[Release] Root the Palm phone

deadman96385

Retired Forum Moderator / Recognized Developer
Aug 19, 2011
Saint Paul, Minnesota
Here is a rooting method for the Palm Phone, either the US variant or the Vodafone variant; this has not been tested or confirmed working on any other device. This root method may break in the future because it is using a tool that isn't designed for the public. I tried getting the firehose packaged with the tool to work in other EDL flashing tools but was not able to get it working, so this is all we have for now. There is minimal risk in doing this; it just has a lot of steps and it requires a PC running Windows.

Note: This will wipe your device, so anything stored on it will be lost. Please back up anything important like photos/contacts/etc.

  1. Download and install Sugar QCT from here (be sure to install the USB drivers as well).
  2. Included in the zip are the username and password that you will need to run the program; please do not post them here.
  3. Boot the device into recovery by turning the device off and then holding the power button until it restarts 3-4 times and boots to recovery.
  4. Select the option to go into emergency download mode.
  5. Now plug the device into your computer and open Sugar QCT.
  6. From the list select pepito/PVG100 (US) or pepito_vdf (Vodafone).
  7. Now select Upgrade; this will download Palm's firmware package and flash it to the device.
  8. When it finishes, do not close Sugar.
  9. Unplug your device and hold the power button for a few minutes so it will restart out of EDL mode; use a rubber band or something to apply pressure to it so you don't have to hold it.
  10. Go to where Sugar QCT is installed (C:\Program Files (x86)\SUGAR QCT_SP_Gotu2\bin\).
  11. In there you should see a folder called PVG100-xxxx (the x's are your serial number).
  12. Copy that to your desktop or anywhere else that you like.
  13. In the folder there should be some random-looking mbn files; these are actually the firmware files, just with the names randomized to make using them harder.
  14. There should be a file called B1AMD0D0CV00.mbn; if not, look for a file that starts with a B. It will be the boot.img.
  15. You will need to push that to an Android device and patch it with Magisk Manager.
  16. Once that is done, replace the B1AMD0D0CV00.mbn in your copy of the firmware with the patched boot.img.
  17. Boot it back into emergency download mode as previously stated.
  18. Close and reopen Sugar.
  19. Copy your firmware copy back into C:\Program Files (x86)\SUGAR QCT_SP_Gotu2\bin\; be sure it is the same folder structure.
  20. Now select your model again and then press the Upgrade button in Sugar; this will now flash your modified firmware to the device.
  21. Once it finishes, hold the power button for a few minutes so it will restart out of EDL mode; use a rubber band or something to apply pressure to it so you don't have to hold it.
  22. When it restarts and powers up, go through setting the phone up and install Magisk Manager, and you're rooted.

Thanks to @StormSeeker1 for telling me about holding the power button for a few minutes to get out of EDL; previously you had to let the phone die to get out of it, which is a pain.
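Steps 13 and 14 rely on guessing which randomly named .mbn file is the boot image. The following is an added example (not part of the original post or of Sugar QCT) that identifies a boot image by its Android boot image header (the "ANDROID!" magic and page-aligned kernel/ramdisk layout) instead of by file name; the sample image it builds is constructed for the demonstration and is not real firmware.

```python
import struct
from pathlib import Path

BOOT_MAGIC = b"ANDROID!"
# Android boot image header, version 0/1 fixed layout: magic, ten u32 fields,
# 16-byte product name, 512-byte cmdline, 32-byte id, 1024-byte extra cmdline.
_HDR = "<8sIIIIIIIIII16s512s32s1024s"
HDR_SIZE = struct.calcsize(_HDR)  # 1632 bytes


def parse_boot_header(blob):
    """Return a dict describing an Android boot image header, or None if blob is not one."""
    if len(blob) < HDR_SIZE or blob[:8] != BOOT_MAGIC:
        return None
    (_magic, kernel_size, _kernel_addr, ramdisk_size, _ramdisk_addr,
     _second_size, _second_addr, _tags_addr, page_size, header_version,
     _os_version, name, cmdline, _img_id, _extra) = struct.unpack_from(_HDR, blob)
    if page_size == 0 or page_size & (page_size - 1):
        return None  # a valid header has a non-zero power-of-two page size
    pages = lambda n: (n + page_size - 1) // page_size
    kernel_offset = page_size                      # header occupies the first page
    ramdisk_offset = kernel_offset + pages(kernel_size) * page_size
    return {
        "page_size": page_size,
        "header_version": header_version,
        "kernel_size": kernel_size,
        "ramdisk_size": ramdisk_size,
        "kernel_offset": kernel_offset,
        "ramdisk_offset": ramdisk_offset,
        "name": name.rstrip(b"\0").decode(errors="replace"),
        "cmdline": cmdline.rstrip(b"\0").decode(errors="replace"),
    }


def find_boot_images(files):
    """files: iterable of (name, bytes). Returns the names whose content is a boot image."""
    return [n for n, data in files if parse_boot_header(data) is not None]


def scan_directory(path):
    """Scan a firmware folder (e.g. the copied PVG100-xxxx folder) for *.mbn boot images."""
    return find_boot_images((f.name, f.read_bytes()) for f in Path(path).glob("*.mbn"))


def build_sample_boot_image(page_size=2048):
    """Constructed minimal boot image for offline demonstration; not real firmware."""
    kernel, ramdisk = b"\x00" * 100, b"\x00" * 50   # placeholder payloads
    hdr = struct.pack(_HDR, BOOT_MAGIC, len(kernel), 0x80008000, len(ramdisk), 0x81000000,
                      0, 0, 0x80000100, page_size, 0, 0, b"", b"console=ttyMSM0", b"", b"")
    pad = lambda b: b + b"\0" * (-len(b) % page_size)
    return pad(hdr) + pad(kernel) + pad(ramdisk)
```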

snoopy20

Senior Member
Jul 21, 2008
Interesting, shall do it tomorrow.

Curious, this doesn't use the root exploit discussed in other threads? Where is (7) downloading from?
 

xswxm

Senior Member
Apr 19, 2011
Is it possible to dump the radio files from a network-unlocked device and use these files to unlock the Verizon network?
Any other ideas to unlock the network?

Current findings:
1. Remove the Verizon SIM warning.
Simply edit /vendor/build.prop and modify the line "ro.product.vzw=true" to false. However, it has a side effect, causing the contacts in the dialer to FC while browsing.
2. Enable diag, serial and QMI
One method is dialing "###2324#"; another approach is launching "EngineerMode" through apps like quickshortcutmaker, then navigating to Connectivity - DiagProtector.
3. Boot animation path
/Vendor/JRD_custres/media/
4. Most garbage apps path
/Vendor/priv-app/
 

deadman96385

Retired Forum Moderator / Recognized Developer
Aug 19, 2011
Saint Paul, Minnesota
> Is it possible to dump the radio files from a network-unlocked device and use these files to unlock the Verizon network?
> Any other ideas to unlock the network?
>
> Current findings:
> 1. Remove the Verizon SIM warning.
> Simply edit /vendor/build.prop and modify the line "ro.product.vzw=true" to false. However, it has a side effect, causing the contacts in the dialer to FC while browsing.
> 2. Enable diag, serial and QMI
> One method is dialing "###2324#"; another approach is launching "EngineerMode" through apps like quickshortcutmaker, then navigating to Connectivity - DiagProtector.
> 3. Boot animation path
> /Vendor/JRD_custres/media/
> 4. Most garbage apps path
> /Vendor/priv-app/

I put my T-Mobile SIM into mine and it worked fine, no edits needed, and mine is officially locked to Verizon.

> Every time I try to replace the MBN files after being patched the utility keeps redownloading the originals. Any advice?

Are you positive that the folder structure is the same?
 

snoopy20

Senior Member
Jul 21, 2008
Just began mine. So far it's stuck on 2%.

Regarding flashing Vodafone over Verizon, if the ROM files are signed with different keys then modifying the boot.img will surely break the signage?
 

tapa_t

Senior Member
May 27, 2014
> Just began mine. So far it's stuck on 2%.
>
> Regarding flashing Vodafone over Verizon, if the ROM files are signed with different keys then modifying the boot.img will surely break the signage?

Are you still stuck at 2%? Of downloading, or of flashing?
 

tapa_t

Senior Member
May 27, 2014
> Tried flashing pvg100e over pvg100; it will get stuck at the beginning and the program won't flash.

Doesn't that empirically prove that different versions have different signatures, or at least ROMs are different enough to prevent switching over? Maybe we are just so lucky that boot.img is not checked as rigorously.
Is pvg100e for Vodafone? Where did you get the ROM if your device is pvg100?
Does it finish flashing if you do pvg100 over pvg100?
 

xswxm

Senior Member
Apr 19, 2011
> Doesn't that empirically prove that different versions have different signatures, or at least ROMs are different enough to prevent switching over? Maybe we are just so lucky that boot.img is not checked as rigorously.
> Is pvg100e for Vodafone? Where did you get the ROM if your device is pvg100?
> Does it finish flashing if you do pvg100 over pvg100?

The tool deadman provided definitely works if you follow the instructions and choose the right version.
For the signature issue, maybe you can find the answer in another thread about temporary root.
As to the version problems, pvg100 is for Verizon.
To my knowledge, the pvg100e is for many other vendors, such as Vodafone, and the UK version may share the same model name. There is another version, pvg100eu, for Europe. You can find more evidence in the temporary root thread.
 

snoopy20

Senior Member
Jul 21, 2008
So far the following:

Windows 10 64-bit: goes to 2%, then after a few seconds a 5002 error.
Windows 7 64-bit inside VirtualBox: goes to 2% and then doesn't move.

I've tried the drivers and others on the web, although the latest is around 2014/15.
 

xswxm

Senior Member
Apr 19, 2011
> The tool deadman provided definitely works if you follow the instructions and choose the right version.
> For the signature issue, maybe you can find the answer in another thread about temporary root.
> As to the version problems, pvg100 is for Verizon.
> To my knowledge, the pvg100e is for many other vendors, such as Vodafone, and the UK version may share the same model name. There is another version, pvg100eu, for Europe. You can find more evidence in the temporary root thread.

Checked last night: mine, pvg100, is Snapdragon 430, and the China mainland version is pvg100c with Snapdragon 435.
 

ssuds

Senior Member
Jul 13, 2012
> It doesn't use any root exploit; it's downloading the firmware directly from TCL servers. The tool used is designed for service centers.

I'm not looking to root right now, but if I'm understanding this correctly, this should mean that I can use SugarQCT to pull the latest version (1AMD) firmware for my Palm that doesn't show any OTAs available and is still on the original 1AGL firmware. Is that correct?

Thanks for making this happen, deadman96385!
 

terence.tan

Member
Jan 13, 2017
Canberra
keybase.io
> Doesn't that empirically prove that different versions have different signatures, or at least ROMs are different enough to prevent switching over? Maybe we are just so lucky that boot.img is not checked as rigorously.

No need for empirical proof, I did the analysis here.

The difference is: the early part of boot is Qualcomm code using Qualcomm security. These are the "pbl", "sbl/edl" and "aboot/fastboot" programs (and also "modem", "tz" and other bits). These were the parts that I was looking at in the link above.

When "aboot" completes, it hands over to the late part of boot, which is Android code using Google security. These are the "boot.img/Linux kernel" programs, "recovery", "system", "vendor", "data", etc. They use a different security model. That's what this root method targets. You are correct when you say "Maybe we are just so lucky that boot.img is not checked as rigorously".

It does imply that you can mix the PVG100 Qualcomm partitions for "early boot" with the PVG100E Android partitions for "late boot" and vice-versa. But someone with motivation needs to test this... (No, you can't unlock cellular bands this way; the "modem" partition is from Qualcomm and must match your hardware.)

A good diagram is below (image not reproduced here); source (and explanation): https://blog.quarkslab.com/analysis-of-qualcomm-secure-boot-chains.html. I recommend studying this article.

> I'm not looking to root right now, but if I'm understanding this correctly, this should mean that I can use SugarQCT to pull the latest version (1AMD) firmware for my Palm that doesn't show any OTAs available and is still on the original 1AGL firmware. Is that correct?

This should work. Keep in mind that whilst 1AMD seems to be fine, future versions may (permanently) close the vulnerabilities that allow you to get root, modify system partitions or use the current version of SugarQCT. I don't think this will happen, but we should all keep the possibility in mind.