[Release] Root the Palm phone

[deadman96385]

Here is a rooting method for the Plam Phone either the US variant or the Vodafone variant this has not been tested or confirmed working on any other device. This root method may break in the future because it is using a tool that isn't designed for the public i tried getting the firehose packaged with the tool to work in other edl flashing tools but was not able to get it working. So this is all we have for now. There is minimal risk in doing this it just has a lot of steps and it requires a pc running windows.

Note: This will wipe your device so anything stored on it will be lost please backup anything important like photos/contacts/etc

1. Download and install Sugar QCT from here (Be sure to install the usb drivers as well)
2. Included in the zip is the username and password that you will need to use to run the program please do not post it here.
3. Boot the device into recovery by turning the device off and then holding the power button until it restarts 3-4 times and boots to recovery
4. Select the option to go into emergency download mode
5. Now plug the device into your computer and open Sugar QCT
6. From the list select pepito/PVG100 (US) or pepito_vdf (Vodafone)
7. Now select Upgrade this will download the palms firmware package and flash it to the device
8. When it finishes do not close sugar
9. Unplug your device and hold the power button for a few minutes so it will restart out of EDL mode, use a rubber band or something to apply pressure to it so you don't have to hold it
10. Go to where Sugar QCT is installed (C:\Program Files (x86)\SUGAR QCT_SP_Gotu2\bin\)
11. In there you should see a folder called PVG100-xxxx (The x's are your serial number)
12. Copy that to your desktop or anywhere else that you like
13. In the folder, there should be some random looking mbn files these are actually the firmware files just names are randomized to make using them harder.
14. There should be a file called B1AMD0D0CV00.mbn if not look for a file that starts with a B it will be the boot.img
15. You will need to push that to an android device and patch it with magisk manager.
16. Once that is done replace the B1AMD0D0CV00.mbn in your copy of the firmware with the patched boot.img
17. Boot it back into emergency download mode as previously stated
18. Close and reopen sugar
19. Copy your firmware copy back into C:\Program Files (x86)\SUGAR QCT_SP_Gotu2\bin\ be sure it is the same folder structure
20. Now select your model again and then press the upgrade button in sugar this will now flash your modified firmware to the device.
21. Once it finishes hold the power button for a few minutes so it will restart out of EDL mode, use a rubber band or something to apply pressure to it so you don't have to hold it
22. When it restarts and powers up then go through setting the phone up and install magisk manager and you're rooted.

Thanks to @StormSeeker1 for telling me about holding the power button for a few minutes to get out of EDL previously you had to let the phone die to get out of it which is a pain.

 

[snoopy20]

Interesting, shall do it tomorrow.

Curious, this doesn't use the root exploit discussed in other threads? Where is (7) downloading from?

 

[deadman96385]

Interesting, shall do it tomorrow.

Curious, this doesn't use the root exploit discussed in other threads? Where is (7) downloading from?

It doesn't use any root exploit, it's downloading the firmware directly from TCL servers, the tool used is designed for service centers.

 

[snoopy20]

If they are the same hardware, it should be possible to flash Vodaphone over the top?

 

[deadman96385]

If they are the same hardware, it should be possible to flash Vodaphone over the top?

They are signed with different keys, so it will probably cause the device to boot loop and or not startup. I would not recommend trying it.

 

[xswxm]

Is it possible to dump the radio files from an network unlocked device, and use these files to unlock Verizon network.
Any other ideas to unlock network?

Current findings:
1. Remove the Verizon sim warning.
Simply edit the /vendor/build.prop and modify line "ro.product.vzw=true" to false. However, it has a side effect, causing the contacts in dailer FC while browsering.
2. Enable diag, serial and QMI
One method is dialing "###2324#", another approach is launching "EngineerMode" through apps like quickshortcutmaker, then navigate to Connectivity - DiagProtector.
3. Boot animation path
/Vendor/JRD_custres/media/
4. Most garbage apps path
/Vendor /priv-app/

 

[kotaKat]

Every time I try to replace the MBN files after being patched the utility keeps redownloading the originals. Any advice?

 

[deadman96385]

Is it possible to dump the radio files from an network unlocked device, and use these files to unlock Verizon network.
Any other ideas to unlock network?

Current findings:
1. Remove the Verizon sim warning.
Simply edit the /vendor/build.prop and modify line "ro.product.vzw=true" to false. However, it has a side effect, causing the contacts in dailer FC while browsering.
2. Enable diag, serial and QMI
One method is dialing "###2324#", another approach is launching "EngineerMode" through apps like quickshortcutmaker, then navigate to Connectivity - DiagProtector.
3. Boot animation path
/Vendor/JRD_custres/media/
4. Most garbage apps path
/Vendor /priv-app/

I put my t-mobile sim into mine and it worked fine no edits needed and mine is officially locked to verizon.

Every time I try to replace the MBN files after being patched the utility keeps redownloading the originals. Any advice?

Are you postive that the folder structure is the same?

 

[xswxm]

I put my t-mobile sim into mine and it worked fine no edits needed and mine is officially locked to verizon.



Are you postive that the folder structure is the same?

I am using another carrier, not USA ones, and it has problems with 4G network.

 

[RanTammit]

it works, thanks

 

[snoopy20]

Just began mind. So far it's stuck on 2%.

Regarding flashing Vodaphone over Verizon, if the ROM files are signed with different keys then modifying the boot.img will surely break the signage?

 

[tapa_t]

Just began mind. So far it's stuck on 2%.

Regarding flashing Vodaphone over Verizon, if the ROM files are signed with different keys then modifying the boot.img will surely break the signage?

Are you still stuck at 2%? Of downloading, or of flashing?

 

[xswxm]

I put my t-mobile sim into mine and it worked fine no edits needed and mine is officially locked to verizon.



Are you postive that the folder structure is the same?

Are you still stuck at 2%? Of downloading, or of flashing?

Tried flash pvg100e over pvg100, it will stuck at the beginning and the program won't flash.

 

[tapa_t]

Tried flash pvg100e over pvg100, it will stuck at the beginning and the program won't flash.

Doesn't that empirically prove that different versions have different signatures, or at least ROM's are different enough to prevent switching over? Maybe we are just so lucky that boot.img is not checked as rigorously.
Is pvg100e for Vodafone? Where did you get the ROM if your device is pvg100?
Does it finish flashing if you do pvg100 over pvg100?

 

[xswxm]

Doesn't that empirically prove that different versions have different signatures, or at least ROM's are different enough to prevent switching over? Maybe we are just so lucky that boot.img is not checked as rigorously.
Is pvg100e for Vodafone? Where did you get the ROM if your device is pvg100?
Does it finish flashing if you do pvg100 over pvg100?

The tool deadman provided definitely works if u follow the instruction and choose the right version.
For the signature issue, maybe u can find the answer in another thread about temporary root.
As to the version problems, pvg100 is for Verizon.
To my knowledge, the pvg100e is for many other vendors, such as Vodafone, and the UK version maybe share the same model name. There is another version pvg100eu, for European. U can find more evidence in the temporary root thread.

 

[snoopy20]

So far the following:

Windows 10 64 - goes to 2% then after a few seconds a 5002 error.
Windows 7 64 inside Virtualbox - goes to 2% and then doesn't move.

I've tried the drivers and others on the web although the latest is around 2014/15.

 

[xswxm]

The tool deadman provided definitely works if u follow the instruction and choose the right version.
For the signature issue, maybe u can find the answer in another thread about temporary root.
As to the version problems, pvg100 is for Verizon.
To my knowledge, the pvg100e is for many other vendors, such as Vodafone, and the UK version maybe share the same model name. There is another version pvg100eu, for European. U can find more evidence in the temporary root thread.

Checked last night, mine, pvg100, is snapdragon 430, and the China mainland version is pvg100c with snapdragon 435.

 

[ssuds]

It doesn't use any root exploit, it's downloading the firmware directly from TCL servers, the tool used is designed for service centers.

I'm not looking to root right now, but if I'm understanding this correctly this should mean that I can use SugarQCT to pull the latest version (1AMD) firmware for my Palm that doesn't show any OTA's available and is still on the original 1AGL firmware. Is that correct?

Thanks for making this happen, deadman96385!

 

[terence.tan]

Doesn't that empirically prove that different versions have different signatures, or at least ROM's are different enough to prevent switching over? Maybe we are just so lucky that boot.img is not checked as rigorously.

No need for empirical proof, I did the analysis here.

The difference is: the early part of boot is Qualcomm code using Qualcomm security. These are the "pbl", "sbl/edl" and "aboot/fastboot" programs (and also "modem", "tz" and other bits). These were the parts that I was looking at in the link above.

When "aboot" completes, it hands over to the late part of boot, which is Android code using Google security. These are the "boot.img/Linux kernel" programs, "recovery", "system", "vendor", "data", etc. They use a different security model. That's what this root method targets. You are correct when you say "Maybe we are just so lucky that boot.img is not checked as rigorously".

It does imply that you can mix the PVG100 Qualcomm partitions for "early boot" with the PVG100E Android partitions for "late boot" and vice-versa. But someone with motivation needs to test this... (No, you can't unlock cellular bands this way; the "modem" partition is from Qualcomm and must match your hardware.)

A good diagram is below; Source (and explanation): https://blog.quarkslab.com/analysis-of-qualcomm-secure-boot-chains.html -- I recommend studying this article.

I'm not looking to root right now, but if I'm understanding this correctly this should mean that I can use SugarQCT to pull the latest version (1AMD) firmware for my Palm that doesn't show any OTA's available and is still on the original 1AGL firmware. Is that correct?

This should work. Keep in mind that whilst 1AMD seems to be fine, future versions may (permanently) close the vulnerabilities that allow you to get root, modify system partitions or use the current version of SugarQCT. I don't think this will happen but we should all keep the possibility in mind.

 

[snoopy20]

Which Windows version are people using? I've tried W10 and also W7 through a virtualbox but with the above errors.