MoFo - Image Modification Methods
I have been helping people with other devices to make rooted ext4 images for their devices using @btdownloads7's method here:
http://forum.xda-developers.com/showpost.php?p=60389310&postcount=177
Works great. If they have the system images as sparse chunks, you can use @tal.aloni's SparseConverter.exe found here:
http://forum.xda-developers.com/showthread.php?t=2749797
to make an ext4 single image system.img but you have to use a hex editor to remove the header and the footer following tal.aloni's instructions in the thread, which I summarized here:
http://forum.xda-developers.com/showpost.php?p=61130622&postcount=41
Then you can use btdownloads7's method above to root it.
The problem is that for some devices like the XT1058 there was only the fxz available as a single file system.img, which is not an ext4 file. I don't know how to convert it to an ext4 image but I have an unlocked XT1060 and at least for the XT1058 what I found I could do was flash the XT1058 system.img to my XT1060 using mfastboot, then boot into recovery and go to Mount and check System. Then from an adb shell run the mount command. That told me where the system image was. On the XT1060 it was /dev/block/mmcblk0p38. Then from the adb shell I ran the command:
dd if=dev/block/mmcblk0p38 of=/sdcard/new_image.img
where if = input file, of = output file and dd is a command that copies the data in the input file to the output file.
Then I exited the adb shell and ran the command
adb pull /sdcard/new_image.img
to get the new_image.img on my computer. new_image.img is an ext4 file that you can flash using mfastboot if your bootloader is unlocked or mofo.exe if your bootloader is locked.
Since my XT1060's bootloader is unlocked and the XT1058 image boots on the XT1060, I could mod the XT1058 image while running android - install Xposed, busy box, etc. - then boot into recovery and run the commands above. I am sure I can also install a custom ROM in TWRP and then pull the image. The point being that for the XT1058 and the non-Dev Ed XT1060's,, which have locked bootloaders, I can modify the images using this method. My XT1060 won't work as a phone running an XT1058 image, but I can use wifi to connect to the playstore to download apps and then install them.
So, I was hoping that this would work the same for the XT1095 and our XT1096 devices. I can boot the Pure Edition XT1095 ext4 image fine on my XT1096 after flashing it with mofo.exe (although it won't make calls) so I think the XT1096 image would run on the XT1095. If someone has an XT1095, they should be able to make a nandroid of their sytem, do all of that above, add in whatever we want to the XT1096 image while running it, then boot into recovery, do the steps above and pull it as an ext4 file using adb, then restore their phone using the nandroid.
To summarize the method:
1) Make a nandroid of XT1095;
2) Use mfastboot to flash XT1096 system.img to XT1095;
3) Boot into TWRP recovery, wipe cache and data partitions, adb push SuperSU zip to /sdcard, install SuperSU zip and then boot into system;
4) Enable USB Debugging, add in Xposed, CFLumen, etc. while running Android and reboot as necessary;
5) Boot into Recovery;
6) Open an adb shell and type the command mount to determine where /system is in /dev/block;
7) Run the command dd if=dev/block/correctplace of=/sdcard/new_image.img, where correctplace is wherever /system is in /dev/block;
8) Exit adb shell and run command adb pull /sdcard/new_image.img; and
9) Restore the XT1095 to its previous state using the nandroid backup.
new_image.img would be an XT1096 rooted ext4 mofo.exe flashable file with Xposed, CFLumen, etc. baked in. In step #1, I would also copy the nandroid to my computer so that I would have a backup copy in case anything strange happened. It shouldn't but it is always better to be safe.
Note that my qe converts to 2/1 when I flash a different model's image but it returns to 1/1 once I reflash an XT1096 image.
How To Make an Ext4 Image from a Single File System.img
Requires an Android device of the same model as the system.img is for with an unlocked bootloader and TWRP installed as the custom recovery.
1) Flash the system.img using mfastboot;
2) Boot into TWRP, start an adb shell and run the command mount - note what folder /system is in /dev/block;
3) From the adb shell run the command:
dd if=dev/block/correctplace of=/sdcard/new_image.img
where correctplace is the folder you noted in Step #2.
4) Exit the adb shell and run the command
adb pull /sdcard/new_image.img
to get the new_image.img onto your computer. new_image.img is an ext4 file that you can flash using mfastboot if your bootloader is unlocked or mofo.exe if your bootloader is locked.
How To Make an Ext4 Image From Sparse Chunks
If you have the sparse chunks for your model - i.e., system.img_sparsechunk1, etc. - then you can use SparseConverter.exe to make a single file ext4 system.img that is flashable by mfastboot and mofo.exe:
http://forum.xda-developers.com/showthread.php?t=2749797
The command is:
SparseConverter.exe /decompress C:\system.img_sparsechunk1 C:\system.img
And it is run from the directory where SparseConverter.exe is. Of course, if your sparse chunks aren't in c:\ you would put in the path to where they are in the command above. And sometimes the first sparse chunk is not sparsechunk1 but rather sparsechunk0 and if so, of course you would start with sparsechunk0.
The system.img you make using SparseConverter.exe will have a header and a footer in it that need to be removed before the system.img is flashable by mfastboot and mofo.exe. The instructions for how to do that are here.
How to Root an Ext4 Image - Requires a Bootloader Unlocked Android Device With TWRP
Requires an Android device with an unlocked bootloader and TWRP installed as the custom recovery. Originally posted here.
btdownloads7 said:
Yes, but there was a slight change in the process (at least on the Nexus 7) from they way I described it originally. Since the image is huge, and wouldn't fit onto the system partition of the Nexus 7, i couldn't just flash it as a system image from fastboot. Here's what I ened up doing:
1. Make sure that you have at least 6 GB free on the SD card, and boot into TWRP
2. Copy the clean ext4 image file to the SD card (the links are a few pages back in this thread)
3. Create a "supersu" folder on the SD card
4. Download the SuperSU update zip (the current version is 2.46)
5. Extract the "armv7" and "common" folders from the update zip to the "supersu" folder from Step 3.
6. Extract the "update-script" binary from the attached zip, and copy it to the same "supersu" folder. It's a script from tha update binary that I modified for our purposes.
7. In TWRP gui, wipe the system partition (this may not have been necessary, but I did it just in case)
8. In TWRP gui, unmount the system partition from the TWRP menus
9. open ADB shell
10. run "rm -r /system", and disregard any errors that it gives you. This will clear the mount point for our image
11. run "mkdir /system", and ignore any errors it gives you
12. run "mount -t ext4 -o loop /sdcard/system.img /system"
13. run "chmod +x /sdcard/supersu/update-script"
14 run "cd /sdcard/supersu" followed by "./update-script". You might see some errors when it's running, but you can disregard them
15. In ADB shell, run "mount", and that should list all the partitions. Remember which path is for the system partition (on my end it was "/dev/block/loop0")
16. run "dd if=dev/block/loop0 of=/sdcard/new_image.img". Obviously replace "/dev/block/loop0" with whatever you got in the previous step
And thats it. Copy the new image back to your PC, and you're ready to flash it with mofo
Click to expand...
Click to collapse
General Info On Modding Images Using Linux
@Ekkoria's tutorial here provides general information on how to mod images using linux.
@ClydeDroid - can you give a synopsis of what needs to be done to add a symlink for the AdAway hosts files? I would like to add it to this thread. Thanks!
Adding Free WiFi Tether to a System Image
To add free WiFi tether to a system image, the /system/build.prop file needs to be edited to include the following line:
net.tethering.noprovisioning=true
The line can be added anywhere in the build.prop file. Please note that editing the build.prop file in some instances resulted in HDR camera problems (force close when a picture was taken with HDR on). Be sure to use NotePad++ to edit the build.prop file, not another editor.
Adding Xposed for Lollipop to a System Image
Here and here are the instructions for @mikeoswego's method for installing Xposed for Lollipop in a system image.
You need to download both the apk and the zip from this thread:
http://forum.xda-developers.com/showthread.php?t=3034811
as well as the script that is attached to this post (unzip the script).
mikeoswego said:
1) You must mount the image that you want to install Xposed to /system on your Linux box (or edit the script some more.)
2) Make the script executable (chmod 755) and then run the script like this:
sudo [full path to script] [full path to zip file]
On my system it looks like this:
sudo /home/mike/InstallXposed /home/mike/xposed-sdk21-arm-20150430.zip
There will be some chcon errors but it still sets the permissions correctly.
3) Before you flash the image having Xposed in it to your device, download the XposedInstaller apk to your phone from the first post in this thread: http://forum.xda-developers.com/showthread.php?p=58948978#post58948978 and delete the following folders from your /data partition:
/data/dalvik-cache/arm
/data/dalvik-cache/profiles
4) On reboot, it will take a little longer at the red Verizon screen, then it will upgrade/optimize apps claiming a very large number of apps to process but most of them go by very quickly. On subsequent reboots it upgrades/optimizes one app each time. Otherwise I've not noticed any other problems or side effects.)
Click to expand...
Click to collapse
reserved 7
JulesJam said:
reserved 4
@btdownloads7 Is it possible for you to write up a synopsis of how you got Busy Box and SQLite into the image? It doesn't have to be a step by step guide, but whatever insight you could give even a high level summary would be appreciated. Thanks!
Click to expand...
Click to collapse
Sqlite is easy -- you just put the binary into /system/xbin, and chmod 755 it.
Busybox is harder. The overall process is very similar to rooting it, but you have to run most of the script in a virtual machine, and one command in TWRP. You have to get the update zip for it, extract the proper binaries for the arm7 architecture, and extract the update script. Then modify the update script to remove any mention of the mounting/dismounting of partition, and to move the the extracted binaries instead of having the script extract them. At the very end of the script, it runs a "busybox --install" command, and that has to be run on the actual device (in TWRP).
@mikeoswego - did I get the instructions correct here? I wanted to combine 2 of your posts into 1 set of instructions. Please let me know if I paraphrased you correctly, thanks!
JulesJam said:
@mikeoswego - did I get the instructions correct here? I wanted to combine 2 of your posts into 1 set of instructions. Please let me know if I paraphrased you correctly, thanks!
Click to expand...
Click to collapse
Looks good!
---------- Post added at 06:45 PM ---------- Previous post was at 06:41 PM ----------
JulesJam said:
net.tethering.noprovisioning=true
Click to expand...
Click to collapse
I'm not sure this works for carriers other than Verizon.
mikeoswego said:
I'm not sure this works for carriers other than Verizon.
Click to expand...
Click to collapse
AFAIK it works for ATT but the problem is that ATT is not subject to the Block C license restrictions so if you enable it, you still need to hide the fact that you are tethering from ATT. There are ways to modify the /system partition to do that but idk how to do it.
If you have UDP and don't tether very much, from all I have read, ATT lets it go. But if you are going to use lots of data per month tethering, they send you a letter telling you that you are violating their TOS and if you don't stop, they will take away your UDP or terminate your contract, I can't remember which. So those with UDP have to hide that they are tethering somehow.
JulesJam said:
6) Open an adb shell and type the command mount to determine where /system is in /dev/block;
7) Run the command dd if=dev/block/correctplace of=/sdcard/new_image.img, where correctplace is wherever /system is in /dev/block;
Click to expand...
Click to collapse
Just so you know, there's an easier way to do this part. The directory "/dev/block/platform/msm_sdcc.1/by-name" contains links to all the partitions so you don't have to remember weird numbers like "mmcblk0p38". The app "DiskInfo" can also show you which partitions map to which block devices, and it doesn't even need root. Hope this helps.
Mmcblk0p38 on my XT1095
btdownloads7 said:
Sqlite is easy -- you just out the binary into /system/xbin, and chmod 755 it.
Click to expand...
Click to collapse
Where do you get the binary and what is "out"?
JulesJam said:
Where do you get the binary and what is "out"?
Click to expand...
Click to collapse
I don't remember where I originally got the binary, but if you do a google search, you should be able to easily find it. Here's a good place to start.
And "out" was a typo. Should have said "put"
btdownloads7 said:
And "out" was a typo. Should have said "put"
Click to expand...
Click to collapse
I thought so but I wanted to make sure in case it was some linux command I am not familiar with, lol!
I'm trying to do something that should be very simple using the Linux method: change the boot animation. No matter what bootanimation.zip I put into /system/media, set permissions to 644 and ownership to root:root, the animation seems to default to a pulsating text "android" logo. When I also change the bootanimation file in /system/bin I only get the pre-boot Motorola logo until boot up is complete.
Pulling a MoFo Flashable Image From an XT1095
This is useful for the AT&T XT1097. You can flash modified XT1095 images to an AT&T XT1097 since they both work on AT&T. Here is how you can pull a MoFo flashable image from an XT1095.
Open an adb shell by typing adb shell at the command prompt. Then type the command su. Then run this command:
dd if=/dev/block/mmcblk0p38 of=/sdcard/system.img
Then pull the image using the adb pull command:
adb pull /sdcard/system.img c:\
joshnat said:
I'm trying to do something that should be very simple using the Linux method: change the boot animation. No matter what bootanimation.zip I put into /system/media, set permissions to 644 and ownership to root:root, the animation seems to default to a pulsating text "android" logo. When I also change the bootanimation file in /system/bin I only get the pre-boot Motorola logo until boot up is complete.
Click to expand...
Click to collapse
@mikeoswego may be able to explain to you how to do it.
Related
One thing I've noticed is there isn't a lot of documentation for getting set up and unlocking your bootloader on a Linux OS. Setting up your machine to get adb and fastboot to recognize your device takes a tiny bit of extra work on a Linux operating system, but what exactly needs to be done may not be clear to everyone. Whether it's because you're new to the Android SDK/adb, somewhat new to Linux, or can't simply can't seem to find the Vendor Code for the Nexus S. (For those who are looking specifically for this, it's '18d1', and I assume will be the same on all Nexus devices to come; If this means nothing to you right now, read on.)
Disclaimer: I take no responsibility if something goes wrong (if it does, it should be fixable though), Unlocking your bootloader voids your warranty (but you can lock it back), Unlocking the bootloader will wipe your entire phone, including USB Storage; so make a copy of all those family photos and other files you may have put onto the USB storage if you want to keep them.
For the sake of sanity, this guide assumes you are using Ubuntu. If you're using something else (or different applications), there are terminal commands offered, and you probably have an idea on how to adapt the given instructions to your Linux OS.
Preparation: Installing the Android SDK, ADB, Fastboot & Setting Up Your Nexus S to be Recognized
1. Download the Android SDK for Linux: http://dl.google.com/android/android-sdk_r08-linux_86.tgz
2. Save it in a folder of your choice. I chose to keep it in my Downloads folder, myself. If you'd like, you can rename it to the simpler name of 'AndroidSDK.tgz'. The rest of the guide will assume that you did, because I'm lazy, and it makes things simpler; it will also assume you saved it in Downloads. If you feel that you have the intuition to rename and edit the path names based on your own choices, then fine; but if you're utterly lost here, just stick with what I'm doing; download to 'Downloads', rename to 'AndroidSDK.tgz'.
3. Now that you have it, navigate to the folder you downloaded it to, right-click, and click 'Extract' to unzip it. If for some reason you cannot do this, open up a terminal and try this command:
Code:
tar zxvf /home/<your-user-name>/Downloads/AndroidSDK.tgz
You may have to adjust the command if you didn't save it under Downloads or didn't rename the file to AndroidSDK.tgz.
4. Now, we'll install adb and some other software packages by starting up the Android SDK and AVD Manager. Start it either by:
- Navigating to your AndroidSDK folder, going to the 'tools' folder and double-clicking the file called 'android'; if a popup opens asking you what you want to do with it click 'Run'.
- Using this command:
Code:
/home/<your-user-name>/Downloads/AndroidSDK/tools/android
5. In Android SDK and AVD Manager, click on "Available packages". Check the box next to "Android SDK Tools, revision 8" and "Android SDK Platform-tools", and click on "Install Selected" then "Install". When prompted click "Yes" to restart ADB.
6.You should now have a folder in /home/<your-user-name>/Downloads/AndroidSDK/ called "platform-tools".
7. Download fastboot here: http://developer.htc.com/adp.html
- Save it to the aforementioned platform-tools folder.
- Now, navigate to the file, right click it, click 'Properties', go to the 'Permissions' Tab and check 'Allow executing file as program'. Alternatively, run this command:
Code:
chmod +x /home/<your-user-name>/Downloads/AndroidSDK/platform-tools/fastboot
8. Now to set things up so adb and fastboot recognize your Nexus.
- Type this command into a terminal:
Code:
gksudo gedit /etc/udev/rules.d/51-android.rules
- Paste this into the blank file:
Code:
SUBSYSTEM=="usb", SYSFS{idVendor}=="18d1", MODE="0666"
- Click save and close.
- Then, type the following terminal command:
Code:
sudo restart udev
9. Almost done with preparations! Run this command:
Code:
gedit .bashrc
And add this line to the top of the file:
Code:
#AndroidDev PATH
export PATH=${PATH}:/home/<your-user-name>/Downloads/AndroidSDK/tools:/home/<your-user-name>/Downloads/AndroidSDK/platform-tools
Then save the file and close.
10. Download this file and save it to /home/<your-user-name>/Downloads/AndroidSDK/platform-tools: http://www.mediafire.com/?4pe5y906zr67nfh
10.We're ready to go!
Unlocking the Bootloader on your Nexus S and Rooting
Once again, unlocking your bootloader wipes everything on your device, including USB storage. Make a backup of any files you want to keep.
1. On your Nexus S, go to Menu>Settings>Applications. Select "Development" and check the box next to "USB debugging"
2. Power off the phone, and then hold down the Volume Up button and the Power button simultaneously to get into Bootloader/Fastboot mode. Connect your Nexus to the computer via USB.
3. Run this command to unlock your bootloader: (Once again WIPES EVERYTHING!)
Code:
fastboot oem unlock
Hit Enter and on your phone you will be prompted to confirm the action. (Use Volume +/- buttons to choose, power button to confirm choice) Confirm. At this point you will have an unlocked bootloader.
4. Copy/paste the following into the Terminal window:
Code:
fastboot flash recovery /home/<your-user-name>/AndroidSDK/platform-tools/recovery-clockwork-herring.img
5. Use the Volume +/- buttons to choose the Recovery option, then press the power button.
6. In Recovery, go to 'mounts and storage' and choose 'mount USB storage'.
7. Go to this page: http://forum.xda-developers.com/showthread.php?t=682828
About 1/5 of the way down on that page, find the link for "su-2.3.6.1-ef-signed.zip", which is the link for the Froyo version of Superuser. Control-click (right click) on that link and choose "Download Link As..." Save that file to your desktop and then copy it to the main directory of your mounted phone.
8. Click 'Unmount'. Go back to 'mounts and storage' and choose 'mount /system'. Then Go Back and choose 'install zip from sdcard'>'choose zip from sdcard'>su-2.3.6.1-ef-signed.zip
9. When it's finshed installing, reboot. You are now rooted.
Special Thanks
Amin Sabet; I used your Mac guide as a reference and copy/pasted some things for convenience.
Koush; For first posting the unlocking information, developing ClockworkMod Recovery, and ROM Manager. You should probably hook him up with a donation. https://www.paypal.com/us/cgi-bin/w...63663d3faee8d9384d85353843a619606282818e091d0
Michael.B.; for suggesting adding the platform-tools folder to the .bashrc file.
Linus Torvalds; Without which we'd have neither Android nor Ubuntu.
Feel free to leave your comments on the guide below.
Good guide for beginners, I would throw in how to update their path so they can just type adb or fastboot
On Linux, edit your ~/.bash_profile or ~/.bashrc file. Look for a line that sets the PATH environment variable and add the full path to the tools/ and platform-tools directories to it. If you don't see a line setting the path, you can add one:
export PATH=${PATH}:/home/<your-user-name>/Downloads/AndroidSDK/tools:/home/<your-user-name>/Downloads/AndroidSDK/platform-tools
Click to expand...
Click to collapse
Be sure to update your username above.
Thanks a lot man, great guide. I didn't get my NS yet but this is gonna be very useful soon
ps: someone please stick this
Michael.B. said:
Good guide for beginners, I would throw in how to update their path so they can just type adb or fastboot
Be sure to update your username above.
Click to expand...
Click to collapse
Thanks for the tip. I added your tip and instructions for marking fastboot as executable.
Stuck due to the thread's usefulness
I forgot to ask: will this work for 64 bit systems?
nicholasbgr said:
I forgot to ask: will this work for 64 bit systems?
Click to expand...
Click to collapse
It should work just fine.
Thanks, got me rooted nice and quickly.
BlackOtaku said:
It should work just fine.
Click to expand...
Click to collapse
Yes but don't forget to install 32 libs.
Thanks for guide
Useful !
I'm waiting for cyanogen ROM so i'll able to install
Cheers
To confirm, yes it works on 64bit. I am running that
Thanks for the confirmation, guys
Good stuff, much appreciated.
I'm working on a simple shell script that should automate some of the more menial tasks while holding the user's hand through the process. I should have it up later today.
UPDATE: It's up! Link on the first page.
Sent from my Nexus S using XDA App
question:
If I use
Code:
fastboot boot recovery.img
instead of
Code:
fastboot flash recovery recovery.img
will i get OTA updates?
confiq said:
question:
If I use
Code:
fastboot boot recovery.img
instead of
Code:
fastboot flash recovery recovery.img
will i get OTA updates?
Click to expand...
Click to collapse
Or, I don't get OTA until i change OS with zip file (ex: su app) ?
confiq said:
Or, I don't get OTA until i change OS with zip file (ex: su app) ?
Click to expand...
Click to collapse
You shouldn't flash the recovery in the boot partition, I think that will cause problems with the phone period. :S
If you flash a custom boot.img (which this guide doesn't cover, though the script will flash Superboot) or kernel like Paul's Superboot, Supercurio's Voodoo Kernel, or Koush's insecure boot.img, OTA updates will fail to install. OTA updates will also reflash your recovery back to stock. One of the devs around here will probably start modifying them so they don't check the boot.img or reflash the recovery though.
Thanks for this! Worked perfectly
Hi all,
I have a strange problem. I can install ClockworkMod recovery but, when I reboot the phone, I don't have superuser installed and su doesn't work. If I reboot the phone, I have to install the recovery every time. It seems it isn't permanent.
Thanks
Matroska
matroska said:
Hi all,
I have a strange problem. I can install ClockworkMod recovery but, when I reboot the phone, I don't have superuser installed and su doesn't work. If I reboot the phone, I have to install the recovery every time. It seems it isn't permanent.
Thanks
Matroska
Click to expand...
Click to collapse
To fix the problem, before selecting zip file, you have to select mount /system. Then go to apply update.zip and proceed as usual.
Thanks
ok im stock
with this part fastboot oem unlock ware i put this code in my terminal of my pc ,,i put the cell in fasboot , i intall everiting if i put that code in my terminal
bash: /home/toshiba/.bashrc: line 2: syntax error near unexpected token `('
bash: /home/toshiba/.bashrc: line 2: `export PATH=${PATH}:/home/<your-user-name>/Downloads/AndroidSDK/tools:/home/<your-user-name>/Downloads/AndroidSDK/platform-tools# ~/.bashrc: executed by bash(1) for non-login shells.'
[email protected]:~$ fastboot oem unlock
fastboot: command not found
[email protected]:~$
what can i do or im doing wrong
This guide assumes you are already rooted on 5.0.3.1 (this will work for future updates as well if @zeroepoch push out new rooted images) I will just need to update the hash check accordingly
Now before I go any further **this can brick your device** so you assume all risk associated with this method.
I have tested this on 2 of my AFTV2 devices no less than 50 times so it was safe for me. There are factors that cant be accounted for such as bad blocks on the nand. I have put in a lot of checks into this script to go off without a hitch. If something doesn't match up the script will tell you and drop you back to terminal. The safest method to date is using @zeroepoch diff and waiting 2 hours.
Or wait until someone like @rbox comes up with a custom recovery solution.
This method came down to necessity for me as I wasn't getting the 5.0.4 update (waited a week on each of my devices)
Plus I cant stand waiting around for 2 hours. @xenoglyph started this off by being the first to use the dd method and after seeing his success I figured I would automate the process because some users bricked their device because of a simple mistake (failing to unpack the .gz for the images).
I have only tested this over USB (use over network at your own risk but if you happen to please report back if it works)
How to:
All-in-One package - https://mega.nz/#!1YJXDbJa!jzy1g78qIUdsRwY4Pzw2yLLyH9pB2uo9imDaskbotY0
Mega decryption key - !jzy1g78qIUdsRwY4Pzw2yLLyH9pB2uo9imDaskbotY0
Script only package is below (you will need to download and decompress all images)
MicroSD Method:
1. Extract the .zip to a microSD card and place the card in the AFTV
2. Plug in your USB A to A cable
3. Turn on USB Debugging
4. Make sure your system sees the AFTV (adb devices) (or over wifi/wired adb connect 192.168.1.xxx -=tested see post #7 & #28=-)
5. Open adb shell (adb shell)
6. Enter the commands one at a time below
Code:
su
cd /storage/sdcard1
chmod 775 root.sh
sh ./root.sh
The device will reboot when finished (if for some reason it doesn't reboot on its own and drops you the terminal after the 60 second message, you can just pull the plug)
Internal Storage Method:
1. Extract 5.3.0.1-5.0.4-local-script.zip and adb push it to /data/local/tmp (this is the script, busybox, and verify.md5 only) you have to push images (see below)
2. Plug in your USB A to A cable
3. Turn on USB Debugging
4. Make sure your system sees the AFTV (adb devices) (or over wifi/wired adb connect 192.168.1.xxx -=tested see post #7 & #28=-)
5. Open adb shell (adb shell)
6. Enter the commands one at a time below
Code:
su
cd /data/local/tmp
chmod 775 root.sh
sh ./root.sh
The device will reboot when finished (At the moment reboot and busybox reboot aren't working. The script will give you a message when to reboot at the end)
After the device reboots disable OTA again just to be on the safe side:
Code:
adb shell
su
pm disable com.amazon.device.software.ota
I have a class 10 microSD and the process takes exactly 3 mins from the second you run root.sh
If you have a slower card expect it to take up to 5 mins.
If the script is tampered with it will error on the hash check
Here are the hashes for each file:
MicroSD Method md5:
Code:
c230711c59ec66a67229449afbf84291 verify.md5
e7c105e97a797f451c1e6ca7a1d950d6 root.sh
dedf4203ca67fa067dc658c8a1325b4f busybox
Local Storage Method md5:
Code:
ef110ab79458f3263fbdba4492125f48 verify.md5
e40dafa35b7d694f8c13b95446b84a3a root.sh
dedf4203ca67fa067dc658c8a1325b4f busybox
5.0.4 Image md5:
Code:
4cc42c5a4ded1eb4d9529b2aede1dfb7 boot.img
f0b05f68cbcecb96722a4637eb06a8a0 lk.img
53649663ee0fa2f7c434b5acdbfddcda preloader.img
3aa70baba1bbb8b29f7d2fa7428e4e1e recovery.img
57bad37f08489b228ae71fc1246adb53 system.root.img
Images for script only download:
http://download.zeroepoch.com/aftv2/5.0.4/boot.img.gz
http://download.zeroepoch.com/aftv2/5.0.4/lk.img.gz
http://download.zeroepoch.com/aftv2/5.0.4/preloader.img.gz
http://download.zeroepoch.com/aftv2/5.0.4/recovery.img.gz
http://download.zeroepoch.com/aftv2/5.0.4/system.root.img.gz
I will maintain the script until a custom recovery arrives.
Special thanks to @zeroepoch for rooting the AFTV2 and maintaining a git/wiki
Also thanks to everyone else working on the AFTV(2)
@rbox, @ImCoKeMaN, @xenoglyph
Nice, thanks for this guide and script!
I just manually updated and did the 2 hr method last night or I would have done this. It's nice to have a way to do the updates as they happen, thanks for sharing your work
thanks for doin it proper man, been super busy
xenoglyph said:
thanks for doin it proper man, been super busy
Click to expand...
Click to collapse
No problem
Thanks for being the first one to risk bricking with this method!
Thanks @aboshi and @xenoglyph!
aboshi said:
This guide assumes you are already rooted on 5.0.3.1
Click to expand...
Click to collapse
1) Does this script assume anything besides firmware 5.0.3.1 rooted? (see EDIT below)
2) Does it matter that apps may have altered /system after the 5.0.3.1 root? (for instance I have AdAway which edits /system/etc/hosts)
3) You said this takes only 3 minutes to run. Does that mean you can successfully run sync after dd?
4) The Mega link asks for a decryption key to download. Are you making this available only to a select group of people?
EDIT: Noticed that busybox is part of this rooting package. If I already have busybox on the box, should I uninstall that before running this script?
@Patrick_445
The script doesn't need to assume firmware version currently, it will only verify the script, .md5, busybox, and images being used.
Im sure I can put in a verify build prop but I have not done that yet. The only reason that would be needed is if someone downgraded when new FW comes out and that might brick their system and I believe it amazon burns fuses now so you cant downgrade.
I posted the decryption key for Mega. I don't know why it was asking you for one because the whole link includes the key.
It doesn't matter that apps alter anything in /system because its getting overwritten/upgraded anyway.
Yes it runs sync at the very end. As for time running it's really only 2 mins. I added a 60 sec sleep at the end right before the reboot just to be safe.
You do not need to delete busybox if you installed it already. busybox is included to run everything statically from the same dir and it must be present or the script will exit as soon as it does the hash check. I have done it this way because I felt it was safer than just linking.
adb over network
Hi aboshi,
first of all I want to thank you for your script. It makes updating the AFTV2 quite painless.
Otherwise I'd like to report that I did the update using adb over the network (wired) which thankfully worked, but not completely perfect.
When I ran your script in the networked adb shell it did everything as expected up to writing
"Copying system.root.img"
to the screen. Then nothing further seemed to happen. I expected that step to run a little longer, since system.root.img is by far the largest file to be written. But after some minutes, I started to get nervous. I tried to ping my AFTV2, but it wasn't reachable over the network anymore. When I looked at the TV, which is connected to my AFTV2 (different room), I could see, that the AFTV2 had rebooted and it was stuck at the colored amazon logo. I waited for about 20 further minutes, but nothing changed.
Reading about all the brick-stories here, I feared my AFTV2 was dead now. So I gave it a last chance and powercycled my AFTV2. At that second boot, the AFTV made it and after some minutes of "optimizing apps aso." it really came up. I checked the os version and I had 5.04.
So I can only guess what had happened. While writing the system image obviously the network connection got lost and thus the adb shell session terminated. The script probably continued to run, because it managed to write enough of the system image to create a working system. Probably it even ran until the end, since my AFTV2 rebooted by itself. BUT, I can't be sure about it, because I never saw the correspondig lines in my adb shell and the first reboot didn't really work out.
So my conclusion: I wouldn't recommend using the script over the network unless you are a very adventurous person or you have no other possibility. In my case I was to lazy to carry my laptop over to the AFTV2 and to install the USB drivers and adb on it. Also I just hoped the update would work. In the end I did carry my laptop over and repeated the update over USB, just to be sure. This time it worked perfect.
Greets,
Christian
@skyball2
Thank you for testing over network. I knew more than likely something like that would happen and thats why it should be done over USB.
It is due to all system files being overwritten and linking. You might have also noticed when it upgraded from 5.0.3.1 to 5.0.4 that the system black screens in the middle of the copy (but not when overwriting 5.0.4 to 5.0.4). Thankfully the script finished its job and you have a working system.
Im sure it can be done over network for others as a last resort, but I wouldn't do it personally because we have no recovery options at the moment. If anyone else wants to do this over network I HIGHLY suggest that you wait at least 10 mins before you reboot after you lose network connection, and after the reboot I would wait another 10 mins before power cycling again if stuck at the amazon logo. (so in other words UPDATE OVER USB!)
aboshi said:
This guide assumes you are already rooted on 5.0.3.1 (this will work for future updates as well if @zeroepoch push out new rooted images) I will just need to update the hash check accordingly
Now before I go any further **this can brick your device** so you assume all risk associated with this method.
I have tested this on 2 of my AFTV2 devices no less than 50 times so it was safe for me. There are factors that cant be accounted for such as bad blocks on the nand. I have put in a lot of checks into this script to go off without a hitch. If something doesn't match up the script will tell you and drop you back to terminal. The safest method to date is using @zeroepoch diff and waiting 2 hours.
Or wait until someone like @rbox comes up with a custom recovery solution.
This method came down to necessity for me as I wasn't getting the 5.0.4 update (waited a week on each of my devices)
Plus I cant stand waiting around for 2 hours. @xenoglyph started this off by being the first to use the dd method and after seeing his success I figured I would automate the process because some users bricked their device because of a simple mistake (failing to unpack the .gz for the images).
I have only tested this over USB (use over network at your own risk but if you happen to please report back if it works)
How to:
All-in-One package - https://mega.nz/#!5JhhWJjJ!7ziTq93zhvlyPYnZtH1H4xXQBl1yWxQG5zD8Ezn0ldY
Mega decryption key - !7ziTq93zhvlyPYnZtH1H4xXQBl1yWxQG5zD8Ezn0ldY
Script only package is below (you will need to download and decompress all images)
1. Extract the .zip to a microSD card and place the card in the AFTV
2. Plug in your USB A to A cable
3. Turn on USB Debugging
4. Make sure your system sees the AFTV (adb devices) (or over wifi/wired adb connect 192.168.1.xxx -=tested see post #7=-)
5. Open adb shell (adb shell)
6. Enter the commands one at a time below
Code:
su
cd /storage/sdcard1
chmod 775 root.sh
sh ./root.sh
The device will reboot when finished (if for some reason it doesn't reboot on its own and drops you the terminal after the 60 second message, you can reboot manually just type reboot or pull the plug)
I have a class 10 microSD and the process takes exactly 3 mins from the second you run root.sh
If you have a slower card expect it to take up to 5 mins.
If the script is tampered with it will error on the hash check
Here are the hashes for each file:
Code:
c230711c59ec66a67229449afbf84291 verify.md5
e7c105e97a797f451c1e6ca7a1d950d6 root.sh
dedf4203ca67fa067dc658c8a1325b4f busybox
4cc42c5a4ded1eb4d9529b2aede1dfb7 boot.img
f0b05f68cbcecb96722a4637eb06a8a0 lk.img
53649663ee0fa2f7c434b5acdbfddcda preloader.img
3aa70baba1bbb8b29f7d2fa7428e4e1e recovery.img
57bad37f08489b228ae71fc1246adb53 system.root.img
Images for script only download:
http://download.zeroepoch.com/aftv2/5.0.4/boot.img.gz
http://download.zeroepoch.com/aftv2/5.0.4/lk.img.gz
http://download.zeroepoch.com/aftv2/5.0.4/preloader.img.gz
http://download.zeroepoch.com/aftv2/5.0.4/recovery.img.gz
http://download.zeroepoch.com/aftv2/5.0.4/system.root.img.gz
I can modify the the script to use /data/local/tmp
So if you want to push all files to the AFTV over adb because you don't have a microSD card let me know.
I believe @zeroepoch will host this on the git as well. I will maintain the script until a custom recovery arrives.
Special thanks to @zeroepoch for rooting the AFTV2 and maintaining a git/wiki
Also thanks to everyone else working on the AFTV(2)
@rbox, @ImCoKeMaN, @xenoglyph
Click to expand...
Click to collapse
Hello,
when I enter the command: chmod 775 root.sh I get the following error: Unable to open root.sh No such file or directory
any ideas why? I checked that fire tv is connected using adb devices. Also entered adb shell with no problems as well as su, and
cd /storage/sdcard1
thanks
Edit: btw I'm on Windows 7 64 bit. Fire TV 2 shows up in Device Manager as Portable Device
Don't know why you're having an issue with chmod but just do this:
Code:
su
mount -o rw,remount /storage/sdcard1
cd /storage/sdcard1
chmod 775 root.sh
sh ./root.sh
aboshi said:
Don't know why you're having an issue with chmod but just do this:
Code:
su
mount -o rw,remount /storage/sdcard1
cd /storage/sdcard1
chmod 775 root.sh
sh ./root.sh
Click to expand...
Click to collapse
thanks for the reply. Still same error after chmod.... no error when mount -o rw,remount /storage/sdcard1 though just at the chmod command.
dk1keith said:
thanks for the reply. Still same error after chmod.... no error when mount -o rw,remount /storage/sdcard1 though just at the chmod command.
Click to expand...
Click to collapse
Still don't see how you're having an issue but try this and let me know:
Instead of chmod 775 root.sh type this:
chmod 775 ./root.sh
And there's no need to remount sdcard1 because the script will handle that.
aboshi said:
Still don't see how you're having an issue but try this and let me know:
Instead of chmod 775 root.sh type this:
chmod 775 ./root.sh
Click to expand...
Click to collapse
I just looked again at the files on the sdcard and there is no root.sh file. Should I try and download the all in one package again?
the zip file I downloaded doesn't have root.sh in the archive? Or am I downloading the wrong file?
I'll DL the zip right now and look.
*edit*
The zip contains root.sh, verify.md5, and busybox
Make sure your are copying them all to the microsd.
I will now go back and edit my other posts because there is no reason to remount anything for the end user.
aboshi said:
Still don't see how you're having an issue but try this and let me know:
Instead of chmod 775 root.sh type this:
chmod 775 ./root.sh
And there's no need to remount sdcard1 because the script will handle that.
Click to expand...
Click to collapse
I'm being a bone head.....I didn't download the script and unzip it to the sdcard just unzipped the all in one file. I just unzipped the script file and put root.sh on the sdcard
dk1keith said:
I'm being a bone head.....I didn't download the script and unzip it to the sdcard just unzipped the all in one file. I just unzipped the script file and put root.sh on the sdcard
Click to expand...
Click to collapse
I just copied the root.sh from the script file to the sdcard the chmod command worked and I am on 5.0.4
---------- Post added at 06:01 PM ---------- Previous post was at 05:59 PM ----------
aboshi said:
I'll DL the zip right now and look.
*edit*
The zip contains root.sh, verify.md5, and busybox
Make sure your are copying them all to the microsd.
I will now go back and edit my other posts because there is no reason to remount anything for the end user.
Click to expand...
Click to collapse
Yes. Sorry if I wasn't clear. I only downloaded the all-in-one zip file. I didn't download the file with the script in it so the script wasn't on the sdcard. I got it sorted and I am on 5.0.4. Thanks for the help
dk1keith said:
I just copied the root.sh from the script file to the sdcard the chmod command worked and I am on 5.0.4
---------- Post added at 06:01 PM ---------- Previous post was at 05:59 PM ----------
Yes. Sorry if I wasn't clear. I only downloaded the all-in-one zip file. I didn't download the file with the script in it so the script wasn't on the sdcard. I got it sorted and I am on 5.0.4. Thanks for the help
Click to expand...
Click to collapse
The all in one has the script as well.
Everything works perfectly except at the end I got "Reboot not found" I just rebooted manually and after booting the screens displays "optimizing system storage and aplications... this will take 10 min"
Now I am back in business but what is the difference with 5.04 version ?
aboshi said:
The all in one has the script as well.
Click to expand...
Click to collapse
Not sure if my anti virus blocked it but I downloaded the all in one zip twice and I didn't get the script file when I extracted the files to sdcard. I then downloaded the script.zip unzipped it and copied the root.sh to sdcard. In any case I am on 5.0.4 and I really appreciate your help and all your work on this root method.
No you are correct, I am repacking the all in one zip now, it was missing root.sh
I will update the OP with the new link.
*Update*
Ok repacked with root.sh and updated new link on OP
Hallo.Thanks for watching.
I am rooting Android's Z581KL.
I am rooting Android's Z581KL.
Here, I download and unpack the file ....
hZtZtpsZ://wZwZwZ.axfc.net/u/3777377
Z←remove
(PASS Z581KL) (差分=Difference,キーワード=KEYWORD,ダウンロード=Download,こちら=HERE,cacheに置くもの=Things to put in the cache)
Turn USB debug mode on,
adb reboot recovery
Enter recovery at.
After that, mount the system using the terminal volume button and the power button
adb push dirtycow /tmp/
adb push run-as /tmp/
adb shell
cd /tmp
chmod 777 dirtycow
chmod 777 run-as
./dirtycow ./run-as /system/bin/run-as
run-as
dd if=/dev/block/mmcblk0p41 of=/tmp/boot.img
This will dump boot to /tmp/boot.img.
According to the developer, I am introducing SuperSU systemly by twinkling the boot area.
Since this model is recovery so that SELinux is permissive and adb can be used,
You can rewrite the boot area by using dirtycow.
So dump the boot area once and raise it to the PC and then install SuperSU
You can manually apply the script and write back to the terminal.
As a point of note, if the size of initrd differs from the original, it will not start,
It is necessary to adjust the size by erasing and compressing unnecessary files.
After dumping boot.img with exploit and developing it appropriately
Supersu's systemless script adapted locally
After re-packing it will be written in the same place with dd in reverse to extraction.
I have never read the script of supersu, but write the arm64 file
You can manually execute a place where apk is placed in the data area or something.
Perhaps by default / data is encrypted so place the file in / cache.
The file of arm64 will create an image file called su.img in ext4 and put it in it.
I mean, I do not know the procedure after dd if = / dev / block / mmcblk 0p 41 of = / tmp / boot.img.
So, if you let me know, it will be helpful.
this method won't work on lastest firmware (3.3.20) - they patched dirtycow exploit
Sorry to forget writing. I am doing at 3.3.18. 3.3.18 What about?
NOW THE TABLET IS UPGRADED TO ANDROID 7
any method for rooting this version?
All firmware versions are provided on ASUS website. Can it be downgraded?
from asus page: "Software update cannot transfer the software SKU and downgrade the software version."
official firmware V3.3.20.0 zip includes boot.img
Can not you edit this and use it?
I can't wait to root this tablet. It has so much bloat (that cannot be disabled) that its 2 GB of RAM feel like 1...
I posted rooting method.
ttps://forum.xda-developers.com/android/help/guides-links-how-to-root-asus-zenpad-3-t3602408
Doesn't that work only for <= 3.3.18? Mine came from factory with 3.3.20...
doberek said:
from asus page: "Software update cannot transfer the software SKU and downgrade the software version."
Click to expand...
Click to collapse
I just tried to downloaded the 3.3.18.0 firmware and rename it 5.3.9.0. I was able to downgrade by updating it from 3.3.20.0 back to 3.3.18.0.
However, I don't get the instruction here: ttps://forum.xda-developers.com/android/help/guides-links-how-to-root-asus-zenpad-3-t3602408
Anyone who is able to successfully root the device please help for a more vulgar guide.
I already upgraded to Nougat 5.3.9.0. Could I downgrade to 3.3.18 without bricking it?
After and reboot Recovery, the tablet reboot normaly and non enter in recovery, solution????
ot
i own a z581 by vodafone (still on android MM), is there a way to flash the ww image from asus website?
The guide below is depreceatred and should NOT be used.
Please use the guide in this thread instead. - https://forum.xda-developers.com/g6-play/how-to/guide-t3929928
Code:
/*
* Your warranty is now void.
*
* I am not responsible for bricked devices, dead SD cards, fires, rigged elections,
* thermonuclear war, or you getting fired because the alarms failed and you could not call in.
Please
* Ensure you have an advanced understanding of this device before flashing it! YOU are choosing to make these modifications or your own free will.
*/
This has been confirmed to work on:
XT1922-3 Model
XT1922-4 Model
XT1922-5 Brazilian Model
XT1922-7 Boost Mobile variant of this device with the code name JETER with Android 8.0.0 Build OCP27.91-23
XT1922-9 Model
Links to all boot images have been removed at the request of Motorola.
If you have done an OTA for your Device these boot.img's may not work for your device. We will need a newer boot.img to patch.
Please make backups using TWRP. Right now there is no ROM from moto for these devices that I've found. So proceed with caution.
Just make sure to download the correct boot.img for your device.
If you have another model please follow the first few steps to grab the stock boot.img and post it here and I can patch it.
The steps listed in this process WILL wipe your userdata. If you have anything you need to save back it up first.
Prerequisites:
Unlocked bootloader.
ADB/Fastboot installed on your machine ( https://developer.android.com/studio/releases/platform-tools ) If you have issues with commands make sure you have a current build of ADB and fastboot.
Step 1.) Download _ this TWRP image to the ADB/Fastboot folder on your computer.
Step 2.) Reboot to your bootloader. You can do this by turning on your device and holding power and both volume buttons at the same time.
Step 3.) Once the device reboots to the bootloader type the following from your computer with your phone connected via USB.
Code:
fastboot boot moto-g6-play-jeter-patched-twrp.img
Step 4.) Once TWRP boots from your computer type (it may take a bit to boot because it is trying to decrypt your userdata, but it will fail and prompt for a password. Just click cancel):
Code:
adb pull /dev/block/platform/soc/7824900.sdhci/by-name/boot stockboot.img
adb pull /dev/block/platform/soc/7824900.sdhci/by-name/recovery stockrecovery.img
This will backup your stock boot and recovery images if you to revert to stock later.
Step 5.) Now type:
Code:
adb reboot bootloader
Step 6.) Download either XT1922-9_no_dm-verity_boot.img or XT1922-7_no_dm-verity_boot.img or XT1922-5_no_dm-verity_boot.img or XT1922-4_no_dm-verity_boot.img or XT1922-3_no_dm-verity_boot.img patched dm-verity boot image depending on which device you have and download it into the ADB/Fastboot folder on your computer.
Step 7.) Run the following command from your computer to install the relevant boot image to your device.
Code:
fastboot flash boot XT1922-9_no_dm-verity_boot.img
OR
Code:
fastboot flash boot XT1922-7_no_dm-verity_boot.img
OR
Code:
fastboot flash boot XT1922-5_no_dm-verity_boot.img
OR
Code:
fastboot flash boot XT1922-4_no_dm-verity_boot.img
OR
Code:
fastboot flash boot XT1922-3_no_dm-verity_boot.img
Step 8.) Run the following command from your computer to install the TWRP image to your device.
Code:
fastboot flash recovery moto-g6-play-jeter-patched-twrp.img
Step 9.) Use the volume keys on the device to select boot to recovery and TWRP will boot up again. When it prompts for a decryption password select cancel again.
Step 10.) From your computer type the following into your command prompt/terminal from your adb/fastboot folder:
Code:
adb shell mount -o,rw /dev/block/platform/soc/7824900.sdhci/by-name/vendor /vendor
Step 11.) Download this patched fstab.qcom boot image into the ADB/Fastboot folder on your PC.
Step 12.) Run the following command from command prompt/terminal on your computer:
Code:
adb push fstab.qcom /vendor/etc/fstab.qcom
Step 13.) Next click the "Wipe" button in TWRP and slide "Swipe to Factory Reset" THIS WILL WIPE YOUR DATA ON YOUR PHONE. Ensure you have backup.
Step 14.) Download the Magisk zip file https://github.com/topjohnwu/Magisk/releases/ to your ADB/Fastboot folder.
Step 15.) Run the following command to push the boot image to your device
Code:
adb push Magisk-vXXX.zip /tmp
This will push the Magisk-vXXX.zip to your /tmp folder
Step 16.) Flash Magisk-v16.4.zip from TWRP using the install option and navigate to the /tmp folder to select it and install it.
Step 17.) Reboot your device
Step 18.) It will say N/A in the top corner of your device for a few seconds. Then it will boot the the Motorola boot screen and you can setup your device as a new phone.
Step 19.) Verify Magisk Manager is installed and the root functionality works.
Step 20.) ???
Step 21.) Profit
Credits:
CodyF86 and his Moto E5 thread for clues as to what it would take to turn off DM-Verity
Reserved
1st....
Thanks for your guide!
i can confirm this works perfectly on my boost model if you do everything exactly as the tutorial say. will be posting screenshots once i re download xda labs on phone. using computer as i type this
---------- Post added at 01:40 AM ---------- Previous post was at 01:00 AM ----------
alright so until this thread is able to work on the app i cant post screenshots but magisk safety net protection works. my kernel adiutor settings stuck on boot. the only things thats not working is being able to uninstall some bloatware and useless system apps. o theres no device encryption on boot anymore which is nice.
Hi @kwiksi1ver,
Thank you for your guide! :highfive:
However, I recomend to do one of these two things:
- Option 1: Add to your guide a link for download the original "boot.img" and "recovery.img". This is required for restoring the original state of the device in case of some error.
- Option 2: Instead of directly "flash" the "recovery.img" in the step 3, you can recommend to use a simple "boot". This doesn't replace the recovery and it's more safe. Then you can instruct to the user to make a backup of his stock boot & recovery partitions. See my guide about G6+: https://forum.xda-developers.com/moto-g6/how-to/moto-g6-root-guide-start-pro-users-t3795197
If you do it, then some users can rollback when some trouble appear. For example, someone here: https://forum.xda-developers.com/showpost.php?p=76789160&postcount=27 needs your help (I have a G6+, so I can't help him).
Regards. :angel:
Sweat
So here is confirming. This works 100% alas i can only confirm the boost version as well.
THANK YOU
I Can confirm this works on the boost mobile variant of the jeter if you follow every step exactly. Magisk works, and safety net is good, and magisk hide works tried Pokemon go and it was successful. Modules I used on my Moto g4 play work on my g6 play. Only thing I've noticed is the bloatware and certain system apps ( like Facebook) refuse to be uninstalled. Screenshots provided. Kernel aduitor settings also stayed when I used the apply on boot option
manos78 said:
Hi @kwiksi1ver,
Thank you for your guide! :highfive:
However, I recomend to do one of these two things:
- Option 1: Add to your guide a link for download the original "boot.img" and "recovery.img". This is required for restoring the original state of the device in case of some error.
- Option 2: Instead of directly "flash" the "recovery.img" in the step 3, you can recommend to use a simple "boot". This doesn't replace the recovery and it's more safe. Then you can instruct to the user to make a backup of his stock boot & recovery partitions. See my guide about G6+: https://forum.xda-developers.com/moto-g6/how-to/moto-g6-root-guide-start-pro-users-t3795197
If you do it, then some users can rollback when some trouble appear. For example, someone here: https://forum.xda-developers.com/showpost.php?p=76789160&postcount=27 needs your help (I have a G6+, so I can't help him).
Regards. :angel:
Click to expand...
Click to collapse
Cheers. I've added the stock files to the second post in the thread and I'll see what I can do about updating with the fastboot boot twrp.img steps and have the user backup their stuff first.
I wish I could help the user your referenced too, but they have different device. They have a G6, I have a G6 Play, and you have a G6+.
ninjakira said:
Only thing I've noticed is the bloatware and certain system apps ( like Facebook) refuse to be uninstalled.
Click to expand...
Click to collapse
You can run "adb shell" then "su" then type "pm disable com.facebook.system", "pm disable com.facebook.katana", "pm disable com.facebook.appmanager", "pm disable com.ironsource.appcloud.oobe", "pm disable com.lookout" etc which will disable the apps.
Alternatively you could use a file manager with root access and delete the various files and reboot. Make sure to keep a backup just in case you need them:
/oem/app/FcbkAppManagerSprint/FcbkAppManagerSprint.apk
/oem/app/FacebookStubSprint/FacebookStubSprint.apk
/oem/priv-app/FcbkInstallerSprint/FcbkInstallerSprint.apk
/oem/priv-app/LookoutSprint/LookoutSprint.apk
/data/app/com.ironsource.appcloud.oobe-mMdx9tUtxjFcQlRhjRmqrQ==/base.apk
kwiksi1ver said:
Cheers. I've added the stock files to the second post in the thread and I'll see what I can do about updating with the fastboot boot twrp.img steps and have the user backup their stuff first.
I wish I could help the user your referenced too, but they have different device. They have a G6, I have a G6 Play, and you have a G6+.
You can run "adb shell" then "su" then type "pm disable com.facebook.system", "pm disable com.facebook.katana", "pm disable com.facebook.appmanager", "pm disable com.ironsource.appcloud.oobe", "pm disable com.lookout" etc which will disable the apps.
Alternatively you could use a file manager with root access and delete the various files and reboot. Make sure to keep a backup just in case you need them:
/oem/app/FcbkAppManagerSprint/FcbkAppManagerSprint.apk
/oem/app/FacebookStubSprint/FacebookStubSprint.apk
/oem/priv-app/FcbkInstallerSprint/FcbkInstallerSprint.apk
/oem/priv-app/LookoutSprint/LookoutSprint.apk
/data/app/com.ironsource.appcloud.oobe-mMdx9tUtxjFcQlRhjRmqrQ==/base.apk
Click to expand...
Click to collapse
I just mainly want to remove Facebook as a system app and remove it's automatic updates and just reinstall it on play store as a regular app lol. I did try a couple root uninstallers and the failed to remove anything from the system. Also used a file manager with root and the results were the samr. The phone automatically resets when there's an attempt at removing system apps. I'll try to get a logcat for ya
I removed it all without any tools except for adb and it doesn't come back. Here is the code I used.
Code:
adb shell
su
cp -r /oem/app/FcbkAppManagerSprint /sdcard
cp -r /oem/app/FacebookStubSprint /sdcard
cp -r /oem/priv-app/FcbkInstallerSprint /sdcard
cp -r /oem/priv-app/LookoutSprint /sdcard
cp -r /data/app/com.ironsource.appcloud.oobe-mMdx9tUtxjFcQlRhjRmqrQ==/base.apk /sdcard
mount -o rw,remount /oem
mount -o rw,remount /data
mount -o rw,remount /system
rm -rf /oem/app/FcbkAppManagerSprint
rm -rf /oem/app/FacebookStubSprint
rm -rf /oem/priv-app/FcbkInstallerSprint
rm -rf /oem/priv-app/LookoutSprint
rm -rf /data/app/com.ironsource.appcloud.oobe-mMdx9tUtxjFcQlRhjRmqrQ==
reboot
If you run all of those command it will backup your annoying APK's to the /sdcard folder if you need them later and then delete the originals and then it reboots your device.
The ironsource appcloud apk is the thing that reinstalls the Sprint bloatware apps over and over again, so removing or disabling that is key to keeping the crap gone.
Will rooting Boost mobile variant unlock the phone ?
piesladowy said:
Will rooting Boost mobile variant unlock the phone ?
Click to expand...
Click to collapse
No it does not sim unlock the phone. Sprint/boost will unlock your sim provided you are with them for a year with the same device
XT1922-5
Hi Guys. I've tried use this procedure on XT1922-5 (Brazilian varianty) however, how I imaginated, it did not work. After the Step 18 my phone stay freez on Motorola boot screen (freezed in M). After that I did a full restore to stock and now phone is ok.
Some one her that have this same Moto g 6 Play variant (XT1922-5) could help me to create a recovery + root process too?
Best regards, GESATEC
Stock Firmware file?
Does any one have a stock frimware file for the
JETER??
I have a 100% stock JETER
If some one can help me I'll post the frimware file ones I get it
FizzyAps said:
Does any one have a stock frimware file for the
JETER??
I have a 100% stock JETER
If some one can help me I'll post the frimware file ones I get it
Click to expand...
Click to collapse
Hi,I believe that there is another Topic with JETER rom:
https://forum.xda-developers.com/moto-g6/development/firmware-stock-moto-g6-play-aljeter-t3792868
Please, check If your stock file os different before post
GESATEC said:
Hi,I believe that there is another Topic with JETER rom:
https://forum.xda-developers.com/moto-g6/development/firmware-stock-moto-g6-play-aljeter-t3792868
Please, check If your stock file os different before post
Click to expand...
Click to collapse
that's got the unlocked model not sprint/boost
JETER
FizzyAps said:
that's got the unlocked model not sprint/boost
Click to expand...
Click to collapse
Ok, I understood . I would lik JETER rom too.
Can u put files on Google Drive?
GESATEC said:
Hi Guys. I've tried use this procedure on XT1922-5 (Brazilian varianty) however, how I imaginated, it did not work. After the Step 18 my phone stay freez on Motorola boot screen (freezed in M). After that I did a full restore to stock and now phone is ok.
Some one her that have this same Moto g 6 Play variant (XT1922-5) could help me to create a recovery + root process too?
Best regards, GESATEC
Click to expand...
Click to collapse
Hi, can you post your stockboot.img file that you backed up during step 4? I can modify that and then I see if we can make it work for the XT1922-5 as well.
kwiksi1ver said:
Hi, can you post your stockboot.img file that you backed up during step 4? I can modify that and then I see if we can make it work for the XT1922-5 as well.
Click to expand...
Click to collapse
Manu thanks. Let me arrive at my home and I'll post it
ninjakira said:
No it does not sim unlock the phone. Sprint/boost will unlock your sim provided you are with them for a year with the same device
Click to expand...
Click to collapse
If you managed to get the boost version onto sprint, in theory it should be eligible for a sim unlock w/50 days of service.
DO NOT FOLLOW THIS GUIDE IF YOU HAVE ANDROID 12
Visit this thread for more information
________________________________________________________
CAVEAT
I've only tested this on my device running Android 11 (KB2005 / KB05AA), but it should be universally helpful as it's using your own boot.img so there's no need to find a matching package for your variant and os version.
CREDIT
The steps were buried across a few threads, I'm posting this so it'll be easier for others to find the information. All credit goes to xb360, FullOfHell, and TheUnkn0wn.
INFOThe basic rundown is:
Use the semi-broken TWRP package to give yourself temporary su access through adb.
Extract the boot.img your phone is currently using to your pc.
Reboot to OxygenOS, copy over the boot.img you just extracted and then use Magisk to patch it.
Copy the boot.img back to your pc and use adb to temporarily boot your phone with it, giving you root access until reboot.
Use your temporary root access to allow Magisk to patch your internal as-yet unmodified boot.img to give you permanent root.
There seems to be some confusion in the thread, I'll try to clear up what's happening and why:
The primary issue at hand is that you can't root your device without already having root privileges, for security reasons. Without a custom recovery like TWRP, there are a few more steps than usual (but mostly simple stuff).
Because we don't flash anything with this guide, it shouldn't cause any permanent bootloops if you use the wrong boot.img, if you get stuck in one just power cycle your phone.
Updating with OTAs should be the same process as the other guides here.
Because of changes in Android, devices that launched with Android 10 and above will not allow you to modify the system partition, even with root. This is not a fault of this rooting method.
Prerequisites:
ADB and Fastboot installed.
An unlocked bootloader and USB debugging enabled.
Android 11. (Android 12 introduced problems with this method, per other users. See link at top of page)
________________________________________________________
STEPS:
1. Connect your phone to your pc and boot it into fastboot mode. You can leave it connected throughout this guide.
2. On your computer open a terminal/cmd prompt. Set the directory (on your pc) you want to work from, I'm using the desktop:
for Windows, type cd C:\Users\Yourname\Desktopfor Mac, type cd desktop or cd /Users/yourname/Desktop
Spoiler: How to set up adb and fastboot properly
To usb adb and fastboot commands outside of the folder those programs are located in, you'll need to add their location to the PATH list so your terminal can still find them when it's pointing to a different folder. If you want to skip this step, set the directory to the folder that contains adb instead of the desktop.
3. Next, use the terminal to check which A/B partition is active on your phone:
Code:
fastboot getvar all
a. You'll find it on this line: (bootloader) current-slot:a/bb. For simplicity I'll be referring to boot_a.img throughout the guide, make sure to use boot_b.img if that's the one marked as active on your device.
4. Download the semi-broken TWRP package to your desktop. We'll be using it to extract a copy of your active boot_a.img. It will give you temporary su access via adb, but there won't be a gui. Only boot from it, DO NOT FLASH IT:
Code:
fastboot boot recovery.img
adb shell
dd if=/dev/block/by-name/boot_a of=/sdcard/boot_a.img
exit
adb pull /sdcard/boot_a.img boot_a.img
adb reboot
5. Copy the extracted boot_a.img file to a user accessible area of your phone, like your downloads folder.
6. Install the latest Magisk Canary apk on your phone. Open it and:
a. Select the Install option.b. Use Select and Patch a File on boot_a.img
7. Copy the patched magisk_patched_a.img file back to your computer. In terminal, type adb reboot bootloader to get back to fastboot mode.
8. Temporarily boot with the patched image that corresponds to the active partition, DO NOT FLASH IT:
Code:
fastboot boot magisk_patched_a.img
Spoiler: Why we're booting and not flashing.
You could flash this boot.img, but it's safer to temporarily boot from it without overwriting your existing image in case anything went wrong along the way. The effect is that you still get root access without modifying your device, and then you can use the much safer Magisk direct install option, which has some safeguards in place.
9. By booting with the patched image, you now have temporary root access. To make it permanent open Magisk:
a. Select the Install option.b. Use Direct Install (Recommended) to root your internal boot.img
10. Reboot and verify it worked.
Forgot to tag it... if an admin is able to do so I'd appreciate it.
Just applied for a bootloader unlock today. When i get approved ill attempt this guide.
I am currently on T-Mobile 11.0.5.7.KB09CB.
Unlike other methods prvoided here for the 8T I got this method to work. Thank you very much!
clarification update: I own the t-mobile kb2007 model of phone
a couple of notes for any either newBs or old OPO users rejoining the party with a new onplus phone..
Some prework I had to do for my OnePlus 8T KB2005
-ensure you have the correct ADB driver installed, I installed the "15sec adb installer 1.4.2" found here on xda, watch the videos provided.
-ensure to unlock your bootloader first (*this will wipe your device.. didn't think about that..no pain no gain...)
-With device in bootloader/fastboot, run: fastboot flashing unlock
-verify with your phone to accept
-phone will reboot, just through the setup, I just skipped it all and opted for offline setup..
-renable OEM lock and USB debug
-restart back into bootloader/fastboot
-now you are ready to root
Just came here to say that this is the most genius way to go about it and thanks OP for this solution. To add your screen would flicker in TWRP but you just want to type adb reboot bootloader after you are done copying off the boot files from your phone. Thanks OP!
After performing this, I am unable to write to /system even with root?
Unable to get through with es explorer, root explorer pro, or even use a app like Titanium to move a user app to system,unable to get r/w access.
Thanks in advance
lordxcom said:
After performing this, I am unable to write to /system even with root?
Unable to get through with es explorer, root explorer pro, or even use a app like Titanium to move a user app to system,unable to get r/w access.
Thanks in advance
Click to expand...
Click to collapse
I'm having the same issue although its more tied in with removing youtube as a system app for vanced
lordxcom said:
After performing this, I am unable to write to /system even with root?
Unable to get through with es explorer, root explorer pro, or even use a app like Titanium to move a user app to system,unable to get r/w access.
Thanks in advance
Click to expand...
Click to collapse
Actually Is not possible on devices borned with android 10 or above.
giacomowrc said:
Actually Is not possible on devices borned with android 10 or above.
Click to expand...
Click to collapse
To be clear, you're saying this isn't a fault with this root method and is just a security measure since Android 10?
Mpolo87 said:
To be clear, you're saying this isn't a fault with this root method and is just a security measure since Android 10?
Click to expand...
Click to collapse
Yes of course.
Mpolo87 said:
CAVEAT
I've only tested this on my device (KB2005 / KB05AA), but it should be universally helpful as it's using your own boot.img so there's no need to find a matching package for your variant.
CREDIT
The steps were buried across a few threads, I'm posting this so it'll be easier for others to find the information. All credit goes to xb360, FullOfHell, and TheUnkn0wn.
INFOThe basic rundown is:
Use the semi-broken TWRP package to give temporary su access through adb.
Extract boot_a.img and boot_b.img to your computer.
Reboot into OxygenOS and copy boot_a.img and boot_b.img back to your phone.
Use Magisk to patch both images.
Copy the patched images back to your computer.
Use fastboot to temporarily boot using the patched image, giving you temporary root.
Use Magisk to direct install for permanent root.
Prerequisites:
ADB and Fastboot installed.
An unlocked bootloader and USB debugging enabled.
________________________________________________________
STEPS:
1. Get the semi-broken TWRP .img. This won't give you a gui but will give you su access over adb. You DON'T want to flash this, we're just booting with it temporarily.
2. Restart your phone into fastboot mode.
3. On your computer open a terminal/cmd prompt and set the directory where you want to dump the files (ex: cd /your/path/here). Run the following:
Code:
fastboot boot recovery.img
adb shell
dd if=/dev/block/by-name/boot_a of=/sdcard/boot_a.img
dd if=/dev/block/by-name/boot_b of=/sdcard/boot_b.img
exit
adb pull /sdcard/boot_a.img boot_a.img
adb pull /sdcard/boot_b.img boot_b.img
4. Copy the extracted files to a user accessible area of your phone.
5. Install the latest Magisk Canary release to your phone.
a. Select the Install option.b. Use Select and Patch a File on both boot_a.img and boot_b.imgc. You should rename them or make note of the new names given by Magisk. You'll need to use one or the other depending on which partition is active.
6. Copy the patched .img files back to your computer.
7. Restart your phone back into fastboot mode.
8. On your computer, run:
Code:
fastboot getvar all
9. Find which A/B partition is active on this line: (bootloader) current-slot:a/b
10. Temporarily boot with the patched image that corresponds to the active partition, DO NOT FLASH IT:
Code:
fastboot boot patched-boot-a/b.img
11. You now have temporary root access, to make it permanent open Magisk:
a. Select the Install option.b. Use Direct Install (Recommended) to root your internal boot.img
12. Reboot and verify it worked.
Click to expand...
Click to collapse
hey there! I was just about to try this method but confused with this syntax -- don't mind the quotes
"On your computer open a terminal/cmd prompt and set the directory where you want to dump the files (ex: cd /your/path/here)"
I'm painfully confused about this: cd /your/path/here. is this done during fastboot? I know fastboot commands but adb is where my brain doesn't get it. Please elaborate further and thanks.
sameog said:
hey there! I was just about to try this method but confused with this syntax -- don't mind the quotes
"On your computer open a terminal/cmd prompt and set the directory where you want to dump the files (ex: cd /your/path/here)"
I'm painfully confused about this: cd /your/path/here. is this done during fastboot? I know fastboot commands but adb is where my brain doesn't get it. Please elaborate further and thanks.
Click to expand...
Click to collapse
When you open a terminal or command prompt on your computer it is, by default, 'pointing' to a certain folder. Since we're pulling files from the phone to pc it'll dump there, so it's easiest to set the location in advance, for your own convenience. You can just make a folder on your desktop and drag it onto the terminal window to automatically input that path after typing cd, which just means 'change directory'. This isn't a fastboot or adb thing, just a feature of terminals, so you'd do this in advance.
Mpolo87 said:
When you open a terminal or command prompt on your computer it is, by default, 'pointing' to a certain folder. Since we're pulling files from the phone to pc it'll dump there, so it's easiest to set the location in advance, for your own convenience. You can just make a folder on your desktop and drag it onto the terminal window to automatically input that path after typing cd, which just means 'change directory'. This isn't a fastboot or adb thing, just a feature of terminals, so you'd do this in advance.
Click to expand...
Click to collapse
Attached are 2 photos -- the 1st photo is the "before" I dragged my intended folder into command prompt. the 2nd photo is the "after" I dragged my intended folder into command prompt. Still hella confused.
Please note: I love this guide. It's cohesive and well-written. I just need pictures to "see" on what and where to do. I'm visual.
UPDATE: I followed the tuturial to the best of my ability and I got nothing. I'm giving up and taking a step back.
PS C:\Program Files (x86)\platform-tools_r30.0.5-windows> ./fastboot boot recovery.img
Sending 'boot.img' (64964 KB) OKAY [ 1.660s]
Booting OKAY [ 0.084s]
Finished. Total time: 1.939s
PS C:\Program Files (x86)\platform-tools_r30.0.5-windows> ./adb shell
* daemon not running; starting now at tcp:5037
* daemon started successfully
OnePlus8T:/ # dd if=/dev/block/by-name/boot_a of=/sdcard/boot_a.img
196608+0 records in
196608+0 records out
100663296 bytes (96 M) copied, 0.194981 s, 492 M/s
OnePlus8T:/ # dd if=/dev/block/by-name/boot_b of=/sdcard/boot_b.img
196608+0 records in
196608+0 records out
100663296 bytes (96 M) copied, 0.185497 s, 518 M/s
OnePlus8T:/ # exit
PS C:\Program Files (x86)\platform-tools_r30.0.5-windows> ./adb pull /sdcard/boot_a.img boot_a.img
/sdcard/boot_a.img: 1 file pulled, 0 skipped. 27.7 MB/s (100663296 bytes in 3.470s)
PS C:\Program Files (x86)\platform-tools_r30.0.5-windows> ./adb pull /sdcard/boot_b.img boot_b.img
/sdcard/boot_b.img: 1 file pulled, 0 skipped. 32.0 MB/s (100663296 bytes in 2.997s)
PS C:\Program Files (x86)\platform-tools_r30.0.5-windows> ./adb reboot
PS C:\Program Files (x86)\platform-tools_r30.0.5-windows>
sameog said:
Attached are 2 photos -- the 1st photo is the "before" I dragged my intended folder into command prompt. the 2nd photo is the "after" I dragged my intended folder into command prompt. Still hella confused.
Click to expand...
Click to collapse
You're missing the command "cd" before the path to change the directory to the new one. It should be cd C:\Users\Mr. Lew\Desktop\oneplus 8t boot image then press enter. Now you can reference any file in that folder by just the name without its entire path as a prefix being required.
A difficult method
zengin said:
Diğer yöntemden hiç de kolay değil.
Click to expand...
Click to collapse
huh?
Honestly, if there's a kind of soul out there who can share their unpatched kb2007 boot image (tmobile version), I would greatly appreciate it. I'm been banging my head on the wall with this for about 2 months with no help. I've received TONS of half-baked one liner answers but no "full-scale" tutorial. I'm giving up on this.
NOTE: I'm just frustrated guys. Not bashing the OP. It shouldn't be this hard but it became this way.
sameog said:
Honestly, if there's a kind of soul out there who can share their unpatched kb2007 boot image (tmobile version), I would greatly appreciate it. I'm been banging my head on the wall with this for about 2 months with no help. I've received TONS of half-baked one liner answers but no "full-scale" tutorial. I'm giving up on this.
NOTE: I'm just frustrated guys. Not bashing the OP. It shouldn't be this hard but it became this way.
Click to expand...
Click to collapse
While this is a temporary solution, it is also a bad solution because you can land with not being able to boot your phone every time an incremental update comes along.