Need to root Quaderno Gen2 A4 #195
Comments
Repacking the package needs the private key of the original PKG, which we don't have. So it's impossible to make a flashable package without replacing the public key in the rawdata partition. So currently, we can't root the Gen 2. [Unless someone finds a bug in the updater script which can bypass the signature check mechanism]
Got it. Thanks
I'm coming back to this now that I've got a Bigme ebook: it helped me learn many things about Android!
I'm getting good at that, so I've started looking at the scripts: yours and the one in the image. The verification is conditional on buildvariant, so the simplest way to bypass the signature check would be to change the buildvariant to avoid the condition. Changing it to, say, buildvariant=root should not trip the script's set -eu or the error detection, as you can try with that:
This buildvariant is defined in the boot.img at the end of the cmdline parameters. Changing that last buildvariant=user to buildvariant=root, or anything else that's 4 characters, should be enough. The boot.img partition can be obtained from your script by unzipping the tmp file it leaves behind: I got a boot.img with md5 a654bf0b3251ed40d687d606d0757a43 from 26010FP. Changing the buildvariant as suggested would require:
If I understand the documentation correctly, there is a hardware recovery mode, and it should always be available when the bootloader switches from primary to secondary. It's different from the "recovery" partition, also called "diagnostic" mode, as it sits at a much lower level. To check what the bootloader supports, we can extract not just boot.img but also u-boot-imx8mm.imx to study it: its md5 is e0d81c0689c635bf547dd3b950ceb2f5. Inside, I see it supports Serial Downloader Protocol, usb_dnload, USB EHCI, Android Fastboot, load binary file over serial line, mmcinfo, mmc part, tftpboot... so I think it has absolutely everything we might need to do things directly, to test a boot.img without even flashing it! And if it didn't, since the imx8mm is a standard platform for the evk, we can download the evk, compile the bootloader, and flash one with the extra things we need - or just grab a premade one. Google for the bootloader file name and you'll find many others, and documentation on how to flash it. It's not clear which DTBO should be used (there are many in the image), so instead of flashing it, I'd first try loading the bootloader to RAM with
As it would all be done in RAM, it would facilitate tests.
Then could you please detail the difference, or explain to me how to pack a .pkg that will match the Fujitsu layout? In case this fails, I saw another potential bug in the updater that might be even simpler to exploit, but all the information I could find for the Sony was in https://github.com/HappyZ/dpt-tools/raw/master/fw_updater_packer_by_shankerzhiwu/pkg_example/hack_basics/fw.pkg :
In your script, I see you're skipping 20 bytes for B, then 12 (so 3x4), which could be for the animation, but the differences don't really stand out to me. @ygjsz, if you have some time, could you have a look at the small FwUpdater.pkg from inside system.img, try to remove unpack/root/etc/init.d/S99updater, and explain to me how to repack this FwUpdater.pkg in the Fujitsu Gen2 format? This is just to see what happens when it's fed to the Quaderno while I try my other method: where it will fail, what will be shown on the screen, etc.
If it's really needed, that should be possible from a normal update if any daemon is listening for connections during the firmware update process. I see root has a shell in etc/passwd: Also, the unpacked etc/shadow contains a password: The previous Sony hack just changed the existing root password by tweaking the shadow file, but we may not be able to do that yet. So what about running hashcat on this sha512 to get the root password? If there's something listening and allowing a root login during the update (and I think there's login running on a USB serial tty), we can:
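The same-length cmdline patch proposed in the comment above, as an added example that is not part of the original thread, of dpt-tools, or of the commenter's own scripts. It assumes the Quaderno boot.img follows the standard Android boot image header layout (magic "ANDROID!", a 512-byte cmdline field at offset 64); that assumption, and the md5 of the dumped image, should be checked against a real dump before flashing anything. The sample image below is constructed for the demonstration and is not a Quaderno dump. The script replaces only the value of the last buildvariant= argument and refuses any replacement that is not exactly the same length, since a longer value would shift every byte after it. Whether the i.MX bootloader itself verifies the boot partition is not established on this page, which is one more reason to test a patched image from RAM first, as the comment suggests.

```python
"""Same-length patch of the buildvariant= kernel cmdline argument in an
Android boot.img. Added example for this thread; not dpt-tools code.

Assumption: standard Android boot image header (v0-v2): magic "ANDROID!"
at offset 0, page_size at offset 36, boot cmdline[512] at offset 64.
"""
import hashlib
import struct

BOOT_MAGIC = b"ANDROID!"
CMDLINE_OFF, CMDLINE_LEN = 64, 512   # header field: unsigned char cmdline[512]
PAGE_SIZE_OFF = 36
KEY = b"buildvariant="

# Constructed sample cmdline, NOT taken from a Quaderno dump.
SAMPLE_CMDLINE = b"console=ttymxc0,115200 init=/init buildvariant=user"


def make_sample_image(cmdline: bytes) -> bytes:
    """Build a minimal header-only boot image (one 2048-byte page) for testing."""
    hdr = bytearray(2048)
    hdr[:8] = BOOT_MAGIC
    struct.pack_into("<I", hdr, PAGE_SIZE_OFF, 2048)
    hdr[CMDLINE_OFF:CMDLINE_OFF + len(cmdline)] = cmdline
    return bytes(hdr)


def read_cmdline(img: bytes) -> bytes:
    """Return the main cmdline field with trailing NUL padding removed."""
    if img[:8] != BOOT_MAGIC:
        raise ValueError("not an Android boot image (bad magic)")
    return img[CMDLINE_OFF:CMDLINE_OFF + CMDLINE_LEN].rstrip(b"\0")


def patch_buildvariant(img: bytes, new_value: bytes) -> bytes:
    """Replace the value of the LAST buildvariant= argument in the cmdline
    field. new_value must be exactly as long as the current value so that no
    other byte of the image moves."""
    read_cmdline(img)  # magic check
    field = bytearray(img[CMDLINE_OFF:CMDLINE_OFF + CMDLINE_LEN])
    start = field.rfind(KEY)
    if start == -1:
        raise ValueError("buildvariant= not found in cmdline field")
    vstart = start + len(KEY)
    vend = vstart
    while vend < len(field) and field[vend] not in b" \0":
        vend += 1
    old_value = bytes(field[vstart:vend])
    if len(new_value) != len(old_value):
        raise ValueError(
            f"replacement must be {len(old_value)} bytes, got {len(new_value)}"
        )
    if b" " in new_value or b"\0" in new_value:
        raise ValueError("replacement must not contain spaces or NULs")
    field[vstart:vend] = new_value
    out = bytearray(img)
    out[CMDLINE_OFF:CMDLINE_OFF + CMDLINE_LEN] = field
    return bytes(out)


def md5hex(data: bytes) -> str:
    """md5 of an image, to compare with the hash of the dumped partition."""
    return hashlib.md5(data).hexdigest()


def diff_offsets(a: bytes, b: bytes) -> list:
    """Offsets where two equal-length images differ; proves the patch is minimal."""
    if len(a) != len(b):
        raise ValueError("images differ in length")
    return [i for i, (x, y) in enumerate(zip(a, b)) if x != y]


if __name__ == "__main__":
    sample = make_sample_image(SAMPLE_CMDLINE)
    print("before:", read_cmdline(sample).decode(), md5hex(sample))
    patched = patch_buildvariant(sample, b"root")
    print("after: ", read_cmdline(patched).decode(), md5hex(patched))
    print("bytes changed at offsets:", diff_offsets(sample, patched))
    try:  # a 5-byte value is rejected: it would shift the rest of the image
        patch_buildvariant(sample, b"debug")
    except ValueError as e:
        print("rejected:", e)
```

To use it on a real dump, replace the constructed sample with the bytes of the extracted boot.img, confirm md5hex() matches the hash of your dump first, and keep the diff_offsets() check: exactly four offsets should change for a user-to-root swap.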
Hi
I have a Quaderno 13.3, and its version is 1.1.01.04100FP. When I try to use dpt-tools.py to upgrade it, it always shows "Error, Unable to update. Error code: 900001". Does anyone know how to solve it? Or is it that I cannot root my Quaderno 13.3?
--
Updated:
I found a project, A4_fw_unpacker, that can unpack FwUpdater_gen2_1.1.01.04100FP.pkg.
But after removing all of the exit 1 lines from the unpacked script, I cannot find a way to repack it back into a pkg file. unofficial_pkg_unpacker.sh is not for the files unpacked by A4_fw_unpacker.
Thanks