> Rooting the Cosmo Communicator
TauPan
post Yesterday, 01:25 AM
Post #46

Group: Members
Posts: 12
Joined: 9-October 19
From: Germany
Member No.: 856,957

QUOTE(ZimbiX @ Nov 21 2019, 03:51 PM) *
Good news, everyone!


What is it, professor? ;)

QUOTE(ZimbiX @ Nov 21 2019, 03:51 PM) *
I've attached the scatterfile for anyone else interested in playing around :D


As promised, I have compared your scatterfile with the one I got from analyzing the EMMC_BOOT_1 and EMMC_USER areas with WwR.

Surprisingly, I found a difference between the two which may be significant:

Yours gives:

partition_size: 0x100000

and mine:

partition_size: 0x40000

for the preloader partition.

I think mine is correct, because when I have SP Flash Tool (latest version) connected to the Cosmo, it gives:

Boot 1 Size: 0x40000
Boot 2 Size: 0x40000
RPMB Size: 0x1000000
GP(1-4) Size: 0x0
UA Size: 0x1d1f000000

Actually that last number is the coveted size for the full EMMC_USER dump with WwR, so it appears there are easier ways to get just that number than running WwR.

Any idea what RPMB Size is?

However, WwR has proved invaluable to get that scatter file. I've come across some other tools to analyze the partial dumps via google, but didn't really take a closer look, because SP Flash Tool only works on windows for me, and for CLI/programming stuff I strongly prefer Linux.

I now have the full readback of the cosmo, done with SP Flash tool and I'm going to just root it. I'll see if I can recover the userdata.img afterwards, but I doubt it which is why I just updated all the app backups I could round up.

(Final thought: There's a reserved partition called OTP, which apparently cannot be read back with SP flash tool. OTP refers to "One Time Pad" in cryptographic terms. I didn't check the android developer documentation on that so this is just a guess, but if that partition is used as a one-time-pad for encrypting userdata and it is reset while unlocking the bootloader, there's not a chance in hell you could use the encrypted userdata.img dumped with the previous OTP. Hm... Maybe I should try to read back the reserved partitions by putting in the numbers. I'm going to try that now, before resetting. But maybe the data will be incompatible for other reasons.)
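Comparing the two scatter files by hand is what the post above describes; as an added example (not code from this thread or from the device vendor), this Python script parses the MediaTek scatter-file format, reports partitions whose partition_size differs between two layouts, and flags EMMC_BOOT_1 entries larger than the "Boot 1 Size" SP Flash Tool reports. The embedded scatter text is constructed around the values quoted in the post, not copied from either real file.

```python
"""Parse MediaTek scatter files and diff two partition layouts.

Added example, not from the thread or the Cosmo firmware; the scatter text
is constructed around the values quoted in the post (0x100000 vs 0x40000)."""
import re

# "- partition_index: SYS0" opens an entry; indented "key: value" lines follow it
KV = re.compile(r"^\s*(-\s+)?([a-z_]+):\s*(\S+)\s*$")

def parse_scatter(text):
    """Return {partition_name: {key: value}}; *_addr/*_size become ints."""
    entries, cur = [], None
    for line in text.splitlines():
        m = KV.match(line)
        if not m:
            continue                      # banners, comments, 'info:' lines
        dash, key, val = m.groups()
        if dash:                          # new entry (header entries lack a name)
            cur = {}
            entries.append(cur)
        if cur is None:
            continue
        if key.endswith(("_addr", "_size")):
            val = int(val, 16)
        cur[key] = val
    return {e["partition_name"]: e for e in entries if "partition_name" in e}

def diff_sizes(a, b):
    """Partitions present in both layouts whose partition_size differs."""
    return {n: (a[n]["partition_size"], b[n]["partition_size"])
            for n in a if n in b and a[n]["partition_size"] != b[n]["partition_size"]}

def oversized_boot1(parts, boot1_size):
    """EMMC_BOOT_1 partitions larger than the boot area the flash tool reports."""
    return sorted(n for n, e in parts.items()
                  if e.get("region") == "EMMC_BOOT_1" and e["partition_size"] > boot1_size)

# constructed: a trimmed two-entry layout with the preloader size from the other scatter file
SCATTER_A = """\
- partition_index: SYS0
  partition_name: preloader
  partition_size: 0x100000
  region: EMMC_BOOT_1
- partition_index: SYS1
  partition_name: pgpt
  partition_size: 0x8000
  region: EMMC_USER
"""
SCATTER_B = SCATTER_A.replace("partition_size: 0x100000", "partition_size: 0x40000")
BOOT1_SIZE = 0x40000   # "Boot 1 Size" as reported by SP Flash Tool in the post
```

Pointing parse_scatter at the two real scatter files (read from disk) gives the same preloader mismatch the post found.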
TauPan
post Yesterday, 02:52 AM
Post #47

QUOTE(TauPan @ Dec 9 2019, 12:25 PM) *
RPMB Size: 0x1000000


Replay Protected Memory Block, apparently.

QUOTE(TauPan @ Dec 9 2019, 12:25 PM) *
(Final thought: There's a reserved partition called OTP, which apparently cannot be read back with SP flash tool. OTP refers to "One Time Pad" in cryptographic terms. I didn't check the android developer documentation on that so this is just a guess, but if that partition is used as a one-time-pad for encrypting userdata and it is reset while unlocking the bootloader, there's not a chance in hell you could use the encrypted userdata.img dumped with the previous OTP. Hm... Maybe I should try to read back the reserved partitions by putting in the numbers. I'm going to try that now, before resetting. But maybe the data will be incompatible for other reasons.)


On Google I only found a reference to a part of the linux kernel config with support for "One Time Programming" area. See https://android.googlesource.com/kernel/med...host/Kconfig#37

Both of these may or may not have anything to do with encryption of userdata. I obviously lack the knowledge and I don't even know where to look ;)

I've rooted my Cosmo now and I'm just downloading the userdata.img to the device. I get a constant 30MB/s and it's at 52% currently, so it should take another half hour or so, until I know if that worked.

(Funny thing: I can only use SP flash tool from windows and fastboot only works on linux for me. I even tried installing the google drivers on the windows laptop, as suggested here, but fastboot would still not find the cosmo.)
TauPan
post Yesterday, 03:03 AM
Post #48

Hm... wondering if this might work on newer MediaTek devices as well: https://forum.xda-developers.com/hd8-hd10/o...11#post78774211 ... but no need to do this kind of funny stuff to the Cosmo, since we'll get a signed rooted android image at some point, so we can lock the bootloader again. (Linked from here http://www.lieberbiber.de/2015/07/04/media...-and-preloader/ found while searching for RPMB Mediatek.)
TauPan
post Yesterday, 07:58 AM
Post #49

Ok, I did it, apparently!

Process is:

- Get scatter file (see attachment)
- Take full Readback of all partitions (all possible are enabled in scatter file)
- fastboot flashing unlock (wiping all data)
- Download all partitions except *drumroll* seccfg along with boot-magisk.img (see other post)

To clarify: flash everything with SP flashing tool *except* seccfg and *do* flash the magisk-modified root image, then reboot!

Takes an hour for me, and now I have all my data on a rooted cosmo.

(Edit: Nonsense... Apparently my Fingerprint Data *and* my Password are still as they were. Wondering what else seccfg contains, as the partition is not very small.)

I almost completely ruined my work productivity for this today, but that was totally worth it ;)

Attached file: Cosmo_MT6771_Android_full_stock_edited_scatter.txt (17.7K)
TauPan
post Yesterday, 01:05 PM
Post #50

I need to say that I figured this out by trial and error. When I tried to find information on this, I either found documents that were very vague, or that made no sense without appropriate background knowledge.

When I ticked *all* partitions in SP flash tool, I got "verified boot is enabled" at some point during the flashing (Download) process, so apparently one partition re-enabled secure boot (locked bootloader). But apparently the error did not occur directly after flashing the partition which reset the bootloader.

So if I flash everything including stock boot.img, I can get back to stock, without a trace of root.

And then I flashed the partitions one by one, noting which one would cause the error to appear.

Point of note: It's enough to unplug the device while it is in download mode in order to flash the next partition, which makes this process a bit faster.

Everything went well when I left out seccfg.img until I came to userdata.img. Then I rebooted and got all my configuration back, installed Magisk Manager, which said that magisk was already installed. \o/

Quick test in termux confirmed I had root.

I don't have the slightest idea what all these partitions contain, other than that the names give hints in some cases. I also don't know what seccfg contains. Maybe it would be worthwhile to read back seccfg now and do a binary comparison with the stock version.

So you might be able to get your userdata back, if you reflash just the right partition(s) together with userdata. I suspect it may be the ones named "tee.." and/or "*sec*", maybe others. (See https://source.android.com/security/trusty ... Also see http://www.lieberbiber.de/2015/07/04/media...-and-preloader/ )

QUOTE(TauPan @ Dec 9 2019, 06:58 PM) *
ossible are enabled in scatter file)
- fastboot flashing unlock (wiping all data)
- Download all partitions except *drumroll* seccfg along with boot-magisk.img (see other post)

To clarify: flash everything with SP flashing tool *except* seccfg and *do* flash the magisk-modified root image, then reboot!


Downloading / readback takes 60 - 90 minutes for me with constant 30 M/s. ("M/s" is from the SP flash tool.)
Time is now: 10th December 2019 - 04:48 AM