
DOOGEE S55 TWRP RECOVERY (How-To Port MTK Recovery)

By coozoo, Junior Member on 30th August 2018, 11:44 PM
Greetings,
I got this device from China and it looks pretty good.
But I was surprised there is no TWRP recovery, so I tried to prepare one myself.

EVERYTHING THAT YOU DO, YOU DO AT YOUR OWN RISK.

DOWNLOAD -> recoveryTWRP311sd.zip

What works:
It's booting.
I'm able to flash Magisk (so finally rooted).
External sdcard mounted fine.
There is still some problem with encryption and I can't get rid of it (device still shows encrypted).

Problems:
Not able to mount internal sdcard and data (I suppose because of encryption).
Not sure about OTG mount.

So actually you can try it.


And here are the steps for those who want to do the same.
We need to download:
  1. First of all, we need to find a TWRP build for a device that is close to ours.
    I took a recovery for the DOOGEE Y6 simply because it has the same CPU, MTK6750 (I used TWRP+3.1.1-0doogeey6.zip; I suppose Google can find it somewhere, download and save it).
  2. Download the original firmware (in the case of DOOGEE you need to register on the official DOOGEE site).
  3. We need to download CarlivImageKitchen (I used CarlivImageKitchen_Windows_x64_v1.3.zip, google for it); it exists for Windows and Linux as well. Extract it somewhere.
  4. Download SP_Flash_Tool.
  5. The IDA script kallsyms_loader.idc.
    Open it and remove this from inside:
    Code:
    static trim(str) {
        return rtrim( ltrim(str) );
    }
    Then rename kallsyms_loader.idc.c to kallsyms_loader.idc

Unpack recoveries:
  1. Go inside the "CarlivImageKitchen" folder and find the "recovery-resources" folder.
    This is the folder where we need to place our firmware images to modify them.
  2. Extract the DOOGEE S55 original firmware and find recovery.img inside,
    copy it to "CarlivImageKitchen/recovery-resources" and
    rename recovery.img -> recoverystock.img
  3. Now take the donor recovery from its archive (in my case TWRP+3.1.1-0doogeey6.zip),
    copy it to "CarlivImageKitchen/recovery-resources" too and
    rename recovery.img -> recoverydoogeey6.img
  4. Go to the root of the CarlivImageKitchen directory, find the carliv.bat script (or carliv.sh for Linux) and execute it.
  5. You will see this screen. Type R and press Enter:
    Code:
    *                                                 *
    *      Carliv Image Kitchen for Android v1.3      *
    *     boot+recovery images (c)2016 [email protected]     *
    * including support for MTK powered phones images *
    *               WINDOWS x64 version               *
    *                                                 *
    ***************************************************
    
     Choose what kind of image you need to work on.
    
    ][**********************][
    ][ B.  BOOT             ][
    ][**********************][
    ][ R.  RECOVERY         ][
    ][**********************][
    ][ C.  CLEAR FOLDER     ][
    ][**********************][
    ][ O.  CLEAR OUTPUT     ][
    ][**********************][
    ][ P.  SEE INSTRUCTIONS ][
    ][**********************][
    ][ E.  EXIT             ][
    ][**********************][
    
    Type your option [B,R,C,O,P,E] then press ENTER:
  6. Then you need to select the firmware to work on.
    Type the number related to recoverystock.img (in the example it is 2) and press Enter
    Code:
    ***************************************************
    *                                                 *
    *      Carliv Image Kitchen for Android v1.3      *
    *     boot+recovery images (c)2016 [email protected]     *
    * including support for MTK powered phones images *
    *               WINDOWS x64 version               *
    *                                                 *
    ***************************************************
    *             RECOVERY images section             *
    ***************************************************
    
    ---------------------------------------------------
    -  R. - Refresh.
    ---------------------------------------------------
    -  E. - Go to Main menu.
    ---------------------------------------------------
    -  1. - recoverydoogeey6.img
    ---------------------------------------------------
    -  2. - recoverystock.img
    ---------------------------------------------------
    
    Type an image number then press ENTER:
  7. You will get this screen. Type 1 and hit Enter.
    Wait a few seconds and your stock image will be extracted to the "recoverystock" folder
    Code:
    *      Carliv Image Kitchen for Android v1.3      *
    *     boot+recovery images (c)2016 [email protected]     *
    * including support for MTK powered phones images *
    *               WINDOWS x64 version               *
    *                                                 *
    ***************************************************
    *               IMG scripts section               *
    ***************************************************
    
    Your selected image is recoverystock.img.
    The folder for repack will be recoverystock.
    Make sure that folder exists and you didn't delete it, because if you did, it wi
    ll give you an error.
    
    ][*************************][*************************][
    ][  1. Unpack image        ][  B. Other boot image    ][
    ][*************************][*************************][
    ][  2. Repack image        ][  R. Other recovery image][
    ][*************************][*************************][
    ][             I. Display image info                  ][
    ][*************************][*************************][
    ][                 Q. Go to main menu                 ][
    ][*************************][*************************][
    
    Type your option [1,2,B,R,I,Q] then press ENTER:
  8. Then you will be returned to the same screen (IMG scripts section). Type R and hit Enter.
  9. Now you will see the RECOVERY images section screen again,
    where you need to type the number related to recoverydoogeey6.img (in my case it is 1) and hit Enter.
  10. On the next screen type 1 and hit Enter to unpack recoverydoogeey6.img.
    As a result, "recoverydoogeey6" will be created in the root of the CarlivImageKitchen directory (you can make a backup of the original folder because it's the one we will change).
  11. You can leave the CarlivImageKitchen script open, just minimize it and perform the merge of files described below.

Now we have the stock and donor recoveries unpacked. We need to merge them.
Merging:
  1. Replace the donor kernel with the stock one
    recoverystock/recovery.img-kernel -> recoverydoogeey6/recovery.img-kernel
  2. Copy some other files, in my case (maybe there should be some more, but I will investigate later)
    recoverystock/ramdisk/fstab.enableswap -> recoverydoogeey6/ramdisk/fstab.enableswap
    recoverystock/ramdisk/meta_init.rc -> recoverydoogeey6/ramdisk/meta_init.rc
    recoverystock/ramdisk/ueventd.rc -> recoverydoogeey6/ramdisk/ueventd.rc
  3. Now we need to merge the build.prop settings (I'm using meld for that).
    In the stock firmware it is prop.default, in the donor recovery it is default.prop.
    Just merge the values wisely (I did it somehow).
  4. And merge the mount devices. Again I used meld.
    recoverystock/ramdisk/etc/recovery.fstab
    into
    recoverydoogeey6/ramdisk/etc/recovery.fstab
    In my case they're pretty different and the donor lacks some items. So I'm not sure about correctness; at least it's a place where fixes may be needed.

Packing modified recovery:
  1. Create a backup of the modified folder "recoverydoogeey6" (so that in case of failure there is no need to perform all the steps again).
  2. Maximize CarlivImageKitchen (if you closed it, you need to unpack the kernel again and replace the folder with the backup of the modded folder from the previous step).
    Type 2 and hit Enter
    Code:
    *      Carliv Image Kitchen for Android v1.3      *
    *     boot+recovery images (c)2016 [email protected]     *
    * including support for MTK powered phones images *
    *               WINDOWS x64 version               *
    *                                                 *
    ***************************************************
    *               IMG scripts section               *
    ***************************************************
    
    Your selected image is recoverydoogeey6.img.
    The folder for repack will be recoverydoogeey6.
    Make sure that folder exists and you didn't delete it, because if you did, it wi
    ll give you an error.
    
    ][*************************][*************************][
    ][  1. Unpack image        ][  B. Other boot image    ][
    ][*************************][*************************][
    ][  2. Repack image        ][  R. Other recovery image][
    ][*************************][*************************][
    ][             I. Display image info                  ][
    ][*************************][*************************][
    ][                 Q. Go to main menu                 ][
    ][*************************][*************************][
    
    Type your option [1,2,B,R,I,Q] then press ENTER:
  3. Go to the CarlivImageKitchen root folder and find the "output" directory.
    Inside there will be a file like this:
    recoverydoogeey6-20180828-0030.img

Now we can try our new recovery (really we should continue)
First flashing
  1. Create a recovery folder somewhere and place the generated recoverydoogeey6-20180828-0030.img inside
  2. Rename recoverydoogeey6-20180828-0030.img -> recovery.img
  3. And copy the scatter file MT6750_Android_scatter.txt from the original firmware to this recovery folder.
    The content of this directory should look like this:
    Code:
    MT6750_Android_scatter.txt
    recovery.img
  4. Now we need to open SP Flash Tool. Go to the tool's directory and run flash_tool.exe (I'm skipping MTK driver installation here)
  5. Select the Download tab
  6. Set the Scatter-loading file (MT6750_Android_scatter.txt) with the choose button
  7. Now ONLY the recovery checkbox will be marked (check that)
  8. Press the Download button and connect your phone in the turned-off state. Wait for the flashing to finish
  9. Hold the Volume UP + Power buttons
  10. Select recovery with Volume UP and confirm with Volume Down
  11. TWRP loaded

But (this bloody but) your touch will not work.
People discovered that the problem is in the kernel: touch is simply disabled for MTK in recovery mode.
The good news is that now we have loaded our kernel and we can connect through ADB with root access.
So the next step is kernel patching... (thanks to LosTigeros on GitHub, who described it well at this link).

Kernel patching

Get kernel memory map
  1. So your phone is in TWRP without touch
  2. Connect to it via ADB
    Code:
    adb shell
  3. Execute
    Code:
    # echo 0 > /proc/sys/kernel/kptr_restrict
    # cat /proc/kallsyms >/tmp/symbols.txt
    # exit
  4. And pull it from the phone to the PC
    Code:
    adb pull /tmp/symbols.txt symbols.txt
  5. At this point you can reboot the phone, we got what we wanted (it will restore the stock recovery automatically)

Uncompress kernel
  1. Let's rename our fresh recovery.img -> recoverynotouch.img (from now on we will use it as the base)
    and place it at CarlivImageKitchen/recovery-resources/recoverynotouch.img
  2. Launch CarlivImageKitchen and unpack this image in the same way as we did before
  3. Go to the "recoverynotouch" folder; here is our S55 kernel: recovery.img-kernel
    It is actually a packed kernel with some additional info at the end of the file.
    So let's unpack it. Open recovery.img-kernel and extract the "recovery" file (it is inside the archive) to some folder
    Attachment 4584557

Prepare Patch
  1. Open the unpacked recovery in IDA Pro
  2. You will see the "Load New File" window
    Select ARM little-endian as the Processor type, press the Set button and then the OK button
    Attachment 4584574
  3. Next window: "Disassembly memory organization"
    Set 0xFFFFFFC000080000 as the ROM start address and Loading address (because 64 bit)
    Attachment 4584575
  4. Answer yes for the 64-bit load
    Attachment 4584576
  5. Click OK in the next window, which says that IDA is not able to find an entry point
  6. File -> Script file... and select the previously downloaded kallsyms_loader.idc file.
  7. You will see a browse window. Select the symbols.txt that we pulled from our device
  8. Sit back and relax while the script does the work for you
  9. Now go to the IDA menu Options -> General and change Number of opcode bytes (non-graph) to 6
  10. From some kernel sources (I downloaded some close to mine) it's not hard to find the name of the function
    Code:
    get_boot_mode
    So let's search through the disassembled code for occurrences of it.
    Go to menu Search -> Text
    Type get_boot_mod here
    and mark Find all occurrences
    Wait... A new tab with results will be opened
    Pay attention to the DCB instruction and double-click it
    Attachment 4584581 (dcbgetbootmode.png)
  11. For our convenience, let's rename the function from its address to the human-readable name get_boot_mod
    Click on the DATA XREF address
    Attachment 4584584 (getbootmodxref.png)
    You will see the function sub_FFFFFFC00050A910; rename it to get_boot_mod
    Attachment 4584585 (renamefunction.png)
  12. Close the previous search results tab and search for get_boot_mode again.
    Now you will see more.
    This time pay attention to the BL instructions and go over them by double-clicking (the one I needed was almost the last)
    Attachment 4584592 (bllast.png)
  13. Here is the right code
    You can see the relation to the kernel sources
    Code:
    BL              get_boot_mod;
    CMP             W0, #2; RECOVERY_BOOT = 2,
    B.EQ            loc_FFFFFFC00112A384;
    Code:
    if (RECOVERY_BOOT == get_boot_mode())
        return 0;
    Attachment 4584593 (recoverytouch.png)

    Code:
    /* boot type definitions */
    enum boot_mode_t {
      NORMAL_BOOT = 0,
      META_BOOT = 1,
      RECOVERY_BOOT = 2,
      SW_REBOOT = 3,
      FACTORY_BOOT = 4,
      ADVMETA_BOOT = 5,
      ATE_FACTORY_BOOT = 6,
      ALARM_BOOT = 7,
    #if defined(CONFIG_MTK_KERNEL_POWER_OFF_CHARGING)
      KERNEL_POWER_OFF_CHARGING_BOOT = 8,
      LOW_POWER_OFF_CHARGING_BOOT = 9,
    #endif
      DONGLE_BOOT = 10,
      UNKNOWN_BOOT
    };
  14. So let's patch it: replace these 3 directives with NOP (1F 20 03 D5)
    Go to Edit -> Patch program -> Change byte
    and repeat 3 times, once for each line
    Attachment 4584620 (patchnop.png)
  15. Save the changes: Edit -> Patch program -> Apply patches to input file...

Now we need to compress the kernel back and add the tricky data at the end.

Compress kernel
  1. Compress. You can use 7zip. I used gzip
    Code:
    $ gzip -9 recovery
    You will get recovery.gz
  2. Open the compressed file recovery.gz with a hex editor
    Scroll to the bottom
    Attachment 4584625 (compressed.png)
  3. Open the recovery.img-kernel of our uncompressed unpatched kernel (extracted from recoverynotouch.img)
    Go to the end and find a data section with a lot of different descriptions
    And you will find the same endings
    Attachment 4584626 (orikernel.png)
  4. Now copy the data after this end, I mean starting from D0 till the end, to the end of our recovery.gz
  5. And now rename recovery.gz -> recovery.img-kernel

Prepare Image with working touch
  1. Launch the CarlivImageKitchen script
  2. Unpack recoverynotouch.img
  3. Replace recovery.img-kernel inside the "recoverynotouch" folder with our patched kernel
  4. Pack recoverynotouch in CarlivImageKitchen by typing 2 and hitting Enter

The Following User Says Thank You to coozoo For This Useful Post: [ View ] Gift coozoo Ad-Free
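
The "Uncompress kernel" and "Compress kernel" steps of the first post, as an added Python example that is not part of the original post or of any tool it names: it splits recovery.img-kernel into the gzip-compressed kernel and the trailing data, checks that a patched kernel differs from stock only by the three NOPs of step 14, and re-appends the trailer unchanged. It assumes the file starts with a gzip stream; the sample bytes and all function names are constructed for illustration.

```python
import gzip
import struct
import zlib

NOP = bytes.fromhex("1f2003d5")           # A64 NOP, bytes as typed in step 14
CMP_W0_2 = struct.pack("<I", 0x7100081F)  # CMP W0, #2 (RECOVERY_BOOT = 2)
LOAD_BASE = 0xFFFFFFC000080000            # load address entered in IDA


def split_kernel(blob):
    """Split recovery.img-kernel into (decompressed kernel, trailing data).

    Assumption: the file starts with a gzip stream, as the post describes.
    """
    if blob[:2] != b"\x1f\x8b":
        raise ValueError("no gzip magic at offset 0")
    d = zlib.decompressobj(wbits=16 + zlib.MAX_WBITS)  # 16+ selects gzip framing
    kernel = d.decompress(blob)
    if not d.eof:
        raise ValueError("gzip stream is truncated")
    return kernel, d.unused_data  # everything after the gzip footer


def changed_words(stock, patched):
    """Return (virtual address, old, new) for every differing 4-byte word."""
    if len(stock) != len(patched):
        raise ValueError("kernel size changed; every later offset would shift")
    diff = []
    for off in range(0, len(stock), 4):
        old, new = stock[off:off + 4], patched[off:off + 4]
        if old != new:
            diff.append((LOAD_BASE + off, old, new))
    return diff


def check_patch(stock, patched):
    """Accept only the edit from steps 13-14: three consecutive instructions
    turned into NOP, the middle one having been CMP W0, #2."""
    diff = changed_words(stock, patched)
    addrs = [addr for addr, _, _ in diff]
    if len(diff) != 3 or addrs != [addrs[0], addrs[0] + 4, addrs[0] + 8]:
        raise ValueError("expected 3 consecutive changed words, got %d" % len(diff))
    if any(new != NOP for _, _, new in diff):
        raise ValueError("a changed word is not a NOP")
    if diff[1][1] != CMP_W0_2:
        raise ValueError("middle instruction was not CMP W0, #2")
    return addrs


def rebuild_kernel(patched, trailer):
    """Equivalent of `gzip -9` plus pasting the stock trailer back on."""
    return gzip.compress(patched, compresslevel=9, mtime=0) + trailer


def constructed_sample():
    """Constructed stand-in for a stock file: (file bytes, kernel, trailer)."""
    code = struct.pack("<3I",
                       0x94000010,   # BL   (constructed target)
                       0x7100081F,   # CMP  W0, #2
                       0x54000040)   # B.EQ (constructed target)
    kernel = bytes(64) + code + bytes(64)
    # Constructed trailer; it starts with D0 like the data in the post.
    trailer = bytes.fromhex("d00dfeed") + b"constructed trailer"
    return gzip.compress(kernel, mtime=0) + trailer, kernel, trailer


def nop_out(kernel, offset, count=3):
    """Overwrite `count` instructions at file offset `offset` with NOP."""
    return kernel[:offset] + NOP * count + kernel[offset + 4 * count:]


if __name__ == "__main__":
    stock_file, _, _ = constructed_sample()
    kernel, trailer = split_kernel(stock_file)
    patched = nop_out(kernel, 64)
    print("patched at:", [hex(a) for a in check_patch(kernel, patched)])
    new_file = rebuild_kernel(patched, trailer)
    assert split_kernel(new_file) == (patched, trailer)
    print("trailer bytes kept:", len(trailer))
```

Running `check_patch` on the stock and patched payloads before repacking catches stray byte edits from the hex editor, and `split_kernel` on the rebuilt file confirms the trailer survived intact.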
 
 
4th September 2018, 11:34 AM |#2  
Member
Thanks dude, I will try when I go home.
Can I flash it via ADB or only with SP Flash Tool?
I'm already rooted with magisk.

Edit :
Flash via fastboot no problem
Thanks
4th September 2018, 06:33 PM |#3  
OP Junior Member
Quote:
Originally Posted by Beda974

Thanks dude, I will try when I go home.
Can I flash it via ADB or only with SP Flash Tool?
I'm already rooted with magisk.

Edit :
Flash via fastboot no problem
Thanks

Thank you for trying.

Is your phone encrypted? And is any of the sdcards mounted fine (int or ext)?
4th September 2018, 06:43 PM |#4  
Member
Before flashing your recovery I installed Magisk via adb.
To do it I unlocked the phone via the adb command "fastboot oem unlock" and then flashed my patched-boot img. I don't know if that's your question.

None of the sdcards are mounted
5th September 2018, 07:01 PM |#5  
OP Junior Member
Quote:
Originally Posted by Beda974

Before flashing your recovery I installed Magisk via adb.
To do it I unlocked the phone via the adb command "fastboot oem unlock" and then flashed my patched-boot img. I don't know if that's your question.

None of the sdcards are mounted

My first question is (I'm thinking maybe it's related to the internal/emulated sdcard not being mounted):
if you go to Settings -> Security & Location -> Encryption & credentials
Does it show Encrypt phone Encrypted?

Thank you, so I will try to fix it. I suppose at least the external one should be mounted fine...
5th September 2018, 07:06 PM |#6  
Member
Quote:
Originally Posted by coozoo

My first question is (I'm thinking maybe it's related to the internal/emulated sdcard not being mounted):
if you go to Settings -> Security & Location -> Encryption & credentials
Does it show Encrypt phone Encrypted?

Thank you, so I will try to fix it. I suppose at least the external one should be mounted fine...

Yep it's Encrypted
8th September 2018, 02:10 PM |#7  
OP Junior Member
Quote:
Originally Posted by Beda974

Yep it's Encrypted

Oh, thank you... so we are both unlucky

I've updated it with a fixed version; now the external sdcard should be mounted fine.
18th September 2018, 07:41 AM |#8  
Junior Member
Quote:
Originally Posted by coozoo

Greetings,
I got this device from China and it looks pretty good.
But I was surprised there is no TWRP recovery, so I tried to prepare one myself.


Great work ..!! Thanks for all the info..!!
26th September 2018, 04:58 AM |#9  
k4get1
Member
Quote:
Originally Posted by Beda974

Thanks dude, I will try when I go home.
Can I flash it via ADB or only with SP Flash Tool?
I'm already rooted with magisk.

Edit :
Flash via fastboot no problem
Thanks

Which version of Magisk, and can you send a copy please?
3rd October 2018, 06:50 PM |#10  
OP Junior Member
Quote:
Originally Posted by k4get1

Which version of Magisk, and can you send a copy please?

I'm using the version from their thread
stable 17.1
https://forum.xda-developers.com/app...mless-t3473445
and a few plugins like busybox )
5th October 2018, 01:21 AM |#11  
k4get1
Member
Quote:
Originally Posted by k4get1

Which version of Magisk, and can you send a copy please?

I can't get TWRP loaded with SP flasher, the scatter file won't load. Can it be flashed without TWRP? My bootloader is unlocked.