How To Guide How to extract image collection from rom releases (and root the boot image and apply root to the phone) - OnePlus 9 Pro

1. To extract the image collection from your downloaded rom :
Download Payload Dumper from here (It's a zip file but it's not flashable) to your computer
Extract the zip file to a folder, make it a folder you can use regularly because this is the default tool you would use from now on
Download the rom version you want to root
Unzip the rom to a folder, you will find a file within it called payload.bin
Copy and paste that file into the "payload_input" folder within the Payload Dumper folder you created
Execute the payload_dumper.exe file within Payload Dumper folder, you will not have to specify any options as it always extracts from any payload.bin file in payload_input and outputs the image files to payload_output.
Leave the extraction to be completed, the program will automatically close itself once it's completed
Your extracted .img files will be shown within the payload_output folder
2. If you need to root the boot image you extracted :
Copy the boot.img file from the payload_output folder to a folder on your phone storage (Best to name it appropriately if you will be doing this regularly)
Download and Install the latest Magisk apk from the release site (Accept any prompt to allow install from external source)
Launch the app and then choose Install under the top "Magisk" section
Choose Select and Patch a File then browse to where you copied the boot.img on your storage
Magisk will then apply root to the boot image you specified, Your rooted image file will be output to your phone's Download folder : /sdcard/Download
You don't need to keep the default filename of the rooted image file so you can rename it appropriately for the rom version after you copy it to your computer, just ensure to keep the .img file extension
If you rename the rooted boot image, try not to use spaces in the filename, rather use _ or - as spaces make it more difficult to use in a command window although when you start typing the filename you can use TAB to autocomplete it, always ensure the filename shows .img as the extension and at the end of any commandline
3. If you need to use your rooted boot image to apply root to your phone :
Install the drivers from the mounted drive you should get when connecting the phone to your computer
On Windows you should then have a folder in C:\Program Files (x86)\OnePlus USB Drivers\Android with the platform tools (ADB.exe and Fastboot.exe) you will need, you can obviously copy the content from that folder somewhere else if you wish.
Connect your phone to your computer
Copy your rooted boot image to the folder that has adb.exe and fastboot.exe
Open a command window on your computer by right clicking in that folder and choosing Open command window here
In the command window, Type or copy/paste the command ADB devices and press enter
If you see a prompt on your phone to allow the computer connection then accept it, better still, tell it to allow from now on also.
You should see a string of characters shown in the command window, if you don't see that, then try another cable or re-install your drivers and reboot the computer.
Reboot your phone into Fastboot either by using ADB on your computer ( ADB Reboot Fastboot ) or by enabling Advanced reboot in your developer options in settings and then hold down the power button and use the 3 dot menu on the top right and choosing "Bootloader"
In the command window type Fastboot Boot <filename.img> i.e. Fastboot Boot rooted_boot.img and press enter
You should see a couple of lines in the command window telling you it's copying over to the phone, don't worry it's not being flashed or replacing your existing installed boot image
The phone should then restart and boot using the image from your computer, it will be a slightly slower boot than usual, your existing unlock method should still work
Launch the Magisk app, it should already have root access because the boot image you've used is already rooted
Go to Install under the top Magisk section
Choose Direct Install (Recommended)
Magisk will then apply root access to the boot image on the actual phone
You will be prompted to reboot the phone on the bottom right, do this to complete the process
You don't need the phone connected to your computer anymore as the installed boot image on the phone should now have root access
You can check for root either using any app which requires root or by using an app like Root Checker
Remember to empty the contents of payload_input and payload_output once you have finished, leaving them ready for any future rom versions
4. To retain root access after ROM/OTA update :
Install the update either from Oxygen Updater or from Settings > System > System updates
DO NOT REBOOT when prompted
Go to the Magisk app
Go to Install under the top Magisk section
Choose Install to Inactive Slot (After OTA)
Magisk will apply root to the newly installed boot image for the next version
Reboot when prompted by the Magisk app
The phone should reboot into the updated version with root already applied

Very nice write up! Hopefully many will read this and follow instructions. Too many threads being created with issues because they never bother to read.

Quick question as this is my first OnePlus device.
Will I lose root after a system update and will have to do it all over again?

Levi4cyber said:
Quick question as this is my first OnePlus device.
Will I lose root after a system update and will have to do it all over again?
Just added a new section to my original post for this.

Does flashing magisk change anything in encryption?
Does it wipe anything?

How do I get my ROM to extract the boot img?

Levi4cyber said:
Does flashing magisk change anything in encryption?
Does it wipe anything?
No and No

Levi4cyber said:
How do I get my ROM to extract the boot img?
Read the first post.

djsubterrain said:
Read the first post.
I'm asking where to get my ROM file, in order I should be able to extract the boot img?
A link? Somewhere on my phone?

Levi4cyber said:
I'm asking where to get my ROM file, in order I should be able to extract the boot img?
A link? Somewhere on my phone?
It's pinned at the top of the entire forum :
[OnePlus 9 Pro][ROM][OTA][Oxygen OS] Repo of Oxygen OS Builds
As OnePlus doesn't always provide download links for all of their OxygenOS ROMs & OTA update zips, we've created an index to put the links in one post so that they're easy to find. Note: This is not a support thread for issues you may have with...
forum.xda-developers.com
They're also posted on OnePlus's site (eventually) :
Software Upgrade - OnePlus.com
Get the latest OxygenOS updates for your device.OxygenOS is always evolving. Learn about the latest features and improvements, and get even more out of your device.
www.oneplus.com
Make sure the version matches the one you're using

I updated to latest version 11.2.4.4.LE15AA
Since there's nowhere to download the OTA package and extract the boot img, can I use the boot img of a lower version - 11.2.2.2 ?

Levi4cyber said:
I updated to latest version 11.2.4.4.LE15AA
Since there's nowhere to download the OTA package and extract the boot img, can I use the boot img of a lower version - 11.2.2.2 ?
No, definitely not.
Try Oxygen Updater in advanced mode, it should let you download the full rom.
If you were already rooted though, you should've been able to retain it by following the last section in my original post.
If not, then follow the first 2 sections

djsubterrain said:
No, definitely not.
Try Oxygen Updater in advanced mode, it should let you download the full rom
Since I'm completely new to OP, is Oxygen updater an app (if yes, is it this; https://play.google.com/store/apps/details?id=com.arjanvlek.oxygenupdater)? Or is it built into the phone?

Levi4cyber said:
Since I'm completely new to OP, is Oxygen updater an app (if yes, is it this; https://play.google.com/store/apps/details?id=com.arjanvlek.oxygenupdater)? Or is it built into the phone?
I've linked it, it's not a default app

djsubterrain said:
No, definitely not.
Try Oxygen Updater in advanced mode, it should let you download the full rom.
If you were already rooted though, you should've been able to retain it by following the last section in my original post.
If not, then follow the first 2 sections
In the oxygen updater app, if I select "full update" in update method it only gives me version 11.2.2.2., if I select "incremental update", it lets me download 11.2.4.4, and when I unzipped it I have a file payload.bin (it's only 105MB).
Should I use that? Or do I need a full OTA package to extract the boot IMG?

Levi4cyber said:
In the oxygen updater app, if I select "full update" in update method it only gives me version 11.2.2.2., if I select "incremental update", it lets me download 11.2.4.4, and when I unzipped it I have a file payload.bin (it's only 105MB).
Should I use that? Or do I need a full OTA package to extract the boot IMG?
Are you choosing the correct OnePlus 9 Pro? It'll show you different variants under the model lookup.
To be honest, If I get the update pushed via OnePlus I always copy/paste it somewhere else cos I think it gets deleted once the upgrade is done.
If you extract the payload.bin and it shows a boot.img then that should suffice. I think it should be around 105MB (I'm on my work PC at the moment so can't check)
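
Added example (not part of any post in this thread): whether a small payload.bin like the 105MB one discussed above is a full or an incremental update is recorded in the payload's own manifest, where partition entries that carry `old_partition_info` are diffs against the previously installed image rather than complete images. The Python below reads the `CrAU` header and the manifest fields as numbered in AOSP's update_metadata.proto; the function names are hypothetical and the sample bytes are constructed.

```python
import struct

MAGIC = b"CrAU"  # update_engine payload magic


def read_varint(buf, pos):
    """Decode one protobuf varint at pos; return (value, next_pos)."""
    value = shift = 0
    while True:
        if pos >= len(buf):
            raise ValueError("truncated varint")
        byte = buf[pos]
        pos += 1
        value |= (byte & 0x7F) << shift
        if not byte & 0x80:
            return value, pos
        shift += 7


def fields(buf):
    """Yield (field_number, wire_type, value) for every field in a message."""
    pos = 0
    while pos < len(buf):
        key, pos = read_varint(buf, pos)
        number, wire = key >> 3, key & 7
        if wire == 0:                      # varint
            value, pos = read_varint(buf, pos)
        elif wire == 2:                    # length-delimited
            length, pos = read_varint(buf, pos)
            if pos + length > len(buf):
                raise ValueError("truncated field")
            value, pos = buf[pos:pos + length], pos + length
        elif wire in (1, 5):               # fixed 64 / fixed 32
            size = 8 if wire == 1 else 4
            value, pos = buf[pos:pos + size], pos + size
        else:
            raise ValueError(f"unsupported wire type {wire}")
        yield number, wire, value


def inspect_payload(data):
    """Summarise a payload.bin header and manifest without extracting anything."""
    if len(data) < 24 or data[:4] != MAGIC:
        raise ValueError("not an update_engine payload (no CrAU magic)")
    # Header: magic, u64 version, u64 manifest size, u32 signature size (big-endian)
    version, manifest_size, _sig_size = struct.unpack(">QQI", data[4:24])
    if version != 2:
        raise ValueError(f"unsupported payload version {version}")
    manifest = data[24:24 + manifest_size]
    if len(manifest) != manifest_size:
        raise ValueError("truncated manifest")
    info = {"minor_version": 0, "partitions": {}}
    for number, wire, value in fields(manifest):
        if number == 12 and wire == 0:     # minor_version (0 = full payload)
            info["minor_version"] = value
        elif number == 13 and wire == 2:   # repeated PartitionUpdate
            name, entry = "?", {"size": None, "needs_source": False}
            for n, w, v in fields(value):
                if n == 1 and w == 2:      # partition_name
                    name = v.decode("utf-8", "replace")
                elif n == 6 and w == 2:    # old_partition_info => delta entry
                    entry["needs_source"] = True
                elif n == 7 and w == 2:    # new_partition_info
                    for n2, w2, v2 in fields(v):
                        if n2 == 1 and w2 == 0:
                            entry["size"] = v2
            info["partitions"][name] = entry
    info["incremental"] = info["minor_version"] != 0 or any(
        p["needs_source"] for p in info["partitions"].values())
    return info


# --- constructed sample input (header + manifest only, no image data) ---
def _varint(n):
    out = bytearray()
    while True:
        byte, n = n & 0x7F, n >> 7
        out.append(byte | (0x80 if n else 0))
        if not n:
            return bytes(out)


def _ld(number, body):
    """Encode a length-delimited protobuf field."""
    return _varint(number << 3 | 2) + _varint(len(body)) + body


def build_sample(incremental):
    """Build a constructed payload; the minor_version value 7 is a sample."""
    manifest = _varint(12 << 3) + _varint(7 if incremental else 0)
    for name, size in (("boot", 192 << 20), ("system", 1 << 30)):
        part_info = _varint(1 << 3) + _varint(size)      # PartitionInfo.size
        part = _ld(1, name.encode())
        if incremental:
            part += _ld(6, part_info)
        part += _ld(7, part_info)
        manifest += _ld(13, part)
    return MAGIC + struct.pack(">QQI", 2, len(manifest), 0) + manifest


if __name__ == "__main__":
    for kind in (False, True):
        print(inspect_payload(build_sample(kind)))
```

On a real file, pass the first few megabytes of payload.bin to `inspect_payload`; the manifest sits directly after the 24-byte header.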

Thanks. I'm on the T-Mobile version of the OnePlus 9 Pro, technically my phone is currently on "11.2.2.2.LE5ACB" and the one on OnePlus's support site is "11.2.2.2.LE15AA". I'm not sure the difference but I assume T-Mobile bloatware. Hopefully they didn't do anything else to make the phone work "slightly better" on their network.
I'm not sure if the boot.img I extracted from 11.2.2.2.LE15AA will work with my currently-installed "11.2.2.2.LE5ACB"; any ideas?
Might be better to create a boot.img from my existing version and patch that. Do you know the dd command for me to just create the boot.img from my existing partition? In the past with other phones I've done something like "dd if=/dev/block/mmcblk0 of=/storage/sdcard1/boot.img bs=4096 count=4096 skip=7552" or "dd if=/dev/block/bootdevice/by-name/boot of=boot.img" but I don't know which partition on the OnePlus 9 Pro to image. Any ideas?
--- Update 1 ---
Code:
OnePlus9ProTMO:/ $ ls -l /dev/block/bootdevice/by-name/*boot*
lrwxrwxrwx 1 root root 16 1970-01-20 02:38 /dev/block/bootdevice/by-name/boot_a -> /dev/block/sde16
lrwxrwxrwx 1 root root 16 1970-01-20 02:38 /dev/block/bootdevice/by-name/boot_b -> /dev/block/sde43
lrwxrwxrwx 1 root root 16 1970-01-20 02:38 /dev/block/bootdevice/by-name/vendor_boot_a -> /dev/block/sde28
lrwxrwxrwx 1 root root 16 1970-01-20 02:38 /dev/block/bootdevice/by-name/vendor_boot_b -> /dev/block/sde55
lrwxrwxrwx 1 root root 16 1970-01-20 02:38 /dev/block/bootdevice/by-name/vm-bootsys_a -> /dev/block/sde24
lrwxrwxrwx 1 root root 16 1970-01-20 02:38 /dev/block/bootdevice/by-name/vm-bootsys_b -> /dev/block/sde51
Then looking at my active mounts I saw this:
Code:
OnePlus9ProTMO:/ $ mount | egrep "sde16|sde43|sde28|sde55|sde24|sde51"
/dev/block/sde51 on /vendor/vm-system type ext4 (ro,seclabel,nosuid,nodev,relatime)
Which indicates that I'm on the "b" side. So I would want to create a boot.img from `/dev/block/bootdevice/by-name/vendor_boot_b` potentially. So this command "should" work, right?
Code:
dd if=/dev/block/bootdevice/by-name/vendor_boot_b of=/sdcard/Download/stock_boot.img
I might try that instead of the boot.img I extracted from 11.2.2.2.LE5ACB since it doesn't technically line up with the T-Mobile supplied ROM version.
--- Update 2 ---
Yeah, that didn't work. Turns out dd needs to be elevated to do its thing. Got a "Permission denied" when I tried to create the image. So yeah, ironically I need root to run said command and that's why I was trying to run the command, to get the boot.img to root. lol. oh well.
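
Added example, not part of the post above: the by-name listing shows both boot_* and vendor_boot_* partitions, and the two image types carry different header magics (`ANDROID!` versus `VNDRBOOT`), so a partition dump or an extracted .img can be identified before it is handed to Magisk or `fastboot boot`. The Python below also decodes the boot header's packed OS version and security patch level and hashes the file; the function names are hypothetical and the sample headers are constructed.

```python
import hashlib
import struct

BOOT_MAGIC = b"ANDROID!"
VENDOR_BOOT_MAGIC = b"VNDRBOOT"


def pack_os_version(a, b, c, year, month):
    """Build the 32-bit os_version field (used here only for sample data)."""
    return ((a << 14 | b << 7 | c) << 11) | ((year - 2000) << 4 | month)


def decode_os_version(raw):
    """Split the packed os_version field into (android_version, patch_level).

    Upper 21 bits: A.B.C at 7 bits each. Lower 11 bits: (year - 2000) in
    7 bits, then the month in 4 bits. A zero field means "not set".
    """
    if raw == 0:
        return None, None
    version, patch = raw >> 11, raw & 0x7FF
    return (f"{(version >> 14) & 0x7F}.{(version >> 7) & 0x7F}.{version & 0x7F}",
            f"{2000 + (patch >> 4)}-{patch & 0xF:02d}")


def identify_image(data):
    """Classify an image by header magic and report what its header states."""
    info = {"kind": "unknown", "header_version": None, "os_version": None,
            "patch_level": None, "sha256": hashlib.sha256(data).hexdigest()}
    magic = data[:8]
    if magic == BOOT_MAGIC:
        if len(data) < 48:
            raise ValueError("truncated boot image header")
        # header_version sits at offset 40 in every boot header layout
        (header_version,) = struct.unpack_from("<I", data, 40)
        # v0-v2 keep os_version at offset 44; v3 and later moved it to offset 16
        (raw,) = struct.unpack_from("<I", data, 16 if header_version >= 3 else 44)
        os_version, patch_level = decode_os_version(raw)
        info.update(kind="boot", header_version=header_version,
                    os_version=os_version, patch_level=patch_level)
    elif magic == VENDOR_BOOT_MAGIC:
        if len(data) < 12:
            raise ValueError("truncated vendor_boot header")
        (header_version,) = struct.unpack_from("<I", data, 8)
        info.update(kind="vendor_boot", header_version=header_version)
    return info


# --- constructed sample headers (no kernel or ramdisk content) ---
def build_boot(header_version, os_version_raw):
    if header_version >= 3:
        # magic, kernel_size, ramdisk_size, os_version, header_size,
        # 16 reserved bytes, header_version
        header = struct.pack("<8s4I16xI", BOOT_MAGIC, 0x2000000, 0x1000000,
                             os_version_raw, 1580, header_version)
    else:
        # magic, 8 size/address words (page_size last), header_version, os_version
        header = struct.pack("<8s8I2I", BOOT_MAGIC, 0x2000000, 0, 0x1000000,
                             0, 0, 0, 0, 4096, header_version, os_version_raw)
    return header.ljust(4096, b"\0")


def build_vendor_boot(header_version):
    return struct.pack("<8sI", VENDOR_BOOT_MAGIC, header_version).ljust(4096, b"\0")


if __name__ == "__main__":
    sample_version = pack_os_version(11, 0, 0, 2021, 5)   # constructed values
    for blob in (build_boot(3, sample_version), build_vendor_boot(3), bytes(64)):
        print(identify_image(blob))
```

For a real file, read it with `open(path, "rb").read()` and compare the reported version and patch level with the build installed on the phone before patching.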

Thank you very detailed.

When I click on the payload_pumper.exe file, the cmd window flashes and nothing else happens.

glitchsys said:
Turns out dd needs to be elevated to do its thing.
Try watching this, man, I think this is exactly what you are missing:
Code:
https://www.youtube.com/watch?v=DyUainEJwLM

Related

[HOW TO] Extract Rom.zip From RUU

Extracting ROM files from HTC RUU
Official HTC ROM updates are released as RUU (ROM Update Utility), which you run on your (Windows) PC to get the target device updated automatically.
Some of the big brains in the Android community release RUUs re-packaged into signed update files,
which in turn allow for whatever ROM customization you can imagine.
In this how to I will explain how to extract ROM files from a RUU image,
which you can then customize and use to flash your device without the fear of a new bootloader possibly making your device unrootable.
Requirements :
Windows PC,
Microsoft Process Monitor,
File Archiver capable of extracting ZIP files(eg, 7ZIP),
Official HTC RUU for your Android device.
The process of extracting ROM files from a RUU is really straightforward.
The idea behind it is that the self-contained update utility first needs to unpack the update payload into a temporary folder before pushing it onto the device.
This is when we grab the ROM file...
1. download the official RUU
2. start Process Monitor.
3. press CTRL+L
4. change "Architecture" to "Process Name"
5. leave the "is" field as it is
6. in the empty field copy and paste the name of your
RUU file (eg, RUU_Ace_Sense30_S_HTC_WWE_3.12.405.1_Radio_12.65.60.29_26.14.04.28_M_release_225512_signed.exe)
7. click "Add"
8. change "Process Name" to "Path"
9. change "is" to "Contains"
10. in the blank field type "rom.zip" (without quotes)
11. click add
Click "OK" to set the filter and then run the RUU file.
Once the utility starts switch back to Process Monitor and look for an entry in the "Path" column that ends with "\rom.zip".
Right click on that line and select "Jump to..."
this will open a Windows Explorer window in the folder which contains the zipped ROM files
Copy the "rom.zip" file to some other folder, outside of the temp RUU folder tree (eg, desktop)
Once copied, close Process Monitor and the RUU utility.
The copied "rom.zip" file contains the following files:
android-info.txt - list of CIDs this RUU will flash to,
boot.img - root file system image,
hboot (followed by a version string) - boot-loader update,
radio.img - radio driver update,
recovery.img - recovery partition image,
splash1_Hero_320x480.nb0 - boot loader splash image,
system_rel.img - system partition image,
userdata.img - data partition image.
You can now, among many other things, root the ROM
and then flash the updated boot.img and all the other image files on to your device using Recovery
it doesn't work... the process monitor column is all blank after running RUU... there are no processes listed
munnibhai said:
it doesn't work... the process monitor column is all blank after running RUU... there are no processes listed
you must be doing something wrong, I double checked the method and it still works fine for me..
make sure your environment is set up correctly and run everything as administrator or disable UAC in Windows..
thanks for the reply, let me check it again...
i will post back to u
rom.zip corrupted
I followed the directions and like another post in here procmon shows a blank screen. I went to task manager and opened processes and saw when it ran then clicked open file location and found it. I did this twice and both zips are corrupt. (used winzip)
error [D:\android apps\EVO root\EVO\rom.zip]: start of central directory not found; Zip file corrupt.
Possible cause: file transfer error
when I close the RUU all the files in that folder disappear so you have to leave the RUU running while you copy the zip file or it's gone.
At least that's what I saw.
update to last post
I found a zip repair tool and was able to repair and extract the 1.10.653.2 RUU rom capture. I will have to try to run it later. If anyone gets corrupted zip error, Zip Repair pro will repair it.
To get the rom zip without any errors just run the ruu.exe file, when the box with a picture of a phone pops up, click start on pc, type in "run" and click on run then in that box that pops up, type in %temp% and click ok. Another window pops up then just scroll down to the most recent folder and rom.zip will be in there, if not it will be in the next folder.
Hi,
when I try to open the rom.zip I get an error message, it just said it cannot open with 7zip and with windows it says its invalid.
I tried downloading the RUU multiple times but still the same error. I run the RUU as administrator.
Tried copying it over to different locations and then open it.
RUU_ENRC2B_U_JB_45_O2_UK_1.14.206.13_Radio_3.1204.167.31_release_289474_signed
HTC ONE X+
Thank you
Update:
I used Zip Repair Pro.. however there is no boot.img inside the repaired zip -_-
For those who have problems making Process Monitor detect the RUU temp folder, make sure you add the whole file name of the RUU, including .exe at the end.
Jmcclue's steps, work perfectly, Thank you post #7
htc RUU Rom
this is good working 100% thank you :good:
i_4_u89 said:
this is good working 100% thank you :good:
no problem and please instead of saying thanks please remember to hit the thanks button on threads first post..
works great, too bad you can't open the zip file
jpwhre said:
works great, too bad you can't open the zip file
You can open the zip. Go back a page n try the way i said.
jmcclue said:
You can open the zip. Go back a page n try the way i said.
note path is desktop (last post showed from temp folder) and I still get same results. did some searching and apparently htc now signs their zip files and they can't be opened anymore. having usb issues that causes fastboot force close errors and need to be able to flash boot.img thru flashify app to return it to stock. ran the htcguru reset rom that uses aroma installer to return to stock that lets me take ota's but I get qualcom location force close and other custom roms give me issues forcing me to reset phone to stock every few days with guru installer. flashing recovery in fastboot is a chore as well. I have s-off and can keep it, but doing fastboot oem lock won't relock the bootloader, even though it shows success in cmd line. I can cid and super cid with fastboot.
it leaves me at a point where I really need to pull everything out of the rom.zip file and it won't open.
pic 1, 7zip wont open archive on desktop
pic 2, how i get recovery to flash
pic 3, results from running RUU
I have to reboot device, set command to reboot bootloader, set command to flash recovery all faster than phone will do all commands to get it to flash, and RUU doesn't work that fast. I know I'm on sprint with htc one m7, but google search "extract htc zip" "extract rom.zip" both lead to this thread as top result. no other searches will tell me how to open the archive, except one that resulted in "htc signed zips can no longer be opened"
you're more than welcome to give it a go
http://forum.xda-developers.com/showthread.php?t=2795856 Sprint_HTC_One_m7wls_5.05.651.2_RUU.exe
Did HTC change the way they create the exe? I don't find it, the biggest file is data1.cab file that I can't extract.
I'm trying to extract the stock rom for an ATT HTC One Mini (m4) because RUU keeps crashing on me and won't install. I am also rooted with S-off.
If anybody can help me get the stock m4 rom so I can go back to stock, I would really appreciate it.
SyPete said:
Did HTC change the way they create the exe? I don't find it, the biggest file is data1.cab file that I can't extract.
I'm trying to extract the stock rom for an ATT HTC One Mini (m4) because RUU keeps crashing on me and won't install. I am also rooted with S-off.
If anybody can help me get the stock m4 rom so I can go back to stock, I would really appreciate it.
No they didn't change it. Some ruu's use a different format requiring the use of a tool called unruu instead of trying to capture the zip file when using the exe (I just learned this today). I've gone ahead and used unruu and the resulting zips have been put in a single tar file. you can download it from here for about 30 days after which I'll have to delete the file. also I don't know which zip has what in it.
hi
master how to open Zip firmware !!?
i want to open zip firmware (PM60IMG.zip Desire 400)with 7zip ! but shows below error :
"can not open file PM60IMG.zip az archive "
how to pass this encryption ?
gandolf007 said:
hi
master how to open Zip firmware !!?
i want to open zip firmware (PM60IMG.zip Desire 400)with 7zip ! but shows below error :
"can not open file PM60IMG.zip az archive "
how to pass this encryption ?
https://github.com/kmdm/ruuveal/tree/f4936338f19841c75edafbe7e622242105cb39aa

[Guide] Root Oppo F1s(A1601) + SuperSU without custom recovery or unlocked bootloader

EDIT: This root method has been outdated, see the newer guide instead https://forum.xda-developers.com/android/general/tutorial-root-oppo-f1s-flashtool-6-0-t3651220
Why I made this tutorial:
Recently some members claimed that KingRoot is not working for Oppo F1s(A1601) anymore, I assume it's because Kingroot uses cloud based root method, meaning Kingroot downloads root package and command from cloud and executes them on your phone. Maybe the problem was caused by the change of their server, some configuration has been replaced? At this time, I still have a working root method, so I would like to share it with everyone. Also, you can follow this guide to get rid of the superuser App from those android root exploit apps and use SuperSU.
In short, this tutorial tells:
1.How to Root Oppo F1s(A1601) with KingoRoot.(Though cloud based root App Kingroot is not working at this period but KingoRoot the offline one is still working)
2.Though KingoRoot prevents you from switching to another superuser App, we can still replace it with SuperSU in a few steps, no custom recovery needed.
****NOTE****
There are various versions of KingoRoot apk over the Internet, using the APK version I provided in the attachment can guarantee there're no unexpected errors.
The script to replace kingo root was based on the one here but with a little modification, I've added an infinite loop for the script because KingoRoot causes a forced reboot(soft reset) right after you delete root from the app, I assume it's because KingoRoot wants to prevent you from replacing it. An infinite loop can make sure the file copying action has been done before your phone reboots.
Steps to Root F1s and Install SuperSU:
1.Install android terminal from Google Play: https://play.google.com/store/apps/details?id=jackpal.androidterm
2.Download the attachment, extract the zip archive, you get an APK "KingoRoot.apk" and a folder "rmkingo", copy the APK and the folder to your Internal storage(Sdcard)
3.Use any file management App to open KingoRoot.apk and install KingoRoot.apk
4.Open KingoRoot and click "one click root" then wait it to obtain root
5.After root succeeded, Open previous installed "Terminal Emulator for Android" and type
Code:
su
Now KingoRoot's Superuser should pop up and ask you if you want to grant root access, allow it.
6.Now change terminal directory to the script folder, terminal type
Code:
cd /sdcard/rmkingo
7.Now execute the first script, terminal type
Code:
sh step0.sh
8.If there's no error on the previous action, Now proceed to execute the second script which is an infinite loop, you might see infinite error message after you executed it, terminal type
Code:
sh step1.sh
9.Now make sure the Terminal emulator is still open and the script is still running in background, just open SuperUser(installed by KingoRoot), find and click "Remove root" in the option of the App.
10.Your phone should be forced reboot now, after reboot, install SuperSU from google play: https://play.google.com/store/apps/details?id=eu.chainfire.supersu&hl=zh_TW
11.Open SuperSU and update su binary file with normal mode and wait, it should finish in 2-3 minutes.
12.Hit thanks(My pleasure)
above method has been confirmed working with the latest rom from my region,(date 2017/02/12 still working)
Rom: A1601_TW_11_A.17_161003
I am on build a1601ex_11_a27_170111
it's currently the latest update in India
sagargjasani264 said:
I am on build a1601ex_11_a27_170111
it's currently the latest update in India
Wow, Taiwan hasn't received any update since October........Looks like the rom of our region is terribly outdated,lol
A lot of people complain on oppo forum of our region why there're no updates........
Does this method work for the rom from India?
evilhawk00 said:
Wow, Taiwan hasn't received any update since October........Looks like the rom of our region is terribly outdated,lol
A lot of people complain on oppo forum of our region why there're no updates........
Does this method work for the rom from India?
kingoroot is on 90% since last 20min
---------- Post added at 12:22 PM ---------- Previous post was at 12:10 PM ----------
sorry bro but kingoroot failed...
Sorry kingoroot failed error code : 0x196514
Lyes2 said:
Sorry kingoroot failed error code : 0x196514
Hi, I assume you have to downgrade your rom. Find an older version of your rom, flash it via OPPO stock recovery and this method will work.
In my region, Taiwan's newest rom date is 2016 October, so this method works. OPPO might have fixed this CVE exploit in their new rom.
The rom I currently use can be downloaded from OPPO Taiwan website, however I'm not sure if it can work on your device, so you might need to find an older version of your region
You can try to get root with older firmware, flash twrp recovery with root app, such as rashr, then once you have twrp recovery, you can flash the new OTA update package, but be sure to modify the update package so you will not lose root after update. However, I think just sticking with older firmware will be easier
Failed
Directory not found bro
evilhawk00 said:
Hi, I assume you have to downgrade your rom. Find an older version of your rom, flash it via OPPO stock recovery and this method will work.
In my region, Taiwan's newest rom date is 2016 October, so this method works. OPPO might have fixed this CVE exploit in their new rom.
The rom I currently use can be downloaded from OPPO Taiwan website, however I'm not sure if it can work on your device, so you might need to find an older version of your region
You can try to get root with older firmware, flash twrp recovery with root app, such as rashr, then once you have twrp recovery, you can flash the new OTA update package, but be sure to modify the update package so you will not lose root after update. However, I think just sticking with older firmware will be easier
what kind of modification do you exactly need to do to the update package to not lose root after update?
ngoralph said:
what kind of modification do you exactly need to do to the update package to not lose root after update?
I made one and got root with A27, all you need is a twrp and a twrp flashable firmware zip.
Here's what I did, first I found that the TWRP by @BouyaPK did not have the same device model settings in comparison with the stock recovery, so I made a little modification to his TWRP image, now the official firmware zip can pass Device detection test.
!!Before doing it , make sure you have flashed the modified recovery(the one from attachment) to your phone, official firmware is only flashable via this modified recovery and stock recovery
Download here
View attachment OPPO_F1s_twrp3.0_modified_devicemodel.zip
this is the example with the ota update package (A19 to A27 upgrade package around 150mb via coloros update manager app)
Now lets start to modify official firmware, follow my steps:
1.extract the newest official firmware zip.
2.now open the extracted folder, navigate to \META-INF\com\google\android\
3.find the file updater-script and open it with text editor( I suggest NotePad++)
4.you'll find a lot of lines start with apply_patch(xxxxx), remove the one with this file "/system/recovery-from-boot.p"
5.(if needed) also remove boot image sha1 check, in my case I have magisk installed, my boot image does not have the same sha1 value as the stock boot image, so I found the line that checks boot.img and removed it
6.done the file edit and save the file
7.repack it back to a zip file and sign the package with test keys
How to sign?
1.Download the sign package from attachment
2.have Java installed on your PC
3.Open a terminal at the same location with the keys and signapk.jar
4.terminal type
Code:
java -jar signapk.jar -w platform.x509.pem platform.pk8 my_modified_firmware.zip my_modified_firmware-signed.zip
8. Install with TWRP; you will still have TWRP afterwards. Flash the SuperSU zip or Magisk zip.
The above is the way to modify a PATCH zip OTA file. If you are modifying a full package, it may be easier:
the full package's update script writes full images to the phone instead, so you just need to modify the image in the OTA package.
You just have to make sure the new firmware does not replace TWRP with stock recovery, so:
1. Try to extract the image in the package and modify the image file: remove files such as "recovery-from-boot.p" from the image, then rebuild the image and calculate the new SHA1 value of the new image (CarlivImageKitchen is a good tool to rebuild the image).
2. Replace the old SHA1 hash in updater-script, then repack and sign the zip.
3. Flash with TWRP.
4. Flash the SuperSU zip or Magisk zip with TWRP after the firmware flash to get root.
Can you send me a stock recovery for Oppo F1s or Color Os 3.0 version
[email protected]
I want to ask my friend to build the custom rom with latest version of TWRP.
Ananaqil12 said:
Can you send me a stock recovery for Oppo F1s or Color Os 3.0 version
[email protected]
I want to ask my friend to build the custom rom with latest version of TWRP.
If you want stock recovery image, check my reply here https://forum.xda-developers.com/showpost.php?p=71006625&postcount=26
There are no lines that say apply patch
diosdetiempo said:
There are no lines that say apply patch
As I mentioned, only the small OTA update package (smaller than 300MB) extracted from the built-in update manager app has the apply patch line.
You are using a full package, which is another situation.
If you have the full OTA firmware downloaded from the official website, you can try the following steps:
1. First make a nandroid backup of the old 5.1; make sure you can always restore your phone from the backup.
2. Flash the official firmware zip with the TWRP I attached (if any error occurs, do not reboot; restore your phone with the nandroid backup, also write down the error and see which image file does not have the matching SHA1, then calculate and modify the SHA1 on that line).
3. If step 2 succeeds, do not reboot; flash the SuperSU zip file.
4. Reboot. You may have SuperSU and your TWRP may be replaced by stock recovery; use Rashr to flash TWRP back again since you have root.
It worked!
Here's a little guide
1) Put your TWRP, SuperSU and Android 6.0 Oppo F1S ROM onto SD card
2) Use Flashify to flash TWRP
3) Reboot into TWRP recovery
4) Flash Android 6.0 F1S ROM
5) Flash SuperSU
6) Reboot phone and you should be good to go
update: the only issue i find is that SIM card isn't recognized
diosdetiempo said:
update: the only issue i find is that SIM card isn't recognized
sim card not recognized!? Sorry I can't really understand the reason of that because I don't have this problem.
Just a thought, maybe you lost baseband? Can you see your phone's IMEI number in settings? If you found null IMEI, that means you have lost your baseband, otherwise that's just something else maybe a small unknown issue, may also be the access point and protocol was not included in the 6.0 rom
If you lost your IMEI, I assume you already did the nandroid backup before, in twrp backup of NVRAM is the IMEI part, you should be able to recover your IMEI with that nvram backup
evilhawk00 said:
sim card not recognized!? Sorry I can't really understand the reason of that because I don't have this problem.
Just a thought, maybe you lost baseband? Can you see your phone's IMEI number in settings? If you found null IMEI, that means you have lost your baseband, otherwise that's just something else maybe a small unknown issue, may also be the access point and protocol was not included in the 6.0 rom
If you lost your IMEI, I assume you already did the nandroid backup before, in twrp backup of NVRAM is the IMEI part, you should be able to recover your IMEI with that nvram backup
have you tested with 6.0?
ok got it to work for a full firmware package here's what i did
1. downloaded a27 (still 5.1 since 6.0 is not stable according to some)
2. using the twrp above flashed a27
3. flashed magisk
4. flash the twrp image again in case it was overwritten by the update
NOTE: i did get an error like unable to mount dev/block/platform/...... it was fine for me
6.0 would work if the sim card issue could be fixed. i can't work it out :/
diosdetiempo said:
6.0 would work if the sim card issue could be fixed. i can't work it out :/
did you try restoring the nvram using twrp as stated before?
and did you wipe your data before flashing? i think the transition from 5.1 to 6.0 may have broken some things; read somewhere that wiping was necessary for LP to MM

[ROOT]G955U/G955U1 SnapDragon SamPWND Root IS HERE!

FINALLY!
We Present To You
SamPWND!
Root for the USA Variants of the S8 & S8 Plus Devices!
(This thread will focus only on the S8+)
This thread had been closed/locked until further notice. The thread and links should remain active and the thread has served its purpose. You will need to search the thread if you have any questions pertaining to root or any errors/issues that you are facing. The other reason I have decided to close the thread is because it has gone off topic one too many times, people like to argue and debate and MODS have had to come in here 1 too many times to clean it up so as to make life easier, I will just shut it down. Please do not bombard me with PM's for root assistance because if it has been answered in this thread already (and it most likely has) I will just direct you to search in the thread if I am able to respond at all.
ALSO, please do not utilize our firmware/root files/method without gaining permission first or I will ask for the thread to be removed/locked. Just because the thread gets closed does not mean we didn't spend a lot of time to get to this point.
Thank you and enjoy SamPWND root!
DISCLAIMER:
We are not responsible for any damage done to your device as no one is "forcing" you to root your phone! If you are not sure of how to follow instructions or use ADB then I would suggest waiting for someone to help you or that you read up on how these things work before diving head first. The ENG system is not very stable when it comes to root as well as it has a ton of tools and binaries not available on stock devices so we are not responsible if you break something while on any firmwares but especially while on the ENG firmware.
DISCLAIMER 2:
Please do not take our work and post it elsewhere. We spent a lot of time on this for people to take it and use it as if it is their own. With that being said, if you have a better process for something or find any issues/errors, please PM myself or one of the listed contributors of this root method, do NOT post it directly in the thread because it causes confusion. We know with 100% certainty the files and method presented WORK. If it is not working for someone there are a number of possible reasons why. If users start modifying our files/scripts and posting them and you decide you are going to use someone else's files/scripts, do not post in our threads asking for us to help you because we will have no idea what was modified or changed and will just tell you to use the original files.
Returning to Stock:
- It is possible to return to 100% stock and it is very EASY to do.
- This is the reason why I provide both Normal, and Comsey ODIN's.
- All you need is a full stock 4 files firmware of your choice.
- Extract those files. Open ODIN and select the 4 files in their respective slots.
* IF YOU GET ERRORS such as model mismatch, start with 1 partition at a time to find out which one is throwing the error. (In my experience, it is the BL file that causes the error.) Once you find the culprit, throw that partition into the other ODIN. (For example, the BL file is giving an error in Comsey ODIN, throw the BL file in NORMAL ODIN and flash it by itself.)
* Typically you might have to throw individual partitions into either of the ODIN's but in the end you will be back on full stock firmware.
What doesn't work while rooted?
- On ANY ROOTED device, anything that utilizes "SafetyNet" will NOT work.
- Magisk and/or SuHide will NOT work. Our bootloader is still locked and these two modify the boot.img which would cause our devices to not boot up and having to start the root process over again, you have been warned!
- Systemless root also does NOT work. Again, this patched the boot.img which we cannot do because of our locked bootloader.
- Battery currently only charges to 80%. There are a few that feel it legit doesn't charge fully but others are claiming they get the same amount of life as they did with a 100% battery so the 80% might just be a visual issue or "fake" when it is really at 100%. Either way, we are still looking into this.
Main Contributors:
@elliwigy
@Harry44
@akiraO1
@BotsOne
@GSMCHEN
@jrkruse (for uploading system.img.ext4 and his root zip for the part 2 instructions)
@V0idst4r (for help in creating a "1 click" method for part 1!)
Initial Description on the process:
We are essentially flashing a modified 4 file firmware package in ODIN and then utilizing a few binaries in conjunction with SU binary and a permissive kernel. We will then be running some ADB commands and in order to have a fully working, amazing root with all things working we will be utilizing a stock system.img & a root script in conjunction with Flashfire. If you want to know all the technical details, you can take apart the files if you would like. It is released, so it is no longer a secret!
PART 1 Instructions: NEW
Flashing SamPWND 4 Files Firmware:
1) Download the PART 1 FILES Listed Below (this includes SamPWND_Root.zip and Initial ODIN 4 Files FIRMWARE and ODIN's if you do not already have them.)
2) Extract the 4 Files ODIN Firmware Package (also extract the ODIN's if you do not have them already.)
3) Open Comsey ODIN and select each partition and then select the files from the 4 File Firmware Package you extracted (BL goes in BL slot, AP in AP, CP in CP & CSC in CSC.) The options you select in ODIN shouldn't matter but I typically select F. Reset Time, Auto Reboot, Re-Partition, Nand Erase All & Update Bootloader.
4) Press Start and Wait for it to Finish. Once it finishes, if it boots into stock recovery simply select "Reboot System"
Take a breather, the ODIN portion is done (unless you have to start over for some reason...)
Now the NEW Root Process:
1) Once the phone is booted up, make sure you have ADB Enabled and connected to your PC. It should have prompted you to accept USB debugging as soon as it booted up.
2) Unzip the SamPWND_Root.zip
3) Double click "step1"
4) Wait for it to finish and once it reboots and comes back on you will be rooted with SuperSU!
5) Continue to PART 2 for "EVEN BETTER ROOT"
* It is a Windows bat file so not sure if it works on MAC. If you can't run bat files, use the OLD instructions.
* The bat will take about 30 seconds to run its course. This is due to giving enough time for the remount script to mount the system as RW.
PART 1 Instructions: OLD
1) Download the PART 1 FILES Listed Below (this includes Systemroot + ADB zip, Initial ODIN 4 Files FIRMWARE and ODIN's if you do not already have them)
2) Extract the 4 Files ODIN Firmware Package, Also extract the ODIN's if you don't have them already.
3) Open Comsey ODIN and select each partition and then select the files from the 4 File Firmware Package you extracted (BL goes in BL slot, AP in AP, CP in CP & CSC in CSC.) The options you select in ODIN shouldn't matter but I typically select F. Reset Time, Auto Reboot, Re-Partition, Nand Erase All & Update Bootloader.
4) Press Start and Wait for it to Finish. Once it finishes, if it boots into stock recovery simply select "Reboot System"
Take a breather, the ODIN portion is done (unless you have to start over for some reason...)
Now the ADB Process to actually Root:
1) Extract the Systemroot + ADB zip listed below in an easy to find directory.
2) Make sure phone is connected to PC and ensure USB Debugging is enabled.
3) In the folder you extracted, you should see a "cmd-here" file. Double click it and it should open up an ADB cmd window.
4) Now we will start with the ADB commands:
- Type
Code:
adb push systemroot /data/local/tmp
What it will look like:
C:\Users\Thomas\Desktop\Minimal ADB and Fastboot>adb push systemroot /data/local/tmp
/data/local/tmp/systemroot/: 8 files pushed. 0 files skipped. 10.0 MB/s (7072263 bytes in 0.673s)
- Type
Code:
adb shell chmod -R 7777 /data/local/tmp
What it will look like:
C:\Users\Thomas\Desktop\Minimal ADB and Fastboot>adb shell chmod -R 7777 /data/local/tmp
C:\Users\Thomas\Desktop\Minimal ADB and Fastboot>
- Type
Code:
adb shell setsid su
What it will look like:
C:\Users\Thomas\Desktop\Minimal ADB and Fastboot>adb shell setsid su
(It will be blank with the blinking cursor, move to next step)
- Type
Code:
id
(you should at this point see that you are in a root shell!)
What it will look like:
id
uid=0(root) gid=0(root) groups=0(root),1004(input),1007(log),1011(adb),1015(sdcard_rw),1028(sdcard_r),3001(net_bt_admin),3002(net_bt),3003(inet),3006(net_bw_stats),3009(readproc) context=u:r:shell:s0
- Type
Code:
echo /data/local/tmp/systemroot/remount2.sh > /sys/kernel/uevent_helper
What it will look like:
echo /data/local/tmp/systemroot/remount2.sh > /sys/kernel/uevent_helper
(Again, it will be blank with a blinking cursor after you type the command in, move to next step)
- WAIT ABOUT 30 SECONDS BEFORE MOVING TO THE NEXT COMMAND
- Type
Code:
mount
(you should now see rw next to rootfs and system partitions)
What it will look like:
mount
(After we type in mount, we are looking for the below two items to say rw like they do in the next two lines)
rootfs on / type rootfs (rw,seclabel,size=1586716k,nr_inodes=396679)
/dev/block/sda19 on /system type ext4 (rw,seclabel,relatime)
- Type
Code:
sh /data/local/tmp/systemroot/root.sh
What it will look like:
sh /data/local/tmp/systemroot/root.sh
rm: /system/bin/install-recovery.sh: No such file or directory
cp: /system/bin/.ext/.su: No such file or directory
chmod: /system/bin/.ext/.su: No such file or directory
chcon: /system/bin/.ext/.su: No such file or directory
touch: '/data/.supersu': Permission denied
/data/local/tmp/systemroot/root.sh[55]: can't create /data/.supersu: Permission denied
chmod: /data/.supersu: No such file or directory
C:\Users\Thomas\Desktop\Minimal ADB and Fastboot\NEWSAMPWNDFILES>
5) If you followed all of the above commands to the T, your device will reboot and you will have SuperSU installed.
6) Install Flashfire from the Play Store.
7) Up to this point, you are on an ENG system.img with root that doesn't function the way we would like it to. This means you will feel a vibrate every time you try to gain SU access as well as it will take quite a while for an SU prompt. You can stay on this root if you would like to experiment with the ENG system, but outside of that I would HIGHLY recommend you proceed to the STEP 2 PROCESS.
PART 2 Instructions:
1) Download the PART 2 FILES listed below (this includes the system.img.ext4 and the add CSC Systemroot zip both provided courtesy of @jrkruse , view post #195 for specifics on what these are but essentially they are stock QD2 system.img and the zip has multi CSC, root, and a bunch of other goodies!)
2) Extract the System.img.ext4 zip and place that actual "system.img.ext4" onto the Internal SD Card (might work from external but some users have reported issues with Chainfire's root.zip and FF with external sd cards, this is not a fault of the SamPWND files/process.)
3) Place the entire Add CSC Systemroot zip onto Internal or External SD Card (THIS FILE DOES NOT NEED TO BE UNZIPPED, THROW THE WHOLE ZIP FILE ONTO SD CARD OR INTERNAL)
4) Open Flashfire and grant it root when it prompts you. IF FLASHFIRE IS NOT LOADING FILES AND YOU JUST SEE A CIRCLE OR LIKE ITS CONSTANTLY LOADING, PUT THE PHONE IN AIRPLANE MODE AND THEN GO BACK INTO FLASHFIRE AND THE FILES SHOULD NOW APPEAR.
5) Press the + sign and select "Flash Firmware Package" & navigate to where you placed the system.img.ext4 and select it
6) Press the + sign and select "Flash ZIP or OTA" & navigate to where you placed the Add CSC Systemroot zip and select it, select Mount System as r/w
7) Press the + sign and select "Wipe" and select System data, 3rd party apps, Dalvik cache, Cache partition, Cache Partition format
8) Now, long press on "Wipe" and make sure it is on the top by dragging it. The order should be Wipe, Flash Firmware Package & finally Flash ZIP or OTA
9) Make sure the "Everoot" is disabled!
10) Flash away!
If you followed all of PART 1, then followed all of PART 2, then you will be updated to QD2, rooted with busybox (and have some other goodies) and the phone will be running great! Root will be stable and snappy as ever. Adaway, Root Checker, V4A etc. etc. are now all possible.
XDA:DevDB Information
S8 Plus SamPWND ROOT, ROM for the Samsung Galaxy S8+
Contributors
elliwigy
ROM OS Version: 7.x Nougat
ROM Kernel: Linux 4.x
ROM Firmware Required: Android 7.0, Any Current Firmware
Based On: Stock Touchwiz
Version Information
Status: Beta
Current Stable Version: 1
Stable Release Date: 2017-08-19
Current Beta Version: 1
Beta Release Date: 2017-08-19
Created 2017-08-19
Last Updated 2017-08-19
DOWNLOADS SECTION:
PART 1 FILES:
SamPWND_Root.zip
https://mega.nz/#!8YcgTSwI!hIfbdJZ466sr1AyfiHLdtr1p-To0QdthTPDmVwtv0dc
Initial ODIN 4 Files FIRMWARE
https://mega.nz/#!5cUjnCwK!Zgw5_CaINbES08gwDzl7yMN0N4nzm56Fa12ow-gppKA
Mirror: https://www.androidfilehost.com/?fid=961840155545589828
AFH MD5: 73720c409782b751355b9443a003a6e8
Normal + Comsey ODIN
https://mega.nz/#!cFN2DD4C!I7AT4TgNSzBp7Py0UhC7pHZ0M4WDQhEC5qj2xD_qluM
Systemroot + ADB zip - OLD
https://mega.nz/#!1MVDhZxQ!Wd4Umvju1sS1DAe-jBcTue9NKSJ4co0I2gwiyC3c2pE
PART 2 FILES: (Potentially will be providing a rom.zip soon that will have latest updated U1 with multi CSC pre-rooted with other goodies)
system.img.ext4
https://www.androidfilehost.com/?fid=817550096634794132
Add CSC Systemroot
https://www.androidfilehost.com/?fid=745425885120757028
For more info on these files please see @jrkruse post located here:
https://forum.xda-developers.com/showpost.php?p=73489978&postcount=925
THANK HIM WHILE YOU'RE AT IT!
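From the defensive side, the three device states the old PART 1 procedure above produces (rw on rootfs and /system in the mount output, a uid 0 shell still in the shell SELinux context, and a non-empty /sys/kernel/uevent_helper) can be checked from captured command output. This is an added example, not part of the original post or the SamPWND files; the function names are hypothetical, the "stock" samples are constructed, and treating read-only mounts and an empty helper as the stock baseline is an assumption.

```python
import re

MOUNT_RE = re.compile(r"^(\S+) on (\S+) type (\S+) \(([^)]*)\)")
WATCHED_MOUNTS = ("/", "/system")  # the two mounts the post checks for rw


def rw_mounts(mount_output):
    """Return watched mount points that carry the rw option."""
    hits = []
    for line in mount_output.splitlines():
        m = MOUNT_RE.match(line.strip())
        if not m:
            continue
        _device, mountpoint, _fstype, opts = m.groups()
        if mountpoint in WATCHED_MOUNTS and "rw" in opts.split(","):
            hits.append(mountpoint)
    return hits


def root_in_shell_domain(id_output):
    """True when `id` reports uid 0 while the SELinux type is still 'shell'."""
    uid = re.search(r"\buid=(\d+)", id_output)
    ctx = re.search(r"\bcontext=(\S+)", id_output)
    if not (uid and ctx):
        return False
    parts = ctx.group(1).split(":")  # user:role:type:level
    return uid.group(1) == "0" and len(parts) >= 3 and parts[2] == "shell"


def triage(mount_output, id_output, uevent_helper):
    """Collect findings from captured `mount`, `id` and uevent_helper content."""
    findings = [f"rw:{mp}" for mp in rw_mounts(mount_output)]
    if root_in_shell_domain(id_output):
        findings.append("uid0-in-shell-domain")
    helper = uevent_helper.strip()
    if helper:
        # Any helper path is unexpected under the assumed baseline.
        findings.append(f"uevent_helper:{helper}")
    return findings


# Mount lines as shown in the post.
POST_MOUNT = """\
rootfs on / type rootfs (rw,seclabel,size=1586716k,nr_inodes=396679)
/dev/block/sda19 on /system type ext4 (rw,seclabel,relatime)
"""
# id line shortened from the one in the post (group list trimmed).
POST_ID = "uid=0(root) gid=0(root) groups=0(root),1004(input) context=u:r:shell:s0"
POST_HELPER = "/data/local/tmp/systemroot/remount2.sh\n"

# Constructed baseline samples (assumed stock state).
STOCK_MOUNT = """\
rootfs on / type rootfs (ro,seclabel,size=1586716k,nr_inodes=396679)
/dev/block/sda19 on /system type ext4 (ro,seclabel,relatime)
"""
STOCK_ID = "uid=2000(shell) gid=2000(shell) groups=2000(shell) context=u:r:shell:s0"
STOCK_HELPER = "\n"

if __name__ == "__main__":
    print(triage(POST_MOUNT, POST_ID, POST_HELPER))
    print(triage(STOCK_MOUNT, STOCK_ID, STOCK_HELPER))
```

The inputs are plain text, so they can be captured with `adb shell mount`, `adb shell id` and, where the file is readable, `adb shell cat /sys/kernel/uevent_helper`.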
@elliwigy @Harry44 @akiraO1 @BotsOne
These months these four people are very hard, and I very relaxed!! lol
Cool Job!
GSM CHEN said:
@elliwigy @Harry44 @akiraO1 @BotsOne
These months these four people are very hard, and I very relaxed!! lol
haha but we know it wouldnt be possible without you man
Damn it, if I wasn't drunk, and tired, I would get myself out of bed and do this now, lol. Thanks for all your hard work.
One thing I would suggest would be to either put the commands that need to be typed in as bold face type or, I'm not sure if it's possible on here as I'm on my phone atm, but there are Code/code tags available that will make them easier to copy and paste.
Again, thanks for this... I did not think it was going to be possible. This will be my morning present when I wake up, feels like Xmas...
theboz1419 said:
Damn it, if I wasn't drunk, and tired, I would get myself out of bed and do this now, lol. Thanks for all your hard work.
One thing I would suggest would be to either put the commands that need to be typed in as bold face type or, I'm not sure if it's possible on here as I'm on my phone atm, but there are Code/code tags available that will make them easier to copy and paste.
Again, thanks for this... I did not think it was going to be possible. This will be my morning present when I wake up, feels like Xmas...
to be honest its late haha, threw it together lol ill try to tidy it up when i get time lol
Awesome can't wait to try this out soon!
elliwigy said:
to be honest its late haha, threw it together lol ill try to tidy it up when i get time lol
You are forgiven, lol. I figured it would be out in the morning, just not this early in the morning.
You guys should have gotten some sleep you may need it after this weekend.
What a nice thing to wake up to when I'm getting ready to head to work at 530 in the morning lol. Can't wait to give this a shot once I get off work 12 hours later. Thanks for everything devs.
S8 thread will be posted tomorrow, too late to do it tonight
You guys are the ****. Thanks for all of your hard work.
Just want to know if Knox will be triggered or not? Please also add this to the first post [emoji397]
Where's the best place to get the stock firmware we might need just in case? As far as best download speed etc.
Wow,. I honestly didn't think it was possible. Amazing accomplishment ellwigy.
powerstroke said:
Where's the best place to get the stock firmware we might need just in case? As far as best download speed etc.
I got mine here... Took awhile to download... Someone gave me the link in the 955U1 thread
http://updato.com/firmware-archive-select-model?record=F6B451FD73EE11E7963AFA163EE8F90B
Also do we need to back up our EFS/Imei stuff? I know its recommended when flashing roms in recovery but our bootloader is locked.... Is there a way to back up without root?
Edit* I asked about the backup before in a previous thread but didn't get an answer.... Sorry to ask again
Techvir said:
Just want to know if Knox will be triggered or not? Please also add this to the first post [emoji397]
Knox is not triggered
Kjc99 said:
I got mine here... Took awhile to download... Someone gave me the link in the 955U1 thread
http://updato.com/firmware-archive-select-model?record=F6B451FD73EE11E7963AFA163EE8F90B
And this will work with Sprint S8+ Correct? Lastly, since the latest update which included Sprint LTE Plus calling. We will still manage to have that feature after root right? Because boy do I enjoy being able to browse the internet and being on a call at the same time again lol
powerstroke said:
And this will work with Sprint S8+ Correct? Lastly, since the latest update which included Sprint LTE Plus calling. We will still manage to have that feature after root right? Because boy do I enjoy being able to browse the internet and being on a call at the same time again lol
If you have the system.img for the latest update then correct, if not and you want those features with root you will have to download the AP and CSC from the firmware you want
powerstroke said:
And this will work with Sprint S8+ Correct? Lastly, since the latest update which included Sprint LTE Plus calling. We will still manage to have that feature after root right? Because boy do I enjoy being able to browse the internet and being on a call at the same time again lol
I have the U1 model so I'm not sure...
Edit* Deleted

[GUIDE][MAGISK]Create manual backup of stock boot.img

As it seems impossible to hotboot TWRP recovery for Magisk installation and installing TWRP only for this sole purpose is a little overkill, many people are using rooting procedure with flashing patched boot.img directly. However this does not automatically create a backup of stock boot image, which is used later for OTA updates.
It is fairly easy to create the backup manually (and hopefully Magisk developers will add this feature into Magisk Manager..).
Option 1 (ADB shell on the PC or terminal emulator on the phone):
Code:
# copy boot.img into the root of internal sdcard first
adb shell
su
cd /data/adb/magisk
./magiskboot sha1 /mnt/sdcard/boot.img
# copy the generated SHA1 checksum and use it in place of putSHA1here below
./magiskboot compress /mnt/sdcard/boot.img /mnt/sdcard/stock_boot_putSHA1here.img.gz
cp /mnt/sdcard/stock_boot_putSHA1here.img.gz /data/stock_boot_putSHA1here.img.gz
Example:
Code:
tissot_sprout:/data/adb/magisk # ./magiskboot sha1 /mnt/sdcard/boot.img
cb925c4fe36ace17b2ff94b34ddcde1e564acaaf
tissot_sprout:/data/adb/magisk # ./magiskboot compress /mnt/sdcard/boot.img /mnt/sdcard/stock_boot_cb925c4fe36ace17b2ff94b34ddcde1e564acaaf.img.gz
tissot_sprout:/data/adb/magisk # cp /mnt/sdcard/stock_boot_cb925c4fe36ace17b2ff94b34ddcde1e564acaaf.img.gz /data/stock_boot_cb925c4fe36ace17b2ff94b34ddcde1e564acaaf.img.gz
Option 2 (Windows PC with Total Commander):
Code:
1. get stock boot.img
2. calculate SHA1 of it (file, create CRC, SHA1)
3. copy calculated SHA1 to clipboard
4. rename boot.img to stock_boot_putSHA1here.img
5. zip to file, GZ
6. copy resulting file stock_boot_putSHA1here.img.gz to /data on the phone
Option 2 will generate file with slightly different size than option 1, but it works just as fine for Magisk restore function.
Option 3 (rooted phone):
Code:
1. boot phone with Magisk patched boot.img
2. get stock boot.img
3. flash stock boot.img from Franco Kernel manager app, do NOT reboot
4. Magisk Manager - install, direct install
I tested this on Mi A1, but there is probably no reason why it shouldn't work on other phones too.
Option 4 (any phone)
After patching a stock image you can find a backup image in (assuming non-hidden Manager) /data/user_de/0/com.topjohnwu.magisk/install
Source
Important note - it seems that Magisk 20.2 changed the backup structure. Backups of stock boot.img are located in /data/magisk_backup_SHA1/boot.img.gz now. Each backup has its own folder.
v20.1 and below -> /data/stock_boot_SHA1.img.gz
v20.2 -> /data/magisk_backup_SHA1/boot.img.gz
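Option 2 scripted for a PC, as an added example (not part of the original post and not Magisk's own code): it hashes boot.img, gzips it under both backup layouts listed in the note above, and re-hashes the decompressed result. The function names and the stand-in image in `demo()` are assumptions made for illustration.

```python
import gzip
import hashlib
import os
import shutil
import tempfile


def _sha1_stream(stream, chunk=1 << 20):
    digest = hashlib.sha1()
    for block in iter(lambda: stream.read(chunk), b""):
        digest.update(block)
    return digest.hexdigest()


def sha1_of_image(path):
    """SHA1 of the raw image file (what `magiskboot sha1` prints in the post)."""
    with open(path, "rb") as f:
        return _sha1_stream(f)


def sha1_of_gzip(path):
    """SHA1 of the decompressed content of a .gz backup."""
    with gzip.open(path, "rb") as f:
        return _sha1_stream(f)


def backup_relpath(sha1, magisk_20_2_or_newer):
    """Backup location relative to /data, per the two layouts quoted in the post."""
    if magisk_20_2_or_newer:
        return f"magisk_backup_{sha1}/boot.img.gz"
    return f"stock_boot_{sha1}.img.gz"


def make_backup(boot_img, out_dir, magisk_20_2_or_newer=True):
    """Write the gzip backup under out_dir and verify it round-trips."""
    sha1 = sha1_of_image(boot_img)
    rel = backup_relpath(sha1, magisk_20_2_or_newer)
    dest = os.path.join(out_dir, *rel.split("/"))
    os.makedirs(os.path.dirname(dest), exist_ok=True)
    with open(boot_img, "rb") as src, gzip.open(dest, "wb") as dst:
        shutil.copyfileobj(src, dst)
    # The file name carries the hash of the *uncompressed* image, so the
    # check is made on the decompressed bytes, not on the .gz file itself.
    if sha1_of_gzip(dest) != sha1:
        os.remove(dest)
        raise ValueError("gzip round trip changed the image; backup discarded")
    return sha1, dest


def _read(path):
    with open(path, "rb") as f:
        return f.read()


def demo():
    """Runs on a constructed 64 KiB stand-in file, not a real boot image."""
    with tempfile.TemporaryDirectory() as tmp:
        img = os.path.join(tmp, "boot.img")
        with open(img, "wb") as f:
            f.write(b"ANDROID!" + bytes(range(256)) * 256)
        sha1, old = make_backup(img, tmp, magisk_20_2_or_newer=False)
        _, new = make_backup(img, tmp, magisk_20_2_or_newer=True)
        # A second gzip producer (different level and stored name) gives
        # different .gz bytes for the same image, as Option 2 observes.
        other = os.path.join(tmp, "other_tool.gz")
        with open(img, "rb") as src, gzip.open(other, "wb", compresslevel=1) as dst:
            shutil.copyfileobj(src, dst)
        return {
            "sha1": sha1,
            "old_layout": os.path.relpath(old, tmp).replace(os.sep, "/"),
            "new_layout": os.path.relpath(new, tmp).replace(os.sep, "/"),
            "gz_bytes_differ": _read(old) != _read(other),
            "content_sha1_matches": sha1_of_gzip(other) == sha1,
        }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

Two gzip tools can produce different .gz bytes for the same image, while the SHA1 in the file name stays the same because it is taken over the uncompressed boot.img.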
Just a heads up that if you want to change the backup image to a different one you have to run magisk --path to get the path, edit the magiskpath/.magisk/config file to the new SHA1, force stop Magisk, and then restart Magisk
Note: the sbin folder does not always exist on Android 11 and up (see here).
Instead, look for a folder under /dev with a random short name. In my case it was /dev/XFmlBk/.magisk
Armand Bernard said:
Note: the sbin folder does not always exist on Android 11 and up (see here).
Instead, look for a folder under /dev with a random short name. In my case it was /dev/XFmlBk/.magisk
Holy hell, do you have any idea how long I've been searching for this very specific explanation on why I can't locate my sbin folder? Thank you!

Root guide (updated)

==== READ THIS POST BEFORE ROOTING ====
https://www.reddit.com/r/surfaceduo/comments/wn5joi/a_warning_to_wouldbe_developers_and_hobbyist/
(ORIGINAL GUIDE BELOW)
Since the last guy hasn't been updating his op, I figured I'd start a fresh thread with what we know and what to do for newcomers.
I will not be posting patched boot images in this thread, I'm a firm believer of "give you steps to follow from the top so you know what's going on and can do this yourself in the future". The more hands we have in the kitchen, the more we learn, and the better we are off as a community.
Walkthroughs for both fresh rooting and updating while rooted are both below:
==== FRESH ROOT ====
0. make sure USB debugging is on in settings > developer options
0. make sure the phone's bootloader is actually unlocked, if the below doesn't work, back up all the data on your phone because we're about to wipe it
Code:
.\fastboot.exe flashing unlock
.\fastboot.exe flashing unlock_critical
I did both, but it might only require one of the two, if you only did one and it doesn't work you may not be fully unlocked and might have to do the other. Both of these commands from the bootloader will factory reset your phone. if you've already done this, go to step 1.
1. go here https://support.microsoft.com/en-us/surface-recovery-image put in your serial number (can be found in settings) and download the latest recovery image
2. download payload_dumper from here https://gist.github.com/ius/42bd02a.../48ffe1eee59af9a7da883d9ec7902d1507428dc4.zip
3. download the latest platform-tools from here https://developer.android.com/studio/releases/platform-tools
4. extract all three zips to the same folder, a folder on your desktop is fine, mine is just the name of the current MS zip archive (2021_314_91 at time of writing and used in the below examples)
5. open powershell, and cd to that folder.
6. from the folder, run it like this
Code:
PS C:\wherever\your\****\is\2021_314_91> python.exe -m payload_dumper ./payload.bin
(this will extract a bunch of stuff, boot.img is all we care about today)
6a. if you don't have python, get it from ninite https://ninite.com/pythonx3/ and go back to step 5/6 and try again, you will likely also need to do a "pip install protobuf" to get the required python libraries for payload-dumper
7. download the latest version of magisk manager (the new magisk app may work, but I've not tested it, this is the exact version I am using on the exact phone you are using. If you feel like trying the app please report in the thread below!) https://github.com/topjohnwu/Magisk/releases/download/manager-v8.0.7/MagiskManager-v8.0.7.apk
8. install magisk manager on your phone
9. make a text file, I called mine magisk_channel.txt and put this in it
Code:
https://raw.githubusercontent.com/Lethany/magisk_files/0755a7d5f596dc2a351270120b31b665fb561294/stable.json
this is the "custom" channel we are using to force an older version of magisk that doesn't choke on our device like newer versions do.
10. use usb data transfer mode to copy the boot.img file we extracted from step 6 and the text file we created in step 8 to your phone's internal storage, I have a folder on the root of the internal storage directory called Z_Phone, but anywhere is fine as long as you know where it is and remember it later.
11. in magisk manager, click the gear in the top right and then select "update channel" > "custom channel"
12. use your duo's dank duo mode to open a file browser on the other screen, open the text file we made in step 9
13. copy and paste the custom channel text into the custom channel field under update channel in magisk so it has the text from step 9 in it. (the text file just saves us typing it out by hand)
14. go back to the magisk main screen, and click install next to "magisk"
14b. click next
14c. click "select and patch a zip file"
14d. browse to the location we uploaded boot.img to in step 9 and select boot.img
14e. click let's go
(this will create the patched boot.img, it'll be named magisk_patched_[some garbage].img)
15. open the internal storage on your PC again, and go to your phone's "downloads" folder, it'll have that patched boot.img (if you've tried this a bunch of times and don't remember which one we just made, feel free to delete all the old ones and do 14-14e again) copy this patched_boot.img to your computer, I just put it in that same folder as step 4
16. in powershell, cd back to that same working folder we've been using and run
Code:
.\adb.exe reboot bootloader
The phone will reboot to the bootloader and we can now try booting the patched image
16. in powershell, run
Code:
.\fastboot.exe boot .\magisk_patched_[WHATEVER_YOURS_IS_NAMED].img
17. if your phone boots, that's a great sign and we're out of the woods, nothing else will probably go wrong from here, if it doesn't boot factory reset your phone and start at step 0.
18. open an adb shell prompt and make our boot partitions writable with the below 4 lines, run one by one. Right now we're "rooted" but we've booted off an image over usb, what we really want is to boot off the images on your phone so we need to.
Code:
.\adb.exe shell
su
chmod 777 /dev/block/by-name/boot_a
chmod 777 /dev/block/by-name/boot_b
19. write the patched boot image to your boot partitions with the below lines, again run one by one
Code:
adb shell
su
dd if=/sdcard/[PATH TO IMAGE]/[PATCHED BOOT].img of=/dev/block/by-name/boot_a
dd if=/sdcard/[PATH TO IMAGE]/[PATCHED BOOT].img of=/dev/block/by-name/boot_b
(my patched boot image is in a folder called "Z_Phone" and my patched image is called "magisk_patched_ks4OZ.img" so my commands look like:
Code:
dd if=/sdcard/Z_Phone/magisk_patched_ks4OZ.img of=/dev/block/by-name/boot_a
dd if=/sdcard/Z_Phone/magisk_patched_ks4OZ.img of=/dev/block/by-name/boot_b
)
20. reboot your phone via the power button menu and if all went well, you're now rooted!
==== UPDATE WHILE ROOTED ====
1. go here https://support.microsoft.com/en-us/surface-recovery-image put in your serial number (can be found in settings) and download the latest recovery image
2. download payload_dumper from here https://gist.github.com/ius/42bd02a.../48ffe1eee59af9a7da883d9ec7902d1507428dc4.zip
3. download the latest platform-tools from here https://developer.android.com/studio/releases/platform-tools
4. extract all three zips to the same folder, a folder on your desktop is fine, mine is just the name of the current MS zip archive (2021_314_91 at time of writing)
5. open powershell, and cd to that folder.
6. from the folder, run it like this
Code:
PS C:\wherever\your\****\is\2021_314_91> python.exe -m payload_dumper ./payload.bin
(this will extract a bunch of stuff, boot.img is all we care about today)
7. boot off of your old magisk patched boot image
Code:
.\adb.exe reboot bootloader
.\fastboot.exe boot ..\[LAST VERSION'S FOLDER]\magisk_patched_[WHATEVER_YOURS_IS_NAMED].img
8. write the old, unpatched boot partition to your boot partitions with the below lines, again run one by one
Code:
adb shell
su
dd if=/sdcard/[PATH TO IMAGE]/boot.img of=/dev/block/by-name/boot_a
dd if=/sdcard/[PATH TO IMAGE]/boot.img of=/dev/block/by-name/boot_b
(my unpatched boot image is in a folder called "Z_Phone" and my unpatched image in this example is called "boot.img" so my commands look like:
Code:
dd if=/sdcard/Z_Phone/boot.img of=/dev/block/by-name/boot_a
dd if=/sdcard/Z_Phone/boot.img of=/dev/block/by-name/boot_b
)
9. reboot
10. run the OTA update on your now freshly stock phone
11. use magisk to patch the new boot image same as in the first root instructions (14a-14e)
12. copy this patched image off of the phone and into our working directory. leave a copy of this on the phone (I put it in my Z_Phone folder)
13. reboot to bootloader (in powershell, in that same working folder we've been using run)
Code:
.\adb.exe reboot bootloader
14. Boot your phone using the patched boot image (in powershell, run)
Code:
.\fastboot.exe boot .\magisk_patched_[WHATEVER_YOURS_IS_NAMED].img
15. write the patched boot image to your boot partitions with the below lines, again run one by one
Code:
adb shell
su
dd if=/sdcard/[PATH TO IMAGE]/[PATCHED BOOT].img of=/dev/block/by-name/boot_a
dd if=/sdcard/[PATH TO IMAGE]/[PATCHED BOOT].img of=/dev/block/by-name/boot_b
(my patched boot image is in a folder called "Z_Phone" and my patched image is called "magisk_patched_ks4OZ.img" so my commands look like:
Code:
dd if=/sdcard/Z_Phone/magisk_patched_ks4OZ.img of=/dev/block/by-name/boot_a
dd if=/sdcard/Z_Phone/magisk_patched_ks4OZ.img of=/dev/block/by-name/boot_b
)
16. reboot and you're updated and rooted!
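A sanity check to run around the dd steps above, as an added example (not from the original guide): it confirms a file is an Android boot image, decodes the OS version and security patch level from its header so they can be compared with the build shown in settings, and checks that a dump of boot_a or boot_b begins with the exact image bytes. The header and slot dumps in `demo()` are constructed, and the partition dumps are assumed to be already available as files or streams.

```python
import hashlib
import io
import struct

BOOT_MAGIC = b"ANDROID!"


def parse_boot_header(data):
    """Decode the fields of an AOSP boot image header (versions 0-4)."""
    if len(data) < 48 or data[:8] != BOOT_MAGIC:
        raise ValueError("missing ANDROID! magic: not a boot image")
    # header_version sits at offset 40 in every header layout. Very old
    # vendor images reuse this field, so unknown values are rejected.
    (header_version,) = struct.unpack_from("<I", data, 40)
    if header_version > 4:
        raise ValueError(f"unsupported header_version {header_version}")
    if header_version >= 3:
        kernel_size, ramdisk_size, os_version = struct.unpack_from("<3I", data, 8)
    else:
        kernel_size, _kernel_addr, ramdisk_size = struct.unpack_from("<3I", data, 8)
        (os_version,) = struct.unpack_from("<I", data, 44)
    info = {"header_version": header_version, "kernel_size": kernel_size,
            "ramdisk_size": ramdisk_size, "os_version": None, "patch_level": None}
    if os_version:  # 0 means the builder left the field unset
        ver, patch = os_version >> 11, os_version & 0x7FF
        info["os_version"] = f"{ver >> 14}.{(ver >> 7) & 0x7F}.{ver & 0x7F}"
        info["patch_level"] = f"{2000 + (patch >> 4)}-{patch & 0xF:02d}"
    return info


def sha256_prefix(stream, length, chunk=1 << 20):
    """SHA-256 of the first `length` bytes of a stream."""
    digest, remaining = hashlib.sha256(), length
    while remaining:
        block = stream.read(min(chunk, remaining))
        if not block:
            raise ValueError("dump is shorter than the image")
        digest.update(block)
        remaining -= len(block)
    return digest.hexdigest()


def slot_matches(image, slot_stream):
    """True if the slot dump starts with `image`; trailing bytes are ignored
    because the partition is larger than the image written into it."""
    try:
        return sha256_prefix(slot_stream, len(image)) == hashlib.sha256(image).hexdigest()
    except ValueError:
        return False


def constructed_image(header_version, payload=b"\x11" * 8192):
    """Constructed test image: a 4096-byte header page plus a dummy payload."""
    hdr = bytearray(4096)
    hdr[:8] = BOOT_MAGIC
    os_version = ((10 << 14) << 11) | ((2021 - 2000) << 4) | 5  # 10.0.0, 2021-05
    struct.pack_into("<I", hdr, 40, header_version)
    if header_version >= 3:
        struct.pack_into("<3I", hdr, 8, len(payload), 0, os_version)
    else:
        struct.pack_into("<3I", hdr, 8, len(payload), 0x8000, 0)
        struct.pack_into("<I", hdr, 44, os_version)
    return bytes(hdr) + payload


def demo():
    image = constructed_image(2)
    stale = constructed_image(2, payload=b"\x22" * 8192)
    dumps = {
        "boot_a": image + bytes(4096),  # written correctly, then padding
        "boot_b": stale + bytes(4096),  # slot still holds a different image
        "truncated": image[:1000],      # incomplete dump
    }
    results = {name: slot_matches(image, io.BytesIO(d)) for name, d in dumps.items()}
    return parse_boot_header(image), results


if __name__ == "__main__":
    info, results = demo()
    print(info)
    print(results)
```

A False for one slot while the other is True is the A/B inconsistency that comes up later in the thread.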
special thanks to Perseu5 and his original thread!
Unlocking Bootloader/ Magisk Attempt
Nice work!
NTchrist said:
special thanks to Perseu5 and his original thread!
Unlocking Bootloader/ Magisk Attempt
my magisk still shows that theres an update pending for the framework. when i try to patch the stock boot or the custom, it doesnt boot past the windows logo. im guessing the update is for Magisk 21+?
LocBox said:
my magisk still shows that theres an update pending for the framework. when i try to patch the stock boot or the custom, it doesnt boot past the windows logo. im guessing the update is for Magisk 21+?
Magisk updates are based on the git channel it's fed. Best guess is you don't have the same git repo as in the guide. If you feed it a repo link to a static version it should never be aware of any updates ever. As far as the app is concerned you're on the latest version.
On vacation until Wed, then I'll push through the new patch and update the guide
update process works successfully and is unchanged from previous versions
update process for 2021.525.62 works successfully and is unchanged from previous versions
This is incredibly helpful! I didn't even know you could unpack the payload.bin lol. I'll be doing some work in the kitchen thanks to this!
For anyone who needs it, here is a patched boot.img for ATT Locked 2021_525_63
nevergrownup said:
For anyone who needs it, here is a patched boot.img for ATT Locked 2021_525_63
Can you send the link or tell me how you were able to get the boot.img? When I try to download the factory image from MS, it is still giving me 2021.419.71.
EDIT: The new "Surface Duo - 256GB - Android 10 - ATT - 2021.525.63" recovery image is available on the "Surface Recovery Image Download" page. Thanks nevergrownup for giving me the heads up on Reddit
Is anyone on 2021.525.63 having issues? I've followed the exact guide above, as well as using the newest Magisk version & attempting to boot the patched boot.img just leads my Duo to hang on the Microsoft logo. Just want to see if anyone else has an issue or it's just me.
Thanks.
Veritas06 said:
Is anyone on 2021.525.63 having issues? I've followed the exact guide above, as well as using the newest Magisk version & attempting to boot the patched boot.img just leads my Duo to hang on the Microsoft logo. Just want to see if anyone else has an issue or it's just me.
Thanks.
when flashing stock July, my lockscreen keypad is frozen. can't unlock it to use.
LocBox said:
when flashing stock July, my lockscreen keypad is frozen. can't unlock it to use.
That's on a fresh install or after flashing the Magisk-modified boot.img?
I'm about to restore with the recovery image & start this again, in case there's some difference between OTA & recovery.
EDIT: Doing a factory reset, ADB sideload of the recovery image, creating the new Magisk boot.img, & booting still doesn't work. I'm going to try the guide's version one more time to use the older version of Magisk Manager & the custom channel, but based on previous experience, I'm not hopeful. I only bought this as a device to have fun with because it can be rooted, so I'm regretting this purchase right now =\
Veritas06 said:
That's on a fresh install or after flashing the Magisk-modified boot.img?
I'm about to restore with the recovery image & start this again, in case there's some difference between OTA & recovery.
EDIT: Doing a factory reset, ADB sideload of the recovery image, creating the new Magisk boot.img, & booting still doesn't work. I'm going to try the guide's version one more time to use the older version of Magisk Manager & the custom channel, but based on previous experience, I'm not hopeful. I only bought this as a device to have fun with because it can be rooted, so I'm regretting this purchase right now =\
I do have the factory unlocked, not the ATT version. In my experience when your lockscreen touch input is not recognized, that happens when either the boot image doesn't match the factory image, or someone has used the factory unlocked boot on an ATT phone or vice-versa.
I'd try a dirty flash of the complete applicable factory images (not just boot/recovery) and then factory reset, then start again from the top. It's possible one of your updates didn't complete or something's become inconsistent between A/B
NTchrist said:
I do have the factory unlocked, not the ATT version. In my experience when your lockscreen touch input is not recognized, that happens when either the boot image doesn't match the factory image, or someone has used the factory unlocked boot on an ATT phone or vice-versa.
I'd try a dirty flash of the complete applicable factory images (not just boot/recovery) and then factory reset, then start again from the top. It's possible one of your updates didn't complete or something's become inconsistent between A/B
Thanks. I never even got far enough to see failed touch input, but may try rooting again this weekend. I wasn't able to ever get past the MS logo on boot, after attempting to fastboot boot the Magisk-modified boot.img.
I am in the same boat as Veritas is. My Duo is from ATT and hangs on the Microsoft logo as well. I am very new to rooting and what goes into it so a lot of this stuff I am seeing for the first time. How do I know if I have the correct boot? I went through the whole process of extracting the boot image from the recovery file for my phone off of the Microsoft website. Does that get me the right boot to use?
ThrowARoot said:
I am in the same boat as Veritas is. My Duo is from ATT and hangs on the Microsoft logo as well. I am very new to rooting and what goes into it so a lot of this stuff I am seeing for the first time. How do I know if I have the correct boot? I went through the whole process of extracting the boot image from the recovery file for my phone off of the Microsoft website. Does that get me the right boot to use?
It should, yes. Unfortunately I do not have an ATT phone to test against. You'd have to have someone else in the thread confirm it works on the ATT build. About the only thing you can do is boot to stock, and check that settings>about>build number matches the images you downloaded from microsoft (2021.525.62) at time of writing
Actually in checking my settings I noticed there was a new update available, so ignore the build number above just make sure the image you download matches the image on your device
NTchrist said:
Since the last guy hasn't been updating his op, I figured I'd start a fresh thread with what we know and what to do for newcomers.
I will not be posting patched boot images in this thread, I'm a firm believer of "give you steps to follow from the top so you know what's going on and can do this yourself in the future". The more hands we have in the kitchen, the more we learn, and the better we are off as a community.
Walkthroughs for both fresh rooting and updating while rooted are both below:
Ok I am not sure what I am doing wrong and before anyone says anything is not my first or 10th phone I have rooted, first the so called image that you download from Microsoft is nothing but folders of useless text docs. and the patched magisk image in this thread says it works. I went through the whole set up it says the boot image was successfully done yet upon rebooting my device is not rooted. Can anyone help with this.
