Experimental Software Root for HD 8 & HD 10

By diplomatic, Senior Member on 26th February 2019, 02:58 AM
26th February 2019, 10:10 PM |#21  
Senior Member
@diplomatic

Fire HD8 2016 (MT8163V/B) - works

Fire HD10 2017 (MT8173) - no go:
Code:
[email protected]:/data/local/tmp $ ./mtk-su  -v
Building symbol table
ioctl: No message of desired type
read_at_pa() failed
Error in find_kallsyms_addresses()
Unable to get kernel symbol table
starting /system/bin/sh
[email protected]:/data/local/tmp $
Fire HD7 2014 (MT8135) - no go:
Code:
[email protected]:/data/local/tmp $ ./mtk-su
/system/bin/sh: ./mtk-su: not executable: 64-bit ELF file
[email protected]:/data/local/tmp $ exit
Need to test:
Fire Stick 4K - MTK8695
Fire Stick 2nd gen - MT8127D (seems the same as Fire 7 2015/2017)
The Following User Says Thank You to bibikalka For This Useful Post.

26th February 2019, 10:28 PM |#22  
OP Senior Member
Quote:
Originally Posted by xyz`

Maybe you can just compile it as a static binary instead if that's easier.

Whoa, you mean if it doesn't depend on any external libraries a 64-bit executable will load just fine even though the high-level system is only 32-bit? That's some sorcery right there. I'll keep that in mind.
But anyway I did just compile an arm version for you to test. (Unless someone beats you to it. @bibikalka?) It took more than a few tweaks to suppress the compiler warnings and make it run. But I tested it on my tablet and it worked out just fine. The attached zip file has both archs. Both of these deal with a 64-bit kernel, and in general I recommend you use the arm64 unless your device only has a 32-bit software base.

Quote:
Originally Posted by Rortiz2

LOL
Very nice!
Awesome work @diplomatic
If you had discovered it before, I would not have asked you to compile TWRP for the BQ M8 and I would not have bothered you. By the way, I prefer to have TWRP. (thanks!)
I have reinstalled stock in my BQ M8 and the script has worked! If you want you can add it to the list of devices...
On Fire 7 7th Gen it did not work.. But we have TWRP.
EDIT: I have tried again and now I get this error

Code:
130|[email protected]_M8:/data/local/tmp $ ./mtk-su -v
Building symbol table
kallsyms_addresses_pa 0x40a43000
kallsyms_num_syms 49221, addr_count 49221
kallsyms_names_pa 0x40aa3400
Size of kallsyms_names 602609 bytes
kallsyms_markers_pa 0x40b36600
kallsyms_token_table_pa 0x40b36c00
warning: token_count 1
kallsyms_token_index_pa 0x40b36d00
Patching credentials
__ksymtab_init_task not found
New UID/GID: 2000/2000
Setting selinux permissive
find_selinux_enforce_var() returned -1
starting /system/bin/sh

Thank you, sir.... You did have unlocked BL & root before TWRP, right? So the TWRP is not mutually exclusive to this exploit.

For intermittent errors like this, you have to keep your screen on and try again.


Quote:
Originally Posted by JJ2017

One difficulty: mtk-su seemed to run fine and UID= 0 was shown - but I did have trouble getting the 'mount -o remount -rw /system' command to work at first - it needed a few attempts.
And then, using the work-through from post 10, I couldn't get full root (i.e. 'su' accepted at command prompt) until I changed permissions on each of the copied SU components (su, daemonsu etc) to those prescribed in @…'s awesome Hardmod post.

OK, I see. (Is that even the right remount command?) When you push the su-related binaries from Windows, you have to set the right permissions for the files because Windows does not distinguish between executable and not. This is something that hasn't been mentioned before.

Quote:
Originally Posted by Datastream33

Wait, will this work for a mt6753 chipset?

Signs point to yes.
The Following 2 Users Say Thank You to diplomatic For This Useful Post.
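The "not executable: 64-bit ELF file" failure and the static-vs-dynamic point discussed in the post above, as an added example that is not from the thread or from mtk-su itself: a small Python check that reads an ELF image's class, machine and whether it carries a PT_INTERP segment (i.e. needs a dynamic loader), then applies the rule the posters describe. The sample images are constructed, header-only stubs; the `diagnose` rule (a 64-bit kernel runs a static 64-bit binary under a 32-bit userspace, but a dynamic one needs 64-bit libraries and a loader that userspace lacks, and a 32-bit kernel runs no 64-bit ELF at all) is my assumption, not something the thread verified.

```python
import struct

ELF_MAGIC = b"\x7fELF"
EM_ARM, EM_AARCH64 = 40, 183          # e_machine values for arm and arm64
PT_LOAD, PT_INTERP = 1, 3             # a PT_INTERP segment means a dynamic link

def elf_info(data):
    """Return (class_bits, e_machine, needs_interp) from an ELF header and its phdrs."""
    if data[:4] != ELF_MAGIC:
        raise ValueError("not an ELF file")
    bits = {1: 32, 2: 64}[data[4]]                 # EI_CLASS: 1 = ELF32, 2 = ELF64
    end = "<" if data[5] == 1 else ">"             # EI_DATA: 1 = little-endian
    e_machine = struct.unpack_from(end + "H", data, 18)[0]
    if bits == 64:                                 # header field offsets differ by class
        e_phoff = struct.unpack_from(end + "Q", data, 32)[0]
        e_phentsize, e_phnum = struct.unpack_from(end + "HH", data, 54)
    else:
        e_phoff = struct.unpack_from(end + "I", data, 28)[0]
        e_phentsize, e_phnum = struct.unpack_from(end + "HH", data, 42)
    needs_interp = any(
        struct.unpack_from(end + "I", data, e_phoff + i * e_phentsize)[0] == PT_INTERP
        for i in range(e_phnum))
    return bits, e_machine, needs_interp

def diagnose(data, kernel_bits, userspace_bits):
    """Assumed rule (see lead-in): static 64-bit ELF loads on a 64-bit kernel even with a
    32-bit userspace; dynamic 64-bit ELF needs 64-bit libs; 32-bit kernels run no 64-bit ELF."""
    bits, machine, needs_interp = elf_info(data)
    if machine not in (EM_ARM, EM_AARCH64):
        return "wrong architecture"
    if bits == 64 and kernel_bits == 32:
        return "64-bit ELF on a 32-bit kernel: use the arm build"
    if bits == 64 and userspace_bits == 32 and needs_interp:
        return "64-bit dynamic binary, no 64-bit loader: link static or use the arm build"
    return "should load"

def build_elf(bits, machine, with_interp):
    """Construct a minimal little-endian ELF header plus one program header (test data)."""
    p_type = PT_INTERP if with_interp else PT_LOAD
    if bits == 64:
        ehsize, phentsize, ident = 64, 56, ELF_MAGIC + bytes([2, 1, 1]) + bytes(9)
        hdr = struct.pack("<HHIQQQIHHHHHH", 2, machine, 1, 0, ehsize, 0, 0,
                          ehsize, phentsize, 1, 0, 0, 0)
    else:
        ehsize, phentsize, ident = 52, 32, ELF_MAGIC + bytes([1, 1, 1]) + bytes(9)
        hdr = struct.pack("<HHIIIIIHHHHHH", 2, machine, 1, 0, ehsize, 0, 0,
                          ehsize, phentsize, 1, 0, 0, 0)
    return ident + hdr + struct.pack("<I", p_type) + bytes(phentsize - 4)
```

On a real file, pass `open(path, "rb").read()` to `diagnose` with the device's kernel and userspace widths to get the same verdict the shell error only hints at.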
26th February 2019, 10:33 PM |#23  
OP Senior Member
Quote:
Originally Posted by bibikalka

@diplomatic

Fire HD8 2016 (MT8163V/B) - works

Fire HD10 2017 (MT8173) - no go:

Code:
[email protected]:/data/local/tmp $ ./mtk-su  -v
Building symbol table
ioctl: No message of desired type
read_at_pa() failed
Error in find_kallsyms_addresses()
Unable to get kernel symbol table
starting /system/bin/sh
[email protected]:/data/local/tmp $
Fire HD7 2014 (MT8135) - no go:
Code:
[email protected]:/data/local/tmp $ ./mtk-su
/system/bin/sh: ./mtk-su: not executable: 64-bit ELF file
[email protected]:/data/local/tmp $ exit
Need to test:
Fire Stick 4K - MTK8695
Fire Stick 2nd gen - MT8127D (seems the same as Fire 7 2015/2017)

OK, I'll look into it for the HD 10. But I can tell you right now it will never work on the 2 devices you listed, the Fire TV Stick 4K and Fire TV Stick or any mt8127 based device.
26th February 2019, 10:40 PM |#24  
Member
Quote:
Originally Posted by diplomatic

Whoa, you mean if it doesn't depend on any external libraries a 64-bit executable will load just fine even though the high-level system is only 32-bit? That's some sorcery right there. I'll keep that in mind.
But anyway I did just compile an arm version for you to test. (Unless someone beats you to it. @bibikalka?) It took more than a few tweaks to suppress the compiler warnings and make it run. But I tested it on my tablet and it worked out just fine. The attached zip file has both arch's. Both of these deal with a 64-bit kernel, and in general I recommend you use the arm64 unless your device only has a 32-bit software base.


Thank you, sir.... You did have unlocked BL & root before TWRP, right? So the TWRP is not mutually exclusive to this exploit.

For intermittent errors like this, you have to keep your screen on and try again.



OK, I see. (Is that even the right remount command?) When you push the su-related binaries from Windows, you have to set the right permissions for the files because Windows does not distinguish between executable and not. This is something that hasn't been mentioned before.


Signs point to yes.

Yep it works now, took two tries to get selinux into permissive mode though (first got the root shell but selinux remained in enforcing mode, second running same command from the root shell put it into permissive successfully).
The Following 2 Users Say Thank You to xyz` For This Useful Post.
26th February 2019, 10:58 PM |#25  
OP Senior Member
Sweet! Another device to the confirmed list. The selinux not being set sometimes, I just noticed that myself. It's another intermittent memory access glitch that you have to retry the exploit to get around.
26th February 2019, 11:37 PM |#26  
Member
Quote:
Originally Posted by teamfresno

Thanks for this! I'm not sure if I'm doing it correctly, but everything works fine until I get to #11. Do I just type su? When I do, it says permission denied.


Quote:
Originally Posted by JJ2017

@diplomatic - awesome work - just had to give it a go for myself...

Factory reset my HD8 (2017) (root originally via @t0x1cSH "Fire hd8 2017 root, debrick" post) and followed your post plus the 'speedy SU install' from @dutchthomas - post 10.

One difficulty: mtk-su seemed to run fine and UID= 0 was shown - but I did have trouble getting the 'mount -o remount -rw /system' command to work at first - it needed a few attempts.
And then, using the work-through from post 10, I couldn't get full root (i.e. 'su' accepted at command prompt) until I changed permissions on each of the copied SU components (su, daemonsu etc) to those prescribed in @…'s awesome Hardmod post.

Bit strange? I was using Fire OS 5.3.6.0 - I wonder if version makes any difference? Got there eventually tho'

Good catch, I missed the permissions step! I might have gotten the permissions correct on my first failed attempt (coincidentally) and so I didn't need it again. I'll update my instructions after work
The Following 2 Users Say Thank You to dutchthomas For This Useful Post.
26th February 2019, 11:55 PM |#27  
Datastream33, Senior Member, Salt Lake
Quote:
Originally Posted by diplomatic

Whoa, you mean if it doesn't depend on any external libraries a 64-bit executable will load just fine even though the high-level system is only 32-bit? That's some sorcery right there. I'll keep that in mind.
But anyway I did just compile an arm version for you to test. (Unless someone beats you to it. @bibikalka?) It took more than a few tweaks to suppress the compiler warnings and make it run. But I tested it on my tablet and it worked out just fine. The attached zip file has both arch's. Both of these deal with a 64-bit kernel, and in general I recommend you use the arm64 unless your device only has a 32-bit software base.

LOL
Very nice!
Awesome work @diplomatic
If you had discovered it before, I would not have asked you to compile TWRP for the BQ M8 and I would not have bothered you. By the way, I prefer to have TWRP. (thanks!)
I have reinstalled stock in my BQ M8 and the script has worked! If you want you can add it to the list of devices...
On Fire 7 7th Gen it did not work.. But we have TWRP.
EDIT: I have tried again and now I get this error

Thank you, sir.... You did have unlocked BL & root before TWRP, right? So the TWRP is not mutually exclusive to this exploit.

For intermittent errors like this, you have to keep your screen on and try again.



One difficulty: mtk-su seemed to run fine and UID= 0 was shown - but I did have trouble getting the 'mount -o remount -rw /system' command to work at first - it needed a few attempts.
And then, using the work-through from post 10, I couldn't get full root (i.e. 'su' accepted at command prompt) until I changed permissions on each of the copied SU components (su, daemonsu etc) to those prescribed in @…'s awesome Hardmod post.
OK, I see. (Is that even the right remount command?) When you push the su-related binaries from Windows, you have to set the right permissions for the files because Windows does not distinguish between executable and not. This is something that hasn't been mentioned before.


Signs point to yes.

Ok, thank you. I'm going to try this method on Blu Vivo 8L.

---------- Post added at 01:55 AM ---------- Previous post was at 01:43 AM ----------

Quote:
Originally Posted by Datastream33

Ok, thank you. I'm going to try this method on Blu Vivo 8L.

Ok, so I tried the steps and was met with an error when trying to run it.

The error is as follows:
Code:
ioctl: Invalid Argument
Error allocating driver buffer
What am I doing wrong? Does this mean it will not work for my device?
27th February 2019, 12:14 AM |#28  
Senior Member
Quote:
Originally Posted by k4y0z

If you want to zero out preloader, you should do it this way:

Code:
su -c "echo 0 > /sys/block/mmcblk0boot0/force_ro; cat /dev/zero > /dev/block/mmcblk0boot0; echo 'EMMC_BOOT' > /dev/block/mmcblk0boot0"
that way the sanity check of amonet won't fail.

Quote:
Originally Posted by Rortiz2

When you execute that command, simply turn off the tablet and when you connect it to the PC it will detect it in BootROM Mode. Checked in Fire 7 2017.

Cool! This may become the go-to method to access BootRom for the next generation of bootloader unlocking tools (instead of cover removal & contact shorting). Hopefully, it goes into BootRom like that on every MTK Fire tablet! Not having amonet write LK/TZ will greatly decrease the chance it'll freeze during the writing operations.

Just checked - LK+TZ size is about 3.7Mb. Just the preloader plus the little pieces is ~ 150k. So pre-writing LK/TZ/TWRP/boot via dd before going into BootRom will decrease the amount of data that needs to be written by about 25x! That's a lot less risk to have it freeze during the procedure.
27th February 2019, 01:07 AM |#29  
cybersaga, Senior Member, Loyalist, ON
Quote:
Originally Posted by diplomatic

@cybersaga, yes, it's very possible it will work on an mt8167 device.

So I tried it on my Acer B3-A40 tablet and got this:

Code:
./mtk-su -v
Building symbol table
Error in find_kallsyms_addresses()
Unable to get kernel symbol table
starting /system/bin/sh
I don't know if anything can be done about that. Maybe this has a kernel that's patched. (kernel is 4.4.22)
27th February 2019, 01:28 AM |#30  
OP Senior Member
Quote:
Originally Posted by Datastream33

Ok, so I tried the steps and was met with an error when trying to run it.

The error is as follows:

Code:
ioctl: Invalid Argument
Error allocating driver buffer
What am I doing wrong? Does this mean it will not work for my device?

Hmm, there's nothing you're doing wrong. That result is odd, but I suspect mtk-su will need some tweaking to be compatible with that phone. I've checked some sources for mt6755 online. There's nothing that stands out to me yet. Do you have a link to kernel sources for that particular device?

Quote:
Originally Posted by cybersaga

So I tried it on my Acer B3-A40 tablet and got this:

Code:
./mtk-su -v
Building symbol table
Error in find_kallsyms_addresses()
Unable to get kernel symbol table
starting /system/bin/sh
I don't know if anything can be done about that. Maybe this has a kernel that's patched. (kernel is 4.4.22)

That's weird, but I'd say promising. Do you have a link to the kernel sources?
27th February 2019, 01:52 AM |#31  
cybersaga, Senior Member, Loyalist, ON
Quote:
Originally Posted by diplomatic

Do you have a link to the kernel sources?

Nothing here. I can try to poke around and see what I can find. I don't know where I'd find it if not the Acer site though.

---------- Post added at 08:52 PM ---------- Previous post was at 08:49 PM ----------

The source code for a similar model is available (under "Documents"): https://www.acer.com/ac/en/CA/conten...oduct/7318?b=1

But a slightly different CPU: MT8167A
Tags
fire hd 10, fire hd 8, root