Related
I have mine rooted, there is something very interesting about the way Samsung did this. This phone has like 20 different partitionssee below, however I think I know how the phone is able to restore root and the recovery after boot. These 20 partitions include copies of each other. For example if you do su on terminal emulator and then you type "cat /proc/partitions" it will list all the partitions. Notice how some partitions have different labels but are the same size. These are the respective back ups(i think). The only partition that I know is "stl9" or "st9" is the system.
I tried flash_image recovery and said it wasn't a recognized partition as the BH2 also does not have mtd. cat /proc/mtd produces nothing. Hope this helps.
Oh 1 last thing it seems I may have found an exploit with the device management.apk. It has the option to run a bootloader/bootstrap test, could this be exploited to install customer recovery? Its just a thought...
Can someone with root, compile busybox for install on the Behold 2. I am sorry I only have Windows 7.
Terminal Output:
See the areas highlighted in BOLD. The G1 has half the number of partitions and mtd has output.
$ export PATH=/data/local/bin:$PATH
$ su
# cat proc/partitions
major minor #blocks name
137 0 513024 bml0/c
137 1 2048 bml1
137 2 512 bml2
137 3 512 bml3
137 4 1024 bml4
137 5 23040 bml5
137 6 6144 bml6
137 7 23040 bml7
137 8 6144 bml8
137 9 226304 bml9
137 10 8192 bml10
137 11 512 bml11
137 12 40960 bml12
137 13 1024 bml13
137 14 173568 bml14
138 9 210432 stl9
138 12 25088 stl12
138 14 157696 stl14
179 0 1982464 mmcblk0
179 1 1982338 mmcblk0p1
#
Click to expand...
Click to collapse
Samsung is doing their best to screw us here aren't they?
I have an ubuntu partition, but it will be a bit before I can compile. I'm writing up guides to overhaul the current UI.
having trouble with adb in ubuntu. I'll retry tomorrow, but this could take a while. Probably best for someone else to take this one on.
What's the output for 'mount'?
I posted this on alldroid.org today ,,, samsung seem to have used some of its bada OS and or UI in the behold 2 ,.,,.,. I was wondering if someone could download their SDK and see what they can find out ,.,,., maybe it could help us with ROOT .,.,....,.,
SDK link http://developer.bada.com/apis/docs/commonpage.do?menu=MC01040000&mtb1=&mtb2=
''Re: Important Behold 2 Discovery / 1st step to Custom Roms
They are similar but for that method you need 'new PcStudio', which does not recognize the behold 2,.,..,.,.,
BTW the galaxy (( samsung i7500 )) is almost the same as the behold 2 ,,,, same hardware but the behold 2 has a lot more memory ,.,,..
http://androidforums.com/samsung-i7500/ ... rom-s.html
one interesting thing i did find this weekend while doing some research was that (I think ) samsung has implemented some of its BADA Os on the behold 2 look at the video and let me know what you think
http://www.gsmarena.com/samsung_finally ... s-1311.php ''''
PS:;: (thanks to yatimameiji) this was just found and hopefully it can help you look in the right place '''''To get the recovery menu ,.,,.,. when you do vol. down+call button+power and the triangle comes up .,. then do home + power ., recovery menu,''''''' I got it up but cant select anything and there's the e:can;t open cache and some others
Finally some posts back. I thought no one was going to respond and I was going to delete this thread. So this is great news that we can now enter recovery mode. Also I know whats plauging the device with the battery issue. It seems the phone is reading the battery as 1440 mah and the battery is tagged 1500mah. This can be confirmed by using BetterCut and adding the shortcut Battery read.
dan0zone said:
I posted this on alldroid.org today ,,, samsung seem to have used some of its bada OS and or UI in the behold 2 ,.,,.,. I was wondering if someone could download their SDK and see what they can find out ,.,,., maybe it could help us with ROOT .,.,....,.,
SDK link http://developer.bada.com/apis/docs/commonpage.do?menu=MC01040000&mtb1=&mtb2=
Click to expand...
Click to collapse
It seems so close to the Android Developer Site. Did AOSP give some code to Samsung as a base?
I believe so ,I remember reading that it was going to be like the OPhone project , but samsung wants to use this like they use touchwiz on all their touch screen phones ,.,..,.,
ok so i was playing around with my samsung behold2 today, all i found was recovery mode (voldown+call+power) and fastboot (dpadleft+power). im currently installing the android sdk as we speak, after that will play around with this a bit more.
We had a good look at this over at androidforums (behold and galaxy sub forums).
It seems they are using some secure bootloader, and those other partitions (which almost corespond in size) seem to be the original partition in a security container.
I had assumed that on boot if the main partition is modified it would simply reflash it. However we have now been able to 'persistant root' the phone. (check in the behold section on androidforums). We hijack the playlogo file, and insert the shell commands to execute the exploit executable on every boot. This happens after init.rc so making custom roms is going to be a bit of a headache.
Whats strange tho is why it doesnt recognise the system partition was changed when we mod playlogo. Perhaps it just wipes the bin and xbin directories and reextracts them. That would make life alot easier.
I was going to sell my galaxy and switch to a behold, but I couldnt find one cheap enough. So i've stopped looking at all this now.
Hope that helps anyway.
well we have made some head way ..,,.,., we can now flash between builds for the behold2 via ODIN_flasher . For now we have two builds an older build and the one shipped with the phone .,.,.,. so what i think we need is a way to edit the .tar files within the flasher but keep the partition structure that samsung has in_place .,,,. What i have notice is that if you connect to ddms , and go to the system info tab or allocation tracker , you will see that samsung has renamed every thing as a kernel, even the browser .,.,., if we get our hands on sammy's build environment maybe we can make sense of their madness,.,.,..
Odin isnt actually anything new. We've been using it with the galaxy for a while now.
The phones' bootloader contains a download mode, which also forwards to the AMSS's OEMBL in download mode. Odin simply forwards the files to this bootloader without doing anything clever. This is why you can take ANY update from NPS and apply it using odin as is.
We have tried flashing galaxy partitions onto the behold, but as i said in an earlier post there is a secure bootloader and it simply rejects the images.
I havnt downloaded this H6 leaked behold image, but it probably just contains yafs images, probably in a security container. You could unyaffs them, modify and yaffs them up again. Just modifying them is trivial. I'm pretty sure that the bootloader will just reject any modified images tho. Sorry but I don't think this is going to get you anywhere.
On a security unlocked phone like the galaxy we just edit the system or recovery images and flash them back using Odin. Similarly fastboot can also do it. On the behold however i'm pretty sure it wont accept anything that isnt signed.
The only interesting thing to try would be to try to flash the galaxy bootloader onto the behold using odin. We have both the arm9 and arm11 bootloaders if you'd like to try. This is VERY VERY VERY risky and in all likelyhood will brick your phone. But if it works you should be able to manage partitions simply like with the galaxy.
The very first thing you guys should look at is to compare the system image of the galaxy and the behold. Check if there is a security container around the behold one or not. If there is, attempt to exploit it (change length fields, change offsets, create oversized image - the usual stuff).
I think there are only 2 routes to acheive what you want:
- quick route
Use a userland exploit, like the current root. Then use the persisitant root idea to run a script which modified your filesystem on boot - possibly extracting a custom rom from the sdcard onto the system partition.
- Slow route
Try to find a flaw in the secure bootloader, or some other exploit to allow you to flash a modified bootloader.
You're idea of just editing the firmware files directly is really unlikely to work.
Thanks for your input Kam ..well it just a thought , I knew the signing would of been the issue ( same as with the G1 roms and themes ) .,.,., I know someone will figure it out .,.,.. I would love to help with getting this going , but I work 14 hour days ,., I should get a second behold2 soon so I can use one for testing ,,, well till i brick it .........
I'm gonna browse some of the galaxy forums to see how they doing it ,., I """think""" the galaxy is closer to stock android than the behold2 is .,.
BTW , H6 image you talking about , is that one posted by sammydroid ? because he also has a J6 image , H6 is older .
Yeah thats the one. I have a galaxy, and not a behold so my interest in this is kinda limited. I only really got into it because i was going to switch to the behold.
Personally I think you guys are better off just using the persistant root to modify the OS after boot for now.
Samsung Source Code
Does this help at all?
http://opensource.samsungmobile.com/download/OpenSource/SGH-T939_OpenSource.zip
Appears to be the build source for the existing rom. Don't have access to a *nix box to dig into it right now...
Here's the tutorial to install busybox for behold 2.
http://www.myhangoutonline.com/2010/01/08/install-busybox-on-behold-ii/
kam187 said:
Odin isnt actually anything new. We've been using it with the galaxy for a while now.
The phones' bootloader contains a download mode, which also forwards to the AMSS's OEMBL in download mode. Odin simply forwards the files to this bootloader without doing anything clever. This is why you can take ANY update from NPS and apply it using odin as is.
We have tried flashing galaxy partitions onto the behold, but as i said in an earlier post there is a secure bootloader and it simply rejects the images.
I havnt downloaded this H6 leaked behold image, but it probably just contains yafs images, probably in a security container. You could unyaffs them, modify and yaffs them up again. Just modifying them is trivial. I'm pretty sure that the bootloader will just reject any modified images tho. Sorry but I don't think this is going to get you anywhere.
On a security unlocked phone like the galaxy we just edit the system or recovery images and flash them back using Odin. Similarly fastboot can also do it. On the behold however i'm pretty sure it wont accept anything that isnt signed.
The only interesting thing to try would be to try to flash the galaxy bootloader onto the behold using odin. We have both the arm9 and arm11 bootloaders if you'd like to try. This is VERY VERY VERY risky and in all likelyhood will brick your phone. But if it works you should be able to manage partitions simply like with the galaxy.
The very first thing you guys should look at is to compare the system image of the galaxy and the behold. Check if there is a security container around the behold one or not. If there is, attempt to exploit it (change length fields, change offsets, create oversized image - the usual stuff).
I think there are only 2 routes to acheive what you want:
- quick route
Use a userland exploit, like the current root. Then use the persisitant root idea to run a script which modified your filesystem on boot - possibly extracting a custom rom from the sdcard onto the system partition.
- Slow route
Try to find a flaw in the secure bootloader, or some other exploit to allow you to flash a modified bootloader.
You're idea of just editing the firmware files directly is really unlikely to work.
Click to expand...
Click to collapse
Have a second unit on hand now (for about a week) so bricking isn't a concern and can/will try these options... but need guidance. can jump on irc for assistance... anyone interested? The above seems totally possible.... but out of my league without help.
Thanks to MobileBand we had some succees Managed to get the galaxy system onto the behold. Force close problem at the moment but stay tuned.
PS. its fastttttttttttttttttttt
Let me publicly state that kam187 ROCKS! Kudos on the work last night!
Behold owners; start getting hyped... this is the break we've been looking for!
love the work
love you guys work man i have 140mb free on my behold 2 thats with out task manager its blazin fast but always wanted to do something differnent with it can you pleaseeeeeeeeeeee lol ( : ) : post a rom and turt
I am wondering if there's a working temp root (or even perm root without bricking Android 6.0 OS) for this Verizon exclusive ASUS Zenpad z10, as I am now looking for a way to unlock the bootloader as most of unlock commands are intact in the bootloader itself - only "Allow OEM unlock" tab is missing, so I will have to extract the bootloader partition and system configuration partitions - the problem is root.
That way I can get started on putting TWRP after unlocking the bootloader.
Already tried temp root the manual way; running su in /data/local/tmp after giving it the correct permission. All I got was "1" in shell, basically along the line, "f*** you, I am not letting you run as root." Why temp root? I have to do it so I don't accidentally brick the tablet - all I want to do right now is to extract the vital partitions and examine every single of them to see if I can indeed get "Allow OEM Unlock" or some bootloader unlock approval commands so I can get ASUS ZenPad z10 unlocked. And there's absolutely NO ASUS update RAW file extractor tool to date.
Apparently it looks like ASUS and several other OEMs don't bother going the extra miles getting the bootloader locked down as tightly as Evil Moto, or worse, Samsung. They just simply remove "Allow OEM Unlock" tab and call it a day. (Beware, though, Qualcomm second stage bootloader varies so much among OEMs which is why I have to take a peek into the partition image and see what I can find.)
Although I'm of no help to you, I will be following this. I just picked up one of these today. There's simply not a lot of information out there.
Sent from my SM-N920V using XDA-Developers mobile app
Apparently, due to the way Android Marshmallow security system works, all I can do is wait (and probably trawl the forums, although I doubt it will happen unless I pull the kernel from the eMMC SSD which is technically a catch-22 situation, as I have to root before I can touch the kernel or even "Allow OEM Unlock" configuration file in some partition - a bit like chicken and egg paradox).
UNLESS there is a temporary root that works by abusing the Dirty Cow exploits, and allows me to pull the eMMC SSD partitions so I can look through the files contained within the pulled partitions.
Discovered that this tablet do have root detection system - it basically tattle to Verizon. Those bastards. Nevertheless, I would need to find a way to allow OEM unlocking (which I had gut feeling that it's there somewhere) without it getting all antsy.
The more I dig into it, the more I just want the bootloader itself to be unlocked. It never cease to amaze me how far Verizon will do anything to be so nosy.
Slightly off topic, but since you seem to be the only other person here who has this tablet... Have you attempted to figure out a simultaneous charge and data option? I've tried several different cables and adapters so far without much luck.
Sent from my SM-N920V using XDA-Developers mobile app
Good question, however I don't really have a computer with USB-C port, if you meant that (been considering doing a new computer build at some point which then I get better idea how this tablet function on USB-C doing general stuff via USB - it may be by the time this tablet is running CM 14.x, once we figure out how to unlock the bootloader, so it may be hard to say how it will function with stock ROM). On the other hand, regular USB is usually limited to 500 milliamps (1/4 that of bundled charger), so may not charge because of the current requirements that may have to be met within the power management firmware (meaning about 1 Amp - which many DIY PC motherboards now meet the minimum specifications).
However, the screen backlight consume the most juice so you may try turning off the screen after you have mounted the MTP drive (due to MTP security in Android - it will stay mounted after you plug it into computer and turn off the screen however), which then you may be able to charge it. It will take a while as there's a huge battery inside (7.8 Amp hour rating). You would have better luck with a computer that conforms to USB Power Delivery specifications (USB 3.x already support that - USB 3.x ports are usually blue, BTW, so it's kind of hard to miss).
Finally extracted the files from ASUS' Verizon ROM image - ZArchiver Pro apparently can read ASUS' RAW image file, much to my delight. Now, I will have to figure out how to treat the Qualcomm second-stage bootloader (aboot.img) and few other partition images as a disk drive so I can figure out how to enable OEM unlock so I can get this thing unlocked (and I will disassemble the Linux kernel - boot.img - and recovery toolkit - recovery.img - so I can get ball rolling).
Tried to unpack the boot.img and recovery.img - the boot unpacker failed with "Android boot magic not found". Oh well, I will try to keep at it.
Alright, I think it's because the kernel is compiled in ARM64 assembly codes (thus not really standard as far as most Linux kernel boot.img unpackers are concerned), so now I will try one that can and will touch 64-bit kernel image. Then keep on probing the entire recovery and boot images for potential clues to the OEM unlock configuration (and as well as system.img - one problem is, Linux refuse to touch the system.img even though it is evidently the EXT4 FS SSD image).
Anyone who know of decent multi-faceted disk image extractor (the ones that can touch the non-standard disk image, including boot.img and recovery.img which doesn't have the standard "ANDROID!" magic), let me know. I have been googling anywhere, and it's difficult to pull the vital files which I can look for important files. System image, however, may have to be analyzed for type of fuse file system (if it's not sparse file system, then it's definitely an odd SSD image).
Another ZenPad owner checking in. I had to go to asus's site to say this thing even is. The model number P00l is absolutely worthless.
Anyways I've ordered a laptop with native USB 3.0 so will poke around where I don't belong soon.
I absolutely hate this UI, who is to blame? Asus? Verizon?
Verizon. They usually make the call in firmware development (Can you say who locked the bootloader?) and yeah, they're famous for horrible stock firmware. Hence, I am figuring out how to unlock the bootloader just so we can get rid of garbage on the tablet. ZenUI is on ASUS though.
Nice hardware, bad software. That's kind of a shame. It will hurt even less when we get CyanogenMod 14.x operating system on it.
EDITED: the model number is zt500kl, not superfluous "P00l" - I had to figure it out, and GSM Arena had the model number (and bootloader apparently confirmed that).
Did a bit researching in how the "Enable OEM Unlock" tab in other devices' Developer Option works; the toggle goes into persistent data block (hitting home in PersistentDataBlockService.java file), thus going into factory device configuration file in the syscfg partition (mmcblk0p28) - however, I will need to successfully extract the system.img in the ASUS Verizon OTA, or if we can successfully root this thing, I can go ahead and pull some apps and files and see how Allow OEM Unlock can be accomplished.
Correction: it's actually config (mmcblk0p13) as the build.prop said ro.frp.pst points to /dev/block/bootdevice/by-name/config - this is where it will get tricky; the config.img file is actually blank - it's on the physical soft efuse partition on the eMMC SSD itself, which there will be some legit data. Which is essentially untouchable until we get shell root of some kind to extract it. After I get to it, all I have to do is to find out the magic value to "blow" the last value sector in soft efuse partition to allow OEM unlock (note - soft efuse is just that, you can relock the bootloader when you write blank partition image to reset the efuse values contained herein, so beware the official OTA update image package).
Asus ZenPad ZT500KL
I just purchased this tablet yesterday. If you need me to test anything feel free to pm me.....
Thanks for working on this, if I can be of any help. do not hesitate to ask.
Dr. Mario said:
Did a bit researching in how the "Enable OEM Unlock" tab in other devices' Developer Option works; the toggle goes into persistent data block (hitting home in PersistentDataBlockService.java file), thus going into factory device configuration file in the syscfg partition (mmcblk0p28) - however, I will need to successfully extract the system.img in the ASUS Verizon OTA, or if we can successfully root this thing, I can go ahead and pull some apps and files and see how Allow OEM Unlock can be accomplished.
Correction: it's actually config (mmcblk0p13) as the build.prop said ro.frp.pst points to /dev/block/bootdevice/by-name/config - this is where it will get tricky; the config.img file is actually blank - it's on the physical soft efuse partition on the eMMC SSD itself, which there will be some legit data. Which is essentially untouchable until we get shell root of some kind to extract it. After I get to it, all I have to do is to find out the magic value to "blow" the last value sector in soft efuse partition to allow OEM unlock (note - soft efuse is just that, you can relock the bootloader when you write blank partition image to reset the efuse values contained herein, so beware the official OTA update image package).
Click to expand...
Click to collapse
Due to a potential brick risk due to entering the wrong magic value, I'd rather that we have temporary root or shell root first so we can pull the soft efuse partition and some setting files from ASUS settings.apk / systemui.apk to figure out the FRP values just so we don't accidentally lock ourselves out or worse.
Once we find out what it is, we can go ahead and test that (kind of wish I have extra money to get a sacrificial tablet to take a jab at the bootloader, as Verizon love to make it risky).
Oh, and BTW, this tablet also have several hardware disabled by Verizon, like the fingerprint scanner (home button). All the reasons to get CyanogenMod, crDroid and any of the favorite CyanogenMod derivatives on it.
Dr. Mario said:
Oh, and BTW, this tablet also have several hardware disabled by Verizon, like the fingerprint scanner (home button). All the reasons to get CyanogenMod, crDroid and any of the favorite CyanogenMod derivatives on it.
Click to expand...
Click to collapse
I'm within my 14 day return period ...., send me a pm
Sent from my iPhone using Tapatalk
Give me a bit time and I will figure out what to poke in config partition and we can go from thereon. Some one-click root (like KingRoot) are questionable so it's hard to know as of yet, due to secure boot which will prevent the tablet from booting all the way to password request lockscreen if it notice something (and there's a root detection app inside /system/priv-app directory - even though Verizon doesn't care about me, whether I hacked it or not, given my history of hacking several Qualcomm-based smartphones, especially RAZR M, even though it may probably be because I paid all my bills on time).
Dr. Mario said:
Give me a bit time and I will figure out what to poke in config partition and we can go from thereon. Some one-click root (like KingRoot) are questionable so it's hard to know as of yet, due to secure boot which will prevent the tablet from booting all the way to password request lockscreen if it notice something (and there's a root detection app inside /system/priv-app directory - even though Verizon doesn't care about me, whether I hacked it or not, given my history of hacking several Qualcomm-based smartphones, especially RAZR M, even though it may probably be because I paid all my bills on time).
Click to expand...
Click to collapse
Sounds good. Didn't even know the tablet had a fingerprint reader ( home button)
Sent from my iPhone using Tapatalk
Hello, I have an m050 head unit and a USB flash stick as well as sdcard for music storage. The problem is that when the unit starts from a cold boot it starts up the built in music app and attempts to play where it left off but it starts quicker than the storage mounts so it doesn't initially find anything and defaults into shuffle mode. Then a few seconds later the storage auto mounts and starts playing random playlists. Is there a way to make the storage mount prior to the interface launcher running? The head unit is rooted.
^^ Bump. Nobody else has this issue where media mounts too late for apps that restore themselves on cold boots? I've tried searching quite a bit but have gotten nowhere useful.
Still nobody on this? Or anybody have a hint on what I should be searching for? Or maybe I should be posting in a different forum? I'm having no luck. Basically I'm looking for a way to cause the USB and sdcard's media to mount as early as possible even if that means it's recognized as permanent media instead of auto mounting as removable just so it mounts and is available before the launcher starts when all the other apps that want to access it and the media scanner want to scan it so they don't error for not having the media available.
onedumslack said:
Still nobody on this? Or anybody have a hint on what I should be searching for? Or maybe I should be posting in a different forum? I'm having no luck. Basically I'm looking for a way to cause the USB and sdcard's media to mount as early as possible even if that means it's recognized as permanent media instead of auto mounting as removable just so it mounts and is available before the launcher starts when all the other apps that want to access it and the media scanner want to scan it so they don't error for not having the media available.
Click to expand...
Click to collapse
This is very hard to do. It is in the init.rc file in your ramdisk image in your boot image. If you create a new boot.img with inside the modified ramdisk.img image you can tweak this. However, on every new ROM you need to rework that image again. And you need to be able read/write in the android init language, which is used in this init.rc file.
And by the way: there are more of these init.*.rc files in the ramdisk giving you the ability to tweak your system (or brick it).
Edit: If you find entries to Cyanogenmod giving you other options: That is correct as Cyanogenmod uses a more Linux-like approach giving you way more options to tweak your system. This doesn't work on non-Cyanogenmod ROMs.
surfer63 said:
This is very hard to do. It is in the init.rc file in your ramdisk image in your boot image. If you create a new boot.img with inside the modified ramdisk.img image you can tweak this. However, on every new ROM you need to rework that image again. And you need to be able read/write in the android init language, which is used in this init.rc file.
And by the way: there are more of these init.*.rc files in the ramdisk giving you the ability to tweak your system (or brick it).
Edit: If you find entries to Cyanogenmod giving you other options: That is correct as Cyanogenmod uses a more Linux-like approach giving you way more options to tweak your system. This doesn't work on non-Cyanogenmod ROMs.
Click to expand...
Click to collapse
Thank you, I think I'm getting headed in the right direction. I started reading "Android Internals A Confectioner's Cookbook" and I'll be working with an already prerooted ROM. However, it is not a cyanogenmod ROM. Are you saying getting the sdcard and/or USB drive to mount from the ramdisk via the init.rc file is only possible on a cyanogenmod ROM? Or did you mean something else? For this use case I don't think I'll mind the work to rebuild the ramdisk and boot image if it's possible since I won't be getting updates often since it's on a head unit and if I can get the media player to stop going into random shuffle every time it boots up I will be so happy cause it's driving me crazy that it can't resume.
onedumslack said:
Thank you, I think I'm getting headed in the right direction. I started reading "Android Internals A Confectioner's Cookbook" and I'll be working with an already prerooted ROM. However, it is not a cyanogenmod ROM. Are you saying getting the sdcard and/or USB drive to mount from the ramdisk via the init.rc file is only possible on a cyanogenmod ROM? Or did you mean something else? For this use case I don't think I'll mind the work to rebuild the ramdisk and boot image if it's possible since I won't be getting updates often since it's on a head unit and if I can get the media player to stop going into random shuffle every time it boots up I will be so happy cause it's driving me crazy that it can't resume.
Click to expand...
Click to collapse
No that is not what I meant. I meant to say that you might have found easy solutions, but those were most possibly for Cyanogenmod. Within Cyanogenmod you have more easy options.
It is relatively easy to modify the ramdisk.img and boot.img (I did it many times when I still built ROMs for other tablets). However, there is always the chance to (soft-)brick your device. Fortunately these intel devices can only be soft-bricked and it is only necessary to flash your device again with a "standard" rom.
Note that all tools are Linux tools. Maybe some are available for Windows as well.
If you want to continue with this you should download the pack/unpack tools for boot images (but you can find these on many places).
And something I did not yet do on these Joying devices, so search for yourself:
- Replace the original boot.img with your modified boot.img in your unzipped Joying ROM and flash your unit (I think this is the simplest one).
(- Or write the boot.img directly to your unit using rkflashtools (and this requires knowledge of the partitions on your system, but I do not even know whether these Rockchip flashtools als work on the Inte/Rockchip sofia units))
surfer63 said:
No that is not what I meant. I meant to say that you might have found easy solutions, but those were most possibly for Cyanogenmod. Within Cyanogenmod you have more easy options.
It is relatively easy to modify the ramdisk.img and boot.img (I did it many times when I still built ROMs for other tablets). However, there is always the chance to (soft-)brick your device. Fortunately these intel devices can only be soft-bricked and it is only necessary to flash your device again with a "standard" rom.
Note that all tools are Linux tools. Maybe some are available for Windows as well.
If you want to continue with this you should download the pack/unpack tools for boot images (but you can find these on many places).
And something I did not yet do on these Joying devices, so search for yourself:
- Replace the original boot.img with your modified boot.img in your unzipped Joying ROM and flash your unit (I think this is the simplest one).
(- Or write the boot.img directly to your unit using rkflashtools (and this requires knowledge of the partitions on your system, but I do not even know whether these Rockchip flashtools als work on the Inte/Rockchip sofia units))
Click to expand...
Click to collapse
Thanks a bunch, I appreciate that. I'm gonna see if I can get traction today on replacing the boot.img route. I should be fine with the utilities, I'm on osx and can create a Linux VM as well as having a Windows too. Any recommendations on mount point paths for the the sdcard and USB stick? Currently the auto mounter puts them in /mnt/external_sd1 and /mnt/external_usb1. So I was wondering if I should put them in the same location or put them in /system or my guess is I should put them on new paths in /mnt as I believe I saw the init.rc creates /mnt on the root filesystem on every boot.
Post deleted. My answer was for a joying intel head unit. The head unit in this topic is not an joying intel head unit.
surfer63 said:
One thing I forgot which makes your task almost impossible if you want a "straight" ROM update.
the boot.img is inside the 5009_20.zip. As such you can easily replace that boot.img but the 5009_20.zip is a signed zip. You never get the original signing back which means that you won't be able to create your own "custom" rom as the ROM upgrade/update process will not accept it.
In other words: you need to do some direct replacing of the boot.img.
something like
Code:
adb connect <unit ap-address>
adb root
adb shell cp boot.img /sdcard/
adb shell dd if=/sdcard/boot.img of=/dev/block/mmcblk0p9
adb shell reboot
Note: I did NOT test this this!! Always check beforehand which block device you need to replace!
Click to expand...
Click to collapse
I'm not sure this applies to mine? I've since found that I need to use the imgrepackerrk tool for unpacking and repacking for my specific ROM for RK chips. So far I've successfully unpacked everything so I can test out editing but I have not been successful yet due to the utility having a bug that affects just my ROM on repacking. The bug has been fixed in his windows version of the utility but not on the Linux so I need to set up my windows VM to repack in windows which I haven't done yet. I'll be trying it out this weekend.
onedumslack said:
I'm not sure this applies to mine? I've since found that I need to use the imgrepackerrk tool for unpacking and repacking for my specific ROM for RK chips. So far I've successfully unpacked everything so I can test out editing but I have not been successful yet due to the utility having a bug that affects just my ROM on repacking. The bug has been fixed in his windows version of the utility but not on the Linux so I need to set up my windows VM to repack in windows which I haven't done yet. I'll be trying it out this weekend.
Click to expand...
Click to collapse
Sorry. my mistake. I have an intel joying and I'm constantly in intel joying threads. Above does indeed not apply to you. I will remove it.
Hello team,
I have the same problem with my Joying unit, and I don't find solution. I have a lot of MP3 in a usb key, but always the same issue when I start my car : music player starts but playlist is lost, mp3 not available. I need to wait a lot of seconds/minutes to load all MP3.
For info, I used original media player, but also Pi & Pulsar ... same issue
I tested with usb key, smal, medium, large, hard drive SSD ... but nothing
Did you find a solution to start music correctly when unit starts ?
Thanks.
THESE COOKED ROMS ASSUME YOU HAVE ALREADY AN UNLOCKED BOOTLOADER AND TWRP AS RECOVERY SYSTEM. You can flash them using TWRP, after wiping ART, cache, data, boot and system partitions.
FINAL RELEASE: Well... this is the final release from me and it is specifically for the WiFi model. I hope it is worth it for you. It is more stable and somewhat updated, anyway, if you use a X90F (wifi model) you will probably like it. The other versions are still up for whatever reason. Here's the link. Follow this guide by @Quardah if you are coming from a factory ROM. Go to post 46 if you can't get past the setup wizard. A barely tested (by @Nuihc88) version for the 3G (X90L) model can be found here.
NOTICE: If you find this work useful, mirror it. I won't be hosting it for free forever and it is becoming a burden to my Nextcloud installation. One would say this is a pretty much forgotten thread, but I'm seeing almost daily download activity. I'm putting the ROM files offline now and getting away from XDA for a while. Please don't DM me for the files. If you are looking for them, ask others in this thread. Good bye.
||||||||||||||||||| FROM HERE IS JUST INFORMATION YOU PROBABLY DON'T NEED |||||||||||||||||||
Spoiler: NEWS THAT ARE NOT ANYMORE.
APRIL 9, 2021: You can find in these links a new version of the cooked ROM.
The link for the updated cooked ROM is: https://centsoarer.ddns.net/s/Y8o3eoBK4Ryx5RP. This is a version with GAPPS updated: https://centsoarer.ddns.net/s/FPKjgQcmW3CHZCw. Feel free to mirror, unless you are afraid of Lenovo's lawyers, but don't forget to share the link.
My personal version... even more debloated (if you don't need chinese, japanese, korean, or russian input support/apps) and with CPU tweaks for my own usage: https://centsoarer.ddns.net/s/jcCDAgNedryGRjo
KNOWN ISSUES AND SOLUTIONS:
1) One random reboot after the first boot will happen and it is normal.
2) I'd reccommend to stay with Magisk 21.4 for a while, Magisk Manager >21.4 won't manage your extensions.
3) If you can't get past the initial Setup Wizard check post 46. Basically you have to boot into bootloader, erase the config partition and format it again.
4) Needs confirmation, but versions with signature spoofing patches seem to break Lenovo's SmartSide Bar.
JUNE 12: Fast update on the Cooked ROM and TWRP and KERNEL. They are not as universal as I implied before. Proceed carefully since they may not work four your device/firmware. Make a Nandroid backup and only flash with testing purposes.
JUNE 5: So, I know this is not what everybody who owns this tablet wants to have (that is Android 9 or 10 of course) but, in recent weeks Lenovo updated the firmware of this tablets. It still is a Marshmallow one and it still sucks big time but I took it as a base and cooked it to deliver a newer TWRP recovery with compression, a flashable modified kernel and a cooked flashable stock ROM to free the owners of this tablets from the treacherous path of making this hardware to work properly. If you want a better overall experience and are in stock firmware you just need to Unlock your bootloader, flash TWRP, Format data partition (not only wipe), Wipe Cache, Dalvik/ART, System and DATA and flash the Cooked ROM to put this tablet in a sweeter spot. For details go to post #2!
JUNE 3: Been trying to get to know some of the source code available for Cherry Trail devices and I am fairly lost at building TWRP from source. Anyway, I ported a newer TWRP recovery IMG file for the YT3-X90F (maybe L, X, Y and Z) from the TWRP image for the Chuwi Hi10 Pro tablet from here, using AIK-Linux. The result is in the second post labeled as beta, since I only tested in the YT3-X90F model, running lollipop firmware. So far, it works fine flashing ZIP archives, backing up and restoring backups. Advantages? Well, backups are way lighter if you enable compression (like half the size), higher resolution, twrp turns off the screen with a timeout and whatever made them bump from version 2 to 3. While I could port a newer TWRP version, I just wanted to have lighter backups with compression... so maybe it is what it is .
ORIGINAL POST STARTS HERE. This is general information that I collected for geeks or desperate users that bricked their tablets. When I started this post it wasn't intended to produce a cooked ROM that would include most of these hacks. You don't need this if your tablet boots to Android or TWRP. You also don't need this if you are ready to flash the cooked ROM.
(This is a lenghty post. I suggest you to navigate by section header and find the one you might need.)
There are several Lenovo Yoga 3 tablet models out there and, while some of them enjoy of prime community support as the Yoga Tab 3 Plus, this Intel Atom powered tablet is pretty much forgotten and, at the same time, users were recently buying this tablet, which is a great piece of hardware but has the most terrible support by Lenovo.
Spoiler: WHAT LENOVO TABLET(S) IS THIS GUIDE FOR?
Basically, this is that Lenovo tablet with an attached projector and an Intel Atom Cherry Trail x5 Z8500. There are several models, though, to my knowledge they vary in their code names in the last letter, the two most basic ones (2GB RAM, 32 GB ROM) are the YT3-X90F and the YT3-X90L, the former connects to the internet by WiFi and the latter being the one with LTE/Phone capabilities. There are other models, though, and they vary on the amount of RAM and internal storage. Apparently, the YT3-X90[YX] models (the 4/64 GB refresh) have some use for these firmwares we describe, but in a very specific way, if you own a Y or X model, keep reading, especially the next section.
Spoiler: EXPLAINING HOW TO FIND THE RIGHT STOCK FIRMWARE
Lenovo support has been terrible (there are no words to describe it, really), so they launched this tablet with Android 5.1 Lollipop and they maintained it for a while but were very slow to deliver Android 6.0 Marshmallow. In fact, there was already Android Nougat, when they sent the Marshmallow update. Nevertheless, the update was bad. Performance issues were always a thing and some functionality went lost in the update (less intuitive multiple windows, a crippled recents activity/screen, and a laggy overall experience). Bottom line, they launched a curated Android Lollipop 5.1 firmware with security updates until March 2016 (striked because the last lollipop update f*cks up my sensors, except the light one) and a half-assed Android Marshmallow 6.0.1 firmware.
Of course, at the time, I'm guessing most of us upgraded to Android Marshmallow 6.0.1, hoping the upgrade would fix the issues in Lollipop or with security patches in mind. The reality was that Android 6.0.1 wasn't nearly as maintained as 5.1 and security ambitions went nowhere. So, we got the upgrade all right, but at this point, both Android versions can be considered inherently insecure and we really shouldn't be using it for sensitive work.
OK, there are several Android 5.1 and 6.0 firmwares, you can recognize them because they are all over the internet typically in a compressed format. For example, this firmware hosted in androidhost.ru named:
YT3-X90F_ENG_S100265_1601281130_WW24_ROW
Is a firmware for the Lenovo Yoga Tab 3 (YT3) Pro (X90) Wifi Version (F). The ENG part is an indication of the build type, ENG is an engineer build while USR is probably a firmware for the end user (this is common now that I know a bit more about AOSP source code), it is a Lollipop firmware (S1, Marshmallow would be a S2) with update version (00265), date of compilation and a good estimate of its security patch (1601281130), the WW24 is the weekly release version of the Android kernel for Intel devices (the latest, in May 2020, being WW31 which is exactly the same as WW28 and not updated since 2016), the final part means it is the global ROM version (ROW, opossed to the Chinese version CN). This is the latest Lollipop firmware I am aware of, so, as an example, an imaginary Android Marshmallow Chinese firmware for the LTE version of the Yoga Tab 3 would look like:
YT3-X90L_USR_S200013_1610141535_WW24_CN
As an additional note the Chinese ROMS, I presume, are not trusty but they are also Google-free for what it's worth. On the other hand, they ship with a "Lenovo Services Framework" that should be as intrusive as the Google Play Services. Oh, also, baidu and yandex, and, really, any less traditional search engine can help you find a fitting firmware.
Spoiler: EXPLAINING HOW TO FLASH A STOCK FIRMWARE (DOWNGRADE TO LOLLIPOP AND UNBRICK)
I did test several firmwares, chinese and global, lollipop and marshmallow and the safest and easiest way to flash them is by using the Intel Platform Flash Tool Lite . I can't say I trust in this site, but it hosts a handy tutorial on how to use it, though, is pretty intuitive. The software exists for Mac, Windows and Linux, be sure you are in, at least, the 5.8.x version, this is important to avoid the need to install some special drivers separately as a pre-requisite. Grossly, Intel Flash Tool Lite works like this:
0) Turn off your tablet if it is on.
1) Launch Intel Platform Flash Tool Lite.
2) If your downloaded firmware is in zip format load it with the blue "Browse..." button.
2 bis) OR, if your firmware is in other compressed formats, uncompress it first. After this use the "Browse..." button to load the "flash.json" file.
3) In Configuration option select "blank" if it isn't set already. Optionally, un-tick the "On-demand flash" option to have more control of this process. Also, maybe you can use the "erase" configuration here.
4) Start your tablet in DNX mode. To do this, press Vol- and hold it, then Vol+ and keep holding both, then press the Power button until it turns on and you see the Lenovo logo and some text indicating you are in said mode.
5) Connect your Yoga Tablet with a USB cable and your Intel Platform Flash Tool Lite windows should show it as detected. Now you can proceed using the blue "Start to flash" button.
6) Keep an eye on your tablet, since some firmwares will prompt to set some more options. Unless you know what you are doing, answer "Yes" to any question.
7) Reboot and wait.
If a couple hours have passed and the tablet hasn't booted, maybe you should try another firmware.
IMPORTANT NOTE AND INSTRUCTIONS FOR YT3-X90Y AND POTENTIALLY YT3-X90X USERS: I don't know the rules in xda about linking to other forums but in certain forum there is an answered question about the Y model (the 4/64 GB WiFi only refresh) on how to flash a firmware. Instructions are the same as I gave in this section, except, apparently, you need to do it twice, first with the ENG version and the second time with the USR version except you are not using the flash.json file, this time you'll browse for the flash_factory_1st_stage.json one and the factory1st configuration in fastboot. It is not clear what are the consequences of not doing it this way or what if you combine different firmware versions (it would be interesting to have a tester here). Notice please, these firmwares are marked for the YT3-X90F model. So, clarifying:
1) Follow the instructions above to flash the YT3-X90F_ENG firmware.
2) Power off your tablet.
3) Boot into bootloader (not in DNX, you need to boot into bootloader by powering on while holding Vol+).
4) From the YT3-X90F_USR firmware folder use Intel Platform Flashing Tool Lite to load the flash_factory_1st_stage.json and select the factory1st configuration.
5) After flashing the USR firmware, reboot and you should be good to go.
METANOTE: This wasn't tested by me, please do this only when you are hopeless with your hardware. This is just an educated guess but I bet it works the same with the YT3-X90L (the LTE version 2/32 GB Yoga Tab 3 Pro) and the YT3-X90X (the 4/64 GB refresh).
ALTERNATIVE WAY TO FLASH A STOCK FIRMWARE (ADVANCED USERS, requires fastboot)
Well, there is no need, really, to use that Intel tool. In my search for a lollipop firmware (I wanted to downgrade from Marshmallow) I found the firmware YT3-X90F_USR_S100195_1512052308_WW24_ROW in www.firmware247.com or www.androidfilehost.com (IMPORTANT: please read the note on downgrading to Android 5.1 Lollipop in the note at the end of this section). This firmware was special since, if you are in Windows and have fastboot executable ready and in place, you can run a script (run_me.bat) in the Windows terminal (CMD) or Powershell to flash the firmware semi-automatically. I think this firmware was modified, though, since I found differences in the boot.img when compared with stock firmwares. This script is credited to XDA members @ionioni and @joesnose and you can replicate its steps if you:
0) Turn off your tablet if it is on.
1) Start your tablet in DNX mode. To do this, press Vol- and hold it, then Vol+ and keep holding both, then press the Power button until it turns on and you see the Lenovo logo and some text indicating you are in said mode.
2) Connect your tablet to your fastboot enabled PC using a USB cable.
3) Input "fastboot flash osloader loader.efi"
4) Wait 5 seconds to be sure the loader flash finishes.
5) Reboot into Bootloader. If you don't know how, one way is to hold Vol+ and Power on your tablet.
6) Input "fastboot oem unlock" and confirm using Vol keys to select the right option and the Power button to enter it.
7) Input "fastboot flash system system.img"
8) Input "fastboot flash boot boot.img"
9) Input "fastboot flash recovery recovery.img"
10) Input "fastboot flash bootloader bootloader.img"
Follow your instincts, since I don't know if these IMG files are always named the same. You can get these IMG files from downloaded sources or dump them yourself using dd command.
NOTE ON DOWNGRADING TO ANDROID LOLLIPOP 5.1: So, one of my main concerns has been to go back to Android Lollipop. There is a last version of Lollipop from where you can upgrade to Marshmallow with a security patch from March 2016. Nevertheless, you MAY end up loosing other sensors except the light one. If this happens, you need to use a complete firmware flash using Intel Platform Flash Tool Lite. In my experience, some boot images are not compatible with other weird partitions like country or misc.
Spoiler: TWEAKS ALREADY IN THE COOKED ROM
The first boot takes some time even amounting for the time of the setup itself. By the time you are in the launcher tapping on app's icons you think there's nothing wrong with our device, but after some apps are in memory, you notice some lag. You think "OK, it is updating, but soon it'll settle", but it does not. So, you reboot again after updates and fire up a terminal emulator and connect to your tablet using a USB cable with USB debugging turned on and issue a free command to find something like this:
Code:
total used free shared buffers
Mem: 1950372 1820964 129408 0 7756
Swap: 524284 10740 513544
Total: 2474656 1831704 642952
Which means you have a total of ~2.5 GB (this is the 2 GB model). So, did I download that extra half GB of RAM or Lenovo was feeling generous? Well, no. The issue here is Lenovo built the kernel with zRAM support which is a technology included in Linux that reserves space in RAM to quickly compress and uncompress pages of data exceeding our physical amount of RAM installed (2 GB). This is not Virtual Memory as in a swap file/partition or Windows' Page File inside storage media. zRAM literally reserves a fixed amount of physical RAM space (blocks) to expand it by compressing data. The consequence is you loose "fast RAM" (THE RAM) and gain some "slow RAM" (the zRAM). You also sacrifice some CPU power to compress/decompress data and, with this, some battery juice is also lost.
That does not sound like a terrible trade-off for a RAM-limited device, one would think. Another interesting thing would be WHEN to send this piling data in "fast RAM" to the compressed space and WHEN to get it back. Two parameters control the WHENS, one is called "swappiness" (when to send it to the compressed space, the "slow RAM") and the other may be the "vfs_cache_pressure" (when to uncompress it and send it back to the "fast RAM"). And this is where the main problem is, really, because the kernel, Linux, is pressing the RAM constantly to send some less prioritary data to "slow RAM" and, at the same time, is trying constantly to send compressed data back to the "fast RAM". Summarizing, this kernel behavior is practically minimizing the fast RAM amount and usage while maximizing the "slow RAM" usage. This is nuts, by default a swappiness and a vfs_cache_pressure of 100 are not even default for servers, these parameters extremely prioritize that processes can get done no matter how slow they get, and they are even more nuts when Android is designed to work without swap space.
What that free command is telling us is the tablet is using the "slow RAM" even when we only just turned it on. Fortunately there are two ways to fix this problem: one is to completely disable zRAM, the other one is to use ZRAM a whole lot less by tweaking the swappiness and vfs_cache_pressure parameters. This can be easily done with the following sentences in a rooted tablet:
Code:
# echo 5 > /proc/sys/vm/swappiness
# echo 50 > echo 5 > /proc/sys/vm/vfs_cache_pressure
Or, to regain the whole fast RAM:
Code:
# swapoff /dev/block/zram*
One caveat of the first method, reducing swappiness, is there is still a lot of RAM (one quarter of the whole RAM in a 2 GB device) reserved as "slow RAM".
SOME ROMS DID NOT ENABLE KERNEL SAMEPAGE MERGING, UNFORTUNATELY
Additional to the sorry implementation of zRAM, some firmwares support a fabulous Linux tool to reduce RAM usage called Kernel Samepage Merging (KSM) but they don't use it by default. This software runs at kernel level, so, it really is CPU-wise inexpensive and, opposite to zRAM it can actually recover some RAM usage by reducing the amount of data flagged as redundant in physical RAM by merging it. KSM is good for you and you should have it always enabled by issuing the following command as root:
Code:
# echo 1 > /sys/kernel/mm/ksm/run
STOP WRITING AND FIX MY RAM! PLEASE!
Well... are there any people interested on this? With the above information you can write a script to execute at boot. Something like this should work in any version of the firmware:
Code:
#!/system/bin/sh
# Mount system as rw
busybox mount -o remount,rw -t auto /system
# Tweaking swappiness in zram
echo "5" > /proc/sys/vm/swappiness
echo "50" > /proc/sys/vm/vfs_cache_pressure
# Activating Kernel Samepage Merging
echo 1 > /sys/kernel/mm/ksm/run
# Remount system as ro. noatime option for faster and volatile system
# busybox mount -o ro,remount,noatime /system
busybox mount -o ro,remount /system
exit 1
Or, you can unpack the boot.img and modify the init.cht_ffd.rc (lollipop) or the init.r2_cht_ffd.rc (marshmallow) files to write these values as default... or, if there is interest for something easier, I can produce this boot.img files for you to flash using fastboot.
ROOTING THE LENOVO YOGA TAB 3 PRO (YT3-X90[FL])
Here I am not gonna write a lot. Instructions were given in this thread. I'd only recommend to put vm.targetutilization at 0.8 top 0.85 in system/build.prop
After rooting, debloat your firmware. I use the app "/system/app mover" from Fdroid to convert to user apps and uninstall them. Also, if rooting is not your cup of tea, you can install AppOps software to freeze all those apps that you don't use regularly. Also, I couldn't patch my services.jar for Signature Spoofing with Nanodroid patcher in the most recent lollipop firmware, but it did work in Marshmallow... anyway I'll do it manually.
ARE YT3-X90F AND YT3-X90L FIRMWARES INTERCHANGEABLE?
I own a WiFi only device (YT3-X90F) so I can't assert they are interchangeable. If I owned the LTE version and use a WiFi firmware I would expect to loose LTE functionality. Now, on the other direction is more interesting because I've been using a LTE firmware version for weeks (as a matter of fact, the one joesnose linked in his How-To debrick this tablet, flashed with the instructions I posted for advanced users it even updated to recent 2020 firmwares). The only tweak you need for this to work well is to add "ro.ril.disable=1" in the build.prop file. So, yes, firmware for the LTE version work in the WiFi version but kind of not vice versa.
Spoiler: YT3-X90(FL) UN-DEVELOPMENT
No news here. All capable people interested on developing for this device are all done with Lenovo and their attitude against Open Source. Don't expect your situation to change.
I'm happy to know there are still a couple of developers interested on this device. I won't cite them by linking their names but they are OOEvil and alquez, the first guy is trying to make a Generic System Image (GSI) ROM compatible with our tablet, I don't know the details so I wouldn't go further. Alquez has been active in this thread and, while he is trying to figure out how to build a kernel, he believes the best way to start having some alternative to official Lenovo firmware is by using a firmware kernel (a prebuilt kernel) to, first, build a more up-to-date TWRP recovery.img and from there try to build CyanogenMod 13, which was based on Android Marshmallow 6.0.1. My guess is newer Android versions wouldn't work if we can't build the kernel from source.
PHOTO ALBUM OF YT3/X90Y BIOS
This photo album documenting every screen option in the BIOS of the Yoga Tab 3 Pro may or may not help someone, but it contains a lot of useful hardware information and guidance for those attempting to boot something else than the original Android 5 or 6 firmware. Using this options, that are accessible through F2 at boot with an attached USB keyboard, you could try Linux distributions on the tablet or even attempt to run Windows, @alquez informs it works fine with a recent distro but the mainline kernel is lacking touchscreen and battery support. This is absolutely his work and he asked me to share it. I hope it serves someone. It is hosted in a rather obscure website but it was the only reasonable placeholder I could find for the 321 photos.
Hope this helps someone, I just didn't want to keep it to myself. Have a nice day!
Just remember, if your tablet is 3G capable I strongly suggest that you modify the line "ro.lenovo.tablet=wifi" to "ro.lenovo.tablet=3gdata" and remove the line "ro.radio.noril=true" to your build.prop file in /system. To do this you can use the section Build.prop Editor of the Kernel Adiutor app or you can do it manually if you have already a method to modify system files. If you do not use mobile data at all, you may leave the build.prop as it is, you'll save a lot of battery by using only wifi.
Spoiler: Some old info here, but maybe useful
ONLY FOR TESTING: Cooked ROM, newer TWRP and tweaked kernel
ONLY TRY THESE FOR TESTING PURPOSES, THE TWEAKS ARE ALL SAFE TO USE BUT ONLY FLASH FOR TESTING PURPOSES, PLEASE. FIRST, TRY TO USE FASTBOOT TO BOOT THE boot.img FILE WITHOUT FLASHING: IF IT BOOTS GO AHEAD AND TRY THE OTHER FILES (fastboot boot boot.img). THE TWRP IS NOT AS STABLE AS THE OTHER ONE HERE AT XDA BUT ALLOWS TO USE ZIP COMPRESSION IN BACKUPS. I AM NOT GONNA BE AROUND. IF YOU TRY SOMETHING MAKE A BACKUP FIRST. THIS DEVICE IS MESSY AS F*CK.
Spoiler: Some old info here, but maybe useful
I wrote a very detailed guide about these files I uploaded to my Nextcloud that include the newer TWRP-3.0.2, a TWRP flashable Cooked ROM and a separate kernel (boot.img) in case your system is already setup, but the post went to some XDA void and didn't upload. These are based on the YT3-X90L latest firmware, but they work on the X90F model too. The TWRP should work with Lollipop and Marshmallow firmwares.
I can't write everything again, so, the kernel contains better management of RAM and emmc (internal) memory, a 256 MB zRAM space instead of 512 and a more conservative approach to LowMemoryKiller.
The cooked ROM includes the described kernel and debloated apps, it's already rooted with Magisk (you can unroot with Magisk Uninstaller), an updated Busybox build, su.d support (I plan to use it with AFWall+), zipaligned apps, etc. It is for the X90L but possibly works for the other Yoga Tab 3 Pro models. It works for the X90F but it will reboot once after the first boot because the RIL configuration times out. To install the cooked ROM you need to:
0) Know that by doing this you will loose pretty much everything in your tablet. You start from scratch if everything goes smooth, if not you could possibly end up with a system without an OS. The usual stuff when you are customizing your system.
1) Boot into TWRP and make a Nandroid backup. IT IS IMPORTANT because @joesnose had problems with a "random reboot" and lost Bluetooth/WiFi after it. I am trying to look into this. The only difference is his tablet has 4 GB RAM and probably a different firmware.
2) Wipe cache, Dalvik/ART, System and Data in TWRP - Wipe, Advanced Wipe menu. If your tablet is encrypted, or in factory firmware you also need to explicitly use the button "Format Data partition" and confirm writing "yes" in the format procedure prompt. You will loose any configuration made to your tablet.
3) Install the superr_stockMM.zip wich is flashable by selecting the file from your Internal tablet memory, using the Install button in the main TWRP interface.
FOUR IMPORTANT NOTES TO COMMON ISSUES:
If you come from a stock firmware your data partition is encrypted. You need to pass a blank password in TWRP to continue to use the custom recovery. You also need to format data partition before flashing the cooked ROM.
If your tablet is WiFi-only I strongly suggest that you modify the line "ro.lenovo.tablet=3gdata" to "ro.lenovo.tablet=wifi" and add the line "ro.radio.noril=true" to your build.prop file in /system. To do this you can use the section Build.prop Editor of the Kernel Adiutor app or you can do it manually if you have already a method to modify system files. In Lollipop firmware you use "ro.ril.disable=1" instead of "ro.radio.noril=true" to get the same effect: sort of a conversion to WIFI-only tablet from LTE models. I'd argue this is useful to do if you are gonna be without LTE connection/service for long periods of time and I can think a couple of other uses.
Do not use stock Lenovo launcher unless you uninstall Magisk... they are incompatible for reasons I don't care to know and the Launcher will constantly FC (it is a pain in the arse).
If you are still expecting better performance I am sure there are some tweaks left in RAM management but it wont go too much further in 2 GB devices. Instead, you may consider to lower your display resolution and pixel density to something reasonable as 1400x2240 or even 1200x1920 maintaining the same aspect ratio. To do this you do not need to have root but you need to interact with the tablet using ADB. First change the size of your display:
Code:
adb shell wm size 1400x2240
Then adjust your density:
Code:
adb shell wm density 260
If still is not enough you can go even further with 1200x1920 and 224, use the same method to go back to stock with 1600x2560 and 300 to 302. This won't need a reboot but will probably cause an inconsistent UI that will lead to FCs and random reboot. You can just reboot after applying these tweaks. Unless you are really sight-gifted you won't notice a lot has changed but you will be dealing with 2.x Mpixels instead of 4.x Mpixels and that will help with your overall performance as well as your battery life sacrificing a pixel count that most of the people wouldn't even notice. If you did this correctly, in the next boot sequences you'll notice an offset on the Lenovo orange logo.
It is important to say that your display supports 1600x2560 pixels physically, but I'm assuming the GPU has no dedicated RAM and uses the device's, so, by reducing the quantity of pixels the GPU needs to deal with, the pressure on the device's RAM is also reduced.
EXTRA TIP: If boot annoys you just delete /system/media/boot.wav, bootanimation.zip and shutdownanimation.zip and you'll get a silent boot and the generic android boot animation.
Hope you enjoy your tablet!
TWRP-3.0.2.0- BETA: Again, this is not a flashable zip. Uncompress first and test the recovery system using "fastboot boot twrp_yt3-x90f_beta.img". If everything works for you, you may want to flash it permanently rebooting to bootloader and flashing with "fastboot flash recovery twrp_yt3-x90f_beta.img". Remember I did not test this in Marshmallow yet.
FEATURES:
- Fixed RAM issues (swapiness 10, vfs_cache_size 50 and disabled dynamic low memory killer tweaks and minfree values).
- Reduced zRAM size to only 256 MB.
- Tweaked interactive CPU scheduler to use other than min and max frequencies (but still responsive). The tweaks are based on the Advanced Interactive Governor Tweaks Guide. This may save battery life.
- Max frequency capped to 2.08 GHz (this is not great if you are a gamer). This tablet throttles when using max frequency for a long time, so, to save battery and keep it cooler I tweaked the CPU to run slower.
- Tweaked I/O schedulers to use deadline governor and read ahead cache to 640 kb (used benchmarks to get to this value).
- Force encryption disabled (to avoid applying ionioni script after flashing). Still needs to format data partition. You can encrypt your data partition later through Configuration -> Security user interface.
- Implemented native init.d support (not su.d anymore and no need to root the main OS).
- Busybox updated.
- Rooted with Magisk by default ( you can use Magisk uninstaller to unroot).
- Debloated apps. I also deleted Lenovo User Experience Program which was asking for root privileges even when you don't opt in to the Lenovo UE Program at setup wizard. I find this behavior shady.
-Multi-window mode is available in Developer Options and needs to be activated by you. In this mode if an app is compatible with multi-window mode you can double-tap on its title bar to enable Window mode. This function was more transparent in Lollipop firmware but it is still there in Marshmallow firmware if you change the build type to userdebug instead of user in build.prop (that's how I enabled it in the Cooked ROM).
- There are also other tweaks in VM and KSM.
And that's it, I'm not trying to change a lot, only the fundamental issues. But I suggest some other tweaks up there.
Such a shame. I love my Yoga Tab 3 Pro. Great hardware. But the software. Thanx anyway for your work.
Very nice write up. Thanks.
joesnose said:
Very nice write up. Thanks.
Click to expand...
Click to collapse
You're welcome. Thanks to you, while learning about this hardware your username pops everywhere.
jahfaby said:
Such a shame. I love my Yoga Tab 3 Pro. Great hardware. But the software. Thanx anyway for your work.
Click to expand...
Click to collapse
It really, really sucks. Let's hope something interesting happens after these strange and recent updates.
CENTSOARER said:
V1: The zip name boot_mod_mm.zip is based on the latest boot IMG provided by Lenovo. You need to first uncompress and flash it using fastboot (this is not a TWRP flshable zip). If you are uncomfortable flashing, you can test it only by issuing "fastboot boot boot_mm_march20_mod.img" once uncompressed, or, if you feel fine using it you can flash it permanently by using the command "fastboot flash boot boot_mm_march20_mod.img". This boot IMG will only work with Marshmallow firmwares in both YT3-X90(FL).
FEATURES:
- Fixed RAM issues (swapiness, vfs_cache_size and low memory killer tweaks).
- Reduced zRAM size to only 128 MB.
- Tweaked interactive CPU scheduler to use other than min and max frequencies (but still responsive). This saves battery life.
- Max frequency capped to 2.08 GHz (this is not great if you are a gamer). This tablet throttles when using max frequency for a long time, so, to save battery and keep it cooler I tweaked the CPU to run slower.
- Tweaked I/O schedulers to use deadline governor.
- Force encryption disabled (it's unnecesary to apply ionioni script now). Still needs to format data partition. You can encrypt your data partition later through Configuration->Security user interface.
Click to expand...
Click to collapse
Thanks for this. Going to take it for a spin.
joesnose said:
Thanks for this. Going to take it for a spin.
Click to expand...
Click to collapse
Please, please provide feedback and don't forget to wipe caches.
alquez said:
"No news here. All capable people interested on developing for this device are all done with Lenovo and their attitude against Open Source. Don't expect your situation to change."
https://github.com/intel/ProductionKernelQuilts this repository containts patches necessary to create base 3.14.55 and 3.14.64 uefi/cht-m1stable kernel tree. The same tree that was butchered by Lenovo in their OPEN_SOURCE "release".
Check this file https://github.com/intel/ProductionKernelQuilts/blob/master/uefi/cht-m1stable/ChangeReport.md and the WW24 part in the "YT3-X90F_ENG_S100265_1601281130_WW24_ROW" will become more clear
Quilt manual: https://elinux.org/images/7/74/Maintaining_Multiple_Android_Linux_Kernels_at_Intel.pdf
If someone would be looking for a good piece to start: the best would be to recreate 3.14.55 or 3.14.64 from the quilts, use the x86_64 defconfig and build a kernel which can be booted. In order to test this, the best solution is to repack TWRP with the new kernel and do "fastboot boot" without flashing, until it boots and the touch screen is working. There's no other way i'm afraid.
I have prepared complete photo documentation of UEFI Bios, i can share, currently moving to different google photos account. Its over 300 photos.
Please, set up a Discord channel if you want to proceed. The first month will be quite boring and daunting because it's going to be build -> repack -> boot -> rant
Click to expand...
Click to collapse
In my defense, when I wrote that sentence was after taking a peek on your github profile, I figured you were just done with the Yoga Tab 3 Pro. I am really, really glad you're still trying and I recognize you are very capable of changing things for this device. I appreciate the sources you link but I am afraid I am useless as a developer, partly because of a lack of time and partly because of a lack of adequate training. I will try to help as much as I can, though. Thanks for the post.
alquez said:
No worries, however if anyone is interested how to actually crunch this one: we have a working prebuild kernel which can be pulled of boot image, and we have a working TWRP, however it looks like TWRP wasn't actually built from source, but cooked using android kitchen so we're still missing a device tree, which in my opinion is a good place to start, because you can use prebuilt kernel to build recovery and lineageos/aosp (it's deprecated but we're talking about android 6 aka cm-13.0/lineage 13.0). If I can create a most basic device tree which is capable of building recovery from scratch useing binary kernel and modules, i'd say were' good, because the next part would be adding more binary blobs from the official software, and we can skip the kernel source part for now until we have lineageos build 13 working). I started experimenting on xiaomi latte tree because it wasnt split like Z00A. It's not gonna be a proper port but it should work from now (i think)
@joesnose did you cook or compile TWRP? It's important
Ok, I'm at the stage i have two folders. The one is unpacked working TWRP, the other one is unpacked compilation i'm building, which means im able to build TWRP from source with binary kernel, but it's not working yet. The goal is make the left one look like the right one by adjusting various parts in BoardConfig.mk and copying files.. If someone has right partition sizes for BoardConfig.mk that would be really helpful, the values i calculated suck and don'y boot yet
Click to expand...
Click to collapse
Uhmmm, I've been there and took some notes with some "GNU shell Fu". What sizes are you using right now?
And regarding the WW part of the name I've noticed the recent updates are marked as WW17 opposed to WW28 which was the latest stable with any changes. Any idea why Lenovo used WW17 to update the Yoga Tab 3 Pro recently?
alquez said:
update, ive managed to boot vanilla android-x86 x64 6.0.1 build without touching the kernel yet and different TWRP (3.1.1.0) with kernel swap
Click to expand...
Click to collapse
Geez, I was excited because I read Ubuntu booted on this hardware but then I realized it was the Yoga 3 tablet but not the Yoga Tab 3, goddamnit. Keep up the good work!
alquez said:
Um Ubuntu 20.04 boots with working accelerometer so the screen rotation works + wifi, and probably audio i forgot to play youtube video, the stuff missing is battery, touchscreen and projector.
To test it you need to connect a usb hub using usb otg, put ubuntu and a keyboard in the hub, boot, and press f2 really fast if you haven't enabled slow boot yet. You can even boot
Xubuntu to ram and remove flash drive. It's a pc architecture after all and most of the processor related stuff is in the linux mainline since 4.11
Recently i was checking why the Windows 10 installer crashes on ACPI Error.
Click to expand...
Click to collapse
Oh, I will have fun doing this kind of stuff at the end of the year. It must run swiftly with i3, provided you won't get touchscreen support.
alquez said:
Geting TS and a battery running is a mandatory, the next is the projector. The rest is pretty much working. I'm building generic celadon x86 atm and the beast is huge it's like 18% now after two hours on -j8 on i7. Maybe we can give this old monster a new life
edit:
And i need to add 480gb drive ;/
Code:
/dev/sdc1 229G 210G 6,7G 97% /home/android
Click to expand...
Click to collapse
I am afraid those are the peripherals that will keep you in 3.14.55/64 Linux, at least for a while , unless you know something more (wouldn't be surprised).
Are those GB for source code or for cache? Both? Jesus... the thing is huge but reading the unpacked boot.img makes much more sense now.
It was ionioni who made the twrp for the device. I dont have the foggiest how he did it.
---------- Post added at 01:23 AM ---------- Previous post was at 01:18 AM ----------
Wow! I missed lot, looks like you have made some serious progress here. very well done.
alquez said:
I contacted my friend and he told me to compare these two folders:
https://github.com/alquez/lenovo_yt...l/cht/arch/x86/platform/intel-mid/device_libs
https://github.com/torvalds/linux/tree/master/arch/x86/platform/intel-mid/device_libs
the new files in "lenovo tree" are the modules we're after, mostly and it's a place to start
I need to ask inioni about twrp.
Click to expand...
Click to collapse
I will guess it was ported from the Yoga Tab 2. I will edit this post soon.
alquez said:
Nice! There's big chance the modules are reused somewhere. We can compare these. I think the two folders in
https://github.com/alquez/lenovo_yt3_x90_osc/tree/master/kernel/cht/drivers/input/touchscreen
which are missing from vanilla tree are two separate drivers and one is for "any pen" driver. Can you ask someone porting modules recently
to help us refresh my memory
[edit]
I've got in touch with TeamBliss of BlissRoms , they are working on cherrytrail tree
Click to expand...
Click to collapse
Nah, I couldn't confirm it was ported. A lot of posts were removed when XDA enforced the GPL measures to its developers.
About BlissRoms, it just makes sense they are working on Cherry trail. I hope you and those guys can achieve something soon. I mean, it's a 2 GB RAM device but the display, projector and dolby audio system are worth for a better fate than Lenovo's plans.
alquez said:
4GB of ram 4 cpu cores, Hardware virtualization support, fast gpu and fast emmc memory. It's a beast, way ahead of it's time.
Click to expand...
Click to collapse
Well, I have the 2 GB RAM model, so my expectations are conservative. Anyway, don't believe I'm a hardcore user, so it's plenty enough for me, considering I won't even flash Google apps. I am now settled with Lollipop, since I need apps not getting killed by damn Doze. It is a shame how OEMs can limit a device like this one. Crond, init.d, bad zRAM, shell, even busybox... frequently the OS is crippled. I read somewhere Doze can be disabled in build.prop or something but one thing I just hate is the recents screen in Marshmallow firmware (my God, is terrible!) and can't be easily changed for something like OmniSwitch. I mean, for a mobile device you have an unusual architecture, why limit it further? Damn, I wish BlissRoms come up with a working build.
Hey, @alquez, have you tried Linux 5.7 on the tablet? I saw this article and seems like the touchscreen may work with the next mainline kernel release. I mean, right now is on RC7, should be stable enough to compile and try (I'd try it, but can't get to my workstations thanks to the virus).
EDIT: Ah... I was looking into my device and it comes with a HiDeep touchscreen (cat /dev/input/event3), the linked news is for the Goodix driver / devices. At least, I guess, it will attract others to this platform... anyway, I was wondering and also confused, shouldn't touch screen work with the hideep driver using this config already?
Thanks for the new feel.
This is great, glad to see a developer picking up this tablet. It's a fine machine with an unfortunately small user base and has never really seen any development apart from ionioni s efforts and he didn't even own one, lol.
Edit: *Thank for the new twrp * auto correct!
I love this device! For me it's the perfect device for vacation just because of the projector!
I am so happy that you guys are working on it again. the ram and display tweak works like a charme for me. Had to reset my background screen though
thx for all your help. As soon as you guys have light rom, i'll install it on my 2GB device.
hello how to flash your twrp please ?
can someone upload adb drivers for the yt3-x90f please ? because i try to flash in dnx fastboot mode but commands don't work, even "fastboot devices" don't show me the yoga tab 3 pro
Has anyone looked at the H1_Aladeng Smartwatch? Can root be achieved?
It is advertised mostly as kids smartwatch/tracker but the it's features are nearer to a full smartphone on wrist than most Android Smartwatches.
The Micro-SD slot and 1080mAH battery allows me to listen to music through bluetooth for about 5 hours straight.
And oh yes, I installed MX Player so I can sort the music/videos as I wish.
They say it is 32GB max for micro-SD card, but I have a 400GB installed and it reads fine. And some apps can be installed on SD card. The Sim card slot works so I can get texts, browse and stuff.
No it is not specialized in fitness tracking. Only footsteps counter.
Music sound quality over bluetooth improves after installing Noozxoid. However, If root can be found, I would install ViperXHiFi to increase music quality (I have been able to Magisk root and install ViperXHiFi on Microwear H5 4g Smartwatch which gave up the ghost a few weeks ago).
&oot4peace said:
Has anyone looked at the H1_Aladeng Smartwatch? Can root be achieved?
It is advertised mostly as kids smartwatch/tracker but the it's features are nearer to a full smartphone on wrist than most Android Smartwatches.
The Micro-SD slot and 1080mAH battery allows me to listen to music through bluetooth for about 5 hours straight.
And oh yes, I installed MX Player so I can sort the music/videos as I wish.
They say it is 32GB max for micro-SD card, but I have a 400GB installed and it reads fine. And some apps can be installed on SD card. The Sim card slot works so I can get texts, browse and stuff.
No it is not specialized in fitness tracking. Only footsteps counter.
Music sound quality over bluetooth improves after installing Noozxoid. However, If root can be found, I would install ViperXHiFi to increase music quality (I have been able to Magisk root and install ViperXHiFi on Microwear H5 4g Smartwatch which gave up the ghost a few weeks ago).
Click to expand...
Click to collapse
Have found only the way how to get developers mode and enter to engineer menu
1. Click on the build version many times until Developers mode will be enabled
2. In calling type *#*#83781#*#* - you will open Developers menu.
To connect sclock with adb:
Engineer_Menu - tab Debug&Log - USB Debug (enable) - sclock will be able to connect to pc thrue adb.
~Searcher~ said:
Have found only the way how to get developers mode and enter to engineer menu
1. Click on the build version many times until Developers mode will be enabled
2. In calling type *#*#83781#*#* - you will open Developers menu.
To connect sclock with adb:
Engineer_Menu - tab Debug&Log - USB Debug (enable) - sclock will be able to connect to pc thrue adb.
Click to expand...
Click to collapse
Hey. Thanks.
Yes I was able to access developers options and other many settings after installing QuickShortcutMaker.
After enabling developer options and usb debugging you I can also issue basic commands like "reboot to bootloader" (reboots to fastboot, usb driver must be installed otherwise device not detected).
Not sure what you mean by sclock, probably new to the term.
&oot4peace said:
Not sure what you mean by sclock, probably new to the term.
Click to expand...
Click to collapse
smartwatch
regarding fastboot: I have tried all available recoveries for SC9832E:
[TWRP] TWRP Recovery for Symphony I72 (spd sc9832e, android version: 8.1)
Hey guyz;),,I got a TWRP recovery for Symphony I72 Version:3.1.0 :cool: twrp ported by: jemmini & Team Hovatek,, I'm a new user in xda so i cant provide links directly, then just grap twrp from the following link;)-- shrtz.me/XCRMlc although...
forum.xda-developers.com
Meizu C9/C9 Pro - Обсуждение - 4PDA
Meizu C9/C9 Pro - Обсуждение, Смартфон, 5.45
4pda.ru
the smartwatch just boots normally as reboot.
adb reboot bootloader - brings it to fastboot
fastboot boot ANYRECOVERY.img just equal to reboot.
no any success to start Recovery via fastboot.
there is also not any firmware to research it.
~Searcher~ said:
smartwatch
regarding fastboot: I have tried all available recoveries for SC9832E:
[TWRP] TWRP Recovery for Symphony I72 (spd sc9832e, android version: 8.1)
Hey guyz;),,I got a TWRP recovery for Symphony I72 Version:3.1.0 :cool: twrp ported by: jemmini & Team Hovatek,, I'm a new user in xda so i cant provide links directly, then just grap twrp from the following link;)-- shrtz.me/XCRMlc although...
forum.xda-developers.com
Meizu C9/C9 Pro - Обсуждение - 4PDA
Meizu C9/C9 Pro - Обсуждение, Смартфон, 5.45
4pda.ru
the smartwatch just boots normally as reboot.
adb reboot bootloader - brings it to fastboot
fastboot boot ANYRECOVERY.img just equal to reboot.
no any success to start Recovery via fastboot.
there is also not any firmware to research it.
Click to expand...
Click to collapse
Yea I dont see anything about SP9820e yet.
Also using the QuickShortcutMaker app, I can see a number of apps installed but hidden, gmail, fm radio...
The FM radio app launches and asks for earphone to be plugged in but does nothing when I plug in micro-usb earphones.
I was able to pull build.prop using ADB and I saw a line with FM radio mentioned, but commented out.
After editing build.prop, of course it would not allow me to push back to system, with Read Only error, because of no root.
&oot4peace said:
because of no root.
Click to expand...
Click to collapse
looks that the only possible way to get root - to read firmware via SPD Flash tool, but there is no scatter file (partitioning of mmcblock*)
in default firmware all block devices available only to root, so is not even possible from console to grab in sectors begin-end of partitions.
Hi All,
For rooting this smartwatch: unfortunately in original firmware there is no any permission for block devices and it is impossible to read partitions size via linux (android).
there is also no any bin of firmware, besides written in flashmemory chip, there is no even dump of this chip
there is no any working recovery for SC9832E, that is possible to run temporally through fastboot boot Recovery.img. Default recovery shows "No command" - there is no known way how to bypass it. OEM is unlocked, there is only 1 button on smartwatch.
If someone could suggest smth or reference to any progress relevant to this device or at least to SC9832E based devices - that will be really great and many thanks in advance !
~Searcher~ said:
Hi All,
For rooting this smartwatch: unfortunately in original firmware there is no any permission for block devices and it is impossible to read partitions size via linux (android).
there is also no any bin of firmware, besides written in flashmemory chip, there is no even dump of this chip
there is no any working recovery for SC9832E, that is possible to run temporally through fastboot boot Recovery.img. Default recovery shows "No command" - there is no known way how to bypass it. OEM is unlocked, there is only 1 button on smartwatch.
If someone could suggest smth or reference to any progress relevant to this device or at least to SC9832E based devices - that will be really great and many thanks in advance !
Click to expand...
Click to collapse
Do you think if the stock frimware can be obtained from manufacturer, the boot.img can be magisk patched then flashed to gain root?
If yes that would be a goot place to start. I cannot find the firmware/rom anywhere though.
ALADING_H1-E-ALADENG-PRO_L709_9832E_2+16_V1.1_20211124.zip
drive.google.com
742.35 MB file on MEGA
mega.nz
There is a firmware, but there is no instruction on how to flash it, it does not have volume buttons
Finally there is the firmware. Great news! Now we need an enthusiastic modder to get the best out of this smartwatch. It would be great if this would work in a better way than it does now. I'd also like to keep the tracking stuff for my kid.