Z4V Root Exploit? - Xperia Z4/Z3+ Q&A, Help & Troubleshooting

As most of you know already from my other postings, I have a Verizon Xperia Z4V.
I have the dreaded bootloader unlock allowed = no at the moment (even though I have a Sony Dev. fastboot unlock code from their web tool), so I am looking for a method to root the phone so I can extract the CDMA radio and UHD screen drivers and use various other kernel sources to compile new ROMs.
I have fastboot, and adb access.
So far, NOTHING has worked. Flashtool has come closest with the service menu exploit, however I cannot re-create what it did the first time.
The device is using 5.0.2 with kernel version : 3.10.49-perf-g301bca8-01952-g67d95bb / Platform : 64bits / Build number : 28.0.E.0.570
I know the device is NOT directly supported by any scripts, but it seems to me something should work from a similar device. After all, the only differences are the cdma radio and the screen resolution.
Any ideas?
Rick
BlackIce

https://www.xda-developers.com/root/
Choose your poison

That page is very useful. But as I mentioned the Z4V isn't listed at all.
Rick
BlackIce

Aha! Even though I am not a big fan of KingRoot, I managed to get version 5.3.0 to root the Z4V. Sort of.
Sort Of? Well, I have Flashtool running on my PC and all drivers working. KingRoot runs and achieves root. Flashtool then recognizes root and pushes files and deactivates RIC. Then I get a crash or reboot on the phone, when it returns, root is gone.
Any ideas how to get it done?
Rick
BlackIce000

If I can get root for 15 seconds, is there any way I can flash a recovery or defeat RIC so I can keep it and begin to work on this phone?
Thanks,
Rick

blackice000 said:
If I can get root for 15 seconds, is there any way I can flash a recovery or defeat RIC so I can keep it and begin to work on this phone?
Thanks,
Rick
15 or 30 seconds is a bit short in time ...
Prophylaxis is key first (not breaking anything): create a backup of the kernel image/partition
https://android.stackexchange.com/q...img-and-recovery-img-from-sony-xperia-e4-dual (that example is with a MediaTek chipset so mostly different still a good starting point though)
You need to find out which partitions contain what data and create a dump / dd image as a backup of boot.img:
https://github.com/lygstate/lygstat...10-Extract-boot.img-from-an-android-device.md
https://stackoverflow.com/questions/26967862/how-to-make-an-image-of-android-partition-to-your-pc
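The backup step suggested above, as an added example that is not from the thread or the linked guides: a dd image of a partition is only a backup once the copy has been verified. The functions take plain paths, so they can be exercised on an ordinary file standing in for /dev/block/...; on the device they would run inside an adb shell as root. Assumed: sha256sum and readlink -f exist (coreutils or busybox), and partitions are exposed under a by-name directory below /dev/block/platform.

```shell
#!/bin/sh
# Added example, not from the thread: take a dd image of a partition and verify
# the copy before relying on it. On an Android device this would be run inside
# "adb shell" as root against /dev/block/...; the functions below take plain
# paths so they can be exercised on an ordinary file as a stand-in.
# Assumptions: sha256sum and readlink -f are available (coreutils/busybox).

# Print the SHA-256 hex digest of a file or block device.
sha256_of() {
    sha256sum "$1" | cut -d' ' -f1
}

# Resolve a partition label (e.g. "boot") through the by-name symlinks that
# most Android devices expose under /dev/block/platform/<soc>/by-name.
# A second argument overrides the platform directory (used for offline tests).
find_partition() {
    name="$1"
    base="${2:-/dev/block/platform}"
    for link in "$base"/*/by-name/"$name" "$base"/*/*/by-name/"$name"; do
        if [ -e "$link" ]; then
            readlink -f "$link"
            return 0
        fi
    done
    return 1
}

# Compare source and image by digest; 0 means the backup is intact.
verify_backup() {
    src_sum=$(sha256_of "$1")
    img_sum=$(sha256_of "$2")
    [ -n "$src_sum" ] && [ "$src_sum" = "$img_sum" ]
}

# dd the source to the destination and refuse to report success unless the
# image verifies, so a short read or a full SD card is never mistaken for a backup.
backup_partition() {
    src="$1"
    dest="$2"
    dd if="$src" of="$dest" bs=4096 2>/dev/null || return 1
    verify_backup "$src" "$dest"
}

# Typical use on the device (not executed here):
#   backup_partition "$(find_partition boot)" /sdcard/boot.img
```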

blackice000 said:
As most of you know already from my other postings, I have a Verizon Xperia Z4V.
I have the dreaded bootloader unlock allowed = no at the moment (even though I have a Sony Dev. fastboot unlock code from their web tool), so I am looking for a method to root the phone so I can extract the CDMA radio and UHD screen drivers and use various other kernel sources to compile new ROMs.
I have fastboot, and adb access.
So far, NOTHING has worked. Flashtool has come closest with the service menu exploit, however I cannot re-create what it did the first time.
The device is using 5.0.2 with kernel version : 3.10.49-perf-g301bca8-01952-g67d95bb / Platform : 64bits / Build number : 28.0.E.0.570
I know the device is NOT directly supported by any scripts, but it seems to me something should work from a similar device. After all, the only differences are the cdma radio and the screen resolution.
Any ideas?
Rick
BlackIce
Just a small thing you may have forgotten: USB debugging mode needs to be on (for the non-carrier-specific Z4), and you can use Flashtool for unlocking the bootloader.
Before unlocking bootloader, take backup of DRM keys and important data.

New info. I can get root with KingRoot... I can manipulate using Flashtool. RIC is deactivated... after a short while the phone reboots.
Any ideas?!! I'd really like to be able to use this phone.
Flashtool LOGFILE Attached
Rick

Related

Idea on Rooting devices with BL newer than 12940

Dear all,
this is my first post in this forum and I have done lots of reading concerning the chromecast hack and recoveries. I recently bought a device with Bootloader version 12940 which means it is not hackable. I also do not have the means to open the device and add wires to the UART. But when browsing through the different flashing/updating and recovery threads an idea came into my mind on how the bootloader security could be omitted:
I got the following facts (please correct if wrong):
- The Marvell ROM code verifies the bootloader binary's signature before executing it ( see http://blog.gtvhacker.com/2013/google-tv-or-how-i-learned-to-stop-worrying-and-exploit-secure-boot/ )
=> This means that the vulnerable original bootloader version 12840 must have a valid signature
This is my assumption:
- When the system is powered on and the NAND flash is kept in reset the SoC should try to boot from an alternate source (e.g. uart or usb).
=> This might be a way to boot the properly signed vulnerable older bootloader
There seems to be some mechanism to boot from USB if the system does not find any firmware image ( http://forum.xda-developers.com/showthread.php?t=2438715)
Idea:
=> Has someone already plugged the chromecast via USB into a PC and powered it on with the NAND disabled? It would be interesting if the device identifies itself on the USB bus (the recent Freescale and TI controllers I know do exactly this) and awaits a (most probably signed) firmware image (which we already should have with the old bootloader) or if someone found the datasheets of this SoC it might be possible to alter the bootstrap pins of the SoC to get it booting from another source
Edit: Typo
I am thinking that if there is a weakness to exploit as far as rooting, it might be found in one of the Developer enabled units faster than one of the consumer devices....
Perhaps not as the Dev Mode may only remove the Whitelist but it's worth a shot...
I have noticed that the ROM Updates seem to have slowed down a bit since Xmas...
I bet most folks would be happy enough if we just found some way of bypassing the Whitelist if we can't get full root.
probutus said:
Dear all,
this is my first post in this forum and I have done lots of reading concerning the chromecast hack and recoveries. I recently bought a device with Bootloader version 12940 which means it is not hackable. I also do not have the means to open the device and add wires to the UART. But when browsing through the different flashing/updating and recovery threads an idea came into my mind on how the bootloader security could be omitted:
I got the following facts (please correct if wrong):
- The Marvell ROM code verifies the bootloader binary's signature before executing it ( see http://blog.gtvhacker.com/2013/google-tv-or-how-i-learned-to-stop-worrying-and-exploit-secure-boot/ )
=> This means that the vulnerable original bootloader version 12840 must have a valid signature
This is my assumption:
- When the system is powered on and the NAND flash is kept in reset the SoC should try to boot from an alternate source (e.g. uart or usb).
=> This might be a way to boot the properly signed vulnerable older bootloader
There seems to be some mechanism to boot from USB if the system does not find any firmware image ( http://forum.xda-developers.com/showthread.php?t=2438715)
Idea:
=> Has someone already plugged the chromecast via USB into a PC and powered it on with the NAND disabled? It would be interesting if the device identifies itself on the USB bus (the recent Freescale and TI controllers I know do exactly this) and awaits a (most probably signed) firmware image (which we already should have with the old bootloader) or if someone found the datasheets of this SoC it might be possible to alter the bootstrap pins of the SoC to get it booting from another source
Good idea. I can chainload these bootloaders if I could get a dump of the vulnerable one.
There are two ways of disabling the NAND. One is to bridge a jumper (34 if memory serves me right) and the other is to just pull the disable pin high.
jchillerup said:
Good idea. I can chainload these bootloaders if I could get a dump of the vulnerable one.
There are two ways of disabling the NAND. One is to bridge a jumper (34 if memory serves me right) and the other is to just pull the disable pin high.
I have a partition dump of the exploitable bootloader if it helps. (which is just the bootloader written 8x times in a row, because google logic) Shoot me a PM if you need anything.
A raw dump would be best. I am considering searching for a vulnerable untouched CC and seeing what I can do with it with some hardware hackery. First things first is finding out if the NAND is encrypted with a per-device key, or if certain sections are encrypted, or if it isn't encrypted at all.
ddggttff3 said:
I have a partition dump of the exploitable bootloader if it helps. (which is just the bootloader written 8x times in a row, because google logic) Shoot me a PM if you need anything.
That would be really helpful! I'd appreciate that. I'm in #[email protected] like you, we can discuss further there.
ddggttff3 said:
I have a partition dump of the exploitable bootloader if it helps. (which is just the bootloader written 8x times in a row, because google logic) Shoot me a PM if you need anything.
I would be interested as well:
probutus<at>yahoo.de Thanks!
By the way: Has anyone found a datasheet of the Armada 1500-mini CPU? Marvell seems to be rather restrictive...
It could help to find out about potential CPU bootmode options and alternatives
probutus said:
By the way: Has anyone found a datasheet of the Armada 1500-mini CPU? Marvell seems to be rather restrictive...
It could help to find out about potential CPU bootmode options and alternatives
I dug around a while back while looking for spec-ed operating temperature but I couldn't find anything substantial.
Seems like you have to register with Marvell or have an existing relationship to get that level of documentation.
Do you think the noot version can be rooted?
Hello, I'm wondering before buying this key if there will probably be a root ability in the near future? Or at least a way to use my own local video with a non-rooted one?
Thanks in advance
yoann54 said:
Hello, I'm wondering before buying this key if there will probably be a root ability in the near future?
Nobody knows the future.
yoann54 said:
Or at least a way to use my own local video with a non-rooted one?
Avia, RealPlayer cloud and Plex. This is covered in the sticky FAQ.
Sent from a device with no keyboard. Please forgive typos, they may not be my own.
yoann54 said:
Hello, I'm wondering before buying this key if there will probably be a root ability in the near future? Or at least a way to use my own local video with a non-rooted one?
Thanks in advance
The idea is that if we can put the Marvell CPU into USB or serial boot mode we could boot the vulnerable but properly signed original bootloader to just "recycle" the exploit. For this, I would need the CPU documentation. Till now, I didn't find anything usable.
probutus said:
The idea is that if we can put the Marvell CPU into USB or serial boot mode we could boot the vulnerable but properly signed original bootloader to just "recycle" the exploit. For this, I would need the CPU documentation. Till now, I didn't find anything usable.
Thanks for your answers... just a last question: this method here: http://gtvhacker.com/index.php/Google_Chromecast, is it only for non-updated chromecast devices?
yoann54 said:
Thanks for your answers... just a last question: this method here: http://gtvhacker.com/index.php/Google_Chromecast, is it only for non-updated chromecast devices?
Yes, that only works with the original (build 12072) vulnerable bootloader.
FlashCast uses the same vulnerability.
bhiga said:
Yes, that only works with the original (build 12072) vulnerable bootloader.
FlashCast uses the same vulnerability.
I'm starting to wonder if it isn't possible to trick the CCast by creating a fake Google services and tricking it into loading the original vulnerable version by telling it to load it as an OTA...
I suppose the biggest hurdle is finding a file of the vulnerable version that is OTA installable since the Original was never an OTAed version to begin with.
Asphyx said:
I'm starting to wonder if it isn't possible to trick the CCast by creating a fake Google services and tricking it into loading the original vulnerable version by telling it to load it as an OTA...
I suppose the biggest hurdle is finding a file of the vulnerable version that is OTA installable since the Original was never an OTAed version to begin with.
Google is one step ahead. Every OTA checks against the build.prop build date (which is stored in the kernel's initramfs), so you can't use old official OTAs to downgrade.
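The anti-rollback rule described in that reply, as an added example that is not from the thread or from Google's updater: a shell check that reads ro.build.date.utc from the installed build.prop and from the copy inside a candidate OTA and refuses anything older. Assumed: both files carry ro.build.date.utc as seconds since the epoch, the installed copy is /system/build.prop, and the OTA's copy has already been extracted to a file; equal dates are accepted and a missing value fails closed.

```shell
#!/bin/sh
# Added example, not from the thread: the anti-rollback check ddggttff3
# describes, written as a shell function so it can be tried on extracted
# build.prop files. Assumptions: both files carry ro.build.date.utc (seconds
# since the epoch); the installed copy lives at /system/build.prop and the
# OTA's copy has already been pulled out of the update package. Equal dates
# are accepted (re-flash of the same build), older ones are rejected, and a
# missing or malformed value fails closed.

# Print ro.build.date.utc from a build.prop file, or nothing if it is absent
# or not purely numeric. The trailing whitespace match tolerates CRLF files.
build_date_utc() {
    sed -n 's/^ro\.build\.date\.utc=\([0-9][0-9]*\)[[:space:]]*$/\1/p' "$1" | head -n 1
}

# Return 0 (allow) only when the candidate build is not older than the
# installed one. Usage: ota_allowed /system/build.prop /tmp/ota/build.prop
ota_allowed() {
    installed=$(build_date_utc "$1")
    candidate=$(build_date_utc "$2")
    if [ -z "$installed" ] || [ -z "$candidate" ]; then
        echo "ota_allowed: ro.build.date.utc missing, refusing update" >&2
        return 1
    fi
    [ "$candidate" -ge "$installed" ]
}
```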
ddggttff3 said:
Google is one step ahead. Every OTA checks against the build.prop build date (which is stored in the kernel's initramfs), so you can't use old official OTAs to downgrade.
Yeah makes sense they would do some sort of version checking.

[Q] Need Help Unlocking Bootloader/Installing CM

I tried to unlock my bootloader, following various guides, and kept getting stuck on the "Download Mode !!!" part. I just want to install the latest stable version of Cyanogenmod on my phone since the stock ROM is being a real pain for me (very slow and unresponsive).
I have:
Android 4.1.2
Build Number: JZ054K
Software Version: AME-XXX
I read online that you need the Euro firmware to unlock the bootloader, can I flash the euro firmware and will it mess with my service? I'm confused as to how the firmware affects things since I've read conflicting information. I didn't flash my firmware a few hours before trying to unlock, so maybe that's the problem?
Seriously?
There aren't enough threads and guides for you to read already? Everything you need is already out there on this forum so why start another thread just because you are too lazy to search and read for yourself?
I have read around and have tried a number of guides a number of times. They haven't worked for me and I'm just wondering what I'm doing wrong. Even though all the information is out there, I don't have the experience to understand it, apparently. I've spent hours trying to figure things out but I keep reading conflicting info and half-explained steps, and now I'm just confused and would like a clear point in the right direction.
So, do I need to reflash the latest firmware, wait a few hours, then try again on a full charge? Or do I need a Euro firmware? Which guide should I follow?
I've downloaded a few applications and driver packages and whatnot, but if those could possibly conflict with each other and cause problems I could work with a fresh OS. I'm running OS X but I have Linux VMs and friends with clean Windows installs (mine is all sorts of messed up).
eatfoodnow said:
I tried to unlock my bootloader, following various guides, and kept getting stuck on the "Download Mode !!!" part. I just want to install the latest stable version of Cyanogenmod on my phone since the stock ROM is being a real pain for me (very slow and unresponsive).
I have:
Android 4.1.2
Build Number: JZ054K
Software Version: AME-XXX
I read online that you need the Euro firmware to unlock the bootloader, can I flash the euro firmware and will it mess with my service? I'm confused as to how the firmware affects things since I've read conflicting information. I didn't flash my firmware a few hours before trying to unlock, so maybe that's the problem?
It isn't a question of firmware, the phone needs to have an unlockable bootloader to be able to be, well, unlocked. Here is a list http://forum.xda-developers.com/showthread.php?t=2181581 of P880 bootloader versions. Follow the guide to check which BL your phone has.
That's obsolete, all versions can be unlocked AFAIK, either with the official method or by fuse editing. No need to keep the SIM card in, you just need proper drivers.
Oh, OK, I didn't know that. But, even better, OP should not have any trouble, provided he follows the BL unlock guide here http://forum.xda-developers.com/showthread.php?t=2224020
Maybe his BL is already unlocked OR is relocked (meaning can't be unlocked anymore).
It's more likely that his drivers are messed up IMO.
The fuse editing method should work for everyone, I recommend you give it a try.
So the fuse method would be the "BL-unlock.bat" method on that bootloader unlock forum post? I've tried it before, but I'll try it again. The directions only say to run it, is there anything else I need? Now, since it's a .bat file I absolutely have to run it on Windows, right? Because if so I'll use a friend's computer instead of my windows installation.
What are the necessary installations before I run the file? How should I configure settings on my phone? (like what type of usb connection should it be)
There are a lot of things that people expect readers to know but I'm really not very knowledgeable about standard practices for phone stuff so I really need every step. Thanks for helping!
Since it's a .bat file, you can open it in a text editor to see which commands it executes. I'd still recommend doing it on a Windows machine; other OSes may work but aren't tested.
You need adb & fastboot drivers, plus drivers for our device. It's been a while since I've done it, but AFAIK you can get proper device drivers via the LG support tool.
Flying_Bear said:
Since it's a .bat file, you can open it in a text editor to see which commands it executes. I'd still recommend doing it on a Windows machine; other OSes may work but aren't tested.
You need adb & fastboot drivers, plus drivers for our device. It's been a while since I've done it, but AFAIK you can get proper device drivers via the LG support tool.
Also, correct me if I'm wrong, I only had stock for 2 hours, but stock also needs USB debugging to be enabled or adb won't work?
Yep, AFAIK USB debugging needs to be enabled.
When you are fast enough, it is possible in charging mode while the charger animation is shown. But you have to install the adb driver very fast...
So I'm pretty sure I got the bootloader unlocked, I ran the .bat file and it went through everything until the part where it checks to see if my bootloader is unlocked, it just froze forever, so I closed it.
How should I go about checking?
Also, what would be my next step now for installing CM10.1.3? I tried to follow the guide on the cyanogenmod wiki (install_CM_for_p880) (I can't post links yet)
...but ran into problems with pushing it into root with adb. It said I didn't have permissions, so I googled some stuff, but just got myself confused.
Thanks for all the help btw!
eatfoodnow said:
So I'm pretty sure I got the bootloader unlocked, I ran the .bat file and it went through everything until the part where it checks to see if my bootloader is unlocked, it just froze forever, so I closed it.
How should I go about checking?
Also, what would be my next step now for installing CM10.1.3? I tried to follow the guide on the cyanogenmod wiki (install_CM_for_p880) (I can't post links yet)
...but ran into problems with pushing it into root with adb. It said I didn't have permissions, so I googled some stuff, but just got myself confused.
Thanks for all the help btw!
You can check your BL status by entering SW mode (phone off, hold Vol+ and insert charger) or rebooting into BL (adb reboot oem-unlock).
To install CM the steps are:
-install recovery (you can choose either CWM or TWRP, it's more about looks than functions)
-download the ROM zip onto the SD card
-install said zip from said recovery, there's no adb involved
Now my personal opinion: I really don't see the point in flashing 10.1, I would go straight for CM11 if I were you.
Ok well I think I got things together more or less, eventually I tried to install CM10.1 with the ROM manager app. I forgot to select the options to wipe my data partitions and now I'm stuck in an endless boot loop every time I turn the phone on. I tried to boot from my backup using CWM which I made with the app prior to trying to install, and it gave me an error about an MD5 checksum failing, no matter what I tried. Should I do the factory reset/wipe option with CWM now? What's my best option.
Also why would you recommend CM11 over CM10.1? I don't want to have to deal with a nightly, all this phone stuff is a supreme headache to me.
eatfoodnow said:
Ok well I think I got things together more or less, eventually I tried to install CM10.1 with the ROM manager app. I forgot to select the options to wipe my data partitions and now I'm stuck in an endless boot loop every time I turn the phone on. I tried to boot from my backup using CWM which I made with the app prior to trying to install, and it gave me an error about an MD5 checksum failing, no matter what I tried. Should I do the factory reset/wipe option with CWM now? What's my best option.
Also why would you recommend CM11 over CM10.1? I don't want to have to deal with a nightly, all this phone stuff is a supreme headache to me.
Factory reset then get nandroid manager app and see if you can restore your stuff with that
CM11 is bugless atm and performance (imo) is way superior
So after a factory reset/data wipe, my phone just booted into CM10.1 and now that's working. And it looks like all of my stuff on the phone is still there (though of course apps aren't installed and whatnot, that wouldn't make sense). Thanks for all the help!
I tried to find a feature list or something to see what exactly is better about CM11, and found out that "stable" doesn't exactly mean stable for CM, and that it looks like a good idea to update, so I think I will try to update to that. Do you know anywhere that has an actual feature list to show me what CM11 does that CM10.1 doesn't?

[Q][ME176CX] Any News About Unlocking Bootloader And Installing CWM Recovery?

[Q][ME176CX] Any new news about unlocking bootloader and installing CWM Recovery?
I'm wondering if there are any new news/hacks/exploits/methods to unlock the bootloader on the ASUS Memo Pad 7 (ME176CX) to install ClockworkMod or any other Recovery Menu on it.
I really really need a working Recovery Menu installed, so I can undo critical system changes (eg: Xposed) if the device ends up bootlooping...
EDIT: I googled days long to find a solution, before opening this thread here
GhettoGirl said:
I'm wondering if there are any new news/hacks/exploits/methods to unlock the bootloader on the ASUS Memo Pad 7 (ME176CX) to install ClockworkMod or any other Recovery Menu on it.
I really really need a working Recovery Menu installed, so I can undo critical system changes (eg: Xposed) if the device ends up bootlooping...
EDIT: I googled days long to find a solution, before opening this thread here
Hi,
do you know of the "temporary cwm" or "temporary recovery method" here? How did you root your device?
And: to get out of a bootloop caused by one of the Xposed modules you only need a working adb connection.
Before installing Xposed, check whether you can connect to your tablet via adb. If yes and you get into a bootloop,
simply open an adb shell and you will be able to edit the filesystem.
And maybe what is tried in this thread
http://forum.xda-developers.com/memo-pad-7/help/asus-memopad-7-me176cx-getting-linux-t3164705
may lead to a way to boot other things than Android on this wonderful tablet, that is, maybe TWRP and CWM are
in reach.
HTH!
Best regards,
tuxic
Thanks for the reply.
tuxic001 said:
How did you root your device?
I've rooted my device with ROOT ZenFone, worked like a charm at the first try.
tuxic001 said:
do you know of the "temporary cwm" or "temporary recovery method" here?
I've heard of that temporary recovery method, but I prefer a permanent one which can be accessed with POWER+HOLD VOL-. What exactly are the differences between a temporary and a permanent one, do you need to install this every time you need it? Or how can I understand this.
tuxic001 said:
check, whether you can connect to your tablet via adb. If yes and you get into a bootloop,
simply open a adb shell and you will be able to edit the filesystem
What I understand about bootloops is that the device does a full restart after being unable to start Android, which would disconnect the adb shell. Or did I get something wrong here?
tuxic001 said:
And maybe what is tried in this thread
http://forum.xda-developers.com/memo-pad-7/help/asus-memopad-7-me176cx-getting-linux-t3164705
I know about this, but it's not finished yet. The power button for example cannot be used to confirm, which would be useless on-the-go. (Who has a keyboard all the time :silly: )
http://forum.xda-developers.com/memo-pad-7/help/how-to-dual-boot-me176cx-part-1-t3183437
Sorry for all the questions, but I got this device 2 days ago and I don't know anything about what's going on under the hood, and no: I'm not an Android/Linux noob, I just don't want to fully brick my device.
And also, what about a Nandroid backup over adb, is there a legit way to achieve this?
Thanks in advance
EDIT: I tried the temporary recovery, but I'm unable to do any kind of backup. Maybe the paths are all incorrect (?)
Anyway, I took the risk of a bootloop and installed the Xposed framework and succeeded.
I also found out that I can try to "stop" Android before it bootloops again -> adb -d shell stop, and do a manual restore over the command line.
GhettoGirl said:
Thanks for the reply.
I've rooted my device with ROOT ZenFone, worked like a charm at the first try.
I've heard of that temporary recovery method, but I prefer a permanent one which can be accessed with POWER+HOLD VOL-. What exactly are the differences between a temporary and a permanent one, do you need to install this every time you need it? Or how can I understand this.
What I understand about bootloops is that the device does a full restart after being unable to start Android, which would disconnect the adb shell. Or did I get something wrong here?
I know about this, but it's not finished yet. The power button for example cannot be used to confirm, which would be useless on-the-go. (Who has a keyboard all the time :silly: )
http://forum.xda-developers.com/memo-pad-7/help/how-to-dual-boot-me176cx-part-1-t3183437
Sorry for all the questions, but I got this device 2 days ago and I don't know anything about what's going on under the hood, and no: I'm not an Android/Linux noob, I just don't want to fully brick my device.
And also, what about a Nandroid backup over adb, is there a legit way to achieve this?
Thanks in advance
EDIT: I tried the temporary recovery, but I'm unable to do any kind of backup. Maybe the paths are all incorrect (?)
Anyway, I took the risk of a bootloop and installed the Xposed framework and succeeded.
I also found out that I can try to "stop" Android before it bootloops again -> adb -d shell stop, and do a manual restore over the command line.
Hi GhettoGirl,
(first of all: I am no native English speaker... so some things may sound wrong either technically or otherwise.
But they are not intended to do so....)
I started with my ME176CX not long ago and I am still a newbie when it comes to Android (having some experience in Linux though). Mis012 and cyandro helped me a
LOT to get more understanding and to root my tablet.
I rooted my ME176CX with the temporary CWM/TWRP recovery method, which makes other wonderful things possible too.
You will find links to its description here (a BIG thank you to cyandro and Mis012) and it is the thread from which I learned
so much:
http://forum.xda-developers.com/memo-pad-7/help/asus-memopad-7-me176cx-1e041a-otg-t3156922
(The title of the thread has become a little misleading in the meanwhile...)
The base problem (currently) with this tablet is: the bootloader is locked.
This means:
If you power on the tablet, roughly the following steps happen:
1) The CPU gets power, erases its own internal RAM and registers, does some other initializing
and finally executes a super mini mini program, which is often in its own ROM.
2) This little program calls UEFI (it's kind of a "BIOS replacement" -- think of the BIOS screen of PCs when pressing F2/ESC/DEL while booting)
3) The UEFI looks into its configuration and calls the bootloader.
4) Finally it boots the Android Linux kernel, BUT only a kernel which is cryptographically "signed" by ASUS. That's why it is called "locked".
By the way: you can get into UEFI if you attach a powered OTG hub and a USB keyboard to the tablet, power it up and hammer "F2" while
it boots. Be careful! For the first time: don't change anything!
A permanent TWRP/CWM would be possible if the bootloader would boot TWRP/CWM as a kind of "kernel replacement". But since both are not
signed by ASUS... sigh.
The temporary CWM/TWRP method (and now some not-so-sure knowledge follows) tricks the bootloader (called "fastboot") into thinking that some
factory maintenance has to be done (like partitioning the eMMC internal flash) and therefore allows inserting an unsigned boot image temporarily
into the system and booting that instead of the kernel. And if these "recovery images" are not recovery images as such but say TWRP or CWM, the
system boots into those.
And it feels and acts identical (until now I did not find a difference) to a permanent TWRP/CWM recovery... but it can only be initiated with the help of
a second computer (or another Android smartphone/tablet which is rooted and has a Terminal Emulator and adb/fastboot installed).
Bootloops: you are completely right here, GhettoGirl... as long as the power is there, it boot loops and boot loops and....
But you already found your way into the system: COOL!
With the same temporary TWRP/CWM method you can start TWRP and do a Nandroid backup (whole system backup) and put that onto
the external SD card.
BUT! ATTENTION! I don't know whether the kind of eMMC flash is important in this process, and I don't know whether TWRP currently doesn't support
the ME176CX. The locked bootloader may be the reason, or an incompatible/currently not supported eMMC flash. I did a Nandroid backup but I didn't test
restoring it!
I don't understand why it does not work for you: what size is your SD card?
Another way, which may be better at this moment, is to back up all user data with Titanium Backup to the external SD card. If anything fails: reflash the last
Lollipop ROM (not the upgrade... the whole thing) with the temporary TWRP/CWM method and then install Titanium Backup again and restore all user data.
This way was also NOT tested by me.
Maybe someone can comment on this? Mis012? Cyandro?
What Mis012, cyandro and I are trying to do is to insert a UEFI boot manager in the boot sequence BEFORE the locked bootloader. With this boot manager
it should be possible to select either another Linux kernel (another non-locked bootloader) to boot a free and open Linux distro of your choice or even things
like Windows... or TWRP/CWM or CyanogenMod (if one will be available...)
Since this is a work in progress with some real problems to clarify, this is currently not finished.
And: only questions will lead to answers. Therefore: ASK!
And I have also a question: Do you use Linux or Windows with your PC?
HTH!
Best regards,
tuxic
Thanks for the useful info
And I'm a pure Linux user, I literally don't know anything about Windows.
My current distro is openSUSE x86_64.
GhettoGirl said:
Thanks for the useful info.
And I'm a pure Linux user, I literally don't know anything about Windows.
My current distro is openSUSE x86_64.
...me too. The only windows here are those made of glass...
Have fun!
tuxic

Kingroot gains then reboots after random time then root is lost???

Aha! Even though I am not a big fan of KingRoot, I managed to get version 5.3.0 to root the Z4V. Sort Of.
Sort Of? Well, I have Flashtool running on my PC and all drivers working. KingRoot runs and achieves root. Flashtool then recognizes root and pushes files and deactivates RIC. Then I get a seemingly random reboot on the phone, when it returns, root is gone.
Any ideas how to get it fixed?
Rick
BlackIce000
Sorry for the x-post, but this is a new issue.
I can have root for up to 30 seconds with ADB push and shell working and write access. What can I do to change build.prop (or another file) to allow bootloader unlock or disable RIC so on reboot I keep root? If I can get the ROM OUT of the phone I can change it.
Anyone have the Stock ROM image for the E6508?
Rick
BlackIce
blackice000 said:
I can have root for up to 30 seconds with ADB push and shell working and write access. What can I do to change build.prop (or another file) to allow bootloader unlock or disable RIC so on reboot I keep root? If I can get the ROM OUT of the phone I can change it.
Anyone have the Stock ROM image for the E6508?
Rick
BlackIce
Not really sure if bootloader unlock is possible in any way, shape or form - perhaps ask @jerpelea if he knows of any way to unlock it.
Disabling RIC, patching the boot.img and other stuff perhaps can be done with tobias.waldvogel's patcher, but for that you first need an image (mentioned in your other thread).
Also, without an unlocked bootloader, trying to flash a kernel would be fruitless, and the risk is high to brick the device by writing a prepared image directly (from within Android) via dd - given that it's possible that the image might not work, or you made a mistake, so you'll end up with a non-booting or bootlooping device ...
... which you cannot recover, since you cannot restore a working state.
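Before any prepared image is written to a partition with dd, as the post above warns, the least one can do is confirm it is a structurally sound Android boot image whose sections actually fit inside the file. The following is an added example, not code from this thread or from any tool mentioned in it: a parser for the classic (v0) boot.img header, with a constructed sample image built in the same layout for testing; the load addresses, name and cmdline are made-up values.

```python
import struct

BOOT_MAGIC = b"ANDROID!"
# v0 header: magic, then kernel_size, kernel_addr, ramdisk_size, ramdisk_addr,
# second_size, second_addr, tags_addr, page_size, header_version, os_version,
# name[16], cmdline[512], id[8], extra_cmdline[1024]  (1632 bytes, little-endian)
HDR_FMT = "<8s10I16s512s8I1024s"
HDR_SIZE = struct.calcsize(HDR_FMT)


def _pages(size, page_size):
    """Number of whole pages needed to hold `size` bytes."""
    return (size + page_size - 1) // page_size


def parse_boot_img(data):
    """Validate and parse a v0 boot image; raises ValueError on anything
    that would make flashing it a guaranteed non-booting device."""
    if len(data) < HDR_SIZE:
        raise ValueError("file shorter than a boot image header")
    fields = struct.unpack_from(HDR_FMT, data, 0)
    magic, ksz, _ka, rsz, _ra, ssz, _sa, _tags, page, _hv, _osv = fields[:11]
    name, cmdline = fields[11], fields[12]
    if magic != BOOT_MAGIC:
        raise ValueError("bad magic %r: not an Android boot image" % magic)
    if page not in (2048, 4096, 8192, 16384, 32768, 65536, 131072):
        raise ValueError("implausible page_size %d" % page)
    if ksz == 0:
        raise ValueError("kernel_size is 0: image carries no kernel")
    # Layout: header (1 page), kernel, ramdisk, second; each padded to a page.
    k_off = page
    r_off = k_off + _pages(ksz, page) * page
    s_off = r_off + _pages(rsz, page) * page
    end = s_off + _pages(ssz, page) * page
    if end > len(data):
        raise ValueError("header needs %d bytes, file has %d" % (end, len(data)))
    return {"page_size": page, "kernel_size": ksz, "kernel_offset": k_off,
            "ramdisk_size": rsz, "ramdisk_offset": r_off,
            "kernel": data[k_off:k_off + ksz], "ramdisk": data[r_off:r_off + rsz],
            "name": name.rstrip(b"\0").decode(), "cmdline": cmdline.rstrip(b"\0").decode()}


def build_boot_img(kernel, ramdisk, page_size=2048, cmdline=b"console=ttyMSM0"):
    """Constructed sample only: assemble a v0 image from raw kernel/ramdisk bytes.
    Addresses are arbitrary placeholders, not values for any real device."""
    hdr = struct.pack(HDR_FMT, BOOT_MAGIC, len(kernel), 0x10008000, len(ramdisk),
                      0x11000000, 0, 0x10F00000, 0x10000100, page_size, 0, 0,
                      b"sample", cmdline, *([0] * 8), b"")
    pad = lambda b: b + b"\0" * (-len(b) % page_size)  # pad to page boundary
    return pad(hdr) + pad(kernel) + pad(ramdisk)
```

Running `parse_boot_img` on a real dump will reject truncated files and wrong-magic blobs before they are ever written anywhere.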
Interesting reading! I just cannot get it done in the short time allotted by my brief root access.
I have spoken with Sony and they have provided an unlock code. I have spoken with Verizon and they couldn't care less what I do with the phone. I am waiting for some high level tech to get back to me with some additional info.
I do not know if it is possible Verizon can allow the bootloader to be unlocked with a simple code entry. If it CAN be done, I am sure I can get to someone to allow it. I have some very high connections within the Verizon hierarchy. Just don't know what to actually ask for!
Rick

[noob] Understanding the bootloader/recovery/OS connection

I'm about to get an XZ1 Compact and I'm interested in exploring its files. I understand Windows, but Android's terminology is new to me. I'm unsure whether I understand correctly how Android works. Is this right?:
(1) When turned on, a small OS (the "bootloader") powers on, and its objects call
(2) objects in the "recovery partition," which in turn
(3) call the files and objects in the main partition which power the actual Android OS.
To change files in the main partition ("flashing ROM") either the new files' APIs must match those in the previous OS or else files in the recovery partition also need to change ("be customized"). Similarly, changing the recovery partition requires either the same API calls from the bootloader or else changing the bootloader ("unlocking" it).
Is all that right? Does this mean doing something like installing TWRP (from the command line on my desktop, where I already have Android Studio and the Android SDK tools) means I have to "unlock" the bootloader too? [Is there a suggested web site or reference, besides this forum, with good info to teach me what I need to know to understand bootloaders, recovery partitions, custom ROMs, etc.?]
Thanks!
Al C.
acolburn3 said:
Is all that right? Does this mean doing something like installing TWRP (from the command line on my desktop, where I already have Android Studio and the Android SDK tools) means I have to "unlock" the bootloader too? [Is there a suggested web site or reference, besides this forum, with good info to teach me what I need to know to understand bootloaders, recovery partitions, custom ROMs, etc.?]
Thanks!
Al C.
Hi Al C,
What you described is basically how it works, although the bootloader decides what partition to load the operating system from. The recovery is located in the recovery partition and the bootloader can start it up the same way as an operating system and it allows users control over certain aspects of the phone such as wiping partitions and modifying the currently installed Android.
Here is a site that describes some of the terms:
https://trendblog.net/guide-to-android-rooting-custom-roms-apps/
In order to modify your Android operating system and flash a custom ROM you need to unlock the bootloader as the locked bootloader will only boot your stock firmware (Android OS) that came with your phone.
---------- Post added at 05:28 PM ---------- Previous post was at 05:22 PM ----------
The XZ1 Compact is not the easiest device to learn these things with, as Sony has locked certain parts of the OS using DRM (digital rights management), which requires a couple of extra steps when unlocking the bootloader. Without these DRM keys the camera does not work.
Additionally, not all XZ1 Compacts' bootloaders can be unlocked.
Check this PDF for instructions to unlocking the bootloader and backing up DRM keys:
https://forum.xda-developers.com/xp...-exploits-temp-root-to-backup-t3795510/page39
If you have any specific questions I'm happy to help.
Your explanation makes perfect sense, and those look like really useful links. Thank you for taking the time to respond so thoughtfully. I'd read about the camera issues. Although some folks describe solutions (XperiFix?), I don't think I need Android 10 enough to want to risk flashing it yet. In the meantime, do installing a different recovery (TWRP?) or rooting the device require unlocking the bootloader, too?
p.s. If the answers to those questions are in the links you gave me, I'm perfectly OK being told "go read them!"
acolburn3 said:
Your explanation makes perfect sense, and those look like really useful links. Thank you for taking the time to respond so thoughtfully. I'd read about the camera issues. Although some folks describe solutions (XperiFix?), I don't think I need Android 10 enough to want to risk flashing it yet. In the meantime, do installing a different recovery (TWRP?) or rooting the device require unlocking the bootloader, too?
p.s. If the answers to those questions are in the links you gave me, I'm perfectly OK being told "go read them!"
The short answer is yes. You need to unlock the bootloader in order to root and install a custom recovery.
The long answer is that there is a workaround using the Temp-Root solution provided by J4nn: https://forum.xda-developers.com/xp...devonly-exploits-temp-root-to-backup-t3795510
that is used to root the phone temporarily so that the DRM keys can be backed up. When you use the Magisk version of the exploit that is linked in the first post, you have root access until you reboot the phone.
If you want to get root back you need to connect it to your computer using ADB (android debugging bridge) and send the commands again. Additionally, it only works with a few certain Android Oreo based stock firmwares.
So it is not exactly a workable solution.
I have not heard of XperiFix before. The thread I linked by J4nn and the previous PDF I mentioned are the way that I bootloader unlocked my device and made sure I still have a working camera, although other methods might exist.
I'm glad I could help.
