Does anyone know the URL of the latest Fossil Gen 6 OTA image file?
What is the code name of fossil gen 6?
I believe the Gen 6's codename is hoki. At least, that's what ro.product.device is set to.
Toys Samurai said:
I believe the Gen 6's codename is hoki. At least, that's what ro.product.device is set to.
Click to expand...
Click to collapse
I am unable to find the kernel source for this device. Seems they didn't uploaded yet.
Too bad. Thanks for your help anyway. Guess I just have to wait for the next update to capture.
Not available for now
OTA URL for Fossil HOKI (gen6) https://r5---sn-25glen7r.gvt1.com/p...25glen7r&ms=au&mt=1650816540&mv=m&mvi=5&pl=44
hope this will help, i'm trying to root the watch but with no success there's no ramdisk in boot so we need recovery.img and ota update doesnt include it
maassi0076 said:
OTA URL for Fossil HOKI (gen6) https://r5---sn-25glen7r.gvt1.com/p...25glen7r&ms=au&mt=1650816540&mv=m&mvi=5&pl=44
hope this will help, i'm trying to root the watch but with no success there's no ramdisk in boot so we need recovery.img and ota update doesnt include it
Click to expand...
Click to collapse
https://forum.xda-developers.com/t/twrp-twrp-for-fossil-gen-6-aka-hoki.4474863 I managed to build the TWRP recovery. Still some bugs, but you can install magisk
I have two more OTA urls:
- https://android.googleapis.com/packages/ota-api/package/aa51cebed7932ebf5ad1717595e13c609bb4a71b.zip (PFHD.211201.010 -> PFHD.211201.019)
- https://android.googleapis.com/packages/ota-api/package/a569fe07dfdcb4edea85f9535d592b9af4621cd1.zip (PFHD.211201.019 -> RFHC.220929.012)
These were taken from a brand new Fossil Gen 6 (hoki)
The previously shared link from @maassi0076 appears to be broken.
https://android.googleapis.com/packages/ota-api/package/230d380c72f87f94cbd4e43b944afd70700d6ffd.zip (PFHD.211201.017) seems to be identical and works fine on my end.
MagneFire said:
I have two more OTA urls:
- https://android.googleapis.com/packages/ota-api/package/aa51cebed7932ebf5ad1717595e13c609bb4a71b.zip (PFHD.211201.010 -> PFHD.211201.019)
- https://android.googleapis.com/packages/ota-api/package/a569fe07dfdcb4edea85f9535d592b9af4621cd1.zip (PFHD.211201.019 -> RFHC.220929.012)
These were taken from a brand new Fossil Gen 6 (hoki)
The previously shared link from @maassi0076 appears to be broken.
https://android.googleapis.com/packages/ota-api/package/230d380c72f87f94cbd4e43b944afd70700d6ffd.zip (PFHD.211201.017) seems to be identical and works fine on my end.
Click to expand...
Click to collapse
Any chance I could get some guidance on how to flash these? I haven't been able to successfully flash anything over fastboot or from TWRP and am a bit lost now.
Another user and I are both interested over in this thread: https://forum.xda-developers.com/t/fossil-gen-6-flashing-wear-os-2-instead-of-wear-os-3.4509785/
How are you able to get those URLs? I couldnt without rooting my watch. @MagneFire
At any chance, do you guys know how to convert system.new.dat / system.patch.dat / system.transfer.list from the OTA ? I need system.img to fastboot it (watch bricked)
@Arkbird1000 @MagneFire @maassi0076 @Malvik
Arkbird1000 said:
Any chance I could get some guidance on how to flash these? I haven't been able to successfully flash anything over fastboot or from TWRP and am a bit lost now.
Another user and I are both interested over in this thread: https://forum.xda-developers.com/t/fossil-gen-6-flashing-wear-os-2-instead-of-wear-os-3.4509785/
Click to expand...
Click to collapse
I don't think you can flash these directly, unless your base system matches the expected signature of the OTA image. Remember that the links I posted only consists of delta's/binary diffs.
Standalone they might not be that useful.
Malvik said:
How are you able to get those URLs? I couldnt without rooting my watch. @MagneFire
Click to expand...
Click to collapse
Without updating I did a factory reset and enabled USB debugging during the setup (before it has a network connection).
Then it's just a matter of gathering a complete adb logcat. The OTA url is listed in there.
Here is an example:
Code:
11-28 23:25:14.919 1450 1949 I Finsky : [125] kxk.apply(9): [PLUS] Adding payload
11-28 23:25:14.921 1450 1949 I chatty : uid=10036(com.android.vending) bgExecutor #0 identical 1 line
11-28 23:25:14.923 1450 1949 I Finsky : [125] kxk.apply(9): [PLUS] Adding payload
11-28 23:25:14.928 1062 2455 I NetworkScheduler.Stats: Task com.google.android.gms/com.google.android.gms.stats.PlatformStatsCollectorService finished executing. cause:5 result: 1 elapsed_millis: 246 uptime_millis: 246 exec_start_el
apsed_seconds: 134 [CONTEXT service_id=218 ]
11-28 23:25:14.932 1450 1949 I Finsky : [125] kxk.apply(9): [PLUS] Adding payload
11-28 23:25:14.982 1218 3498 I SystemUpdate: [Control,InstallationControl] Update URL changed from "https://android.googleapis.com/packages/ota-api/package/aa51cebed7932ebf5ad1717595e13c609bb4a71b.zip" to "https://android.googleapis.com/packages/ota-api/package/a569fe07dfdcb4edea85f9535d592b9af4621cd1.zip".
11-28 23:25:14.994 1450 1949 I Finsky : [125] kxk.apply(9): [PLUS] Adding payload
11-28 23:25:15.014 1450 1949 I chatty : uid=10036(com.android.vending) bgExecutor #0 identical 11 lines
11-28 23:25:15.017 1450 1949 I Finsky : [125] kxk.apply(9): [PLUS] Adding payload
11-28 23:25:15.079 1450 1949 I Finsky : [125] kxu.a(1): [PLUS] Syncing for users with urgency above: HYGIENE
Neil_Armstrong_ said:
At any chance, do you guys know how to convert system.new.dat / system.patch.dat / system.transfer.list from the OTA ? I need system.img to fastboot it (watch bricked)
@Arkbird1000 @MagneFire @maassi0076 @Malvik
Click to expand...
Click to collapse
I have a complete dump of version RFHC.221031.015
However I would recommend to make a complete backup of the entire filesystem using TWRP:https://forum.xda-developers.com/t/twrp-twrp-for-fossil-gen-6-aka-hoki.4474863/
Here's part of the dump: https://we.tl/t-Yqnp1gH1ne
Let me know if you need more partitions (and use at your own risk, I haven't tested them).
MagneFire said:
I have a complete dump of version RFHC.221031.015
However I would recommend to make a complete backup of the entire filesystem using TWRP:https://forum.xda-developers.com/t/twrp-twrp-for-fossil-gen-6-aka-hoki.4474863/
Here's part of the dump: https://we.tl/t-Yqnp1gH1ne
Let me know if you need more partitions (and use at your own risk, I haven't tested them).
Click to expand...
Click to collapse
i fooled around few days ago and wasnt able to backup my partitions (lol) edit : i went the YOLO mode and didnt backup
You are probably my savior because i was dead a$$ stuck with these system compressed files
Would you mind sending the 13 others partitions ? this way i ensure every partition is from the same wear OS version ?
Thanks a lot !!
MagneFire said:
Without updating I did a factory reset and enabled USB debugging during the setup (before it has a network connection).
Then it's just a matter of gathering a complete adb logcat. The OTA url is listed in there.
Here is an example:
Code:
11-28 23:25:14.919 1450 1949 I Finsky : [125] kxk.apply(9): [PLUS] Adding payload
11-28 23:25:14.921 1450 1949 I chatty : uid=10036(com.android.vending) bgExecutor #0 identical 1 line
11-28 23:25:14.923 1450 1949 I Finsky : [125] kxk.apply(9): [PLUS] Adding payload
11-28 23:25:14.928 1062 2455 I NetworkScheduler.Stats: Task com.google.android.gms/com.google.android.gms.stats.PlatformStatsCollectorService finished executing. cause:5 result: 1 elapsed_millis: 246 uptime_millis: 246 exec_start_el
apsed_seconds: 134 [CONTEXT service_id=218 ]
11-28 23:25:14.932 1450 1949 I Finsky : [125] kxk.apply(9): [PLUS] Adding payload
11-28 23:25:14.982 1218 3498 I SystemUpdate: [Control,InstallationControl] Update URL changed from "https://android.googleapis.com/packages/ota-api/package/aa51cebed7932ebf5ad1717595e13c609bb4a71b.zip" to "https://android.googleapis.com/packages/ota-api/package/a569fe07dfdcb4edea85f9535d592b9af4621cd1.zip".
11-28 23:25:14.994 1450 1949 I Finsky : [125] kxk.apply(9): [PLUS] Adding payload
11-28 23:25:15.014 1450 1949 I chatty : uid=10036(com.android.vending) bgExecutor #0 identical 11 lines
11-28 23:25:15.017 1450 1949 I Finsky : [125] kxk.apply(9): [PLUS] Adding payload
11-28 23:25:15.079 1450 1949 I Finsky : [125] kxu.a(1): [PLUS] Syncing for users with urgency above: HYGIENE
Click to expand...
Click to collapse
Ohk, got it. BTW can anyone social engineer their way to getting firmware from fossil ?
Related
Hi,
Currently I'm compiling OmniRom for Samsung Galaxy Mega GT-I9205.
When I try to boot it for the first time, the Omni is stuck at the boot animation...
May I know what is the general failure for this particular issue? and how to solve it?
logcat F/
Code:
12-29 19:01:06.722 F/MediaProfiles( 287): frameworks/av/media/libmedia/MediaProfiles.cpp:324 CHECK(quality != -1) failed.
12-29 19:01:06.722 F/libc ( 287): Fatal signal 6 (SIGABRT) at 0x0000011f (code=-6), thread 287 (zygote)
logcat /E
Code:
12-29 19:01:07.513 E/QualcommCamera( 754): Qint android::get_number_of_cameras(): E
...
12-29 19:01:07.513 I/AudioPolicyManagerBase( 754): loadAudioPolicyConfig() loaded /system/etc/audio_policy.conf
12-29 19:01:07.523 D/ALSADevice( 754): ALSA module opened
12-29 19:01:07.533 D/AudioHardwareALSA( 754): AudioHardware: DLOPEN successful for ACDBLOADER
12-29 19:01:07.533 D/ACDB-LOADER( 754): ACDB -> ACDB_CMD_INITIALIZE
12-29 19:01:07.533 E/ ( 754): [ACDB RTC]->rtc init done!->result [0]
12-29 19:01:07.533 E/Diag_Lib( 754): actp_diag_init: call diag init function with B5F20ECD
12-29 19:01:07.533 E/Diag_Lib( 754): Diag_LSM_Init: Failed to open handle to diag driver, error = 13
12-29 19:01:07.533 E/Diag_Lib( 754): actp_diag_init: diag init failed
12-29 19:01:07.533 E/ ( 754): [ACDB ACPH]->actp diag init done!
---
I suspect the media_profiles.xml is corrupted... but nope...
anywhere this is the comparison of media_profiles.xml between
melius >> https://github.com/Grarak/android_d...mon/blob/android-4.4/media/media_profiles.xml
hammerhead >> https://github.com/omnirom/android_device_lge_hammerhead/blob/android-4.4/media_profiles.xml
Diff >> http://diffchecker.com/ghjvhy51
and the device mk file
Code:
https://github.com/Grarak/android_device_samsung_melius-common/blob/android-4.4/melius-common.mk
# Media Profile
PRODUCT_COPY_FILES += \
$(LOCAL_PATH)/media/media_profiles.xml:system/etc/media_profiles.xml
# Note: Didnt have media_codecs.xml
Code:
https://github.com/omnirom/android_device_lge_hammerhead/blob/android-4.4/device.mk
PRODUCT_COPY_FILES += \
device/lge/hammerhead/media_codecs.xml:system/etc/media_codecs.xml \
device/lge/hammerhead/media_profiles.xml:system/etc/media_profiles.xml
Try using hammerhead (or another closer similar Qcom device)'s media_codec.xml and media_profiles.xml (or remove those files)
Thank your for the suggestion... look like i have to test on hammerhead xml afterall :crying:
but b4 that,
Im hoping someone able to tell me the logcat diagnostic
coz this file is currently used in CM11 (I9205) and they didnt have issue for this particular matter
Great news...
I managed to get it working... now omnirom have another working device in his pocket
Solutions: use media codec + profile from hammerhead... media codec + profile by touchwiz wont work
---
but i still have some problem
i able to get the camera to work, but the video recording is recording black screen...
EDIT:
The problem was that i was trying to read a line from the inputreader, when there was no line, so it was waiting for a response there...
Hello,
I am currently building an app to fix a little problem that exists on some devices with the wifi-mac and bluetooth addresses constantly changing (for me it's a N4 but I read somewhere that there are other devices with that problem too)
The thing the app should do is (steps taken from another xda thread: http://forum.xda-developers.com/showpost.php?p=43164157&postcount=1 )
- Mount /persist
- create the folders wifi and bluetooth
- create a text file in each of these directories containing the addresses that should be used in future
- fix the owners and permissions of these files and directories
- execute /system/bin/conn_init as su
The app is mostly done but somehow not working at all.
Everything from generating random adresses to saving them in a temporary file seems to work fine, but as soon as I try to mount the persist directory, the app stops to react.
At first, this was the first thing done by the SU Shell class that I wrote for executing su shell commands, so I thought that might be not working, but when I let that execute echo test it returns test just fine...
The code that is used could be expressed like that (this is missing some debug info and strings that get passed, but it should technically have the same result):
Code:
try {
shell = Runtime.getRuntime().exec("su");
outputStream = new DataOutputStream(shell.getOutputStream());
inputStream = new BufferedReader(new InputStreamReader(shell.getInputStream()));
outputStream.writeBytes("mount /dev/block/mmcblk0p20 /persist");
outputStream.flush();
} catch (IOException e) {
e.printStackTrace();
}
The attached zip file contains my main activity and the before mentioned su shell.
The complete source code of the app is available via my git server: http://greensserver.redirectme.net/greenchris/WiFi-MAC-and-Bluetooth-Adress-Fix.git
Does anybody have an idea why this isn't working?
Greetings
GreenChris
Edit:
I forgot to add the logcat...
Code:
04-09 23:33:21.289 3903-3903/com.janchristiangruenhage.macfixer I/art﹕ Late-enabling -Xcheck:jni
04-09 23:33:21.791 3903-3949/com.janchristiangruenhage.macfixer D/OpenGLRenderer﹕ Render dirty regions requested: true
04-09 23:33:21.797 3903-3903/com.janchristiangruenhage.macfixer D/Atlas﹕ Validating map...
04-09 23:33:21.951 3903-3949/com.janchristiangruenhage.macfixer I/Adreno-EGL﹕ : QUALCOMM Build: 10/28/14, c33033c, Ia6306ec328
04-09 23:33:21.953 3903-3949/com.janchristiangruenhage.macfixer I/OpenGLRenderer﹕ Initialized EGL, version 1.4
04-09 23:33:21.985 3903-3949/com.janchristiangruenhage.macfixer D/OpenGLRenderer﹕ Enabling debug mode 0
04-09 23:33:22.318 3903-3903/com.janchristiangruenhage.macfixer I/Timeline﹕ Timeline: Activity_idle id: [email protected] time:14543691
04-09 23:33:31.781 3903-3919/com.janchristiangruenhage.macfixer I/art﹕ Background sticky concurrent mark sweep GC freed 11333(680KB) AllocSpace objects, 3(44KB) LOS objects, 13% free, 4MB/5MB, paused 5.706ms total 39.550ms
04-09 23:33:31.843 3903-3903/com.janchristiangruenhage.macfixer D/macfixer﹕ address-bytes generated
04-09 23:33:43.923 3903-3903/com.janchristiangruenhage.macfixer D/macfixer﹕ save .bdaddr
04-09 23:33:43.925 3903-3903/com.janchristiangruenhage.macfixer D/macfixer﹕ address written: .bdaddr
04-09 23:33:43.954 3903-3903/com.janchristiangruenhage.macfixer D/macfixer﹕ su shell started
04-09 23:33:43.955 3903-3903/com.janchristiangruenhage.macfixer D/macfixer﹕ added outputstream
04-09 23:33:43.957 3903-3903/com.janchristiangruenhage.macfixer D/macfixer﹕ added inputstreamreader
04-09 23:33:43.957 3903-3903/com.janchristiangruenhage.macfixer D/macfixer﹕ echo test
04-09 23:33:43.973 3903-3903/com.janchristiangruenhage.macfixer D/macfixer﹕ test
04-09 23:33:43.974 3903-3903/com.janchristiangruenhage.macfixer D/macfixer﹕ mount /dev/block/mmcblk0p20 /persist
Brief synopsis
Bootloader unlock isn't likely. Amazon provide the facility to unlock the bootloader, but there is no way of getting the key.
The program which is locking the bootloader appears to be specific to MediaTek and Amazon, therefore, there isn't any source code.
The partitions with an Android bootimg header are all signed with two Amazon certificates. This includes the Little Kernel (LK) and the kernel itself.
The preloader is custom built for Amazon. The preloader doesn't respond to SP Flash Tool because it's constantly in a reboot loop when in 'META mode'. I presume it's intentional; a different version can however be installed (See 'However...').
However...
@bibikalka has found some strings in tz.img refering to a bootloader unlock. There is an amzn_unlock_verify function in lk too.
There must be a is a way to get the preloader to work properly with SP Flash Tool. However, this won't allow you custom ROMs, just reinstall Amazon's software. The software installed is still verified during the boot process. See this unbrick guide to install a different preloader. The preloader is not signed or checked by the boot process.
There is a small chance some part of the boot process could be fooled.
Downgrade potential
An anti-rollback program appears to have been built in to the bootloader which prevents any attempt at downgrading the software on the device. This is rather irritating, and means that downgrading is almost impossible. Only the preloader seems to be unaffected by this anti-rollback system – so, if you attempted to downgrade, and caused your device to become bricked, then you can restore the version you left.
Note that I vaguely reference to the preloader, uboot and lk collectively as 'the bootloader'.
Original post
I previously had downloaded the 5.0.1 and 5.1.1 LK versions, and thought, why not run these through binwalk?
For the old, 5.0.1 bootloader, putting lk.bin through binwalk gave:
Code:
DECIMAL HEXADECIMAL DESCRIPTION
--------------------------------------------------------------------------------
204256 0x31DE0 SHA256 hash constants, little endian
292292 0x475C4 Android bootimg, kernel size: 0 bytes, kernel addr: 0x5D73255B, ramdisk size: 1869570592 bytes, ramdisk addr: 0x6D692074, product name: ""
330144 0x509A0 Unix path: /mnt/build/workspace/fireos-release_500-patch-build/bootable/bootloader/ufbl-features/project/../features/common_openssl/crypto/
330752 0x50C00 Unix path: /mnt/build/workspace/fireos-release_500-patch-build/bootable/bootloader/ufbl-features/project/../features/common_openssl/crypto/
334248 0x519A8 Unix path: /mnt/build/workspace/fireos-release_500-patch-build/bootable/bootloader/ufbl-features/project/../features/common_openssl/crypto/
339912 0x52FC8 Unix path: /mnt/build/workspace/fireos-release_500-patch-build/bootable/bootloader/ufbl-features/project/../features/common_openssl/crypto/
341028 0x53424 Unix path: /mnt/build/workspace/fireos-release_500-patch-build/bootable/bootloader/ufbl-features/project/../features/common_openssl/crypto/
350360 0x55898 Unix path: /mnt/build/workspace/fireos-release_500-patch-build/bootable/bootloader/ufbl-features/project/../features/common_openssl/crypto/
351732 0x55DF4 Certificate in DER format (x509 v3), header length: 4, sequence length: 1067
353656 0x56578 Certificate in DER format (x509 v3), header length: 4, sequence length: 1069
369736 0x5A448 CRC32 polynomial table, little endian
397548 0x610EC LZMA compressed data, properties: 0x91, dictionary size: 33554432 bytes, uncompressed size: 134217728 bytes
Whilst the 5.1.1 bootloader's lk.bin gave:
Code:
DECIMAL HEXADECIMAL DESCRIPTION
--------------------------------------------------------------------------------
204960 0x320A0 SHA256 hash constants, little endian
293720 0x47B58 Android bootimg, kernel size: 0 bytes, kernel addr: 0x5D73255B, ramdisk size: 1869570592 bytes, ramdisk addr: 0x6D692074, product name: ""
332024 0x510F8 Unix path: /mnt/build/workspace/fireos-ship_511-patch-build/bootable/bootloader/ufbl-features/project/../features/common_openssl/crypto/cry
332628 0x51354 Unix path: /mnt/build/workspace/fireos-ship_511-patch-build/bootable/bootloader/ufbl-features/project/../features/common_openssl/crypto/mem
336096 0x520E0 Unix path: /mnt/build/workspace/fireos-ship_511-patch-build/bootable/bootloader/ufbl-features/project/../features/common_openssl/crypto/asn
341712 0x536D0 Unix path: /mnt/build/workspace/fireos-ship_511-patch-build/bootable/bootloader/ufbl-features/project/../features/common_openssl/crypto/evp
342820 0x53B24 Unix path: /mnt/build/workspace/fireos-ship_511-patch-build/bootable/bootloader/ufbl-features/project/../features/common_openssl/crypto/obj
352064 0x55F40 Unix path: /mnt/build/workspace/fireos-ship_511-patch-build/bootable/bootloader/ufbl-features/project/../features/common_openssl/crypto/x50
353420 0x5648C Certificate in DER format (x509 v3), header length: 4, sequence length: 1067
355344 0x56C10 Certificate in DER format (x509 v3), header length: 4, sequence length: 1069
371656 0x5ABC8 CRC32 polynomial table, little endian
So there you go! The bootloader uses OpenSSL to check the partition against two DER format certificates. Ignore the LZMA header for now; binwalk thinks almost everything is LZMA compressed.
Can you run binwalk with -e and post the 5.1.1 certs here
benwaffle said:
Can you run binwalk with -e and post the 5.1.1 certs here
Click to expand...
Click to collapse
Look at the thread about the 5.1.1 lk.bin in this forum and download the binary so you can run binwalk on it yourself.
Here is the lk.bin file, zipped. You can try and run '-e' on this binary.
The extracted certificates appear to contain format strings for decompression/compression error and debug messages. It doesn't look right. But the top of the files are valid certificate headers (or appear to be to the untrained eye).
Thanks @benwaffle.
Good effort!
I shall note that Amazon must have a way to un-brick the devices with MTK tools, they would not swap motherboards in order to revive them ...
The problem with the public MTK tools that it's even impossible to create a scatter file automatically (read only operation), meaning that the formats are such that MTK tools don't understand:
http://forum.xda-developers.com/fire-hd/help/mtk-tools-people-hopeless-bricks-t3139784
There is also an attempt to look at which partitions change when 5.0.1 goes to 5.1.1, and frankly, it's not many places to hide (only a couple of partitions):
http://forum.xda-developers.com/amazon-fire/help/understand-5-1-1-bootloader-bricking-fix-t3301991
On Fire 2014 I also looked at the strings within the bootloaders, and they had some interesting stuff regarding unlocking:
http://forum.xda-developers.com/showpost.php?p=61288384&postcount=57
I wonder if it's possible to patch the very first thing that boots (preloader), and have it pass the unlocking flags around ? Or is preloader also encrypted fully ?
bibikalka said:
Good effort!
I shall note that Amazon must have a way to un-brick the devices with MTK tools, they would not swap motherboards in order to revive them ...
The problem with the public MTK tools that it's even impossible to create a scatter file automatically (read only operation), meaning that the formats are such that MTK tools don't understand:
http://forum.xda-developers.com/fire-hd/help/mtk-tools-people-hopeless-bricks-t3139784
There is also an attempt to look at which partitions change when 5.0.1 goes to 5.1.1, and frankly, it's not many places to hide (only a couple of partitions):
http://forum.xda-developers.com/amazon-fire/help/understand-5-1-1-bootloader-bricking-fix-t3301991
On Fire 2014 I also looked at the strings within the bootloaders, and they had some interesting stuff regarding unlocking:
http://forum.xda-developers.com/showpost.php?p=61288384&postcount=57
I wonder if it's possible to patch the very first thing that boots (preloader), and have it pass the unlocking flags around ? Or is preloader also encrypted fully ?
Click to expand...
Click to collapse
Thanks @bibikalka!
Yes – Amazon must have a way of flashing firmware. I wonder if there is a JTAG header on the board as well. The Fire HD 6 had a 'JDEBUG' port, as seen in iFixit's teardown photographs: https://www.ifixit.com/Teardown/Kindle+Fire+HD+6+Teardown/29815#s70239
There might be a bootloader unlock then! It might need someone to decompile uboot to see how to trigger the unlock.
I've only managed to get the preloader_prod.img at this moment in time (I haven't taken preloader.img off). The SHA256 hash starts at around 95% (117KB out of 121KB) of the file, according to binwalk.
Hi,
I'm sorry to shatter hopes for bootloader rollback, but I was looking at the strings in preloader_prod.img and found this:
Code:
$ strings images/preloader_prod.img | grep -i rollback
[ANTI-ROLLBACK] Processing anti-rollback data
[ANTI-ROLLBACK] Failed to read block 0
[ANTI-ROLLBACK] PL: %x TEE: %x LK: %x
[ANTI-ROLLBACK] Need to update version
[ANTI-ROLLBACK] Invalid checksum!
[ANTI-ROLLBACK] Checksum validated
[ANTI-ROLLBACK] PL version mismatch!
[ANTI-ROLLBACK] L: %x R: %x
[ANTI-ROLLBACK] Updating PL version
[ANTI-ROLLBACK] TEE version mismatch!
[ANTI-ROLLBACK] Updating TEE version
[ANTI-ROLLBACK] LK version mismatch!
[ANTI-ROLLBACK] Updating LK version
[ANTI-ROLLBACK] All checks passed
[ANTI-ROLLBACK] Updating RPMB block...
[ANTI-ROLLBACK] Unable to update RPMB block (wc)
[ANTI-ROLLBACK] Unable to update RPMB block (write)
[ANTI-ROLLBACK] RPMB block updated
[RPMB] Failed to initialize anti-rollback block
[RPMB] Anti-rollback block initialized
[RPMB] Valid anti-rollback block exists
[ANTI-ROLLBACK] Invalid anti-rollback state, skipping
There is more stuff when looking for rpmb...
A little bit of googling leads to: https://docs.google.com/viewer?url=patentimages.storage.googleapis.com/pdfs/US20140250290.pdf
This doesn't look good at all
These strings might give a bit hope:
Code:
[RPMB] Invalid magic, re-creating...
[RTC] clear rpmb program mode flag in rtc register
So something could be stored in the realtime clock and the device might recover if the RPMB block gets destroyed. I can't find any mention of OTP or fuses in the image.
EDIT: It seems rpmb can be accessed through /dev/block/mmcblk0rpmb. I've uploaded mine (5.0.1) to: http://bork.cs.fau.de/~michael/fire/
It seems to only contain a few ones and many zeroes.
It would be interesting to get the rpmb of a 5.1.1 device to compare:
Code:
$ adb shell
[email protected]:/ $ su
[email protected]:/ # dd if=/dev/block/mmcblk0rpmb of=/sdcard/rpmb.bin
1024+0 records in
1024+0 records out
524288 bytes transferred in 0.093 secs (5637505 bytes/sec)
I would not advise trying to flash the 5.0.1 rpmb to a 5.1.1 device!
Regards,
Michael
stargo said:
Hi,
I'm sorry to shatter hopes for bootloader rollback, but I was looking at the strings in preloader_prod.img and found this:
Code:
$ strings images/preloader_prod.img | grep -i rollback
[ANTI-ROLLBACK] Processing anti-rollback data
[ANTI-ROLLBACK] Failed to read block 0
[ANTI-ROLLBACK] PL: %x TEE: %x LK: %x
[ANTI-ROLLBACK] Need to update version
[ANTI-ROLLBACK] Invalid checksum!
[ANTI-ROLLBACK] Checksum validated
[ANTI-ROLLBACK] PL version mismatch!
[ANTI-ROLLBACK] L: %x R: %x
[ANTI-ROLLBACK] Updating PL version
[ANTI-ROLLBACK] TEE version mismatch!
[ANTI-ROLLBACK] Updating TEE version
[ANTI-ROLLBACK] LK version mismatch!
[ANTI-ROLLBACK] Updating LK version
[ANTI-ROLLBACK] All checks passed
[ANTI-ROLLBACK] Updating RPMB block...
[ANTI-ROLLBACK] Unable to update RPMB block (wc)
[ANTI-ROLLBACK] Unable to update RPMB block (write)
[ANTI-ROLLBACK] RPMB block updated
[RPMB] Failed to initialize anti-rollback block
[RPMB] Anti-rollback block initialized
[RPMB] Valid anti-rollback block exists
[ANTI-ROLLBACK] Invalid anti-rollback state, skipping
There is more stuff when looking for rpmb...
A little bit of googling leads to: https://docs.google.com/viewer?url=patentimages.storage.googleapis.com/pdfs/US20140250290.pdf
This doesn't look good at all
These strings might give a bit hope:
Code:
[RPMB] Invalid magic, re-creating...
[RTC] clear rpmb program mode flag in rtc register
So something could be stored in the realtime clock and the device might recover if the RPMB block gets destroyed. I can't find any mention of OTP or fuses in the image.
EDIT: It seems rpmb can be accessed through /dev/block/mmcblk0rpmb. I've uploaded mine (5.0.1) to: http://bork.cs.fau.de/~michael/fire/
It seems to only contain a few ones and many zeroes.
It would be interesting to get the rpmb of a 5.1.1 device to compare:
Code:
$ adb shell
[email protected]:/ $ su
[email protected]:/ # dd if=/dev/block/mmcblk0rpmb of=/sdcard/rpmb.bin
1024+0 records in
1024+0 records out
524288 bytes transferred in 0.093 secs (5637505 bytes/sec)
I would not advise trying to flash the 5.0.1 rpmb to a 5.1.1 device!
Regards,
Michael
Click to expand...
Click to collapse
How interesting. Thanks @stargo! I've updated the OP accordingly to your findings. Yes, it seems more complex than previously thought. I'll upload my 5.1.1 rpmb binary soon.
Hi there! As se en within I read mtk is a very hard platform to work with, because they are very closed, and they hardly ever release any source, so most Roms are ports of a similar decide. I'll have a search for a device with this same soc to ser if i can come back with related info. That's why I'm surprised we have cm here!
Hi , I have finished building AOSPA for Zenfone 5 , but it bootloop , I need help !!!!
Logcat : https://drive.google.com/file/d/1hFQm7QUijLEuPnFLw6YzgpxQC1P3ZY4-/view?usp=sharing
WVMExtractor: Failed to open libwvm.so: dlopen failed: cannot locate symbol "_Z8WV_SetupRP9WVSessionP12WVFileSourceRKSsR13WVCredentials14WVOutputFormatmPv" referenced by "/system/vendor/lib/libwvm.so"...
01-17 23:03:59.008 221 221 E linker : /system/lib/libmfldadvci.so: has text relocations
01-17 23:03:59.011 221 221 E HAL : load: module=/system/lib/hw/camera.vendor.redhookbay.so
01-17 23:03:59.011 221 221 E HAL : dlopen failed: /system/lib/libmfldadvci.so: has text relocations
MediaPlayer-JNI: dlopen failed: library "libextmedia_jni.so" not found
nguyenhung9x said:
Hi , I have finished building AOSPA for Zenfone 5 , but it bootloop , I need help !!!!
Logcat : https://drive.google.com/file/d/1hFQm7QUijLEuPnFLw6YzgpxQC1P3ZY4-/view?usp=sharing
WVMExtractor: Failed to open libwvm.so: dlopen failed: cannot locate symbol "_Z8WV_SetupRP9WVSessionP12WVFileSourceRKSsR13WVCredentials14WVOutputFormatmPv" referenced by "/system/vendor/lib/libwvm.so"...
01-17 23:03:59.008 221 221 E linker : /system/lib/libmfldadvci.so: has text relocations
01-17 23:03:59.011 221 221 E HAL : load: module=/system/lib/hw/camera.vendor.redhookbay.so
01-17 23:03:59.011 221 221 E HAL : dlopen failed: /system/lib/libmfldadvci.so: has text relocations
MediaPlayer-JNI: dlopen failed: library "libextmedia_jni.so" not found
Click to expand...
Click to collapse
Please don't tell me that you abandoned LineageOS 15 project for this one?
nheolinkin said:
Please don't tell me that you abandoned LineageOS 15 project for this one?
Click to expand...
Click to collapse
I did not give up, but I did not fix ril, I'm researching it , please wait
Hellow guys, i have an hP laptop with 16 gigs of ram and enough hdd space. also i am running xubuntu 16.04 where i was previously able to compile custom roms. however recently my hard drive had crashed and i had to recover using easeUS. then i formatted it to exFat. Xubuntu as such is giving me write operations on exFat devices. my problem is now whenever am using repo sync a custom rom source it gives error like
Code:
[email protected]:/media/ayan/Ayan/Mobile/mo/pixel$ repo init -u https://github.com/PixelExperience/manifest -b oreo-mr1
Get https://gerrit.googlesource.com/git-repo/clone.bundle
Get https://gerrit.googlesource.com/git-repo
remote: Finding sources: 100% (5/5)
remote: Total 5 (delta 0), reused 5 (delta 0)
Unpacking objects: 100% (5/5), done.
From https://gerrit.googlesource.com/git-repo
cf7c083..0f2e45a master -> origin/master
Get https://github.com/PixelExperience/manifest
Traceback (most recent call last):
File "/media/ayan/Ayan/Mobile/mo/pixel/.repo/repo/main.py", line 531, in <module>
_Main(sys.argv[1:])
File "/media/ayan/Ayan/Mobile/mo/pixel/.repo/repo/main.py", line 507, in _Main
result = repo._Run(argv) or 0
File "/media/ayan/Ayan/Mobile/mo/pixel/.repo/repo/main.py", line 180, in _Run
result = cmd.Execute(copts, cargs)
File "/media/ayan/Ayan/Mobile/mo/pixel/.repo/repo/subcmds/init.py", line 399, in Execute
self._SyncManifest(opt)
File "/media/ayan/Ayan/Mobile/mo/pixel/.repo/repo/subcmds/init.py", line 171, in _SyncManifest
m._InitGitDir(mirror_git=mirrored_manifest_git)
File "/media/ayan/Ayan/Mobile/mo/pixel/.repo/repo/project.py", line 2292, in _InitGitDir
self._UpdateHooks()
File "/media/ayan/Ayan/Mobile/mo/pixel/.repo/repo/project.py", line 2312, in _UpdateHooks
self._InitHooks()
File "/media/ayan/Ayan/Mobile/mo/pixel/.repo/repo/project.py", line 2341, in _InitHooks
os.symlink(os.path.relpath(stock_hook, os.path.dirname(dst)), dst)
OSError: [Errno 38] Function not implemented
[email protected]:/media/ayan/Ayan/Mobile/mo/pixel$
any help would be recommended and appreciated
Ayan Uchiha Choudhury said:
Code:
[email protected]:/media/ayan/Ayan/Mobile/mo/pixel$ repo init -u https://github.com/PixelExperience/manifest -b oreo-mr1
Get https://gerrit.googlesource.com/git-repo/clone.bundle
Get https://gerrit.googlesource.com/git-repo
remote: Finding sources: 100% (5/5)
remote: Total 5 (delta 0), reused 5 (delta 0)
Unpacking objects: 100% (5/5), done.
From https://gerrit.googlesource.com/git-repo
cf7c083..0f2e45a master -> origin/master
Get https://github.com/PixelExperience/manifest
Traceback (most recent call last):
File "/media/ayan/Ayan/Mobile/mo/pixel/.repo/repo/main.py", line 531, in <module>
_Main(sys.argv[1:])
File "/media/ayan/Ayan/Mobile/mo/pixel/.repo/repo/main.py", line 507, in _Main
result = repo._Run(argv) or 0
File "/media/ayan/Ayan/Mobile/mo/pixel/.repo/repo/main.py", line 180, in _Run
result = cmd.Execute(copts, cargs)
File "/media/ayan/Ayan/Mobile/mo/pixel/.repo/repo/subcmds/init.py", line 399, in Execute
self._SyncManifest(opt)
File "/media/ayan/Ayan/Mobile/mo/pixel/.repo/repo/subcmds/init.py", line 171, in _SyncManifest
m._InitGitDir(mirror_git=mirrored_manifest_git)
File "/media/ayan/Ayan/Mobile/mo/pixel/.repo/repo/project.py", line 2292, in _InitGitDir
self._UpdateHooks()
File "/media/ayan/Ayan/Mobile/mo/pixel/.repo/repo/project.py", line 2312, in _UpdateHooks
self._InitHooks()
File "/media/ayan/Ayan/Mobile/mo/pixel/.repo/repo/project.py", line 2341, in _InitHooks
os.symlink(os.path.relpath(stock_hook, os.path.dirname(dst)), dst)
OSError: [Errno 38] Function not implemented
[email protected]:/media/ayan/Ayan/Mobile/mo/pixel$
any help would be recommended and appreciated
Click to expand...
Click to collapse
Wrong place to ask but yeah, have you installed the latest version of repo and python2 ?
Or before that try `rm -rf .repo` and then init again.
Android Building queries can be discussed here:
https://forum.xda-developers.com/chef-central/android/guide-android-rom-development-t2814763
Yes yes I did both. I also created a new directory and tried repo init. But still
emmm....
Ayan Uchiha Choudhury said:
Yes yes I did both. I also created a new directory and tried repo init. But still
Click to expand...
Click to collapse
Have you found anything to solution ?
SchafferWang said:
Have you found anything to solution ?
Click to expand...
Click to collapse
Exfat was the problem. Formatted to NTFS to fix it