Enable multiple users account, change build.prop without root or TWRP - Samsung Galaxy A51 Guides, News, & Discussion

Hello,
Reading an article online, it seems the only way of enabling multi-user accounts on the Galaxy A51 is by modifying the /system/build.prop file. According to this post, the only way to modify this file is:
Using TWRP
Being root
Both of these cases would trigger the Knox Warranty Bit, which will cause the warranty to expire.
I've been thinking of using a different approach to modify this file. The idea is to create a flashable zip file, to sideload in recovery mode, which contains only an updater-script file that adds two properties:
fw.max_users=3
fw.show_multiuserui=1
in the /system/build.prop file. I've created a little repo in GitHub (bagbyte/android-enable-multiple-users) with the full code.
According to Samsung FAQs, Knox Warranty Bit detects:
non-Knox kernel loaded
non-Knox boot loader installed
unofficial software installed
I'm still not 100% familiar with Android terms, so I'm not sure exactly which are the boundaries of the kernel, which of the boot loader, and which of "official software".
Do you think this may work for changing the /system/build.prop and keep the phone warranty?

*Multiple users* and the camera2api upgraded to level 3 could be really cool btw.

Related

[ROOT]Root shw-m250S/K (and others?) through hidden partition in JB

Not revolutionary (especially since zips work on stock recovery), maybe not even new on other variations, but still I thought it worth bringing up as at least it's new for this variant in JB:
Now in JB for the Korean GSII we finally have a hidden partition (for better or worse) and it can be used to get root. I have no idea if this can apply at all to other variants of the GS2.
On the SK ROM this partition contains nothing but apps (apks) which are all readable (I think they must be to work, but anyway they are). Most are probably arguably bloatware anyway, but it looks like some might be desirable or even fairly fundamental, I'm not sure yet.
It also turns out that it is possible to execute setuid-root files from this partition but of course it's not writable without flashing it.
So it's easy to copy all the files off the so called "hidden" partition through adb without root access... add an su binary, repack with make_ext4fs and tar and reflash with odin. Then you can adb in, run /preload/su to get root, and then copy/install su/supersu into the more normal place to make it more readily available to apps.
Of course the only thing preventing this method with the /system partition was that a few files in /system were not readable without root access and copying all the file permissions, links etc correctly could be a minor pain using only toolbox or whatever. For the hidden partition, for now at least, the directory layout is very simple and all readable.
If heimdall actually worked right in Linux on this device for me I could do this with one Linux script.
I have not tested a straight through trial of this because I got root already, but I've tested all steps.
In the past I got stock root without flashing unsigned kernels by hijacking the ROM through KIES (freeze it right after it's decrypted), unpacking the factoryfs, adding su/supersu, repacking and flashing. This allows some other customizations anyway so is at least sort of useful, not sure this hidden partition method has any added value. Maybe it will be a useful idea at some point in time though.

Resources for Samsung Galaxy TAB A 7.0 (2016) SM-T285

I've just got a new Samsung Galaxy TAB A 7.0 LTE SM-T285, For some reason I can't seem to find any resources for this hardware yet in this forum, anyone know where I could find one? I'll try to find out if the current methods (custom recovery and root) for other tab versions work on this.
CUSTOM ROMS
============
Android 5.1.1 Lollipop (Stock)
Tinker V5 Edition based on the Samsung Stock Rom SM-T280/T285
Android 6.0 Marshmallow
Cyanogenmod 13 for the SM-T285 Only
OMNIRom for the SM-T285 Only
Android 7.1 Nougat
Cyanogenmod 14.1 for the SM-T285 Only (Experimental, things are broken, deprecated in favor of LOS 14.1)
LineageOS 14.1 for the SM-T285 Only
Other Operating systems
Porting for Sailfish OS is currently in progress for the SM-T285, stay tuned
TWRP RECOVERY AND ROOT
=======================
TWRP is available for both the T280 and T285. You should find the relevant threads in this Galaxy Tab A forum.
If you want to root stock, easiest way is to install TWRP and go for SuperSU. Please see the TWRP threads for SM-T280/T285 on how to root after TWRP is installed.
KERNEL
======
Custom kernel with working sources for the SM-T285 can be found Here
DEVELOPMENT
============
If you want to build LineageOS 14.1 on your SM-T285 LTE device, you can use this manifest, note that this is still a work in progress:
https://github.com/jedld/android.git
UPDATE 10/06/2016
================
After a couple of weeks of trial and error and tinkering, I've been able to compile a kernel for the SM-T285 from source and so far it seems to work flawlessly!
Screenshot here: http://imgur.com/a/HRgsq
link to my kernel sources here: https://github.com/jedld/kernel_samsung_gtexslte.git
You can also thank samsung for giving us a "broken by default" kernel source. I had to mix and match defconfigs from their other kernel releases just to make this thing work. Download modified boot.img here:
http://forum.xda-developers.com/galaxy-tab-a/development/kernel-galaxy-tab-7-0-2016-lte-sm-t285-t3474967
UPDATE 09/20/2016
================
This device is now ROOTED!
http://forum.xda-developers.com/galaxy-tab-a/help/resources-samsung-galaxy-tab-7-0-2016-t3431022/post68777842#post68777842
Download Pre-rooted Tinker Edition V5 in this thread: Tinker Edition Thread
Post Root Post Mortem Analysis for the SM-T285 (09/21/2016)
=========================
Q: How were you able to find root? What did you do?
A: Surprisingly the SM-T285 bootloader isn't actually locked like we thought it was (once you OEM unlock of course and disable FRP). The bottom line is that we simply needed patches to mkbootimg to properly package a boot image for this device as there were additional fields and sections not found on a normal boot image. There were even minor breaking differences between the tab 4 and the boot image for this device.
Q: I thought the bootloader was locked?? Why did it take so long?
A: I blame it on the really vague errors the bootloader shows when loading an improperly packaged boot image. What helped was my faith to open up a hex editor when I needed to, and really look at the stock images and the images we were making. What really pushed me to investigate further was the fact that I was able to make a really small modification to the ramdisk and use the abootimg -u update function instead of the create options.
Q: So the bootloader doesn't really check the image?
A: Yup, The bootloader doesn't do any check. I haven't checked if that is the case for the recovery partition though. Even without the SELINUXENFORCE headers at the end it still continues like other samsung devices do.
Q: So the mkbootimg patches are all that we need?
A: Yup, if you have CM, AOSP build env ready you can simply add the modified mkbootimg to system/core:
https://github.com/jedld/degas-mkbootimg/commit/b63ae38e2ab7040cc7ddaef777652a56b2e48322
Sample usage below:
Code:
degas-mkbootimg -o boot.img --base 0 --pagesize 2048 \
--kernel boot.img-zImage --cmdline "console=ttyS1,115200n8" --ramdisk boot_kitchen/boot.img-ramdisk-new.gz --dt boot.img-dt
Next challenge will be getting Cyanogenmod on this device as well as TWRP.
You won't because it has a locked bootloader, therefore not currently rootable and certainly no custom recovery.
jaritico said:
any idea to unlock bootloader?
Not unless Samsung provides one.
jaritico said:
any idea to unlock bootloader?
Probably no hope for root. the PIT, boot and recovery are basically untouchable, selinux enforcing enabled also does not help. You can still debloat and customize the system partition though:
http://forum.xda-developers.com/android/development/guide-samsung-galaxy-tab-7-0-sm-t285-t3438296
I'm working on getting CM 12.1 to run on this device.
jedld said:
Probably no hope for root. the PIT, boot and recovery are basically untouchable, selinux enforcing enabled also does not help. You can still debloat and customize the system partition though:
http://forum.xda-developers.com/android/development/guide-samsung-galaxy-tab-7-0-sm-t285-t3438296
I'm working on getting CM 12.1 to run on this device.
Yes at least the saving grace is that Samsung left Dm-verity off for this device.
If only they'd have left out the root restriction in the kernel too we'd have a rootable device.
I have an idea for this that I haven't tried yet.
Basically Samsung sends out security Policy updates via OTA, they recently released an SEPOLICY update to most devices breaking root. Chainfire patched this.
As this policy is stored in DATA and overrides the one in the boot.img it may be possible to use a patched SEPOLICY by creating a flashable DATA image with the patched SEPOLICY thereby removing the SElinux root restriction.
I ran it by Chainfire and he said in theory it should work except for the fact that the SEPOLICY in DATA is signed.
I have yet to try this out.
I think it would be difficult to get CM running as the kernel may need some patches and as we know that can't be touched.
ashyx said:
Yes at least the saving grace is that Samsung left Dm-verity off for this device.
If only they'd have left out the root restriction in the kernel too we'd have a rootable device.
I have an idea for this that I haven't tried yet.
Basically Samsung sends out security Policy updates via OTA, they recently released an SEPOLICY update to most devices breaking root. Chainfire patched this.
As this policy is stored in DATA and overrides the one in the boot.img it may be possible to use a patched SEPOLICY by creating a flashable DATA image with the patched SEPOLICY thereby removing the SElinux root restriction.
I ran it by Chainfire and he said in theory it should work except for the fact that the SEPOLICY in DATA is signed.
I have yet to try this out.
I think it would be difficult to get CM running as the kernel may need some patches and as we know that can't be touched.
Would probably need to brush up on se policies in linux. If there are already files available that I just need to flash over to /data I can try it out and also a means to test it if it works.
I've created a petition here:
https://www.change.org/p/samsung-unlock-the-bootloader-for-the-samsung-galaxy-tab-a-7-0-2016?recruiter=286570213&utm_source=petitions_show_components_action_panel_wrapper&utm_medium=copylink&recuruit_context=copylink_long
Not sure if samsung is the type that listens to this sort of thing though.
ashyx said:
As this policy is stored in DATA and overrides the one in the boot.img it may be possible to use a patched SEPOLICY by creating a flashable DATA image with the patched SEPOLICY thereby removing the SElinux root restriction.
I ran it by Chainfire and he said in theory it should work except for the fact that the SEPOLICY in DATA is signed.
I have yet to try this out.
I made an attempt to patch sepolicy using data however all I got in the logs was
Code:
E/SELinux ( 733): Function: fileToArray, File Open Unsuccessful:
E/SELinux ( 733): Function: getVersionhash, signature is NULL
I/SELinux ( 733): Function: selinux_init_verify_sepolicy, getVersionhash return false
E/SELinux ( 733): Function: VerifyPolicy , selinux_init_verify_sepolicy is failed
So far I have no indication that my patch worked
Code:
sepolicy-inject -s shell -t system -c file -p read -P sepolicy -o sepolicy
The error above only comes up if I place sepolicy in /data/security and sepolicy_version in /data/security/spota
sha256 hashes were also updated in the version file so I'm not sure what I'm missing.
If I could have a copy of a samsung ota that actually updates the policies I can probably have better direction
jedld said:
I made an attempt to patch sepolicy using data however all I got in the logs was
Code:
E/SELinux ( 733): Function: fileToArray, File Open Unsuccessful:
E/SELinux ( 733): Function: getVersionhash, signature is NULL
I/SELinux ( 733): Function: selinux_init_verify_sepolicy, getVersionhash return false
E/SELinux ( 733): Function: VerifyPolicy , selinux_init_verify_sepolicy is failed
So far I have no indication that my patch worked
Code:
sepolicy-inject -s shell -t system -c file -p read -P sepolicy -o sepolicy
The error above only comes up if I place sepolicy in /data/security and sepolicy_version in /data/security/spota
sha256 hashes were also updated in the version file so I'm not sure what I'm missing.
If I could have a copy of a samsung ota that actually updates the policies I can probably have better direction
Finally found a way to patch the kernel on this device. Stay tuned...
jedld said:
Finally found a way to patch the kernel on this device. Stay tuned...
Turns out I was just able to modify files in the boot.img, though when I try to update the sepolicy itself, it won't boot.
jedld said:
Turns out I was just able to modify files in the boot.img, though when I try to update the sepolicy itself, it won't boot.
Can you at least explain a bit further?
What modifications allow you to create a boot able image?
How have you overcome image signing?
Only way I can think of is hex editing the signature, however I was under the impression this was crc based.
ashyx said:
Can you at least explain a bit further?
What modifications allow you to create a boot able image?
How have you overcome image signing?
Only way I can think of is hex editing the signature, however I was under the impression this was crc based.
Yeah I was able to flash a modified boot.img using heimdall, turns out that you just need to use abootimg -u boot.img -r yourmodifiedramdisk so that you don't overwrite the SELINUXENFORCE headers appended at the end of the boot.img file, it appears the bootloader only checks for the presence of those headers but does not actually compute the sig.
Modifying ramdisk works, haven't tried modifying the kernel itself.
I tried to modify the sepolicy files after using sepolicy-inject but it throws a KERNEL not SEnforced error. I am not certain if this is just a blanket error if the kernel doesn't boot due to modifying the policy files incorrectly or if there is legit checking going on. Nevertheless I am able to modify the init.rc files now.
jedld said:
I tried to modify the sepolicy files after using sepolicy-inject but it throws a KERNEL not SEnforced error. I am not certain if this is just a blanket error if the kernel doesn't boot due to modifying the policy files incorrectly or if there is legit checking going on. Nevertheless I am able to modify the init.rc files now.
Continued checking it out. So even though I can modify the ramdisk, I am unable to add more than 1000 - 2000 bytes before setting off the SEAndroid enforce error on bootup. Might be some headers on the boot.img that I fail to update when the ramdisk size gets bigger. Trying to modify the sepolicy in any way even if there is minimal change in size prevents it from booting. I have no idea what is checking it, I'll try to hexedit and see what happens.
jedld said:
Continued checking it out. So even though I can modify the ramdisk, I am unable to add more than 1000 - 2000 bytes before setting off the SEAndroid enforce error on bootup. Might be some headers on the boot.img that I fail to update when the ramdisk size gets bigger. Trying to modify the sepolicy in any way even if there is minimal change in size prevents it from booting. I have no idea what is checking it, I'll try to hexedit and see what happens.
So I used a hexedit on the sepolicy file and was able to modify one byte of it effectively changing its sha256sum... and it worked. So the sepolicy file CAN be changed, however current sepolicy-inject and supolicy tools do something to it that trips it, looks like Samsung has again added a proprietary modification to the sepolicy format.
I've never known a kernel not boot due to the kernel not SEANDROID enforcing warning.
It's a meaningless warning and easily bypassed.
However this is on bootloader unlocked devices.
So just let me get this straight, you have been able to repack the boot.img with modifications to the ramdisk then force flash it via Heimdall and it still boots?
ashyx said:
I've never known a kernel not boot due to the kernel not SEANDROID enforcing warning.
It's a meaningless warning and easily bypassed.
However this is on bootloader unlocked devices.
So just let me get this straight, you have been able to repack the boot.img with modifications to the ramdisk then force flash it via Heimdall and it still boots?
yup. that's correct. I'll post my modified boot.img in a while
jedld said:
yup. that's correct. I'll post my modified boot.img in a while
note that using the update only method of abootimg "abootimg -u boot.img -r xxxxxx " is the only one that works for repacking the ramdisk. Trying to build the boot.img from scratch using any other method has so far failed for me.
Here is a flashable boot.img for the SM-T285.
It contains the following modifications to the ramdisk:
a file at /this_device_is_owned
and a modified init.rc that creates a /tmp folder
jedld said:
Here is a flashable boot.img for the SM-T285.
It contains the following modifications to the ramdisk:
a file at /this_device_is_owned
and a modified init.rc that creates a /tmp folder
now managed to patch sepolicy using chainfire's supolicy tool. needed to use a customized mkbootimg due to changes in the Tab A image format for this. now attempting to root the device... wish me luck
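One way to see what a repack changed in the image layout discussed in this thread (section sizes, page-aligned offsets, and whatever sits after the last section) is to parse the header and compare two images. This is an added example, not code from the thread or from degas-mkbootimg: it assumes the standard AOSP version-0 boot header with the first "unused" word used as the device-tree size, does not model the extra SM-T285 fields mentioned above (they are not described on this page), and runs on constructed sample images whose trailer text is spelled as in the thread.

```python
import struct
from dataclasses import dataclass

BOOT_MAGIC = b"ANDROID!"
# AOSP boot_img_hdr (version 0), little-endian:
# magic, 10 x uint32, name[16], cmdline[512], id[32]
HEADER_FMT = "<8s10I16s512s32s"
HEADER_SIZE = struct.calcsize(HEADER_FMT)  # 608 bytes


@dataclass
class BootImage:
    page_size: int
    cmdline: str
    sections: dict      # name -> (file offset, size in bytes)
    payload_end: int    # end of the last page-aligned section
    trailer: bytes      # anything stored after payload_end


def align_up(size, page_size):
    """Round size up to a whole number of pages."""
    return -(-size // page_size) * page_size


def parse_boot_image(data):
    """Parse the header and locate each page-aligned section."""
    if len(data) < HEADER_SIZE:
        raise ValueError("file is shorter than a boot image header")
    f = struct.unpack_from(HEADER_FMT, data)
    if f[0] != BOOT_MAGIC:
        raise ValueError("missing ANDROID! magic")
    kernel_size, ramdisk_size, second_size = f[1], f[3], f[5]
    page_size = f[8]
    dt_size = f[9]  # assumption: first "unused" word carries the dt size
    if page_size < HEADER_SIZE or page_size & (page_size - 1):
        raise ValueError(f"implausible page size {page_size}")
    sections, offset = {}, page_size  # the header occupies the first page
    for name, size in (("kernel", kernel_size), ("ramdisk", ramdisk_size),
                       ("second", second_size), ("dt", dt_size)):
        if size == 0:
            continue
        if offset + size > len(data):
            raise ValueError(f"{name} section runs past the end of the file")
        sections[name] = (offset, size)
        offset += align_up(size, page_size)
    payload_end = min(offset, len(data))
    cmdline = f[12].split(b"\0", 1)[0].decode("ascii", "replace")
    return BootImage(page_size, cmdline, sections, payload_end,
                     data[payload_end:])


def diff_images(stock, modified):
    """List layout differences between a stock and a repacked image."""
    a, b = parse_boot_image(stock), parse_boot_image(modified)
    findings = []
    for name in sorted(set(a.sections) | set(b.sections)):
        sa, sb = a.sections.get(name), b.sections.get(name)
        if sa is None or sb is None:
            findings.append(f"{name}: present in only one image")
            continue
        if sa[1] != sb[1]:
            findings.append(f"{name}: size {sa[1]} -> {sb[1]}")
        if sa[0] != sb[0]:
            findings.append(f"{name}: offset {sa[0]:#x} -> {sb[0]:#x}")
    if a.payload_end != b.payload_end:
        findings.append(
            f"payload end: {a.payload_end:#x} -> {b.payload_end:#x}")
    if a.trailer != b.trailer:
        findings.append("trailer: bytes after the payload differ or are missing")
    return findings


def build_image(kernel, ramdisk, dt, trailer, page_size=2048):
    """Build a constructed sample image (test data only)."""
    header = struct.pack(HEADER_FMT, BOOT_MAGIC, len(kernel), 0, len(ramdisk),
                         0, 0, 0, 0, page_size, len(dt), 0,
                         b"", b"console=ttyS1,115200n8", b"")
    out = header.ljust(page_size, b"\0")
    for blob in (kernel, ramdisk, dt):
        out += blob.ljust(align_up(len(blob), page_size), b"\0")
    return out + trailer


# Constructed samples. The trailer text is spelled as in the thread.
TRAILER = b"SELINUXENFORCE"
STOCK = build_image(b"K" * 5000, b"R" * 3000, b"D" * 1000, TRAILER)
# Ramdisk grows but stays within its two pages; trailer kept in place.
SMALL_EDIT = build_image(b"K" * 5000, b"R" * 4000, b"D" * 1000, TRAILER)
# Ramdisk crosses a page boundary and the image is rebuilt without a trailer.
BIG_EDIT = build_image(b"K" * 5000, b"R" * 5000, b"D" * 1000, b"")

if __name__ == "__main__":
    for label, image in (("small edit", SMALL_EDIT), ("big edit", BIG_EDIT)):
        print(label)
        for finding in diff_images(STOCK, image):
            print("  " + finding)
```

On the constructed samples, the small ramdisk change leaves every offset and the trailer where they were, while the larger one moves the device-tree section by a page and loses the trailer.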

Modify the system partition on Android Nougat?

Hi all,
has anyone been able to do this? Following the guide here, no longer works for Android N. The phone boots, but ignores all changes to system. How do I modify both build.prop and hosts? It seems that there are now possibly two system partitions?
Thanks!
Same issue on Nexus 5X
No answer on this? How is it that nobody else seems to be having this issue?
What I've done
It looks to me like everyone has moved to systemless and the /system partition cannot be adequately modified in this way anymore.
Maybe this will help others:
I was modifying the system directory for two reasons: 1. modify /system/etc/hosts to remove ads and modifying build.prop to increase lcd.density. I found that here are the alternatives for each:
Removing Ads
Using something similar to AdAway_systemless_hosts_v2.zip (google it for a copy) and modifying the hosts file in that zip file to be the one I use (and rezipping, deploying on the Android device). This basically mounts over /system/etc/hosts with a custom hosts file instead of actually modifying the system specific hosts file which is no longer writable.
The alternative is to use Netguard which routes non https network traffic through a private VPN where you can block ads according to a hosts file. This seems to work OK, but I have noticed that websites seem to take longer to load.
Modifying lcd.density
You can use the same trick as AdAway_systemless_hosts_v2.zip uses, but modify it to also mount a modified copy of build.prop. Alternatively just use the Android N Display settings that are small (what I did anyhow).
I have been able to edit build.prop and still maintain systemless root.
I was able to modify my system partition; by installing busy box to /su/xbin and running "su busybox mount -o rw,remount system" (no quotes) in material terminal with root
ArminasAnarion said:
I was able to modify my system partition; by installing busy box to /su/xbin and running "su busybox mount -o rw,remount system" (no quotes) in material terminal with root
Have you been able to do this with simply fastboot boot <twrp-image>, mounting system in rw mode and modifying it? I did that as I didn't want to root the phone, and while it looks like it did the write, it does not affect the system partition that is used by the phone after boot. I think there are two system partitions, and twrp mounts only one in rw mode. It does seem like it may be possible to do what you say using adb though after the phone is fully booted up. I'll try that!
dontblinkwatchout said:
Have you been able to do this with simply fastboot boot <twrp-image>, mounting system in rw mode and modifying it? I did that as I didn't want to root the phone, and while it looks like it did the write, it does not affect the system partition that is used by the phone after boot. I think there are two system partitions, and twrp mounts only one in rw mode. It does seem like it may be possible to do what you say using adb though after the phone is fully booted up. I'll try that!
I had the same problem. I don't want to root but I do make a few changes to my /system partition through adb in recovery such as the hosts file and some font files (namely the Emoji font file). I had modified stock boot image to not enforce encryption. I would boot back up into the system and couldn't see any changes made. The only thing I found that worked was installing a custom kernel (I use ElementalX). After that, changes I made to /system in TWRP were reflected in the OS. I don't know enough about kernel development to understand why on (mostly) stock kernel my changes couldn't be seen but on a custom one they were.
I never had this "problem" prior to Nougat.
Same issue here. Something has changed with how this is handled in Nougat.
I don't want to root just to overwrite the hosts file...
I'll keep debugging but my capability in this is definitely limited!
I use a similar approach as described in the OP's linked guide except I use my own recovery image that I compiled as an engineering build from source, and I am also experiencing the same behavior. Modifying the hosts file seems to have no impact on the system though the changes persist. Comparing the host file I installed and the host file from the latest Nexus 5X image with 'ls -lZ' the SELinux info looks to be the same. The only information that appears to differ is the modified date and one additional line in the file itself for testing. I thought I was doing something wrong with my hosts file, even though I have been using this approach since Android 6.0. However, I agree, it appears that changes to system are being ignored. Further, changing the system partition no longer shows the red warning at boot about the system being corrupted.
---------- Post added at 09:58 PM ---------- Previous post was at 09:38 PM ----------
DanRyb said:
I would boot back up into the system and couldn't see any changes made.
Oooh. You're right. Neither /etc/hosts nor /system/etc/hosts is modified in the booted OS after I modify it from live image, but the change is retained when I reboot into live image and mount system. Hmm, so either:
1) Need to figure out where the system files are being loaded from and modify them from live image if possible
2) Use a mechanism similar to what dontblinkwatchout described AdAway is using of having a custom mount setup (have to reverse engineer AdAway I guess to see what it's doing)
3) ?
There's absolutely no way to modify or mount system partition r+w unless you disable dm-verity
alexiuss said:
There's absolutely no way to modify or mount system partition r+w unless you disable dm-verity
dm-verity has been around since Android 4.4. Are you saying there is something new around this in Android 7.0?
You can modify the system partition by compiling an engineering build of Android and booting it, then mounting the system partition and modifying it. I've been doing this to update the hosts file since Android 6.0 for every OTA update (since more recently OTA updates bomb out unless you reflash the clean "uncorrupted" system.img first). Changing the system image before Android 7.0 did result in an extra screen with a red warning about a corrupted something or other (I'm sure because dm-verity checking failed). Regardless, you can still change the system partition, the information just no longer seems to be used, which is a bit perplexing to me atm.
crashenx said:
dm-verity has been around since Android 4.4. Are you saying there is something new around this in Android 7.0?
Android 7.0 introduced redundant bits for Reed-Solomon forward error correction into the system and vendor partitions and code in the kernel to perform the error correction.
Your changes are being written to emmc but when you boot with 7.0 kernel with dm-verity enabled your changes are being treated as data corruption and on-the-fly error corrected back to original.
You can see your changes if you boot into twrp because it has dm-verity disabled. However if you boot into android with dm-verity enabled it will look like original image again even though your changes are technically still there.
It took me a day to figure out what was really going on because I initially had no idea they added this feature to Android N.
The simple way to disable dm-verity is to install SuperSU, but you can also accomplish the same patching your own kernel, installing pre-patched kernel, installing custom kernel, etc.
sfhub said:
Android 7.0 introduced redundant bits for Reed-Solomon forward error correction into the system and vendor partitions and code in the kernel to perform the error correction.
Your changes are being written to emmc but when you boot with 7.0 kernel with dm-verity enabled your changes are being treated as data corruption and on-the-fly error corrected back to original.
You can see your changes if you boot into twrp because it has dm-verity disabled. However if you boot into android with dm-verity enabled it will look like original image again even though your changes are technically still there.
It took me a day to figure out what was really going on because I initially had no idea they added this feature to Android N.
The simple way to disable dm-verity is to install SuperSU, but you can also accomplish the same patching your own kernel, installing pre-patched kernel, installing custom kernel, etc.
That's good info and makes total sense. Thanks! Pretty neat actually, just a bummer for me.
Yeah so SuperSU path is not really one I want to pursue. I could learn how to update the dm-verity shas used for verification. That'd probably be the most secure, but it's gonna be a PITA I bet. I imagine I'd need to compile my own image similar to how I made my live image and update a few things. Might have to deal with encryption which is probably an even bigger headache. Also, I bet it would break OTA and have to reflash to update, though that's true now.
I'm really curious what AdAway is doing. Maybe I should pursue reverse engineering that.
I really appreciate you pointing us in the right direction.
I am glad I found this thread..willing to assist here without permanent root..
Ericarthurc said:
I was able to modify my system partition; by installing busy box to /su/xbin and running "su busybox mount -o rw,remount system" (no quotes) in material terminal with root
I was trying to create a /system/xbin/post-boot but couldn't remount /system, and so I added busybox to the front of my command. I am not using adb so I cut that part off. Thanks a lot!

Just purchased a Note 3 Verizon, pls suggest best practices to root & unlock

Hello good people of XDA,
I just purchased a Note 3 Verizon, I believe 900v, on Swappa. It will arrive in the next few days and I want to get all my ducks in a row; by that I mean acquire all the root and unlocking tools necessary for a best-practices root and, if necessary, unlocking of my boot loader.
Goals for root are mostly to debloat the phone and hotspot mods for no-hassle tethering.
I may dip my toes into custom ROMs for this phone but mostly I am just looking for a clean, lean experience for my Note 3. I have been poring over the many, many pages of the various rooting guides and I am just not sure which method to use is the safest / most reliable.
Thank you for your time and helpful suggestions.
This is what I have found so far.
ArabicToolApp : Root for Lollipop
Odin3 v3.12.3 : flash tool, is this the latest? best to use?
Samsung usb drivers v1.5.45.0 : are these the proper drivers to install?
You should start by figuring out which firmware release it has on it.
If it has PL1 (the newest security release, circa 2017/01/15), there will be no rooting for you... unless you manage to create a new exploit.
OB6 and OF1 - (one of) the yemen tool(s)**
NK1 - no root available ( and can't be rolled backwards w/ Odin, only NK1 or higher )
NJ6 - no root available? ( Try towelroot, or you can downgrade to NC4 using Odin )
MI9/MJ7/MJE/NC2(leak)/NC4 - Towelroot v3
For which bootloader unlock binary to use, see here.
Can't help you out with USB drivers, I don't remember what I used. afaik, they will either work 100% or not work at all, so you just need to get something working.
I've never used anything but Odin 3.0.9. Can't tell you if the version you mention is "better".
good luck
** I've never rooted OB6 or OF1, so can't give you any advice about which to use. Feel free to read the related threads. In my (casual) reading of those threads, it is nearly impossible to intuit out why some people have problems and others do not. Mostly because the reporting is not sufficiently detailed.
bftb0 said:
You should start by figuring out which firmware release it has on it.
You're right, after thinking about my post I realized there were too many variables that I need to know before I ask for help. So once I receive the phone and if it's fully functional I will find out what firmware it has and what CID it has and will post a follow-up if I need help.
P.S. Thank you for the concise gist of what is and is not possible with the various firmwares.
Received my phone.
I got my Note 3 and boy is it just a wonderful device. SM-900v running OF1 firmware, and my CID is 15 so all is good.
Procedures completed.
I got root from using the yemen tool.
And have tried some debloating: removed the NFL apk as a test with Tit.backup.
Disabled OTA updates. I made a copy of the update.zip (that was downloaded without me asking it to. I assume that this update.zip is the new PL4 firmware) and deleted it. Renamed the fota.apk's with a .bak
Not really sure if I should unlock the bootloader. I would love to have TWRP.
Could anyone point me at a good debloating script?
LOVE LOVE LOVE my Note 3.
I also have a zero lemon battery/case combo on the way.
PL1 not PL4
See here. Might be dated - stuff tends to move around from release to release.
You should probably also freeze SDM.* and SysScope.* (in addition to LocalFOTA)**
There is a small permanent downside to unlocking - the blowing of the Knox Warranty Flag means that you will never be able to use Knox Secure containers, even if you did a full stock flash with Odin. Not sure how important this is to folks using the phone as a personal device (as opposed to a corporate device).
Operating with a rooted-stock device with a locked bootloader usually progresses through a customary arc - especially with new rooters, but also with experienced folks - where the user one day does some incremental mod that boot-loops the Android UI. At that point there is no means to reverse the small change. (You can't get in via "adb" as its daemon isn't started yet, and even if it were, the fact that it is in secure mode means that you would have to have a stable UI in order to confirm the connection.) As there is no rooted secondary boot available (i.e., a custom recovery), there is no way to perform repairs, and a trip back to Odin is in store for the owner. Worse yet, a backup has never been made... so all customizations are lost and must be re-created completely from scratch.
** this is a good idea if you unlock and install a custom recovery: (although TWRP may detect it and emasculate it automatically)
Code:
su
chmod 0000 /system/bin/install-recovery.sh
bftb0 said:
PL1 not PL4
Right PL1 ok.
Well I decided in for a penny, in for a pound and have successfully unlocked my boot loader, had no issues.
My question now is how do I install TWRP? I have downloaded
twerp-3.0.2-0-hltevzw-4.4
and twerp 3.0.2-1-hlte.img.tar
I think I need to install the tar file.
but I don't know how. I have Odin but not sure if that is the right program to use. I think I read where someone installed TWRP with flashify or something like that.
What should I do ?
Truck'nfool said:
Right PL1 ok.
Well I decided in for a penny, in for a pound and have successfully unlocked my boot loader, had no issues.
My question now is how do I install TWRP? I have downloaded
twerp-3.0.2-0-hltevzw-4.4
and twerp 3.0.2-1-hlte.img.tar
I think I need to install the tar file.
but I don't know how. I have Odin but not sure if that is the right program to use. I think I read where someone installed TWRP with flashify or something like that.
What should I do ?
man up and use a root prompt command line. It's a single command.
Code:
dd of=/dev/block/mmcblk0p15 if=/sdcard/twrp-3.0.2-0-hltevzw-4.4.img bs=2048
( assuming that you put the twrp .img file in the /sdcard folder. If it was in the download folder, then if=/sdcard/Download/twrp-3.0.2-0-hltevzw-4.4.img )
Note there are absolutely, positively no spaces anywhere in "mmcblk0p15". Critically important.
The above command writes raw binary data (the .img file) to the 15th partition of the mmcblk0 device - the flash memory chip. You can do this with boot images (such as custom recoveries) or a few other binary images, but typically not with ext4 or other filesystems.
Note this command could be extremely dangerous if you made a mistake. If you were to write data someplace else it could be a permanent disaster. So cut-n-paste to be safest (without a new-line), and then double- and triple- check the command for typos before you hit the enter key.
FYI, you can see what the partition mapping is by doing a folder listing
Code:
ls -ld /dev/block/platform/*1/by-name/*
The partitioning scheme varies from android device to android device; but on the SM-N900V the recovery partition is the 15th partition. (On other devices it might be something different).
bftb0 said:
man up and use a root prompt command line. It's a single command.
dd of=/dev/block/mmcblk0p15 if=/sdcard/twrp-3.0.2-0-hltevzw-4.4.img bs=2048
are you talking about adb ?
So something like
adb shell
su
dd of=/dev/block/mmcblk0p15 if=/sdcard/twrp-3.0.2-0-hltevzw-4.4.img bs=2048
???
Truck'nfool said:
are you talking about adb ?
So something like
adb shell
su
dd of=/dev/block/mmcblk0p15 if=/sdcard/twrp-3.0.2-0-hltevzw-4.4.img bs=2048
???
That works.
Or a terminal emulator.
All you need is to put the file on your (internal, pseudo-) /sdcard, "su", and "dd".
For extra credit, make sure to compute a file checksum (e.g. "md5sum") every time you copy the original .img file to a new location and especially prior to flashing. That safeguards against a bad copy operation, crappy flash memory, etc.
Stock ROMs might not have a "md5sum" binary in /system/bin, but since you are rooted you could install a private busybox in someplace like /data/local/bin. I prefer to use a busybox which is SELinux-cognizant, e.g. v1.23.1 here as busybox_full_selinux_1.23.1.zip. Note that I don't "install" this .zip so that stuff in /system/bin or /system/xbin gets overwritten, but instead just keep it in a private area all on its own.
Steps.
0) extract the "busybox" binary from the .zip file and get a copy to your SD card. Then
Code:
su
mkdir -p /data/local/bin
chmod 755 /data/local/bin
cp /sdcard/busybox /data/local/bin/
chmod 755 /data/local/bin/busybox
cd /data/local/bin
./busybox --install -s /data/local/bin
This allows it to be used as needed in a terminal/console shell.
e.g. using ls
1) Explicitly: /data/local/bin/ls -lZ *
2) Implicitly "as a last resort":
export PATH="${PATH}"':/data/local/bin'
ls -lZ *
3) Implicitly "as preferred":
export PATH='/data/local/bin:'"${PATH}"
ls -lZ *
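The checksum-before-flashing advice above, as an added example that is not part of the original post: a wrapper that refuses to run dd unless the image matches a known MD5, then reads the written bytes back and compares them. The function names are hypothetical, and it assumes md5sum, head, wc, cut and dd are on PATH (for instance from the private busybox in /data/local/bin).

```shell
#!/bin/sh
# Added example: checksum-verified raw image write (not from the thread).
# Assumes md5sum, dd, head, wc and cut are available on PATH.

# md5_of FILE [BYTES] -> prints the MD5 of FILE, or of its first BYTES bytes.
md5_of() {
    if [ -n "$2" ]; then
        head -c "$2" "$1" | md5sum | cut -d' ' -f1
    else
        md5sum < "$1" | cut -d' ' -f1
    fi
}

# verified_flash IMG EXPECTED_MD5 TARGET
# Return codes: 0 ok, 1 bad arguments or missing file,
# 2 image checksum mismatch (nothing written), 3 dd failed,
# 4 read-back mismatch.
verified_flash() {
    img=$1; expected=$2; target=$3
    [ -f "$img" ] && [ -n "$expected" ] && [ -e "$target" ] || return 1

    actual=$(md5_of "$img")
    if [ "$actual" != "$expected" ]; then
        echo "refusing to write: $img is $actual, expected $expected" >&2
        return 2
    fi

    # $(( )) strips any padding some wc implementations print.
    size=$(($(wc -c < "$img")))
    # conv=notrunc only matters when TARGET is a regular file (as in a test).
    dd if="$img" of="$target" bs=2048 conv=notrunc 2>/dev/null || return 3
    sync

    # Read back only as many bytes as the image has; the partition is larger.
    written=$(md5_of "$target" "$size")
    [ "$written" = "$expected" ] || return 4
    echo "ok: $size bytes verified on $target"
}
```

The read-back can be served from the page cache, so it confirms what dd wrote rather than what the flash chip retained.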
I now have root, unlocked bootloader and TWRP. Whoot!!
Well I now have TWRP installed. Thank you very much for all your help and direction, I sincerely appreciate your assistance.
I installed termux and after updating the packages successfully used dd to install TWRP.
1st thing I am going to do a full system backup.
No developer love for N900V not good

persistent changes to hosts file following reboot?

Hi everyone. I'm scratching my head here and struggling to find a solution that doesn't require root.
I've got a hosts file that I love as it blocks nearly all advert servers on my phone.
I know there are several adblocking apps but they all require root.
I have had to remove root as I have some critical apps that still don't work, even after hiding Magisk from the apps within the Magisk Manager.
I've got a magisk patched image that I can "fastboot boot" with and can edit the hosts file (after remounting /system as rw) but when I then reboot afterwards, the hosts file has been overwritten.
Can anyone help me please or give me a pointer of how to make the hosts edits remain following a reboot?
edit2add
I am using stock ROM with latest August patches on my Mi A1
You can't without root. Even if you do it, your system partition will be modified and it will result in the phone not booting or just SafetyNet won't pass.
Use a VPN, or I'm pretty sure there's an app that can fake a VPN with an ad ban list
Dead-neM said:
You can't without root. Even if you do it, your system partition will be modified and it will result in the phone not booting or just SafetyNet won't pass.
Use a VPN, or I'm pretty sure there's an app that can fake a VPN with an ad ban list
Interesting idea regarding spoof VPN.
Do you know how the hosts file is generated? If it's copied over from somewhere during boot then could I edit the source file it's copied from?
If it's generated procedurally, might I be able to script it to add my edits during creation?
wodgey said:
Interesting idea regarding spoof VPN.
Do you know how the hosts file is generated? If it's copied over from somewhere during boot then could I edit the source file it's copied from?
If it's generated procedurally, might I be able to script it to add my edits during creation?
System partition ? so that's a good idea but you'll have to compile a ROM to change this file. On a Linux distro the host file is a thing you can modify easily. On Android it's just deprecated by Google as it's mostly used as an ad filter. And Google is an ad company. That's my guess.
Anyway host file will always need root even on Linux.
Simply because it can be used against you.
The problem is more on apps that block you because you're rooted than being rooted for changing this file.
If any app could modify host then bang you go to YouTube and it redirects you to something else.
Maybe for you it's just an adblock file but it's a little more than that.
So sorry but it's root or vpn.
Dead-neM said:
System partition ? so that's a good idea but you'll have to compile a ROM to change this file. On a Linux distro the host file is a thing you can modify easily. On Android it's just deprecated by Google as it's mostly used as an ad filter. And Google is an ad company. That's my guess.
Anyway host file will always need root even on Linux.
Simply because it can be used against you.
The problem is more on apps that block you because you're rooted than being rooted for changing this file.
If any app could modify host then bang you go to YouTube and it redirects you to something else.
Maybe for you it's just an adblock file but it's a little more than that.
So sorry but it's root or vpn.
So? Could I possibly extract the system.img from the stock ROM, make the edits there and then recompile?
(I've got a copy of payload.bin that I extracted a few weeks ago, when trying to flash the August security patches (this was before I did a complete flash of stock ROM using fastboot))
That actually seems like it wouldn't take too much effort
wodgey said:
So? Could I possibly extract the system.img from the stock ROM, make the edits there and then recompile?
(I've got a copy of payload.bin that I extracted a few weeks ago, when trying to flash the August security patches (this was before I did a complete flash of stock ROM using fastboot))
That actually seems like it wouldn't take too much effort
This will lead to a corrupt, modified system partition. As I said, the worst thing is you could not boot, and at best it just won't pass SafetyNet.
Dead-neM said:
This will lead to a corrupt, modified system partition. As I said, the worst thing is you could not boot, and at best it just won't pass SafetyNet.
Ok I understand.
How does the device 'know' that the system partition is corrupt? Does it perform a hash check perhaps?
How would compiling my own custom ROM avoid this same problem?
wodgey said:
Ok I understand.
How does the device 'know' that the system partition is corrupt? Does it perform a hash check perhaps?
How would compiling my own custom ROM avoid this same problem?
It does many things to know that it has been touched. You'll have to modify some stuff and it will work. You'll lose certification but you'll have your own ROM.
Dead-neM said:
It does many things to know that it has been touched. You'll have to modify some stuff and it will work. You'll lose certification but you'll have your own ROM.
Any chance you can outline the other stuff I'd need to change?
If it's really in-depth then don't worry but if it's just a few bullet-points that I can Google more info on, I'd appreciate it.
wodgey said:
Any chance you can outline the other stuff I'd need to change?
If it's really in-depth then don't worry but if it's just a few bullet-points that I can Google more info on, I'd appreciate it.
Search "dm-verity" and "safetynet". The first one is what will look at any r/o partition like system and kernel. It's been a long time since I dug into this. I'm not into this anymore.
But you can disable it, but you'll lose SafetyNet, encrypted partition etc... (I may be wrong but you get the idea). And SafetyNet looks at whether a partition has been modified and whether you are a certified device; if it won't pass, the banking app and apps like Pokemon Go etc. won't work.
Magisk hides the fact that the kernel img has been touched, and most apps that detect it detect just the app itself. That means Magisk capability (su, hide and module).
So you could maybe compile stock ROM with a custom host file. Never touch vendor partition! Make a backup before! By booting and not flashing TWRP. Do not flash TWRP, just use the "fastboot boot" command.
You'll need to make a custom kernel and system img to flash in order to do it.
I'll try to do a ROM without anything modded except kernel without dm-verity and system with your host and I guess it needs change too.
I dunno if it will pass SafetyNet after.
Just don't brick your phone ?
Keep in mind that you'll lose OTA. There's a chance that the ROM works with just some changes but it can be a mess to do.
Why not try a custom ROM like LineageOS?
Using their supersu zip won't you be able to replace the host file then remove root?
Once you make a backup, move it to a PC as a savestate. You are free to try different solutions.
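How a block-hash check notices a one-byte edit to a file inside a read-only image, as an added example that is not part of the thread: a simplified, one-level version of the dm-verity idea mentioned above. Real dm-verity salts the hash of each 4 KiB block and builds a multi-level tree whose root hash is signed; the function names here are hypothetical.

```shell
#!/bin/sh
# Added illustration (not from the thread): simplified dm-verity-style check.
# One level of SHA-256 block hashes is folded into a single root hash;
# real dm-verity adds a salt, more tree levels and a signed root.
BLOCK=4096

# block_hashes IMG -> one SHA-256 per 4096-byte block, in order.
block_hashes() {
    size=$(($(wc -c < "$1")))
    n=$(( (size + BLOCK - 1) / BLOCK ))
    i=0
    while [ "$i" -lt "$n" ]; do
        dd if="$1" bs="$BLOCK" skip="$i" count=1 2>/dev/null |
            sha256sum | cut -d' ' -f1
        i=$((i + 1))
    done
}

# root_hash IMG -> hash over the ordered list of block hashes.
root_hash() {
    block_hashes "$1" | sha256sum | cut -d' ' -f1
}

# changed_blocks REFERENCE CANDIDATE -> zero-based indexes of differing blocks.
changed_blocks() {
    ref=$(mktemp)
    block_hashes "$1" > "$ref"
    block_hashes "$2" | awk -v ref="$ref" '
        { r = ""; getline r < ref; if (r != $0) print NR - 1 }'
    rm -f "$ref"
}

# verify_image IMG TRUSTED_ROOT -> 0 if the image still matches, 1 otherwise.
verify_image() {
    [ "$(root_hash "$1")" = "$2" ]
}
```

Because the trusted root hash is fixed when the image is built, any edit to the image changes a block hash and therefore the root, which is why a modified stock system image fails verification.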
Dead-neM said:
Search "dm-verity" and "safetynet". The first one is what will look at any r/o partition like system and kernel. It's been a long time since I dug into this. I'm not into this anymore.
But you can disable it, but you'll lose SafetyNet, encrypted partition etc... (I may be wrong but you get the idea). And SafetyNet looks at whether a partition has been modified and whether you are a certified device; if it won't pass, the banking app and apps like Pokemon Go etc. won't work.
Magisk hides the fact that the kernel img has been touched, and most apps that detect it detect just the app itself. That means Magisk capability (su, hide and module).
So you could maybe compile stock ROM with a custom host file. Never touch vendor partition! Make a backup before! By booting and not flashing TWRP. Do not flash TWRP, just use the "fastboot boot" command.
You'll need to make a custom kernel and system img to flash in order to do it.
I'll try to do a ROM without anything modded except kernel without dm-verity and system with your host and I guess it needs change too.
I dunno if it will pass SafetyNet after.
Just don't brick your phone ?
Keep in mind that you'll lose OTA. There's a chance that the ROM works with just some changes but it can be a mess to do.
Why not try a custom ROM like LineageOS?
Using their supersu zip won't you be able to replace the host file then remove root?
Once you make a backup, move it to a PC as a savestate. You are free to try different solutions.
Thanks for info I'll investigate later in the week when I have more time. Monday has arrived too quickly!
Appreciated though
