Walked in B&N today to upgrade to a NST to root knowing that I wouldn't be tempted by the Glowlight versions out May 7th but the B&N Nook guy said, "hey we already have them and a couple of people cancelled their pre-orders, do you want one?"
I couldn't resist and brought it home.
so far I have found no one trying to root a NST-GL yet so here are my observations (but not a review) about the new 1.1.5 firmware on it and the Glowlight hardware after a couple of hours.
the basic menu now has a Glowlight item on the basic "n" press menu which brings up the brightness slider. there is also a little lightbulb always there in the top taskbar next to the wifi icon which shows on/off. I am hoping these are only additional programs and updated menu that wouldn't be affected by root.
press and hold for 2 seconds and toggle the light on/off as reviews have said. it really seems like a hardware function as it works even with the screen locked (but not asleep). I am not ready to try Nooter on it because of this special "n" function and wonder if it would work with the current version of NookColor Tools to get to the adw launcher.
also, just letting everybody know these are in stores already if someone wants to be first to root.
Just attempted to touchnooter the NST Glow. No luck. Here is what happened...
Downloaded Touchnooter-2-1-31
Used WinImage to create the microSD boot "disc"
Powered off Nook and inserted microSD card
Powered Nook on, showed Touchnooter instructions on boot (black flash, remove, reboot, etc.)
Removed microSD and rebooted
Came up to normal "Nook - Read Forever" initial boot screen
Displayed "Nook" boot screen (the one with 5 dots)
Counted through the dots a few times, sorry I didn't get the exact count
Glow light comes on and stays on
Screen will flash black and it will count 3 dots, then flash again and repeat
I let the unit stay on this "stuck loop" for several minutes (at least 10) and nothing changed.
I ended up doing the 8 failed boots restore and the unit is functional again, and "unrooted", so I didn't brick it. But it looks like there is a little work that needs to be done to root the NST Glow.
Thanks for the update David... I'm anxiously awaiting a new nooter
All those "Super Nooters" bash jars.
Jars are version dependent.
The Nook Glow is using 1.1.5 not 1.1.2
Try plain Noogie.
Noogie will most likely work just fine, I don't actually have a nook with Glow Light so I can't do any development toward rooting it, I can't imagine a lot has changed, so you can probably replace the correct jar files mentioned above with modified ones and it'd work. I'll see if I can get my hands on one of the new devices in the next few weeks.
thanks for charging forward on this...
I'm curious about this as well. I have a rooted Nook Color that, since getting a TouchPad, I only use as an eReader for stuff from B&N and Amazon. I'm considering selling it and getting a Simple Touch Glowlight for my eReader duties but would like to be able to use Kindle Reader on it as well as the Nook app. I'll be watching this thread to see if/when folks get it rooted.
NSTG 1.1.5
I also am interested in rooting the Glowlight, my wife got one for her birthday and wants to load a couple of apps on it. I'm tempted to try Noogie, but I can't risk bricking her device. Is there a reliable path for restoring a NST if rooting via Noogie fails?
Praeluceo said:
... but I can't risk bricking her device. Is there a reliable path for restoring a NST if rooting via Noogie fails?
Click to expand...
Click to collapse
If you apply Noogie and made a backup of your Nook - then you have a copy and you didn't touch or modify anything on your nook. Once having a backup, you should be fine. Read the thread related to this (backup) and WATCH out for the size of your backup image !!!
I think, that I would go or the MinimalTouch rooting method (once I place my hands on this new one )
B&N v1.1.5 uRamdisk
Renate NST said:
The Nook Glow is using 1.1.5 not 1.1.2
Try plain Noogie.
Click to expand...
Click to collapse
When I used Noogie to root my Nook Touches, the accompanying thread (which I will find in a few moments) said to just replace the default boot uRamdisk with one of two possibilities: one for USB ADB access, and one for WiFi access. That worked fine on my Nook Touches !!
Using the same uRamdisk for my Nook Glow disabled the GlowLight, but allowed the extraction of "factory.zip":
http://www.mailpen.com/download/bnFirmware/touch/factory-v1.1.5.zip (108MB)
Hopefully it can be "patched" to provide uRamdisks for USB and WiFi access (I prefer the latter).
DeanGibson said:
When I used Noogie to root my Nook Touches, the accompanying thread (which I will find in a few moments) said to just replace the default boot uRamdisk with one of two possibilities: one for USB ADB access, and one for WiFi access. That worked fine on my Nook Touches !!
However, I'm a bit reluctant to use the same uRamdisk for my Nook Glow, especially since as you note, it is a different B&N release (despite the sizes being almost identical). So, for those that know what was done, but don't have a Nook Glow, the link below provides the one I extracted from my Nook Glow (via Noogie).
http://www.mailpen.com/download/uRamdisk-1_1_5.zip
Hopefully it can be "patched" to provide uRamdisks for USB and WiFi access (I prefer the latter).
Click to expand...
Click to collapse
A copy of the factory.zip would be even more helpful.
GabrialDestruir said:
A copy of the factory.zip would be even more helpful.
Click to expand...
Click to collapse
I agree !!! The "Noogie" that I booted only gave me USB file access to the BOOT partition, and I can get you other stuff in that partition, if that helps.
Is there a bootable SD card image that would give me ADB root command-line access, so that I could mount arbitrary partitions on the device and extract factory.zip and anything else you and/or I desired?
Edit: See my response in the related thread. Now that I know that it is safe to use the modified 1.1.0 uRamdisk to at least get root access, I can extract factory.zip and post a link to it, probably (assuming nothing goes wrong, goes wrong, goes wrong, ...) in about an hour.
Here we go, uRamdisk for NTG is attached.
Should enable ADB permanently without affecting anything else.
A good swap !!!
GabrialDestruir said:
Here we go, uRamdisk for NTG is attached.
Should enable ADB permanently without affecting anything else.
Click to expand...
Click to collapse
Just what I wanted !!!
And here we go w/ factory.zip (renamed for download):
http://www.mailpen.com/download/bnFirmware/touch/factory-v1.1.5.zip (108MB)
DeanGibson said:
Just what I wanted !!!
And here we go w/ factory.zip (renamed for download):
http://www.mailpen.com/download/factory-1_1_5.zip
Click to expand...
Click to collapse
This will help people who modify .jar files for TouchNooter and MinimalNooter meaning once they get this downloaded they should be able to modify all the right files and the NTG will get fully rooted.
I spoke too soon ...
GabrialDestruir, your uRamdisk in uRamdisk.zip:
When copied to the boot partition, booted fine, and the GlowLight works.
However, I do not have root ADB access (like I did with the uRamdisk for the Touch 1.1.0 on both the Touch and the Glow).
DeanGibson said:
GabrialDestruir, your uRamdisk in uRamdisk.zip:
When copied to the boot partition, booted fine, and the GlowLight works.
However, I do not have ADB access (like I did with the uRamdisk for the Touch 1.1.0 on both the Touch and the Glow).
Did you enable ADB over USB or over WiFi? I tried to connect using both connection methods. If you provided a WiFi version, I can ping it, but "adb connect ..." doesn't connect. Note that the uRamdisk (for WiFI) for the original Touch allows connections just fine (but alas, no GlowLight).
Click to expand...
Click to collapse
It should be USB enabled from the changes I made.
New version with default.prop modified uploaded below.
Also posted the changed files.
Modified init.rc in this version:
Code:
on init
loglevel 3
# setup the global environment
export PATH /sbin:/system/sbin:/system/bin:/system/xbin
export LD_LIBRARY_PATH /system/lib
export ANDROID_BOOTLOGO 1
export ANDROID_ROOT /system
export ANDROID_ASSETS /system/app
export ANDROID_DATA /data
export EXTERNAL_STORAGE /sdcard
export INTERNAL_STORAGE /media
export BN_PURCHASED_CONTENT /data/media
export BOOTCLASSPATH /system/framework/core.jar:/system/framework/ext.jar:/system/framework/framework.jar:/system/framework/android.policy.jar:/system/framework/services.jar
export DSP_PATH /system/lib/dsp
export DEFAULT_BASEIMAGE /system/lib/dsp/baseimage.dof
export QOSDYN_FILE /system/lib/dsp/qosdyn_3430.dll64P
export PM_TBLFILE /system/etc/policytable.tbl
# setup TSLIB environment
export TSLIB_CONSOLEDEVICE none
export TSLIB_FBDEVICE /dev/graphics/fb0
export TSLIB_TSDEVICE /dev/input/event2
export TSLIB_CALIBFILE /etc/pointercal
export TSLIB_CONFFILE /etc/ts.conf
export TSLIB_PLUGINDIR /system/lib/ts/plugins
# Location of BT firmware files
export BT_FW_PATH /system/lib/firmware
# Backward compatibility
symlink /system/etc /etc
# create mountpoints and mount tmpfs on sqlite_stmt_journals
mkdir /system
mkdir /tmp 0777
mkdir /data 0771 system system
mkdir /cache 0770 system cache
mkdir /media 0777 system system
mkdir /sdcard 0777 system system
mkdir /sqlite_stmt_journals 01777 root root
mkdir /rom 0770 root root
mount tmpfs tmpfs /sqlite_stmt_journals size=4m
mount rootfs rootfs / ro remount
write /proc/sys/kernel/panic_on_oops 1
write /proc/sys/kernel/hung_task_timeout_secs 0
write /proc/cpu/alignment 4
write /proc/sys/kernel/sched_latency_ns 10000000
write /proc/sys/kernel/sched_wakeup_granularity_ns 2000000
# mount MMC partitions
mount vfat /dev/block/mmcblk0p2 /rom sync noatime nodiratime uid=1000,gid=1000,fmask=117,dmask=007
# Mount /system rw first to give the filesystem a chance to save a checkpoint
mount ext2 /dev/block/mmcblk0p5 /system
mount ext2 /dev/block/mmcblk0p5 /system ro remount
# We chown/chmod /data again so because mount is run as root + defaults
mount ext3 /dev/block/mmcblk0p8 /data nosuid nodev noatime nodiratime
chown system system /data
chmod 0771 /data
# Same reason as /data above
mount ext3 /dev/block/mmcblk0p7 /cache nosuid nodev noatime nodiratime
chown system cache /cache
chmod 0770 /cache
# This may have been created by the recovery system with odd permissions
chown system system /cache/recovery
chmod 0770 /cache/recovery
# create basic filesystem structure
mkdir /data/misc 01771 system misc
mkdir /data/misc/hcid 0770 bluetooth bluetooth
mkdir /data/misc/keystore 0700 keystore keystore
mkdir /data/misc/wifi 0771 wifi wifi
mkdir /data/misc/wifi/sockets 0771 wifi wifi
mkdir /data/misc/dhcp 0777 wifi wifi
mkdir /data/misc/udhcpd 0777 wifi wifi
mkdir /data/local 0771 shell shell
mkdir /data/local/tmp 0771 shell shell
mkdir /data/data 0771 system system
mkdir /data/app-private 0771 system system
mkdir /data/app 0771 system system
mkdir /data/property 0700 root root
# BN PurchasedContent
mkdir /data/media 0777 media system
mkdir /data/media/B\&N\ Downloads 0777 media system
mkdir /data/media/B\&N\ Downloads/Books 0777 media system
mkdir /data/media/B\&N\ Downloads/Magazines 0777 media system
mkdir /data/media/B\&N\ Downloads/Newspapers 0777 media system
mkdir /data/media/B\&N\ Downloads/Extras 0777 media system
# make sure folder has correct owner and access if the folder exists
chown media system /data/media
chown media system /data/media/B\&N\ Downloads
chown media system /data/media/B\&N\ Downloads/Books
chown media system /data/media/B\&N\ Downloads/Magazines
chown media system /data/media/B\&N\ Downloads/Newspapers
chown media system /data/media/B\&N\ Downloads/Extras
chmod 0777 /data/media
chmod 0777 /data/media/B\&N\ Downloads
chmod 0777 /data/media/B\&N\ Downloads/Books
chmod 0777 /data/media/B\&N\ Downloads/Magazines
chmod 0777 /data/media/B\&N\ Downloads/Newspapers
chmod 0777 /data/media/B\&N\ Downloads/Extras
# create dalvik-cache and double-check the perms
mkdir /data/dalvik-cache 0771 system system
chown system system /data/dalvik-cache
chmod 0771 /data/dalvik-cache
# create the lost+found directories, so as to enforce our permissions
# mkdir /data/lost+found 0770
# mkdir /cache/lost+found 0770
# change permissions for alsa nodes
symlink /dev/snd/pcmC0D0c /dev/pcmC0D0c
symlink /dev/snd/pcmC0D0p /dev/pcmC0D0p
symlink /dev/snd/controlC0 /dev/controlC0
symlink /dev/snd/timer /dev/timer
chmod 0777 /dev/pcmC0D0c
chmod 0777 /dev/pcmC0D0p
chmod 0777 /dev/controlC0
chmod 0777 /dev/timer
# change permissions for modem
chmod 0660 /dev/ttyS0
chown radio radio /dev/ttyS0
# change permissions for bridge. Symlink search directory
chmod 0777 /dev/DspBridge
# change permissions for Camera
chmod 0777 /dev/video5
chmod 0777 /dev/video0
# change permissions for Overlay
chmod 0777 /dev/video1
chmod 0777 /dev/video2
# change permissions for overlay managers and display devices
chmod 0777 /sys/devices/platform/omapdss/manager0/name
chmod 0777 /sys/devices/platform/omapdss/manager1/name
chmod 0777 /sys/devices/platform/omapdss/display0/name
chmod 0777 /sys/devices/platform/omapdss/display1/name
chmod 0777 /sys/devices/platform/omapdss/display0/enabled
chmod 0777 /sys/devices/platform/omapdss/display1/enabled
chmod 0777 /sys/devices/platform/omapdss/display1/timings
chmod 0777 /sys/devices/platform/omapdss/display0/timings
chmod 0777 /sys/devices/platform/omapdss/overlay0/manager
chmod 0777 /sys/devices/platform/omapdss/overlay1/manager
chmod 0777 /sys/devices/platform/omapdss/overlay2/manager
chmod 0777 /sys/devices/platform/omapdss/overlay0/enabled
chmod 0777 /sys/devices/platform/omapdss/overlay1/enabled
chmod 0777 /sys/devices/platform/omapdss/overlay2/enabled
# change permissions for calibration
chmod 0666 /sys/devices/platform/i2c_omap.2/i2c-adapter/i2c-2/2-0050/forcecal
# change permissions for display jni ioct
chmod 0666 /dev/graphics/fb0
# change permissions for Previewer and Resizer
chmod 0777 /dev/omap-previewer
chmod 0777 /dev/omap-resizer
# double check the perms, in case lost+found already exists, and set owner
chown root root /lost+found
chmod 0770 /lost+found
# chown root root /data/lost+found
# chmod 0770 /data/lost+found
# chown root root /cache/lost+found
# chmod 0770 /cache/lost+found
#Owners, Modes for Bluetooth
chmod 0660 /dev/ttyS1
chown bluetooth bluetooth /dev/ttyS1
chmod 0660 sys/class/rfkill/rfkill0/state
chown bluetooth bluetooth /sys/class/rfkill/rfkill0/state
write sys/class/rfkill/rfkill0/state 0
# Needed when building with DDK
chown system system /data/data
chown system system /data/system
chown system system /data/app
chown system system /data
on boot
# basic network init
ifup lo
hostname localhost
domainname localdomain
# set RLIMIT_NICE to allow priorities from 19 to -20
setrlimit 13 40 40
# Set timeout value for rmnet stats.
write /sys/devices/virtual/net/rmnet0/timeout_suspend 5000000
# Define the oom_adj values for the classes of processes that can be
# killed by the kernel. These are used in ActivityManagerService.
# setprop service.adb.tcp.port 5555
setprop ro.FOREGROUND_APP_ADJ 0
setprop ro.VISIBLE_APP_ADJ 1
setprop ro.SECONDARY_SERVER_ADJ 2
setprop ro.BACKUP_APP_ADJ 2
setprop ro.HOME_APP_ADJ 4
setprop ro.HIDDEN_APP_MIN_ADJ 7
setprop ro.CONTENT_PROVIDER_ADJ 14
setprop ro.EMPTY_APP_ADJ 15
# Define the memory thresholds at which the above process classes will
# be killed. These numbers are in pages (4k).
setprop ro.FOREGROUND_APP_MEM 1536
setprop ro.VISIBLE_APP_MEM 2048
setprop ro.SECONDARY_SERVER_MEM 4096
setprop ro.BACKUP_APP_MEM 4096
setprop ro.HOME_APP_MEM 4096
setprop ro.HIDDEN_APP_MEM 5120
setprop ro.CONTENT_PROVIDER_MEM 5632
setprop ro.EMPTY_APP_MEM 6144
# Enable auto-mounting of USB mass storage
setprop persist.service.mount.umsauto 1
# Write value must be consistent with the above properties.
# Note that the driver only supports 6 slots, so we have HOME_APP at the
# same memory level as services.
write /sys/module/lowmemorykiller/parameters/adj 0,1,2,7,14,15
write /proc/sys/vm/overcommit_memory 1
write /proc/sys/vm/min_free_order_shift 4
write /sys/module/lowmemorykiller/parameters/minfree 1536,2048,4096,5120,5632,6144
# Set init its forked children's oom_adj.
write /proc/1/oom_adj -16
# Copying hostapd.conf (WLAN soft AP)
copy /system/etc/wifi/softap/hostapd.conf /data/misc/wifi/hostapd.conf
chown wifi wifi /data/misc/wifi
# Enabling Power Management features
# Enabling sleep in idle path
write /sys/power/sleep_while_idle 1
# Enabling OFF mode
write /sys/power/enable_off_mode 1
# Enabling Voltage OFF in idle path
write /sys/power/voltage_off_while_idle 1
# Enablig DVFS with conservative governor
write /sys/devices/system/cpu/cpu0/cpufreq/scaling_governor conservative
# Enabling SmartReflex for Zoom3 OMAP3630
write /sys/power/sr_vdd1_autocomp 0
write /sys/power/sr_vdd2_autocomp 0
# Permissions for System Server and daemons.
chmod 0444 /system/usr/keychars/omap_twl4030keypad.kcm.bin
chmod 0444 /system/usr/keychars/TWL4030_Keypad.kcm.bin
chmod 0444 /system/usr/keychars/gpio-keys.kcm.bin
chmod 0444 /system/usr/keychars/qwerty.kcm.bin
chown radio system /sys/android_power/state
chown radio system /sys/android_power/request_state
chown radio system /sys/android_power/acquire_full_wake_lock
chown radio system /sys/android_power/acquire_partial_wake_lock
chown radio system /sys/android_power/release_wake_lock
chown radio system /sys/power/state
chown radio system /sys/power/wake_lock
chown radio system /sys/power/wake_unlock
chmod 0660 /sys/power/state
chmod 0660 /sys/power/wake_lock
chmod 0660 /sys/power/wake_unlock
chown system system /sys/class/timed_output/vibrator/enable
chown system system /sys/class/leds/keyboard-backlight/brightness
chown system system /sys/class/leds/lcd-backlight/brightness
chown system system /sys/class/leds/lcd-backlight/dim_brightness
chown system system /sys/class/leds/lcd-backlight2/dim_brightness
chown system system /sys/devices/platform/i2c_omap.2/i2c-adapter/i2c-2/2-0040/dim_start
chown system system /sys/class/leds/button-backlight/brightness
chown system system /sys/class/leds/jogball-backlight/brightness
chown system system /sys/class/leds/red/brightness
chown system system /sys/class/leds/green/brightness
chown system system /sys/class/leds/blue/brightness
chown system system /sys/class/leds/red/device/grpfreq
chown system system /sys/class/leds/red/device/grppwm
chown system system /sys/class/leds/red/device/blink
chown system system /sys/class/leds/red/brightness
chown system system /sys/class/leds/green/brightness
chown system system /sys/class/leds/blue/brightness
chown system system /sys/class/leds/red/device/grpfreq
chown system system /sys/class/leds/red/device/grppwm
chown system system /sys/class/leds/red/device/blink
chown system system /sys/class/timed_output/vibrator/enable
chown system system /sys/module/sco/parameters/disable_esco
chown system system /sys/kernel/ipv4/tcp_wmem_min
chown system system /sys/kernel/ipv4/tcp_wmem_def
chown system system /sys/kernel/ipv4/tcp_wmem_max
chown system system /sys/kernel/ipv4/tcp_rmem_min
chown system system /sys/kernel/ipv4/tcp_rmem_def
chown system system /sys/kernel/ipv4/tcp_rmem_max
chown root radio /proc/cmdline
# Set default dim speed to 500ms
write /sys/devices/platform/i2c_omap.2/i2c-adapter/i2c-2/2-0040/dim_time 500
# Define TCP buffer sizes for various networks
# ReadMin, ReadInitial, ReadMax, WriteMin, WriteInitial, WriteMax,
setprop net.tcp.buffersize.default 4096,87380,110208,4096,16384,110208
setprop net.tcp.buffersize.wifi 4095,87380,110208,4096,16384,110208
setprop net.tcp.buffersize.umts 4094,87380,110208,4096,16384,110208
setprop net.tcp.buffersize.edge 4093,26280,35040,4096,16384,35040
setprop net.tcp.buffersize.gprs 4092,8760,11680,4096,8760,11680
# Define modem related settings
setprop ro.radio.use-ppp yes
setprop keyguard.no_require_sim 1
setprop ro.config.nocheckin yes
# Set EPD Flushing Update percentage for AUTO Mode.
write /sys/class/graphics/fb0/epd_percent 85
# Set EPD Flush elimination window (ms) for AUTO Mode.
write /sys/class/graphics/fb0/epd_delay 100
class_start default
start omap-edpd
# start console
## Daemon processes to be run by init.
##
service console /system/bin/sh
console
# load DSP firmware
service baseimage /system/bin/cexec.out /system/lib/dsp/baseimage.dof
user root
group audio
oneshot
# Responsable of DSP recovery
service bridged /system/bin/bridged
user root
group system
oneshot
service omx_pm /system/bin/OMXPolicyManager
oneshot
service omx_rm /system/bin/OMXResourceManager
oneshot
# adbd is permanent
service adbd /sbin/adbd
service bootanim /system/bin/bootanimation
user graphics
group graphics
disabled
oneshot
#service mux /system/bin/gsm0710muxd -s /dev/ttyS1 -n 3 -m basic
#service mux /system/bin/gsm0710muxd -v -s /dev/ttyS0 -b 460800 -n 3 -m advanced
# user radio
# group radio cache inet misc
# oneshot
service servicemanager /system/bin/servicemanager
user system
critical
onrestart restart zygote
onrestart restart media
service vold /system/bin/vold
socket vold stream 0660 root mount
#service mountd /system/bin/mountd
# socket mountd stream 0660 root mount
service debuggerd /system/bin/debuggerd
# Start of SGX driver
service pvrsrv /system/bin/sh /system/bin/sgx/rc.pvr start
user root
oneshot
#service ril-daemon /system/bin/rild -l /system/lib/libidcc6071-ril.so -- -d /dev/pts/0
#service ril-daemon /system/bin/rild -l /system/lib/libenforaedg308-ril.so -- -d /dev/pts/0
# socket rild stream 660 root radio
# socket rild-debug stream 660 radio system
# user root
# group radio cache inet misc
#service pppd_gprs /etc/init.gprs-pppd /dev/pts/1
# user root
# group radio cache inet misc
# disabled
service zygote /system/bin/app_process -Xzygote /system/bin --zygote --start-system-server
socket zygote stream 666
onrestart write /sys/android_power/request_state wake
service media /system/bin/mediaserver
user media
group system audio camera graphics inet net_bt net_bt_admin
#service fw3a /system/bin/fw3a_core
# user root
# group root
#service bootsound /system/bin/playmp3
# user media
# group audio
# oneshot
service dbus /system/bin/dbus-daemon --system --nofork
socket dbus stream 660 bluetooth bluetooth
user bluetooth
group bluetooth net_bt_admin
#service bluetoothd /system/bin/bluetoothd -d -n
# socket bluetooth stream 660 bluetooth bluetooth
# socket dbus_bluetooth stream 660 bluetooth bluetooth
# # init.rc does not yet support applying capabilities, so run as root and
# # let hcid drop uid to bluetooth with the right linux capabilities
# group bluetooth net_bt_admin misc
# disabled
# oneshot
#service uim /system/xbin/uim /dev/ttyS1 3000000 1 /sys/uim/pid 19
# user root
# group media bluetooth
# oneshot
#service hciattach /system/bin/hciattach -l
# user root
## changing user to root from bluetooth is a potential security issue
## service hciattach_legacy is used instead of hciattach because, we dont
## have nodes named ttyHS0
# group bluetooth net_bt_admin misc
# disabled
# oneshot
#service hciattach_legacy /system/bin/hciattach -n /dev/ttyS1 texas 3000000
# user root
## changing user to root from bluetooth is a potential security issue
# group bluetooth net_bt_admin misc
# disabled
# oneshot
#service hfag /system/bin/sdptool add --channel=10 HFAG
# user bluetooth
# group bluetooth net_bt_admin
# disabled
# oneshot
#service hsag /system/bin/sdptool add --channel=11 HSAG
# user bluetooth
# group bluetooth net_bt_admin
# disabled
# oneshot
#service opush /system/bin/sdptool add --channel=12 OPUSH
# user bluetooth
# group bluetooth net_bt_admin
# disabled
# oneshot
#service pbap /system/bin/sdptool add --channel=19 PBAP
# user bluetooth
# group bluetooth net_bt_admin
# disabled
# oneshot
service installd /system/bin/installd
socket installd stream 600 system system
service flash_recovery /system/bin/flash_image recovery /system/recovery.img
oneshot
service wlan_loader /system/bin/tiwlan_loader \
-f /system/etc/wifi/firmware.bin \
-i /system/etc/wifi/tiwlan.ini \
-e /rom/devconf/WiFiBackupCalibration
disabled
oneshot
service ifcfg_ti /system/bin/ifconfig tiwlan0 up
disabled
oneshot
service wpa_supplicant /system/bin/wpa_supplicant -Dtiwlan0 -itiwlan0 -c/data/misc/wifi/wpa_supplicant.conf -dd
socket wpa_tiwlan0 dgram 660 wifi wifi
disabled
oneshot
service dhcpcd /system/bin/dhcpcd -ABKL -d tiwlan0
disabled
oneshot
# TI WLAN Soft AP related services and configuration
service wlan_ap_loader /system/bin/tiap_loader \
-f /system/etc/wifi/softap/firmware_ap.bin \
-i /system/etc/wifi/softap/tiwlan_ap.ini
disabled
oneshot
service udhcpd /system/bin/udhcpd /system/etc/udhcpd/udhcpdWlan.conf
disabled
oneshot
service hostapd /system/bin/hostapd -dd /data/misc/wifi/hostapd.conf
disabled
oneshot
service keystore /system/bin/keystore /data/misc/keystore
user keystore
group keystore
socket keystore stream 666
# TODO: load waveform file from ROM token /rom/devconf/EpdWaveform instead
service omap-edpd /system/bin/omap-edpd.elf -n --timeout=2 -pV220 --fbdev=/dev/graphics/fb0 -s /system/lib/dsp/subframeip_snode_dsp.dll64P -w /rom/devconf/EpdWaveform,/system/etc/default_waveform.bin
oneshot
disabled
on property:dev.bootcomplete=1
start bootcnt
service bootcnt /system/bin/clrbootcount.sh
disabled
oneshot
service debuglog /system/bin/debuglog.sh
user root
Modified default.prop in this version:
Code:
#
# ADDITIONAL_DEFAULT_PROPERTIES
#
ro.secure=0
ro.allow.mock.location=0
ro.debuggable=0
persist.service.adb.enable=1
Works with root access now
GabrialDestruir said:
It should be USB enabled from the changes I made.
New version with default.prop modified uploaded below.
Click to expand...
Click to collapse
GlowLight works, but still unable to access via USB as does root ADB access. However, I really need a WiFi version.
Edit: I forgot the "Delete the standard 'USB Composite Device', then update the driver for the displayed 'Nook Simple Touch' to be 'Android Composite ADB Interface." Now works as per above edit.
Many, many thanks to Gabrial for his hard and continuing work!
I copied in his second uRamdisk and am now rooted w/ADB support over wifi.
Copy in adb wireless to your /data/apps folder, and a launcher (both while booted from noogie, with a linux host mounting up the filesystems.) Set up /system properly for su, again just copying in from your stock ST. Enable ADB over wireless using that tool - persistent would be cool, but being able to turn it on at all is great.
I have an alternate launcher, adb over wifi, su installed.
Repartiitioning is done, symlinks are done. I didn't get the partitions exactly how I wanted them, but I have 880
mb of internal storage for myself, the unit is registered and is downloading to /media so I can fish the files I want
back out.
Win, except that the illumination is pretty uneven on my unit.
Does that improve over time?
I haven't tried getting the G market running, but I did just set up the Amazon market and it is running with no trouble at all.
I see with interest that the glowworm has a browser built into it still, exposed once you install a launcher and Button Savior.
Thanks roustabout. I might give that a try tonight.
I tried using the adb usb uRamdisk, but can never seem to get it working on my Linux box.
I am sure as others update their rooting packages a permanent adb wifi uRamdisk will emerge. It only a matter of time.
Hello, everyone!
I used NST (BNRV300) for a few years and everything was fine. But then I got battery problems - it started switching off randomly when charge goes down for more than 50%. I ordered a new battery in hope to replace it. Unfortunately, it was a fake battery, and even worse, it had a fitting connector with + and - pins switched. When I connected it, it burned my charge controller.
Now, the reader loads and works as usually, but discharges waaaay too fast - in a hour or two. Even when it's not working. Even when switched off. And it discharges the battery completely - to less than 1 volt. Of course it also doesn't charge it at all. Replacement of the controller is a huge pain - I cannot solder/unsolder it, because I don't own a hot air soldering gun and I cannot find exactly the same part for replacement. Repair guys ask about $30 for replacing the controller, and I think it's just too much for an old gadget.
I thought about buying a whole motherboard, and "powerbookmedic" place even has it for cheap, but they don't deliver in my country (Russia).
I thought about using an external charge controller, like those cheap TP4056-based boards from aliexpress. It would allow me to charge the battery and prevent it from full discharge, but what to do with the fast discharging? Maybe there is some way to exclude the onboard controller from work at all and use external one?
The problem with the quick discharge could either be that the battery is junk or that the blown charge controller is leaking a lot.
With the NST in suspend mode the leakage current should be around 1 mA.
Sure, you could throw on a separate LiPo charger.
Renate NST said:
The problem with the quick discharge could either be that the battery is junk or that the blown charge controller is leaking a lot.
With the NST in suspend mode the leakage current should be around 1 mA.
Sure, you could throw on a separate LiPo charger.
Click to expand...
Click to collapse
Thank you very much! I measured current in suspended and power off modes, and both gave me whopping 0.1 A! I identified the controller - it's TI BQ24072.
{
"lightbox_close": "Close",
"lightbox_next": "Next",
"lightbox_previous": "Previous",
"lightbox_error": "The requested content cannot be loaded. Please try again later.",
"lightbox_start_slideshow": "Start slideshow",
"lightbox_stop_slideshow": "Stop slideshow",
"lightbox_full_screen": "Full screen",
"lightbox_thumbnails": "Thumbnails",
"lightbox_download": "Download",
"lightbox_share": "Share",
"lightbox_zoom": "Zoom",
"lightbox_new_window": "New window",
"lightbox_toggle_sidebar": "Toggle sidebar"
}
So, I decided to mutilate the mainboard for a bit and get rid of the faulty controller. That's what I got:
But it didn't work. Current remained to be 100 mA. Then I touched components of the PCB and found out, that the nearest IC gets really hot even when the reader switched off. I identified it as TI bq27520-G1 fuel gauge. Unfortunately, it's not just some dumb IC that I can get rid off, but a micro controller that monitors battery health and communicates with the CPU by i2c protocol... Even worse, it has LDO functions, but I'm not sure it's actually used. But, I think maybe the system actually able to run without it? Anyway, this controller sniffs when the battery is connected and signals outside (by putting one of its pins to active low level) if the battery can be used. The pin itself is unaccessible, because it's under the component. But I bet one of these testing pads on PCB connected to it. Don't you know, for any chance, which one could it be?
The NST takes about a peak of 300 mA on boot up.
See: http://forum.xda-developers.com/showthread.php?p=46801874#post46801874
(Read further and there is a reference to the battery connector.)
Battery health gets checked in two places (if I remember correctly).
uboot checks it and refuses to proceed if there is no battery at all.
The charger daemon will power down the NST if the battery is unhealthy.
You can try disabling the charger daemon by commenting out the line in init.rc or else deleting the file.
I'm not sure if you can get things to work like that.
Obviously, you can not do this to the internal flash on a device that won't boot.
You can either write a bootable SD (we still have that luxury on the NST)
or else use OmapLink to feed a boot image over USB.
When doing low-level stuff like this, there are two ways of getting feedback.
You can watch the current consumption with it's characteristic startup signature.
You can use the UART console to watch the boot up messages.
The standard UART out on the NST is at 1.8V levels, so you may need to hack a buffer.
(There is also a 3.3V UART, but you'd have to configure it and the buffer is not even enabled until much later.)
I'll try disabling the charger daemon on my NST later and see if it still works.
Well, the device boots and works, and I guess I can disable the deamon, as you said, but I don't think it will resolve anything for now.
If it was possible to switch off battery check for uboot, that would be promising. But I have no idea how to do anything about it.
I still think, that if I could put low level on BAT_GOOD pin of fuel gauge IC, that maybe would make the uboot to allow system to start normally.
Not sure what use I can make from UART feed, but may be cool to take a look on it. I found that thread about making 3.3 UART working during boot. Maybe it would work.
Since you're dealing with low-level problems and since the uboot and the kernel are separately configured and already configured for the 1.8V UART, I'd stick with that.
Okay, I didn't build the level shifter to use uart yet, but I found out that the Fuel Gauge needs to be powered only certain moments. If the device loaded, I can power it directly, excluding the gauge from circuit. So, I installed a switch to power it temporary and then it resolved current leakage problem. Unfortunately, after a long sleep it also uses the gauge, and I guess the charger daemon does it.
Here is my init.rc:
Code:
on init
loglevel 3
# setup the global environment
export PATH /sbin:/system/sbin:/system/bin:/system/xbin
export LD_LIBRARY_PATH /system/lib
export ANDROID_BOOTLOGO 1
export ANDROID_ROOT /system
export ANDROID_ASSETS /system/app
export ANDROID_DATA /data
export EXTERNAL_STORAGE /sdcard
export INTERNAL_STORAGE /media
export BN_PURCHASED_CONTENT /data/media
export BOOTCLASSPATH /system/framework/core.jar:/system/framework/ext.jar:/system/framework/framework.jar:/system/framework/android.policy.jar:/system/framework/services.jar
export DSP_PATH /system/lib/dsp
export DEFAULT_BASEIMAGE /system/lib/dsp/baseimage.dof
export QOSDYN_FILE /system/lib/dsp/qosdyn_3430.dll64P
export PM_TBLFILE /system/etc/policytable.tbl
# setup TSLIB environment
export TSLIB_CONSOLEDEVICE none
export TSLIB_FBDEVICE /dev/graphics/fb0
export TSLIB_TSDEVICE /dev/input/event2
export TSLIB_CALIBFILE /etc/pointercal
export TSLIB_CONFFILE /etc/ts.conf
export TSLIB_PLUGINDIR /system/lib/ts/plugins
# Location of BT firmware files
export BT_FW_PATH /system/lib/firmware
# Backward compatibility
symlink /system/etc /etc
# create mountpoints and mount tmpfs on sqlite_stmt_journals
mkdir /system
mkdir /tmp 0777
mkdir /data 0771 system system
mkdir /cache 0770 system cache
mkdir /media 0777 system system
mkdir /sdcard 0777 system system
mkdir /sqlite_stmt_journals 01777 root root
mkdir /rom 0770 root root
mount tmpfs tmpfs /sqlite_stmt_journals size=4m
mount rootfs rootfs / ro remount
write /proc/sys/kernel/panic_on_oops 1
write /proc/sys/kernel/hung_task_timeout_secs 0
write /proc/cpu/alignment 4
write /proc/sys/kernel/sched_latency_ns 10000000
write /proc/sys/kernel/sched_wakeup_granularity_ns 2000000
# mount MMC partitions
mount vfat /dev/block/mmcblk0p2 /rom sync noatime nodiratime uid=1000,gid=1000,fmask=117,dmask=007
# Mount /system rw first to give the filesystem a chance to save a checkpoint
mount ext2 /dev/block/mmcblk0p5 /system
mount ext2 /dev/block/mmcblk0p5 /system ro remount
# We chown/chmod /data again so because mount is run as root + defaults
mount ext3 /dev/block/mmcblk0p8 /data nosuid nodev noatime nodiratime
chown system system /data
chmod 0771 /data
# Same reason as /data above
mount ext3 /dev/block/mmcblk0p7 /cache nosuid nodev noatime nodiratime
chown system cache /cache
chmod 0770 /cache
# This may have been created by the recovery system with odd permissions
chown system system /cache/recovery
chmod 0770 /cache/recovery
# create basic filesystem structure
mkdir /data/misc 01771 system misc
mkdir /data/misc/hcid 0770 bluetooth bluetooth
mkdir /data/misc/keystore 0700 keystore keystore
mkdir /data/misc/wifi 0771 wifi wifi
mkdir /data/misc/wifi/sockets 0771 wifi wifi
mkdir /data/misc/dhcp 0777 wifi wifi
mkdir /data/misc/udhcpd 0777 wifi wifi
mkdir /data/local 0771 shell shell
mkdir /data/local/tmp 0771 shell shell
mkdir /data/data 0771 system system
mkdir /data/app-private 0771 system system
mkdir /data/app 0771 system system
mkdir /data/property 0700 root root
# BN PurchasedContent
mkdir /data/media 0777 media system
mkdir /data/media/B\&N\ Downloads 0777 media system
mkdir /data/media/B\&N\ Downloads/Books 0777 media system
mkdir /data/media/B\&N\ Downloads/Magazines 0777 media system
mkdir /data/media/B\&N\ Downloads/Newspapers 0777 media system
mkdir /data/media/B\&N\ Downloads/Extras 0777 media system
# make sure folder has correct owner and access if the folder exists
chown media system /data/media
chown media system /data/media/B\&N\ Downloads
chown media system /data/media/B\&N\ Downloads/Books
chown media system /data/media/B\&N\ Downloads/Magazines
chown media system /data/media/B\&N\ Downloads/Newspapers
chown media system /data/media/B\&N\ Downloads/Extras
chmod 0777 /data/media
chmod 0777 /data/media/B\&N\ Downloads
chmod 0777 /data/media/B\&N\ Downloads/Books
chmod 0777 /data/media/B\&N\ Downloads/Magazines
chmod 0777 /data/media/B\&N\ Downloads/Newspapers
chmod 0777 /data/media/B\&N\ Downloads/Extras
# create dalvik-cache and double-check the perms
mkdir /data/dalvik-cache 0771 system system
chown system system /data/dalvik-cache
chmod 0771 /data/dalvik-cache
# create the lost+found directories, so as to enforce our permissions
# mkdir /data/lost+found 0770
# mkdir /cache/lost+found 0770
# change permissions for alsa nodes
symlink /dev/snd/pcmC0D0c /dev/pcmC0D0c
symlink /dev/snd/pcmC0D0p /dev/pcmC0D0p
symlink /dev/snd/controlC0 /dev/controlC0
symlink /dev/snd/timer /dev/timer
chmod 0777 /dev/pcmC0D0c
chmod 0777 /dev/pcmC0D0p
chmod 0777 /dev/controlC0
chmod 0777 /dev/timer
# change permissions for modem
chmod 0660 /dev/ttyS0
chown radio radio /dev/ttyS0
# change permissions for bridge. Symlink search directory
chmod 0777 /dev/DspBridge
# change permissions for Camera
chmod 0777 /dev/video5
chmod 0777 /dev/video0
# change permissions for Overlay
chmod 0777 /dev/video1
chmod 0777 /dev/video2
# change permissions for overlay managers and display devices
chmod 0777 /sys/devices/platform/omapdss/manager0/name
chmod 0777 /sys/devices/platform/omapdss/manager1/name
chmod 0777 /sys/devices/platform/omapdss/display0/name
chmod 0777 /sys/devices/platform/omapdss/display1/name
chmod 0777 /sys/devices/platform/omapdss/display0/enabled
chmod 0777 /sys/devices/platform/omapdss/display1/enabled
chmod 0777 /sys/devices/platform/omapdss/display1/timings
chmod 0777 /sys/devices/platform/omapdss/display0/timings
chmod 0777 /sys/devices/platform/omapdss/overlay0/manager
chmod 0777 /sys/devices/platform/omapdss/overlay1/manager
chmod 0777 /sys/devices/platform/omapdss/overlay2/manager
chmod 0777 /sys/devices/platform/omapdss/overlay0/enabled
chmod 0777 /sys/devices/platform/omapdss/overlay1/enabled
chmod 0777 /sys/devices/platform/omapdss/overlay2/enabled
# change permissions for calibration
chmod 0666 /sys/devices/platform/i2c_omap.2/i2c-adapter/i2c-2/2-0050/forcecal
# change permissions for display jni ioct
chmod 0666 /dev/graphics/fb0
# change permissions for Previewer and Resizer
chmod 0777 /dev/omap-previewer
chmod 0777 /dev/omap-resizer
# double check the perms, in case lost+found already exists, and set owner
chown root root /lost+found
chmod 0770 /lost+found
# chown root root /data/lost+found
# chmod 0770 /data/lost+found
# chown root root /cache/lost+found
# chmod 0770 /cache/lost+found
#Owners, Modes for Bluetooth
chmod 0660 /dev/ttyS1
chown bluetooth bluetooth /dev/ttyS1
chmod 0660 sys/class/rfkill/rfkill0/state
chown bluetooth bluetooth /sys/class/rfkill/rfkill0/state
write sys/class/rfkill/rfkill0/state 0
# Needed when building with DDK
chown system system /data/data
chown system system /data/system
chown system system /data/app
chown system system /data
on boot
# basic network init
ifup lo
hostname localhost
domainname localdomain
# set RLIMIT_NICE to allow priorities from 19 to -20
setrlimit 13 40 40
# Set timeout value for rmnet stats.
write /sys/devices/virtual/net/rmnet0/timeout_suspend 5000000
# Define the oom_adj values for the classes of processes that can be
# killed by the kernel. These are used in ActivityManagerService.
# setprop service.adb.tcp.port 5555
setprop ro.FOREGROUND_APP_ADJ 0
setprop ro.VISIBLE_APP_ADJ 1
setprop ro.SECONDARY_SERVER_ADJ 2
setprop ro.BACKUP_APP_ADJ 2
setprop ro.HOME_APP_ADJ 4
setprop ro.HIDDEN_APP_MIN_ADJ 7
setprop ro.CONTENT_PROVIDER_ADJ 14
setprop ro.EMPTY_APP_ADJ 15
# Define the memory thresholds at which the above process classes will
# be killed. These numbers are in pages (4k).
setprop ro.FOREGROUND_APP_MEM 1536
setprop ro.VISIBLE_APP_MEM 2048
setprop ro.SECONDARY_SERVER_MEM 4096
setprop ro.BACKUP_APP_MEM 4096
setprop ro.HOME_APP_MEM 4096
setprop ro.HIDDEN_APP_MEM 5120
setprop ro.CONTENT_PROVIDER_MEM 5632
setprop ro.EMPTY_APP_MEM 6144
# Enable auto-mounting of USB mass storage
setprop persist.service.mount.umsauto 1
# Write value must be consistent with the above properties.
# Note that the driver only supports 6 slots, so we have HOME_APP at the
# same memory level as services.
write /sys/module/lowmemorykiller/parameters/adj 0,1,2,7,14,15
write /proc/sys/vm/overcommit_memory 1
write /proc/sys/vm/min_free_order_shift 4
write /sys/module/lowmemorykiller/parameters/minfree 1536,2048,4096,5120,5632,6144
# Set init its forked children's oom_adj.
write /proc/1/oom_adj -16
# Copying hostapd.conf (WLAN soft AP)
copy /system/etc/wifi/softap/hostapd.conf /data/misc/wifi/hostapd.conf
chown wifi wifi /data/misc/wifi
# Enabling Power Management features
# Enabling sleep in idle path
write /sys/power/sleep_while_idle 1
# Enabling OFF mode
write /sys/power/enable_off_mode 1
# Enabling Voltage OFF in idle path
write /sys/power/voltage_off_while_idle 1
# Enablig DVFS with conservative governor
write /sys/devices/system/cpu/cpu0/cpufreq/scaling_governor conservative
# Enabling SmartReflex for Zoom3 OMAP3630
write /sys/power/sr_vdd1_autocomp 0
write /sys/power/sr_vdd2_autocomp 0
# Permissions for System Server and daemons.
chmod 0444 /system/usr/keychars/omap_twl4030keypad.kcm.bin
chmod 0444 /system/usr/keychars/TWL4030_Keypad.kcm.bin
chmod 0444 /system/usr/keychars/gpio-keys.kcm.bin
chmod 0444 /system/usr/keychars/qwerty.kcm.bin
chown radio system /sys/android_power/state
chown radio system /sys/android_power/request_state
chown radio system /sys/android_power/acquire_full_wake_lock
chown radio system /sys/android_power/acquire_partial_wake_lock
chown radio system /sys/android_power/release_wake_lock
chown radio system /sys/power/state
chown radio system /sys/power/wake_lock
chown radio system /sys/power/wake_unlock
chmod 0660 /sys/power/state
chmod 0660 /sys/power/wake_lock
chmod 0660 /sys/power/wake_unlock
chown system system /sys/class/timed_output/vibrator/enable
chown system system /sys/class/leds/keyboard-backlight/brightness
chown system system /sys/class/leds/lcd-backlight/brightness
chown system system /sys/class/leds/lcd-backlight/dim_brightness
chown system system /sys/class/leds/lcd-backlight2/dim_brightness
chown system system /sys/devices/platform/i2c_omap.2/i2c-adapter/i2c-2/2-0040/dim_start
chown system system /sys/class/leds/button-backlight/brightness
chown system system /sys/class/leds/jogball-backlight/brightness
chown system system /sys/class/leds/red/brightness
chown system system /sys/class/leds/green/brightness
chown system system /sys/class/leds/blue/brightness
chown system system /sys/class/leds/red/device/grpfreq
chown system system /sys/class/leds/red/device/grppwm
chown system system /sys/class/leds/red/device/blink
chown system system /sys/class/leds/red/brightness
chown system system /sys/class/leds/green/brightness
chown system system /sys/class/leds/blue/brightness
chown system system /sys/class/leds/red/device/grpfreq
chown system system /sys/class/leds/red/device/grppwm
chown system system /sys/class/leds/red/device/blink
chown system system /sys/class/timed_output/vibrator/enable
chown system system /sys/module/sco/parameters/disable_esco
chown system system /sys/kernel/ipv4/tcp_wmem_min
chown system system /sys/kernel/ipv4/tcp_wmem_def
chown system system /sys/kernel/ipv4/tcp_wmem_max
chown system system /sys/kernel/ipv4/tcp_rmem_min
chown system system /sys/kernel/ipv4/tcp_rmem_def
chown system system /sys/kernel/ipv4/tcp_rmem_max
chown root radio /proc/cmdline
# Set default dim speed to 500ms
write /sys/devices/platform/i2c_omap.2/i2c-adapter/i2c-2/2-0040/dim_time 500
# Define TCP buffer sizes for various networks
# ReadMin, ReadInitial, ReadMax, WriteMin, WriteInitial, WriteMax,
setprop net.tcp.buffersize.default 4096,87380,110208,4096,16384,110208
setprop net.tcp.buffersize.wifi 4095,87380,110208,4096,16384,110208
setprop net.tcp.buffersize.umts 4094,87380,110208,4096,16384,110208
setprop net.tcp.buffersize.edge 4093,26280,35040,4096,16384,35040
setprop net.tcp.buffersize.gprs 4092,8760,11680,4096,8760,11680
# Define modem related settings
setprop ro.radio.use-ppp yes
setprop keyguard.no_require_sim 1
setprop ro.config.nocheckin yes
# Set EPD Flushing Update percentage for AUTO Mode.
write /sys/class/graphics/fb0/epd_percent 85
# Set EPD Flush elimination window (ms) for AUTO Mode.
write /sys/class/graphics/fb0/epd_delay 100
class_start default
start omap-edpd
# start console
## Daemon processes to be run by init.
##
service console /system/bin/sh
console
# load DSP firmware
service baseimage /system/bin/cexec.out /system/lib/dsp/baseimage.dof
user root
group audio
oneshot
# Responsable of DSP recovery
service bridged /system/bin/bridged
user root
group system
oneshot
service omx_pm /system/bin/OMXPolicyManager
oneshot
service omx_rm /system/bin/OMXResourceManager
oneshot
# adbd is permanent
service adbd /sbin/adbd
service bootanim /system/bin/bootanimation
user graphics
group graphics
disabled
oneshot
#service mux /system/bin/gsm0710muxd -s /dev/ttyS1 -n 3 -m basic
#service mux /system/bin/gsm0710muxd -v -s /dev/ttyS0 -b 460800 -n 3 -m advanced
# user radio
# group radio cache inet misc
# oneshot
service servicemanager /system/bin/servicemanager
user system
critical
onrestart restart zygote
onrestart restart media
service vold /system/bin/vold
socket vold stream 0660 root mount
#service mountd /system/bin/mountd
# socket mountd stream 0660 root mount
service debuggerd /system/bin/debuggerd
# Start of SGX driver
service pvrsrv /system/bin/sh /system/bin/sgx/rc.pvr start
user root
oneshot
#service ril-daemon /system/bin/rild -l /system/lib/libidcc6071-ril.so -- -d /dev/pts/0
#service ril-daemon /system/bin/rild -l /system/lib/libenforaedg308-ril.so -- -d /dev/pts/0
# socket rild stream 660 root radio
# socket rild-debug stream 660 radio system
# user root
# group radio cache inet misc
#service pppd_gprs /etc/init.gprs-pppd /dev/pts/1
# user root
# group radio cache inet misc
# disabled
service zygote /system/bin/app_process -Xzygote /system/bin --zygote --start-system-server
socket zygote stream 666
onrestart write /sys/android_power/request_state wake
service media /system/bin/mediaserver
user media
group system audio camera graphics inet net_bt net_bt_admin
#service fw3a /system/bin/fw3a_core
# user root
# group root
#service bootsound /system/bin/playmp3
# user media
# group audio
# oneshot
service dbus /system/bin/dbus-daemon --system --nofork
socket dbus stream 660 bluetooth bluetooth
user bluetooth
group bluetooth net_bt_admin
#service bluetoothd /system/bin/bluetoothd -d -n
# socket bluetooth stream 660 bluetooth bluetooth
# socket dbus_bluetooth stream 660 bluetooth bluetooth
# # init.rc does not yet support applying capabilities, so run as root and
# # let hcid drop uid to bluetooth with the right linux capabilities
# group bluetooth net_bt_admin misc
# disabled
# oneshot
#service uim /system/xbin/uim /dev/ttyS1 3000000 1 /sys/uim/pid 19
# user root
# group media bluetooth
# oneshot
#service hciattach /system/bin/hciattach -l
# user root
## changing user to root from bluetooth is a potential security issue
## service hciattach_legacy is used instead of hciattach because, we dont
## have nodes named ttyHS0
# group bluetooth net_bt_admin misc
# disabled
# oneshot
#service hciattach_legacy /system/bin/hciattach -n /dev/ttyS1 texas 3000000
# user root
## changing user to root from bluetooth is a potential security issue
# group bluetooth net_bt_admin misc
# disabled
# oneshot
#service hfag /system/bin/sdptool add --channel=10 HFAG
# user bluetooth
# group bluetooth net_bt_admin
# disabled
# oneshot
#service hsag /system/bin/sdptool add --channel=11 HSAG
# user bluetooth
# group bluetooth net_bt_admin
# disabled
# oneshot
#service opush /system/bin/sdptool add --channel=12 OPUSH
# user bluetooth
# group bluetooth net_bt_admin
# disabled
# oneshot
#service pbap /system/bin/sdptool add --channel=19 PBAP
# user bluetooth
# group bluetooth net_bt_admin
# disabled
# oneshot
service installd /system/bin/installd
socket installd stream 600 system system
service flash_recovery /system/bin/flash_image recovery /system/recovery.img
oneshot
service wlan_loader /system/bin/tiwlan_loader \
-f /system/etc/wifi/firmware.bin \
-i /system/etc/wifi/tiwlan.ini \
-e /rom/devconf/WiFiBackupCalibration
disabled
oneshot
service ifcfg_ti /system/bin/ifconfig tiwlan0 up
disabled
oneshot
service wpa_supplicant /system/bin/wpa_supplicant -Dtiwlan0 -itiwlan0 -c/data/misc/wifi/wpa_supplicant.conf -dd
socket wpa_tiwlan0 dgram 660 wifi wifi
disabled
oneshot
service dhcpcd /system/bin/dhcpcd -ABKL -d tiwlan0
disabled
oneshot
# TI WLAN Soft AP related services and configuration
service wlan_ap_loader /system/bin/tiap_loader \
-f /system/etc/wifi/softap/firmware_ap.bin \
-i /system/etc/wifi/softap/tiwlan_ap.ini
disabled
oneshot
service udhcpd /system/bin/udhcpd /system/etc/udhcpd/udhcpdWlan.conf
disabled
oneshot
service hostapd /system/bin/hostapd -dd /data/misc/wifi/hostapd.conf
disabled
oneshot
service keystore /system/bin/keystore /data/misc/keystore
user keystore
group keystore
socket keystore stream 666
# TODO: load waveform file from ROM token /rom/devconf/EpdWaveform instead
service omap-edpd /system/bin/omap-edpd.elf -n --timeout=2 -pV220 --fbdev=/dev/graphics/fb0 -s /system/lib/dsp/subframeip_snode_dsp.dll64P -w /rom/devconf/EpdWaveform,/system/etc/default_waveform.bin
oneshot
disabled
on property:dev.bootcomplete=1
start bootcnt
service bootcnt /system/bin/clrbootcount.sh
disabled
oneshot
service debuglog /system/bin/debuglog.sh
user root
Can you please tell me where is the charger daemon? Because no service possibly looks like it to me.
Hmm, it's been a while, but I don't see anything there.
On later stuff it's either chargerd or healthd.
It may be built right into the kernel.
**UPDATE**
Here is my collection of scripts for rooting, blocking updates, and all kinds of stuff for ALL fire tv:
https://github.com/pwntrik/firetv/
Here's the video (2 parts) on howto root Fire TV 1st gen using soldering:
https://youtu.be/yhwYfudGiM8
https://youtu.be/Kn7zmXf08bk
**/UPDATE**
Greetings, AFTV hackers!
I have successfully soldered an emmc reader to the Fire TV 1st Gen, and I have complete r/w access. However, the tutorial for rooting appears to be a bit dated as the hacker (@maximus64) at the time was able to just copy the su binary to /system/xbin, modify the permissions, and run it.
Since FireOS 5.2.0.0, however, SELinux now prevents the binary from being executed:
(At this point, I have already copied su binary, chmod 6755 it, chown 0:0 it)
Code:
[email protected]:/ $ ls -la /system/xbin/su
ls -la /system/xbin/su
/system/xbin/su: Permission denied
1|[email protected]:/ $ su
su
/system/bin/sh: su: not found
127|[email protected]:/ $ ls -ld /system/xbin
ls -ld /system/xbin
drwxr-xr-x root shell 2017-01-05 01:35 xbin
[email protected]:/ $ ls -l /system/xbin/
ls -l /system/xbin/
-rwxr-xr-x root shell 63880 2016-05-27 17:00 dexdump
-rwxr-xr-x root shell 49816 2016-05-27 17:00 sqlite3
lstat '/system/xbin//su' failed: Permission denied
-rwxr-xr-x root shell 813248 2016-05-27 17:00 tcpdump
-rwxr-xr-x root shell 9384 2016-05-27 17:00 trapz
-rwxr-xr-x root shell 46456 2016-05-27 17:00 vitals_collection_agent
And just to make sure I did everything correctly, I hooked it up again then checked the binary:
Code:
[email protected]:/media/root/57f8f4bc-abf4-655f-bf67-946fc0f9f25b1/xbin# ls -la
total 1092
drwxr-xr-x. 2 root 2000 4096 Jan 5 04:35 .
drwxr-xr-x. 16 root root 4096 Jan 6 17:07 ..
-rwxr-xr-x. 1 root 2000 63880 May 27 2016 dexdump
-rwxr-xr-x. 1 root 2000 49816 May 27 2016 sqlite3
-rwsr-sr-x 1 root root 112576 Jan 5 04:31 su
-rwxr-xr-x. 1 root 2000 813248 May 27 2016 tcpdump
-rwxr-xr-x. 1 root 2000 9384 May 27 2016 trapz
-rwxr-xr-x. 1 root 2000 46456 May 27 2016 vitals_collection_agent
So at this point, I did some research and it seems that SELinux prevents this from being run. Does anyone have a workaround or could tell me how to give this binary permission? I have zero experience with SELinux, and even if anyone can point me to a similar thread for rooting when you have full r/w access, that'd be excellent..
Thanks!
cancelyourcable said:
Greetings, AFTV hackers!
I have successfully soldered an emmc reader to the Fire TV 1st Gen, and I have complete r/w access. However, the tutorial for rooting appears to be a bit dated as the hacker (@maximus64) at the time was able to just copy the su binary to /system/xbin, modify the permissions, and run it.
Since FireOS 5.2.0.0, however, SELinux now prevents the binary from being executed:
(At this point, I have already copied su binary, chmod 6755 it, chown 0:0 it)
Code:
[email protected]:/ $ ls -la /system/xbin/su
ls -la /system/xbin/su
/system/xbin/su: Permission denied
1|[email protected]:/ $ su
su
/system/bin/sh: su: not found
127|[email protected]:/ $ ls -ld /system/xbin
ls -ld /system/xbin
drwxr-xr-x root shell 2017-01-05 01:35 xbin
[email protected]:/ $ ls -l /system/xbin/
ls -l /system/xbin/
-rwxr-xr-x root shell 63880 2016-05-27 17:00 dexdump
-rwxr-xr-x root shell 49816 2016-05-27 17:00 sqlite3
lstat '/system/xbin//su' failed: Permission denied
-rwxr-xr-x root shell 813248 2016-05-27 17:00 tcpdump
-rwxr-xr-x root shell 9384 2016-05-27 17:00 trapz
-rwxr-xr-x root shell 46456 2016-05-27 17:00 vitals_collection_agent
And just to make sure I did everything correctly, I hooked it up again then checked the binary:
Code:
[email protected]:/media/root/57f8f4bc-abf4-655f-bf67-946fc0f9f25b1/xbin# ls -la
total 1092
drwxr-xr-x. 2 root 2000 4096 Jan 5 04:35 .
drwxr-xr-x. 16 root root 4096 Jan 6 17:07 ..
-rwxr-xr-x. 1 root 2000 63880 May 27 2016 dexdump
-rwxr-xr-x. 1 root 2000 49816 May 27 2016 sqlite3
-rwsr-sr-x 1 root root 112576 Jan 5 04:31 su
-rwxr-xr-x. 1 root 2000 813248 May 27 2016 tcpdump
-rwxr-xr-x. 1 root 2000 9384 May 27 2016 trapz
-rwxr-xr-x. 1 root 2000 46456 May 27 2016 vitals_collection_agent
So at this point, I did some research and it seems that SELinux prevents this from being run. Does anyone have a workaround or could tell me how to give this binary permission? I have zero experience with SELinux, and even if anyone can point me to a similar thread for rooting when you have full r/w access, that'd be excellent..
Thanks!
Click to expand...
Click to collapse
bueller_recovery_v2.zip begins with a shell script. If you open it in a text editor, you can see it. mkdir /system/recovery, unzip the contents of that zip to /system/recovery, and do the mv and ln commands. Make sure the selinux contexts of /system/recovery and it's contents match the other contents of /systems.
And also make sure the contents are chmod 755.
rbox said:
bueller_recovery_v2.zip begins with a shell script. If you open it in a text editor, you can see it. mkdir /system/recovery, unzip the contents of that zip to /system/recovery, and do the mv and ln commands. Make sure the selinux contexts of /system/recovery and it's contents match the other contents of /systems.
And also make sure the contents are chmod 755.
Click to expand...
Click to collapse
Thanks, rbox! I've managed to rewrite the script to do all that, but how do I make sure the SELinux contexts match? Sorry, not familiar with SELinux.
Is this the ACTUAL partition table, or is this the way the eMMC reader loads it?
Code:
[email protected]:/media/root# ls 5*
57f8f4bc-abf4-655f-bf67-946fc0f9f25b:
adb backup hostapd property system?
anr bugreports key_provisioning prReset time
app connectivity local radio tombstones
app-asec dalvik-cache logd resource-cache user
app_ext data lost+found securedStorageLocation vitals
app-lib debug_service media securestop webcrypto
app_ms dontpanic mediadrm security wiper
app-private dpm misc shared wpstiles
audio drm playready ssh
autotrace fota proffline system
57f8f4bc-abf4-655f-bf67-946fc0f9f25b1:
data lost+found usf
57f8f4bc-abf4-655f-bf67-946fc0f9f25b2:
com.amazon.avod.apk lost+found
com.amazon.venezia.apk recovery
com.amazon.vizzini-550901810.apk signed_com.amazon.kso.blackbird-1550000810.apk
dalvik-cache signed_CSAppFireTV-fireOs-release_v112.apk
57f8f4bc-abf4-655f-bf67-946fc0f9f25b3:
data lost+found usf
57f8f4bc-abf4-655f-bf67-946fc0f9f25b4:
app etc lib priv-app sqfs vendor
bin fonts lost+found recovery-from-boot.p tts xbin
build.prop framework media security usr
I ask because /system/bin is actually on a completely separate partition using this method. Is it possible to copy the actual init2stub in place of e2fsck instead of symlinking it? (in case the symlink doesn't work)
Here's my modified version of your script:
Code:
# Put your `recovery' folder in here, unzipped
SHARED="/media/sf_Shared"
# This is the directory created by the MMC reader
LABEL="/media/root/57f8f4bc-abf4-655f-bf67-946fc0f9f25b"
SYSTEM="${LABEL}/system"
BIN="${LABEL}4/bin"
echo "Copying recovery..."
cp -rf $SHARED/recovery $SYSTEM
echo "Chmodding..."
chmod -R 755 $SYSTEM/recovery
echo "Backup the old e2fsck..."
mv $BIN/e2fsck $BIN/e2fsck.real
echo "Symlink e2fsck to 2ndinitstub..."
# If symlink doesn't work, can I copy 2ndinitstub completely?
ln -sf ../recovery/2ndinitstub $BIN/e2fsck
echo "Done."
Thanks for your help otherwise I'd be so SCREWED! :laugh:
cancelyourcable said:
Thanks, rbox! I've managed to rewrite the script to do all that, but how do I make sure the SELinux contexts match? Sorry, not familiar with SELinux.
Is this the ACTUAL partition table, or is this the way the eMMC reader loads it?
Code:
[email protected]:/media/root# ls 5*
57f8f4bc-abf4-655f-bf67-946fc0f9f25b:
adb backup hostapd property system?
anr bugreports key_provisioning prReset time
app connectivity local radio tombstones
app-asec dalvik-cache logd resource-cache user
app_ext data lost+found securedStorageLocation vitals
app-lib debug_service media securestop webcrypto
app_ms dontpanic mediadrm security wiper
app-private dpm misc shared wpstiles
audio drm playready ssh
autotrace fota proffline system
57f8f4bc-abf4-655f-bf67-946fc0f9f25b1:
data lost+found usf
57f8f4bc-abf4-655f-bf67-946fc0f9f25b2:
com.amazon.avod.apk lost+found
com.amazon.venezia.apk recovery
com.amazon.vizzini-550901810.apk signed_com.amazon.kso.blackbird-1550000810.apk
dalvik-cache signed_CSAppFireTV-fireOs-release_v112.apk
57f8f4bc-abf4-655f-bf67-946fc0f9f25b3:
data lost+found usf
57f8f4bc-abf4-655f-bf67-946fc0f9f25b4:
app etc lib priv-app sqfs vendor
bin fonts lost+found recovery-from-boot.p tts xbin
build.prop framework media security usr
I ask because /system/bin is actually on a completely separate partition using this method. Is it possible to copy the actual init2stub in place of e2fsck instead of symlinking it? (in case the symlink doesn't work)
Here's my modified version of your script:
Code:
# Put your `recovery' folder in here, unzipped
SHARED="/media/sf_Shared"
# This is the directory created by the MMC reader
LABEL="/media/root/57f8f4bc-abf4-655f-bf67-946fc0f9f25b"
SYSTEM="${LABEL}/system"
BIN="${LABEL}4/bin"
echo "Copying recovery..."
cp -rf $SHARED/recovery $SYSTEM
echo "Chmodding..."
chmod -R 755 $SYSTEM/recovery
echo "Backup the old e2fsck..."
mv $BIN/e2fsck $BIN/e2fsck.real
echo "Symlink e2fsck to 2ndinitstub..."
# If symlink doesn't work, can I copy 2ndinitstub completely?
ln -sf ../recovery/2ndinitstub $BIN/e2fsck
echo "Done."
Thanks for your help otherwise I'd be so SCREWED! :laugh:
Click to expand...
Click to collapse
That is /data. Not /system. ls -lZ will show you contexts.
rbox said:
That is /data. Not /system. ls -lZ will show you contexts.
Click to expand...
Click to collapse
Well, not sure exactly what happened but I booted it back up and /system/recovery doesn't exist. Even if that's normal behavior, it didn't run TWRP.
The shell script I pasted above, it runs chcon and chmod, but perhaps chcon has no effect since it's being run on a host system (linux), instead of the actual android system (I kinda expected that.)
Code:
[email protected]:/system/bin $ ls -Z e2*
ls -Z e2*
e2fsck: Permission denied
e2fsck.real: Permission denied
Is there an init file I can edit to run chcon or completely disable selinux? Seems like that's probably preventing it. I can't see log files as user, but I feel like that might be part of it.
Thanks
cancelyourcable said:
Well, not sure exactly what happened but I booted it back up and /system/recovery doesn't exist. Even if that's normal behavior, it didn't run TWRP.
The shell script I pasted above, it runs chcon and chmod, but perhaps chcon has no effect since it's being run on a host system (linux), instead of the actual android system (I kinda expected that.)
Code:
[email protected]:/system/bin $ ls -Z e2*
ls -Z e2*
e2fsck: Permission denied
e2fsck.real: Permission denied
Is there an init file I can edit to run chcon or completely disable selinux? Seems like that's probably preventing it. I can't see log files as user, but I feel like that might be part of it.
Thanks
Click to expand...
Click to collapse
Did you properly unmount the filesystem after you were done changing it? That's really the only way the changes wouldn't stick and recovery wouldn't be there. You definitely need to verify all the permissions and contexts manually before booting back in. Don't just assume a script worked. Also, I think chcon isn't going to work, now that I think about it. I remember when I was messing around with this stuff with the Fire TV 2 I wound up having to use extended attributes manually. This page: http://unix.stackexchange.com/quest...on-mounted-ext4-image-from-non-selinux-system explains how to do. As for disabling selinux... that's half the whole point of 2ndinit
rbox said:
Did you properly unmount the filesystem after you were done changing it? That's really the only way the changes wouldn't stick and recovery wouldn't be there. You definitely need to verify all the permissions and contexts manually before booting back in. Don't just assume a script worked. Also, I think chcon isn't going to work, now that I think about it. I remember when I was messing around with this stuff with the Fire TV 2 I wound up having to use extended attributes manually. This page: http://unix.stackexchange.com/quest...on-mounted-ext4-image-from-non-selinux-system explains how to do. As for disabling selinux... that's half the whole point of 2ndinit
Click to expand...
Click to collapse
Ya, definitely unmounted it. I'm like 99% sure it's because of this selinux thing. Ideally if I can get these extended attributes to work and run either `su' or get the recovery to load, that'd be best.
But /system and /recovery are on two separate partitions. When I look at the layout from linux when I mount it using the soldering method, it looks like this:
Code:
# /dev/sdb1 on /media/root/57f8f4bc-abf4-655f-bf67-946fc0f9f25b3 type ext4 (rw,nosuid,nodev,relatime,data=ordered,uhelper=udisks2)
# /dev/sdb19 on /media/root/57f8f4bc-abf4-655f-bf67-946fc0f9f25b2 type ext4 (rw,nosuid,nodev,relatime,data=ordered,uhelper=udisks2)
# /dev/sdb2 on /media/root/57f8f4bc-abf4-655f-bf67-946fc0f9f25b1 type ext4 (rw,nosuid,nodev,relatime,data=ordered,uhelper=udisks2)
# /dev/sdb20 on /media/root/57f8f4bc-abf4-655f-bf67-946fc0f9f25b type ext4 (rw,nosuid,nodev,relatime,data=ordered,uhelper=udisks2)
# /dev/sdb18 on /media/root/57f8f4bc-abf4-655f-bf67-946fc0f9f25b4 type ext4 (rw,nosuid,nodev,relatime,data=ordered,uhelper=udisks2)
And from the firetv using adb shell, here's all the mounts:
Code:
[email protected]:/ $ mount
mount
rootfs / rootfs ro,relatime 0 0
tmpfs /dev tmpfs rw,seclabel,nosuid,relatime,mode=755 0 0
devpts /dev/pts devpts rw,seclabel,relatime,mode=600 0 0
proc /proc proc rw,relatime 0 0
sysfs /sys sysfs rw,seclabel,relatime 0 0
selinuxfs /sys/fs/selinux selinuxfs rw,relatime 0 0
debugfs /sys/kernel/debug debugfs rw,relatime 0 0
none /acct cgroup rw,relatime,cpuacct 0 0
none /sys/fs/cgroup tmpfs rw,seclabel,relatime,mode=750,gid=1000 0 0
tmpfs /mnt/asec tmpfs rw,seclabel,relatime,mode=755,gid=1000 0 0
tmpfs /mnt/obb tmpfs rw,seclabel,relatime,mode=755,gid=1000 0 0
none /dev/cpuctl cgroup rw,relatime,cpu 0 0
/dev/block/platform/msm_sdcc.1/by-name/system /system ext4 ro,seclabel,relatime,data=ordered 0 0
/dev/block/platform/msm_sdcc.1/by-name/cache /cache ext4 rw,seclabel,nosuid,nodev,noatime,data=ordered 0 0
/dev/block/platform/msm_sdcc.1/by-name/userdata /data ext4 rw,seclabel,nosuid,nodev,noatime,nomblk_io_submit,nobarrier,commit=20,data=ordered 0 0
/dev/block/platform/msm_sdcc.1/by-name/modem /firmware vfat ro,context=u:object_r:firmware_file:s0,relatime,uid=1000,gid=1000,fmask=0337,dmask=0227,codepage=cp437,iocharset=iso8859-1,shortname=lower,errors=remount-ro 0 0
/dev/block/loop0 /mnt/sqfs squashfs ro,context=u:object_r:squashfs_file:s0,relatime 0 0
/dev/block/platform/msm_sdcc.1/by-name/persist /persist ext4 rw,context=u:object_r:persist_file:s0,nosuid,nodev,noatime,data=ordered 0 0
/dev/fuse /mnt/shell/emulated fuse rw,nosuid,nodev,noexec,relatime,user_id=1023,group_id=1023,default_permissions,allow_other 0 0
/dev/fuse /mnt/shell/emulated/0 fuse rw,nosuid,nodev,noexec,relatime,user_id=1023,group_id=1023,default_permissions,allow_other 0 0
It looks very different. Like the /bin that appears in /system on the fire tv is actually on /media/root/57f8f4bc-abf4-655f-bf67-946fc0f9f25b4, yet /system appears on a completely separate partition /media/root/57f8f4bc-abf4-655f-bf67-946fc0f9f25b it's weird. Copying e2fsck did make it appear there, yet adding /system/recovery did nothing:
Code:
[email protected]:/ $ cd /system/recovery
cd /system/recovery
/system/bin/sh: cd: /system/recovery: No such file or directory
Not sure whether this is the firetv or the emmc reader which is displaying it oddly.
I'll wire it back up tomorrow and see if I can get extended permissions as well as try to figure out why the recovery dir is not showing up at all.
Thanks!
cancelyourcable said:
Ya, definitely unmounted it. I'm like 99% sure it's because of this selinux thing. Ideally if I can get these extended attributes to work and run either `su' or get the recovery to load, that'd be best.
But /system and /recovery are on two separate partitions. When I look at the layout from linux when I mount it using the soldering method, it looks like this:
Code:
# /dev/sdb1 on /media/root/57f8f4bc-abf4-655f-bf67-946fc0f9f25b3 type ext4 (rw,nosuid,nodev,relatime,data=ordered,uhelper=udisks2)
# /dev/sdb19 on /media/root/57f8f4bc-abf4-655f-bf67-946fc0f9f25b2 type ext4 (rw,nosuid,nodev,relatime,data=ordered,uhelper=udisks2)
# /dev/sdb2 on /media/root/57f8f4bc-abf4-655f-bf67-946fc0f9f25b1 type ext4 (rw,nosuid,nodev,relatime,data=ordered,uhelper=udisks2)
# /dev/sdb20 on /media/root/57f8f4bc-abf4-655f-bf67-946fc0f9f25b type ext4 (rw,nosuid,nodev,relatime,data=ordered,uhelper=udisks2)
# /dev/sdb18 on /media/root/57f8f4bc-abf4-655f-bf67-946fc0f9f25b4 type ext4 (rw,nosuid,nodev,relatime,data=ordered,uhelper=udisks2)
And from the firetv using adb shell, here's all the mounts:
Code:
[email protected]:/ $ mount
mount
rootfs / rootfs ro,relatime 0 0
tmpfs /dev tmpfs rw,seclabel,nosuid,relatime,mode=755 0 0
devpts /dev/pts devpts rw,seclabel,relatime,mode=600 0 0
proc /proc proc rw,relatime 0 0
sysfs /sys sysfs rw,seclabel,relatime 0 0
selinuxfs /sys/fs/selinux selinuxfs rw,relatime 0 0
debugfs /sys/kernel/debug debugfs rw,relatime 0 0
none /acct cgroup rw,relatime,cpuacct 0 0
none /sys/fs/cgroup tmpfs rw,seclabel,relatime,mode=750,gid=1000 0 0
tmpfs /mnt/asec tmpfs rw,seclabel,relatime,mode=755,gid=1000 0 0
tmpfs /mnt/obb tmpfs rw,seclabel,relatime,mode=755,gid=1000 0 0
none /dev/cpuctl cgroup rw,relatime,cpu 0 0
/dev/block/platform/msm_sdcc.1/by-name/system /system ext4 ro,seclabel,relatime,data=ordered 0 0
/dev/block/platform/msm_sdcc.1/by-name/cache /cache ext4 rw,seclabel,nosuid,nodev,noatime,data=ordered 0 0
/dev/block/platform/msm_sdcc.1/by-name/userdata /data ext4 rw,seclabel,nosuid,nodev,noatime,nomblk_io_submit,nobarrier,commit=20,data=ordered 0 0
/dev/block/platform/msm_sdcc.1/by-name/modem /firmware vfat ro,context=u:object_r:firmware_file:s0,relatime,uid=1000,gid=1000,fmask=0337,dmask=0227,codepage=cp437,iocharset=iso8859-1,shortname=lower,errors=remount-ro 0 0
/dev/block/loop0 /mnt/sqfs squashfs ro,context=u:object_r:squashfs_file:s0,relatime 0 0
/dev/block/platform/msm_sdcc.1/by-name/persist /persist ext4 rw,context=u:object_r:persist_file:s0,nosuid,nodev,noatime,data=ordered 0 0
/dev/fuse /mnt/shell/emulated fuse rw,nosuid,nodev,noexec,relatime,user_id=1023,group_id=1023,default_permissions,allow_other 0 0
/dev/fuse /mnt/shell/emulated/0 fuse rw,nosuid,nodev,noexec,relatime,user_id=1023,group_id=1023,default_permissions,allow_other 0 0
It looks very different. Like the /bin that appears in /system on the fire tv is actually on /media/root/57f8f4bc-abf4-655f-bf67-946fc0f9f25b4, yet /system appears on a completely separate partition /media/root/57f8f4bc-abf4-655f-bf67-946fc0f9f25b it's weird. Copying e2fsck did make it appear there, yet adding /system/recovery did nothing:
Code:
[email protected]:/ $ cd /system/recovery
cd /system/recovery
/system/bin/sh: cd: /system/recovery: No such file or directory
Not sure whether this is the firetv or the emmc reader which is displaying it oddly.
I'll wire it back up tomorrow and see if I can get extended permissions as well as try to figure out why the recovery dir is not showing up at all.
Thanks!
Click to expand...
Click to collapse
You're not looking for a partition with a directory called system in it. The partition IS /system. So the partition with 'bin' and 'xbin' is the /system partition. That other one is /data.
rbox said:
You're not looking for a partition with a directory called system in it. The partition IS /system. So the partition with 'bin' and 'xbin' is the /system partition. That other one is /data.
Click to expand...
Click to collapse
Alright, so I made some big progress
Here's my script which successfully installed your TWRP zip:
Code:
# Put your `recovery' folder in here, unzipped
SHARED="/media/sf_Shared"
# This is the directory created by the MMC reader
LABEL="/media/root/57f8f4bc-abf4-655f-bf67-946fc0f9f25b"
# WARNING: this CHANGED from 4 to 3. Always CHECK FIRST
SYSTEM="${LABEL}3"
if [ ! -e "${SYSTEM}/xbin" ]; then
echo "ERROR: couldn't find /system/xbin - is the mount point correct?"
exit 1
fi
echo "Copying recovery..."
cp -rf $SHARED/recovery $SYSTEM
echo "Backup the old e2fsck..."
cp -i $SYSTEM/bin/e2fsck $SHARED/e2fsck.real
mv -i $SYSTEM/bin/e2fsck $SYSTEM/bin/e2fsck.real
echo "Chmodding and chconing RECOVERY..."
chown -R 0:2000 $SYSTEM/recovery
chmod -R 755 $SYSTEM/recovery
chcon -R --reference=$SYSTEM/bin $SYSTEM/recovery
echo "Copying, chmodding and chconing SU (in case recovery doesn't work out)..."
cp $SHARED/su $SYSTEM/xbin/
chown 0:2000 $SYSTEM/xbin/su
chmod 6755 $SYSTEM/xbin/su
chcon --reference=$SYSTEM/xbin/trapz $SYSTEM/xbin/su
echo "Symlink e2fsck to 2ndinitstub..."
ln -sf ../recovery/2ndinitstub $SYSTEM/bin/e2fsck
echo "Done."
Then I booted into TWRP successfully.
However, when I tried to install your bueller-5.2.1.1-rooted_r1 I got this:
{
"lightbox_close": "Close",
"lightbox_next": "Next",
"lightbox_previous": "Previous",
"lightbox_error": "The requested content cannot be loaded. Please try again later.",
"lightbox_start_slideshow": "Start slideshow",
"lightbox_stop_slideshow": "Stop slideshow",
"lightbox_full_screen": "Full screen",
"lightbox_thumbnails": "Thumbnails",
"lightbox_download": "Download",
"lightbox_share": "Share",
"lightbox_zoom": "Zoom",
"lightbox_new_window": "New window",
"lightbox_toggle_sidebar": "Toggle sidebar"
}
After a long time it was clearly hung, so I rebooted and now it's bricked. But I did do a `dd if=/dev/sdb123 of=system.img` so i have that.
Would it be possible to just overwrite that partition with your system prerooted image while I have it connected to the emmc reader?
Thanks again for all the help!
cancelyourcable said:
Alright, so I made some big progress
Here's my script which successfully installed your TWRP zip:
Code:
# Put your `recovery' folder in here, unzipped
SHARED="/media/sf_Shared"
# This is the directory created by the MMC reader
LABEL="/media/root/57f8f4bc-abf4-655f-bf67-946fc0f9f25b"
# WARNING: this CHANGED from 4 to 3. Always CHECK FIRST
SYSTEM="${LABEL}3"
if [ ! -e "${SYSTEM}/xbin" ]; then
echo "ERROR: couldn't find /system/xbin - is the mount point correct?"
exit 1
fi
echo "Copying recovery..."
cp -rf $SHARED/recovery $SYSTEM
echo "Backup the old e2fsck..."
cp -i $SYSTEM/bin/e2fsck $SHARED/e2fsck.real
mv -i $SYSTEM/bin/e2fsck $SYSTEM/bin/e2fsck.real
echo "Chmodding and chconing RECOVERY..."
chown -R 0:2000 $SYSTEM/recovery
chmod -R 755 $SYSTEM/recovery
chcon -R --reference=$SYSTEM/bin $SYSTEM/recovery
echo "Copying, chmodding and chconing SU (in case recovery doesn't work out)..."
cp $SHARED/su $SYSTEM/xbin/
chown 0:2000 $SYSTEM/xbin/su
chmod 6755 $SYSTEM/xbin/su
chcon --reference=$SYSTEM/xbin/trapz $SYSTEM/xbin/su
echo "Symlink e2fsck to 2ndinitstub..."
ln -sf ../recovery/2ndinitstub $SYSTEM/bin/e2fsck
echo "Done."
Then I booted into TWRP successfully.
However, when I tried to install your bueller-5.2.1.1-rooted_r1 I got this:
View attachment 3996750
After a long time it was clearly hung, so I rebooted and now it's bricked. But I did do a `dd if=/dev/sdb123 of=system.img` so i have that.
Would it be possible to just overwrite that partition with your system prerooted image while I have it connected to the emmc reader?
Thanks again for all the help!
Click to expand...
Click to collapse
UPDATE...
I flashed my original system.img and brought it back to a working state. After that, I set up recovery again then tried to install bueller-5.2.1.1-rooted_r1.zip. Same as before, it froze, but this time at 80%:
Here's the only "log" I could find:
Code:
[email protected]:/media/root/57f8f4bc-abf4-655f-bf67-946fc0f9f25b4/recovery# cat log
Installing new recovery image: failed
So now I have the emmc reader connected again, and I'm *hoping* I can just flash the image in your bueller-5.2.1.1-rooted_r1.zip directly to the mmc using `dd if=system.new.dat of=/dev/sdb19`
But I thought I'd run it by your first before I brick it again :laugh:
Thanks again, @rbox
cancelyourcable said:
UPDATE...
I flashed my original system.img and brought it back to a working state. After that, I set up recovery again then tried to install bueller-5.2.1.1-rooted_r1.zip. Same as before, it froze, but this time at 80%:
View attachment 3997946
Here's the only "log" I could find:
Code:
[email protected]:/media/root/57f8f4bc-abf4-655f-bf67-946fc0f9f25b4/recovery# cat log
Installing new recovery image: failed
So now I have the emmc reader connected again, and I'm *hoping* I can just flash the image in your bueller-5.2.1.1-rooted_r1.zip directly to the mmc using `dd if=system.new.dat of=/dev/sdb19`
But I thought I'd run it by your first before I brick it again :laugh:
Thanks again, @rbox
Click to expand...
Click to collapse
The thread for TWRP talks about what to do if it hangs. You can use adb. You'll need to check the log while it's running. /tmp/recovery.log. The image in the rom is sparse, so you'll have to run sdat2img.py on it. And then you'll have to do all the steps listed in the updater-script. The image itself is 100% pure stock.
rbox said:
The thread for TWRP talks about what to do if it hangs. You can use adb. You'll need to check the log while it's running. /tmp/recovery.log. The image in the rom is sparse, so you'll have to run sdat2img.py on it. And then you'll have to do all the steps listed in the updater-script. The image itself is 100% pure stock.
Click to expand...
Click to collapse
I discovered your "updater-script" so I understand the process a lot better now (wish I had found this earlier)
How do I know which image to use for boot: boot.img or boot_unlocked.img? I'm running from a host system so I can't check the value of ro.boot.unlocked_kernel from within linux.
Thanks!
P.S. Almost finished a bash script others can use to flash your image from an emmc reader - I will post a guide on here!
cancelyourcable said:
I discovered your "updater-script" so I understand the process a lot better now (wish I had found this earlier)
How do I know which image to use for boot: boot.img or boot_unlocked.img? I'm running from a host system so I can't check the value of ro.boot.unlocked_kernel from within linux.
Thanks!
P.S. Almost finished a bash script others can use to flash your image from an emmc reader - I will post a guide on here!
Click to expand...
Click to collapse
Since it's running OS5, you have to use the regular boot.img, since your bootloader isn't unlocked.
cancelyourcable said:
P.S. Almost finished a bash script others can use to flash your image from an emmc reader - I will post a guide on here!
Click to expand...
Click to collapse
I would really appreciate this.
zexma said:
I would really appreciate this.
Click to expand...
Click to collapse
It's almost done! Will post very soon
cancelyourcable said:
It's almost done! Will post very soon
Click to expand...
Click to collapse
Don't want to bother, you
Is there any progress to expect, cause I'm stuck at the very same point, SELinux prevents loading su
(/system/xbin//su' failed: Permission denied)
Thanks in advance.
pwntrik said:
It's almost done! Will post very soon
Click to expand...
Click to collapse
Any progress on this?
zexma said:
Any progress on this?
Click to expand...
Click to collapse
Yes, it works 100%. Literally just ordered an overhead camera tripod for recording a video of the whole process. Sit tight -- I promise it's coming soon!
@pwntrik : any tricks to have your Linux (Ubuntu) box recognizing the FireTV in fastboot mode?
I can get it to connect in fastboot with Win7 on the same machine, but in Ubuntu 16.04 I'm not able to.
I did add ATTR{idVendor}== "1949" and ATTR{idProduct}=="0401" to /etc/udev/51-android.rules and rebooted, but no luck...
My FireTV (1st gen, last firmware was 5.0.5, rooted) is currently , after unsuccessful flash of "rooted-5.0.5_r1" ROM in TWRP stuck at this screen:
.
I know it's a longshot to recover it, but I have patience....
Sent from space
kozmo2k4 said:
@pwntrik : any tricks to have your Linux (Ubuntu) box recognizing the FireTV in fastboot mode?
I can get it to connect in fastboot with Win7 on the same machine, but in Ubuntu 16.04 I'm not able to.
I did add ATTR{idVendor}== "1949" and ATTR{idProduct}=="0401" to /etc/udev/51-android.rules and rebooted, but no luck...
My FireTV (1st gen, last firmware was 5.0.5, rooted) is currently , after unsuccessful flash of "rooted-5.0.5_r1" ROM in TWRP stuck at this screen:
.
I know it's a longshot to recover it, but I have patience....
Sent from space
Click to expand...
Click to collapse
I've been using Win10 for that. I only use Linux for writing the images.