XDA Developers Android and Mobile Development Forum
masterpker2
(Last edited by masterpker2; 31st January 2012 at 11:59 PM.)
#1  
Member - OP
Thanks Meter 28
Posts: 53
Join Date: Jan 2012
[Q] bootloader bypass?

I am relatively new to Android, but I recently purchased an Acer a100. I probably should have done more research... but unfortunately the bootloader is locked down pretty tight, so I'm on a mission now to help find a way past this evil bootloader issue. I have scoured the Google plains only to find this tablet has missed out on a lot of great dev possibilities due to the bootloader. But I did come across an interesting tidbit of dev info and am not sure if it would really aid us in our search for a fix. The Motorola Atrix forums here on xda have some interesting dev on a file called kexec, I believe. It seems as though someone figured out how to bypass the locked bootloader and was very close to finding a kernel that would load on top of the program, though the issue was then Motorola having some sort of security to shut down the radio on the device if a custom kernel was loaded... so.. that being said, would this project be worth continuing on the a100 since mine does not have a cellular radio and as far as I know no security to disable anything if a custom kernel is loaded? http://forum.xda-developers.com/showthread.php?t=1079097
 
littleemp
#2  
Senior Member
Thanks Meter 45
Posts: 239
Join Date: May 2011
Quote:
Originally Posted by masterpker2 View Post
I am relatively new to Android, but I recently purchased an Acer a100. I probably should have done more research... but unfortunately the bootloader is locked down pretty tight, so I'm on a mission now to help find a way past this evil bootloader issue. I have scoured the Google plains only to find this tablet has missed out on a lot of great dev possibilities due to the bootloader. But I did come across an interesting tidbit of dev info and am not sure if it would really aid us in our search for a fix. The Motorola Atrix forums here on xda have some interesting dev on a file called kexec, I believe. It seems as though someone figured out how to bypass the locked bootloader and was very close to finding a kernel that would load on top of the program, though the issue was then Motorola having some sort of security to shut down the radio on the device if a custom kernel was loaded... so.. that being said, would this project be worth continuing on the a100 since mine does not have a cellular radio and as far as I know no security to disable anything if a custom kernel is loaded? http://forum.xda-developers.com/show....php?t=1079097
AFAIK that was one of the things thrown around for the Nook Tablet, which also had a locked and signed bootloader. Maybe someone with the necessary skills should take a look and see if it's viable? It looks like quite the undertaking though.
 
RobbandJenica
#3  
Member
Thanks Meter 2
Posts: 34
Join Date: Sep 2010
Location: Portland
how can dumb people help

I was curious if anyone knew how a person with absolutely no development skills could help this locked bootloader situation and get some ROMs on this amazing machine?
Hd2-NexusHD2 v.3.2
G2X-Eagleblood v.2.5
Acer A100-Stock Rom
 
crossix
#4  
Senior Member
Thanks Meter 228
Posts: 404
Join Date: Dec 2007
Location: Houston

 
Quote:
Originally Posted by RobbandJenica View Post
I was curious if anyone knew how a person with absolutely no development skills could help this locked bootloader situation and get some ROMs on this amazing machine?
Talk to Acer and express your concern and disappointment with their device. Tell them what you think about the locked bootloader and make them understand how it's impacting how you use the device and that the limitations they have placed on your device will affect future decisions on buying additional devices from them in the future.

I doubt it'll help, but it's better than sitting on your hands doing nothing.

Sent from my MB860 using XDA App

Devices Owned:
Phones...
HTC Aria - CM 7.1 / Rooted / OC'd - 801mhz
Motorola Atrix - CM 10.1 / Rooted / OC'd - 1.2ghz
LG Optimus G - SnowJB / Rooted :: (Daily Driver)

Tablets...
EKEN M001 - Android 1.6 / Rooted / OC'd 533mhz
Acer Icona Tab A100 - Stock / Rooted / UC'd 600mhz
Yuandao Window N70S - Stock (for now) :: (Daily Driver)
 
littleemp
#5  
Senior Member
Thanks Meter 45
Posts: 239
Join Date: May 2011
Quote:
Originally Posted by crossix View Post
Talk to Acer and express your concern and disappointment with their device. Tell them what you think about the locked bootloader and make them understand how it's impacting how you use the device and that the limitations they have placed on your device will affect future decisions on buying additional devices from them in the future.

I doubt it'll help, but it's better than sitting on your hands doing nothing.

Sent from my MB860 using XDA App
I wanted to ask you or any of the other devs that were giving this a try, if you could perhaps spare a few minutes to fill us in on what has been tried and is currently being tried (if anything)? I think at the very least it would stop the posting of more threads on the same subject (perhaps even sticky such post so new owners and devs alike are informed on progress), and also maybe shine a little bit of hope to the community
 
crossix
(Last edited by crossix; 2nd February 2012 at 07:09 PM.)
#6  
Senior Member
Thanks Meter 228
Posts: 404
Join Date: Dec 2007
Location: Houston

 
Quote:
Originally Posted by littleemp View Post
I wanted to ask you or any of the other devs that were giving this a try, if you could perhaps spare a few minutes to fill us in on what has been tried and is currently being tried (if anything)? I think at the very least it would stop the posting of more threads on the same subject (perhaps even sticky such post so new owners and devs alike are informed on progress), and also maybe shine a little bit of hope to the community
I don't know if there is anyone that is actually working on a solution to unlock it or find a work around such as 2nd-init or kexec. I don't know if we have any experienced devs that have done that sort of thing in the past with other devices that actually own an a100 and are working on it. If we don't I'd suggest that someone contact someone that does have experience (ie. koush or possibly sc2k) and see if they would be willing to help.

I am not a bootloader / recovery guy and have never personally developed a working solution to a problem like this. I barely know how they work in conjunction with each other. I know that recovery runs its own kernel and in order to get cwm to work you have to compile a kernel for your device and cwm uses it. I have tried several solutions that others have created but none of them have worked so far.

sc2k from the a500 forum created itsmajic for their device and I attempted to install it along with cwm but almost borked recovery on my tab in the process.
The recovery partition does some sort of checking (I dunno if it's a checksum validation or what) but it's obvious that the p7 partition in our device doesn't do the same thing as it does on the a500. So the bootloader hack for the a500 will not work for our device.

I have compiled kexec and got kexec-tools to run, but I don't know enough about the kernel or memory addresses to know how to launch an alternate kernel or what memory address to launch it in (if that's even the proper terminology??)

I have looked at 2nd-init, but don't understand where / how cwm would get launched from it.

I just don't have enough knowledge about the boot process / recovery to get a working solution for this thing. I don't consider myself a dev, but just a modder that has done some kernel tweaking and device tweaking here and there. I know how to use a c compiler, write sh scripts, check logcats for issues... enough to be dangerous but that's about it

 
eww245
#7  
Senior Member
Thanks Meter 78
Posts: 486
Join Date: Aug 2008
Location: Throop
Quote:
Originally Posted by crossix View Post
I have compiled kexec and got kexec-tools to run, but I don't know enough about the kernel or memory addresses to know how to launch an alternate kernel or what memory address to launch it in (if that's even the proper terminology??)

I have looked at 2nd-init, but don't understand where / how cwm would get launched from it.

I just don't have enough knowledge about the boot process / recovery to get a working solution for this thing. I don't consider myself a dev, but just a modder that has done some kernel tweaking and device tweaking here and there. I know how to use a c compiler, write sh scripts, check logcats for issues... enough to be dangerous but that's about it

2nd-Init might be possible; we just need to find a binary that starts within init/init.rc that can be hijacked. On Motorola phones it is logwrapper; this line in init.rc is the first it executes.
Code:
    exec /system/bin/logwrapper /system/bin/mount_ext3.sh userdata /data
For this to work logwrapper has to be renamed to something else (logwrapper.bin, .orig) and executed in a new executable script called logwrapper. In the script just about anything can be done. To run cwm, / gets remounted rw and new init files replace the old. busybox, other binaries and a hacked adbd are unzipped. 2nd-Init then goes to work killing process 1 (init) and starts cwm. I believe in this case cwm is 2nd-Init rather than a recovery partition.

The a100 init.rc doesn't use logwrapper. One idea, which may be too far-fetched and too far into init, is hijacking the bootanimation binary, but it runs as user 'graphics' which doesn't have elevated privileges. So could an su binary, compiled without requesting SuperUser.apk, be used in the hijacked bootanimation??... If it's too far in the boot process maybe we could at least get init.d tweaks.

Hashcode has come up with an inventive new approach to cwm bootstrap called safestrap. A different partition is used to hold the rom keeping stock intact making it almost impossible to brick. For anyone interested I recommend reading his blog to see how it works http://hash-of-codes.blogspot.com/p/...trap.html?m=0/. Attached is the logwrapper script from my Droid3 to get an idea of how it starts cwm. The safestrap.apk can also be downloaded from hashcode's blog for a better understanding. DO NOT install it, it can be unzipped and analyzed.

At this point there's no reason we can't deodex then make a custom rom/theme with just replacing at least the system apps and the framework. With the update.zips there's no reason not to.
Attached Files
File Type: txt logwrapper.txt (6.8 KB, 18 views)
Droid 3 - CM7 Safely Strapped
#OPMOSH
Acer a100 ICS 015 - rooted deodexed
Backup your data with adb

Retired Sorry Bill!
ThrottleLauncher Plugins
Weather.com
GoogleTranslator and Dictionary
CallLog@

[RHOD500]
XDAndroid FRX06/WM6.5 stock
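
A check for the logwrapper hijack pattern described in post #7, as an added example that is not part of the original thread or of the 2nd-init or safestrap projects: it reads init.rc from an extracted image and flags any launched program that is now a script sitting beside a renamed ELF original. The function names, the `.bin`/`.orig` suffix list (taken from the post) and the sample tree are assumptions constructed for illustration.

```shell
#!/bin/sh
# Added example: flag init.rc targets that were swapped for wrapper scripts.

magic() { od -An -c -N "$2" "$1" 2>/dev/null | tr -d ' \n'; }
is_elf()    { [ "$(magic "$1" 4)" = "177ELF" ]; }  # 0x7f 'E' 'L' 'F'
is_script() { [ "$(magic "$1" 2)" = "#!" ]; }

# audit_init_hijack ROOT: ROOT is an extracted image holding init.rc and system/.
audit_init_hijack() {
    root=$1
    # Programs init launches: "exec <path> ..." and "service <name> <path> ...".
    awk '$1 == "exec" { print $2 } $1 == "service" { print $3 }' "$root/init.rc" |
    sort -u | while read -r path; do
        f="$root$path"
        [ -f "$f" ] || continue
        is_script "$f" || continue
        verdict="REVIEW $path (init starts a script)"
        # Assumed rename suffixes, taken from the post: .bin and .orig
        for sfx in .bin .orig; do
            if is_elf "$f$sfx"; then
                verdict="HIJACK $path (script shadows ELF $path$sfx)"
            fi
        done
        echo "$verdict"
    done
}

# Constructed sample tree (not real device data) reproducing the pattern.
make_sample() {
    d=$(mktemp -d)
    mkdir -p "$d/system/bin"
    cat > "$d/init.rc" <<'EOF'
on fs
    exec /system/bin/logwrapper /system/bin/mount_ext3.sh userdata /data
service bootanim /system/bin/bootanimation
    user graphics
EOF
    printf '\177ELF-stub' > "$d/system/bin/logwrapper.bin"
    printf '\177ELF-stub' > "$d/system/bin/bootanimation"
    printf '#!/system/bin/sh\nexec /system/bin/logwrapper.bin "$@"\n' \
        > "$d/system/bin/logwrapper"
    echo "$d"
}

sample=$(make_sample)
audit_init_hijack "$sample"
rm -rf "$sample"
```

A script that init starts without a renamed ELF beside it is reported as REVIEW rather than HIJACK, since some stock images do launch shell scripts directly.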
 
Icewyng
#8  
Senior Member
Thanks Meter 46
Posts: 216
Join Date: Dec 2010
Some interesting stuff you have there...

So, you think that update-style ROM porting would be possible right now?

I will definitely take a look at the logwrapper.

Sent from my A100 using xda premium
Pocketbook IQ E-Reader (Custom SH20 ROM)
VS G-Tablet (Dead) (CM7Tab build Test4950(- Kernel: Pershoot 2.6.32.43 GB for BL 1.2)
Acer Iconia A100 (Rooted)
 
eww245
#9  
Senior Member
Thanks Meter 78
Posts: 486
Join Date: Aug 2008
Location: Throop
Quote:
Originally Posted by Icewyng View Post
Some interesting stuff you have there...

So, you think that update-style ROM porting would be possible right now?

I will definitely take a look at the logwrapper.

Sent from my A100 using xda premium
Using an update.zip? The only option we have now would be copying via adb or maybe dd but doubtful. So if the apks are decompiled and themed or even adjusting some code, they can be copied with a simple script from adb. If it bricks just use one of the update.zip's to recover. The first thing the updates do is format /system so no checksums or anything it should be safe.

I would think that AOSP style roms can be compiled but most of Acer's framework would have to stay, along with all the libs. Kind of like some of Team Liberty roms.
 
Icewyng
(Last edited by Icewyng; 3rd February 2012 at 10:05 AM.)
#10  
Senior Member
Thanks Meter 46
Posts: 216
Join Date: Dec 2010
Quote:
Originally Posted by eww245 View Post
Using an update.zip? The only option we have now would be copying via adb or maybe dd but doubtful. So if the apks are decompiled and themed or even adjusting some code, they can be copied with a simple script from adb. If it bricks just use one of the update.zip's to recover. The first thing the updates do is format /system so no checksums or anything it should be safe.

I would think that AOSP style roms can be compiled but most of Acer's framework would have to stay, along with all the libs. Kind of like some of Team Liberty roms.
True. I used edify script before to get my updates to work w/ CWR and I was formatting cache, userdata and system before reinstalling.

Perhaps working on an Acer update with the DSIDXA kitchen could help to get something workable?

Sent from my A100 using xda premium

 