Better Mobile App

[Technical discussion] Stack overflow on hermes SPL

stepw discovered a stack overflow vulnerability that affects ALL Trinity SPL versions up to now, I implemented an exploit for it, see details here.
The same bug is present in Hermes SPL versions >= 1.11, and all SPLs using HTC common base 1.51, so probably newer Breeze SPLs are vulnerable too.
Sadly for hermes users this bug can't be exploited the same way it's done on Trinity, this is the memory layout on Trinity:
Code:
0x80b00000 | xxxxxxxxxxx | \
.... | xxxxxxxxxxx | > wdata buffer
0x80b10000 | xxxxxxxxxxx | /
+-------------+
| . |
| . |
+-------------+
0x8c000000 | SPL-begins | \
.... | SPL SPL SPL | ME
.... | SPL SPL SPL | MO <--- how_far
.... | SPL SPL SPL | RY
.... | SPL SPL SPL | /
0x8c040000 | SPL-ends |
+-------------+
| . |
| . |
+-------------+
| . | \
0x8c08cb90 | . | s
.... | | t /\
.... | | a ||
.... | | c ||
.... | | k ||
0x8c08db90 | | /
| |
By doing recusrive 'ruustart' calls we can overflow the stack and set arbitrary bytes in 0x64 bytes buffer (size of command buffer in ruu mode).
We first try to detect how far the overflow should go, this varies on each SPL version. Then we put a known pattern on the stack and use the 'checksum' command to determine offsets of current stack top and size of stack frame of ruustart and normal command mode.
Then we load our unsigned code using wdata, of course we get an "invalid cert error" from bootloader, but the data we send is stored at 0x80b00000 (wdata buffer). We place here a modified IPL to skip loading SPL from NAND, and the custom SPL we want to load.
Then we calulate how many recursions we need to reach the spl end at 0x8c040000, the first recursions are padded with 0's as they are useless, only need them to overflow the stack, we put our shellcode here, the shellcode is a handler which executes the loader that resides in ram (0x80b00000) which copies patched IPL, SPL to RAM, disables ARM instruction caching and virtual addressing and branches to 0 offset to start IPL.
After placing the shellcode, we send the next ruustart calls with padding that contains branch instructions (relative jumps to the handler), we calculate how many calls we need based on target offset, initial stack offset and stack frame size.
Finally we need to jump to our patched code, to do this we call a function which has its entry point properly aligned with the overflown stack frame (we only control 0x64 bytes out of the frame size for ruustart which is tipically 0xe0), this also varies in each SPL version.
Now let's see the problem we're facing in hermes, this is the Hermes memory layout:
Code:
| . | \
| . | s /\
| | t ||
.... | | a ||
| | c ||
.... | | k
0x8c033b90 | | /
+-------------+
| . |
| . |
+-------------+
0x8c080000 | SPL-begins | \
.... | SPL SPL SPL | ME
.... | SPL SPL SPL | MO <--- how_far; we never reach here :(
.... | SPL SPL SPL | RY
.... | SPL SPL SPL | /
0x8c0c0000 | SPL-ends |
+-------------+
| . |
As you can see here, the stack grows up in the same direction as trinity, but the SPL code is placed below the stack so we can't overwrite it, thus we can't call a function that branches to our code.
So this is a call for developers & researchers, we need to find what else is between the stack and the ram top in hermes and see if there's something there that could be exploited, or if there's a pointer in ram that code branches to, we can exploit it by replacing the pointer.
You can use the Trinity exploit code with '-m hermes' hidden flag to test things on Hermes, feel free to modify / adapt the source for your tests on hermes.
Any ideas are welcome, have fun!

Damn pof your a real wacko and a genious, nice job man congrats!!

Re: spl overflow
Cool!
Congratz to stepw for this amazing research and exploit!
pof! GOOD work and nice code! Hope caffeine let you sleep some day!
Tonight we have to celebrate this with some beers!
heheh

thanks, keep up the good works, hope this software be develope as soon as posible so that our bricked phone be alive again.

I don't Understand
i'm using dopod 838 pro....where the memory layout mus edit?

LG Optimus L3 II E430 E431 E425 E435 ? [ROOT/BOOTLOADER/kernel/rom][TEAM OPTIMA]

E430​
{
"lightbox_close": "Close",
"lightbox_next": "Next",
"lightbox_previous": "Previous",
"lightbox_error": "The requested content cannot be loaded. Please try again later.",
"lightbox_start_slideshow": "Start slideshow",
"lightbox_stop_slideshow": "Stop slideshow",
"lightbox_full_screen": "Full screen",
"lightbox_thumbnails": "Thumbnails",
"lightbox_download": "Download",
"lightbox_share": "Share",
"lightbox_zoom": "Zoom",
"lightbox_new_window": "New window",
"lightbox_toggle_sidebar": "Toggle sidebar"
}
DESCRIPTION:
Code:
GENERAL 2G Network GSM 850 / 900 / 1800 / 1900
3G Network HSDPA 900 / 2100
SIM Mini-SIM
Announced 2013, February
Status Available. Released 2013, April
BODY Dimensions 102.6 x 61.1 x 11.9 mm (4.04 x 2.41 x 0.47 in)
Weight 107 g (3.77 oz)
DISPLAY Type IPS LCD capacitive touchscreen
Size 240 x 320 pixels, 3.2 inches (~125 ppi pixel density)
Multitouch Yes
SOUND Alert types Vibration, MP3 ringtones
Loudspeaker Yes
3.5mm jack Yes
MEMORY Card slot microSD, up to 32 GB
Internal 4 GB (1.6 GB user available), 512 MB RAM
DATA GPRS Class 12 (4+1/3+2/2+3/1+4 slots), 32 - 48 kbps
EDGE Class 12
Speed HSDPA, 7.2 Mbps; HSUPA, 5.76 Mbps
WLAN Wi-Fi 802.11 b/g/n, Wi-Fi hotspot
Bluetooth Yes, v3.0 with A2DP, HS
USB Yes, microUSB v2.0
CAMERA Primary 3.15 MP, 2048 x 1536 pixels
Features Geo-tagging
Video Yes, [email protected]
Secondary No
FEATURES OS Android OS, v4.1.2 (Jelly Bean)
Chipset Qualcomm MSM7225A Snapdragon
CPU 1 GHz
GPU Adreno 200
Sensors Accelerometer, proximity, compass
Messaging SMS (threaded view), MMS, Email, Push Email, IM
Browser HTML
Radio FM radio
GPS Yes, with A-GPS support
Java Yes, via Java MIDP emulator
Colors Indigo Black, Titanium silver, White
- SNS integration
- MP4/H.264/H.263/WMV player
- MP3/WAV/WMA/eAAC+ player
- Google Search, Maps, Gmail
- YouTube, Google Talk
- Document viewer
- Photo viewer
- Organizer
- Voice memo
- Predictive text input
BATTERY Type Li-Po
Capacity 1540 mAh
Stand-by Up to 608 h (2G) / Up to 700 h (3G)
Talk time Up to 11 h 30 min (2G) / Up to 10 h (3G)
MISC SAR US 1.02 W/kg (head) 1.23 W/kg (body)
SAR EU 1.00 W/kg (head) 0.52 W/kg (body)
Warning :
Code:
* Your warranty is now void.
* I am not responsible for bricked devices, dead SD cards,
* thermonuclear war, or you getting fired because the alarm app failed. Please
* do some research if you have any concerns about features of this Kernel
* before flashing it! YOU are choosing to make these modifications, and if
* you point the finger at me for messing up your device, I will laugh at you.
* But since i'm a nice dude i will try to guide you anyway:)
WINDOWS ROOTING GUIDE
*this guide will work on most android phones ​
Download THIS PROGRAM (VROOT)
Install Program
Enable USB Debugging in settings (TICK CHECK-BOX IN Settings>>>Developer options>>>USB debugging)
Plug your phone to PC using usb cable in "LG software" mode
If you are connecting your phone to your pc for the first time you need to install lg drivers from first autorun when phone plugged in ( If autorun disabled navigate to lg removable drive and run LGAutoRun.exe) follow on-screen instructions or download drivers from LG Official Website HERE
Ensure all drivers have installed correctly (no yellow triangles in "Device Manager")
Run VROOT As Administrator On PC
program will connect to your phone and tell you your phone model and if phone is rooted (obviously our's is not)
Click ROOT in right bottom corner
program will install Chinese sync/managment app (you can remove app later) on your phone and install Kinguser superuser app on your phone (you can replace this with your favourite superuser app <i kept Kinguser and i'm happy>)
Your phone will reboot when completed
BOOTLOADER = UNLOCKED AND CWM READY !!!
THANKS TO Cobmaster AND PlayfulGod WE HAVE UNLOCKED BOOTLOADER AND HAVE WORKING CWM v6.0.4.8
WINDOWS INSTALLER HERE *readme.txt
LINUX-UNIVERSAL INSTALLER HERE *THANKS TO Cobmaster
.APK FOR NON PC INSTALL HERE *THANKS TO PlayfulGod
*These will unlock bootloader install and CWM recovery
YOU CAN ENTER RECOVERY USING BUTTON COMBO !!! !!!
​
1. PRESS AND HOLD "HOME" BUTTON
2. PRESS "VOL-" AND "POWER" BUTTONS TOGETHER FOR ~2.5-3 SECONDS AND RELEASE
3. KEEP HOLD OF "HOME" BUTTON UNTIL RECOVERY BOOTED​
Here you can find apk to try on other devices:
MAKE SURE YOU FULL BACKUP AND ARE READY FOR SOFT/HARD BRICK
IT MIGHT BREAK YOU PHONE !!!!!!!!!!
!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
OK ONLY IF YOU ARE 100% SURE
WE (NO ONE BUT YOURSELF) TAKE NO RESPONSIBILITY IF THIS WILL DO ANYTHING BAD TO YOUR DEVICE
PlayfulGod said:
Heres the link to the new app build that getprops ro.product.device = vee3e or vee3
Click to expand...
Click to collapse
*if your model is E425 L3II replace boot.img with THIS ONE (1.1ghz overclock E425 S=off )
*if your model is E435 L3II Dual Sim replace boot.img with THIS ONE (1.1ghz overclock E435 S=off )
1. DEVICETREE = CWM READY THANKS TO PlayfulGod LINK HERE
NEEDS FILLING TO BUILD KERNEL/ROM'S
*i'm trying at the moment but it doesn't seems to be going anywhere
ALL AVAILABLE DATA HERE:
Dump of all the partitions using dd if= of= command DROPBOX HERE
Original JB kernel / android source DROPBOX HERE Containing kernel.tar.gz 109 MB<<<Click for tree android.tar.gz 63.8 MB<<<Click for tree
Stock boot partition extracted DROPBOX HERE *zImage and ramdisk
Cwm builder extracted STOCK recovery partition DROPBOX HERE
2. KERNEL = (DRIVERS/OVERCLOCK/DPI{smoothing?})
Yess Thanks To @Cobmaster !!!
We have 1.2Ghz Overclock also its possible to change the DPI setting (I use 105 and "roboto enchanced" font)
1.2Ghz S=off latest build for e430 ONLY. included more governors and I/O shedulers boot.img * download and "dd" flash or replace boot.img in freedom tools above
Stock JB kernel source 3.4.0 DROPBOX HERE
Modded JB kernel by cobmaster GIT HERE​
3. PORTING/MAKING CUSTOM ROM TWEAKS
SEE POST 2*Updating...
I have Ubuntu 13.10 x64 // Windows 7 x86 dual boot sdk/build environments set-up.
AND DEVICE FOR TESTING
I have managed to access few of the partitions, put a name to them Here is what i got till now: *If anyone can help resolve more partitions please do so
Code:
[B] *---------------------------- PartitionTable Info --------------------------*
Index| Partition Name | Logical Start Offset | Logical Size (KB) | File Offset | Physical Start Offset | Partition Size (KB) | Device Location
02 | QCSBL | 0xFFFFFFFF | 0x841CFBCD ( 949734KB) | 0x 100000 | 0x 0 | 0x 829 ( 1044KB) | /dev/block/mmcblk0p2
03 | OEMSBL | 0x3445474C | 0x 3033 ( 6169KB) | 0x 180000 | 0x 829 | 0x 2000 ( 4096KB) | /dev/block/mmcblk0p3
04 | EXT | 0x 0 | 0x 0 ( 0KB) | 0x 280000 | 0x 2829 | 0x 1D7D7 ( 60395KB) | /dev/block/mmcblk0p4
05 | APPSSBL | 0x 0 | 0xFFFFFFFF (4194303KB) | 0x 300000 | 0x 20000 | 0x 2000 ( 4096KB) | /dev/block/mmcblk0p5
06 | WALLPAPER | 0xFFFFFFFF | 0xFFFFFFFF (4194303KB) | 0x 380000 | 0x 22000 | 0x 2000 ( 4096KB) | /dev/block/mmcblk0p6
07 | MODEM_BACKUP | 0xFFFFFFFF | 0xFFFFFFFF (4194303KB) | 0x 380000 | 0x 24000 | 0x 2000 ( 4096KB) | /dev/block/mmcblk0p7
08 | misc | 0xFFFFFFFF | 0xFFFFFFFF (4194303KB) | 0x 380000 | 0x 26000 | 0x C000 ( 24576KB) | /dev/block/mmcblk0p8
09 | APPS | 0xFFFFFFFF | 0xFFFFFFFF (4194303KB) | 0x 380000 | 0x 32000 | 0x 6000 ( 12288KB) | /dev/block/mmcblk0p9
10 | MODEM_ST1 | 0xFFFFFFFF | 0xFFFFFFFF (4194303KB) | 0x A00000 | 0x 38000 | 0x 2000 ( 4096KB) | /dev/block/mmcblk0p10
11 | MODEM_ST2 | 0xFFFFFFFF | 0xFFFFFFFF (4194303KB) | 0x A00000 | 0x 3A000 | 0x 2000 ( 4096KB) | /dev/block/mmcblk0p11
12 | MODEM | 0xFFFFFFFF | 0xFFFFFFFF (4194303KB) | 0x A00000 | 0x 3C000 | 0x E000 ( 28672KB) | /dev/block/mmcblk0p12
13 | MODEM_BACKUP | 0xFFFFFFFF | 0xFFFFFFFF (4194303KB) | 0x 1D80000 | 0x 4A000 | 0x E000 ( 28672KB) | /dev/block/mmcblk0p13
14 | SYSTEM | 0xFFFFFFFF | 0xFFFFFFFF (4194303KB) | 0x 3100000 | 0x 58000 | 0x 1D0000 ( 950272KB) | /dev/block/mmcblk0p14
15 | PERSIST | 0xFFFFFFFF | 0xFFFFFFFF (4194303KB) | 0x 3D100000 | 0x 228000 | 0x 6000 ( 12288KB) | /dev/block/mmcblk0p15
16 | CACHE | 0xFFFFFFFF | 0xFFFFFFFF (4194303KB) | 0x 3DD00000 | 0x 22E000 | 0x 140000 ( 655360KB) | /dev/block/mmcblk0p16
17 | RECOVERY | 0xFFFFFFFF | 0xFFFFFFFF (4194303KB) | 0x 3DD00000 | 0x 36E000 | 0x 6000 ( 12288KB) | /dev/block/mmcblk0p17
18 | DRM | 0xFFFFFFFF | 0xFFFFFFFF (4194303KB) | 0x 3E400000 | 0x 374000 | 0x 4000 ( 8192KB) | /dev/block/mmcblk0p18
19 | FOTA | 0xFFFFFFFF | 0xFFFFFFFF (4194303KB) | 0x 3E400000 | 0x 378000 | 0x 6000 ( 12288KB) | /dev/block/mmcblk0p19
20 | USERDATA | 0xFFFFFFFF | 0xFFFFFFFF (4194303KB) | 0x 3E400000 | 0x 37E000 | 0x 38C000 (1859584KB) | /dev/block/mmcblk0p20
21 | DLOAD | 0xFFFFFFFF | 0xFFFFFFFF (4194303KB) | 0x 3E400000 | 0x 70A000 | 0x 2000 ( 4096KB) | /dev/block/mmcblk0p21
22 | BOOT_LOGO_IMAGE | 0xFFFFFFFF | 0xFFFFFFFF (4194303KB) | 0x 3E400000 | 0x 70C000 | 0x 2000 ( 4096KB) | /dev/block/mmcblk0p22
23 | MPT | 0xFFFFFFFF | 0xFFFFFFFF (4194303KB) | 0x 3E480000 | 0x 70E000 | 0x 8000 ( 16384KB) | /dev/block/mmcblk0p23
24 | ENCRYPT | 0xFFFFFFFF | 0xFFFFFFFF (4194303KB) | 0x 3E480000 | 0x 716000 | 0x 2000 ( 4096KB) | /dev/block/mmcblk0p24
25 | CUST | 0xFFFFFFFF | 0xFFFFFFFF (4194303KB) | 0x 3E480000 | 0x 718000 | 0x 10000 ( 32768KB) | /dev/block/mmcblk0p25
26 | rct | 0xFFFFFFFF | 0xFFFFFFFF (4194303KB) | 0x 40280000 | 0x 728000 | 0x 2000 ( 4096KB) | /dev/block/mmcblk0p26
[/B]
Just a Tip
IF someone is pissed off like me when you plug your phone to usb and have to click 3 times before phone connects
1. DIAL 3845#*430# ]425/435[
2. UN-CHECK BOX IN: "Settings">>>"Auto run">>>"AutoRun Enable"
3. Reboot (not sure if necessary but i did)
NO MORE CHECKING FOR DRIVERS / SKIP EVERY-TIME YOU PLUG YOUR PHONE IN
EXTRA CREDITS TO :
Slipsystem
TEAM OPTIMA
x13n0114
linuxxxx
And others
*if you feel left out please pm/mention

Reserve [Updated]
1st ? MOD for E430 LG L3 II Beta State do not use unless you know what you are doing
slipsystem has managed to port he's SLIMSYSTEM MOD to our device.
for info on he's mod go here
I have tested it on my device and there is no errors as such.
some features of the mod might not work at the moment as its a alpha pre-view
please do adb pull /system (to securely fully backup) GUIDE ON ADB
before running this as we cannot confirm compatibility with every firmware yet
(we need people to test on their devices and post fw version (i.e. V10C_00) any errors logcat and screen much appreciated )
PLEASE DOWNLOAD AND RUN THIS
then zip the folder called slipsystem then upload it with a link to help us develop further
Please let us know if MOD works on your device.
Things that may not work (all to disappear)
Maybe left over apps/data from debloat
statusbar systemui
Features (more to come)
*Build.prop Tweaks
* Debloat
* Mod SystemUI
* LG Optimus G Lock
* Multi User
* App Replacements
* Init.d Support
* Ads Block
Q/A
Ota Updater is working!!.
Will we get updates?
Yes, if you guys keep in touch and send us the files that we need.
FIRST 2 ATTACHED IMAGES ARE SCREENS BEFORE
LAST 2 ATTACHED IMAGES ARE SCREENS AFTER
Also stay tuned to THIS thread
@slipsystem @AwesomeSMS

I asked lg if we are able to unlock The e430 bootloader but they said it is not Possible right now.
Sent from my Kindle Fire HD 7 using XDA Premium 4 mobile app

TESTERS
Testers for roms and such:
E430
http://forum.xda-developers.com/member.php?u=4782028 @Aimbot91
http://forum.xda-developers.com/member.php?u=5238274 @dadziokPL
http://forum.xda-developers.com/member.php?u=4302324 @Cobmaster
http://forum.xda-developers.com/member.php?u=4989941 @x13n0114
http://forum.xda-developers.com/member.php?u=3542146 @Daniolki
http://forum.xda-developers.com/member.php?u=5483119 @AwesomeSMS
E425
http://forum.xda-developers.com/member.php?u=5299788 @29y6145
if you want to be added or removed from list please quote or pm me

IGGYVIP said:
I want to unlock/bypass bootloader, probably update kernel and make/port custom rom (CM preferably)
For e430 e430
I know its a lot to do and that i will need a lot of help but it needs to be done
I know basics about the whole process
I have a lot of spare time
I have the phone for testing (not scared of bricking [i will push the life back to it])
I'm very good at research and spamming manufactures for datasheets/drivers etc.
I need some experienced dev to tell me exact what to look for
What would be EXACT steps trough the process of
1 BOOTLOADER = UNLOCKING / 2ND BOOT ?
2 KERNEL = ? (DRIVERS/OVERCLOCK/DPI{smoothing?})
3 PORTING/MAKING CUSTOM ROM (DRIVERS ETC.)
Please someone ( @-CALIBAN666- @linuxxxx @szymel0 ANYONE ) show me the right direction
@AwesomeSMS please help
Click to expand...
Click to collapse
sorry but i am at start of my android experience
i study technology in my country at high school however this is my first android smartphone
in this month i understood a lot of things maybe i can help you in somethings but i am not so big to port rom or rebuild bootloader
if you have informations tell me i would like to understand and learn

We are gonna need all the help we can get. Thank you!!

You can't have any rom
sorry
no one can develop on those, because mediatek is not developer friendly, they don't release any kind of driver for soc so ayone can compile a rom / kernel without them

my gf just bought the phone and want to see cm11 running on it like on my phone
so, how can we support your development?
we are both non it people, living a alternative live in the woods

linuxxxx said:
You can't have any rom
sorry
no one can develop on those, because mediatek is not developer friendly, they don't release any kind of driver for soc so ayone can compile a rom / kernel without them
Click to expand...
Click to collapse
LG L3 2 isn't MTK like the LG l5 2. This phone has no devs. That's Why
Sent from my LG-E430 using XDA Premium 4 mobile app

Hmmm
linuxxxx said:
You can't have any rom
sorry
no one can develop on those, because mediatek is not developer friendly, they don't release any kind of driver for soc so ayone can compile a rom / kernel without them
Click to expand...
Click to collapse
i have original JB kernel / system source
E430(Optimus L3II)_Android_JB_E43010b containing
kernel.tar.gz 109 MB
android.tar.gz 63.8 MB
aren't drivers included in this package ?

Can someone run this tool
https://dl.dropboxusercontent.com/u/51036208/Android/SlimSystem/L3 II/ForPort.zip
then zip the folder called slipsystem on your C drive
then upload it with a link

Okay! I just rooted my phone.
Sent from my LG-E430 using XDA Premium 4 mobile app

slipsystem said:
Can someone run this tool
https://dl.dropboxusercontent.com/u/51036208/Android/SlimSystem/L3 II/ForPort.zip
then zip the folder called slipsystem on your C drive
then upload it with a link
Click to expand...
Click to collapse
AwesomeSMS said:
Okay! I just rooted my phone.
Sent from my LG-E430 using XDA Premium 4 mobile app
Click to expand...
Click to collapse
anyone interested ?
system patrtition tree list.txt
full framework.zip
e430

WOW
AwesomeSMS said:
Okay! I just rooted my phone.
Sent from my LG-E430 using XDA Premium 4 mobile app
Click to expand...
Click to collapse
how come you didnt root b4 ?

AwesomeSMS said:
Okay! I just rooted my phone.
Sent from my LG-E430 using XDA Premium 4 mobile app
Click to expand...
Click to collapse
nice you find a way to root the new firmware?
---------- Post added at 08:39 PM ---------- Previous post was at 08:36 PM ----------
IGGYVIP said:
anyone interested ?
system patrtition tree list.txt
full framework.zip
e430
Click to expand...
Click to collapse
nice thanks for this.
one thing I have noticed is that all the files are bigger than mine? strange I would have said it would be the other way around
---------- Post added at 08:52 PM ---------- Previous post was at 08:39 PM ----------
download taking its time. only 47 minutes left and I can start developing for your device
anyone want to be my tester?

slipsystem said:
nice thanks for this.
one thing I have noticed is that all the files are bigger than mine? strange I would have said it would be the other way around
---------- Post added at 08:52 PM ---------- Previous post was at 08:39 PM ----------
download taking its time. only 47 minutes left and I can start developing for your device
anyone want to be my tester?
Click to expand...
Click to collapse
lol it took less time to upload using my milestone 4 shared must be baaad
can you upload yours 4 compare ?
why you think yours should bigger ?
its zipped as store no compression
COUNT ME IN 4 TESTING

Ok if anyone is interested in trying. thanks to
@AwesomeSMS and @IGGYVIP for contributing there framework and apks
I managed to port my mod to your device.
for info on my mod go here
http://forum.xda-developers.com/showthread.php?t=2650588
I havent tested it yet this is a theoretical build so it might not work.
please do adb pull /system
before running this as I haven't tested it yet.
https://dl.dropboxusercontent.com/u/51036208/Android/SlimSystem/L3 II/slimsystemtest.zip
Please let me know if this works. Take some screenshots if you can.
Things that may not work
Calculator
Maybe left over apps from debloat
Features
Xperia Media Apps
Xperia Keyboard with swipe control
init.d support
Build.prop Tweaks
Quick Launch Status bar
Potato status bar gestures
Q/A
Ota Updater is not working?
I haven't added it to my ota account yet.
Will we get updates?
Yes, if you guys keep in touch and send me the files that I need.
Keyboard has switched to google voice?
you need to change the keyboard under settings.
why haven't the status bar icons changed
this mod was by gabi4175 i am still finding the icons he replaced.

slipsystem said:
Ok if anyone is interested in trying.
Click to expand...
Click to collapse
YES downloading as we speak
UPDATE:
Flashed no problem no errors
everything seems(i cannot check mobile network as my imei is damaged) to be working
ANYONE who wants to keep google chrome browser remove
Code:
rm /system/app/ChromeWithBrowser.apk
rm /system/app/ChromeWithBrowser.odex
rm /data/app/com.android.chrome-1.apk
out of slimsystem.sh
I want to keep mine
awesome work dude
after multiple reboots (by me) i have spotted it always opens browser on startup
screen included

ROOT
Rooted for a while (new software V**x_00 ?) here are screens
used superoneclick newest? and vroot superoneclick gave some errors and vroot finished proper
when i tried only with vroot it was rooted but not the shell i couldnt get su in terminal superoneclick must have done something because now i can
@AwesomeSMS

IGGYVIP said:
YES downloading as we speak
UPDATE:
Flashed no problem no errors
everything seems(i cannot check mobile network as my imei is damaged) to be working
ANYONE who wants to keep google chrome browser remove
Code:
rm /system/app/ChromeWithBrowser.apk
rm /system/app/ChromeWithBrowser.odex
rm /data/app/com.android.chrome-1.apk
out of slimsystem.sh
I want to keep mine
awesome work dude
after multiple reboots (by me) i have spotted it always opens browser on startup
screen included
Click to expand...
Click to collapse
Ok this is something to do with a init.d script. Just need to figure out which one. And to think I thought I was going crazy.

Installing gapps pico in CM12.1 fails in twrp.

After CM12.1 install I'm unable to install the gapps pico. Here's the log from gapps install.
Notice the Total System Size is only 12mb... Using tk_gapps-modular-pico-5.1.1-20150920-signed.zip
Is there any way to increase the partition size or a quick fix? The smallest pico is about 50mb and it's still going to fail with only 12mb size.
# Begin TK GApps Install Log
--------------------------------------------------------------------------------
ROM Android Version |
ROM ID |
ROM Version | non-standard build.prop
Device Recovery | TWRP 2.8.6.0
Device Name | meliuslte
Device Model |
Device Type | phone
Device CPU |
getprop Density | 240
default.prop Density | 240
build.prop Density |
Display Density Used | 240dpi [default]
Install Type | Clean[Data Wiped]
Google Camera Installedπ | Clean
Google Keyboard Installedπ | Clean
FaceUnlock Compatible | false
Google Camera Compatible | true
Google Webview Compatible | true
Current GApps Version | NO GApps Installed
Curent TK GApps Package | NO GApps Installed
Installing GApps Version | 20150920
Installing GApps Type | pico
Config Type | exclude
Using gapps-config | /external_sd/Download/gapps-config.txt
Remove Stock/AOSP Browser | false[NO_Chrome]
Remove Stock/AOSP Email | false[NO_Gmail]
Remove Stock/AOSP Gallery | false[NO_Photos]
Remove Stock/AOSP Launcher | false[NO_GoogleNow]
Remove Stock/AOSP MMS App | false[NO_Hangouts]
Remove Stock/AOSP Pico TTS | false[NO_GoogleTTS]
Total System Size (KB) | 12052
Used System Space (KB) | 4108
Current Free Space (KB) | 7944
Additional Space Required (KB) | 74904 << See Calculations Below
--------------------------------------------------------------------------------
π Previously installed with TK GApps
# End TK GApps Install Log
INSTALLATION FAILURE: Your device does not have sufficient space available in
the system partition to install this GApps package as currently configured.
You will need to switch to a smaller GApps package or use gapps-config to
reduce the installed size.
# Begin GApps Size Calculations
---------------------------------------------------------
TYPE | DESCRIPTION | SIZE | TOTAL
| Current Free Space | 7944 | 7944
Remove | Existing GApps | + 0 | 7944
Remove | Obsolete Files | + 0 | 7944
Install | Core≤ | - 28744 | -20800
Install | GMSCore≤ | - 43656 | -64456
Install | calsync≥ | - 1232 | -65688
| Buffer Space≤ | - 9216 | -74904
---------------------------------------------------------
Additional Space Required | 74904
---------------------------------------------------------
≤ Required (ALWAYS Installed)
≥ Optional (may be removed)
# End GApps Size Calculations
# Begin User's gapps-config
Books
Chrome
ClooudPrint
Docs
Earth
ExchangeGoogle
Slides
Sheets
# End User's gapps-config

Bricked phone, FireHose Error

Hey, i have a little problem and i would be grateful if someone would help me, my LeEco Le Max2 Bricked, the screen went blue , i turned it off and now it doesn't want to start at all or charge ( even the led is not functional)
I explored the forum and passed a few errors but i'm stuck at :
Total to be tansferd with <program> or <read> is 3.17 GB
22:18:04: INFO: Sending <configure>
_____
| ___|
| |__ _ __ _ __ ___ _ __
| __| '__| '__/ _ \| '__|
| |__| | | | | (_) | |
\____/_| |_| \___/|_|
22:18:04: {ERROR: XML not formed correctly. Expected a < character at loc 0}
_____
| ___|
| |__ _ __ _ __ ___ _ __
| __| '__| '__/ _ \| '__|
| |__| | | | | (_) | |
\____/_| |_| \___/|_|
22:18:04: {ERROR: 3. TAG not found or recognized}
_____
| ___|
| |__ _ __ _ __ ___ _ __
| __| '__| '__/ _ \| '__|
| |__| | | | | (_) | |
\____/_| |_| \___/|_|
22:18:04: {ERROR:
There is a chance your target is in SAHARA mode!!
There is a chance your target is in SAHARA mode!!
There is a chance your target is in SAHARA mode!!
This can mean
1. You forgot to send DeviceProgrammer first (i.e. QSaharaServer.exe -s 13rog_emmc_firehose_8994_lite.mbn)
2. OR, you did send DeviceProgrammer, but it has crashed and/or is not correct for this target
Regardless this program speaks FIREHOSE protocol and your target is speaking SAHARA protcol, so this will not work
}
Writing log to 'C:\Users\Aex\AppData\Roaming\Qualcomm\QFIL\port_trace.txt', might take a minute
Log is 'C:\Users\Aex\AppData\Roaming\Qualcomm\QFIL\port_trace.txt'
Download Fail:FireHose Fail FHLoader Failrocess fail
Finish Download
Thanks

do this steps :
https://www.gizmochina.com/2016/11/20/leeco-x820-max-2-super-unbrick-guide/
---------- Post added at 12:11 AM ---------- Previous post was at 12:11 AM ----------
do this steps :
https://www.gizmochina.com/2016/11/20/leeco-x820-max-2-super-unbrick-guide/

HTC-TYTN2 said:
do this steps :
https://www.gizmochina.com/2016/11/20/leeco-x820-max-2-super-unbrick-guide/
---------- Post added at 12:11 AM ---------- Previous post was at 12:11 AM ----------
do this steps :
https://www.gizmochina.com/2016/11/20/leeco-x820-max-2-super-unbrick-guide/
Click to expand...
Click to collapse
Why not this https://forum.xda-developers.com/le-max-2/how-to/guide-hard-brick-fix-qualcomm-hs-usb-t3492949 ?

valy_cta said:
Why not this https://forum.xda-developers.com/le-max-2/how-to/guide-hard-brick-fix-qualcomm-hs-usb-t3492949 ?
Click to expand...
Click to collapse
I didn't have any experience with flashing devices , when i said i didn't managed to make it work i was talking about your tutorial, i followed all your steps and i'm getting blocked by that error .
From the log I thought it was a corrupted file or something . Do you have any other idea why i'm getting that Firehose Error? I searched google and found 0 results in how i'm supposed to fix it

fratziweru said:
I didn't have any experience with flashing devices , when i said i didn't managed to make it work i was talking about your tutorial, i followed all your steps and i'm getting blocked by that error .
From the log I thought it was a corrupted file or something . Do you have any other idea why i'm getting that Firehose Error? I searched google and found 0 results in how i'm supposed to fix it
Click to expand...
Click to collapse
if the method can not unbrick your phone, you can try the firmware , hope help you .
https://www.needrom.com/download/le...ultilanguage-rom-unbrick-phone-qfil-fastboot/

Anybody know how to solve this problem?
/*invalid image type recieved*/
is_ack_succesfull : 1031 SAHARA_NAK_INVALID_IMAGE_TYPE
sahara protocol error
uploading image using sahara protocol failed

fish555 said:
Anybody know how to solve this problem?
/*invalid image type recieved*/
is_ack_succesfull : 1031 SAHARA_NAK_INVALID_IMAGE_TYPE
sahara protocol error
uploading image using sahara protocol failed
Click to expand...
Click to collapse
Its very possible that Windows security corrupted the Qfil and damaged this file, turn off antivirus, re-download Qfil and try again.

tsongming said:
Its very possible that Windows security corrupted the Qfil and damaged this file, turn off antivirus, re-download Qfil and try again.
Click to expand...
Click to collapse
Thanks for your answer
I turene off antivirus and brandmauer.
I think the problem must be in wrong image (i used kdz, img for d325 and my phone is 325f)
Also i red on forums that d325 may have two kind of processors.It's the reason why BoardDiag showed error

Anyone has 810 qfil ?
---------- Post added at 05:23 PM ---------- Previous post was at 05:19 PM ----------
Qualcomm 810 qfil which match with this methode?

leeco max x900
Hi,
I have bought a brand new LeTV (Leeco) Max 1 (x900). I installed twrp and tried to install custom rom. Unfortunately I didnt succeed and my phone is now only going into qualcomm 9008 mode. I have tried QFIL with the previous x800 service rom which supposedly puts it into a bootloop but you can still get it into fastboot mode. I have tried and tried but I constantly get the same sahara errors over and over. From what I have been reading, Qualcomms are unbrickable. So my question is where am I going wrong? The phone has a Qualcomm 810 in it. Do I need a specific file from LeEco that is currently unattainable? Please help. This is the flashest looking brick that I have ever owned...
fratziweru said:
Hey, i have a little problem and i would be grateful if someone would help me, my LeEco Le Max2 Bricked, the screen went blue , i turned it off and now it doesn't want to start at all or charge ( even the led is not functional)
I explored the forum and passed a few errors but i'm stuck at :
Total to be tansferd with <program> or <read> is 3.17 GB
22:18:04: INFO: Sending <configure>
_____
| ___|
| |__ _ __ _ __ ___ _ __
| __| '__| '__/ _ \| '__|
| |__| | | | | (_) | |
\____/_| |_| \___/|_|
22:18:04: {ERROR: XML not formed correctly. Expected a < character at loc 0}
_____
| ___|
| |__ _ __ _ __ ___ _ __
| __| '__| '__/ _ \| '__|
| |__| | | | | (_) | |
\____/_| |_| \___/|_|
22:18:04: {ERROR: 3. TAG not found or recognized}
_____
| ___|
| |__ _ __ _ __ ___ _ __
| __| '__| '__/ _ \| '__|
| |__| | | | | (_) | |
\____/_| |_| \___/|_|
22:18:04: {ERROR:
There is a chance your target is in SAHARA mode!!
There is a chance your target is in SAHARA mode!!
There is a chance your target is in SAHARA mode!!
This can mean
1. You forgot to send DeviceProgrammer first (i.e. QSaharaServer.exe -s 13rog_emmc_firehose_8994_lite.mbn)
2. OR, you did send DeviceProgrammer, but it has crashed and/or is not correct for this target
Regardless this program speaks FIREHOSE protocol and your target is speaking SAHARA protcol, so this will not work
}
Writing log to 'C:\Users\Aex\AppData\Roaming\Qualcomm\QFIL\port_trace.txt', might take a minute
Log is 'C:\Users\Aex\AppData\Roaming\Qualcomm\QFIL\port_trace.txt'
Download Fail:FireHose Fail FHLoader Failrocess fail
Finish Download
Thanks
Click to expand...
Click to collapse

fratziweru said:
Hey, i have a little problem and i would be grateful if someone would help me, my LeEco Le Max2 Bricked, the screen went blue , i turned it off and now it doesn't want to start at all or charge ( even the led is not functional)
I explored the forum and passed a few errors but i'm stuck at :
Total to be tansferd with <program> or <read> is 3.17 GB
22:18:04: INFO: Sending <configure>
_____
| ___|
| |__ _ __ _ __ ___ _ __
| __| '__| '__/ _ \| '__|
| |__| | | | | (_) | |
\____/_| |_| \___/|_|
22:18:04: {ERROR: XML not formed correctly. Expected a < character at loc 0}
_____
| ___|
| |__ _ __ _ __ ___ _ __
| __| '__| '__/ _ \| '__|
| |__| | | | | (_) | |
\____/_| |_| \___/|_|
22:18:04: {ERROR: 3. TAG not found or recognized}
_____
| ___|
| |__ _ __ _ __ ___ _ __
| __| '__| '__/ _ \| '__|
| |__| | | | | (_) | |
\____/_| |_| \___/|_|
22:18:04: {ERROR:
There is a chance your target is in SAHARA mode!!
There is a chance your target is in SAHARA mode!!
There is a chance your target is in SAHARA mode!!
This can mean
1. You forgot to send DeviceProgrammer first (i.e. QSaharaServer.exe -s 13rog_emmc_firehose_8994_lite.mbn)
2. OR, you did send DeviceProgrammer, but it has crashed and/or is not correct for this target
Regardless this program speaks FIREHOSE protocol and your target is speaking SAHARA protcol, so this will not work
}
Writing log to 'C:\Users\Aex\AppData\Roaming\Qualcomm\QFIL\port_trace.txt', might take a minute
Log is 'C:\Users\Aex\AppData\Roaming\Qualcomm\QFIL\port_trace.txt'
Download Fail:FireHose Fail FHLoader Failrocess fail
Finish Download
Thanks
Click to expand...
Click to collapse
This my be too late for you, but it can help people in the future with this same issue.
When using the QFIL program, you need to use the "prog_emmc_firehose_8994_lite.mbn" rather than the other .mbn (or elf) file as the program path, on my phone, I had 2 .elf files and use the wrong one, which caused me to have the same fault as you did. You must also use all program and patch files or you will get it to be in a state that it only gets to the point of the splash screen. The recovery/ bootloader is not available using the phones buttons and the device does not appear on the PC at all.
If somehow you got to that point. Leave your phone connected to the computer when it is stuck on the splash screen. In about 20 minutes ( yes, I know it is a long time.) the phone will reset with two options in recovery mode. The phone will also be picked up by the PC at this time.
Just enter cmd prompt in the adb file and enter "adb reboot edl" to bring your phone into edl mode. This will allow you to reinstall firmware using the QFIL program.

General Play-systemupdate 2021-12-01 (December)

JFYI, I just received the Play-systemupdate of Dec 1, 2021.
See screenshot.

This is what got updated (for me): packages + version (after update):
Code:
com.google.android.modulemetadata | 2021-12-01S+
com.google.android.networkstack | aml_net_3112130
com.google.android.networkstack.tethering | 12-7798439
com.google.android.odad | S.8.playstore.p
com.google.android.permissioncontroller | aml_per_3112110
com.google.android.providers.media.module | 12-7964833

Not yet for me.

I'm still on November. Is it just me?