Related
There is an updated thread now for rooting the AFTV2 that supports both 5.0.3.1 and 5.0.4 and maybe others in the future, see http://forum.xda-developers.com/fire-tv/general/root-amazon-fire-tv-2-updated-t3277556. The new method is simpler than this method and requires less to download and less steps to run.
To be safe run checkver.py every time you handshake since 5.0.4 is starting to roll out! Checkout the 5.0.3.1 tag in order to use this older method.
If you were able to root your AFTV2 we'd appropriate if you report your success on the poll located here.
NOTE: Root was obtained a few weeks ago so... this procedure is not the most time efficient, but it is just a few simple steps that anyone with a technical background can follow. There are ideas and some work in progress to make it easier. It depends also on serial port stability, which is somewhat random luck. Linux experience will be beneficial. The usual disclaimers apply, which means this rooting procedure comes with some risks and the scripts involved haven't been tested in all environments. Any harm that may come from rooting your device using this procedure is at your own risk and I assume no responsibility for any damage it may cause. I will do my best to help you get through it and recover if possible.
Root the Device
It's taken quite a bit of effort, but I've finally managed to create a pre-rooted system image (as well as backup the original) and provide a semi-efficient way to flash the rooted system image. Before attempting any of the steps listed below YOU MUST BE RUNNING 5.0.3.1. You should also have a unmodified/pristine system partition. You would probably know if you had any modifications and at this point that would be uncommon. If the patching fails for some reason just power off the device, reboot your computer (resets the serial port buffer), start the handshake script, then turn on the device. Once the handshake completes run the patching command again. There is no harm running the patching command two or more times. If it keeps hanging try a different computer.
To get started you will need a system that meets the following requirements:
Linux (Mac OS X or Windows w/ changes)
Python 3.x
PySerial
sudo yum install python3-pyserial # Fedora or RedHat
sudo apt-get install python3-serial # Ubuntu or Debian
USB Male A to Male A cable
R/W access to /dev/ttyACM0 (or use sudo)
ADB USB access (optional, but helpful)
Stop ModemManager (if you have it setup, which blocks handshaking)
Now run the following sequence of commands:
Code:
git clone --branch 5.0.3.1 https://gitlab.com/zeroepoch/aftv2-tools.git
cd aftv2-tools
wget http://download.zeroepoch.com/aftv2/5.0.3.1/system.root.img.gz
wget http://download.zeroepoch.com/aftv2/5.0.3.1/system.diff.gz
gunzip system.root.img.gz
gunzip system.diff.gz
adb reboot ; ./handshake.py # or restart but run ./handshake.py first
./checkver.py # STOP if it reports NO!
./patch_mmc.hs 0x00000000058e0000 system.root.img system.diff # takes ~2 hours
# last address is 0x50dce600
For Macs (see post #115, thanks @ians325) to satisfy the requirements above you will need to install python 3.5.0 for Mac OS X from python.org then run "sudo pip3 install pyserial" to install pyserial. Instead of "wget $URL" use "curl -O $URL".
Windows is working now, but it's constantly improving to make it easier for novice users. The bash script has been ported to a batch file (no cygwin needed) and the serial port has some auto-detection built in now. The files needed for Windows have already been added to the repo but the README is constantly evolving. @ImCoKeMaN (big thanks) and myself are working to improve the process and make it easier for Windows users.
Anyone interested in rooting using an Ubuntu VM should watch the YouTube video by @ultimate_spy_binns, https://www.youtube.com/watch?v=CZQqLoO6ojM. There is also a script to help automate the process if you are doing this on an Ubuntu live CD/USB found here (by @BagiMT).
To test that root is working you should first connect to adb shell and then run the command "su". You will need to accept a prompt on the screen (HDMI port) at least once. The shell should change from a dollar-sign ($) prompt to a hash (#) prompt.
If you would like to disable updates after rooting you can use the following commands:
Code:
adb shell
su
pm disable com.amazon.device.software.ota
To go back to stock in case you want to update or for whatever other reason:
Code:
wget http://download.zeroepoch.com/aftv2/5.0.3.1/system.orig.img.gz
gunzip system.orig.img.gz
adb push system.orig.img /data/local/tmp
adb shell
su
pm enable com.amazon.device.software.ota
dd if=/data/local/tmp/system.orig.img of=/dev/block/platform/mtk-msdc.0/by-name/system bs=1m
sync
reboot
I don't always have the best luck transferring large files over ADB so another option is to copy the uncompressed image file to a microSD card and changing the path to /storage/sdcard1/system.orig.img. Be extremely careful that you have the right path, that the file you are reading exists, and that the file is around 1.2 GB in size. Otherwise you may potentially trash your system.
Background Info
This root method works by rebooting the device and halting the boot process at the MediaTek preloader. Once halted at the preloader we can use the preloader binary API to send a series of MMC commands to the flash chip which allows 512 byte blocks to be read and written using a simple FIFO. Since we have both the original and modified system images we can generate a list of blocks that are different between the two images and only patch those blocks. This means we need to write less than 10 MB instead of 1.2 GB. If we had to send the entire system image at the speeds the preloader is limited to it would take about 2 weeks. If for some reason the system partition becomes unbootable that would be your only option to recover right now. By sending just the differences the patching only takes about 2 hours. There are ways to speed this up (about 5-10 minutes instead), but you'd need to obtain limited root access first using a much much more complicated procedure. I choose to provide instead a slower but much simpler series of commands.
The MT preloader is a process that runs before the regular bootloader (lk/fastboot) and of course before the kernel boots. It only shows up for about 3 seconds. Unfortunately the preloader is writable and could potentially be updated. The entire boot chain is cryptographically signed from what I've been able to inspect including the preloader. An unlocked bootloader would most likely be needed to flash a custom kernel (no kexec built-in of course, but modules/device drivers can be loaded) and create ROMs not based on stock. @rbox has been working on getting kexec working as a module but no ETA yet. So in conclusion the tools here allow you to modify the flash contents and using these facilities we have add SuperSU binaries to the system partition.
Anyone interested in how root was obtained should look at the history starting with this post. You should also read the README file from the aftv2-tools git repo. Also feel free to PM me if you have any questions.
Tips
If you want to disable the pop-up message when becoming root you can change notify=1 to notify=0 in /data/data/eu.chainfire.supersu/files/supersu.cfg. You need to reboot the device after making this change. It's also suggested to make the file read-only because it seems to get reset sometimes. (Thanks @ultimate_spy_binns)
Special Thanks
@qwertytical
@budokaiboy
great news
i never powered on my unit - awaiting root
can we have a 5.0.3.1 image to safely flash before root
otherwise the system might update to different version
now that rooting is out
amazon might be quick ...
reiteravi said:
great news
i never powered on my unit - awaiting root
can we have a 5.0.3.1 image to safely flash before root
otherwise the system might update to different version
now that rooting is out
amazon might be quick ...
Click to expand...
Click to collapse
Yeah, mine pre-ordered one is still in a box so I'd need to update it too. I guess I can do that tonight before a new version comes out.
reiteravi said:
great news
i never powered on my unit - awaiting root
can we have a 5.0.3.1 image to safely flash before root
otherwise the system might update to different version
now that rooting is out
amazon might be quick ...
Click to expand...
Click to collapse
Unfortunately you will need to do a normal update first before patching the system partition. It just takes too long to flash a full system image, original or modified, using the methods we have available to us now. Also the boot partition and other partitions are updated with each OTA. I hope we can continue to provide rooted versions of updated system images, but as you know there is no guarantee of that. I'd update now before there is any new updates and then root it. We could in theory root the older versions as well and even before first boot, but without the OTA updates and applying them in reverse I can't go back and patch the older releases. I strongly think the method used to write the system partition can not be fixed since I believe the preloader code is in a ROM.
Mac Update
A few notes for Mac users willing to experiment a little:
I installed python 3.5.0 for Mac OS X from python.org and then ran "sudo pip3 install pyserial" to install pyserial for python 3.x. The final change I needed to make was to change PORT in handshake.py and read_mmc.py/write_mmc.py (only tested reading the boot partition, but everything else should work). In my case the PORT was /dev/cu.usbmodem1430. The device filename seems to be based on the USB port it's connected to. I'm not sure if there is an easier way to find the device filename besides scanning /dev and looking for new devices matching a given pattern. Maybe others on this forum have some better ideas. The final caveat was I need to unplug and replug the USB cable after the handshake completed otherwise the read_mmc.py script would hang on the first read.
I succeeded in rooting mine! For comparison purposes, here's the md5sums of my partitions:
Code:
0e450c032ddce170667ba3ddc26cb960 DKB
a3ad800f012a153953b403ef1fa36e14 EXPDB
d693da95eb68b40e4315333bcf74918b KB
50f24ce4c7ac388b33310bff6f79636a LOGO
59071590099d21dd439896592338bf95 MISC
f9b5ef697fde92c42bbbec35e5a6cad4 PRO_INFO
8a9d058f87711c2e8ccc698647f5026b TEE1
eda2733e1d0214873d9cb9d78c68425f TEE2
97a2ccdb7a02838b26b9a57e4f31d51d boot
fbd20aa58cd63c07392080cad7627e18 lk
74f0bac463bae8141acf20594987a559 recovery
a06c3d6a8c73923ed5c38b479c4410d3 system
So my DKB, KB, and system partitions are different from yours.
NaturalBornHaxor said:
I succeeded in rooting mine! For comparison purposes, here's the md5sums of my partitions:
Code:
0e450c032ddce170667ba3ddc26cb960 DKB
a3ad800f012a153953b403ef1fa36e14 EXPDB
d693da95eb68b40e4315333bcf74918b KB
50f24ce4c7ac388b33310bff6f79636a LOGO
59071590099d21dd439896592338bf95 MISC
f9b5ef697fde92c42bbbec35e5a6cad4 PRO_INFO
8a9d058f87711c2e8ccc698647f5026b TEE1
eda2733e1d0214873d9cb9d78c68425f TEE2
97a2ccdb7a02838b26b9a57e4f31d51d boot
fbd20aa58cd63c07392080cad7627e18 lk
74f0bac463bae8141acf20594987a559 recovery
a06c3d6a8c73923ed5c38b479c4410d3 system
So my DKB, KB, and system partitions are different from yours.
Click to expand...
Click to collapse
That is awesome news! The first confirmed case I've heard of someone else repeating my success
About the DKB and KB partitions being different it makes me wonder what those partitions are for? I didn't include cache and userdata in the MD5SUM of course, which you noticed, because those change all the time. NVRAM when I looked inside appeared to have a few things that looked to be device specific. The system partition being different is actually expected because I found every time I rebooted my system partition changed checksums. Also that is the MD5SUM of the unmodified system partition. I noticed this weird MD5SUM behavior when I was first gaining root and doing some sanity checks. It happens right after daemonsu is started. My best guess is that the SuperSU tools mount the system r/w quickly and that causes the last mounted timestamp to change. Don't know for sure what causes it, but don't worry that's not unexpected. The main reason I kept those hashes in the repo was so when the next version comes out I know which partitions were changed and need to be updated by users who wish to maintain root.
------------------SOLVED-----------------
Please read on if you have problems with handshake script looping forever...
-----------------------------------------------
Hi zeroepoch,
meanwhile I received my Fire TV 2 and tried your scripts but unfortunately without success.
As far as I can see, there are 2 problems:
- The /dev/ttyACM0 device appears on rebooting the Fire TV, but only for some 100th of a second, then it disconnects again.
- If I give it another try, the device will appear as /dev/ttyACM1, next time /dev/ttyACM2, aso.. So I either have to update the handshake script for every try or reboot my computer (then it starts with /dev/ttyACM0 again).
When I first tried it, the handshake-script ran forever, it just missed the short time of availability of /dev/ttyACM0. So I reduced the sleep-timeout in the script from 0.25 to 0.001. Now the handshake script detects the serial device but runs into an I/O Error during one of the next steps (each time different, seems to be a "race condition").
Can you offer any advice? Could my Laptop be too slow somehow or is there some trick to make the Fire TV keep the port open for a longer time?
Greetings, Christian
Code:
shell:
[email protected]:~/aftv2-tools# adb reboot ; ./handshake.py
* daemon not running. starting it now on port 5037 *
* daemon started successfully *
Traceback (most recent call last):
File "./handshake.py", line 17, in <module>
dev = serial.Serial(PORT, BAUD)
File "/usr/lib/python3/dist-packages/serial/serialutil.py", line 261, in __init__
self.open()
File "/usr/lib/python3/dist-packages/serial/serialposix.py", line 282, in open
self._reconfigurePort()
File "/usr/lib/python3/dist-packages/serial/serialposix.py", line 413, in _reconfigurePor t
termios.tcsetattr(self.fd, TERMIOS.TCSANOW, [iflag, oflag, cflag, lflag, ispeed, ospeed , cc])
termios.error: (5, 'Input/output error')
Code:
/var/log/syslog;
Nov 11 11:25:41 DeepThought systemd[1111]: Reached target Default.
Nov 11 11:25:41 DeepThought systemd[1111]: Startup finished in 15ms.
Nov 11 11:27:28 DeepThought kernel: [ 217.460463] usb 8-2: USB disconnect, device number 2
Nov 11 11:27:31 DeepThought kernel: [ 220.608049] usb 8-2: new high-speed USB device number 3 using ehci-pci
Nov 11 11:27:31 DeepThought kernel: [ 220.741857] usb 8-2: New USB device found, idVendor=0e8d, idProduct=2000
Nov 11 11:27:31 DeepThought kernel: [ 220.741860] usb 8-2: New USB device strings: Mfr=1, Product=2, SerialNumber=0
Nov 11 11:27:31 DeepThought kernel: [ 220.741862] usb 8-2: Product: MT65xx Preloader
Nov 11 11:27:31 DeepThought kernel: [ 220.741864] usb 8-2: Manufacturer: MediaTek
Nov 11 11:27:31 DeepThought mtp-probe: checking bus 8, device 3: "/sys/devices/pci0000:00/0000:00:1d.7/usb8/8-2"
Nov 11 11:27:31 DeepThought mtp-probe: bus: 8, device: 3 was not an MTP device
Nov 11 11:27:31 DeepThought kernel: [ 220.855737] cdc_acm 8-2:1.1: ttyACM0: USB ACM device
Nov 11 11:27:31 DeepThought kernel: [ 220.884047] usbcore: registered new interface driver cdc_acm
Nov 11 11:27:31 DeepThought kernel: [ 220.884050] cdc_acm: USB Abstract Control Model driver for USB modems and ISDN adapters
Nov 11 11:27:31 DeepThought kernel: [ 220.924931] usb 8-2: USB disconnect, device number 3
Nov 11 11:27:31 DeepThought ModemManager[511]: <warn> (ttyACM0): tcgetattr() error: 5
Nov 11 11:27:31 DeepThought ModemManager[511]: <warn> (ttyACM0): port attributes not fully set
Nov 11 11:27:31 DeepThought kernel: [ 220.928861] cdc_acm 8-2:1.1: failed to set dtr/rts
Nov 11 11:27:31 DeepThought ModemManager[511]: <info> (tty/ttyACM0): released by modem /sys/devices/pci0000:00/0000:00:1d.7/usb8/8-2
Nov 11 11:27:31 DeepThought ModemManager[511]: <warn> (Plugin Manager) (Cinterion) [ttyACM0] error when checking support: '(Cinterion) Missing port probe for port (tty/ttyACM0)'
Nov 11 11:27:31 DeepThought ModemManager[511]: <warn> (Plugin Manager) (Nokia) [ttyACM0] error when checking support: '(Nokia) Missing port probe for port (tty/ttyACM0)'
Nov 11 11:27:31 DeepThought ModemManager[511]: <warn> (Plugin Manager) (Iridium) [ttyACM0] error when checking support: '(Iridium) Missing port probe for port (tty/ttyACM0)'
Nov 11 11:27:31 DeepThought ModemManager[511]: <warn> (Plugin Manager) (Generic) [ttyACM0] error when checking support: '(Generic) Missing port probe for port (tty/ttyACM0)'
Nov 11 11:27:33 DeepThought ModemManager[511]: <warn> Couldn't find support for device at '/sys/devices/pci0000:00/0000:00:1d.7/usb8/8-2': not supported by any plugin
Nov 11 11:27:35 DeepThought wpa_supplicant[837]: nl80211: send_and_recv->nl_recvmsgs failed: -33
Nov 11 11:27:36 DeepThought kernel: [ 226.092142] usb 8-2: new high-speed USB device number 4 using ehci-pci
Nov 11 11:27:37 DeepThought kernel: [ 226.225936] usb 8-2: New USB device found, idVendor=1949, idProduct=0241
Nov 11 11:27:37 DeepThought kernel: [ 226.225945] usb 8-2: New USB device strings: Mfr=2, Product=3, SerialNumber=4
Nov 11 11:27:37 DeepThought kernel: [ 226.225951] usb 8-2: Product: FireTV
Nov 11 11:27:37 DeepThought kernel: [ 226.225956] usb 8-2: Manufacturer: Amazon
Nov 11 11:27:37 DeepThought kernel: [ 226.225961] usb 8-2: SerialNumber: G070GV05544205DE
Nov 11 11:27:37 DeepThought mtp-probe: checking bus 8, device 4: "/sys/devices/pci0000:00/0000:00:1d.7/usb8/8-2"
Nov 11 11:27:37 DeepThought mtp-probe: bus: 8, device: 4 was an MTP device
After taking a closer look at my syslog and doing some research on problems with /dev/ttyACM0, I finally found the problem. It's the modemmanager. That service immmediately "grabs" the device and tries to do some invalid settings, which leads to an near immediate disconnect.
After I uninstalled the modemmanger (which seemed preinstalled in debian jessie, at least I never installed it on purpose) with
Code:
apt-get remove modemmanager
both of my problems were gone. The device stayed up for 3 seconds and after reboot of the Fire TV it had the same devicename /dev/ttyACM0 again. So I could undo my changes to the handshake script and had instant success with it.
Now I'll try rooting. WHOOT!
Thank you very much for your efforts!
I'd just like to check my understanding - are the instructions you posted comprehensive to obtaining root from absolute scratch?
I know soldering of eMMC and such things were used in development, but that is not needed now after you've done the hard work, correct?
I can just follow your steps above and root the FTV2?
gu3stZA said:
Thank you very much for your efforts!
I'd just like to check my understanding - are the instructions you posted comprehensive to obtaining root from absolute scratch?
I know soldering of eMMC and such things were used in development, but that is not needed now after you've done the hard work, correct?
I can just follow your steps above and root the FTV2?
Click to expand...
Click to collapse
Yes, you're right. No need to solder anything. You just need the tools stated in the instructions.
Hardware:
- a computer running Linux (or something very close)
- a A to A USB cable
Software:
- python3 and python3-serial packages
- adb package (not necessary but recommended)
- zeroepochs scripts and patchfiles
That said, a certain amount of base knowledge regarding Linux doesn't hurt .
Thanks! I've played around with Linux but would definitely classify myself as a beginner. I guess we'll see how user-friendly the instructions are
This is good news, definitely progress, could this be integrated into ADBFire for windows
Jay794 said:
This is good news, definitely progress, could this be integrated into ADBFire for windows
Click to expand...
Click to collapse
This would be perfect. Or even adb. I've just never used Linux
zeroepoch said:
It has only been tested on a US device and I don't know at this point if non US devices are different, maybe not.
Click to expand...
Click to collapse
Hi zeroepoch,
I just used your rooting scripts successfully on a non US (in my case German) version of the Fire TV 2!
Greets,
Christian
skyball2 said:
Hi zeroepoch,
I just used your rooting scripts successfully on a non US (in my case German) version of the Fire TV 2!
Greets,
Christian
Click to expand...
Click to collapse
Thanks for the feedback. Glad to hear it worked!
Successful root under arch Linux! Thanks for your hard work.
By any chance does this root work for the original fire TV ?
Sent from my SM-N910F using Tapatalk
Savage13 said:
By any chance does this root work for the original fire TV ?
Click to expand...
Click to collapse
No. It's MediaTek specific. It may work on most MediaTek devices though.
how can u tell handshake is ok and start patching ?
reiteravi said:
how can u tell handshake is ok and start patching ?
Click to expand...
Click to collapse
It will print "Handshake Complete". Also the serial device will remain present rather than disappear after a few seconds.
Hey guys,
I recently bought a Joying headunit (JY-UM138P2) and I am wondering if there is a way to root my device.
I tried Kongoroot and it failed. Joying Extra Tools won't work beacuse it is not a Sofia Model. And as far as I can tell there is no custom firmware for this model availabile.
Android Version: 6.0.1
CPU: ARM Cortex A53 eight-core 2+32GB PX5, GPU: PowerVR G6110
Info on System: APP 1024*600 2017-01-11 19:13:52
MCU Version: 2017-11-06 17:57:54 JY_(R68)__26_C26_6026_CAN(All)
Which is the main problem as I cannot tell from this if it is an MTCC, MTCD or MTCE unit.
In general I actually do only want to have read and write acceess to the system/media folder to be able to switchout the bootanimation.zip for a custom one that I created.
Thank you!
MrAbstoss said:
Hey guys,
I recently bought a Joying headunit (JY-UM138P2) and I am wondering if there is a way to root my device.
I tried Kongoroot and it failed. Joying Extra Tools won't work beacuse it is not a Sofia Model. And as far as I can tell there is no custom firmware for this model availabile.
Android Version: 6.0.1
CPU: ARM Cortex A53 eight-core 2+32GB PX5, GPU: PowerVR G6110
Info on System: APP 1024*600 2017-01-11 19:13:52
MCU Version: 2017-11-06 17:57:54 JY_(R68)__26_C26_6026_CAN(All)
Which is the main problem as I cannot tell from this if it is an MTCC, MTCD or MTCE unit.
In general I actually do only want to have read and write acceess to the system/media folder to be able to switchout the bootanimation.zip for a custom one that I created.
Thank you!
Click to expand...
Click to collapse
That's an fyt SoM... Solutions soon? Standby
MrAbstoss said:
In general I actually do only want to have read and write acceess to the system/media folder to be able to switchout the bootanimation.zip for a custom one that I created.
Click to expand...
Click to collapse
So far the Joying units were rooted on linux/adb level.
So if you can make an adb connection over WiFi to your unit, you already have root terminal access via adb.
That is enough for doing what you want.
Well, so far I managed to establish an ADB via wifi connection (without using an usb cable, as I dont have a male to male usb cable).
But it lists my headunit as an unauthorized device.
MrAbstoss said:
Well, so far I managed to establish an ADB via wifi connection (without using an usb cable, as I dont have a male to male usb cable).
But it lists my headunit as an unauthorized device.
Click to expand...
Click to collapse
Try this
MrAbstoss said:
Well, so far I managed to establish an ADB via wifi connection (without using an usb cable, as I dont have a male to male usb cable).
But it lists my headunit as an unauthorized device.
Click to expand...
Click to collapse
Hello, I just got my new HU (same as yours) I was able to root with kingoroot over usb adb. Go to Developer options (pw 3368), In the top right corner, underneath the back button is a menu icon. Tap and then tap "USB computer connection." Then select the bottom option. I believe only the left side USB will work (when facing front of HU) and you may need to toggle the USB debugging switch. Windows, adb based kingoroot will work.
Only problem, root will not stick after reboot...I was able to install xposed framework, and install xposed Additions. Additions still works after loss of root, so not so bad. I use a RcJoyCon to HW keyboard for my SWC I am still experimenting with other apps.
Does loss of root mean a locked bootloader?
I also had no male to male USB, just made my own. Just twisting the wires together worked fine.
Please share if you learn of any ways to retain root.
Will monitor this thread, as Im looking for root for JY-UM135P2 too. Will try the usb method soon.
EDIT: tried to make custom male to male usb. Connected the 5 wires. Laptop and hu doesnt recognise the cable.
steef84 said:
Will monitor this thread, as Im looking for root for JY-UM135P2 too. Will try the usb method soon.
EDIT: tried to make custom male to male usb. Connected the 5 wires. Laptop and hu doesnt recognise the cable.
Click to expand...
Click to collapse
My usb mod only involved 4 wires. Not sure whats going on with the extra wire, that may be the issue. Double check your connections.
Was able to re-root today using my X98 tablet, Good news for the future, when needed after car install. Its rare that you would need to reboot anyways, after all the software mods have been done . Deep sleep retains root, and the device is only drawing 0.01Amps(limit of measure)
I'll have more to share for these non MTCD/E, PX5 units in the future. Have found a way to keep user apps in memory, after deep sleep by using xposed modules. Tasker now stays active.
Oke today tried again. Bought male to male usb. Still the cable js not recognised in both usb ports. Enabled usb debugging and tried lower and upper option in the chinese menu from developer options. So no clue for now
Experimental and untested
As some of you might know I created a windows and linux script to install seSuperuser onto the Joying Sofia3GR Intel units.
I just compiled su and the Superuser.apk for the PX5 models. I do not have a PX5 and therefore this is completely untested!
Prerequisites:
- You need to have adb over tcpip working.
- (Linux) You need to have adb installed (but you have otherwise the line above would not be possible)
- Have a Joying PX5 ROM available so you can reflash if necessary.
On your pc:
Download the attached Superuser-JoyingPX5-Arm.zip onto your pc/laptop.
Unzip it somewhere on your pc/laptop.
On Windows: Run CMD.exe as Administrator.
On Linux like OSes: Open a terminal.
Change to the folder where you unzipped the files and change to the folder where the install.sh and install.bat are located.
On Windows: Run the install.bat script with the IP address of your Head Unit as a parameter: install.bat 192.168.178.50 (for example)
On linux: Run the install.sh script with the IP address of your Head Unit as a parameter: ./install.sh 192.168.178.50 (for example)
Wait until the script finishes.
Reboot your Head Unit.
gtxaspec said:
That's an fyt SoM... Solutions soon? Standby
Click to expand...
Click to collapse
Hi gtxaspec,
Are you planning to make an custom rom for these Rockchip PX5, FYT 6026 bases headunits?
I have your GTX joying ROM V9a3an on a Joying FYT6021 intel SoFIA and it works so much better than the stock rom.
Keep up the good work!
surfer63 said:
Try this
Click to expand...
Click to collapse
i finally got my device connected and also got the unauthorized message:
"This adbd's $ADB_VENDOR_KEYS is not set; try 'adb kill-server' if that seems wrong.
Otherwise check for a confirmation dialog on your device."
I tried everything i could find on the net and in your link but still had no luck...
Does anybody have an idea what else I could try?
The thing with my device is - in order to be able to connect to it with adb I had to change something in the developer options menu: in the top right corner there are 3 dots (even above the On/off switch) and there you can only choose "USB computer connection" - if you click on that a popup menu appears "USB MODE" and 2 chinese options to choose from. It was set on the first option but only works if set on the second option (it's chinese so i can not read it)
Hi, I was searching the net and did not find anything, so maybe android gurus here can help.
I have Tesla style head unit based on autochips AC8227 processor cortex a53 quad core processor. I have android 4.4.4 installed on head unit, despite the fact it says it's android 6.0. I've rooted it or it was rooted initially, do not know, however I have access to the system files.
So what I need^
1) I need the best way to make backup of the firmware in case I brick something manipulating with system files.
2) I need to be able to redirect whole sounds to external USB sound card in particular to USB DAC based on PCM2704 with SPDIF output.
from searching the net I found that if I enter commands in terminal emulator:
su
ls /dev/snd
I'll get all sound devices recognized and used by android system and there should be USB sound system listed as well (if it's recognized of cause) However external sound card is not there. So I need to add modules (drivers) for it into the system.
Where to get them and how to prepare to be usable with AC8227 processor I have no clue.
Please help me to find solution to my challenging questions.
thanks
Flyaudio in Russia sells head units for a variety of cars that are also based on the Intel Airmont CPU, similar, but not equal to Joying latest Intel Airmont head units (see https://forum.xda-developers.com/an...ying-android-8-1-intel-airmont-eight-t3897206 and https://forum.xda-developers.com/an...ing-finally-head-unit-digital-output-t3891087 )
I purchased a G4909R unit, a 10 inch (=no knobs) unit for Volkswagen Passat B7 (https://flyaudio-shop.ru/products/g4909r-magnitola-android-volkswagen-passat-b7-2010-2015)
Youtube video https://www.youtube.com/watch?v=HZhE30W5ej8
Similarities to Joying’s units:
- Android 8.1.0 “user” build with its limitations for rooting, adb, debugging, etc.
- DSP with quite a lot of equalizer settings, but it seems to be a slightly different DSP
- FYT/SYU system apps (oh dear…)
Differences to Joying:
- No SPDIF audio output
- No 3G/4G modem
- Different BT chip
- Completely different form-factor (see video linked above at timestamp 6:06 https://youtu.be/HZhE30W5ej8?t=366 )
Passwords
Factory Settings: 3368
Developer Settings: 3368
Backlight current adjustment: 5768
Door lock interference: 0000
I was able to root it with the same approach (but not using the ready-made files!) as documented for the Joying units https://forum.xda-developers.com/an.../howto-root-joying-sc9853i-head-unit-t3915530
I noticed that some apps that I used on Intel Sofia and Rockchip PX5 units without problems now run into crashes on this unit, actually ANRs (Application Not Responding).
Actually, the Android 8.1 version on this unit is quite different compared to a “stock” Android 8.1, both from its UI and also “internally”.
SYU has created a monster of a Settings app. Car related settings and standard Android settings are all mixed without any structure. Not very clever at all!
Another Android modification: The steering wheel controls for PREV and NEXT only work when used in the SYU system apps (e.g. FM radio and Music player). No other standard app works, also not my DAB-Z app. Reason is that the FYT middleware is circumventing the Android framework MediaSession handling completely and thus the MediaControl interfaces in apps don’t work.
The SYU Bluetooth app still kills Google contacts, a bug that existed already 3 years ago in the Intel Sofia units with Android 6.01. They have not done anything about it!
My conclusion after some days with the unit on my desk, and now in the car for about a week:
Nice hardware, but the software is crippled more than ever…
realzoulou said:
Similarities to Joying’s units:
- Android 8.1.0 “user” build with its limitations for rooting, adb, debugging, etc.
I was able to root it with the same approach (but not using the ready-made files!) as documented for the Joying units https://forum.xda-developers.com/an.../howto-root-joying-sc9853i-head-unit-t3915530
Click to expand...
Click to collapse
Now that you have it rooted, you can make the /system read-writable from a rooted terminal.
Code:
su
mount -o remount,rw /system
Can you change the build.prop?
Code:
ro.build.type=user
to
Code:
ro.build.type=userdebug
and add:
Code:
persist.adb.tcp.port=5555
ro.debuggable=1
ro.adb.debuggable=1
And reboot?
Maybe you can then adb over tcpip?
I'm not sure whether this will work, but you can try.
On a normal user build adbd is not enabled/started. So it also might require the addition of "start adbd" in the "/system/bin/install-recovery.sh".
(But maybe when you set the debuggable properties, it is started automatically. I should take a look at the rc files in the boot image)
I enabled adb over WiFi persistently. However, it was a bit tricky.
1. Enable USB device mode in Developer Menu (very well hidden: First click on "..." on uper right corner, then the second option in the Chinese dialog)
2. Connect head unit to PC via USB (not all USB ports of the device allow adb, so try out all of them)
3. Use "adb shell" to execute
Code:
su
setprop persist.adb.tcp.port 5555
After a reboot you can connect via adb over WiFi.
The property ro.build.type is set usually by the kernel. You cannot set it via build.prop.
realzoulou said:
I enabled adb over WiFi persistently. However, it was a bit tricky.
1. Enable USB device mode in Developer Menu (very well hidden: First click on "..." on uper right corner, then the second option in the Chinese dialog)
2. Connect head unit to PC via USB (not all USB ports of the device allow adb, so try out all of them)
3. Use "adb shell" to execute
Code:
su
setprop persist.adb.tcp.port 5555
After a reboot you can connect via adb over WiFi.
The property ro.build.type is set usually by the kernel. You cannot set it via build.prop.
Click to expand...
Click to collapse
i know this is old, but...
I have adb over wifi enabled... when i connect to ADB i get device unauthorized. I shouldn't need usb drivers since its wifi, right? I am 99% sure its device related and not my laptop or software, because I have an 8227 headunit that connects fine. Is there anyway to authorize my TS9 Topway unit through terminal without root?
Hello,
I'm new with the Head Unit based on Android and If someone could help me answer some questions it could help me a lot.
I have this unit
In short:
Allwinner T8 board
MCU: T8.3.19-167-10-A43101-190504
System: V9.3.1_20181106.155925_CLC1-FD
Android 8.1
I'm trying to modify the ROM... and I don't care If I loose all the pre-installed crap inside.
So far, this is what I can do with this rom:
- Install APKs...
- Remove APKs...
- Connect via ADB over network
if beforehand inside the device I type "setprop service.adb.tcp.port 5555" in a terminal, then turn off and on the debug option in the developper menu. Thanks to serious manufacturers, all passwords seem to be shared between various if not all unit buyable over internet. The command and developper option trick must be done after EACH reboot, wich is fantastic behavior.
- Reboot to bootloader or recovery using adb
- In recovery, I can do nothing since there is no hardware key appart "reset"..., USB keyboard seem to not work either (I cry when I see the non reachable "mount /system" option ...).
- Use a hand made USB A-A cable to communicate with the device, when in bootloader. If "in rom" or recovery, adb or fastboot don't see the device.
So basically I can do nothing.
- I searched for firmwares, but I only find direct links to various site that provide update.zip or update.img or similar, but no flashable firmware from fastboot.
- If I found update firmware for T8 based board, my manufacturer version code (CLC1-FD) match none of those available here or on russian forums (AKW1-FD, JP1, TW2-FD,....).
- I can not use su (not allowed, setgid failed), to make boot and system image backup that I can eventually modify
- I tried KingRoot, Magisk (but I have no boot image ...) none work
- I tried "fastboot oem unlock[or whatever]", which just freeze fastboot and make it unusable until another reboot
So in the end, if someone know something about this hardware, if the another firmwares (AKW1-FD, JP1, etc) are compatible between devices, or if you know where I could ask for original firmware (oem image), or if it is possible to unpack the updates files to extract something exploitable (already tried for hours using basically all tools available like kitchen simg2img etc), please help me.
I have another device that will come to me, the ownice C800, but I think it will be the same problem. Unmodifiable over locked device.
I am working in a business where we need this kind of hardware inside a car, and we wanted to use one of the unit to make a proof of concept so we cannot afford custom hardware right now.
Thanks you if you had the patience to read this. Hope you can help.
Update and file recovery for Allwinner T8
Hello,
Do you find or have rom, firmware for Allwinner T8 and any app radio for testing?
Do you know? How make file *.img rom from my Unit?
Tomek