FORUMS
Remove All Ads from XDA

Sonim XP8 (Root?)

25 posts
Thanks Meter: 2
 
By ctradio, Junior Member on 7th October 2018, 02:36 AM
Post Reply Email Thread
13th November 2019, 06:47 PM |#101  
Member
Thanks Meter: 2
 
More
Since userdebug XP8 firmware build is out in the wild and floating around, I would appreciate if anyone can share it with me. @smokeyou, I assume you have it already (hint, hint)?
-albertr
13th November 2019, 10:00 PM |#102  
Member
Thanks Meter: 27
 
More
https://mega.nz/#!qjBxEC5L!9THbhbe7m...sQlCF5miIhgkyE
Quote:
Originally Posted by albert.r

Since userdebug XP8 firmware build is out in the wild and floating around, I would appreciate if anyone can share it with me. @smokeyou, I assume you have it already (hint, hint)?
-albertr

14th November 2019, 12:47 AM |#103  
Member
Thanks Meter: 2
 
More
Quote:
Originally Posted by eleotk

https://mega.nz/#!qjBxEC5L!9THbhbe7m...sQlCF5miIhgkyE

Thanks man! Appreciate it and I owe you a beer

-albertr
14th November 2019, 04:02 AM |#104  
Member
Thanks Meter: 7
 
More
Quote:
Originally Posted by albert.r

Thanks man! Appreciate it and I owe you a beer

-albertr

Looks like he beat me to it.

As previously confirmed, this is not AT&T..

Also does not include DM-Verity (this makes it hard to switch back to AT&T / other current firmware).

It's good for research but probably not something we would want to use in a day to day situation. The security patch level is far outdated and will never update on the Debug image. We gain the value of having fastboot unlocked but that does not really do much for us on the XP8 currently anyways.

It would probably be better to flash only ABL + XBL that will allow the same unlock method on a current carrier firmware variant. This comes with a risk though because any future OTA's could brick the device.

And he edited his first post.. I feel horrible for anyone who see's page 1 here looking for root and ends up with this debug image .. Take caution as I will not be able to help you when you brick your device or end up stuck on 7.1 firmware.

Edit.. So the post he edited on page 1 is ASG.. That other post later in the thread is USC. Beyond assumptions I cant say what these acronyms mean but I can at least definitively say they are not AT&T. Full carrier code listing below.

Code:
    None = 0,
    ATT = 10, // 0x0000000A
    Bell = 11, // 0x0000000B
    Telus = 12, // 0x0000000C
    Sasktel = 13, // 0x0000000D
    Harris = 14, // 0x0000000E
    Verizon = 15, // 0x0000000F
    Ecom = 16, // 0x00000010
    NAM = 17, // 0x00000011
    Rogers = 18, // 0x00000012
    T_Mobile = 19, // 0x00000013
    EU_Generic = 20, // 0x00000014
    MSI = 21, // 0x00000015
    CISCO = 22, // 0x00000016
    NAM_Public_Safety = 23, // 0x00000017
    Vodafone_Global = 24, // 0x00000018
    Orange = 25, // 0x00000019
    Southern_Linc = 26, // 0x0000001A
    OPTIO = 27, // 0x0000001B
    India = 28, // 0x0000001C
    SPRINT = 29, // 0x0000001D
    JVCK = 30, // 0x0000001E
    AUS = 31, // 0x0000001F
    ACG = 32, // 0x00000020
    CSPIRE = 33, // 0x00000021
    USC = 34, // 0x00000022
    SB = 35, // 0x00000023
    Multi = 99, // 0x00000063
8A.0.0-00-7.1.1-32.00.12 = ACG
8A.0.0-00-7.1.1-34.00.10 = USC
8A.0.5-11-8.1.0-10.54.00 = ATT
14th November 2019, 06:29 AM |#105  
Member
Thanks Meter: 27
 
More
Quote:
Originally Posted by smokeyou

Looks like he beat me to it.

As previously confirmed, this is not AT&T..

Also does not include DM-Verity (this makes it hard to switch back to AT&T / other current firmware).

It's good for research but probably not something we would want to use in a day to day situation. The security patch level is far outdated and will never update on the Debug image. We gain the value of having fastboot unlocked but that does not really do much for us on the XP8 currently anyways.

It would probably be better to flash only ABL + XBL that will allow the same unlock method on a current carrier firmware variant. This comes with a risk though because any future OTA's could brick the device.

And he edited his first post.. I feel horrible for anyone who see's page 1 here looking for root and ends up with this debug image .. Take caution as I will not be able to help you when you brick your device or end up stuck on 7.1 firmware.

Edit.. So the post he edited on page 1 is ASG.. That other post later in the thread is USC. Beyond assumptions I cant say what these acronyms mean but I can at least definitively say they are not AT&T. Full carrier code listing below.

Code:
    None = 0,
    ATT = 10, // 0x0000000A
    Bell = 11, // 0x0000000B
    Telus = 12, // 0x0000000C
    Sasktel = 13, // 0x0000000D
    Harris = 14, // 0x0000000E
    Verizon = 15, // 0x0000000F
    Ecom = 16, // 0x00000010
    NAM = 17, // 0x00000011
    Rogers = 18, // 0x00000012
    T_Mobile = 19, // 0x00000013
    EU_Generic = 20, // 0x00000014
    MSI = 21, // 0x00000015
    CISCO = 22, // 0x00000016
    NAM_Public_Safety = 23, // 0x00000017
    Vodafone_Global = 24, // 0x00000018
    Orange = 25, // 0x00000019
    Southern_Linc = 26, // 0x0000001A
    OPTIO = 27, // 0x0000001B
    India = 28, // 0x0000001C
    SPRINT = 29, // 0x0000001D
    JVCK = 30, // 0x0000001E
    AUS = 31, // 0x0000001F
    ACG = 32, // 0x00000020
    CSPIRE = 33, // 0x00000021
    USC = 34, // 0x00000022
    SB = 35, // 0x00000023
    Multi = 99, // 0x00000063
8A.0.0-00-7.1.1-32.00.12 = ACG
8A.0.0-00-7.1.1-34.00.10 = USC
8A.0.5-11-8.1.0-10.54.00 = ATT

ACG-userdebug
8A.0.0-00-7.1.1-32.00.12


ATT-userdebug

8A.0.0-00-7.1.1-10.00.10

USC-userdebug

8A.0.0-00-7.1.1-34.00.10


Att version(extract)
8A.0.5-11-8.1.0-10.54.00
14th November 2019, 03:20 PM |#106  
Member
Thanks Meter: 2
 
More
Thanks for sharing AT&T userdebug build, it's much appreciated! I'm on GSM AT&T here in the USA and I think both US Cellular (USC) and Associated Carrier Group (ACG) are CDMA, not sure if they have different modem code/parameters. I'll try to flash AT&T userdebug this weekend.

-albertr
14th November 2019, 10:34 PM |#107  
Member
Thanks Meter: 27
 
More
Quote:
Originally Posted by albert.r

Thanks for sharing AT&T userdebug build, it's much appreciated! I'm on GSM AT&T here in the USA and I think both US Cellular (USC) and Associated Carrier Group (ACG) are CDMA, not sure if they have different modem code/parameters. I'll try to flash AT&T userdebug this weekend.

-albertr


It is not recommended to refresh the userdebug version. This version is older. You can use the EIF file to completely back up your original version. You can refresh the QCN.
14th November 2019, 10:49 PM |#108  
Member
Thanks Meter: 27
 
More
Quote:
Originally Posted by albert.r

Thanks for sharing AT&T userdebug build, it's much appreciated! I'm on GSM AT&T here in the USA and I think both US Cellular (USC) and Associated Carrier Group (ACG) are CDMA, not sure if they have different modem code/parameters. I'll try to flash AT&T userdebug this weekend.

-albertr

The thread is closed,
23rd November 2019, 12:37 PM |#109  
Member
Thanks Meter: 7
 
More
Hey guys, been a while and I'm glad to share some updates with the community!

Main post here has been updated according to the progress made in the previous posts. Much thanks to everyone for providing early debug images, files, and knowledge!

Updates
- Torrent file hosting moved to Android FIle Host
- Current 8.1.0 AT&T Debug image uploaded
- 8.1.0 Debug image verified to retain dm-verity! At least on current AT&T builds.
- Additional factory images uploaded
- All basic flash tools, elf files, drivers, and GPTConsole executable uploaded
- More images will be uploaded in the following days. Ran out of time to upload everything tonight.

Full Android File Host Repository - Here

We continue to welcome new images for the file collection.
The Following User Says Thank You to smokeyou For This Useful Post: [ View ] Gift smokeyou Ad-Free
24th November 2019, 01:20 AM |#110  
Junior Member
Thanks Meter: 0
 
More
Quote:
Originally Posted by smokeyou

Enjoy!

XP8 Android Root Theory - DEBUG or Magisk over EDL
EDL is a must since Fastboot cannot be unlocked initially from standard "user" builds.

One option is flash a userdebug image (below) allowing for adb root, fastboot unlocking, and other useful features.
or
Without unlocking the bootloader - Similar flashing methods remain valid when standard magisk powered root is desired. This method allows preservation of all current system data aside from boot.img. All is covered since Magisk works with AVB and we have EDL as a flashing alternative. Please see Android Boot Flow > LOCKED Devices with Custom Root of Trust for more information.

Recommend method ..
It's up to you.. If you want OTA updates and your planning to use root apps then go with Magisk. As of today we have current debug images available and I personally prefer isolated adb root access only however future availability of updated Debug images cannot be guaranteed.

Disclaimer
-Devices with locked bootloaders will display a custom OS warning at boot
-Tested on AT&T branded devices only - please provide system dump for validation on other builds
-I have not identified any JTAG procedures and I can not help if you hard brick your device!
-This guide only touches boot_a and should be relatively safe since boot_b remains unmodified. I'm pretty sure this is enough to restore the original boot.img to boot_a under a failure scenario.. But I'm not really qualified enough to say definitively either.
-Take great caution - this is raw emmc access and critical system data! You are proceeding at your own risk!

Magisk Root


Step 1 - Pull Boot.img
We need to pull the boot.img in order to feed it to magisk later for patching. It's also good to keep on hand for if/when you need to restore for any reason.
1. Create an XML file with the data below
Code:
<?xml version="1.0"?>
<data>
<program start_sector="262144" sparse="false" readbackverify="false" physical_partition_number="0" partofsingleimage="false" num_partition_sectors="131072" label="boot_a" filename="boot.img" file_sector_offset="0" SECTOR_SIZE_IN_BYTES="512"/>
</data>
2. Boot to EDL mode and load firehose programmer
Code:
QSaharaServer.exe -p \\.\COM<#> -s 13:prog_emmc_ufs_firehose_Sdm660_ddr.elf
3. Backup boot.img using the following command
Code:
fh_loader.exe  --convertprogram2read --port=\\.\COM<#> --sendxml=<xmlfile.xml> --lun=0  --memoryname=emmc --noprompt --reset
Or visit the XP8 carrier firmware thread for full system backup steps.
https://forum.xda-developers.com/sho...45&postcount=6

Step 2 - Magisk Patch
1. ADB push boot.img /storage/self/primary/Download/
2. Install Magisk Manager and apply patch to boot.img
2a. Download from https://forum.xda-developers.com/app...mless-t3473445
2b. Extract and run adb install magisk.apk
2c. Open Magisk app and apply patch to boot.img
3. ADB pull /storage/self/primary/Download/magisk_patched.img

Step 3 - Restore
1. Change the filename attribute in the XML to reflect newly created magisk_patched.img as shown below
Code:
<?xml version="1.0"?>
<data>
<program start_sector="262144" sparse="false" readbackverify="false" physical_partition_number="0" partofsingleimage="false" num_partition_sectors="131072" label="boot_a" filename="magisk_patched.img" file_sector_offset="0" SECTOR_SIZE_IN_BYTES="512"/>
</data>
2. Boot back into EDL mode and load firehose programmer
Code:
QSaharaServer.exe -p \\.\COM<#> -s 13:prog_emmc_ufs_firehose_Sdm660_ddr.elf
3. Apply magisk_patched.img using the following command
Code:
fh_loader.exe --port=\\.\COM<#> --sendxml=<xmlfile.xml> --lun=0  --memoryname=emmc --noprompt --reset

USERDEBUG Flash

Step 1 - Backup
1. Boot to EDL mode and load firehose programmer
2. Generate rawprogram0.xml - Run GPTConsole <COM Number>
Example: GPTConsole 19
3. Initiate backup
Code:
fh_loader.exe --port=\\.\COM<#> --convertprogram2read --sendxml=rawprogram0.xml --lun=0  --memoryname=emmc --noprompt --reset
4. Wipe all partitions
Code:
fh_loader.exe --port=\\.\COM<#> --convertprogram2read --sendxml=erase.xml --lun=0  --memoryname=emmc --noprompt --reset
5. Restore new image
Code:
fh_loader.exe --port=\\.\COM<#> --sendxml=rawprogram0.xml --lun=0  --memoryname=emmc --noprompt --reset --search_path=<extracted image file directory>
// rawprogram0_unsparse.xml for some images

Images and OTA Files

Full 8.1 System Image
XP8_ATT_USER_8A.0.5-11-8.1.0-10.54.00
(AT&T 7.1 pending upload. Please check back later.)

USERDEBUG Images
XP8_ATT_USERDEBUG_8A.0.5-11-8.1.0-10.54.00
(ACG, USG, & ATT 7.1 pending upload. Please check back or use other links available further in thread.)

OTA Updates
XP8_ATT_USER_N10.01.75-O10.49.00
XP8_ATT_USER_O10.49.00-O10.54.00
XP8_TEL_USER_N12.00.24-O12.23.00

Flash Tools - programmer (elf) file provided by eleotk!
XP8 Drivers

Firmware Carrier Codes
Code:
    None = 0,
    ATT = 10
    Bell = 11
    Telus = 12
    Sasktel = 13
    Harris = 14
    Verizon = 15
    Ecom = 16
    NAM = 17
    Rogers = 18
    T_Mobile = 19
    EU_Generic = 20
    MSI = 21
    CISCO = 22
    NAM_Public_Safety = 23
    Vodafone_Global = 24
    Orange = 25
    Southern_Linc = 26
    OPTIO = 27
    India = 28
    SPRINT = 29
    JVCK = 30
    AUS = 31
    ACG = 32
    CSPIRE = 33
    USC = 34
    SB = 35
    Multi = 99
Automatic OTA without AT&T service:
Purchase a blank AT&T SIM card ($5)
Start online prepaid activation - complete pages 1 & 2
**SIM Card is now partially active without funding - do not complete page 3 (payment)***
*#*#368378#*#* > Clear UI > Check for updates in settings

XP5s
Sprint Image: XP5SA.0.2-03-7.1.2-29.03.00
Works the same. Tested with unmodified Sprint firmware. Like most other apps, the Magisk manager app is unusable since the XP5s has no touch screen - I had to patch the boot image on another device. You can plug in a USB mouse however the cursor does not seem to invoke in-app tap's.

Need to use the appropriate Firehose loader (prog_emmc_firehose_8920.mbn) and replace the boot image location according to the XP5s GPT (start_sector="790528").




















so i finally got thru everything.. and it seems to say success...however when i load magisk up it still shows uninstalled and no root or modules :\ any suggestions?

c:\flashtools>fh_loader.exe --port=\\.\COM11 --sendxml=xmlfile.xml --lun=0 --memoryname=emmc --noprompt --reset

Base Version: 17.07.28.15.44
Binary build date: Jul 28 2017 @ 18:08:54
Incremental Build version: 17.07.28.18.08.54

16:16:19: INFO: FH_LOADER WAS CALLED EXACTLY LIKE THIS
************************************************
fh_loader.exe --port=\\.\COM11 --sendxml=xmlfile.xml --lun=0 --memoryname=emmc --noprompt --reset
************************************************

16:16:19: INFO: Current working dir (cwd): c:\flashtools\
16:16:19: INFO: Showing network mappings to allow debugging
16:16:19: INFO:



16:16:19: INFO: Trying to store 'xmlfile.xml' in string table
16:16:19: INFO: Looking for file 'xmlfile.xml'
16:16:19: INFO: User wants to talk to port '\\.\COM11'
16:16:19: INFO: Took 0.01500000 seconds to open port
16:16:19: INFO: Sorting TAGS to ensure order is <configure>,<erase>, others, <patch>,<power>
16:16:19: INFO: If you don't want this, use --dontsorttags

16:16:19: INFO: Sending <configure>

16:16:19: INFO: TARGET SAID: 'Binary build date: Aug 6 2018 @ 20:55:38'

16:16:19: INFO: TARGET SAID: 'Chip serial num: 0 (0x0)'

16:16:19: INFO: TARGET SAID: 'Supported Functions: program configure nop firmwarewrite patch setbootablestoragedrive ufs emmc power benchmark read getstorageinfo getsha256digest erase peek poke '

16:16:19: INFO: TARGET SAID: 'Calling usb_al_bulk_set_zlp_mode(TRUE) since ZlpAwareHost='1''
16:16:19: INFO: fh.attrs.MaxPayloadSizeToTargetInBytes = 1048576
16:16:19: INFO: fh.attrs.MaxPayloadSizeToTargetInBytesSupported = 1048576
16:16:19: INFO: In handleProgram('magisk_patched.img')
16:16:19: INFO: Looking for file 'magisk_patched.img'
16:16:19: INFO: ================================================== =====
16:16:19: INFO: {<program> FILE: 'magisk_patched.img'}
16:16:19: INFO: {<program> (47.31 MB) 96883 sectors needed at location 262144 on LUN 0}
16:16:19: INFO: ================================================== =====


16:16:19: INFO: TARGET SAID: 'start 262144, num 96883'

16:16:21: INFO: Overall to target 1.688 seconds (28.02 MBps)

16:16:21: INFO: TARGET SAID: 'Finished programming start_sector 359027 and TotalSectorsToProgram 96883'
16:16:21: INFO:
16:16:21: INFO: ================================================== =====
16:16:21: INFO: ==================== {SUCCESS} ========================
16:16:21: INFO: ================================================== =====


16:16:21: INFO: Sending <power>

16:16:21: INFO: TARGET SAID: 'Inside handlePower() - Requested POWER_RESET'

16:16:21: INFO: TARGET SAID: 'Issuing bsp_target_reset() after 10 seconds, if this hangs, do you have WATCHDOG enabled?'
16:16:21: INFO: ================================================== ============
16:16:21: INFO: Files used and their paths
16:16:21: INFO: 1 'c:\flashtools\port_trace.txt'
16:16:21: INFO: 2 'c:\flashtools\xmlfile.xml'
16:16:21: INFO: 3 'c:\flashtools\magisk_patched.img'

16:16:21: INFO: _ (done)
16:16:21: INFO: | |
16:16:21: INFO: __| | ___ _ __ ___
16:16:21: INFO: / _` |/ _ \| '_ \ / _ \
16:16:21: INFO: | (_| | (_) | | | | __/
16:16:21: INFO: \__,_|\___/|_| |_|\___|
16:16:21: INFO: {All Finished Successfully}

16:16:21: INFO: Overall to target 1.906 seconds (24.82 MBps)

Writing log to 'c:\flashtools\port_trace.txt', might take a minute


Log is 'c:\flashtools\port_trace.txt'


c:\flashtools>
24th November 2019, 03:01 AM |#111  
Member
Thanks Meter: 7
 
More
Quote:
Originally Posted by uberdude420

so i finally got thru everything.. and it seems to say success...however when i load magisk up it still shows uninstalled and no root or modules :\ any suggestions?

c:\flashtools>fh_loader.exe --port=\\.\COM11 --sendxml=xmlfile.xml --lun=0 --memoryname=emmc --noprompt --reset

Base Version: 17.07.28.15.44
Binary build date: Jul 28 2017 @ 18:08:54
Incremental Build version: 17.07.28.18.08.54

16:16:19: INFO: FH_LOADER WAS CALLED EXACTLY LIKE THIS
************************************************
fh_loader.exe --port=\\.\COM11 --sendxml=xmlfile.xml --lun=0 --memoryname=emmc --noprompt --reset
************************************************

16:16:19: INFO: Current working dir (cwd): c:\flashtools\
16:16:19: INFO: Showing network mappings to allow debugging
16:16:19: INFO:



16:16:19: INFO: Trying to store 'xmlfile.xml' in string table
16:16:19: INFO: Looking for file 'xmlfile.xml'
16:16:19: INFO: User wants to talk to port '\\.\COM11'
16:16:19: INFO: Took 0.01500000 seconds to open port
16:16:19: INFO: Sorting TAGS to ensure order is <configure>,<erase>, others, <patch>,<power>
16:16:19: INFO: If you don't want this, use --dontsorttags

16:16:19: INFO: Sending <configure>

16:16:19: INFO: TARGET SAID: 'Binary build date: Aug 6 2018 @ 20:55:38'

16:16:19: INFO: TARGET SAID: 'Chip serial num: 0 (0x0)'

16:16:19: INFO: TARGET SAID: 'Supported Functions: program configure nop firmwarewrite patch setbootablestoragedrive ufs emmc power benchmark read getstorageinfo getsha256digest erase peek poke '

16:16:19: INFO: TARGET SAID: 'Calling usb_al_bulk_set_zlp_mode(TRUE) since ZlpAwareHost='1''
16:16:19: INFO: fh.attrs.MaxPayloadSizeToTargetInBytes = 1048576
16:16:19: INFO: fh.attrs.MaxPayloadSizeToTargetInBytesSupported = 1048576
16:16:19: INFO: In handleProgram('magisk_patched.img')
16:16:19: INFO: Looking for file 'magisk_patched.img'
16:16:19: INFO: ================================================== =====
16:16:19: INFO: {<program> FILE: 'magisk_patched.img'}
16:16:19: INFO: {<program> (47.31 MB) 96883 sectors needed at location 262144 on LUN 0}
16:16:19: INFO: ================================================== =====


16:16:19: INFO: TARGET SAID: 'start 262144, num 96883'

16:16:21: INFO: Overall to target 1.688 seconds (28.02 MBps)

16:16:21: INFO: TARGET SAID: 'Finished programming start_sector 359027 and TotalSectorsToProgram 96883'
16:16:21: INFO:
16:16:21: INFO: ================================================== =====
16:16:21: INFO: ==================== {SUCCESS} ========================
16:16:21: INFO: ================================================== =====


16:16:21: INFO: Sending <power>

16:16:21: INFO: TARGET SAID: 'Inside handlePower() - Requested POWER_RESET'

16:16:21: INFO: TARGET SAID: 'Issuing bsp_target_reset() after 10 seconds, if this hangs, do you have WATCHDOG enabled?'
16:16:21: INFO: ================================================== ============
16:16:21: INFO: Files used and their paths
16:16:21: INFO: 1 'c:\flashtools\port_trace.txt'
16:16:21: INFO: 2 'c:\flashtools\xmlfile.xml'
16:16:21: INFO: 3 'c:\flashtools\magisk_patched.img'

16:16:21: INFO: _ (done)
16:16:21: INFO: | |
16:16:21: INFO: __| | ___ _ __ ___
16:16:21: INFO: / _` |/ _ \| '_ \ / _ \
16:16:21: INFO: | (_| | (_) | | | | __/
16:16:21: INFO: \__,_|\___/|_| |_|\___|
16:16:21: INFO: {All Finished Successfully}

16:16:21: INFO: Overall to target 1.906 seconds (24.82 MBps)

Writing log to 'c:\flashtools\port_trace.txt', might take a minute


Log is 'c:\flashtools\port_trace.txt'


c:\flashtools>

Are you getting the boot warning during power up? Does the Magisk app show an option to flash directly now?

I do recall having a couple extra steps within the Magisk app after flashing however it prompted me and seemed automated.

It looks like you applied everything correctly though so we can't far off.
Post Reply Subscribe to Thread

Tags
sonim-xp8

Guest Quick Reply (no urls or BBcode)
Message:
Previous Thread Next Thread
Thread Tools Search this Thread
Search this Thread:

Advanced Search
Display Modes