-----------PROJECT HAS BEEN ABANDONED AND IS OBSOLETE----------
WORKS ON 5.1.1 ALSO!
(Link in next reply)
Fully automated and noob friendly. :3
Done:
Root
BusyBox
Disable OTA
Change Launcher
Install full Google Play Functionality
Autoinstall flash player
build.prop optimizations
A few more features...
This may be compatible with other fires, but I have only tested it on the Fire 7" 5th generation.
This is a script I wrote in my spare time.
This script will optimize, root, install google play, and debloat your device.
Enjoy :3 Don't forget to hit thanks.
STEPS
1. In device options, tap on serial number until the developer options appear. If required (which it is likely not, but for some it is. DON'T DO THIS IF IT'S ALREADY WORKING.) install the ADB driver by going into the Device Manager of Windows and right-clicking update driver on your device under unknown devices, then point it to the driver folder included in this zip, or, you know, try the driver installer .exe included. Make sure driver signature enforcement is disabled in Windows!
2. Go into the developer options of android and enable Debugging
3. Go to the homescreen on the tablet, EXTRACT the zip on your computer, and run the script 1_ROOT_FIRE.bat in the zip on your computer.
This should only take around five minutes to complete.
YOUR DEVICE WILL REBOOT SEVERAL TIMES.
Easy enough, right? :3
Troubleshooting:
Unless you are running Fire OS 5 or higher, using this script probably won't get you playstore access, but it may root it. This was made primarily for the Amazon Fire 5th Generation 7" Tablet. (The "50 dollar tablet")
Don't run as root or admin.
If your device gets stuck in fastboot:
When the device reboots and goes into fastboot mode the drivers didn't recognise it. Leave the script running and go into Device Manager. Your Kindle will be listed as "Fire" with a yellow icon. Follow same steps to install drivers but instead of directing it to the "usb driver" folder contained in the zip file - select "let me pick from a list of drivers". Then pick adb interface then scroll to the bottom and select the last option.
The script hangs on adb daemon started:
If it hangs there, android debugging on your device isn't communicating with your computer. The fix can range from reconnecting your device, making sure android debugging is enabled in the Device> Developer options, making sure adb drivers are installed, or restarting the script.
Keep in mind, if you give this tablet to a non tech savvy user, open SuperSU, go to options, and click full unroot.
XDA:DevDB Information
AutoRootScript, Tool/Utility for the Amazon Fire
Contributors
glitch3yf0x, JaboJG, KennBr, k4y0z
Version Information
Status: Stable
Current Stable Version: 4.14
Created 2015-12-30
Last Updated 2016-04-08
Secondary Download Mirror
(Recommend) REGULAR VERSION:
https://www.androidfilehost.com/?fid=24352994023705981
NO DEBLOAT version:
https://www.androidfilehost.com/?fid=24391638059059079
Read the post below to choose the version right for you.
Version differences
Regular version: Choose this if you want the full android experience to your tablet with the added features of the script. This will remove all the unwanted Amazon bloatware that fills up the internal storage and will make your tablet feel more like an android tablet.
No debloat version: Choose this if you want to keep the Amazon experience with the added features of the script. This will leave Amazon's features and will make your tablet feel more like an Amazon tablet.
Notice: this script will not wipe or touch any of your files on the internal storage or sd card
Fully stable!
Great news! All bugs have been fixed! As of version 4.14 uploaded 1/5/16, all OS versions have been tested and are confirmed working properly. Enjoy!
If anything goes wrong, such as a USB cable being unplugged or the battery dying, pretty much anything can be fixed by booting into recovery and adb sideloading the latest firmware.bin from amazon.
Thanks for Donating:
Lorenzo
@BarbaraaK
So was the Mac OS X issues fixed?
pride0929 said:
> So was the Mac OS X issues fixed?
I believe so [Old post. Issue fixed with 4.14, if there was one.]
I ran the script using OS X, everything seemed to go well. But the Fire is stuck booting at the "fire" logo.
Mac OS X
jmallow said:
> I ran the script using OS X, everything seemed to go well. But the Fire is stuck booting at the "fire" logo.
Updated issue. [Issue fixed with 4.14, if there was one.]
glitch3yf0x said:
> Give it 10 minutes before force rebooting. It may be rewriting cache. This is very odd. Any error messages on the computer?
> Don't worry about your tablet. We can adb sideload if anything went wrong.
> What OS is your tablet running? Is your tablet the Fire 7? It may be an issue with build.prop. I'm retesting it now using the Mac OS X source files. In the mean time, tell me if your Fire boots.
It's a 5th gen Fire 7 (the one that was released in Sept 2015). I side loaded to get back to factory, but mistakenly used the fire hd .bin file...and now it won't turn on at all. Lol. Might be a dead battery though I think, so it's plugged in now. Will try again after a bit.
jmallow said:
> It's a 5th gen Fire 7 (the one that was released in Sept 2015). I side loaded to get back to factory, but mistakenly used the fire hd .bin file...and now it won't turn on at all. Lol. Might be a dead battery though I think, so it's plugged in now. Will try again after a bit.
Alright. Best of luck. I tested it on my fire again and there were no problems. If you have problems the second time tell me.
Any results?
glitch3yf0x said:
> Any results?
I bricked it by installing the wrong version by mistake.
Hopefully Amazon warranty will replace it without question.
I've just run the script for my daughter's fire 6 5th gen running 5.1.1 and all went smoothly. Has the look and feel of a great wee device now!
Thanks for your efforts ☺
Thread moved from http://forum.xda-developers.com/amazon-fire/general/root-fire-5th-gen-autoroot-script-noob-t3276923
Just installed this without a hitch. So far so good!! Thank you!!
Worked really well on 5.1.1 Thank you so much!
Now the only issue I have is that I want to use Google Now Launcher in place of Nova. Is there a way to do it?
EDIT: Never mind, it asked me which home to set after a reboot.
thehrushi said:
> Worked really well on 5.1.1 Thank you so much!
> Now the only issue I have is that I want to use Google Now Launcher in place of Nova. Is there a way to do it?
> EDIT: Never mind, it asked me which home to set after a reboot.
I should post a poll. Google Now or Nova.
glitch3yf0x said:
> I should post a poll. Google Now or Nova.
Just add a selector in the script and have it push the appropriate apk
BaT420 said:
> Just add a selector in the script and have it push the appropriate apk
I was gonna suggest the same. Nova after rooting makes sense, since the widgets work. But I like Google Now on left swipe.
Yeahhh
Very good. Fire 7 2015 5.1.1.
Now I've an Android tablet not a garbage :good:
thanks a lot.
Hi there,
I have recently ported postmarketOS [1] to the HTC Desire Z. postmarketOS is a Linux distribution for mobile devices based on Alpine Linux and the primary platform for KDE's Plasma Mobile desktop.
Note that this work is nowhere near ready for productive use, at least not as a phone. It boots, the weston demo UI starts and you can ssh into it via USB or Wifi (use nmtui or nmcli to configure it), but that's pretty much it. I'm posting here in the hope that other developers might be interested in joining this effort. It might be useful as small server for personal use, perhaps to host a NextCloud instance or something like that.
For installation instructions, refer to the Installation Guide at [3] and the wiki page for the HTC Desire Z at [4]. It should be possible to run postmarketOS without installing anything at all on the phone (other than an unlocked bootloader) by installing onto a microSD card and booting via the `fastboot boot` command.
[1] https://postmarketos.org/
[3] https://wiki.postmarketos.org/wiki/Installation_guide
[4] https://wiki.postmarketos.org/wiki/HTC_Desire_Z_(htc-vision)
P. S. If you're wondering why I didn't put this in the developers' section where it belongs: It's because I'm not allowed to post there due to being a new member, and for the same reason I can't post proper links. In order to prevent spam, new users are required to spam 10 posts in order to be able to do perfectly legitimate things. How ironic :silly:
First of all, thank you for your time working this out and notifying us, I really appreciate all the people that keep my fine (but old) hardware usable.
I have 3 Desire-Z's (now running cyanogenmod), and would like to try PostMarketOS on one of them.
What is the state of the device? Can I use PostmarketOS to safely browse the web?
Do you have any specific instructions for the microSDcard installation? Is it just installing/running the pmbootstrap command on my linux machine with the correct sdcard device, insert the sdcard into my Desire Z and then starting it with volume-down button pressed, until the (in my case already unlocked) bootloader menu appears and then running 'fastboot boot <what parameter goes here?>' from the connected linux computer?
Hi C-Base,
Thanks for your interest! I should mention again that this is pretty much a developer thing for now… But in case you want to get your hands dirty and maybe hack on the device a bit, here are my answers:
– What is the state of the device? Please refer to the wiki page, the state is documented there.
– Does it run a browser? I don't know, I've never tried, but I'd guess it wouldn't work. Even if it runs somehow, I'd guess it would probably be unusably slow because I haven't made the hardware graphics acceleration work yet.
– Regarding sdcard installation: yes, you pretty much got it right! The last step would be to type "pmbootstrap flasher boot", which is essentially a wrapper for fastboot that will figure out the correct parameters for you. If that doesn't work, you can try "pmbootstrap export". That will copy a bootable image to /tmp/postmarketOS-export/boot.img-htc-vision. You should be able to boot that using "fastboot boot /tmp/postmarketOS-export/boot.img-htc-vision"
If you want to help out, there's a couple things you could do!
– document on the wiki page everything you feel would be helpful to anybody who wants to try this
– get graphics acceleration working with hybris. This is needed for Plasma mobile to run and shouldn't be too hard. You just need to make sure that the relevant hybris packages are installed (GLES, EGL, maybe others) and that the android drivers are in the right place (the relevant binaries should be in this repo: https://github.com/milaq/android_device_htc_vision).
One more thing: for all I know you'd be the first person other than myself to try this on a Desire Z, so definitely let me know if you can get it to boot! I've actually never tried the SD card installation, so it would be nice to hear if that works, and also if the on-screen keyboard (to type in the disk encryption password) works.
mberndt said:
> One more thing: for all I know you'd be the first person other than myself to try this on a Desire Z, so definitely let me know if you can get it to boot! I've actually never tried the SD card installation, so it would be nice to hear if that works, and also if the on-screen keyboard (to type in the disk encryption password) works.
Hi!
I have pmOS running on my HTC Desire Z and SD card installation works just fine. I haven't tested the on-screen keyboard so I don't know whether that works.
BTW, is there any chance this gets mainlined sometime in the future?
Hey jyrithe,
I'm happy to hear that it works for you!
Regarding your question: the SoC is a Qualcomm MSM7230, and the mainline kernel doesn't currently support that. So somebody would have to port the relevant drivers etc. to a modern kernel. I think that this would require access to the serial console, and while that is documented for some Android phones (e. g. many recent Sony Xperia models), the Desire Z doesn't seem to be one of them – at least I haven't been able to find such documentation. I also haven't been able to find public documentation about the actual SoC, and I suspect one would have to figure out how the hardware works by reading the driver code. Given that this is also a rather old SoC at this point, I suspect it's not going to happen. I personally just don't have the time or the knowledge to be able to do this.
Here's a kernel tree that might be of interest though:
https://github.com/msm7x30/android_kernel_qcom_msm7x30
That one is based on Linux 4.4, so it's a much newer version than the 3.0.101 kernel that I used for the pmOS port. Based on the name it seems to support the SoC, but it doesn't include support for the specific board – one would have to write a devicetree file to make that work.
Hi I am trying to boot it up with the HTC Desire Z. I boot up nicely with the nice logo, but after that everything is black. I use "westron" in the pmbootstrap installation and I use android zip recovery way to do this, using with the cwm 6.0.5.
I hope you can help me. I love your energy into this project!!
Hi Dr.RR,
I haven't done any work on this device lately, and I don't plan to. The problem is that afaik there's really only one “useful” UI to run on postmarketOS, and it's KDE plasma mobile. But it's too large to fit on the system partition of this device, so it's impossible to install it until LVM support is in place (this allows to create a root file system that spans several flash partitions, i. e. system and userdata partitions). If you want to get your hands dirty, check this out: https://gitlab.com/postmarketOS/pmbootstrap/issues/60 . (sdcard installations aren't affected by this, but I currently don't have a spare).
Read this whole guide before starting.
This is for the 5th gen Fire and 7th gen Fire
Current Version
5th gen: amonet-ford-v1.4.1.zip
7th gen: amonet-austin-v1.4.1.zip
What you need:
A Linux installation or live-system
A micro-USB cable
If your Fire is on a newer preloader-version (or a 7th gen) you may also need:
Something conductive (paperclip, tweezers etc)
Something to open the tablet.
There is an alternative for opening the tablet (only 5th gen), which is described below.
Install python3, PySerial, adb and fastboot. For Debian/Ubuntu something like this should work:
Code:
sudo apt update
sudo add-apt-repository universe
sudo apt install python3 python3-serial adb fastboot
Make sure ModemManager is disabled or uninstalled:
Code:
sudo systemctl stop ModemManager
sudo systemctl disable ModemManager
NOTE: If you have issues running the scripts, you might have to run them using sudo.
Also try using different USB-ports (preferably USB-2.0-ports)
If you're lucky and have an old preloader (Up to FireOS 5.3.2, thanks @MontysEvilTwin), you can just hold the left volume button while plugging the device in.
If you're on a newer preloader, there are two options:
Open the device and short the pin marked in the attached photo to ground while plugging in.
(Only 5th gen) Downgrade to 5.0.1 firmware via adb sideload in Amazon recovery, then proceed to use the left volume button to enter boot-rom.
NOTE: Using option two will brick your device until you have successfully finished the process.
1. Extract the attached zip-file "amonet-ford-v1.4.1.zip" (use "amonet-austin-v1.4.1.zip" for 7th gen) and open a terminal in that directory.
2. Start the script:
Code:
sudo ./bootrom-step.sh
It should now say Waiting for bootrom.
3. If you have an old preloader or used option 2 above:
Hold the left volume-button and plug the device in.
If you chose option 1, short the device according to the attached photo and plug it in.
NOTE: Make sure the device is powered off, before plugging it in.
NOTE: If you have issues getting a 7th gen into bootrom, read this post by @hwmod
NOTE: For hints, how to access the pins on a 7th gen without removing the shield, check Post 1075 by @shelleyfrank
NOTE:
In lsusb the boot-rom shows up as:
Code:
Bus 002 Device 013: ID 0e8d:0003 MediaTek Inc. MT6227 phone
If it shows up as:
Code:
Bus 002 Device 014: ID 0e8d:2000 MediaTek Inc. MT65xx Preloader
instead, you are in preloader-mode, try again.
dmesg lists the correct device as:
Code:
[ 6383.962057] usb 2-2: New USB device found, idVendor=0e8d, idProduct=0003, bcdDevice= 1.00
4. When the script asks you to remove the short, remove the short and press enter.
5. Wait for the script to finish.
If it stalls at some point, stop it and restart the process from step 2.
6. Your device should now reboot into unlocked fastboot state.
7. Run
Code:
sudo ./fastboot-step.sh
8. Wait for the device to reboot into TWRP.
9. Use TWRP to flash custom ROM, Magisk or SuperSU
To return back to stock, Go into hacked fastboot-mode, then run
Code:
sudo ./stock-recovery.sh
Your device should reboot into amazon recovery. Use adb sideload to install stock image from there.
NOTE:
Only ever flash boot/recovery images using TWRP, if you use FlashFire or other methods that are not aware of the exploit,
your device will likely not boot anymore (unless you flashed a signed image).
TWRP will patch recovery/boot-images on the fly.
NOTE:
fastboot-step flashes the 5.6.3 boot.img, if your device hangs at the orange fire logo, try wiping cache first.
If that doesn't help, your system is probably incompatible with that image, just flash the right boot.img via TWRP.
NOTE:
This process does not disable OTA or do any other modifications to your system.
You will have to do that according to the other guides in this forum.
Very special thanks to @xyz` for making all this possible and putting up with the countless questions I have asked, helping me finish this.
Thanks also to @ANDROID2468 and @bibikalka for testing things.
Thanks to @mateo121212 and @hwmod for debugging 7th gen.
Thanks to @MontysEvilTwin for figuring out volume-button access works up to FireOS 5.3.2, and for figuring out that 5.3.2 PL/TZ fix prime video.
Features.
Uses 5.3.2 Preloader/TZ for easy access to bootrom (using left volume button/only 5th gen)
Uses 5.6.3 LK for full compatibility with newer kernels.
Hacked fastboot mode lets you use all fastboot commands (flash etc).
Boots custom/unsigned kernel-images (need to be patched)
Sets androidboot.unlocked_kernel=true (enables adb root-shell)
For the devs: sets printk.disable_uart=0 (enables debug-output over UART).
NOTE: Hacked fastboot can be reached via TWRP.
NOTE: Hacked fastboot won't patch your boot/recovery-images, so you can easily go back to stock.
Use TWRP for autopatching.
Version 1.4 (25.03.2019)
Update TWRP to twrp-9.0 sources
Implement downgrade-protection for LK/PL/TZ
Add scripts to enter fastboot/recovery in case of bootloop
Automatically restore boot-patch when you boot into recovery
Version 1.3 (20.03.2019)
Fix Prime Video for ford (5th gen), thanks @MontysEvilTwin (See Post #537 for more info).
Version 1.2.1 (17.02.2019)
Fix bug in 7th gen.
16.02.2019
Now also unlock for the 7th gen
Version 1.2 (14.02.2019)
Updated TWRP to contain new microloader.
Added TWRP shell command reboot-amonet to reboot into hacked fastboot.
Version 1.1 (14.02.2019):
Fixed bug, caused when flashing large images via hacked fastboot.
Include stock recovery.img and script to flash back.
Source Code:
https://github.com/chaosmaster/amonet
https://github.com/chaosmaster/android_bootable_recovery
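A check for step 3 of the guide above, as an added example that is not part of the original post or of the amonet package: it classifies `lsusb` output and `dmesg` lines by the two USB IDs the guide quotes (0e8d:0003 for boot-rom, 0e8d:2000 for preloader). The function names and the sample lines are constructed for illustration.

```shell
#!/usr/bin/env bash
# Added example, not part of the amonet package.
# Distinguishes boot-rom mode from preloader mode using the USB IDs
# quoted in the guide's lsusb and dmesg output.

BOOTROM_ID="0e8d:0003"     # boot-rom, the mode bootrom-step.sh waits for
PRELOADER_ID="0e8d:2000"   # preloader, the wrong mode for step 3

# id_to_mode VID:PID -> prints bootrom | preloader | other
id_to_mode() {
    case "$(printf '%s' "$1" | tr 'A-F' 'a-f')" in
        "$BOOTROM_ID")   echo bootrom ;;
        "$PRELOADER_ID") echo preloader ;;
        *)               echo other ;;
    esac
}

# mode_from_lsusb: reads `lsusb` output on stdin.
# lsusb is a snapshot, so line order carries no meaning; boot-rom wins
# if both IDs happen to be listed.
mode_from_lsusb() {
    local line usbid mode result=none
    while IFS= read -r line; do
        # Layout: "Bus 002 Device 013: ID 0e8d:0003 MediaTek Inc. ..."
        usbid=$(printf '%s\n' "$line" |
            sed -n 's/.* ID \([0-9A-Fa-f]\{4\}:[0-9A-Fa-f]\{4\}\).*/\1/p')
        [ -n "$usbid" ] || continue
        mode=$(id_to_mode "$usbid")
        case "$mode" in
            bootrom)   result=bootrom ;;
            preloader) [ "$result" = bootrom ] || result=preloader ;;
        esac
    done
    echo "$result"
}

# mode_from_dmesg: reads kernel log lines on stdin.
# The log is chronological, so the most recent MediaTek enumeration is
# reported. Disconnect events are not tracked.
mode_from_dmesg() {
    local line vid pid mode result=none
    while IFS= read -r line; do
        case "$line" in
            *"New USB device found"*) ;;
            *) continue ;;
        esac
        vid=$(printf '%s\n' "$line" |
            sed -n 's/.*idVendor=\([0-9A-Fa-f]\{4\}\).*/\1/p')
        pid=$(printf '%s\n' "$line" |
            sed -n 's/.*idProduct=\([0-9A-Fa-f]\{4\}\).*/\1/p')
        [ -n "$vid" ] && [ -n "$pid" ] || continue
        mode=$(id_to_mode "$vid:$pid")
        [ "$mode" = other ] || result=$mode
    done
    echo "$result"
}

# advice_for_mode MODE -> one line telling the user what the mode means
advice_for_mode() {
    case "$1" in
        bootrom)   echo "boot-rom mode: bootrom-step.sh should pick the device up" ;;
        preloader) echo "preloader mode: power off, unplug and try again" ;;
        *)         echo "no MediaTek boot-rom or preloader device seen" ;;
    esac
}

# Constructed sample input (not captured from a real session).
SAMPLE_LSUSB='Bus 001 Device 001: ID 1d6b:0002 Linux Foundation 2.0 root hub
Bus 002 Device 014: ID 0e8d:2000 MediaTek Inc. MT65xx Preloader'

SAMPLE_DMESG='[ 6380.100000] usb 2-2: New USB device found, idVendor=0e8d, idProduct=2000, bcdDevice= 1.00
[ 6381.500000] usb 2-2: USB disconnect, device number 12
[ 6383.962057] usb 2-2: New USB device found, idVendor=0e8d, idProduct=0003, bcdDevice= 1.00'

# Demo on the constructed samples.
# On a real host: lsusb | mode_from_lsusb   or   dmesg | mode_from_dmesg
advice_for_mode "$(printf '%s\n' "$SAMPLE_LSUSB" | mode_from_lsusb)"
advice_for_mode "$(printf '%s\n' "$SAMPLE_DMESG" | mode_from_dmesg)"
```
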
Nice job.
Anyone who wants to update to the latest FW without undoing the unlock you can get it here
I'm also releasing a customized fire os that I'm calling "fire os revamped" ( comes with nova launcher and other enhancements) it will be on xda soon
edit: here it is.
So I can do this without opening it up if I'm on a newer version?
---------- Post added at 06:44 PM ---------- Previous post was at 06:34 PM ----------
So my 5.1.1 Fire, which I believe was originally on 5.0.1 worked.
---------- Post added at 06:51 PM ---------- Previous post was at 06:44 PM ----------
I mean it worked without having to brick or open it up.
k4y0z said:
> Read this whole guide before starting.
> ...
@k4y0z awesome work ! My congratulations again for the great achievement and implementation.
Your solution is letting users revive their "bricks" and make them free to use their gadget as they wish.
There is still some quirk I have on the 7th Gen tablets with the "microloader" code, though it works well
with the 5th Gen, so I am assuming that something can be improved on the 7th Gen and maybe in general.
Your work opens up to new ROMS and other possible use of the tablet for things I have been dreaming about
for long time, having Linux load from µSDCard, from SSD on OTG or from the network (BOOTP/DHCP/NFS ... ).
I know this will take some time and effort but now more than ever I feel the target objective is on sight.
The first thing would be rebuild a completely modular kernel, maybe a more recent one (4.x).
> Make sure ModemManager is disabled or uninstalled:
> Code:
> sudo systemctl stop ModemManager
> sudo systemctl disable ModemManager
> NOTE: If you have issues running the scripts, you might have to run them using sudo.
> Also try using different USB-ports (preferably USB-2.0-ports)
> ...
In all Linux OS the correct way for a normal user to gain read/write access to the serial ports (UARTs) is to make himself a member of the "dialup" group.
You can do this by issuing once the following command (two alternatives given here, use only one):
Code:
sudo adduser MY_USER_NAME dialout
or
Code:
sudo usermod -a -G dialout MY_USER_NAME
This avoids using "sudo" and having to type password several times to gain permission to access the serial device,
it also solved many issues I was having due to multiple concurrent access to the Serial Ports and/or USB Ports from
various software and devices (Bluetooth, Camera, Phones, Digital Signing, Crypto Cards, Prolific/FTDI serial converters ... ).
And this is another suggestion for those continuously testing phones and tablets ...
To avoid trashing the tablet connectors due to continuous connect/disconnect of the USB cables I highly recommend
using the following type of USB Multiport Hub with power switches or similar (there are both USB 2.0 and USB 3.0 versions)
they are inexpensive and really unique in its type having an on/off switch for every port effectively help to avoid damaging connectors.
Have a good hacking night. :good:
.:HWMOD:.
---------- Post added at 02:34 AM ---------- Previous post was at 02:17 AM ----------
Pix12 said:
> So I can do this without opening it up if I'm on a newer version?
> ---------- Post added at 06:44 PM ---------- Previous post was at 06:34 PM ----------
> So my 5.1.1 Fire, which I believe was originally on 5.0.1 worked.
> ---------- Post added at 06:51 PM ---------- Previous post was at 06:44 PM ----------
> I mean it worked without having to brick or open it up.
This is the proof that it was possible to make the hack available to a bigger group of users.
Another big achievement obtained by the awesome @k4y0z though in my tests this is not
always possible yet, more testing will probably reveal the reason and let's improve on that.
This is especially annoying on the 7th Gen tablets but I keep hoping a simpler way would help there.
Disconnecting the battery makes the difference at times and that means just removing two small screws.
.:HWMOD:.
k4y0z said:
> Read this whole guide before starting.
> This is for the 5th gen Fire.
> It can also be used to root a 7th gen, but there are some differences.
> It's best you wait for a separate guide how to use this to root your 7th gen.
> :
> :
> Very special thanks to @xyz' for making all this possible and putting up with the countless questions I have asked, helping me finish this.
> Thanks also to @ANDROID2468 and @bibikalka for testing things.
Outstanding contribution. Clear, concise and relevant to a broad community with appropriate acknowledgements. This is what XDA is all about.
hwmod said:
> @k4y0z
> There is still some quirk I have on the 7th Gen tablets with the "microloader" code, though it works well
> with the 5th Gen, so I am assuming that something can be improved on the 7th Gen and maybe in general.
What quirks other than the non-functional screen?
Have you tested what I suggested in the other thread?
> In all Linux OS the correct way for a normal user to gain read/write access to the serial ports (UARTs) is to make himself a member of the "dialup" group.
That would be the "correct" way of course, I just assumed people were using live-systems, so sudo seems like the easier solution.
k4y0z said:
> What quirks other than the non-functional screen?
> Have you tested what I suggested in the other thread?
> That would be the "correct" way of course, I just assumed people were using live-systems, so sudo seems like the easier solution.
Yes I tried to use the file "boot.7th.patched.img" you shared and the UART but the tablet doesn't boot up,
it crashes as soon as the "microloader.bin" is executed, the log says something like "undefined, aborting"
instead of printing the heading "microloader by xyz. Copyright 2019" as it does with the 5th Gen.
It doesn't print the message "Something went horribly wrong!" that the code prints if an error is detected.
It seems the error has to do with a wrong load address, after the error the processor registers are dumped.
Two things I noticed the first shouldn't be a problem but all the image wrappers contains a residual
from the mt8163 platform, the parameters "bootopt=64S3,32N2,32N2". It is present also in "microloader.bin".
I understand that probably it doesn't do anything bad on our Fire mt8127 platform but removing these would
also ensure that possible behaviours are also removed and we don't have that "cmdline" parameter hanging
around without a precise scope.
The second thing is that it seems to me the "boot.7th.patched.img" you shared and asked me to try doesn't
come from version 5.6.3 of the firmware and that may be another point which might break the loading
process and the version mismatches I am seeing on the 7th Gen.
So we don't have a native "preloader" for the 7th Gen that allows booting images as we have for the 5th Gen so
we are forced to use the one we have from 5th Gen but then we have no matching secondary loader and that
might be another reason we are having a hard time replicating the process that runs smoothly on the 5th Gen.
However, even on the 7th we have gained "root" by using the "SuperSu" and also the TWRP seems to be working
well and following that path also the touch screen problems do not show up and everything run natively correct.
Now, what happens when we face the update route is still unknown, however we will soon learn that since this
evening my 5th Gen downloaded as much as 18 components that needed to be updated on 5.6.3.
I captured them all and have saved the 18 pieces, all are "apk" files, no ".zip" and no ".bin" files.
I am going to download the update version you released today and the patched TWRP and
tomorrow I will restart testing everything again and will let you know if something changes and if there are
further improvements for the 7th Gen.
One request I have is: where can I put more kernel "cmdline" parameters as you did with "printk_disable_uart=0" ?
That's all for now, thank you again for the nice surprises !
.:HWMOD:.
hwmod said:
> Yes I tried to use the file "boot.7th.patched.img" you shared and the UART but the tablet doesn't boot up,
> it crashes as soon as the "microloader.bin" is executed, the log says something like "undefined, aborting"
> instead of printing the heading "microloader by xyz. Copyright 2019" as it does with the 5th Gen.
> It doesn't print the message "Something went horribly wrong!" that the code prints if an error is detected.
> It seems the error has to do with a wrong load address, after the error the processor registers are dumped.
Ok that shouldn't happen, it should at least get further than that.
You are testing it with the 5th gen preloader/lk correct?
Maybe I messed something up creating the image.
I have attached a new one from the 7th 5.6.3 firmware.
Please use the new version 1.1 of the package I just updated a few minutes ago.
(It uses different addressing).
hwmod said:
> Two things I noticed the first shouldn't be a problem but all the image wrappers contains a residual
> from the mt8163 platform, the parameters "bootopt=64S3,32N2,32N2". It is present also in "microloader.bin".
> I understand that probably it doesn't do anything bad on our Fire mt8127 platform but removing these would
> also ensure that possible behaviours are also removed and we don't have that "cmdline" parameter hanging
> around without a precise scope.
I don't think that will cause any issues, the kernel should at least load and print something to UART.
It's not even loading the microloader correctly. (which should work, since it works for TWRP)
hwmod said:
> One request I have is: where can I put more kernel "cmdline" parameters as you did with "printk_disable_uart=0" ?
I will have to think about that, the flags would need to be stored somewhere.
Sadly the 5.6.3 bootloader doesn't support "oem append-cmdline" anymore.
k4y0z said:
> Ok that shouldn't happen, it should at least get further than that.
> You are testing it with the 5th gen preloader/lk correct?
> Maybe I messed something up creating the image.
> I have attached a new one from the 7th 5.6.3 firmware.
> Please use the new version 1.1 of the package I just updated a few minutes ago.
> (It uses different addressing).
> I don't think that will cause any issues, the kernel should at least load and print something to UART.
> It's not even loading the microloader correctly. (which should work, since it works for TWRP)
> I will have to think about that, the flags would need to be stored somewhere.
> Sadly the 5.6.3 bootloader doesn't support "oem append-cmdline" anymore.
What about "fastboot --cmdline" that is in the help of newer version ?
I have never been able to use that. Can that be made to work in some way ?
hwmod said:
> What about "fastboot --cmdline" that is in the help of newer version ?
> I have never been able to use that. Can that be made to work in some way ?
I haven't tried, my fastboot doesn't support this option.
If the 5.6.3 LK supports it, it should work in hacked fastboot mode.
k4y0z said:
> I haven't tried, my fastboot doesn't support this option.
> If the 5.6.3 LK supports it, it should work in hacked fastboot mode.
Here it is !
Taken from Fedora 29 should work on any recent Linux.
See the line I have made in bold in the included help output here.
Seems to indicate that "fastboot" will pass the "cmdline" parameter,
obviously it needs to be implemented in the target platform though.
Code:
# fastboot --help
usage: fastboot [OPTION...] COMMAND...

flashing:
 update ZIP                 Flash all partitions from an update.zip package.
 flashall                   Flash all partitions from $ANDROID_PRODUCT_OUT.
                            On A/B devices, flashed slot is set as active.
                            Secondary images may be flashed to inactive slot.
 flash PARTITION [FILENAME] Flash given partition, using the image from
                            $ANDROID_PRODUCT_OUT if no filename is given.

basics:
 devices [-l]               List devices in bootloader (-l: with device paths).
 getvar NAME                Display given bootloader variable.
 reboot [bootloader]        Reboot device.

locking/unlocking:
 flashing lock|unlock       Lock/unlock partitions for flashing
 flashing lock_critical|unlock_critical
                            Lock/unlock 'critical' bootloader partitions.
 flashing get_unlock_ability
                            Check whether unlocking is allowed (1) or not(0).

advanced:
 erase PARTITION            Erase a flash partition.
 format[:FS_TYPE[:SIZE]] PARTITION
                            Format a flash partition.
 set_active SLOT            Set the active slot.
 oem [COMMAND...]           Execute OEM-specific command.

boot image:
 boot KERNEL [RAMDISK [SECOND]]
                            Download and boot kernel from RAM.
 flash:raw PARTITION KERNEL [RAMDISK [SECOND]]
                            Create boot image and flash it.
[B] --cmdline CMDLINE          Override kernel command line.[/B]
 --base ADDRESS             Set kernel base address (default: 0x10000000).
 --kernel-offset            Set kernel offset (default: 0x00008000).
 --ramdisk-offset           Set ramdisk offset (default: 0x01000000).
 --tags-offset              Set tags offset (default: 0x00000100).
 --page-size BYTES          Set flash page size (default: 2048).
 --header-version VERSION   Set boot image header version.
 --os-version MAJOR[.MINOR[.PATCH]]
                            Set boot image OS version (default: 0.0.0).
 --os-patch-level YYYY-MM-DD
                            Set boot image OS security patch level.

Android Things:
 stage IN_FILE              Sends given file to stage for the next command.
 get_staged OUT_FILE        Writes data staged by the last command to a file.

options:
 -w                         Wipe userdata.
 -s SERIAL                  Specify a USB device.
 -s tcp|udp:HOST[:PORT]     Specify a network device.
 -S SIZE[K|M|G]             Break into sparse files no larger than SIZE.
 --slot SLOT                Use SLOT; 'all' for both slots, 'other' for
                            non-current slot (default: current active slot).
 --set-active[=SLOT]        Sets the active slot before rebooting.
 --skip-secondary           Don't flash secondary slots in flashall/update.
 --skip-reboot              Don't reboot device after flashing.
--disable-verity Sets disable-verity when flashing vbmeta.
--disable-verification Sets disable-verification when flashing vbmeta.
--wipe-and-use-fbe Enable file-based encryption, wiping userdata.
--unbuffered Don't buffer input or output.
--verbose, -v Verbose output.
--version Display version.
--help, -h Show this message.
.:HWMOD:.
hwmod said:
Here it is!
Taken from Fedora 29; it should work on any recent Linux.
See the line I have made bold in the included help output here.
It seems to indicate that "fastboot" will pass the "cmdline" parameter;
obviously it needs to be implemented in the target platform though.
Just noticed in mine there is
-c <cmdline> Override kernel commandline.
I don't think it's supported by LK.
I suppose you could just rebuild a kernel-image with the appropriate cmdline.
k4y0z said:
Just noticed in mine there is
I don't think it's supported by LK.
I suppose you could just rebuild a kernel-image with the appropriate cmdline.
Yes, that was another form of passing the same arguments in a previous version of "fastboot".
I am keeping a collection of "fastboot" versions, and by looking at the "lk" binaries I see there are
still a lot of strings referring to "cmdline" handling.
If there is a way to still pass some parameter it might be feasible to inject some on the "cmdline".
Another thing I have been exploring is the MISC partition which contains the ENV variable of "lk".
There is a parameter written in the "lk" environment which resides in that MISC partition, which is
"off-mode-charge=1"; that parameter is followed by a simple CRC sum of the bytes of the string.
I thought that maybe writing more parameters in MISC would result in a parameter injection
but I didn't have the success I hoped for; maybe I didn't test well enough or got something wrong. Anyway,
that MISC partition is almost empty and maybe it can be used too as extra persistent memory should
we need to save something bigger than a couple of kilobytes.
Have fun!
.:HWMOD:.
~
k4y0z said:
If you're on a newer preloader, there are two options:
Open the device and short the pin marked in the attached photo to ground while plugging in.
Downgrade to 5.0.1 firmware via adb sideload in Amazon recovery, then proceed to use the left volume button to enter boot-rom.
Thanks also to @[email protected]
Wasn't exactly clear on this, so on the 7th gen we can sideload the 5.0.1 firmware (bricking the device), then we're able to enter boot-rom and are able to continue with the rest of the steps?
Rortiz2 said:
@hwmod finally I rooted the fire 7 7th gen! Thanks to @mateo121212 !
With the new files k4y0z posted I am working on streamlining the process to make a simpler method for the 7th gen. Also, the SU 2.82 sr5 edits the .sh file that rebuilds the recovery. That's why some people lose their recovery even if they flash both system and boot from the same FW.
.
~
This thread is a note to self. Feel free to follow, but it's not meant for beginners.
The idea is to change build.prop to older build #s (on a rooted device with TWRP !), and force Amazon to provide some earlier versions as well which are otherwise obfuscated. On existing not freshly reset devices, Amazon seems to do updates in sequence in order to avoid unhappy users if jumpy updates disable the apps, thus providing older versions as well in the sequence. This approach was tested on Fire stick 2, and the links to 2 very old versions were recovered as a proof of concept:
Fire TV Stick 2 Firmware and apps. Official Cloud Front direct links
@rbox, @0815hoffi, @Sus_i, @Kramar111, @k4y0z, @Ighor, @Pretoriano80 and others, Let's do a thread similar to 4k. Please contribute the cloudfront links you have for other versions. Sharing is caring! Let me seed a few links, the 2 very early...
forum.xda-developers.com
But this should work fine for other rooted Fire TV devices with TWRP, such as Fire 4k.
In comparison, another method inflates the version numbers, as to avoid any updates ( @aftvnews ):
How to block updates on a rooted Fire TV or Fire TV Stick by setting a custom Fire OS version number
This is a new method of blocking software updates on a rooted Fire TV or Fire TV Stick. It involves setting a custom software version number in the device's build.prop configuration file. Rbox came up with this idea and asked me to test if it works.
www.aftvnews.com
To simplify things, I assume you have build.prop for the current FireOS and the old one you want to "upgrade":
Code:
grep -v ro.build build.prop.current > build.prop.tmp
grep ro.build build.prop.old >> build.prop.tmp
Once you have the hybrid build.prop.tmp, copy it into /system/build.prop . Reboot. Start logcat watch:
How to grab URL ota update of any android device??
Sent from my AO5510 using XDA Free mobile app
forum.xda-developers.com
Check for updates in the menu. It should start downloading an old version. It may do an incremental one. Wait for it to fail in TWRP. If it fails immediately (without a reboot to TWRP), clear /cache and /dalvik (via a reboot to TWRP), and try again. Once an incremental version fails properly in TWRP, it will try to download the full one. Soon enough, you'll be able to fish out the link to the full old version from logcat (grep cloudfront).
It's possible only 1 line in build.prop needs to be changed, but I have not tested if 1 variable ( ro.build.version.number ?) really works on its own. That's why I was replacing all "ro.build" lines.
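The merge and the logcat search described in this post, as an added example that is not part of the original post. It matches `ro.build.` keys at the start of the line rather than anywhere in the line, lists which keys change so the hybrid can be reviewed before it is copied, and pulls unique CloudFront URLs from a saved logcat capture. The file names follow the post; the function names, property values and log lines are constructed for the example.

```shell
#!/bin/sh
# Added example, not from the original post. File names follow the post;
# all property values and log lines in demo() are constructed samples.

# Hybrid build.prop: all non-ro.build lines from CURRENT, then the
# ro.build.* lines from OLD. Matching the key at line start avoids
# catching comments or values that merely contain "ro.build".
make_hybrid() {   # make_hybrid CURRENT OLD OUT
    grep -v '^ro\.build\.' "$1" > "$3" || [ $? -eq 1 ]
    grep '^ro\.build\.' "$2" >> "$3" || [ $? -eq 1 ]
}

# Print the ro.build.* keys whose line differs between CURRENT and HYBRID,
# so the change can be reviewed before the file is copied to /system.
changed_keys() {  # changed_keys CURRENT HYBRID
    awk -F= 'NR == FNR { cur[$1] = $0; next }
             $1 ~ /^ro\.build\./ && cur[$1] != $0 { print $1 }' "$1" "$2"
}

# Pull unique CloudFront URLs out of a saved logcat capture.
ota_urls() {      # ota_urls LOGFILE
    grep -o 'https\{0,1\}://[^ "]*cloudfront\.net[^ "]*' "$1" | sort -u
}

demo() {
    dir=$(mktemp -d) || return 1
    cat > "$dir/build.prop.current" <<'EOF'
# constructed sample; this comment mentions ro.build but is not a key
ro.build.version.number=222222222
ro.build.display.id=SAMPLE_NEW
ro.product.model=SAMPLE
EOF
    cat > "$dir/build.prop.old" <<'EOF'
ro.build.version.number=111111111
ro.build.display.id=SAMPLE_OLD
ro.product.model=SAMPLE
EOF
    cat > "$dir/logcat.txt" <<'EOF'
01-01 00:00:01.000 I/SampleOta: GET https://example.cloudfront.net/sample/update-full.bin
01-01 00:00:02.000 I/SampleOta: retry https://example.cloudfront.net/sample/update-full.bin
01-01 00:00:03.000 I/Other: unrelated line
EOF
    make_hybrid "$dir/build.prop.current" "$dir/build.prop.old" "$dir/build.prop.tmp"
    echo "keys that change:"
    changed_keys "$dir/build.prop.current" "$dir/build.prop.tmp"
    echo "URLs seen in the log:"
    ota_urls "$dir/logcat.txt"
    rm -rf "$dir"
}
demo
```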
Howdy!
I have gone through the painstaking process of contacting Epson about kernel source for the BT-200 as the only Android version available officially is Android 4.
Having jumped through these hoops, I have gotten an OFFICIAL copy of the Kernel source code required to create a custom ROM.
Now the fun parts begin!
Bootloader needs to be unlocked (assuming it's locked to begin with), a flashing process needs to be established, and security checks need to be bypassed, and we'll finally be free from an old, oppressive Android environment!
I understand the community surrounding the BT-200 is quite small developer wise. I am going to be working on my own to do this assuming my attempt to reverse-engineer the display fails (seems to be MIPI DPI, possible to drive but not exactly ideal) and update with whatever progress I make.
The official link for the kernel source can be found HERE
Archive.org link HERE in case the above is removed for any reason.
SHA-1: 827B9352DB3001F4D018EF743CED2441AAF5589B
File hash was calculated off of my original download. Any copies you get from the official or separate sources should match it, if you are worried about the file's integrity.
I'm not sure the above is meant to be public but I doubt I can be punished for sharing a public facing link.
Feel free to ask for any additional information here, whether related to ROM development or hardware reverse-engineering. I am working on this from a hobby standpoint but I am excited to see this device get a new lease on life!
Can you please keep me informed of the developments?
Hiya, any updates on this front? The ancient Android 4 on my rooted BT-200 really does make it quite useless as most apps simply can't run on the thing due to the old Android. And now my Play Store won't sign in to Google anymore. (Not sure if there's a way to fix that with a more up-to-date but not fully up-to-date enough to not work on Android 4 at all version of the Play Store)
I wish I could help out but I know nothing about Android ROM development. I've built the Linux kernel and made some custom distros for PC x86, but as far as Android goes, I don't know much about its internals other than how to use ADB.
EDIT:
In case anyone's curious how I got mine, since there seem to be so few owners of these out there, I thought I'd tell the tale. Classic story really, tech startup has big dreams of taking the world by storm with their totally genius idea that's never been tried before, buys like 50 advanced (*at the time, probably) AR goggles, develops apps for it, goes bust after like 5 minutes, liquidates their assets, and gives away whatever they can't sell for free.
Funnily enough, I know a guy who got a free Google Glass the exact same way. Yep, the startups never learn. Hold on, I also know someone working for a company doing Hololens stuff... Uh oh.
I recently bought one of these devices used. Now it is open and its resistance against being hacked is crumbling away.
I plan to port postmarketos to it, I have brought some initial support for half a dozen ebookreaders to mainline linux kernel (and mostly full support in pmOS for some of them).
So the BT200 will probably have to give up its resistance quickly.
What kind of device do you have? The retail one (without adb initially) or the developer one (with adb).
There is gpio-138 to turn on (by shorting it to GND, pin is configured with internal pullup) serial console (the group of 4 holes on the board, 1.8V!!!). Not found where it is yet, but at least console output can be enabled from a running system using
devmem2 0x4A100144 h 0x118
devmem2 0x4A100146 h 0x0
I am wondering what JP1 on the board is for, it looks quite interesting. That is a little braindump.
I hopefully found some more time this weekend to verify some more information I have.
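As an added example (not part of the original post), the two devmem2 writes quoted above can be decoded field by field with a small shell script. The bit positions and the pad names for these two addresses are assumptions taken from the mainline Linux OMAP4 pinmux definitions, not from the thread; the function names are made up for the example.

```shell
#!/bin/sh
# Added example, not from the thread. Bit positions and pad names are
# assumptions taken from mainline Linux OMAP4 pinmux definitions.

UART3_RX_PAD=$(( 0x4A100144 ))   # assumed: uart3_rx_irrx
UART3_TX_PAD=$(( 0x4A100146 ))   # assumed: uart3_tx_irtx

# Decode one 16-bit OMAP4 pad configuration value into readable fields.
decode_pad() {
    val=$(( $1 & 0xFFFF ))
    out="mux_mode=$(( val & 0x7 ))"            # bits 2:0 select the function
    if [ $(( val & 0x008 )) -eq 0 ]; then      # bit 3: pull enable
        out="$out pull=off"
    elif [ $(( val & 0x010 )) -ne 0 ]; then    # bit 4: pull type
        out="$out pull=up"
    else
        out="$out pull=down"
    fi
    if [ $(( val & 0x100 )) -ne 0 ]; then      # bit 8: input buffer enable
        out="$out input=enabled"
    else
        out="$out input=disabled"
    fi
    if [ $(( val & 0x4000 )) -ne 0 ]; then     # bit 14: wakeup enable
        out="$out wakeup=on"
    fi
    printf '%s\n' "$out"
}

# Map a physical address to a pad name (only the two pads used in the post).
pad_name() {
    case $(( $1 )) in
        "$UART3_RX_PAD") echo "uart3_rx_irrx" ;;
        "$UART3_TX_PAD") echo "uart3_tx_irtx" ;;
        *) echo "unknown" ;;
    esac
}

# Explain a halfword write of the form "devmem2 ADDR h VALUE".
explain_devmem2() {
    set -- $1
    if [ "$#" -ne 4 ] || [ "$1" != "devmem2" ] || [ "$3" != "h" ]; then
        echo "error: expected 'devmem2 ADDR h VALUE'" >&2
        return 1
    fi
    echo "$(pad_name "$2"): $(decode_pad "$4")"
}

# The two commands from the post.
while read -r line; do
    explain_devmem2 "$line"
done <<'EOF'
devmem2 0x4A100144 h 0x118
devmem2 0x4A100146 h 0x0
EOF
```

Under these assumptions the first write sets the UART3 receive pad to mode 0 as an input with pull-up and the second sets the transmit pad to mode 0 as a plain output, which is consistent with the post's statement that console output appears afterwards.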
andi44 said:
I recently bought one of these devices used. Now it is open and its resistance against being hacked is crumbling away.
I plan to port postmarketos to it, I have brought some initial support for half a dozen ebookreaders to mainline linux kernel (and mostly full support in pmOS for some of them).
So the BT200 will probably have to give up its resistance quickly.
What kind of device do you have? The retail one (without adb initially) or the developer one (with adb).
There is gpio-138 to turn on (by shorting it to GND, pin is configured with internal pullup) serial console (the group of 4 holes on the board, 1.8V!!!). Not found where it is yet, but at least console output can be enabled from a running system using
devmem2 0x4A100144 h 0x118
devmem2 0x4A100146 h 0x0
I am wondering what JP1 on the board is for, it looks quite interesting. That is a little braindump.
I hopefully found some more time this weekend to verify some more information I have.
I'm not sure if mine is a retail unit or not, but if adb is only enabled on dev units then it must be a dev unit, it in fact comes with developer mode already enabled, even when you do a factory reset. So I was able to adb into it fine. Makes sense mine was a dev unit given where it comes from, too.
I've also got it rooted now, though like I mentioned the Play Store won't sign in.
Still, sounds like some awesome reverse engineering you're doing there. I had to open mine up just to unplug and replug the battery cable. It was so dead that it wouldn't charge or come on, but that seemed to kick it back to life and now it holds a charge.
I played a bit around with reconfiguring boot order via software (persists until next cold boot),
Serial console output:
[ 110.104614] SysRq : Emergency Remount R/O
[ 110.116455] EXT4-fs (mmcblk0p8): re-mounted. Opts: (null)
[ 110.133239] EXT4-fs (mmcblk0p11): re-mounted. Opts: (null)
[ 110.155792] EXT4-fs (mmcblk0p9): re-mounted. Opts: (null)
[ 110.165161] EXT4-fs (mmcblk0p10): re-mounted. Opts: (null)
[ 110.172668] Emergency Remount complete
[ 111.113891] SysRq : Resetting
[...]
-> Some oopses left out
[ 111.233093] r7:c08601a0 r6:600001d3 r5:00000001 r4:c0825Android+ ([email protected]) (gcc version 4.4.1 (Sourcery G++ Lite 2010q1-202) ) #1 SMP PREEMPT Sun Feb 22 04:57:56 UTC 2015
[ 111.258514]
-> last words from the old kernel
[email protected]!
-> serial boot recovery protocol, but timed out and boot starts from uSD
U-Boot SPL 2022.10-dirty (Nov 05 2022 - 21:04:17 +0100)
OMAP4460-GP ES1.1
Trying to boot from MMC1
-> apparently RAM is at least a bit correctly setup, main uboot is not ready yet,
SPL was at 0x20000 of uSD.
Conclusion: you can boot bootloaders without cryptographic protection on that device.
The tool for reconfiguring boot order (including source) until next power cycle is attached. It can be executed on adb shell as root. It also prints out some debug information on boot order wired in the hardware, reconfigures boot order and reboots.
If I understand it correctly it is: 0b110110 MMC2(1) USB(1) UART MMC1
MMC2 = internal eMMC, MMC1= uSD slot, USB(1)= some TI specific usb recovery boot. So if we provoke a failure on eMMC boot on some way, probably in the end the uSD is examined.
My tool sets the order to UART, USB, uSD card. Without opening the device, you will see the usb device for a few seconds. I guess the battery does *NOT* get charged in that situation (and then maybe you have to detach/reattach the battery to have it started again, happened to me), so power off the device by moving the power switch for a long time after playing with this tool and then you can power it on as usual to boot to the original system.
I have managed to port u-boot 2022.10 to that device, so that it can load stuff from the uSD card. I will add some documentation, but for now it is just the branch v2022.10-epson on https://github.com/akemnade/u-boot
There is omap4_embt2ws_defconfig and a script install-epson-bt200-sdcard.sh to install it to a uSD card.
It is still quite rough.
Next thing I will do is start kernel hacking with that device.
I will keep you up to date on further progress.
Some updates, the most interesting things. Pointers to further documentation will follow.
Progress is a bit slower than expected. But by playing around with alternate pullup and pulldown in pinmux setting of gpio-138 I could find the signal on the pcb. It is indeed at JP1 (backside of PCB near volume down button).
If you short it, factory U-Boot also begins talking. The 1.8V serial console is at CN1. You can break into u-boot and start e.g. fastboot. u-boot also reads the file sdboot.scr from the first fat partition of the inserted uSD-card and executes that as u-boot script if it passes censorship by the check_code command. That means that if that censorship is understood and not too hard, installation/booting of alternative systems can be started by just inserting a specially-crafted uSD-Card before boot. No need to open the case or do any rooting before.
Anyone seen the source code of factory u-boot? What was the process to get the kernel source?
I could use help on reverse-engineering that check_code command or maybe just some creative ideas what might be accepted.
I have also managed to boot a patched 6.0.2 kernel now, but not many things are working yet.
I have finally put together some documentation here:
Epson Moverio BT-200 (embt2ws) - postmarketOS
wiki.postmarketos.org
Home
Linux kernel source tree. Contribute to akemnade/linux development by creating an account on GitHub.
github.com
Home
"Das U-Boot" Source Tree. Contribute to akemnade/u-boot development by creating an account on GitHub.
github.com
Display backlight is working now, next thing to tackle is really the display.