Question Rooting Galaxy Watch4

adfree

Senior Member
Jun 14, 2008
9,837
5,826
Samsung Galaxy Watch 4
Maybe this could help to get closer to Root...

Code:
COMBINATION_FAC_FBR0_R860XXU1AVE2_FACFAC_CL24349936_QB52279843_REV00_user_mid_noship_MULTI_CERT.tar.md5
2022-06-22
COMBINATION_FAC_FBR0_R865USQU1AVE2_FACFAC_CL24349936_QB52279850_REV00_user_mid_noship_MULTI_CERT.tar.md5
2022-06-22
COMBINATION_FAC_FBR0_R870XXU1AVE2_FACFAC_CL24349936_QB52279853_REV00_user_mid_noship_MULTI_CERT.tar.md5
2022-06-22
COMBINATION_FAC_FBR0_R875USQU1AVE2_FACFAC_CL24349936_QB52279860_REV00_user_mid_noship_MULTI_CERT.tar.md5
2022-06-22
COMBINATION_FAC_FBR0_R880XXU1AVE2_FACFAC_CL24349936_QB52279865_REV00_user_mid_noship_MULTI_CERT.tar.md5
2022-06-22
COMBINATION_FAC_FBR0_R885USQU1AVE2_FACFAC_CL24349936_QB52279872_REV00_user_mid_noship_MULTI_CERT.tar.md5
2022-06-22
COMBINATION_FAC_FBR0_R890XXU1AVE2_FACFAC_CL24349936_QB52279874_REV00_user_mid_noship_MULTI_CERT.tar.md5
2022-06-22
COMBINATION_FAC_FBR0_R895USQU1AVE2_FACFAC_CL24349936_QB52279880_REV00_user_mid_noship_MULTI_CERT.tar.md5

Only as info.

Best Regards
 

adfree

I have now 2 Victim SM-R870 for stupid tests...

1 seems dead dead... will see after Soldering wires...

But second SM-R870 is alive... EVA8 Firmware...

Ready for stupid Action(s).

Best Regards
 

adfree

Found this today... for signing vbmeta...


My tiny "progress"...

A

Soldered wires to dead dead SM-R870... but still dead...

B

So I was able to take the 2 Hardware Keys to repair my halfdead SM-R870...

So I have now 2 HW Keys... the red Key(s)...

C

After soldering wires... I lost 1 wire... during movement...
So this is known danger... so I have to prepare few things... BEFORE I solder wires to my alive SM-R870...

I wish to prevent such accident like happens to me long time ago with SM-R730... ripped off 1 golden TP...

Best Regards

Edit 1.

Few Photos about my Soldering Adventure...

Edit 2.

More funny Photos and weird idea(s)...
 

adfree

My last Patching attempts long time ago with Magisk Version 24.3...

Now seems something new... 25.1

Only as info...

Will try both:
24.3
and
25.1

I have to prepare SM-R870 files... EVA8...

Best Regards
 

adfree

IMHO in 1 hour I can test...

My Checklist...

Code:
A

Reset SM-R870 Standalone
No WiFi


B

*#9900#

Upload enabled
+
Debug HIGH

C

Full charging


D

Bootloader unlock



E

netOdin Action

I need 45 minutes for C... Charging...

Then Bootloader Unlock... then I can try Magisk patched files... Version 25.1...
 

adfree

I have forgotten Bootloader unlock is doing Factory Reset...

So I have to do again Debug HIGH etc...


First result... same like we know from Magisk 24.3...


I need now some time to check Log Files... taken via *#9900#

Best Regards

Edit 1.

Fail with netOdin also Reset Debug HIGH...
 

adfree

Tiny progress...

Flashed successfully only patched vbmeta...

This forced me to do Factory Reset from Recovery... because some Error blabla...

Bootloader unlock shows Warning Pic... blabla Custom...

Now I have the second blabla not Samsung Official...

So IMHO Knox is now dead...

Code:
D:\Android\ADB>adb shell getprop ro.boot.warranty_bit
1

Bootloader unlock alone not kill Knox... IMHO...
Code:
D:\Android\ADB>adb shell getprop ro.boot.warranty_bit
0
 

adfree

Still no absolute success...

But tiny progress... very tiny...


Maybe problem is inside last "few" Bytes... in Footer...

For instance Combination Firmware crap is identified by FAC...

And normal boot.img have text string MRK... maybe like Market...


Magisk etc. removes all human readable Samsung text...

IMHO this seems why f%&ing DL wireless detect:
On Watch:
Code:
Secure Failed:Boot


In Odin Mode I see:
Code:
ODIN MODE (Boot: Load Fail
Load_boot_images: Invalid Magic

Only as info...

Best Regards

Edit 1.

Btw...

Footer from patched Magisk boot.img is much shorter...
So file length is wrong IMHO...
 

Attachments

  • AVB_BootFooter_v1.zip
    48.2 KB · Views: 4
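
Added example, not part of the thread or of any poster's files: a reader for the generic 64-byte AVB footer (the `AvbFooter` layout from libavb) that the footer discussion above refers to, with layout checks run on a constructed image. The sample image, the partition sizes and the function names are assumptions for illustration; which of these checks Samsung's bootloader performs is not stated in this thread.

```python
import struct

# AvbFooter layout from libavb: magic, version major/minor, original image
# size, vbmeta offset, vbmeta size, 28 reserved bytes; all big-endian.
FOOTER_FMT = "!4s2L3Q28x"
FOOTER_SIZE = struct.calcsize(FOOTER_FMT)  # 64 bytes


def parse_avb_footer(image: bytes):
    """Return the footer fields if the image ends with an AVB footer, else None."""
    if len(image) < FOOTER_SIZE:
        return None
    magic, major, minor, orig_size, vb_off, vb_size = struct.unpack(
        FOOTER_FMT, image[-FOOTER_SIZE:])
    if magic != b"AVBf":
        return None
    return {"version": (major, minor), "original_image_size": orig_size,
            "vbmeta_offset": vb_off, "vbmeta_size": vb_size}


def check_image(image: bytes, partition_size: int):
    """List layout problems; an empty list means the footer is consistent."""
    problems = []
    if len(image) > partition_size:
        problems.append("image larger than partition")
    footer = parse_avb_footer(image)
    if footer is None:
        problems.append("no AVB footer in last 64 bytes")
        return problems
    vb_off, vb_size = footer["vbmeta_offset"], footer["vbmeta_size"]
    if footer["original_image_size"] > vb_off:
        problems.append("vbmeta overlaps payload")
    if vb_off + vb_size > len(image) - FOOTER_SIZE:
        problems.append("vbmeta runs into footer")
    elif image[vb_off:vb_off + 4] != b"AVB0":
        problems.append("vbmeta magic missing at recorded offset")
    return problems


def build_sample(partition_size: int = 4096) -> bytes:
    """Constructed image: payload, vbmeta stub, zero padding, footer at the end."""
    payload = b"KERNEL" * 100            # stand-in for the boot payload
    vbmeta = b"AVB0" + bytes(252)        # stub: only the magic is real
    footer = struct.pack(FOOTER_FMT, b"AVBf", 1, 0,
                         len(payload), len(payload), len(vbmeta))
    padding = bytes(partition_size - len(payload) - len(vbmeta) - FOOTER_SIZE)
    return payload + vbmeta + padding + footer


if __name__ == "__main__":
    good = build_sample()
    print(parse_avb_footer(good))
    print(check_image(good, 4096))           # consistent
    print(check_image(good[:-100], 4096))    # tail cut off: footer not found
    print(check_image(good, 2048))           # does not fit the partition
```

The footer is located only by its position at the very end of the image, so any change in file length moves it out of the place a verifier looks.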

TacoDeMuerte

Senior Member
Feb 16, 2021
52
44
Few mistakes later I am here...

Code:
'BOOT' Image size is too big!

Result of replace Footer from Original boot.img to Magisk patched Version...
Thanks for all your work! I wish I could help, but wouldn't know where to start. I have to wonder if there is a post somewhere that explains the general process of rooting. Not just the end result, but the work that goes into figuring it out in the first place. I have a background in app development and electronics engineering, and have been following the road to root posts for the GW4. So far, it all makes sense, but I am wondering, what needs to be done to complete the process? I wouldn't mind pitching in here and there, but would need to be brought 'up to speed', so I'm not sure if it's worth anyone's time to explain it on here. If there is a post/website out there, let me know and I will read up on it. Thanks again!
 

adfree


Here is Ramdisk of EVA8...

In wirelessd Binary we can find the Error messages...

Btw... this is the Binary which is called by Recovery Kernel to perform Download Wireless...

sboot.bin Bootloader shows text strings in Odin Mode...


@TacoDeMuerte
Really sorry.


I have not enough time nor enough energy to collect Links for 1 click solution for you...

In main I am using "search function"...
search in Google
search in XDA

At the moment I am fail to bypass Security... with netOdin only

Rumour... because not really confirmed in public...
With USB cable connected and Odin use less Security check...

Search Strings...
Code:
AVB
vbmeta

No idea if you already know Magisk?

Best Regards
 

TacoDeMuerte

Thanks! I figured it would be a longshot, but thought I would ask. Searching things like, "How to root..." only produces the end result and not the process/work involved. I will search vbmeta and Magisk. I have used Magisk, but am unfamiliar with how it does its "magic". I think I will also read some of your older posts on other roots to get an idea of what it takes. Anyway, I don't want to waste any more of your time, so I will just say, thanks again for your work!
 

adfree

Tried few more stupid things... but out of luck to bypass Security with netOdin only...

So I have no more ideas as USB...


Checklist...

Windows Driver needed (for my Test Notebook)

Found this:

Leads to this:

Odin I have somewhere on my PC... I hope...

Now charging Battery to 100 % before I will solder wires...
 

adfree

Tiny progress...

Soldered wires with my old fat fingers...

2 times dump with RDX Tool...

First attempt with Odin unmodified TAR from Magisk 25.1

Flashing no problem... but Upload Mode comes...

So I will check the custom Kernel(s)...

Best Regards
 

Top Liked Posts

  • 2
    Attempt 1 for dd Action...

    Code:
    D:\Android\ADB>adb push super.zip /sdcard
    super.zip: 1 file pushed. 1.9 MB/s (1983237332 bytes in 995.834s)
    
    D:\Android\ADB>adb shell
    freshbl:/ $ su
    freshbl:/ # unzip -h
    usage: unzip [-d DIR] [-lnopqv] ZIP [FILE...] [-x FILE...]
    
    Extract FILEs from ZIP archive. Default is all files. Both the include and
    exclude (-x) lists use shell glob patterns.
    
    -d DIR  Extract into DIR
    -l      List contents (-lq excludes archive name, -lv is verbose)
    -n      Never overwrite files (default: prompt)
    -o      Always overwrite files
    -p      Pipe to stdout
    -q      Quiet
    -v      List contents verbosely
    -x FILE Exclude files
    freshbl:/ # cd /sdcard
    freshbl:/sdcard # unzip super.zip
    Archive:  super.zip
      inflating: super.new.img
    Aborted

    No idea why aborted... ZIP created on Ubuntu...

    Will try on Windows with 7Zip...

    Edit 1.

    After few different Compress Tools...
    Code:
    freshbl:/sdcard # gunzip super.img.gz
    freshbl:/sdcard # df -h
    Filesystem                            Size  Used Avail Use% Mounted on
    tmpfs                                 693M  1.2M  691M   1% /dev
    tmpfs                                 693M     0  693M   0% /mnt
    /dev/block/mmcblk0p27                  27M  128K   27M   1% /metadata
    /dev/block/dm-3                       3.9M  980K  3.0M  25% /odm
    /dev/block/mmcblk0p31                 581M  343M  238M  60% /prism
    /dev/block/mmcblk0p32                  39M  1.5M   37M   5% /optics
    tmpfs                                 693M  2.8M  690M   1% /dev/QelRwS
    tmpfs                                 693M     0  693M   0% /apex
    tmpfs                                 693M  352K  692M   1% /linkerconfig
    /dev/block/mmcblk0p34                  16M   24K   16M   1% /omr
    /dev/block/mmcblk0p33                 193M  2.8M  190M   2% /cache
    /dev/block/mmcblk0p1                  3.8M  228K  3.6M   6% /mnt/vendor/efs
    /dev/block/mmcblk0p4                  3.8M   24K  3.8M   1% /mnt/vendor/cpefs
    /dev/block/mmcblk0p2                  3.8M  1.1M  2.7M  29% /efs
    /dev/block/dm-4                       8.3G  5.9G  2.4G  72% /data
    tmpfs                                 693M     0  693M   0% /data_mirror
    /dev/QelRwS/.magisk/block/vendor       82M   79M  2.9M  97% /dev/QelRwS/.magisk/mirror/vendor
    /dev/QelRwS/.magisk/block/product     139M  139M  244K 100% /dev/QelRwS/.magisk/mirror/product
    /dev/QelRwS/.magisk/block/system_root 3.4G  3.3G   17M 100% /dev/QelRwS/.magisk/mirror/system_root
    tmpfs                                 693M     0  693M   0% /system/bin
    /dev/fuse                             8.3G  5.9G  2.4G  72% /mnt/user/0/emulated
    freshbl:/sdcard # dd if=/sdcard/super.img of=/dev/block/mmcblk0p30
    dd: /sdcard/super.img: read error: Transport endpoint is not connected
    1|freshbl:/sdcard # ls -a1l
    Segmentation fault
    139|freshbl:/sdcard # reboot
    Segmentation fault
    139|freshbl:/sdcard #

    Result is bootloop...
    But SM-R870 is still alive...
    Recovery I can enter... Fac Reset... blabla

    Now I restore super.img with Odin...
    1
    Few mistakes later...

    A

    Looks like SD Card means really external SD Card...

    B

    I still hope it is possible to inject Shell Script in Recovery...



    C
    Downloaded TWRP for my SM-A202F to learn few things...

    Need to unpack Ramdisk...

    D
    ADB Problems etc seems also in Phone world...

    So IMHO this is most Security crap related... not really missing drivers or something like this...


    E

    I saw some ENG files on Easy F...

    For my SM-A202F

    Maybe somebody found something like this... for other device...

    Please share for study.

    Best Regards

    Edit 1.

    Need to learn about init blabla...

    1
    @janjan
    Any kind of progress with this?

    I mean your TWRP project?

    Best Regards
    1
    Seems I have to go the longer... harder way to update from EVA8...

    Need to make fulldump with netcat to check few things...

    Meanwhile I have created recovery.img from FVD4 SM-R870 Delta package...

    Last steps looks like this. Size differ as we used for boot.img...

    Code:
    D:\Android\ADB>adb shell
    a20e:/ $ su
    a20e:/ # cd /sdcard
    a20e:/sdcard # losetup -f
    /dev/block/loop1
    a20e:/sdcard # losetup /dev/block/loop1 /sdcard/boot.img
    a20e:/sdcard # applypatch --patch /sdcard/recovery-from-boot.p --target EMMC:/dev/block/loop1:55574528:ddc1c9c7d82aaad94c3d64f3c56ee10264a1067b --source EMMC:/dev/block/loop1:55574528:4ae8eb9e8041c56588fe975805cc4126a9092b0e
    a20e:/sdcard # dd if=/dev/block/loop1 of=/sdcard/dumploop.bin
    108544+0 records in
    108544+0 records out
    55574528 bytes (53 M) copied, 0.748982 s, 71 M/s
    a20e:/sdcard #

    Still I use my SM-A202F for applypatch...

    Edit 1.

    With hard I mean to create valid super.img... something like this:


    1
    Okay found Command for our GW4.

    Here my SM-R870 EVA8

    Code:
    lpdump --slot 0 /dev/block/by-name/super
    
    lpdump --slot 1 /dev/block/by-name/super

    Result looks like this:

    Code:
    freshbl:/dev/block/by-name $ lpdump --slot 1 /dev/block/by-name/super
    Metadata version: 10.0
    Metadata size: 592 bytes
    Metadata max size: 65536 bytes
    Metadata slot count: 2
    Header flags: none
    Partition table:
    ------------------------
      Name: system
      Group: group_basic
      Attributes: readonly
      Extents:
        0 .. 7067335 linear super 2048
    ------------------------
      Name: vendor
      Group: group_basic
      Attributes: readonly
      Extents:
        0 .. 171487 linear super 7069696
    ------------------------
      Name: product
      Group: group_basic
      Attributes: readonly
      Extents:
        0 .. 283823 linear super 7241728
    ------------------------
      Name: odm
      Group: group_basic
      Attributes: readonly
      Extents:
        0 .. 8495 linear super 7526400
    ------------------------
    Super partition layout:
    ------------------------
    super: 2048 .. 7069384: system (7067336 sectors)
    super: 7069696 .. 7241184: vendor (171488 sectors)
    super: 7241728 .. 7525552: product (283824 sectors)
    super: 7526400 .. 7534896: odm (8496 sectors)
    ------------------------
    Block device table:
    ------------------------
      Partition name: super
      First sector: 2048
      Size: 5368709120 bytes
      Flags: none
    ------------------------
    Group table:
    ------------------------
      Name: default
      Maximum size: 0 bytes
      Flags: none
    ------------------------
      Name: group_basic
      Maximum size: 5364514816 bytes
      Flags: none
    ------------------------
    freshbl:/dev/block/by-name $ lpdump --slot 0 /dev/block/by-name/super
    Metadata version: 10.0
    Metadata size: 640 bytes
    Metadata max size: 65536 bytes
    Metadata slot count: 2
    Header flags: none
    Partition table:
    ------------------------
      Name: system
      Group: group_basic
      Attributes: readonly
      Extents:
        0 .. 7067647 linear super 2048
        7067648 .. 7259671 linear super 7536640
    ------------------------
      Name: vendor
      Group: group_basic
      Attributes: readonly
      Extents:
        0 .. 171927 linear super 7069696
    ------------------------
      Name: product
      Group: group_basic
      Attributes: readonly
      Extents:
        0 .. 284671 linear super 7241728
        284672 .. 289775 linear super 7729152
    ------------------------
      Name: odm
      Group: group_basic
      Attributes: readonly
      Extents:
        0 .. 8495 linear super 7526400
    ------------------------
    Super partition layout:
    ------------------------
    super: 2048 .. 7069696: system (7067648 sectors)
    super: 7069696 .. 7241624: vendor (171928 sectors)
    super: 7241728 .. 7526400: product (284672 sectors)
    super: 7526400 .. 7534896: odm (8496 sectors)
    super: 7536640 .. 7728664: system (192024 sectors)
    super: 7729152 .. 7734256: product (5104 sectors)
    ------------------------
    Block device table:
    ------------------------
      Partition name: super
      First sector: 2048
      Size: 5368709120 bytes
      Flags: none
    ------------------------
    Group table:
    ------------------------
      Name: default
      Maximum size: 0 bytes
      Flags: none
    ------------------------
      Name: group_basic
      Maximum size: 5364514816 bytes
      Flags: none
    ------------------------


    Now I can check and compare output from imjtool etc...
    To find the correct values for my super.img Adventure...

    Best Regards
  • 4
    Can I ask, why would root be good for this device? What could we achieve from an actual root of a wear os watch?
    The same reason we root any device; to have full access to system resources without a naggy nanny telling us what we can and can't do with our own devices. With root, we can be creative. Without root, we have to follow rules.
    4
    A

    NO
    1 click Solution

    B

    netOdin
    AND
    Odin


    So at the moment USB connection required. Means 4 wires soldered to Watch...

    Feel free to find Solution without USB...
    My brain is too small.

    C

    Success only with old EVA8 and my SM-R870...

    If I have enough tested... then maybe 1 day in future will check newer Firmware(S)...


    D

    Magisk
    Version 24.3 patched successfully 2 files from Stock Firmware EVA8

    Code:
    boot.img
    vbmeta.img

    D.1

    My mistake was to use other device to Patch... SM-A202F Android 11...
    But this is wrong

    Better same or similar device...

    In my case I performed the Magisk step with SM-R860 FVD4

    D.2

    BUT
    additional step required to make it GW4 Security "compatible"...

    With Hex Editor of your choice... search for text string:
    Code:
    seandroid

    Remove last 11 MB... included the search text string...

    Look at attached boot.img

    E

    After Bootloader Unlock blabla stepS...

    netOdin for vbmeta TAR

    This force you to do Factory Reset in Recovery...

    WARNING!
    This is exact the step which kills Knox... so byebye warranty and some Apps...

    F

    NEXT/SECOND
    step is with ODIN and USB cable

    boot.img TAR

    G

    In next post(s) I will try to give more infos...
    Maybe Video Upload for Magisk step... because additional File Manager needed...


    Best Regards
    3
    The Magisk "creation"/patching part with GW4 device.

    A
    Magisk APK 24.3 successfully tested with my SM-R860 FVD4...

    Code:
    adb install Magisk-v24.3.apk


    B
    Magisk need Filemanager...
    I have installed 4 or 5 from Playstore via GW4... but ONLY this is working as it seems...

    File Explorer FTP Server
    from Nasai



    C

    I will make Video... how Magisk looks on SM-R860 aka GW4...
    Need some time...
    Will add later...


    D

    You can use Download folder... because Magisk stores result in Download...

    In other words:
    Code:
    /sdcard/Download