[EXPLOIT][HOW-TO] BypassLKM: bypass module signature verification on TW 4.3 - AT&T Samsung Galaxy S 4 Android Development

I got this idea after reading about CVE-2013-6282 and seeing the source for it.
As we all know, anyone with MF3+ bootloaders on ATT/VZW cannot load custom kernels/recoveries. Hashcode saved the day with Safestrap, which allowed users to run custom ROMs using stock, signed boot.imgs (initramfs/kernel). Unfortunately booting a custom kernel is still not possible due to BL restrictions.
With this latest root exploit, it is possible to overwrite kernel memory and thus remove some of the restrictions of the stock kernel. Most important is the ability to insert kernel modules not signed by Samsung, specifically kexec. This module can allow one to load any custom kernel regardless of BL restrictions. Before you ask, I have never compiled nor worked with kexec!
I'm going to go over the process just for completeness, you can skip this section if you want. It's mostly for devs:
With 4.3, when you insert one of the included modules (i.e., one from /system/lib/modules), you will see the following in dmesg:
Code:
<4>[ 2003.009063] TIMA: lkmauth--launch the tzapp to check kernel module; module len is 3224
<4>[ 2003.009124] TIMA: lkmauth -- hdr before kreq is : e3003000
<4>[ 2003.009155] TIMA: lkmauth--send cmd (tima_lkm) cmdlen(304:320), rsplen(264:320) id 0x00050000, req (0xE511C000), rsp(0xE511C140), module_start_addr(0xE3003000) module_len 3224
<4>[ 2003.012237] TIMA: lkmauth--verification succeeded.
Though I'm not intimately familiar with the workings of lkmauth, it's obvious it's querying TrustZone (TZ) to verify the module. If we now change one insignificant byte in the module, you get:
Code:
<4>[ 2301.298980] TIMA: lkmauth--launch the tzapp to check kernel module; module len is 3224
<4>[ 2301.299011] TIMA: lkmauth -- hdr before kreq is : e300c000
<4>[ 2301.299041] TIMA: lkmauth--send cmd (tima_lkm) cmdlen(304:320), rsplen(264:320) id 0x00050000, req (0xE511C000), rsp(0xE511C140), module_start_addr(0xE300C000) module_len 3224
<3>[ 2301.301391] TIMA: lkmauth--verification failed -1
<4>[ 2301.301544] TIMA: MSG=lkm_modified; result (TIMA_RESULT=MSG=lkm_modified;)
We can use these messages to narrow down the code in the kernel. I'm using ATT MK2 as the example here:
kernel/module.c
Code:
/* parse result */
if (krsp->ret == 0) {
    pr_warn("TIMA: lkmauth--verification succeeded.\n");
    ret = 0; /* ret should already be 0 before the assignment. */
} else {
    pr_err("TIMA: lkmauth--verification failed %d\n", krsp->ret);
    ret = -1;
....
If we unpack boot.img, then decompress the zImage, we can find this code in the binary. Fire up IDA and set the base address to 0xC0008000. You should be able to resolve the above string reference to:
Code:
ROM:C00B9C20 44 11 98 E5    LDR R1, [R8,#0x144]
ROM:C00B9C24 00 00 51 E3    CMP R1, #0
ROM:C00B9C28 02 00 00 1A    BNE loc_C00B9C38        ; <-- patch target
ROM:C00B9C2C 54 01 9F E5    LDR R0, =a4TimaLkmauthVe ; "<4>TIMA: lkmauth--verification succeede"...
ROM:C00B9C30 CA 57 1D EB    BL  sub_C080FB60
ROM:C00B9C34 3C 00 00 EA    B   loc_C00B9D2C
That BNE is the target for our patch. bypasslkm basically overwrites that test with a NOP instruction, thus forcing the authentication to succeed.
I tested inserting a modified stock module and one I compiled. By the way, if you want to use the modules from the kernel source tree, be sure to add -fno-pic to CFLAGS_MODULE in the Makefile.
-------------------------------------------------------------------------------------------------------------
Usage:
bypasslkm is run alone, and patches the kernel in memory. It does NOT make any changes to the filesystem, and a reboot will require re-executing the patch. Please note the patch will remain in memory until you run 'bypasslkm -r' OR reboot. THIS CAN LEAVE YOUR OS IN A VULNERABLE STATE TO MALWARE. Ideally, you would run the patch, insert your module, then run the patch with -r.
Typical usage:
adb push bypasslkm /data/local/tmp
cd /data/local/tmp
chmod 755 bypasslkm
./bypasslkm
insmod <modulename.ko>
./bypasslkm -r
Supported stock kernels: ATT MK2, VZW MK2, VZW MJ7
CREDITS
fi01 - awesome source for the CVE!
CUBE - getroot source!
djrbliss - thanks for the makefile =P
DOWNLOAD:
Get the latest from my git: https://github.com/jeboo/bypasslkm
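Added example, not part of jeboo's post or the bypasslkm repository: the "verify, patch, restore" logic for the lkmauth result test, run against a constructed copy of the six kernel words from the IDA listing instead of live kernel memory. The instruction encodings and the ATT MK2 address 0xC00B9C28 come from the post; the window structure, the helper names, the dmesg check and the refuse-if-unexpected policy are this example's own assumptions (the real tool writes through the CVE-2013-6282 primitive, which is not reproduced here).

```c
/*
 * Added example, not jeboo's bypasslkm source: sanity-checked patch and
 * restore of the lkmauth BNE, exercised on a constructed stand-in buffer.
 * Encodings and the patch VA are from the write-up; everything else
 * (struct, helpers, policy) is assumed for illustration.
 */
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Little-endian ARM words exactly as they appear in the listing. */
#define LDR_R1_R8_144  0xE5981144u  /* LDR R1, [R8,#0x144]   ; R1 = krsp->ret        */
#define CMP_R1_0       0xE3510000u  /* CMP R1, #0                                     */
#define BNE_FAILED     0x1A000002u  /* BNE loc_C00B9C38      ; "verification failed"  */
#define ARM_NOP        0xE1A00000u  /* MOV R0, R0            ; the replacement        */
#define PATCH_VA       0xC00B9C28u  /* ATT MK2 patch site from the post               */

/* Constructed stand-in for kernel text at C00B9C20..C00B9C34 (not real kmem). */
struct kmem_window {
    uint32_t base;       /* kernel VA of words[0] */
    uint32_t words[6];
};

static uint32_t *kmem_at(struct kmem_window *w, uint32_t va)
{
    size_t n = sizeof(w->words) / sizeof(w->words[0]);
    if ((va & 3) || va < w->base || (va - w->base) / 4 >= n)
        return NULL;
    return &w->words[(va - w->base) / 4];
}

/*
 * Patch (restore == 0) or un-patch (restore != 0) the BNE at patch_va.
 * Returns 0 on success, -1 if the site does not look like LDR/CMP/BNE
 * (wrong kernel build, already patched, bad address): never write blind.
 */
int lkmauth_patch(struct kmem_window *w, uint32_t patch_va, int restore)
{
    uint32_t *ldr = kmem_at(w, patch_va - 8);
    uint32_t *cmp = kmem_at(w, patch_va - 4);
    uint32_t *bne = kmem_at(w, patch_va);
    if (!ldr || !cmp || !bne || *ldr != LDR_R1_R8_144 || *cmp != CMP_R1_0)
        return -1;
    if (!restore) {
        if (*bne != BNE_FAILED) return -1;   /* unexpected word: refuse */
        *bne = ARM_NOP;                       /* fall through to "succeeded" */
    } else {
        if (*bne != ARM_NOP) return -1;      /* not patched: nothing to undo */
        *bne = BNE_FAILED;
    }
    return 0;
}

/* 1 = verification succeeded, 0 = failed, -1 = no lkmauth result in the buffer.
 * Matches the message strings the post shows in dmesg; latest message wins. */
int lkmauth_result_from_dmesg(const char *dmesg)
{
    const char *ok  = strstr(dmesg, "TIMA: lkmauth--verification succeeded");
    const char *bad = strstr(dmesg, "TIMA: lkmauth--verification failed");
    if (!ok && !bad) return -1;
    if (ok && bad) return ok > bad ? 1 : 0;
    return ok ? 1 : 0;
}

/* The ATT MK2 window from the listing, constructed here as test data. */
struct kmem_window make_att_mk2_window(void)
{
    struct kmem_window w = { 0xC00B9C20u, {
        LDR_R1_R8_144, CMP_R1_0, BNE_FAILED,
        0xE59F0154u,   /* LDR R0, =a4TimaLkmauthVe */
        0xEB1D57CAu,   /* BL  sub_C080FB60         */
        0xEA00003Cu    /* B   loc_C00B9D2C         */
    } };
    return w;
}

int main(void)
{
    struct kmem_window w = make_att_mk2_window();
    int r = lkmauth_patch(&w, PATCH_VA, 0);
    printf("patch:   %d, word now %08X\n", r, w.words[2]);
    r = lkmauth_patch(&w, PATCH_VA, 0);
    printf("repeat:  %d (refused, site already NOP)\n", r);
    r = lkmauth_patch(&w, PATCH_VA, 1);
    printf("restore: %d, word now %08X\n", r, w.words[2]);
    return 0;
}
```

The point of the pre-write check is the one jeboo warns about below: on an unsupported build the bytes at 0xC00B9C28 are something else, and a blind 4-byte write there corrupts kernel text. Checking the LDR/CMP pair in front of the BNE, and refusing to "restore" when the word is not the NOP, is the sanity checking the tool itself does not yet do.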

Reserved!

Very nice work. Wish I had a MF3 device so I could try it.

Thank you @jeboo. I'll see what I can do with this
Sent from my XT926 using Tapatalk

Nice job man!
Sent from my SM-N900V using Tapatalk

Hashcode said:
Thank you @jeboo. I'll see what I can do with this
Sent from my XT926 using Tapatalk
Will it help to crack the Note 3 bootloader?

This also works on the I545 with MI1 kernel...
This is directed at @Hashcode and @jeboo:
Guys, I just tried this on my I545 running the MI1 kernel, and it works. I am running Hyperdrive RLS 10.2 with the ATT compatibility pack (using AT&T service) -- but as you know, I am still stuck on the stock Verizon MI1 kernel. You should know that I flashed Hyperdrive over the stock ROM -- that's the only way (at the time) I could get it onto AT&T service here in the US.
My immediate question is how will this allow me to completely replace the stock kernel with something like the Infamous 4.6 OC kernel? I am just getting into this phase of development, so I am not as up on this as you guys are. I know every time I flash the Infamous kernel, the flash in SS seems to work -- but the phone always reboots to the stock 3.0.4 verizon kernel.
Of course, I had another thought, too -- I wonder if it is possible to use this to allow us to insert a module that does something similar to the Motorola Trust Zone unlock? Just another item for your consideration...
Here is a screen capture of me running bypasslkm:
=============================================
130|[email protected]:/data/local/tmp # ./bypasslkm
BypassLKM patch by Jeboo
usage: -r will restore kernel to original
Big thanks to fi01 & CUBE for their awesome CVE-2013-6282 exploit source!
ro.build.product=jflteatt
ro.build.displayid=JDQ39.I545VRUAME7
Patching kernel @ 0xC00B9C28: unsigned modules can now be inserted.
Done.
[email protected]:/data/local/tmp # ./bypasslkm -r
BypassLKM patch by Jeboo
usage: -r will restore kernel to original
Big thanks to fi01 & CUBE for their awesome CVE-2013-6282 exploit source!
ro.build.product=jflteatt
ro.build.displayid=JDQ39.I545VRUAME7
Patching kernel @ 0xC00B9C28: restoring original value.
Done.
[email protected]:/data/local/tmp #

I have an AMDL S4 so I'm already running AOSP ROMs, so I've never really paid attention to the problems which the newer S4's face.
Does the OP have a patch that allows the newer S4's to run AOSP now also?
Sorry if it's a stupid question.

Not quite yet...
CZ Eddie said:
I have an AMDL S4 so I'm already running AOSP ROMs, so I've never really paid attention to the problems which the newer S4's face.
Does the OP have a patch that allows the newer S4's to run AOSP now also?
Sorry if it's a stupid question.
Not quite yet -- but this is looking extremely promising!!

CZ Eddie said:
Does the OP have a patch that allows the newer S4's to run AOSP now also?
OP has an exploit that lets us load unsigned kernel modules. This means we can try to load up a kexec module, which would then load in a kernel over the stock one. So possibly, if it can be implemented.
budding_developer said:
This is directed at @Hashcode and @jeboo:
Guys, I just tried this on my I545 running the MI1 kernel, and it works. I am running Hyperdrive RLS 10.2 with the ATT compatibility pack (using AT&T service) -- but as you know, I am still stuck on the stock Verizon MI1 kernel. You should know that I flashed Hyperdrive over the stock ROM -- that's the only way (at the time) I could get it onto AT&T service here in the US.
My immediate question is how will this allow me to completely replace the stock kernel with something like the Infamous 4.6 OC kernel? I am just getting into this phase of development, so I am not as up on this as you guys are. I know every time I flash the Infamous kernel, the flash in SS seems to work -- but the phone always reboots to the stock 3.0.4 verizon kernel.
Of course, I had another thought, too -- I wonder if it is possible to use this to allow us to insert a module that does something similar to the Motorola Trust Zone unlock? Just another item for your consideration...
SS does not actually flash kernels, which is why it reboots to stock. The way this will allow you to run a different kernel is by loading in an unsigned kexec module and loading the new kernel over the stock one using that module. As for the Trust Zone unlock, someone with more real dev knowledge than me will have to look into that.

budding_developer said:
This is directed at @Hashcode and @jeboo:
[...]
Careful running this on unsupported kernels..I didn't add any sanity checking.

jeboo said:
Careful running this on unsupported kernels..I didn't add any sanity checking.
Didn't figure you did at this early stage... I am well equipped with everything I need to restore (short of JTAG, of course)... thanks for the warning, though!

I know it's early, but are there any modules handy for testing?
SAFESTRAPPED ATT MK2 I337 S4

jball said:
I know it's early, but are there any modules handy for testing?
SAFESTRAPPED ATT MK2 I337 S4
Too early, give it a week or so.. it's a long process being that no one is doing it full time...
Then again it's Christmas time, so maybe a few weeks..

tommydrum said:
Too early, give it a week or so.. it's a long process being that no one is doing it full time...
Then again it's Christmas time, so maybe a few weeks..
I've done some reading on it and trust me, I do know it's not an easy thing for you and me. I don't put in development hours as I'm not a developer. I just want to contribute anything I can, even if it's just my phone. If you asked my wife, I live and breathe XDA. Thank you all for the hard work, you're doing an awesome job.
SAFESTRAPPED ATT MK2 I337 S4

jball said:
I've done some reading on it and trust me, I do know it's not an easy thing for you and me. I don't put in development hours as I'm not a developer. I just want to contribute anything I can, even if it's just my phone. If you asked my wife, I live and breathe XDA. Thank you all for the hard work, you're doing an awesome job.
SAFESTRAPPED ATT MK2 I337 S4
I'd be willing to contribute my phone too.. even more since there's a workaround to Odin a bricked phone back onto MK2.

tommydrum said:
I'd be willing to contribute my phone too.. even more since there's a workaround to Odin a bricked phone back onto MK2.
What workaround are you referring to? I thought there was no way to Odin to MK2.
Sent from my GT-I9505 using XDA Premium 4 mobile app

cerobles1 said:
What workaround are you referring to? I thought there was no way to Odin to MK2.
Sent from my GT-I9505 using XDA Premium 4 mobile app
Let's not clutter this thread. Look it up please.

I don't mean to be a noob, but will this work on MF3?

Ask in another thread please.. and we don't know, but there's a good chance yes..
Again..please only developers post on this thread!! Keep it clean!!

Related

[APP][ABANDONED] z4mod

Alright, here is the z4mod app at long last! This release needs a lot of testing for different devices still, so make sure you check the compatibility table below unless you know how to use Odin to flash back your original kernel. Thanks for helping to test this!
This is still in beta! If you know how to flash with Odin, please help test so all bugs can be found and fixed to allow for wider release!
What is this?
Another lagfix. This one is a bit different from existing lagfixes though:
- Differences from OCLF: Uses native EXT/JFS instead of loopback mounts. Loopback mounts in Linux can be a bit flaky at times, especially when they're on RFS. So this is generally better.
- Differences from lagfix kernels such as voodoo or sztupy's: These types of lagfixes are kernels compiled from GPL sources for specific devices. This can cause a number of issues, such as losing out on bug fixes in later Samsung kernels released after the GPL code, or differences in devices such as the I9000B, etc. z4mod also has (imo) a nicer design, in that it uses /etc/fstab for filesystem mounting, as well as keeping the convert scripts outside the kernel. It should also work across ALL (or many?) Samsung devices without changes!
How do I use this?
Install the app. Click the buttons. It should all just work. Let me know of any issues or complications! This is still in testing!
Device/firmware compatibility table
Samsung Galaxy S Devices
Stock Samsung
I9000 Stock Samsung 2.2 : WORKING
I9000 Stock Samsung 2.1 : NOT TESTED
I9000B Stock Samsung 2.2 : NOT TESTED
I9000B Stock Samsung 2.1 : NOT TESTED
I9000T Stock Samsung 2.2 : NOT TESTED
I9000T Stock Samsung 2.1 : NOT TESTED
I9000M Stock Samsung 2.2 : NOT TESTED
I9000M Stock Samsung 2.1 : NOT TESTED
Captivate Stock Samsung 2.2 : NOT TESTED
Captivate Stock Samsung 2.1 : NOT TESTED
Vibrant Stock Samsung 2.2 : NOT TESTED
Vibrant Stock Samsung 2.1 : NOT TESTED
Epic Stock Samsung 2.2 : NOT TESTED
Epic Stock Samsung 2.1 : NOT TESTED
Fascinate Stock Samsung 2.2 : NOT TESTED
Fascinate Stock Samsung 2.1 : NOT TESTED
Stock Japanese Docomo Galaxy S (SC-02B) : WORKING
Stock SHW-M110S (Korean SGS) : WORKING
Custom Firmwares
Any custom firmware that uses a stock kernel works as the stock kernel in the table above
Custom kernels that make use of changed filesystems or boot up scripts are unlikely to work at this time. Emphasis is on stock kernels currently.
Custom Kernels
BLN (backlight notification) custom kernel for GT-I9000 works
Voodoo kernels do not work
Kernels with heavily modified boot procedures such as rooted Vibrant kernels do not work
CFRoot kernel does not work.
DamianGto's kernels work
Other Samsung Devices
NOT TESTED
More info on z4mod
http://www.sgscompilebox.dreamhosters.com/about.html
Source Code
http://github.com/z4/z4mod
V0.9.2 Changelog
Fix for EXT2->RFS Conversion. Please update to this app version before using this conversion.
Other small bug fixes.
Conversion page now has scrolling text informing you of progress and any errors.
V0.9.3 Changelog
Critical: Upload kernel now passes binary MIME type to prevent corrupt kernels
Fixes for text in conversion screen.
Fix for 'mmcblk0p2' always being chosen for /data, even on devices that use 'mmcblk0p1'
Bug fixes for UI
Donations
Donate link is available at https://www.paypal.com/cgi-bin/webs...=PP-DonationsBF:btn_donateCC_LG.gif:NonHosted
Quick question: I need to disable Voodoo before using this, right?
Anyway, I'm running a Vibrant ROM (Axura) on my Rogers Captivate (I896).
Testing now.
DAGr8 said:
Quick question: I need to disable Voodoo before using this, right?
Anyway, I'm running a Vibrant ROM (Axura) on my Rogers Captivate (I896).
Testing now.
This probably won't work if you have a Voodoo kernel installed. The Voodoo kernel is unlikely to be patchable, since it's not native RFS, and does not use /etc/fstab.
RyanZA said:
- Differences from OCLF: Uses native EXT/JFS instead of loopback mounts. Loopback mounts in Linux can be a bit flaky at times, especially when they're on RFS. So this is generally better.
I have a Vibrant and this is why I have avoided using the OCLF in the past. Many ROMs don't even need a lag fix. However, with that issue gone, I'll at least try it and report back on it.
RyanZA said:
This probably won't work if you have a Voodoo kernel installed. The Voodoo kernel is unlikely to be patchable, since it's not native RFS, and does not use /etc/fstab.
Hey, I forgot to mention I had flashed setiron's reoriented kernel on it, so yeah, the result is "could not patch kernel"..
I guess I have more tests to do. But right now I'm stuck with the 0.12 problem.
I did test it.
I knew it would not work. ;-)
The thing I was testing was whether you could do this on a kernel that has not been patched. Well, you can press the button and the phone restarts. I guess it tries but fails and restarts again.
Can you do a check on the kernel so you know it's patched?
I'm thinking of what happens if people try every kernel without the patch. It should point them to the website
instead of restarting the phone.
Sent from GT-I9000 jpo. My own kernel for z4mod and with 342MB Ram
Can I use this with the SpeedMod kernel?
DamianGto said:
I guess I have more tests to do. But right now I'm stuck with the 0.12 problem.
I did test it.
I knew it would not work. ;-)
The thing I was testing was whether you could do this on a kernel that has not been patched. Well, you can press the button and the phone restarts. I guess it tries but fails and restarts again.
Can you do a check on the kernel so you know it's patched?
I'm thinking of what happens if people try every kernel without the patch. It should point them to the website
instead of restarting the phone.
Sent from GT-I9000 jpo. My own kernel for z4mod and with 342MB Ram
It checks for a /z4mod/z4version file to determine if it's been patched already. If you are using an earlier patched z4mod kernel that doesn't have that file, then it won't work right. If you start with a stock samsung kernel then it should work fine.
specialex said:
Can I use this with the SpeedMod kernel?
Feel free to give it a shot, but the current emphasis in this 0.9 app release is on patching and lagfixing the stock samsung kernels. Once that is all working and bugfree across devices, then I will look more at supporting custom kernels. At present, any custom kernel that does not change the initramfs (in particular, the /init binary and init.rc mount options) too heavily should work fine.
Hey Ryan,
I patched the stock Vibrant JK2 kernel and it patched successfully; however, the conversion to ext2 did not work. It said it worked, rebooted, but I was still on RFS.
Whitehawkx said:
Hey Ryan,
I patched the stock Vibrant JK2 kernel and it patched successfully; however, the conversion to ext2 did not work. It said it worked, rebooted, but I was still on RFS.
Thanks for testing!
Could you upload the z4mod.log file in your sdcard? /sdcard/z4mod.log
Okay. Then it's just because of the bug in the latest z4build.
That's why it tried to apply the change.
z4ziggy is working on that problem.
Hope he will solve that soon. Right now I'm on the stock filesystem with my new kernel. Lol.
Kind of fun to compare them.
Sent from GT-I9000 jpo. My own kernel for z4mod and with 342MB Ram
RyanZA said:
Thanks for testing!
Could you upload the z4mod.log file in your sdcard? /sdcard/z4mod.log
I just looked and there isn't one there.
Whitehawkx said:
I just looked and there isn't one there.
Hah... Okay that's pretty strange. What method did you use to root btw? Perhaps it's a busybox conflict of some type.
RyanZA said:
Hah... Okay that's pretty strange. What method did you use to root btw? Perhaps it's a busybox conflict of some type.
Hmmm, the ROM/kernel I flashed came pre-rooted. Now that I think about it, I was using the stock JK2 kernel but it has a custom init script to allow the use of custom boot animations. Could this be affecting the conversion process by chance? Any time I manually root though, I use OCLF from the market.
Hey RyanZA,
I see that there is a list of devices in the first post but I don't see a listing for the GT-I9000M specifically. I see the I9000, I9000B and I9000T but no "M". Is there a reason for this? Is the I9000M considered in the generic I9000 family? Also...
A bit off topic here, but I am curious to know if I root using z4root and need to unroot for warranty purposes, will it remove ALL traces that it had been rooted, including Busybox and the Superuser app?
I know that Samsung has issued a memo stating that if a phone shows up rooted at a service center the warranty will be voided, and I'd really like to try this rooting method.
Also, as you are probably aware, the i9000M here in Canada has issues with internal sd card failures and I am curious to know if just rooting with z4root will possibly kill my internal sd?
Thanks...
Flashed my Epic using the DK05 2.2 ROM, ran z4mod, get error "zImage test failed" when I try to patch the kernel.
RyanZA said:
Feel free to give it a shot, but the current emphasis in this 0.9 app release is on patching and lagfixing the stock samsung kernels. Once that is all working and bugfree across devices, then I will look more at supporting custom kernels.
You should probably put this in the OP, less hassle probably.
If nobody else tests it on the Cappy, I'll flash to stock just to test..
@DamianGto:
The problem is with CWM recovery: its busybox tar is not working properly.
I think I found a way to overcome this and I updated the git, so now the CWM option should be working again.
Whitehawkx said:
Hey Ryan,
I patched the stock Vibrant JK2 kernel and it patched successfully; however, the conversion to ext2 did not work. It said it worked, rebooted, but I was still on RFS.
If you could paste the contents of the following 2 files we might learn more:
/z4mod/log/init
/sdcard/z4mod.log
Just installed on my device (GT-I9000 with the official JPA, just released today in Thailand).
It worked fine. I got 1730 in Quadrant.
Thanks for your excellent job. ^__^

[Q] Important question about KEXEC - custom rom for locked bootloader

I MADE A MISTAKE IN THE TOPIC TITLE
KEXEC is a script/app/thing that allows running a custom kernel on a LOCKED BOOTLOADER
I know it works on the Moto RAZR
Hello. I remember that some Motorola devices have a locked BL. I searched for some info and found:
Something for NOOK
http://forum.xda-developers.com/showthread.php?t=1361943
And for Moto
http://forum.xda-developers.com/showthread.php?t=1599648
IMPORTANT: I don't know, did I find something interesting?
Edit: Hmm, it looks something like this:
1. Reboots phone
2. Deletes the kernel from RAM, or it is rewritten in RAM
3. Launches the system
Soooo, could it be used in our Arcs? I think it could.
If anyone who knows something about Android could say something about it....
boss134 said:
IMPORTANT: I don't know, did I find something interesting?
It's interesting no doubt, let's see if anything comes from it.
I hope this will push our locked-bootloader Arcs to the next level.
Can someone look after that project? As you can see I am not a dev, and I think that someone with experience should ask the devs of this KEXEC thing how they did it, and whether this method is universal to every Android device, or at least Qualcomm devices.
Ohh I remember Kexec from the old Xperia X10 days... FxP (Jerpelea) and Zdizihu both were able to run CM and Stock Froyo on custom kernels using Kexec for our Locked BL X10's....
The work was then abandoned when Sony decided to start unlocking Bootloaders when possible...
We have a chance?
So can somebody make a ROM with that piece of software? I want to test some ROMs before I unlock my bootloader.
Besides, this could be a cheap way to have a custom ROM.
Any hope of making kexec work on the Arc S? I have a locked bootloader, can't unlock it...
Odd, how I have missed this topic. I will look into it as soon as I can and do some testing.
kexec
Someguyfromhell said:
Odd, how I have missed this topic. I will look into it as soon as I can and do some testing.
Hi!
I apparently found a working kexec command (compiled for ARMv7). I cannot test it because I haven't got my USB cable now, but I can run it; it displays help from the terminal emulator.
Trying kexec
That's my result, not so good..
255|[email protected]:/system/bin # ./kexec /mnt/sdcard/lupus.img
./kexec /mnt/sdcard/lupus.img
Cannot open /proc/atags: No such file or directory
kexec_load failed: Function not implemented
entry = 0x208000 flags = 280000
nr_segments = 2
segment[0].buf = 0x2e008
segment[0].bufsz = 10
segment[0].mem = 0x201000
segment[0].memsz = 1000
segment[1].buf = 0x2ab3c008
segment[1].bufsz = 720000
segment[1].mem = 0x208000
segment[1].memsz = 720000
That's OK
I think that the lupus.img kernel should have some kexec things implemented to get it loaded into RAM; without that it's useless :/
Kernel
Hi!
I searched a lot, but I cannot find good information about the kexec thing.. it's not certain whether, if you have a kexec-compatible kernel, you MUST have atags or not (I suspect you must have atags only when you are trying to use a non-kexec kernel). Someone is needed who can make a kexec-compatible kernel first, because I cannot compile an Android kernel. I will find a tutorial for this, but I have never compiled; we need a surely working kernel.. I hope some devs are interested in this..

[DEV][KERNEL]Kexec-hardboot patch

I would like to explain this a little bit:
What is kexec?
It is a function which allows you to boot an alternative kernel without needing to flash it or using `fastboot boot`. I am not going to write a thousand words to explain this, so if you want more info, search it yourself.
What is kexec hardboot?
It does the same as what kexec aims to do, but instead of booting another kernel directly, it reboots the device before doing so, so that the hardware can be reinitialized by the bootloader. Normal kexec boots the kernel with the hardware in an unclean state, which is not very healthy. Kexec hardboot is somewhat healthier.
I know I am not explaining very well, so please refer to the original thread by @Tasssadar
So what is this post about?
At this moment there isn't any non-stock ROM, and no CAF or CM kernel is ported yet, so this is pretty useless actually.
In the future, if there are any custom ROMs, this will come in handy because it will allow "installing" multiple ROMs without having to flash them to the device memory.
Basically, this is just to prepare for the future.
Who should be reading this?
Well, developers who can properly compile a kernel.
Patches:
Kernel patch: https://gist.github.com/alvinhochun/7945428
Or, if you cloned my github stock kernel tree, check this: https://github.com/alvinhochun/sony-xperia-m-kernel/commit/2e818d81f21f6a627bc629e477052045426b0663
This is the kernel patch. Only the host kernel needs to be patched.
Related CONFIG options:
CONFIG_KEXEC=y
CONFIG_KEXEC_HARDBOOT=y
CONFIG_ATAGS_PROC=y
All these options must be enabled.
Userspace kexec binary: Use the one compiled by @Tasssadar on http://forum.xda-developers.com/showthread.php?p=46223952
Usage:
I have written a simple shell script to automatically set the correct cmdline here:
https://gist.github.com/alvinhochun/7945270
Basically, the most important thing is to make sure the addresses are correct and the cmdline has the proper information in it.
The script requires the kernel to be packed with CWM, which also provides /boot/busybox. You can use this tool: http://forum.xda-developers.com/showthread.php?t=2481864
Just download the kexec binary and put it in place.
Authors:
This patch was made by Mike Kasick for Samsung Epic 4G. Since that, it was ported to several devices.
My patch is based on the one by @Tasssadar on http://forum.xda-developers.com/showthread.php?p=46223952
So, is this like a 'Live CD' for Android?
Richardsentosa said:
So, is this like a 'Live CD' for Android?
Well, that analogy can't exactly be used. It's more like the kernel acts as a bootloader that is used to boot another kernel.
alvinhochun said:
Well, that analogy can't exactly be used. It's more like the kernel acts as a bootloader that is used to boot another kernel.
After seeing N4 multiboot, I think this is a great feature.
alvinhochun said:
I would like to explain this a little bit:
[...]
Can we use this to boot CM10/CM11 on the Sony Xperia Z?
nabelar82 said:
Can we use this to boot CM10/CM11 on the Sony Xperia Z?
I guess you are misled; this is a kernel feature and is not at all related to booting a ROM.
SpinXO said:
I guess you are misled; this is a kernel feature and is not at all related to booting a ROM.
Well, I read that, but I've been looking for a way to install cm11 on our Xperia Z with a locked bootloader, and this seems to help because we can't flash a boot img on a locked bootloader.
nabelar82 said:
Well, I read that, but I've been looking for a way to install cm11 on our Xperia Z with a locked bootloader, and this seems to help because we can't flash a boot img on a locked bootloader.
Not really.
But Recognized Developer @Rachit Rawat has explained how the locked-bootloader CM is booted, and I see @Olivier has worked on the same for the Xperia S; you can try to contact him.
Explanation Link: http://forum.xda-developers.com/showthread.php?p=49073506#post49073506
nabelar82 said:
Well, I read that, but I've been looking for a way to install cm11 on our Xperia Z with a locked bootloader, and this seems to help because we can't flash a boot img on a locked bootloader.
Surely there is a way known as 2nd-init, with which we can change the ramdisk without changing the kernel.
Xperia SP has 3-4 ROMs booted with the same method on locked bootloader. You can search in SP forums and contact the respective persons for porting the feature.
aweosomeabhijeet said:
Surely there is a way known as 2nd-init, with which we can change the ramdisk without changing the kernel.
Xperia SP has 3-4 ROMs booted with the same method on locked bootloader. You can search in SP forums and contact the respective persons for porting the feature.
Well, I am very interested in this patch, but I am not a developer. It would be very interesting if someone applied it on an Xperia Z and we could test. Can someone try? I can test.
aweosomeabhijeet said:
Surely there is a way known as 2nd-init, with which we can change the ramdisk without changing the kernel.
Xperia SP has 3-4 ROMs booted with the same method on locked bootloader. You can search in SP forums and contact the respective persons for porting the feature.
Contact Skrilax_CZ on freenode at channel #motomagic and he might be able to help us.

[KERNEL] Nexus 9 5.0.1 Stock Kernel with 2Amp Charging

Disclaimer: I'm not responsible for any damage done to your device if you flash this kernel.
Nexus 9 5.0.1 Stock Kernel with 2Amp charging modification
http://www38.zippyshare.com/v/52487126/file.html
Compiled from source. Edited the current limits based on the FIK kernel. Thanks to USBHost.
https://github.com/USBhost/FIK/commit/62aa76b7e1c6e68abdcc723e7a2aabfd398cf9e4
I'm still trying to figure out how to change the kernel version name. But this is a working kernel. I'm using it on my device. The highest charging current I have achieved is 1.9 amps, and it charges my N9 from 5% to 100% in 3.5 hours using an Apple charger.
Feedback is appreciated.
Here's a screenshot of the 3C Toolbox battery status.
Will this be good for LTE model or just wifi
I'm not sure if the kernel for LTE is the same. I only have the non-LTE Nexus 9.
Seems to work just fine on my LTE version. Verified the data connection still comes up and works for me.
jonahmt21 said:
I'm still trying to figure out how to change the kernel version name.
You will need to edit your defconfig for that
make "your defconfig"
make menuconfig
select the first option
select the second option :: if I remember correctly
Then type what you want
Then exit and save
Can you make this a flashable zip, please?
How do I flash this kernel? Via fastboot, or can I use Flashify?
I used flashify and it worked great. No need for a flashable zip.
Fastboot install using the Nexus Root Toolkit.
I should have known... If you removed encryption, then install this kernel, your device will encrypt itself... Dag nab it..
USBhost said:
You will need to edit your defconfig for that
make "your defconfig"
make menuconfig
select the first option
select the second option :: if I remember correctly
Then type what you want
Then exit and save
Actually, isn't it easier to just open the Makefile in the kernel dir? "kernel/htc/flounder/Makefile"
Code:
VERSION = 3
PATCHLEVEL = 10
SUBLEVEL = 40
EXTRAVERSION =           <-- ENTER HERE (free space)
NAME = TOSSUG Baby Fish  <-- or just change the given name here
The first blank-space option is probably better.
I know I am a million years late here, but I don't know how many old, old threads I've had to read to get stuff. So good deal. I'm still trying to get the camera working on DirtyUnicorns on flounder. haha
I think I must have a problem with my setup because I am getting weird compile errors when I try to build the kernel, inline or not... like the stupid -mlittle_endian crap. MAN! gcc or PATH issues? Hmm.
wantowan2 said:
Actually, isn't it easier to just open the Makefile in the kernel dir? "kernel/htc/flounder/Makefile"
Code:
VERSION = 3
PATCHLEVEL = 10
SUBLEVEL = 40
EXTRAVERSION =           <-- ENTER HERE (free space)
NAME = TOSSUG Baby Fish  <-- or just change the given name here
The first blank-space option is probably better.
I know I am a million years late here, but I don't know how many old, old threads I've had to read to get stuff. So good deal. I'm still trying to get the camera working on DirtyUnicorns on flounder. haha
I think I must have a problem with my setup because I am getting weird compile errors when I try to build the kernel, inline or not... like the stupid -mlittle_endian crap. MAN! gcc or PATH issues? Hmm.
True, you can use the EXTRAVERSION one,
but the other one, NAME, won't show in the kernel version.
Could someone compile a version of this kernel with encryption disabled?
siraltus said:
Could someone compile a version of this kernel with encryption disabled?
You just need to edit the ramdisk
No need to recompile
All links are dead
Sent from my SM-N920C using XDA-Developers mobile app

[Recovery] TWRP 2.8.7.x for the G925T on 5.1.1 (OF6) + [Kernel]Aou's OH6 Stock Kernel

Intro:
I've put in a serious number of hours poking around my G925T that I've upgraded to the official G925TUVU2COH6 firmware, trying to get TWRP installed and working on our device. With help from @bigbiff, @_that, and several testers in this thread, we finally have something working solid for our device. Before continuing, please take a moment to read through the extremely-relevant warnings below:
WARNING: Intentionally modifying your System partition from TWRP recovery, without first flashing a custom kernel (kernel must have no "verify" mount parameter in fstab), will likely cause a soft-brick (boot-loop). Before flashing this (or any) custom recovery/kernel, it is advised that you know how to restore your phone back to OH6 stock using Odin.
Note: Flashing a custom kernel (while keeping a stock System/ROM) may cause your device to report a security threat. If you proceed without caution, the device will literally attempt to re-flash the stock OH6 kernel again. It is possible to freeze "Security Log Agent" (or uninstall it completely), and this should keep your device from reporting this problem. Other reports say that using "Smart Manager" might also report the security threat, and there are some options out there for replacing it with a patched version.
Rooted Phones: Do NOT allow "com.tmobile.pr.adapt" to obtain root permissions, EVER. This app might be something that T-Mobile uses to determine if your device has ever been rooted. I would recommend freezing/disabling this app.
Unlocked Phones: If you have unlocked your phone, you might run into problems with 5.1.1. There have been reports of phones stuck in a boot-loop when upgrading from 5.0.2 -> 5.1.1 when the phone has been unlocked or EFS/IMEI has been tampered with. Combine this with the new "FRP LOCK" (Factory Reset Protection) in 5.1.1, and you might find yourself with a complete brick with no warranty. This issue may or may not have anything to do with rooting or custom firmware.
WARNING: Flashing any custom firmware to your device will trip the KNOX Warranty Bit. At this time, this is irreversible, and might cause you problems when returning faulty devices to T-Mobile or Samsung. YMMV.
How-To-Install (The Short Version):
Recognize that this will trip KNOX.
Be sure you're actually already running the 5.1.1 (OH6) firmware. If you're on 5.0.2 (OCG, for example), this thread is not for you.
Turn on "OEM unlocking" in Settings -> Developer options. This is the dreaded "FRP LOCK" that prohibits custom firmware from being flashed to the G925T/G920T (and maybe others) - it's something new in 5.1.1.
Download and Odin-flash my v13 of TWRP 2.8.7.x.
Download and Odin-flash (or TWRP-flash) my v1 build of the OH6 kernel. G920T users should use the appropriate G920T kernel for their device.
(Optional): Download and TWRP-flash Chainfire's SuperSU v2.49 (.zip format).
(Advice): Use Titanium Backup or some other app to freeze/disable/uninstall "SecurityLogAgent" (remove nagging about security) and "com.tmobile.pr.adapt" (remove nagging about root, helps with sleep, and may be used by T-Mobile to determine your rooted status).
Enjoy TWRP + Root with an almost-completely-stock OH6 kernel/system!
Official TWRP for G925T:
It's official! Thanks to all of our hard work in this thread, plus a bunch of work getting things fine-tuned and finalized by @bigbiff, our device is now officially supported by TeamWin! Check out the official page here. Development will continue here on this thread until further notice, and I'll always be building the latest-and greatest from source and making it available in this thread (not to mention this is the go-to place to get the latest version of my kernel).
Downloads:
Here's the Odin-flashable OF6 kernel I've built:
Version 1 (6/25/15) - built from OF6 stock kernel source, no modifications
Version 2 (6/27/15) - built from OF6 stock kernel source, fixes boot-loop
Version 3 (6/28/15) - built from OF6 stock kernel source, fixes boot-loop and allows root
Version 4 (6/28/15) - built from OF6 stock kernel source, fixes boot-loop, allows root, and fixes Deep Sleep - also available as a TWRP-flashable .zip or Flashify .img
Here's the Odin-flashable OF8 kernel I've built:
Version 1 (8/10/15) - built from OF8 stock kernel source, fixes boot-loop, allows root, and fixes Deep Sleep - also available as a TWRP-flashable .zip or Flashify .img
Here's the Odin-flashable OH6 kernel I've built:
Version 1 (9/15/15) - built from OH6 stock kernel source, fixes boot-loop, allows root, and fixes Deep Sleep - also available as a TWRP-flashable .zip or Flashify .img
Here's the Odin-flashable TWRP recovery I've put together:
Version 13 (7/10/15) - also available as a Flashify .img
And, in case you need it, here's the stock OF8 recovery as an Odin-flashable:
OF8 Stock Recovery - No guarantees it won't trip KNOX (it shouldn't), but if you're needing this, you've probably already tripped KNOX. Sorry, I'm too lazy to package and upload a flashable OH6 stock kernel.
G920T users! I bring you a gift! I took the G920TUVU2DOH6 Samsung source, built it with the same modifications as I did the G925T kernel to allow modified System partitions (allows root w/o bootloop), and then stuck that into the G920T OH6 stock kernel provided by @icepuente (thanks!). Also, some additional thanks to @icepuente for testing it, too!
Version 1 (9/21/15) - FOR G920T - built from G920TUVU2DOH6 stock kernel source, fixes boot-loop, allows root, and fixes Deep Sleep - also available as a TWRP-flashable .zip or Flashify .img
Building this OH6 kernel from source:
Setup your build environment for compiling Android.
Download the latest NDK, unpack, etc., etc.
Download the OH6 source code directly from Samsung.
Update the Makefile's CROSS_COMPILE to use the NDK toolchain. Mine ended up looking like this: /home/aou/android/NDK/android-ndk-r10e/toolchains/aarch64-linux-android-4.9/prebuilt/linux-x86_64/bin/aarch64-linux-android-
make exynos7420-zerolte_tmo_defconfig
For some reason, gcc treats CONFIG_ALWAYS_ENFORCE as always defined, and therefore the kernel will, of course, always enable SELinux: Enforcing. This makes it "impossible" to root Android 5.1.1. There is a workaround:
rm -rf security/selinux
svn export https://github.com/glewarne/S6-UniKernel/trunk/security/selinux security/selinux (snags a copy of their security/selinux folder...)
Go give the guys over at the UniKernel thread some "Thanks!" for making this workaround in their kernel, especially @AndreiLux - he was the one to author this change to their source that fixes this problem.
Replace drivers/scsi/sd.c with Sujit Reddy Thumma's Deep Sleep fixed version, referenced in the UniKernel's source:
curl https://raw.githubusercontent.com/glewarne/S6-UniKernel/master/drivers/scsi/sd.c > drivers/scsi/sd.c
make -j#
Go snag that juicy arch/arm64/boot/Image - This is your kernel zImage.
Go download the official OH6 Odin package and extract the boot.img (kernel) from it.
Unpack the official kernel using the mkbootimg_tools, available here, replace the kernel file in the unpacked boot.img, and then repack it into a boot.img again. This boot.img would need to be tarballed and md5summed to be Odin flashable.
You'll want to remove the ,verify from both of these files in the ramdisk: fstab.samsungexynos7420 and fstab.samsungexynos7420.fwup
At the bottom of default.prop, you'll want to add these two lines:
Code:
ro.securestorage.support=false
androidboot.selinux=0
Building TWRP from source:
Setup your build environment for compiling Android.
Download the latest NDK, unpack, etc., etc. Mine ended up in ~/android/NDK.
Git clone the TWRP zerolte kernel source somewhere useful. Mine was cloned into ~/android/kernel:
git clone https://github.com/TeamWin/android_kernel_samsung_zerolte.git -b android-5.1 ~/android/kernel
The next several steps are performed in & relative to this path.
Update the Makefile's CROSS_COMPILE to use the NDK toolchain. Mine ended up looking like this: /home/aou/android/NDK/android-ndk-r10e/toolchains/aarch64-linux-android-4.9/prebuilt/linux-x86_64/bin/aarch64-linux-android- (to match my NDK path above - note I couldn't use the relative ~ path for /home/aou).
make exynos7420-zerolte_defconfig (ignore warnings about 'jump')
make -j# (replace # with number of CPU cores + 1)
Note the location of the output kernel - you'll need it in a little bit. In my case, it would be ~/android/kernel/arch/arm64/boot/Image.
Setup your Omnirom compile environment. Mine's in ~/android/omni. The next several steps are performed in & relative to this path.
Git clone the TWRP zeroltetmo device source into device/samsung/zeroltetmo:
rm -rf device/samsung/zeroltetmo && git clone https://github.com/TeamWin/android_device_samsung_zeroltetmo.git -b android-5.1 device/samsung/zeroltetmo
For some reason, TWRP doesn't build too well with the Omnirom's version of busybox. Replace the whole external/busybox folder with that from cm-12.1 source:
rm -rf external/busybox && git clone https://github.com/CyanogenMod/android_external_busybox.git -b cm-12.1 external/busybox
Remember that kernel we built? Rename/copy it to replace device/samsung/zeroltetmo/kernAl. In my case:
cp ~/android/kernel/arch/arm64/boot/Image device/samsung/zeroltetmo/kernAl
At this time (7/10/15), we need to cherry-pick a change by Dees Troy from the TWRP Gerrit. This is the stuff about forcing Read-Only mode on first boot, which will help with some of the boot-loop stuff (if you still have a stock kernel). You can grab the changes fairly easily using:
cd bootable/recovery && git fetch https://gerrit.omnirom.org/android_bootable_recovery refs/changes/15/14015/3 && git cherry-pick FETCH_HEAD && cd ../..
Since we're using Omnirom source and we're going to use lunch later, we need to create device/samsung/zeroltetmo/vendorsetup.sh. We can do that like this:
echo add_lunch_combo omni_zeroltetmo-eng > device/samsung/zeroltetmo/vendorsetup.sh
Do a . build/envsetup.sh (note the space between the period and "build" - was important for my environment).
lunch for omni_zeroltetmo-eng
make -j# recoveryimage (again, number of CPU cores +1)
Take that precious out/target/product/zeroltetmo/recovery.img and tarball/md5sum it to be Odin flashable.
Flash away!
Notes about accidentally causing a boot-loop:
The OF6/OF8/OH6 kernel, out-of-the-box, checks the hash/signature of your system partition. Modifying your system partition in any way (without flashing a custom kernel that does not perform this check) will cause your device to boot-loop.
Additionally, if you decide to use TWRP to mount your System partition read-write (despite warnings), upon exiting TWRP properly, it will make some changes to your system partition for you (namely, renames /system/recovery-from-boot.p to /system/recovery-from-boot.bak to prevent some systems from re-writing over your custom recovery). This would cause the boot-loop.
You obviously have some options to avoid causing a bootloop!
Option 1a: Flash my v4 kernel above. It does not have the hash/signature checks, plus it sets SELinux to permissive (allowing root!). You'll still need to root the device manually by flashing Chainfire's SuperSU.
Option 1b: Flash a different custom kernel that does not have these checks. The S6 UniKernel seems to work fine, for example.
Option 2: Don't modify your System partition, and don't let TWRP exit properly while you have the "read-only" checkbox unchecked (in the Mount screen).
Recovering from a boot-loop:
Something go wrong? Skip a step? No big deal. To get our device back in working order, you have a couple options:
Option 1: Flash the official OH6 firmware via Odin again. In my experience, the package DOES NOT wipe your data or sdcard partitions, so it really isn't that big of a deal to do. It just takes downloading a monster-size file, and the foreknowledge on how to flash it. But, caveat, don't blame me if something goes wrong with restoring the stock firmware!
Option 2: See Options 1a & 1b in the first list above. By flashing a custom kernel that doesn't have the hash/signature checks included, it should fix the boot-loop.
More Notes:
Huge thanks to @bigbiff for reading through prior versions of this post and updating the TWRP source code to work with our device without the need for heavy modification. Additional thanks to @_that for his invaluable help in this project.
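Both the kexec-hardboot post earlier on this page (which needs the kernel/ramdisk load addresses and cmdline out of a packed boot.img) and the kernel-build steps above (remove ",verify" from the fstab files in the ramdisk, add androidboot.selinux=0 to default.prop) revolve around the contents of an Android boot image. The following is an added example, not code from either thread or from the TWRP or kexec projects: it parses the v0 boot.img header, unpacks the gzip + newc-cpio ramdisk, and reports which of those verified-boot and SELinux settings have been weakened, which is the check you would run on an image before deciding whether to trust it. The sample image, its load addresses (0x10008000 etc.), the fstab lines and the property values are all constructed for the example, not taken from any real device.

```python
"""Audit an Android boot.img: read the header fields kexec needs (load addresses,
cmdline), unpack the gzip + newc-cpio ramdisk, and flag the fstab/default.prop
changes the TWRP post describes. Added example; all sample data is constructed."""
import gzip
import struct

BOOT_MAGIC = b"ANDROID!"
# Header v0: magic, kernel_size, kernel_addr, ramdisk_size, ramdisk_addr, second_size,
# second_addr, tags_addr, page_size, two reserved words, name[16], cmdline[512].
HEADER_FMT = "<8s10I16s512s"


def _pad4(n):
    return (-n) % 4


def cpio_newc_pack(files):
    """Build a newc cpio archive from {name: bytes} (used to construct the sample)."""
    out = bytearray()
    for name, data in list(files.items()) + [("TRAILER!!!", b"")]:
        nb = name.encode() + b"\0"
        # 13 fields, 8 hex digits each: ino, mode, uid, gid, nlink, mtime, filesize,
        # devmajor, devminor, rdevmajor, rdevminor, namesize, check
        fields = [1, 0o100644, 0, 0, 1, 0, len(data), 0, 0, 0, 0, len(nb), 0]
        out += b"070701" + b"".join(b"%08X" % f for f in fields)
        out += nb + b"\0" * _pad4(110 + len(nb))
        out += data + b"\0" * _pad4(len(data))
    return bytes(out)


def cpio_newc_unpack(blob):
    """Return {name: bytes} from a newc cpio archive (the stock ramdisk format)."""
    files, pos = {}, 0
    while pos + 110 <= len(blob):
        if blob[pos:pos + 6] != b"070701":
            raise ValueError("bad cpio magic at offset %d" % pos)
        fields = [int(blob[pos + 6 + 8 * i:pos + 14 + 8 * i], 16) for i in range(13)]
        filesize, namesize = fields[6], fields[11]
        name = blob[pos + 110:pos + 110 + namesize - 1].decode()
        pos += 110 + namesize + _pad4(110 + namesize)
        if name == "TRAILER!!!":
            break
        files[name] = blob[pos:pos + filesize]
        pos += filesize + _pad4(filesize)
    return files


def parse_header(img):
    vals = struct.unpack_from(HEADER_FMT, img, 0)
    if vals[0] != BOOT_MAGIC:
        raise ValueError("not an Android boot image")
    keys = ("kernel_size", "kernel_addr", "ramdisk_size", "ramdisk_addr",
            "second_size", "second_addr", "tags_addr", "page_size")
    hdr = dict(zip(keys, vals[1:9]))
    hdr["cmdline"] = vals[12].rstrip(b"\0").decode()
    return hdr


def audit(img):
    """Header facts plus a list of settings that weaken verified boot / SELinux."""
    hdr = parse_header(img)
    ps = hdr["page_size"]
    # Layout: one header page, then the kernel, then the ramdisk, each page-aligned.
    ramdisk_off = ps + -(-hdr["kernel_size"] // ps) * ps
    files = cpio_newc_unpack(gzip.decompress(img[ramdisk_off:ramdisk_off + hdr["ramdisk_size"]]))
    findings = []
    for name, data in files.items():
        if name.startswith("fstab."):
            for line in data.decode(errors="replace").splitlines():
                # fstab columns: source mount_point fs_type mnt_flags fs_mgr_flags
                cols = line.split()
                if len(cols) >= 5 and cols[1] == "/system" and "verify" not in cols[4].split(","):
                    findings.append("%s: /system mounted without the 'verify' flag" % name)
    prop = files.get("default.prop", b"").decode(errors="replace")
    if "androidboot.selinux=0" in prop or "androidboot.selinux=permissive" in prop:
        findings.append("default.prop: SELinux forced off via androidboot.selinux")
    if "ro.securestorage.support=false" in prop:
        findings.append("default.prop: ro.securestorage.support disabled")
    hdr["files"], hdr["findings"] = sorted(files), findings
    return hdr


def build_sample_boot_img(fstab_text, default_prop, page_size=2048):
    """Construct a minimal boot.img; the kernel bytes and addresses are placeholders."""
    kernel = b"\0" * 64
    ramdisk = gzip.compress(cpio_newc_pack({
        "fstab.samsungexynos7420": fstab_text.encode(),
        "default.prop": default_prop.encode()}))
    hdr = struct.pack(HEADER_FMT, BOOT_MAGIC, len(kernel), 0x10008000, len(ramdisk),
                      0x11000000, 0, 0, 0x10000100, page_size, 0, 0, b"sample",
                      b"console=null androidboot.hardware=sample")

    def page(b):
        return b + b"\0" * ((-len(b)) % page_size)
    return page(hdr) + page(kernel) + page(ramdisk)


# Constructed fstab / default.prop contents: stock-style versus the post's edits.
STOCK_FSTAB = "/dev/block/platform/sample/by-name/SYSTEM /system ext4 ro wait,verify\n"
MODIFIED_FSTAB = "/dev/block/platform/sample/by-name/SYSTEM /system ext4 ro wait\n"
STOCK_PROP = "ro.debuggable=0\n"
MODIFIED_PROP = STOCK_PROP + "ro.securestorage.support=false\nandroidboot.selinux=0\n"
```

Run `audit(open("boot.img", "rb").read())` on a real image to get the header addresses and cmdline (the values a kexec cmdline script has to reproduce) together with the findings list; an unmodified stock image returns no findings, while an image edited as in the post above reports the missing verify flag and the SELinux/securestorage properties. The parser only handles the page-aligned v0 header and a gzip-compressed newc ramdisk, which is what the stock Samsung and Sony images on this page use; images with a DT blob appended or a different compressor would need the ramdisk step adjusted.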
Hope this gets resolved, thanks so much @Aou!
That's some progress made
Good to hear!
Nice work @Aou
Yay! Progress has been made! Congratulations, @Aou!
http://forum.xda-developers.com/showthread.php?t= Check that out; looks like root via an Odin-able unified kernel, pre-rooted, and TWRP.
Sent from my SM-G925T using XDA Free mobile app
@tylerholbrook - I'm not sure what you're linking to? (broken link?)
And, to update everyone following this post, I've just uploaded v7 and a custom OF6 kernel, and replaced my DIY instructions with what I've done this time around. MUCH simpler with 2.8.7.0!
Also:
Is this proof enough for anyone that 5.1.1 does NOT lock the bootloader?
Aou said:
@tylerholbrook - I'm not sure what you're linking to? (broken link?)
And, to update everyone following this post, I've just uploaded v7 and a custom OF6 kernel, and replaced my DIY instructions with what I've done this time around. MUCH simpler with 2.8.7.0!
Also:
Is this proof enough for anyone that 5.1.1 does NOT lock the bootloader?
http://forum.xda-developers.com/gal...-stockmod-kernel-t3100395/page50#post61551321
Try that one; sorry, on my computer now. It's in the unified development section for the unified kernel. They have a working TWRP for the non-Edge and there is a patched kernel that should give root for us when flashed in Odin, if I read correctly. I'm still on 5.0.2 or I would test it; I just don't want to upgrade and have it not work and be stuck having to flash the whole factory image. I need root for tethering etc.
---------- Post added at 08:34 AM ---------- Previous post was at 08:30 AM ----------
tylerholbrook said:
http://forum.xda-developers.com/gal...-stockmod-kernel-t3100395/page50#post61551321
Try that one; sorry, on my computer now. It's in the unified development section for the unified kernel. They have a working TWRP for the non-Edge and there is a patched kernel that should give root for us when flashed in Odin, if I read correctly. I'm still on 5.0.2 or I would test it; I just don't want to upgrade and have it not work and be stuck having to flash the whole factory image. I need root for tethering etc.
@Aou somehow Sunderwear got another mysterious update OTA that was prerooted to my understanding... more info on that is in the TMobile galaxy s6 thread in the general section.
tylerholbrook said:
http://forum.xda-developers.com/gal...-stockmod-kernel-t3100395/page50#post61551321
Try that one; sorry, on my computer now. It's in the unified development section for the unified kernel. They have a working TWRP for the non-Edge and there is a patched kernel that should give root for us when flashed in Odin, if I read correctly. I'm still on 5.0.2 or I would test it; I just don't want to upgrade and have it not work and be stuck having to flash the whole factory image. I need root for tethering etc.
---------- Post added at 08:34 AM ---------- Previous post was at 08:30 AM ----------
@Aou somehow Sunderwear got another mysterious update OTA that was prerooted to my understanding... more info on that is in the TMobile galaxy s6 thread in the general section.
I'll have to mess with those tomorrow. Thanks!
(okay, now I really need to go to bed! Work in the morning...)
Aou said:
I'll have to mess with those tomorrow. Thanks!
(okay, now I really need to go to bed! Work in the morning...)
Ha yeah no problem. Really hoping it works for us but they had success on the 920x versions as well as a fully working TWRP that could probably be used to branch and get yours fully working. Fingers crossed :good: Thanks for your hard work!
Bam. 5.1.1 root
Did you see bigbiff released a TWRP for the other guys where everything works. Should I test out v7? I just don't want a bootloop lol
ktetreault14 said:
Did you see bigbiff released a TWRP for the other guys where everything works. Should I test out v7? I just don't want a bootloop lol
For the other guys? Mind linking me up?
Adizzzle said:
For the other guys? Mind linking me up?
http://forum.xda-developers.com/showthread.php?t=3080940
The only missing piece of the puzzle
Thank you for having this so I didn't have to re-Odin.
Sorry, a little confused here: does that mean we have a new TWRP image available for the G925T/W8?
Well I can't take a backup but it doesn't screw my boot up
ktetreault14 said:
Well I can't take a backup but it doesn't screw my boot up
Really? It didn't screw up your boot? Interesting...
In any event, the v7 I had uploaded last night was not actually v7. It was some bastardized hybrid of v6 and v7. I re-uploaded the REAL v7.
Still breaks System at this time, but I'm working on it. The TWRP for the international S6 seems to have pretty much all the same source as mine, at least what they're showing right now. I'll double check and verify some stuff.
As for root, great! I'm looking into baking the same thing into my kernel, so those who want to stay closer to TMO stock can do so without fear. It's possible that the SuperSU flashable zip would work on 5.1.1 if we just set SEAndroid to "permissive", which is what I see those guys are doing, primarily. The rest is just convenience - taking advantage of:
a) some emergency-flash feature that Samsung has baked in (lets the device flash or execute something on boot, if it needs to), and
b) some modified init.rc script, injecting root and starting it with every boot.
I'm looking into this, and fixing my TWRP. Also looking into the feasibility of flashing/repairing the System partition from my existing v7 broken TWRP...
Aou said:
Really? It didn't screw up your boot? Interesting...
In any event, the v7 I had uploaded last night was not actually v7. It was some bastardized hybrid of v6 and v7. I re-uploaded the REAL v7.
Still breaks System at this time, but I'm working on it. The TWRP for the international S6 seems to have pretty much all the same source as mine, at least what they're showing right now. I'll double check and verify some stuff.
As for root, great! I'm looking into baking the same thing into my kernel, so those who want to stay closer to TMO stock can do so without fear. It's possible that the SuperSU flashable zip would work on 5.1.1 if we just set SEAndroid to "permissive", which is what I see those guys are doing, primarily. The rest is just convenience - taking advantage of:
a) some emergency-flash feature that Samsung has baked in (lets the device flash or execute something on boot, if it needs to), and
b) some modified init.rc script, injecting root and starting it with every boot.
I'm looking into this, and fixing my TWRP. Also looking into the feasibility of flashing/repairing the System partition from my existing v7 broken TWRP...
Yeah, it didn't break System. It also didn't let me back up, though. Haven't tried the other yet.
