Rooting the Cosmo Communicator

[PNuT]

It doesn't need much of a guide

I guess I have to improve my search terms then. I didn't find anything helpful yet.

Do you have fastboot set up on a computer?

[steeph]

Do you have fastboot set up on a computer?

I have now. I've improved my search terms and did find something and thought I'd have a go. But apparently I did a factory reset. I wanted root access to backup my stuff, so my plan is now obsolete anyway.

[rasva]

Any suggestion what else to try if my Cosmo is not recognised by fastboot?

- I succesfully flashed V19 using SP flash tool (was stuck at v16)
- I enabled USB debugging and OEM unlocking
- I ran "adb reboot bootloader"
- Cosmo rebooted to fastboot mode

Win10 recognises Cosmo in fastboot mode, I can see it in the devices. I installed google usb drivers and also tried MTK 1.0.8. drivers mentioned in previous posts (I think they are actually same)

I tried to assign it all three options one by one (ADB, bootloader and ADB combo). Still nothing, fastboot says <waiting for device>. If I reboot cosmo to recovery instead, it is at least recognised by adb, but this does not help.

[rasva]

Well.... I tried the same under OS X, and there fastboot worked, I have now unlocked Cosmo, ready to be rooted.

[Oran]

Hi!

I've rooted my Cosmo successfully using the boot-magisk.img you provided (unlocked the bootloader and flushed it with fastboot).

So, is there a guide I can follow to do the same or would you maybe willing to write one?

on the phone:
1) install magisk manager (you'll need to download the APK, and enable unknown sources)
2) activate "OEM unlocking" in developer settings (need to click on the build number repeatedly to get that)
NOTE that this will put some warning message on the display visible every time you boot, and possible make your device un-trusted by some apps, but IIUC there's a way to work around it if it'll ever become a problem with some magisk plugin.

on the PC: install adb and run these:
3) adb reboot bootloader
IIRC you'll need to press the volume up (right cover toggle button) to resume
4) fastboot flashing unlock
IIRC you may also need to press the right toggle button. (THIS WILL RESET ALL YOUR DATA)

5) reboot to bootloader again, see step 3 - (not sure if necessary)
6) download the patched boot image that matches your ROM version, and run:
fastboot flash boot boot-magisk.img
fastboot reboot

in order to be able to run OTA upgrades, you'll need to revert to the original boot image of the previous ROM version (by repeating steps 5 and 6)

note, if you want to use AdAway, you'll need to install a magisk module named: Systemless Hosts

[steeph]

Thank you very much! That looks very useful and doable for me.

[ehem]

Here's images for the V19 update:

Boot partition, unmodified: https://drive.google.com/file/d/1PHL6IlE3lq...iew?usp=sharing
Boot partition, rooted with Magisk: https://drive.google.com/file/d/1UqXZHeuPjr...iew?usp=sharing
Full images (~1.2GB): https://drive.google.com/open?id=1A9K04eyaX...sVVt3e6pVZGRA0Y

Mind advising us as to the origin of these?  Did you get your Cosmo updated to V19 and then download images from it?  I would much rather have "official" images from Planet Computers in some format which is signed so I can check signatures before installing them on a device.

on the phone:
1) install magic manager (you'll need to download the APK, and enable unknown sources) - https://magiskmanager.com/

I would tend to link to the source rather than this site which appears to be making money by advertising someone else's work (they may be doing some valuable service, but it wasn't immediately obvious).

[ZimbiX]

Mind advising us as to the origin of these?  Did you get your Cosmo updated to V19 and then download images from it?  I would much rather have "official" images from Planet Computers in some format which is signed so I can check signatures before installing them on a device.

I presume the procedure is the same as what I did the first time, as described earlier in this thread:

- Flash the original boot image back (matching the version)
- Apply the OTA update
- Extract the new boot image from the device using SP Flash Tool (and then optionally trim zeros somehow)
- Use the Magisk Manager Android app to manually patch that extracted file, producing the Magisk'd file

Feel free to do that yourself if you're wary of trusting random image files. It would be nice to have a signed image from Planet to avoid the boot warning, but I'm glad we don't need to wait on them, or we'd still be out in the cold.

on the phone:
1) install magic manager (you'll need to download the APK, and enable unknown sources) - <URL redacted>

I would tend to link to the source rather than this site which appears to be making money by advertising someone else's work (they may be doing some valuable service, but it wasn't immediately obvious).

Yeahh, I'd recommend you both edit your posts to avoid giving that dodgy site any more visits and ad revenue.

[Oran]

I would tend to link to the source rather than this site which appears to be making money by advertising someone else's work (they may be doing some valuable service, but it wasn't immediately obvious).

@ehem sorry i wasn't aware of that.
github doesn't seem to have apk files, i updated my post with a link to xda, and also added a note about AdAway and Systemless Hosts.

[ZimbiX]

github doesn't seem to have apk files, i updated my post with a link to xda, and also added a note about AdAway and Systemless Hosts.

Haha, it does actually, but it confused me the first time too - the releases are titled as either 'Magisk' or 'Magisk Manager' https://github.com/topjohnwu/Magisk/releases

Actually, I'd probably link the XDA thread since that contains info on what it is: https://forum.xda-developers.com/apps/magis...emless-t3473445

[Ninji]

Here's images for the V19 update:

Boot partition, unmodified: https://drive.google.com/file/d/1PHL6IlE3lq...iew?usp=sharing
Boot partition, rooted with Magisk: https://drive.google.com/file/d/1UqXZHeuPjr...iew?usp=sharing
Full images (~1.2GB): https://drive.google.com/open?id=1A9K04eyaX...sVVt3e6pVZGRA0Y

Mind advising us as to the origin of these?  Did you get your Cosmo updated to V19 and then download images from it?  I would much rather have "official" images from Planet Computers in some format which is signed so I can check signatures before installing them on a device.

I dumped all the partitions when I originally received my Cosmo (on V15), and have manually applied the OTA patch files to them, first V16 and then V19. You can reproduce these steps by using FlashTool to dump the partitions, the OTA zips from the official server and the tools from this GitHub repository: https://github.com/erfanoabdi/imgpatchtools

Take the V19 zip as an example: https://flare02.iofota.com/EASTAEON_FTPRO16...00118213137.zip
This is signed using an OTA certificate trusted by the Cosmo ( how to verify: https://android.stackexchange.com/a/83931 )

The following partitions just have .img files directly included in the zip: cam_vpu1, cam_vpu2, cam_vpu3, dtbo, lk, preloader, scp, spmfw, sspm, tee
So, you can trust these based off the zip itself.

Next, look at the META-INF/com/google/android/updater-script file.
The following partitions have simple patches: boot, md1dsp, md1img
You can look at the definitions in the script file for these:

Code: [Select]

apply_patch("EMMC:/dev/block/platform/bootdevice/by-name/boot:9538464:107496ed0ae9031b7356beeb6d6ae5e9d405025b:9538464:58d69f9ee544f6b994fa5082feb7f6265076992e",
            "-", 58d69f9ee544f6b994fa5082feb7f6265076992e, 9538464,
            107496ed0ae9031b7356beeb6d6ae5e9d405025b,
            package_extract_file("patch/boot.img.p"))
apply_patch("EMMC:/dev/block/platform/bootdevice/by-name/md1dsp:6885776:c703010283918d319aa37824f75113e714806543:6885776:b0a02f072aca1f17764bdc81f114a2879449bb61",
            "-", b0a02f072aca1f17764bdc81f114a2879449bb61, 6885776,
            c703010283918d319aa37824f75113e714806543,
            package_extract_file("patch/md1dsp.img.p"))
apply_patch("EMMC:/dev/block/platform/bootdevice/by-name/md1img:22674640:96f23e1ba17c7297c5dd41556d4585b64064e625:22674640:b362aef593db9b1aee7b2589c6d5c693c2bd5824",
            "-", b362aef593db9b1aee7b2589c6d5c693c2bd5824, 22674640,
            96f23e1ba17c7297c5dd41556d4585b64064e625,
            package_extract_file("patch/md1img.img.p"))
These give you the size and SHA1 hashes for the new and old versions of the partitions:

Code: [Select]

$ shasum -a1 boot_191209104700_orig.img EASTAEON_FTPRO16945_191209104700/patch/md1{dsp,img}.trim
107496ed0ae9031b7356beeb6d6ae5e9d405025b  boot_191209104700_orig.img
c703010283918d319aa37824f75113e714806543  EASTAEON_FTPRO16945_191209104700/patch/md1dsp.trim
96f23e1ba17c7297c5dd41556d4585b64064e625  EASTAEON_FTPRO16945_191209104700/patch/md1img.trim

$ shasum -a1 EASTAEON_FTPRO16945_200118213137/{boot_200118213137_orig.img,md1dsp.img,md1img.img}
58d69f9ee544f6b994fa5082feb7f6265076992e  EASTAEON_FTPRO16945_200118213137/boot_200118213137_orig.img
b0a02f072aca1f17764bdc81f114a2879449bb61  EASTAEON_FTPRO16945_200118213137/md1dsp.img
b362aef593db9b1aee7b2589c6d5c693c2bd5824  EASTAEON_FTPRO16945_200118213137/md1img.img
Next there's the partitions that use block image patches: system, vendor
These are, frustratingly, harder to verify as there is no single hash for the whole image. Instead, the script hashes certain blocks together in the original image (so in this case it would be V16, not V19) and also checks the hashes of certain regions specified in the transfer.list file (basically a script determining how to transform the old image to a new image):

Code: [Select]

if (range_sha1("/dev/block/platform/bootdevice/by-name/system", "56,1,446,698,32770,32959,32960,33466,65537,66043,98306,98495,98496,99002,131
73,131579,163842,164031,164032,164538,196609,197115,229378,229567,229568,230074,
62145,262651,294914,295103,295104,295610,327681,328187,360449,360955,393217,3937
3,425985,426491,458753,459259,467545,468034,491521,492027,524289,524795,557057,5
7563,558453,753664,753665,774155,780254,780261,786432") == "cf46d4c3a45898f5917dd2662e6f2aadc1989163" || block_image_verify("/dev/block/platform/bootdevice/by-name/system", package_extract_file("system.transfer.list"), "system.new.dat", "system.patch.dat")) then
[...]
if (range_sha1("/dev/block/platform/bootdevice/by-name/vendor", "22,1,155,538,32770,32822,32823,33306,65537,66020,82931,98304,98306,163840,16
842,196608,196609,215706,216486,216998,217408,217415,219136") == "e0dbc2e034534cef4053222528d0db5a3571f35f" || block_image_verify("/dev/block/platform/bootdevice/by-name/vendor", package_extract_file("vendor.transfer.list"), "vendor.new.dat", "vendor.patch.dat")) then
[...]
Then the last partition is the recovery. This one is encoded in an odd way: the patch is not in the OTA zip itself. The system partition contains a small script that runs on boot and applies an image patch to the boot image, producing the recovery image.
You can find this inside /system/bin/install-recovery.sh on the Cosmo:

Code: [Select]

applypatch  EMMC:/dev/block/platform/bootdevice/by-name/boot:9538464:58d69f9ee544f6b994fa5082feb7f6265076992e EMMC:/dev/block/platform/bootdevice/by-name/recovery a23d8adb309934aabb1e75b937da6855f8fe3580 15319968 58d69f9ee544f6b994fa5082feb7f6265076992e:/system/recovery-from-boot.p && log -t recovery "Installing new recovery image: succeeded" || log -t recovery "Installing new recovery image: failed"

Code: [Select]

$ shasum -a1 recovery_200118213137.img
a23d8adb309934aabb1e75b937da6855f8fe3580  recovery_200118213137.img
Finally, here's the commands I used to produce the images in that dump:

Code: [Select]

$ unzip -d EASTAEON_FTPRO16945_200118213137 EASTAEON_FTPRO16945_200118213137.zip
$ cd EASTAEON_FTPRO16945_200118213137
$ ../IMG_Patch_Tools_0.3/macOS/ApplyPatch newboot.img - 107496ed0ae9031b7356beeb6d6ae5e9d405025b 9536416 7e58e6005f7fc2f50ef3227f889898d67f689313 patch/boot.img.p
$ cp ../boot_191209104700_orig.img boot_200118213137_orig.img
$ ../IMG_Patch_Tools_0.3/macOS/ApplyPatch boot_200118213137_orig.img - 58d69f9ee544f6b994fa5082feb7f6265076992e 9538464 107496ed0ae9031b7356beeb6d6ae5e9d405025b patch/boot.img.p
$ adb push boot_200118213137_orig.img /sdcard/
$ # Patched from Magisk Manager on device
$ adb pull /sdcard/Download/magisk_patched.img
$ mv magisk_patched.img boot_200118213137_magisk.img
$ cp ../EASTAEON_FTPRO16945_191209104700/patch/md1dsp.trim md1dsp.img
$ cp ../EASTAEON_FTPRO16945_191209104700/patch/md1img.trim md1img.img
$ ../IMG_Patch_Tools_0.3/macOS/ApplyPatch md1dsp.img - b0a02f072aca1f17764bdc81f114a2879449bb61 6885776 c703010283918d319aa37824f75113e714806543 patch/md1dsp.img.p
$ ../IMG_Patch_Tools_0.3/macOS/ApplyPatch md1img.img - b362aef593db9b1aee7b2589c6d5c693c2bd5824 22674640 96f23e1ba17c7297c5dd41556d4585b64064e625 patch/md1img.img.p
$ cp ../new_system.img system_200118213137.img
$ cp ../new_vendor.img vendor_200118213137.img
$ ../IMG_Patch_Tools_0.3/macOS/BlockImageUpdate system_200118213137.img system.transfer.list system.new.dat system.patch.dat
$ ../IMG_Patch_Tools_0.3/macOS/BlockImageUpdate vendor_200118213137.img vendor.transfer.list vendor.new.dat vendor.patch.dat

$ # Flashed the new image
$ adb pull /system/system/recovery-from-boot.p
$ cp boot_200118213137_orig.img recovery_200118213137.img
$ ../IMG_Patch_Tools_0.3/macOS/ApplyPatch recovery_200118213137.img - a23d8adb309934aabb1e75b937da6855f8fe3580 15319968 58d69f9ee544f6b994fa5082feb7f6265076992e recovery-from-boot.p
Using these steps and existing images from your Cosmo you should be able to reproduce the exact same files.

[mithrandir]

Just being curious. What happens if we lock the bootloader again after rooting? Locked out?

What happens if we disable oem unlock afterwards?

Is there a way to install twrp without loosing the repartition tool recovery?

[aard]

Just being curious. What happens if we lock the bootloader again after rooting? Locked out?

What happens if we disable oem unlock afterwards?

Both unlocking and locking the bootloader wipes the device, unfortunately.

Locking the bootloader after rooting will send it into a boot loop due to failed signature verification. I've found the only way to drop out of that is to press and hold both cover display buttons until the recovery screen shows up (easier with the device closed - just hold until the regular vibrating stops). From there, go to bootloader, unlock, it'll wipe again, and let you boot back into the rooted device.

[Zarhan]

Hi, I haven't been able to go through every post in this thread, but couple of questions. I'm very much interested in the approach where we run Linux from SD-card (see https://www.oesf.org/forum/index.php?showtopic=36096 ).

Anyway, just to be clear, could somebody give a couple of clarifications? I'm mostly concerned about firmware upgrades after I've rooted my device.

- When starting to root the phone you need to unlock the bootloader. This will wipe all data. However, this is the only situation where data wipe is required - afterwards my data will stay even if I change to different firmwares.  Correct?
- One thing that troubles me is that how can I get the system to remain rooted when new firmware versions arrive. The problem is that I don't want to unroot, relock bootloader (wipe data), upgrade, unlock bootloader (wipe data), and root.
=> If there are prebuilt rooted images (either by the Community or planet), I can just apply a new FW directly. E.g. if I had a rooted V16, I could just install Ninji's rooted V19 and device would stay rooted, no data loss?

- This tutorial at https://github.com/topjohnwu/Magisk/blob/ma...ta-installation shows that if a device has A/B partitions (active and inactive one), it can make upgrades a breeze by restoring unrooted image to inactive partition and then just applying update to it, and then re-patching Magisk in there.
=> Does Cosmo actually have this A/B partition setup or not? Seems very straightforward method of both maintaining your upgrade level and staying rooted.

Essentially: If I don't want to lose my data at every OTA upgrade, do I need to always wait for community or Planet to publish pre-rooted images?

[Noppe]

- When starting to root the phone you need to unlock the bootloader. This will wipe all data. However, this is the only situation where data wipe is required - afterwards my data will stay even if I change to different firmwares.  Correct?

Correct.  You need to unlock the bootloader only once, and that is the only action that will wipe your data.  Best to do it early!  

- One thing that troubles me is that how can I get the system to remain rooted when new firmware versions arrive. The problem is that I don't want to unroot, relock bootloader (wipe data), upgrade, lock bootloader (wipe data), and root.

OTA updates don't care if your bootloader is unlocked.  If the OTA requires the untouched boot.img, you can flash the unrooted image back, apply the OTA, flash the new rooted boot.img, and be back to rooted.  You won't be touching the bootloader at all in this process, and your data are safe.

=> If there are prebuilt rooted images (either by the Community or planet), I can just apply a new FW directly. E.g. if I had a rooted V16, I could just install Ninji's rooted V19 and device would stay rooted, no data loss?

Correct, as long as you started with your bootloader already unlocked.

Essentially: If I don't want to lose my data at every OTA upgrade, do I need to always wait for community or Planet to publish pre-rooted images?

Nope, you can certainly follow the method of using SP Flash Tool or equivalent to extract the new boot.img, patch it in unrooted Cosmo userland with Magisk Manager, and then flash it back with SP Flash Tool.  Again, as long as you've got your bootloader unlocked, your data are fine.  (Although obviously when doing any of this stuff, it's a good idea to have backups.)