Related
disclaimer:
Code:
I take no responsibility for any devices that may be bricked,
or any bad things that will happen to you.
flash/boot twrp from here
either flash SuperSU by chainfire, or reboot system and accept installing supersu via TWRP.
we've experienced a bug on the first boot after flashing supersu, where there is no boot animation. instead the warning sign will stay up saying "you're unlocked".
Do not worry. It will still load, and supersu will prompt you to finish installing SU. do so, and everything will be back to normal.
A known issue happens, where root breaks the camera.
If this happens to you, then change SeLinux to permissive. I may look in to fixing it properly at a later point.
thank you to @fix-this for testing
previous post:
Please note this is a development thread. If something is said that is NOT constructive, I will have it deleted.
OK so this thread doesn't tell you how to root your device... yet.
in the process of rooting my device, I have essentially soft bricked it until I can get hold of either a boot/recovery image, or I find out the kernel base, ramdisk offset and tags offset.
long story short, I shouldn't have been messing about with the system while I was tired, so I forgot about dm-verity, and now it won't boot since the boot image contains a dm-verity key. hurrah for perma root prevention systems finally working.. sort of..
Motorola has implemented a nifty method in to their bootloaders. It essentially allows you to dump a partition. This is when I stumbled on yet another security measure. to allow you to do anything with the bootloader, you must flick a switch in the android dev settings to give full access... oh wait, I can't load the system I don't know if this switch is done by writing a value to memory, or is passed on with the reboot reason. I don't know Java that well, and I sure as hell don't know smali.
So far I have attempted:
Dump a modified system image (Failed because dm-verity).
Pull the boot image (Failed because SELinux)
Dump the boot image via moto fastboot (failed because either outdated mfastboot, or security from [read above])
Boot directly in to DLOAD mode. (Failed. seems with the msm8916, they've changed the method of accessing it, and having dload mode is now optional [which they disabled.. probably..]. I'm not going to risk wiping the bootloader to see if DLOAD mode will load as a fail safe).
so how can you help?
method failed. trying something else..
I need someone who doesn't mind unlocking their bootloader (or already has done), and doesn't need their hand holding. (request for hand holding isn't development, it will be deleted).
unlock bootloader.
get mfastboot
go to settings, dev settings, and allow oem unlock
boot to fastboot/bootloader
run this command
Code:
mfastboot oem partition dump recovery
If this fails, then try this (with this fastboot) (Thank you @m1cha for this version of fastboot, sources here)
Code:
fastboot_dump dump recovery.img oem partition moto-dump recovery
send the results back to me
Hopefully, this will all go well. If not, I'll spend a few hours figuring out the values they've used for the kernel base and offsets.
If anyone else has any ideas (even if it's to get a temp root), then feel free to share them
Big thankyou to @PotatoJ who has donated a very generous $20
And it finally begins
Gave em both the commands, nothing. Both are restricted. Ugh...
C:\windows\system32>fastboot dump recovery.img oem partition moto-dump recovery
...
(bootloader) Command Restricted
FAILED (remote failure)
finished. total time: 0.002s
more updates. just been told that those commands are for internal use only.
had an idea though.. will get back to you
cybojenix said:
more updates. just been told that those commands are for internal use only.
had an idea though.. will get back to you
Click to expand...
Click to collapse
Whatever you need, let me know. I've got the phone waiting for commands.
if im correct i think the system images are now available. ill help with what i can to obtain root. id hope rooting this wont be too hard considering we can unlock the bootloader via moto.
i also messaged jcase to see if he might be able to help us.
fix-this! said:
if im correct i think the system images are now available. ill help with what i can to obtain root. id hope rooting this wont be too hard considering we can unlock the bootloader via moto.
i also messaged jcase to see if he might be able to help us.
Click to expand...
Click to collapse
No need for jcase now. the boot image is out. I can patch it, and talk with chainfire about how to best handle dm-verity
cybojenix said:
No need for jcase now. the boot image is out. I can patch it, and talk with chainfire about how to best handle dm-verity
Click to expand...
Click to collapse
Yeah jcase responded and said since we can unlock the bootloader all we needed was a custom recovery to flash superuser. Was just trying to help.
fix-this! said:
Yeah jcase responded and said since we can unlock the bootloader all we needed was a custom recovery to flash superuser. Was just trying to help.
Click to expand...
Click to collapse
it's kind of a pain to make a custom recovery without having a recovery/boot image
Do you plan on making the recovery work with the boost mobile Variant
903tex said:
Do you plan on making the recovery work with the boost mobile Variant
Click to expand...
Click to collapse
no. I don't have the device.
btw, got twrp on it, however the return of the "No touch till screen goes off" bug is back.
Xda seems to be glitching, and won't show there's a thread in original dev from the main forum, so here's a direct link.
http://forum.xda-developers.com/moto-e-2015/orig-development/twrp-moto-e-2015-recovery-t3049726
if you need me to test, pm me. otherwise ill wait until you say its ok to root.
Code:
$ adb shell
[email protected]_umts:/ $ su
[email protected]_umts:/ #
cybojenix said:
Code:
$ adb shell
[email protected]_umts:/ $ su
[email protected]_umts:/ #
Click to expand...
Click to collapse
congratulation to you to gaining root access. :good::good::good:
we want rooting all together:laugh::laugh:
cybojenix said:
Code:
$ adb shell
[email protected]_umts:/ $ su
[email protected]_umts:/ #
Click to expand...
Click to collapse
you hard work is much appreciated.
so some bad news. the GB and EU variants have different camera blobs it seems.
unless I get decent testers, I will not be supporting the different variants.
cybojenix said:
so some bad news. the GB and EU variants have different camera blobs it seems.
unless I get decent testers, I will not be supporting the different variants.
Click to expand...
Click to collapse
how would i know if i have a gb or eu variant? and yes that's sad indeed for users. ill test whatever you need. i have an unlocked lte gsm model from moto.
root is done, thanks @fix-this for doing the final testing
cybojenix said:
root is done, thanks @fix-this for doing the final testing
Click to expand...
Click to collapse
Whatever you need for the CDMA variant I'll be happy to provide!
This thread is out of date since there is my new thread with an easier method: https://forum.xda-developers.com/lg-k10/how-to/friendly-root-method-lg-k8-k10-t3531223
However i keep this one for troubleshooting and deeper understanding...
This description was originally made for the k8, however it seems to work on k10 k430 devices
LG K8:
OS Android v6.0 (Marshmallow)
Chipset Mediatek MT6735
CPU Quad-core 1.3 GHz Cortex-A53
GPU Mali-T720
1.5GB of RAM
8GB ROM
LG K10 K430...:
quite similar to k8
Rooting the k8 (and the k10) is rather difficult since it's using "lz4" compression for the partition images not the usual "gzip" method.
Systemless supersu is still unable to patch lz4 boot images so we need to have a little trick. Not to mention porting a working TWRP is also a pian in the ass...
Before posting any questions/errors please read the troubleshooting guide and also read back in the thread!
Steps:
0.
Remove the back panel of the phone because you'll have to be able to reach your sd card, watch out for your battery - must not fall out!
If your TWRP supports mtp connection under "mount" you can skip this part and you don't have to put your sd card in and out - maybe you have to fix the driver in windows!
1.
Unlock your bootloader (all your data will be lost!!!) via ADB then boot up normally
http://forum.xda-developers.com/lg-k10/how-to/unlock-bootloader-lg-k10-mtk-devices-t3486302
if there is no warnning message during boot up after unlocking your bootloader read this:
http://forum.xda-developers.com/lg-k10/how-to/rid-shutting-device-corrupt-message-t3517879
2.
Boot to TWRP (you have to stay in TWRP during the whole process!!!) via ADB and fastboot
3.
Mount sd card
Backup your boot image (find boot.emmc.win in TWRP folder on your sdcard - rename it on PC to bootlz4_0.img)
or use your boot image taken from your kdz as it is written in the end of this thread:
http://forum.xda-developers.com/lg-k10/how-to/rid-shutting-device-corrupt-message-t3517879
4. Tweak bootlz4_0.img with Carliv Image Kitchen (Carliv download: http://viid.me/qe7BDp)
-Unpack it, open "boot.img-ramdisk-compress" file with a text editor (notepad++) and change the first (and only) line from "lz4" to "gz"
-Repack image - rename the repacked image to bootgz_0
5. Flash bootgz_0.img in TWRP
6. Install SuperSU (and xposed if you wish or you can istall xposed later) - do not quit TWRP from now until last step - that would brick your device
7. Backup boot image again - you need to remove sd card (unmount first) and put it in PC - it means you have to remove the usb cable from the phone and remove back panel - maybe before getting into TWRP!
- or enable mtp in TWRP and copy/paste the boot image from sd card.
8. Tweak boot image in Carliv
-Unpack it, open "boot.img-ramdisk-compress" file and change the first line from "gz" to "lz4"
-Repack image
9. Flash boot image in TWRP
10. Restart (this will take a bit longer and also expect bootloop a few times)
you can find a rather detailed description here:
http://viid.me/qe7Zoh - don't forget that you can use mtp connection instead of taking in and out the sd card if your TWRP supports it.
If you prefer using adb/fastboot commands instead removing your sdcard all the time you can use salaigeethan666's guide:
http://forum.xda-developers.com/showpost.php?p=69415205&postcount=34
but some reported problems with flashing the boot image and getting back to TWRP this way.
If you have problems booting up after installing supersu maybe you can force boot described by cpatrick3000:
http://forum.xda-developers.com/lg-k10/how-to/root-lg-k10-mtk-chipset-95-method-t3498166
or the problem might be:
http://forum.xda-developers.com/lg-k10/how-to/rid-shutting-device-corrupt-message-t3517879
If you ever lose root and try again consider Darkos333's guide: http://forum.xda-developers.com/showpost.php?p=69713043&postcount=99
or use lg up to get back to full stock:
http://forum.xda-developers.com/lg-k10/how-to/flashing-firmware-using-lg-t3517839
Unbrick guide by Berkantkz:
http://forum.xda-developers.com/lg-k10/how-to/guide-unbricking-flashing-firmware-due-t3380529
Unbrick by lg up:
http://forum.xda-developers.com/lg-k10/how-to/flashing-firmware-using-lg-t3517839
TWRPs for the different models:
TWRP of the k8:
http://forum.xda-developers.com/lg-k10/development/recovery-twrp-3-0-2-lg-k8-k350-mtk-t3517894
As for the k10 TWRP 3.0.0 you should use http://forum.xda-developers.com/lg-k10/development/teamwinrecoveryproject-3-0-0-0-lg-k10-t3404434 by berkantkz.
or TWRP 3.0.2 by Singular777: http://forum.xda-developers.com/showpost.php?p=69381986&postcount=126
In case of k10 430dsy try 123xdagsm's recovery: http://forum.xda-developers.com/showpost.php?p=69706581&postcount=154
Please, before you proceed read and practice the methods of each steps! A few hours of preparation (google + xda + tests) might save your device getting hard bricket and it's also better for you to know what you're doing! Look for fastboot commands, systemless supersu, TWRP usage, Carliv image kitchen, ... (google + xda)! You better not leave TWRP during the whole process! Keep in mind that after the supersu is installed you must be able to recompress your boot image to "lz4" otherwise you get soft bricked and you need to use lg up to refirbish...!!!
Read each steps twice and follow them stricktly!
Also keep in mind that if you want to uninstall supersu/remove root you have to reflash stock firmware with lg bridge + hard reset or lg up.
Troubleshooting
"your device is corrupt. It can't be trusted and may not work properly"
- this message is normal when you have an opened bootloader
- phone shuts down right after this message: http://forum.xda-developers.com/lg-k10/how-to/rid-shutting-device-corrupt-message-t3517879
no ADB connection (command: "adb devices" - your device is not in the output list):
- turn-on USB Debugging (settings - developer opions)
- install drivers
no fastboot connection (command: "fastboot devices" - your device is not in the output list):
- install drivers
- check device manager
- you may try to install android SDK if the connection is not working
unable to unlock bootloader (command "fastboot oem unlock"):
- allow oem unlock (settings - developer opions)
device is not booting into TWRP:
- unlock bootloader
- the TWRP is not compatible with your device (there is a list of TWRPs for different devices, if you cant find yours you can try the next guide: http://www.chinaphonearena.com/foru...752-MT6753-MT6795-MT6797-TWRP-MT67xx-tutorial)
unable to unpack boot image in carliv
- your TWRP is not compatible with your device (at least it didn't backup your boot image properly)
unable to repack boot image in carliv
- check the unpacked boot image "ramdisk" folder, if there are all the necessary files and folders, find a list attached at posts #107 and #124: (doesn't have to be the exact same since k8 and k10 migth differ - there is no "boot" folder in case of the k8 and also before installing supersu the su folders are not to be there - normally 5+ folders and 20+ files)
- see if "boot.img-ramdisk-compress" file exists
- maybe you messed up something in carliv
supersu failed to patch the ramdisk (even if it sais installed succesfully)
- you can try just unpack and repack your stock boot image install/flash it and see if it boots up - so you can be sure you are a "master" of carliv and TWRP
- your boot image is not gzip compressed - open "boot.img-ramdisk-compress" as text. It should only have one line: "gz"
supersu failed to install
- you can try just unpack and repack your stock boot image install/flash it and see if it boots up - so you can be sure you are a "master" of carliv and TWRP
- your TWRP is not compatible with your device (or you need a newer version)
device is not booting up after the final step (boot loops for more then 2 minutes)
- http://forum.xda-developers.com/lg-k10/how-to/rid-shutting-device-corrupt-message-t3517879
- use Berkantkz guide to flash back the original firmware: http://forum.xda-developers.com/lg-k10/how-to/guide-unbricking-flashing-firmware-due-t3380529
- after getting back to stock you can try just unpack and repack your stock boot image install/flash it and see if it boots up - so you can be sure you are a "master" of carliv and TWRP
- duble check your final boot image (uncompress and compare files and folders to the one attached in posts #107 and #124 - has to be reasonably/more or less the same)
- consider step 6 in Darkos333 guide: http://forum.xda-developers.com/showpost.php?p=69713043&postcount=99
- also consider cpatrick3000's force boot guide: http://forum.xda-developers.com/lg-k10/how-to/root-lg-k10-mtk-chipset-95-method-t3498166
if none of these helps make a recovery log (in TWRP under advanced menu) before final restart and post it or send it to me
This method works for the LG K10 k430Y as well. Thanks very much brah, so far I have changed a couple of thing in the build.prop like activating the multi window setting and so far it is functioning properly besides the annoying 'device is corrupt' message everything seems to be fine thanks a lot bro :good: :good:
Judroidz said:
This method works for the LG K10 k430Y as well. Thanks very much brah, so far I have changed a couple of thing in the build.prop like activating the multi window setting and so far it is functioning properly besides the annoying 'device is corrupt' message everything seems to be fine thanks a lot bro :good: :good:
Click to expand...
Click to collapse
"device corrupt" message cames rigth after unlocking the bootloader (in my case at least...) however i believe there is a way to tweak boot logo and remove the message, Ill look into it.
Anyways your welcome
Judroidz said:
This method works for the LG K10 k430Y as well. Thanks very much brah, so far I have changed a couple of thing in the build.prop like activating the multi window setting and so far it is functioning properly besides the annoying 'device is corrupt' message everything seems to be fine thanks a lot bro :good: :good:
Click to expand...
Click to collapse
Can i ask whitch TWRP you used? Did you maybe tried it with the one i ported for the k8 or is this the one by berkantkz?
I used the twrp made by berkantkz, do you think it would be safe if I flashed it on my k10.
Judroidz said:
I used the twrp made by berkantkz, do you think it would be safe if I flashed it on my k10.
Click to expand...
Click to collapse
Actually the recovery partitions size is approx. 16Mb. Berkantkz's TWRP is almost 17Mb so there is little chance you can flash it. There is no problem if you try it would give you an error message if the size is too big and nothing's gonna change. I recompressed berkantkz's TWRP to gzip (https://drive.google.com/open?id=0BwyMOazoSp8TdnhBbWpobEk0V0E) so it is smaller, you can try to flash that but you have to try it before. I mean just boot into it (fastboot boot ...) don't flash it first.
Keep me updated please!
About the multiwindow, did you use "ro.build.type" -> userdebug or "persist.splitwindow.support_all" -> true ?
I flashed back to stock with lg bridge and also did factory format with hard buttons. There is no way to root again and boot up succesfully. Somehow lg bridge and also factory format leaves some partions untouched that still have something from supersu. So i erased all partitions in fastboot...
I shouldn't have cause now my phone can't connect at all. Not even in download mode.
I suggest if anyone tried any method to root unsuccesfully that should not try this method. It will not boot up...:S
Thats all for now. I'll try to exchange my phone and then start again...
I can't make lg up to work with the k8. There is no lgup...dll.msi to install. Any ideas?
Maybe the boot image is not turned back to stock not by factory format nor by lg bridge... this migth cause the mess with Supersu install after turnig back to stock... With lg up we could reflash the full stock system and try rooting again...
If anyone plans to root save your stock boot image first, might come handy later...
hilp for root lgk10 439dsy
ha118814kh said:
hilp for root lgk10 439dsy
Click to expand...
Click to collapse
439? Are you sure? I guess it must be 430... however i belive the only method is the above described one. If you ever attempted rooting the device i suggest not to do that unless you can flash it back to fully stock.
Theese might help for unsuccesful root attempts... i wish i found this before erasing all my partitions...:S
http://forum.xda-developers.com/showpost.php?p=63816659&postcount=2769
and
http://forum.xda-developers.com/apps/supersu/unroot-systemless-root-t3249542
Are there any easier ways to root it? It seems a bit of difficult to me(k430)
xdarootxda said:
Are there any easier ways to root it? It seems a bit of difficult to me(k430)
Click to expand...
Click to collapse
I'm afraid until SuperSU is not "lz4" compatible there is no easier method. I't not so difficult anyways as long as you can make a fastboot connection. There is always download mode and lg bridge if anything goes wrong...
PS. if you ever attempted to root this device before then most likely it's not gonna work... unless you can make LgUP see your k430 and reflash the whole firmware.
gottlasz said:
I'm afraid until SuperSU is not "lz4" compatible there is no easier method. I't not so difficult anyways as long as you can make a fastboot connection. There is always download mode and lg bridge if anything goes wrong...
PS. if you ever attempted to root this device before then most likely it's not gonna work... unless you can make LgUP see your k430 and reflash the whole firmware.
Click to expand...
Click to collapse
Thanks for the information, but i'm new to bootloader and recovery, so are there any video guides about this process?
xdarootxda said:
Thanks for the information, but i'm new to bootloader and recovery, so are there any video guides about this process?
Click to expand...
Click to collapse
There are many video guides on youtube but not for this particular case. I guess you can search each step separately and put the whole picture together.
gottlasz said:
There are many video guides on youtube but not for this particular case. I guess you can search each step separately and put the whole picture together.
Click to expand...
Click to collapse
Thanks, I'll have a look.
I'm so glad to see people working on this phone. Has anyone gotten this method to work?
Sent from my VS500 using XDA Free mobile app
chopperchez said:
I'm so glad to see people working on this phone. Has anyone gotten this method to work?
Sent from my VS500 using XDA Free mobile app
Click to expand...
Click to collapse
Guys,root is successfully received!
see details on the Russian forum
4pda in the subject LG K10 LTE.
Sent from my LG-K430 using xda premium
lg_l7_p700 said:
Guys,root is successfully received!
see details on the Russian forum
4pda in the subject LG K10 LTE.
Sent from my LG-K430 using xda premium
Click to expand...
Click to collapse
Unfortunately i speak no russain.. Is it somewhat similar to the method described in the OP?
It also uses carliv so i guess its basically the same, isn't it?
lg_l7_p700 said:
Guys,root is successfully received!
see details on the Russian forum
4pda in the subject LG K10 LTE.
Sent from my LG-K430 using xda premium
Click to expand...
Click to collapse
The principle of obtaining root.
Install SuperSU via TWPR.
We have the boot ramdisk
compression in lz4,it is not
supported so first comes the
installation boot with
compression gz,then install SuperSU,
and boot back lz4
Sorry for my bad English.
Sent from my LG-K430 using xda premium
I would love to try this.. but I tried flashing the supersu package previously and it didn't work.. my phone boots up properly.. but my usb isn't working anymore. I can't get into fastboot anymore cos there is no hardware shortcut to enter into that and Without ADB i can't go into fastboot. is there any way to fix this? pls help
I dont take responsibility for possible damages!'
1. When you unlock the bootloader, all your data will be erased!
2. When you try to lock the bootloader, your data will be erased and you will lose the API.
3. YOU CAN RECEIVE OTA UPDATES WITH THE BOOTLOADER UNLOCKED!
Download the tool: https://forum.xda-developers.com/mi-a2/how-to/mi-a2-toolkit-unlock-bootloader-root-t3834585
1. Unlock the bootloader (I will not go into detail, the tool is intuitive, follow the tool's instructions!.)
2. Start your phone and enable USB debugging.
3. Put your cellphone in Fastboot.
4. In the tool, use option 4 (This will not install TWRP, just start) (follow the tool's instructions!)
5. When entering TWRP, if prompted, check "Keep system read only".
6. Open in the tool folder "Open CMD here"
7. Run the command: adb shell
8. Now enter the following command: "setprop persist.camera.HAL3.enabled 1" without quotation marks, and enter. - This command enables the required core API for GCAM.
9. Now type "exit" to exit adb.
10. Go back to the phone, in TWRP -> Reboot -> System -> Do Not Install
Ready.
I did this tutorial quickly. Any questions, use the comments!
Just a note. That tool is working with August security patch, but a lot of us received already September Security patch. And how do you know that we will receive OTA. Did you test by yourself? And btw, looks very easy and clear explained. For now I will wait for stable patch from Xiaomi, and updated Tool from the link you recomended. Thank you.
kaiwanted said:
Just a note. That tool is working with August security patch, but a lot of us received already September Security patch. And how do you know that we will receive OTA. Did you test by yourself? And btw, looks very easy and clear explained. For now I will wait for stable patch from Xiaomi, and updated Tool from the link you recomended. Thank you.
Click to expand...
Click to collapse
The tool just has the August picture. But the functions used for the gcam works in the September patch.
Yes. I have.
when i want to launch the TWRP, my device already plugged in and in fastboot mode, but it says "could not detect the active partition used, please ensure your phone is plugged in and in fastbook mode". How to fix this? tks
asuturo said:
when i want to launch the TWRP, my device already plugged in and in fastboot mode, but it says "could not detect the active partition used, please ensure your phone is plugged in and in fastbook mode". How to fix this? tks
Click to expand...
Click to collapse
I'm stuck at this too, i got the september update, already unlocked the bootloader but still can't install the twrp
"could not detect the active partition used, please ensure your phone is plugged in and in fastbook mode"
Rafaelboxer said:
I'm stuck at this too, i got the september update, already unlocked the bootloader but still can't install the twrp
"could not detect the active partition used, please ensure your phone is plugged in and in fastbook mode"
Click to expand...
Click to collapse
I think the September update change the active partition from A to B ( the August is A). Thats why it doesn´t work.
I´m also with September Update, and camera2api is the only thing i want to enable on Mi a2 ( don´t want to root and lose OTA) until a relliable TWRP is relleased.
This command should tell you which slot is active:
fastboot getvar current-slot
ki69 said:
I think the September update change the active partition from A to B ( the August is A). Thats why it doesn´t work.
I´m also with September Update, and camera2api is the only thing i want to enable on Mi a2 ( don´t want to root and lose OTA) until a relliable TWRP is relleased.
Click to expand...
Click to collapse
I got the september boot.img from another topic and rooted
Still no working solution for the ones that have setember update, and don´t want to root or use magisk??? I think the problem is that TWRP does not work with september update. Any easy way to downgrade to August again??
I'm thinking of installing Camera2API/GCamera, but I wonder if it's worth it. What are the real benefits? Does this make the camera compatible with more applications (eg Snapchat), avoiding them from making a screen of the camera ?
Hey guys i have some doubts.
I saw many threads saying to flash twrp into a partition (A or B) but i don't get why we have to flash it... So can someone clarify for me some stuff?
1 - fastboot boot twrp.img
I don't recall where the persist properties are stored but i believe it's not a partition that the OEM or google will constantly modify, right? So why making changes to the persist props in TWRP doesn't make it persist when booting into system? Is it possible to make it store it not temp?
Why there are people saying that flashing TWRP into, eg. part A, and booting into it, and then changing to part B, is working to enable the camera2 API? This should be the same as fastboot boot TWRP and then reboot it.
2 - As far as i remember, su permissions might be allowed in boot.img (.props file), so i thought that magisk patched image would have some su privilegies, but after booting from a patched image, su doesn't return anything. Does anyone knows what is the patched image from magisk? I heard about an app showing up after booting, so the patch is just a runnable with root?
3 - I also saw many threads changing sys build.prop directly. Horrible choice, but, does anyone knows if it possible to have a build.prop in OEM partition? From what i know, the build.prop will be concat. from all the folders related to the booting process. Has anyone tried to throw a build.prop into OEM with the persist enable? I believe that, since the folder is related to OEM only, and since we have no OEM making apps or whatever in an Android One phone, i think it is more safe than other partitions
ricardohnn said:
Hey guys i have some doubts.
I saw many threads saying to flash twrp into a partition (A or B) but i don't get why we have to flash it... So can someone clarify for me some stuff?
1 - fastboot boot twrp.img
I don't recall where the persist properties are stored but i believe it's not a partition that the OEM or google will constantly modify, right? So why making changes to the persist props in TWRP doesn't make it persist when booting into system? Is it possible to make it store it not temp?
Why there are people saying that flashing TWRP into, eg. part A, and booting into it, and then changing to part B, is working to enable the camera2 API? This should be the same as fastboot boot TWRP and then reboot it.
Click to expand...
Click to collapse
If you did a search on that 'persist' command, you'd find that it does persist, to many of the tables that type of information is stored in. It does not change the info in the properties file in 'System'. It does change the 'Data' partition, but that's okay, as there's only 1 of those (used no matters which slot boots up). The reason for booting on the non-active partition is a twrp / dual slot phone type of thing. I know it works as I've done it, but the 'setprop persist' changes the one and only Data partition, which both slots use, that's why it works.
ricardohnn said:
2 - As far as i remember, su permissions might be allowed in boot.img (.props file), so i thought that magisk patched image would have some su privilegies, but after booting from a patched image, su doesn't return anything. Does anyone knows what is the patched image from magisk? I heard about an app showing up after booting, so the patch is just a runnable with root?
Click to expand...
Click to collapse
I thought the patched image would have some su capabilities also, but it doesn't. It only installs the Magisk stub, which you can further install magisk from. Magisk is a great and sophisticated app. Has numerous Magisk modules which do a wide variety of things. But if you don't need any of those things, and don't need root, it's pretty over the top for just setting the cam2api, imho.
ricardohnn said:
3 - I also saw many threads changing sys build.prop directly. Horrible choice, but, does anyone knows if it possible to have a build.prop in OEM partition? From what i know, the build.prop will be concat. from all the folders related to the booting process. Has anyone tried to throw a build.prop into OEM with the persist enable? I believe that, since the folder is related to OEM only, and since we have no OEM making apps or whatever in an Android One phone, i think it is more safe than other partitions
Click to expand...
Click to collapse
If you change 'System' directly you will not get any OTA updates, so yer right, don't change that. There's no need to consider changing it anywhere else, as the 'setprop persist etc' command populates all the tables for you. 'System' is not affected and OTA updates will continue. There's no removing Magisk, restoring boot image, reinstalling etc etc etc.
One thing I would warn others about, using the various 'Tools'. You don't know what commands they are running, so you can't be sure what they will do. I say that because one of the tools I recently downloaded and went through and found the commands in it. The first thing it did after booting TWRP was to mount 'System' as Read / Write!! Why does that matter? From what I've read, doing that stops OTA from happening. Just mounting it R/W will change the date stamp on it concerning modifications, and that's all the OTA needs to know to say 'it's been modified'.
good luck, cheers
Agree with the data persist, but why do you need to flash into the different partition and not only boot from it?
I don't disagree that it will work, i just want to know why not boot from fastboot directly instead of flashing into one of the backup partition. I know that fastboot boot command triggers different code than usual flow. But not that i remember that it would affect something.
Getprop | grep camera would return if enabled right? Or nope?
ricardohnn said:
Agree with the data persist, but why do you need to flash into the different partition and not only boot from it?
I don't disagree that it will work, i just want to know why not boot from fastboot directly instead of flashing into one of the backup partition. I know that fastboot boot command triggers different code than usual flow. But not that i remember that it would affect something.
Getprop | grep camera would return if enabled right? Or nope?
Click to expand...
Click to collapse
The dual partition thing is new to everyone, I only understand bits and pieces, like everyone. But we do know there's no more 'recovery' partition, like we use to know. And we also know the way the dual works is that when an update occurs, if the device then try's to boot it and fails, it will automagically switch to the previous partition and boot it. Pretty sure we also know that booting and flashing are different with dual slot devices, but I'm not 100% sure how different.
I've tried booting twrp and just ended in bootloops. And that may be because of diff versions of TWRP, or it may be because of basic code all TWRP's have, not sure. But TWRP is a recovery, not a boot image with the proper kernel, like the patched boot images.
I do know for sure I didn't want to brick my phone (duh). So when I found a Magisk install guide, mentioned in my Guide thread, they used TWRP to install it. It sounded like an authoritative guide to me, re the part of getting TWRP to work. So I used that just to be able to run the setprop commands. Worked perfectly. Having to use the other (non active) partition **may** have something to do with avoiding triggering any automatic code to switch partitions unnecessarily, not sure, but not going to experiment any further to find out
Again, do some research on that setprop command, one of the things you'll find is that it doesn't populate all the appropriate tables until 'after' the device has been rebooted. So doing a getprop directly after doing the setprop won't work, not until it's been rebooted.
cheers
AsItLies said:
I've tried booting twrp and just ended in bootloops. And that may be because of diff versions of TWRP, or it may be because of basic code all TWRP's have, not sure. But TWRP is a recovery, not a boot image with the proper kernel, like the patched boot images.
Click to expand...
Click to collapse
I did manage to boot the last version of TWRP only first time, every other time ended in bootloops.
And I can sorry say that ADB did not work in booted TWRP, adb did not recognized the phone, so no commands could be typed.
For me, it is easier to flash patched_boot.img and install root temporarily, and then when job is done with activating camera2, uninstall root.
But hey, there are two easy ways, and everyone can choose which one is best suitable for them to try.
It would be of course easiest to just boot TWRP and enable camera2, but it doesn't work for now.
minnuss said:
I did manage to boot the last version of TWRP only first time, every other time ended in bootloops.
And I can sorry say that ADB did not work in booted TWRP, adb did not recognized the phone, so no commands could be typed.
For me, it is easier to flash patched_boot.img and install root temporarily, and then when job is done with activating camera2, uninstall root.
But hey, there are two easy ways, and everyone can choose which one is best suitable for them to try.
It would be of course easiest to just boot TWRP and enable camera2, but it doesn't work for now.
Click to expand...
Click to collapse
Yes, just 'booting' twrp has been problems for everyone, "that" doesn't work (not just now, but probably never).
But, following the Guide I wrote, and 'flashing it' does work. Right Now.
AsItLies said:
The dual partition thing is new to everyone, I only understand bits and pieces, like everyone. But we do know there's no more 'recovery' partition, like we use to know. And we also know the way the dual works is that when an update occurs, if the device then try's to boot it and fails, it will automagically switch to the previous partition and boot it. Pretty sure we also know that booting and flashing are different with dual slot devices, but I'm not 100% sure how different.
I've tried booting twrp and just ended in bootloops. And that may be because of diff versions of TWRP, or it may be because of basic code all TWRP's have, not sure. But TWRP is a recovery, not a boot image with the proper kernel, like the patched boot images.
I do know for sure I didn't want to brick my phone (duh). So when I found a Magisk install guide, mentioned in my Guide thread, they used TWRP to install it. It sounded like an authoritative guide to me, re the part of getting TWRP to work. So I used that just to be able to run the setprop commands. Worked perfectly. Having to use the other (non active) partition **may** have something to do with avoiding triggering any automatic code to switch partitions unnecessarily, not sure, but not going to experiment any further to find out
Again, do some research on that setprop command, one of the things you'll find is that it doesn't populate all the appropriate tables until 'after' the device has been rebooted. So doing a getprop directly after doing the setprop won't work, not until it's been rebooted.
cheers
Click to expand...
Click to collapse
About the setprop, even after the reboot isn't returning the prop, so that's why i am not sure if it is actually keeping it after twrp boot.
About the AB partition... well...
it's more or less like this...
let's say some simple partition scheme....
Preloader
Boot
System
Vendor
ODM
Data
So the phone will probably have many boot images type... like the usual boot.img or recovery.img (before treble) etc.
The boot.img will have the kernel image bla bla bla... since this is a google update, i believe that the AB partition procedures starts here (meaning all the relevant code of checking whether is A or B)
Google wanted to make things faster for the OEM (Samsung, LG etc) so they wanted to separate their ****s from google's one.
So (if things didn't change) you will have the following partitions now (actually i am not sure if they kept the system AB, but i believe so, since it seems to be working in other phones like that )
BootA
BootB
SystemA
SystemB
VendorA
VendorB
OEMA
OEMB
Data
So let's say google wants to update some security patches, from kernel til android, it will have to update boot and system. So in a OTA (changes if it is a google phone or a branded phone) before treble, it would update like... download the image containing boot and system into cache partition or data partition (depending the OTA size), after the download the update manager apk would set as a update booting and reboot your phone. Once booted, the phone would copy the partitions to the correct place (not being detailed) and rereboot. After the rereboot, if everything went normal, it would delete the downloaded image from your data/cache partition.
Now it's different like... instead of sending the update to the data partition and copying. It has a flag to set whether you are in A or B partition.
If you are (for eg.) in A partition, it will download the OTA to the B partition. (consider that in an untouched phone, A and B would have identical copies). So after downloading it, the flag is set to the B partition and reboot the phone. When booting, this time, it will not follow the A booting flow, like...
Before the update booting process would be
BootA
SystemA
VendorA
ODMA
Data
After the update the boot process will be
BootB
SystemB
VendorB
ODMB
Data
But i didn't update the vendor or ODM... why not keep in A? Because it's too hard to manage it.
So if anything fails in this update, it can easily go back into A booting process (which means you have a backup of your old boot).
Since system is too big, i am not sure if the system AB exists (it would just take up too much space... but anyway...).
It is also not a way to prevent bootloop, it is related to update. If an update fails (say, the image is corrupted or has no signature etc) the boot will change back, but if the update is "correct" it will boot as it should, even if the image is bad.
So again... when we do the fastboot boot boot.img, we are copying this boot into some cache or data to boot up, instead of our original boot. When we reboot, it will use the original boot. So, is there a difference from using twrp flashed and booted?
I know that fastboot boot will trigger different booting process (meaning signatures verifying etc) but don't think that it will not mount a partition or something...
Well... anyway... so after the reboot, when you setprop in TWRP, the getprop returned the prop correctly? I recall something about getprop not returning the prop but camera2 was enabled anyway with the setprop... well... can you just confirm one thing for me?
The steps you used was... fastboot flash patchboot and then reboot into twrp and then reboot back to usual partition.
You didn't do fastboot boot patched boot -> twrp -> reboot
Right?
---------- Post added at 09:44 AM ---------- Previous post was at 09:42 AM ----------
AsItLies said:
Yes, just 'booting' twrp has been problems for everyone, "that" doesn't work (not just now, but probably never).
But, following the Guide I wrote, and 'flashing it' does work. Right Now.
Click to expand...
Click to collapse
Oh didn't see this one. OK...
Damn... hmm... strange... well thanks anyway...
---------- Post added at 09:50 AM ---------- Previous post was at 09:44 AM ----------
AsItLies said:
The dual partition thing is new to everyone, I only understand bits and pieces, like everyone. But we do know there's no more 'recovery' partition, like we use to know. And we also know the way the dual works is that when an update occurs, if the device then try's to boot it and fails, it will automagically switch to the previous partition and boot it. Pretty sure we also know that booting and flashing are different with dual slot devices, but I'm not 100% sure how different.
I've tried booting twrp and just ended in bootloops. And that may be because of diff versions of TWRP, or it may be because of basic code all TWRP's have, not sure. But TWRP is a recovery, not a boot image with the proper kernel, like the patched boot images.
I do know for sure I didn't want to brick my phone (duh). So when I found a Magisk install guide, mentioned in my Guide thread, they used TWRP to install it. It sounded like an authoritative guide to me, re the part of getting TWRP to work. So I used that just to be able to run the setprop commands. Worked perfectly. Having to use the other (non active) partition **may** have something to do with avoiding triggering any automatic code to switch partitions unnecessarily, not sure, but not going to experiment any further to find out
Again, do some research on that setprop command, one of the things you'll find is that it doesn't populate all the appropriate tables until 'after' the device has been rebooted. So doing a getprop directly after doing the setprop won't work, not until it's been rebooted.
cheers
Click to expand...
Click to collapse
Oh by the way, i saw one part
"But TWRP is a recovery, not a boot image with the proper kernel, like the patched boot images. "
I think this is wrong (at least if TWRP team didn't change stuff), but all images are bootable images... (by all images i mean... boot.img recovery.img Flashing.img).
I once thought that they used a common kernel image, but in fact, all the booting process image has the kernel image copied (literally) to prevent brick. So even with a corrupted boot img, you still can boot into recovery or into download mode.
So that's why TWRP must have a kernel.
@ricardohnn, you seem hell bent on getting twrp to boot. Good luck. Let me know how that works out for you. In the meantime I'll be enjoying my cam2api working
cheers
AsItLies said:
@ricardohnn, you seem hell bent on getting twrp to boot. Good luck. Let me know how that works out for you. In the meantime I'll be enjoying my cam2api working
cheers
Click to expand...
Click to collapse
Actually TWRP boots fine with fastboot boot...
ADB runs smooth, but it just won't keep.
But you've made me envy LOL
I will think about flashing... later...
ricardohnn said:
Actually TWRP boots fine with fastboot boot...
ADB runs smooth, but it just won't keep.
But you've made me envy LOL
I will think about flashing... later...
Click to expand...
Click to collapse
What version of TWRP did you use, there is now two versions, I used last one, from a few days ago, and in first try I did manage to boot from fastboot, not flash it, but ADB did not worked.
So, if adb did work for you, maybe it was earlier version ?
Anyway, as you say, it is not permanent setprop, maybe because the twrp is not stable one, or maybe it needs to be flashed to work, not just booted.
I personally do not have doubts that this tutorial works, I just did not want to flash twrp. :good:
TWRP Custom Recovery for the Onn Android Tablet series
This is the first fully-featured custom recovery for Walmart's MediaTek-based Onn tablets: ONA19TB002, ONA19TB003 and ONA19TB007. TWRP needs no introduction. If you have come here, you probably have some idea of what it is and what it's used for. This TWRP build does not need the bootloader unlocked or VBMeta verification disabled, although it's recommended that you at least unlock the bootloader.
DISCLAIMER
Everything described in this thread is done at your own risk. No one else will be responsible for any data loss, corruption or damage of your device, including that which results from bugs in this software.
FEATURES
Decrypted data partition
All USB modes functional: MTP, ADB, Mass Storage, OTG, Charging
Fast boot time
Adoptable storage mounting
Firmware image backup and restore
Works under locked bootloader
Android 9 build fits within the 16MB recovery partition -- no compromises or partition resizing necessary
INSTALLATION METHOD 1
Download the recovery to your PC and unzip the image
Unlock the bootloader (skip if you have already done this)
Enable OEM Unlock in Developer Options in Android Settings
Boot into fastboot mode either by holding vol. up+power to power it on and selecting "Fastboot mode", or by running the 'adb reboot bootloader' command from within Android.
Install fastboot and appropriate drivers on your PC if you have not set those up
Unlock the bootloader with the command
Code:
fastboot flashing unlock
...and follow the instructions on the screen. This will wipe your data.
Flash the custom recovery with
Code:
fastboot flash recovery twrp-3.3.1-ONA19TB002.img
(use the right file name path for your device)
Reboot to recovery with
Code:
fastboot oem reboot-recovery
INSTALLATION METHOD 2
This assumes you are familiar with SP Flash Tool or can figure it out on your own
Download the recovery to your PC and unzip the image
Get the appropriate scatter file for your device. The scatter file may be found in the device's firmware under /system/data/misc.
Set up SPFT Download tab as Download Only. Load your scatter file.
Under the recovery line, double-click Location and open your TWRP image.
Click Download and connect your powered-off tablet to your PC. SPFT will automatically flash the recovery to the emmc and disconnect when finished.
INSTALLATION METHOD 3
Head over to Amazing Temp Root for MediaTek ARMv8, read the requirements and directions, and grab the latest mtk-su.
Open a root shell with mtk-su
Flash the (unzipped) recovery with the command:
Code:
dd bs=1048576 if=twrp-3.3.1-0-ONA19TB002.img of=/dev/block/by-name/recovery
(replace the if= file name with your appropriate recovery image path)
Exit root shell
START RECOVERY
Three methods:
On a powered off tablet, hold Vol. up+power for about 3 seconds. In the menu that appears, select "Recovery mode"
With Android ADB, use the command 'adb reboot recovery'
From Android root shell, use the command 'reboot recovery' or just use any root app with OS reboot features
NOTES
Kind of important: Make a backup of your Crypto Footer as soon as you can. This is the encryption key to your data partition. When accessed from TWRP, this key can get "upgraded" so that you will get locked out of Android. TWRP uses a hacky workaround that saves and restores the original footer on every /data decrypt. But that method is not what I would call 100% reliable.
Make sure you have a backup of the untouched stock system and vendor images. There are no official firmware packages available to download.
Only mount system/vendor partitions in read/write mode if you have unlocked the bootloader. It is recommended to choose to leave system read-only at the startup prompt unless you have a specific reason to modify it. If the bootloader is locked, then dm-verity is enforced.* So merely mounting it once in r/w will cause a boot loop.
It's currently not possible to install incremental OTA updates using this TWRP. Use the stock recovery to update the FW. That will only work if you have never mounted system/vendor in write mode.
DOWNLOAD (Nov. 30, 2019)
Current version: 3.3.1-1
ONA19TB002 - Onn 8" model
ONA19TB003 - Onn 10.1" model
ONA19TB007 - Onn 10.1" w/keyboard model
Source code
ONA19TB002 | ONA19TB003 | ONA19TB007
ACKNOWLEDGEMENTS
The team behind TWRP & OmniROM
@tek3195 for testing and feedback on the 8" model
Please post feedback since these are still pretty new and not exhaustively tested. Let me know if I should port it to other models in the series.
Reserved also
grabbing this one too cuz why not
Very nice! I'll download and test the 003 one soon.
I also have a 007 model to experiment with.
I tried about a dozen times to build TWRP and failed miserably LOL. Closest I got was one that would boot but the rotation was all messed up, USB wouldn't work, didn't mount some partitions... Yeah, it was a hot mess.
Do you happen to have sources available?
Hi @NFSP G35,
I'll have the source code soon. Most of the tricks involved patching bootable/recovery. So I need to commit those changes and include the proper patch set from my tree....
Amazing!! Gonna install and test 8" right now.
Has anyone tried a GSI on these tablets yet?
MishaalRahman said:
Has anyone tried a GSI on these tablets yet?
Click to expand...
Click to collapse
I do know @tek3195 , the Onn 8 thread starter, has tried many of them as well as others here, somewhere on that thread he listed his tests and opinion of several of them.
I'm pretty sure others on that thread have also tried GSI's.
MishaalRahman said:
Has anyone tried a GSI on these tablets yet?
Click to expand...
Click to collapse
I did try both Phhuson vanilla and also Liquid Remix (I'm keeping this one for now). I didn't flash them through twrp, but using fastboot via bootloader.
WoW! AwEsOmE! I cannot wait to try this! THANK YOU!!!!!!
Hey,
This is a neat thing to see for the Onn tablets. I have a question though. I own a device based on the mt8163, and am trying to help people with another device I don't own (the powkiddy x18 which also uses the mt8163). One of the things I wanted to do was to make a custom rom for the x18, since it's stock firmware is horrible. And of course, one of the first steps to custom roms is twrp. So I have a question for you that I hope you can answer for me. How did you make this build of twrp? I have seen no device trees for this device so I was kinda curious. If you can help me in any way, I'd be so grateful, and I'm sure the other people with the x18 would be grateful for help.
@diplomatic
Is there a different procedure for installing TWRP on a locked bootloader?
I can confirm that using SP Flash to load your TWRP.img will produce a bootloop when installing to a device with the BL locked. Reflashing the original recovery.img makes the problem go away. You mentioned in the OP that this TWRP will work on a locked BL so I thought I would share my case study with you in following the procedure you defined.
MY SINCERE GRATITUDE FOR YOUR EFFORTS IN PORTING THIS TO THE ONN!
You're welcome, @Spatry.... Can you describe how you ended up with a locked BL? Was it unlocked before? Have you ever tweaked vbmeta? Also, when you say bootloop, do you mean for Android or just for recovery? I'm not going to insist that it works under locked BL. I tested it once and it did boot up...
diplomatic said:
You're welcome, @Spatry.... Can you describe how you ended up with a locked BL? Was it unlocked before? Have you ever tweaked vbmeta? Also, when you say bootloop, do you mean for Android or just for recovery? I'm not going to insist that it works under locked BL. I tested it once and it did boot up...
Click to expand...
Click to collapse
Presently, I am running stock with Magisk patched BOOT on locked bootloader, stock vbmeta. The boot loop was at the ONN Android screen, I could not get it to even boot into recovery.
At one time I did run with the bootloader unlocked (with --disable-verification on stock vbmeta) and I ran Phusson's AOSP, Liquid Remix and Bliss. I found there was no benefit to me in running the other mods so I reverted back to stock courtesy of @CaffeinePizza and the bootloader re-locked to get rid of that annoying 5 second orange state.
In each instance, I always used SP Flash tools to load all .img files. I only used fastboot to install magisk_patched.img onto the stock installation. Unlocking the bootloader erases all data and I did not feel like reinstalling everything again, so I figured I would try to install TWRP per your instruction to see if it would work while the BL was still locked... Restoring the original recovery got rid of the bootloop. I do want to try your TWRP so I will try it with BL unlocked when I get some free time to do so.
Spatry said:
Presently, I am running stock with Magisk patched BOOT on locked bootloader, stock vbmeta. The boot loop was at the ONN Android screen, I could not get it to even boot into recovery.
Click to expand...
Click to collapse
This sounds like you might have flashed a wrong/corrupt image to recovery. It may have to do with AVB checks rather than bootloader lock. But those conditions might be interdependent somehow so I can't tell you for sure. The fact that you are able to boot a patched image on a locked BL says it doesn't care too much about verification. I can tell you for sure that any recovery image must have avb metadata, not necessarily the required hash, for both Android and recovery to boot. Can you try to unzip the image file and flash it over again?
Hmm, the situation with the bootloader lock sounds eerily similar to the Nabi SE. The latter also had a similar implementation where there's not much in the way of locking things down, other than an (easily circumvented) SP Flash Tool signature check and different preloader keys. And here's the real kicker: the nearly-identical Fisher Price Nabi also ran on the MT8163, so it makes me wonder if it's possible to boot Pie on it, or perhaps a GSI assuming that Treble can be tacked onto it.
Also, do you have the source repo to this TWRP port of yours?
If anyone here gave me an XDA ad-free subscription, thanks a lot! I didn't get a notification of who it was. Using this site is a lot more bearable now.
diplomatic said:
If anyone here gave me an XDA ad-free subscription, thanks a lot! I didn't get a notification of who it was. Using this site is a lot more bearable now.
Click to expand...
Click to collapse
Where do I find crypto footer to backup
diplomatic said:
If anyone here gave me an XDA ad-free subscription, thanks a lot! I didn't get a notification of who it was. Using this site is a lot more bearable now.
Click to expand...
Click to collapse
Kinda cool without the ads isn't it. I know I sent one about a week ago or so. I think everybody ought to send you one, you deserve it. THANKS and AWESOME work.
Since there's a new generation of the Onn 8 tablets, and there currently isn't a rooting guide for them,
I figured I'd write one since I finally got mine to boot with magisk.
DISCLAIMER: I AM NOT RESPONSIBLE FOR BRICKED DEVICES. CONSIDER BACKING YOUR DEVICE UP BEFORE FOLLOWING THE INSTRUCTIONS LISTED IN THIS POST.
I won't bore you with useless details, let's just get into how to root this thing.
TOOLS:
You're going to need your vbmeta.img file to flash. You can use the one I have attached below, or supply your own from your own device dumps. Either way, you're gonna need that.
You will also need EITHER, the stock boot.img file for your tab (mine is also attached), or a magisk patched boot.img file, which I'll show you how to create if you don't already have one.
You will also need ADB and Fastboot installed on your PC for your platform, as well.
A guide on how to obtain that is available here if you don't already have it.
CREATING PATCHED MAGISK BOOT.IMG:
On your device, install the magisk manager apk.
inside the app, click on Install magisk, and supply the app with your boot.img file.
It should then open a terminal and patch the boot file, and output it to your download folder.
Now you've got a rooted boot.img file for your device. Alternatively, you can use the one I've supplied at the bottom of this post.
FLASHING ROOT ON YOUR DEVICE:
Here's the part where things get interesting.
Copy the patched boot.img to your pc from your tablet, and save it somewhere you'll remember. (preferably the same place you saved your vbmeta.img file.)
You'll need to shut down your device, then power it into fastboot mode by holding Vol+ and Power at the same time. This should bring up a menu with three options: Recovery, Fastboot, And Normal.
You'll want to use Vol+ to scroll to fastboot, then press Vol- to select and boot into fastboot.
Connect your device to your pc and open your ADB and fastboot program.
In the command prompt, type "fastboot devices".
This should spit out the serial number of your device followed by the word "fastboot".
If there is no device present, make sure you have android USB drivers installed properly.
Given that your device is connected properly, type the following commands. (without the quotes.)
"fastboot flash --disable-verity --disable-verification --skip-reboot boot /path/to/your/magisk_boot.img"
then
"fastboot flash --disable-verity --disable-verification vbmeta /path/to/your/vbmeta.img"
If all goes well and you get no errors, you should be safe to reboot, and you should have root now!
Once booted, open Magisk, and you should see that V22 is installed and running. You can now install edxposed via the magisk module manager if you'd like xposed installed, since TWRP currently isnt available for this model and lots of android 10 devices don't support it.
NOTE: SAFETYNET CHECK DOES NOT PASS, WE'LL NEED TO LOOK INTO THAT.
Here's a couple pics just showing I actually DID do this, and I'm not just ****posting or something
LaikaXv1 said:
Since there's a new generation of the Onn 8 tablets, and there currently isn't a rooting guide for them,
I figured I'd write one since I finally got mine to boot with magisk.
DISCLAIMER: I AM NOT RESPONSIBLE FOR BRICKED DEVICES. CONSIDER BACKING YOUR DEVICE UP BEFORE FOLLOWING THE INSTRUCTIONS LISTED IN THIS POST.
I won't bore you with useless details, let's just get into how to root this thing.
TOOLS:
You're going to need your vbmeta.img file to flash. You can use the one I have attached below, or supply your own from your own device dumps. Either way, you're gonna need that.
You will also need EITHER, the stock boot.img file for your tab (mine is also attached), or a magisk patched boot.img file, which I'll show you how to create if you don't already have one.
You will also need ADB and Fastboot installed on your PC for your platform, as well.
A guide on how to obtain that is available here if you don't already have it.
CREATING PATCHED MAGISK BOOT.IMG:
On your device, install the magisk manager apk.
inside the app, click on Install magisk, and supply the app with your boot.img file.
It should then open a terminal and patch the boot file, and output it to your download folder.
Now you've got a rooted boot.img file for your device. Alternatively, you can use the one I've supplied at the bottom of this post.
FLASHING ROOT ON YOUR DEVICE:
Here's the part where things get interesting.
Copy the patched boot.img to your pc from your tablet, and save it somewhere you'll remember. (preferably the same place you saved your vbmeta.img file.)
You'll need to shut down your device, then power it into fastboot mode by holding Vol+ and Power at the same time. This should bring up a menu with three options: Recovery, Fastboot, And Normal.
You'll want to use Vol+ to scroll to fastboot, then press Vol- to select and boot into fastboot.
Connect your device to your pc and open your ADB and fastboot program.
In the command prompt, type "fastboot devices".
This should spit out the serial number of your device followed by the word "fastboot".
If there is no device present, make sure you have android USB drivers installed properly.
Given that your device is connected properly, type the following commands. (without the quotes.)
"fastboot flash --disable-verity --disable-verification --skip-reboot boot /path/to/your/magisk_boot.img"
then
"fastboot flash --disable-verity --disable-verification vbmeta /path/to/your/vbmeta.img"
If all goes well and you get no errors, you should be safe to reboot, and you should have root now!
Once booted, open Magisk, and you should see that V22 is installed and running. You can now install edxposed via the magisk module manager if you'd like xposed installed, since TWRP currently isnt available for this model and lots of android 10 devices don't support it.
NOTE: SAFETYNET CHECK DOES NOT PASS, WE'LL NEED TO LOOK INTO THAT.
Click to expand...
Click to collapse
NOTE: SAFETYNET CHECK DOES NOT PASS, WE'LL NEED TO LOOK INTO THAT.
I'm glad to see that there is finally a root solution for this device. I have 2 Onn 8 first gen, Android 9 tablets and I use the Magisk module: Universal SafetyNet Fix to
pass.
MAGISK MODULE ❯ Universal SafetyNet Fix 2.4.0
Universal SafetyNet Fix Magisk module Magisk module to work around Google's SafetyNet attestation. This module works around hardware attestation and recent updates to SafetyNet CTS profile checks. You must already be able to pass basic CTS...
forum.xda-developers.com
Let us all know if this works. I work in a Walmart electronics department and have not bought one of the 2nd gen devices because I had assumed that it could not be rooted. I am temped just for a new challenge, even though I really don't need a new device.
Have you been able to create a backup of the stock rom? Is it flashed with spflashtool like the older device?
Thanks
I'll get the ROM backup uploaded to Google drive once I'm done updating windows.. it's taking forever, but I do have the dumps. Yes, spflashtool is what you'll need to flash the stock backup.
As for the magisk module, that seems to do the trick! Magist safetynet check reports a success for both basicIntegrity and ctsProfile.
Thanks for the tip!
LaikaXv1 said:
I'll get the ROM backup uploaded to Google drive once I'm done updating windows.. it's taking forever, but I do have the dumps. Yes, spflashtool is what you'll need to flash the stock backup.
As for the magisk module, that seems to do the trick! Magist safetynet check reports a success for both basicIntegrity and ctsProfile.
Thanks for the tip!
Click to expand...
Click to collapse
Ah, I didn't hit reply. Oops!
I'm not new to XDA persay, but I'm not usually the one making guides and actually saying things haha.
Doesn't seem to work for me
Keeps failing says
(remote: not allowed in locked state)
Boox17 said:
Doesn't seem to work for me
Keeps failing says
(remote: not allowed in locked state)
Click to expand...
Click to collapse
It sounds like maybe you did not unlock the bootloader first?
martyfender said:
It sounds like maybe you did not unlock the bootloader first?
Click to expand...
Click to collapse
Yeah exactly what it was
I have a 100011886 that I got used and has FRP lock, will this process work on it as well? Only rooted Fire tablets before, so this would be new to me and if I brick it not much will be lost. But any insight as to what I will need that isn't included in your post would be great! It seems pretty thorough though.
Edit: I've tried it, and I have done pretty much everything thanks to being able to get to the browser with one of those language keyboard tricks, but I can't enable dev mode and turn on OEM unlock so I can't unlock the bootloader. Really want to know what to do so I don't have a paper weight At least it was only $30
I'm stuck in a boot loop. Does this work with a 100011885 that has Android 11 or did I just brick it cause I didn't pay attention.
I think I have extracted the boot.img using spflashtool on the 100011885 with Android 11. abootimg seems to like it and I can extract the kernel and initrd.img I have tried booting with fastboot boot but it blackscreens the tablet. I have not tried re-flashing this image as I don't know if it will actually work.
start location and size
0x00000000085c0000
0x0000000002000000
boot.img
and another boot image found at
A5C0000
boot2.img
bowb said:
I think I have extracted the boot.img using spflashtool on the 100011885 with Android 11. abootimg seems to like it and I can extract the kernel and initrd.img I have tried booting with fastboot boot but it blackscreens the tablet. I have not tried re-flashing this image as I don't know if it will actually work.
start location and size
0x00000000085c0000
0x0000000002000000
boot.img
and another boot image found at
A5C0000
boot2.img
Click to expand...
Click to collapse
Did you get this working?
Valiante said:
Did you get this working?
Click to expand...
Click to collapse
No.
LaikaXv1 said:
I'll get the ROM backup uploaded to Google drive once I'm done updating windows.. it's taking forever, but I do have the dumps. Yes, spflashtool is what you'll need to flash the stock backup.
As for the magisk module, that seems to do the trick! Magist safetynet check reports a success for both basicIntegrity and ctsProfile.
Thanks for the tip!
Click to expand...
Click to collapse
did you happen to upload this image yet? if so, got a link?
I followed this guide for a ONN 100003561 (didn't look closely at the numbers) and this is what I get when trying to flash the vbmeta:
Rewriting vbmeta struct at offset: 0
Sending 'vbmeta' (11520 KB) OKAY [ 0.287s]
Writing 'vbmeta' FAILED (remote: 'size too large')
I tried using a different vbmeta and when I restarted my tablet and got blank black screen. Tried twrp and now I can't get anything to work. Never tried rooting an Android device before, just trying to get all the annoying stuff off and now it looks like I bricked it.
Any advice from anyone?
pj_dev said:
I followed this guide for a ONN 100003561 (didn't look closely at the numbers) and this is what I get when trying to flash the vbmeta:
Rewriting vbmeta struct at offset: 0
Sending 'vbmeta' (11520 KB) OKAY [ 0.287s]
Writing 'vbmeta' FAILED (remote: 'size too large')
I tried using a different vbmeta and when I restarted my tablet and got blank black screen. Tried twrp and now I can't get anything to work. Never tried rooting an Android device before, just trying to get all the annoying stuff off and now it looks like I bricked it.
Any advice from anyone?
Click to expand...
Click to collapse
Unfortunately, the numbers are important. Are you able to get to fastbootd? If you can get to fastbootd, I would recommend trying to change to boot slot. Newer androids actually have two boot partitions for updating purposes. You can check which boot partition you're using with `fastboot getvar current-slot` which should return "a" or "b". Then do `fastboot set-active x` and replace x with whichever slot is NOT active as determined by the previous command. If the other boot slot is still intact, this would hopefully result in a bootable device. I haven't tried this myself, but this is what I would try if I were in your situation.
If this doesn't work, I would try flashing stock with sp flash tool, which doesn't need fastboot if you can't access that. It's a leaked mediatek tool, so there isn't an official site to get it from unfortunately. I got it from here: https://androidmtk.com/smart-phone-flash-tool but use your discretion. And get v5, because that's what most of the guides use. Then you can try flashing the 3561 stock firmware here: https://forum.xda-developers.com/t/stock-stock-backups-images-otas.3998227/post-82619259
If you can get it to boot at this point and want to de-walmart it, I would recommend just flashing a GSI rather than messing around with the stock rom. You can find the GSI's here: https://github.com/phhusson/treble_experimentations/wiki/Generic-System-Image-(GSI)-list
LaikaXv1 said:
Here's a couple pics just showing I actually DID do this, and I'm not just ****posting or something
Click to expand...
Click to collapse
Lol, remember those copy-pasted guides where they provide the wrong TWRP images and it messes up the device
So the 8" Onn actually has a boot-ramdisk it appears. On the 7" Onn Surf (100005206), there is no boot-ramdisk, so the alternative is patching a recovery.img and allowing Magisk to hijack the /recovery partition. The only drawback is, anytime you need to reboot, using hardware keys as though booting into recovery is necessary.
inzane105 said:
I have a 100011886 that I got used and has FRP lock, will this process work on it as well? Only rooted Fire tablets before, so this would be new to me and if I brick it not much will be lost. But any insight as to what I will need that isn't included in your post would be great! It seems pretty thorough though.
Edit: I've tried it, and I have done pretty much everything thanks to being able to get to the browser with one of those language keyboard tricks, but I can't enable dev mode and turn on OEM unlock so I can't unlock the bootloader. Really want to know what to do so I don't have a paper weight At least it was only $30
Click to expand...
Click to collapse
I'm in a similar situation, my friend got an RCA Atlas 10 Pro-S from Goodwill for $1. It had an FRP lock on it though, and we ultimately managed to get to the home screen by enabling TalkBack and watching the support video to open the browser. Then, we installed Lawnchair to access the home screen. The settings app worked, but Developer Options would not open.
GetDroidTips has published a software called Miracle Box, claiming that it can unlock MediaTek bootloaders, as well as bypass FRP. However, a VirusTotal scan indicates that it is likely malware. I tried running it in a virtual machine and it asked if I wanted to run a process impersonating "svchost.exe" as Administrator. I airgapped the virtual machine, and Miracle Box said it needed Internet access for licensing, however GetDroidTips said it was free. I suspect that this was a fake software crack.
I am aware of a program called SP Flash Tool, but that won't work because I am on Linux, and not Windows. I doubt it would work under WINE, as it requires special device-specific drivers that also only work on Windows. I have a spare Lenovo IdeaPad 110-15ACL, however I don't have the drivers needed to set up Windows 7 on it. I could, of course, use Windows 10, but I have heard it is bad for flashing, and it is very slow anyway. (I did, however, buy an SSD for it, perhaps this will speed it up enough to be somewhat usable?)
I also found an open-source MediaTek exploit script called MTKTools. It did not work, and it told me to hold all hardware buttons before plugging the device in. It still did not detect the tablet. It told me that I could also short TP1 to ground, however I could not find Test Point 1 on the tablet's motherboard.
There are no custom recoveries or FRP unlocking guides for this device, likely because it's an obscure Android 7.1 tablet from back in 2014. I wouldnt be able to flash them anyway as the bootloader is locked. It has 2 GB of RAM and the processor cores are Cortex-A35s so I'm not sure that this is worth unlocking. On the other hand, it costs over $100 from Walmart.
I am worried that the device was stolen, as it had a password, and once I reset it from Recovery mode, it had an FRP lock. If it is indeed stolen, I can't return it, due to the "as is" nature of Goodwill, and besides, I have disassembled it several times as well. Should I be concerned about the ethical implications of unlocking this device?
Does this work on Android 11? I have the Onn. 100011885 model, according to my settings app.