Author Topic: Rooting the Cosmo Communicator  (Read 87852 times)

TauPan

Rooting the Cosmo Communicator
« Reply #45 on: December 09, 2019, 04:25:35 am »
Quote from: ZimbiX
Good news, everyone!

What is it, professor?

Quote from: ZimbiX
I've attached the scatterfile for anyone else interested in playing around

As promised, I have compared your scatterfile with the one I got from analyzing the EMMC_BOOT_1 and EMMS_USER areas with WwR.

Surprisingly I have found a difference between the two, which may be significant:

Yours gives:

  partition_size: 0x100000

and mine:

  partition_size: 0x40000

for the preloader partition.

I think mine is correct (Edit: Spoiler: I was wrong about this!), because when I have SP Flash Tool (latest version) connected to the Cosmo, it gives:

Boot 1 Size: 0x40000
Boot 2 Size: 0x40000
RPMB Size: 0x1000000
GP(1-4) Size: 0x0
UA Size: 0x1d1f000000

Actually that last number is the coveted size for the full EMMS_USER dump with WwR, so it appears there are easier ways if you just want to get just that number than running WwR.

Any idea what RPMB Size is?

However, WwR has proved invaluable to get that scatter file. I've come across some other tools to analyze the partial dumps via google, but didn't really take a closer look, because SP Flash Tool only works on windows for me, and for CLI/programming stuff I strongly prefer Linux.

I now have the full readback of the cosmo, done with SP Flash tool and I'm going to just root it. I'll see if I can recover the userdata.img afterwards, but I doubt it which is why I just updated all the app backups I could round up.

(Final thought: There's a reserved partition called OTP, which apparently cannot be read back with SP flash tool. OTP refers to "One Time Pad" in cryptographic terms. I didn't check the android developer documentation on that so this is just a guess, but if that partition is used as a one-time-pad for encrypting userdata and it is reset while unlocking the bootloader, there's not a chance in hell you could use the encrypted userdata.img dumped with the previous OTP. Hm... Maybe I should try to read back the reserved partitions by putting in the numbers. I'm going to try that now, before resetting. But maybe the data will be incompatible for other reasons.)
« Last Edit: December 12, 2019, 07:36:13 am by TauPan »

TauPan

Rooting the Cosmo Communicator
« Reply #46 on: December 09, 2019, 05:52:21 am »
Quote from: TauPan
RPMB Size: 0x1000000

Replay Protected Memory Block, apparently.

Quote from: TauPan
(Final thought: There's a reserved partition called OTP, which apparently cannot be read back with SP flash tool. OTP refers to "One Time Pad" in cryptographic terms. I didn't check the android developer documentation on that so this is just a guess, but if that partition is used as a one-time-pad for encrypting userdata and it is reset while unlocking the bootloader, there's not a chance in hell you could use the encrypted userdata.img dumped with the previous OTP. Hm... Maybe I should try to read back the reserved partitions by putting in the numbers. I'm going to try that now, before resetting. But maybe the data will be incompatible for other reasons.)

On Google I only found a reference to a part of the linux kernel config with support for "One Time Programming" area. See https://android.googlesource.com/kernel/med...host/Kconfig#37

Both of these may or may not have anything to do with encryption of userdata. I obviously lack the knowledge and I don't even know where to look

I've rooted my Cosmo now and I'm just downloading the userdata.img to the device. I get a constant 30MB/s and it's at 52% currently, so it should take another half hour or so, until I know if that worked.

(Funny thing: I can only use SP flash tool from windows and fastboot only works on linux for me. I even tried installing the google drivers on the windows laptop, as suggested here, but fastboot would still not find the cosmo.)
« Last Edit: December 09, 2019, 05:53:20 am by TauPan »

TauPan

Rooting the Cosmo Communicator
« Reply #47 on: December 09, 2019, 06:03:28 am »
Hm... wondering if this might work on newer MediaTek devices as well: https://forum.xda-developers.com/hd8-hd10/o...11#post78774211 ... but no need to do this kind of funny stuff to the Cosmo, since we'll get a signed rooted android image at some point, so we can lock the bootloader again. (Linked from here http://www.lieberbiber.de/2015/07/04/media...-and-preloader/ found while searching for RPMB Mediatek.)
« Last Edit: December 09, 2019, 06:05:15 am by TauPan »

TauPan

Rooting the Cosmo Communicator
« Reply #48 on: December 09, 2019, 10:58:49 am »
Ok, I did it, apparently!

Process is:

 - Get scatter file (see attachment)
 - Take full Readback of all partitions (all possible are enabled in scatter file)
 - fastboot flashing unlock (wiping all data)
 - Download all partitions except *drumroll* seccfg along with boot-magisk.img (see other post)

Edit: Important point: You can't take OTA updates if you modified any partitions this way. So at least you must revert to your original boot partition before taking an update!

To clarify: flash everything with SP flashing tool *except* seccfg and *do* flash the magisk-modified root image, then reboot!

Takes an hour for me, and now I have all my data on a rooted cosmo.

(Edit: Nonsense... Apparently my Fingerprint Data *and* my Password are still as they were. Wondering what else seccfg contains, as the partition is not very small.)

I almost completely ruined my work productivity for this today, but that was totally worth it

(Edit: Attachment deleted, see corrected version below.)
« Last Edit: December 13, 2019, 02:13:09 pm by TauPan »

TauPan

Rooting the Cosmo Communicator
« Reply #49 on: December 09, 2019, 04:05:05 pm »
I need to say that I figured this out by trial and error. When I tried to find information on this, I either found documents that were very vague, or that made no sense without appropriate background knowledge.

When I ticked *all* partitions in SP flash tool, I got "verified boot is enabled" at some point during the flashing (Download) process, so apparently one partition re-enabled secure boot (locked bootloader). But apparently the error did not occur directly after flashing the partition which reset the bootloader.

So if I flash everything including stock boot.img, I can get back to stock, without a trace of root.

And then I flashed the partitions one by one, noting which one would cause the error to appear.

Point of note: It's enough to unplug the device while it is in download mode in order to flash the next partition, which makes this process a bit faster.

Everything went well when I left out seccfg.img until I came to userdata.img. Then I rebooted and got all my configuration back, installed Magisk Manager, which said that magisk was already installed. \o/

Quick test in termux confirmed I had root.

I don't have the slightest idea what all these partitions contain, other than the names give hints in some cases. I also don't know what seccfg contains. Maybe it would be worthwhile to read back seccfg now and do a binary comparison with the stock version.

So you might be able to get your userdata back, if you reflash just the right partition(s) together with userdata. I suspect it may be the ones named "tee.." and/or "*sec*", maybe others. (See https://source.android.com/security/trusty ... Also see http://www.lieberbiber.de/2015/07/04/media...-and-preloader/ )

Quote from: TauPan
 - Take full Readback of all partitions (all possible are enabled in scatter file)
 - fastboot flashing unlock (wiping all data)
 - Download all partitions except *drumroll* seccfg along with boot-magisk.img (see other post)

To clarify: flash everything with SP flashing tool *except* seccfg and *do* flash the magisk-modified root image, then reboot!

Downloading / readback takes 60 - 90 minutes for me with constant 30 M/s. ("M/s" is from the SP flash tool.)
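The binary comparison suggested in the post above (seccfg read back after unlocking versus the stock copy, or the two preloader.bin files that differ by a few bytes) can be done with a short script. This is an added example and not code from the thread or from any of the tools named in it; the two "dumps" it compares are constructed in-memory stand-ins, not real Cosmo partition contents.

```python
"""Byte-level comparison of two raw partition dumps.

Added example, not from the thread.  The two dumps below are constructed
in-memory stand-ins, not real Cosmo partition contents.
"""
import hashlib
from typing import Dict, List, Tuple


def differing_runs(a: bytes, b: bytes) -> List[Tuple[int, int]]:
    """Return (offset, length) runs where a and b differ, over the common
    prefix length only.  Adjacent differing bytes are merged into one run."""
    runs: List[Tuple[int, int]] = []
    common = min(len(a), len(b))
    start = None
    for i in range(common):
        if a[i] != b[i]:
            if start is None:
                start = i
        elif start is not None:
            runs.append((start, i - start))
            start = None
    if start is not None:
        runs.append((start, common - start))
    return runs


def compare_dumps(stock: bytes, other: bytes) -> Dict[str, object]:
    """Summarise how `other` deviates from `stock`: changed byte runs inside
    the common length, plus any length difference (the tail of the longer
    file has nothing to compare against and is reported separately)."""
    runs = differing_runs(stock, other)
    return {
        "stock_sha256": hashlib.sha256(stock).hexdigest(),
        "other_sha256": hashlib.sha256(other).hexdigest(),
        "length_delta": len(other) - len(stock),
        "runs": runs,
        "changed_bytes": sum(length for _, length in runs),
        # True when the shorter file is byte-for-byte a prefix of the longer one
        "common_prefix_identical": not runs,
        "identical": len(stock) == len(other) and not runs,
    }


def hex_window(data: bytes, offset: int, length: int, context: int = 4) -> str:
    """Render the bytes around one differing run for eyeballing."""
    lo = max(0, offset - context)
    hi = min(len(data), offset + length + context)
    return f"0x{lo:08x}: " + data[lo:hi].hex(" ")


def describe(report: Dict[str, object], stock: bytes, other: bytes) -> List[str]:
    """Human-readable report lines for the result of compare_dumps()."""
    lines = [
        f"stock sha256 : {report['stock_sha256']}",
        f"other sha256 : {report['other_sha256']}",
        f"length delta : {report['length_delta']:+d} bytes",
        f"changed runs : {len(report['runs'])} ({report['changed_bytes']} bytes)",
    ]
    for offset, length in report["runs"]:
        lines.append(f"  @0x{offset:x} len {length}")
        lines.append("    stock " + hex_window(stock, offset, length))
        lines.append("    other " + hex_window(other, offset, length))
    return lines


# Constructed sample: a 4 KiB all-zero "stock" image, and a copy with a 4-byte
# field overwritten at offset 0x10 and three extra bytes appended at the end.
STOCK = bytes(0x1000)
_mod = bytearray(STOCK)
_mod[0x10:0x14] = b"\xde\xad\xbe\xef"
_mod += b"\xff\xff\xff"
MODIFIED = bytes(_mod)

if __name__ == "__main__":
    for line in describe(compare_dumps(STOCK, MODIFIED), STOCK, MODIFIED):
        print(line)
```

To use it on real files, read both dumps with `open(path, "rb").read()` and pass them to `compare_dumps`. A report with `common_prefix_identical` true and a small positive `length_delta` is exactly the "one file is just a few bytes longer" situation from the preloader posts; a handful of short runs in an otherwise identical seccfg is the kind of flag change you would expect from an unlock.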

AP756

Rooting the Cosmo Communicator
« Reply #50 on: December 10, 2019, 08:29:48 am »
This morning Planet Computers announced an update for the Cosmo. It will include

1. TWRP (Team Win Recovery Project)
2. Debian using KDE/Plasma
3. Debian using LXQT
4. Rooted Android

( https://www.indiegogo.com/projects/cosmo-co...59#/updates/all )

According to the message on Indiegogo we can expect the update within the next days...

Bye for now  Fred
« Last Edit: December 10, 2019, 08:31:02 am by AP756 »

TauPan

Rooting the Cosmo Communicator
« Reply #51 on: December 10, 2019, 08:39:01 am »
Quote from: AP756
This morning Planet Computers announced an update for the Cosmo. It will include

1. TWRP (Team Win Recovery Project)
2. Debian using KDE/Plasma
3. Debian using LXQT
4. Rooted Android

( https://www.indiegogo.com/projects/cosmo-co...59#/updates/all )

According to the message on Indiegogo we can expect the update within the next days...

I think "In this update we would like to discuss plans regarding Linux support on the Cosmo Communicator." and "First Cosmo Firmware update - this week!" mean something different regarding the timeline.

We'll see if the firmware update this week already includes support for TWRP, linux and rooted android. That's not the way I understood those messages, though.

Edit: The output from the partition editor looks really cool, though. They're using parted to resize the partitions, which I think means that you can try out linux variants without losing data on your android installation. This would be really nice!
« Last Edit: December 10, 2019, 08:42:54 am by TauPan »

ZimbiX

Rooting the Cosmo Communicator
« Reply #52 on: December 10, 2019, 09:55:57 am »
Wow, TauPan, that's great research! Thanks so much for your work. I'm sure that process will be extremely useful for a great many Cosmo users

I had the same issue with fastboot, where that would only work on Linux for me. I'm not sure what Windows driver I was using - probably the one they supplied for the Gemini way back. No biggie for me, but I'm hoping others don't have too much trouble.

Not to get too off-topic: I'm looking forward to Planet's OTA and Linux news, but I expect a Linux release will not be provided for a good while. The screenshots are encouraging, and I'm impressed to see we might be able to have TWRP installed simultaneously with the expanded stock recovery. Keep up the good work, those working on Linux support

TauPan

Rooting the Cosmo Communicator
« Reply #53 on: December 11, 2019, 03:34:19 pm »
A word of warning:

Yesterday I tried to reflash my cosmo because I thought this might fix the main display issue from another thread. (Not thinking very clearly apparently. I was in a bit of panic.) (Edit: Talking about this issue:  https://www.oesf.org/forum/index.php?s=&...st&p=293139 )

I did this with the preloader.bin that I read back using my scatter file. This gives the error:

preloader format invalid

from SP flash tool.

I thought I had bricked my cosmo, because it had spontaneously rebooted during flash.

Just now I tried again with the preloader file that fell out of the WwR analysis of the EMMC_BOOT_1 partition and this just worked.

The preloader.bin from WwR is just a tiny bit longer than the one from the readback (just a few bytes). Not sure what might have caused this, but be extra careful! Maybe my scatter file is not exactly correct, but it is consistent with the output from SP flash tool itself.

The display issue is very bad for me though, my Cosmo is completely unusable since yesterday afternoon. I filed an issue in the Cosmo support sheet.

Wish me luck!
« Last Edit: December 11, 2019, 03:56:47 pm by TauPan »

TauPan

Rooting the Cosmo Communicator
« Reply #54 on: December 12, 2019, 07:22:50 am »
Ok, this inconsistency is bugging me, so I did a tiny analysis:

The preloader.bin that WwR generated out of the EMMC_BOOT_1 block dump has the following characteristics:

271540 bytes, 0x424B4 sha256sum: a4f77dc5392620f8743ef15ed3bc89e11c10ae6cdb6e5768a78d440cfda53763

As 0x424B4 is clearly quite a bit longer than 0x40000 (exactly 256K), my scatter file is wrong, and the (exactly 0x4000 bytes long) preloader.bin file from doing a readback with my scatter file is too short.

I wonder how WwR arrived at that value of 0x400000 for me... My initial (empty) scatter file had 0x800000 as preloader partition size.

It appears the initial (empty) scatter file has 0x800000, the scatter file from the analysis of the partial dump in WwR has 0x400000 and the scatter file from the analysis of the full dump has 0x1000000 (the complete size of the RPMB area, but I'm not sure if that's related).

Attaching the correct scatter file. (The only change: partition size goes up from 0x400000 (256K) to 0x1000000).

Also for anyone attempting the same: Be sure to dump seccfg after unlocking the bootloader. Flashing the unlocked seccfg partition is quite a bit more convenient than having to go through fastboot again (e.g. after accidentally flashing the locked one).

And another important thing: I can only flash my dumps with an unlocked bootloader. Apparently the files from the readback do not contain the verification signature or whatever, so SP flash tool complains that they're not verified if I try to flash them if the bootloader is locked!

Quote from: TauPan
A word of warning:

Yesterday I tried to reflash my cosmo because I thought this might fix the main display issue from another thread. (Not thinking very clearly apparently. I was in a bit of panic.) (Edit: Talking about this issue:  https://www.oesf.org/forum/index.php?s=&...st&p=293139 )

I did this with the preloader.bin that I read back using my scatter file. This gives the error:

preloader format invalid

from SP flash tool.

I thought I had bricked my cosmo, because it had spontaneously rebooted during flash.

Just now I tried again with the preloader file that fell out of the WwR analysis of the EMMC_BOOT_1 partition and this just worked.

The preloader.bin from WwR is just a tiny bit longer than the one from the readback (just a few bytes). Not sure what might have caused this, but be extra careful! Maybe my scatter file is not exactly correct, but it is consistent with the output from SP flash tool itself.

The display issue is very bad for me though, my Cosmo is completely unusable since yesterday afternoon. I filed an issue in the Cosmo support sheet.

Wish me luck!
« Last Edit: December 12, 2019, 07:34:12 am by TauPan »
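Two checks from this thread are worth automating before trusting a readback: comparing `partition_size` between two scatter files (the 0x100000 versus 0x40000 preloader disagreement in Reply #45) and checking a dump's length against the scatter file (the preloader.bin that came out too short in the post above). The script below is an added example, not code from the thread, from WwR or from SP Flash Tool; the scatter snippets it parses are constructed samples in the scatter-file layout, not the real Cosmo scatter file, and the reference image is a zero-filled stand-in of the 0x424B4-byte length quoted above.

```python
"""Scatter-file sanity checks for MediaTek readback/flash work.

Added example, not from the thread.  SCATTER_A / SCATTER_B are constructed
samples in the scatter-file layout, not the real Cosmo scatter file.
"""
import hashlib
from typing import Dict, Optional, Tuple

ScatterMap = Dict[str, Dict[str, str]]

# Constructed sample: two abbreviated scatter files that agree on everything
# except the preloader partition_size.
SCATTER_A = """\
##### constructed sample, not the real Cosmo scatter file #####
general: MTK_PLATFORM_CFG
  info:
    - config_version: V1.1.2
- partition_index: SYS0
  partition_name: preloader
  file_name: preloader.bin
  partition_size: 0x100000
  region: EMMC_BOOT_1
- partition_index: SYS1
  partition_name: seccfg
  file_name: seccfg.img
  partition_size: 0x800000
  region: EMMC_USER
"""
SCATTER_B = SCATTER_A.replace("partition_size: 0x100000", "partition_size: 0x40000")


def parse_scatter(text: str) -> ScatterMap:
    """Map partition_name -> its key/value entries.  The header block has no
    partition_name and is dropped; comment lines start with '#'."""
    parts: ScatterMap = {}
    cur: Optional[Dict[str, str]] = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if line.startswith("- "):           # '- key: value' opens a new entry
            line = line[2:]
            cur = {}
        if cur is None or ":" not in line:
            continue
        key, _, val = line.partition(":")
        cur[key.strip()] = val.strip()
        if key.strip() == "partition_name":
            parts[val.strip()] = cur
    return parts


def partition_size(parts: ScatterMap, name: str) -> int:
    return int(parts[name]["partition_size"], 0)   # base 0 accepts 0x... hex


def diff_sizes(a: ScatterMap, b: ScatterMap) -> Dict[str, Tuple[Optional[int], Optional[int]]]:
    """Partitions whose size differs (or that exist on one side only)."""
    out: Dict[str, Tuple[Optional[int], Optional[int]]] = {}
    for name in sorted(set(a) | set(b)):
        sa = partition_size(a, name) if name in a else None
        sb = partition_size(b, name) if name in b else None
        if sa != sb:
            out[name] = (sa, sb)
    return out


def check_readback(parts: ScatterMap, name: str, data: bytes) -> Dict[str, object]:
    """A readback is exactly partition_size bytes, so a mismatch means the
    scatter file and the device disagree.  A known-good reference image that
    is *larger* than partition_size shows the scatter size is too small and
    a readback done with it would truncate the partition."""
    expected = partition_size(parts, name)
    actual = len(data)
    if actual == expected:
        verdict = "matches"
    elif actual < expected:
        verdict = "shorter-than-partition"
    else:
        verdict = "larger-than-partition"
    return {"partition": name, "expected": expected, "actual": actual,
            "verdict": verdict, "sha256": hashlib.sha256(data).hexdigest()}


def image_fits(parts: ScatterMap, name: str, image_len: int) -> bool:
    """An image to be flashed may be shorter than its partition, never longer."""
    return image_len <= partition_size(parts, name)


if __name__ == "__main__":
    a, b = parse_scatter(SCATTER_A), parse_scatter(SCATTER_B)
    fmt = lambda v: "missing" if v is None else f"0x{v:x}"
    for name, (sa, sb) in diff_sizes(a, b).items():
        print(f"{name}: A={fmt(sa)} B={fmt(sb)}")
    ref = bytes(0x424B4)   # constructed stand-in for a 271540-byte reference preloader
    for label, parts in (("A", a), ("B", b)):
        print(label, check_readback(parts, "preloader", ref))
```

Run against real files, `diff_sizes` over two parsed scatter files lists only the partitions that disagree, and `check_readback` on a reference image that WwR or SP Flash Tool produced tells you whether the scatter entry can even hold it; the `sha256` field is there so the dump can be compared with a published checksum such as the one in Reply #54.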

TheProfessorNQ

Rooting the Cosmo Communicator
« Reply #55 on: December 12, 2019, 10:18:27 am »
Yesterday, while applying the android firmware update via OTA, I invoked some kind of ancient magic that got my Cosmo stuck in an endless boot loop. Key/button presses were of no help. I was boot loader unlocked and rooted. After the first two failed attempts at the OTA, I flashed the original boot.img back to the device via fastboot. Cosmo booted right up. This time, attempting the OTA seemed successful until it did its restart after updating.

Begin the endless boot loop. Attempts to power on. Shows only the splash screen with the unlocked bootloader unsafe whatever - not the boot animation. 5 seconds pass. Goes black for something like 7 seconds. Powers back on. Repeat until dead.

Then I learned about using SP Flash Tool, downloaded the scatter file from here and tried re-flashing the stock boot image that way. Now I get no screen display, but the SP Flash tools can, at least, still connect.

Hoping with growing desperation that someone may have some suggestions. I'm no fool when it comes to tech stuffs, but this is a little outside my usual realm these days.

Thanks!
-Prof

TauPan

Rooting the Cosmo Communicator
« Reply #56 on: December 12, 2019, 01:21:04 pm »
Quote from: TheProfessorNQ
Yesterday, while applying the android firmware update via OTA, I invoked some kind of ancient magic that got my Cosmo stuck in an endless boot loop. Key/button presses were of no help. I was boot loader unlocked and rooted. After the first two failed attempts at the OTA, I flashed the original boot.img back to the device via fastboot. Cosmo booted right up. This time, attempting the OTA seemed successful until it did its restart after updating.

Begin the endless boot loop. Attempts to power on. Shows only the splash screen with the unlocked bootloader unsafe whatever - not the boot animation. 5 seconds pass. Goes black for something like 7 seconds. Powers back on. Repeat until dead.

Then I learned about using SP Flash Tool, downloaded the scatter file from here and tried re-flashing the stock boot image that way. Now I get no screen display, but the SP Flash tools can, at least, still connect.

Hoping with growing desperation that someone may have some suggestions. I'm no fool when it comes to tech stuffs, but this is a little outside my usual realm these days.

Oh dear! Looks like we broke the OTA upgrade. I've read in another thread that another rooted user managed to upgrade by completely reverting (flashing original boot and locking the bootloader) before upgrading.

I'd be able to provide the original firmware files from my dump, but I see several potential problems here:

1.) I read in your other post that you have a Verizon device. I have a European one. I don't know if the firmware files are completely compatible.
2.) I'm not sure if it's ok to attach them to this forum wrt. copyright and forum rules. It may be, because they're publicly downloadable anyway and we did not reverse engineer them or anything.
3.) I'm not 100% confident that my dumps are ok, as I already had problems with preloader.bin having the wrong length. Maybe ZimbiX and I could compare checksums.

In turn, I would be very interested in your unlocked seccfg partition (see my scatter file) as I have unlocked myself and my display is broken and the Cosmo doesn't boot.

I think 2. is pretty much a non issue, so I can provide the files with checksums later. Maybe someone can shed some light if the files are compatible. We don't want to make the bricks worse than they already are.
« Last Edit: December 12, 2019, 01:22:53 pm by TauPan »

TheProfessorNQ

Rooting the Cosmo Communicator
« Reply #57 on: December 12, 2019, 08:07:25 pm »
Quote from: TauPan
Oh dear! Looks like we broke the OTA upgrade. I've read in another thread that another rooted user managed to upgrade by completely reverting (flashing original boot and locking the bootloader) before upgrading.

I'd be able to provide the original firmware files from my dump, but I see several potential problems here:

1.) I read in your other post that you have a Verizon device. I have a European one. I don't know if the firmware files are completely compatible.
2.) I'm not sure if it's ok to attach them to this forum wrt. copyright and forum rules. It may be, because they're publicly downloadable anyway and we did not reverse engineer them or anything.
3.) I'm not 100% confident that my dumps are ok, as I already had problems with preloader.bin having the wrong length. Maybe ZimbiX and I could compare checksums.

In turn, I would be very interested in your unlocked seccfg partition (see my scatter file) as I have unlocked myself and my display is broken and the Cosmo doesn't boot.

I think 2. is pretty much a non issue, so I can provide the files with checksums later. Maybe someone can shed some light if the files are compatible. We don't want to make the bricks worse than they already are.

Balls. I can't seem to make things happen today. No. That's not right. I can't make things happen positively. I can still connect, and it still tries flashing. I was going to attempt various pieces of the OTA update. I'd love to get you the seccfg file, but I can't seem to connect to do a readback. Ha! Finally connected for a readback while I was typing this. I am uploading a copy of the error along with this message. Invalid preloader, or some such debauchery. Same error for both download and readback attempts. I might, at this point, be willing to try your preloader.bin, if you'd be willing.

Again, and every time,
Thank you!
-Prof

PNuT

Rooting the Cosmo Communicator
« Reply #58 on: December 12, 2019, 10:23:19 pm »
I just fastbooted the original boot img back & it upgraded fine.....

TauPan

Rooting the Cosmo Communicator
« Reply #59 on: December 13, 2019, 02:49:13 am »
Quote from: TheProfessorNQ
Quote from: TauPan

In turn, I would be very interested in your unlocked seccfg partition (see my scatter file) as I have unlocked myself and my display  is broken and the Cosmo doesn't boot.

Balls. I cant seem to make things happen today. No. That's not right. I can't make things happen positively. I can still connect, and it still tries flashing. I was going to attempt various pieces of the OTA update. I'd love to get you the seccfg file, but I can't seem to connect to do a readback. Ha! Finally connected for a readback while I was typing this. I am uploading a copy of thr error along with this message. Invalid preloader, or some such debauchery. Same error for both download and readback attempts. I might, at this point, be willing to try your preloader.bin, if you'd be willing.

On second thought, I think uploading your seccfg to a public forum might be a bad idea. It's 8MB and I don't know what else it contains, other than the flag that the bootloader is unlocked. Might be sensitive data in there.

The error message is the exact same I get when I try to flash the preloader that's too short. If you used my first scatter file to read it, then it will be too short.

I'll upload my preloader, but keep in mind that it's for a EU Wifi + 4G Cosmo.

Hm... Forum tells me "You are not permitted to upload this kind of file", even when I put it into a 7z archive. So I put it into an encrypted zip archive, password is "secret". sha256sum of the unzipped file is a4f77dc5392620f8743ef15ed3bc89e11c10ae6cdb6e5768a78d440cfda53763

I see no reason why your preloader image should need  reflashing, so maybe:

Quote from: PNuT
I just fastbooted the original boot img back & it upgraded fine.....

@Professor You should try just unticking the box next to the preloader image (or anything else) and just reflash the un-magisked boot.img (provided by ZimbiX earlier).