Full Version: Rooting the Cosmo Communicator
OESF Portables Forum > Model Specific Forums > Cosmo Communicator > Cosmo Communicator - Hardware
Charlie Stross
Does anyone have any insight into how to go about rooting the Cosmo?

(Yes, yes, I know they've only just begun shipping ..!)

NB: directions to enable a relative noob to root a Communicator would be welcome. (I want to be able to use some of the root-only functions of t-ui launcher.)
Vistaus
It should be easy. I don't have a Gemini, but there is official root support for the Gemini and it seems easy enough. So I think the process for the Cosmo will be very similar. I want to root it too.
Zarhan
Actually...can someone point to a good tutorial on rooting Android in general?

The phone I'm using daily is still good old Nokia N900 (only big problem with it is the lack of TLS 1.2 support). Syncing with MS Exchange Online (O365) works. Anyway, this means that I really have no in-depth experience with Android apart from occasionally seeing my wife use her Samsung.

I'm finding a bunch of tutorials by googling for them, but the basics, such as "What are the differences between Supersu and Magisk and why do I need them in the first place" are missing. Same applies for TWRP. (Well, for that I could find info on what it is - essentially a boot manager with partition backup functions), but no one has exactly told why it's needed and why TWRP is the one everybody recommends...

So by "good" tutorial I'm looking for information that besides telling "Do X, then do Y" actually also tells WHY you should do X and why Y is the best choice (instead of Z).
Vistaus
Dunno. Sometimes rooting is device-specific. But to get you started: DON'T ever use SuperSu. It has been abandoned for a long time and contains security holes. Magisk is the only good way to root, plus it's more flexible as you can add Magisk repos to customize your device after rooting it.
TWRP is needed because the default bootloader is never really flexible nor easy to use and often doesn't even allow you to flash Magisk and custom ROMs and stuff. There are a few other bootloaders out there, but TWRP is the most flexible and widely supported.
shinkamui
QUOTE(Vistaus @ Oct 24 2019, 04:36 AM) *
Dunno. Sometimes rooting is device-specific. But to get you started: DON'T ever use SuperSu. It has been abandoned for a long time and contains security holes. Magisk is the only good way to root, plus it's more flexible as you can add Magisk repos to customize your device after rooting it.
TWRP is needed because the default bootloader is never really flexible nor easy to use and often doesn't even allow you to flash Magisk and custom ROMs and stuff. There are a few other bootloaders out there, but TWRP is the most flexible and widely supported.


TWRP isn't a bootloader, it's a custom recovery environment...
Vistaus
QUOTE(shinkamui @ Nov 9 2019, 08:08 AM) *
QUOTE(Vistaus @ Oct 24 2019, 04:36 AM) *
Dunno. Sometimes rooting is device-specific. But to get you started: DON'T ever use SuperSu. It has been abandoned for a long time and contains security holes. Magisk is the only good way to root, plus it's more flexible as you can add Magisk repos to customize your device after rooting it.
TWRP is needed because the default bootloader is never really flexible nor easy to use and often doesn't even allow you to flash Magisk and custom ROMs and stuff. There are a few other bootloaders out there, but TWRP is the most flexible and widely supported.


TWRP isn't a bootloader, it's a custom recovery environment...


I know, I just wanted to keep it simple.
gidds
TWRP is certainly not necessary to install rooted Android, as the Gemini I'm typing this on was rooted without it!

It can be done using the Windows or Linux Flash Tool to install the rooted Android OS that Planet supply. (It's pretty fiddly, but doable.)

Assuming the same tool works with the Cosmo -- and I suspect it will -- all we'll need will be Planet to supply the rooted Android image for the Cosmo.
ZimbiX
I need root to be able to migrate from my Gemini properly. I've been carrying around three phones this week =P

According to the official Magisk installation instructions, the app can patch an arbitrary kernel image file. https://topjohnwu.github.io/Magisk/install....-image-patching

I'm thinking the desktop flash tool would be able to flash that patched kernel image to the Cosmo. It would just need a scatterfile to know where the partitions are.

I did some Googling, and apparently an MTK Tool can generate a scatterfile by analysing the device. The flash tool might support doing this too.

So lastly, we need to first read the kernel image from the device so the Magisk app can patch it. The MTK Tool can apparently make a backup of the device. Hopefully that means it stores the partitions as individual img files. Again, the flash tool might also support this.

I've been thinking about this for a few days, but haven't tried any of it yet. Sadly, I haven't been able to get the flash tool working on my Arch Linux in the past, so I'll have to have a go on Windows on the weekend.
gidds
On my Mac, the only way I was able to run the Flash Tool was by setting up a USB stick with Debian and booting from that. (It didn't work on Ubuntu.) I had a second stick with the Flash Tool and scatter file and images, but I first needed to install the non-free Debian tools to read it...
ZimbiX
Unfortunately, it turns out the MTK Tool is unmaintained and has not supported new devices for some years.

I found another tool called Miracle Thunder, which was described as rather capable, but it looked sketchy and I couldn't get it to load up past the splash screen.

There's info on a more manual process (https://forum.xda-developers.com/showthread.php?t=2540400) which I haven't made much headway with. The various partition info files in /proc which it mentions do not exist. I guess the Cosmo's using a newer/different Android storage system?

I've spent the better part of today researching and experimenting, and at this point I'm afraid I'm about ready to give up and wait for Planet to eventually release something =\
ZimbiX
In case it's useful, I've just worked out how to boot to recovery and show the menu:
- Reboot the device while holding down the right-hand side of the fingerprint rocker switch until the screen turns on (info from https://github.com/gemian/gemian/wiki/Bootloader) - or alternatively, run `adb reboot recovery`
- Once in recovery, press Fn + Esc + right-hand side of the fingerprint rocker switch

I tried the ADB sideload option to flash the Magisk zip, but predictably, it responds with "Signature verification failed" - since I'd reckon the bootloader's still locked (so zips require manufacturer signing). Now, if there was a way to unlock the bootloader...

I've had a play with the 'Reboot to bootloader' option with fastboot - hoping to try something like `fastboot oem unlock` (which is the bootloader unlock method for other Androids I've used) - but annoyingly, it doesn't show up with `fastboot devices` and Windows keeps making device plugged and unplugged noises (alternating about every ten seconds).
ZimbiX
At a glance, this looks quite interesting - using a 'Wwr MTK tool' to create a full backup of the device: https://forum.hovatek.com/thread-21970.html
I don't have any more time to look into this for a while! =\
v3ritas
QUOTE(ZimbiX @ Nov 17 2019, 09:52 AM) *
At a glance, this looks quite interesting - using a 'Wwr MTK tool' to create a full backup of the device: https://forum.hovatek.com/thread-21970.html
I don't have any more time to look into this for a while! =\


Thanks for your work on this. I just got my Cosmo yesterday & have started to play around with it a little as well, looking into rooting.

I was trying to do the same thing with the bootloader unlock: `fastboot oem unlock`, but didn't have any luck.

Going to keep playing with it & see what I can get. On other systems I've been able to patch the boot image through Magisk Manager, flash through fastboot, & then be set. I forget how I was getting root on my Gemini while using stock firmware, but may be similar to this.

Do we have recovery images yet for the Cosmo? May need those (either for root or when I inevitably break something while trying to root).
ZimbiX
QUOTE(v3ritas @ Nov 18 2019, 08:13 AM) *
I forget how I was getting root on my Gemini while using stock firmware, but may be similar to this.


For the Gemini, Planet provided a pre-rooted boot.img for us to flash with the SP Flash Tool. Unless you're saying you might have done something else.

QUOTE(v3ritas @ Nov 18 2019, 08:13 AM) *
Do we have recovery images yet for the Cosmo? May need those (either for root or when I inevitably break something while trying to root).


Not that I know of. I did come across this last night though: 'Mediatek (MTK) Auto TWRP recovery porter by Team Hovatek' - https://forum.hovatek.com/thread-21839.html. It looks recently developed enough that it might just work once we extract the stock recovery image. These Hovatek people are champs.

Good luck! And let us know what you learn
gidds
(I can't add anything useful, but just wanted to encourage you all to let us know what you find! I'll need to root my Cosmo when it arrives, as I rely on my Gemini being rooted to do things like backups and file transfers over ssh, adblocking via the hosts file, checking for runaway processes, and much more.)
v3ritas
QUOTE(ZimbiX @ Nov 17 2019, 06:23 PM) *
QUOTE(v3ritas @ Nov 18 2019, 08:13 AM) *
I forget how I was getting root on my Gemini while using stock firmware, but may be similar to this.


For the Gemini, Planet provided a pre-rooted boot.img for us to flash with the SP Flash Tool. Unless you're saying you might have done something else.

QUOTE(v3ritas @ Nov 18 2019, 08:13 AM) *
Do we have recovery images yet for the Cosmo? May need those (either for root or when I inevitably break something while trying to root).


Not that I know of. I did come across this last night though: 'Mediatek (MTK) Auto TWRP recovery porter by Team Hovatek' - https://forum.hovatek.com/thread-21839.html. It looks recently developed enough that it might just work once we extract the stock recovery image. These Hovatek people are champs.

Good luck! And let us know what you learn


It's using the "new" unlocking commands (`fastboot flashing unlock`), but currently hung at the prompt because I can't find out what's bound as the volume keys on the device. Going to try to play around with it while I'm at work today.

Here's some info from `fastboot getvar all` though:
? ~ fastboot getvar all
(bootloader) max-download-size: 0x8000000
(bootloader) variant:
(bootloader) logical-block-size: 0x200
(bootloader) erase-block-size: 0x80000
(bootloader) hw-revision: ca00
(bootloader) battery-soc-ok: yes
(bootloader) battery-voltage: 3734mV
(bootloader) partition-size:flashinfo: 1000000
(bootloader) partition-type:flashinfo: raw data
(bootloader) partition-size:otp: 2b00000
(bootloader) partition-type:otp: raw data
(bootloader) partition-size:userdata: 1be53f8000
(bootloader) partition-type:userdata: ext4
(bootloader) partition-size:cache: 1b000000
(bootloader) partition-type:cache: ext4
(bootloader) partition-size:system: c0000000
(bootloader) partition-type:system: ext4
(bootloader) partition-size:vendor: 35800000
(bootloader) partition-type:vendor: ext4
(bootloader) partition-size:tee2: c00000
(bootloader) partition-type:tee2: raw data
(bootloader) partition-size:tee1: 500000
(bootloader) partition-type:tee1: raw data
(bootloader) partition-size:dtbo: 800000
(bootloader) partition-type:dtbo: raw data
(bootloader) partition-size:logo: 800000
(bootloader) partition-type:logo: raw data
(bootloader) partition-size:boot: 2000000
(bootloader) partition-type:boot: raw data
(bootloader) partition-size:lk2: 100000
(bootloader) partition-type:lk2: raw data
(bootloader) partition-size:lk: 100000
(bootloader) partition-type:lk: raw data
(bootloader) partition-size:nvram: 4000000
(bootloader) partition-type:nvram: raw data
(bootloader) partition-size:gz2: 1000000
(bootloader) partition-type:gz2: raw data
(bootloader) partition-size:gz1: 1000000
(bootloader) partition-type:gz1: raw data
(bootloader) partition-size:cam_vpu3: f00000
(bootloader) partition-type:cam_vpu3: raw data
(bootloader) partition-size:cam_vpu2: f00000
(bootloader) partition-type:cam_vpu2: raw data
(bootloader) partition-size:cam_vpu1: f00000
(bootloader) partition-type:cam_vpu1: raw data
(bootloader) partition-size:sspm_2: 100000
(bootloader) partition-type:sspm_2: raw data
(bootloader) partition-size:sspm_1: 100000
(bootloader) partition-type:sspm_1: raw data
(bootloader) partition-size:scp2: 600000
(bootloader) partition-type:scp2: raw data
(bootloader) partition-size:scp1: 600000
(bootloader) partition-type:scp1: raw data
(bootloader) partition-size:spmfw: 100000
(bootloader) partition-type:spmfw: raw data
(bootloader) partition-size:md1dsp: 1000000
(bootloader) partition-type:md1dsp: raw data
(bootloader) partition-size:md1img: 6400000
(bootloader) partition-type:md1img: raw data
(bootloader) partition-size:proinfo: 300000
(bootloader) partition-type:proinfo: raw data
(bootloader) partition-size:sec1: 200000
(bootloader) partition-type:sec1: raw data
(bootloader) partition-size:persist: 3000000
(bootloader) partition-type:persist: ext4
(bootloader) partition-size:seccfg: 800000
(bootloader) partition-type:seccfg: raw data
(bootloader) partition-size:protect2: 978000
(bootloader) partition-type:protect2: ext4
(bootloader) partition-size:protect1: 800000
(bootloader) partition-type:protect1: ext4
(bootloader) partition-size:metadata: 2000000
(bootloader) partition-type:metadata: raw data
(bootloader) partition-size:nvdata: 4000000
(bootloader) partition-type:nvdata: ext4
(bootloader) partition-size:nvcfg: 2000000
(bootloader) partition-type:nvcfg: ext4
(bootloader) partition-size:frp: 100000
(bootloader) partition-type:frp: raw data
(bootloader) partition-size:expdb: 1400000
(bootloader) partition-type:expdb: raw data
(bootloader) partition-size:para: 80000
(bootloader) partition-type:para: raw data
(bootloader) partition-size:recovery: 2000000
(bootloader) partition-type:recovery: raw data
(bootloader) partition-size:boot_para: 100000
(bootloader) partition-type:boot_para: raw data
(bootloader) partition-size:preloader: 80000
(bootloader) partition-type:preloader: raw data
(bootloader) serialno: << Redacted >>
(bootloader) off-mode-charge: 1
(bootloader) warranty: yes
(bootloader) unlocked: no
(bootloader) secure: yes
(bootloader) kernel: lk
(bootloader) product: k71v1_64_bsp
(bootloader) slot-count: 0
(bootloader) version-baseband: MOLY.LR12A.R3.MP.V66.11
(bootloader) version-bootloader: k71v1_64_bsp-7c4ca86-20191029135153-201
(bootloader) version-preloader:
(bootloader) version: 0.5
all: Done!!
Finished. Total time: 0.015s
? ~


EDIT: Added the unlocking command above: `fastboot flashing unlock`

EDIT2: Okay, got the bootloader unlocked -- it looks like the button(s) in the fingerprint sensor are bound to volume. After hitting that I was able to actually get it through the unlock process. Now to see about getting a boot image to modify with Magisk for root.
? ~ fastboot getvar all
...
(bootloader) unlocked: yes
(bootloader) secure: no
...
? ~
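For anyone who wants to check a device's lock state from this kind of output rather than by eye, here is an added example (not part of the original post) that parses `fastboot getvar all` text into variables and a partition table and flags an unlocked or non-secure bootloader. The function names are chosen here, and the sample text is a shortened copy of the lines quoted above.

```python
import re

# Constructed sample: a shortened copy of the `fastboot getvar all` lines quoted
# in the post above. AFTER mimics the two lines that changed once the
# bootloader had been unlocked.
BEFORE = """\
? ~ fastboot getvar all
(bootloader) max-download-size: 0x8000000
(bootloader) variant:
(bootloader) partition-size:userdata: 1be53f8000
(bootloader) partition-type:userdata: ext4
(bootloader) partition-size:boot: 2000000
(bootloader) partition-type:boot: raw data
(bootloader) partition-size:recovery: 2000000
(bootloader) partition-type:recovery: raw data
(bootloader) serialno: << Redacted >>
(bootloader) unlocked: no
(bootloader) secure: yes
(bootloader) product: k71v1_64_bsp
all: Done!!
Finished. Total time: 0.015s
"""
AFTER = BEFORE.replace("unlocked: no", "unlocked: yes").replace("secure: yes", "secure: no")

# "(bootloader) key: value" or "(bootloader) key:subkey: value"; value may be empty.
LINE = re.compile(r"^\(bootloader\)\s+(?P<key>[^:\s]+(?::[^:\s]+)?):\s*(?P<value>.*)$")


def parse_getvar(text):
    """Return (variables, partitions) parsed from `fastboot getvar all` output."""
    variables, partitions = {}, {}
    for raw in text.splitlines():
        match = LINE.match(raw.strip())
        if not match:
            continue  # prompt line, "all: Done!!", timing summary
        key, value = match.group("key"), match.group("value").strip()
        if key.startswith("partition-size:"):
            # Sizes are printed as hexadecimal byte counts without a 0x prefix.
            partitions.setdefault(key.split(":", 1)[1], {})["size"] = int(value, 16)
        elif key.startswith("partition-type:"):
            partitions.setdefault(key.split(":", 1)[1], {})["type"] = value
        else:
            variables[key] = value
    return variables, partitions


def audit(text):
    """Summarise lock state; anything not explicitly locked/secure is a finding."""
    variables, partitions = parse_getvar(text)
    findings = []
    if variables.get("unlocked") != "no":
        findings.append("bootloader is not reported as locked")
    if variables.get("secure") != "yes":
        findings.append("secure boot is not reported as enabled")
    sizes_mib = {name: info["size"] // 2**20
                 for name, info in partitions.items() if "size" in info}
    return {"product": variables.get("product"),
            "findings": findings,
            "partition_mib": sizes_mib}


if __name__ == "__main__":
    # fastboot writes these lines to stderr, so capture real output with:
    #   fastboot getvar all 2>&1
    for label, text in (("before unlock", BEFORE), ("after unlock", AFTER)):
        print(label, audit(text))
```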
v3ritas
I'm pretty much stuck. Tried a few different things I found online related to getting a dump of the current firmware, but wasn't successful. Trying to avoid using any app I come across (also running Linux), but through one of the tutorials I have a template for the scatter file. I'm attaching it here in case it helps anyone else out.

Going to keep trying, but don't think I'll be able to accomplish anything before Planet releases the firmware or a way for us to root themselves.

EDIT: Might have the wrong chip there -- the MT6771 appears to be for MediaTek P60, not the Cosmo's P70.
ZimbiX
Good news, everyone!

I've managed to make decent progress with WwR. The UI in the latest version is a bit different from the tutorial I linked, but I've managed to generate a full scatterfile, and have commenced a full readback of the device! It looks like that's going to take a very long time to finish, so I thought I'd update here in the meantime.

Next up would be to use WwR to split the backup into individual image files.

Given it seems so easy to do that, I think I'll do a factory reset of my Cosmo and upload a full stock backup so no one else has to go through the same process. That way it'll be easy for anyone to use the SP Flash Tool to do a factory reset.

The blocking two-minute donation prompt on launching WwR is pretty annoying, haha. I would donate to get rid of it - plus they really deserve the money - but the PayPal form's loaded in the app, which is pretty dodgy. I think I'd prefer the delays than risk having my payment details stolen via man-in-the-middle.

Actually, I've just realised I could have simply readback only the boot image partition now that I know the partition layout from the scatterfile. I think I'll do that next before working out the splitting.

Going at 29.53MB/s, it's 32% done as I post this! I'm excited, haha.

I've attached the scatterfile for anyone else interested in playing around.
ZimbiX
Ok, I've extracted the boot image from the partition called 'boot' (using WwR on my full device backup), and patched it in Magisk Manager on the Cosmo. Here are the original and Magisk'd images:

boot.img: https://mega.nz/#!x8lXTKjT!kXjEjYGD...36v2Tbht3a4n1yQ
boot-magisk.img: https://mega.nz/#!U8sFVACI!J-TS3q11...V1YIVDipez05BvE

Flashing the Magisk'd image (with Sp Flash Tool v5.1916 using the scatterfile I uploaded), I'm unfortunately seeing this message on top of the splash screen:

QUOTE
Bad State

Your device has failed verification and may not
work properly.
Please download boot image with correct signature
or disable verified boot.
Your device will reboot in 5 seconds.


Flashing the original boot image back at least gets the Cosmo working again.

I'm terribly late for bed, so sadly I'll have to wait until the weekend to continue. We're so close now!

I'm guessing this error is where the bootloader unlocking comes in - @v3ritas: your turn!
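Before flashing a boot image that someone else has patched, it is worth seeing exactly which parts differ from your own stock readback. The following is an added example (not from the original posts) that splits two images using the AOSP boot image header layout (header versions 0 to 2) and hashes each section; the two sample images are constructed in the code and the function names are chosen here.

```python
import hashlib
import struct

BOOT_MAGIC = b"ANDROID!"
# magic, then ten little-endian u32 fields: kernel_size, kernel_addr,
# ramdisk_size, ramdisk_addr, second_size, second_addr, tags_addr,
# page_size, header_version, os_version (AOSP boot image header v0-v2).
HEADER_FMT = "<8s10I"


def pages(size, page_size):
    """Number of whole pages needed to hold `size` bytes."""
    return (size + page_size - 1) // page_size


def split_boot_image(img):
    """Return the header page and the kernel/ramdisk/second sections."""
    if len(img) < struct.calcsize(HEADER_FMT) or img[:8] != BOOT_MAGIC:
        raise ValueError("not an Android boot image (ANDROID! magic missing)")
    (_magic, kernel_size, _kaddr, ramdisk_size, _raddr, second_size,
     _saddr, _tags, page_size, header_version, _os) = struct.unpack_from(HEADER_FMT, img)
    if header_version > 2:
        raise ValueError("header v3 and later use a different layout")
    if page_size == 0 or page_size > len(img):
        raise ValueError("implausible page size in header")
    sections = {"header": img[:page_size]}
    offset = page_size  # the header occupies the first page
    for name, size in (("kernel", kernel_size),
                       ("ramdisk", ramdisk_size),
                       ("second", second_size)):
        if offset + size > len(img):
            raise ValueError(f"{name} section runs past the end of the file")
        sections[name] = img[offset:offset + size]
        offset += pages(size, page_size) * page_size  # sections are page-aligned
    return sections


def diff_sections(stock, patched):
    """Per-section SHA-256 of both images and whether the section changed."""
    a, b = split_boot_image(stock), split_boot_image(patched)
    return {
        name: {
            "stock": hashlib.sha256(a[name]).hexdigest(),
            "patched": hashlib.sha256(b[name]).hexdigest(),
            "changed": a[name] != b[name],
        }
        for name in ("header", "kernel", "ramdisk", "second")
    }


def build_sample(kernel, ramdisk, page_size=2048, header_version=1):
    """Build a minimal constructed image (sample data, not a real boot.img)."""
    header = struct.pack(HEADER_FMT, BOOT_MAGIC, len(kernel), 0, len(ramdisk),
                         0, 0, 0, 0, page_size, header_version, 0)
    out = header.ljust(page_size, b"\0")
    for blob in (kernel, ramdisk):
        out += blob.ljust(pages(len(blob), page_size) * page_size, b"\0")
    return out


# Constructed inputs: same kernel, ramdisk with extra bytes appended.
STOCK = build_sample(b"KERNEL" * 500, b"stock-ramdisk" * 100)
PATCHED = build_sample(b"KERNEL" * 500, b"stock-ramdisk" * 100 + b"+added-init")

if __name__ == "__main__":
    for name, info in diff_sections(STOCK, PATCHED).items():
        print(f"{name:8} changed={info['changed']} {info['patched'][:16]}")
```

On real files, read both images with `open(path, "rb").read()` and pass the bytes to `diff_sections`; any changed byte also means a signature made over the stock image no longer matches, which is what the "Bad State" screen above reports.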
peter
QUOTE(ZimbiX @ Nov 21 2019, 10:46 AM) *
Ok, I've extracted the boot image from the partition called 'boot' (using WwR on my full device backup), and patched it in Magisk Manager on the Cosmo. Here are the original and Magisk'd images:

boot.img: https://mega.nz/#!x8lXTKjT!kXjEjYGD...36v2Tbht3a4n1yQ
boot-magisk.img: https://mega.nz/#!U8sFVACI!J-TS3q11...V1YIVDipez05BvE

Flashing the Magisk'd image (with Sp Flash Tool v5.1916 using the scatterfile I uploaded), I'm unfortunately seeing this message on top of the splash screen:

QUOTE
Bad State

Your device has failed verification and may not
work properly.
Please download boot image with correct signature
or disable verified boot.
Your device will reboot in 5 seconds.


Flashing the original boot image back at least gets the Cosmo working again.

I'm terribly late for bed, so sadly I'll have to wait until the weekend to continue. We're so close now!

I'm guessing this error is where the bootloader unlocking comes in - @v3ritas: your turn!


Last night I had success unlocking the bootloader using adb and fastboot per the instructions here: https://www.thecustomdroid.com/unlock-bootl...fastboot-guide/

This morning I installed the boot-magisk.img file using fastboot starting at step 12 of Method 2 here: https://www.thecustomdroid.com/install-magi...ndroid-devices/

Successfully booted, and Magisk is now installed, so I've got root? Maybe? I've always used SuperSU, so I need to learn how Magisk works.
v3ritas
Ah, this is great~ Thanks ZimbiX!

Didn't get a chance to check on this while I was at work today so this is a nice surprise. Getting mine rooted now.

Glad you were able to get the app working to dump the scatter file. I don't have a Windows laptop anymore & it was not going well for me when I tried do it through VMware Fusion on my Mac.

peter: Yes, if you have Magisk then you're rooted. If you have any apps that use root you can go ahead & give them a try, or if you already have you can check what has rights in Magisk Manager > Superuser.

I'm getting it flashed now, as soon as my Cosmo finishes charging.

EDIT: I forgot, since we're just flashing the modified boot image, Magisk Manager needs to be installed separately. You can download it from the XDA thread here.
peter
QUOTE(v3ritas @ Nov 21 2019, 08:27 PM) *
peter: Yes, if you have Magisk then you're rooted. If you have any apps that use root you can go ahead & give them a try, or if you already have you can check what has rights in Magisk Manager > Superuser.

I'm getting it flashed now, as soon as my Cosmo finishes charging.

EDIT: I forgot, since we're just flashing the modified boot image, Magisk Manager needs to be installed separately. You can download it from the XDA thread here.



Thanks for your reply, v3ritas. Unfortunately, what I'm seeing on my Cosmo doesn't match the descriptions I'm reading about. Magisk Manager was pre-installed. Even after unlocking the bootloader, flashing the modified .img, and updating Magisk and MM, I'm left with the following:

[Attached photo]

When I hit Ok, I get a small pop-up saying "Setup failed." I couldn't find anywhere to toggle superuser permissions. The info I've read at xda so far seems to assume that the additional setup has been completed successfully.

I'd be grateful for any tips! Tomorrow when my brains are fresh, I'll try un- and then re-installing, but I'd really rather not.
ZimbiX
QUOTE(peter @ Nov 22 2019, 04:06 PM) *
When I hit Ok, I get a small pop-up saying "Setup failed." I couldn't find anywhere to toggle superuser permissions. The info I've read at xda so far seems to assume that the additional setup has been completed successfully.

I'd be grateful for any tips! Tomorrow when my brains are fresh, I'll try un- and then re-installing, but I'd really rather not.


Damn, that's annoying!

I've just had a go, and got it working on mine. After tapping 'ok' on the 'Requires additional setup' popup, it runs a spinner for a few seconds, then reboots. Root confirmed working via Termux.

I flashed boot using the SP Flash Tool rather than using fastboot if that makes any difference. I can't work out what the key combination is to boot straight to fastboot - maybe there isn't one..?

Edit: Did you retry it? Maybe the download failed somehow. And maybe there's logs somewhere - adb logcat while you do it?

Edit 2: It's amusing that the only way to tell a Cosmo and Gemini apart in these kinds of photos is by the subtle presence of the third hinge in the centre =P
v3ritas
QUOTE(ZimbiX @ Nov 22 2019, 12:33 AM) *
QUOTE(peter @ Nov 22 2019, 04:06 PM) *
When I hit Ok, I get a small pop-up saying "Setup failed." I couldn't find anywhere to toggle superuser permissions. The info I've read at xda so far seems to assume that the additional setup has been completed successfully.

I'd be grateful for any tips! Tomorrow when my brains are fresh, I'll try un- and then re-installing, but I'd really rather not.


Damn, that's annoying!

I've just had a go, and got it working on mine. After tapping 'ok' on the 'Requires additional setup' popup, it runs a spinner for a few seconds, then reboots. Root confirmed working via Termux.

I flashed boot using the SP Flash Tool rather than using fastboot if that makes any difference. I can't work out what the key combination is to boot straight to fastboot - maybe there isn't one..?

Edit: Did you retry it? Maybe the download failed somehow. And maybe there's logs somewhere - adb logcat while you do it?

Edit 2: It's amusing that the only way to tell a Cosmo and Gemini apart in these kinds of photos is by the subtle presence of the third hinge in the centre =P


I did get the same prompt about needing additional setup, hit okay & think mine clocked a little too. After that I was set though. Tested through ADB shell & worked as expected. I also flashed the Magisk boot.img through fastboot, so I don't think that would be causing the issue.

I wasn't sure about the key combo for direct fastboot either. I think using the Assistant button just works on the different OS boot methods, but I usually just go through `adb reboot bootloader` instead of fumbling around with the required keys per device.
peter
QUOTE(ZimbiX @ Nov 21 2019, 07:51 AM) *
I've attached the scatterfile for anyone else interested in playing around.


So, here's a question. Would it be possible to manually tweak the Cosmo scatter file by comparing it to a Gem file and use the Debian .img provided by Planet for the Gem to set up a dual boot Cosmo? Or is that Debian .img too heavily customized for the Gem to work on our new devices?

I'd just go ahead and try it myself, but I still haven't wrangled Magisk Manager successfully. I'm aiming to do that so I can use Titanium Backup before moving on to further experiments...
AP756
Thank you all contributing to this thread. With the scatter.txt and boot-magisk.img provided by ZimbiX I was able to root my Cosmo about 4h after receiving it :-).

Now I'm going to "improve" it the way I used to optimize my Gemini.

Update 1: Started Magisk manager, within Magisk installed Riru-Core and then Riru-EdXposed (SandHook), installed edXposed manager.apk, rebooted and started edxposed. It works!

Update 2: Within edXposed I installed GravityBox [P] v 9.1.3, updated modules list and rebooted. It works :-)

Regarding "Your device has failed verification and may not work properly..." I think this message is most probably located in lk (21500000). In another forum someone tweaked this area, the text is gone, but the 5 sec waiting time still exists. We'll know when the Planet Computers solution of rooting is published. For the time being I just ignore that message ;-)

Bye for now
xopher
These steps do work, I had to update my ADB Fastboot Driver to get the bootloader to unlock (curse words happened during that process). I don't want to provide the source of the updated driver in case the source I used is not altruistic.

Now, I wait for someone knowledgeable and/or brave enough to make a new scatter file with an empty partition to add some Linux spice to my device. I wonder if PC will host a partition tool before the community provides and figures out the key combos.

I imagine PC doesn't want to open the floodgates so they can focus on general support first. Their undertaking is not a small feat even at 4000. Imagine the possibility of having 4000 hungry infants to feed at once with only a few baby feeding bottles, YIKES!

I'm pretty sure since bootloader is unlocked NFC payments are out of the question since the device is "untrusted", it is possible your banking apps may not run on it post bootloader unlock since you broke the trust (if the app checks for that sort of thing). This is something to consider before unlocking ("tampering") with bootloader, you know your use case.

I might be wrong but thought I'd throw that last bit out there since no one else mentioned it. An LG Watch I had became ineligible for NFC payment until I reverted it back to "natural" state and Samsung has Knox, all the same principle, and I could be wrong.

Time to tame battery drain. My Gemini has a lot more stamina than Cosmo ATM (what are others using for power mgmt and background process control these days?? That is another question for another subforum).

BTW, hi; I'm new here, thanks for allowing me to fly the OESF skies!
gidds
QUOTE(AP756 @ Nov 25 2019, 08:15 PM) *
We'll know when the Planet Computers solution of rooting is published.

Is that definitely ‘when’, rather than ‘if’?  Have they said anything on the issue?

(My Cosmo is scheduled to be delivered tomorrow, but I won't be able to set it up and transfer everything from my Gemini without having rooted Android… At first glance, the above posts look pretty daunting; I'd be much happier if Planet provided downloadable firmware for the Cosmo, the way they did for the Gemini — after a lot of pain, I know how to use that!)
MadAdy
Hi owners, FYI Bootloader Unlock is in Developer Options.

Tap on Build Number in About Phone.
v3ritas
QUOTE(gidds @ Nov 26 2019, 02:35 PM) *
QUOTE(AP756 @ Nov 25 2019, 08:15 PM) *
We'll know when the Planet Computers solution of rooting is published.

Is that definitely ‘when’, rather than ‘if’? Have they said anything on the issue?

(My Cosmo is scheduled to be delivered tomorrow, but I won't be able to set it up and transfer everything from my Gemini without having rooted Android… At first glance, the above posts look pretty daunting; I'd be much happier if Planet provided downloadable firmware for the Cosmo, the way they did for the Gemini — after a lot of pain, I know how to use that!)


It's not as bad as it looks above. That was mostly just work when we were figuring out how to get root working. Right now the process is just to unlock the bootloader (which will wipe the device) & either backup & modify your own boot.img from the device, or use the already Magisk'ed one that ZimbiX has posted.

I'm waiting for those recovery images too. Hopefully will have some time this weekend to make a proper backup, so I have something to restore if I ended up doing harm to my device with root. That's part of the reason I haven't done anything crazy with root right now.

QUOTE(MadAdy @ Nov 26 2019, 06:11 PM) *
Hi owners, FYI Bootloader Unlock is in Developer Options.

Tap on Build Number in About Phone.


Also need to then boot to the bootloader & run `fastboot flashing unlock`. The button(s) in the fingerprint scanner worked as volume keys to confirm I wanted to unlock (& wipe the device in the process).
NormMonkey
QUOTE(xopher @ Nov 26 2019, 12:10 PM) *
I'm pretty sure since bootloader is unlocked NFC payments are out of the question since the device is "untrusted", it is possible your banking apps may not run on it post bootloader unlock since you broke the trust (if the app checks for that sort of thing). This is something to consider before unlocking ("tampering") with bootloader, you know your use case.

I might be wrong but thought I'd throw that last bit out there since no one else mentioned it. An LG Watch I had became ineligible for NFC payment until I reverted it back to "natural" state and Samsung has Knox, all the same principle, and I could be wrong.


I thought that was the Magisk advantage, it supposedly allows Google SafetyNet and other tamper checks to pass so that various secured apps like Google Pay still work.
I haven't tried this yet. Perhaps others can clarify if the Magisk'd image is indeed passing checks?
Big thanks to everyone working on this!
v3ritas
QUOTE(NormMonkey @ Nov 27 2019, 11:12 AM) *
QUOTE(xopher @ Nov 26 2019, 12:10 PM) *
I'm pretty sure since bootloader is unlocked NFC payments are out of the question since the device is "untrusted", it is possible your banking apps may not run on it post bootloader unlock since you broke the trust (if the app checks for that sort of thing). This is something to consider before unlocking ("tampering") with bootloader, you know your use case.

I might be wrong but thought I'd throw that last bit out there since no one else mentioned it. An LG Watch I had became ineligible for NFC payment until I reverted it back to "natural" state and Samsung has Knox, all the same principle, and I could be wrong.


I thought that was the Magisk advantage, it supposedly allows Google SafetyNet and other tamper checks to pass so that various secured apps like Google Pay still work.
I haven't tried this yet. Perhaps others can clarify if the Magisk'd image is indeed passing checks?
Big thanks to everyone working on this!


I'll get Google Pay installed on mine to check, but it's passing from within Magisk Manager. Will be a problem if the app specifically checks the bootloader status though.

EDIT: Looks like mine is fine with Google Pay. Didn't finish verifying my card, but was able to get up to that part. No notifications about it being blocked because of root.
gidds
QUOTE(v3ritas @ Nov 27 2019, 12:13 PM) *
It's not as bad as it looks above. That was mostly just work when we were figuring out how to get root working. Right now the process is just [...]

I'm afraid that's as far as I understood... :(

I've read the previous posts, but they didn't mean much to me because I don't know how to 'unlock the bootloader', nor what adb or fastboot are or how you use them. (I've gained access to the developer options by clicking seven times on Settings -> System -> Advanced -> About phone -> Build number, but I can't see anything relevant in there.)

Can anyone describe in foolproof terms exactly what to do to get root access on my Cosmo? (By which I mean: allow me to use 'tsu' to get a root shell in Termux, which is the only thing I need it for so far.)

I have a Mac running macOS, which I suspect is not supported by anything you're likely to be talking about. (No access to Windows.) I also have a stick set up letting me boot into Debian, along with the SP Flash Tool from MediaTek and the other bits and pieces that I've successfully used to flash my Gemini. I documented that process in lots of detail in this post.

If anyone could explain in a similar level of detail how to do the same to my Cosmo, I expect I wouldn't be the only grateful person :)

Also: having done so, can we tell how it might interact with future firmware updates (whether Over-The-Air or downloadable from the Planet support site)?
Robert
QUOTE(v3ritas @ Nov 27 2019, 07:13 AM) *
QUOTE(gidds @ Nov 26 2019, 02:35 PM) *
QUOTE(AP756 @ Nov 25 2019, 08:15 PM) *
We'll know when the Planet Computers solution of rooting is published.

Is that definitely ‘when’, rather than ‘if’? Have they said anything on the issue?

(My Cosmo is scheduled to be delivered tomorrow, but I won't be able to set it up and transfer everything from my Gemini without having rooted Android… At first glance, the above posts look pretty daunting; I'd be much happier if Planet provided downloadable firmware for the Cosmo, the way they did for the Gemini — after a lot of pain, I know how to use that!)


It's not as bad as it looks above. That was mostly just work when we were figuring out how to get root working. Right now the process is just to unlock the bootloader (which will wipe the device) & either backup & modify your own boot.img from the device, or use the already Magisk'ed one that ZimbiX has posted.

I'm waiting for those recovery images too. Hopefully will have some time this weekend to make a proper backup, so I have something to restore if I ended up doing harm to my device with root. That's part of the reason I haven't done anything crazy with root right now.

QUOTE(MadAdy @ Nov 26 2019, 06:11 PM) *
Hi owners, FYI Bootloader Unlock is in Developer Options.

Tap on Build Number in About Phone.


Also need to then boot to the bootloader & run `fastboot flashing unlock`. The button(s) in the fingerprint scanner worked as volume keys to confirm I wanted to unlock (& wipe the device in the process).


I'm having trouble getting this to work. I did do the bootloader unlock procedure above. When I boot to the bootloader and run `fastboot flashing unlock` it hangs with `< waiting for any device >`.

Also, `fastboot devices` returns a blank line, and `adb devices` returns what appears to be a device identifier, followed by the word `unauthorized`.

For what it's worth, when I boot into regular Android, `adb devices` returns the device code and the word `device` -- meaning the device is apparently `authorized` after a normal boot, but not in bootloader.

Any ideas?

Thanks!

Ignatz
QUOTE(Robert @ Nov 28 2019, 04:19 PM) *
QUOTE(v3ritas @ Nov 27 2019, 07:13 AM) *
QUOTE(gidds @ Nov 26 2019, 02:35 PM) *
QUOTE(AP756 @ Nov 25 2019, 08:15 PM) *
We'll know when the Planet Computers solution of rooting is published.

Is that definitely ‘when’, rather than ‘if’? Have they said anything on the issue?

(My Cosmo is scheduled to be delivered tomorrow, but I won't be able to set it up and transfer everything from my Gemini without having rooted Android… At first glance, the above posts look pretty daunting; I'd be much happier if Planet provided downloadable firmware for the Cosmo, the way they did for the Gemini — after a lot of pain, I know how to use that!)


It's not as bad as it looks above. That was mostly just work when we were figuring out how to get root working. Right now the process is just to unlock the bootloader (which will wipe the device) & either backup & modify your own boot.img from the device, or use the already Magisk'ed one that ZimbiX has posted.

I'm waiting for those recovery images too. Hopefully will have some time this weekend to make a proper backup, so I have something to restore if I ended up doing harm to my device with root. That's part of the reason I haven't done anything crazy with root right now.

QUOTE(MadAdy @ Nov 26 2019, 06:11 PM) *
Hi owners, FYI Bootloader Unlock is in Developer Options.

Tap on Build Number in About Phone.


Also need to then boot to the bootloader & run `fastboot flashing unlock`. The button(s) in the fingerprint scanner worked as volume keys to confirm I wanted to unlock (& wipe the device in the process).


I'm having trouble getting this to work. I did do the bootloader unlock procedure above. When I boot to the bootloader and run `fastboot flashing unlock` it hangs with `< waiting for any device >`.

Also, `fastboot devices` returns a blank line, and `adb devices` returns what appears to be a device identifier, followed by the word `unauthorized`.

For what it's worth, when I boot into regular Android, `adb devices` returns the device code and the word `device` -- meaning the device is apparently `authorized` after a normal boot, but not in bootloader.

Any ideas?

Thanks!



I had the same problems, found the solution with some help.

You need to install Google USB Drivers.

If that doesn't help, reboot to fastboot and go to your device manager.

Locate your Cosmo (for me it said it can't find a driver, and was just named "Android").

Update the driver through the driver manager, and select the Google USB driver (download it manually if needed).

If it can't autodetect it, select it manually and choose "Bootloader Interface".

After that you should be able to use the fastboot command.

Kind Regards,
Ignatz
AP756
The driver problem is solved by installing the MTK driver package MTK_USB_All_v1.0.8 (you'll find that on Inet).

When Cosmo is booted, go to Settings -> System -> Advanced -> Developer options and enable USB debugging (if there are no developer options, go to About phone and tap 7 times on Build number). Now start a CMD window (as administrator) and connect Cosmo. You'll be prompted with a message where you'll be asked to authorize the USB debugging connection. Do so and then issue the command "adb devices". It should prompt you with your device name without unauthorized.

Bye for now Fred
TauPan
QUOTE(ZimbiX @ Nov 17 2019, 05:52 PM) *
At a glance, this looks quite interesting - using a 'Wwr MTK tool' to create a full backup of the device: https://forum.hovatek.com/thread-21970.html
I don't have any more time to look into this for a while! =\


I'm just dumping my Cosmo following this howto.

The only stumbling block so far was that the "memory check" method of determining the dump length does not work with recent SP flash tool so you have to use the method of loading the incomplete dump of the EMMC_USER partition and let Wwr analyze it to determine the length.

(That and my wife's windows laptop was set to 125% magnification so I could not see some buttons in the Wwr tool at first.)

Dumping takes loooong... the full 128MB + system partitions are being dumped. My hope is that if I re-flash all of this after unlocking the bootloader via "fastboot flashing unlock" I can get *all* my data back.

I'm not quite sure how to verify the dump other than flashing it. I guess I'll just have to trust Smartphone Flash Tool from MTK. After all it's a tool from the chipset vendor. They should know what they're doing.

I'd certainly appreciate input on this.
TauPan
QUOTE(TauPan @ Dec 7 2019, 01:18 AM) *
QUOTE(ZimbiX @ Nov 17 2019, 05:52 PM) *
At a glance, this looks quite interesting - using a 'Wwr MTK tool' to create a full backup of the device: https://forum.hovatek.com/thread-21970.html
I don't have any more time to look into this for a while! =\


I'm just dumping my Cosmo following this howto.

The only stumbling block so far was that the "memory check" method of determining the dump length does not work with recent SP flash tool so you have to use the method of loading the incomplete dump of the EMMC_USER partition and let Wwr analyze it to determine the length.

(That and my wife's windows laptop was set to 125% magnification so I could not see some buttons in the Wwr tool at first.)

Dumping takes loooong... the full 128MB + system partitions are being dumped. My hope is that if I re-flash all of this after unlocking the bootloader via "fastboot flashing unlock" I can get *all* my data back.

I'm not quite sure how to verify the dump other than flashing it. I guess I'll just have to trust Smartphone Flash Tool from MTK. After all it's a tool from the chipset vendor. They should know what they're doing.

I'd certainly appreciate input on this.


Oh dear, it appears I've missed some pages here. I'm not used to reading forums any more.

Well, I'll compare my scatter file to ZimbiX's (I expect them to be identical). Indeed using the scatter file in SP flash tool seems to be easier for dump + restore.

I'd still like to know if my hunch is correct that I can reflash (most of) my backup after unlocking the bootloader (perhaps excluding the bootloader itself?) to regain my data?

Regarding Magisk there is *one* addon I use on my other phone to fool netflix *and* my banking software. I think it's magisk hide props config, but I'd need to boot the phone to be sure. This needs busybox for magisk to work.
ZimbiX
QUOTE(TauPan @ Dec 7 2019, 09:38 AM) *
Well, I'll compare my scatter file to ZimbiX's (I expect them to be identical). Indeed using the scatter file in SP flash tool seems to be easier for dump + restore.

I'd still like to know if my hunch is correct that I can reflash (most of) my backup after unlocking the bootloader (perhaps excluding the bootloader itself?) to regain my data?


Mmm, I'd been wondering that too. I'd tried to restore my data after unlocking the bootloader by flashing the data partition using SP Flash Tool with my data partition image, but it didn't work properly afterwards, with Android saying something like "Unable to decrypt user data partition" and showing a button to factory reset. I couldn't find any info on doing this - I'd imagine it's not a common thing to be able to get a dump of a device before unlocking the bootloader, so maybe people just haven't investigated it.

The encryption key must be stored separately to the encrypted data, so it's probably on a different partition. I was wondering if unlocking might be generating a new key to ensure security of the original data. I'd only flashed the data partition back, so maybe it would have worked if I'd flashed more. Or maybe processing of the same key is altered/incompatible between locked and unlocked.

I'd split out the data partition from my full backup using WwR rather than doing a readback with SP Flash Tool once I had the scatterfile, so the problem could be with that, but I'd hope not.

I hadn't done much setup on it before unlocking, so I ended up factory resetting.

Oh, and regarding payment for WwR, I'd found the dev's PayPal address in the HTML source of the donation prompt. I tried sending the money, but PayPal was blocking the transaction for some reason. I emailed vvaaavv about it on Nov 22 to ask if he'd accept another form of payment such as Bitcoin, but he hasn't responded (yet). I'm all for financially supporting development efforts, but at this point I'm getting more tempted to reverse engineer the thing to disable the timeouts =P
ZimbiX
TauPan, if you can't work it out and need to factory reset, I tweeted about the process I used to transfer my data: https://twitter.com/ZimbiX/status/1202220166446080000
TauPan
QUOTE(ZimbiX @ Dec 7 2019, 09:51 AM) *
TauPan, if you can't work it out and need to factory reset, I tweeted about the process I used to transfer my data: https://twitter.com/ZimbiX/status/1202220166446080000


I'm a tiny bit confused now.

From re-reading all the previous posts in this thread and your tweet, it appears to me that:

- We can modify the boot image on device with magisk and flash that via SP flash
- But it won't boot, if the bootloader is still locked, so the device will reject it?
- fastboot flashing unlock will delete all data

(The last part seems pointless if SP flash tool provides low level access to all the data anyway. But you can confirm that unlocking the bootloader will remove all user data?)

My use-case is that I've spent the previous two weeks to get my cosmo set up properly, so I'd really like to have a working backup of the cosmo.

Most of the stuff from my previous daily driver (Nexus 6p) is backed up with Titanium, which apparently doesn't work properly in some cases.
Both Titanium and Swift backup won't be able to backup app data if the device isn't rooted.

I do have a full backup of my user data now, but it's encrypted.

Maybe I should just try to dump everything with the scatter file, do a factory reset (unlock the bootloader) and then try to reflash everything. If that doesn't work I'll just go through the setup process again. I do have most stuff in the cloud anyway, it's mostly just busywork getting it all back, setting up accounts, etc.

(And in some cases, request account verification codes via snail mail, from banks, insurances, etc.)

ZimbiX
Oh, I'm sorry, I was mixed up!

You might have luck with Helium, or using ADB backup directly (which is what Helium uses). That used to be a great way to keep appdata when unlocking the bootloader, but sadly, nowadays a bunch of apps block themselves from being backed up this way.

Do a backup with that before trying the full reflash just in case it doesn't work. But I'm keen to hear whether it does! :D Good luck

Titanium restores of just appdata once you've already installed the app would probably work actually.

Woah, having to get verification codes by snail mail is nuts! I guess I'm lucky I've never had to do that
TauPan
QUOTE(ZimbiX @ Dec 7 2019, 07:19 PM) *
Oh, I'm sorry, I was mixed up!

You might have luck with Helium, or using ADB backup directly (which is what Helium uses). That used to be a great way to keep appdata when unlocking the bootloader, but sadly, nowadays a bunch of apps block themselves from being backed up this way.

Do a backup with that before trying the full reflash just in case it doesn't work. But I'm keen to hear whether it does! :D Good luck

Titanium restores of just appdata once you've already installed the app would probably work actually.

Woah, having to get verification codes by snail mail is nuts! I guess I'm lucky I've never had to do that


Yeah, quite a lot of apps block adb backups. I got a list created with Adebar. Also adb backup is quite annoying because you have to keep the screen awake or disable auto-locking. If I have to make a list of what to backup how, I might as well set up everything again.

Btw. How did you manage to extract the user data partition with WwR? Every way I cut my dump, the user data is always missing from the result. I think I'll try a readback with SP flash tool with the full scatter file this evening.

Account verification via snail mail is slow, but beats someone stealing your money along by stealing your phone number.
ZimbiX
QUOTE(TauPan @ Dec 8 2019, 05:05 AM) *
Yeah, quite a lot of apps block adb backups. I got a list created with Adebar. Also adb backup is quite annoying because you have to keep the screen awake or disable auto-locking. If I have to make a list of what to backup how, I might as well set up everything again.


Mmm, fair enough. I'm glad I haven't needed to do it in a long time.

QUOTE(TauPan @ Dec 8 2019, 05:05 AM) *
Btw. How did you manage to extract the user data partition with WwR? Every way I cut my dump, the user data is always missing from the result. I think I'll try a readback with SP flash tool with the full scatter file this evening.


Yeah, I don't understand why. The descriptions are misleading. I'd ended up using its cutting tool and supplied the offsets manually. It was really slow though - like 2MB/s. Readback's probably a better idea, actually, for speed. And takes any potential issues with that WwR process out of the picture.

QUOTE(TauPan @ Dec 8 2019, 05:05 AM) *
Account verification via snail mail is slow, but beats someone stealing your money along by stealing your phone number.


Hah. But what about stealing your mail? :P
Robert
QUOTE(Ignatz @ Nov 29 2019, 05:15 PM) *
QUOTE(Robert @ Nov 28 2019, 04:19 PM) *
QUOTE(v3ritas @ Nov 27 2019, 07:13 AM) *
QUOTE(gidds @ Nov 26 2019, 02:35 PM) *
QUOTE(AP756 @ Nov 25 2019, 08:15 PM) *
We'll know when the Planet Computers solution of rooting is published.

Is that definitely ‘when’, rather than ‘if’? Have they said anything on the issue?

(My Cosmo is scheduled to be delivered tomorrow, but I won't be able to set it up and transfer everything from my Gemini without having rooted Android… At first glance, the above posts look pretty daunting; I'd be much happier if Planet provided downloadable firmware for the Cosmo, the way they did for the Gemini — after a lot of pain, I know how to use that!)


It's not as bad as it looks above. That was mostly just work when we were figuring out how to get root working. Right now the process is just to unlock the bootloader (which will wipe the device) & either backup & modify your own boot.img from the device, or use the already Magisk'ed one that ZimbiX has posted.

I'm waiting for those recovery images too. Hopefully will have some time this weekend to make a proper backup, so I have something to restore if I ended up doing harm to my device with root. That's part of the reason I haven't done anything crazy with root right now.

QUOTE(MadAdy @ Nov 26 2019, 06:11 PM) *
Hi owners, FYI Bootloader Unlock is in Developer Options.

Tap on Build Number in About Phone.


Also need to then boot to the bootloader & run `fastboot flashing unlock`. The button(s) in the fingerprint scanner worked as volume keys to confirm I wanted to unlock (& wipe the device in the process).


I'm having trouble getting this to work. I did do the bootloader unlock procedure above. When I boot to the bootloader and run `fastboot flashing unlock` it hangs with `< waiting for any device >`.

Also, `fastboot devices` returns a blank line, and `adb devices` returns what appears to be a device identifier, followed by the word `unauthorized`.

For what it's worth, when I boot into regular Android, `adb devices` returns the device code and the word `device` -- meaning the device is apparently `authorized` after a normal boot, but not in bootloader.

Any ideas?

Thanks!



I had the same problems, found the solution with some help.

You need to install Google USB Drivers.

If that doesn't help, reboot to fastboot and go to your device manager.

Locate your Cosmo (for me it said it can't find a driver, and was just named "Android").

Update the driver through the driver manager, and select the Google USB driver (download it manually if needed).

If it can't autodetect it, select it manually and choose "Bootloader Interface".

After that you should be able to use the fastboot command.

Kind Regards,
Ignatz



Ignatz,

Thanks for the ideas. I tried to post a reply several days ago, but apparently it didn't get through.

I found what I thought were Google USB drivers here: https://developer.android.com/studio/run/win-usb

And I tried to install them using the instructions here: https://developer.android.com/studio/run/oe...nstallingDriver (for Win10).

The install utility always said that I already had "the most up to date drivers" installed, and when I told it to install anyway (even using the "Have disk" option to point it to the right place) kept insisting that there weren't any drivers there.

So, I am back where I started.

--Robert

TauPan
QUOTE(ZimbiX @ Nov 21 2019, 03:51 PM) *
Good news, everyone!


What is it, professor? ;)

QUOTE(ZimbiX @ Nov 21 2019, 03:51 PM) *
I've attached the scatterfile for anyone else interested in playing around :D


As promised, I have compared your scatterfile with the one I got from analyzing the EMMC_BOOT_1 and EMMC_USER areas with WwR.

Surprisingly I have found a difference between the two, which may be significant:

Yours gives:

partition_size: 0x100000

and mine:

partition_size: 0x40000

for the preloader partition.

I think mine is correct (Edit: Spoiler: I was wrong about this!), because when I have SP Flash Tool (latest version) connected to the Cosmo, it gives:

Boot 1 Size: 0x40000
Boot 2 Size: 0x40000
RPMB Size: 0x1000000
GP(1-4) Size: 0x0
UA Size: 0x1d1f000000

Actually that last number is the coveted size for the full EMMC_USER dump with WwR, so it appears there are easier ways if you just want to get just that number than running WwR.

Any idea what RPMB Size is?

However, WwR has proved invaluable to get that scatter file. I've come across some other tools to analyze the partial dumps via google, but didn't really take a closer look, because SP Flash Tool only works on windows for me, and for CLI/programming stuff I strongly prefer Linux.

I now have the full readback of the cosmo, done with SP Flash tool and I'm going to just root it. I'll see if I can recover the userdata.img afterwards, but I doubt it which is why I just updated all the app backups I could round up.

(Final thought: There's a reserved partition called OTP, which apparently cannot be read back with SP flash tool. OTP refers to "One Time Pad" in cryptographic terms. I didn't check the android developer documentation on that so this is just a guess, but if that partition is used as a one-time-pad for encrypting userdata and it is reset while unlocking the bootloader, there's not a chance in hell you could use the encrypted userdata.img dumped with the previous OTP. Hm... Maybe I should try to read back the reserved partitions by putting in the numbers. I'm going to try that now, before resetting. But maybe the data will be incompatible for other reasons.)
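An added example, not part of the post above and not taken from either scatter file in this thread: a small Python parser that diffs two MediaTek scatter files partition by partition, which is how a mismatch like the preloader `partition_size` would surface, and that flags overlapping entries in a file reconstructed by analysis. The sample files are constructed; only the two preloader sizes and the region names come from the post, and the key names other than `partition_size` are assumed to follow the usual scatter-file layout.

```python
import re

# Numeric fields (hex in the file) and text fields compared per partition.
# Key names other than partition_size are assumed from the usual layout.
HEX_FIELDS = ("linear_start_addr", "physical_start_addr", "partition_size")
TEXT_FIELDS = ("region",)

# "key: value" lines, optionally introduced by the "- " list marker.
_KV = re.compile(r"^\s*(?:-\s*)?([A-Za-z_]+):\s*(.*?)\s*$")

# Constructed sample: offsets and sizes are illustrative, except the two
# preloader sizes (0x100000 and 0x40000) quoted in the thread.
SCATTER_A = """\
# constructed sample, not a real Cosmo scatter file
- partition_index: SYS0
  partition_name: preloader
  linear_start_addr: 0x0
  physical_start_addr: 0x0
  partition_size: 0x100000
  region: EMMC_BOOT_1
- partition_index: SYS1
  partition_name: pgpt
  linear_start_addr: 0x0
  physical_start_addr: 0x0
  partition_size: 0x8000
  region: EMMC_USER
- partition_index: SYS2
  partition_name: seccfg
  linear_start_addr: 0x8000
  physical_start_addr: 0x8000
  partition_size: 0x800000
  region: EMMC_USER
"""
SCATTER_B = SCATTER_A.replace("partition_size: 0x100000",
                              "partition_size: 0x40000")


def parse_scatter(text):
    """Return {partition_name: {field: value}} from scatter-file text."""
    parts, current = {}, None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0]        # drop comment banners
        m = _KV.match(line)
        if not m:
            continue
        key, value = m.groups()
        if key == "partition_index":       # starts a new partition entry
            current = {}
        elif current is None:              # still in the general section
            continue
        elif key == "partition_name":
            parts[value] = current
        elif key in HEX_FIELDS:
            current[key] = int(value, 16)
        elif key in TEXT_FIELDS:
            current[key] = value
    return parts


def diff_scatter(a, b):
    """List (partition, field, value_in_a, value_in_b) for each mismatch."""
    out = []
    for name in sorted(set(a) | set(b)):
        if name not in a or name not in b:
            out.append((name, "<present>", name in a, name in b))
            continue
        for field in HEX_FIELDS + TEXT_FIELDS:
            va, vb = a[name].get(field), b[name].get(field)
            if va != vb:
                out.append((name, field, va, vb))
    return out


def find_overlaps(parts):
    """Adjacent partitions in one region whose address ranges overlap."""
    by_region = {}
    for name, p in parts.items():
        if "linear_start_addr" in p and "partition_size" in p:
            by_region.setdefault(p.get("region"), []).append(
                (p["linear_start_addr"], p["partition_size"], name))
    clashes = []
    for region, items in by_region.items():
        items.sort()
        for (s1, z1, n1), (s2, _z2, n2) in zip(items, items[1:]):
            if s1 + z1 > s2:               # previous entry runs into next
                clashes.append((region, n1, n2))
    return clashes


def _show(v):
    return hex(v) if isinstance(v, int) and not isinstance(v, bool) else str(v)


if __name__ == "__main__":
    a, b = parse_scatter(SCATTER_A), parse_scatter(SCATTER_B)
    for name, field, va, vb in diff_scatter(a, b):
        print(f"{name}.{field}: {_show(va)} vs {_show(vb)}")
    print("overlaps:", find_overlaps(a))
```

The diff only reports that the two files disagree; it does not decide which value is the right one for the device.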
TauPan
QUOTE(TauPan @ Dec 9 2019, 12:25 PM) *
RPMB Size: 0x1000000


Replay Protected Memory Block, apparently.

QUOTE(TauPan @ Dec 9 2019, 12:25 PM) *
(Final thought: There's a reserved partition called OTP, which apparently cannot be read back with SP flash tool. OTP refers to "One Time Pad" in cryptographic terms. I didn't check the android developer documentation on that so this is just a guess, but if that partition is used as a one-time-pad for encrypting userdata and it is reset while unlocking the bootloader, there's not a chance in hell you could use the encrypted userdata.img dumped with the previous OTP. Hm... Maybe I should try to read back the reserved partitions by putting in the numbers. I'm going to try that now, before resetting. But maybe the data will be incompatible for other reasons.)


On Google I only found a reference to a part of the linux kernel config with support for "One Time Programming" area. See https://android.googlesource.com/kernel/med...host/Kconfig#37

Both of these may or may not have anything to do with encryption of userdata. I obviously lack the knowledge and I don't even know where to look ;)

I've rooted my Cosmo now and I'm just downloading the userdata.img to the device. I get a constant 30MB/s and it's at 52% currently, so it should take another half hour or so, until I know if that worked.

(Funny thing: I can only use SP flash tool from windows and fastboot only works on linux for me. I even tried installing the google drivers on the windows laptop, as suggested here, but fastboot would still not find the cosmo.)
TauPan
Hm... wondering if this might work on newer MediaTek devices as well: https://forum.xda-developers.com/hd8-hd10/o...11#post78774211 ... but no need to do this kind of funny stuff to the Cosmo, since we'll get a signed rooted android image at some point, so we can lock the bootloader again. (Linked from here http://www.lieberbiber.de/2015/07/04/media...-and-preloader/ found while searching for RPMB Mediatek.)
TauPan
Ok, I did it, apparently!

Process is:

- Get scatter file (see attachment)
- Take full Readback of all partitions (all possible are enabled in scatter file)
- fastboot flashing unlock (wiping all data)
- Download all partitions except *drumroll* seccfg along with boot-magisk.img (see other post)

To clarify: flash everything with SP flashing tool *except* seccfg and *do* flash the magisk-modified root image, then reboot!

Takes an hour for me, and now I have all my data on a rooted cosmo.

(Edit: Nonsense... Apparently my Fingerprint Data *and* my Password are still as they were. Wondering what else seccfg contains, as the partition is not very small.)

I almost completely ruined my work productivity for this today, but that was totally worth it ;)

(Edit: Attachment deleted, see corrected version below.)
TauPan
I need to say that I figured this out by trial and error. When I tried to find information on this, I either found documents that were very vague, or that made no sense without appropriate background knowledge.

When I ticked *all* partitions in SP flash tool, I got "verified boot is enabled" at some point during the flashing (Download) process, so apparently one partition re-enabled secure boot (locked bootloader). But apparently the error did not occur directly after flashing the partition which reset the bootloader.

So if I flash everything including stock boot.img, I can get back to stock, without a trace of root.

And then I flashed the partitions one by one, noting which one would cause the error to appear.

Point of note: It's enough to unplug the device while it is in download mode in order to flash the next partition, which makes this process a bit faster.

Everything went well when I left out seccfg.img until I came to userdata.img. Then I rebooted and got all my configuration back, installed Magisk Manager, which said that magisk was already installed. \o/

Quick test in termux confirmed I had root.

I don't have the slightest idea what all these partitions contain, other than the names give hints in some cases. I also don't know what seccfg contains. Maybe it would be worthwhile to read back seccfg now and do a binary comparison with the stock version.

So you might be able to get your userdata back, if you reflash just the right partition(s) together with userdata. I suspect it may be the ones named "tee.." and/or "*sec*", maybe others. (See https://source.android.com/security/trusty ... Also see http://www.lieberbiber.de/2015/07/04/media...-and-preloader/ )

QUOTE(TauPan @ Dec 9 2019, 06:58 PM) *
ossible are enabled in scatter file)
- fastboot flashing unlock (wiping all data)
- Download all partitions except *drumroll* seccfg along with boot-magisk.img (see other post)

To clarify: flash everything with SP flashing tool *except* seccfg and *do* flash the magisk-modified root image, then reboot!


Downloading / readback takes 60 - 90 minutes for me with constant 30 M/s. ("M/s" is from the SP flash tool.)