Author Topic: Rooting the Cosmo Communicator  (Read 57738 times)

NormMonkey

« Reply #30 on: November 27, 2019, 11:12:20 am »
Quote from: xopher
I'm pretty sure since bootloader is unlocked NFC payments are out of the question since the device is "untrusted", it is possible your banking apps may not run on it post bootloader unlock since you broke the trust (if the app checks for that sort of thing). This is something to consider before unlocking ("tampering") with bootloader, you know your use case.

I might be wrong but thought I'd throw that last bit out there since no one else mentioned it. An LG Watch I had became ineligible for NFC payment until I reverted it back to "natural" state and Samsung has Knox, all the same principle, and I could be wrong.

I thought that was the Magisk advantage, it supposedly allows Google SafetyNet and other tamper checks to pass so that various secured apps like Google Pay still work.
I haven't tried this yet.  Perhaps others can clarify if the Magisk'd image is indeed passing checks?
Big thanks to everyone working on this!

v3ritas

« Reply #31 on: November 27, 2019, 11:28:08 am »
Quote from: NormMonkey
Quote from: xopher
I'm pretty sure since bootloader is unlocked NFC payments are out of the question since the device is "untrusted", it is possible your banking apps may not run on it post bootloader unlock since you broke the trust (if the app checks for that sort of thing). This is something to consider before unlocking ("tampering") with bootloader, you know your use case.

I might be wrong but thought I'd throw that last bit out there since no one else mentioned it. An LG Watch I had became ineligible for NFC payment until I reverted it back to "natural" state and Samsung has Knox, all the same principle, and I could be wrong.

I thought that was the Magisk advantage, it supposedly allows Google SafetyNet and other tamper checks to pass so that various secured apps like Google Pay still work.
I haven't tried this yet.  Perhaps others can clarify if the Magisk'd image is indeed passing checks?
Big thanks to everyone working on this!

I'll get Google Pay installed on mine to check, but it's passing from within Magisk Manager. Will be a problem if the app specifically checks the bootloader status though.

EDIT: Looks like mine is fine with Google Pay. Didn't finish verifying my card, but was able to get up to that part. No notifications about it being blocked because of root.
« Last Edit: November 27, 2019, 11:32:00 am by v3ritas »
v3ritas
Gemini PDA Owner
Cosmo Communicator Owner

gidds

« Reply #32 on: November 27, 2019, 05:25:21 pm »
Quote from: v3ritas
It's not as bad as it looks above. That was mostly just work when we were figuring out how to get root working. Right now the process is just [...]
I'm afraid that's as far as I understood...  

I've read the previous posts, but they didn't mean much to me because I don't know how to 'unlock the bootloader', nor what adb or fastboot are or how you use them. (I've gained access to the developer options by clicking seven times on Settings -> System -> Advanced -> About phone -> Build number, but I can't see anything relevant in there.)

Can anyone describe in foolproof terms exactly what to do to get root access on my Cosmo? (By which I mean: allow me to use 'tsu' to get a root shell in Termux, which is the only thing I need it for so far.)

I have a Mac running macOS, which I suspect is not supported by anything you're likely to be talking about. (No access to Windows.) I also have a stick set up letting me boot into Debian, along with the SP Flash Tool from MediaTek and the other bits and pieces that I've successfully used to flash my Gemini. I documented that process in lots of detail in this post.

If anyone could explain in a similar level of detail how to do the same to my Cosmo, I expect I wouldn't be the only grateful person  

Also: having done so, can we tell how it might interact with future firmware updates (whether Over-The-Air or downloadable from the Planet support site)?
« Last Edit: November 27, 2019, 05:34:43 pm by gidds »
   Andy/
Psion 3a → Psion 5 → Psion 5mx → Gemini → Astro

Robert

« Reply #33 on: November 28, 2019, 10:19:36 am »
Quote from: v3ritas
Quote from: gidds
Quote from: AP756
We'll know when the Planet Computers solution of rooting is published.
Is that definitely ‘when’, rather than ‘if’?  Have they said anything on the issue?

(My Cosmo is scheduled to be delivered tomorrow, but I won't be able to set it up and transfer everything from my Gemini without having rooted Android…  At first glance, the above posts look pretty daunting; I'd be much happier if Planet provided downloadable firmware for the Cosmo, the way they did for the Gemini — after a lot of pain, I know how to use that!)

It's not as bad as it looks above. That was mostly just work when we were figuring out how to get root working. Right now the process is just to unlock the bootloader (which will wipe the device) & either backup & modify your own boot.img from the device, or use the already Magisk'ed one that ZimbiX has posted.

I'm waiting for those recovery images too. Hopefully will have some time this weekend to make a proper backup, so I have something to restore if I ended up doing harm to my device with root. That's part of the reason I haven't done anything crazy with root right now.

Quote from: MadAdy
Hi owners, FYI Bootloader Unlock is in Developer Options.

Tap on Build Number in About Phone.

Also need to then boot to the bootloader & run `fastboot flashing unlock`. The button(s) in the fingerprint scanner worked as volume keys to confirm I wanted to unlock (& wipe the device in the process).

I'm having trouble getting this to work. I did do the bootloader unlock procedure above. When I boot to the bootloader and run `fastboot flashing unlock` it hangs with `< waiting for any device >`.

Also, `fastboot devices` returns a blank line, and `adb devices` returns what appears to be a device identifier, followed by the word `unauthorized`.

For what it's worth, when I boot into regular Android, `adb devices` returns the device code and the word `device` -- meaning the device is apparently `authorized` after a normal boot, but not in bootloader.

Any ideas?

Thanks!

Ignatz

« Reply #34 on: November 29, 2019, 05:15:10 pm »
Quote from: Robert
Quote from: v3ritas
Quote from: gidds
Quote from: AP756
We'll know when the Planet Computers solution of rooting is published.
Is that definitely ‘when’, rather than ‘if’?  Have they said anything on the issue?

(My Cosmo is scheduled to be delivered tomorrow, but I won't be able to set it up and transfer everything from my Gemini without having rooted Android…  At first glance, the above posts look pretty daunting; I'd be much happier if Planet provided downloadable firmware for the Cosmo, the way they did for the Gemini — after a lot of pain, I know how to use that!)

It's not as bad as it looks above. That was mostly just work when we were figuring out how to get root working. Right now the process is just to unlock the bootloader (which will wipe the device) & either backup & modify your own boot.img from the device, or use the already Magisk'ed one that ZimbiX has posted.

I'm waiting for those recovery images too. Hopefully will have some time this weekend to make a proper backup, so I have something to restore if I ended up doing harm to my device with root. That's part of the reason I haven't done anything crazy with root right now.

Quote from: MadAdy
Hi owners, FYI Bootloader Unlock is in Developer Options.

Tap on Build Number in About Phone.

Also need to then boot to the bootloader & run `fastboot flashing unlock`. The button(s) in the fingerprint scanner worked as volume keys to confirm I wanted to unlock (& wipe the device in the process).

I'm having trouble getting this to work. I did do the bootloader unlock procedure above. When I boot to the bootloader and run `fastboot flashing unlock` it hangs with `< waiting for any device >`.

Also, `fastboot devices` returns a blank line, and `adb devices` returns what appears to be a device identifier, followed by the word `unauthorized`.

For what it's worth, when I boot into regular Android, `adb devices` returns the device code and the word `device` -- meaning the device is apparently `authorized` after a normal boot, but not in bootloader.

Any ideas?

Thanks!


I had the same problems, found the solution with some help.

You need to install Google USB Drivers.

If that doesn't help, reboot to fastboot and go to your device manager.

Locate your cosmo (For me it said it can't find driver, and was just named "Android")

Update the driver through the driver manager, and select the Google USB driver (download it manually if needed)

If it can't autodetect it, select it manually and choose "Bootloader Interface"

After that you should be able to use fastboot command.

Kind Regards,
Ignatz

AP756

« Reply #35 on: December 02, 2019, 02:24:19 pm »
The driver problem is solved by installing the MTK driver package MTK_USB_All_v1.0.8 (you'll find that on Inet).

When Cosmo is booted go to Settings -> System -> Advanced -> Developer options and enable USB debugging (If there is no developer options go to About phone and tap 7 times on Build number). Now start a CMD window (as administrator) and connect Cosmo. You'll be prompted with a message where you'll be asked to authorize the USB debugging connection. Do so and then issue the command "adb devices". It should prompt you with your device name without unauthorized.

Bye for now  Fred

TauPan

« Reply #36 on: December 06, 2019, 05:18:26 pm »
Quote from: ZimbiX
At a glance, this looks quite interesting - using a 'Wwr MTK tool' to create a full backup of the device: https://forum.hovatek.com/thread-21970.html
I don't have any more time to look into this for a while! =\

I'm just dumping my Cosmo following this howto.

The only stumbling block so far was that the "memory check" method of determining the dump length does not work with recent SP flash tool so you have to use the method of loading the incomplete dump of the EMMC_USER partition and let Wwr analyze it to determine the length.

(That and my wife's windows laptop was set to 125% magnification so I could not see some buttons in the Wwr tool at first.)

Dumping takes loooong... the full 128MB + system partitions are being dumped. My hope is that if I re-flash all of this after unlocking the bootloader via "fastboot flashing unlock" I can get *all* my data back.

I'm not quite sure how to verify the dump other than flashing it. I guess I'll just have to trust Smartphone Flash Tool from MTK. After all it's a tool from the chipset vendor. They should know what they're doing.

I'd certainly appreciate input on this.
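
Added example (not part of TauPan's post, and not code from any tool named in the thread): one way to sanity-check a raw EMMC_USER dump without flashing it is to validate the GPT checksums and compare the file length with the device length the GPT records. It assumes the dump starts at LBA 0, uses 512-byte sectors and carries a standard GPT; `check_dump` and `build_sample` are hypothetical names and the sample image is constructed.

```python
import io
import struct
import zlib

SECTOR = 512  # assumption: 512-byte logical sectors, as is usual for eMMC
HDR = struct.Struct("<8sIIIIQQQQ16sQIII")  # 92-byte GPT header
ENT = struct.Struct("<16s16sQQQ72s")       # 128-byte GPT partition entry


def check_dump(img, size):
    """Validate the primary GPT of a raw dump and report partition coverage."""
    img.seek(SECTOR)  # LBA 1, directly after the protective MBR
    raw = img.read(SECTOR)
    if len(raw) < HDR.size or raw[:8] != b"EFI PART":
        raise ValueError("no GPT header at LBA 1")
    (_sig, _rev, hdr_size, hdr_crc, _res, _cur, backup_lba, _first, _last,
     _guid, ent_lba, ent_count, ent_size, ent_crc) = HDR.unpack_from(raw)
    if (not HDR.size <= hdr_size <= len(raw) or ent_size < ENT.size
            or ent_count > 1024):
        raise ValueError("implausible GPT header fields")
    # The header CRC32 is calculated with its own field (bytes 16..19) zeroed.
    zeroed = raw[:16] + bytes(4) + raw[20:hdr_size]
    img.seek(ent_lba * SECTOR)
    table = img.read(ent_count * ent_size)
    report = {
        "header_crc_ok": zlib.crc32(zeroed) == hdr_crc,
        "entries_crc_ok": (len(table) == ent_count * ent_size
                           and zlib.crc32(table) == ent_crc),
        # The backup GPT header sits in the last sector of the device.
        "expected_bytes": (backup_lba + 1) * SECTOR,
        "partitions": [],
    }
    report["full_device"] = size >= report["expected_bytes"]
    for off in range(0, len(table) - ent_size + 1, ent_size):
        type_guid, _uid, first, last, _attr, name = ENT.unpack_from(table, off)
        if type_guid == bytes(16):
            continue  # unused slot
        report["partitions"].append({
            "name": name.decode("utf-16-le", "replace").split("\0")[0],
            "bytes": (last - first + 1) * SECTOR,
            # A partition is usable only if the file reaches its last sector.
            "complete": (last + 1) * SECTOR <= size,
        })
    return report


def build_sample(total=64, keep=None):
    """Constructed image (not a real Cosmo dump): boot + userdata, 4 slots."""
    parts = [("boot", 3, 10), ("userdata", 11, total - 3)]
    table = b"".join(
        ENT.pack(bytes([i + 1]) * 16, bytes([i + 9]) * 16, first, last, 0,
                 name.encode("utf-16-le"))
        for i, (name, first, last) in enumerate(parts)
    ).ljust(4 * ENT.size, b"\0")
    hdr = HDR.pack(b"EFI PART", 0x10000, HDR.size, 0, 0, 1, total - 1, 3,
                   total - 3, b"\x11" * 16, 2, 4, ENT.size, zlib.crc32(table))
    hdr = hdr[:16] + struct.pack("<I", zlib.crc32(hdr)) + hdr[20:]
    image = bytearray(total * SECTOR)
    image[SECTOR:SECTOR + len(hdr)] = hdr
    image[2 * SECTOR:2 * SECTOR + len(table)] = table
    return bytes(image[:(keep or total) * SECTOR])  # keep < total = cut short


if __name__ == "__main__":
    for label, data in (("full", build_sample()),
                        ("truncated", build_sample(keep=32))):
        r = check_dump(io.BytesIO(data), len(data))
        print(label, r["header_crc_ok"], r["entries_crc_ok"], r["full_device"],
              [(p["name"], p["complete"]) for p in r["partitions"]])
```

This confirms the dump's length and partition-table integrity only; read errors inside a partition still need a second, independent readback and a hash comparison of the two files.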

TauPan

« Reply #37 on: December 06, 2019, 05:38:21 pm »
Quote from: TauPan
Quote from: ZimbiX
At a glance, this looks quite interesting - using a 'Wwr MTK tool' to create a full backup of the device: https://forum.hovatek.com/thread-21970.html
I don't have any more time to look into this for a while! =\

I'm just dumping my Cosmo following this howto.

The only stumbling block so far was that the "memory check" method of determining the dump length does not work with recent SP flash tool so you have to use the method of loading the incomplete dump of the EMMC_USER partition and let Wwr analyze it to determine the length.

(That and my wife's windows laptop was set to 125% magnification so I could not see some buttons in the Wwr tool at first.)

Dumping takes loooong... the full 128MB + system partitions are being dumped. My hope is that if I re-flash all of this after unlocking the bootloader via "fastboot flashing unlock" I can get *all* my data back.

I'm not quite sure how to verify the dump other than flashing it. I guess I'll just have to trust Smartphone Flash Tool from MTK. After all it's a tool from the chipset vendor. They should know what they're doing.

I'd certainly appreciate input on this.

Oh dear, it appears I've missed some pages here. I'm not used to reading forums any more.

Well, I'll compare my scatter file to ZimbiX's (I expect them to be identical). Indeed using the scatter file in SP flash tool seems to be easier for dump + restore.

I'd still like to know if my hunch is correct that I can reflash (most of) my backup after unlocking the bootloader (perhaps excluding the bootloader itself?)  to regain my data?

Regarding Magisk there is *one* addon I use on my other phone to fool netflix *and* my banking software. I think it's magisk hide props config, but I'd need to boot the phone to be sure. This needs busybox for magisk to work.

ZimbiX

« Reply #38 on: December 07, 2019, 01:43:55 am »
Quote from: TauPan
Well, I'll compare my scatter file to ZimbiX's (I expect them to be identical). Indeed using the scatter file in SP flash tool seems to be easier for dump + restore.

I'd still like to know if my hunch is correct that I can reflash (most of) my backup after unlocking the bootloader (perhaps excluding the bootloader itself?)  to regain my data?

Mmm, I'd been wondering that too. I'd tried to restore my data after unlocking the bootloader by flashing the data partition using SP Flash Tool with my data partition image, but it didn't work properly afterwards, with Android saying something like "Unable to decrypt user data partition" and showing a button to factory reset. I couldn't find any info on doing this - I'd imagine it's not a common thing to be able to get a dump of a device before unlocking the bootloader, so maybe people just haven't investigated it.

The encryption key must be stored separately to the encrypted data, so it's probably on a different partition. I was wondering if unlocking might be generating a new key to ensure security of the original data. I'd only flashed the data partition back, so maybe it would have worked if I'd flashed more. Or maybe processing of the same key is altered/incompatible between locked and unlocked.

I'd split out the data partition from my full backup using WwR rather than doing a readback with SP Flash Tool once I had the scatterfile, so the problem could be with that, but I'd hope not.

I hadn't done much setup on it before unlocking, so I ended up factory resetting.

Oh, and regarding payment for WwR, I'd found the dev's PayPal address in the HTML source of the donation prompt. I tried sending the money, but PayPal was blocking the transaction for some reason. I emailed vvaaavv about it on Nov 22 to ask if he'd accept another form of payment such as Bitcoin, but he hasn't responded (yet). I'm all for financially supporting development efforts, but at this point I'm getting more tempted to reverse engineer the thing to disable the timeouts =P

ZimbiX

« Reply #39 on: December 07, 2019, 01:51:31 am »
TauPan, if you can't work it out and need to factory reset, I tweeted about the process I used to transfer my data: https://twitter.com/ZimbiX/status/1202220166446080000
« Last Edit: December 07, 2019, 01:52:01 am by ZimbiX »

TauPan

« Reply #40 on: December 07, 2019, 04:42:14 am »
Quote from: ZimbiX
TauPan, if you can't work it out and need to factory reset, I tweeted about the process I used to transfer my data: https://twitter.com/ZimbiX/status/1202220166446080000

I'm a tiny bit confused now.

From re-reading all the previous posts in this thread and your tweet, it appears to me that:

 - We can modify the boot image on device with magisk and flash that via SP flash
 - But it won't boot, if the bootloader is still locked, so the device will reject it?
 - fastboot flashing unlock will delete all data

(The last part seems pointless if SP flash tool provides low level access to all the data anyway. But you can confirm that unlocking the bootloader will remove all user data?)

My use-case is that I've spent the previous two weeks to get my cosmo set up properly, so I'd really like to have a working backup of the cosmo.

Most of the stuff from my previous daily driver (Nexus 6p) is backed up with Titanium, which apparently doesn't work properly in some cases.
Both Titanium and Swift backup won't be able to backup app data if the device isn't rooted.

I do have a full backup of my user data now, but it's encrypted.

Maybe I should just try to dump everything with the scatter file, do a factory reset (unlock the bootloader) and then try to reflash everything. If that doesn't work I'll just go through the setup process again. I do have most stuff in the cloud anyway, it's mostly just busywork getting it all back, setting up accounts, etc.

(And in some cases, request account verification codes via snail mail, from banks, insurances, etc.)

ZimbiX

« Reply #41 on: December 07, 2019, 11:19:46 am »
Oh, I'm sorry, I was mixed up!

You might have luck with Helium, or using ADB backup directly (which is what Helium uses). That used to be a great way to keep appdata when unlocking the bootloader, but sadly, nowadays a bunch of apps block themselves from being backed up this way.

Do a backup with that before trying the full reflash just in case it doesn't work. But I'm keen to hear whether it does!  Good luck

Titanium restores of just appdata once you've already installed the app would probably work actually.

Woah, having to get verification codes by snail mail is nuts! I guess I'm lucky I've never had to do that
« Last Edit: December 07, 2019, 11:23:11 am by ZimbiX »

TauPan

« Reply #42 on: December 07, 2019, 01:05:51 pm »
Quote from: ZimbiX
Oh, I'm sorry, I was mixed up!

You might have luck with Helium, or using ADB backup directly (which is what Helium uses). That used to be a great way to keep appdata when unlocking the bootloader, but sadly, nowadays a bunch of apps block themselves from being backed up this way.

Do a backup with that before trying the full reflash just in case it doesn't work. But I'm keen to hear whether it does!  Good luck

Titanium restores of just appdata once you've already installed the app would probably work actually.

Woah, having to get verification codes by snail mail is nuts! I guess I'm lucky I've never had to do that

Yeah, quite a lot of apps block adb backups. I got a list created with Adebar. Also adb backup is quite annoying because you have to keep the screen awake or disable auto-locking. If I have to make a list of what to backup how, I might as well set up everything again.

Btw. How did you manage to extract the user data partition with WwR? Every way I cut my dump, the user data is always missing from the result. I think I'll try a readback with SP flash tool with the full scatter file this evening.

Account verification via snail mail is slow, but beats someone stealing your money along by stealing your phone number.

ZimbiX

« Reply #43 on: December 07, 2019, 01:13:02 pm »
Quote from: TauPan
Yeah, quite a lot of apps block adb backups. I got a list created with Adebar. Also adb backup is quite annoying because you have to keep the screen awake or disable auto-locking. If I have to make a list of what to backup how, I might as well set up everything again.

Mmm, fair enough. I'm glad I haven't needed to do it in a long time.

Quote from: TauPan
Btw. How did you manage to extract the user data partition with WwR? Every way I cut my dump, the user data is always missing from the result. I think I'll try a readback with SP flash tool with the full scatter file this evening.

Yeah, I don't understand why. The descriptions are misleading. I'd ended up using its cutting tool and supplied the offsets manually. It was really slow though - like 2MB/s. Readback's probably a better idea, actually, for speed. And takes any potential issues with that WwR process out of the picture.

Quote from: TauPan
Account verification via snail mail is slow, but beats someone stealing your money along by stealing your phone number.

Hah. But what about stealing your mail?

Robert

« Reply #44 on: December 08, 2019, 09:29:44 pm »
Quote from: Ignatz
Quote from: Robert
Quote from: v3ritas
Quote from: gidds
Quote from: AP756
We'll know when the Planet Computers solution of rooting is published.
Is that definitely ‘when’, rather than ‘if’?  Have they said anything on the issue?

(My Cosmo is scheduled to be delivered tomorrow, but I won't be able to set it up and transfer everything from my Gemini without having rooted Android…  At first glance, the above posts look pretty daunting; I'd be much happier if Planet provided downloadable firmware for the Cosmo, the way they did for the Gemini — after a lot of pain, I know how to use that!)

It's not as bad as it looks above. That was mostly just work when we were figuring out how to get root working. Right now the process is just to unlock the bootloader (which will wipe the device) & either backup & modify your own boot.img from the device, or use the already Magisk'ed one that ZimbiX has posted.

I'm waiting for those recovery images too. Hopefully will have some time this weekend to make a proper backup, so I have something to restore if I ended up doing harm to my device with root. That's part of the reason I haven't done anything crazy with root right now.

Quote from: MadAdy
Hi owners, FYI Bootloader Unlock is in Developer Options.

Tap on Build Number in About Phone.

Also need to then boot to the bootloader & run `fastboot flashing unlock`. The button(s) in the fingerprint scanner worked as volume keys to confirm I wanted to unlock (& wipe the device in the process).

I'm having trouble getting this to work. I did do the bootloader unlock procedure above. When I boot to the bootloader and run `fastboot flashing unlock` it hangs with `< waiting for any device >`.

Also, `fastboot devices` returns a blank line, and `adb devices` returns what appears to be a device identifier, followed by the word `unauthorized`.

For what it's worth, when I boot into regular Android, `adb devices` returns the device code and the word `device` -- meaning the device is apparently `authorized` after a normal boot, but not in bootloader.

Any ideas?

Thanks!


I had the same problems, found the solution with some help.

You need to install Google USB Drivers.

If that doesn't help, reboot to fastboot and go to your device manager.

Locate your cosmo (For me it said it can't find driver, and was just named "Android")

Update the driver through the driver manager, and select the Google USB driver (download it manually if needed)

If it can't autodetect it, select it manually and choose "Bootloader Interface"

After that you should be able to use fastboot command.

Kind Regards,
Ignatz


Ignatz,

Thanks for the ideas.  I tried to post a reply several days ago, but apparently it didn't get through.

I found what I thought were Google USB drivers here:  https://developer.android.com/studio/run/win-usb

And I tried to install them using the instructions here:  https://developer.android.com/studio/run/oe...nstallingDriver (for Win10).

The install utility always said that I already had "the most up to date drivers" installed, and when I told it to install anyway (even using the "Have disk" option to point it to the right place) kept insisting that there weren't any drivers there.

So, I am back where I started.

--Robert