Related
I'm new o all this stuff, so go easy with me! :silly:
If I understand correctly the root process, this should be true (correct me if I'm wrong):
Unsecure boot.img is only used to booting as root
Booting as root user allow to use some adb command
Command adb is used to modify system.img, injecting su command and superuser/supersu apk
If this is correct, can i modify a stock JB system.img and put su/superuser/supersu apk? Will this work? Then if this is right:
How can I unpack and edit system.img?
Where I can get the original su command?
Where I should download superuser/supersu apk?
I'd like to learn this stuff and do not use any external tool, apart from fastboot and adb commands. I'm quite familiar with *nix.
Thanks for helping :highfive:
uh..am i misinterpreting something here? why not just boot a custom recovery with fastboot and flash a su/supersu.apk or superuser.apk cwm zip?
sent from my i9250
bk201doesntexist said:
you will be better off building from src, if you're familiar with nix.
if not, no need to inject anything, just boot a custom recovery with fastboot and flash a su/supersu.apk or superuser.apk cwm zip.
sent from my i9250
Click to expand...
Click to collapse
Not so familiar to build system from the sorce, unfortunatly. I don't use a custom recovery... so there is no way of building my own system.img?
Gremo said:
[snip]
can i modify a stock JB system.img and put su/superuser/supersu apk?
Click to expand...
Click to collapse
Yes you could.
Gremo said:
How can I unpack and edit system.img?
Click to expand...
Click to collapse
As far as I know, you cannot unpack system.img using only fastboot and adb (which you indicated you ONLY wanted to use). I know you can use this to convert it to ext4 format and then you can mount it.
Gremo said:
Where I can get the original su command?
Where I should download superuser/supersu apk?
Click to expand...
Click to collapse
Superuser is here, or, if you prefer SuperSU, it is here.
EDIT: But this is a lot of work for nothing. You could just boot an insecure kernel (which you can get from the dev section, or you could build one yourself) and then copy the su and Superuser.apk files to your device, no?
I'm currently working on setting up a number of 2013 N7 LTEs (in the several hundred range, with possibly more to follow) with a specific set of apps. I'd really like to reduce the actual human interaction involved to a minimum (USB debugging activation at the start if possible) so I've been looking at fastboot flashing. Is it at all possible to clone the /userdata partition on a Nexus 7 to a .img file?
I've tried using dd and cat from the adb shell, and those all fail as they tend to copy the masses of empty space into the clone. I've also tried generating zips of the applications & their data using ZIPme, but that means having to manually enter the recovery (which, if there is no alternative, I am willing to do). ZIPme seems to have an issue with KitKat though, so I do wonder if anyone knows of any alternatives?
Older versions of CWM used to be img based.
The imgs it generated were essentially flashable via fastboot as they're the same filesystem as the original partition that was nandroided.
It's a lot of work (if you're not already set up to compile recoveries), but you could try reenabling the no longer used img nandroid code in CWM
-----------------------------------
Will the users have any kind of store access? (play/amazon/whatever)
If you hand out the same /data images and also go though first setup for the users, they could all end up with the same android ID.
Settings.Secure | Android Developers: #ANDROID_ID
The docs state that it's generated per user, so if you force them to all do initial setup themselves this isnt an issue.
If you dont care that they all have the same ID then you can ignore it.
Interesting. Do you know when/at what version they moved from away from the flashable img files? I'm going to go digging but if you can give me a hint it would be very much appreciated
The end user is going to be sent straight into a kiosk app to prevent them from hacking about with the device, so luckily I won't need to worry about the Play issue!
It was around the jump from CWM 5.0 -> 6.0, they added .dup and removed .img.
I cant tell you if it's worth your time to actually build your own rec with it reenabled, just pointing out the fact CWM used to do it in the past.
Adb has a backup and restore option, try looking into that maybe
http://forum.xda-developers.com/galaxy-nexus/general/guide-phone-backup-unlock-root-t1420351
Hi
I'm too interested in backup up the nexus partitions in fastboot flashable .img(s) to clone multiple Nexus for museum application(around 40 tablets)
I successfully grab system.img, boot.img, recovery.img from a "master" pre-configured rooted Nexus with:
Code:
adb shell dd if=... > c:\backup\....img
But dumping the userdata partition give me a 13gb file (with unfortunately the unused space) that doesn't seem to work when flashing...
The cloned tablet don't keep user setting/apps :\
Here how I do it:
MASTER:
- Fastboot oem unlock
- Setup tablet(root, install CWM, install apps, change setting, setup WIFI, change home app)
- Reboot in recovery for adb:
Code:
adb shell dd if=/dev/block/platform/msm_sdcc.1/by-name/system > c:\backup\system.img
adb shell dd if=/dev/block/platform/msm_sdcc.1/by-name/recovery > c:\backup\recovery.img
adb shell dd if=/dev/block/platform/msm_sdcc.1/by-name/userdata > c:\backup\userdata.img
adb shell dd if=/dev/block/platform/msm_sdcc.1/by-name/boot > c:\backup\boot.img
CLONED:
Code:
fastboot oem unlock
fastboot flash boot boot.img
fastboot flash recovery recovery.img
fastboot flash system system.img
fastboot flash userdata userdata.img
fastboot format cache
fastboot oem lock
But like I said, it doesn't work, still get the initial setup( language selection/setup tablet) and lost wifi setting and apps...
Found this old article that used the now removed ability of CWM to backup in .img
http://aigarius.com/blog/2012/09/23/cloning-or-pre-configuring-a-batch-of-android-phones/
Any thoughts, suggestions will be greatly appreciated, thanks.
This guide presupposes that you have Supersu installed as systemless, and that you have access to adb.
This will bypass provisioning checks for builtin tether app. The modded apk should work with future updates without touching /system at all.
Installation
Method 1 - Manual install
Download the attached CarrierEntitlement apk.
If you have su.img su:
Code:
adb push CarrierEntitlement.apk /sdcard/CarrierEntitlement.apk
adb shell
su
mkdir /su/CarrierEntitlement
cp /sdcard/CarrierEntitlement.apk /su/CarrierEntitlement/CarrierEntitlement.apk
chmod 644 /su/CarrierEntitlement/CarrierEntitlement.apk
echo "mount -o bind /su/CarrierEntitlement/CarrierEntitlement.apk /system/priv-app/CarrierEntitlement/CarrierEntitlement.apk" > /su/su.d/05TetherMod
chmod +x /su/su.d/05TetherMod
reboot
If you have sbin su (Android 8.0+)
Code:
adb push CarrierEntitlement.apk /sdcard/CarrierEntitlement.apk
adb shell
su
mkdir /sbin/supersu/CarrierEntitlement
cp /sdcard/CarrierEntitlement.apk /sbin/supersu/CarrierEntitlement/CarrierEntitlement.apk
chmod 644 /sbin/supersu/CarrierEntitlement/CarrierEntitlement.apk
echo "mount -o bind /sbin/supersu/CarrierEntitlement/CarrierEntitlement.apk /system/priv-app/CarrierEntitlement/CarrierEntitlement.apk" > /sbin/supersu/su.d/05TetherMod
chmod +x /sbin/supersu/su.d/05TetherMod
reboot
Method 2 - Flashable Zip (su.img only)
Code:
1. Download attached zip.
2. Flash in TWRP (Last tested in alpha 2)
Information
This mod is accomplished by replacing the following function:
Code:
.method public static getCarrierEntitlement(Landroid/content/Context;)Lcom/google/android/carrierentitlement/CarrierEntitlement;
.registers 2
.param p0, "context" # Landroid/content/Context;
.prologue
.line 56
const/4 v0, 0x0
return-object v0
.end method
NOTE: Post install
You may need to edit your APNs to get tethering working for your carrier.
On sprint, where editing APNs is disabled, the fix is here: Sprint Fix
Be sure to thank @Builtfordtough1 for all his help in diagnosing the issue at this post: The Solution!
Be sure to thank sb1893 for sbin su instructions.
Worked Perfectly
This worked perfectly. Fantastic job!
So I am on stock with unlocked bootloader, twrp installed, and rooted with SuperSU. Because this is an apk file, do i just download onto the phone and install as I would with any other .apk file?
coolhandz said:
So I am on stock with unlocked bootloader, twrp installed, and rooted with SuperSU. Because this is an apk file, do i just download onto the phone and install as I would with any other .apk file?
Click to expand...
Click to collapse
The directions clearly state in adb speak that you need to create a directory for the file. Move to said directory, change permissions, etc etc. Nothing about installing via the apk.
pcriz said:
The directions clearly state in adb speak that you need to create a directory for the file. Move to said directory, change permissions, etc etc. Nothing about installing via the apk.
Click to expand...
Click to collapse
well, i can follow basic commands in minimal adb & fastboot. I think this may be above me unless there is an idiots' guide.
coolhandz said:
well, i can follow basic commands in minimal adb & fastboot. I think this may be above me unless there is an idiots' guide.
Click to expand...
Click to collapse
Do you have access to adb? They are pretty straight forward. May need to view them on the website but if you are using an app it may throw the word wrap off and make the commands seem confusing. The directions are pretty word for word.
pcriz said:
Do you have access to adb? They are pretty straight forward. May need to view them actually on the website but if you are using an app it may throw the word wrap off and make the commands seem confusing. The directs are pretty word for word.
Click to expand...
Click to collapse
If by adb you mean minimal adb & fastboot, then yes I have access and I could probably brave it.
coolhandz said:
If by adb you mean minimal adb & fastboot, then yes I have access and I could probably brave it.
Click to expand...
Click to collapse
I wouldn't suggest doing it how I did it but I downloaded the file to my phone. I created the directory using a root enabled file browser (see mkdir command {make directory}). I even used the file properties option in solid explorer to change the permissions (see chmod 644). Every other command I did on the phone from a terminal emulator. Just had to ignore the adb shell command because I am actually doing them on the device and not through a shell on my computer.
pcriz said:
I wouldn't suggest doing it how I did it but I downloaded the file to my phone. I created the directory using a root enabled file browser (see mkdir command {make directory}). I even used the file properties option in solid explorer to change the permissions (see chmod 644). Every other command I did on the phone from a terminal emulator. Just had to ignore the adb shell command because I am actually doing them on the device and not through a shell on my computer.
Click to expand...
Click to collapse
yeah, all that is definitely outside of my comfort zone, but thank you for the info.
Can you normally update your device with OTA-updates like a un-rooted device, without flashfire or connect to your computer?
Is there an advantage to doing this over adding "net.tethering.noprovisioning=true" to the build.prop file?
airmaxx23 said:
Is there an advantage to doing this over adding "net.tethering.noprovisioning=true" to the build.prop file?
Click to expand...
Click to collapse
This mod is systemless, and should survive OTAs. That mod changes the build.prop on the system partition, which could prevent taking OTAs.
njeri123 said:
Can you normally update your device with OTA-updates like a un-rooted device, without flashfire or connect to your computer?
Click to expand...
Click to collapse
Any modification to the boot image *should* prevent OTAs from working at all. However, you can flash back to stock boot images, and take OTAs as long as you have not modified /system, which this mod does not do.
Furthermore, as long as you don't wipe /data/ this mod will live in su.img and survive when you flash newer system software.
Fenny said:
This mod is systemless, and should survive OTAs. That mod changes the build.prop on the system partition, which could prevent taking OTAs.
Any modification to the boot image *should* prevent OTAs from working at all. However, you can flash back to stock boot images, and take OTAs as long as you have not modified /system, which this mod does not do.
Furthermore, as long as you don't wipe /data/ this mod will live in su.img and survive when you flash newer system software.
Click to expand...
Click to collapse
Thanks for the explanation, I removed the build.prop line and used this method and it's working fine. Thank you.
@Fenny
Thank you so much for putting this into a .zip file. It is greatly appreciated!
is there a non root method to bypass the checks? i dont plan on unlocking or rooting since i use android pay...
ddarvish said:
is there a non root method to bypass the checks? i dont plan on unlocking or rooting since i use android pay...
Click to expand...
Click to collapse
I also use Android pay, so I have two boot images ready to fastboot or flash. I have a boot image with root, and a boot image without root running a kernel that hides the bootloader unlocked flag.
So, the way I handle this, I flash the unrooted (bootloader flag hidden) image as my daily driver kernel, this passes safetynet, and allows me to use Android pay.
I make a backup of that boot image. Then, I install TWRP, my custom kernel, and SuperSU. I make a backup of that image as well.
So I have two backed up boot images:
rooted.img
HideBLUnlock.img
I flash HideBLUnlock.img to boot a, and boot b, safetynet passes.
Whenever I need to tether I have my computer with me, so I "fastboot boot rooted.img" which leaves me rooted until my next reboot.
Depending on your usage you might want to reverse that.
All my mods get stored in su.img, so switching out the boot images is all I need to have the best of both worlds.
Is it possible to fastboot boot twrp and flash the zip without being rooted or having twrp actually installed? O unlocked my bootloader but that's been it
Ocelot13 said:
Is it possible to fastboot boot twrp and flash the zip without being rooted or having twrp actually installed? O unlocked my bootloader but that's been it
Click to expand...
Click to collapse
You can use the fastboot twrp image to install this mod but you MUST have SuperSu. I have basic validation to check that in my update.zip. If you don't have a su.img in /cache or /data, this mod cannot be installed.
Flashed via TWRP and now i finally have a fully functioning hotspot!!
Fenny said:
I also use Android pay, so I have two boot images ready to fastboot or flash. I have a boot image with root, and a boot image without root running a kernel that hides the bootloader unlocked flag.
So, the way I handle this, I flash the unrooted (bootloader flag hidden) image as my daily driver kernel, this passes safetynet, and allows me to use Android pay.
I make a backup of that boot image. Then, I install TWRP, my custom kernel, and SuperSU. I make a backup of that image as well.
So I have two backed up boot images:
rooted.img
HideBLUnlock.img
I flash HideBLUnlock.img to boot a, and boot b, safetynet passes.
Whenever I need to tether I have my computer with me, so I "fastboot boot rooted.img" which leaves me rooted until my next reboot.
Depending on your usage you might want to reverse that.
All my mods get stored in su.img, so switching out the boot images is all I need to have the best of both worlds.
Click to expand...
Click to collapse
This is facinating, do you ever think where we can use boot a and boot b in a multiboot like fashion so that when you turn on the device you can choose what to boot?
I searched everywhere but I couldn't find nowhere how to backup efs or persist partition, I just read the thread for twrp flashable stock oreo for moto g5 cedric and it says it is useful to backup them to save the phone in case of IMEI or VoLTE or 4G problems after the zip install but TWRP doesn't seems to backup them and online I didn't found guides.
EDIT:
To help people with the same problem I'll write here.
Thanks to TheFixItMan I've found the most easy solution which is to flash the TWRP 3.2.3-2 arm64 that has backup option for EFS and Persist, I'll quote here the answer with the link.
Use terminal commands to back up the partition - dd copy partition name to location
Or
Try this unofficial twrp and look at backup options
https://drive.google.com/open?id=1ML...yBHyg81cHdW1cB
Click to expand...
Click to collapse
Use terminal commands to back up the partition - dd copy partition name to location
Or
Try this unofficial twrp and look at backup options
https://drive.google.com/open?id=1MLlljM7BzMj9Da57LeyBHyg81cHdW1cB
TheFixItMan said:
Use terminal commands to back up the partition - dd copy partition name to location
Or
Try this unofficial twrp and look at backup options
https://drive.google.com/open?id=1MLlljM7BzMj9Da57LeyBHyg81cHdW1cB
Click to expand...
Click to collapse
So the command I should use is:
Code:
dd copy persist to <location dir>
?
Should I use this on twrp Advanced > Terminal?
Are unofficial twrp safe?
OnionMaster03 said:
So the command I should use is:
Code:
dd copy persist to <location dir>
?
Should I use this on twrp Advanced > Terminal?
Are unofficial twrp safe?
Click to expand...
Click to collapse
The command should look something like this - not tried it and don't own this device
Code:
dd if=/dev/block/bootdevice/by-name/persist of=/sdcard/persist.img
Yes enter it in twrp terminal - once done it will output persist.img to sdcard
To copy back just reverse the if and of parts of the command
Unofficial twrps are perfectly safe - all official builds that aren't build by twrp start off as unofficial and are just submitted to their repo to become official
You can always flash what ever recovery you want after
The one I gave I think has the backup option for persist - if not just try the terminal command
OP, did you try the command? I'd like to backup mine as well
same question here! any updates?
EDIT: Managed to do it myself. I ended up pulling up the image through adb.
For all of you who are still wondering all I did is start adb and type the following:
adb pull /persist C:\platform-tools/persist.img
Click to expand...
Click to collapse
Substitute C:\platform-tools with your local folder.
You can also use the code provided in the thread, but If you wanna retrieve the file, you should copy it to /external_sd instead of microsd (also you can do it from the adb shell instead of the twrp terminal, which is more convenient).
persist backup and restore - 9008 mode
maybe this tool is useful too...
works in 9008 mode and has some firehose-loaders inside
moto g5 has qualcomm 8937 chipset, so should work...
https://mega.nz/#!dIcE0ApR!DEZIBxdxCqVEVRZRKevRr_Z_EXMF1I1PCJb-k7wvyGc
BR
1rdc said:
OP, did you try the command? I'd like to backup mine as well
Click to expand...
Click to collapse
I haven't tried this yet, I'm going to do in the next hours
When I boot after the update of the rom, unlock pattern shows as 3x3 dots. I'm coming from previous version with 6x6 pattern. System doesn't accept pattern because it's not the same. I can't change pattern grid size, not showing recovery with Google account and I had disabled Google function to find the device for privacy reasons.
ictecnics said:
When I boot after the update of the rom, unlock pattern shows as 3x3 dots. I'm coming from previous version with 6x6 pattern. System doesn't accept pattern because it's not the same. I can't change pattern grid size, not showing recovery with Google account and I had disabled Google function to find the device for privacy reasons.
Click to expand...
Click to collapse
Look here, this might be your solution to bypass the screen lock feature. But for sure you need access to your /data directory.
Uluru25 said:
Look here, this might be your solution to bypass the screen lock feature. But for sure you need access to your /data directory.
Click to expand...
Click to collapse
This is what I don't have: Access to data it shows encrypted folder names.
you can change the screen lock from adb cmd line, you just need to figure out the encoding.
Code:
adb shell locksettings set-pattern --old '17=CIOPQRST' '14789'
https://blog.alxu.ca/unlocking-large-pattern-encryption-in-twrp.html
alecxs said:
you can change the screen lock from adb cmd line, you just need to figure out the encoding.
Code:
adb shell locksettings set-pattern --old '17=CIOPQRST' '14789'
https://blog.alxu.ca/unlocking-large-pattern-encryption-in-twrp.html
Click to expand...
Click to collapse
adb devices shows "device unauthorized" when system has booted so I can't use adb shell. Before the update/pattern problem I tried several times to flash magisk via TWRP, process shows ended succesfully but phone remains unrooted. I've tried to unistall renaming magisk to uninstaller.zip and fails with a message that can't access to data. I don't know if with TWRP I can do anything but I would to flash again previous version of the ROM but it's not downloadable online.
you can authorize adb with a script that runs from overlay.d or from system/etc/init
Accessing my phone with a dead screen
So my phone screen connector was liquid damaged. No touch or display. It's an Essential Phone which supports HDMI output, however I can't unlock it because I don't see the lock screen on the monitor I just see a lock icon. I have...
forum.xda-developers.com
alecxs said:
you can authorize adb with a script that runs from overlay.d or from system/etc/init
Accessing my phone with a dead screen
So my phone screen connector was liquid damaged. No touch or display. It's an Essential Phone which supports HDMI output, however I can't unlock it because I don't see the lock screen on the monitor I just see a lock icon. I have...
forum.xda-developers.com
Click to expand...
Click to collapse
Let me post the message that I have when
When I boot the system and I try adb shell:
* daemon not running; starting now at tcp:5037
* daemon started successfully
error: device unauthorized.
This adb server's $ADB_VENDOR_KEYS is not set
Try 'adb kill-server' if that seems wrong.
Otherwise check for a confirmation dialog on your device.
When I try adb devices (also with system booted):
List of devices attached
1270c2f0 unauthorized
No sure if magisk it's installed properly.
to which partition you have copied RSA key to phone? where did you place the init script?
alecxs said:
to which partition you have copied RSA key to phone? where did you place the init script?
Click to expand...
Click to collapse
I don't know how to do it, I've to read link in the post with calm. I only flashed ROM zip's from recovery and Magisk zip/apk, never modified other things manually like modifiing files with adb shell. I'm discovering a lot of things to do via adb / fastboot due to my problem. I'm a GNU/Linux user but with basic knowledge of system scripts and structure.
use AIK to modify boot.img, you will see if there exist overlay.d directory or not (only if the boot.img is patched with Magisk)
otherwise mount /system(_root) rw and place the script there. I used the /cache partition for the key. It didn't work on my Samsung but there are many ways to authorize adb, it's all written in that thread.
I have moved the off-topic discussion to separate thread.
alecxs said:
use AIK to modify boot.img, you will see if there exist overlay.d directory or not (only if the boot.img is patched with Magisk)
otherwise mount /system(_root) rw and place the script there. I used the /cache partition for the key. It didn't work on my Samsung but there are many ways to authorize adb, it's all written in that thread.
Click to expand...
Click to collapse
Hi
Seems that I have overlay.d directory when unpacked boot.img. I have to put init.adbguard.rc and adbguard.sh in this directory?
According to https://blog.alxu.ca/unlocking-large-pattern-encryption-in-twrp.html and https://github.com/TeamWin/Team-Win-Recovery-Project/issues/1388 I think that my 6x6 pattern was 123456<BHNT but when I try adb shell twrp decrypt '123456<BHNT' I have this warning:
/system/bin/sh: can't open BHNT: No such file or directory
TWRP cannot decrypt, you need to do this in Android. Don't forget the quotes, < is a special char for redirecting files.
ictecnics said:
Hi
Seems that I have overlay.d directory when unpacked boot.img. I have to put init.adbguard.rc and adbguard.sh in this directory?
Click to expand...
Click to collapse
I'm waiting to try this but I don't know if this is the procedure.
alecxs said:
TWRP cannot decrypt, you need to do this in Android. Don't forget the quotes, < is a special char for redirecting files.
Click to expand...
Click to collapse
In Android = system booted I think. Command returned the error with quotes. I tried to put \ before < symbol (also with quotes) and command decrypt in TWRP failed with code 6.
unpack the zip and you have the directory names where the .rc and the .sh file belong to. edit the path in shell script with the location of adb_keys file, if necessary. repack the boot.img, flash it, find your local adbkey.pub, rename it adb_keys and copy to proper location on phone (I used cache partition). if the script is executed successfully, adb_keys will renamed to adb_keys.bak. after second reboot adb is authorized.
alecxs said:
unpack the zip and you have the directory names where the .rc and the .sh file belong to. edit the path in shell script with the location of adb_keys file, if necessary. repack the boot.img, flash it, find your local adbkey.pub, rename it adb_keys and copy to proper location on phone (I used cache partition). if the script is executed successfully, adb_keys will renamed to adb_keys.bak. after second reboot adb is authorized.
Click to expand...
Click to collapse
I checked the directory structure where I extracted the AIK and I only see a sbin subdirectory inside overlay.d. The path is /home/..../AIK-Linux-v3.8-ALL/AIK-Linux. Once "unpackimg.sh" is run, "ramdisk" and "split_img" directories are created. Inside "ramdisk" there is only "overlay.d", ".backup" and the "init" file, inside "split_img" only files. About the adbkey.pub file so far I have only located an "adbkey" file (without .pub) inside /home/.../.android and the first line says "-----BEGIN PRIVATE KEY---- -". I honestly don't know what to put or where
ramdisk/overlay.d is the right directory for the .rc file, and the .sh file should placed ramdisk/overlay.d/sbin. I meant this zip I have linked two days ago, you obviously didn't read that thread:
alecxs said:
you can authorize adb with a script that runs from overlay.d or from system/etc/init
Accessing my phone with a dead screen
So my phone screen connector was liquid damaged. No touch or display. It's an Essential Phone which supports HDMI output, however I can't unlock it because I don't see the lock screen on the monitor I just see a lock icon. I have...
forum.xda-developers.com
Click to expand...
Click to collapse
if there is no adbkey.pub file in ~/.android directory, run adb with another phone so a file is created.
alecxs said:
ramdisk/overlay.d is the right directory for the .rc file, and the .sh file should placed ramdisk/overlay.d/sbin. I meant this zip I have linked two days ago, you obviously didn't read that thread:
if there is no adbkey.pub file in ~/.android directory, run adb with another phone so a file is created.
Click to expand...
Click to collapse
I connected another phone, enabled OEM debugging and OEM unlock and no adbkey.pub is created in ~/.android, it shows the same files as before: adb.5037 and adbkey. Ran adb shell, connected to other phone, no file created.