaseBand = WLOD reboot loop.)
x10i | J's CM7 RC2 V10a | BaseBand 2.0.49 | boot.img: 22.03.11-00_25
-Same behavior as BaseBand 2.0.52
x10i | J's CM7 RC2 V10a | BaseBand 2.0.52 | boot.img: 22.03.11-00_25
-Screen not waking up by pressing any buttons, to wake up press any button, then press the screen. If "Screen-on" and/or "Screen-off" animations are enabled in CM-Settings then screen cannot be woken up at all.
-Battery shows a percentage, but does not indicate charging, however the battery level is going up.
-Time seems to update once every few (10~11) minutes instead of every minute & always starts counting from 1/1/1970 -1h:00m at boot.
-WiFi shows "error" under settings but does magically work, just can't be turned off.
-Bluetooth doesn't want to turn on.
-Baseband: "Unknown".
-Kernel Version: 2.6.29Bin4ry "[email protected] #1".
-no reboots (running 15minutes).
-screen doesn't auto-turn off but dims instead.
-Battery status shows as "unknown" under settings -> about phone -> status.
-No USB.
-LED doesn't light up while charging.
x10i | J's CM7 RC2 V10a | BaseBand 2.1.54 | boot.img: 22.03.11-00_25
-Freezes after 2~5seconds(can't see if WLOD because LED doesn't work).
-(Stock kernel + this BaseBand = WLOD reboot loop.)
x10a | J's CM7 RC2 V10a | BB 2.1.54 | boot.img: 22.03.11-00_25
-Freezes after 2~5seconds->reboot(can't see if WLOD because LED doesn't work).
-(Stock kernel + this BaseBand = WLOD reboot loop.)
Aeny said:
x10i | Build: 2.1.A.435 | BaseBand: 2.1.54 | boot.img: 22.03.11-00_25
-Booted into OS: YES
-Radio: NO
-Reboot in few seconds: YES
-Questionmark on battery: YES
-BaseBand: Unknown
-kernel: 2.6.29Bin4ry [email protected] #1
x10i | Build: 2.1.A.435 | BaseBand: 2.1.58 | boot.img: 22.03.11-00_25
-Booted into OS: YES
-Radio: NO
-Reboot in few seconds: YES
-Questionmark on battery: YES
-BaseBand: Unknown
-kernel: 2.6.29Bin4ry [email protected] #1
x10i | Build: 2.1.A.435 | BaseBand: 2.1.54(a) | boot.img: 22.03.11-00_25
-Booted into OS: YES
-Radio: NO
-Reboot in few seconds: YES
-Questionmark on battery: YES
-BaseBand: Unknown
-kernel: 2.6.29Bin4ry [email protected] #1
x10i | Build: 2.1.A.435 | BaseBand: 2.1.55(a) | boot.img: 22.03.11-00_25
-Booted into OS: YES
-Radio: NO
-Reboot in few seconds: YES
-Questionmark on battery: YES
-BaseBand: Unknown
-kernel: 2.6.29Bin4ry [email protected] #1
Back to CM7 for me, SE's rom felt like playing a game @ 2FPS.
~Aeny
Ahmed radi's tests
Ahmed radi said:
boot.img: 22.03.11-00_25 / FW: SE 2.1 / BB 2.1.54
it works great!
boots normally, then radio works and WiFi also works!
boot.img: 22.03.11-00_25 / FW: SE 2.1 / BB 2.0.52
freeze on SE logo for about 5~9 sec | no radio (insert SIM) | WiFi works
@ Bin4ry
good luck bro
Ahmed radi said:
@ DooMLoRD
good, now we have confirmed that Bin4ry's kernel works with .54
I tried 52 also but there is no radio!
I reflashed the phone with 54 BB but also get no signal!
any idea about this?
@bin4ry
could we convert the .img to .sin ?
Bin4ry said:
No, sin is the signature header. For that we need the signing key and we don't have it!
Regards
Ahmed radi said:
good luck Bin4ry!
test report:
X10 2.1 .435
BB54
runs great, with XDA then reboots into the SE ROM with radio, and I tested WiFi and it works also!
edit:
BB58 also, just like above!
>after we have successfully loaded Bin4ry's kernel, could we have multitouch (not just dual)? thanks
More info from Bin4ry
http://forum.xda-developers.com/showpost.php?p=12285626&postcount=795
shyvue's test
shvyue said:
I'm new to this but what I did is, copy all files from bootkit to /data/local/tmp
adb shell
$ su
# chmod 06755 run.sh
# ./run.sh
Phone shows fast-usb reboot, then a cute dog at top-left, then xda-developer with brown background.
SE stock image:
2.1.A.435
x10i-2.1.58 white led after xda-developer image then reboot with SE logo, etc
x10i-2.1.54 white led after xda-developer image then reboot with SE logo, etc
mpasanthosh's test
http://forum.xda-developers.com/showpost.php?p=12311351&postcount=816
Starting from 14th January 2011
blagus said:
Hi to all developers!
I haven't read the whole thread, but I'm sure the bootloader hasn't been cracked yet.
I spoke to a source who knows really a lot about SE phones. He has been investigating the X10 a lot and I got some info from him. He might be able to give me some further info, but only if you are willing to read and try to accept my post and not just tell me "Xperia is a different SE phone".
Believe me, he knows a lot about how the X10 boots/works, and what's happening inside it (software part). He's been investigating phones since DB2020, and knows something about phones even before that.
As a first thing, when I told him about "bootloader" he wasn't 100% sure what that is.
The most correct structure of the X10 boot process and all "parts" involved is:
first, the "real" ROM, which is actually one-time programmable and can't ever be reprogrammed, is started.
In EROM, there's a signature which is checked by ROM at the beginning of boot - if the signature is OK, ROM proceeds with running EROM and leaves it to continue the boot process.
That is: checking signatures of everything that it runs directly, and then launching it if signatures are OK.
He also said that ROM is a very incorrect name for the phone's firmware - because ROM is actually the thing that I mentioned above. Of course, you don't have to rename all ROMs to FW now, however it would be good if at least here in the development thread correct names are used, because that would help you, me in understanding what you're talking about - because I have knowledge from the A1/A2 series and now he proved that I was right about what I was saying - and him in understanding and possibly giving some further small tips.
He said that the thing that launches the actual firmware - Android - is S1Boot, and it actually is in some structural way connected with A1's EROM and A2's SEMCBOOT.
(That is the thing I've been trying to say some time ago, however no one was listening to me, nor wanted to check it - everyone was just saying "No, this phone is different from other SE phones".)
That then means that getting the developer (more understandably, "brown") loader.sin - which actually contains S1Boot, or as you probably call it, bootloader - won't help you, because in that S1Boot there are flags that define if a brown image will be accepted or not.
Also, in ROM there is a root certificate (Qualcomm), "first in the chain" he said, not Red - retail, or Brown - developer one. S1Boot is also signed with that root certificate, and even the existing S1Boot in our Xperias contains both Red and Brown certificates (unlike on A1/A2, where there is either red, which accepts just red flashes, or brown, which accepts them all), and the only thing that differs is the flags which tell EROM/S1Boot whether it should accept a brown flash or not.
Note: Do not mix up the root certificate that S1Boot is signed with, and the Red/Brown ones located inside it!
You can easily check this by opening the existing, "usual" loader.sin available for download here in Notepad and you'll first find a few certificates - S1_loader_root, S1_EROM_root, etc. - and after that S1_loader_test, S1_EROM_test, etc. - same names, but instead of root it says test - this proves that there are both red and brown certificates.
He also said that
"brown sin-s can be self-produced... usually the brown RSA keys are available".
That means that if we put a brown RSA key before the header of a pre-patched loader.img, we would get a brown-signed loader.sin, and we would just have to find a way to change the flag to make the phone accept that brown image.
About pre-patching: yes, S1Boot has to be patched in order to accept unsigned flashes - whether it's just changing those flags, or rewriting it - however in that case the original root certificate must still stay inside because it's checked by ROM.
And the last thing is that he said that "SE used to disable JTAG on retail phones".
I remember that someone here mentioned JTAG but I don't know what the result was.
To receive further help/tips from him, the following questions must be answered:
Question 1: To what exactly do you refer when speaking about the bootloader? Now that I've explained about S1Boot, can we actually say that bootloader = S1Boot (similar to) > A1's EROM (similar to) > A2's SEMCBOOT?
Question 2: What's contained in boot.img, if S1Boot is inside loader.img/loader.sin?
Best regards
25th January 2011
Bin4ry said:
Anyone want to try my modded kexec-tool? I hope I have found a solution, but don't know yet, because my netbook is still compiling the kernel ..... (for another 20 hours)
Regards
Bin4ry
Bin4ry said:
Since Maxrfon didn't answer my last mail again (he's very busy now) I had spare time and worked on this little tool once more =)
I hope we can boot another kernel with kexec-tool now.
For that we need a zImage and an initrd + some boot parameters for the kernel (root partition).
So if anyone wants to try I would be lucky. My compilation was broken and now I have to start again :'(
So if anyone here wants to help to try I would be lucky =)
Regards
26th January 2011
Bin4ry said:
Yes, an initrd is needed, because I have not found the initrd location in virtual memory yet, so I cannot point to it from kexec
Code:
kexec -l /zImage --append="root........" --initrd="/initrd"
kexec -e -f
also you should append the root partition.
It would be nice if someone could upload a zImage, I'm still stuck compiling it *LoL* ****ing netbook is compiling 15 hours and then it aborts with some errors ^^
Regards
blagus said:
Put kexec in /system, chmod 777
Put ramdisk_orig.tgz and zImage to / and chmod 777
Code:
# kexec-tool -l /zImage --append="/" --initrd="/ramdisk_orig.tgz"
# kexec-tool -fe
After reboot zImage and initrd disappear from /
Maybe if I put them in /system... I'll try that and let you know result.
Bin4ry said:
@Shamux thanks for the kernel.
@blagus:
You have to append the root partition to the kernel parameters, else it will not detect it!
It's just like when you want to boot a normal kernel on a PC.
Try adding --append="root=/dev/blablabla rw"
check which one is the root partition (don't know now) and then check again if it works.
What we really need is some kmsg log or smth.
Also Z mentioned to compile the kernel with the semc-es209ra-capk config.
A minimal config will be a better way to start, because something is breaking and we cannot find it.
But if we can boot a minimal kernel, we can try to add more and more step by step and find the problem =)
Regards
blagus said:
Hmm... then, a little bit of experimenting is required...
I've got new info regarding bootloader cracking, from my source again.
In theory it's very simple and you probably know that already: we calculate the prime numbers that the public key is made from - one key is enough, the second can be calculated with the key ÷ 1st prime formula. But, you already know that.
Now, how to get these keys? Probably you know that too but let me repeat:
with OpenSSL we can get certificates from loader.sin. For example, this is the interesting part of S1_loader_root (root certificate):
Code:
Subject Public Key Info:
Public Key Algorithm: rsaEncryption
RSA Public Key: (1024 bit)
Modulus (1024 bit):
00:ea:a5:f7:7d:bd:67:21:33:04:00:ea:91:b0:c6:
cd:38:6c:aa:da:60:c1:77:e2:24:67:be:b7:da:4f:
e6:e5:92:fd:5b:b4:1a:97:54:cb:2f:7d:b1:63:e3:
d4:43:b9:a6:91:70:36:9f:5f:3a:7a:0e:2c:a7:44:
3b:40:84:0f:40:79:4a:b7:e8:58:d7:47:15:29:79:
07:b7:65:7b:d3:6d:40:10:29:78:c5:8f:51:b0:6e:
38:a9:97:1c:ff:1e:e5:bc:0d:22:1c:08:22:db:ad:
40:6f:2f:28:8a:8f:5c:38:d3:2a:96:72:48:66:28:
07:80:11:f1:62:f9:d3:40:a7
Exponent: 65537 (0x10001)
The modulus here is the public key.
Just give this modulus to the CPUs and GPUs and let them calculate the primes.
With these primes, calculation of the private key should be trivial.
Update: this key is what we need to crack, that's it. Then, we can even make our own certificate - just like now there are, for example, s1_loader (Red, retail) and s1_loader_test (Brown, developer), we can make our own s1_loader_xda... and then, if its issuer is S1_Loader_Root_f851 (like it is in the root certificate attached here), and it is present in all parts of loader.sin (signature, signature of loader payload data) then the phone will accept it.
Yes, that's right: this "Modulus" number above is the one that we need to crack in order to modify the bootloader.
Update: if there's something confusing in this certificate, it's probably the fact that its issuer and subject are the same: yes, it's self-signed. But unfortunately, it won't work if we make our own self-signed certificate.
arkedk said:
Don't know if this is any help or useful info for any of the devs.
But I managed to check the code in the lib_s1_verification.so file.
Here's the boot sequence.
These files are the ones I know have something to do with the s1:
/lib/lib_s1_verification.so
/bin/linker
/bin/s1_verification_test
I don't know what I'm looking at here, but just wanted to see if I could make some kind of contribution to get the bootloader opened up.
Also attached the dedexed files from within semc_bootinfoif.jar if those are useful to anyone.
Assuming this is the Booting Sequence:
I tried typing in 'adb root enable' and this appeared (see attachment).
If we can get a developer rom somehow, we could enable root.
If unclear, it says that 'adbd cannot run as root in production builds'.
I think that Sony Ericsson's adb drivers are causing this. If we could hack into the official android one, we could maybe unlock some adb commands (adb shell doesn't even allow any command to work!)
Very good idea to start a new thread. Please someone of the moderators delete all future comments that are not related to root!
I finally compiled the tardis program but it doesn't work
Here is my original post:
-----
This didn't work on X10. But possibly someone will try it on other devices.
Usage: ./tardis <BIG FILE>
Big file should be ~ 100mb
------
-Bin4ry
Gathered Information about the kernel and mount points so far:
Kernel Version: Linux version 2.6.29-rel ([email protected]) (gcc version 4.2.1) #2 PREEMPT Wed Mar 10 16:53:36 JST 2010
(notice it's been compiled on march 10 so it might have been patched until february)
Internal flash partitions:
/dev/block/mtdblock2 /system yaffs2 ro 0 0
/dev/block/mtdblock3 /data yaffs2 rw,nosuid,nodev 0 0
/dev/block/mtdblock1 /cache yaffs2 rw,nosuid,nodev 0 0
/dev/block/loop0 /cdrom iso9660 ro 0 0
4Mb ramdisk: tmpfs /sqlite_stmt_journals tmpfs rw,size=4096k 0 0
Inside the software update package, there are a lot of files:
update.xml -> update template, it says not to erase amss_fs.sin, maybe that's why it's empty...
preset.ta ->
Inside there's this:
Code:
// preset.ta has same format as TA file generated by FXTool
// Specification document: 69/159 35-LXE 108 116 Uen, Rev PA3
// Format:
// [TAPartition<HEX8>]{1}
// [UnitID<HEX32> UnitSize<HEX16> Data<HEX8>{UnitSize}]{n}
// (c) Sony Ericsson Mobile Communications AB, 2009
02
000008FD 0010 00 00 08 00 05 00 00 00 0E 00 00 00 08 00 00 00
00000961 0004 FE FF FF FF
amss_fs.sin -> no idea...but it seems empty as the cache 639 byte
apps_log.sin -> template for wiping mtdblock0 partition? (639 byte)
cache.sin -> template for wiping cache partition (like data partition, 639 byte)
fota0.sin -> ?
fota1.sin -> ?
boot.sin -> our beloved boot.img? (5.4 mbytes)
recovery.sin -> it looks like we have a recovery mode after all (not just safe mode)
dsp1.sin -> dsp firmware?
amss.sin -> Radio firmware?
metadata.dat -> 536 bytes, I guess it will be package metadata
simlock.ta -> 1,3 kb
system_S1-SW-LIVE....sin -> 195Mb, system partition
userdata_S1-SW-LIVE....sin -> 4,8kb, template for wiping data partition, maybe it has some file in there... haven't checked yet.
Things I tried so far:
m7 exploit. It seems fixed on this kernel (that or it might need some tinkering to the code)
exit_notify() local root exploit. suid_dumpable is 0 on /proc, so useless
h00ly**** exploit. Bin4ry tried this, but it seems it didn't work either.
Good thing: Sony Ericsson update service is programmed in java, and lollylost100 has already managed to make the program dump update images decrypted, so we might have a chance with that.
Also, bootloader starts if you take out the battery, plug usb and then turn it back in. It goes on for 10 seconds, after that, it times out and reboots to normal. So maybe if we don't mess with the bootloader we can restore it no matter what happens to the rest of the flash (don't trust this much)
About the mtd partitions, there are only four visible to Android, but there have to be more.
Radio partition, recovery partition (if it flashes it will be somewhere, unless its just a kernel+ramdisk that boots when in 'safe mode'), bootloader and such. Where are they hidden?
I have a copy of the running configuration for the kernel from .16 version, if anybody wants, I can put it somewhere.
If you want to retrieve it from your phone just do:
cat /proc/config.gz > /sdcard/config.gz
from adb/local terminal.
@HunteronX: that error it gives you is because you need a dev firmware, or being able to do a 'su', to get root access; it's not a driver problem. If you do "adb shell" you get a terminal with user id 2000 (shell), but no way of getting id 0 (root) with official firmware (unless hacking). By the way, that post you pasted from me is very outdated and there's not much useful information, so you can remove it from the first post. Thanks for starting a new thread, hopefully we'll manage to keep it clean!
Regards, Biktor
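A parser for the preset.ta layout quoted above, added here as an example (it is not code from the thread or from Sony Ericsson's tools): it reads the TAPartition byte and the UnitID/UnitSize/Data units, rejects a unit whose byte count does not match its declared UnitSize rather than silently truncating, and round-trips the two units from the post.

```python
import re
from dataclasses import dataclass

# Constructed sample: the preset.ta content quoted in the post above (the
# format comment plus its two units). HEX8/HEX16/HEX32 are 2/4/8 hex digits.
PRESET_TA = """\
// preset.ta has same format as TA file generated by FXTool
// Format:
// [TAPartition<HEX8>]{1}
// [UnitID<HEX32> UnitSize<HEX16> Data<HEX8>{UnitSize}]{n}
02
000008FD 0010 00 00 08 00 05 00 00 00 0E 00 00 00 08 00 00 00
00000961 0004 FE FF FF FF
"""

HEX8 = re.compile(r"[0-9A-Fa-f]{2}")
HEX16 = re.compile(r"[0-9A-Fa-f]{4}")
HEX32 = re.compile(r"[0-9A-Fa-f]{8}")


class TAFormatError(ValueError):
    """Raised when a line does not match the documented TA layout."""


@dataclass
class TAUnit:
    unit_id: int
    data: bytes


def parse_ta(text):
    """Return (partition, [TAUnit, ...]); refuse units whose byte count
    disagrees with the declared UnitSize instead of silently truncating."""
    partition = None
    units = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.split("//", 1)[0].strip()  # drop // comments and blank lines
        if not line:
            continue
        fields = line.split()
        if partition is None:
            # The first non-comment line is the single TAPartition<HEX8> byte.
            if len(fields) != 1 or not HEX8.fullmatch(fields[0]):
                raise TAFormatError(f"line {lineno}: expected TAPartition<HEX8>")
            partition = int(fields[0], 16)
            continue
        if len(fields) < 2 or not HEX32.fullmatch(fields[0]) or not HEX16.fullmatch(fields[1]):
            raise TAFormatError(f"line {lineno}: expected UnitID<HEX32> UnitSize<HEX16>")
        unit_id, size = int(fields[0], 16), int(fields[1], 16)
        data_fields = fields[2:]
        if len(data_fields) != size:
            raise TAFormatError(
                f"line {lineno}: unit {unit_id:#010x} declares {size} bytes "
                f"but carries {len(data_fields)}")
        if not all(HEX8.fullmatch(b) for b in data_fields):
            raise TAFormatError(f"line {lineno}: data bytes must be HEX8")
        units.append(TAUnit(unit_id, bytes(int(b, 16) for b in data_fields)))
    if partition is None:
        raise TAFormatError("no TAPartition line found")
    return partition, units


def serialize_ta(partition, units):
    """Inverse of parse_ta, in the same one-unit-per-line layout."""
    lines = [f"{partition:02X}"]
    for unit in units:
        if len(unit.data) > 0xFFFF:
            raise TAFormatError(f"unit {unit.unit_id:#010x} exceeds UnitSize<HEX16>")
        body = " ".join(f"{b:02X}" for b in unit.data)
        lines.append(f"{unit.unit_id:08X} {len(unit.data):04X} {body}".rstrip())
    return "\n".join(lines) + "\n"


if __name__ == "__main__":
    part, units = parse_ta(PRESET_TA)
    for u in units:
        print(f"partition {part:#04x} unit {u.unit_id:#010x}: {u.data.hex(' ')}")
```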
biktor_gj said:
update.xml -> update template, it says not to erase amss_fs.sin, maybe that's why it's empty...
Code:
<?xml version="1.0" encoding="utf-8" ?>
<UPDATE>
<NOERASE>amss_fs.sin</NOERASE>
</UPDATE>
HunteronX said:
I tried typing in 'adb root enable' and this appeared (see attachment).
If we can get a developer rom somehow, we could enable root.
If unclear, it says that 'adbd cannot run as root in production builds'.
I think that Sony Ericsson's adb drivers are causing this. If we could hack into the official android one, we could maybe unlock some adb commands (adb shell doesn't even allow any command to work!)
This information is Wrong.
ADB is not allowed to run as root on Any production builds, not only Sony Ericsson.
Also all "normal" ADB commands work.
My Contribution: The only Directory where you can put native executables is /data
sim-value said:
This information is Wrong.
ADB is not allowed to run as root on Any production builds, not only Sony Ericsson.
Also all "normal" ADB commands work.
My Contribution: The only Directory where you can put native executables is /data
Confirmed, on all production Android builds we couldn't enable root. That is too easy.
We can write and execute in /data. There used to be an exploit moving data from
/data to /system, but now that hole is closed; the move request gets killed on the way.
Still no sign of recovery or bootloader access. ADB reboot won't help as you will get the normal bootup screen.
SEUS flash mode can be turned on and detects a USB SEMC Flash Device in Linux and Mac OS, but after 20 - 30 seconds
it will shut itself down and reboot in normal mode. There might be some trigger here.
funfobia said:
Confirmed, on all production Android builds we couldn't enable root. That is too easy.
We can write and execute in /data. There used to be an exploit moving data from
/data to /system, but now that hole is closed; the move request gets killed on the way.
Still no sign of recovery or bootloader access. ADB reboot won't help as you will get the normal bootup screen.
SEUS flash mode can be turned on and detects a USB SEMC Flash Device in Linux and Mac OS, but after 20 - 30 seconds
it will shut itself down and reboot in normal mode. There might be some trigger here.
Ok, thanks for telling me that - looks like I've got a lot to learn...
@biktor_gj I've hopefully now removed all the information you wanted.
/data is not the only place where you can run binaries, you can also execute them from /sqlite_stmt_journal ramdisk. The only issue is after rebooting the phone files will disappear, but /data has the nosuid flag enabled on the mount command, but that flag doesn't exist on the sqlite tmpfs.
Regards
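A mount-option audit for the point made in the post above, added as an example that is not from the thread: it parses the /proc/mounts lines biktor_gj quoted earlier and reports which writable filesystems lack nosuid, nodev or noexec, which singles out the /sqlite_stmt_journals tmpfs as the mount with none of the three (the nosuid on /data is what blocks setuid binaries there).

```python
import re

# Constructed sample: the five mount lines biktor_gj quoted from the X10,
# in /proc/mounts format (device mountpoint fstype options dump pass).
PROC_MOUNTS = """\
/dev/block/mtdblock2 /system yaffs2 ro 0 0
/dev/block/mtdblock3 /data yaffs2 rw,nosuid,nodev 0 0
/dev/block/mtdblock1 /cache yaffs2 rw,nosuid,nodev 0 0
/dev/block/loop0 /cdrom iso9660 ro 0 0
tmpfs /sqlite_stmt_journals tmpfs rw,size=4096k 0 0
"""

# Flags a writable, user-reachable mount should carry so that files dropped
# there cannot be executed, cannot gain privilege via setuid, and cannot be
# used as device nodes.
HARDENING_FLAGS = ("nosuid", "nodev", "noexec")


def _unescape(field):
    # /proc/mounts encodes space, tab, newline and backslash as \040 etc.
    return re.sub(r"\\([0-7]{3})", lambda m: chr(int(m.group(1), 8)), field)


def parse_mounts(text):
    """Return one dict per mount with the option flags as a set."""
    mounts = []
    for raw in text.splitlines():
        if not raw.strip():
            continue
        fields = raw.split()
        if len(fields) < 4:
            raise ValueError(f"malformed /proc/mounts line: {raw!r}")
        device, mountpoint, fstype, opts = (_unescape(f) for f in fields[:4])
        # Options such as size=4096k carry a value; keep only the flag name.
        flags = {o.split("=", 1)[0] for o in opts.split(",")}
        mounts.append({"device": device, "mountpoint": mountpoint,
                       "fstype": fstype, "flags": flags})
    return mounts


def audit_mounts(mounts):
    """Map each writable mountpoint to the hardening flags it is missing."""
    findings = {}
    for m in mounts:
        if "rw" not in m["flags"]:
            continue  # a read-only filesystem cannot receive a dropped binary
        missing = [f for f in HARDENING_FLAGS if f not in m["flags"]]
        if missing:
            findings[m["mountpoint"]] = missing
    return findings


if __name__ == "__main__":
    for mountpoint, missing in audit_mounts(parse_mounts(PROC_MOUNTS)).items():
        print(f"{mountpoint}: missing {', '.join(missing)}")
```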
Yesterday I sniffed the packets when SEUS connects to the Sony Ericsson server.
What I found out is that SEUS is requesting the following IP: 195.95.193.10
If you enter this in your browser it returns the following:
ma3.extranet.sonyericsson.com
There you can download a software called EMMA. Does someone know what that software is for?
goroh_kun said:
I uploaded an mtd dump program for Xperia with my mtd_nand_ex module.
It includes source code, and a statically linked binary.
http://hotfile.com/dl/52240500/a1a6e72/mtd_raw_dump.zip.html
With normal mtd-utils (nand-dump), you can't rip a complete NAND image,
so I had to change the mtd mode to RAW MODE.
The raw image includes the OOB (Out Of Band) area, so we have to
calculate the ECC (Error Correction Code) to get its executable image.
I wrote a program to rip the original image from the mtd raw image.
http://hotfile.com/dl/52522564/4d776ac/mtd_analyze.zip.html
I'm working to figure out how the OOB area works.
If you have any information please contact me, or write a message here!
Try another method to run a modified kernel.
hi, all
I found that the method of modifying the boot or recovery area is not a good way, because these partitions are signed with the SE signature, and it seems that the bootloader checks their SHA hash and signature every time in the boot process.
So I try another approach: execute another kernel from the original SE kernel, like the kexec method.
But the original SE kernel is not configured with CONFIG_KEXEC, so I had to modify the kexec interfaces from system calls to proc filesystem access.
http://hotfile.com/dl/52604229/240e97c/kexec_ex.zip.html
http://hotfile.com/dl/52609760/96288b5/kexec-tools.tgz.html
It seems to work to boot a new kernel. You have to build the kernel with an initrd image.
wait for details..
we have 2 options
patch loader or go kexec
flash tools for x10 nand
happy play
http://hotfile.com/dl/53734913/3b68720/flash_tools.tar.bz2.html
rosco16 said:
Great!!!
If you had flashed NAND... is it correct to say that the x10 is 100% rooted already??
cheers

NO
- we can dump and flash NAND (tested tools)
- SE boot (the kernel is signed like .sin files) and our boot is not signed, so it will not boot
We need kexec to load our kernel, or to patch the bootloader not to check for a signed kernel.
@custom rom: Cyanogen V6 alpha is compiled but we cannot boot it.
zephyrix said:
Dump the bootloader, patch it, then rewrite.

:)
You are so funny.
If it was that simple we would do it.
zephyrix said:
Dump the bootloader, patch it, then rewrite.

First, the bootloader and fota applications have some kind of lock and cannot be read (unlike boot, recovery, amss & dsp). Second, to patch a bootloader you need to disassemble it, find all the points where it checks for signatures, and patch them. Then you need to test it, and if you mess it up once, a $400 phone goes to the trash. It is much more useful to have kexec working, since with it you could, in theory, boot the bootloader from RAM to check whether the patching goes well and do all the testing without breaking anything. And you could run a kernel of your choice.
Things aren't as easy as that, I'm afraid...
How to dump the bootloader
Hi all,
try this to dump your bootloader.
http://hotfile.com/dl/53890681/9e4b303/spldump.zip.html
The SPL image remains in internal RAM at addresses 0x0 - 0x100000.
I wrote a driver to dump this area through /proc/splimage.
goroh_kun said:
Hi all,
try this to dump your bootloader.
http://hotfile.com/dl/53890681/9e4b303/spldump.zip.html
The SPL image remains in internal RAM at addresses 0x0 - 0x100000.
I wrote a driver to dump this area through /proc/splimage.

I love you goroh, thank you very very much.
On a side note, is it just me or is it full of checks everywhere?
biktor_gj said:
I love you goroh, thank you very very much.
On a side note, is it just me or is it full of checks everywhere?

Yep, it is full.
Thanks goroh,
but the dump seems to be wrong:
after 0x3000 is padding,
the next block is at 0x100000.
@kexec: we need to somehow patch it to load the loader.

[Q] Kernel compile for A10 Ainol Aurora

Hi all
I'm trying to compile a kernel for the A10 Aurora and I have a couple of questions.
I'm using this guide to make a custom kernel. Compiled allwinner-v3.0-android-v2. Btw my laptop is running Ubuntu 32-bit, 2 cores, 30 GB HDD on VMware Workstation.
I made zImage, uImage and modules without getting any errors, but how do I flash them to the device? Using adb? Making a boot.img? Making a CWM zip? How do I pack them?
Also my compiled files are here.
And terminal output is here:
Code:
OBJCOPY arch/arm/boot/Image
Kernel: arch/arm/boot/Image is ready
GZIP arch/arm/boot/compressed/piggy.gzip
AS arch/arm/boot/compressed/head.o
CC arch/arm/boot/compressed/misc.o
CC arch/arm/boot/compressed/decompress.o
SHIPPED arch/arm/boot/compressed/lib1funcs.S
AS arch/arm/boot/compressed/lib1funcs.o
AS arch/arm/boot/compressed/piggy.gzip.o
LD arch/arm/boot/compressed/vmlinux
OBJCOPY arch/arm/boot/zImage
Kernel: arch/arm/boot/zImage is ready
UIMAGE arch/arm/boot/uImage
Image Name: Linux-3.0.31+
Created: Sat Jun 9 15:25:49 2012
Image Type: ARM Linux Kernel Image (uncompressed)
Data Size: 3932980 Bytes = 3840.80 kB = 3.75 MB
Load Address: 0x40008000
Entry Point: 0x40008000
Image arch/arm/boot/uImage is ready
Thanks in advance
Best regards.
kelleci said:
Hi all
I'm trying to compile a kernel for the A10 Aurora and I have a couple of questions.
I'm using this guide to make a custom kernel. Compiled allwinner-v3.0-android-v2. Btw my laptop is running Ubuntu 32-bit, 2 cores, 30 GB HDD on VMware Workstation.
I made zImage, uImage and modules without getting any errors, but how do I flash them to the device? Using adb? Making a boot.img? Making a CWM zip? How do I pack them?
Also my compiled files are here.
Thanks in advance
Best regards.

In fact there are 3 ways:
1. by fastboot
2. by flashing a .zip file that includes boot.img and the modules
3. by flashing a zip file that is your ROM updated with the new kernel/modules
The question is: do you have this ROM in .zip format, or is this the stock ROM?
zImage is the new kernel included in boot.img.
uImage = ? maybe the kernel from recovery.img.
Usually, if you have boot.img, the easy way to flash is
Code:
fastboot erase boot
fastboot flash boot boot.img
The problem is that you have a lot of modules, so the easy way is to flash a .zip file
(without the modules included you are missing wifi/sound etc).
You will need some scripts to compile/pack a boot and then flash it
(I have these scripts).
Also the modules have to be added to the /modules folder and given rights; you should locate it, maybe /system/lib/modules?
Also post the output from
Code:
cat /proc/mtd
After your answer we can decide the simple way to make changes,
but if you have a zipped ROM this is the easy way.
Hi, thanks for the reply.
I'm on CM9 in this link.
Also have the source. Synced this github link.
Thanks in advance.
Did you ever succeed in compiling and running a custom kernel?
Kelleci,
did you ever succeed?
Alt
No, I haven't succeeded yet.

[Q] Build CWM for HTC J

I think maybe here I can get some help for making a recovery for the HTC J.
This phone isn't sold in the EU and US, only in Japan, Taiwan, and Hong Kong.
I tried to build a recovery with Recovery Builder, but it failed when I flashed it into my phone.
It reboots when entering recovery.
Now I'm trying to build it manually, but I have poor knowledge and tools for that.
Can anyone help with this? I can give the original files.
Besides, the HTC J is using the MSM8660A, which means maybe it can use the One S's recovery (the One S is MSM8260A).
Is that possible?
CWM recovery porting
missile0407 said:
I think maybe here I can get some help for making a recovery for the HTC J.
This phone isn't sold in the EU and US, only in Japan, Taiwan, and Hong Kong.
I tried to build a recovery with Recovery Builder, but it failed when I flashed it into my phone.
It reboots when entering recovery.
Now I'm trying to build it manually, but I have poor knowledge and tools for that.
Can anyone help with this? I can give the original files.
Besides, the HTC J is using the MSM8660A, which means maybe it can use the One S's recovery (the One S is MSM8260A).
Is that possible?

(Sorry for the link restriction. Please add http : // or w w w to the head.)
You're right. It's possible. Japanese users used the recovery for the One S and fixed it for the J.
Build Process
1. get default recovery.img of J (mmcblk0p22 ? fix for your J)
2. get CWM recovery.img for OneS
3. extract recovery.img for J(using split-bootimg.pl)
4. modify recovery.img-ramdisk folder
--4.1 replace init.rc with OneS CWM's init.rc
--4.2 replace sbin/* with OneS CWM's /sbin/*
--4.3 copy ueventd.rc from default boot.img of J
--4.4 modify default.prop
< ro.secure=1
< ro.allow.mock.location=0
< ro.debuggable=0
< persist.service.adb.enable=0
---
> ro.secure=0
> ro.allow.mock.location=1
> ro.debuggable=1
> persist.service.adb.enable=1
--4.5 modify /etc/recovery.fstab
# This configuration is for Japanese J.
# Please fix for your J.
# mount point fstype device [device2]
/recovery emmc /dev/block/mmcblk0p22
/boot emmc /dev/block/mmcblk0p21
/cache ext4 /dev/block/mmcblk0p37
/data ext4 /dev/block/mmcblk0p38
/sdcard vfat /dev/block/mmcblk1p1 /dev/block/mmcblk1
/internal_sdcard vfat /dev/block/mmcblk0p39
/system ext4 /dev/block/mmcblk0p36
/misc emmc /dev/block/mmcblk0p23
5. If your device has FeliCa (like NFC, standard in Japan) or a protected feature, CWM restore fails because of kernel protection.
In this case, you must build a kernel with the security feature disabled and replace the default kernel with it.
Otherwise, you have to
-----5.1 get the CyanogenMod repository
-----5.2 modify the recovery source (backup and restore should be done by dd)
-----5.3 build
-----5.4 replace /sbin/recovery with the new one
but this method is difficult.
6. repack
mkbootfs ./recovery.img-ramdisk | gzip -9 > custom-ramdisk.gz
mkbootimg --kernel recovery.img-kernel --ramdisk custom-ramdisk.gz --cmdline 'console=ttyHSL0,115200,n8' --base 0x80400000 --ramdiskaddr 0x81800000 -o custom_recovery.img
You can get mkbootfs and mkbootimg from a CyanogenMod build.
7. fastboot flash
These processes are from this forum (anago.2ch.net/test/read.cgi/smartphone/1338050087/) and my article (d.hatena.ne.jp/td2sk/20120615/1339780557).
###########
It's the CWM recovery for the Japanese J.
mediafire.com/?qiddodjf0p0xsc5
We fixed some points that are not discussed here because the Japanese J has some features of its own.
(dd restore, fix felica_permissions, etc)
So this may not work well for your device.
###########
Japanese users are porting CWM and CyanogenMod10 to the J.
If you want to know more details, the Japanese forum is useful.
anago.2ch.net/test/read.cgi/smartphone/1338050087/
twitter.com/#!/search/%23valentewx
(But all articles are written in Japanese.)
Some of the results that contain CWM and CyanogenMod10 are published in my repository.
github.com/td2sk
Good luck.
td2sk - twitter.com/td2sk
(Edit)
Got it, I used another tool to unpack, now it works.
WIP
After building from the One S recovery, I now flashed my own recovery on the J.
But now my phone is stuck at the white HTC screen with red words.
Maybe it is a protection problem?
CWM recovery porting
missile0407 said:
After building from the One S recovery, I now flashed my own recovery on the J.
But now my phone is stuck at the white HTC screen with red words.
Maybe it is a protection problem?

Kernel protection works after boot, so I don't think that would cause any problems.
You should replace some more files, or should NOT replace some files.
How about our prebuilt recovery?
-- mediafire.com/?qiddodjf0p0xsc5
If your J boots, please unpack it and survey the differences.
If the J doesn't, you must build from source.
In this case, CyanogenMod and my repository (github.com/td2sk) are useful.
There are more details of the build process in my article (d.hatena.ne.jp/td2sk/).
td2sk said:
Kernel protection works after boot, so I don't think that would cause any problems.
You should replace some more files, or should NOT replace some files.
How about our prebuilt recovery?
-- mediafire.com/?qiddodjf0p0xsc5
If your J boots, please unpack it and survey the differences.
If the J doesn't, you must build from source.
In this case, CyanogenMod and my repository (github.com/td2sk) are useful.
There are more details of the build process in my article (d.hatena.ne.jp/td2sk/).

Oh!! I got my phone rooted with this recovery!
Now I'll check the differences between this one and the one I made.
Thanks for the help.
I think I found a problem.
When I unzip ramdisk.gz, cpio can't unpack some files.
Maybe this is the point.
I'll find out how to solve this problem.
CWM recovery porting
I forgot the newest recovery.img.
http : / / kie.nu/q8_
This is the newest version but may not work well.
td2sk said:
I forgot the newest recovery.img.
http : / / kie.nu/q8_
This is the newest version but may not work well.

Haha, I got the problem solved! It was because I was using a VMware shared folder to unzip.
It can't unzip symlinks on a shared folder.
And thanks for the new recovery, but what does "may not work well" mean? Does that mean it does not work well at installation?
Hello, I made it!
I used the One S CWM to make a recovery, based on 5.8.3.1.
But all I did was change zImage, ueventd.rc and recovery.fstab to the J's.
I'll try another way to do the other things.
http://kie.nu/qb_
CWM recovery porting
missile0407 said:
Haha, I got the problem solved! It was because I was using a VMware shared folder to unzip.
It can't unzip symlinks on a shared folder.
And thanks for the new recovery, but what does "may not work well" mean? Does that mean it does not work well at installation?

Sorry, the correct newest recovery is: http : / / kie.nu/p-x
"may not work well" means that it's an unstable version.
The older recovery is a stable version and we have tested it enough.
But that version is v5.5.0.4.
The newest one is version v6.0.1.4. This is not from the One S' CWM. We built it from source.
But this is still in development. We haven't tested it enough.
In this version, after CWM boots, the power button as select key is disabled. You can select CWM menu items by pushing the HOME key.
Can I root or get CWM on the HTC J (version 1.31.970.1)?
I got a HTC J (version 1.31.970.1) after the OTA was released. Has any process been fixed for the new one?
fayevirgo said:
I got a HTC J (version 1.31.970.1) after the OTA was released. Has any process been fixed for the new one?

If you can unlock your J, it isn't necessary to fix any processes.
You can use the same processes and make your own version.
You can also use our prebuilt recoveries.
- the old and stable version is here: mediafire.com/?qiddodjf0p0xsc5
- the newest and unstable version is here: kie.nu/p-x
In Japan, the J can't be unlocked after the OTA update.
I don't know how to unlock the Japanese J after the OTA.
Can your J be unlocked in your country?
td2sk said:
If you can unlock your J, it isn't necessary to fix any processes.
You can use the same processes and make your own version.
You can also use our prebuilt recoveries.
- the old and stable version is here: mediafire.com/?qiddodjf0p0xsc5
- the newest and unstable version is here: kie.nu/p-x
In Japan, the J can't be unlocked after the OTA update.
I don't know how to unlock the Japanese J after the OTA.
Can your J be unlocked in your country?

You mean the official unlock from HTCdev?
If so, my J is a Taiwan device, and its version is 2.18; it can be unlocked by HTCdev without special work. Maybe Hong Kong's device can be unlocked, too.
td2sk, thank you for your blog. I've been following your blog and fnoji's blog for a while. I made a custom ROM based on MIUI for the One S.
td2sk said:
If you can unlock your J, it isn't necessary to fix any processes.
You can use the same processes and make your own version.
You can also use our prebuilt recoveries.
- the old and stable version is here: mediafire.com/?qiddodjf0p0xsc5
- the newest and unstable version is here: kie.nu/p-x
In Japan, the J can't be unlocked after the OTA update.
I don't know how to unlock the Japanese J after the OTA.
Can your J be unlocked in your country?

Unfortunately, I could not unlock my J in Japan. I got a new one with the new version after the OTA update.
fayevirgo said:
Unfortunately, I could not unlock my J in Japan. I got a new one with the new version after the OTA update.

If you can get temp-root, you can also unlock.
But right now, we can't get temp-root for the new J.
Root, unlock bootloader for 2.50.970.3
fayevirgo said:
Unfortunately, I could not unlock my J in Japan. I got a new one with the new version after the OTA update.

You can try this for the newest version 2.50.970.3: http://htcsoku.info/?page_id=662
new cwm
After the OTA, we can get root and unlock again.
And now, this is the newest CWM recovery (v6.0.1.5).
http : / / kie.nu/uhO
It supports
+ backup/restore to ext_sd
+ adb sideload (flash zip without sd)
source code: [email protected]
td2sk said:
After the OTA, we can get root and unlock again.
And now, this is the newest CWM recovery (v6.0.1.5).
http : / / kie.nu/uhO
It supports
+ backup/restore to ext_sd
+ adb sideload (flash zip without sd)
source code: [email protected]

Thanks for your new recovery.
Very fast and stable.

In need of RETEU 7.0 OTA File(s)

Hi,
Can anyone point me to any 7.0 OTA location I can download it from? Especially for the RETEU branch, because I messed up some flashing and need the modem, BT, etc. firmware files to reflash them.
The files in urgent need are:
NON-HLOS.bin
fsg.mbn
BTFM.bin
adspso.bin
boot.img
oem.img
NVM. Fixed the issue by myself!
I need them too!
Issue fixed
where did you get them?
You can get them yourself with a PHP script [1] or a curl command.
(You may also want to look at this thread by @erfanoabdi: [TOOL] Motorola OTA Link Generator Tool)
For convenience, he hosted this as a web page:
http://motorola.erfanabdi.ir/
Enter the details of your device and current os exactly as reported by "fastboot getprop all", device=XT1650 (not XT1650-03).
e.g.
Model: XT1650
Software Version: Blur_Version.24.21.46.griffin.retail.en.US
Carrier: reteu
==> These entries then produce this link:
http://motorola.erfanabdi.ir/?model=XT1650&sv=Blur_Version.24.21.46.griffin.retail.en.US&carrier=reteu
You will get OTA updates from there on that you have to install sequentially. (Download, then scroll down and get the next OTA..)
If you found this useful, go to @erfanoabdi's thread [2] and press 'thanks' ...
[1] @erfanoabdi's source code on Github: Motorola-OTA-Link-Generator-Tool
[2] @erfanoabdi's xda thread: [TOOL] Motorola OTA Link Generator Tool
nevermind

How To Guide [GUIDE] [T220/T225] Flash a GSI on the A7 Lite (without TWRP)

Hi everyone, this is a short guide on how to flash a GSI on the A7 Lite (without TWRP).
It's a nice little tablet for the price but it doesn't have a very powerful SoC, and for me One UI is barely usable on this device. The launcher and the whole system UI feel extremely laggy, but apps generally run fine.
I tried phhusson's custom Android 12 GSI and the device was almost resurrected. Much, much less UI lag, and the battery life is the same as on the stock ROM. The only thing I found not working is MTP, but I don't need it.
Since I saw a couple of users here asking about GSIs I decided to make a very simple guide.
As always, do this at your own risk. You may brick your device. You will void your warranty.
Follow the guide only if you know what you are doing. Read each step carefully and avoid copy-pasting stuff randomly.
I won't go deep into details as I believe you should have some basic knowledge if you decide to do this.
The procedure should work for both T220 and T225 (I tested it on a T220).
I did this on Windows, using WSL for some of the steps.
Sources
Thanks to @kkoo and @Brepro1 for the useful info
- https://forum.xda-developers.com/t/...sing-odin-without-twrp-phh-lineageos.4114435/
- https://forum.xda-developers.com/t/...r-img-and-flashing-our-modifications.4196625/
Requirements
- Unlocked bootloader
If you haven't done this already follow the steps in parts 1-2 from:
[TUTORIAL] How To Unlock & Root Tab A7 Lite T220/T225, & Install LSPosed, Magisk, Mods
- Latest official ROM
I used T220XXU1AVE1 for EUX region
Samsung Galaxy Tab A7 Lite Firmware Download SM-T220 Free Download
- Download your preferred GSI
I used AOSP 12.1 v414 with gapps from phhusson
Releases · phhusson/treble_experimentations
- Clean vbmeta.img from Google
https://dl.google.com/developers/android/qt/images/gsi/vbmeta.img
Tools
- lz4
Releases · lz4/lz4
- simg2img
[DEV][Tools] simg2img for Windows
- lpunpack and lpmake
[GUIDE] OTA Tools LPUnpack
- tar-md5-script-tool
Use the attached tar-md5-script-tool.zip
Steps
1. Extract official ROM files (BL, AP, CP, CSC)
2. Extract AP .tar.md5
3. Decompress the extracted super.img.lz4
Code:
lz4 -d super.img.lz4 super.img
4. Convert the sparse super.img
Code:
simg2img super.img super.ext4.img
5. Unpack super.ext4.img
Code:
lpunpack super.ext4.img
I got 4 partitions in my image (should be the same for all T220/T225 ROMs):
- odm.img
- product.img
- system.img
- vendor.img
6. Replace system.img with your GSI (rename it to system.img)
7. Get the size of all partitions and the size of the original super.ext4.img (not the sparse super.img)
Code:
stat -c '%n %s' IMG_FILE.img
8. Repack super.img
Code:
lpmake --metadata-size 65536 \
--super-name super \
--metadata-slots 2 \
--device super:ORIGINAL_SUPER_IMG_SIZE \
--group main:SUM_OF_ALL_PARTITIONS_SIZES \
--partition odm:readonly:ODM_PARTITION_SIZE:main \
--image odm=./odm.img \
--partition product:readonly:PRODUCT_PARTITION_SIZE:main \
--image product=./product.img \
--partition system:readonly:SYSTEM_PARTITION_SIZE:main \
--image system=./system.img \
--partition vendor:readonly:VENDOR_PARTITION_SIZE:main \
--image vendor=./vendor.img \
--sparse \
--output ./super_new.img
Replace ORIGINAL_SUPER_IMG_SIZE, SUM_OF_ALL_PARTITIONS_SIZES, ODM_PARTITION_SIZE, PRODUCT_PARTITION_SIZE, SYSTEM_PARTITION_SIZE, VENDOR_PARTITION_SIZE with the values you obtained in step 7.
Read the lpmake docs for a more detailed explanation of the args used above:
partition_tools - platform/system/extras - Git at Google
9. Compress the repacked super_new.img
Code:
lz4 -B6 --content-size super_new.img super_new.img.lz4
10. Compress the clean vbmeta.img
Code:
lz4 -B6 --content-size vbmeta.img vbmeta.img.lz4
11. Extract tar-md5-script-tool.zip
12. Put all the *.img.lz4 files extracted from the AP .tar.md5 in the tar-md5-script-tool dir
13. Replace super.img.lz4 and vbmeta.img.lz4 in tar-md5-script-tool dir with your repacked and compressed super_new.img.lz4 (rename it to super.img.lz4) and the clean compressed vbmeta.img.lz4
14. Run batch.bat in tar-md5-script-tool dir
You will find the new AP .tar.md5 in the temp-folder subdir
15. Flash your custom AP .tar.md5 with Odin along with BL, CP, CSC from original ROM
16. Reboot into recovery and do a factory reset
17. Done
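Steps 7 and 8 are where this procedure goes wrong most often: six sizes are read with stat and copied by hand into lpmake, and a mistyped or swapped value yields a super image that fails to flash or boot. As an added example, not from the guide or its author, the POSIX shell script below reads the sizes with the same stat call the guide uses, sums the four partitions, checks that they fit inside the super device, and prints the complete lpmake command line so it can be reviewed before it is run. It assumes the unpacked images are named as in step 5 and sit in one directory together with super.ext4.img, and it reuses the metadata, group and partition names the guide's command uses.

```shell
#!/bin/sh
# Added example, not the guide's own code. Generates the lpmake command of
# step 8 from the file sizes of step 7 instead of copying them by hand.
# Assumes the directory given to lpmake_cmd holds odm.img, product.img,
# system.img (already replaced by the GSI), vendor.img and super.ext4.img.
# Uses GNU stat (Linux / WSL, as the guide recommends).

# Byte size of one file, the same call as the guide's step 7.
img_size() {
    stat -c '%s' "$1"
}

# Sum of the byte sizes of the given images (SUM_OF_ALL_PARTITIONS_SIZES).
sum_sizes() {
    total=0
    for f in "$@"; do
        total=$((total + $(img_size "$f")))
    done
    echo "$total"
}

# Print the full lpmake command line for directory $1; does not run it.
# Returns 1 if the logical partitions would not fit into the super device.
lpmake_cmd() {
    dir=$1
    super_size=$(img_size "$dir/super.ext4.img")
    group_size=$(sum_sizes "$dir/odm.img" "$dir/product.img" "$dir/system.img" "$dir/vendor.img")
    if [ "$group_size" -gt "$super_size" ]; then
        echo "error: partitions ($group_size bytes) exceed super size ($super_size bytes)" >&2
        return 1
    fi
    cmd="lpmake --metadata-size 65536 --super-name super --metadata-slots 2"
    cmd="$cmd --device super:$super_size --group main:$group_size"
    for p in odm product system vendor; do
        cmd="$cmd --partition $p:readonly:$(img_size "$dir/$p.img"):main --image $p=$dir/$p.img"
    done
    cmd="$cmd --sparse --output $dir/super_new.img"
    echo "$cmd"
}

# Constructed sample: placeholder images with known sizes (not real ROM
# content) so the generator can be exercised without a firmware download.
make_sample_dir() {
    d=$(mktemp -d)
    head -c 4096   /dev/zero > "$d/odm.img"
    head -c 8192   /dev/zero > "$d/product.img"
    head -c 65536  /dev/zero > "$d/system.img"
    head -c 16384  /dev/zero > "$d/vendor.img"
    head -c 262144 /dev/zero > "$d/super.ext4.img"
    echo "$d"
}

# Demo on the constructed sample; real use: lpmake_cmd /path/to/unpacked/dir
sample=$(make_sample_dir)
lpmake_cmd "$sample"
rm -r "$sample"
```

Pipe the printed command through `sh` only after checking it; the fit check is deliberately strict, because lpmake itself will also refuse a group that is larger than the device, and catching it before the repack saves a flash cycle.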
Can you share a screenshot, as I think treble projects are only stable on SD chipsets.
Abish4i said:
Can you share a screenshot, as I think treble projects are only stable on SD chipsets.

The system language is Italian but it should be easy to understand.
I found only a couple of bugs so far in phhusson's GSI:
- in the launcher, dragging apps from the drawer to the home screen doesn't always work (just use another launcher)
- it crashed once while searching in the settings app
I use the tablet only for media consumption and some retrogaming, so there are probably other bugs I haven't noticed.
This is a generic guide; it won't include a "known issues" section since that largely depends on which GSI you choose.
I haven't tested this on the LTE version so I can't say for sure whether the mobile network works or not.
Unfortunately I don't have the time to make a custom ROM, test it and keep it updated here on the forum, but maybe if there is enough interest someone will do it.
I hope other users will try to flash a GSI and share their experience here so we can gather some info on working/broken stuff, especially on the LTE model since I can't test that.
Hello,
I'm sorry, but what am I missing here?
I'm a little frustrated because after hours and hours of headaches I got to the second to last step, which involves tar-md5-script-tool.
I simply put all the .img.lz4 files from AP, replace the super & vbmeta files with the ones that I converted, and try to run batch.bat as instructed.
However nothing happens and this is what the program spits out.
On the tar tool xda forum it says that it converts .img files, not .img.lz4. Are we supposed to extract all the .img files from inside the .lz4 files?
I appreciate the guide but there are a lot of missing details I had to fill in and figure out myself, like the fact that from step 4 to step 8 you need to use WSL or a Linux distro (using simg2img for Windows messes things up, so please use the one from otatools inside a Linux bash).
Also, for people that are not familiar with Linux, you need to type "./" in front of the directed commands (in this case ./simg2img ./lpunpack ./lpmake).
I'm not a developer or a programmer; maybe you wrote this guide for people more inclined to that, but for me this was pretty hard.
Noob here, but I'm running "simg2img super.img super.ext4.img" and nothing happens for 5 min, and when I abort I get "Error reading sparse file header".
Any suggestions?
DanneSwe said:
Noob here, but I'm running "simg2img super.img super.ext4.img" and nothing happens for 5 min, and when I abort I get "Error reading sparse file header".
Any suggestions?

Are you using the Windows version of simg2img? If yes, use the one from otatools inside Windows Subsystem for Linux.
ReubenMCSM said:
Are you using the Windows version of simg2img? If yes, use the one from otatools inside Windows Subsystem for Linux.

I can confirm simg2img doesn't seem to work on Windows; I used WSL.
@ReubenMCSM I will update the guide with more details in the future but I don't have much time right now.
For your specific issue, try to use the attached tar-md5-script-tool.
Great, thanks!
What's the process with tar-md5-script-tool? Just moving the super.img to the folder and running batch.bat didn't work; the output file in the temp folder is 11 kB. Tried to change super.img to super.tar but no change.
Thanks for the tool, but unfortunately the output is the same, like the problem @DanneSwe has.
It looks like the batch.bat script from the tar md5 tool linked in the guide is a bit different from the one I used. I will update the guide.
Try again with the version I attached in the post above.
- Extract the AP tar md5 from the official ROM
- Copy all .img.lz4 files into the tar-md5-script-tool folder
- Replace super.img.lz4 and vbmeta.img.lz4 (step 13)
- Launch batch.bat, the output should look like this
- You will find AP_TAR_MD5_CUSTOM_FILE_ODIN.tar.md5 in temp-folder
It finally worked! I redid everything and also moved my folder to drive C instead of drive D; maybe this made the difference.
ReubenMCSM said:
It finally worked! I redid everything and also moved my folder to drive C instead of drive D; maybe this made the difference.

What GSI did you pick, and could you upload the files you flashed?
I got simg2img to work by using
.\simg2img -i super.img -o super.ext4.img
packed img filename: super.img
output img filename: super.ext4.img
Wrote "super.ext4.img"
The lpunpack and lpmake step isn't working for me; I've been at this for days, no luck.
Can someone please help me out by uploading the custom AP .tar.md5 (the modded file with the GSI) along with BL, CP, CSC from the original ROM to Google Drive?
Thanks!
ramz.pa said:
The lpunpack and lpmake step isn't working for me; I've been at this for days, no luck.
Can someone please help me out by uploading the custom AP .tar.md5 (the modded file with the GSI) along with BL, CP, CSC from the original ROM to Google Drive?
Thanks!

I had the same issue. :/
Can someone help me with the T225 LTE model by compiling the AP please? Because for some reason the tar-md5-script tool isn't working for me.
Thanks.
Successfully flashed GSI with magisk on my T220 following the OP's procedure. MTP is not working as the OP said. However, I can use my flash drive so I don't really miss MTP.
I chose "system-squeak-arm64-ab-vndklite-gapps-secure.img.xz" for GSI. "Treble Info" app can tell you what image would be compatible with your device.
If you want to use a different launcher like Nova instead of the default one, change the "Smallest width" setting from 600 to 598 in Developer options to hide the annoying taskbar.
AOSP-Mods and "Project Themer - Android 12+" work fine for me.
Here is my build for my device SM-T220 (SM-T220_EUX_T220XXU1AVE1):
GSI: system-squeak-arm64-ab-vndklite-gapps-secure.img.xz
Custom AP: https://www.filehosting.org/file/details/7045394/AP_TAR_MD5_CUSTOM_FILE_ODIN.tar.md5
Custom AP with Magisk patch: https://www.filehosting.org/file/details/7045714/magisk_patched-25101_cauJQ.tar
You can extract BL and Home_CSC from SM-T220_EUX_T220XXU1AVE1.
Notes: My device is actually SM-T220 XAR, but I have been updating it with SM-T220 EUX firmware versions without any issue.
Pleasance said:
Can someone help me with the T225 LTE model by compiling the AP please? Because for some reason the tar-md5-script tool isn't working for me.
Thanks.

Here is the custom AP based on the following. Since I don't have an SM-T225 device, I can't verify it. However, I compiled the AP the same way I did for my SM-T220.
- SM-T225_EUX_T225XXU1AUJ1
- GSI: system-squeak-arm64-ab-vndklite-gapps-secure.img.xz
https://www.filehosting.org/file/details/7046296/AP_TAR_MD5_CUSTOM_FILE_ODIN.tar.md5
xpdragon said:
Here is the custom AP based on the following. Since I don't have an SM-T225 device, I can't verify it. However, I compiled the AP the same way I did for my SM-T220.
- SM-T225_EUX_T225XXU1AUJ1
- GSI: system-squeak-arm64-ab-vndklite-gapps-secure.img.xz
https://www.filehosting.org/file/details/7046296/AP_TAR_MD5_CUSTOM_FILE_ODIN.tar.md5

Thank you so much for compiling the AP for me, bro, but when I try to flash it with Odin I get this error:
<ID:0/004> Firmware update start..
<ID:0/004> SingleDownload.
<ID:0/004> preloader.img.lz4
<ID:0/004> FAIL!
For your information, the current OS build on my tablet is INS with the baseband version T225XXU1AVB2 and security patch 1 Feb 2022; hope this helps you.
DanneSwe said:
What GSI did you pick, and could you upload the files you flashed?
I got simg2img to work by using
.\simg2img -i super.img -o super.ext4.img
packed img filename: super.img
output img filename: super.ext4.img
Wrote "super.ext4.img"

GSI-12_SM-T220_EUX_T220XXU1AVE1_fac.zip (drive.google.com)
Use this ONLY on the SM-T220 (without SIM card) and on the EUX version.
Pleasance said:
Thank you so much for compiling the AP for me, bro, but when I try to flash it with Odin I get this error:
<ID:0/004> Firmware update start..
<ID:0/004> SingleDownload.
<ID:0/004> preloader.img.lz4
<ID:0/004> FAIL!
For your information, the current OS build on my tablet is INS with the baseband version T225XXU1AVB2 and security patch 1 Feb 2022; hope this helps you.

Here is the GSI build for SM-T225_INS_T225XXU1AVB2
https://www.filehosting.org/file/details/7129248/GSI-12_SM-T225_INS_T225XXU1AVB2.zip
