OESF Portal | OESF Forum | OESF Wiki | LinuxPDA | #planetgemini chat on matrix.org | #gemini-pda chat on Freenode | #zaurus and #alarmz chat on Freenode | ELSI (coming soon) | Ibiblio

IPB

Welcome Guest ( Log In | Register )

4 Pages V  « < 2 3 4  
Reply to this topicStart new topic
> Rooting the Cosmo Communicator
TauPan
post Dec 9 2019, 01:25 AM
Post #46





Group: Members
Posts: 16
Joined: 9-October 19
From: Germany
Member No.: 856,957



QUOTE(ZimbiX @ Nov 21 2019, 03:51 PM) *
Good news, everyone!


What is it, professor? wink.gif

QUOTE(ZimbiX @ Nov 21 2019, 03:51 PM) *
I've attached the scatterfile for anyone else interested in playing around biggrin.gif


As promised, I have compared your scatterfile with the one I got from analyzing the EMMC_BOOT_1 and EMMS_USER areas with WwR.

Surprisingly I have found a difference between the two, which may be significant:

Yours gives:

partition_size: 0x100000

and mine:

partition_size: 0x40000

for the preloader partition.

I think mine is correct, because when I have SP Flash Tool (latest version) connected to the Cosmo, it gives:

Boot 1 Size: 0x40000
Boot 2 Size: 0x40000
RPMB Size: 0x1000000
GP(1-4) Size: 0x0
UA Size: 0x1d1f000000

Actually that last number is the coveted size for the full EMMS_USER dump with WwR, so it appears there are easier ways if you just want to get just that number than running WwR.

Any idea what RPMB Size is?

However, WwR has proved invaluable to get that scatter file. I've come across some other tools to analyze the partial dumps via google, but didn't really take a closer look, because SP Flash Tool only works on windows for me, and for CLI/programming stuff I strongly prefer Linux.

I now have the full readback of the cosmo, done with SP Flash tool and I'm going to just root it. I'll see if I can recover the userdata.img afterwards, but I doubt it which is why I just updated all the app backups I could round up.

(Final thought: There's a reserved partition called OTP, which apparently cannot be read back with SP flash tool. OTP refers to "One Time Pad" in cryptographic terms. I didn't check the android developer documentation on that so this is just a guess, but if that partition is used as a one-time-pad for encrypting userdata and it is reset while unlocking the bootloader, there's not a chance in hell you could use the encrypted userdata.img dumped with the previous OTP. Hm... Maybe I should try to read back the reserved partitions by putting in the numbers. I'm going to try that now, before resetting. But maybe the data will be incompatible for other reasons.)
Go to the top of the page
 
+Quote Post
TauPan
post Dec 9 2019, 02:52 AM
Post #47





Group: Members
Posts: 16
Joined: 9-October 19
From: Germany
Member No.: 856,957



QUOTE(TauPan @ Dec 9 2019, 12:25 PM) *
RPMB Size: 0x1000000


Replay Protected Memory Block, apparently.

QUOTE(TauPan @ Dec 9 2019, 12:25 PM) *
(Final thought: There's a reserved partition called OTP, which apparently cannot be read back with SP flash tool. OTP refers to "One Time Pad" in cryptographic terms. I didn't check the android developer documentation on that so this is just a guess, but if that partition is used as a one-time-pad for encrypting userdata and it is reset while unlocking the bootloader, there's not a chance in hell you could use the encrypted userdata.img dumped with the previous OTP. Hm... Maybe I should try to read back the reserved partitions by putting in the numbers. I'm going to try that now, before resetting. But maybe the data will be incompatible for other reasons.)


On Google I only found a reference to a part of the linux kernel config with support for "One Time Programming" area. See https://android.googlesource.com/kernel/med...host/Kconfig#37

Both of these may or may not have anything to do with encryption of userdata. I obviously lack the knowledge and I don't even know where to look wink.gif

I've rooted my Cosmo now and I'm just downloading the userdata.img to the device. I get a constant 30MB/s and it's at 52% currently, so it should take another half hour or so, until I know if that worked.

(Funny thing: I can only use SP flash tool from windows and fastboot only works on linux for me. I even tried installing the google drivers on the windows laptop, as suggested here, but fastboot would still not find the cosmo.)
Go to the top of the page
 
+Quote Post
TauPan
post Dec 9 2019, 03:03 AM
Post #48





Group: Members
Posts: 16
Joined: 9-October 19
From: Germany
Member No.: 856,957



Hm... wondering if this might work on newer MediaTek devices as well: https://forum.xda-developers.com/hd8-hd10/o...11#post78774211 ... but no need to do this kind of funny stuff to the Cosmo, since we'll get a signed rooted android image at some point, so we can lock the bootloader again. (Linked from here http://www.lieberbiber.de/2015/07/04/media...-and-preloader/ found while searching for RPMB Mediatek.)
Go to the top of the page
 
+Quote Post
TauPan
post Dec 9 2019, 07:58 AM
Post #49





Group: Members
Posts: 16
Joined: 9-October 19
From: Germany
Member No.: 856,957



Ok, I did it, apparently!

Process is:

- Get scatter file (see attachment)
- Take full Readback of all partitions (all possible are enabled in scatter file)
- fastboot flashing unlock (wiping all data)
- Download all partitions except *drumroll* seccfg along with boot-magisk.img (see other post)

To clarify: flash everything with SP flashing tool *except* seccfg and *do* flash the magisk-modified root image, then reboot!

Takes an hour for me, and now I have all my data on a rooted cosmo.

(Edit: Nonsense... Apparently my Fingerprint Data *and* my Password are still as they were. Wondering what else seccfg contains, as the partition is not very small.)

I almost completely ruined my work productivity for this today, but that was totally worth it wink.gif
Attached File(s)
Attached File  Cosmo_MT6771_Android_full_stock_edited_scatter.txt ( 17.7K ) Number of downloads: 3
 
Go to the top of the page
 
+Quote Post
TauPan
post Dec 9 2019, 01:05 PM
Post #50





Group: Members
Posts: 16
Joined: 9-October 19
From: Germany
Member No.: 856,957



I need to say that I figured this out by trial and error. When I tried to find information on this, I either found documents that were very vague, or that made no sense without appropriate background knowledge.

When I ticked *all* partitions in SP flash tool, I got "verified boot is enabled" at some point during the flashing (Download) process, so apparently one partition re-enabled secure boot (locked bootloader). But apparently the error did not occur directly after flashing the partition which reset the bootloader.

So if I flash everything including stock boot.img, I can get back to stock, without a trace of root.

And then I flashed the partitions one my one, noting which one would cause the error to appear.

Point of note: It's enough to unplug the device while it is in download mode in order to flash the next partition, which makes this process a bit faster.

Everything went well when I left out seccfg.img until I came to userdata.img. Then I rebooted and got all my configuration back, installed Magisk Manager, which said that magisk was already installed. \o/

Quick test in termux confirmed I had root.

I don't have the slightest idea what all these partitions contain, other that the names give hints in some cases. I also don't know what seccfg contains. Maybe it would be wortwhile to read back seccfg now and do a binary comparision with the stock version.

So you might be able to get your userdata back, if you reflash just the right partition(s) together with userdata. I suspect it may be the ones named "tee.." and/or "*sec*", maybe others. (See https://source.android.com/security/trusty ... Also see http://www.lieberbiber.de/2015/07/04/media...-and-preloader/ )

QUOTE(TauPan @ Dec 9 2019, 06:58 PM) *
ossible are enabled in scatter file)
- fastboot flashing unlock (wiping all data)
- Download all partitions except *drumroll* seccfg along with boot-magisk.img (see other post)

To clarify: flash everything with SP flashing tool *except* seccfg and *do* flash the magisk-modified root image, then reboot!


Downloading / readback takes 60 - 90 minutes for me with constant 30 M/s. ("M/s" is from the SP flash tool.)
Go to the top of the page
 
+Quote Post
AP756
post Yesterday, 05:29 AM
Post #51





Group: Members
Posts: 18
Joined: 26-May 18
From: South of Germany
Member No.: 823,258



This morning Planet Computers announced an update for the Cosmo. It will include

1. TWRP (Team Win Recovery Project)
2. Debian using KDE/Plasma
3. Debian using LXQT
4. Rooted Android

( https://www.indiegogo.com/projects/cosmo-co...59#/updates/all )

According to the message on Indiegogo we can expect the update within the next days...

Bye for now Fred
Go to the top of the page
 
+Quote Post
TauPan
post Yesterday, 05:39 AM
Post #52





Group: Members
Posts: 16
Joined: 9-October 19
From: Germany
Member No.: 856,957



QUOTE(AP756 @ Dec 10 2019, 04:29 PM) *
This morning Planet Computers announced an update for the Cosmo. It will include

1. TWRP (Team Win Recovery Project)
2. Debian using KDE/Plasma
3. Debian using LXQT
4. Rooted Android

( https://www.indiegogo.com/projects/cosmo-co...59#/updates/all )

According to the message on Indiegogo we can expect the update within the next days...


I think "In this update we would like to discuss plans regarding Linux support on the Cosmo Communicator." and "First Cosmo Firmware update - this week!" mean something different regarding the timeline.

We'll see if the firmware update this week already includes support for TWRP, linux and rooted android. That's not the way I understood those messages, though.

Edit: The output from the partition editor looks really cool, though. They're using parted to resize the partitions, which I think means that you can try out linux variants without losing data on your android installation. This would be really nice!
Go to the top of the page
 
+Quote Post
ZimbiX
post Yesterday, 06:55 AM
Post #53





Group: Members
Posts: 23
Joined: 22-December 18
From: Melbourne, Australia
Member No.: 838,517



Wow, TauPan, that's great research! Thanks so much for your work. I'm sure that process will be extremely useful for a great many Cosmo users biggrin.gif

I had the same issue with fastboot, where that would only work on Linux for me. I'm not sure what Windows driver I was using - probably the one they supplied for the Gemini way back. No biggie for me, but I'm hoping others don't have too much trouble.

Not to get too off-topic: I'm looking forward to Planet's OTA and Linux news, but I expect a Linux release will not be provided for a good while. The screenshots are encouraging, and I'm impressed to see we might be able to have TWRP installed simultaneously with the expanded stock recovery. Keep up the good work, those working on Linux support happy.gif
Go to the top of the page
 
+Quote Post
TauPan
post Today, 12:34 PM
Post #54





Group: Members
Posts: 16
Joined: 9-October 19
From: Germany
Member No.: 856,957



A word of warning:

Yesterday I tried to reflash my cosmo because I thought this might fix the main display issue from another thread. (Not thinking very clearly apparently. I was in a bit of panic.) (Edit: Talking about this issue: https://www.oesf.org/forum/index.php?s=&...st&p=293139 )

I did this with the preloader.bin that I read back using my scatter file. This gives the error:

preloader format invalid

from SP flash tool.

I thought I had bricked my cosmo, because it had spontaneously rebooted during flash.

Just now I tried again with the preloader file that fell out of the WwR analysis of the EMMC_BOOT_1 partition and this just worked.

The preloader.bin from WwR is just a tiny bit longer than the one from the readback (just a few bytes). Not sure what might have caused this, but be extra careful! Maybe my scatter file is not exactly correct, but it is consistent with the output from SP flash tool itself.

The display issue is very bad for me though, my Cosmo is completely unusable since yesterday afternoon. I filed an issue in the Cosmo support sheet sad.gif

Wish me luck!
Go to the top of the page
 
+Quote Post

4 Pages V  « < 2 3 4
Reply to this topicStart new topic
3 User(s) are reading this topic (3 Guests and 0 Anonymous Users)
0 Members:

 



RSS Lo-Fi Version Time is now: 11th December 2019 - 06:53 PM