Question OnePlus 10T 5G Hard Brick/Boot Loop Issue - OnePlus 10T 5G

The Issue:
The phone is constantly boot looping (flashes the OnePlus logo). I am unable to go to fastboot through either adb or through the on-phone buttons.
When plugged into a charger, it immediately begins to bootloop once enough power is supplied.
The only way to turn it off is by letting it get to 0%.
What caused the issue:
My phone got soft bricked all of a sudden, so I followed some tutorials that I found online showing me how to flash firmware using adb in fastboot and by unlocking my bootloader. This temporarily fixed the issue, but it told me that after doing everything I should relock it through ADB. Foolishly, I did so and am now stuck in this situation.
What I've tried:
I am able to get into EDL mode by holding both volume buttons, even while in the boot loop state.
I have downloaded the latest version of QPST and this firmware file (https://firmwarefile.com/oneplus-10t-5g-cph2415).
Quick note: I'm not sure if that's how it's meant to be, but QPST always detects my phone as "Download" (ESN: Download, Phone Number: Download, Banner: Download).
I am not quite sure how to use QPST and have tried following the guide, which told me to select some .hex files from the firmware I downloaded, but I was unable to find any .hex files at all and therefore could not proceed.
I also tried QFIL by selecting prog_firehose_ddr.elf from the IMAGES folder and tried multiple times in both UFS and emmc mode, selecting all of the rawprogram 1-5.xml files with their corresponding patch1-5.xml files from the IMAGES folder, but I always got the same error:
ERROR: function: sahara_rx_data:276 Unable to read packet header. Only read 0 bytes
ERROR: function: sahara_main:982 Sahara protocol error
ERROR: function: main:320 Uploading Image using Sahara protocol failed
Download Fail:Sahara Fail:QSaharaServer Fail process fail
Finish Download
I have tried the leaked EDL flasher from here: https://forum.xda-developers.com/t/edl-flash-tool-leak.4494211/. However, I have been unsuccessful in doing so, though I may have been doing it wrong, and it would be greatly appreciated if someone could explain or tell me how to do it. As you can see in the attached image, I tried to flash it by using the images folder located in the firmware that I have downloaded. But it just gets stuck at 3% indefinitely as the time goes up forever.
Thanks for reading, looking forward to any replies/info.

uh do not flash it by qfil it will just not work because oneplus actually blocked qfil and qpst so the only way is their edl tool and you cannot flash it on the edl tool unless you have an (actual) account and (not) bypassed

oneplus is really starting to nerve me really their merge with oppo is like a mistake

oneplushypergaming said:
oneplus is really starting to nerve me really their merge with oppo is like a mistake
the Merge was a mistake, its laughable that OnePlus went from being with the opensource community to being completely against it.. What annoys me the most is, instead of just locking their bootloader, they post the source code for their phone, probably as they have to, yet they give no way to utilize that code without developers running the risk of bricking their device.. Developers are willing to dedicate their time and money, to build for a device, all they ask, is for the ability to be able to unbrick, that is humble, Devs ask for donations, they do not force it.. Oppo do not even allow their bootloader to be unlocked, which prevents users from bricking their device.. OnePlus allow users to unlock their bootloader, knowing full well that Developers will understandably not be willing to develop for a device without a potential 60-80% brick chance.. The code could very well build for said rom, but once flashed it has the potential to turn the dev's device into a paper weight, meaning something they do to provide, turns into something that ultimately takes..

hosthere247 said:
the Merge was a mistake, its laughable that OnePlus went from being with the opensource community to being completely against it.. What annoys me the most is, instead of just locking their bootloader, they post the source code for their phone, probably as they have to, yet they give no way to utilize that code without developers running the risk of bricking their device.. Developers are willing to dedicate their time and money, to build for a device, all they ask, is for the ability to be able to unbrick, that is humble, Devs ask for donations, they do not force it.. Oppo do not even allow their bootloader to be unlocked, which prevents users from bricking their device.. OnePlus allow users to unlock their bootloader, knowing full well that Developers will understandably not be willing to develop for a device without a potential 60-80% brick chance.. The code could very well build for said rom, but once flashed it has the potential to turn the dev's device into a paper weight, meaning something they do to provide, turns into something that ultimately takes..
Well said to be honest that clears my suspicion about oppo they are greedy and dirty and maybe it is oppo who is making oneplus act like this in the first place oneplus should really consider all of this and give the people what they want instead of being a monopoly like oppo i never even liked oppo from the beginning actually i trusted oneplus with my 7t because i knew if i were to brick it the msm tool will always be there it has been months since the release of the 10t and ace pro and yet still no msm tool for it or a way to even get it back yet but there are many msm tools for the rest of the oneplus devices so maybe i am wrong they can tell us but i still think it is wrong that the 10 pro has to have an actual account.

I'm stuck with a Hard Brick and my device screen is black, only entering EDL for a few seconds.

Qmiclient it's the new MSM

AkayamiShurui said:
Qmiclient it's the new MSM

Hello, I found this topic because I'm facing the same problem as OP after relocking the bootloader... Has anyone found a solution to flash in EDL mode? Thanks

mybrickplus said:
Hello , I found this topic because i'm facing the same problem as OP after relocking bootloader .... As anyone found solution to flash on edl mode ? Thanks
the only thing i can think of is a slot switch

Yes, probably what happened, but now I'm totally stuck on the bootloop until no battery is left.
Can't access fastboot because the phone boots and 2 seconds later reboots... I can only access EDL mode with Oneplus Flasher (bypassed by Hexa change) but after that, like OP described, the time keeps increasing and the circle progress stays at 3%, nothing seems to change on the phone

You have no option but to use the official flashing recovery via Oneplus / oppo whoever does it which means paying them to reflash the phone correctly

Ok thank you, so I have to send back the phone or can I do it on my own?

mybrickplus said:
Ok thank you, so ive to send back the phone or i can do it on my own ?
no need to send the phone to oneplus just contact them directly and arrange for one of their techs to reflash your phone over the internet

leezaal said:
no need to send the phone to oneplus just contact them directly and arrange for one of their techs to reflash your phone over the internet
He could try but I'm not that sure that they are continuing to offer this service.

Thank you for your help and answers

So anyone who still watching this thread I made progress on this whole problem I took the 11r firmware file and it has script.sh commands in there and I ran them and it extracted all of the firmware files and made a bin folder that has only two folders inside of it and it took all the files to make it it puts it in your recovery section of your computer but it compiled all the empty files so they actually have things on them if you want to know how I did it and what I used just private message me cuz I will not be posting public because Oppo


Hardbricked G5

Hello,
A friend of a friend of mine unlocked the bootloader on his G5, then some magical stuff probably happened, because secure boot got stuck on a boot verification failure with probably the most common issue, signature length mismatch. We're trying to get it to work now, but we can't seem to find a solution to it. Fastboot doesn't work, because secure boot gets tripped in every boot mode. Does anybody have an idea which pins to short out on the motherboard for a boarddiag operation or something? I'd really appreciate that.
Download Mode should still work.. even with the secure boot tripped msg.. as long as they didn't mess with the download mode partition on purpose before this all happened.
The unique programmers required for the G5 for BoardDiag to work are not public so forcing your way into 9008 won't get you anywhere.
He isn't able to fire up download mode either. He says that it prints different_hash error there. I'd probably have to take another one of the same model(H850, I believe) and mirror kernel and bootloader from it, but I don't have eMMC programmer, nor physical access to that phone.
autoprime said:
Download Mode should still work.. even with the secure boot tripped msg.. as long as they didn't mess with the download mode partition on purpose before this all happened.
The unique programmers required for the G5 for BoardDiag to work are not public so forcing your way into 9008 won't get you anywhere.
Keij0 said:
He isn't able to fire up download mode either. He says that it prints different_hash error there. I'd probably have to take another one of the same model(H850, I believe) and mirror kernel and bootloader from it, but I don't have eMMC programmer, nor physical access to that phone.
bumping old thread, i know. Did we ever establish either board diag files for g5 or any solution to No download mode issue with it reporting Different Hash when attempting to enter it? My phone boots fine but no DL mode... Backstory: I have a RS988 that i attempted to repair for a friend after they locked it with frp, i removed the frp, via creating an apparently incorrectly modified firmware via my z3x's firmware maker feature (it copies the partitions available on the device into a new firmware file). it doesn't have rs988 listed as a model available to edit so (like normally works with devices) i used vs986 (or whatever verizon's variation was, i know rookie mistake) but I believe i have screwed up because since writing the modified firmware i can get into the OS fine but can not enter DL mode again without the "Different Hash" issue. I believe shortwire plus board diag fix could be resolution but could use some feedback. @autoprime Anything i can do to rewrite those partitions manually with the RS988 variant's original kdz and any type of serial connection/jtag/virtual com ports/tty/AT+/linux computer, lol anything? I'm pretty much equipped for anything except jtag but even that can be arranged lol

The impossible mission of rooting or oem unlocking BLU NEO XL (120K phones affected!)

Hello XDA Forums,
I have been a guest on the website for a while now when looking for android knowledge and I usually grasp a good amount of whatever I am trying to accomplish. However, the issue I am currently having I feel is considered IMPOSSIBLE to fix and I want to confirm that by this community.
Phone: Blu
Model: NEO XL N110U
Android build version: 6.0
Custom build version (it’s a stock I downloaded, I’ll explain in a sec): BLU_N110U_V10_GENERIC_MARSHMALLOW 05-08-2016 16:30
What happened is that about a year ago or so I updated the android version from lollipop to marshmallow using the OTA update (which is the wireless update). Worst decision ever as I found out that this update gave me 4 specific viruses that sends my information over to a Chinese server. Here are links on the virus:
https://www.droid-life.com/2016/11/15/blu-security/
https://blog.malwarebytes.com/cybercrime/2016/11/mobile-menace-monday-adups-old-and-new/
https://android.gadgethacks.com/new...be-affected-by-adups-chinese-spyware-0175014/
With this problem, I thought “I can just root my device and delete the files… right”? I never rooted a device before, but I have jail broken iphones, modded psps, and ds so I felt like this would be easy……Turns out it's impossible if you already updated to that wireless update with Marshmallow. I also tried unlocking bootloader and that failed super hard as well! Here is what I tried:
1. Tried Kingroot app – failed
2. Tried kingroot on PC – failed
3. Went into developer options and enabled usb debugging and oem unlocking to TRY and unlock the bootloader. – that part worked……HOWEVER
4. Went into the recovery and chose reboot to bootloader. Then connected my Blu phone to my PC, went into Command prompt and typed, “fastboot oem unlock” (I believe I had to download fastboot and adb tools first). – This was painful for me. It gave me the option to unlock the bootloader using the up and down volume buttons. I need to press “Volume up” on my phone to confirm the OEM unlock……..HOWEVER THAT HAS BEEN COMPLETELY DISABLED. The buttons work, but when I need to confirm the oem unlock, it doesn’t allow me to do this. THIS I BELIEVE HAS BEEN PURPOSELY DONE.
5. I downloaded a stock version of my phone’s rom but at a lower android number (5.1) and tried to flash it to the phone using SP Flash tools. – Failed. It would stay illuminated black and the intro sound would come on but I wouldn’t see anything. I looked into that and I believe that is because there is something called version binding where if I update the version build, I can’t downgrade to use the same exploit.
6. Since the phone was bricked, I wanted to try to bring it back to life by downloading the stock rom for my phone at the same virus build version I’m at now and flash it to the phone. – It worked with viruses and all.
7. I Then thought, “Can’t I use open the rom file and delete the viruses I want, then flash it to the phone?” So I tried that by using mtk extractor which allowed me to open the system.img file for the stock rom which contains the android data. From there I went into the apps folder and deleted the 4 virus apps. Then I packaged the system.img back together into one file and then used that system.img when I used sp flash tool to flash the rom onto the phone. – It was stuck on the logo……I can still access the recovery fine and still doesn’t allow me to oem unlock.
This is where I have given up. At this point, I feel like I would need to learn more about the system.img file and what it looks for in the beginning. I just want to fool it into booting without those apps. I know there is something stopping it from booting because when I go into the recovery part and select the option to do a “root integrity check” it tells me those specific apps are missing. Is there any way to change the root integrity check to not look for those apps?
So I know this is a lot of information but I need to write this down for all the steps I took. I hope that this thread can help anyone with a Blu Neo XL device come to some information. If I can confirm from this forum that there is nothing that can be done, I feel then a lawsuit with Blu is in order and everyone should throw out their compromised phones. I have seen numerous other posts on this subject and so far NO ONE HAS ANSWERED EVEN ONCE. One poor guy had to keep bumping his thread for months until he gave up; at least tell me it's not possible! Here is the link I saw on this from here:
https://forum.xda-developers.com/android/help/tried-to-root-sort-blu-neo-xl-t3559702
Here are my main questions:
Is it possible to access the root (either via pc with command prompt or linux with terminal or even on the device itself) without rooting or unlocking the bootloader (since both seem to be impossible).
Can you extract a system.img file, modify it, then put it back to get together to flash it to a device without unlocking bootloader?
In fact can you modify any part of the rom or .imgs and flash it with SP Flash Tool? (Or maybe I was doing it wrong?)
Is there anyway to figure out how to modify the tamper bit if I have to find a way to get around the virus bug on my device that doesn’t allow me to use the “Volume up” button to confirm that I want to unlock the bootloader? (I’m not even sure if this phone has that, I just saw that for this oneplus and thought maybe it can be on all phones in a different way?) Here is a link on that-
https://forum.xda-developers.com/oneplus-one/development/mod-reset-unlock-tamper-bit-t2820912
The goal is get rid of the virus that sends my data back to Chinese servers. Also, the goal is to get an answer from the community here to put this to rest.
If you need any information on this or want me to upload anything please let me know.
Thank you for your time!
Bump as I need hope.
I understand people may not have this phone but I need some sort of reply to confirm that this isn't possible. I want this thread to be the first post anyone sees if they type in "Blu Neo XL" for rooting purposes.
Even if anyone that has a phone that is similar that is affected, that would be anyone who has:
R1 HD
Energy X Plus 2
Studio Touch
Advance 4.0 L2
Neo XL
Energy Diamond
bump
Waited around for awhile but now its time be obnoxious. I will bump my other thread as well and just start hi-jacking other threads until mods ban me or someone answers me for once.
bump
bump
bump again and again and ****ing again!
another day, another bump
Also, I got a Moto G5S Plus instead finally. It took me a while to save the money because I don't make much but at least I have a phone that isn't sending my data over to china.....or maybe it still is sending my data who knows where. Either way, Bump.
Hey man, I didnt read through your entire post. But can't you just downgrade the version to one that is possible to root?
Or you can also get another phone that does have root as an option. Also, I don't think you should bump your own threads. Just wait it out, or ask in other threads for help.
Edit: Oh Man, I didn't even notice someone responded to this! Awesome.
It says in the rules to ask here. So I decided to ask here especially since this phone doesn't have its own dedicated forum. I got a new phone about a month ago and it's pretty good so far.
This is more of a lost cause but I bring this up just in case other people get affected. I believe the Blu company had to pay the Justice department for this so they got away with it and that's no big deal nowadays. lol
erickkg said:
Hey man, I didnt read through your entire post. But can't you just downgrade the version to one that is possible to root?
Also for those of you out there suffering, the above statement is not possible because the newer versions of Android OS have "version binding" so downgrading to an OS that is lower than what you upgraded to won't allow the phone to get past the bios or whatever the android bios recovery start name is. (I don't remember right now) Even if you mod the recovery or bios file.
So here it is almost a year later from you writing this post and I have found myself in the same predicament you were once in and was hoping there was answers somewhere, but from the looks of it I am guessing I'm better off just breaking this phone in half and getting myself a new, virus free, root-able phone. Am I correct?

[HELP] New LG phones not booting into recovery or fastboot[HELP]

Hi
I just got a third LMX210 today to add to my collection. Lol really I'm just trying to solve a problem. I bought a ulma to replace cm and i came across a ulm model and decided to just replace my cm today. The problem is that all three of these phones which normally have easily unlockable bootloaders will not boot into fastboot. The fortune 2 will not even boot into recovery. They all will boot into a blank screen with the android robot and will boot into download mode.
The natural solution would be to install an older or even plain stock firmware. But say you dont have a windows 10 or Mac computer. I havent found a way to flash lg firmware using a linux distribution yet.
On the other phones i tried removing the laff partition to force the phone into fastboot by plugging into pc while holding the volume up button. This did nothing but repeat the logo until the button released.
Yes usb debugging was enabled and adb was used to try these procedures. The drones at lg know nothing and ask to send the phones in for repair.
Short of re-installing the stock firmware there has to be way to get past this. And to tell you the truth i dont have a way to flash the stock firmware so i dont even know if that will work.
Ok guys got any ideas?
Update.
Ok spent 4 hours on a windows pc today trying to flash firmware and install qcom drivers thinking the download errors were due to the drivers. Then at the last moments went to Tecknights page and downloaded and installed the lgup dual mode program.
So the bastitches of higher android office decided to screw everyone out of bootloader unlocking. The ARB numbers have recently (like in the past 3 months) been changed to 003. Meaning you cannot flash firmware with an ARB number lower than 003.
But that doesn't stop us completely. Two ideas initially popped into my head. Hex edit the .kdz so that the ARB number matches the phone. Or lol split the .kdz into its separate partition images then wipe the partitions and use qdl or lgup to repair the now bricked phone. No device data no ARB no problem.
Im hoping the former works over the latter but ill keep you informed.
But really guys thats extreme and i cant see too many folks going through the wipe process to enable fastboot. So we have to find an easier way.
Is there any way to know what partition the ARB protection resides in? If those parts could be wiped im thinking it might fool the flashtool into thinking that there isnt any protection.
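A minimal model of the two checks this page keeps running into, the "version binding" from the BLU thread and the ARB number discussed above, as an added example that is not part of any post and is not LG, BLU or Qualcomm code. The image layout, the `IMG0` magic and the use of HMAC as a stand-in for the vendor's signature are all constructed assumptions; it shows how a verifier of this general kind treats an older image, an image whose version field or payload was edited after signing, and a newer image.

```python
import hashlib
import hmac
import struct

# Constructed stand-in for the vendor signing key. Real boot chains verify an
# asymmetric signature against a key anchored in hardware; HMAC is used here
# only so the model runs with the standard library.
VENDOR_KEY = b"constructed-demo-key"
MAGIC = b"IMG0"                      # hypothetical image magic
HEADER = struct.Struct("<4sII")      # magic, rollback index, payload length
TAG_LEN = hashlib.sha256().digest_size


def build_image(payload, rollback_index, key=VENDOR_KEY):
    """Vendor side: the tag covers the header AND the payload."""
    header = HEADER.pack(MAGIC, rollback_index, len(payload))
    tag = hmac.new(key, header + payload, hashlib.sha256).digest()
    return header + payload + tag


class Device:
    """Boot-time verifier with a monotonic rollback counter (models fuses)."""

    def __init__(self, stored_index, key=VENDOR_KEY):
        self.stored_index = stored_index
        self._key = key

    def verify(self, image):
        if len(image) < HEADER.size + TAG_LEN:
            return "truncated image"
        magic, index, length = HEADER.unpack_from(image)
        if magic != MAGIC:
            return "bad magic"
        if len(image) != HEADER.size + length + TAG_LEN:
            return "length mismatch"
        body, tag = image[:-TAG_LEN], image[-TAG_LEN:]
        expected = hmac.new(self._key, body, hashlib.sha256).digest()
        # Authenticity first: the version field is only trusted once the
        # tag over header + payload has been checked.
        if not hmac.compare_digest(tag, expected):
            return "signature mismatch"
        if index < self.stored_index:
            return "rollback rejected"
        return "ok"

    def boot(self, image):
        result = self.verify(image)
        if result == "ok":
            # The counter only ever moves forward.
            index = HEADER.unpack_from(image)[1]
            self.stored_index = max(self.stored_index, index)
        return result


def run_cases():
    """Run constructed sample images through a device whose counter is 3."""
    device = Device(stored_index=3)
    v2 = build_image(b"system-v2 apps:a,b,c,d", 2)
    v3 = build_image(b"system-v3 apps:a,b,c,d", 3)
    v4 = build_image(b"system-v4 apps:a,b,c,d", 4)

    # Older image with only its rollback index field rewritten after signing.
    edited_index = bytearray(v2)
    struct.pack_into("<I", edited_index, 4, 3)

    # Current image with one payload byte changed after signing.
    edited_payload = bytearray(v3)
    edited_payload[HEADER.size] ^= 0x01

    results = {
        "current": device.boot(v3),
        "older": device.boot(v2),
        "older, index edited": device.boot(bytes(edited_index)),
        "current, payload edited": device.boot(bytes(edited_payload)),
        "newer": device.boot(v4),
        "current after newer": device.boot(v3),
    }
    return results, device.stored_index


if __name__ == "__main__":
    outcome, counter = run_cases()
    for name, result in outcome.items():
        print(f"{name:26} -> {result}")
    print("stored rollback index:", counter)
```

In this model the version field sits inside the signed region, so changing it or the payload fails before the rollback comparison is ever reached, and accepting a newer image permanently raises the floor for everything flashed afterwards.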
one of your devices is MTK isn't it? can't you use SP Flash Tool like for other Mediatek devices? you should be able to flash images to emmc_user with locked bootloader, for example boot, recovery, system, ... all you need is a correct scatter file (which you could create with WwR MTK)
So you're saying finish porting my recovery and use sp flash tools to install it. See i have been curious about that procedure and how not having an unlocked bootloader would affect flashing from recovery. I was thinking brick. But it's worth a try if it won't brick and i get full Root with magisk. Ty
Btw when i was porting my recovery i ran into a rather large well too large problem. When i went to repack using Android image studio which i have used in the past without problem, it would not shrink the image back down even though i was only trading a few files. How do i fix that
start with readback boot / recovery. then try to unpack, so you will know the scatter is right (at least, for this partitions) or compare files with your already existing backup files
no problems here with unpacking/ repacking with AIK
IDEA:::: ok so for the Qcom boards i have a solution possibly. I know that the older software versions have working fastboot and recovery going and can be boot loader unlocked. That tells me that a fota update is screwing things up.
PROBLEM:::: ARB my fortune 2 will not let me install at all anything before ARB3.
ARB_location:::: bootloader
Solution:::: download and extract the stock .kdz for device with working features. Wipe parts bootloader and laf using qpst and reinstall. Solves two problems in one go. Allows fastboot and and bootloader unlock and future re-install of stock firmware
may work but remember your bootloader is locked and you need to by-pass this via testpoint (or at least previously enabled oem unlocking and don't lost these setting) otherwise sahara will fail
well it was an idea. I just did some fact checking and also looked at the files dumped from the .dz dump of the fortune 2 stock rom. PBL or primary bootloader cannot be removed or flashed according to a thread it is a permanent installation.
But upon more reading i can flash my recovery and boot.img using qfil in qpst along with everything else. But i need to know whether qfil reads ARB info and if so where i can find it in the firmware so i don't flash that img but instead pull it from phone as is.
i would really like to know what the twitterpating deal is with these LMX210 phones. ok when i first got my fortune 2 i bought it for two reasons the rootability of the device and the fact that the msm8937 board came pre-installed with otg software by default which in my eyes meant no more freaking computer to use adb.
Well it is all there the drivers the software. but guess what. it doesnt work. i have no idea whats stopping it all from working but even lsusb doesnt bring a twitch or hint of reading any thing over the usb.
does any one know how to fix this
Yo. There are definitely ways to flash on linux using virtual machines, wine etc to run windows apps but you got ahold of a windows box to use. IF it is in EDL mode (Qualcomm mode with a driver saying 9008 in it..) then there is still faith you can revive it. You will need the firmware dumped from someone then you'll need to run a program creating XML files for the phone's firmware partition files. You'll next need a firehose which is what they call the programmers for EDL that send through the commands and firmware in a low low level that these programs like LGUP just do not do yet (don't know why.....). I'm waiting for someone to program the LGUP dev version with an EDL mode using emmcdl along with a way to create XML files too. Who knows maybe it will happen if we bring it up enough. The hardest problem you'll have is getting a proper emmc programmer for the phone. I can source a lot so if teknight doesn't have something to help with EDL just get ahold of me and I'll see what I have and send you some stuff.
Man i have been trying to unbrick the LMX-210 CV1 devices since last year. Tek has nothing but supports the work in hope of finding a solution. I have a ton of fire hoses and saharas all of which have cost me nothing but frustration. I have almost every qpst made and have tried them all with my firehose and saharas. The only thing i haven't done is pull the mbns off my phones and try them. Trust me system dumps are crap.
The only sign of life i came by was flashing an sd card with the gpt and then flashing each partition manually using ubuntu. In return i got the battery logo but thats it.
Would love to figure it out though
By the way I have been compiling kernels. I call it the jokerfish kernel. Its packed full of drivers and debugging features plus gpu idlers boosters and all those crazy fishy thIngs. Its got governors and wire guard. Otg support. Io schedulars and overclocks. Cpu hotplugging and fast charge.
Now i cant figure out how to get fast charge to work but its set up for msm-otg phy-msm-otg qpnp-smbcharger and smb135x.
All that and not a single panic to reboot in over a week and 1/2 which is how long its been compiled. I used tweaks from the dragonheart kernel source and ported them over and did a lil c++ magic.
It has kcal too but no app supports it. All kinds of media and sound codecs as well. You think it would be slow but my compiling and coding skills are as mad as me. Hahahaha.
But dont Take my word for as the gentle over there on your couch. See that smile? Hes as happy as fish in a pond.
Just remember Duhjoker is in no way responsible for bricked devices so try it at the risk to yourself.
This particular fishy thingy works for msm8917 cv1 devices like aristo 2 and k8+ which have been tested by the madman himself.
If you like you could thank me but the permanent smiles on your faces will be just as loved.
lol so fast_charge is working on the kernel but you have to add a custom tunable to a kernel app to get it going. Just add the path
/sys/class/power_supply/usb/uevent
Then you will get a choice of values to manipulate

[HELP]Flash preloader for mt6750 on LG device[HELP]

hi
the other day i tried to dd in a bootloader to add fastboot to my K8+ (2018) LMX210ULMA and wiped my preloader. The device uses an mt6750 chipset and i had made a back up so i have the approriate software to restore it, i even have the scatter file.
The problem is that there is no da_pl.bin file for lg phones to use sp flashtool, i have no download mode and no fastboot.
i have two pc`s one running ubuntu the other windows 7.
i would appreciate any help
any help at all
ok so I've found some versions of sp flash tool that are supposed to get around the authorization stuff and i have an auth file but i keep getting brom errors. the same one in fact. on linux it's 0x00. I've been looking at and following the tutorials, I've made android rules and all kinds of things but i can't get it to flash. it started to before i added the stuff in the tutorials. The red line would go across the bottom but now i just get the brom errors.
Thumb up for boldness... :good:
Now you have some interesting project there.
Keep us update if you manage to find out any solution.
No idea how to help but Good luck!
https://blog.hovatek.com/so-whats-all-this-talk-about-meditek-secure-boot-and-da-files/
https://ifindhub.com/download-mtk-secure-boot-da-loader-files-mtk-devices.html
I'll get there eventually. I have been looking at all the config and ini files and i hate to say it but security might be easier than you think to overcome. just have to erase a few lines here and there and replace some as needed. idk ty. Don't worry I'll keep you guys posted
i really think sometime we over think and see past the easiest solutions. but what do i know im trying to flash an mtk preloader on an lg phone.
im actually trying to unbrick a few phones. two qc `s and the mtk. I kinda bricked one of my lmx210`s on purpose not thinking it would brick. well jokes on me.
I have a couple questions maybe somebody can help with. In the past couple months on my journey through madness i have tried a few hundred different ways and more flashtools than you could imagine. So far nothing has worked but I've learned a lot of theory.
so far though i know that the mtk board is in bootrom mode. We will get back to that as i have an idea....
ok on the qc boards we have the dreaded 9008 mode. I made some progress today. i wanted to see if the LMX210 could boot from SD card instead of the internal. I believe it can but I'm having trouble with what to do next.
i used dd to flash the gpt on my sdcard then formatted the partitions to the proper filesystem. when i plugged it in to the usb it lit up but did not boot. But it lit up for the first time since bricking.
But it only lights up with usb plugged in. Add the battery and it goes dead. It also doesn't show 9008 mode any more.
i went back and changed the boot and recovery images to reflect using the mmcblk system and now windows device manager can see it. But no boot. I'm wondering first if i might need a special boot loader to boot from sd and two if i might be able to use the same trick to get the mtk running
Some LG firmwares include some files for SPFT, like LGX240ARAT and LGX230HAT.
but do they work with MT6750? In LGX240ARAT there is a dll that mentions MT6755,
but not MT6750. Newer versions probably needed. Or maybe you could hack it. ??...
Part of my problem is not knowing what scatter file to use. These phones have their info all twaktup. The MTK gives several different board/chip types, like we have 6722, 6755, 6750, 6736 and so on. I'm pretty sure, though, it's a 6750 board with 6755 chipset, but do I use the scatter for the board or the chipset?
Ok idea!!
I can pick the phone up as bootrom mode on port in my Ubuntu as /dev/ttyACM0.
That means I can write to it. How can I dd the preloader.bin to the right place on there?
Duhjoker said:
Ok idea!!
I can pick the phone up as bootrom mode on port in my Ubuntu as /dev/ttyACM0.
That means I can write to it. How can I dd the preloader.bin to the right place on there?
As I don't know much about but have played a bit with these.
https://gitlab.com/zeroepoch/aftv2-tools
https://forum.xda-developers.com/hd...fire-hd-8-2018-downgrade-unlock-root-t3894256
And there is tools like eMMC Pro, etc. that might work too... ?
I think the m250 did answer to some handshake but there was some problems
because I didn't continue testing those py scripts...
I would try what I could read from it first. From those scatter files I guess that
preloader is on its own partition. The other one should start with partition table, pgpt .. ??
CXZa said:
As I don't know much about but have played a bit with these.
https://gitlab.com/zeroepoch/aftv2-tools
https://forum.xda-developers.com/hd...fire-hd-8-2018-downgrade-unlock-root-t3894256
And there is tools like eMMC Pro, etc. that might work too... ?
I think the m250 did answer to some handshake but there was some problems
because I didn't continue testing those py scripts...
I would try what I could read from it first. From those scatter files I guess that
preloader is on its own partition. The other one should start with partition table, pgpt .. ??
Hi,
If you can reach bootROM mode by pressing any of the volume keys while you connect the phone (Mediatek Inc. MT6627), you should be able to write and read the EMMC with amonet.
The tool needs some modifications in order to make it work for MT6750. You can probably try with the mt6753 version, which may work for MT6750:
https://github.com/Dinolek/amonet
For reference, use this commit:
https://github.com/R0rt1z2/amonet/commit/6b57d0a99f42739d3b3b2ce962b32ecb8fefd950
It contains all the stuff that needs to be edited in order to make it work for that phone.
Regards!
Thank you, I can give it a try. It's already in bootrom mode, though, and accepts the handshake. The problem is that the py command that flashes the preloader and stuff on it also wants to flash other stuff as well that I don't have or that does not work with the board.
The py command needs to be modified to only flash the preloader, lk.bin, laf and twrp. If only those items could be flashed, I could bring the rest of the device up using LGUP.
I have tried to modify the commands myself to include just those items, but it errors. I don't know enough about the Python language to be able to do it on my own.
Duhjoker said:
Thank you, I can give it a try. It's already in bootrom mode, though, and accepts the handshake. The problem is that the py command that flashes the preloader and stuff on it also wants to flash other stuff as well that I don't have or that does not work with the board.
The py command needs to be modified to only flash the preloader, lk.bin, laf and twrp. If only those items could be flashed, I could bring the rest of the device up using LGUP.
I have tried to modify the commands myself to include just those items, but it errors. I don't know enough about the Python language to be able to do it on my own.
PM me if you need help editing the python script
Regards.
I really appreciate your offer of help. I was looking at the reference for porting, and now that I can see the things that would need changing, why not go ahead and unlock the bootloader while we are at it? We could save a ton of devices and at the same time give them the extra value of being able to TWRP and root them.
I have been looking for some way to unlock the bootloader on these phones for days, and though it will be some work, being able to reflash the preloader AND unlock the bootloader, which was my main intent when I bricked it, would be worth the extra effort.
Rortiz2 said:
PM me if you need help editing the python script
Regards.
I couldn't post the main.py script in the PM, but I can attach it here. Thank you so much.
Here is the raw preloader extracted using salt on my pc.
OK, so I went through your source code for the Meizu M2 amonet to match it with source code for the MT6750 and I only had to change a couple of things. It's pretty much identical to the commit you pointed me to.
As far as I can see, your amonet should work just fine with the sp200/lm-x210ulma boards. I did add my .img files to the bin folder, though.
Anyway, I keep getting errors.
Traceback (most recent call last):
File "/usr/lib/python3/dist-packages/serial/serialposix.py", line 501, in read
'device reports readiness to read but returned no data '
serial.serialutil.SerialException: device reports readiness to read but returned no data (device disconnected or multiple access on port?)
During handling of the above exception, another exception occurred:
Rortiz2 said:
Hi,
Contains all the stuff that needs to be edited in order to make it work for that phone
Regards!
Hi,
Didn't continue experiments but now also @Duhjoker might be interested about this last new development...
[EXPLOIT] [BOOTLOADER] Mediatek based LG K10 2017 M250 bootloader secure boot bypass. by @OficerX
https://forum.xda-developers.com/lg-k10/how-to/exploit-mediatek-based-lg-k10-2017-m250-t4183545
MT6755 and MT6750 are essentially the same, MT6750 is cheaper and slower version of MT6755, these are compatible, you can use tools for 6755 on 6750.
Here (https://github.com/arturkow2000/lgk10exploit) you have tools that can help you flash preloader (write_boot0.py), these should work on your device.
Open config.py and set BR_DEV_PATH to /dev/ttyACM0,
then run: python write_boot0.py --brom path_to_your_preloader_bin
This is a slow process and may take a few minutes (you will see progress while flashing).

[Hisense A9] Root - How easy? (Snapdragon 662)

Hisense just released a new device called the A9. Since this phone has Snapdragon 662 I was wondering how easy it would be to root this device. I know there is an EDL for this CPU. The Hisense A5 series was also rootable. Not sure what method was used.
The Onyx Boox Note Air 2 (a 10.3" tablet), which I have, also runs on the same Snapdragon 662 and can be rooted via Magisk. I used the EDL to dump the boot.img on the Note Air 2 to root it via Magisk.
Disclaimer: I'm not a developer or super technical guy, but have rooted a few devices by following guides.
Does anyone know how easy or fast a root would be available? I'm assuming they didn't lock the bootloader on this device as most Chinese devices.
Hello, could you share with us how to root boox device please?
It would be great if GAPPS could be used.
Replying to bump this thread. I have the Hisense A9 and would love to be able to root. It has an option to unlock the bootloader in the developer options if that is helpful.
formeriphoneuser said:
Does anyone know how easy or fast a root would be available? I'm assuming they didn't lock the bootloader on this device as most Chinese devices.
Hello and good morning, @formeriphoneuser
I hope you'll always find and get the support you require.
However, prior to your next posting please read the guidances that are stuck on top of every forum like
[Read Before Posting]QUESTIONS DO NOT BELONG IN GENERAL
and the others. I've moved the thread to Android Q&A.
Thanks for your cooperation!
Regards
Oswald Boelcke
Senior Moderator
I recently got a Hisense A9, and I've been trying to extract the boot.img and / or recovery.img from it (since I can't find either of those online yet). So far I've been trying to get boot.img from EDL mode using this EDL tool. I can boot into EDL mode fine, but when I try to run an EDL command there are lots of errors. It's possible I'm using the wrong Firehose file, but I think it's right. (I'll post a link to the logs below). I've been following this guide mainly. Is anyone else working on this?
*Edit* the firehose file I'm using is 0014d0e100000000_d40eee56f3194665_FHPRG.bin.
Anyway, OP - hopefully I, or someone, can get the boot image or recovery image soon, then we should be able to patch it with Magisk fairly easily and install Google Services etc.
A word of warning to anyone who wants to try working on this - every time I restart after being in EDL mode, the phone goes into a boot loop of sorts. I enter the 6-digit pin at boot-up, and the phone says something in Chinese (which Google translates as something like "optimising the system, please wait", from memory), and then keeps showing the desktop screen for a second, then looping back to the pin code input, then showing the message, and then repeat. If you hold down volume down, it'll go into safe mode, but then the same thing happens when you restart. I've always managed to get out of it, but I'm not 100% sure how! Something like holding the power key down for about 10 seconds while it's looping... The phone vibrates, but doesn't turn off, and then the loop stops and you can enter your 6-digit pin again and it's back to normal. If that doesn't work, then try turning the phone off, then back on again, but holding the power key down so it keeps restarting without fully booting. Last time I made it restart ~5 times, and then it was back to normal. Maybe it cleared some kind of system cache...?
These are the errors I get from the EDL tool when I try to extract the boot image.
https://pastebin.com/ejXfCJs9
https://pastebin.com/5CqUPB0a
https://pastebin.com/LMmEmm6v
RunnyYolk said:
I recently got a Hisense A9, and I've been trying to extract the boot.img and / or recovery.img from it (since I can't find either of those online yet). So far I've been trying to get boot.img from EDL mode using this EDL tool. I can boot into EDL mode fine, but when I try to run an EDL command there are lots of errors. It's possible I'm using the wrong Firehose file, but I think it's right. (I'll post a link to the logs below). I've been following this guide mainly. Is anyone else working on this?
Anyway, OP - hopefully I, or someone, can get the boot image or recovery image soon, then we should be able to patch it with Magisk fairly easily and install Google Services etc.
A word of warning to anyone who wants to try working on this - every time I restart after being in EDL mode, the phone goes into a boot loop of sorts. I enter the 6-digit pin at boot-up, and the phone says something in Chinese (which Google translates as something like "optimising the system, please wait", from memory), and then keeps showing the desktop screen for a second, then looping back to the pin code input, then showing the message, and then repeat. If you hold down volume down, it'll go into safe mode, but then the same thing happens when you restart. I've always managed to get out of it, but I'm not 100% sure how! Something like holding the power key down for about 10 seconds while it's looping... The phone vibrates, but doesn't turn off, and then the loop stops and you can enter your 6-digit pin again and it's back to normal. If that doesn't work, then try turning the phone off, then back on again, but holding the power key down so it keeps restarting without fully booting. Last time I made it restart ~5 times, and then it was back to normal. Maybe it cleared some kind of system cache...?
These are the errors I get from the EDL tool when I try to extract the boot image.
https://pastebin.com/ejXfCJs9
https://pastebin.com/5CqUPB0a
https://pastebin.com/LMmEmm6v
Maybe try this loader. This is for sure the one I used for my NA2. Otherwise, you have quite some errors that relate to python. Not sure what the issue is there.
formeriphoneuser said:
Maybe try this loader. This is for sure the one I used for my NA2. Otherwise, you have quite some errors that relate to python. Not sure what the issue is there.
Awesome, thanks! I should have mentioned which loader I was using (different to the one you linked). I'll edit my post to say what I used before.
I tried the loader that @formeriphoneuser suggested, but with a similar result. (https://pastebin.com/ucMkEkeW). I also tried with the flag --memory="ufs" in case the device has UFS memory, but similar result.
But the good news is, I've just discovered a reliable way to avoid the boot loop after leaving EDL mode. So to leave EDL mode, make sure any running commands have ended, unplug the device from the computer, and press and hold the eink button (on the left of the phone), volume-up, and power button. Keep them all pressed until the first vibration (after about 15 seconds or so, then release the power button only). Keep the other two pressed while the phone boots, and even while you're entering your 6 digit pin code. When you see the main screen you can release the buttons and your phone shouldn't enter the boot loop. I have no idea how much of that is necessary, but something in there works for me.
I've added an Issue to the github repo for the EDL tool I'm using. Other than that, I think I've hit a brick wall and won't be able to do any more for now. Unless anyone knows how to check that the firehose file is correct for my device, and update it if it's not. Hopefully Hisense will release the stock firmware, or send us an OTA update or something.
Does this work? If the bootloader could be unlocked.
Arthurliao said:
Does this work? If the bootloader could be unlocked.
The problem with a GSI is that Android doesn't have partial refresh support for the eInk display, which means a driver has to be written from scratch, otherwise the display will be verrrrrry slow.
RunnyYolk said:
I tried the loader that @formeriphoneuser suggested, but with a similar result. (https://pastebin.com/ucMkEkeW). I also tried with the flag --memory="ufs" in case the device has UFS memory, but similar result.
But the good news is, I've just discovered a reliable way to avoid the boot loop after leaving EDL mode. So to leave EDL mode, make sure any running commands have ended, unplug the device from the computer, and press and hold the eink button (on the left of the phone), volume-up, and power button. Keep them all pressed until the first vibration (after about 15 seconds or so, then release the power button only). Keep the other two pressed while the phone boots, and even while you're entering your 6 digit pin code. When you see the main screen you can release the buttons and your phone shouldn't enter the boot loop. I have no idea how much of that is necessary, but something in there works for me.
I've added an Issue to the github repo for the EDL tool I'm using. Other than that, I think I've hit a brick wall and won't be able to do any more for now. Unless anyone knows how to check that the firehose file is correct for my device, and update it if it's not. Hopefully Hisense will release the stock firmware, or send us an OTA update or something.
Bit of a long shot here, but I vaguely remember having trouble with EDL on my Oneplus 6T and I think the solution was to use a USB2 port instead of USB3.
RunnyYolk said:
I tried the loader that @formeriphoneuser suggested, but with a similar result. (https://pastebin.com/ucMkEkeW). I also tried with the flag --memory="ufs" in case the device has UFS memory, but similar result.
But the good news is, I've just discovered a reliable way to avoid the boot loop after leaving EDL mode. So to leave EDL mode, make sure any running commands have ended, unplug the device from the computer, and press and hold the eink button (on the left of the phone), volume-up, and power button. Keep them all pressed until the first vibration (after about 15 seconds or so, then release the power button only). Keep the other two pressed while the phone boots, and even while you're entering your 6 digit pin code. When you see the main screen you can release the buttons and your phone shouldn't enter the boot loop. I have no idea how much of that is necessary, but something in there works for me.
I've added an Issue to the github repo for the EDL tool I'm using. Other than that, I think I've hit a brick wall and won't be able to do any more for now. Unless anyone knows how to check that the firehose file is correct for my device, and update it if it's not. Hopefully Hisense will release the stock firmware, or send us an OTA update or something.
Also, looking at your pastebins, it seems you are running Ubuntu via a Parallels Virtual Machine. I would suggest using the LiveDVD from the EDL github repo and running it on bare metal to rule out any system related issues. Given that the pastebins show errors relating to libusb1.py, there is a good chance your issues are due to the emulated USB controller provided by Parallels.
matteqa said:
Also, looking at your pastebins, it seems you are running Ubuntu via a Parallels Virtual Machine. I would suggest using the LiveDVD from the EDL github repo and running it on bare metal to rule out any system related issues. Given that the pastebins show errors relating to libusb1.py, there is a good chance your issues are due to the emulated USB controller provided by Parallels.
I tried booting the liveDVD from the repo in Parallels, but it wouldn't boot, saying something like Ubuntu was missing. But I'll try it as a bootable USB drive. I won't be able to do it until next weekend at the earliest, but I'll report back when I've tried that method. Thanks for your suggestions!
So I bought a USB drive and flashed the liveDVD from the repo to it, but my only computers are Macs and will recognise the USB drive as bootable - I've tried Fat32 / HFS+ file systems, made sure it's a GUID partition table, and used both Etcher GUI and terminal's `dd` to burn the image to the drive, but still the USB never shows up in the startup utility. Anyway, I've hit a roadblock on this for now - I think my next options are to either pick up a cheap Windows laptop, or put a bounty out for boot.img (or preferably full root! )
RunnyYolk said:
So I bought a USB drive and flashed the liveDVD from the repo to it, but my only computers are Macs and will recognise the USB drive as bootable - I've tried Fat32 / HFS+ file systems, made sure it's a GUID partition table, and used both Etcher GUI and terminal's `dd` to burn the image to the drive, but still the USB never shows up in the startup utility. Anyway, I've hit a roadblock on this for now - I think my next options are to either pick up a cheap Windows laptop, or put a bounty out for boot.img (or preferably full root! )
Just checking, have you tried the macOS version of the EDL tool? All of your pastebins are from ubuntu parallels, however there is also a native macOS version in the github repo.
matteqa said:
Just checking, have you tried the macOS version of the EDL tool? All of your pastebins are from ubuntu parallels, however there is also a native macOS version in the github repo.
Ah, that's a good call! I did try the native Mac version on one machine, but it wasn't able to find libusb library, so I started using parallels / ubuntu, and then basically forgot that the native mac version existed! So thanks for the reminder - I tried it yesterday on an older Mac, and the native EDL client seems to be working properly. Unfortunately I think the firehose / loader files I have aren't correct. When I ran it with a loader I get sahara - [LIB]: Unexpected error on uploading, maybe signature of loader wasn't accepted ?
type object 'req' has no attribute 'image_id', and then I tried running it without any loader and got sahara - [LIB]: Couldn't find a loader for given hwid and pkhash (0014d0e100430000_56d3f3c74a52172b_[FHPRG/ENPRG].bin) :(.
So I guess we need the correct loader for the A9. I'm pretty clueless about how these files come to exist in the first place (do they have to come from the manufacturer, or can we build them ourselves?), but anyway I'll open a new issue on Github and see if the developer of the client can help.
For completeness' sake, here are logs from each attempt at reading boot_a (I tried three different loaders, each one with and without --skipresponse, and then once with no loader).
https://pastebin.com/AA9d5Tdh
https://pastebin.com/gXHS9pYN
https://pastebin.com/6e5FeWDc
https://pastebin.com/8dGWFNau
https://pastebin.com/iTd8ZsVH
https://pastebin.com/2esPvxyX
https://pastebin.com/Pvz9YxfE
https://pastebin.com/D47mPKt6
*edit* This is the issue on Github: https://github.com/bkerler/edl/issues/303
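Added example, not part of any post in this thread and not code from the EDL tool: one way to check whether a loader file matches the device, by comparing the loader file name quoted earlier in the thread with the hwid/pkhash the EDL client printed in the error above. The split of the HWID into MSM, OEM and model ids, the helper names and the candidate file list are assumptions of this example.

```python
import re
from dataclasses import dataclass

# Loader naming seen on this page: <hwid: 16 hex>_<pkhash prefix: 16 hex>_<kind>.bin
# The EDL client prints the kind as "[FHPRG/ENPRG]" when it finds no match.
NAME_RE = re.compile(
    r"([0-9a-fA-F]{16})_([0-9a-fA-F]{16})_(?:FHPRG|ENPRG|\[FHPRG/ENPRG\])\.bin"
)
FIELDS = ("msm_id", "oem_id", "model_id", "pkhash")


@dataclass(frozen=True)
class LoaderId:
    hwid: str    # 64-bit hardware id as 16 hex digits
    pkhash: str  # leading 16 hex digits of the root public-key hash

    # Assumed HWID field split (not stated on the page): chipset, vendor, product.
    @property
    def msm_id(self):
        return self.hwid[0:8]

    @property
    def oem_id(self):
        return self.hwid[8:12]

    @property
    def model_id(self):
        return self.hwid[12:16]


def parse_id(text):
    """Extract the identifier from a loader file name or an EDL log line."""
    m = NAME_RE.search(text)
    if m is None:
        raise ValueError(f"no hwid_pkhash loader name in {text!r}")
    return LoaderId(m.group(1).lower(), m.group(2).lower())


def differing_fields(device, loader):
    """Names of the identifier fields on which device and loader disagree."""
    return [f for f in FIELDS if getattr(device, f) != getattr(loader, f)]


def verdict(device, loader):
    diff = differing_fields(device, loader)
    if "msm_id" in diff:
        return "wrong chipset"
    if "pkhash" in diff:
        # Signed under another root key: a secure-boot device rejects it.
        return "different signing root"
    if diff:
        return "same root, other OEM/model id"
    return "match"


def find_candidates(device, file_names):
    """Keep only loader files signed under the device's root key for its chipset."""
    keep = []
    for name in file_names:
        try:
            loader = parse_id(name)
        except ValueError:
            continue  # not a loader file name
        if verdict(device, loader) in ("match", "same root, other OEM/model id"):
            keep.append(name)
    return keep


# Both strings are quoted from posts in this thread.
DEVICE_LOG = ("sahara - [LIB]: Couldn't find a loader for given hwid and pkhash "
              "(0014d0e100430000_56d3f3c74a52172b_[FHPRG/ENPRG].bin)")
TRIED = "0014d0e100000000_d40eee56f3194665_FHPRG.bin"
# Constructed directory listing; the last name is hypothetical, not a real file.
LOADER_DIR = [TRIED, "readme.txt", "0014d0e100430000_56d3f3c74a52172b_FHPRG.bin"]

if __name__ == "__main__":
    dev = parse_id(DEVICE_LOG)
    print(differing_fields(dev, parse_id(TRIED)), verdict(dev, parse_id(TRIED)))
    print(find_candidates(dev, LOADER_DIR))
```

For the two identifiers in the thread, the chipset id agrees but the OEM id and the key hash do not, which fits the "signature of loader wasn't accepted" message.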
RunnyYolk said:
Ah, that's a good call! I did try the native Mac version on one machine, but it wasn't able to find libusb library, so I started using parallels / ubuntu, and then basically forgot that the native mac version existed! So thanks for the reminder - I tried it yesterday on an older Mac, and the native EDL client seems to be working properly. Unfortunately I think the firehose / loader files I have aren't correct. When I ran it with a loader I get sahara - [LIB]: Unexpected error on uploading, maybe signature of loader wasn't accepted ?
type object 'req' has no attribute 'image_id', and then I tried running it without any loader and got sahara - [LIB]: Couldn't find a loader for given hwid and pkhash (0014d0e100430000_56d3f3c74a52172b_[FHPRG/ENPRG].bin) :(.
So I guess we need the correct loader for the A9. I'm pretty clueless about how these files come to exist in the first place (do they have to come from the manufacturer, or can we build them ourselves?), but anyway I'll open a new issue on Github and see if the developer of the client can help.
For completeness' sake, here are logs from each attempt at reading boot_a (I tried three different loaders, each one with and without --skipresponse, and then once with no loader).
https://pastebin.com/AA9d5Tdh
https://pastebin.com/gXHS9pYN
https://pastebin.com/6e5FeWDc
https://pastebin.com/8dGWFNau
https://pastebin.com/iTd8ZsVH
https://pastebin.com/2esPvxyX
https://pastebin.com/Pvz9YxfE
https://pastebin.com/D47mPKt6
*edit* This is the issue on Github: https://github.com/bkerler/edl/issues/303
Have you tried to read from "boot" instead of "boot_a"? Maybe Hisense isn't using A/B partitions since they don't care about Google Play certification. Also, have you tried using --memory=ufs?
Otherwise, it may be that the loader has a custom signature. As far as I know, the loader is proprietary and you have to get it from the manufacturer.
@RunnyYolk
I've also just found a patched version of a SDM662 loader on another forum that might work.
I've reuploaded it here: https://cloud.matteqa.com/index.php/s/M6MxgPFDsYwaKP6
matteqa said:
@RunnyYolk
I've also just found a patched version of a SDM662 loader on another forum that might work.
I've reuploaded it here: https://cloud.matteqa.com/index.php/s/M6MxgPFDsYwaKP6
Thanks! I tried this loader, and also the --memory=ufs flag / "boot" alternatives as you suggested, but had the same errors as before. I'm pretty sure I saw boot_a and boot_b directories somewhere when I was exploring the filesystem in adb shell, but I'll double check again when I have time.
Are there any other avenues I could try to root this device? I wonder if there's any point trying to boot TWRP from an A7? Am I right in thinking I can `fastboot boot recover.img` without risk of bricking the phone? (Ie just booting rather than flashing.)... Maybe I'm clutching at straws...
