Custom OEM Boot Logo Patcher - Xiaomi Mi Mix 3 Themes, Apps, and Mods

Hey guys,
I made a python script to flash custom logo images as boot logos / charging logos / fastboot logos. This will replace the default Xiaomi startup logos when you reboot or charge your phone.
Requirements:
- Linux/Mac/Win with Python3 installed
- TWRP on your MiMix3
Instructions:
- Go to https://github.com/travisjayday/logo-patcher-mix3
- Download the repo and find logogen.py (this is the python script that patches the logo img)
- Run it with python3 logogen.py and follow the instructions to generate a logo_patched.img
- Move the logo_patched.img to your phone and reboot into TWRP
- Flash it in TWRP onto the Logo partition
- Profit
For more detailed instructions, please read the README.md in the GitHub repo or execute python3 logogen.py --help
Hope you like custom logos!
Have fun!

Thanks for this.

There's something wrong when I tried to patch fastboot image.
Log is below.
C:\logo-patcher-mix3-master>python logogen.py -b new_boot.bmp -f new_fastboot.bmp
Unpacking vendor logo.img file for MiMix3...
Reading bitmap image from new_boot.bmp
Succesfully read bitmap with dimensions (1080x1920x24)
Patching boot image at: 0x5000
Original size: 6220854 bytes
Replacement size: 6220856 bytes
Patched boot logo successfully...
Patching unlocked image at: 0x7b8000
Original size: 6220854 bytes
Replacement size: 6220856 bytes
Patched unlocked logo successfully...
Reading bitmap image from new_fastboot.bmp
Succesfully read bitmap with dimensions (558x992x24)
Traceback (most recent call last):
File "logogen.py", line 155, in <module>
main()
File "logogen.py", line 44, in main
if dim != dimens["fast"][1]:
KeyError: 'fast'
Ah~ Find it! You should type fastboot instead of fast in lines 44 & 45. XD

@Seraph_X thanks for finding and letting me know of this error!

Anyone have any already modded boot logos that I can just flash?

Hi, I have the phone at MIUI 11, I tried to do this, and it didn't work, luckily I don't have a brick now, hahahahaha.
I got an error message, I didn't know what it said exactly, and it continued with the normal start.
The error appeared, because in twrp the logo partition doesn't appear, so I did it from ADB.
Any ideas?
Thank you.

Done.
It was just a procedural error.
To avoid this, the ideal is that whoever makes this kind of script, make the step-by-step tutorials for donkeys, like me.
I've found a lot of "tutorials" to flash all kinds of things, and unfortunately most of them don't explain almost anything -
We newcomers must beg for help, which in most cases is denied because it is taken for granted what most people do not know.
While it is true that you should not do anything you do not know, it is also true that those who share should be more talkative, and leave everything prepared for those who wish to enjoy their work.
Greetings.

I just realized that my Mi Mix 3 boot logo became an Apple logo. I never had the bootloader unlocked and just upgraded to MIUI 11 weeks ago.
Is there some kind of virus that did this?

Related

[Q/A]Coolpad 5560s - MegaThread: We are now ROOTED.

Coolpad 5560s - MegaThread: Info / Root
We are now ROOTED. I think we are the first too.
If you have any additional info, binaries, etc -- feel free to contribute!
USE AT YOUR OWN RISK
*** UPDATE ***
Fellow XDA'r stevenmirabito put together an all-in-one tool! If you wanna dig into the technical stuff follow directions below if not... check out his post!
*** UPDATE ***
USE AT YOUR OWN RISK
Updates:
17 Feb 2015
The fun begins ...
---> USE AT YOUR OWN RISK --->
DOWNLOADS:
ALL TOOLS AND DOCUMENTS ARE for non-commercial, personal, and educational use only.
You assume all risks and liabilities.
<--- USE AT YOUR OWN RISK <---
Big thank you to: stevenmirabito, keebler64,.. and all the other folks that contributed.
Proof of Concept
Code:
- Root is pre-cooked into the image.
- Root survives reboot.
- Note that the superuser daemon is.. rigged into one of the init.qcom.post-boot.sh files -- may break things. :P
Removed:
- system/priv-app/Cota*.apk/odex
- system/app/CP_*.apk/odex
- system/etc/security/otaupdates.zip.
- system/etc/ recovery-data.dat (not the exact name -- but removed)
Added:
- system/app: fdroid.apk, es file manager.apk
- system/xbin/su, system/bin/su (linked), /system/app/Superuser.apk ---> Clockworkmod's Superuser. :)
BUGFIX for Proof-Of-Concept:
- From: stevenmirabito: --> see post #55 (http://forum.xda-developers.com/showpost.php?p=58913680&postcount=55). <--- the Setup Wizard was disabled.. somehow... :P
It does work.. you can dump the partitions.. and it appears that you *can* write to the boot/recovery.
HOWTO: Creating your own custom system.img for flashing with the sda-flashtool
Code:
# Remove the following hex sequences from the stock system.img
# These are the only thing that stop the image from being a normal ext4 raw image.
#   30 3C 38 30 30 30 30 30 2E 2E 2E 2E   (three total)
#   30 30 32 39 3D 39 36 38 2E 2E 2E 2E   (one)
# Convert the now fixed system.img to a raw ext4 image to mount using simg2img (linux or possibly windows)
simg2img system.img system.raw
# Mount the raw image using loop (linux)
mkdir rawsystem
mount -t ext4 -o loop system.raw ./rawsystem/
# When you are finished making changes - create a new_system.img using the 4096 sparse format.
make_ext4fs -s -l 1024M -b 4096 -a system new_system.img rawsystem/
# move the new_system.img to the sda-flashtool directory (in windows) :)
# run sda-flashtool
sda-flashtool
# note that the sda-flashtool takes care of the injecting the headers --- even with file size changes..
# semi-major bug right now is the new_system.img needs to be at least 600mb. Will be fixed soon?..
# Have fun!
Recovery / Fastboot Modes
Code:
Recovery Mode
Power-off, Pull Battery, Press VOL UP & VOL DOWN then Hold Power until Logo. Release Power. Recovery Mode should start in 5-10 seconds.
Fastboot Mode
Power-off, Pull Battery, Connect USB to computer, Screen should read: "FASTBOOT".
To enable developer options / ADB Debug
Code:
Menu -> Settings -> System -> About Phone -> Tap the 'Build Number' about 5-10 times -> a Message should pop up 'you are now a developer'
OTA / Calling home urls to block in your router (stock image)
Code:
*51coolpad.com, *izatcloud.net, *cootek.com, and *coolpadfuns.com << OTA test server.
Old Root / Progression Log -- moved here for clarity
Code:
16 Feb 2015
- System images now flashable. :D
11 Feb 2015
- New Header calculations now verified against all the known stock headers. :good:
- Footers: 2 bytes of :confused:
10 Feb 2015
- [STRIKE]The headers are back on the todo list.[/STRIKE] FIXED. :)
  - Due to the way Bless (hex editor) formats its conversion table, it appeared like the images headers first 4 bytes were converted to a hex string which became the 2nd set of 4 bytes and those bytes summed to the 2e 2e 2e 2e. It looked like it was a simple subtraction/mask issue. It's a bit more. :/
  - [STRIKE]Also it appears that both the bootloader and the recovery have a separate ramdisk partition which is an overlay(?) and so it needs to be flashed as well.[/STRIKE]
- [STRIKE]Figured out the Headers. Now to the footers.[/STRIKE]
- Now able to transfer data w/o being timed out.
- Very close to a working custom flash tool.
06 Feb 2015
- More OTA servers to block: *51coolpad.com, *izatcloud.net, *cootek.com, and *coolpadfuns.com << OTA test server.
28 Jan 2015
- Posted older CPB file format found on google translate.
- https://translate.google.com/translate?sl=auto&tl=en&js=y&prev=_t&hl=en&ie=UTF-8&u=http%3A%2F%2Fwww.in189.com%2Fforum.php%3Fmod%3Dviewthread%26tid%3D814196&edit-text=&act=url
- [STRIKE]Posted a method that would easily brick the phone, but does allow flashing recovery.[/STRIKE] <--- don't do this.. very possible to brick the modem areas of the phone. What you are actually doing when using this method is transferring the remaining bytes of a modem/sbX transfer .. that was already in progress.
- University started up so been a bit busy.
16 Jan 2015
- [STRIKE]Alright well, found a method that may end up working... I was able to flash the stock 5560s CPB without bricking my 5560s. :D[/STRIKE]
- At this point it looks like we either need to create a custom system image w/ SuperUser.apk and busybox pre-installed OR we need to create a custom CWM for the coolpad 5560s.
- [STRIKE]It appears that as a part of the process of flashing the CPB, we can override the recovery.img with another recovery.img BUT we'd have to create a custom CWM. If we have enough information about the partition layouts.. hopefully.. a non-bricking custom recovery.img can be created. :D[/STRIKE]
- REF: http://modaco.com/topic/373530-guide-ygdp-tool-for-flashing-stock-42-44-roms/
16 Jan 2014
- [STRIKE]Tested some (Chinese?) 5217 rooting methods on the 5560.. nothing worked so far.[/STRIKE]
- Per suggestions below-- tested a ton of modstrings for towelroot. -- Was unable to gain even temporary root. :/
- A fellow XDA'r (Dunno if he wanted pub credit or not) got the CPB file.. poking it with a stick. :)
08 Jan 2014
- Testing some of the other coolpad rooting tools on the 5560.
- Tried: SRSRoot v1.7.3, Root Genius v1.9.6.. no luck.
24 Dec 2014
- Xmas time-- gonna be outta it for a few days.
- Phone is vulnerable to CVE-2014-7911 - Not sure if helpful, as CVE-2014-7911 crashes JVM. It may be possible to take over one of the factory apks that does have root permissions and inject SU. :)
22 Dec 2014
- Couldn't use the 9976A rooting method-- couldn't pull the MTK scatter. Hmm.
- There's an internal test server but the apk is passworded-- messn around with it.
20 Dec 2014
- Discovered some Coolpad / 5560s Dialer Codes
- *#*#*20060606*#*#* -> EngMode -> Phone Settings -> ENABLE Download Mode
- *#*#*9527*#*#* -> FactoryTest -> Some interesting things here..
- *#*#*4636*#*#* -> Testing -> Phone Info -> Just like the HTC Hidden Diag Screen, can turn off Radio / set preferred network type.
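The marker removal from the HOWTO above, as an added Python example that is not part of the original post or of sda-flashtool: it cuts the listed 12-byte sequences out of a copy of system.img and refuses to proceed unless each one occurs exactly as often as the post says. The sparse-image magic check and all function names are assumptions of this example, and the sample input is constructed.

```python
import sys

# Marker byte sequences and how often each occurs, copied from the HOWTO in the post.
MARKERS = {
    bytes.fromhex("30 3C 38 30 30 30 30 30 2E 2E 2E 2E"): 3,
    bytes.fromhex("30 30 32 39 3D 39 36 38 2E 2E 2E 2E"): 1,
}

# Magic number at the start of an Android sparse image (0xED26FF3A, little-endian).
# Assumption: the cleaned file is a sparse image, since the post feeds it to simg2img.
SPARSE_MAGIC = bytes.fromhex("3A FF 26 ED")


def find_all(data, needle):
    """Return every non-overlapping offset of needle in data."""
    offsets, pos = [], data.find(needle)
    while pos != -1:
        offsets.append(pos)
        pos = data.find(needle, pos + len(needle))
    return offsets


def strip_markers(data):
    """Cut the markers out of data; return (cleaned, sorted offsets that were removed).

    Raises ValueError when a marker count differs from the post, which means the
    input is not the stock image described there and should be left untouched.
    """
    cuts = []
    for marker, expected in MARKERS.items():
        offsets = find_all(data, marker)
        if len(offsets) != expected:
            raise ValueError(
                f"marker {marker.hex(' ')}: found {len(offsets)}, expected {expected}")
        cuts.extend((off, len(marker)) for off in offsets)
    cuts.sort()
    pieces, cursor = [], 0
    for off, length in cuts:
        if off < cursor:
            raise ValueError(f"markers overlap at offset {off:#x}")
        pieces.append(data[cursor:off])
        cursor = off + length
    pieces.append(data[cursor:])
    return b"".join(pieces), [off for off, _ in cuts]


def looks_sparse(data):
    """True when data begins with the Android sparse-image magic."""
    return data[:4] == SPARSE_MAGIC


def constructed_sample():
    """Constructed stand-in for a stock image: payload bytes with markers spliced in."""
    m1, m2 = list(MARKERS)
    return m1 + SPARSE_MAGIC + b"A" * 16 + m1 + b"B" * 8 + m2 + b"C" * 4 + m1 + b"D" * 2


if __name__ == "__main__":
    if len(sys.argv) == 3:
        # Usage: script.py stock_system.img fixed_system.img (whole file is read into memory)
        with open(sys.argv[1], "rb") as src:
            raw = src.read()
    else:
        raw = constructed_sample()
    cleaned, removed = strip_markers(raw)
    print("removed markers at:", [hex(off) for off in removed])
    print("sparse magic present:", looks_sparse(cleaned))
    if len(sys.argv) == 3:
        with open(sys.argv[2], "wb") as dst:
            dst.write(cleaned)
```
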
slashdevandroid said:
> Hi all, my question is... does anyone have any rooting experience with the Coolpad 5560S'? Also-- If you have any additional information on these phones feel free to respond as well!
I don't have much experience, but just got one of these and would like to root it so I hope you get some replies. Thanks.
If you manage to find anything out about this I am super interested. Just got one because... why not, it was 10 bucks lol. If you need a guinea pig I'm down.
Hope we can find root for this phone soon, many are trying current root tools, but none are working, I have tried like 5-6 different ones so far, none working as of yet. I'm sure in a few more days - someone will have an update on their tool for this to be rooted.
Nevermind.
I have 4 of them now, so hope we can find a way to root them soon, I also wanted to get the bootloader unlocked if possible.
NeoGodSpeed said:
> I have 4 of them now, so hope we can find a way to root them soon, I also wanted to get the bootloader unlocked if possible.
Opened up one of my 5560s' (Arise) and it looks like it's almost identical to the Coolpad 5217 which happens to have a root and various ROMs available to download. I don't have much time available to start porting ROMs, but someone here might go ahead and give it a look. I'll try to find some time later today to post photos of the PCB.
keebler64 said:
> Opened up one of my 5560s' (Arise) and it looks like it's almost identical to the Coolpad 5217 which happens to have a root and various ROMs available to download. I don't have much time available to start porting ROMs, but someone here might go ahead and give it a look. I'll try to find some time later today to post photos of the PCB.
That would be great
Have you tried towelroot?
towelroot does not work just tried it
I've been playing around with this device and I figured I would share the progress I've made. I also obtained the CPB file (along with the official USB drivers) from Coolpad and was able to extract it with YGDP, the result of which can be found at the link below:
https://drive.google.com/folderview?id=0B4t9dt63rRpXaHo0XzNqVy1WT00&usp=sharing
Based on the extracted boot.img and the partition information pulled from a running phone I attempted a build of CWM for the 5560S - which can also be found at the link above. I haven't had any luck getting YGDP to flash the custom recovery.img and attempting to flash it via Fastboot hangs on "Writing..." Perhaps someone with a little more time on their hands will be able to get this working.
A few notes:
Coolpad uses a custom USB device ID that is not recognized by the fastboot command automatically. You must use the following flag while issuing fastboot commands:
Code:
fastboot -i 0x1EBF <command>
Attempting to flash the stock CPB file via YGDP will result in a "soft-brick" where the phone will hang on a screen that says "1. modem" with up/down on the side. You can access the phone via ADB in this mode and issue the following command to reboot normally (which differs from the advice you may find online for other Coolpad models):
Code:
adb reboot system
Attempting to replace the recovery.img in the temporary folder YGDP creates (which only happens after modifying its configuration for the phone) does not seem to cause it to flash the custom image instead, unlike other Coolpad models
Attempting to replace the recovery.img in the CPB file with the custom recovery.img in a hex editor causes YGDP to complain about the checksum not matching. I'm not sure where this checksum is stored or if it's modifiable.
Hope this helps! :fingers-crossed:
Has anyone figured this out yet?
Just wondering if root is available yet?
stevenmirabito said:
> Attempting to flash the stock CPB file via YGDP will result in a "soft-brick" where the phone will hang on a screen that says "1. modem" with up/down on the side. You can access the phone via ADB in this mode and issue the following command to reboot normally (which differs from the advice you may find online for other Coolpad models):
> Code:
> adb reboot system
> Attempting to replace the recovery.img in the temporary folder YGDP creates (which only happens after modifying its configuration for the phone) does not seem to cause it to flash the custom image instead, unlike other Coolpad models
> Attempting to replace the recovery.img in the CPB file with the custom recovery.img in a hex editor causes YGDP to complain about the checksum not matching. I'm not sure where this checksum is stored or if it's modifiable.
> Hope this helps! :fingers-crossed:
Awesome! TYVM!
I soft-bricked my 5560 as well-- ended up using adb's shell to reboot into the stock recovery, clear both the data and cache, then rebooted and.. it started up fully stock with no issues that I can see..
Quick question -- how did you get the YGDP to actually extract the *.imgs? Using procmon I've seen YGDP read from the CPB but never write to any files..
Coolpad 5560S Pics
Here are some crappy pics of the insides, I didn't see any specific headers for any UART or JTAG, but they could be multiplexed with other pins. I'll get around to actually desoldering the RF shields some day and using the Nikon D90 for the pics instead of the iPhone.
i.imgur.com/8Ywkt0l.jpg
i.imgur.com/UUiyKXa.jpg
i.imgur.com/EnVfhWM.jpg
i.imgur.com/M2XzlCi.jpg
i..imgur.com/8Ywkt0l.jpg
slashdevandroid said:
> Awesome! TYVM!
> I soft-bricked my 5560 as well-- ended up using adb's shell to reboot into the stock recovery, clear both the data and cache, then rebooted and.. it started up fully stock with no issues that I can see..
> Quick question -- how did you get the YGDP to actually extract the *.imgs? Using procmon I've seen YGDP read from the CPB but never write to any files..
The XML config for the phone that presumably tells YGDP how to flash it is stored in dProdRes.dll. Using Resource Hacker or another resource editing application you can edit the XML value for UnzipCPB to "1" in the 5560S section, which causes YGDP to extract (more accurately "split" since the file isn't compressed in any way) the CPB file into the DownloadFiles directory. I've added my modified version of dProdRes.dll to the Google Drive folder referenced above - the md5sum for the original file should be 1041E39DF18B86E9945B4A8601E6ACD7 and the modified file should be E3C5538235B0742425B84D97DF066972.
keebler64 said:
> Here are some crappy pics of the insides, I didn't see any specific headers for any UART or JTAG, but they could be multiplexed with other pins. I'll get around to actually desoldering the RF shields some day and using the Nikon D90 for the pics instead of the iPhone.
> i.imgur.com/8Ywkt0l.jpg
> i.imgur.com/UUiyKXa.jpg
> i.imgur.com/EnVfhWM.jpg
> i.imgur.com/M2XzlCi.jpg
> i..imgur.com/8Ywkt0l.jpg
Awesome ty!
stevenmirabito said:
> The XML config for the phone that presumably tells YGDP how to flash it is stored in dProdRes.dll. Using Resource Hacker or another resource editing application you can edit the XML value for UnzipCPB to "1" in the 5560S section, which causes YGDP to extract (more accurately "split" since the file isn't compressed in any way) the CPB file into the DownloadFiles directory. I've added my modified version of dProdRes.dll to the Google Drive folder referenced above - the md5sum for the original file should be 1041E39DF18B86E9945B4A8601E6ACD7 and the modified file should be E3C5538235B0742425B84D97DF066972.
Outstanding -- thanks for the explanation.
Playing around a bit today noticed:
- YGDP ignores the unzipped files and procmon shows even if YGDP unzips the CPB it still simply reads from the CPB. Tried playing around with the downmod="" section in the XML but YGDP still ignores the zips.
- Did notice that a few of the other coolpads had custom CPB's that only had the recovery in them. Perhaps it's time to reverse engineer a file format..
slashdevandroid said:
> Did notice that a few of the other coolpads had custom CPB's that only had the recovery in them. Perhaps it's time to reverse engineer a file format..
I noticed that too, and it seems that the community for other models had figured out how to do exactly that. Unfortunately, I couldn't find any documentation or tutorials online and didn't receive a response from the one or two people that I contacted.
stevenmirabito said:
> I noticed that too, and it seems that the community for other models had figured out how to do exactly that. Unfortunately, I couldn't find any documentation or tutorials online and didn't receive a response from the one or two people that I contacted.
Same.. We'll keep lookin!
Ty again for all your input in this.. sometimes we all have a bit of the puzzle.
Why can't anyone figure this out?
It seems that since this is an excellent phone that can literally be purchased for $9.99 at King Soopers, that a lot of people would have them even if just for a backup phone. I figured there would be a lot of ROM's, Recovery's, etc... ANYONE, PLEASE HELP US!!!:good:

How To Change The Splash Screen or Boot Logo In Huawei Honor 7?

Hello Everyone!
After I managed to change the boot animation, I started researching some ways to change the boot logo or the splash screen that appears before the boot animation.
Boot animations and splash screens are two different things. The splash screen is the first static frame that you see the moment you turn on your phone. It is displayed before boot animation and it is usually much harder to change.
To change your boot animation, view my post at: http://forum.xda-developers.com/honor-7/help/how-to-change-boot-animation-huawei-t3247851
Back to the splash screen, so far I know the following:
1. The image file must be stored in RGB565 format. Photoshop and Paint.Net (with a plugin) are capable of saving in this format. In Photoshop, you can find it from the advanced options of .bmp.
2. There is a file called "oemlogo.mbn" which I think is responsible for the boot logo. After changing it though, it did not have any effect on the boot logo or splash screen.
If someone knows which file is responsible for the splash screen or he/she can point out a way to change that, it would be greatly appreciated.
Thanks in advance for your help!
Best Regards,
Ken
Here is the solution
All the credit goes to Ziolek67 and Kostyan_nsk, I just made the zip to revert back to our stock logo, and made his guide compatible to our device. Thanks to @kenshiwara for helping me.
**TAKE NANDROID BACKUP VIA TWRP RECOVERY BEFORE DOING THIS**
1. Install adb and fastboot in your PC.
2. Dump your "oeminfo" partition by executing this command
Code:
adb shell su -c "dd if=/dev/block/platform/hi_mci.0/by-name/oeminfo of=/sdcard/oeminfo"
this will be saved in your internal storage as "oeminfo". Saving this to PC is recommended. To do that execute this command
Code:
adb pull /sdcard/oeminfo oeminfo
3. Now, Ziolek67 mentioned to edit the pulled "oeminfo" but in our case I tried and got error "resolution mismatch", so I pulled out his provided stock "oeminfo" of Huawei Ascend P7, which works fine, the sizes are also same of both the "oeminfo". Download this tool, extract and save it to the folder having adb and fastboot.
4. Make your own image with extension *.bmp. The resolution of the image should match your device resolution (1080x1920 pixels). Put it to adb folder.
5. Download OEMinfo.zip extract it and put "oeminfo" in adb folder.
6. Put your *.bmp image in "oeminfo" by executing this command.
Code:
OEM_logo.exe oeminfo *your_logo.bmp*
7. Push new "oeminfo" to your internal storage by executing this command
Code:
adb push oeminfo /sdcard/oeminfo
8. Put new "oeminfo" with new logo in your device by executing this command
Code:
adb shell su -c "dd bs=32768 if=/sdcard/oeminfo of=/dev/block/platform/hi_mci.0/by-name/oeminfo"
**UPDATED THE ABOVE COMMAND, THANKS TO @sminki**
9. Now reboot your device to see your changed logo.
10. To revert back to stock Honor logo simply flash this file using TWRP recovery.
You can get more info here thanks to Kostyan_nsk.
How to make a compatible *.bmp image
Create a new file in Adobe Photoshop with these parameters:
Width: 1080 pixels
Height: 1920 pixels
Resolution: 72 pixels/inch
Color Mode: RGB Color, 8-bit
After making your image save it with these parameters:
Extension: *.bmp
File Format: Windows
In "Advanced Options"
Select R5 G6 B5 from 16-bit depth options.
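A pre-flight check for step 4 and the Photoshop settings above, as an added Python example (not part of OEM_logo.exe or the original guide): it reads the BMP header and reports anything other than a 1080x1920, 16-bit image with R5 G6 B5 colour masks before the file is packed into oeminfo. Function names are hypothetical and the sample headers are constructed.

```python
import struct
import sys

BI_RGB, BI_BITFIELDS = 0, 3                # BMP compression field values
RGB565_MASKS = (0xF800, 0x07E0, 0x001F)    # red, green, blue masks for R5 G6 B5


def check_logo_bmp(data, width=1080, height=1920):
    """Return a list of problems found in the BMP header; empty means it passes."""
    if len(data) < 54 or data[:2] != b"BM":
        return ["not a BMP file (no 'BM' signature or truncated header)"]
    # DIB header starts at offset 14: size, width, height, planes, bpp, compression.
    dib_size, w, h, _planes, bpp, compression = struct.unpack_from("<IiiHHI", data, 14)
    if dib_size < 40:
        return [f"unsupported {dib_size}-byte DIB header"]
    problems = []
    # A negative height only means the rows are stored top-down.
    if (w, abs(h)) != (width, height):
        problems.append(f"dimensions {w}x{abs(h)}, expected {width}x{height}")
    if bpp != 16:
        problems.append(f"{bpp}-bit pixels, expected 16-bit RGB565")
    elif compression == BI_RGB:
        # 16-bit BMPs without explicit masks are interpreted as X1 R5 G5 B5.
        problems.append("16-bit without bit masks is RGB555, not RGB565")
    elif compression != BI_BITFIELDS:
        problems.append(f"unsupported compression type {compression}")
    elif len(data) < 66:
        problems.append("file ends before the colour masks")
    else:
        # The three masks sit right after the first 40 bytes of the DIB header.
        masks = struct.unpack_from("<III", data, 54)
        if masks != RGB565_MASKS:
            shown = ", ".join(f"{m:#06x}" for m in masks)
            problems.append(f"colour masks {shown} are not R5 G6 B5")
    return problems


def constructed_header(w, h, bpp, compression, masks=()):
    """Build a header-only BMP for testing (constructed sample, no pixel data)."""
    dib = struct.pack("<IiiHHIIiiII", 40, w, h, 1, bpp, compression, 0, 2835, 2835, 0, 0)
    extra = struct.pack(f"<{len(masks)}I", *masks)
    offset = 14 + len(dib) + len(extra)
    return struct.pack("<2sIHHI", b"BM", offset, 0, 0, offset) + dib + extra


if __name__ == "__main__":
    if len(sys.argv) == 2:
        with open(sys.argv[1], "rb") as f:
            header = f.read(66)
    else:
        header = constructed_header(1080, 1920, 24, BI_RGB)   # a 24-bit export
    found = check_logo_bmp(header)
    print("OK" if not found else "\n".join(found))
```
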
The Android Hero Of Today! ~ Amazing guide. Thank you very much!
Thank you @kenshiwara
It should be noted that in the wrong hands dd can brick your device, you are writing directly to the block device and dd does not care what you are doing.. especially if you do not add bs and/or count
I don't think adding bs would do any good, as dd automatically stops when the input of blocks runs out, in our case that is 32768, it can't go forever. Hope this was what you were pointing out, if no then please explain, I don't know much about other attribs and if the commands need any improvements then please suggest it so that I can add it.
Thank you
no it's fine, just giving general advice
when i said "you" i didn't mean you
you never know who is reading these things and what they might do, dd can be very dangerous, as you (DigiGoon) know... Man that was confusing
Oh, Okay
I have just written a clearer version of your solution, at my post here:
http://forum.xda-developers.com/honor-7/general/guide-beginners-how-to-root-update-fix-t3255452
Everything is the same, I just made it a bit more organized for the absolute beginners to understand.
Thank you @DigiGoon and @sminki for writing and updating this guide.
Anytime buddy @kenshiwara

My (custom-made) kernel fails to boot from bootloader menu but works from fastboot

Hi everyone,
I have recently been trying to port Ubuntu Touch to our beloved surnia.
I'm using the phablet-5.1 tree with AOSP-5.1 device, vendor, kernel and other repositories.
I managed to finish the build with the kernel config adapted to work with Ubuntu. (using jamino's phablet-porting-scripts (on github) and patching some files about uid/gid errors). But this isn't the problem, the default defconfig causes the same problems.
I can confirm my kernel/e3 recovery both work and can mount partitions etc, but only when I'm using the
Code:
fastboot boot recovery.img
command AND my custom boot.img isn't flashed to the device.
When trying to boot the recovery directly from the phone I get a
Code:
Error: Failed to load kernel!
error message in the bootloader log.
If my boot.img is flashed to the phone, whatever file I try to load with
Code:
fastboot boot
, I get an error from my computer :
Code:
booting...
FAILED (remote failure)
but no error from the phone
I had to replace the prebuilt gcc toolchains in the android source tree with my system's ones, could it cause the problem?
I'm quite new to android development and all so please don't blame me if the fix is obvious.
Thanks in advance

iplay 7t (sc9832e processor) root / unlock bootloader suggestions

Recently purchased an iplay 7t after reading the xda review. This is replacing an LG v400 tablet that I had rooted. I updated the iplay to build T701_V1.20_20191112, enabled developer options, enabled oem unlock bootloader, found the corresponding firmware pac, installed magisk and used it to patch boot.img. So far so good.
I entered fastboot, then I attempted to flash the modified boot.img and was told:
Code:
target didn't report max-download-size
sending 'boot' (18584 KB)...
OKAY [ 0.593s]
writing 'boot'...
FAILED (remote: Flashing Lock Flag is locked. Please unlock it first!)
finished. total time: 0.608s
I tried various options to unlock the bootloader:
Code:
> fastboot getvar unlocked
unlocked:
finished. total time: -0.000s
> fastboot oem unlock
...
FAILED (remote: unknown cmd.)
finished. total time: -0.000s
> fastboot oem unlock-go
...
FAILED (remote: unknown cmd.)
finished. total time: 0.002s
> fastboot flashing get_unlock_ability
...
FAILED (remote: Not implement.)
finished. total time: -0.000s
> fastboot flashing unlock
...
FAILED (remote: Not implemet.)
finished. total time: -0.000s
> fastboot flashing unlock_critical
...
FAILED (remote: Not implement.)
finished. total time: 0.016s
> fastboot flashing unlock_bootloader
fastboot: usage: unknown 'flashing' command unlock_bootloader
> fastboot flashing unlock_bootloader_nonce
fastboot: usage: unknown 'flashing' command unlock_bootloader_nonce
Okay ... fine. I fired up SPD Research tool and attempted to use it to flash the modified boot.img. It transfers the image and then times out.
As a sanity check I used SPD Research tool to flash the original boot.img and that worked fine.
I'll note the modified image is smaller than the original, however padding the modified image with zeros to the same size didn't seem to help. Using SPD Research tool to flash the padded image still timed out.
I am looking to open a request up on the Alldocube support site (currently their registration form is giving me an error), in the meantime ... suggestions? Has anyone successfully flashed a modified boot.img on this device / rooted this device?
in the "developer option" on your phone, you should enable the "allow unlock bootloader" option.
DR.Doyle said:
> in the "developer option" on your phone, you should enable the "allow unlock bootloader" option.
Yes ... I have that enabled.
Okay I was able to unlock the bootloader by using the procedure documented for the Qin 2 Pro. With the bootloader unlocked on reboot the device notes:
Code:
INFO: LOCK FLAG IS : UNLOCKED!!!
followed by:
Code:
WARNING: LOCK FLAG IS : UNLOCKED, SKIP VERIFY!!!
Using fastboot I can now reflash the stock vbmeta and the stock recovery without any problems and the stock recovery boots fine.
Also if I re-sign the stock recovery, then I can't flash it (fastboot flash hangs) until I've flashed a modified vbmeta containing the new public key for the re-signed recovery. Meaning flashing vbmeta is "working".
All this seems like I'm on the right track.
However attempting to boot into the re-signed stock recovery results in:
Code:
INFO: LOCK FLAG IS : UNLOCKED!!!
followed by the device hanging (without displaying the WARNING message) so there is still something that's unhappy.
Any thoughts on how to get to the point that I can flash a useable re-signed stock recovery? If I can get that to work, then I should be in good shape to install magisk.
jwehle said:
> Okay I was able to unlock the bootloader by using the procedure documented for the Qin 2 Pro. With the bootloader unlocked on reboot the device notes:
> Code:
> INFO: LOCK FLAG IS : UNLOCKED!!!
> followed by:
> Code:
> WARNING: LOCK FLAG IS : UNLOCKED, SKIP VERIFY!!!
> Using fastboot I can now reflash the stock vbmeta and the stock recovery without any problems and the stock recovery boots fine.
> Also if I re-sign the stock recovery, then I can't flash it (fastboot flash hangs) until I've flashed a modified vbmeta containing the new public key for the re-signed recovery. Meaning flashing vbmeta is "working".
> All this seems like I'm on the right track.
> However attempting to boot into the re-signed stock recovery results in:
> Code:
> INFO: LOCK FLAG IS : UNLOCKED!!!
> followed by the device hanging (without displaying the WARNING message) so there is still something that's unhappy.
> Any thoughts on how to get to the point that I can flash a useable re-signed stock recovery? If I can get that to work, then I should be in good shape to install magisk.
Dear jwehle:
Good job, I have also modified the pac firmware file, which is based on the Chinese version firmware: T701-1101-vbmetapri-vennofbe-systemnore-recpri01.pac
What's modified:
1. re-sign the vbmeta img
2. delete fbe force encryption in vendor partitions
3. delete the script in system.img to prevent factory recovery restore
4. modify recovery.img to a magisk built-in recovery
Please use SPD_Research_Tool to flash the pac, change the Android OS language from Chinese to English, install the magiskmanager app, and then use the adb command (adb reboot recovery) to let the tablet reboot to recovery.
After the tablet reboots to the Android OS again, open the magiskmanager app and you can see that magisk can get root authority.
For how to change the language from Chinese to English, please see the attached png file.
Considering that the Android OS you are using is the English version (including Google services), according to the modification points above, you can try to use the vbmeta and recovery (built-in magisk) modified with your own signature, and then delete the fbe force encryption and recovery restoration in the system and vendor images, then use the SPD_Research_Tool to package the imgs into a pac image, flash the pac image, install the magiskmanager app, and use the adb command to restart the machine into recovery mode, so you can use magisk to get root permissions.
twrp egg: https://mega.nz/#!YZ9VDZbT!1ptlOI6g3FS_ES-cLGhLy9ybGtdHQ8vzVHaasAXglXo
And lastly, thanks again to PeterCxy on xda and the other masters (sifu) on 4pda.
wangyiling said:
> Dear jwehle:
> Good job, I have also modified the pac firmware file, which is based on the Chinese version firmware: T701-1101-vbmetapri-vennofbe-systemnore-recpri01.pac
> What's modified:
> 1. re-sign the vbmeta img
> 2. delete fbe force encryption in vendor partitions
> 3. delete the script in system.img to prevent factory recovery restore
> 4. modify recovery.img to a magisk built-in recovery.
Thanks for supplying the modified PAC and for explaining the changes.
Your PAC seemed to work fine and now that I have a better understanding
of things I should be able to build my own PAC when I have a chance.
Your time and effort in explaining things is appreciated.
What's the significance of removing the encryption for the vendor partitions?
jwehle said:
What's the significance of removing the encryption for the vendor partitions?
The vendor img in my PAC just uses ext4 format. I have used simg2img to convert the original vendor img to ext4 format, and modified the fstab file in the vendor/etc folder.
fstab.sp9832e_1h10:
Code:
/dev/block/platform/soc/soc:ap-ahb/20600000.sdio/by-name/userdata /data f2fs noatime,nosuid,nodev,discard,inline_xattr,inline_data wait,check,fileencryption=aes-256-xts,reservedsize=128M
/dev/block/platform/soc/soc:ap-ahb/20600000.sdio/by-name/userdata /data ext4 noatime,nosuid,nodev,nomblk_io_submit,noauto_da_alloc wait,check,fileencryption=aes-256-xts
---------->
Code:
/dev/block/platform/soc/soc:ap-ahb/20600000.sdio/by-name/userdata /data f2fs noatime,nosuid,nodev,discard,inline_xattr,inline_data wait,check,encryptable=aes-256-xts,reservedsize=128M
/dev/block/platform/soc/soc:ap-ahb/20600000.sdio/by-name/userdata /data ext4 noatime,nosuid,nodev,nomblk_io_submit,noauto_da_alloc wait,check,encryptable=aes-256-xts
wangyiling said:
The vendor img in my PAC just uses ext4 format. I have used simg2img to convert the original vendor img to ext4 format, and modified the fstab file in the vendor/etc folder.
Actually, I was more curious as to why it was necessary / desirable to remove the encryption from the vendor partitions.
jwehle said:
Actually, I was more curious as to why it was necessary / desirable to remove the encryption from the vendor partitions.
Just for TWRP to read the data partition; convenient for personal use.
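The fstab edit above swaps `fileencryption` for `encryptable` on both /data entries, which turns userdata encryption from mandatory into optional. The following is an added example, not code from the thread: a small audit that classifies the /data entries of an fstab and reports any that are weaker than the stock file. The function names and the three policy labels are hypothetical; the two sample fstabs are built from the lines quoted in the post.

```python
# Added example (not from the thread): audit the fs_mgr flags on /data entries.
# STOCK and MODIFIED are the two fstab.sp9832e_1h10 variants quoted in the post.
DEV = "/dev/block/platform/soc/soc:ap-ahb/20600000.sdio/by-name/userdata"
STOCK = "\n".join([
    DEV + " /data f2fs noatime,nosuid,nodev,discard,inline_xattr,inline_data"
          " wait,check,fileencryption=aes-256-xts,reservedsize=128M",
    DEV + " /data ext4 noatime,nosuid,nodev,nomblk_io_submit,noauto_da_alloc"
          " wait,check,fileencryption=aes-256-xts",
])
MODIFIED = STOCK.replace("fileencryption=", "encryptable=")

# fs_mgr flags that make encryption mandatory vs. merely possible.
FORCED = {"fileencryption", "forceencrypt", "forcefdeorfbe"}
OPTIONAL = {"encryptable"}
RANK = {"none": 0, "optional": 1, "forced": 2}  # hypothetical labels


def parse_fstab(text):
    """Yield (mount_point, fs_type, fs_mgr_flag_names) for each 5-field entry."""
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        fields = line.split()
        if len(fields) != 5:
            continue  # not a <dev> <mnt> <type> <opts> <fs_mgr_flags> line
        names = {flag.split("=", 1)[0] for flag in fields[4].split(",")}
        yield fields[1], fields[2], names


def data_encryption_policy(text):
    """Map each /data filesystem type to 'forced', 'optional' or 'none'."""
    policy = {}
    for mount_point, fs_type, names in parse_fstab(text):
        if mount_point != "/data":
            continue
        if names & FORCED:
            policy[fs_type] = "forced"
        elif names & OPTIONAL:
            policy[fs_type] = "optional"
        else:
            policy[fs_type] = "none"
    return policy


def downgrades(stock_text, candidate_text):
    """Return the /data fs types whose policy is weaker than in the stock fstab."""
    stock = data_encryption_policy(stock_text)
    cand = data_encryption_policy(candidate_text)
    return sorted(fs for fs, level in stock.items()
                  if RANK[cand.get(fs, "none")] < RANK[level])


if __name__ == "__main__":
    print(data_encryption_policy(STOCK), data_encryption_policy(MODIFIED))
    print("weakened:", downgrades(STOCK, MODIFIED))
```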
It looks like the issue on this tablet is similar to what the magisk documentation mentions regarding the new Samsung tablets. Meaning after the bootloader is unlocked when rooting you should flash newly signed versions of the following:
Code:
vbmeta
boot
recovery
What was happening is when the system started normally it saw that the recovery image had been modified so it checked if the boot image was the factory standard image. Since I hadn't touched the boot image the OS went ahead and attempted to replace the recovery image I flashed with a standard recovery image generated on the fly from the factory standard boot image. This caused a soft-brick when I rebooted into recovery since that recovery image wasn't signed using the public key specified by my replacement vbmeta.
By also flashing a newly signed boot image, because the signature is different from what it knows about, the system no longer attempts to use it to refresh the recovery image.
Here's an outline of what I did to successfully root the device:
1. Use the Qin 2 Pro instructions / tools to unlock the boot loader.
2. Flash the appropriate factory standard firmware to establish a known starting point. I used iplay7t(T701)-Android9.0-ALLDOCUBE-191112 from the Alldocube web site.
3. Use SPD Research Tool to extract vbmeta-sign.img, boot.img, and recovery.img.
4. Use avbtool (with the below patch) to extract the public keys from vbmeta-sign.img like so:
Code:
avbtool info_image --image vbmeta-sign.img
5. Use make (with the below makefile) to sign vbmeta, boot, and recovery using a new key.
6. Flashed vbmeta, boot, and recovery.
7. Booted into recovery, saw that it worked, and did a factory reset.
8. Used magisk to patch recovery.img in the normal fashion, signed the patched recovery using the new key, and flashed the patched recovery.
9. Proceed to finish installing magisk in the normal fashion.
Notes:
- rsa4096_vbmeta.pem is the private key mentioned in the Qin 2 Pro article.
- The dhtbsign-vbmeta command is basically the dhtb signing python script from the Qin 2 Pro article.
Here's the trivial patch for avbtool to dump the public keys.
Code:
--- avbtool 2020-02-22 22:11:55.107787032 -0500
+++ avbtool.dumpkeys 2020-02-22 22:15:36.046283077 -0500
@@ -1657,6 +1657,10 @@ class AvbChainPartitionDescriptor(AvbDes
Arguments:
o: The object to write the output to.
"""
+ kfd = open(self.partition_name, "w");
+ kfd.write(self.public_key);
+ kfd.close();
+
o.write(' Chain Partition descriptor:\n')
o.write(' Partition Name: {}\n'.format(self.partition_name))
o.write(' Rollback Index Location: {}\n'.format(
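Review bot: the added `open(self.partition_name, "w")` writes binary key data through a text-mode handle and takes the file path straight from the image being inspected. `self.public_key` is the raw key blob, so the mode should be "wb": under Python 3 a text-mode write of bytes raises TypeError, and on Windows text mode can rewrite newline bytes inside the key. The partition name comes from the vbmeta descriptor, so reduce it with os.path.basename (or check it against the expected partition list) before using it as a path, otherwise a crafted image chooses where the file lands. The write is also a side effect of the descriptor's print method, so every info_image run drops files into the current directory, while the makefile reads them from keys/; writing under keys/ inside a `with` block, ideally behind an explicit option, would match how the output is consumed. The trailing semicolons can go.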
Here's the makefile I used for signing the images.
Code:
all: boot-sign.img recovery-sign.img vbmeta-sign.img

vbmeta-sign.img: Makefile avb4096_pkmd.bin keys/*
	avbtool make_vbmeta_image --output vbmeta.img --padding_size 16384 \
		--key ../rsa4096_vbmeta.pem --algorithm SHA256_RSA4096 --flag 0 \
		--chain_partition boot:1:avb4096_pkmd.bin \
		--chain_partition system:3:keys/system \
		--chain_partition vendor:4:keys/vendor \
		--chain_partition product:10:keys/product \
		--chain_partition dtbo:9:keys/dtbo \
		--chain_partition recovery:2:avb4096_pkmd.bin \
		--chain_partition l_modem:5:keys/l_modem \
		--chain_partition l_ldsp:6:keys/l_ldsp \
		--chain_partition l_gdsp:7:keys/l_gdsp \
		--chain_partition pm_sys:8:keys/pm_sys \
		--chain_partition dtb:11:keys/dtb
	dhtbsign-vbmeta vbmeta.img vbmeta-sign.img
	@rm -f vbmeta.img

avb4096_pkmd.bin: avb4096.pem
	avbtool extract_public_key --key avb4096.pem --output avb4096_pkmd.bin

avb4096.pem:
	openssl genrsa -out avb4096.pem 4096

boot-sign.img: boot.img avb4096.pem
	cp boot.img boot-sign.img
	avbtool add_hash_footer --image boot-sign.img \
		--partition_name boot --partition_size 36700160 \
		--key avb4096.pem --algorithm SHA256_RSA4096

recovery-sign.img: recovery.img avb4096.pem
	cp recovery.img recovery-sign.img
	avbtool add_hash_footer --image recovery-sign.img \
		--partition_name recovery --partition_size 36700160 \
		--key avb4096.pem --algorithm SHA256_RSA4096
@jwehle, very grateful for your detailed sharing.
Did you have any trouble getting the tablet to populate the fastboot devices list?
I have USB drivers installed and can view the tablet's internal storage when it's not in fastboot mode. She's plugged directly into the mobo and I've tried two cables.
When in fastboot mode, it comes up in the Windows Device Manager as fastboot Gadget and drivers are apparently not available. I've tried using Zadig to feed it a driver of some kind, but still nothing.
MissAyako said:
Did you have any trouble getting the tablet to populate the fastboot devices list?
I have USB drivers installed and can view the tablet's internal storage when it's not in fastboot mode. She's plugged directly into the mobo and I've tried two cables.
When in fastboot mode, it comes up in the Windows Device Manager as fastboot Gadget and drivers are apparently not available. I've tried using Zadig to feed it a driver of some kind, but still nothing.
Seems the issue was with Windows. I thought I would be able to get the unlock token with Windows and then use WSL to do the rest of the signing, but apparently not.
Luckily I had an old laptop lying around. I threw Linux Mint on it and it worked just fine.
It didn't seem to work just using a live USB; I had to install Linux to the hard disk, but YMMV.
jwehle said:
It looks like the issue on this tablet is similar to what the magisk documentation mentions regarding the new Samsung tablets. Meaning after the bootloader is unlocked when rooting you should flash newly signed versions of the following:
This was wonderful, thank you! I've added some of my own notes below as an experience of what I encountered when attempting this process myself (spoiler'd because it is a lot).
I do not have enough post count to add links, but titles of the relevant articles have been added.
Follow steps in Article "Guide: How to Unlock Xiaomi Qin 2 (Pro) and Install Custom ROMs" from step 1 to (and including) step 10 (Unlocking section).
Notes:
- A Linux PC is necessary.
- You'll have to mark the "fastboot" file from the "Android_device_unlock.rar" archive as executable (chmod +x).
- Run the "fastboot" file as root.
- Getting the "SPD Research Tool" to pick up the tablet and not let the tablet try to move to either the charging
screen or the bootlogo is difficult, but do-able. Press and hold Power+Vol_Up and release when Windows does its
USB device detected chime.
- Flashing takes a few minutes (I think around 300 seconds).
- The SPD Research Tool extracts the PAC file contents into a folder. Grab the system images from there.
- The "avbtool" is available to be cloned via git from Google's repo
- The avbtool is a python script that is patched with three lines of code at line 1776:
Code:
kfd = open(self.partition_name, "w");
kfd.write(self.public_key);
kfd.close();
- When you use the patched avbtool on the vbmeta-sign.img file you copied (avbtool info_image --image vbmeta-sign.img)
it will produce several partitions with relative public keys that need to be stored in separate files for the next step.
The contents of the files are simply the public key and the partition name as the file name. Store the files in a folder named "keys".
- When creating the makefile, ensure that proper indentation is used. The code segment below is properly formatted (hopefully). If you get make errors, remove and re-indent the lines.
- If your "rsa4096_vbmeta.pem" keyfile is not placed alongside the makefile, ensure the --key flag points to this file.
- The makefile exists in the same directory as the system images.
- I had to insert local paths to the avbtool, as it was not installed to the system PATH.
- The dhtbsign-vbmeta.py command is located below. Make sure to mark this as executable as well.
Everything else is rather straightforward.
# makefile
Code:
all: boot-sign.img recovery-sign.img vbmeta-sign.img

vbmeta-sign.img: makefile avb4096_pkmd.bin keys/*
	avbtool make_vbmeta_image --output vbmeta.img --padding_size 16384 \
		--key rsa4096_vbmeta.pem --algorithm SHA256_RSA4096 --flag 0 \
		--chain_partition boot:1:avb4096_pkmd.bin \
		--chain_partition system:3:keys/system \
		--chain_partition vendor:4:keys/vendor \
		--chain_partition product:10:keys/product \
		--chain_partition dtbo:9:keys/dtbo \
		--chain_partition recovery:2:avb4096_pkmd.bin \
		--chain_partition l_modem:5:keys/l_modem \
		--chain_partition l_ldsp:6:keys/l_ldsp \
		--chain_partition l_gdsp:7:keys/l_gdsp \
		--chain_partition pm_sys:8:keys/pm_sys \
		--chain_partition dtb:11:keys/dtb
	./dhtbsign-vbmeta.py vbmeta.img vbmeta-sign.img
	@rm -f vbmeta.img

avb4096_pkmd.bin: avb4096.pem
	avbtool extract_public_key --key avb4096.pem --output avb4096_pkmd.bin

avb4096.pem:
	openssl genrsa -out avb4096.pem 4096

boot-sign.img: boot.img avb4096.pem
	cp boot.img boot-sign.img
	avbtool add_hash_footer --image boot-sign.img \
		--partition_name boot --partition_size 36700160 \
		--key avb4096.pem --algorithm SHA256_RSA4096

recovery-sign.img: recovery.img avb4096.pem
	cp recovery.img recovery-sign.img
	avbtool add_hash_footer --image recovery-sign.img \
		--partition_name recovery --partition_size 36700160 \
		--key avb4096.pem --algorithm SHA256_RSA4096
# dhtbsign-vbmeta.py file (from "How I Unlocked Xiaomi Qin 2 Pro and Installed Phh GSI")
Code:
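#!/usr/bin/env python
# Appends a DHTB footer to a vbmeta image and pads the result to 1 MiB.
# Usage: dhtbsign-vbmeta.py <vbmeta.img> [<output.img>]
import hashlib
import sys

# Read the AVB-signed vbmeta image and hash its full contents.
with open(sys.argv[1], "rb") as f:
    b = f.read()
sha = hashlib.sha256(b).digest()

# The makefile passes the output name as the second argument; fall back to
# the original hard-coded name when it is omitted.
out = sys.argv[2] if len(sys.argv) > 2 else "vbmeta_signed.img"
with open(out, "wb") as f:
    f.write(b)
    # The footer is written 512 bytes before the end of the 1 MiB image.
    f.seek(1048576 - 512)
    f.write(b'\x44\x48\x54\x42\x01\x00\x00\x00')  # "DHTB" followed by 01 00 00 00
    f.write(sha)  # SHA-256 of the input image
    # 8 zero bytes, then 0x4000 (16384) little-endian, the same value as --padding_size.
    f.write(b'\x00\x00\x00\x00\x00\x00\x00\x00\x00\x40\x00\x00')
    # Write the final byte so the file is exactly 1 MiB long.
    f.seek(1048576 - 1)
    f.write(b'\x00')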
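To check the result of the signing step before flashing, the footer written by the script above can be read back and compared against the payload. This is an added example, not part of the original post or the Qin 2 Pro article; `build_image` and `verify_dhtb` are hypothetical names, and it assumes the script's trailing `00 40 00 00` is the payload length (it equals the makefile's `--padding_size 16384`).

```python
# Added example, not from the thread: check a DHTB-footed vbmeta image.
import hashlib
import struct

IMAGE_SIZE = 1048576             # the script pads its output to 1 MiB
FOOTER_OFF = IMAGE_SIZE - 512    # footer is written 512 bytes before the end
MAGIC = b"DHTB\x01\x00\x00\x00"  # first 8 footer bytes written by the script


def build_image(vbmeta):
    """Lay out vbmeta + footer as the script does, in memory (sample builder).

    Assumption: the script's constant 00 40 00 00 is the payload length.
    """
    footer = (MAGIC + hashlib.sha256(vbmeta).digest() + b"\x00" * 8
              + struct.pack("<I", len(vbmeta)))
    img = bytearray(IMAGE_SIZE)
    img[:len(vbmeta)] = vbmeta
    img[FOOTER_OFF:FOOTER_OFF + len(footer)] = footer
    return bytes(img)


def verify_dhtb(image):
    """Return a list of problems; an empty list means the footer is consistent."""
    if len(image) != IMAGE_SIZE:
        return ["image is %d bytes, expected %d" % (len(image), IMAGE_SIZE)]
    footer = image[FOOTER_OFF:FOOTER_OFF + 52]
    if footer[:8] != MAGIC:
        return ["DHTB magic not found at offset %#x" % FOOTER_OFF]
    stored_digest = footer[8:40]
    (size,) = struct.unpack("<I", footer[48:52])
    if size == 0 or size > FOOTER_OFF:
        return ["implausible payload size %d" % size]
    problems = []
    if hashlib.sha256(image[:size]).digest() != stored_digest:
        problems.append("SHA-256 of the first %d bytes does not match the footer" % size)
    if any(image[size:FOOTER_OFF]):
        problems.append("non-zero bytes between payload and footer")
    return problems


# Constructed sample: 16384 bytes (the makefile's --padding_size), not a real vbmeta.
SAMPLE_VBMETA = b"AVB0" + bytes(16380)

if __name__ == "__main__":
    good = build_image(SAMPLE_VBMETA)
    print("intact:", verify_dhtb(good))
    tampered = bytearray(good)
    tampered[100] ^= 0xFF        # change one payload byte after "signing"
    print("tampered:", verify_dhtb(bytes(tampered)))
```

A mismatch here means the vbmeta was rebuilt without re-running the DHTB step, or that its length differs from the 16384 bytes the script hard-codes.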
wuxianlin has built a TWRP device for T701.
I think this will be a help.
Help me
Sir, please help. Same problem on my device, same chipset, Symphony i95. Please, sir, modify my PAC file, please....
wangyiling said:
Dear jwehle:
Good job. I have also modified the PAC firmware file, which is based on the Chinese version firmware: T701-1101-vbmetapri-vennofbe-systemnore-recpri01.pac
What's modified:
1. Re-sign the vbmeta img
2. Delete FBE force encryption in vendor partitions
3. Delete the script in system.img to prevent factory recovery restore
4. Modify recovery.img to a Magisk built-in recovery
Please use SPD_Research_Tool to flash the PAC, change the Android OS language from Chinese to English, install the magiskmanager app, and then use the adb command (adb reboot recovery) to let the tablet reboot to recovery.
After the tablet reboots to Android OS again, open the magiskmanager app; you can see that Magisk can get root authority.
For how to change the language from Chinese to English, please see the attached PNG file.
Considering that the Android OS you are using is the English version (including Google services), according to the modification points above, you can try to use the vbmeta and recovery (with built-in Magisk) modified with your own signature, then delete the FBE force encryption and recovery restoration in the system and vendor images, then use SPD_Research_Tool to package the imgs into a PAC image, flash the PAC image, install the magiskmanager app, and use the adb command to restart the machine into recovery mode, so you can use Magisk to get root permissions.
TWRP egg: https://mega.nz/#!YZ9VDZbT!1ptlOI6g3FS_ES-cLGhLy9ybGtdHQ8vzVHaasAXglXo
And lastly, thanks again to PeterCxy on XDA and the other masters (sifu) on 4PDA.
Can I just flash the PAC without unlocking the bootloader?
Thanks in advance.
hidroela said:
Can I just flash the PAC without unlocking the bootloader?
Thanks in advance.
Yes, just flash the PAC.
wangyiling said:
Yes, just flash the PAC.
I did unlock the bootloader, flashed the PAC and followed the instructions for Magisk to work, but after a third reboot root was gone.
I don't know what I am missing.

Signing release for "fastboot update"?

Device in question, although likely not relevant to the issue I am having: Pixel 2 XL (Taimen). Let me know if there's any info I may have missed sharing that could help solve this.
My overarching goals here are:
1. Build vanilla AOSP "user" variant without root or any other additions
2. Sign the build with my own release keys
3. Be able to git-checkout release tags at a later time, build again, and produce OTA updates for this vanilla AOSP build
So far, I have been able to successfully build the latest release and flash it to my device using:
Code:
fastboot flashall
The device boots and runs as you would expect.
However, that is all using the test-key. I have followed the official documentation for generating release keys:
hxxps://source.android[.]com/devices/tech/ota/sign_builds#release-keys
The same documentation page provides the following listing for generating the release image:
Code:
make dist
# -o is explained in the next section
./build/make/tools/releasetools/sign_target_files_apks \
    -o \
    --default_key_mappings ~/.android-certs out/dist/*-target_files-*.zip \
    signed-target_files.zip
Apparently SignApk.jar doesn't work with password-encrypted keys (it throws an exception then swallows it which causes the whole thing to fail at a later point), and signing the APKs in the target files ZIP fails. Fine, I'm willing to use an unencrypted key for testing this project.
So I successfully get a signed-target_files.zip.
Lastly, the documentation provides the following for producing the release image:
Code:
./build/make/tools/releasetools/img_from_target_files signed-target-files.zip signed-img.zip
This also works successfully (minus the typo with the filename, switching the '_' character for '-'), so I use this to install:
Code:
fastboot update -w signed-img.zip
Then I get symptoms of the problem:
1. Warning that the bootloader is unlocked (fine)
2. White screen with "Google" logo
3. Reboot to bootloader
I never see the "android" splash screen after 2. like when I
Code:
fastboot flashall
to install the test-key version which does work.
So something else that I decided to try was to create an "unsigned-img.zip". I basically used img_from_target_files on the original, unsigned target_files.zip and did a
Code:
fastboot update -w unsigned-img.zip
This also booted successfully.
=====================
To recap:
1. Building is successful
2. "fastboot flashall" is successful
3. "fastboot update unsigned-img.zip" is successful
4. "fastboot update signed-img.zip" is NOT successful and always reboots back to the bootloader
Is there something I'm missing with regards to the image signing? If I'm doing this and having this issue on an unmodified AOSP branch, shouldn't everyone else be having these signing issues, as well?
Any help is appreciated.
It worked for me without -w argument:
Code:
fastboot update signed-img.zip
