ROOT: Patching the boot partition (non-US only)
(for non-US variants only)
On KaiOS 2.5.4 devices, such as the 6300 4G and 8000 4G, ADB and WebIDE can be used to install most third-party apps. However, apps with special 'forbidden' permissions are not allowed, including most BananaHackers apps with `engmode-extension` like Wallace Toolbox, which can be used to gain exclusive access to the phone. You also cannot make changes to the system. On the 2720 Flip and 800 Tough with KaiOS 2.5.2.2, with HMD/Nokia Mobile changing their release branches from `dev-keys` to `release-keys`, the situation is even worse as you cannot sideload at all.
This is because, in order for WhatsApp's VoIP feature to work on these KaiOS versions, a security module called SELinux is now set to `Enforced`, which checks and reverts system modifications on boot. To get total read-write access to the devices, you'll now have to permanently root them by setting SELinux to `Permissive` mode.
The guide below is based on the main guide from the BananaHackers website, but has been rewritten to make it easier to follow. The process takes a considerable amount of time, roughly 30 minutes to an hour, so do this when you have enough time.
Remember, you don't have to root your phone to do things that usually need root access, e.g. you can use this fork of Luxferre's AppBuster to disable apps from the launcher instead of deleting them with Wallace Toolbox. You can also install CrossTweak, a Wallace Toolbox alternative also made by Luxferre that does not need `engmode-extension` and therefore can be easily installed on KaiOS 2.5.4 devices.
DISCLAIMER: This process will void your phone's warranty, disable its ability to receive WhatsApp calls and over-the-air updates, but you can undo this if you save a copy of the original boot partition. However, you might also brick your phone if you make a mistake in the process, so proceed at your own risk and with caution! I won't be responsible for any damages done to your phone by following these.
- an international non-US version of Nokia 6300 4G (not TA-1324) or Nokia 8000 4G, Nokia 2720 Flip or Nokia 800 Tough;
- a USB cable capable of data transfer (EDL cables will also do);
- an Internet connection to download the tools needed;
- a somewhat-working firehose programmer MBN file for the 8000 4G and 6300 4G, 2720 Flip or 800 Tough;
- an image file of Gerda Recovery (backup: one, two) for the Nokia 8110 4G; since the firehose loader above has a reading bug, we'll use this to access ADB from recovery mode and get the boot partition from there (not needed for 2720 Flip/800 Tough);
- an EDL tools package to read and write system partitions with low-level access (in this guide we'll be using bkerler's edl.py v3.1 for the 8000 4G/6300 4G, and andybalholm's edl for the 2720 Flip/800 Tough).
andybalholm's EDL cannot be used on the 8000 4G and 6300 4G due to some structural changes within the GPT partition table, which will result in the error `AttributeError: 'gpt' object has no attribute 'partentries'. Did you mean: 'num_part_entries'?`. Do note that the command structures used by bkerler's and andybalholm's tools are different, which we'll mention below.
We'll be using open-sourced Python scripts from GitHub for the sake of cross-platform usage (and my obsession of open-source tools), instead of QFIL which is proprietary and only supports Windows.
Windows users also need:
- a computer with Python and `pip` installed for the EDL tools to work (both are packaged on Python's official website)
- the Qualcomm driver for your PC to detect the phone in EDL mode (included in the EDL tools)
- Zadig 2.7 to configure the `libusb-win32` driver
- Android Debug Bridge (ADB) installed to read the boot image in Gerda Recovery (see Development/WebIDE on BananaHackers Wiki)
@cyan-2048 confirmed to me that Zadig 2.5 bundled within the EDL package doesn't work, so DO NOT USE that. I've also specifically chosen version 2.7 as it works best throughout my testing, and the latest 2.8 version of Zadig also has trouble detecting the phone's EDL driver.
macOS & Linux users also need:
- a package manager, such as Homebrew, to quickly set up Python, ADB, `libusb` and configure the environment for EDL tools (a setup guide with Homebrew can be found below)
Python 2.7 bundled with macOS 10.8 to 12 is NOT recommended for following this guide.
If you're on Linux, Python and ADB can be quickly set up by installing them with your built-in package manager. We won't be covering this here, as each Linux distro has its own way of installing from a package manager.
If you're going the automatic boot partition patching and compilation via Docker route (only recommended for 5-6 year old computers):
- Git to clone/download the repository of the patcher tool to your computer (install guide)
- Docker Compose to provide the environment for the patcher tool to work (included in Docker Desktop, whose download links can be found here)
- (Windows) WSL 2 with the Linux kernel update package installed (to install WSL 2, turn on Virtualization in BIOS, then open Command Prompt with administrative rights and type `wsl --install`)
If you're going the extracting and manual editing by hand route:
- Android Image Kitchen v3.8 (Windows, macOS/Linux)
- (Windows) Notepad++ to edit the needed files while preserving line endings
- Java Runtime Environment for properly signing the boot image (optional)
For the sake of simplicity, the guide assumes you've moved the Gerda Recovery image and the MBN loader file into the root of EDL tools folder, which you should do for convenience. If you'd like to have those in other folders, change the directory path accordingly.
This portion of the guide was taken from Development/EDL tools on BananaHackers Wiki so that you don't have to switch tabs. Kudos to Cyan for the guides!
- Install Python and pip from your operating system's package manager, e.g. on Debian/Ubuntu (the apt package for pip is `python3-pip`):
sudo apt-get install python3 python3-pip
- Then, open Terminal and type this to install the dependencies for the EDL tools:
sudo -H pip3 install pyusb pyserial capstone keystone-engine docopt
- Switch your phone to EDL mode and connect it to your computer.
  - From the turned on state, turn on debugging mode on your phone by dialing `*#*#33284#*#*`, connect it to your computer and type `adb reboot edl` in a command-line window.
  - From the turned off state, hold down `*` and `#` at the same time while inserting the USB cable into the phone.
In both cases, the phone's screen should blink with an 'enabled by KaiOS' logo then become blank. This is normal behaviour letting you know you're in EDL mode and you can proceed.
Additionally, if you have issues with device access:
- Open `/etc/modprobe.d/blacklist.conf` in a text editor and append `blacklist qcserial`.
- Copy both `51-edl.rules` and `50-android.rules` from the root of the extracted EDL tools folder to `/etc/udev/rules.d`.
- Follow the instructions to install Homebrew on its homepage. Basically, just open Terminal, copy the long command shown on the page, and type your password when prompted.
- While you're in Terminal, type this into the command line:
brew install python android-platform-tools libusb && pip3 install pyusb pyserial capstone keystone-engine docopt
- Switch your phone to EDL mode and connect it to your computer.
  - From the turned on state, turn on debugging mode on your phone by dialing `*#*#33284#*#*`, connect it to your computer and type `adb reboot edl` in a command-line window.
  - From the turned off state, hold down `*` and `#` at the same time while inserting the USB cable into the phone.
- Open the Python installer and proceed with installation. Remember to tick the box next to "Add python.exe to PATH". This makes Python callable from anywhere in the command line instead of having to point to its folder specifically, which the next part of the guide won't cover.
- On Windows 10/11, by default, typing the `python` or `python3` aliases within Command Prompt will call the Microsoft Store version of Python, which we don't have installed. To override this default and call the local version of Python instead, head over to Settings > Apps > Apps & features > App execution aliases and toggle off both App Installer (python.exe) and App Installer (python3.exe).
- Open Command Prompt with administrator privileges and run this command:
pip3 install pyusb pyserial capstone keystone-engine docopt
- Open the extracted EDL tools folder, go to the Drivers > Windows folder and run `Qualcomm_Diag_QD_Loader_2016_driver.exe` with administrator rights. Proceed with installation and leave everything as default; restart the computer if it prompts you to do so.
- Switch your phone to EDL mode and connect it to your computer.
  - From the turned on state, turn on debugging mode on your phone by dialing `*#*#33284#*#*`, connect it to your computer and type `adb reboot edl` in a command-line window.
  - From the turned off state, hold down `*` and `#` at the same time while inserting the USB cable into the phone.
In both cases, the phone's screen should blink with an 'enabled by KaiOS' logo then become blank. This is normal behaviour letting you know you're in EDL mode and you can proceed.
- Run the Zadig tool (use the version downloaded above and NOT the one provided by the EDL package) and select Options > List All Devices. In the front dropdown menu, select `QHSUSB__BULK` (your device in EDL mode). In the target driver box (which the green arrow is pointing to), click on the up/down arrows until you see `libusb-win32` and click on Replace Driver.
- If you're installing the driver for the first time, a "USB Device Not Recognised" pop-up may appear. Exit EDL mode by removing and re-inserting the battery, then turn on the phone in EDL mode again.
As I've said above, the latest 2.8 version of Zadig might have some trouble detecting the phone's EDL driver. If you were using it and the driver installation takes too much time and the tool aborts it, exit Zadig, exit and re-enter EDL mode on the phone, then try to install again. If that still doesn't help, try downloading version 2.7 instead.
Beware: because the firehose loader is malfunctioning, the EDL tool only accepts one command per session, after which you'll have to disconnect the phone and restart it in EDL mode. If you try to issue a second command, it'll result in a `bytearray index out of range` error.
- Turn on the phone in EDL mode.
- Open the EDL tools folder in a command-line window. Flash the Gerda Recovery image to the recovery partition by typing this command:
python edl.py w recovery recovery-8110.img --loader=8k.mbn
If the progress bar stops at 99% and you get the error `usb.core.USBError: [Errno None] b'libusb0-dll:err [_usb_reap_async] timeout error\n'` or `usb.core.USBError: [Errno 60] Command timed out`, don't panic! This happens because the phone doesn't send any indicator information back to the EDL tool even though the image has in fact been successfully written. Ignore the error and proceed with the next step.
- When finished, disconnect the phone from your computer and exit EDL mode by removing and re-inserting the battery.
- Then, hold down the top Power button and `*` to turn on the phone in recovery mode. Connect the phone to your computer again.
Be careful not to boot into normal operation mode at this point! As stated above, while SELinux is still in `Enforced` mode, it'll try to revert all system modifications on startup; in this case, the custom recovery image we've just flashed will be overwritten by the stock one. If you accidentally start into normal mode (with the Nokia logo), you'll have to start over from step 1.
Don't worry if this boots into a white screen; you can still use ADB right after boot. This is because the display driver for the Nokia 8110 4G included in the recovery image is not compatible with the display of the 8000 4G/6300 4G.
Check if ADB can recognise the phone by typing `adb devices` into the command line.
- Navigate the command line to the `platform-tools` folder (if needed) and pull the boot image from the phone by typing this command:
adb pull /dev/block/bootdevice/by-name/boot boot.img
You should now see `/dev/block/bootdevice/by-name/boot: 1 file pulled, 0 skipped.` and have a copy of the boot partition with a size of 32.0MB (32,768KB). The fetched boot image will be saved to the current directory.
- Reboot the phone into normal operation by typing `adb reboot` into the command line, or remove and re-insert the battery. Our custom Gerda Recovery partition will now be overwritten by the default one.
You can disconnect the phone from your computer for now.
Copy and keep the original boot partition somewhere safe in case you need to restore to the original state for over-the-air updates or re-enabling WhatsApp calls.
Copy and keep the original boot partition somewhere safe in case you need to restore to the original state for over-the-air updates or re-enabling WhatsApp calls.
Unlike on the 6300 4G and 8000 4G, our phones' EDL loader works properly for both reading and writing, so the steps are more straightforward.
- Switch your phone to EDL mode and connect it to your computer.
  - From the turned on state, turn on debugging mode on your phone by dialing `*#*#33284#*#*`, connect it to your computer and type `adb reboot edl` in a command-line window.
  - From the turned off state, hold down both side volume keys (2720 Flip) or both D-Pad Up and Down keys (800 Tough) at the same time while inserting the USB cable into the phone.
In both cases, the phone's screen should blink with a 'Powered by KaiOS' logo then become blank. This is normal behaviour letting you know you're in EDL mode and you can proceed.
- Open the EDL tools folder in a command-line window. Extract the boot partition of the phone by typing one of these commands, depending on which loader file you have:
python edl.py -r boot boot.img -loader 2720.mbn
python edl.py -r boot boot.img -loader 800t.mbn
- When finished, reboot the phone into normal operation by typing one of these into the command line, or remove and re-insert the battery:
python edl.py -reset -loader 2720.mbn
python edl.py -reset -loader 800t.mbn
You can disconnect the phone from your computer for now.
Copy and keep the original boot partition somewhere safe in case you need to restore to the original state for over-the-air updates or re-enabling WhatsApp calls.
- Follow Docker's tutorial on installing Docker Desktop. Once set up, open the program, click Accept on this box and let the Docker Engine start before exiting.
- Clone/download the boot patcher toolkit by typing this into a command-line window. This will download the toolkit and have Docker set it up. Do not omit the dot/period at the end of this command; it tells Docker where our downloaded toolkit is located on the system.
git clone https://gitlab.com/suborg/8k-boot-patcher.git && cd 8k-boot-patcher && docker build -t 8kbootpatcher .
- Copy the `boot.img` file we've just pulled from our phone to the desktop and do not change its name. Type this into the command line to run the modifying process:
docker run --rm -it -v ~/Desktop:/image 8kbootpatcher
That's it! On your desktop there will be two new image files, the modified `boot.img` and the original `boot-orig.img`. You can now head to part 4.
- Extract the Android Image Kitchen tools and copy the boot image we've just obtained over to the root of the extracted folder.
- Open the folder in a command-line window and type `unpackimg boot.img`. This will split the image file and unpack the ramdisk into their subdirectories.
Be sure to edit the files correctly, else the phone won't boot!
- Let the editing begin! First, open `ramdisk/default.prop` using Notepad++ and change:
  - line 7: `ro.secure=1` -> `ro.secure=0`
  - line 8: `security.perf_harden=1` -> `security.perf_harden=0`
  - line 10: `ro.debuggable=0` -> `ro.debuggable=1`
- Open `ramdisk/init.qcom.early_boot.sh` in Notepad++ and add `setenforce 0` as a new line at the end of the file.
- Go back to the root Android Image Kitchen folder and open `split_img/boot.img-cmdline` in Notepad++. Without adding a new line, scroll to the end of the first line and append `androidboot.selinux=permissive enforcing=0`.
- Open `ramdisk/init.rc` (NOT `ramdisk/init`) and delete line 393, `setprop selinux.reload_policy 1`, or comment it out as shown. This will ultimately prevent SELinux from overwriting the policy changes we made above.
Psst, if you wish to disable the Low Memory Killer function, now's a good time to do so! In the same `ramdisk/init.rc` file, after line 420, make a new line and add:
write /sys/module/lowmemorykiller/parameters/enable_lmk 0
Indent the new line to match the other lines as shown.
- And that's a wrap! Open the root Android Image Kitchen folder in a command-line window and type `repackimg` to package our modified boot partition.
If you happen to encounter an error during the signing process, that's likely because the process uses `java` to run the `boot-signer.jar` step and you don't have it installed. The image will still be packaged and ready for flashing, but if you're a perfectionist, you can install JRE and try again.
If the newly packaged image is barely over 1/3 the size of the original image, this is normal behaviour and you can proceed.
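The edits above are keyed to line numbers (7, 8, 10, 393), which differ between firmware builds, and a typo in any of them leaves the phone unbootable. The script below is an added example, not part of Android Image Kitchen or the 8k-boot-patcher project: it applies the same four edits by matching the file contents instead of line numbers, and first checks that the pulled boot.img has the 32 MB size the guide expects. It assumes the unpacked AIK layout named in the steps (`ramdisk/`, `split_img/`).

```python
"""Added example (not part of 8k-boot-patcher or Android Image Kitchen): apply the
Part 3 manual edits by matching content instead of fixed line numbers, and check
the pulled boot.img has the 32 MB size the guide expects before touching it."""
import re
from pathlib import Path

# Property changes the guide makes in ramdisk/default.prop.
PROP_CHANGES = {"ro.secure": "0", "security.perf_harden": "0", "ro.debuggable": "1"}
CMDLINE_APPEND = "androidboot.selinux=permissive enforcing=0"
EXPECTED_BOOT_SIZE = 32 * 1024 * 1024  # 32.0 MB (32,768 KB) as pulled from the phone

def boot_image_size_ok(size_in_bytes: int) -> bool:
    """A pulled boot partition of any other size means the pull went wrong."""
    return size_in_bytes == EXPECTED_BOOT_SIZE

def patch_default_prop(text: str) -> str:
    """Rewrite only the key=value lines listed in PROP_CHANGES."""
    out = []
    for line in text.splitlines():
        key, sep, _ = line.partition("=")
        out.append(f"{key}={PROP_CHANGES[key]}" if sep and key in PROP_CHANGES else line)
    return "\n".join(out) + "\n"

def patch_early_boot(text: str) -> str:
    """Append 'setenforce 0' as the last line of init.qcom.early_boot.sh, once."""
    if re.search(r"^\s*setenforce 0\s*$", text, re.M):
        return text
    return text.rstrip("\n") + "\nsetenforce 0\n"

def patch_cmdline(text: str) -> str:
    """Append the kernel parameters to boot.img-cmdline without adding a newline."""
    line = text.rstrip("\n")
    return line if CMDLINE_APPEND in line else f"{line} {CMDLINE_APPEND}"

def patch_init_rc(text: str) -> str:
    """Comment out 'setprop selinux.reload_policy 1' wherever it sits, keeping indent."""
    out = []
    for line in text.splitlines():
        body = line.strip()
        if body == "setprop selinux.reload_policy 1":
            line = line[: len(line) - len(line.lstrip())] + "#" + body
        out.append(line)
    return "\n".join(out) + "\n"

def patch_tree(aik_root: Path) -> list:
    """Apply every edit in place inside an unpacked Android Image Kitchen folder
    (files are written back with LF line endings, as the ramdisk uses)."""
    jobs = [("ramdisk/default.prop", patch_default_prop),
            ("ramdisk/init.qcom.early_boot.sh", patch_early_boot),
            ("split_img/boot.img-cmdline", patch_cmdline),
            ("ramdisk/init.rc", patch_init_rc)]
    for rel, fn in jobs:
        path = aik_root / rel
        path.write_text(fn(path.read_text()))
    return [rel for rel, _ in jobs]
```

Run `boot_image_size_ok(Path("boot.img").stat().st_size)` before `unpackimg`, then `patch_tree(Path("."))` from the root of the unpacked AIK folder; the LMK tweak is deliberately left to be done by hand.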
- Turn on your phone in EDL mode and connect it to your computer.
- Move the newly created `boot.img`, `unsigned-new.img` or `image-new.img` to the EDL tools folder and open a command-line window within it. From here, type one of these commands depending on which image file you have:
python edl.py w boot boot.img --loader=8k.mbn
python edl.py w boot unsigned-new.img --loader=8k.mbn
python edl.py w boot image-new.img --loader=8k.mbn
For Nokia 2720 Flip and Nokia 800 Tough with andybalholm's EDL:
python edl.py -w boot boot.img -loader 2720.mbn
python edl.py -w boot boot.img -loader 800t.mbn
Again, if the progress bar stops at 99% and you get a timeout error, this is because the phone doesn't send any indicator information back to the EDL tool even though the image has in fact been successfully written. Ignore the error and go on with the next step.
- Restart the phone to normal operation mode by typing `python edl.py reset`. And we're done!
If you still have the original boot partition and wish to revert all the messes and damages, connect the phone to your computer in EDL mode, move the image file to the EDL tools folder, open a command-line window within it and type these one line at a time:
python edl.py w boot boot.img --loader=8k.mbn
python edl.py reset
- Now that you've rooted your phone, to install applications with 'forbidden' permissions, connect it to a WebIDE session, then open Device Preferences in the right pane, search for `devTools.apps.forbiddenPermissions`, clear its value, then either restart the phone or hold the top Power button and choose Memory Cleaner > Deep Clean Memory to restart B2G.
- If you wish to retain privileged permissions after restoring the phone to its unrooted state, before doing so, back up all data, sideload Luxferre's CrossTweak, then press # to perform a privileged factory reset; this will wipe all data on the phone and let you set up with a privileged session. This session will last until an OTA update overrides it or you choose to factory reset normally yourself.
- After rooting, you can spoof SELinux's Enforced status for WhatsApp VoIP by typing these commands one-by-one into the rooted ADB shell. This will last until a restart.
echo -n 1 > /data/enforce
mount -o bind /data/enforce /sys/fs/selinux/enforce
This documentation page is written courtesy of the BananaHackers team, 2018–present.