BLU R1 HD v6.6 Dirtycowed F.U. AMAZON ROOT AND UNLOCK GUIDE

christianrodher · Nov 1, 2016

Hello everyone. We found a way to unlock and root a BLU R1 HD in ota version 6.6.
Files http://forum.xda-developers.com/showpost.php?p=69387472&postcount=5
Here are the instrucction:

mrmazak said:

I wrote (or plagiarized a little) Five batch scripts and put them into a .tar archive.
It is attached.

***** NOTICE DURING THIS YOUR PHONE SCREEN MAY SHOW A FROZEN BOOT ANIMATION, THIS IS EXPECTED, THE ADB SHELL SHOULD STILL BE ACTIVE AND WORKING*****

** THE FREEZING IS FROM THE "/system/bin/app_process32" BEING TEMPORARILY OVER WRITTEN, ON THE NEXT REBOOT IT IS RESTORED****

WARNING UNLOCKING YOUR BOOTLOADER WILL WIPE DATA AND FACTORY RESET THE DEVICE
So backup anything you want to keep

Decompress the files and start with "1-First", and continue until "5-Fifth". (in order 1,2,3,4,5)

The separate scripts could be combined into a one click option to unlock boot loader and then install the recovery. But there is issues with the shell in a shell in a cmd passing the commands through. So in an effort to make sure nobody misses the needed manual steps i kept them separate.

PLEASE PAY ATTENTION TO THE COMMENTS IN ADB WINDOW. CAREFULLY CHECK WHAT YOU TYPE BEFORE YOU HIT ENTER. A TYPO HERE MAY BE SERIOUS.

So you will need to run the script and follow the on screen notes , There are two times you will need to manually open a second command window and enter adb shell, type commands. One time in the First batch and again in the Third. Copy and paste also doesn't work in this situation

If you are on Linux you will have to re write the commands into a sh file or do it all by hand.

If anybody wants to make improvements and can get the manual entry part to be coded, please do.

1-First.bat

2-Second.bat

3-Third.bat

4-Forth.bat

Code:

::Set our Window Title
@title R1 HD Amazon Bootloader Unlock Step Four

::Set our default parameters
@echo off
color 0b
echo.--------------------------------------------------------------------------------------------
echo.--------------------------------------------------------------------------------------------
echo [*] adjust window size to the dashed lines above (press any button twice continue)
pause > nul
@echo on
pause > nul
adb reboot bootloader
timeout 10 > nul
cls
@echo off
echo.--------------------------------------------------------------------------------------------
echo.--------------------------------------------------------------------------------------------
echo [*] now that the device is in fastboot mode we are going to unlock the
echo [*] bootloader. on the next screen on your phone you will see 
echo [*] PRESS THE VOLUME UP/DOWN BUTTONS TO SELECT YES OR NO
echo [*] just press volume up to start the unlock process.
echo.--------------------------------------------------------------------------------------------
echo.--------------------------------------------------------------------------------------------
echo [*] press any key to start the unlock
pause > nul
fastboot oem unlock
echo [*] once the bootloader is unlocked press any key to wipe data
pause > nul
fastboot format userdata
echo [*] Press any key to reboot the device
pause > nul
fastboot reboot
cls
echo.--------------------------------------------------------------------------------------------
echo.--------------------------------------------------------------------------------------------
echo [*] your bootloader is now unlocked on your BLU R1 HD Amazon device
echo [*] first boot up will take around 5 to 10 minutes then you can set it up 
echo [*] Next is the 5-Fifth.bat to install recovery echo echo [*]
echo [*] You will need to enble developers option, then enable adb to continue next script 
echo [*] ******************
echo [*] IF PHONE DOES NOT REBOOT HOLD POWER UNTILL IT POWERS OFF THEN AGAIN TO POWER ON
echo [*] ******************
echo.--------------------------------------------------------------------------------------------
echo.--------------------------------------------------------------------------------------------
echo [*] Press any key to finish this script.
pause > nul
exit

5-Fifth.bat

Code:

::Set our Window Title
@title R1 HD Amazon Bootloader Unlock Step Five

::Set our default parameters
@echo off
color 0b
echo.--------------------------------------------------------------------------------------------
echo.--------------------------------------------------------------------------------------------
echo [*] adjust window size to the dashed lines above (press any button twice continue)
pause > nul
@echo on
pause > nul
adb reboot bootloader
timeout 10 > nul
cls
@echo off
echo.--------------------------------------------------------------------------------------------
echo.--------------------------------------------------------------------------------------------
echo [*] 
echo [*]  
echo [*] 
echo [*] 
echo.--------------------------------------------------------------------------------------------
echo.--------------------------------------------------------------------------------------------
echo [*] press any key to Flash recovery
pause > nul
fastboot flash recovery recovery.img
echo [*] once the file transfer is complete hold volume up and press any key on pc 
echo [*] IF PHONE DOES NOT REBOOT THEN HOLD VOLUME UP AND POWER UNTILL IT DOES
pause > nul
fastboot reboot
echo [*] on phone select recovery with volume key then select with power
pause > nul
cls
echo.--------------------------------------------------------------------------------------------
echo.--------------------------------------------------------------------------------------------
echo [*] now you booted to recovery continue and make a backup if you want
echo [*]  you can just continue as is from here or flash the old preloader file with 
echo [*] recovery. There are more steps not included here if you want to do that.
echo [*]  
echo.--------------------------------------------------------------------------------------------
echo.--------------------------------------------------------------------------------------------
echo [*] Press any key to finish this script.
pause > nul
exit

Follow up with bootloader roll-back if desired.
http://forum.xda-developers.com/r1-hd/how-to/r1hd-update-6-6-bootloader-roll-t3491096

none important note: my english sucks! Que viva Puerto Rico

thanks to:
@jcadduono - wrote recowvery-app_proccess64
@mrmazak - main tester, bat script writer & fastboot steps
@Scorpius666 - mod recowvery-app_proccess64 and lsh into cow-app64-mod
@christianrodher - compiled dirtycow , cow-app64-mod & found the steps to unlock/root
@rootjunky - for files
@lopestom - twrp recovery
@brenns10 - wrote lsh

KazuDante · Oct 31, 2016 at 5:56 AM

nicely done guy.
wait you guys have a 64bit enabled r1HD? how?

christianrodher · Oct 21, 2016 20 20 0

KazuDante said:
nicely done guy.
wait you guys have a 64bit enabled r1HD? how?

thats just the name of the files... they are compiled as 32bits

KazuDante · Oct 31, 2016 at 5:59 AM

Oh ok...man i had my hopes up.....because we need to enable the r1 in a 64bit mode

Sent from my BLU R1 HD using Tapatalk

mrmazak · Feb 22, 2017

UPDATED

OLD batch script is now made into interactive "tool"
REMOVED LINK FILE HAD PROBLEM SCRIPT TYPO MADE IT UNSTABLE
fixing and will update soon

fixed version here
sorry about the confusion. Will make new thread for tool i think

New thread https://forum.xda-developers.com/r1-hd/how-to/unlock-tool-t3561333

old post is hidden

Download tar file and unpack into folder of your choice. Connect phone to pc with ADB enabled. Open folder where you unzipped files to and click on the "one-click-root.bat". Dirtycow has been modified to run much quicker. The new compiled dirtycow.c file is included in the archive. It is the optimized dirtyc0w from this github. https://github.com/bkerler/CVE-2016-5195/tree/master

The included recowvery-app_process32.c is included it comes from @vampirefo 's github project. I changed one line near the end. I changed the 120 second timeout to 10 seconds. https://github.com/vampirefo/limited_shell_root/tree/vampirefo-limited_shell_root

The included busybox executable also comes from vampirefo, it was not necessary to use the busybox, because this devise has toybox included, but I wanted something that could possibly help be used on more devices, so I included it in the scripts.

WARNING UNLOCKING YOUR BOOTLOADER WILL WIPE DATA AND FACTORY RESET THE DEVICE
So backup anything you want to keep

One-Click-root.bat

Code:

::Set our Window Title
@title R1 HD AMAZON BOOTLOADER UNLOCK
mode 100,30
::Set our default parameters
@echo off
color 0b
echo.--------------------------------------------------------------------------------------------
echo.--------------------------------------------------------------------------------------------
echo [*] BEFORE WE BEGIN THE SCRIPT WILL RUN "ADB DEVICES" AND SEE IF YOU HAVE DRIVERS INSTLLED
echo [*] THE NEEDED RESPONSE IS SIMILAR TO BELOW 
echo [*]
echo [*] List of devices attached
echo [*] ****************        device
echo [*] 
echo [*] INSTEAD OF STARS IT WILL BE YOUR SERIAL NUMBER 
echo [*] IF NO DEVICE LISTED YOU ARE NOT READY TO RUN THIS SCRIPT. CLOSE THIS WINDOW NOW IF NOT READY
echo [*] 
echo [*] IF DEVICE IS LISTED PRESS ANY KEY ON COMPUTER TO START
echo [*]
adb devices
pause > nul
adb wait-for-device
cls
echo [*] copying dirtycow to /data/local/tmp/dirtycow
adb push dirtycow /data/local/tmp/dirtycow
timeout 2 > nul
echo [*] copying recowvery-app_process32 to /data/local/tmp/recowvery-app_process32
adb push recowvery-app_process32 /data/local/tmp/recowvery-app_process32
timeout 2 > nul
echo [*] copying frp.bin to /data/local/tmp/unlock
adb push frp.bin /data/local/tmp/unlock
timeout 2 > nul
echo [*] copying busybox to /data/local/tmp/busybox
adb push busybox /data/local/tmp/busybox
timeout 2 > nul
echo [*] copying cp_comands.txt to /data/local/tmp/cp_comands.txt
adb push cp_comands.txt /data/local/tmp/cp_comands.txt
timeout 2 > nul
echo [*] copying dd_comands.txt to /data/local/tmp/dd_comands.txt
adb push dd_comands.txt /data/local/tmp/dd_comands.txt
timeout 2 > nul
echo [*] changing permissions on copied files
adb shell chmod 0777 /data/local/tmp/*
timeout 2 > nul
cls
echo.--------------------------------------------------------------------------------------------
echo [*] DONE PUSHING FILES TO PHONE. NOW WE ARE GOING TO TEMP WRITE OVER THE APP_PROCESS
echo [*] WITH A MODIFIED VERSION THAT HAS lsh IN IT USING A SYSTEM-SERVER AS ROOT SHELL
echo [*] THIS STEP WILL CAUSE PHONE TO DO A SOFT REBOOT AND WILL NOT RESPOND TO BUTTON PUSHES
echo [*] 
adb shell /data/local/tmp/dirtycow /system/bin/app_process32 /data/local/tmp/recowvery-app_process32
echo.--------------------------------------------------------------------------------------------
cls
echo.--------------------------------------------------------------------------------------------
echo.--------------------------------------------------------------------------------------------
echo [*]WAITING 60 SECONDS FOR ROOT SHELL TO SPAWN
timeout 60 > nul
echo.--------------------------------------------------------------------------------------------
echo [*] OPENING A ROOT SHELL ON THE NEWLY CREATED SYSTEM_SERVER
echo [*] MAKING A DIRECTORY ON PHONE TO COPY FRP PARTION TO 
echo [*] CHANGING PERMISSIONS ON NEW DIRECTORY
echo [*] COPYING FPR PARTION TO NEW DIRECTORY AS ROOT
echo [*] CHANGING PERMISSIONS ON COPIED FRP
adb shell "/data/local/tmp/busybox nc localhost 11112 < /data/local/tmp/cp_comands.txt"
cls
echo [*] COPY UNLOCK.IMG OVER TOP OF COPIED FRP IN /data/local/test NOT AS ROOT WITH DIRTYCOW
echo [*]
adb shell /data/local/tmp/dirtycow /data/local/test/frp /data/local/tmp/unlock
timeout 5 > nul
cls
echo [*] WAITING 5 SECONDS BEFORE WRITING FRP TO EMMC
timeout 5 > nul
echo [*] DD COPY THE NEW (UNLOCK.IMG) FROM /data/local/test/frp TO PARTITION mmcblk0p17
adb shell "/data/local/tmp/busybox nc localhost 11112 < /data/local/tmp/dd_comands.txt"
echo.--------------------------------------------------------------------------------------------
echo.--------------------------------------------------------------------------------------------
echo.-----------REBOOTING_INTO_BOOTLOADER--------------------------------------------------------
adb reboot bootloader
cls
echo.--------------------------------------------------------------------------------------------
echo.--------------------------------------------------------------------------------------------
echo [*] YOUR PHONE SCREEN SHOULD BE BLACK WITH THE WORD "=>FASTBOOT mode..." IN LOWER CORNER
echo [*] JUST LIKE IN THE BEGINING WE NEED TO VERIFY YOU HAVE DRIVERS ON PC FOR THE NEXT STEP
echo [*] THE RESPONSE SHOULD BE 
echo [*]
echo [*] ***************     fastboot
echo [*]
echo [*] THE STARS WILL BE YOUR SERIAL NUMBER
echo [*] IF THE RESPONSE IS THIS THEN HIT ANY BUTTON ON PC TO CONTINUE
echo [*] 
echo [*] IF RESPONSE IS A BLANK LINE YOU DO NOT HAVE DRIVER NEEDED TO CONTINUE. CLOSE THIS WINDOW
echo [*] AND GET FASTBOOT DRIVERS THEN EITHER RUN "fastboot oem unlock" IN TERMINAL
fastboot devices
pause > nul 
cls
echo [*] NOW THAT THE DEVICE IS IN FASTBOOT MODE WE ARE GOING TO UNLOCK THE
echo [*] BOOTLOADER. ON THE NEXT SCREEN ON YOUR PHONE YOU WILL SEE 
echo [*] PRESS THE VOLUME UP/DOWN BUTTONS TO SELECT YES OR NO
echo [*] JUST PRESS VOLUME UP TO START THE UNLOCK PROCESS.
echo.--------------------------------------------------------------------------------------------
echo.--------------------------------------------------------------------------------------------
echo [*] PRESS ANY KEY ON COMPUTER TO START THE UNLOCK
pause > nul
fastboot oem unlock
cls
echo [*] ONCE THE BOOTLOADER IS UNLOCKED PRESS ANY KEY TO WIPE DATA
pause > nul
fastboot format userdata
cls
echo [*] PRESS ANY KEY TO REBOOT THE DEVICE
pause > nul
fastboot reboot
cls
echo.--------------------------------------------------------------------------------------------
echo.--------------------------------------------------------------------------------------------
echo [*] YOUR BOOTLOADER IS NOW UNLOCKED ON YOUR BLU R1 HD AMAZON DEVICE
echo [*] FIRST BOOT UP WILL TAKE AROUND 5 TO 10 MINUTES THEN YOU CAN SET IT UP 
echo [*] NEXT IS TO INSTALL RECOVERY TWRP
echo [*]
echo [*]
echo [*] YOU WILL NEED TO ENBLE DEVELOPERS OPTION, THEN ENABLE ADB TO CONTINUE NEXT SCRIPT 
echo [*] ******************
echo [*] IF PHONE DID NOT REBOOT HOLD POWER UNTILL IT POWERS OFF THEN AGAIN TO POWER ON
echo [*] ******************
echo.--------------------------------------------------------------------------------------------
echo.--------------------------------------------------------------------------------------------
echo [*] PRESS ANY KEY TO INSTALL TWRP AFTER YOU ENABLE DEVELOPER OPTIONS ON PHONE
echo [*] OR CTRL+C TO STOP HERE
pause > nul
echo.--------------------------------------------------------------------------------------------
echo.--------------------------------------------------------------------------------------------
echo.-----------REBOOTING_INTO_BOOTLOADER--------------------------------------------------------
adb reboot bootloader
cls
echo.--------------------------------------------------------------------------------------------
echo.--------------------------------------------------------------------------------------------
echo [*] NOW YOUR IN FASTBOOT MODE AND READY TO FLASH TWRP RECOVERY
echo [*]  
echo [*] 
echo [*] 
echo.--------------------------------------------------------------------------------------------
echo.--------------------------------------------------------------------------------------------
echo [*] PRESS ANY KEY TO FLASH RECOVERY
pause > nul
fastboot flash recovery recovery.img
echo [*] ONCE THE FILE TRANSFER IS COMPLETE HOLD VOLUME UP AND PRESS ANY KEY ON PC 
ECHO [*]
echo [*] IF PHONE DOES NOT REBOOT THEN HOLD VOLUME UP AND POWER UNTILL IT DOES
pause > nul
fastboot reboot
echo [*] ON PHONE SELECT RECOVERY FROM BOOT MENU WITH VOLUME KEY THEN SELECT WITH POWER
echo [*] PRESS ANY KEY ON PC FOR MORE NOTES
pause > nul
cls
echo.--------------------------------------------------------------------------------------------
echo.--------------------------------------------------------------------------------------------
echo [*] NOW YOU BOOTED TO RECOVERY CONTINUE AND MAKE A BACKUP IF YOU WANT
echo [*]  YOU CAN JUST CONTINUE AS IS FROM HERE OR FLASH THE OLD PRELOADER FILE WITH 
echo [*] RECOVERY. THERE ARE MORE STEPS NOT INCLUDED HERE IF YOU WANT TO DO THAT.
echo [*]  
echo.--------------------------------------------------------------------------------------------
echo.--------------------------------------------------------------------------------------------
echo [*] PRESS ANY KEY TO FINISH THIS SCRIPT.
pause > nul
exit

original post is below hidden

Follow up with install SperSu if desired.

Stable superSU link. http://forum.xda-developers.com/showthread.php?t=1538053
From supersu site download recovery install version. Version at time of first root was v2.76 no it is v2.78 both should work. Put .zip file onto phone internal memory. Either by adb push, or by mtp connection. And boot to recovery and install.

Follow up with bootloader roll-back if desired.
http://forum.xda-developers.com/r1-hd/how-to/r1hd-update-6-6-bootloader-roll-t3491096

GuestD0086 · Oct 31, 2016 at 1:06 PM

congrats!

lol... give them root and they want 64bit.

khyr · Aug 14, 2015 82 10 0

Excelente viejo! lo voy a probar saludos desde honduras

vampirefo · Nov 1, 2016 at 10:23 AM

Release the source code for these files, they are based on open source files.

Too refuse to release the source is selfish and hurtful to the spirit of open source, in which these files are based off of.

Sent from my R1HD(ZenUI) via Tapatalk

mrmazak · Nov 1, 2016 at 11:15 AM

vampirefo said:
Release the source code for these files, they are based on open source files.

Too refuse to release the source is selfish and hurtful to the spirit of open source, in which these files are based off of.

Sent from my R1HD(ZenUI) via Tapatalk

The binaries are in the download. Is that what your looking for.
Or the .c files ?

I don't have the un-compiled xxx.c files.
But they are same as from this GitHub.

https://github.com/jcadduono/android_external_dirtycow
Just with minor changes to the referenced /dev/block to match whatever device it's for.

vampirefo · Nov 1, 2016

mrmazak said:
The binaries are in the download. Is that what your looking for.
Or the .c files ?

I don't have the un-compiled xxx.c files.
But they are same as from this GitHub.

https://github.com/jcadduono/android_external_dirtycow
Just with minor changes to the referenced /dev/block to match whatever device it's for.

Yes I am requesting c file for cow-app64-mod and no it's not in the github you linked to.

If Christian told you it was just a minor change to reference /dev/block then he is being dishonest and needs to be truthful and release the c file.
Sent from my R1HD(ZenUI) via Tapatalk

willdoyle22 · May 5, 2016 12 2 0

cant seem to get files to download correctly on Mac. has this been tested using adb and fastboot via macbook pro?

mrmazak · Nov 1, 2016 at 6:47 PM

willdoyle22 said:
cant seem to get files to download correctly on Mac. has this been tested using adb and fastboot via macbook pro?

I know I'm on Windows. And o e other user who did it on arch. So that's two os's. I don't know why it would be different on a mac. You should be able to download it from the website.

But the batch (.bat) is a Windows thing isn't it.
I assume the adb commands will be the same , but might have to type each one out. That's what someone else did who was doing it on an arch Linux
Also remember there is an adb.exe and windows drivers .DLL in the downloaded zip. So you mifht have to remove them so your Mac used your adb and drivers

willdoyle22 · Nov 1, 2016

i removed the windows files/exe's. when i type in the first command " adb push drtycow /data/local/tmp/dirtycow" i keep getting the same response... "cannot stat 'dirtycow' : no such file or directory"

is this an error on my part?

* not necessarily new to rooting, but definitely new to doing it manually and dealing with locked bootloaders so i apologize if i am asking obvious questions*

mrmazak · Nov 1, 2016 at 7:21 PM

willdoyle22 said:
i removed the windows files/exe's. when i type in the first command " adb push drtycow /data/local/tmp/dirtycow" i keep getting the same response... "cannot stat 'dirtycow' : no such file or directory"

is this an error on my part?

* not necessarily new to rooting, but definitely new to doing it manually and dealing with locked bootloaders so i apologize if i am asking obvious questions*

Try giving it the full path. For example if the file dirtycow is in /home/willDoyle/download. Then do "adb push /home/willDoyle/download/dirtycow /data/local/to/dirtycow"

willdoyle22 · May 5, 2016 12 2 0

mrmazak said:
Try giving it the full path. For example if the file dirtycow is in /home/willDoyle/download. Then do "adb push /home/willDoyle/download/dirtycow /data/local/to/dirtycow"

still no luck. it is at least recognizing it as a directory, but now anytime i try to push it, it just blasts me with all the different possible commands within adb... cant find anything that points out a specific problem. Thanks for your help btw.

mrmazak · Nov 1, 2016 at 10:45 PM

willdoyle22 said:
still no luck. it is at least recognizing it as a directory, but now anytime i try to push it, it just blasts me with all the different possible commands within adb... cant find anything that points out a specific problem. Thanks for your help btw.

How about going back to the basic command to see if your Mac is conected to the phone. What do you get with "adb devices" ?

willdoyle22 · May 5, 2016 12 2 0

mrmazak said:
Try giving it the full path. For example if the file dirtycow is in /home/willDoyle/download. Then do "adb push /home/willDoyle/download/dirtycow /data/local/to/dirtycow"

mrmazak said:
How about going back to the basic command to see if your Mac is conected to the phone. What do you get with "adb devices" ?

works fine, shows my device serial number and then brings up a new command line

willdoyle22 · May 5, 2016 12 2 0

willdoyle22 said:
works fine, shows my device serial number and then brings up a new command line

attached screenshot of terminal

mrmazak · Nov 2, 2016 at 2:11 AM

willdoyle22 said:
attached screenshot of terminal

oh I see. maybe

you need two (2) arguements for adb push

"adb push (sourse file location)(1 space)(destination file location)

ex ; willy_$ adb push willy/desktop/dirtycow /data/local/tmp/dirtycow

willdoyle22 · May 5, 2016 12 2 0

mrmazak said:
oh I see. maybe

you need two (2) arguements for adb push

"adb push (sourse file location)(1 space)(destination file location)

ex ; willy_$ adb push willy/desktop/dirtycow /data/local/tmp/dirtycow

just wanted to say thanks! got everything done, decided to not roll back to the previous bootloader version, but i blocked ota updates and amazon ads/apps so I think i should be fine. rooted and running xposed, finally got what i wanted out of this phone!!!

BLU R1 HD v6.6 Dirtycowed F.U. AMAZON ROOT AND UNLOCK GUIDE

Member

Senior Member

Member

Senior Member

Senior Member

GuestD0086

Guest

Senior Member

Senior Member

Senior Member

Senior Member

Member

Senior Member

Member

Senior Member

Member

Senior Member

Member

Member

Senior Member

Member