Cubot Pocket: unlock bootloader and attempting to flash GSI

wori
I finally got my cubot pocket. I like my devices without GAPPS so I unlocked the bootloader and tried to flash a GSI. I didn't manage to actually boot a flashed GSI yet.
Any hints how to achieve flashing a GSI would be highly appreciated!

This post contains: observations and general hints for this level of development, a guide to unlock the bootloader and what I did so far to flash a GSI. If I succeed, I'll post a guide for that too (If there's nothing before of course)

General/random notes

  • there are two different things reachable as "bootloader":
    • in fastboot switch to bootloader. The device displays the Cubot splash and from the display it looks stuck, but it exposes a fastboot interface -> useful
    • $ adb|fastboot reboot bootloader
      shows the droid with open service door, saying "no command". It also exposes adb, but I don't see how to authorise it. Maybe via the debug UART? I didn't yet read the UART when I stumbled upon this. Currently it seems useless to me.
  • there are test points for the debug UART easily reachable once you disassemble it.
    I didn't see anything with a 3.3V USB UART adapter, but a logic analyser with 1.4 V threshold works -> it probably uses 1.8 V logic level. UART-wise it's 115200 8n1.
    I think I don't have anything to hook up to the TX currently.
  • UART log of boot
  • it's easy to softbrick this device, and I haven't found a nice way out of softbricked yet. Two not-so-nice ways:
    - drain the battery, which obviously requires lots of patience
    - disassemble the device and disconnect the battery

    then flash the original ROM from the cubot site following the instructions there.
    • Once it bootloops, I didn't manage to power it off or get into fastboot / recovery using the device's keys.
  • the device reconfigures its USB during boot and there's a limited time for the SPDFlashTool's mode that flashes complete firmwares. That means that it's not really feasible to run SPDFlashTool inside a VM.
  • the phone actually does something with the battery detached but USB power attached. For example, it's possible to flash it with the SPDFlashTool. However, it doesn't boot the linux kernel / Android, this seems to be inhibited.
    This is in contrast to many other devices that are not laptops for which the PMIC does not provide power to the system when the battery is disconnected.

Unlocking the bootloader

This works similar to other Spreadtrum/Unisoc-based devices.
The crucial thing is to issue get_identifier_token from fastboot -> reboot to bootloader. If you issue it in adb reboot fastboot, it will say OKAY and may also print a four character string, but this is not the token you're looking for.
Also, when you flash the unlock_bootloader signature.bin, it will prompt you on the phone, but you have to react differently than described on the phone - see below.
  • enable Android developer mode (Settings -> About Phone -> tap "build number" >= 7x)
  • enable OEM unlocking (Settings -> System -> Developer Options -> OEM unlocking)
  • enable ADB (Settings -> System -> Developer Options -> USB debugging)
  • adb reboot fastboot
  • choose "reboot to bootloader"
  • Code:
    $ fastboot oem get_identifier_token
  • proceed as described here
  • finally:
    Code:
    $ fastboot flashing unlock_bootloader signature.bin
    this prompts you to press volume up to cancel, volume down to confirm.
    But volume down and power don't have any effect; instead, volume up starts wiping user.
    Wiping takes a bit longer than I'd expect, for me 433 s.
Congratulations, you now own your phone a bit more than before!

Flashing GSIs (probably applies to ROMs in general)

  • it's a Treble-enabled arm64 A/B device. Flashing GSIs should be possible.
  • It looks to me like the A/B is crippled as all the _b partitions are 0-sized, probably to save space.
  • system_a is a bit below 1 GB ( 0x3CF5D000 B) which is likely smaller than any interesting GSI.
    attempting to flash yields
    Code:
    Resizing 'system' FAILED (remote: 'Not enough space to resize partition')
  • There's the general hint to delete the product partition by running
    Code:
    $ fastboot delete-logical-partition product
    then it's actually possible to flash a GSI, however:
  • the device bootloops :poop: -> log
    From the log I realised I need to modify vbmeta, so:
  • it does Android Verified Boot (AVB); from my understanding the easiest way forward is to disable it by:
    • creating a vbmeta.img with
      Code:
      $ avbtool make_vbmeta_image --flags 2 --padding_size 4096 --output vbmeta_disabled.img
      • the padding necessary might be 16384 instead, according to the hovatek thread below.
    • it might be necessary to pad it additionally. There's a tutorial and a script here
    • when I flash both the hovatek-unpadded avbtool-4096-padded and hovatek-padded avbtool-16384-padded vbmeta, the device bootloops :poop: -> log
  • I guess the next step would be to unpack the vendor PAC ROM and check how the vbmeta image looks there.
    • Since with the original vbmeta it looks like it's restarting when it's already running linux / android, another way to go at this might be to change the kernel cmdline: instruct it to not do verity - Does anyone know how this is possible?
 

wori

dead ends (so far...)

  • didn't manage to find what image header magic number was wrong with the vbmeta.img (was already in the starting post)
  • the vbmeta actually doesn't chain to system, but there's a vbmeta_system partition (and vbmeta_vendor.img, vbmeta_system_ext.img, vbmeta_product.img) - I flashed the empty vbmeta disabling checking to vbmeta_system... and it bootloops again :poop:
    this time the error is:
    Code:
    sprd_get_all_imgversion: ab_slot_flag is 0
    read  successed
    sprd_get_all_imgversion: rpmb read blk 16382 successful
    invalid sprd imgversion magic 0 exp a50000a5
    uboot_vboot_verify_img() return error:param->a0=3
    • could be that it's just necessary to write the magic number to the correct offset, but I couldn't figure out where this offset is - the images in the PAC don't have this number, so I guess it's embedded on-the-fly while flashing.
    • searching for imgversion+spreadtrum gets 0 relevant results - I guess it's very unusual that people hook up to the debug uart 🤨
    • I didn't manage to disassemble uboot.img - at least the disassembly doesn't look like a bootloader to me. Not an expert with disassemblies though!
  • modifying boot.img with magisk also results in invalid sprd imgversion, so no root or disabled verity through this route
  • I didn't manage to read back from flash through SPD ResearchDownload, I get the error "incompatible partition" for userdata - and I can't deselect it :/
    (I thought it might be possible to get the sprd imgversion magic through this route)

Partial success

I managed to boot a GSI signed by Google through Dynamic System Updates (DSU).
It kind of looks like it's running in emulation though: settings say "About emulated device" and it gets its own userdata.img
The DSU page also says it will only run GSIs signed by Google or the vendor (not sure which key that would be, but I doubt there are any) - I haven't tried flashing anything this route

Open Ends:

reverse engineering the imgversion thing

It should be possible to figure out how this imgversion business works, ultimately from the u-boot.img / PAC content. Does anyone have any idea how to proceed there? I tried:
  • binwalk: doesn't look useful to me, nothing got extracted -> here
  • arm-none-eabi-objdump -b binary -D u-boot-sign.bin -m armv8-a -Mforce-thumb
    (also without -Mforce-thumb and with -m armv7)
  • I'm pretty sure it's actually U-boot: there is the U-boot version string matching the one printed to uart and also the printf-string for the imgversion

requested U-boot source code from Cubot

I requested source for all GPL'ed parts of the Pocket from Cubot, but especially U-Boot and the kernel. I'd be pleasantly surprised if something comes out of this though

reading back the flash

Does anyone have an idea how to do that? without root no access to /dev/block/mmcblk* and I didn't get SPD ResearchDownload to read it.
 

santosst
It's nice that you could unlock the bootloader! I'll try to do it soon (maybe in some months, but ok lol)
Anyway, which GSI did you try? And about the vbmeta, I think it should be enough to flash the blank vbmeta.img from google. Maybe we could use the original vbmeta.img from stock ROM with the --disable-xxxxx flags.

This is the tutorial from phhusson's group (the man behind the treble project):

0. Get an up-to-date fastboot on your computer (fastboot --version should give version >= 29)
1. Get vbmeta.img from https://dl.google.com/developers/android/qt/images/gsi/vbmeta.img
2. Get A/B GSI (I'm guessing you need ARM64), don't forget to uncompress it
3. From running Android, do adb reboot bootloader
4. fastboot --disable-verity --disable-verification flash vbmeta vbmeta.img
5. fastboot reboot fastboot
6. fastboot flash system system-xxxx.img
6bis. If fastboot tells you there isn't enough place, do fastboot delete-logical-partition product, fastboot delete-logical-partition product_a, fastboot delete-logical-partition product_b and run the fastboot flash command again
7. On your phone, the screen should have a button "go back to recovery", select it, then select "factory reset / wipe data"
8. Reboot and enjoy
 
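wori's `avbtool make_vbmeta_image --flags 2` step in the first post and step 4 above (`fastboot --disable-verity --disable-verification flash vbmeta vbmeta.img`) both come down to the same thing: setting bits in the 32-bit flags field of the 256-byte AVB vbmeta header. The script below is an added example, not code from this thread or from the avb/fastboot projects. It parses that header, reports the flags, builds a minimal unsigned "disabled" vbmeta with a chosen padding, and ORs the flag bits into an existing image the way fastboot does. Header layout and flag constants follow libavb's avb_vbmeta_image.h; the release string and the images built by make_vbmeta_image() are constructed, and the padding sizes (4096, 16384) are the ones discussed in the thread.

```python
"""Inspect/patch the flags field of an AVB vbmeta image (added example, not from the thread).
Header layout follows libavb's avb_vbmeta_image.h; sample images built here are constructed."""
import struct
import sys

AVB_MAGIC = b"AVB0"
HEADER_SIZE = 256          # sizeof(AvbVBMetaImageHeader)
FLAGS_OFFSET = 120         # big-endian uint32 flags; fastboot ORs its bits into byte 123
HASHTREE_DISABLED = 1      # AVB_VBMETA_IMAGE_FLAGS_HASHTREE_DISABLED      (--disable-verity)
VERIFICATION_DISABLED = 2  # AVB_VBMETA_IMAGE_FLAGS_VERIFICATION_DISABLED  (--disable-verification)

# AvbVBMetaImageHeader, every field big-endian, 256 bytes in total.
_HEADER_FMT = ">4sIIQQI" + "Q" * 11 + "II48s80s"
_HEADER_FIELDS = (
    "magic", "required_libavb_version_major", "required_libavb_version_minor",
    "authentication_data_block_size", "auxiliary_data_block_size", "algorithm_type",
    "hash_offset", "hash_size", "signature_offset", "signature_size",
    "public_key_offset", "public_key_size", "public_key_metadata_offset",
    "public_key_metadata_size", "descriptors_offset", "descriptors_size",
    "rollback_index", "flags", "rollback_index_location", "release_string", "reserved",
)
assert struct.calcsize(_HEADER_FMT) == HEADER_SIZE


def parse_header(img: bytes) -> dict:
    """Unpack the header; raise ValueError for anything that is not a vbmeta image."""
    if len(img) < HEADER_SIZE:
        raise ValueError("image is shorter than the %d-byte vbmeta header" % HEADER_SIZE)
    hdr = dict(zip(_HEADER_FIELDS, struct.unpack_from(_HEADER_FMT, img, 0)))
    if hdr["magic"] != AVB_MAGIC:
        raise ValueError("bad magic %r, expected %r" % (hdr["magic"], AVB_MAGIC))
    hdr["release_string"] = hdr["release_string"].rstrip(b"\0").decode("ascii", "replace")
    return hdr


def get_flags(img: bytes) -> int:
    return parse_header(img)["flags"]


def describe_flags(flags: int) -> list:
    """Names of the known flag bits that are set (empty list means verification is on)."""
    names = []
    if flags & HASHTREE_DISABLED:
        names.append("HASHTREE_DISABLED")
    if flags & VERIFICATION_DISABLED:
        names.append("VERIFICATION_DISABLED")
    return names


def set_flags(img: bytes, disable_verity: bool = False, disable_verification: bool = False) -> bytes:
    """Return a copy with the requested bits OR-ed into flags, which is what fastboot does.
    Nothing else is touched, so a signature over the header becomes stale; only a
    bootloader that tolerates verification errors (unlocked) will accept the result."""
    flags = get_flags(img)  # also validates magic and length
    if disable_verity:
        flags |= HASHTREE_DISABLED
    if disable_verification:
        flags |= VERIFICATION_DISABLED
    out = bytearray(img)
    struct.pack_into(">I", out, FLAGS_OFFSET, flags)
    return bytes(out)


def make_vbmeta_image(flags: int = VERIFICATION_DISABLED, padding_size: int = 4096,
                      release_string: bytes = b"constructed example") -> bytes:
    """Unsigned, descriptor-less vbmeta like `avbtool make_vbmeta_image --flags N
    --padding_size P` (algorithm NONE, libavb 1.0), zero-padded to padding_size."""
    values = dict.fromkeys(_HEADER_FIELDS, 0)
    values.update(magic=AVB_MAGIC, required_libavb_version_major=1, flags=flags,
                  release_string=release_string, reserved=b"\0" * 80)
    img = struct.pack(_HEADER_FMT, *(values[f] for f in _HEADER_FIELDS))
    if padding_size:
        img += b"\0" * ((-len(img)) % padding_size)
    return img


def main(argv: list) -> int:
    """usage: vbmeta_flags.py <vbmeta.img> [--disable-verity] [--disable-verification] [-o out.img]"""
    if not argv or argv[0].startswith("-"):
        print(main.__doc__)
        return 2
    with open(argv[0], "rb") as f:
        img = f.read()
    hdr = parse_header(img)
    print("%s: release=%r algorithm=%d rollback_index=%d flags=0x%x %s" % (
        argv[0], hdr["release_string"], hdr["algorithm_type"], hdr["rollback_index"],
        hdr["flags"], describe_flags(hdr["flags"]) or "(verification enabled)"))
    if "-o" in argv:
        out = argv[argv.index("-o") + 1]
        patched = set_flags(img, "--disable-verity" in argv, "--disable-verification" in argv)
        with open(out, "wb") as f:
            f.write(patched)
        print("wrote %s with flags=0x%x" % (out, get_flags(patched)))
    return 0


if __name__ == "__main__":
    sys.exit(main(sys.argv[1:]))
```

Run it against an image pulled from the stock PAC (`python vbmeta_flags.py vbmeta-sign.img`) to see whether the flags are already set, or add `--disable-verity --disable-verification -o out.img` to produce a patched copy for `fastboot flash`. Two caveats: patching leaves the header's signature stale, so the image only passes on an unlocked bootloader that tolerates verification errors, and in AOSP's fastboot.cpp `is_vbmeta_partition()` matches only partition names ending in `vbmeta`, `vbmeta_a` or `vbmeta_b`, so the `--disable-*` switches do nothing to a chained `vbmeta_system` or `vbmeta_product` image; such an image has to be patched on the host first. None of this touches Unisoc's separate "sprd imgversion" check that the thread ran into; that happens in U-Boot before AVB.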

changer86
Thanks for your work. I got my Cubot Pocket unlocked too. I have booted LineageOS 19 via DSU Sideloader. It runs like a charm but there is no way to flash the GSI permanently.
 

wori
@changer86 with the DSU I have the navigation bar not showing, back-gesture not functioning and no automatic display brightness - do these work for you?
 

changer86
@changer86 with the DSU I have the navigation bar not showing, back-gesture not functioning and no automatic display brightness - do these work for you?

I tried it. My navigation bar is showing and working normally.
Automatic display brightness is working too.
I don't use gestures, but if you tell me how to do it, I will check that too.

Image: lineage-19.1-20220719-UNOFFICIAL-arm64_bvS.img.xz
and DSU-Sideloader 1.03 from Github. Default Settings
 

wori
thanks for trying!
You can change it in Settings->System->Navigation->System Navigation->check Gesture Navigation

So: interesting that you got a Lineage build working, maybe that's the important difference! From Google's doc I understand that there's some verification, but it looks like there isn't. Since I actually don't want the Google build, I'll try with Lineage next. Did you also try the built-in DSU way, as described in Google's doc?
 

changer86
Did you also try the built-in DSU way, as described in Google's doc?

As I understood it, the app does exactly the same as the Google doc says. It seems like unlocking the bootloader is enough to boot a custom DSU. I have read something about signed images that will boot without unlocking the bootloader, but I didn't try it. I just want to get rid of all the Google stuff before using the Pocket :) Hope we can get it working.

btw: gestures seem to work. Swipe from right to middle closes apps, from middle to up opens the menu
 

changer86
After a weekend of fails I flashed Lineage 19 to my old KingKong Mini and it's working on the first try. The problem seems to be the Unisoc T310. The success rate of flashing GSIs to the T310 seems to be really low. Does anybody know another Android 11 device with a Unisoc T310 that is working with GSI ROMs?
 

badcodelab

raary
Hi, can you help me with this situation? I can't unlock the bootloader on the Cubot Pocket.
I tried to unlock on my Ubuntu and Windows devices.
FAILED (Flashing Lock Flag is locked. Please unlock it first)

I don't know what to do about this problem
 

changer86
Did you use the modified fastboot? Under Ubuntu, start a terminal from the extracted folder and use ./fastboot instead of fastboot. Ensure that fastboot in the folder is executable. Check this guide: How to unlock Unisoc

Be warned: unlocking the bootloader is working, but flashing vbmeta like you tried leads to a bootloop. I think the Cubot Pocket needs signed images for flashing. There is a guide for custom signed images but I did not get it to work for now.
 

raary
Did you use the modified fastboot? Under Ubuntu, start a terminal from the extracted folder and use ./fastboot instead of fastboot. Ensure that fastboot in the folder is executable. Check this guide: How to unlock Unisoc

Be warned: unlocking the bootloader is working, but flashing vbmeta like you tried leads to a bootloop. I think the Cubot Pocket needs signed images for flashing. There is a guide for custom signed images but I did not get it to work for now.
Thank you, I will try to unlock
 

raary
I can't stay on the stock OS; my GSI on the Cubot Pocket has only 16 GB via DSU sideload, which is too little for me, and a proper custom ROM doesn't exist for this, sad
 

badcodelab
@wori, @changer86, I didn't get clearly from your posts whether you tried to use the signed vbmeta from the stock ROM.

Also, I haven't managed to make the Research tool unpack boot.img or super.img; for some reason they stay listed as zero-sized .flag files in the target folder
 

Attachments: vbmeta-sign.img (1 MB)

Top Liked Posts

Ok, I just booted Google's Android 13 GSI from here, version ARM64, no GMS. Steps on fastbootd (after unlocking bootloader):

Code:
fastboot --disable-verity --disable-verification flash vbmeta_system vbmeta_system.img
fastboot --disable-verity --disable-verification flash vbmeta_product vbmeta_product.img
fastboot resize-logical-partition product_a 38000
fastboot flash system system.img

(on phone, go to recovery -> factory reset -> factory reset -> reboot)

I used both vbmeta-system and vbmeta-product from stock ROM.

I'll try to boot any phh-treble-based GSI now

EDIT 1: LOS 19.1 vndklite leads to bootloop
EDIT 2: Sooti's Android 13 booted 🥳 so I suppose LOS isn't able to boot because it is not a "secure" version, i.e. it has an su binary. Probably any A11, A12 or A13 GSI without built-in su will boot following this tutorial
EDIT 3: 4G calling isn't working; maybe we need to install the IMS apk from the stock ROM in the GSI. For now I'll use only 3G