I have the Android ADK installed and I have adb. I don't seem to have the privileges to use it though. If I try and use it normally I get
Code:
$ adb devices
List of devices attached
???????????? no permissions
I can only get it to work if I start adb as the admin. Then I can use it as a normal user.
Also, I don't seem to have fastboot. Where do I get it?
On some Linux systems, starting adb as root is the easiest way to go about things. Some systems require setting up udev rules to give normal users permissions to run adb. Still others, simply changing the permissions on adb itself and putting it somewhere in the path will work. Running it as root isn't recommended, but it does work.
As for fastboot, Google have stopped pre-compiling it and distributing it with the SDK. You can either compile the emulator to get it or download a pre-compiled binary from HTC's support website.
beartard said:
On some Linux systems, starting adb as root is the easiest way to go about things. Some systems require setting up udev rules to give normal users permissions to run adb. Still others, simply changing the permissions on adb itself and putting it somewhere in the path will work. Running it as root isn't recommended, but it does work.
As for fastboot, Google have stopped pre-compiling it and distributing it with the SDK. You can either compile the emulator to get it or download a pre-compiled binary from HTC's support website.
Ok I guess it's just easier to start it as root. Fastboot on the other hand won't work. After I use the command
Code:
adb reboot bootloader
my phone reboots into recovery and has FASTBOOT USB on the screen. When I type
Code:
fastboot devices
it just goes to the command line again and doesn't show anything. When I try and type $ fastboot reboot I get
Code:
< waiting for device >
Any ideas why it's not working?
I'm probably sharing my ignorance here, but did you run fastboot after starting adb as root? You might have to run it as root as well. Also, try unplugging your phone and re-plugging it before running the command.
beartard said:
I'm probably sharing my ignorance here, but did you run fastboot after starting adb as root? You might have to run it as root as well. Also, try unplugging your phone and re-plugging it before running the command.
Ok, now I feel really dumb. I guess I didn't run fastboot as root before. I could have sworn I did. Well now it seems to all be working, as long as I am root. I wish I could do it without having to be root.
Thanks beartard
No problem. In case you're interested in how to do it The Right Way™ here's a post I found on the Google support forums for Android. The author had a Motorola CLIQ. The vendor id for the Slide is 0bb4.
I found this info to be helpful, although there was not much explanation behind it, and in the end things still did not work for me. after a number of hours of debugging (which was kind of fun!) i finally got things working, and wanted to document it here in case others have the same issues. also documented is *how to debug* your stuff, which may be as valuable as the fix!
disclaimer:
i still don't really understand udev very well, so if someone who does can clarify my observations, that would be cool.
my environment:
ubuntu 10.04, device is a motorola cliq.
adb version 1.0.26
eclipse version 3.5.2 (galileo)
the problem:
persistent issues with adb devices returning:
List of devices attached
???????????? no permissions
rat holes i went down:
a) first, be sure that when you write your android-specific rules in /etc/udev/rules.d that you ensure that you name the file with a name that ends in .rules, or else the udev daemon won't read it.
b) Ubuntu 10.04 uses a new version of udev, so some of the documentation you find on the web is out of date.
c) The phone looks like a disk drive to the OS, which caused me some weirdness. more later.
some basics:
a) the udev infrastructure is what the OS uses to dynamically map, present, and control USB devices. you will need to tell udev what to do with your android phone when the phone is in application debug mode (that is why you need the /etc/udev/rules.d/50-android.rules file).
b) the adb (android debug bridge) is the daemon (using network sockets) that allows the IDE to talk to the device. when you run commands like 'adb devices' the command looks for a running daemon, and if one is not running it starts one and then communicates with it.
c) the "no permissions" error message indicates that the adb daemon cannot get the right permissions to access the device as the user that it is running as. normally the IDE starts the daemon as the user you are logged in as. unless the phone device appears in the udev infrastructure with the correct permissions to be accessed as the user you are logged in as, it won't work.
steps:
1) plug your phone into the usb bus on your system. does not need to be in application debug mode yet...
2) verify that you can see the phone by using 'lsusb', e.g.:
$ lsusb
Bus 003 Device 001: ID 1d6b:0001 Linux Foundation 1.1 root hub
Bus 002 Device 044: ID 22b8:2d66 Motorola PCS
Bus 002 Device 004: ID 0451:2046 Texas Instruments, Inc. TUSB2046 Hub
Bus 002 Device 003: ID 10d5:0001 Uni Class Technology Co., Ltd
...
the line "ID 22b8:2d66 Motorola PCS" is my phone. the rest is other stuff on the usb busses. ignore it.
3) the 4 digit value 22b8 is the Vendor ID of my phone. yours may be different. whatever it is, this is the value you need to use in your udev rule.
4) the Bus number and Device number are useful. you can see what permissions your device is getting at any time by doing
$ ls -l /dev/bus/usb/<busnumber> where <busnumber> is the Bus number above (002 in this case).
the permissions of the device will be the permissions of the file numbered with the Device number above. in my case it was device 044, so the full file path is /dev/bus/usb/002/044
! note - this device number will change when you plug/unplug or enable/disable debug on your device.
5) you can now get *a lot* of info on this device by using 'udevadm info', but you need to use the bus and device info above (remember yours may be different and change). you can use either udev info command --query=all or --attribute-walk, e.g.:
$ udevadm info --query=all --name=/dev/bus/usb/002/044
or
$ udevadm info --attribute-walk --name=/dev/bus/usb/002/044
note that the attribute-walk walks up the bus. the first entry printed should be the lowest device on the chain, which is your phone. in my case some of the lines looked like:
looking at device '/devices/pci0000:00/0000:00:1d.0/usb2/2-2/2-2.4':
KERNEL=="2-2.4"
SUBSYSTEM=="usb"
DRIVER=="usb"
ATTR{configuration}=="Motorola Config 42"
...
ATTR{idVendor}=="22b8"
...
ATTR{busnum}=="2"
ATTR{devnum}=="44"
ATTR{version}==" 2.00"
ATTR{maxchild}=="0"
ATTR{quirks}=="0x0"
ATTR{authorized}=="1"
ATTR{manufacturer}=="Motorola "
ATTR{product}=="MB200"
ATTR{serial}=="<serialnumber>"
...
where the <serialnumber> is the serial number of my phone, which will show up in the adb devices list when this all works. recognize the items that you will need for the .rules file are there.
6) now, let's write the .rules file. you have two choices. either get the permissions of the phone as it shows up changed to 0666 (rw for all users, including the world) or change the ownership to be your user. i prefer the latter. seems cleaner to me, so i will use this approach for the rest of the info.
7) find out who you are. use the id command, e.g.:
$ id
uid=1000(<your username>) gid=1000(<your group name>) groups=...
where the uid and gid for you are indicated. for now let's use both as 'juser' for the example.
8) now let's create the .rules file. the number at the beginning of the file name is the order that it will be loaded by the udev infrastructure. it may be important. all the examples showed a number of 50, but there are a bunch of things being loaded in /lib/udev/rules.d/ as well. i prefer to make my file name 99-android.rules to force it to load very late in the process. this keeps other later things from clobbering my permissions as they load.
for example, if you use the ATTR{idVendor} attribute in .rules as opposed to SYSFS{idVendor}, then when other later rules load they could overwrite the permissions you set in your .rules file.
9) you have to use root or sudo to create the file in /etc/udev/rules.d. create /etc/udev/rules.d/99-android.rules and put in a line like:
SUBSYSTEM=="usb", SYSFS{idVendor}=="<Vendor ID>", OWNER="<your username>", GROUP="<your group name>"
and save it.
the SYSFS{idVendor} value needs to match your device id, and the OWNER and GROUP are from step 7 above.
for this example let's use
SUBSYSTEM=="usb", SYSFS{idVendor}=="22b8", OWNER="juser", GROUP="juser"
if you just want to set the permissions use:
SUBSYSTEM=="usb", ATTR{idVendor}=="22b8", MODE="0666"
10) now, when you connect the device (try the application debug mode) you should be able to see that the device appears with the correct user permissions. e.g.(using this example's bus, device, and uid/gid values):
$ ls -l /dev/bus/usb/002
crw-rw-r-- 1 root root 189, 128 2010-10-09 20:02 001
...
crw-rw-r-- 1 root root 189, 131 2010-10-09 20:02 004
crw-rw-r-- 1 juser juser 189, 173 2010-10-10 11:29 044
this is very good, 'cause now adb running as you will be able to read and write the device.
11) if you did not get here, then you have udev issues. don't bother beating on adb, the problem is in udev. your best bet is to go into /etc/udev and edit udev.conf, to change the line
udev_log="err" to udev_log="debug" to see what is going on. then you can follow what udev is doing by opening a terminal window and following /var/log/syslog with:
# tail -f /var/log/syslog
you may need to restart udev, which you can do by doing:
$ sudo /etc/init.d/udev restart
from another terminal window.
this output is very verbose, but you should look to see that your .rules file is being loaded. if not, then that is the issue to fix.
12) if all is ok, and the device has the right permissions, when you put it into application debug mode you should be able to simply start the adb server with:
$ adb devices
and see your device by serial number
List of devices attached
<serialnumber> device
13) if you have problems with adb, here are a few things to check.
a) make sure you see that adb is running, and owned by you by looking for it with ps, e.g.:
$ ps aux |grep adb
you should see a line like:
juser <pid> 0.0 0.1 28160 728 pts/4 Sl 10:18 0:01 adb fork-server server
where juser should be your user id, and <pid> is the process ID.
b) if adb is running as root, you may need to use 'sudo killall adb' to kill it off and then as your user run 'adb devices', which should start the server as you.
c) if you still have problems you can run strace on the server and its child processes with:
$ strace -f ./tools/adb server
note that the output is very verbose, but look thru there for some kind of permissions problem. lots of 'file not founds' are ok, but as the daemon starts and tries to bind to the device, you may find a permission problem.
hope this helps. sorry to be long winded.
jerichod.
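The udev steps in the quoted post, condensed into a script. This is an added example, not part of jerichod's post: the function names, the MODE="0660" setting and the third line of the sample listing (device 045) are assumptions made for illustration, and the sample input is constructed from the values shown in the post.

```shell
#!/bin/sh
# Added example (not from the original post): derive a udev rule for adb
# access from lsusb output and audit device-node modes from `ls -l` output.

# Constructed sample input, using lsusb lines quoted in the post.
SAMPLE_LSUSB='Bus 003 Device 001: ID 1d6b:0001 Linux Foundation 1.1 root hub
Bus 002 Device 044: ID 22b8:2d66 Motorola PCS
Bus 002 Device 004: ID 0451:2046 Texas Instruments, Inc. TUSB2046 Hub'

# Constructed listing; the last line is a hypothetical node left at 0666.
SAMPLE_LS='crw-rw-r-- 1 root root 189, 128 2010-10-09 20:02 001
crw-rw-r-- 1 juser juser 189, 173 2010-10-10 11:29 044
crw-rw-rw- 1 root root 189, 174 2010-10-10 11:30 045'

# usb_lookup PATTERN   (lsusb output on stdin)
# Prints "bus device vendor product" for the first line containing PATTERN
# (case-insensitive); prints nothing when no line matches.
usb_lookup() {
    awk -v pat="$1" '
        $1 == "Bus" && $3 == "Device" && $5 == "ID" &&
        index(tolower($0), tolower(pat)) {
            dev = $4; sub(/:$/, "", dev)
            split($6, id, ":")
            print $2, dev, id[1], id[2]
            exit
        }'
}

# device_node BUS DEVICE: the node whose permissions adb depends on.
device_node() {
    printf '/dev/bus/usb/%s/%s\n' "$1" "$2"
}

# make_rule VENDOR OWNER GROUP
# Emits an owner-restricted rule instead of the world-writable MODE="0666".
# ATTR{} is the match key current udev accepts; SYSFS{} is the older spelling.
# Inputs are validated so a stray quote cannot smuggle extra keys into the rule.
make_rule() {
    vendor=$(printf '%s' "$1" | tr 'ABCDEF' 'abcdef')
    case "$vendor" in
        [0-9a-f][0-9a-f][0-9a-f][0-9a-f]) ;;
        *) echo "vendor id must be 4 hex digits: $1" >&2; return 1 ;;
    esac
    for name in "$2" "$3"; do
        case "$name" in
            ''|*[!A-Za-z0-9_.-]*)
                echo "unsafe user/group name: $name" >&2; return 1 ;;
        esac
    done
    printf 'SUBSYSTEM=="usb", ATTR{idVendor}=="%s", OWNER="%s", GROUP="%s", MODE="0660"\n' \
        "$vendor" "$2" "$3"
}

# world_writable MODESTRING: succeeds if the `ls -l` mode column grants
# write access to "other" (9th character is w).
world_writable() {
    case "$1" in
        ????????w*) return 0 ;;
        *) return 1 ;;
    esac
}

# audit_listing   (`ls -l /dev/bus/usb/<bus>` output on stdin)
# Prints the device number of every node any local user can write to.
audit_listing() {
    while read -r mode _links _owner _group rest; do
        if world_writable "$mode"; then
            printf '%s\n' "${rest##* }"
        fi
    done
}

# Demo on the constructed samples. On a real system, pipe `lsusb` and
# `ls -l /dev/bus/usb/<bus>` in instead, and install the rule as root in
# /etc/udev/rules.d/99-android.rules (the file name used in the post).
set -- $(printf '%s\n' "$SAMPLE_LSUSB" | usb_lookup 'Motorola')
echo "node to check: $(device_node "$1" "$2")"
make_rule "$3" juser juser
echo "world-writable nodes: $(printf '%s\n' "$SAMPLE_LS" | audit_listing)"
```

Re-plug the phone after installing the rule, since the device number (and so the node path) changes on every reconnect.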
It seems that most of the community is gravitating toward disabling forced encryption, so I might be alone here, but I actually like the idea of having the device encrypted.
I rooted my device without flashing twrp (I'll cover the steps I took in just a second) so that it could retain the original stock recovery. I'm trying to keep the device as stock as possible, just with root and xposed.
Steps I took are as follows...
Download
Minimal ADB and Fastboot
TWRP
SuperSU (beta)
Xposed
Enable developer mode on device
Code:
adb reboot fastboot
Code:
fastboot boot twrp*.img
(I had to nuke /data at this point, otherwise it wouldn't boot)
Turn on ADB sideload in TWRP
Code:
adb sideload BETA*.zip
Code:
adb sideload xposed*.zip
It's successfully rooted and xposed framework is installed, but it's not encrypted, and if I go into Settings -> Security -> Encryption and attempt to encrypt the device, it will just hang for hours at a time.
If anyone can offer any insight as to how I can get it rooted with xposed framework while retaining device encryption, that would be super helpful.
Figured it out.
Have to create a flag file for SuperSU. It can be any of the following (note leading dot to indicate it's a hidden file)...
/data/.supersu
/cache/.supersu
/system/.supersu
In it, the file needs to contain the following:
Code:
KEEPFORCEENCRYPT=true
Easiest way to accomplish this, for my purposes, is to do
Code:
adb shell 'echo "KEEPFORCEENCRYPT=true" >/data/.supersu'
I restored completely to stock before doing this, to avoid any possible issues. Also, this currently only works with BETA version (SuperSU 2.74). This particular flag's behavior might be inverted in the future, i.e., SuperSU might leave forceencrypt flag by default and require a flag to disable forceencrypt.
*** New Tool Added: 04-06-2017 ***
Warning: 'extremely powerful and dangerous tool'
This tool is designed to execute commands as root + system_server && install_recovery. While this example shows how to disable packages please be aware that a typo will be executed on the system as a command.
General Notice:
This package disabler is Android 6.01 64 bit and it isn't Samsung specific.
This tool is currently limited to only two contexts and therefore may not currently be able to disable "some??" packages.. Please let me know if that is true and I will attempt to find the correct context to disable the problem package.
Please note
This tool is part of a root kit I'm designing but since its purpose was never a package disabler it isn't likely to receive updates. If you have an issue and you're waiting for a correction it's gonna be some wait unless you pm me. (I'm trying to learn forums, best thing to do is PM me to make me aware of your post here)
Information Updates:
You can disable every AT&T app on the device for a net gain on battery performance for your device. But if you disable some of the security logging and Android proper packages you will start seeing a net loss on battery performance. I was at < 1% over night before I got crazy.. Now I'm back to 6% battery lost in 6 to 8 hours of screen off time.
(obviously a tool that can disable a package can enable it also so keep careful track of your cmd_list.txt files)
Instructions
Don't brick your phone... just kidding see in depth instructions on my github
sources, no binaries
April 12 2017 sources have been majorly overhauled, binaries are beta beta.. however, package disabling power not increased
--Android 5.11 r2 64-bit binary toolbox and applypatch 'till' now added. ubuntu + ndk needed to make run5
https://github.com/droidvoider/CVE-2016-5195_GreyhatRootProject_Root_Console
BINARIES - NO SOURCES -instructions for disabling packages are in the zips
Linux
https://drive.google.com/open?id=0B-fnF5v-xg6OYmdreVNJOGlLWUE
Windows (i didn't test that batch file.. edit the batch file it's just a "batch" of commands)
https://drive.google.com/open?id=0B-fnF5v-xg6OYmdreVNJOGlLWUE
Scope:
dirtycow 5195 is patched November 2016.. If you are running Android 6.01 you may be able to flash the October 2016 kernel to your phone to bypass the patch
1. First make sure you have the AP file from your firmware.. (specifically boot.img and recovery.img which are included in the AP file)
2. Backup your device.
3. Use Odin to flash PJ1 boot.img / recovery.img to your phone
https://drive.google.com/open?id=0B-fnF5v-xg6OR1VWRTItWFVOTVE
4. Constantly check your phone, if it is getting hot or losing a lot of battery fast you need to stop... restore it and forget this
5. as long as it's all good see the instructions included with the tool
OLD PROCESS BELOW
************************************************************ UPDATE: 02/21/2017 ************************************************************************
This exploit is powerful and from what I can tell you don't need to use adb at all to make it work. Create an archive of the app with your tool, I listed what I used below. Install from archive. "app crashes". There are 3 updaters that I kill: com.sec.fwservice + com.sec.android.soagent + com.ws.dm. Any apps I can disable in App Manager I disable normally instead. For example if you begin disabling Google play it will allow you to fully disable it. This was the biggest thing that made my battery life better. You can use the adb commands, script and etc also if you want to do anything and everything to avoid additional updates. Hopefully I'm right because I am done with updating.
**** Warning **** Disabling the wrong thing this way can cause the phone to crash so hard you need to flash firmware to restore it. Make sure you have backed up and that you have your firmware ready. Also be warned that in my experience devices can suddenly crash & need repair from doing this type of stuff!!
Tested on firmware N920AUCS4CPK1 Android 6.01 w/Nov. Sec. Patch
Overview of the process
Our goal is to completely remove most AT&T from the application manager list and have AT&T software show up as a regular app, not a hidden system app. I am unsure if we need to have a fresh flash and how far you need to go in order to achieve our intended goal. I am fairly confident we need only change system settings to off for AT&T + Knox that and then fire this script. If that is not enough please see page two. I would very much appreciate feedback so I can edit this.
===> REMINDER <===
Backup all your contacts, text messages, downloaded files and also individually back up any apps that are important to you. Also have a look at your /sdcard/ to see what's there. Do a full backup on the entire phone just in case you forgot anything.
*** Prepare to have to flash/wipe data to get this to work as I've only truly tested this after a recent flash personally!!! ***
This walk through utilizes the following technologies you will need to Google
You need the platform-tools from Android Studio SDK it comes with adb. (You can probably google platform-tools directory and download it)
(path environment needs to be set in the script or just fully qualify the location of adb which is what I do) <change to match your path>
I assume you understand how to download a file, open command prompt, cd to the directory it's downloaded to and edit the path to your platform-tools inside the batch file
I also assume you can figure out the Samsung USB driver for Windows and test that you can adb shell to your device.
I assume you can get into Download mode and flash your firmware with Odin / Windows using a usb cable.
Steps to brick your perfectly good working AT&T Note 5 phone
Denial of permission and general rearrangement of system apps Version .0008 beta
Fresh after a flash please block the signal on your phone if possible. I always block signal!!!
1.) Turn on developer options then confirm that you have OEM unlock on(like it matters), USB Debugging On and default Verify Apps via USB remains off
2) Kill all AT&T running processes DEVELOPER OPTIONS | RUNNING SERVICES (get Smart Limits, Protect app, ATT yahoo mail, anything ATT)
every opportunity)
2A) Package disabler is awesome leave it running if you have it we don't need anything special for adb, besides adb.
3) Plug your phone into your PC via usb and get it connected.. (adb devices "unauthorized means you didn't say ok on phone in time unplug/replug try again")
3a) adb shell should log you into the phone and exit should get you back out (we don't want to be in the shell just testing the connection)
4.) Turn off "can make system changes" for AT&T apps. Application Manager | More | Change System Settings | More | Show System Apps -- Turn off anything AT&T (I also kill anything I can knox, samsung)
5) Fire this script on your phone (obviously you will have it connected to your pc, allowed the connection on your phone screen)
Basic commands I'm using, I prioritize com.ws.dm and then I run the commands on the rest of AT&T:
<This small snippet is a linux bash shell while the attached script is a Windows example>
#!/bin/bash
#NOTE TO LINUX USERS: take the rest of the script from the windows batch and convert it to bash
/opt/Android/Sdk/platform-tools/adb devices
/opt/Android/Sdk/platform-tools/adb wait-for-device
/opt/Android/Sdk/platform-tools/adb shell am kill-all
/opt/Android/Sdk/platform-tools/adb shell pm clear com.ws.dm
/opt/Android/Sdk/platform-tools/adb shell pm reset-permissions com.ws.dm
/opt/Android/Sdk/platform-tools/adb shell am set-inactive com.ws.dm true
/opt/Android/Sdk/platform-tools/adb shell pm revoke com.ws.dm android.permission.CHANGE_CONFIGURATION
/opt/Android/Sdk/platform-tools/adb shell pm revoke com.ws.dm android.permission.WRITE_SECURE_SETTINGS
/opt/Android/Sdk/platform-tools/adb shell pm revoke com.ws.dm android.permission.BATTERY_STATS
/opt/Android/Sdk/platform-tools/adb shell pm revoke com.ws.dm android.permission.INTERACT_ACROSS_USERS
/opt/Android/Sdk/platform-tools/adb shell pm revoke com.ws.dm android.permission.SET_PROCESS_LIMIT
/opt/Android/Sdk/platform-tools/adb shell am kill-all
/opt/Android/Sdk/platform-tools/adb shell am kill com.ws.dm
/opt/Android/Sdk/platform-tools/adb shell pm clear com.ws.dm
Note: I always did this right after a flash so I'm hoping that's not necessary
(I know I misused reset-permissions but it accepts it, laugh)
In the attached photo notice that I can "Show" system apps but AT&T Software Update is already shown (i.e. not a system app) For me I have no other att apps even if I show system apps!, they're installed tho)
**** Warning **** Disabling the wrong thing this way can cause the phone to crash so hard you need to flash firmware to restore it. Make sure you have backed up and that you have your firmware ready. Also be warned that in my experience devices can suddenly crash & need repair from doing this type of stuff!!
Stern Warning: You need your current matching firmware before doing this!! You can make a copy of your own firmware following directions on this forum. The info about your firmware is in SYSTEM | ABOUT
Tested on firmware N920AUCS4CPK1 Android 6.01 w/Nov. Sec. Patch
Overview of the process
We are going to do a various pronged assault using App Archiving / Restoring with a Google Play app as well as attacking a select set of permissions as well as clearing app data through adb using a batch or shell script from your computer. In some cases I am able to also install the apk using adb shell pm install -rts which tags it as a test package. But I'm unclear how I achieved that so this is a work in progress.
(For the install -rts trick this is only after freshly flashing so it's been a little hard to remember to test it. Let me know if you stumble upon the process order again)
===> REMINDER <===
Backup all your contacts, text messages, downloaded files and also individually back up any apps that are important to you. Also have a look at your /sdcard/ to see what's there. Do a full backup on the entire phone just in case you forgot anything.
*** Prepare to have to flash/wipe data to get this to work as I've only truly tested this after a recent flash personally!!! ***
This walk through utilizes the following technologies you will need to Google
You need the platform-tools from Android Studio SDK it comes with adb. (You can probably google platform-tools directory and download it)
(path environment needs to be set in the script or just fully qualify the location of adb which is what I do) <change to match your path>
I assume you understand how to download a file, open command prompt, cd to the directory it's downloaded to and edit the path to your platform-tools inside the batch file
I also assume you can figure out the Samsung USB driver for Windows and test that you can adb shell to your device.
I assume you can get into Download mode and flash your firmware with Odin / Windows using a usb cable.
Steps to brick your perfectly good working AT&T Note 5 phone
Denial of permission and general rearrangement of system apps Version .0008 beta
Fresh after a flash please block the signal on your phone if possible. I always block signal!!!
1.) Turn on developer options then confirm that you have OEM unlock on(like it matters), USB Debugging On and default Verify Apps via USB remains off
2) Kill all AT&T running processes DEVELOPER OPTIONS | RUNNING SERVICES (get Smart Limits, Protect app, ATT yahoo mail, anything ATT)
every opportunity)
2A) Package disabler is awesome leave it running if you have it we don't need anything special for adb, besides adb.
3) Plug your phone into your PC via usb and get it connected.. (adb devices "unauthorized means you didn't say ok on phone in time unplug/replug try again")
3a) adb shell should log you into the phone and exit should get you back out (we don't want to be in the shell just testing the connection)
4.) Turn off "can make system changes" for AT&T apps. Application Manager | More | Change System Settings | More | Show System Apps -- Turn off anything AT&T (I also kill anything I can knox, samsung)
5) Backup/Restore the AT&T apps from a "backup tool", I used System App 2 let us know if others work "or excel".
Use an app archive tool such as System Panel 2 | apps | Archive to archive the AT&T apps then install them from that archive. You can do this to any you see!
(don't uninstall the app but feel free to install it repeatedly. e.g. install = uninstall as system app but uninstall = reinstall as system app
5 a) --- if doing step 8 you need the com.ws.dm.apk copied to your computer so you can fire the install -rts on it
6) Repeat step 4
7) Fire the script from the first post on your phone (obviously you will have it connected to your pc, allowed the connection on your phone screen)
Basic commands I'm using, I prioritize com.ws.dm and then I run the commands on the rest of AT&T: (While it's running install/uninstall with the archive tool)
<This small snippet is a linux bash shell while the attached script is a Windows example>
#!/bin/bash
#NOTE TO LINUX USERS: take the rest of the script from the windows batch i think if you use linux you don't need step by step
/opt/Android/Sdk/platform-tools/adb devices
/opt/Android/Sdk/platform-tools/adb wait-for-device
/opt/Android/Sdk/platform-tools/adb shell am kill-all
/opt/Android/Sdk/platform-tools/adb shell pm clear com.ws.dm
/opt/Android/Sdk/platform-tools/adb shell pm reset-permissions com.ws.dm
/opt/Android/Sdk/platform-tools/adb shell am set-inactive com.ws.dm true
/opt/Android/Sdk/platform-tools/adb shell pm revoke com.ws.dm android.permission.CHANGE_CONFIGURATION
/opt/Android/Sdk/platform-tools/adb shell pm revoke com.ws.dm android.permission.WRITE_SECURE_SETTINGS
/opt/Android/Sdk/platform-tools/adb shell pm revoke com.ws.dm android.permission.BATTERY_STATS
/opt/Android/Sdk/platform-tools/adb shell pm revoke com.ws.dm android.permission.INTERACT_ACROSS_USERS
/opt/Android/Sdk/platform-tools/adb shell pm revoke com.ws.dm android.permission.SET_PROCESS_LIMIT
/opt/Android/Sdk/platform-tools/adb shell am kill-all
/opt/Android/Sdk/platform-tools/adb shell am kill com.ws.dm
/opt/Android/Sdk/platform-tools/adb shell pm clear com.ws.dm
Note: I always did this right after a flash so I'm hoping that's not necessary
(I know I misused reset-permissions but it accepts it and I like it that way. Don't end process through your app archive tool it wakes up com.ws.dm)
Steps that may not work quite yet:
Note) I need to add to the how to for this to not say Invalid_URI bla bla but the way I do it is by flashing an invalid modem file, that's not acceptable since I don't think it's necessary yet:
8) issue the command adb shell pm install -rts com.ws.dm.apk.
8 a) refire the above snippet that is just an example for linux it is my knock out punch for after, but this step should fail if you make it work let me know please
**** Warning **** Disabling the wrong thing this way can cause the phone to crash so hard you need to flash firmware to restore it. Make sure you have backed up and that you have your firmware ready. Also be warned that in my experience devices can suddenly crash & need repair from doing this type of stuff!!
************************************************************ UPDATE: 02/21/2017 ************************************************************************
This exploit is powerful and from what I can tell you don't need to use adb at all to make it work. Create an archive of the app with your tool, I listed what I used above. Install from archive. "app crashes". There are 3 updaters that I kill: com.sec.fwservice + com.sec.android.soagent + com.ws.dm. Any apps I can disable in App Manager I disable normally instead. For example if you begin disabling Google play it will allow you to fully disable it. This was the biggest thing that made my battery life better. You can use the adb commands, script and etc also if you want to do anything and everything to avoid additional updates. Hopefully I'm right because I am done with updating.
Notice: 02-15-2017
It's reversible if you didn't realize this (tested in PK1 by me and one other). If you used the subtle approach just go into your backup app then uninstall. Only the extra installation is removed then the app will heal itself. If you used harsh method adb shell pm uninstall com.ws.dm = att updater. (do for all apps you miss dearly)
Package Disabler not working? OOPS, KLMSAgent is necessary use the above method to reverse our actions on com.samsung.klmsagent
Attached photos show that the AT&T Software updater is gone. I achieved that with a harsher script if I am going to release this method I want a more assured way then wrong modem file and 8 windows open at once.
I have to ask, if you see a snippet representing an efuse in the code, why not remove it and all references to it? If possible to do so, you'd be the first to crack an AT&T (and this would likely work for Verizon as well) GN5?
Edit - Also, the January sec. patch is beginning to roll out to users. I just got it today and I am usually behind most.
Update 02/21/2017 regarding efuse. I've studied the binaries and processes hard and it is my belief the efuse will never trip if you aren't altering files on the system. We aren't doing that here and after weeks of testing my bit is still 0x0
**** Warning **** Disabling the wrong thing this way can cause the phone to crash so hard you need to flash firmware to restore it. Make sure you have backed up and that you have your firmware ready. Also be warned that in my experience devices can suddenly crash & need repair from doing this type of stuff!!
ajaxburger said:
I have to ask, if you see a snippet representing an efuse in the code, why not remove it and all references to it? If possible to do so, you'd be the first to crack an AT&T (and this would likely work for Verizon as well) GN5?
Edit - Also, the January sec. patch is beginning to roll out to users. I just got it today and I am usually behind most.
It's in the bootloader and they are friggin smart programmers and I am not that smart, yet. Probably ever.
I know you guys are on later firmware than me by now but I had to get off the merry-go-round at PK1. I had listed a work around to taking updates in November but it was iffy at best. This is the first almost safe way I found, and now it's too late. That's the problem with the Note 5 we can't get back to a common point so we can all work toward freedom together.
edit: removed idea about flashing cm.bin, it's almost killing download mode.. we need to swim away little fishes
There is a new tool for disabling apps I posted on the first post
I just wanted to gather resources and guidance on workarounds for caveats found in:
nVidia Shield Experience Upgrade 9.0.0 with Android 11
Scoped storage for instance.
New Google TV launcher
Caution: I'm not responsible if you end up bricking your nVidia Shield Android TV.
Change default launcher
Launcher alternatives
FLauncher
https://play.google.com/store/apps/details?id=me.efesser.flauncher
https://gitlab.com/etienn01/flauncher
Example: FLauncher
Install FLauncher from Google Play store.
Open FLauncher to make sure it works.
Enable ADB over network on the nVidia Shield (developer options).
Connect ADB from a computer with android-tools.
Disable default launcher with following ADB command:
Code:
adb shell pm disable-user --user 0 com.google.android.tvlauncher
Disconnect ADB.
Press "Home" button on the nVidia Shield. This should open FLauncher.
Instructions
https://techmogulchannel.com/tutori...lt-launcher-to-custom-launcher-windows-guide/
https://www.reddit.com/r/AndroidTV/comments/o96tun/how_to_install_a_3rdparty_launcher_as_default_on/
Set scoped storage permissions
Example: Solid File Explorer
Markdown (GitHub flavored):
### Example session with nVidia Shield Android TV
#### Start ADB server
adb start-server
#### Connect (approve request on the Shield)
adb connect 192.168.86.36:5555
#### Solid Explorer
adb shell cmd appops get --uid pl.solidexplorer2
adb shell cmd appops set --uid pl.solidexplorer2 android:MANAGE_EXTERNAL_STORAGE allow
adb shell cmd appops set --uid pl.solidexplorer2 android:REQUEST_INSTALL_PACKAGES allow
#### Disconnect
adb disconnect
#### Turn off ADB server
adb kill-server
Instructions
https://www.codetd.com/en/article/10481938
https://forum.xda-developers.com/t/...adb-on-note-10-updated-to-android-11.4221617/
https://developer.android.com/train...es#enable-manage-external-storage-for-testing
https://www.reddit.com/r/androiddev/comments/mscu80/as_a_user_is_it_possible_for_me_to_grant_an_old/
Roll back to 8.2.3
Download
https://developer.nvidia.com/gameworksdownload#?search=recovery os image
Instructions
https://developer.download.nvidia.c...ar/howtoflash/How-To-Flash-Recovery-Image.txt
https://docs.nvidia.com/gameworks/content/devices/shield_flashing_from_image.htm
https://forum.xda-developers.com/t/3321404/
https://forum.xda-developers.com/t/4392605/#post-86397133 by @perieanuo.
Other related guides by me
Ready made Leanback Icons and Shortcuts for "regular" Android Apps
[Tool][Windows][PowerShell] Android Platform Tools Updater (ADB & Fastboot)
Thanks for this !
I just hate this google tv launcher update and those F****** ads.
Now it's clean, Flauncher looks great
Thank you for that awesome guide
I have one question regarding scoped storage permissions. I'm trying to achieve the same with Kodi like you did with Solid File Explorer.
The first command worked fine: adb shell cmd appops get --uid org.xbmc.kodi
I get the following output:
Uid mode: LEGACY_STORAGE: allow
TAKE_AUDIO_FOCUS: allow; time=+2d3h23m52s536ms ago
WAKE_LOCK: allow; time=+2d3h23m52s331ms ago; duration=+22m38s145ms
READ_EXTERNAL_STORAGE: allow; time=+14h44m6s853ms ago
WRITE_EXTERNAL_STORAGE: allow
Unfortunately, when I try to execute the 2nd command adb shell cmd appops set --uid org.xbmc.kodi android:MANAGE_EXTERNAL_STORAGE allow I get the following error:
Error: Unknown operation string: android:MANAGE_EXTERNAL_STORAGE
Is there anything that I'm missing or not possible with Kodi?
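Added example, not part of the original posts: a small parser for the "cmd appops get --uid" output format quoted above. It reports whether an op is listed for a package at all and which broad storage or install ops are currently set to allow. SAMPLE is the output quoted in the post; the watch list of ops is an assumption chosen for this example.

```shell
#!/usr/bin/env bash
# Added example: audit the output of `adb shell cmd appops get --uid <pkg>`.
# SAMPLE is the output quoted in the post above. The watch list in flag_broad
# is an assumption made for this example, not an Android-defined set.

SAMPLE='Uid mode: LEGACY_STORAGE: allow
TAKE_AUDIO_FOCUS: allow; time=+2d3h23m52s536ms ago
WAKE_LOCK: allow; time=+2d3h23m52s331ms ago; duration=+22m38s145ms
READ_EXTERNAL_STORAGE: allow; time=+14h44m6s853ms ago
WRITE_EXTERNAL_STORAGE: allow'

# parse_appops: read appops output on stdin, print "OP MODE" per line.
parse_appops() {
  tr -d '\r' |                       # adb output may carry CRLF line ends
  sed -e 's/^Uid mode: //' |         # first line carries a "Uid mode: " prefix
  awk -F': ' 'NF >= 2 {
      op = $1; mode = $2
      sub(/;.*/, "", mode)           # drop "; time=..." and "; duration=..."
      gsub(/[ \t]/, "", op)
      if (op ~ /^[A-Z_]+$/) print op, mode
  }'
}

# op_mode OP: print the mode recorded for OP, or "absent" if OP is not listed.
op_mode() {
  om_mode=$(parse_appops | awk -v w="$1" '$1 == w { print $2; exit }')
  printf '%s\n' "${om_mode:-absent}"
}

# flag_broad: print the watched ops that are currently set to "allow".
flag_broad() {
  parse_appops | awk '
    BEGIN {
      n = split("LEGACY_STORAGE MANAGE_EXTERNAL_STORAGE REQUEST_INSTALL_PACKAGES", s, " ")
      for (i = 1; i <= n; i++) watch[s[i]] = 1
    }
    ($1 in watch) && $2 == "allow" { print $1 }'
}

# Offline run on the quoted sample. Against a device, pipe the real output in:
#   adb shell cmd appops get --uid pl.solidexplorer2 | flag_broad
printf '%s\n' "$SAMPLE" | flag_broad
```

On the quoted Kodi output, MANAGE_EXTERNAL_STORAGE comes back as absent, while LEGACY_STORAGE is the one watched op set to allow.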
No_Reason said:
Thank you for that awesome guide
I have one question regarding scoped storage permissions. I'm trying to achieve the same with Kodi like you did with Solid File Explorer.
The first command worked fine: adb shell cmd appops get --uid org.xbmc.kodi
I get the following output:
Uid mode: LEGACY_STORAGE: allow
TAKE_AUDIO_FOCUS: allow; time=+2d3h23m52s536ms ago
WAKE_LOCK: allow; time=+2d3h23m52s331ms ago; duration=+22m38s145ms
READ_EXTERNAL_STORAGE: allow; time=+14h44m6s853ms ago
WRITE_EXTERNAL_STORAGE: allow
Unfortunately, when I try to execute the 2nd command adb shell cmd appops set --uid org.xbmc.kodi android:MANAGE_EXTERNAL_STORAGE allow I get the following error:
Error: Unknown operation string: android:MANAGE_EXTERNAL_STORAGE
Is there anything that I'm missing or not possible with Kodi?
Are you using the latest version of Android platform-tools? I also got some errors when following a guide, turned out the command syntax had changed a little with newer versions of adb.
https://developer.android.com/studio/releases/platform-tools#downloads
I just switched to the latest version of Android platform-tools.
adb version is giving me:
Android Debug Bridge version 1.0.41
Version 32.0.0-8006631
But I still get the same error message as mentioned above
Any idea, why it's still failing? Does the app itself need to support this?
hi,
i downgraded but the flashing is not really like described here
https://developer.download.nvidia.c...ar/howtoflash/How-To-Flash-Recovery-Image.txt
those 2 are incorrect:
- fastboot flash dtb mdarcy.dtb.img
- fastboot flash vbmeta vbmeta.img
in my case i did (the files were in "c:\adb\822" folder, i used official 8.2.2 recovery image, but tested the same for 8.2.3 and 8.2.0)
fastboot flash staging ./822/blob
fastboot flash boot ./822/boot.img
fastboot flash recovery ./822/recovery.img
fastboot flash system ./822/system.img
fastboot flash vendor ./822/vendor.img
fastboot flash dtb ./822/tegra210-darcy-p2894-0050-a08-00.dtb
(attention i chose /tegra210-darcy-p2894-0050-a08-00.dtb because my shield was this version, to be checked before flashing in settings/about...)
I tried with and without dtb and with and without erasing user data from fastboot menu (the last option)
I guess mdarcy.dtb.img and vbmeta.img are from other recovery archives, my test was done 27 jan 2022, maybe nvidia modified those recovery archives?
anyway, for inexperienced users it should be more clear what to flash, in what order, why writing this and that, the tutos for this downgrade are a mess. someone on reddit says we should format all those partitions but he says it at the end of his post, so if you respect command orders and reboot shield you're screwed.
my 2 cts, you should write ALL partitions provided by nvidia in archive after unlocking bootloader (maybe formatting them before??? but with UPS attached, risky thing btw), reset shield, relock bootloader and maybe reset shield from bootloader menu or gui.
i hope a pro takes this in hand explaining for us
in the process i managed to fry my 'away' usb port power (it works well as debug port but his power control chip is dead, tried already deactivating usb debug and usb file sharing and reflashing 3 times like i described before, but it's clearly a hardware issue). well, this one it's on me, I had olimex usb separator with power supply connected and after reflash i set that away usb as normal port, maybe the two devices (shield and olimex usb-iso isolator) tried to power the +5V line at once and the nvidia one was the weaker one. normally nvidia should have entered protected mode, but i'm not the hw designer on that one
Do any of you guys know how to force landscape on Android TV 9? All the APKs I used to force it don't work. I have 2015 and 2017 models, please help.
No_Reason said:
I just switched to the latest version of Android platform-tools.
adb version is giving me:
Android Debug Bridge version 1.0.41
Version 32.0.0-8006631
But I still get the same error message as mentioned above
Any idea, why it's still failing? Does the app itself need to support this?
Hmm. I'm certainly no expert at this. But what you say about the app need to support it might make sense. With the get command on Solid Explorer, I saw that permission that I could set, but you can't.
baba702 said:
Do any of you guys know how to force landscape on Android TV 9? All the APKs I used to force it don't work. I have 2015 and 2017 models, please help.
Tried hotfix 3?
https://www.nvidia.com/en-us/geforce/forums/shield-tv/9/481434/shield-experience-upgrade-90-hotfix-image/
o-l-a-v said:
Tried hotfix 3?
https://www.nvidia.com/en-us/geforce/forums/shield-tv/9/481434/shield-experience-upgrade-90-hotfix-image/
Thank you I didn't know about it I'll try
OK, I just installed hotfix 3 but I still have several issues: now button mapper doesn't work and the screen rotation doesn't work. Any help?
baba702 said:
OK, I just installed hotfix 3 but I still have several issues: now button mapper doesn't work and the screen rotation doesn't work. Any help?
If you use button remapper to change default launcher, use the method in the original post instead to just disable the default launcher app. Else, ask the button remapper developer I guess.
For the 2nd problem (orientation), I think there is an adb command to set it. Google it and see what you find.
Edit: Orientation, found some related info:
https://www.nvidia.com/en-us/geforce/forums/shield-tv/9/481782/shield-experience-upgrade-90-known-issues/3206852/
o-l-a-v said:
If you use button remapper to change default launcher, use the method in the original post instead to just disable the default launcher app. Else, ask the button remapper developer I guess.
For the 2nd problem (orientation), I think there is an adb command to set it. Google it and see what you find.
Edit: Orientation, found some related info:
https://www.nvidia.com/en-us/geforce/forums/shield-tv/9/481782/shield-experience-upgrade-90-known-issues/3206852/
I gave all the permissions but the button remapper doesn't work; something with YouTube Vanced is the problem, I uninstalled it and that works. For rotation, I tried with all the permissions, including the energy optimization access, but it doesn't work.
this is really good info - seriously. I'm about to downgrade to 8.2.3 on the 2017_16gb model and I'm trying to take it all in. Weird how there's not a ton of good information on this. Did you follow any other videos or guides?
Alekos said:
this is really good info - seriously. I'm about to downgrade to 8.2.3 on the 2017_16gb model and I'm trying to take it all in. Weird how there's not a ton of good information on this. Did you follow any other videos or guides?
hi,
i did kinda mixup of some guides like
https://www.reddit.com/r/ShieldAndroidTV/comments/s3yqe1
(also tested like he said, first fastboot erase boot/staging/recovery/system/vendor, then write those)
the procedure was as simple as this:
__________________________________________________________________________________________________________________
How to downgrade your Shield TV Pro back to 8.2.3 (Android 9)
The first step is to go to Settings, Device Preferences, About, tap build number 7-8 times for developer options and enable USB debugging and allow debugging through your PC. Before you reboot to the bootloader, plug in a keyboard or your Shield Controller to continue, then input adb reboot bootloader (must have drivers installed), unlock bootloader, and factory reset, reboot and unplug the USB and power for a full unlock or else you'll get "write failed" when flashing.
first, wipe partitions:
fastboot erase boot
fastboot erase staging
fastboot erase recovery
fastboot erase system
fastboot erase vendor
second, flash partitions (i saved/unzipped in c:\adb\823 the files, that's why "./823/" appears below)
fastboot flash boot ./823/boot.img
fastboot flash staging ./823/blob
fastboot flash recovery ./823/recovery.img
fastboot flash system ./823/system.img
fastboot flash vendor ./823/vendor.img
I relocked bootloader at the end
fastboot oem lock (or via bootloader GUI)
Just used a simple usb keyboard (a french one, "A" was in the place of "Q" key) and bootloader uses US layout as default for keyboard.
The USB cable must be a quality one, mine was USB3 one, 1m long.
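Added example, not part of the original post: a dry-run pre-flight for the erase-then-flash sequence above. It confirms that every image named in the post is present and non-empty before it prints any erase command, so a missing file is caught while the old partitions are still intact. IMG_DIR is a hypothetical environment variable naming the folder with the unzipped recovery image.

```shell
#!/usr/bin/env bash
# Added example: pre-flight check for the erase-then-flash sequence in the
# post above. Partition/file pairs are the ones the post lists; IMG_DIR is a
# hypothetical variable introduced for this example.

# partition:file pairs, in the order the post erases and flashes them
FLASH_MAP='boot:boot.img
staging:blob
recovery:recovery.img
system:system.img
vendor:vendor.img'

# preflight DIR: succeed only if every image is a regular, non-empty file.
# Prints one line per problem to stderr and checks all files before returning.
preflight() {
  pf_dir=$1
  pf_bad=0
  for pf_pair in $FLASH_MAP; do
    pf_file=${pf_pair#*:}
    if [ ! -f "$pf_dir/$pf_file" ]; then
      echo "missing: $pf_dir/$pf_file" >&2
      pf_bad=1
    elif [ ! -s "$pf_dir/$pf_file" ]; then
      echo "empty:   $pf_dir/$pf_file" >&2
      pf_bad=1
    fi
  done
  return "$pf_bad"
}

# plan DIR: print the fastboot commands (all erases, then all flashes).
# Nothing is printed unless preflight passes, so an incomplete download never
# yields a command list that starts by erasing partitions.
plan() {
  pl_dir=$1
  if ! preflight "$pl_dir"; then
    echo "refusing to emit erase commands" >&2
    return 1
  fi
  for pl_pair in $FLASH_MAP; do
    echo "fastboot erase ${pl_pair%%:*}"
  done
  for pl_pair in $FLASH_MAP; do
    echo "fastboot flash ${pl_pair%%:*} $pl_dir/${pl_pair#*:}"
  done
}

# Stand-alone use: IMG_DIR=./823 sh preflight.sh
if [ -n "${IMG_DIR:-}" ]; then
  plan "$IMG_DIR"
fi
```

The script only prints the command list; running the commands stays a manual step.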
Hey, so you guys don't recommend updating to Android 11 on the 2017 Shield TV?
I'm still running Android 9 (NVidia Experience 8.2.3) and everything works well. Will I gain anything by updating?
Ghisy said:
Hey, so you guys don't recommend updating to Android 11 on the 2017 Shield TV?
I'm still running Android 9 (NVidia Experience 8.2.3) and everything works well. Will I gain anything by updating?
I'd wait for next stable/ non-hotfix release, and then check feedback on Reddit and the nVidia forum before doing the jump.
But I won't bother rolling back to 8.2.3 either, 9.0.0 works OK for me. If you're hosting Plex server on your Shield, definitely wait. I only use it as a media player, nothing fancy.
o-l-a-v said:
I'd wait for next stable/ non-hotfix release, and then check feedback on Reddit and the nVidia forum before doing the jump.
But I won't bother rolling back to 8.2.3 either, 9.0.0 works OK for me. If you're hosting Plex server on your Shield, definitely wait. I only use it as a media player, nothing fancy.
Well, I guess 9.0.1 is the stable one apparently: https://9to5google.com/2022/02/15/shield-tv-9-0-1-update-android-11/
I need to wait for the developer image because I want to root my Shield TV again. Although there's no guide here that's up to date unfortunately...
baba702 said:
I gave all the permissions but the button remapper doesn't work; something with YouTube Vanced is the problem, I uninstalled it and that works. For rotation, I tried with all the permissions, including the energy optimization access, but it doesn't work.
For the screen orientation setting, have you tried something as simple as a "forced rotation" app? I've used that for apps that normally come up in portrait that i wanted to force into landscape mode (ie YouTube Vanced, Magisk Manager, etc).
Here's one that's worked for me in the past (side loaded):
https://m.apkpure.com/set-orientation/com.googlecode.eyesfree.setorientation
Do you need to be rooted to Set Scoped Storage permissions or install an alternative launcher?
Is there a guide for rooting the Nvidia Shield 2017 using linux?
Thanks.
bdika
Google Pixel Watch Root Guide using Magisk
Readme
Note that this rooting process was performed with a special USB-C cradle provided by the Google Team. I would not recommend flashing the device without a stable connection to the pins under the wrist strap. I might attempt to make a 3D printed enclosure that uses pogo pins. Additionally, this process will wipe the device.
Rooting Process
Enable developer options on the watch by going to Settings > System > About > Versions > Tap Build number until you unlock developer mode
While here, note down the Build Number. It will look like RWD9.XXXXXX.XXX.XX.
Go into Developer options and enable ADB debugging
Install the latest version of ADB and Fastboot tools on a computer
https://developer.android.com/tools/releases/platform-tools
Connect watch to computer using USB and allow permanent ADB debugging access on the watch
Verify your access works by running
Code:
adb devices
Download the appropriate (LTE or Bluetooth/WIFI) firmware at the link below, making sure to download the version that matches the build number from Step 2.
Factory Images for Google Pixel Watch Devices | Google Play services | Google for Developers (developers.google.com)
Verify the checksum of downloaded firmware using
Code:
sha256sum name-of-firmware.zip
Unzip the downloaded zip, then unzip the image-rXX zip inside the original zip. Then, transfer the boot.img file to the watch using
Code:
adb push boot.img /sdcard/Download
Install a file manager on the watch because it does not include one by default. We will need it to select the boot.img file in the Magisk app. I used File Manager TV USB OTG Cloud from the Play Store. I recommend launching the app and granting Files and media permissions all the time like it asks you to do in the popup.
Install the latest version of the Magisk APK from the Github link below on the watch by running
Code:
adb install name-of-magisk.apk
Releases · topjohnwu/Magisk (github.com)
Launch the Magisk app, click Install, choose Select and Patch a File, then browse to the downloaded boot.img file
Click Let's Go and the magisk-patched boot image will be created in the Download folder
Transfer the image back to your computer using
Code:
adb pull /sdcard/Download/name-of-patched-image
Run
Code:
adb reboot bootloader
to reboot the watch into Fastboot
Verify the device shows up by using
Code:
fastboot devices
Unlock the bootloader of the watch using
Code:
fastboot flashing unlock
Confirm the message on the watch to unlock and wipe the device
Flash and boot the newly created Magisk image using
Code:
fastboot flash boot name-of-patched-image.img
Select Start in Fastboot to start the watch
After waiting an extremely long time, the watch will hopefully start and will need to be setup again
Reinstall the Magisk app using
Code:
adb install name-of-magisk.apk
Launch the app and it might prompt that it needs to restart the watch
To prevent the broken Superuser request popup where the grant button is off the screen, I recommend changing the Automatic Response prompt setting in the Magisk app to Grant. To change the option, swipe up on the Prompt text
With the watch started and setup, start an adb shell by running
Code:
adb shell
Then, run su to escalate to root privilege. The shell should change symbols from $ to # and running
Code:
whoami
should result in root
Bypassing SafetyNet
Download the YASNAC - SafetyNet Checker APK from GitHub:
Releases · RikkaW/YASNAC (github.com)
Install it on the watch using
Code:
adb install name-of-yasnac.apk
(Optional) Open the app and run the SafetyNet Attestation to verify your device fails
Download the SafetyNet Fix Magisk module from GitHub:
Releases · kdrag0n/safetynet-fix (github.com)
Transfer it to watch using
Code:
adb push safetynet-fix-v2.4.0.zip /sdcard/Download
Start an adb shell with the watch using
Code:
adb shell
Elevate to root privileges with
Code:
su
Install the module with
Code:
magisk --install-module /sdcard/Download/safetynet-fix-v2.4.0.zip
Once installed, restart your watch
Now, run YASNAC SafetyNet Attestation again, and you should pass!
Interfacing with the USB Pins
The USB pins are under the watch band closest to the secondary button. From left to right, the pins are voltage, data+, data-, and ground. Google's VRP program provides the watch cradles by invitation only (still waiting for mine). As such, a DIY solution needs to be created to make this process more accessible.
Picture courtesy of @ShinyQuagsire
The most reliable solution I can think of currently is using PCBite SP10 probes to connect to the USB pins. Once I get my PCBite, I will post a setup picture.
Another solution I'm going to try is inserting pogo pins into a replacement silicone watch band to connect to the USB pins.
Similarly, the pins have a 1.27mm spacing which you can find headers for online. That in combination with some helping hands could give a somewhat janky connection.
Troubleshooting
If booting the Magisk image results in a bootloop, you can unbrick the device by flashing the corresponding stock boot.img image using
Code:
fastboot flash boot boot.img
If Magisk doesn't see the file, try doing the following to your file browser app:
Settings > Apps & Notifications > App permissions > Files and media > AppName > Allow all the time
Tips
You can get into FastBoot mode by tapping on the top left and bottom right of the screen at the same time as the device is booting when the white "G" logo appears.
Wireless debugging allows you to do almost all of this guide except booting the patched boot.img file in Magisk. To enable wireless debugging, go to Settings > Developer options > Check Debug over Wi-Fi. Then, in developer options still, go to Wireless debugging and turn it on. From here, you can connect to your watch remotely from your PC using
Code:
adb connect watchip
Thanks
Huge thanks to Asmita Jha (Twitter @aj_0x00) who was there during the first 2 days of the rooting attempts and helped troubleshoot throughout. Additionally, big thanks to Stack Smashing (Twitter @ghidraninja) for giving us the idea to patch the Magisk file on the watch itself, instead of patching the boot image on another device running Magisk. Additionally, thanks to the Google team who gave us access to device and the prototype cradles to interface with the watch reliably.
Future Plans
To make the process more accessible, a cheap interfacing solution needs to be created. Please reach out if you have any questions, concerns, or information that would make the process easier. You can find me on Twitter @breaddisease
https://twitter.com/breaddisease
Thanks!
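Added example, not from the guide's author: the checksum step in the guide above only prints a hash, so this example compares it with the value published next to the download and fails closed on a mismatch or a truncated value. It then pins the stock boot.img hash, so the file used for recovery can be confirmed as stock and the patched image confirmed as different. File names, the pin file and the expected value passed in are placeholders.

```shell
#!/usr/bin/env bash
# Added example: integrity checks around the firmware download and boot.img.
# File names and the pin-file path are placeholders chosen for this example.

# sha256_of FILE: print the lowercase hex SHA-256 of FILE.
sha256_of() {
  if command -v sha256sum >/dev/null 2>&1; then
    sha256sum "$1" | awk '{ print $1 }'
  else
    shasum -a 256 "$1" | awk '{ print $1 }'
  fi
}

# verify_sha256 FILE EXPECTED
# Returns 0 on match, 1 on mismatch, 2 when the input cannot be checked.
verify_sha256() {
  vs_file=$1
  vs_want=$(printf '%s' "$2" | tr -d '[:space:]' | tr 'A-F' 'a-f')
  if [ ! -f "$vs_file" ]; then
    echo "cannot check: $vs_file not found" >&2
    return 2
  fi
  # A truncated or mistyped value must not be accepted as "close enough".
  case $vs_want in
    ''|*[!0-9a-f]*)
      echo "cannot check: expected value is not hex" >&2
      return 2 ;;
  esac
  if [ "${#vs_want}" -ne 64 ]; then
    echo "cannot check: expected value is not 64 hex digits" >&2
    return 2
  fi
  vs_got=$(sha256_of "$vs_file")
  if [ "$vs_got" != "$vs_want" ]; then
    echo "MISMATCH $vs_file: got $vs_got" >&2
    return 1
  fi
  return 0
}

# pin_stock BOOT_IMG PINFILE: record the stock image hash right after
# extracting boot.img from a firmware zip that passed verify_sha256.
pin_stock() {
  sha256_of "$1" > "$2"
}

# is_stock FILE PINFILE: succeed only if FILE matches the pinned stock hash.
# Expected to fail for the Magisk-patched image and pass for the file kept
# for recovery from a bootloop.
is_stock() {
  verify_sha256 "$1" "$(cat "$2")"
}

# Stand-alone use: sh verify.sh name-of-firmware.zip <published-sha256>
if [ "$#" -eq 2 ]; then
  verify_sha256 "$1" "$2" && echo "OK $1"
fi
```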
This is awesome!
Now we just need a way to source that cradle or design one.
Does Rooting it break the Google Pay functionality or SafetyNet (if it has one) ?
KineSight said:
Does Rooting it break the Google Pay functionality or SafetyNet (if it has one) ?
I'm unsure about this so far! Both of my phones don't work with the Google Pixel Watch app (degoogled OP7P and old S8+) so I can't set up my Google account with the watch to use Google Wallet. Additionally, I can't install a SafetyNet checker without the USB cradle. I'll get back to you if I figure something out!
How did you get the file manager to show the .img file? I installed the same file manager, pushed the file via adb, but the file manager can't see any .img files. I tried renaming it to 'boot.jpg', pushed that, the file manager sees it, but then Magisk fails with unknown/unsupported image type.
ClarkIV said:
How did you get the file manager to show the .img file? I installed the same file manager, pushed the file via adb, but the file manager can't see any .img files. I tried renaming it to 'boot.jpg', pushed that, the file manager sees it, but then Magisk fails with unknown/unsupported image type.
You might need to allow the app Files and media permissions all the time, like this:
Settings > Apps & Notifications > App permissions > Files and media > AnExplorer > Allow all the time
KineSight said:
Does Rooting it break the Google Pay functionality or SafetyNet (if it has one) ?
I fail SafetyNet without the Universal SafetyNet Fix Magisk Module. However, I was able to install the SafetyNet Fix module with the following:
Code:
adb push safetynet-fix-v2.4.0.zip /sdcard/Download
adb shell
su
cd /sdcard/Download
magisk --install-module safetynet-fix-v2.4.0.zip
With this, I now pass SafetyNet! Still have to try Google Pay
breaddisease said:
Google Pixel Watch Root Guide using Magisk
Readme
Note that this rooting process was performed with a special USB-C cradle provided by the Google Team. I would not recommend flashing the device without a stable connection to the pins under the wrist strap. I might attempt to make a 3D printed enclosure that uses pogo pins. Additionally, this process will wipe the device.
Rooting Process
Enable developer options on the watch by going to Settings > System > About > Versions > Tap Build number until you unlock developer mode
Go into Developer options and enable ADB debugging
Install the latest version of ADB and Fastboot tools on a computer
Connect watch to computer using USB and allow permanent ADB debugging access on the watch
Verify your access works by running
Code:
adb devices
Download the latest version of the appropriate (LTE or Bluetooth/WIFI) Google Pixel Watch OTA firmware at the link below. Note that the latest version is at the bottom of the list (thanks Google)
https://developers.google.com/android/ota-watch
Verify the checksum of downloaded firmware using
Code:
sha256sum name-of-firmware.zip
Unzip the downloaded zip, then transfer the boot.img file to the watch using
Code:
adb push boot.img /sdcard/Download
Install a file manager on the watch because it does not include one by default. We will need it to select the boot.img file in the Magisk app. I used File Manager TV USB OTG Cloud from the Play Store
Install the latest version of the Magisk APK from the Github link below on the watch by running
Code:
adb install name-of-magisk.apk
Releases · topjohnwu/Magisk (github.com)
Launch the Magisk app, click Install, choose Select and Patch a File, then browse to the downloaded boot.img file
Click Let's Go and the magisk-patched boot image will be created in the Download folder
Transfer the image back to your computer using
Code:
adb pull /sdcard/Download/name-of-patched-image
Run
Code:
adb reboot bootloader
to reboot the watch into Fastboot
Verify the device shows up by using
Code:
fastboot devices
Unlock the bootloader of the watch using
Code:
fastboot flashing unlock
Confirm the message on the watch to unlock and wipe the device
Flash and boot the newly created Magisk image using
Code:
fastboot flash boot name-of-patched-image.img
Select Start in Fastboot to start the watch
After waiting an extremely long time, the watch will hopefully start and will need to be setup again
Reinstall the Magisk app using
Code:
adb install name-of-magisk.apk
Launch the app and it might prompt that it needs to restart the watch
With the watch started and setup, start an adb shell by running
Code:
adb shell
Then, run su to escalate to root privilege. The shell should change symbols from $ to # and running
Code:
whoami
should result in root
Bypassing SafetyNet
Download the YASNAC - SafetyNet Checker APK from GitHub:
Releases · RikkaW/YASNAC (github.com)
Install it on the watch using
Code:
adb install name-of-yasnac.apk
(Optional) Open the app and run the SafetyNet Attestation to verify your device fails
Download the SafetyNet Fix Magisk module from GitHub:
Releases · kdrag0n/safetynet-fix (github.com)
Transfer it to watch using
Code:
adb push safetynet-fix-v2.4.0.zip /sdcard/Download
Start an adb shell with the watch using
Code:
adb shell
Elevate to root privileges with
Code:
su
Install the module with
Code:
magisk --install-module /sdcard/Download/safetynet-fix-v2.4.0.zip
Once installed, restart your watch
Now, run YASNAC SafetyNet Attestation again, and you should pass!
Troubleshooting/Tips
If booting the Magisk image results in a bootloop, you can unbrick the device by flashing the corresponding stock boot.img image using
Code:
fastboot flash boot boot.img
Additionally, you can get into FastBoot mode by tapping on the top left and bottom right of the screen at the same time as the device is booting and the white "G" logo appears.
If Magisk doesn't see the file, try doing the following to your file browser app:
Settings > Apps & Notifications > App permissions > Files and media > AppName > Allow all the time
Wireless debugging allows you to do almost all of this guide except booting the patched boot.img file in Magisk. To enable wireless debugging, go to Settings > Developer options > Check Debug over Wi-Fi. Then, in developer options still, go to Wireless debugging and turn it on. From here, you can connect to your watch remotely from your PC using
Code:
adb connect watchip
Thanks
Huge thanks to Asmita Jha (Twitter @aj_0x00) who was there during the first 2 days of the rooting attempts and helped troubleshoot throughout. Additionally, big thanks to Stack Smashing (Twitter @ghidraninja) for giving us the idea to patch the Magisk file on the watch itself, instead of patching the boot image on another device running Magisk. Additionally, this wouldn't be possible without the help of the Google team who gave us access to the device and the prototype cradles to interface with the watch reliably. Huge thanks to everyone running Hardwear.io this year where this method was discovered during the Hardpwn hardware hacking contest.
Future Plans
To make the process more accessible, a cheap interfacing solution needs to be created. My idea is to 3D print an enclosure and use pogo pins. Please reach out if you have any questions, concerns, or information that would make the process easier. You can find me on Twitter @breaddisease
https://twitter.com/breaddisease
Thanks!
Cool
breaddisease said:
You might need to allow the app Files and media permissions all the time, like this:
Settings > Apps & Notifications > App permissions > Files and media > AnExplorer > Allow all the time
Thanks! That was it. Now the computer just refuses to recognize it as a fastboot device. It recognizes it with the watch fully on, so I know my wiring and pins are correct.
ClarkIV said:
Thanks! That was it. Now the computer just refuses to recognize it as a fastboot device. It recognizes it with the watch fully on, so I know my wiring and pins are correct.
Nice, good to hear! What's the output of
Code:
sudo fastboot devices
Or, if you're on Windows, an elevated terminal with
Code:
fastboot devices
Y'all realize that we already managed to root the watch a long time ago? https://forum.xda-developers.com/t/pixel-watch-successfully-bootloader-unlocked.4508253/
A lot of questions are also answered there.
Yes, it breaks safetynet. You can install this magisk module to get it back.
KineSight said:
Does Rooting it break the Google Pay functionality or SafetyNet (if it has one) ?
Tiebe said:
Y'all realize that we already managed to root the watch a long time ago? https://forum.xda-developers.com/t/pixel-watch-successfully-bootloader-unlocked.4508253/
A lot of questions are also answered there.
I was not aware that it had been done already! Thanks for the info! I thought I was the first
breaddisease said:
I was not aware that it had been done already! Thanks for the info! I thought I was the first
Sadly, no.
Another small thing: You shouldn't download the OTA zip, but the factory images. The OTA zip doesn't always have a full boot image, and only a patch image (boot.img.p), which is used in the updating process for patching the current boot image to the newer version. The factory images always have a full boot image.
Other than that: great guide!
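The distinction in the post above (a full boot.img versus only a boot.img.p patch) can be checked before anything is flashed. This is an added example, not part of the thread: it assumes the package is a zip that may wrap its images in an inner zip, and the function names and sample archives are constructed for illustration.

```python
import io
import zipfile

BOOT_MAGIC = b"ANDROID!"  # first 8 bytes of an Android boot image header


def find_boot_images(zip_bytes, prefix=""):
    """Map archive path -> "full", "patch" or "invalid", descending into nested zips."""
    found = {}
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        for info in zf.infolist():
            base = info.filename.rsplit("/", 1)[-1]
            path = prefix + info.filename
            if base == "boot.img.p":
                found[path] = "patch"  # binary diff only, not flashable
            elif base == "boot.img":
                with zf.open(info) as fh:
                    magic = fh.read(len(BOOT_MAGIC))
                found[path] = "full" if magic == BOOT_MAGIC else "invalid"
            elif base.endswith(".zip"):
                # Assumption: factory packages may keep the images in an inner zip.
                try:
                    found.update(find_boot_images(zf.read(info), path + "!"))
                except zipfile.BadZipFile:
                    continue  # named .zip but not an archive; ignore it
    return found


def has_full_boot_image(zip_bytes):
    return "full" in find_boot_images(zip_bytes).values()


def _make_zip(members):
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for name, data in members.items():
            zf.writestr(name, data)
    return buf.getvalue()


# Constructed sample archives (not real firmware).
SAMPLE_OTA = _make_zip({"patch/boot.img.p": b"diff bytes", "META-INF/x": b""})
SAMPLE_FACTORY = _make_zip({
    "device-build/flash-all.sh": b"#!/bin/sh\n",
    "device-build/image-device-build.zip": _make_zip(
        {"boot.img": BOOT_MAGIC + b"\0" * 24}),
})

if __name__ == "__main__":
    for label, blob in (("ota", SAMPLE_OTA), ("factory", SAMPLE_FACTORY)):
        print(label, find_boot_images(blob), has_full_boot_image(blob))
```

For a real download, pass the file's bytes, for example `open(path, "rb").read()`; an inner zip is read fully into memory, so this suits watch-sized packages.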
Tiebe said:
Sadly, no.
Another small thing: You shouldn't download the OTA zip, but the factory images. The OTA zip doesn't always have a full boot image, and only a patch image (boot.img.p), which is used in the updating process for patching the current boot image to the newer version. The factory images always have a full boot image.
Other than that: great guide!
Ok, thanks! I updated steps 6 and 8 accordingly.
Would it be an issue if someone flashed an un-updated watch with the latest boot.img? Like should I recommend flashing the appropriate version's boot.img, or updating to the latest version before flashing the latest boot.img? Thanks!
breaddisease said:
Ok, thanks! I updated steps 6 and 8 accordingly.
Would it be an issue if someone flashed an un-updated watch with the latest boot.img? Like should I recommend flashing the appropriate version's boot.img, or updating to the latest version before flashing the latest boot.img? Thanks!
Always flash the boot.img of the version that you're currently on. Happy to help!
@breaddisease
I've also noticed that the safetynet module patched by Displax seems to work better in most cases than the original one by kdrag0n. The one by Displax is just a fork of the one by kdrag0n, with some changes.
breaddisease said:
Nice, good to hear! What's the output of
Code:
sudo fastboot devices
Or, if you're on Windows, an elevated terminal with
Code:
fastboot devices
I'm on Linux and 'sudo fastboot devices' didn't list any device. I can communicate via ADB over USB so I know the cable is working. In fastboot mode, the device doesn't show up under 'lsusb' either. I have tried USB 2 and 3 ports.
ClarkIV said:
I'm on Linux and 'sudo fastboot devices' didn't list any device. I can communicate via ADB over USB so I know the cable is working. In fastboot mode, the device doesn't show up under 'lsusb' either. I have tried USB 2 and 3 ports.
Are you providing it power through the left pin? Maybe it's required for fastboot
breaddisease said:
Are you providing it power through the left pin? Maybe it's required for fastboot
Yes, I am powering it. Verified by the watch showing it's charging when fully booted. Were you on Linux or Windows for this? If Linux, what distro?