BLU R1 HD v6.6 Dirtycowed F.U. AMAZON ROOT AND UNLOCK GUIDE - BLU R1 HD Guides, News, & Discussion

Hello everyone. We found a way to unlock and root a BLU R1 HD on OTA version 6.6.
Files http://forum.xda-developers.com/showpost.php?p=69387472&postcount=5
Here are the instructions:
mrmazak said:
I wrote (or plagiarized a little) Five batch scripts and put them into a .tar archive.
It is attached.
***** NOTICE: DURING THIS, YOUR PHONE SCREEN MAY SHOW A FROZEN BOOT ANIMATION. THIS IS EXPECTED; THE ADB SHELL SHOULD STILL BE ACTIVE AND WORKING *****
** THE FREEZING IS FROM "/system/bin/app_process32" BEING TEMPORARILY OVERWRITTEN; ON THE NEXT REBOOT IT IS RESTORED ****
WARNING UNLOCKING YOUR BOOTLOADER WILL WIPE DATA AND FACTORY RESET THE DEVICE
So backup anything you want to keep
Decompress the files and start with "1-First", and continue until "5-Fifth". (in order 1,2,3,4,5)
The separate scripts could be combined into a one-click option to unlock the bootloader and then install the recovery. But there are issues with a shell in a shell in a cmd passing the commands through. So, in an effort to make sure nobody misses the needed manual steps, I kept them separate.
PLEASE PAY ATTENTION TO THE COMMENTS IN ADB WINDOW. CAREFULLY CHECK WHAT YOU TYPE BEFORE YOU HIT ENTER. A TYPO HERE MAY BE SERIOUS.
So you will need to run the script and follow the on-screen notes. There are two times you will need to manually open a second command window, enter adb shell and type commands: once in the First batch and again in the Third. Copy and paste also doesn't work in this situation.
If you are on Linux you will have to rewrite the commands into an sh file or do it all by hand.
If anybody wants to make improvements and can get the manual entry part to be coded, please do.
1-First.bat
Code:
::Set our Window Title
@title R1 HD Amazon Bootloader Unlock Step one
::Set our default parameters
@echo off
color 0b
echo.--------------------------------------------------------------------------------------------
echo.--------------------------------------------------------------------------------------------
echo [*] adjust window size to the dashed lines above (press any button to continue)
pause > nul
adb push dirtycow /data/local/tmp/dirtycow
adb push cow-app64-mod /data/local/tmp/cow-app64-mod
adb push frp.bin /data/local/tmp/unlock
adb shell chmod 0777 /data/local/tmp/*
echo.--------------------------------------------------------------------------------------------
echo [*] done pushing next is dirtycow swapping (press any button twice)
echo.--------------------------------------------------------------------------------------------
pause > nul
pause > nul
adb shell /data/local/tmp/dirtycow /system/bin/app_process32 /data/local/tmp/cow-app64-mod
echo.--------------------------------------------------------------------------------------------
echo.--------------------------------------------------------------------------------------------
echo [*] once it finishes
echo [*] open new command window and type
echo [*] "adb shell"
echo [*] then "toybox nc localhost 11112"
echo [*] and you will be in a root shell... you won't see any # or prompt, but type commands and it shows
echo [*] once you are in the shell type
echo [*] "mkdir /data/local/test"
echo [*] "chmod 7777 /data/local/test"
echo [*] "cp /dev/block/mmcblk0p17 /data/local/test/frp"
echo [*] "chmod 7777 /data/local/test/frp"
echo [*] Leave that New window There and go onto start 2-Second.bat
echo [*] (press any button twice)
echo.--------------------------------------------------------------------------------------------
echo.--------------------------------------------------------------------------------------------
pause > nul
pause > nul
2-Second.bat
Code:
::Set our Window Title
@title R1 HD Amazon Bootloader Unlock Step Two
::Set our default parameters
@echo off
color 0b
echo.--------------------------------------------------------------------------------------------
echo.--------------------------------------------------------------------------------------------
echo [*] adjust window size to the dashed lines above (press any button to continue)
pause > nul
echo [*] YOU SHOULD NOT BE HERE UNLESS YOU DID THE STEP BELOW
echo [*] **************************************
echo [*] open new command window and type
echo [*] "adb shell"
echo [*] then "toybox nc localhost 11112"
echo [*] and you will be in a root shell... you won't see any # or prompt, but type commands and it shows
echo [*] once you are in the shell type
echo [*] "mkdir /data/local/test"
echo [*] "chmod 7777 /data/local/test"
echo [*] "cp /dev/block/mmcblk0p17 /data/local/test/frp"
echo [*] "chmod 7777 /data/local/test/frp"
echo [*] *****************************************
echo [*] (press any button)
echo.--------------------------------------------------------------------------------------------
echo.--------------------------------------------------------------------------------------------
pause > nul
echo [*] this step may take a long time (up to one hour) to fully complete
echo [*] I continued before it finished and was fine though
echo [*] once the second "madvice=" line shows up it should be ok to continue
echo [*] ..
echo [*] press any key twice to Start
echo [*] ......To continue after second "madvice" line hit "ctrl+c" then Y then run 3-Third.bat
echo.--------------------------------------------------------------------------------------------
echo.--------------------------------------------------------------------------------------------
pause > nul
pause > nul
adb shell /data/local/tmp/dirtycow /data/local/test/frp /data/local/tmp/unlock
echo [*] done dirtycow swapping next is run 3-Third.bat (press any button twice)
pause > nul
pause > nul
3-Third.bat
Code:
::Set our Window Title
@title R1 HD Amazon Bootloader Unlock Step Three
::Set our default parameters
@echo off
color 0b
echo.--------------------------------------------------------------------------------------------
echo.--------------------------------------------------------------------------------------------
echo [*] adjust window size to the dashed lines above (press any button to continue)
pause > nul
echo [*] YOU SHOULD NOT BE HERE UNLESS YOU DID THE STEP BELOW
echo [*] **************************************
echo [*] wait at minimum for the second "madvice=" line to show up while running 2-Second.bat
echo [*] this batch does nothing more than give you instructions to open a separate shell
echo.--------------------------------------------------------------------------------------------
echo.--------------------------------------------------------------------------------------------
echo [*] ******
echo [*] ******
echo [*] ******
echo [*] ******
echo [*] Go Back to open shell window from step 1
echo [*] enter this command
echo [*] dd if=/data/local/test/frp of=/dev/block/mmcblk0p17
echo.--------------------------------------------------------------------------------------------
echo.--------------------------------------------------------------------------------------------
echo [*] done writing unlock image next is run 4-Fourth.bat (press any button twice)
echo.--------------------------------------------------------------------------------------------
echo.--------------------------------------------------------------------------------------------
pause > nul
pause > nul
4-Fourth.bat
Code:
::Set our Window Title
@title R1 HD Amazon Bootloader Unlock Step Four
::Set our default parameters
@echo off
color 0b
echo.--------------------------------------------------------------------------------------------
echo.--------------------------------------------------------------------------------------------
echo [*] adjust window size to the dashed lines above (press any button twice to continue)
pause > nul
@echo on
pause > nul
adb reboot bootloader
timeout 10 > nul
cls
@echo off
echo.--------------------------------------------------------------------------------------------
echo.--------------------------------------------------------------------------------------------
echo [*] now that the device is in fastboot mode we are going to unlock the
echo [*] bootloader. on the next screen on your phone you will see
echo [*] PRESS THE VOLUME UP/DOWN BUTTONS TO SELECT YES OR NO
echo [*] just press volume up to start the unlock process.
echo.--------------------------------------------------------------------------------------------
echo.--------------------------------------------------------------------------------------------
echo [*] press any key to start the unlock
pause > nul
fastboot oem unlock
echo [*] once the bootloader is unlocked press any key to wipe data
pause > nul
fastboot format userdata
echo [*] Press any key to reboot the device
pause > nul
fastboot reboot
cls
echo.--------------------------------------------------------------------------------------------
echo.--------------------------------------------------------------------------------------------
echo [*] your bootloader is now unlocked on your BLU R1 HD Amazon device
echo [*] first boot up will take around 5 to 10 minutes then you can set it up
echo [*] Next is the 5-Fifth.bat to install recovery
echo [*] You will need to enable developer options, then enable adb to continue to the next script
echo [*] ******************
echo [*] IF PHONE DOES NOT REBOOT HOLD POWER UNTIL IT POWERS OFF THEN AGAIN TO POWER ON
echo [*] ******************
echo.--------------------------------------------------------------------------------------------
echo.--------------------------------------------------------------------------------------------
echo [*] Press any key to finish this script.
pause > nul
exit
5-Fifth.bat
Code:
::Set our Window Title
@title R1 HD Amazon Bootloader Unlock Step Five
::Set our default parameters
@echo off
color 0b
echo.--------------------------------------------------------------------------------------------
echo.--------------------------------------------------------------------------------------------
echo [*] adjust window size to the dashed lines above (press any button twice to continue)
pause > nul
@echo on
pause > nul
adb reboot bootloader
timeout 10 > nul
cls
@echo off
echo.--------------------------------------------------------------------------------------------
echo.--------------------------------------------------------------------------------------------
echo [*]
echo [*]
echo [*]
echo [*]
echo.--------------------------------------------------------------------------------------------
echo.--------------------------------------------------------------------------------------------
echo [*] press any key to Flash recovery
pause > nul
fastboot flash recovery recovery.img
echo [*] once the file transfer is complete hold volume up and press any key on pc
echo [*] IF PHONE DOES NOT REBOOT THEN HOLD VOLUME UP AND POWER UNTIL IT DOES
pause > nul
fastboot reboot
echo [*] on phone select recovery with volume key then select with power
pause > nul
cls
echo.--------------------------------------------------------------------------------------------
echo.--------------------------------------------------------------------------------------------
echo [*] now you booted to recovery continue and make a backup if you want
echo [*] you can just continue as is from here or flash the old preloader file with
echo [*] recovery. There are more steps not included here if you want to do that.
echo [*]
echo.--------------------------------------------------------------------------------------------
echo.--------------------------------------------------------------------------------------------
echo [*] Press any key to finish this script.
pause > nul
exit
Follow up with bootloader roll-back if desired.
http://forum.xda-developers.com/r1-hd/how-to/r1hd-update-6-6-bootloader-roll-t3491096
Non-important note: my English sucks! Long live Puerto Rico
thanks to:
@jcadduono - wrote recowvery-app_proccess64
@mrmazak - main tester, bat script writer & fastboot steps
@Scorpius666 - mod recowvery-app_proccess64 and lsh into cow-app64-mod
@christianrodher - compiled dirtycow, cow-app64-mod & found the steps to unlock/root
@rootjunky - for files
@lopestom - twrp recovery
@brenns10 - wrote lsh

nicely done guy.
wait you guys have a 64bit enabled r1HD? how?

KazuDante said:
nicely done guy.
wait you guys have a 64bit enabled r1HD? how?
That's just the name of the files... they are compiled as 32-bit.

Oh ok... man, I had my hopes up... because we need to enable the R1 in 64-bit mode.
Sent from my BLU R1 HD using Tapatalk

UPDATED
OLD batch script is now made into an interactive "tool"
REMOVED LINK: THE FILE HAD A PROBLEM, A SCRIPT TYPO MADE IT UNSTABLE
fixing and will update soon
fixed version here
sorry about the confusion. Will make a new thread for the tool I think
New thread https://forum.xda-developers.com/r1-hd/how-to/unlock-tool-t3561333
old post is hidden
I keep telling myself I am finished with the script, but then improve it again. I finally decided to put it on github.
https://github.com/mrmazakblu/DirtyCow-R1_HD
most recent version of script and files are now kept on github.
Last post before github host is here
Download the tar file and unpack it into a folder of your choice. Connect the phone to the PC with ADB enabled. Open the folder where you unzipped the files and click on "one-click-root.bat". Dirtycow has been modified to run much quicker. The newly compiled dirtycow.c file is included in the archive. It is the optimized dirtyc0w from this github: https://github.com/bkerler/CVE-2016-5195/tree/master
The included recowvery-app_process32.c comes from @vampirefo 's github project. I changed one line near the end: I changed the 120 second timeout to 10 seconds. https://github.com/vampirefo/limited_shell_root/tree/vampirefo-limited_shell_root
The included busybox executable also comes from vampirefo. It was not necessary to use busybox, because this device has toybox included, but I wanted something that could possibly be used on more devices, so I included it in the scripts.
WARNING UNLOCKING YOUR BOOTLOADER WILL WIPE DATA AND FACTORY RESET THE DEVICE
So backup anything you want to keep
One-Click-root.bat
Code:
::Set our Window Title
@title R1 HD AMAZON BOOTLOADER UNLOCK
mode 100,30
::Set our default parameters
@echo off
color 0b
echo.--------------------------------------------------------------------------------------------
echo.--------------------------------------------------------------------------------------------
echo [*] BEFORE WE BEGIN THE SCRIPT WILL RUN "ADB DEVICES" AND SEE IF YOU HAVE DRIVERS INSTALLED
echo [*] THE NEEDED RESPONSE IS SIMILAR TO BELOW
echo [*]
echo [*] List of devices attached
echo [*] **************** device
echo [*]
echo [*] INSTEAD OF STARS IT WILL BE YOUR SERIAL NUMBER
echo [*] IF NO DEVICE LISTED YOU ARE NOT READY TO RUN THIS SCRIPT. CLOSE THIS WINDOW NOW IF NOT READY
echo [*]
echo [*] IF DEVICE IS LISTED PRESS ANY KEY ON COMPUTER TO START
echo [*]
adb devices
pause > nul
adb wait-for-device
cls
echo [*] copying dirtycow to /data/local/tmp/dirtycow
adb push dirtycow /data/local/tmp/dirtycow
timeout 2 > nul
echo [*] copying recowvery-app_process32 to /data/local/tmp/recowvery-app_process32
adb push recowvery-app_process32 /data/local/tmp/recowvery-app_process32
timeout 2 > nul
echo [*] copying frp.bin to /data/local/tmp/unlock
adb push frp.bin /data/local/tmp/unlock
timeout 2 > nul
echo [*] copying busybox to /data/local/tmp/busybox
adb push busybox /data/local/tmp/busybox
timeout 2 > nul
echo [*] copying cp_comands.txt to /data/local/tmp/cp_comands.txt
adb push cp_comands.txt /data/local/tmp/cp_comands.txt
timeout 2 > nul
echo [*] copying dd_comands.txt to /data/local/tmp/dd_comands.txt
adb push dd_comands.txt /data/local/tmp/dd_comands.txt
timeout 2 > nul
echo [*] changing permissions on copied files
adb shell chmod 0777 /data/local/tmp/*
timeout 2 > nul
cls
echo.--------------------------------------------------------------------------------------------
echo [*] DONE PUSHING FILES TO PHONE. NOW WE ARE GOING TO TEMP WRITE OVER THE APP_PROCESS
echo [*] WITH A MODIFIED VERSION THAT HAS lsh IN IT USING A SYSTEM-SERVER AS ROOT SHELL
echo [*] THIS STEP WILL CAUSE PHONE TO DO A SOFT REBOOT AND WILL NOT RESPOND TO BUTTON PUSHES
echo [*]
adb shell /data/local/tmp/dirtycow /system/bin/app_process32 /data/local/tmp/recowvery-app_process32
echo.--------------------------------------------------------------------------------------------
cls
echo.--------------------------------------------------------------------------------------------
echo.--------------------------------------------------------------------------------------------
echo [*] WAITING 60 SECONDS FOR ROOT SHELL TO SPAWN
timeout 60 > nul
echo.--------------------------------------------------------------------------------------------
echo [*] OPENING A ROOT SHELL ON THE NEWLY CREATED SYSTEM_SERVER
echo [*] MAKING A DIRECTORY ON PHONE TO COPY FRP PARTITION TO
echo [*] CHANGING PERMISSIONS ON NEW DIRECTORY
echo [*] COPYING FRP PARTITION TO NEW DIRECTORY AS ROOT
echo [*] CHANGING PERMISSIONS ON COPIED FRP
adb shell "/data/local/tmp/busybox nc localhost 11112 < /data/local/tmp/cp_comands.txt"
cls
echo [*] COPY UNLOCK.IMG OVER TOP OF COPIED FRP IN /data/local/test NOT AS ROOT WITH DIRTYCOW
echo [*]
adb shell /data/local/tmp/dirtycow /data/local/test/frp /data/local/tmp/unlock
timeout 5 > nul
cls
echo [*] WAITING 5 SECONDS BEFORE WRITING FRP TO EMMC
timeout 5 > nul
echo [*] DD COPY THE NEW (UNLOCK.IMG) FROM /data/local/test/frp TO PARTITION mmcblk0p17
adb shell "/data/local/tmp/busybox nc localhost 11112 < /data/local/tmp/dd_comands.txt"
echo.--------------------------------------------------------------------------------------------
echo.--------------------------------------------------------------------------------------------
echo.-----------REBOOTING_INTO_BOOTLOADER--------------------------------------------------------
adb reboot bootloader
cls
echo.--------------------------------------------------------------------------------------------
echo.--------------------------------------------------------------------------------------------
echo [*] YOUR PHONE SCREEN SHOULD BE BLACK WITH THE WORD "=>FASTBOOT mode..." IN LOWER CORNER
echo [*] JUST LIKE IN THE BEGINNING WE NEED TO VERIFY YOU HAVE DRIVERS ON PC FOR THE NEXT STEP
echo [*] THE RESPONSE SHOULD BE
echo [*]
echo [*] *************** fastboot
echo [*]
echo [*] THE STARS WILL BE YOUR SERIAL NUMBER
echo [*] IF THE RESPONSE IS THIS THEN HIT ANY BUTTON ON PC TO CONTINUE
echo [*]
echo [*] IF RESPONSE IS A BLANK LINE YOU DO NOT HAVE DRIVER NEEDED TO CONTINUE. CLOSE THIS WINDOW
echo [*] AND GET FASTBOOT DRIVERS THEN EITHER RUN "fastboot oem unlock" IN TERMINAL
fastboot devices
pause > nul
cls
echo [*] NOW THAT THE DEVICE IS IN FASTBOOT MODE WE ARE GOING TO UNLOCK THE
echo [*] BOOTLOADER. ON THE NEXT SCREEN ON YOUR PHONE YOU WILL SEE
echo [*] PRESS THE VOLUME UP/DOWN BUTTONS TO SELECT YES OR NO
echo [*] JUST PRESS VOLUME UP TO START THE UNLOCK PROCESS.
echo.--------------------------------------------------------------------------------------------
echo.--------------------------------------------------------------------------------------------
echo [*] PRESS ANY KEY ON COMPUTER TO START THE UNLOCK
pause > nul
fastboot oem unlock
cls
echo [*] ONCE THE BOOTLOADER IS UNLOCKED PRESS ANY KEY TO WIPE DATA
pause > nul
fastboot format userdata
cls
echo [*] PRESS ANY KEY TO REBOOT THE DEVICE
pause > nul
fastboot reboot
cls
echo.--------------------------------------------------------------------------------------------
echo.--------------------------------------------------------------------------------------------
echo [*] YOUR BOOTLOADER IS NOW UNLOCKED ON YOUR BLU R1 HD AMAZON DEVICE
echo [*] FIRST BOOT UP WILL TAKE AROUND 5 TO 10 MINUTES THEN YOU CAN SET IT UP
echo [*] NEXT IS TO INSTALL RECOVERY TWRP
echo [*]
echo [*]
echo [*] YOU WILL NEED TO ENABLE DEVELOPER OPTIONS, THEN ENABLE ADB TO CONTINUE TO THE NEXT SCRIPT
echo [*] ******************
echo [*] IF PHONE DID NOT REBOOT HOLD POWER UNTIL IT POWERS OFF THEN AGAIN TO POWER ON
echo [*] ******************
echo.--------------------------------------------------------------------------------------------
echo.--------------------------------------------------------------------------------------------
echo [*] PRESS ANY KEY TO INSTALL TWRP AFTER YOU ENABLE DEVELOPER OPTIONS ON PHONE
echo [*] OR CTRL+C TO STOP HERE
pause > nul
echo.--------------------------------------------------------------------------------------------
echo.--------------------------------------------------------------------------------------------
echo.-----------REBOOTING_INTO_BOOTLOADER--------------------------------------------------------
adb reboot bootloader
cls
echo.--------------------------------------------------------------------------------------------
echo.--------------------------------------------------------------------------------------------
echo [*] NOW YOU'RE IN FASTBOOT MODE AND READY TO FLASH TWRP RECOVERY
echo [*]
echo [*]
echo [*]
echo.--------------------------------------------------------------------------------------------
echo.--------------------------------------------------------------------------------------------
echo [*] PRESS ANY KEY TO FLASH RECOVERY
pause > nul
fastboot flash recovery recovery.img
echo [*] ONCE THE FILE TRANSFER IS COMPLETE HOLD VOLUME UP AND PRESS ANY KEY ON PC
echo [*]
echo [*] IF PHONE DOES NOT REBOOT THEN HOLD VOLUME UP AND POWER UNTIL IT DOES
pause > nul
fastboot reboot
echo [*] ON PHONE SELECT RECOVERY FROM BOOT MENU WITH VOLUME KEY THEN SELECT WITH POWER
echo [*] PRESS ANY KEY ON PC FOR MORE NOTES
pause > nul
cls
echo.--------------------------------------------------------------------------------------------
echo.--------------------------------------------------------------------------------------------
echo [*] NOW YOU BOOTED TO RECOVERY CONTINUE AND MAKE A BACKUP IF YOU WANT
echo [*] YOU CAN JUST CONTINUE AS IS FROM HERE OR FLASH THE OLD PRELOADER FILE WITH
echo [*] RECOVERY. THERE ARE MORE STEPS NOT INCLUDED HERE IF YOU WANT TO DO THAT.
echo [*]
echo.--------------------------------------------------------------------------------------------
echo.--------------------------------------------------------------------------------------------
echo [*] PRESS ANY KEY TO FINISH THIS SCRIPT.
pause > nul
exit
original post is below hidden
I wrote (or plagiarized a little) Five batch scripts and put them into a .tar archive.
It is attached.
***** NOTICE: DURING THIS, YOUR PHONE SCREEN WILL SHOW A FROZEN BOOT ANIMATION. THIS IS EXPECTED; THE ADB SHELL SHOULD STILL BE ACTIVE AND WORKING *****
** THE FREEZING IS FROM "/system/bin/app_process32" BEING TEMPORARILY OVERWRITTEN; ON THE NEXT REBOOT IT IS RESTORED ****
WARNING UNLOCKING YOUR BOOTLOADER WILL WIPE DATA AND FACTORY RESET THE DEVICE
So backup anything you want to keep
Decompress the files and start with "1-First", and continue until "5-Fifth". (in order 1,2,3,4,5)
The separate scripts could be combined into a one-click option to unlock the bootloader and then install the recovery. But there are issues with a shell in a shell in a cmd passing the commands through. So, in an effort to make sure nobody misses the needed manual steps, I kept them separate.
PLEASE PAY ATTENTION TO THE COMMENTS IN ADB WINDOW. CAREFULLY CHECK WHAT YOU TYPE BEFORE YOU HIT ENTER. A TYPO HERE MAY BE SERIOUS.
So you will need to run the script and follow the on-screen notes. There are two times you will need to manually open a second command window, enter adb shell and type commands: once in the First batch and again in the Third. Copy and paste also doesn't work in this situation.
If you are on Linux you will have to rewrite the commands into an sh file or do it all by hand.
If anybody wants to make improvements and can get the manual entry part to be coded, please do.
1-lsh_Root_mkdir_test.bat
Code:
::Set our Window Title
@title R1 HD Amazon Bootloader Unlock Step one
mode 100,30
::Set our default parameters
@echo off
color 0b
echo.--------------------------------------------------------------------------------------------
echo.--------------------------------------------------------------------------------------------
adb push dirtycow /data/local/tmp/dirtycow
adb push cow-app64-mod /data/local/tmp/cow-app64-mod
adb push frp.bin /data/local/tmp/unlock
adb push busybox /data/local/tmp/busybox
adb shell chmod 0777 /data/local/tmp/*
echo.--------------------------------------------------------------------------------------------
echo [*] DONE PUSHING FILES TO PHONE. NOW WE ARE GOING TO TEMP WRITE OVER THE APP_PROCESS
echo [*] WITH A MODIFIED VERSION THAT HAS LSH IN IT FOR A SYSTEM-SERVER AS ROOT SHELL
echo [*] NOW TO CONTINUE PRESS ANY BUTTON 2 TIMES
echo.--------------------------------------------------------------------------------------------
pause > nul
pause > nul
adb shell /data/local/tmp/dirtycow /system/bin/app_process32 /data/local/tmp/cow-app64-mod
echo.--------------------------------------------------------------------------------------------
echo.--------------------------------------------------------------------------------------------
echo [*] ONCE IT FINISHES
echo [*] OPEN A NEW COMMAND WINDOW AND TYPE THE FOLLOWING COMMANDS WITHOUT THE ""
echo [*] "adb shell"
echo [*] "toybox nc localhost 11112" or "/data/local/tmp/busybox nc localhost 11112"
echo [*] YOU WILL NOW SEE "ciao" BUT THERE WILL NOT BE ANY PROMPT OR CURSOR, JUST TYPE AND IT SHOWS UP
echo [*] NOW ENTER THESE COMMANDS AT THE ROOT ciao
echo [*] "mkdir /data/local/test"
echo [*] "chmod 7777 /data/local/test"
echo [*] "cp /dev/block/mmcblk0p17 /data/local/test/frp"
echo [*] "chmod 7777 /data/local/test/frp"
echo [*] LEAVE THE NEW COMMAND WINDOW WHERE IT IS AND CONTINUE TO BATCH FILE 2
echo [*] (PRESS ANY BUTTON TWICE TO EXIT)
echo.--------------------------------------------------------------------------------------------
echo.--------------------------------------------------------------------------------------------
pause > nul
pause > nul
2-Dirtycow_unlock_to_tmp.bat
Code:
::Set our Window Title
@title R1 HD Amazon Bootloader Unlock Step Two Move Unlock to root owned location
mode 100,30
::Set our default parameters
@echo off
color 0b
echo.--------------------------------------------------------------------------------------------
echo.--------------------------------------------------------------------------------------------
echo [*] YOU SHOULD NOT BE HERE UNLESS YOU DID THE STEP BELOW FROM FIRST BATCH
echo [*] **************************************
echo [*] ONCE IT FINISHES
echo [*] OPEN A NEW COMMAND WINDOW AND TYPE THE FOLLOWING COMMANDS WITHOUT THE ""
echo [*] "adb shell"
echo [*] "toybox nc localhost 11112" or "/data/local/tmp/busybox nc localhost 11112"
echo [*] YOU WILL NOW SEE "ciao" BUT THERE WILL NOT BE ANY PROMPT OR CURSOR, JUST TYPE AND IT SHOWS UP
echo [*] NOW ENTER THESE COMMANDS AT THE ROOT ciao
echo [*] "mkdir /data/local/test"
echo [*] "chmod 7777 /data/local/test"
echo [*] "cp /dev/block/mmcblk0p17 /data/local/test/frp"
echo [*] "chmod 7777 /data/local/test/frp"
echo [*] LEAVE THE NEW COMMAND WINDOW WHERE IT IS AND CONTINUE TO BATCH FILE 2
echo [*] *****************************************
echo [*] (PRESS ANY BUTTON TO CONTINUE)
echo.--------------------------------------------------------------------------------------------
echo.--------------------------------------------------------------------------------------------
pause > nul
echo [*] this step may take a long time (up to one hour) to fully complete
echo [*] I continued before it finished and was fine though
echo [*] once the second "madvice=" line shows up it should be ok to continue
echo [*] ..
echo [*] press any key twice to Start
echo [*] ......To continue after second "madvice" line hit "ctrl+c" then Y then run 3-Third.bat
echo.--------------------------------------------------------------------------------------------
echo.--------------------------------------------------------------------------------------------
pause > nul
pause > nul
adb shell /data/local/tmp/dirtycow /data/local/test/frp /data/local/tmp/unlock
echo [*] done dirtycow swapping next is run 3-Third.bat (press any button twice)
pause > nul
pause > nul
3-Write_unlockIMG.bat
Code:
::Set our Window Title
@title R1 HD Amazon Bootloader Unlock Step Three DD unlock to FRP partition
mode 100,30
::Set our default parameters
@echo off
color 0b
echo.--------------------------------------------------------------------------------------------
echo.--------------------------------------------------------------------------------------------
echo [*] YOU SHOULD NOT BE HERE UNLESS YOU DID THE STEP BELOW
echo [*] **************************************
echo [*] wait at minimum for the second "madvice=" line to show up while running 2-Second.bat
echo [*] this batch does nothing more than give you instructions to open a separate shell
echo.--------------------------------------------------------------------------------------------
echo.--------------------------------------------------------------------------------------------
echo [*] ******
echo [*] ******
echo [*] ******
echo [*] ******
echo [*] Go Back to open shell window from step 1
echo [*] enter this command
echo [*] dd if=/data/local/test/frp of=/dev/block/mmcblk0p17
echo.--------------------------------------------------------------------------------------------
echo.--------------------------------------------------------------------------------------------
echo [*] done writing unlock image next is run 4-Fourth.bat (press any button twice)
echo.--------------------------------------------------------------------------------------------
echo.--------------------------------------------------------------------------------------------
pause > nul
pause > nul
4-oem_unlock.bat
Code:
::Set our Window Title
@title R1 HD Amazon Bootloader Unlock Step Four fastboot oem unlock
mode 100,30
::Set our default parameters
@echo off
color 0b
echo.--------------------------------------------------------------------------------------------
echo.--------------------------------------------------------------------------------------------
echo.-----------REBOOTING_INTO_BOOTLOADER--------------------------------------------------------
adb reboot bootloader
timeout 15 > nul
cls
echo.--------------------------------------------------------------------------------------------
echo.--------------------------------------------------------------------------------------------
echo [*] now that the device is in fastboot mode we are going to unlock the
echo [*] bootloader. on the next screen on your phone you will see
echo [*] PRESS THE VOLUME UP/DOWN BUTTONS TO SELECT YES OR NO
echo [*] just press volume up to start the unlock process.
echo.--------------------------------------------------------------------------------------------
echo.--------------------------------------------------------------------------------------------
echo [*] press any key to start the unlock
pause > nul
fastboot oem unlock
echo [*] once the bootloader is unlocked press any key to wipe data
pause > nul
fastboot format userdata
echo [*] Press any key to reboot the device
pause > nul
fastboot reboot
cls
echo.--------------------------------------------------------------------------------------------
echo.--------------------------------------------------------------------------------------------
echo [*] your bootloader is now unlocked on your BLU R1 HD Amazon device
echo [*] first boot up will take around 5 to 10 minutes then you can set it up
echo [*] Next is the 5-Fifth.bat to install recovery
echo [*] You will need to enable developer options, then enable adb to continue to the next script
echo [*] ******************
echo [*] IF PHONE DOES NOT REBOOT HOLD POWER UNTIL IT POWERS OFF THEN AGAIN TO POWER ON
echo [*] ******************
echo.--------------------------------------------------------------------------------------------
echo.--------------------------------------------------------------------------------------------
echo [*] Press any key to finish this script.
pause > nul
exit
5-TWRP.bat
Code:
::Set our Window Title
@title R1 HD Amazon Bootloader Unlock Step Five Install TWRP
mode 100,30
::Set our default parameters
@echo off
color 0b
echo.--------------------------------------------------------------------------------------------
echo.--------------------------------------------------------------------------------------------
echo.-----------REBOOTING_INTO_BOOTLOADER--------------------------------------------------------
adb reboot bootloader
timeout 15 > nul
cls
echo.--------------------------------------------------------------------------------------------
echo.--------------------------------------------------------------------------------------------
echo [*] NOW YOU'RE IN FASTBOOT MODE AND READY TO FLASH TWRP RECOVERY
echo [*]
echo [*]
echo [*]
echo.--------------------------------------------------------------------------------------------
echo.--------------------------------------------------------------------------------------------
echo [*] press any key to Flash recovery
pause > nul
fastboot flash recovery recovery.img
echo [*] once the file transfer is complete hold volume up and press any key on pc
echo [*] IF PHONE DOES NOT REBOOT THEN HOLD VOLUME UP AND POWER UNTIL IT DOES
pause > nul
fastboot reboot
echo [*] on phone select recovery with volume key then select with power
pause > nul
cls
echo.--------------------------------------------------------------------------------------------
echo.--------------------------------------------------------------------------------------------
echo [*] now that you have booted to recovery, continue and make a backup if you want
echo [*] you can just continue as is from here or flash the old preloader file with
echo [*] recovery. There are more steps not included here if you want to do that.
echo [*]
echo.--------------------------------------------------------------------------------------------
echo.--------------------------------------------------------------------------------------------
echo [*] Press any key to finish this script.
pause > nul
exit
Follow up with bootloader roll-back if desired.
http://forum.xda-developers.com/r1-hd/how-to/r1hd-update-6-6-bootloader-roll-t3491096
thanks to @vampirefo for the busybox
(switched to busybox for a more universal approach) ** switched back to toybox with one-click; busybox did not have a timeout command [(-q 1) for one second]
Follow up with installing SuperSU if desired.
Stable SuperSU link. http://forum.xda-developers.com/showthread.php?t=1538053
From the SuperSU site download the recovery install version. The version at the time of first root was v2.76; now it is v2.78. Both should work. Put the .zip file onto the phone's internal memory, either by adb push or by MTP connection, then boot to recovery and install.

congrats!
lol... give them root and they want 64bit.

Excellent, man! I'm going to try it. Greetings from Honduras.

Release the source code for these files; they are based on open source files.
To refuse to release the source is selfish and hurtful to the spirit of open source, on which these files are based.
Sent from my R1HD(ZenUI) via Tapatalk

vampirefo said:
Release the source code for these files; they are based on open source files.
To refuse to release the source is selfish and hurtful to the spirit of open source, on which these files are based.
Sent from my R1HD(ZenUI) via Tapatalk
The binaries are in the download. Is that what you're looking for?
Or the .c files?
I don't have the un-compiled xxx.c files.
But they are the same as from this GitHub.
https://github.com/jcadduono/android_external_dirtycow
Just with minor changes to the referenced /dev/block to match whatever device it's for.

mrmazak said:
The binaries are in the download. Is that what you're looking for?
Or the .c files?
I don't have the un-compiled xxx.c files.
But they are the same as from this GitHub.
https://github.com/jcadduono/android_external_dirtycow
Just with minor changes to the referenced /dev/block to match whatever device it's for.
Yes I am requesting c file for cow-app64-mod and no it's not in the github you linked to.
If Christian told you it was just a minor change to reference /dev/block then he is being dishonest and needs to be truthful and release the c file.
Sent from my R1HD(ZenUI) via Tapatalk

Can't seem to get the files to download correctly on Mac. Has this been tested using adb and fastboot via a MacBook Pro?

willdoyle22 said:
Can't seem to get the files to download correctly on Mac. Has this been tested using adb and fastboot via a MacBook Pro?
I know I'm on Windows. And one other user who did it on Arch. So that's two OSes. I don't know why it would be different on a Mac. You should be able to download it from the website.
But the batch (.bat) is a Windows thing, isn't it.
I assume the adb commands will be the same, but you might have to type each one out. That's what someone else did who was doing it on Arch Linux.
Also remember there is an adb.exe and Windows drivers .DLL in the downloaded zip. So you might have to remove them so your Mac uses your adb and drivers.

I removed the Windows files/exe's. When I type in the first command "adb push drtycow /data/local/tmp/dirtycow" I keep getting the same response... "cannot stat 'dirtycow': no such file or directory"
Is this an error on my part?
* Not necessarily new to rooting, but definitely new to doing it manually and dealing with locked bootloaders, so I apologize if I am asking obvious questions *

willdoyle22 said:
I removed the Windows files/exe's. When I type in the first command "adb push drtycow /data/local/tmp/dirtycow" I keep getting the same response... "cannot stat 'dirtycow': no such file or directory"
Is this an error on my part?
* Not necessarily new to rooting, but definitely new to doing it manually and dealing with locked bootloaders, so I apologize if I am asking obvious questions *
Try giving it the full path. For example if the file dirtycow is in /home/willDoyle/download. Then do "adb push /home/willDoyle/download/dirtycow /data/local/to/dirtycow"

mrmazak said:
Try giving it the full path. For example if the file dirtycow is in /home/willDoyle/download. Then do "adb push /home/willDoyle/download/dirtycow /data/local/to/dirtycow"
Still no luck. It is at least recognizing it as a directory, but now any time I try to push it, it just blasts me with all the different possible commands within adb... Can't find anything that points out a specific problem. Thanks for your help btw.

willdoyle22 said:
Still no luck. It is at least recognizing it as a directory, but now any time I try to push it, it just blasts me with all the different possible commands within adb... Can't find anything that points out a specific problem. Thanks for your help btw.
How about going back to the basic command to see if your Mac is connected to the phone. What do you get with "adb devices"?

mrmazak said:
Try giving it the full path. For example if the file dirtycow is in /home/willDoyle/download. Then do "adb push /home/willDoyle/download/dirtycow /data/local/to/dirtycow"
mrmazak said:
How about going back to the basic command to see if your Mac is connected to the phone. What do you get with "adb devices"?
Works fine, shows my device serial number and then brings up a new command line.

willdoyle22 said:
Works fine, shows my device serial number and then brings up a new command line.
attached screenshot of terminal

willdoyle22 said:
attached screenshot of terminal
Oh I see. Maybe
you need two (2) arguments for adb push:
"adb push (source file location)(1 space)(destination file location)"
ex: willy_$ adb push willy/desktop/dirtycow /data/local/tmp/dirtycow

mrmazak said:
Oh I see. Maybe
you need two (2) arguments for adb push:
"adb push (source file location)(1 space)(destination file location)"
ex: willy_$ adb push willy/desktop/dirtycow /data/local/tmp/dirtycow
Just wanted to say thanks! Got everything done, decided not to roll back to the previous bootloader version, but I blocked OTA updates and Amazon ads/apps so I think I should be fine. Rooted and running Xposed, finally got what I wanted out of this phone!!!

Related

Windows batch script for wireless ADB with shell, logcat, and bugreport

I made a batch shell script for using wireless ADB in windows. It is simpler to use than opening CMD.exe, then CDing to the platform-tools directory and changing the ADB port, so I figured I'd post it. Just paste it into notepad, change the IP address to the correct one for your phone, and save as a .BAT file.
Code:
@ECHO OFF
cd "C:\Program Files (x86)\Android\android-sdk\platform-tools"
adb.exe connect [xxx.xxx.xxx.xxx:xxxx]
CLS
CHOICE /N /C:1234 /M "Press 1 for a realtime Android log, Press 2 for a shell prompt, press 3 for a bug report, or Press 4 for a command prompt."
IF ERRORLEVEL 4 GOTO FOUR
IF ERRORLEVEL 3 GOTO THREE
IF ERRORLEVEL 2 GOTO TWO
IF ERRORLEVEL 1 GOTO ONE
GOTO END
:FOUR
ECHO At the command prompt, type ADB for a list of possible commands.
GOTO END
:THREE
ECHO Enjoy your android bugs:
adb bugreport
GOTO END
:TWO
ECHO Welcome to the Android shell. Type "exit" and hit Enter to exit to command prompt.
adb shell
GOTO END
:ONE
adb logcat
GOTO END
:END
ECHO ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
cmd
Also, please let me know if you have any suggestions for my script.
Have you used UKE? It has wireless ADB built in to the phone. Never used wireless ADB personally, I'm a wired guy.
Don't you mean it's a Cyanogenmod feature and not a U.K.E feature?

Need nudge in right direction. Un-rooting Droid X

Guys, need a nudge in right direction.
EDIT: I am running stock ROM
I have a rooted DroidX. Will be getting RAZR MAXX next month and want to sell my DX. So i want to take it back to stock to sell.
I have searched but couldn't find anything close to my situation.
Any ideas would be appreciated or can I just do a factory reset?
Here are the specifics.......
Had DX running .605.
I rooted using this video http://www.youtube.com/watch?v=Pxks-o2cd7E&feature=plcp
This is the version of the script I used.. I still have the script but there is not an "unroot" option in it.
Code:
echo ***************************************************************************
echo * *
echo * DROID 3 Easy Root script v7 *
echo * *
echo ***************************************************************************
echo *
I can post entire code if needed.
Here is where I am running into my specific problem.
When .621 OTA update was coming down, I installed OTA rootkeeper.
I took the OTA update and was able to retain root and be on .621
Only other mods done were supercharger (which I reversed to stock) and a mod to get wifi hotspot going.
The hotspot mod I did was a complicated one. Downloaded some program from Motorola and went in and edited some values in a database in the phone.
Where can I go to figure out how to reverse this back to stock so I can sell it in good faith?
Unfortunately I was extremely new to all of this when I rooted it and didn't think about going back.
I have a full Titanium Backup of the system after root and before .621 update.
Heck, here is the entire rooting code if it helps.
Code:
@echo off
cls
adb kill-server > NUL
COLOR B0
TITLE DROID 3 Easy Root Script
cls
echo ***************************************************************************
echo * *
echo * DROID 3 Easy Root script v7 *
echo * *
echo ***************************************************************************
echo *
echo * Please make sure you meet these pre-requisites:
echo *
echo * (a) install the correct driver
echo * (b) turn on USB debugging (on your phone under Settings -^> Applications)
echo * (c) plug in your phone and set your USB mode to 'charging only'
echo *
echo * Note: your phone will reboot twice during this procedure. This is normal.
echo *
echo * READY TO ROOT YOUR DROID 3 WHEN YOU ARE!
echo *
COLOR E0
pause
echo *
echo * Waiting for your phone to be connected...
echo *
adb wait-for-device > NUL
COLOR B0
echo * Running exploit [part 1 of 3]...
adb kill-server > NUL
adb shell rm /data/local/12m.bak > NUL
adb shell mv /data/local/12m /data/local/12m.bak > NUL
adb shell ln -s /data /data/local/12m
adb reboot
echo *
echo * Rebooting the phone... please wait.
adb kill-server > NUL
COLOR E0
adb wait-for-device > NUL
adb wait-for-device > NUL
COLOR B0
echo *
echo * Running exploit [part 2 of 3]...
adb shell rm /data/local/12m
adb shell mv /data/local/12m.bak /data/local/12m
adb shell rm /data/local.prop.bak > NUL
adb shell mv /data/local.prop /data/local.prop.bak
adb shell echo "ro.sys.atvc_allow_netmon_usb=0" ^> /data/local.prop
adb shell echo "ro.sys.atvc_allow_netmon_ih=0" ^>^> /data/local.prop
adb shell echo "ro.sys.atvc_allow_res_core=0" ^>^> /data/local.prop
adb shell echo "ro.sys.atvc_allow_res_panic=0" ^>^> /data/local.prop
adb shell echo "ro.sys.atvc_allow_all_adb=1" ^>^> /data/local.prop
adb shell echo "ro.sys.atvc_allow_all_core=0" ^>^> /data/local.prop
adb shell echo "ro.sys.atvc_allow_efem=0" ^>^> /data/local.prop
adb shell echo "ro.sys.atvc_allow_bp_log=0" ^>^> /data/local.prop
adb shell echo "ro.sys.atvc_allow_ap_mot_log=0" ^>^> /data/local.prop
adb shell echo "ro.sys.atvc_allow_gki_log=0" ^>^> /data/local.prop
adb reboot
echo *
echo * Rebooting the phone... please wait.
adb kill-server > NUL
COLOR E0
adb wait-for-device > NUL
adb wait-for-device > NUL
COLOR B0
echo *
echo * Running exploit [part 3 of 3]...
adb remount
adb push busybox /system/xbin/busybox
adb push su /system/xbin/su
adb push Superuser.apk /system/app/Superuser.apk
adb shell chmod 4755 /system/xbin/su
adb shell chmod 755 /system/xbin/busybox
adb shell chown system.system /data
echo *
echo * ALL DONE! YOUR PHONE SHOULD BE ROOTED!
echo *
echo ******************************************************************************
echo.
echo You may now close this window...
echo.
COLOR A0
adb kill-server > NUL
pause
TITLE Command Prompt
COLOR 07
Just simply try a factory reset
Sent from my shiny new white LOCKED SCH-I535 using xda app-developers app
If that didn't work just sbf back to stock. That will work for sure and gives the buyer the new phone experience
Sent from my SCH-I535 using xda app-developers app
dbett4 said:
Just simply try a factory reset
Sent from my shiny new white LOCKED SCH-I535 using xda app-developers app
Click to expand...
Click to collapse
Lol, didn't mean to thank you but oh well...
Anyway, lol, to OP: you can factory reset a hundred times and you still won't remove root.
Why remove root anyway? You'll sell the phone faster and save someone the hassle of rooting again.
As for the regs who don't know what root is... meh. Again, won't hurt the phone in any way.
You will have to sbf back to what ever firmware you want. Afaik it's the only way to remove root. I'm not experienced enough for manual removal, and sbf is so simple and hassle free...when done right.
Easy to f-up if not lol.
Gl
Sent from my SAMSUNG-SGH-I747 using Tapatalk 2
I just checked eBay completed auctions. Rooted phones do sell fast and are selling for more!! Great. Thanks for the tip.
If I do a factory reset, then it will go back to stock except it will leave root?? The main thing I was worried about was with the OTA upgrade.
If all else fails I will sbf with version .621 (afaik you can't go back further once you have .621 OTA) then re-root.
I did the same. I had a deal and bought two DROIDX and rooted both, then upgraded but kept root the same way you did. But my brother got a new phone, so I went to the market and downloaded an app called Ginger Unroot and bam, full unroot. I even downloaded su and a root checker but no root. Hope this helps.
Sent from my DROIDX using xda premium
Instead of SBF'ing I just did a factory reset. And it did in fact keep root.
Thanks guys.
Here's what ya do:
Factory reset
You will still have root.
Inform prospective buyer about rootkeeper.
Instruct them exactly what to do (don't make this part of your auction, just offer the advice after the sale;
make sure they know:
OTA update = bye bye root)
Once the buyer sets up their Google account and installs rootkeeper, the buyer can now OTA without worries of losing root.
I just sold my dx and did this exact same thing.
Buyer was more than happy.
Hope that helps and glws
Sent from my DROID X2 using Tapatalk 2
How much did you get for it?
Sent from my Kindle Fire using xda app-developers app

ROOT-ing a phone with a broken screen / adbkey.pub problems

Hello, so.. Before, my problem was about getting adb to work in recovery; someone told me to install TWRP, that worked, and I got USB Debugging turned on.
Now I saw that I need to root my phone, so I can push the adbkey.pub to data/misc/adb/adb_keys..
I tried pushing adbkeys.pub there already (without root, in recovery), and the phone still wants me to press ok, when the prompt of the RSA key pops up.
Have TWRP, ADB works when phone is in Recovery..
Phone not ROOT-ed. Which might be my problem..
USB Debugging works
adbkey.pub has been sent to data/misc/adb/adb_keys around 3 times
Generated new adbkey.pub already..
The things I did:
adb shell mount /system
adb shell
echo "persist.service.adb.enable=1" >> default.prop
echo "persist.service.debuggable=1" >> default.prop
echo "persist.sys.usb.config=mtp,adb" >> default.prop
echo "persist.service.adb.enable=1" >> /system/build.prop
echo "persist.service.debuggable=1" >> /system/build.prop
echo "persist.sys.usb.config=mtp,adb" >> /system/build.prop
exit (Exited out of adb shell)
adb push adbkey.pub /data/misc/adb/adb_keys
I had copied adbkey.pub to the adb folder.
Again, like I said in my last thread, I don't care about losing data. Flashing stuff would not be a problem with me.
If you are wondering, I am using windows.
EDIT: Regenerated another adbkey... The key is actually different this time.. Will go into TWRP and push this key.
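The adb_keys line format the post above is trying to get right, as an added example (not code from the thread): each line of /data/misc/adb/adb_keys must be the base64 of the 524-byte RSAPublicKey structure adbd expects (the layout from AOSP's android_pubkey.c), a space, and a free-form tag, and adbd skips lines it cannot decode, so a malformed push leaves the RSA prompt in place. The sample key here is constructed from hashed bytes and is not a real RSA key; the `user@laptop` tag is made up.

```python
"""Validate entries of an Android adb_keys file (the adbkey.pub format)."""
import base64
import hashlib
import struct

MODULUS_BYTES = 256                                        # 2048-bit RSA only
ENCODED_SIZE = 4 + 4 + MODULUS_BYTES + MODULUS_BYTES + 4   # 524 bytes
WORD = 1 << 32


def encode_pubkey(n: int, e: int, tag: str) -> str:
    """Build one adb_keys line from modulus n and exponent e (what 'adb keygen' emits)."""
    if n.bit_length() > MODULUS_BYTES * 8 or n % 2 == 0:
        raise ValueError("modulus must be an odd number of at most 2048 bits")
    n0inv = (-pow(n & 0xFFFFFFFF, -1, WORD)) % WORD   # -1 / n[0] mod 2^32 (Montgomery)
    rr = pow(2, 2 * MODULUS_BYTES * 8, n)             # R^2 mod n with R = 2^2048
    blob = struct.pack("<II", MODULUS_BYTES // 4, n0inv)
    blob += n.to_bytes(MODULUS_BYTES, "little")        # modulus is stored little-endian
    blob += rr.to_bytes(MODULUS_BYTES, "little")
    blob += struct.pack("<I", e)
    return base64.b64encode(blob).decode("ascii") + " " + tag


def parse_line(line: str) -> dict:
    """Decode one adb_keys line; raise ValueError for anything adbd would not accept."""
    parts = line.strip().split(" ", 1)
    if not parts[0]:
        raise ValueError("empty line")
    try:
        blob = base64.b64decode(parts[0], validate=True)
    except Exception as exc:
        raise ValueError(f"bad base64: {exc}") from exc
    if len(blob) != ENCODED_SIZE:
        raise ValueError(f"decoded {len(blob)} bytes, expected {ENCODED_SIZE}")
    words, n0inv = struct.unpack_from("<II", blob, 0)
    if words != MODULUS_BYTES // 4:
        raise ValueError(f"modulus_size_words={words}, expected {MODULUS_BYTES // 4}")
    n = int.from_bytes(blob[8:8 + MODULUS_BYTES], "little")
    rr = int.from_bytes(blob[8 + MODULUS_BYTES:8 + 2 * MODULUS_BYTES], "little")
    (e,) = struct.unpack_from("<I", blob, 8 + 2 * MODULUS_BYTES)
    # The Montgomery constants are derived from n; a mismatch means a corrupt or hand-edited key.
    if (n & 0xFFFFFFFF) * n0inv % WORD != WORD - 1:
        raise ValueError("n0inv does not match modulus")
    if rr != pow(2, 2 * MODULUS_BYTES * 8, n):
        raise ValueError("rr does not match modulus")
    return {"n": n, "e": e, "tag": parts[1] if len(parts) > 1 else ""}


def check_adb_keys(text: str) -> list:
    """Return (line_no, status) for every non-blank line of an adb_keys file."""
    results = []
    for i, line in enumerate(text.splitlines(), 1):
        if not line.strip():
            continue
        try:
            info = parse_line(line)
            results.append((i, f"ok e={info['e']} tag={info['tag']!r}"))
        except ValueError as exc:
            results.append((i, f"REJECTED: {exc}"))
    return results


# Constructed sample: an odd 2048-bit number made from hash output, NOT a real RSA modulus.
SAMPLE_N = (1 << 2047) | int.from_bytes(hashlib.sha256(b"constructed adb key").digest() * 8, "big") | 1
SAMPLE_LINE = encode_pubkey(SAMPLE_N, 65537, "user@laptop")

if __name__ == "__main__":
    for line_no, status in check_adb_keys(SAMPLE_LINE + "\nAAAA user@laptop\n"):
        print(f"line {line_no}: {status}")
```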
Has it worked with another key?
Stuck in the same situation at the moment.

Recowvery issue - adb logcat -s recowvery

Hey all -
I'm trying to root my V20 with some complications along the way!
I'm currently at the Recowvery setup (I've tried manual & "Easy Recowvery") and I cannot seem to get past the "adb logcat -s recowvery" step.
On my command prompt, all I end up seeing is:
--------- beginning of system
--------- beginning of main
to no end. I've waited hours. No "successful" message as stated there should be when it finishes what it needs to do.
I have a feeling this is a permission issue, because when I tried to use the "Easy Recowvery" method, it had said it could not create log files, etc in the directory that I was trying to run the easy setup from.
I then tried to run CMD w/ administrative privileges - same problem, still stuck at the aforementioned information displayed. The only way I can then get out of this is escaping via "Ctrl+C", and nothing ends up being done, because when I try the next step "adb shell reboot recovery", my phone goes to a black screen that just says, "No Command" - and then I have to go into the usual recovery by holding the power button, then volume-up.
Are there any suggestions that could be made here? Tips, etc? I'm using the H918 version of the V20 and I would really like to get it rooted - wanted to use crDroid :3
EDIT (Guides I'm following):
The one from theunlockr
and then the dirtycow git page that's linked in another guide (I cannot post actual links yet, apparently :S)
EDIT2 (add'l info):
C:\adb>adb shell
elsa:/ $ cd /data/local/tmp
elsa:/data/local/tmp $ chmod 0777 *
elsa:/data/local/tmp $ ./dirtycow /system/bin/applypatch recowvery-applypatch
warning: new file size (18472) and file old size (165144) differ
size 165144
[*] mmap 0x747ac24000
[*] exploit (patch)
[*] currently 0x747ac24000=10102464c457f
[*] madvise = 0x747ac24000 165144
[*] madvise = 0 1048576
[*] /proc/self/mem 1367343104 1048576
[*] exploited 0x747ac24000=10102464c457f
dirtycow /system/bin/app_process64 recowvery-app_process64 <
warning: new file size (10200) and file old size (18600) differ
size 18600
[*] mmap 0x7331eb7000
[*] exploit (patch)
[*] currently 0x7331eb7000=10102464c457f
[*] madvise = 0x7331eb7000 18600
[*] madvise = 0 1048576
[*] /proc/self/mem -1971322880 1048576
[*] exploited 0x7331eb7000=10102464c457f
elsa:/data/local/tmp $ exit
Not sure if something perhaps went wrong here? Before having to execute the adb logcat -s recowvery command?
EDIT3 (Removed -s from logcat command to see what was going on):
I removed the -s flag from the logcat command to see where it might be stalling..... But after doing this I realized truly what was going on (logcat... duh, logging) - but I never get any kind of message that is said would occur:
adb logcat -s recowvery
"<wait for it to tell you it was successful>"
"[CTRL+C]"
I never get that message, with or without the silent flag.
I feel like the purpose of this step was to log recowvery running? Instead it seems like it's logging EVERYTHING.
Another guide I found said I should be putting my phone in the bootloader/fastloader before running the last bit of steps, but if I do that and try running the adb commands, it will say "null, no device available", or something along those lines.
I no longer know what is going wrong.
EDIT4 (-s is not silent flag when using adb?):
So it turns out the -s flag when using adb isn't the silent flag? Unless it is for logcat? Either way still nothing working. I never get "beginning of crash" like I'm apparently supposed to when running "adb logcat -s recowvery". Halp.
same issue
bump
This issue has been resolved elsewhere. If needed I will make an edit to show the solution once I'm capable of doing so.
May have a working solution. Testing it now and will reply if it works.
Yeah, I managed to find the solution myself. Not sure if it's the same solution, but it was a matter of downgrading my firmware to the previous patch from 10k to 10j through LGUP, and it's working fine as of now.
Downgrade from V20 version k to version j
After downgrading from version k to j (via LGUP tool) and having the proper files to go along with it. If I am allowed to post a link to the Reddit post that ended up helping me, I will - however it seems by default I am unable to do so.

Honor 7x Knowledge base

Before we start:
All credit goes to the following users for their amazing work and guides: olddroid, Sudeep, Eduardo Alonso and mrmazak
Honor 7x Knowledge base:
A – Unlocking your bootloader and getting ready to flash custom ROMs:
Alright, we have two states in order to do this:
1 – If your phone is fully working (not soft bricked):
You need the following things:
Device model:
Serial number:
IMEI:
Product ID (dial *#*#1357946#*#*).
2 – If your phone is soft bricked and you only know your IMEI number, you can use this site to give you full info:
https://imei24.com/imei_check/Huawei/
Lastly, submit this info in the Google form and you should get your code within a day or less:
https://docs.google.com/forms/d/e/1...YnBcAxAbz9SAVxPTFqMh9g/viewform?usp=send_form
B – Unbricking your phone :
1 – Knowing your model number:
Below are the model numbers for 7X
BND-L21C432 (Europe), BND-L21C185 (Middle East), BND-AL10C675 (India), BND-AL (TL) 10C00 (China), BND-L21C10 (Russia)
Finding the right update package through firmware finder:
1 – Visit the link http://pro-teammt.ru/firmware-database/?firmware_model=BND&firmware_page=1
2 – Find the right model as listed above (for Nougat the update will be named the same as the model number provided in step 1 of section B)
3 – Make sure the update package type is Full-Ota
4 – Since Oreo they don't list the region; the best way to know if the update is compatible is this method: click on the file list, the second file will have some codes that I will explain
update_full_BND-l21_xxx.zip (the first part changes depending on the model)
If the code was _eu = it’s for the Eu version
If the code was _usa= American version
If the code was _in= India
Mefanf (or something like that ) = middle east, you get the idea by now
C- Flashing the update zips :
Alright this is the part where most users have errors so let’s try to make it simple
1 - For nougat with update zips
You need 5 main things in order to do that and they are :
BND-RECOVERY-NoCheck.img <download here
update.zip < from firmware finder
update_data_full_public.zip < from firmware finder
update_full_xxxxx.zip < from firmware finder
twrp for nougat < download here
4 gb sd
How to :
1 – Flash the Nougat TWRP
2 – Copy update.zip, update_data_full_public.zip, update_full_xxxx (name changes depending on region and model) and BND-RECOVERY-NoCheck.img
3 – Boot into TWRP, plug in the phone via USB, open a command prompt on your PC
4 – Type adb shell, press enter, then copy and paste these commands:
dd if=/external_sd/BND-RECOVERY-NoCheck.img of=/dev/block/bootdevice/by-name/recovery
dd if=/external_sd/BND-RECOVERY-NoCheck.img of=/dev/block/bootdevice/by-name/recovery2
echo --update_package=/sdcard/update.zip > /cache/recovery/command
echo --update_package=/sdcard/update_data_full_public.zip >> /cache/recovery/command
echo --update_package=/sdcard/update_full_xxxxx.zip >> /cache/recovery/command
reboot recovery
after that your phone will reboot and it will start updating
Note: if adb shell doesn't work, go to TWRP >> Advanced > Terminal and type them manually
Note: when you paste the echo commands they don't show any output; that's perfectly normal
2 – For nougat without update zips:
You also need :
BND-RECOVERY-NoCheck.img
Twrp for Nougat
Sd card 4gb
Boot.img
Cust.img
System.img
Vendor.img
Version.img
Product.img
How to :
1 – Copy Product.img, Vendor.img, Version.img , cust.img to the root of your sd card
2 – copy paste the following commands via adb shell or the terminal in twrp
dd if=/external_sd/product.img of=/dev/block/mmcblk0p48
dd if=/external_sd/vendor.img of=/dev/block/mmcblk0p47
dd if=/external_sd/version.img of=/dev/block/mmcblk0p46
dd if=/external_sd/cust.img of=/dev/block/mmcblk0p45
3 – reboot to bootloader , flash boot and system images and everything should work fine
For Oreo with zips it's the same steps as Nougat with zips, but you need a different recovery called
RecoveryNoCheckOreoHi6250 and twrp ramdisk
Note: to flash TWRP on Oreo use this command
fastboot flash recovery_ramdisk imgnamehere.img
they can be found here
I like to try and turn these monotonous repetitive things into tools, mainly because one simple typo in the process can make it difficult to repair.
So I am in the process of making such a tool.
As a starting point I have made simple coding to do the recovery install part.
For now there are two batch programs, one for Nougat and one for Oreo.
I am working toward some crafty line of code that can determine what build is on your device first and, according to the result, choose which of the two batches to run.
In the meantime here are the two recovery switching batches, with recovery images included that have been copied from the XDA forum.
Code:
@echo off
title Lazy Recovery Replace Oreo
adb shell getprop ro.build.version.emui > %~dp0\version-info.txt
for /f %%i in ('FINDSTR "EmotionUI_" %~dp0\version-info.txt') do set emui=%%i
echo %emui%
set str=%emui:~10%
echo.%str%
pause
if %str% lss 5.3 (goto nougat
)else (
echo ok to continue)
adb reboot bootloader
echo Wait Here until fastboot mode Loads On Phone
SET PATH=%PATH%;"%~dp0\files\oreo"
pause
fastboot oem get-build-number 2> %~dp0\build-info.txt
for /f "tokens=2" %%i in ('findstr "^(bootloader)" "%~dp0\build-info.txt"') do set Device=%%i
for /f "tokens=3" %%i in ('findstr "^(bootloader)" "%~dp0\build-info.txt"') do set Build=%%i
echo Your Current Device is = %Device% %Build%
pause
:MAIN
cls
echo Choose what you need to work on.
echo(
echo %Device% %Build%
echo ][************************************][
echo ][ 1. complete_twrp_ramdisk ][
echo ][************************************][
echo ][ 2. Oreo Stock from beta ][
echo ][************************************][
echo ][ 3. twrp_p10_lite_0.3 Encryt works ][
echo ][************************************][
echo ][ 4. Oreo No-Check ][
echo ][************************************][
echo ][ 5. Local Image ][
echo ][************************************][
echo ][ 6. Cancel Exit and Reboot ][
echo ][************************************][
echo(
echo For performing Update simplest option is choose #1
set /p env=Type your option [1,2,3,4,5,6] then press ENTER: || set env="0"
:: quote the assignment so the space before && is not stored in %recovery%
if /I %env%==1 set "recovery=complete_twrp_ramdisk.img" && goto flash
if /I %env%==2 set "recovery=RECOVERY_RAMDIS.img" && goto flash
if /I %env%==3 set "recovery=twrp_p10_lite_0.3.img" && goto flash
if /I %env%==4 set "recovery=RecoveryNoCheckOreoHi6250.img" && goto flash
if /I %env%==5 call scripts\oreo\oreo_local_image_select.bat || goto end
if /I %env%==6 fastboot reboot && goto :eof
echo(
echo %env% is not a valid option. Please try again!
PING -n 3 127.0.0.1>nul
goto MAIN
:flash
echo THE FOLLOWING FILE HAS BEEN SELECTED
echo %recovery%
echo Continue IF it is correct, Else close window to cancel
pause
fastboot flash recovery_ramdisk %recovery%
:end
echo RECOVERY SHOULD NOW BE FLASHED
echo GET READY TO PULL USB PLUG OUT AND HOLD VOLUME UP
echo RIGHT AFTER YOU PRESS BUTTON TO CONTINUE
pause
fastboot reboot
goto :eof
exit
:nougat
echo You are On NOUGAT DO NOT USE THIS
pause
exit
Code:
@echo off
title Lazy Recovery Replace Nougat
adb shell getprop ro.build.version.emui > %~dp0\version-info.txt
for /f %%i in ('FINDSTR "EmotionUI_" %~dp0\version-info.txt') do set emui=%%i
echo %emui%
set str=%emui:~10%
echo.%str%
pause
if %str% gtr 5.2 (goto oreo
)else (
echo ok to continue)
adb reboot bootloader
echo Wait Here until fastboot mode Loads On Phone
SET PATH=%PATH%;"%~dp0\files\oreo"
pause
fastboot oem get-build-number 2> %~dp0\build-info.txt
for /f "tokens=2" %%i in ('findstr "^(bootloader)" "%~dp0\build-info.txt"') do set Device=%%i
for /f "tokens=3" %%i in ('findstr "^(bootloader)" "%~dp0\build-info.txt"') do set Build=%%i
echo Your Current Device is = %Device% %Build%
pause
:MAIN
cls
echo Choose what you need to work on.
echo(
echo %Device% %Build%
echo ][************************************][
echo ][ 1. twrp-honor ][
echo ][************************************][
echo ][ 2. Stock Recovery ][
echo ][************************************][
echo ][ 3. Stock Recovery 2 ][
echo ][************************************][
echo ][ 4. BND-NO-CHECK ][
echo ][************************************][
echo ][ 5. Other file from your PC ][
echo ][************************************][
echo ][ 6. Cancel Exit and Reboot ][
echo ][************************************][
echo(
set /p env=Type your option [1,2,3,4,5,6] then press ENTER: || set env="0"
:: quote the assignment so the space before && is not stored in %recovery%
if /I %env%==1 set "recovery=twrp-honor.img" && goto flash
if /I %env%==2 set "recovery=recovery.img" && goto flash
if /I %env%==3 set "recovery=recovery2.img" && goto flash2
if /I %env%==4 set "recovery=BND-RECOVERY-NoCheck.img" && goto flash
if /I %env%==5 call scripts\nougat\nougat_recovery_file_flash.bat || goto end
if /I %env%==6 fastboot reboot && goto :eof
echo(
echo %env% is not a valid option. Please try again!
PING -n 3 127.0.0.1>nul
goto MAIN
:flash
echo THE FOLLOWING FILE HAS BEEN SELECTED
echo %recovery%
echo Continue IF it is correct, Else close window to cancel
pause
fastboot flash recovery %recovery%
goto end
:flash2
echo THE FOLLOWING FILE HAS BEEN SELECTED
echo %recovery%
echo Continue IF it is correct, Else close window to cancel
fastboot flash recovery2 %recovery%
:end
echo RECOVERY SHOULD NOW BE FLASHED
echo GET READY TO PULL USB PLUG OUT AND HOLD VOLUME UP
echo RIGHT AFTER YOU PRESS BUTTON TO CONTINUE
pause
fastboot reboot
goto :eof
exit
:oreo
echo You are On OREO DO NOT USE THIS
pause
exit
I have the launcher batch ready, it will detect the emui version with getprop. And call the appropriate switcher batch.
Code:
@echo off
if not defined in_subprocess (cmd /k set in_subprocess=y ^& %0 %*) & exit )
title Lazy Recovery Auto Launcher
echo Waiting For device to be recognized by ADB
adb wait-for-device
adb shell getprop ro.build.version.emui > %~dp0\version-info.txt
for /f %%i in ('FINDSTR "EmotionUI_" %~dp0\version-info.txt') do set emui=%%i
echo %emui%
set str=%emui:~10%
echo.%str%
pause
if %str% equ 8 call scripts\oreo\Oreo_lazy_Recovery.bat
if %str% equ 8.1 call scripts\oreo\Oreo_lazy_Recovery.bat
if %str% equ 5 call scripts\nougat\Nougat_lazy_Recovery.bat
if %str% equ 5.1 call scripts\nougat\Nougat_lazy_Recovery.bat
pause
exit
Updated 5-21
Tool Download
