
iplay 7t (sc9832e processor) root / unlock bootloader suggestions

By jwehle, Junior Member on 4th February 2020, 08:24 PM
Recently purchased an iplay 7t after reading the xda review. This is replacing an LG v400 tablet that I had rooted. I updated the iplay to build T701_V1.20_20191112, enabled developer options, enabled oem unlock bootloader, found the corresponding firmware pac, installed magisk and used it to patch boot.img. So far so good.

I entered fastboot, then I attempted to flash the modified boot.img and was told:

Code:
target didn't report max-download-size
sending 'boot' (18584 KB)...
OKAY [  0.593s]
writing 'boot'...
FAILED (remote: Flashing Lock Flag is locked. Please unlock it first!)
finished. total time: 0.608s
I tried various options to unlock the bootloader:

Code:
> fastboot getvar unlocked
unlocked:
finished. total time: -0.000s

> fastboot oem unlock
...
FAILED (remote: unknown cmd.)
finished. total time: -0.000s

> fastboot oem unlock-go
...
FAILED (remote: unknown cmd.)
finished. total time: 0.002s

> fastboot flashing get_unlock_ability
...
FAILED (remote: Not implement.)
finished. total time: -0.000s

> fastboot flashing unlock
...
FAILED (remote: Not implemet.)
finished. total time: -0.000s

> fastboot flashing unlock_critical
...
FAILED (remote: Not implement.)
finished. total time: 0.016s

> fastboot flashing unlock_bootloader
fastboot: usage: unknown 'flashing' command unlock_bootloader

> fastboot flashing unlock_bootloader_nonce
fastboot: usage: unknown 'flashing' command unlock_bootloader_nonce
Okay ... fine. I fired up SPD Research tool and attempted to use it to flash the modified boot.img. It transfers the image and then times out.

As a sanity check I used SPD Research tool to flash the original boot.img and that worked fine.

I'll note the modified image is smaller than the original, however padding the modified image with zeros to the same size didn't seem to help. Using SPD Research tool to flash the padded image still timed out.

I am looking to open a request up on the Alldocube support site (currently their registration form is giving me an error), in the meantime ... suggestions? Has anyone successfully flashed a modified boot.img on this device / rooted this device?
6th February 2020, 12:55 PM |#2  
Junior Member
In the "developer option" on your phone, you should enable the "allow unlock bootloader" option.
6th February 2020, 06:03 PM |#3  
OP Junior Member
Quote:
Originally Posted by DR.Doyle

In the "developer option" on your phone, you should enable the "allow unlock bootloader" option.

Yes ... I have that enabled.
11th February 2020, 05:52 AM |#4  
OP Junior Member
Okay I was able to unlock the bootloader by using the procedure documented for the Qin 2 Pro. With the bootloader unlocked on reboot the device notes:

Code:
INFO: LOCK FLAG IS : UNLOCKED!!!
followed by:

Code:
WARNING: LOCK FLAG IS : UNLOCKED, SKIP VERIFY!!!
Using fastboot I can now reflash the stock vbmeta and the stock recovery without any problems and the stock recovery boots fine.

Also if I re-sign the stock recovery, then I can't flash it (fastboot flash hangs) until I've flashed a modified vbmeta containing the new public key for the re-signed recovery. Meaning flashing vbmeta is "working".

All this seems like I'm on the right track.

However attempting to boot into the re-signed stock recovery results in:

Code:
INFO: LOCK FLAG IS : UNLOCKED!!!
followed by the device hanging (without displaying the WARNING message) so there is still something that's unhappy.

Any thoughts on how to get to the point that I can flash a useable re-signed stock recovery? If I can get that to work, then I should be in good shape to install magisk.
19th February 2020, 07:29 AM |#5  
wangyiling
Member
Quote:
Originally Posted by jwehle

Okay I was able to unlock the bootloader by using the procedure documented for the Qin 2 Pro. With the bootloader unlocked on reboot the device notes:

Code:
INFO: LOCK FLAG IS : UNLOCKED!!!
followed by:

Code:
WARNING: LOCK FLAG IS : UNLOCKED, SKIP VERIFY!!!
Using fastboot I can now reflash the stock vbmeta and the stock recovery without any problems and the stock recovery boots fine.

Also if I re-sign the stock recovery, then I can't flash it (fastboot flash hangs) until I've flashed a modified vbmeta containing the new public key for the re-signed recovery. Meaning flashing vbmeta is "working".

All this seems like I'm on the right track.

However attempting to boot into the re-signed stock recovery results in:

Code:
INFO: LOCK FLAG IS : UNLOCKED!!!
followed by the device hanging (without displaying the WARNING message) so there is still something that's unhappy.

Any thoughts on how to get to the point that I can flash a useable re-signed stock recovery? If I can get that to work, then I should be in good shape to install magisk.

Dear jwehle:
Good job. I have also modified the pac firmware file, which is based on the Chinese version firmware: T701-1101-vbmetapri-vennofbe-systemnore-recpri01.pac
What's modified:
1. Re-sign the vbmeta img
2. Delete FBE force encryption in vendor partitions
3. Delete the script in system.img to prevent factory recovery restore
4. Modify recovery.img to a magisk built-in recovery

Please use SPD_Research_Tool to flash the pac, change the Android OS language from Chinese to English, install the magiskmanager app, and then use the adb command (adb reboot recovery) to let the tablet reboot to recovery.
After the tablet reboots to Android OS again, open the magiskmanager app and you can see that magisk can get root authority.

For how to change the language from Chinese to English, please see the attached png files.

Considering that the Android OS you are using is the English version (including Google services), according to the modification points above, you can try to use the vbmeta and recovery (with built-in magisk) modified with your own signature, then delete the FBE force encryption and recovery restoration in the system and vendor images, then use SPD_Research_Tool to package the imgs into a pac image, flash the pac image, install the magiskmanager app, and use the adb command to restart the machine into recovery mode, so you can use magisk to get root permissions.

twrp egg:https://mega.nz/#!YZ9VDZbT!1ptlOI6g3...8vzVHaasAXglXo


And lastly, thanks again to PeterCxy on xda and the other masters (sifu) on 4pda.
20th February 2020, 04:21 AM |#6  
OP Junior Member
Quote:
Originally Posted by wangyiling

Dear jwehle:
Good job. I have also modified the pac firmware file, which is based on the Chinese version firmware: T701-1101-vbmetapri-vennofbe-systemnore-recpri01.pac
What's modified:
1. Re-sign the vbmeta img
2. Delete FBE force encryption in vendor partitions
3. Delete the script in system.img to prevent factory recovery restore
4. Modify recovery.img to a magisk built-in recovery.

Thanks for supplying the modified PAC and for explaining the changes.

Your PAC seemed to work fine and now that I have a better understanding
of things I should be able to build my own PAC when I have a chance.

Your time and effort in explaining things is appreciated.
20th February 2020, 04:58 PM |#7  
OP Junior Member
What's the significance of removing the encryption for the vendor partitions?
21st February 2020, 01:23 AM |#8  
wangyiling
Member
Quote:
Originally Posted by jwehle

What's the significance of removing the encryption for the vendor partitions?

The vendor img in my pac just uses ext4 format. I have used simg2img to convert the original vendor img to ext4 format, and modified the fstab file in the vendor/etc folder.
fstab.sp9832e_1h10:
Code:
/dev/block/platform/soc/soc:ap-ahb/20600000.sdio/by-name/userdata /data        f2fs noatime,nosuid,nodev,discard,inline_xattr,inline_data wait,check,fileencryption=aes-256-xts,reservedsize=128M
/dev/block/platform/soc/soc:ap-ahb/20600000.sdio/by-name/userdata /data        ext4 noatime,nosuid,nodev,nomblk_io_submit,noauto_da_alloc wait,check,fileencryption=aes-256-xts
---------->
Code:
/dev/block/platform/soc/soc:ap-ahb/20600000.sdio/by-name/userdata /data        f2fs noatime,nosuid,nodev,discard,inline_xattr,inline_data wait,check,encryptable=aes-256-xts,reservedsize=128M
/dev/block/platform/soc/soc:ap-ahb/20600000.sdio/by-name/userdata /data        ext4 noatime,nosuid,nodev,nomblk_io_submit,noauto_da_alloc wait,check,encryptable=aes-256-xts
22nd February 2020, 03:00 AM |#9  
OP Junior Member
Quote:
Originally Posted by wangyiling

The vendor img in my pac just uses ext4 format. I have used simg2img to convert the original vendor img to ext4 format, and modified the fstab file in the vendor/etc folder.

Actually, I was more curious as to why it was necessary / desirable to remove the encryption from the vendor partitions.
22nd February 2020, 03:12 AM |#10  
wangyiling
Member
Quote:
Originally Posted by jwehle

Actually, I was more curious as to why it was necessary / desirable to remove the encryption from the vendor partitions.

Just for twrp to read the data partition; convenient for personal use.
26th February 2020, 03:41 AM |#11  
OP Junior Member
It looks like the issue on this tablet is similar to what the magisk documentation mentions regarding the new Samsung tablets. Meaning after the bootloader is unlocked when rooting you should flash newly signed versions of the following:

Code:
  vbmeta
  boot
  recovery
What was happening is that when the system started normally it saw that the recovery image had been modified, so it checked if the boot image was the factory standard image. Since I hadn't touched the boot image, the OS went ahead and attempted to replace the recovery image I flashed with a standard recovery image generated on the fly from the factory standard boot image. This caused a soft-brick when I rebooted into recovery, since that recovery image wasn't signed using the public key specified by my replacement vbmeta.

By also flashing a newly signed boot image, because the signature is different from what it knows about, the system no longer attempts to use it to refresh the recovery image.

Here's an outline of what I did to successfully root the device:
  1. Use the Qin 2 Pro instructions / tools to unlock the boot loader.
  2. Flash the appropriate factory standard firmware to establish a known starting point. I used iplay7t(T701)-Android9.0-ALLDOCUBE-191112 from the Alldocube web site.
  3. Use SPD Research Tool to extract vbmeta-sign.img, boot.img, and recovery.img.
  4. Use avbtool (with the below patch) to extract the public keys from vbmeta-sign.img like so:

    Code:
    avbtool info_image --image vbmeta-sign.img
  5. Use make (with the below makefile) to sign vbmeta, boot, and recovery using a new key.
  6. Flashed vbmeta, boot, and recovery.
  7. Booted into recovery, saw that it worked, and did a factory reset.
  8. Used magisk to patch recovery.img in the normal fashion, signed the patched recovery using the new key, and flashed the patched recovery.
  9. Proceed to finish installing magisk in the normal fashion.
Notes:
  1. rsa4096_vbmeta.pem is the private key mentioned in the Qin 2 Pro article.
  2. The dhtbsign-vbmeta command is basically the dhtb signing python script from the Qin 2 Pro article.
Here's the trivial patch for avbtool to dump the public keys.

Code:
--- avbtool   2020-02-22 22:11:55.107787032 -0500
+++ avbtool.dumpkeys     2020-02-22 22:15:36.046283077 -0500
@@ -1657,6 +1657,10 @@ class AvbChainPartitionDescriptor(AvbDes
     Arguments:
       o: The object to write the output to.
     """
+    kfd = open(self.partition_name, "w");
+    kfd.write(self.public_key);
+    kfd.close();
+
     o.write('    Chain Partition descriptor:\n')
     o.write('      Partition Name:          {}\n'.format(self.partition_name))
     o.write('      Rollback Index Location: {}\n'.format(
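
Review bot: the added open(self.partition_name, "w") writes binary key material through a text-mode handle; self.public_key is raw bytes, so the mode should be "wb", otherwise the write fails on Python 3 and can alter bytes on platforms that translate line endings. The file name is taken directly from the descriptor's partition_name, which comes from the image being inspected, and it is created in the current directory as a side effect of a print routine; consider writing under a dedicated output directory using only the base name, and doing the dump behind an explicit option rather than on every info_image call. A with block would replace the explicit close(), and the trailing semicolons can be dropped.
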
Here's the makefile I used for signing the images.

Code:
all: boot-sign.img recovery-sign.img vbmeta-sign.img

vbmeta-sign.img: Makefile avb4096_pkmd.bin keys/*
        avbtool make_vbmeta_image --output vbmeta.img --padding_size 16384 \
          --key ../rsa4096_vbmeta.pem --algorithm SHA256_RSA4096 --flag 0 \
          --chain_partition boot:1:avb4096_pkmd.bin \
          --chain_partition system:3:keys/system \
          --chain_partition vendor:4:keys/vendor \
          --chain_partition product:10:keys/product \
          --chain_partition dtbo:9:keys/dtbo \
          --chain_partition recovery:2:avb4096_pkmd.bin \
          --chain_partition l_modem:5:keys/l_modem \
          --chain_partition l_ldsp:6:keys/l_ldsp \
          --chain_partition l_gdsp:7:keys/l_gdsp \
          --chain_partition pm_sys:8:keys/pm_sys \
          --chain_partition dtb:11:keys/dtb
        dhtbsign-vbmeta vbmeta.img vbmeta-sign.img
        @rm -f vbmeta.img

avb4096_pkmd.bin: avb4096.pem
        avbtool extract_public_key --key avb4096.pem --output avb4096_pkmd.bin

avb4096.pem:
        openssl genrsa -out avb4096.pem 4096

boot-sign.img: boot.img avb4096.pem
        cp boot.img boot-sign.img
        avbtool add_hash_footer --image boot-sign.img \
          --partition_name boot --partition_size 36700160 \
          --key avb4096.pem --algorithm SHA256_RSA4096

recovery-sign.img: recovery.img avb4096.pem
        cp recovery.img recovery-sign.img
        avbtool add_hash_footer --image recovery-sign.img \
          --partition_name recovery --partition_size 36700160 \
          --key avb4096.pem --algorithm SHA256_RSA4096
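
Added example (not from the thread and not avbtool's own code): the chained public keys that the last post dumps by patching avbtool can also be read directly from the vbmeta image, which lets you confirm before flashing that each partition is pinned to the key you expect. It assumes the AVB0 header is at offset 0 and uses the chain partition descriptor layout from avbtool; `chain_partitions`, `pin_report` and `build_sample` are names invented here, and the sample image is constructed.

```python
import hashlib
import struct

CHAIN_TAG = 4      # descriptor tag of a chain partition descriptor
HEADER_SIZE = 256  # fixed vbmeta header size; all fields are big-endian

def chain_partitions(blob):
    """Return {partition: (rollback_index_location, public_key_bytes)}."""
    if blob[:4] != b"AVB0":
        raise ValueError("no AVB0 magic at offset 0")
    auth_size, = struct.unpack_from(">Q", blob, 12)
    desc_off, desc_size = struct.unpack_from(">2Q", blob, 96)
    pos = HEADER_SIZE + auth_size + desc_off  # offset is relative to the aux block
    end = pos + desc_size
    if end > len(blob):
        raise ValueError("descriptor area runs past end of image")
    out = {}
    while pos + 16 <= end:
        tag, nbf = struct.unpack_from(">2Q", blob, pos)
        nxt = pos + 16 + nbf
        if nbf % 8 or nxt > end:
            raise ValueError("malformed descriptor at offset %d" % pos)
        if tag == CHAIN_TAG:
            loc, name_len, key_len = struct.unpack_from(">3L", blob, pos + 16)
            body = pos + 92  # 16-byte header, 3 x uint32, 64 reserved bytes
            if body + name_len + key_len > nxt:
                raise ValueError("chain descriptor lengths exceed its size")
            name = blob[body:body + name_len].decode("utf-8")
            out[name] = (loc, blob[body + name_len:body + name_len + key_len])
        pos = nxt
    return out

def pin_report(blob, expected):
    """Compare each chained key's SHA-256 with expected {partition: hexdigest}."""
    found = {n: hashlib.sha256(k).hexdigest()
             for n, (_, k) in chain_partitions(blob).items()}
    return {n: "ok" if found.get(n) == d else "MISMATCH" if n in found else "missing"
            for n, d in expected.items()}

def build_sample(chains):
    """Constructed test image: header plus chain descriptors, unsigned."""
    desc = b""
    for name, loc, key in chains:
        tail = name.encode() + key
        pad = -(76 + len(tail)) % 8  # descriptors are padded to 8 bytes
        desc += struct.pack(">2Q3L64x", CHAIN_TAG, 76 + len(tail) + pad, loc,
                            len(name), len(key)) + tail + b"\0" * pad
    header = b"AVB0" + bytes(92) + struct.pack(">2Q", 0, len(desc))
    return header.ljust(HEADER_SIZE, b"\0") + desc
```

For a real image, pass the bytes of vbmeta-sign.img and the SHA-256 digests of the key files given to --chain_partition (avb4096_pkmd.bin for boot and recovery in the makefile above). A MISMATCH for recovery means vbmeta names a different key than the one you intend to sign with, the condition behind the soft-brick described in the thread.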