Related
Finally the race is over and some brave devs managed to get root on the tattoo and some were able to reproduce it on their own devices already. But notice: We are in an early stage of development. There is no one-klick-get-root app at the moment and there is still much work to be done until we get custom roms.
I will try to keep track of the ongoing development and update this post periodically. I've you find a mistake or get something new, let us know but we can't give support to every linux-nob at this point of development!
At the moment beeing root on the tattoo does NOT enable you to use the usual applications like Wifi Tethering that need root out of the box. You are also unable to write to /system by default. Now there is a new hack to make /system writable (look at the bottom of this post)
[size=+2]Status[/size]
Last update: 26.02.2010 - 12:55 MEZ
[size=+1]Rooting[/size]
The tattoo was successfully rooted the first time on 19.02.2010 ( http://forum.xda-developers.com/showpost.php?p=5672597&postcount=93 ). It was reproduced by some other users already, there is some work to be done make the exploit work more easily.
Because it has been asked many times: If there will ever be an OFFICIAL update with android 2.1 by HTC for the Tattoo (nobody knows definitively), this root-exploit will NOT work! You will lose root then!
It was done by porting this exploit http://www.milw0rm.com/exploits/8678 to the arm plattform and the tattoo. It uses a security hole in kernel 2.6.29 that wasn't patched in tattoos kernel. All began here on 10.2.2010 (the first post doesn't has to do anything with this): http://forum.xda-developers.com/showthread.php?t=631540
Kudos to zanfur, bftb0, mainfram3, HT123 and others (sorry if I forgot an important one).
The exploit was tweaked to deliver root more reliable.
[size=+1]Flashing custom roms[/size]
To develop custom roms won't be the problem, but the tattoo has got some extra security mechanisms that don't make it trivial to flash a new rom even now we have root. There is work going on to solve this.
[size=+1]Howto get root-privileges[/size]
I think it is save to follow but this is done at your own risk. Don't blame me if you Tattoo explodes, eats your hamster or make your girlfriend leave you.
Remember: We're in an early state of development, this is no Klick-an-Run-app, linux knowledge is needed.
Newbis on Windows should follow this howto made by Coburn64, its much easier than this one: http://forum.xda-developers.com/showthread.php?t=637927
Download this to your PC and unzip: View attachment 285070
(the older release was called m6 and can be found here: View attachment r00t.zip)
m7 is the binary. Push m7 to your Tattoo using adb:
Code:
adb push m7 /data/local/bin/m7
adb chmod 755 /data/local/bin/m7
Start a shell:
Code:
adb shell
Start the exploit in the shell:
Code:
cd /data/local/bin
while `true` ; do /data/local/bin/m7; done
The new m7 is an improved version of the old m6, it now should bring you root much more reliable.
With the old m6 while it is running, bring up and close random apps via task manager on the tattoo. This might not be necessary with m7. After a while the exploit should report success and come up with a root-shell. The promt should change from
Code:
$
to
Code:
#
Sometime the exploit stopps but no shell ('#') comes up. Just terminate it with ^C and try again.
You did it, you should be root now!
Let's set some variables:
Code:
export LD_LIBRARY_PATH=/system/lib
export PATH=/system/bin
When you got your shell, check if you are really root:
Code:
id
You should get something like this:
Code:
# id
uid=0(root) gid=1000(shell) groups=1003(graphics),1004(input),1007(log),1011(adb),1015(sdcard_rw),3001(net_bt_admin),3002(net_bt),3003(inet)
uid=0(root) is important.
To get a root-shell more easily next time, we have to make su work.
Take this su binary and push it in your tatto: http://www.fileuploadx.de/45656
Code:
adb push su /data/local/bin/su
Remount /data without the nosuid-option
Code:
# mount -o rw,remount /dev/block/mtdblock3 /data
Change the owner to root and set the suid-bit
Code:
# chown root.root /data/local/bin/su
# chmod 4755 /data/local/bin/su
Now you don't have to run the exploit again, just open a normal shell and run
Code:
$ /data/local/bin/su
Now you should be root!
Attention: If you reboot your phone, you have to run the exploit and the mount command again because /data will be mounted nosuid again!
Thats it!
Some suggestions for going on. When you run mount, you will see that some partitions are mounted read-only and/or with the nosuid-option. You can change this by running:
Code:
mount -o rw,remount /dev/block/mtdblockYOUWANT /DIRtoREMOUNT
[size=+2]Other developer stuff[/size]
Here I will list all other thinks, more dangerous and not with all steps described in detail because you should know how to do this if you want to
New: Make /system writeable
This is a dangerous part, it might break you system forever unless you don't know what you are doing! Don't try it unless you are a dev! That is the reason why the steps you have to do are not described in a more detailed way. If you don't know what to type in, you shouldn't try this hack!
Download View attachment 286072
1. Copy tattoo-hack.ko from the zip to /data/local/bin
2. # insmod /data/local/bin/tattoo-hack.ko
3. Remount system partition to be writeable
Now you can do everything with /system until you reboot. /system is the only partition that is mounted without nosuid after reboot, so copy su over to /system/bin/ to keep root permanently. To be able to use programs like setcpu you have to replace /system/bin/su with this su:
View attachment 286154
Flashing a custom recovery image
This is in alpha-state but we are able to flash custom recovery images what is the determining step to flashing custom roms. Don't ask how to flash android 2.x (we didn't do it right now) or when it will be ready. It will bes sometimes...
http://forum.xda-developers.com/showthread.php?t=639486
Have a lot of fun!
-bm-
BTW.. In order for /data/local/bin to exist it's probably best you do the busybox install to there first.. also the busybox commands are very handy.
Great - bm - thank you very much
-bm- said:
-bm-
Click to expand...
Click to collapse
This is a great day, it's really amazing how people could work together searching the good way to root this awesome little phone. Just to say I've really appreciated your work... I followed all you guys day by day... Thank you everyone, sorry for the OT.
Anyway... risks of bricks?
elvisior said:
BTW.. In order for /data/local/bin to exist it's probably best you do the busybox install to there first.. also the busybox commands are very handy.
Click to expand...
Click to collapse
Youre right, busybox makes further development more handy. But I think it isn't needed for /data/local/bin to exist, because for me it was there and I've got no busybox on my tattoo
chdir /data/local/bin
Click to expand...
Click to collapse
instead of
chdir to /data/local/bin
Click to expand...
Click to collapse
Thanks Man.
Nice team work.
stupid noobie question how Push m6 to your Tattoo using adb! can anyone possible make a noobie tutorial?!
@zoko : Use your favorite linux distribution.
please can you help me?when I do .m6 in shell i get
Code:
[ Overwritten 0xb0000100
but no #, any help for me?
ApotheoZ said:
@zoko : Use your favorite linux distribution.
Click to expand...
Click to collapse
You don't need Linux. Windows or even Mac OS will do just fine.
Zoko, grab adb.exe from the Android SDK. To install m6, just run:
Code:
adb push m6 /data/local/bin/m6
chusen said:
please can you help me?when I do .m6 in shell i get
Code:
[ Overwritten 0xb0000100
but no #, any help for me?
Click to expand...
Click to collapse
As I try to say in my howto (okay, my english is not the best ;-) ): That happens quite often. Just stop it with ^C ([control]+C) and start the exploit again until you have luck!
zoko said:
stupid noobie question how Push m6 to your Tattoo using adb! can anyone possible make a noobie tutorial?!
Click to expand...
Click to collapse
Hi zoko!
Please use google to find a tutorial for pushing files using adb, there are many out there and using adb is not tattoo-specific!
We don't have time to provide more service at the moment ;-)
By the way: I'm happy about everybody testing, but I wonder what you want to do with a root-shell I you even didn't use adb before. But learning and trying is always a good thing but please consider learning by googling also ;-)
Have a lot of fun!
-bm-
thanks but i try and try and try... and same result, more ideas or only try it?
Is there any way to mount /data r/w on boot?
I doubt it because the exploit should be run first... hmm
So now we need a custom rom with root privileges
...first a recovery.. i think
after i run the exploit once I have to reboot the phone to be able run it again or i get
HTML:
$ usage: reboot [-n] [-p] [rebootcommand]
.
any option to be able to run it more than once without rebooting the phone?
The Tattoo Root (kit)
Here's a small installation batch, to make it easier for everyone.
Download the supplied zip (TattooRoot).
Run 'install-tattoo-root'.
Code:
--------------------------------------------------
Creating /data/local/bin (it's ok to get an error)
mkdir failed for /data/local/bin, File exists
300 KB/s (5546 bytes in 0.018s)
1366 KB/s (356916 bytes in 0.255s)
9 KB/s (126 bytes in 0.013s)
--------------------------------------------------
M6 exploit (shoryuken derived with ARM shellcode from Zanfur)
installed to /data/local/bin
STEP 1:
Launch adb shell at the command prompt
Once in a shell type:
while `true` ; do /data/local/bin/m6; done
The exploit has succeded once you get a root prompt (indicated by #)
Retry the while loop above, until you get the root prompt
STEP 2:
Run /data/local/bin/create_su.sh to create a
suid shell in /data/local/bin/su
I think the comments are self-explanatory. If you can't get the m6 into your Tattoo, even with the help of this batch, I suggest you wait a little longer for a more foolproof way to free your Tattoo
Everytime you reboot your Tattoo you'll have to execute steps 1 and 2 again.
@mainfram3 i dont get same results
Code:
--------------------------------------------------
Creating /data/local/bin (it's ok to get an error)
mkdir failed for /data/local/bin, File exists
300 KB/s (5546 bytes in 0.018s)
1366 KB/s (356916 bytes in 0.255s)
9 KB/s (126 bytes in 0.013s)
--------------------------------------------------
M6 exploit (shoryuken derived with ARM shellcode from Zanfur)
installed to /data/local/bin
STEP 1:
Launch adb shell at the command prompt
Once in a shell type:
while `true` ; do /data/local/bin/m6; done
The exploit has succeded once you get a root prompt (indicated by #)
Retry the while loop above, until you get the root prompt
STEP 2:
Run /data/local/bin/create_su.sh to create a
suid shell in /data/local/bin/su
i get
Code:
Creating /data/local/bin (it's ok to get an error)
mkdir failed for /data/local/bin, File exists
34 KB/s (5546 bytes in 0.156s)
796 KB/s (356916 bytes in 0.437s)
7 KB/s (126 bytes in 0.015s)
--------------------------------------------------
where are my error?
chusen said:
i get
Code:
Creating /data/local/bin (it's ok to get an error)
mkdir failed for /data/local/bin, File exists
34 KB/s (5546 bytes in 0.156s)
796 KB/s (356916 bytes in 0.437s)
7 KB/s (126 bytes in 0.015s)
--------------------------------------------------
where are my error?
Click to expand...
Click to collapse
Chusen,
That is allright.
Now, launch a adb shell by typing
Code:
adb shell
and then try the exploit
Code:
$ while `true` ; do /data/local/bin/m6; done
until your greeted with:
Code:
[ Overwritten 0xb0000100
# <---- This # indicates you got root
Greeting all,
First of, I would like to thanks all of you for the amount of info I have found in this forum.
This is trully amazing and, so far, allowed me to sucessfully:
- Unlock my phone
- Root my phone
- Install a custom recovery image
I know that I am creating a new post on a very known and discussed subject BUT after 2 days of google seach nothing I have tried has permitted me to sucessfuly delete this £$%^&*() of script.
As you all know, it needs to be deleted to launch the custome recovery image (at the moment, I am stucked with the exclamation mark with the little Droid when I try).
IMPORTANT: I currently run the Froyo android 2.2 official ROM.
To delete this scipt, I have tried 2 approaches:
- Console mode from windows using ADB
- directly form the phone using a File explorer
#1: From the console:
As mentionned in many previous posts, I have tried the following commands once connected to the nexus
adb shell
su
mount -o rw,remount -t yaffs2 /dev/block/mtdblock3 /system
I beleive this command is either incorrect OR no longer working with Froyo 2.2 as I get the following message which looks fishy (I am not a Linux specialist...):
Usage: mount [-r] [-w] [-o options] [-t type] device directory
When I try to delete the scripe with the commande below, I am kindly informed that it failed as it is still a read only file system
rm /system/etc/install-recovery.sh
#2: From the phone
I read that SUFBS, a very nice file explorer was available on the market allowing to mount both system AND data in RW would allow me to do it.
I have had several try at it enabling RW at different moment (System then etc then directly when I am in the folder and see the script I want to delete) and whatever I do, each time I select the command delete, it looks like it works (little pacman eating) but the script from the dark side is sill there like nothing happened...
As I am close to give it the microwave treatment to see if it works better ;-) I thought I give it a try on the forum to see if any Android/Linux god would spend 5 minutes to explain to me what I am doing wrong...
Thanks a lot in advance!
BooToo
Try this:
mount -o rw,remount /system
I can't guarantee that works with Froyo but it's all I've ever used and I don't remember it giving me any problem when I used Froyo.
Umm I think it should be mount -o remount,rw then type the rest
You can also try this mount -o remount,rw /dev/block/mtdblock3 /system
Sent from my Nexus One using XDA App
adb is supposed to have it's own remount command for doing this, but I've only used adb once when I rooted so I'm no help there.
Other than that, try doing: ls -l /system/xbin/mount to see if mount is a link to busybox. If it is, the last part of the output will look like this: /system/xbin/mount -> busybox
If it is, type busybox | head -n1 to see what version of busybox you have.
ilostchild said:
Umm I think it should be mount -o remount,rw then type the rest
Click to expand...
Click to collapse
Heh, I never realized I had those backwards compared to how people usually do it, but the order doesn't actually matter. It's not necessary to specify the device as the remount option doesn't change the mount point or device.
# mount | grep system
/dev/block/mtdblock3 on /system type yaffs2 (ro,relatime)
# mount -o rw,remount /system
# mount | grep system
/dev/block/mtdblock3 on /system type yaffs2 (rw,relatime)
Well...
I am an ass...
I did not have enabled the "USB debugging" on the phone...
Problem soved with the exact command lines I put at the beginning...
After rooting, flashing clockworkmod through ROM manager it was still going into stock recovery mode. Then I deleted /system/etc/install-recovery.sh and got my phone(HTC magic - 32A) bricked. Now it starts, shows rogers logo for 5-6 seconds and restarts and repeats untill i take out battery. I tried all combinations(power+back , power+home, Power+volume, Menu+home+power, menu+call+power) for quickboot and recovery mode but no success. Anyone has any idea about this issue?
If you have an HTC Magic, you're in the wrong forum...
Sent from my Nexus One using XDA App
just rename the script and you're done!
1) Bump 6 month old thread
2) Post in the completely wrong forum
3) Posts: 1 Join Date: Feb 2011
UGH.
error while loading new compiled Linux kernel image into the android emulator(1.5)
I am sorry, that i am asking my question in "reply" but i am not able to make a new post.
I have successfully compiled Linux kernel for android:
[email protected]:~/common# ARCH=arm CROSS_COMPILE=~/mydroid/prebuilt/linux-x86/toolchain/arm-eabi-4.4.0/bin/arm-eabi- make
CHK include/linux/version.h
make[1]: `include/asm-arm/mach-types.h' is up to date.
CHK include/linux/utsrelease.h
.
.
.
SYMLINK include/asm -> include/asm-arm
CALL scripts/checksyscalls.sh
<stdin>:1097:2: warning: #warning syscall fadvise64 not implemented
<stdin>:1265:2: warning: #warning syscall migrate_pages not implemented
<stdin>:1321:2: warning: #warning syscall pselect6 not implemented
<stdin>:1325:2: warning: #warning syscall ppoll not implemented
<stdin>:1365:2: warning: #warning syscall epoll_pwait not implemented
CHK include/linux/compile.h
Kernel: arch/arm/boot/Image is ready
Kernel: arch/arm/boot/zImage is ready
Building modules, stage 2.
MODPOST 157 modules
[email protected]:~/common#
but i get the following error while loading this images in the emulator:
[email protected]:~/android-sdk-linux_x86/tools# ./emulator -avd avd1.5 -kernel ~/common/arch/arm/boot/zImage -show-kernel -verbose
emulator: found SDK root at /home/preetam/android-sdk-linux_x86
emulator: root virtual device file at /home/preetam/.android/avd/avd1.5.ini
.
.
.
yaffs_read_super: isCheckpointed 0
sh: can't access tty; job control turned off
# init: cannot find '/system/bin/playmp3', disabling 'bootsound'
init: cannot find '/system/bin/dbus-daemon', disabling 'dbus'
eth0: link up
init: untracked pid 578 exited
init: untracked pid 579 exited
warning: `rild' uses 32-bit capabilities (legacy support in use)
init: untracked pid 601 exited
init: untracked pid 592 exited
init: untracked pid 605 exited
init: untracked pid 602 exited
init: untracked pid 609 exited
init: untracked pid 606 exited
init: critical process 'servicemanager' exited 4 times in 4 minutes; rebooting into recovery mode
save exit: isCheckpointed 1
save exit: isCheckpointed 1
Restarting system with command 'recovery'.
Reboot failed -- System halted
and the emulator didn't start with the new kernel image(emulator didn't reboot). what is the problem here..?? and how can i replace my emulator's image with newly compiled Linux permanently??
please help. thank you!
I did everything as the guy who initiated this post under windows vista, and I have the same problem. However, I don't know how to go about deleting or renaming that scrip. Can you, give me a step by step procedure? Thank you
Flash this through recovery to delete the script...
http://db.tt/ooDaCnU
Hi,
I am sort of new to this. how do I flash using the above script?
How to install ubuntu on the Droid 4
Note to mods: this thread is a branch off of this thread
Huge thanks to zacthespack for creating the ubuntu installer app and original boot script and to zeroktal for modifying the script to work on the D4 and helping me get it working on my device.
I decided to take my experience in setting this up and put it into a how-to so that others could enjoy the experience of having ubuntu on the Droid 4. If zackthespac or zeroktal have any problems with me making and putting this guide up, please let me know and I will remove it.
Knowledge Required:
working knowledge of command line
working knowledge of vi
OR the ability to learn how to use both
Tools Required:
A rooted Motorola Droid 4
BusyBox (Android Market)
Terminal Emulator (Android Market)
Android VNC Viewer (Android Market)
Ubuntu Installer App (Android Market)
zeroktal's ubuntud4.zip file (attached to this post and mediafire)
Vi Cheat Sheet (lagmonster.org)
Step by Step:
Install BusyBox, Terminal, and Android VNC Viewer
Install and run Ubunutu Installer App
Follow the on-screen instructions and click next
Download either the Small or Large image to your phone, (use zeroktal's ubuntud4.zip file instead of the boot script provided in the guide) after the image downloads (will take a while because the file is HUGE) click next
For this screen, the instructions differ from the app.
1. With your D4 plugged into your PC in USB Mass Storage, create a directory (folder) called ubuntu in the EXTERNAL sdcard's root*
2. Extract the image you downloaded to that directory
3. Download and extract the attached .sh (ununtud4.zip) to that directory
4. Disconnect your phone from your PC
5. Open terminal and run the following commands:
su [ENTER]
mount -o remount,rw,exec,suid /dev/block/vold/179:1 /mnt/sdcard-ext [ENTER]
cd /mnt/sdcard-ext/ubuntu [ENTER]
sh ubuntud4.sh [ENTER]
960x540 [ENTER]**If you get an error message: ubuntud4.sh: 45: syntax error: end of file unexpected (expecting "then") see troubleshooting section below.killall -TERM Xtightvnc [ENTER]
vncserver :1 -geometry 960x540 [ENTER]**6. Open androidVNC app and enter the following settings:
Nickname: Anything you want
Password: ubuntu
Address: localhost
Port: 5901
Color Format: 24-bit color (4 bpp)
7. Hit connect
8. Hit your menu soft button and then set input mode to touchpad
9. You have ubuntu on your Droid 4!
To "shut down" ubuntu:
press the menu button, select disconnect in VNC
In terminal type this command 3 times (terminal will close itself when you are done):
exit [ENTER]
To "start up" ubuntu again:
Follow steps 5-8 above
Troubleshooting:
If you get the error message: ubuntud4.sh: 45: syntax error: end of file unexpected (expecting "then") you are about to have fun with vi at the command line.
Do the following from inside terminal:
su [ENTER]
cd /mnt/sdcard-ext/ubuntu [ENTER]
vi ubuntud4.sh [ENTER]If you see ^M or ^ at the end of any line (remember to scroll all the way to the right to see the end of long lines) remove it. once you do that, everything should work just fine. (See the Vi Cheat Sheet above for help with Vi)
Note: Vol Up + E is [ESC] by default in this terminal emulator
Notes:
* It does not have to be on the external SD, but if you put it on the internal SD you will have to modify things as needed-- if you dont know what needs to be changed, just put it on the external SD.
** Screen size can be whatever you want it to be, but 960x540 is the size of the D4 screen.
*** This is a fairly involved process... especially when it comes to editing the .sh file in vi things can get very frustrating and hard, but just take your time and you will get it. As always, doing anything with root access on your phone, especially on the command line has risks. I am not responsible if anything goes wrong with your phone... proceed at your own risk!
greekchampion04 said:
Notes:
* It does not have to be on the external SD, but if you put it on the internal SD you will have to modify things as needed-- if you dont know what needs to be changed, just put it on the external SD.
** Screen size can be whatever you want it to be, but 960x540 is the size of the D4 screen.
*** This is a fairly involved process... especially when it comes to editing the .sh file in vi things can get very frustrating and hard, but just take your time and you will get it. As always, doing anything with root access on your phone, especially on the command line has risks. I am not responsible if anything goes wrong with your phone... proceed at your own risk!
Click to expand...
Click to collapse
I actually got it up and running on my internal sdcard partition. Pretty much just have to modify the Mount remount command, and a few lines in the script.
Here's the original command
Code:
mount -o remount,rw,exec,suid /dev/block/vold/179:1 /mnt/sdcard-ext
And the modified one
Code:
mount -o remount,rw,exec,suid /dev/block/vold/179:57 /mnt/sdcard
Only things you have to change are the device location(179:57) and mount location(drop the -ext after sdcard)
Now, after that you also have to modify the script a bit. Just go through it, and anywhere that you see sdcard-ext, drop the -ext off the end.
thanks for putting that up for everybody! like i said, if you know what you are doing its not a hard swap to make.
Is anyone else getting just a gray screen when they remote in? What could be causing this?
i had that same problem at first... did you use zeroktal's ubuntud4.zip file? or did you use the ubuntu.sh file included in the app?
I used the sh file included. I did however fix the problem, when mounting at the start i confused vold with void. I did not get the file system mounted properly. This method does work!! however I am currently trying to get bash on my droid to replace sh as the shell. I've checked the forums but have not found anything yet about someone installing bash on the droid 4. With no way for nandroids I feel i should wait before I kill sh.
Sent from my DROID4 using XDA App
If you mod your init.sh in your root directory to the following, your vnc will work on startup without issue. It will also shutdown vnc on exit.
#!/bin/bash
#############################################
# Asks User to screen size and saves as REZ #
#############################################
#echo "Now enter the screen size you want in pixels (e.g. 800x480), followed by [ENTER]:"
#read REZ
##############################################
# Pick which desktop environment to use, this#
# is done by having a xstartup file for each #
# desktop, then renaming the one you want to #
# use to 'xstartup' before boot #
##############################################
echo "Please select which Desktop environment you want to use, type the number to select it then press [ENTER]"
echo "1 - LXDE"
echo "2 - Gnome"
echo "Make your Selection:"
read DESKTOP
if [ $DESKTOP == 1 ]
then
mv /root/.vnc/lxstartup /root/.vnc/xstartup
fi
if [ $DESKTOP == 2 ]
then
mv /root/.vnc/gxstartup /root/.vnc/xstartup
fi
###########################################
# Tidy up previous LXDE and DBUS sessions #
###########################################
rm /tmp/.X* > /dev/null 2>&1
rm /tmp/.X11-unix/X* > /dev/null 2>&1
rm /root/.vnc/localhost* > /dev/null 2>&1
rm /var/run/dbus/pid > /dev/null 2>&1
############################################################
# enable workaround for upstart dependent installs #
# in chroot'd environment. this allows certain packages #
# that use upstart start/stop to not fail on install. #
# this means they will have to be launched manually though #
############################################################
dpkg-divert --local --rename --add /sbin/initctl > /dev/null 2>&1
ln -s /bin/true /sbin/initctl > /dev/null 2>&1
###############################################
# start vnc server with given resolution and #
# DBUS server, (and optionally an SSH server) #
###############################################
dbus-daemon --system --fork > /dev/null 2>&1
/etc/init.d/ssh start
vncserver :1 -geometry 960x540
echo
echo "If you see the message 'New 'X' Desktop is localhost:1' then you are ready to VNC into your ubuntu OS.."
echo
echo "If VNC'ing from a different machine on the same network as the android device use the 1st address below:"
##########################################
# Output IP address of android device #
##########################################
ifconfig | grep "inet addr"
echo
echo "If using androidVNC, change the 'Color Format' setting to 24-bit colour, and once you've VNC'd in, change the 'input mode' to touchpad (in settings)"
echo
echo "To shut down the VNC server and exit the ubuntu environment, just enter 'exit' at this terminal - and WAIT for all shutdown routines to finish!"
echo
###############################################################
# Spawn and interactive shell - this effectively halts script #
# execution until the spawning shell is exited (i.e. you want #
# to shut down vncserver and exit the ubuntu environment) #
###############################################################
/bin/bash -i
#########################################
# Disable upstart workaround and #
# kill VNC server (and optionally SSH) #
# Rename used xstartup to its first file#
#########################################
killall -TERM Xtightvnc
/etc/init.d/ssh stop
Also save the follow lines between ### as remount.sh on your system partition. Then chmod 755 /system/remount.sh. Now you can just run run from a terminal /system/remount.sh and voila it remounts correctly and starts ubuntu(with the above fixes). Im still working on the unmounts.
####### for the internal sd card
mount -o remount,rw,exec,suid /dev/block/vold/179:57 /mnt/sdcard
/mnt/sdcard/ubuntu/ubuntu.sh
######
OR
####### for the external sd card
mount -o remount,rw,exec,suid /dev/block/vold/179:1 /mnt/sdcard-ext
/mnt/sdcard-ext/ubuntu/ubuntu.sh
#######
great stuff!
feel free
Feel free and take, modify, repost or edit anything I touch.
QUESTION:
After I delete all the ^M and ^ what do i do next? I try to hit the command ":x" to exit and save changes but it just creates another line. Also when I press VOL UP + E to escape nothing happens.
PhanTuhC said:
QUESTION:
After I delete all the ^M and ^ what do i do next? I try to hit the command ":x" to exit and save changes but it just creates another line. Also when I press VOL UP + E to escape nothing happens.
Click to expand...
Click to collapse
In vi, the command to save and exit is :wq (probably short for write and quit).
remember, read up on the vi quick-reference guide: http://www.lagmonster.org/docs/vi.html
OK I fixed it but now its not letting me connect with androidVNC. All the settings entered is correct but when I try to connect it says:
"VNC connection failed!" localhost/127.0.0.1:5901 - Connection refused"
ok, i've gone thru this a few times (slowly and deliberately) and must be missing something...the directions seem pretty straightforward! here's what i know...
busy/terminal/vnc are all installed
small 2.5gb image is unzipped in /sdcard-ext/ubuntu directory
the attached .sh file from page 1 is in the same directory
i removed all ^M using vi
but when I try sh ubuntud4.sh i get an error...
"mkdir failed for /data/local/mnt/ubun, No such file or directory"
(plus a few other errors)
should the directory be "ubun" or "ubuntu"? am I typing something incorrectly?
copy and paste new script
Copy and paste the new scripts I posted. They will fix your problem. Remember to use the remount script from /system/ the rest will work perfectly if you are root. I'll check back later on your progress.
Ok, well I started from scratch (deleted both .img and .sh files) and it's still not working.
I have all the apps installed (and yes rooted, SU works just fine)
I used Ubuntu Installer app to download the image zip (tried both the large and small img)
I downloaded the .sh file from the first post
The /sdcard-ext/ubuntu/ folder now has two files: "ubuntu.img" and "ubuntud4.sh"
All ^M characters have been removed from .sh file
Still no joy...
Ideas? What am I missing?
In terminal, I can set SU permissions and the mount/cd commands work just fine...it's the last sh command that spits out a bunch of errors about not being able to create/find the directories.
I'm going to format the sdcard and try again...any help is appreciated.
Update: Even after re-formatting the SD and following the steps exactly, no luck!
Did you remember to remount the sdcard with exec and suid permissions?
Andbuntu will work much better than this method. It works on every single phone with modification to the "environmental variables".
http://code.google.com/p/andbuntu/
Follow the directions in the script to make the process much easier than the first post.
instructions:
generate an image with rootstock on an ubuntu computer.
put it on /sdcard/ubuntu/ubuntu.img
run the script on your phone with "sh /path/to/script"
Here is the script. http://andbuntu.googlecode.com/svn/trunk/uboot
Also, run "firstRun" to make things like terminals work properly.
Adamoutler: That didnt work for me. The permissions were incorrect on the mounted partitions.
Sent from my DROID4 using XDA App
Hi there.... yeah, Im a newb too in this business, but the only one thing that I know, that the DEVS gett pissed off when we report bugs without LOGCATs
We dont understand it but they do SO LETs hear them and do it like we should do it.
Every time when you get into the thread and post something like "aaaaaa, the power button doesent work, or Play Store wont open...", this is just a cup of crapy words for the devs (correct me if Im wrong).
Of course theres a ADB version for doing logs, but I think for the START, this one is just fine.
Click to expand...
Click to collapse
What is logcat?
Logcat is the command to view the internal logs of the Android system. Viewing logs is often the best way to diagnose a problem, and is required for many issues. This way you'll find out what apps are doing in the background without you noticing.
Advantages of Logcat
Debugging
Debug your apps. Find error stacktraces. See what your phone is saying about you behind your back. It's all there in the system log, aka logcat!
Click to expand...
Click to collapse
DOWNLOAD APP
I was googleing around and I found the best app for doing it for us newbs.
Download the FREE app called CATLOG.
Click to expand...
Click to collapse
HOW TO USE IT
After you installed it, RUN it and click the options button, there youll get a record options. Click on the record button and let it run in the background. If you had problems with Play Store, just run the PS again and when the ERROR comes, the CATLOG recorder is recording. After you did that, just go back to the app, hit the options key and press STOP RECORDING. There you GO, you have a .txt catlog of your problem.
This is just a example with the PLAY STORE fc...
Use some file manager or something like that so you can go into your sdcard / catlogs / and there should be your TXT saved log. Now just select it, press on share and put it on the FORUM or the DEVs mail. It depends on each developer. (Correct me again if Im wrong.)
Click to expand...
Click to collapse
Hope it helps out!
DO IT PEOPLE !
Heres is the more advanced but not so hard way to LOGCAT!
All credits goes to paxChristos who made this awesome tutorial HOW TO LOGCAT!
Original post: http://forum.xda-developers.com/showthread.php?t=1726238
paxChristos said:
Here's how to use logcat:
There are two main ways to do a logcat, within android, and through adb.
Logcat within android can be done one of two ways, through a Logcat app:
Here are two good examples are either: aLogcat or Catlog
I prefer catlog, because in my opinion it has a little bit nicer UI. Both of these programs can dump their logs to a txt file, which is very useful for debugging. Or, you can do it in terminal emulator (same rules as running through adb(see below))
From Moscow Desire:
On the other hand, using adb to run logcat, in my opinion is much more useful, because you can start using it when android boots (i.e. once the boot animation appears.)
The code for logcat to output to a file is
Code:
adb logcat > name of problem.txt
you can also do
Code:
adb logcat -f name of problem.txt
how I prefer to do it is this way:
Code:
adb logcat -v long > name of problem.txt
with the -v flag & the long argument, it changes output to long style, which means every line of logcat will be on its own line (makes it a little neater, imo)
Note: When outputting to a file, you will see a newline, but nothing printed, this is normal. To stop logcat from writting to a file, you need to press ctrl+c.
Here's where using logcat (via adb makes life really easy)
Lets say you find a problem you're having after looking at a logcat.
For example:
When I was trying to use a different ramdisk, wifi wouldn't work so I got a logcat that's almost 1300 lines long (a lot of stuff happens in the background)
So if you are searching for an error in the logcat file (it's always e/ for error, f/ for fatal. Those are the two main things that will break a system.)
Code:
D/dalvikvm( 871): GC_CONCURRENT freed 472K, 6% free 10224K/10823K, paused 1ms+6ms
V/AmazonAppstore.DiskInspectorServiceImpl( 871): Available blocks: 21981, Block size: 4096, Free: 90034176, Threshold: 5242880, withinThreshold? true
D/AmazonAppstore.UpdateService( 871): Received action: null from intent: Intent { cmp=com.amazon.venezia/com.amazon.mas.client.framework.UpdateService }
W/AmazonAppstore.UpdateService( 871): Confused about why I'm running with this intent action: null from intent: Intent { cmp=com.amazon.venezia/com.amazon.mas.client.framework.UpdateService }
D/dalvikvm( 890): GC_CONCURRENT freed 175K, 4% free 9375K/9671K, paused 2ms+3ms
V/AmazonAppstore.ReferenceCounter( 871): Reference (MASLoggerDB) count has gone to 0. Closing referenced object.
E/WifiStateMachine( 203): Failed to reload STA firmware java.lang.IllegalStateException: Error communicating to native daemon
V/AmazonAppstore.UpdateService( 871): runUpdateCommand doInBackground started.
V/AmazonAppstore.UpdateService( 871): Running UpdateCommand: digitalLocker
V/AmazonAppstore.UpdateCommand( 871): Not updating key: digitalLocker from: 1334228488057
V/AmazonAppstore.UpdateService( 871): Finished UpdateCommand: digitalLocker
V/AmazonAppstore.UpdateService( 871): Running UpdateCommand: serviceConfig
V/AmazonAppstore.MASLoggerDB( 871): performLogMetric: Metric logged: ResponseTimeMetric [fullName=com.amazon.venezia.VeneziaApplication_onCreate, build=release-2.3, date=Wed Apr 11 13:10:55 CDT 2012, count=1, value=1601.0]
V/AmazonAppstore.MASLoggerDB( 871): onBackgroundTaskSucceeded: Metric logged: ResponseTimeMetric [fullName=com.amazon.venezia.VeneziaApplication_onCreate, build=release-2.3, date=Wed Apr 11 13:10:55 CDT 2012, count=1, value=1601.0]
W/CommandListener( 118): Failed to retrieve HW addr for eth0 (No such device)
D/CommandListener( 118): Setting iface cfg
D/NetworkManagementService( 203): rsp
D/NetworkManagementService( 203): flags
E/WifiStateMachine( 203): Unable to change interface settings: java.lang.IllegalStateException: Unable to communicate with native daemon to interface setcfg - com.android.server.NativeDaemonConnectorException: Cmd {interface setcfg eth0 0.0.0.0 0 [down]} failed with code 400 : {Failed to set address (No such device)}
W/PackageParser( 203): Unknown element under : supports-screen at /mnt/asec/com.android.aldiko-1/pkg.apk Binary XML file line #16
D/wpa_supplicant( 930): wpa_supplicant v0.8.x
D/wpa_supplicant( 930): random: Trying to read entropy from /dev/random
D/wpa_supplicant( 930): Initializing interface 'eth0' conf '/data/misc/wifi/wpa_supplicant.conf' driver 'wext' ctrl_interface 'N/A' bridge 'N/A'
D/wpa_supplicant( 930): Configuration file '/data/misc/wifi/wpa_supplicant.conf' -> '/data/misc/wifi/wpa_supplicant.conf'
D/wpa_supplicant( 930): Reading configuration file '/data/misc/wifi/wpa_supplicant.conf'
D/wpa_supplicant( 930): ctrl_interface='eth0'
D/wpa_supplicant( 930): update_config=1
D/wpa_supplicant( 930): Line: 4 - start of a new network block
D/wpa_supplicant( 930): key_mgmt: 0x4
(mind you, that's 29 lines out of 1300ish, just for example)
I then could do the following with logcat:
Code:
adb logcat WifiStateMachine:E *:S -v long > name of problem.txt
and this will only print out any errors associated with WifiStateMachine, and anything which is fatal, which makes it about a million times easier to figure out what's going on!
In WifiStateMachine:E, the :E = to look for Errors, the full list of options is as follows:
V — Verbose (lowest priority)
D — Debug
I — Info (default priority)
W — Warning
E — Error
F — Fatal
S — Silent (highest priority, on which nothing is ever printed)
You can replace the :E with any other letter from above to get more info.
In order to filter out anything other than what you are looking for (in this case, WifiStateMachine) you must put a *:S after your last command (i.e. WifiStateMachine:E ThemeChoose:V ... ... AndroidRuntime:E *:S)
Sources: http://developer.android.com/tools/help/logcat.html
http://developer.android.com/tools/help/adb.html
Update for windows users:
Thank go to FuzzyMeep Two, Here's what he's posted for windows
(If you used his tool, here's his post, thank him for his work!)
Click to expand...
Click to collapse
Adding some LogCats for CM10 nightly
Powerbutton
http://forum.xda-developers.com/showpost.php?p=33593548&postcount=1130
no sound - poor in/out sound on CALLs
http://forum.xda-developers.com/showpost.php?p=33630013&postcount=1395
blinking screen on "screen off"
http://forum.xda-developers.com/showpost.php?p=33629455&postcount=1391
Hope it helps!
Good thread.
My favourite app for logs on the go is Lumberjack.
For logcatting at the PC I think "adb logcat" via cmd / terminal is better than an app (see torq1337's second post).
What's important: A normal logcat can be useless in some cases.
For audio, calls and anything else radio related you should add a radio logcat as well. (adb logcat -b radio).
If you got a bsod, kernel panic, or sth else that results in a bsod or phone restarting than you should post the last_kmsg.
Get it with Lumberjack or manually in the Terminal by typing "su" and "cat /proc/last_kmsg > /sdcard/last_kmsg.txt"
Dont forget to logcat
I updated my previous post now.
I am posting again to push this thread as I personally belive that most people are unable to do so because that some people out there in our nation don't have maps and that I belive that our education people who are flashing custom ROMs should know how to give developers some valid feedback - and you can learn how to logcat in 5 minutes.
tonyp said:
I updated my previous post now.
I am posting again to push this thread as I personally belive that most people are unable to do so because that some people out there in our nation don't have maps and that I belive that our education people who are flashing custom ROMs should know how to give developers some valid feedback - and you can learn how to logcat in 5 minutes.
Click to expand...
Click to collapse
Im gonna cry xDxDxDxD
Sent from my LG-P990 using xda app-developers app
Hi, maybe you would like to include my tool as well, AIOlog, as it not only logs logcat(with the -b radio for radio issues as well), but dmesg, kmsg and last_kmsg as well
tonyp said:
If you got a bsod, kernel panic, or sth else that results in a bsod or phone restarting than you should post the last_kmsg.
Get it with Lumberjack or manually in the Terminal by typing "su" and "cat /proc/last_kmsg > /sdcard/last_kmsg.txt"
Click to expand...
Click to collapse
What /proc/last_kmsg? (It doesn't appear to exist, on my phone at least.)
withoutwings said:
What /proc/last_kmsg? (It doesn't appear to exist, on my phone at least.)
Click to expand...
Click to collapse
It would be removed in a restart but still, you can retrieve the /proc/kmsg instead(better than none, I suppose, just more work for the devs )
wcypierre said:
It would be removed in a restart but still, you can retrieve the /proc/kmsg instead(better than none, I suppose, just more work for the devs )
Click to expand...
Click to collapse
No, /proc/kmesg is reset upon a restart. The whole point of last_kmesg is in the case of a crash, it is there upon the next boot so you can find out what happened. But on CM10 it doesn't appear to exist. I read somewhere this could mean the RAM Console isn't set up properly?
Thanks to @Jirmd for letting me use his post as a reference.
Original post: https://forum.xda-developers.com/nexus-7/general/unbrick-nexus-7-tegra-3-device-t4078627
Alternative Method:
1. https://github.com/tofurky/tegra30_debrick
2. https://forum.xda-developers.com/t/...-without-another-n7-or-tegra30-device.4305955
(Both methods do not require another Nexus 7)
Requirements:
1. Linux-based OS (I use Ubuntu 18.04)
2. NvFlash and Wheelie (You can download the Linux version down below)
3. A USB cable (A good and sturdy one)
4. Nerve of steel lol
5. Must have APX driver installed.
6. Another Nexus 7 (Ask someone that have it or ask me)(MUST BE ROOTED AND HAVE TWRP RECOVERY INSTALLED)
7. ADB (platform-tools)
1. DUMP SBK VIA USB
Step 1: Download fusee-launcher for Nexus 7 from this link and extract it to a folder:
http://www.mediafire.com/file/sgwsa79idk24z8u/fusee-launcher-n7.zip/file
Step 2: Open a terminal inside of the folder then type:
Code:
sudo apt-get install python-usb python3-usb
Wait for it to complete. After that, type:
Code:
pip install pyusb
Step 3: Connect your device to a USB 3.0 port (REQUIRED). You can check for connection using "lsusb". There must be a "NVidia Corp" in the list.
Step 4: Type:
Code:
sudo ./fusee-launcher.py –tty dump-sbk-via-usb.bin
Something like this should appear:
Code:
05f4a5d01'
Stack snapshot: b'0000000000000000100000003c9f0040'
EndpointStatus_stack_addr: 0x40009f3c
ProcessSetupPacket SP: 0x40009f30
InnerMemcpy LR stack addr: 0x40009f20
overwrite_len: 0x00004f20
overwrite_payload_off: 0x00004de0
payload_first_length: 0x00004de0
overwrite_payload_off: 0x00004de0
payload_second_length: 0x0000c7b0
b'00a0004000300040e04d0000b0c70000'
Setting rcm msg size to 0x00030064
RCM payload (len_insecure): b'64000300'
Setting ourselves up to smash the stack...
Payload offset of intermezzo: 0x00000074
overwrite_payload_off: 0x00004de0
overwrite_len: 0x00004f20
payload_overwrite_len: 0x00004e5c
overwrite_payload_off: 0x00004de0
smash_padding: 0x00000000
overwrite_payload_off: 0x00004de0
Uploading payload...
txing 73728 bytes total
txing 4096 bytes (0 already sent) to buf[0] 0x40003000
txing 4096 bytes (4096 already sent) to buf[1] 0x40005000
txing 4096 bytes (8192 already sent) to buf[0] 0x40003000
txing 4096 bytes (12288 already sent) to buf[1] 0x40005000
txing 4096 bytes (16384 already sent) to buf[0] 0x40003000
txing 4096 bytes (20480 already sent) to buf[1] 0x40005000
txing 4096 bytes (24576 already sent) to buf[0] 0x40003000
txing 4096 bytes (28672 already sent) to buf[1] 0x40005000
txing 4096 bytes (32768 already sent) to buf[0] 0x40003000
txing 4096 bytes (36864 already sent) to buf[1] 0x40005000
txing 4096 bytes (40960 already sent) to buf[0] 0x40003000
txing 4096 bytes (45056 already sent) to buf[1] 0x40005000
txing 4096 bytes (49152 already sent) to buf[0] 0x40003000
txing 4096 bytes (53248 already sent) to buf[1] 0x40005000
txing 4096 bytes (57344 already sent) to buf[0] 0x40003000
txing 4096 bytes (61440 already sent) to buf[1] 0x40005000
txing 4096 bytes (65536 already sent) to buf[0] 0x40003000
txing 4096 bytes (69632 already sent) to buf[1] 0x40005000
txing 4096 bytes total
txing 4096 bytes (0 already sent) to buf[0] 0x40003000
Smashing the stack...
sending status request with length 0x00004f20
The USB device stopped responding-- sure smells like we've smashed its stack. :)
Launch complete!
b'4445414442454546'
DEADBEEF
b'3030303030303030'
00000000
b'3030303030303030'
00000000
b'3034303030303930'
04000090
b'4634314330433241'
F41C0C2A
b'3133333731333337'
13371337
b'3535353535353535'
55555555
b'3430303033303030'
40003000
b'3430303035303030'
40005000
b'4141414141414141'
AAAAAAAA
b'3131313131313131'
11111111
b'3030303030303236'
00000026
b'3232323232323232'
22222222
b'68656c6c6f2c20776f726c640a00'
hello, world
b'e57de3bab6cb499d874d5772cb219f0101042c20'
Traceback (most recent call last):
File "./fusee-launcher.py", line 823, in <module>
buf = switch.read(USB_XFER_MAX)
File "./fusee-launcher.py", line 530, in read
return self.backend.read(length)
File "./fusee-launcher.py", line 134, in read
return bytes(self.dev.read(0x81, length, 3000))
File "/usr/local/lib/python3.6/dist-packages/usb/core.py", line 988, in read
self.__get_timeout(timeout))
File "/usr/local/lib/python3.6/dist-packages/usb/_debug.py", line 60, in do_trace
return f(*args, **named_args)
File "/usr/local/lib/python3.6/dist-packages/usb/backend/libusb1.py", line 833, in bulk_read
timeout)
File "/usr/local/lib/python3.6/dist-packages/usb/backend/libusb1.py", line 936, in __read
_check(retval)
File "/usr/local/lib/python3.6/dist-packages/usb/backend/libusb1.py", line 595, in _check
raise USBError(_strerror(ret), ret, _libusb_errno[ret])
usb.core.USBError: [Errno 110] Operation timed out
Search for the line "hello, world" inside of your log. It looks like this in this example:
Code:
hello, world
b'e57de3bab6cb499d874d5772cb219f0101042c20'
The last 8 characters are not your SBK. This is the first 8 numbers of your Device ID. Delete this and delete the b' at the start and also the ' at the end.
The result should look like this:
Code:
e57de3bab6cb499d874d5772cb219f01
Congratulation, you have successfully dump your device SBK via USB.
2. GETTING YOUR CPU UID
Step 1: Download Wheelie and NvFlash then extract it to a folder.
Step 2: Download this broken blob.bin file (REQUIRE)
http://www.mediafire.com/file/32cxvjv2wajokqf/blob.bin/file
Then place it inside of the Wheelie and NvFlash folder.
Step 3: Open a terminal inside of the folder then type:
Code:
./wheelie --blob blob.bin
After that, something like this should appear:
Code:
Wheelie 0.1 - Preflight for nvflash.
Copyright (c) 2011-2012 androidroot.mobi
========================================
[=] Chip UID: 0x98254853062001158
[-] Incorrect SBK or SBK type selected. nverror: 0x4.
Search for "Chip UID", remove the "0x" at the beginning. The result should look like this:
Code:
98254853062001158
Congratulation, you got your chip UID
3. GENERATE BLOB FILES USING ANOTHER NEXUS 7
Step 1: Download MkNvfBlob from this link:
https://github.com/GeorgeMato4/nvcrypttools/blob/forN7/precompiled/precompiledN7.tar.xz
Note: Extract this to your Nexus 7.
Step 1.1: Reboot into TWRP recovery.
Step 2: Open a terminal inside of you ADB folder then type:
Code:
adb shell
After that:
Code:
su
Type this command after that:
Code:
mkdir /AndroidRoot
Last one:
Code:
cat /proc/cpuinfo > /AndroidRoot/cpuinfo
Pull the cpuinfo file using this command:
Code:
adb pull /AndroidRoot
Note: You could copy your cpuinfo file to your PC using MTP (IDK how to do this so search Google lol)
Open your ADB folder and there should be a AndroidRoot folder with a cpuinfo file inside of it.
Open cpuinfo using a Text Editor. Something like this should be inside:
Code:
Processor : ARMv7 Processor rev 9 (v7l)
processor : 0
BogoMIPS : 1993.93
processor : 1
BogoMIPS : 1993.93
processor : 2
BogoMIPS : 1993.93
processor : 3
BogoMIPS : 1993.93
Features : swp half thumb fastmult vfp edsp neon vfpv3 tls
CPU implementer : 0x41
CPU architecture: 7
CPU variant : 0x2
CPU part : 0xc09
CPU revision : 9
Hardware : grouper
Revision : 0000
Serial : 015d4a5f202c0401
Replace the Serial line with your Chip UID.
After that, place the cpuinfo file back to the /AndroidRoot folder on your device using this command:
Code:
adb push AndroidRoot /
After you are done, don't close the ADB windows.
Step 3: Download bootloader.xbt:
https://github.com/GeorgeMato4/nvcrypttools/blob/forN7/bootloaders/bootloader.grouper.XBT
And BCT for your device:
https://github.com/GeorgeMato4/nvcrypttools/blob/forN7/bct/n7.bct
And copy these two files to the /AndroidRoot folder on your device.
Step 4: Type this command on the ADB windows:
Code:
cd /AndroidRoot
After that, type:
Code:
chmod 777 ./mknvfblob
After that, type:
Code:
./mknvfblob -W -K <your SBK> --blob /AndroidRoot/test.blob --bctin /AndroidRoot/n7.bct --bctr /AndroidRoot/testr.bct --bctc /AndroidRoot/testc.bct --blin /AndroidRoot/bootloader.grouper.XBT --blout /AndroidRoot/test.ebt
Wait for it to do its job.
After that, go to your /AndroidRoot folder and copy all the file that just got generated (testr.bct, testc.bct. test.ebt, test.blob) to your PC using the adb pull command on Step 2
Congratulation, you have successfully generate blob for your bricked device.
4. UNBRICK YOUR DEVICE (The fun part )
Step 1: Boot your bricked device into APX mode either using Power button or Power + Vol UP.
Step 2: Open a terminal inside of the folder where you place your NvFlash folder (move the blob file inside of that folder, all of them)
Step 3: Open a terminal inside of your Wheelie and NvFlash folder. Type:
Code:
sudo ./nvflash --bl test.ebt --bct testr.bct --blob test.blob
If you got this command:
Code:
command error: no command found
Then try this one instead:
Code:
./nvflash --setbct --create --configfile <your flash.cfg> --bl test.ebt --bct testr.bct --blob test.blob
If you got the NvError, its fine.
Something like this should appear (the first command):
Code:
Nvflash v1.13.87205 started
Using blob v1.13.00000
chip uid from BR is: 0x0000000000000000015d2bc285340e0f
rcm version 0X30001
System Information:
chip name: unknown
chip id: 0x30 major: 1 minor: 3
chip sku: 0x83
chip uid: 0x0000000000000000015d2bc285340e0f
macrovision: disabled
hdcp: enabled
jtag: disabled
sbk burned: true
dk burned: true
boot device: emmc
operating mode: 4
device config strap: 1
device config fuse: 17
sdram config strap: 0
sending file: recovery.bct
- 6128/6128 bytes sent
recovery.bct sent successfully
downloading bootloader -- load address: 0x80108000 entry point: 0x80108000
sending file: bootloader.ebt
- 2146912/2146912 bytes sent
bootloader.ebt sent successfully
waiting for bootloader to initialize
bootloader downloaded successfully
A Google Logo should appear on your device screen with the text "Battery is too low" on the upper left corner. Unplug the battery and replug it. After that, plug it into a wall charger for atleast 4 hour.
Step 4: Unplug the battery and boot into APX mode again using the button combination.
Step 5: Type this command while holding down the Vol DOWN button:
Code:
sudo ./nvflash --resume --download 8 boot.img
Replace "boot.img" with your ROM boot.img file. If you download another boot.img that isn't for your ROM, your device will bootloop.
Step 6:
Type:
Code:
sudo ./nvflash --resume --download 4 bootloader.img
Replace "bootloader.img" with your bootloader.img file name (You could get it inside of the Factory Image)
And after its done, your device should technically unbrick now. But I still recommend you re-flash stock ROM.
Step 7: The final step
Boot into your OS using the command below:
Code:
sudo ./nvflash --resume --go
If your device boot back into APX mode, maybe you have done something wrong. Try again.
If you got a Google logo on your device then congratulation! Your device is now unbricked.
Note: If step 7 didn't work, try booting this recovery image using this command:
Code:
fastboot boot flatline_grouper.img
Link for the recovery image is in the "Links" section.
Note: To get into Fastboot, add the "--go" line at the end of the command in Step 5
Code:
sudo ./nvflash --resume --download 8 boot.img --go
HOLD DOWN VOL DOWN while doing this command, you should get into fastboot at
After you are in the Flatline recovery, navigate to the "Advanced" section using the VOL buttons. Select it using the POWER button.
Select the "wheelie" at the end of the list.
Select "I agree".
After that, select "Step 1: Flash AndroidRoot.mobi custom bootloader." IGNORE Step 2 because it won't gonna work anyways.
Your device should reboot and the Google logo should appear, that means that your device is unbricked.
Note: If you wanted to flash stock ROM, open the "image-*******.zip" inside of the factory image and open the android-info.txt file. Edit the "require-bootloader" line to "4.13". After that, it should work.
Links:
flash.cfg: http://www.mediafire.com/file/j90hc1dfz58aytq/flashcfg.zip/file
flatline_grouper.img: https://www.mediafire.com/file/z1jvgy6km33f7bf/flatline_grouper.img/file
Wheelie, NvFlash and platform-tools (For ADB) (Works for both Linux and Windows): https://www.mediafire.com/file/0nuy4indgvagq3v/nvflash-and-platformtool.zip/file
Download the Factory Image for your Nexus 7 incase you want to re-flash stock ROM (nakasi or nakasig): https://developers.google.com/android/images#nakasi
That is. If you need any help, message me.
Update: After a few days of troubleshooting, fixing and updating my post, it seems like the step to unbrick your Nexus 7 2012 may depends on how did you brick it, what OS version you are running or the condition of your device. So you may have to "think outside the box" sometimes in this guide.
Update #2: Some helpful advice from @Jirmd with some minor change:
When you get this error :
Code:
Nvflash v1.10.76762 started
Using blob v1.13.00000
chip uid from BR is: 0x0000000000000000015d4a5f202c0401
rcm version 0X30001
System Information:
chip name: unknown
chip id: 0x30 major: 1 minor: 3
chip sku: 0x83
chip uid: 0x0000000000000000015d4a5f202c0401
macrovision: disabled
hdcp: enabled
jtag: disabled
sbk burned: true
dk burned: true
boot device: emmc
operating mode: 4
device config strap: 2
device config fuse: 17
sdram config strap: 1
sending file: testr.bct
- 6128/6128 bytes sent
testr.bct sent successfully
downloading bootloader -- load address: 0x80108000 entry point: 0x80108000
sending file: test.ebt
- 2146896/2146896 bytes sent
test.ebt sent successfully
waiting for bootloader to initialize
bootloader downloaded successfully
setting device: 0 3
failed executing command 11 NvError 0x120002
command failure: create failed (bad data)
bootloader status: specified device is invalid (code: 6) message: nverror:0x4 (0x4) flags: 0
after this command :
Code:
./nvflash --configfile flash.cfg --create --bct testr.bct --setbct --bl test.ebt --blob test.blob --sync
Probably you have broken your internal storage!
You can probably flash:
Bootloader image (bootloader.img)
Kernel image (boot.img)
Recovery image (recovery.img aka TWRP)
But you CAN'T flash a new system via TWRP or fastboot, because the bootloader or the recovery was unable to connect to the partitions table.
You can try this command to erase bad blocks:
Code:
./nvflash --resume --configfile flash.cfg --obliterate
Reboot to APX mode and try the above command again.
But, broken internal storage is pretty much unrepairable.
There is some possibility of disassembly your device and overheat your memory IC, but this method is not easy and need more technical skill.
And in my case this did not help.
Click to expand...
Click to collapse
In my case, this command also gives me the nverror 0x4 but it also did something to my Nexus 7 as it was required for the next step.
Update #3: Updated the guide and removed some unessacery steps.
Update #4: Updated.
Hi, enderzip...
I've been keeping track of the recent developments regarding bricked Nexus 7's, APX mode and nvFlash, here on XDA. There's currently quite a few threads on this topic.
As I understand it, you've been motivated by a desire to recover data from your bootloader bricked Nexus 7. So my question is simple...
'Have you been successful?'
Have you actually resurrected a bricked Nexus 7 with no functioning bootloader AND with no originally created flatline wheelie blobs?
If so, you have done what I thought could not be done! I tip my hat to you, with your tenacity and your technical understanding of the complex issues involved.
If I had a Linux system myself, I'd be half-minded to dig out my old Nexus 7, deliberately bugger up the bootloader, and follow your instructions for the sheer technical challenge!
--------------------------------------
Some general thoughts...
The Nexus 7 is old (c.2012), and likely not many people use it anymore, but that's not what's important here. What is important is the persistence, the huge technical ability, and the sheer bloody minded refusal ~ by some ~ to let their Nexus 7 die... to go into what the poet Dylan Thomas called that 'good night'...
"Do not go gentle into that good night,
Old age should burn and rave at close of day;
Rage, rage against the dying of the light."
https://poets.org/poem/do-not-go-gentle-good-night
And in so doing, mayhap enderzip and others, have provided potential clues for other devices, other hardware, other phones or tablets, when faced with similar hard brick problems. One can but hope.
The above post by enderzip is technically way beyond me, and I have no immediate use for it, but it's a fundamental distillation of everything XDA stands for - namely, experimentation and creativity.
It's basically, amazing!
Thanks enderzip
Rgrds,
Ged.
Hello Enderzip,
Thank you so much for this very good an detailed tuto.
I followed cautiously your instructions but I am blocked @ step 3.
The command "mkdir /AndroidRoot" returns "mkdir : '/AndroidRoot' : Read-only file system".
I suspect Android system partition as read only but does know way to change.
I would appreciate your clever support.
Thank you in advance.
Envoyé de mon Nexus 4 en utilisant Tapatalk
zak4 said:
Hello Enderzip,
Thank you so much for this very good an detailed tuto.
I followed cautiously your instructions but I am blocked @ step 3.
The command "mkdir /AndroidRoot" returns "mkdir : '/AndroidRoot' : Read-only file system".
I suspect Android system partition as read only but does know way to change.
I would appreciate your clever support.
Thank you in advance.
Envoyé de mon Nexus 4 en utilisant Tapatalk
Click to expand...
Click to collapse
You could manually create the folder if you have root. By using those Root File explorer on Google Play Store.
I recommend you using this one: https://play.google.com/store/apps/details?id=com.clearvisions.explorer
Open the app then go to the root section, create a new folder name: AndroidRoot
And you are good to go.
If the above method didnt work, type these command one by one:
Code:
adb shell
su
mount -o rw,remount /system
You can mount your /system back to Read-Only using this command:
Code:
mount -o ro,remount /system
GedBlake said:
Hi, enderzip...
I've been keeping track of the recent developments regarding bricked Nexus 7's, APX mode and nvFlash, here on XDA. There's currently quite a few threads on this topic.
As I understand it, you've been motivated by a desire to recover data from your bootloader bricked Nexus 7. So my question is simple...
'Have you been successful?'
Have you actually resurrected a bricked Nexus 7 with no functioning bootloader AND with no originally created flatline wheelie blobs?
If so, you have done what I thought could not be done! I tip my hat to you, with your tenacity and your technical understanding of the complex issues involved.
If I had a Linux system myself, I'd be half-minded to dig out my old Nexus 7, deliberately bugger up the bootloader, and follow your instructions for the sheer technical challenge!
--------------------------------------
Some general thoughts...
The Nexus 7 is old (c.2012), and likely not many people use it anymore, but that's not what's important here. What is important is the persistence, the huge technical ability, and the sheer bloody minded refusal ~ by some ~ to let their Nexus 7 die... to go into what the poet Dylan Thomas called that 'good night'...
"Do not go gentle into that good night,
Old age should burn and rave at close of day;
Rage, rage against the dying of the light."
https://poets.org/poem/do-not-go-gentle-good-night
And in so doing, mayhap enderzip and others, have provided potential clues for other devices, other hardware, other phones or tablets, when faced with similar hard brick problems. One can but hope.
The above post by enderzip is technically way beyond me, and I have no immediate use for it, but it's a fundamental distillation of everything XDA stands for - namely, experimentation and creativity.
It's basically, amazing!
Thanks enderzip
Rgrds,
Ged.
Click to expand...
Click to collapse
Yes, I have successfully unbrick my Nexus 7 WITHOUT any type of blob file i have generated before.
And no, you should thank @Jirmd instead of me. If he didn't post his thread, my Nexus is still probably a paperweight.
Deleted.
@enderzip
Thank you Enderzip. I succeeded the creation of AndroidRoot with the command for write permission on system.
I have another issue about extraction of SBK of my bricked Nexus 7. I prepared everything (download of fusee-launcher, pyusb installation ...), checked connection of my device through APX (see below) but when I type sudo ./fusee-launcher.py –tty dump-sbk-via-usb.bin I got :
[email protected]:~/Downloads/fusee-launcher-n7$ lsusb
Bus 002 Device 096: ID 058f:6362 Alcor Micro Corp. Flash Card Reader/Writer
Bus 002 Device 061: ID 0955:7330 NVIDIA Corp.
Bus 002 Device 004: ID 046d:0805 Logitech, Inc. Webcam C300
Bus 002 Device 002: ID 05e3:0608 Genesys Logic, Inc. Hub
Bus 002 Device 001: ID 1d6b:0002 Linux Foundation 2.0 root hub
Bus 007 Device 001: ID 1d6b:0001 Linux Foundation 1.1 root hub
...
[email protected]:~/Downloads/fusee-launcher-n7$ sudo ./fusee-launcher.py --tty dump-sbk-via-usb.bin
sudo: ./fusee-launcher.py : command not found
Sorry to be blocked again.
@enderzip
I found a solution to my issue by allowing the "execution of the file as program" in the permissions of fusee-launcher.py file.
Fusee-launcher started but quickly stopped before application stack dumping : message delivered by fusee-launcher is to use USB 3.0 and I realized that I have only USB 2.0 on my old desk computer.
Does someone know how to patch EHCI driver ? Is it a possible solution ?
Thanks for your advice.
enderzip said:
Yes, i have successfully unbrick my Nexus 7 WITHOUT any type of blob file i have generated before.
And no, you should thank @Jirmd instead of me. If he didn't post his thread, my Nexus is still probably a paperweight.
Click to expand...
Click to collapse
enderzip, wow, you soo good and cool. I am totaly glad for this, how you make your tutorial. And we must give thanks for AndroidRoot team and Jenkinsen. Without this people, we all have only paperweight.
Now, i will try make my moded mknvfblob worked standalone. Without Tegra 3, only on linux X86 PC.
And, i will try make tutorial for nexus 7 , how boot linux from usb, without multiboot. ( For case, when is your internal storage totaly unreparable damaged.)
Deleted.
Thank you Enderzip. I will follow your advice and buy a USB 3.0 PCI Express card and try later.
Again many thanks to you and Jmrd for your tutorial that will enable us to revive our bricked Nexus 7.
Envoyé de mon Nexus 4 en utilisant Tapatalk
I know this might be a stupid question, but what is the boot.img at step 6? The grouper factory image contains a "bootloader-grouper-4.23.img" and a zip containing a "boot.img", I guess that's the file we should flash?
gormatrax said:
I know this might be a stupid question, but what is the boot.img at step 6? The grouper factory image contains a "bootloader-grouper-4.23.img" and a zip containing a "boot.img", I guess that's the file we should flash?
Click to expand...
Click to collapse
The boot.img is inside the .zip inside of the factory image. I think the name is "image-nz---.zip"
Step 5 works and returns the same as in the guide, the tablet shows the google logo, without the battery too low in the corner.
However, at step 6, i get this:
Code:
Nvflash v1.13.87205 started
[resume mode]
command failure: Error querying partition type (bad data)
bootloader status: partition table is required for this command (code: 8) message: nverror:0x5 (0x1000005) flags: 0
what should i do?
edit: for good measure this is the result from step 5:
Code:
Nvflash v1.13.87205 started
Using blob v1.13.00000iles ┼§˛■q
chip uid from BR is: 0x0000000000000000015d25689b3c1019
rcm version 0X30001
System Information:
chip name: unknown
chip id: 0x30 major: 1 minor: 3
chip sku: 0x83
chip uid: 0x0000000000000000015d25689b3c1019
macrovision: disabled
hdcp: enabled
jtag: disabled
sbk burned: true
dk burned: true
boot device: emmc
operating mode: 4
device config strap: 1
device config fuse: 17
sdram config strap: 0
sending file: testr.bct
- 6128/6128 bytes sent
testr.bct sent successfully
downloading bootloader -- load address: 0x80108000 entry point: 0x80108000
sending file: test.ebt
- 2146896/2146896 bytes sent
test.ebt sent successfully
waiting for bootloader to initialize
bootloader downloaded successfully
setting device: 0 3
failed executing command 11 NvError 0x120002
command failure: create failed (bad data)
bootloader status: specified device is invalid (code: 6) message: nverror:0x4 (0x4) flags: 0
@enderzip thank you so much for this detailed guide. Now I was able to generate the image (blobs) myself. When flashin the images (blobs), both the ones generated by you and the ones generated by me, following error is received... Could you help on this?
Code:
Wheelie 0.1 - Preflight for nvflash.
Copyright (c) 2011-2012 androidroot.mobi
========================================
Waiting for device in APX mode...
[=] Chip UID: 0x15d16897a500403
[=] RCM Version: 0x30001
[=] CPU Model: Tegra 3
[+] Sending bootloader...
[-] Error 3 sending command
Thanks Steffen
gormatrax said:
Step 5 works and returns the same as in the guide, the tablet shows the google logo, without the battery too low in the corner.
However, at step 6, i get this:
Code:
Nvflash v1.13.87205 started
[resume mode]
command failure: Error querying partition type (bad data)
bootloader status: partition table is required for this command (code: 8) message: nverror:0x5 (0x1000005) flags: 0
what should i do?
edit: for good measure this is the result from step 5:
Code:
Nvflash v1.13.87205 started
Using blob v1.13.00000iles ┼§˛■q
chip uid from BR is: 0x0000000000000000015d25689b3c1019
rcm version 0X30001
System Information:
chip name: unknown
chip id: 0x30 major: 1 minor: 3
chip sku: 0x83
chip uid: 0x0000000000000000015d25689b3c1019
macrovision: disabled
hdcp: enabled
jtag: disabled
sbk burned: true
dk burned: true
boot device: emmc
operating mode: 4
device config strap: 1
device config fuse: 17
sdram config strap: 0
sending file: testr.bct
- 6128/6128 bytes sent
testr.bct sent successfully
downloading bootloader -- load address: 0x80108000 entry point: 0x80108000
sending file: test.ebt
- 2146896/2146896 bytes sent
test.ebt sent successfully
waiting for bootloader to initialize
bootloader downloaded successfully
setting device: 0 3
failed executing command 11 NvError 0x120002
command failure: create failed (bad data)
bootloader status: specified device is invalid (code: 6) message: nverror:0x4 (0x4) flags: 0
Click to expand...
Click to collapse
In this case, uss this command instead:
Code:
sudo ./nvflash --setbct --create --configfile <flash.cfg file name> --resume --download 8 boot.img --go
It may or may not work.
enderzip said:
In this case, uss this command instead:
Code:
sudo ./nvflash --setbct --create --configfile <flash.cfg file name> --resume --download 8 boot.img --go
It may or may not work.
Click to expand...
Click to collapse
It doesn't work, it says that --resume must be first in the command. I moved it to the front, but then it said that it needed the bct file:
command:
Code:
nvflash --resume --setbct --create --configfile flash16.cfg --download 8 boot.img --go
result:
Code:
Nvflash v1.13.87205 started
[resume mode]
bct file required for this command
command failure: create failed
I tried passing the testr.bct to it, but it looks even worse:
command:
Code:
nvflash --resume --setbct --create --configfile flash16.cfg --bct testr.bct --download 8 boot.img --go
result:
Code:
Nvflash v1.13.87205 started
[resume mode]
sending file: testr.bct
- 6128/6128 bytes sent
testr.bct sent successfully
failed executing command 12 NvError 0x120002
command failure: create failed (bad data)
bootloader status: module is in invalid state to perform the requested operation
(code: 4) message: nverror:0x8 (0x8) flags: 0
When executing each command, the tablet was showing the Google logo, after performing part 4 step 4.
Note that I also get the error that @steffenm82 is getting when running
Code:
wheelie --blob test.blob
, however that didn't stop the next step from working...
gormatrax said:
It doesn't work, it says that --resume must be first in the command. I moved it to the front, but then it said that it needed the bct file:
command:
Code:
nvflash --resume --setbct --create --configfile flash16.cfg --download 8 boot.img --go
result:
Code:
Nvflash v1.13.87205 started
[resume mode]
bct file required for this command
command failure: create failed
I tried passing the testr.bct to it, but it looks even worse:
command:
Code:
nvflash --resume --setbct --create --configfile flash16.cfg --bct testr.bct --download 8 boot.img --go
result:
Code:
Nvflash v1.13.87205 started
[resume mode]
sending file: testr.bct
- 6128/6128 bytes sent
testr.bct sent successfully
failed executing command 12 NvError 0x120002
command failure: create failed (bad data)
bootloader status: module is in invalid state to perform the requested operation
(code: 4) message: nverror:0x8 (0x8) flags: 0
When executing each command, the tablet was showing the Google logo, after performing part 4 step 4.
Note that I also get the error that @steffenm82 is getting when running
Code:
wheelie --blob test.blob
, however that didn't stop the next step from working...
Click to expand...
Click to collapse
Hmm, have you tried switching the USB port? Maybe the USB cable too.
steffenm82 said:
@enderzip thank you so much for this detailed guide. Now I was able to generate the image (blobs) myself. When flashin the images (blobs), both the ones generated by you and the ones generated by me, following error is received... Could you help on this?
Code:
Wheelie 0.1 - Preflight for nvflash.
Copyright (c) 2011-2012 androidroot.mobi
========================================
Waiting for device in APX mode...
[=] Chip UID: 0x15d16897a500403
[=] RCM Version: 0x30001
[=] CPU Model: Tegra 3
[+] Sending bootloader...
[-] Error 3 sending command
Thanks Steffen
Click to expand...
Click to collapse
Sorry for my late reply, in this case, try skipping to the next step.
I must say that @enderzip guide make my nexus 7 back on it´s feet despite not having previously generated blobs. After some days of research and some nights via PM and FB messenger he managed to bring my Nexus back on. So Yes @GedBlake he managed to unbrick a nexus 7 with no previous generated blobs. But the mentor of this tutorial was @Jirmd. In adittion, thanks to this 2 wonderful persons that make my Nexus 7 back to it´s gold years!!!