Question Rooting Galaxy Watch4

Search This thread

adfree

Senior Member
Jun 14, 2008
9,853
5,834
Samsung Galaxy Watch 4
Code:
java -Xmx1024m -jar signapk.jar -w testkey.x509.pem testkey.pk8 kill2.zip signed.zip

Interesting... now with signapk from FOTA meta...
Zip is generated without Certs related files inside... but Zip is signed.

Help info....

Code:
java -Xmx1024m -jar signapk.jar -h
Usage: signapk [-w] [-a <alignment>] [-providerClass <className>] [--min-sdk-version <n>] [--disable-v2] [--enable-v4] publickey.x509[.pem] privatekey.pk8 [publickey2.x509[.pem] privatekey2.pk8 ...] input.jar output.jar [output-v4-file]

Now need to puzzle what I need to sign correct with 2 Certs...

Maybe I can use 1 2 times...


Edit 1.

enable v4 could be something like this:

Edit 2.
Stupid test 1 for "2" Certs:
Code:
java -Xmx1024m -jar signapk.jar -w testkey.x509.pem testkey.pk8 testkey.x509.pem testkey.pk8 kill2.zip signed.zip
Only one key may be used with -w.

Edit 3.

Code:
java -Xmx1024m -jar signapk.jar testkey.x509.pem testkey.pk8 testkey.x509.pem testkey.pk8 kill2.zip signed.zip
java.lang.IllegalArgumentException: Cannot detect minSdkVersion. Use --min-sdk-version to override
    at com.android.signapk.SignApk.main(SignApk.java:1167)
Caused by: com.android.apksig.apk.MinSdkVersionException: No AndroidManifest.xml in APK
    at com.android.signapk.SignApk.getMinSdkVersion(SignApk.java:997)
    at com.android.signapk.SignApk.main(SignApk.java:1165)

Edit 4.

Maybe my HDD full...

Code:
java -Xmx1024m -jar signapk.jar --min-sdk-version 30 testkey.x509.pem testkey.pk8 testkey.x509.pem testkey.pk8 kill2.zip signed.zip
Exception in thread "main" java.lang.OutOfMemoryError: Java heap space
    at java.base/java.util.Arrays.copyOf(Arrays.java:3745)
    at java.base/java.io.ByteArrayOutputStream.grow(ByteArrayOutputStream.java:120)
    at java.base/java.io.ByteArrayOutputStream.ensureCapacity(ByteArrayOutputStream.java:95)
    at java.base/java.io.ByteArrayOutputStream.write(ByteArrayOutputStream.java:156)
    at com.android.signapk.CountingOutputStream.write(CountingOutputStream.java:46)
    at java.base/java.util.zip.DeflaterOutputStream.deflate(DeflaterOutputStream.java:253)
    at java.base/java.util.zip.DeflaterOutputStream.write(DeflaterOutputStream.java:211)
    at java.base/java.util.zip.ZipOutputStream.write(ZipOutputStream.java:332)
    at com.android.signapk.SignApk.copyFiles(SignApk.java:546)
    at com.android.signapk.SignApk.main(SignApk.java:1195)
 
Last edited:
  • Like
Reactions: spart0n

adfree

Senior Member
Jun 14, 2008
9,853
5,834
Samsung Galaxy Watch 4
Okay... my fault...

Copy and Paste without knowing why...

Code:
java -Xmx1024m

This means to set JAVA Heap to MAX 1024 MB...

No idea if useless parameter... but this creates my ZIP for further stupid tests...
Code:
java -Xmx2048m -jar signapk.jar --min-sdk-version 30 testkey.x509.pem testkey.pk8 testkey.x509.pem testkey.pk8 kill2.zip signed.zip



Edit 1.
Result differ...

Creates more files like:
CERT1.RSA
CERT2.RSA

Instead CERT.RSA

Anyway. Will test this file...

Edit 2.

Fail...

But some Google Search Action:
Code:
/**



     * Add a copy of the public key to the archive; this should



     * exactly match one of the files in



     * /system/etc/security/otacerts.zip on the device.  (The same



     * cert can be extracted from the OTA update package's signature



     * block but this is much easier to get at.)



     */

Edit 3.

Will check how v4 looks...

Code:
java -jar signapk.jar --min-sdk-version 30 --enable-v4 testkey.x509.pem testkey.pk8 testkey.x509.pem testkey.pk8 kill2.zip signed.zip

I have tiny "feelings" my fail is also -a allignment related...

Edit 4.

Hmmmm...

Seems I need something with -w whole file... but 2 Certs

enable v4 failed no idea why... and my last attempt not signed the Zip (outside)... only added files inside ZIP...
 
Last edited:
  • Like
Reactions: spart0n

adfree

Senior Member
Jun 14, 2008
9,853
5,834
Samsung Galaxy Watch 4
Okay.

Other stupid test.

I am sure I was able to spoof otacerts,zip...

Now I will do Local FOTA Test with Original update.zip...

IMHO verification should now also fail?

I will see.

IMHO I am save in Recovery... because update will skip... I hope...

Edit 1.

Correct.
Original update.zip Verify fail...
...because otacerts.zip Spoofing done

Edit 2.

I made new otacerts.zip ... with only 1 Cert inside:
Code:
testkey.x509.pem

This time with Original Filename...

Now i copy the older result from older signapk... where -w
Whole Zip signed by 1 Cert
 
Last edited:
  • Like
Reactions: spart0n

adfree

Senior Member
Jun 14, 2008
9,853
5,834
Samsung Galaxy Watch 4
Still "my" problem unsolved...

Still using SEARCH Button in XDA and Google search but its not easy to find something... for my tiny brain...

Older stuff but very interesting... IMHO

Edit 1.

Still using search on XDA and Google search...
 
Last edited:
  • Like
Reactions: spart0n and galaxys

adfree

Senior Member
Jun 14, 2008
9,853
5,834
Samsung Galaxy Watch 4
Okidoki.

Maybe the idea to play with FOTA Delta update.zip exceeds my skills... for now...
As also recovery.img "hacking" required...

I think I should plan my return steps... to be able to update "normal" from EVA8 to FVD4...

Variant A.

TAR file with Original unmodified EVA8 files:
Code:
boot.img
vbmeta.tar

To flash normal via netOdin...

Variant B.

If I am drunken enough I will check dd way...
And if I am really REALLY drunken... then I do this from rooted EVA8 over FOTA Local Test...
Hmmmmm.... but this is maybe too heavy for all Security Traps... and could brick my SM-R870...

No idea if Samsung will release for """all""" GW4 the new Watchface GSG9 ehm GVG7...
Close to "unpack event"...

So I have few dayS...

I will change CSC to India... to "easily" CSC change to KOO or XAA if FOTA is available...

I am sure they will release like ever in waves... KOO and XAA or XAA and KOO first...

Best Regards

Edit 1.

I am wimpy... so used thee safer way IMHO...

A
changed CSC to INU

done

B
Flashed Original vbmeta.img via netOdin

done

Forced Factory Reset via Recovery...

C
Booted proper as it seems... with Magisk patched boot.img...

Flashed Original boot.img via netOdin

done

Again forced me to do Factory Reset in Recovery...

D
Now trying to update to FVD4 via FOTA...

My SM-R870 startet via taping Trick in Standalone Mode...

Edit 2.

Argh... forgotten... INU is still on FVC8...
But it is downloading...
 
Last edited:
  • Like
Reactions: spart0n

adfree

Senior Member
Jun 14, 2008
9,853
5,834
Samsung Galaxy Watch 4
:poop:

Now I have collection of problemS...

A

My SM-R870 is not rooted anymore...

Need to solder wires again... for USB connection...


B

I am still on old EVA8...

Because...

B.1

FOTA is broken by Knox 1...
So I can not update over the Air...

update.zip is downloading... Reboot into Recovery... I see 25 % then peng...
Error...

B.2

I have only EVA8 for netOdin/Odin Action...


C

If I solder wires for USB connection...

Then I have NO ADB over USB...

D

And if soldered wires I can not charge battery...
Not really safe...



IMHO I have to prepare few things, before I solder wires again...

Maybe I can find why ADB is disabled or blocked or ...

Found something by searching for init in Google...


I can run Recovery from Combination firmware... but low chance Security is lower to bypass FOTA check... IMHO...
But if ADB not detected I can not try the sideload option from recovery...

Best Regards
 

adfree

Senior Member
Jun 14, 2008
9,853
5,834
Samsung Galaxy Watch 4
Soldered wires again.

No luck with ADB... also from FAC Recovery...
Code:
C:\adb>adb devices
* daemon not running; starting now at tcp:5037
* daemon started successfully
List of devices attached


C:\adb>adb sideload NOTICE
adb: failed to stat file NOTICE: No such file or directory

C:\adb>adb sideload NOTICE.txt
adb: sideload connection failed: no devices/emulators found
adb: trying pre-KitKat sideload method...
adb: pre-KitKat sideload connection failed: no devices/emulators found


By stupid moments I pressed short in FAC Recovery menu:
Code:
Enter rescue

I saw only big red !

After few minutes I skipped... by holding both Keys...

Now will check if something is more dead...

Also no luck with mount system etc in FAC Recovery...

Only as info...

Btw.

To bypass Security check...
Use of Odin is enough...

No need to use netOdin if you allready soldered wires...

Code:
<ID:0/004> Added!!
<ID:0/004> Odin engine v(ID:3.1401)..
<ID:0/004> File analysis..
<ID:0/004> Total Binary size: 0 M
<ID:0/004> SetupConnection..
<ID:0/004> Initialzation..
<ID:0/004> Get PIT for mapping..
<ID:0/004> Firmware update start..
<ID:0/004> NAND Write Start!!
<ID:0/004> SingleDownload.
<ID:0/004> vbmeta.img
<ID:0/004> RQT_CLOSE !!
<ID:0/004> RES OK !!
<ID:0/004> Removed!!
<ID:0/004> Remain Port ....  0
<OSM> All threads completed. (succeed 1 / failed 0)
Patched vbmeta in step 1...

Then Forced Factory Reset via Recovery...

Then I have flashed both modified boot and FAC recovery in 1 step:
Code:
<ID:0/004> Added!!
<ID:0/004> Odin engine v(ID:3.1401)..
<ID:0/004> File analysis..
<ID:0/004> Total Binary size: 60 M
<ID:0/004> SetupConnection..
<ID:0/004> Initialzation..
<ID:0/004> Get PIT for mapping..
<ID:0/004> Firmware update start..
<ID:0/004> NAND Write Start!!
<ID:0/004> SingleDownload.
<ID:0/004> boot.img
<ID:0/004> recovery.img
<ID:0/004> RQT_CLOSE !!
<ID:0/004> RES OK !!
<ID:0/004> Removed!!
<ID:0/004> Remain Port ....  0
<OSM> All threads completed. (succeed 1 / failed 0)

Best Regards
 
  • Like
Reactions: spart0n

adfree

Senior Member
Jun 14, 2008
9,853
5,834
Samsung Galaxy Watch 4
New attempt to update with Original EVA8 and Original update.zip...

Code:
adb push boot.img /sdcard

adb push vbmeta.img /sdcard

adb push update.zip /sdcard

adb shell

su

cp /sdcard/update.zip /data/fota


dd if=/sdcard/boot.img of=/dev/block/mmcblk0p18

dd if=/sdcard/vbmeta.img of=/dev/block/mmcblk0p23
 
reboot fota


With FAC Recovery from Combination Firmware...

I hope no forced Factory Reset... otherwise I loose my update.zip

Edit 1.

Landed in Odin Mode... with vbmeta blabla Error...

Fixed by flashing again patched vbmeta via Odin... OS boot proper...

Now will check reboot fota again...

Edit 2.

By "mistake" real FOTA update started... now I know what kind of S. is the first Wear bla bla Animation before Reboot...
Here is Recovery checked and restored...

So in my SM-R870 FAC Recovery from Combination Firmware is replaced with Original Stock Recovery...

Grummel...

Tiny Summary...

I can flash back Original vbmeta.img... and after Forced Factory Reset...
Still Magisk patched boot.img and also "modified" Recovery working.

If I lock Bootloader again. Then Error...

Last attempt for today...

Flash FAC Recovery again... IMHO I need patched vbmeta again...

Then write back Original EVA8 vbmeta...

Then:
Code:
adb push boot.img /sdcard

adb push update.zip /sdcard

adb shell

su

cp /sdcard/update.zip /data/fota

dd if=/sdcard/boot.img of=/dev/block/mmcblk0p18

reboot fota
 
Last edited:
  • Like
Reactions: spart0n

adfree

Senior Member
Jun 14, 2008
9,853
5,834
Samsung Galaxy Watch 4
I have few % battery left...

I could do:
Testing Magisk patched FVD4 Kernel with EVA8...

Or I can try few things to enable USB charging via Software... something like this:

Need some Google Search...

No idea if FAC Recovery allow me to charge...

If battery empty I will desolder again wires... as I need to assemble Back Cover for Charging...


Edit 1.

Code:
To enable battery Charging:

    adb shell dumpsys battery set ac 1
    adb shell dumpsys battery set usb 1
    adb shell dumpsys battery set wireless 1

To disable battery Charging:

    adb shell dumpsys battery set ac 0
    adb shell dumpsys battery set usb 0
    adb shell dumpsys battery set wireless 0

This looks interesting...

Will try first the get option...
If I can...

Edit 2.
SM-R870 EVA8 with connected USB cable... aka soldered wires...

Code:
D:\Android\ADB>adb shell dumpsys battery
Current Battery Service state:
  AC powered: false
  USB powered: false
  Wireless powered: false
  Max charging current: 0
  Max charging voltage: 0
  Charge counter: 140400
  status: 3
  health: 2
  present: true
  level: 38
  scale: 100
  voltage: 3737
  temperature: 344
  technology: Li-ion
  batteryMiscEvent: 0
  batteryCurrentEvent: 0
  mSecPlugTypeSummary: 0
  current now: -118
  charge counter: 140400
health: [email protected]::[email protected]
BatteryInfoBackUp
  mSavedBatteryAsoc: -1
  mSavedBatteryMaxTemp: -1
  mSavedBatteryMaxCurrent: -1
  mSavedBatteryUsage: 1150
  FEATURE_SAVE_BATTERY_CYCLE: true
 
Last edited:
  • Like
Reactions: sermister1

adfree

Senior Member
Jun 14, 2008
9,853
5,834
Samsung Galaxy Watch 4
No real luck with Charging...

So I have tested short Magisk patched FVD4 Kernel...

Code:
D:\Android\ADB>adb shell cat /proc/version
Linux version 4.19.151-23869841-abR870XXU1FVD4 ([email protected]) (Android (6443078 based on r383902) clang version 11.0.1 (https://android.googlesource.com/toolchain/llvm-project b397f81060ce6d701042b782172ed13bee898b79), GNU ld (binutils-2.27-bd24d23f) 2.27.0.20170315) #1 SMP PREEMPT Wed Apr 27 11:38:13 KST 2022


So for me it runs with EVA8 Firmware crap...

Code:
D:\Android\ADB>adb shell
freshbl:/ $ su
freshbl:/ # cd /data/fota
freshbl:/data/fota # ls -a1l
total 367471
drwxrwx---  2 system system      3452 2022-08-13 00:13 .
drwxrwx--x 54 system system      4096 2022-08-13 01:03 ..
-rw-------  1 system system 375905930 2022-08-13 00:20 update.zip
freshbl:/data/fota # rm update.zip

So need to desolder wires soon... to charge battery...

Best Regards
 
  • Like
Reactions: sermister1

adfree

Senior Member
Jun 14, 2008
9,853
5,834
Samsung Galaxy Watch 4
Oh... today result of Google search for FOTA...

Need to read with open eyes...

More search results...

Hmmm... this seems to me not really Samsung related...

Maybe on other Brands easier... but for me with this Kox crap...
 
Last edited:

adfree

Senior Member
Jun 14, 2008
9,853
5,834
Samsung Galaxy Watch 4
Puh... progress with Fastboot Drivers...

Maybe this is chance to charge Battery... with USB cable...

Code:
C:\>cd adb

C:\adb>fastboot devices
mySerialN     fastboot

C:\adb>fastboot getvar battery-voltage
battery-voltage:
Finished. Total time: 0.002s

C:\adb>fastboot getvar all
all:
Finished. Total time: 0.000s



Driver found here:

Leads to this Megalink:

Only as info...

Now will check what I can do with Fastboot...

Still I hope Battery not exploding... only charging...


Best Regards
 

adfree

Senior Member
Jun 14, 2008
9,853
5,834
Samsung Galaxy Watch 4
Battery Charging over USB... still unsolved...

For now I am trying this...
Code:
C:\adb>fastboot devices
mySerialN     fastboot

C:\adb>fastboot flash zip update.zip
Sending 'zip' (367095 KB)

No idea... I still see fastboot on SM-R870 and on PC only Cursor Blinking...

Edit 1.

Grummel...
Code:
C:\adb>fastboot -v flash zip update.zip
fastboot: verbose: Do flash zip update.zip
fastboot: verbose: target didn't report max-download-size
Sending 'zip' (367095 KB)                          ^C
C:\adb>fastboot -v reboot
Rebooting                                          OKAY [  0.000s]
Finished. Total time: 0.016s

Basic basic Command not work like Reboot...

So IMHO something is wrong...

A
Samsung own OEM Commands...

B
Driver totally wrong...

C
Maybe with FAC Recovery?

Need to check where Fastboot is inside...

"Enter fastboot" do nothing...

Edit 2.

If I look with HEX Editor into sboot.bin Bootloader File I can see few text strings ... fastboot related...

Also few fastboot related text strings inside RAMDISK from Recovery...

So maybe Recovery Kernel involved...

Will check FAC Recovery from Combination Firmware...

Edit 3.

Also no luck with FAC Recovery...


If I use count in sboot.bin.... from WinHex...

then in Stock EVA8 sboot.bin 14 hits...

But in FAC sboot.bin from Combination Firmware 32 hits...

Conclusion for me...
Kastra... from Stock Bootloader to block fastboot IMHO
 
Last edited:

adfree

Senior Member
Jun 14, 2008
9,853
5,834
Samsung Galaxy Watch 4
Plan for next dayS is to play with Recovery... Ramdisk...

So need Tools for unpack repack recovery.img...

Not tested... found this:

IMHO I will use Ubuntu...
Maybe other Tools like Super or what ever easier for me to use...

Best Regards
 

adfree

Senior Member
Jun 14, 2008
9,853
5,834
Samsung Galaxy Watch 4
Code:
[email protected]:~/kernelunpack/1$ ./gradlew unpack
[main] WARN cfig.packable.PackableLauncher - [recovery.img] will be handled by [BootImgParser]
[main] WARN cfig.packable.PackableLauncher - 'unpack' sequence initialized
[main] INFO cfig.packable.BootImgParser - header version 2
[main] WARN cfig.bootimg.v2.BootHeaderV2 - BootImgHeader constructor
[main] INFO cfig.Avb - python aosp/avb/avbtool.v1.2.py verify_image --image recovery.img
Verifying image recovery.img using embedded public key
vbmeta: Successfully verified footer and SHA256_RSA4096 vbmeta struct in recovery.img
recovery: Successfully verified sha256 hash of recovery.img for image of 55452448 bytes
[main] INFO KernelExtractor - [python, aosp/build/tools/extract_kernel.py, --input, build/unzip_boot/kernel, --output-configs, build/unzip_boot/kernel_configs.txt, --output-version, build/unzip_boot/kernel_version.txt]
[main] INFO KernelExtractor - kernel version: [5.4.61]
[main] INFO KernelExtractor - kernel config dumped to : build/unzip_boot/kernel_configs.txt
[main] INFO ZipHelper - decompress(gz) done: build/unzip_boot/ramdisk.img.gz -> build/unzip_boot/ramdisk.img
[main] INFO cfig.bootimg.cpio.AndroidCpio - Cleaning /home/asus/kernelunpack/1/build/unzip_boot/root ...
[main] INFO cfig.bootimg.cpio.AndroidCpio - cpio trailer found, mode=000001ed
[main] INFO cfig.bootimg.Common -  ramdisk extracted : build/unzip_boot/ramdisk.img -> build/unzip_boot/root
[main] INFO cfig.dtb_util.DTC - parsing DTB: build/unzip_boot/dtb
FATAL ERROR: Blob has incorrect magic number
[main] ERROR cfig.dtb_util.DTC - can not parse DTB: build/unzip_boot/dtb
[main] INFO cfig.Avb - parsing recovery.img ...
[main] INFO cfig.Avb - recovery.img: Footer(versionMajor=1, versionMinor=0, originalImageSize=55452448, vbMetaOffset=55455744, vbMetaSize=2112)
[main] INFO cfig.Avb - Header(required_libavb_version_major=1, required_libavb_version_minor=0, authentication_data_block_size=576, auxiliary_data_block_size=1280, algorithm_type=2, hash_offset=0, hash_size=32, signature_offset=32, signature_size=512, public_key_offset=208, public_key_size=1032, public_key_metadata_offset=1240, public_key_metadata_size=0, descriptors_offset=0, descriptors_size=208, rollback_index=0, flags=0, release_string=avbtool 1.1.0)
[main] INFO avb.desc.UnknownDescriptor - Parse descriptors stream, SIZE = 208
[main] INFO cfig.Avb - vbmeta info of [recovery.img] has been analyzed
[main] INFO cfig.Avb - vbmeta info written to build/unzip_boot/recovery.avb.json
[main] INFO cfig.bootimg.v2.BootV2 -
            Unpack Summary of recovery.img
┌───────────────────────────────────────┬──────────────────────────────────────┐
│What                                   │Where                                 │
└───────────────────────────────────────┴──────────────────────────────────────┘
┌───────────────────────────────────────┬──────────────────────────────────────┐
│image info                             │build/unzip_boot/recovery.json        │
├───────────────────────────────────────┼──────────────────────────────────────┤
│AVB info                               │build/unzip_boot/recovery.avb.json    │
├───────────────────────────────────────┼──────────────────────────────────────┤
│kernel                                 │build/unzip_boot/kernel               │
│\-- version [5.4.61]                   │build/unzip_boot/kernel_version.txt   │
│\-- config                             │build/unzip_boot/kernel_configs.txt   │
├───────────────────────────────────────┼──────────────────────────────────────┤
│ramdisk                                │build/unzip_boot/ramdisk.img.gz       │
│\-- extracted ramdisk rootfs           │build/unzip_boot/root                 │
├───────────────────────────────────────┼──────────────────────────────────────┤
│recovery dtbo                          │build/unzip_boot/recoveryDtbo         │
├───────────────────────────────────────┼──────────────────────────────────────┤
│dtb                                    │build/unzip_boot/dtb                  │
└───────────────────────────────────────┴──────────────────────────────────────┘
[main] WARN cfig.packable.PackableLauncher - 'unpack' sequence completed

First unpack attempt...
No GW4 Recovery Kernel... will come in second attempt...

Code:
[email protected]:~/kernelunpack/1$ ./gradlew unpack
[main] WARN cfig.packable.PackableLauncher - [recovery.img] will be handled by [BootImgParser]
[main] WARN cfig.packable.PackableLauncher - 'unpack' sequence initialized
[main] INFO cfig.packable.BootImgParser - header version 2
[main] WARN cfig.bootimg.v2.BootHeaderV2 - BootImgHeader constructor
[main] INFO cfig.Avb - python aosp/avb/avbtool.v1.2.py verify_image --image recovery.img
Verifying image recovery.img using embedded public key
vbmeta: Successfully verified footer and SHA256_RSA4096 vbmeta struct in recovery.img
recovery: Successfully verified sha256 hash of recovery.img for image of 37020448 bytes
[main] INFO KernelExtractor - [python, aosp/build/tools/extract_kernel.py, --input, build/unzip_boot/kernel, --output-configs, build/unzip_boot/kernel_configs.txt, --output-version, build/unzip_boot/kernel_version.txt]
[main] INFO KernelExtractor - kernel version: [4.19.151]
[main] INFO KernelExtractor - kernel config dumped to : build/unzip_boot/kernel_configs.txt
[main] INFO ZipHelper - decompress(gz) done: build/unzip_boot/ramdisk.img.gz -> build/unzip_boot/ramdisk.img
[main] INFO cfig.bootimg.cpio.AndroidCpio - Cleaning /home/asus/kernelunpack/1/build/unzip_boot/root ...
[main] INFO cfig.bootimg.cpio.AndroidCpio - cpio trailer found, mode=000001ed
[main] INFO cfig.bootimg.Common -  ramdisk extracted : build/unzip_boot/ramdisk.img -> build/unzip_boot/root
[main] INFO cfig.dtb_util.DTC - parsing DTB: build/unzip_boot/dtb
FATAL ERROR: Blob has incorrect magic number
[main] ERROR cfig.dtb_util.DTC - can not parse DTB: build/unzip_boot/dtb
[main] INFO cfig.Avb - parsing recovery.img ...
[main] INFO cfig.Avb - recovery.img: Footer(versionMajor=1, versionMinor=0, originalImageSize=37020448, vbMetaOffset=37023744, vbMetaSize=2112)
[main] INFO cfig.Avb - Header(required_libavb_version_major=1, required_libavb_version_minor=0, authentication_data_block_size=576, auxiliary_data_block_size=1280, algorithm_type=2, hash_offset=0, hash_size=32, signature_offset=32, signature_size=512, public_key_offset=208, public_key_size=1032, public_key_metadata_offset=1240, public_key_metadata_size=0, descriptors_offset=0, descriptors_size=208, rollback_index=0, flags=0, release_string=avbtool 1.1.0)
[main] INFO avb.desc.UnknownDescriptor - Parse descriptors stream, SIZE = 208
[main] INFO cfig.Avb - vbmeta info of [recovery.img] has been analyzed
[main] INFO cfig.Avb - vbmeta info written to build/unzip_boot/recovery.avb.json
[main] INFO cfig.bootimg.v2.BootV2 -
            Unpack Summary of recovery.img
┌───────────────────────────────────────┬──────────────────────────────────────┐
│What                                   │Where                                 │
└───────────────────────────────────────┴──────────────────────────────────────┘
┌───────────────────────────────────────┬──────────────────────────────────────┐
│image info                             │build/unzip_boot/recovery.json        │
├───────────────────────────────────────┼──────────────────────────────────────┤
│AVB info                               │build/unzip_boot/recovery.avb.json    │
├───────────────────────────────────────┼──────────────────────────────────────┤
│kernel                                 │build/unzip_boot/kernel               │
│\-- version [4.19.151]                 │build/unzip_boot/kernel_version.txt   │
│\-- config                             │build/unzip_boot/kernel_configs.txt   │
├───────────────────────────────────────┼──────────────────────────────────────┤
│ramdisk                                │build/unzip_boot/ramdisk.img.gz       │
│\-- extracted ramdisk rootfs           │build/unzip_boot/root                 │
├───────────────────────────────────────┼──────────────────────────────────────┤
│recovery dtbo                          │build/unzip_boot/recoveryDtbo         │
├───────────────────────────────────────┼──────────────────────────────────────┤
│dtb                                    │build/unzip_boot/dtb                  │
└───────────────────────────────────────┴──────────────────────────────────────┘
[main] WARN cfig.packable.PackableLauncher - 'unpack' sequence completed

This time SM-R870 Recovery EVA8...

Now will check if I can enable ADB for USB Connection....
 
Last edited:
  • Like
Reactions: TheIntruder

adfree

Senior Member
Jun 14, 2008
9,853
5,834
Samsung Galaxy Watch 4
Code:
[email protected]:~/kernelunpack/1$ ./gradlew pack
[main] WARN cfig.packable.PackableLauncher - [recovery.img] will be handled by [BootImgParser]
[main] WARN cfig.packable.PackableLauncher - 'pack' sequence initialized
[main] INFO cfig.packable.BootImgParser - Loading config from build/unzip_boot/recovery.json
[main] INFO cfig.bootimg.Common - Deleting build/unzip_boot/ramdisk.img.gz ...
[main] INFO cfig.bootimg.Common - Deleting build/unzip_boot/ramdisk.img ...
[main] INFO cfig.bootimg.Common - Packing rootfs build/unzip_boot//root ...
[main] INFO ZipHelper - compress(gz) done: build/unzip_boot/ramdisk.img.gz
[main] INFO cfig.bootimg.Common - build/unzip_boot/ramdisk.img.gz is ready
[main] WARN cfig.bootimg.v2.BootV2 - using fake recoveryDtboOffset 36562944 (as is in AOSP avbtool)
[main] INFO cfig.bootimg.v2.BootV2 - Writing data ...
[main] INFO cfig.bootimg.v2.BootV2 - [python, aosp/system/tools/mkbootimg/mkbootimg.py, --header_version, 2, --base, 0x0, --kernel, build/unzip_boot/kernel, --kernel_offset, 0x10008000, --ramdisk, build/unzip_boot/ramdisk.img.gz, --ramdisk_offset, 0x10000000, --board, SRPUC30A001, --recovery_dtbo, build/unzip_boot/recoveryDtbo, --dtb, build/unzip_boot/dtb, --dtb_offset, 0x10000000, --pagesize, 2048, --cmdline, , --os_version, 11.0.0, --os_patch_level, 2022-01-00, --tags_offset, 0x10000000, --id, --output, recovery.img.google]
Traceback (most recent call last):
  File "aosp/system/tools/mkbootimg/mkbootimg.py", line 316, in <module>
    main()
  File "aosp/system/tools/mkbootimg/mkbootimg.py", line 303, in main
    img_id = write_header(args)
  File "aosp/system/tools/mkbootimg/mkbootimg.py", line 152, in write_header
    args.output.write(pack('Q', get_recovery_dtbo_offset(args))) # recovery dtbo offset
struct.error: required argument is not an integer
Exception in thread "main" java.lang.reflect.InvocationTargetException
    at java.base/jdk.internal.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
    at java.base/jdk.internal.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:62)
    at java.base/jdk.internal.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
    at java.base/java.lang.reflect.Method.invoke(Method.java:566)
    at kotlin.reflect.jvm.internal.calls.CallerImpl$Method.callMethod(CallerImpl.kt:97)
    at kotlin.reflect.jvm.internal.calls.CallerImpl$Method$Instance.call(CallerImpl.kt:113)
    at kotlin.reflect.jvm.internal.KCallableImpl.call(KCallableImpl.kt:108)
    at cfig.packable.PackableLauncherKt.main(PackableLauncher.kt:92)
Caused by: org.apache.commons.exec.ExecuteException: Process exited with an error: 1 (Exit value: 1)
    at org.apache.commons.exec.DefaultExecutor.executeInternal(DefaultExecutor.java:404)
    at org.apache.commons.exec.DefaultExecutor.execute(DefaultExecutor.java:166)
    at org.apache.commons.exec.DefaultExecutor.execute(DefaultExecutor.java:153)
    at cfig.bootimg.v2.BootV2.pack(BootV2.kt:398)
    at cfig.packable.BootImgParser.pack(BootImgParser.kt:62)
    ... 8 more

Hmmmm...

Need to solve repack problem...

First attempt only in:
Code:
prop.default

Edit 1.

Downloaded first this Version...
boot_editor_r11.zip

Will check now other Version...
boot_editor_v13_preview3.zip

Edit again....
Code:
[email protected]:~/kernelunpack/1$ ./gradlew unpack
23:35:58.712 [main] WARN  cfig.packable.PackableLauncher - [recovery.img] will be handled by [BootImgParser]
23:35:59.753 [main] WARN  cfig.packable.PackableLauncher - 'unpack' sequence initialized
23:35:59.796 [main] INFO  Helper - deleting uiderrors
23:35:59.890 [main] INFO  cfig.packable.BootImgParser - header version 2
23:36:01.013 [main] WARN  cfig.bootimg.v2.BootHeaderV2 - BootImgHeader constructor
23:36:01.274 [main] INFO  cfig.Avb - python aosp/avb/avbtool.v1.2.py verify_image --image recovery.img
Verifying image recovery.img using embedded public key
vbmeta: Successfully verified footer and SHA256_RSA4096 vbmeta struct in recovery.img
recovery: Successfully verified sha256 hash of recovery.img for image of 37020448 bytes
23:36:04.846 [main] INFO  KernelExtractor - [aosp/make/tools/extract_kernel.py, --input, build/unzip_boot/kernel, --output-configs, build/unzip_boot/kernel_configs.txt, --output-version, build/unzip_boot/kernel_version.txt]
23:36:04.914 [main] INFO  KernelExtractor - kernel version: [4.19.151]
23:36:04.918 [main] INFO  KernelExtractor - kernel config dumped to : build/unzip_boot/kernel_configs.txt
23:36:07.498 [main] INFO  ZipHelper - decompress(gz) done: build/unzip_boot/ramdisk.img.gz -> build/unzip_boot/ramdisk.img
23:36:07.512 [main] INFO  cfig.bootimg.cpio.AndroidCpio - Cleaning /home/asus/kernelunpack/1/build/unzip_boot/root ...
23:36:07.746 [main] WARN  cfig.bootimg.cpio.AndroidCpio -   root/config has improper file mode 555, fix it
23:36:12.782 [main] INFO  cfig.bootimg.cpio.AndroidCpio - cpio trailer found, mode=000001ed
23:36:12.790 [main] INFO  cfig.bootimg.Common -  ramdisk extracted : build/unzip_boot/ramdisk.img -> build/unzip_boot/root
23:36:12.870 [main] INFO  cfig.utils.DTC - parsing DTB: build/unzip_boot/dtb
FATAL ERROR: Blob has incorrect magic number
23:36:12.922 [main] ERROR cfig.utils.DTC - can not parse DTB: build/unzip_boot/dtb
23:36:12.938 [main] INFO  avb.AVBInfo - parseFrom(FILE:recovery.img) ...
23:36:13.349 [main] INFO  avb.AVBInfo - FILE:recovery.img: Glance(footer=Footer(versionMajor=1, versionMinor=0, originalImageSize=37020448, vbMetaOffset=37023744, vbMetaSize=2112), vbMetaOffset=37023744).footer
23:36:14.389 [main] INFO  avb.AVBInfo - VBMeta: recovery.img -> build/unzip_boot/recovery.avb.json
23:36:15.311 [main] INFO  cfig.Avb - signed with release key
23:36:15.712 [main] INFO  cfig.bootimg.v2.BootV2 -
            Unpack Summary of recovery.img
┌───────────────────────────────────────┬──────────────────────────────────────┐
│What                                   │Where                                 │
└───────────────────────────────────────┴──────────────────────────────────────┘
┌───────────────────────────────────────┬──────────────────────────────────────┐
│image info                             │build/unzip_boot/recovery.json        │
├───────────────────────────────────────┼──────────────────────────────────────┤
│AVB info [verified]                    │build/unzip_boot/recovery.avb.json    │
│\-- signing key                        │private release key                   │
├───────────────────────────────────────┼──────────────────────────────────────┤
│kernel                                 │build/unzip_boot/kernel               │
│\-- version [4.19.151]                 │build/unzip_boot/kernel_version.txt   │
│\-- config                             │build/unzip_boot/kernel_configs.txt   │
├───────────────────────────────────────┼──────────────────────────────────────┤
│ramdisk                                │build/unzip_boot/ramdisk.img.gz       │
│\-- extracted ramdisk rootfs           │build/unzip_boot/root                 │
├───────────────────────────────────────┼──────────────────────────────────────┤
│recovery dtbo                          │build/unzip_boot/recoveryDtbo         │
├───────────────────────────────────────┼──────────────────────────────────────┤
│dtb                                    │build/unzip_boot/dtb                  │
└───────────────────────────────────────┴──────────────────────────────────────┘
23:36:16.519 [main] WARN  cfig.packable.PackableLauncher - 'unpack' sequence completed
[email protected]:~/kernelunpack/1$ ./gradlew pack
23:39:06.302 [main] WARN  cfig.packable.PackableLauncher - [recovery.img] will be handled by [BootImgParser]
23:39:07.240 [main] WARN  cfig.packable.PackableLauncher - 'pack' sequence initialized
23:39:07.457 [main] INFO  cfig.packable.BootImgParser - Loading config from build/unzip_boot/recovery.json
23:39:10.200 [main] INFO  cfig.bootimg.Common - Deleting build/unzip_boot/ramdisk.img.gz ...
23:39:10.212 [main] INFO  cfig.bootimg.Common - Deleting build/unzip_boot/ramdisk.img ...
23:39:10.243 [main] INFO  cfig.bootimg.Common - Packing rootfs build/unzip_boot/root ...
23:39:10.493 [main] INFO  cfig.bootimg.cpio.AndroidCpio - loading build/unzip_boot/ramdisk.img_filelist.txt
23:39:27.836 [main] INFO  ZipHelper - compress(gz) done: build/unzip_boot/ramdisk.img.gz
23:39:27.838 [main] INFO  cfig.bootimg.Common - build/unzip_boot/ramdisk.img.gz is ready
23:39:27.903 [main] WARN  cfig.bootimg.v2.BootV2 - using fake recoveryDtboOffset 36562944 (as is in AOSP avbtool)
23:39:29.645 [main] INFO  cfig.bootimg.v2.BootV2 - Writing data ...
23:39:33.379 [main] INFO  cfig.bootimg.v2.BootV2 - [aosp/system/tools/mkbootimg/mkbootimg.py, --header_version, 2, --base, 0x0, --kernel, build/unzip_boot/kernel, --kernel_offset, 0x10008000, --ramdisk, build/unzip_boot/ramdisk.img.gz, --ramdisk_offset, 0x10000000, --board, SRPUC30A001, --recovery_dtbo, build/unzip_boot/recoveryDtbo, --dtb, build/unzip_boot/dtb, --dtb_offset, 0x10000000, --pagesize, 2048, --cmdline, , --os_version, 11.0.0, --os_patch_level, 2022-01-00, --tags_offset, 0x10000000, --id, --output, recovery.img.google]
0x71e297625167df34201eecb28eca0109b6d78dcf000000000000000000000000
23:39:37.031 [main] INFO  Helper - recovery.img.clear hash 069b4dfa3838e30283a275508eaca7ad24a4959a, recovery.img.google hash 069b4dfa3838e30283a275508eaca7ad24a4959a
23:39:37.036 [main] INFO  Helper - Hash verification passed: 069b4dfa3838e30283a275508eaca7ad24a4959a
23:39:37.051 [main] INFO  cfig.bootimg.Signer - Adding hash_footer with verified-boot 2.0 style
23:39:38.540 [main] INFO  cfig.Avb - addHashFooter(recovery.img.signed) ...
23:39:38.774 [main] INFO  cfig.Avb - max_image_size: 55504896
23:39:39.003 [main] INFO  cfig.Avb - original image recovery.img.signed doesn't have AVB footer
23:39:39.097 [main] INFO  avb.desc.HashDescriptor - preset salt[32] is valid: c62aaf373af19fb1da6e137e44fc99a8e732237821ba2817eda85fac8c56c825
23:39:39.098 [main] INFO  avb.desc.HashDescriptor - flag: use_ab = 1
23:39:42.346 [main] INFO  avb.desc.HashDescriptor - Digest(salt + file): 31bd4fed67dc797aa573a4015d78d0756fd07848f53076a941126280d672a63b
23:39:42.363 [main] INFO  cfig.Avb - updated hash descriptor:000000000000000200000000000000c0000000000234e0007368613235360000000000000000000000000000000000000000000000000000000000080000002000000020000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000007265636f76657279c62aaf373af19fb1da6e137e44fc99a8e732237821ba2817eda85fac8c56c82531bd4fed67dc797aa573a4015d78d0756fd07848f53076a941126280d672a63b00000000
23:39:42.666 [main] WARN  avb.blob.AuxBlob - Using different key from original vbmeta
23:39:42.667 [main] INFO  avb.blob.AuxBlob - no pubkey metadata in auxBlob
23:39:44.765 [main] WARN  avb.blob.AuxBlob - Using different key from original vbmeta
23:39:44.766 [main] INFO  avb.blob.AuxBlob - no pubkey metadata in auxBlob
23:39:45.306 [main] INFO  cfig.Avb - Footer(versionMajor=1, versionMinor=0, originalImageSize=37019648, vbMetaOffset=37019648, vbMetaSize=2112)
23:39:45.312 [main] INFO  cfig.Avb - 1/4 Padding image with 0 bytes ...
23:39:45.362 [main] INFO  cfig.Avb - 2/4 Appending vbmeta (4096 bytes)...
23:39:45.380 [main] INFO  cfig.Avb - 3/4 Appending DONT CARE CHUNK (18546688 bytes) ...
23:39:45.762 [main] INFO  cfig.Avb - 4/4 Appending AVB footer (4096 bytes)...
23:39:45.766 [main] INFO  cfig.Avb - addHashFooter(recovery.img.signed) done.
23:39:45.797 [main] INFO  cfig.bootimg.Signer - [aosp/avb/avbtool.v1.2.py, add_hash_footer, --image, recovery.img.signed2, --flags, 0, --partition_size, 55574528, --salt, c62aaf373af19fb1da6e137e44fc99a8e732237821ba2817eda85fac8c56c825, --partition_name, recovery, --hash_algorithm, sha256, --algorithm, SHA256_RSA4096, --rollback_index, 0, --key, aosp/avb/data/testkey_rsa4096.pem, --internal_release_string, avbtool 1.1.0]
23:39:51.148 [main] INFO  Helper - recovery.img.signed hash a71eb96aa6064fcaa40998d9e3a3dce1972a45cd, recovery.img.signed2 hash a71eb96aa6064fcaa40998d9e3a3dce1972a45cd
23:39:51.148 [main] INFO  Helper - Hash verification passed: a71eb96aa6064fcaa40998d9e3a3dce1972a45cd
23:39:51.149 [main] INFO  cfig.bootimg.v2.BootV2 - Adding hash_footer with verified-boot 2.0 style
23:39:51.504 [main] INFO  cfig.bootimg.v3.VendorBoot -
            Pack Summary of recovery.img
┌───────────────────────────────────────┬──────────────────────────────────────┐
│What                                   │Where                                 │
└───────────────────────────────────────┴──────────────────────────────────────┘
┌───────────────────────────────────────┬──────────────────────────────────────┐
│re-packed recovery.img                 │recovery.img.signed                   │
└───────────────────────────────────────┴──────────────────────────────────────┘
23:39:51.623 [main] WARN  cfig.packable.PackableLauncher - 'pack' sequence completed
 
Last edited:

adfree

Senior Member
Jun 14, 2008
9,853
5,834
Samsung Galaxy Watch 4
ADB enable still fail...

But to be 100 % sure my modified Recovery is accepted I changed text string EVA8 to EVA9 and will check if I can see this...

Edit 1.
Harhar... tiny Display...
I can only see EV from EVA8...

Next attempt with DEAD as text String... I hope to see DE in Recovery...

Edit 2.

Few mistakes later...

Seems to work...

I have """modified"""...
Code:
librecovery_ui.so

I can see now Enter fastfood instead fastboot...

Now starting OS to check if boot.img detect Fake and restore Original Recovery...


Edit 3...

Okidoki...

As soon I am booting normal into boot.img...
F%&ing Original Recovery restored from...
Code:
recovery-from-boot.p
 
Last edited:

adfree

Senior Member
Jun 14, 2008
9,853
5,834
Samsung Galaxy Watch 4
Will try to disable auto restore from recovery.img...

First idea to use 0 Byte files...
Code:
/system/recovery-from-boot.p

/system/bin/install-recovery.sh

In Magisk Module...

Edit 1.

Seems success...

So I can continue to do stupid tests with recovery.img...

I will try to execute something else from menu points:

Code:
Reboot to bootloader

Enter fastboot

Both are Fastboot related and both are useless as crippled by S...

Edit 2.

Google search for:
Code:
librecovery_ui.so


Code:
#include "recovery_ui/ui.h"

static std::vector<std::pair<std::string, Device::BuiltinAction>> g_menu_actions{
  { "Reboot system now", Device::REBOOT },
  { "Reboot to bootloader", Device::REBOOT_BOOTLOADER },
  { "Enter fastboot", Device::ENTER_FASTBOOT },
  { "Apply update from ADB", Device::APPLY_ADB_SIDELOAD },
  { "Apply update from SD card", Device::APPLY_SDCARD },
  { "Wipe data/factory reset", Device::WIPE_DATA },
  { "Wipe cache partition", Device::WIPE_CACHE },
  { "Mount /system", Device::MOUNT_SYSTEM },
  { "View recovery logs", Device::VIEW_RECOVERY_LOGS },
  { "Run graphics test", Device::RUN_GRAPHICS_TEST },
  { "Run locale test", Device::RUN_LOCALE_TEST },
  { "Enter rescue", Device::ENTER_RESCUE },
  { "Power off", Device::SHUTDOWN },
};

Edit 3.

Memo to me because f%&ing Ubuntu problems with Win Net... this seems to help me:
 
Last edited:

adfree

Senior Member
Jun 14, 2008
9,853
5,834
Samsung Galaxy Watch 4
After hours of stupid tests...

I am understanding tiny bit more... as before...

Seems in Stock Recovery and also FAC Recovery from Combination Firmware.
Partitions not mounted...

Tiny summary...
Code:
{ "Reboot to bootloader", Device::REBOOT_BOOTLOADER },

Fastboot crap... crippled by Samsung as 0 Support in Stock sboot.in Bootloader...

Code:
{ "Enter fastboot", Device::ENTER_FASTBOOT },
Same... kastriert in sboot.bin

Code:
{ "Apply update from ADB", Device::APPLY_ADB_SIDELOAD },
I am not able to enable ADB for USB...

Code:
{ "Apply update from SD card", Device::APPLY_SDCARD },
Partition not mounted... so no access to /sdcard/update.zip


Code:
{ "Mount /system", Device::MOUNT_SYSTEM },
Not working...

No idea if totally crippled or...


Puh...
1 idea is to replace /system/bin/recovery with Script *.sh...

Stupid idea...


Harder for me to mount "SD card"...
Maybe Sams.ng crippled feature Apply update from SD card... so maybe useless attempt...


I will try the idea with Script... *.sh

Best Regards

Edit 1.

FSTAB is 1:1 same from Stock Recovery and the FAC Recovery recovery.img I have from Combination Firmware...
Code:
# Copyright (c) 2011, Code Aurora Forum. All rights reserved.
#
# Redistribution and use in source and binary forms, with or without
# modification, are permitted provided that the following conditions are
# met:
#     * Redistributions of source code must retain the above copyright
#       notice, this list of conditions and the following disclaimer.
#     * Redistributions in binary form must reproduce the above
#       copyright notice, this list of conditions and the following
#       disclaimer in the documentation and/or other materials provided
#       with the distribution.
#     * Neither the name of Code Aurora Forum, Inc. nor the names of its
#       contributors may be used to endorse or promote products derived
#       from this software without specific prior written permission.
#
# THIS SOFTWARE IS PROVIDED "AS IS" AND ANY EXPRESS OR IMPLIED
# WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF
# MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND NON-INFRINGEMENT
# ARE DISCLAIMED.  IN NO EVENT SHALL THE COPYRIGHT OWNER OR CONTRIBUTORS
# BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR
# CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF
# SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR
# BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY,
# WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE
# OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN
# IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.


#<src>                                    <mnt_point>    <type>    <mnt_flags and options>    <fs_mgr_flags>
system                                               /system         ext4        ro,barrier=1,discard                  avb=vbmeta,logical,first_stage_mount
vendor                                               /vendor         ext4        ro,barrier=1,discard                  avb,logical,first_stage_mount
product                                              /product        ext4        ro,barrier=1,discard                  avb,logical,first_stage_mount
odm                                                  /odm            ext4        ro,barrier=1,discard                  avb,logical,first_stage_mount
/dev/block/by-name/boot        /boot           emmc        defaults                  recoveryonly
/dev/block/by-name/recovery    /recovery       emmc        defaults                  recoveryonly
/dev/block/by-name/metadata    /metadata       ext4        defaults                  wait,first_stage_mount
/dev/block/by-name/userdata    /data    f2fs    noatime,nosuid,nodev,discard,usrquota,grpquota,fsync_mode=nobarrier,reserve_root=32768,resgid=5678    recoveryonly,length=-20480
/dev/block/by-name/cache       /cache          ext4        defaults                  recoveryonly
/dev/block/mmcblk0p1                                 /sdcard         sdfat       defaults                  recoveryonly
/dev/block/by-name/sec_efs     /efs            ext4        defaults                  recoveryonly
/dev/block/by-name/sec_efs     /sec_efs        ext4        defaults                  recoveryonly
/dev/block/by-name/carrier     /carrier        ext4        defaults                  recoveryonly
/dev/block/by-name/hidden      /preload        ext4        defaults                  recoveryonly
/dev/block/by-name/radio         /modem        emmc     defaults                  recoveryonly

# Add misc for GOTA
/dev/block/by-name/misc        /misc           emmc        defaults                  recoveryonly

# Samsung ODE
/dev/block/by-name/keydata     /keydata        ext4        defaults                  recoveryonly
/dev/block/by-name/keyrefuge    /keyrefuge    f2fs    defaults    recoveryonly

#Auto-generated code by FOTA Portal
/dev/block/by-name/dtb        /dtb        emmc        default        recoveryonly
/dev/block/by-name/dtbo       /dtbo       emmc        default        recoveryonly

/dev/block/by-name/prism     /prism        ext4        defaults                  recoveryonly
/dev/block/by-name/optics     /optics        ext4        defaults                  recoveryonly



#Auto-generated code by FOTA Portal
/dev/block/by-name/vbmeta_samsung    /vbmeta_samsung    emmc    default    recoveryonly
/dev/block/by-name/vbmeta_system    /vbmeta_system    emmc    default    recoveryonly
 
Last edited:

Top Liked Posts

  • There are no posts matching your filters.
  • 3
    I can confirm Magisk Version 25.2 also work for GVH2.

    Need some time for tests...

    Summary:
    Magisk 24.3
    AND
    Magisk 25.2
    Can root GW4...

    Best Regards
    2
    Attempt 1 for dd Action...

    Code:
    D:\Android\ADB>adb push super.zip /sdcard
    super.zip: 1 file pushed. 1.9 MB/s (1983237332 bytes in 995.834s)
    
    D:\Android\ADB>adb shell
    freshbl:/ $ su
    freshbl:/ # unzip -h
    usage: unzip [-d DIR] [-lnopqv] ZIP [FILE...] [-x FILE...]
    
    Extract FILEs from ZIP archive. Default is all files. Both the include and
    exclude (-x) lists use shell glob patterns.
    
    -d DIR  Extract into DIR
    -l      List contents (-lq excludes archive name, -lv is verbose)
    -n      Never overwrite files (default: prompt)
    -o      Always overwrite files
    -p      Pipe to stdout
    -q      Quiet
    -v      List contents verbosely
    -x FILE Exclude files
    freshbl:/ # cd /sdcard
    freshbl:/sdcard # unzip super.zip
    Archive:  super.zip
      inflating: super.new.img
    Aborted

    No idea why aborted... ZIP created on Ubuntu...

    Will try on Windows with 7Zip...

    Edit 1.

    After few different Compress Tools...
    Code:
    freshbl:/sdcard # gunzip super.img.gz
    freshbl:/sdcard # df -h
    Filesystem                            Size  Used Avail Use% Mounted on
    tmpfs                                 693M  1.2M  691M   1% /dev
    tmpfs                                 693M     0  693M   0% /mnt
    /dev/block/mmcblk0p27                  27M  128K   27M   1% /metadata
    /dev/block/dm-3                       3.9M  980K  3.0M  25% /odm
    /dev/block/mmcblk0p31                 581M  343M  238M  60% /prism
    /dev/block/mmcblk0p32                  39M  1.5M   37M   5% /optics
    tmpfs                                 693M  2.8M  690M   1% /dev/QelRwS
    tmpfs                                 693M     0  693M   0% /apex
    tmpfs                                 693M  352K  692M   1% /linkerconfig
    /dev/block/mmcblk0p34                  16M   24K   16M   1% /omr
    /dev/block/mmcblk0p33                 193M  2.8M  190M   2% /cache
    /dev/block/mmcblk0p1                  3.8M  228K  3.6M   6% /mnt/vendor/efs
    /dev/block/mmcblk0p4                  3.8M   24K  3.8M   1% /mnt/vendor/cpefs
    /dev/block/mmcblk0p2                  3.8M  1.1M  2.7M  29% /efs
    /dev/block/dm-4                       8.3G  5.9G  2.4G  72% /data
    tmpfs                                 693M     0  693M   0% /data_mirror
    /dev/QelRwS/.magisk/block/vendor       82M   79M  2.9M  97% /dev/QelRwS/.magisk/mirror/vendor
    /dev/QelRwS/.magisk/block/product     139M  139M  244K 100% /dev/QelRwS/.magisk/mirror/product
    /dev/QelRwS/.magisk/block/system_root 3.4G  3.3G   17M 100% /dev/QelRwS/.magisk/mirror/system_root
    tmpfs                                 693M     0  693M   0% /system/bin
    /dev/fuse                             8.3G  5.9G  2.4G  72% /mnt/user/0/emulated
    freshbl:/sdcard # dd if=/sdcard/super.img of=/dev/block/mmcblk0p30
    dd: /sdcard/super.img: read error: Transport endpoint is not connected
    1|freshbl:/sdcard # ls -a1l
    Segmentation fault
    139|freshbl:/sdcard # reboot
    Segmentation fault
    139|freshbl:/sdcard #

    Result is bootloop...
    But SM-R870 is still alive...
    Recovery I can enter... Fac Reset... blabla

    Now I restore super.img with Odin...
    1
    Okay found Command for our GW4.

    Here my SM-R870 EVA8

    Code:
    lpdump --slot 0 /dev/block/by-name/super
    
    lpdump --slot 1 /dev/block/by-name/super

    Result looks like this:

    Code:
    freshbl:/dev/block/by-name $ lpdump --slot 1 /dev/block/by-name/super
    Metadata version: 10.0
    Metadata size: 592 bytes
    Metadata max size: 65536 bytes
    Metadata slot count: 2
    Header flags: none
    Partition table:
    ------------------------
      Name: system
      Group: group_basic
      Attributes: readonly
      Extents:
        0 .. 7067335 linear super 2048
    ------------------------
      Name: vendor
      Group: group_basic
      Attributes: readonly
      Extents:
        0 .. 171487 linear super 7069696
    ------------------------
      Name: product
      Group: group_basic
      Attributes: readonly
      Extents:
        0 .. 283823 linear super 7241728
    ------------------------
      Name: odm
      Group: group_basic
      Attributes: readonly
      Extents:
        0 .. 8495 linear super 7526400
    ------------------------
    Super partition layout:
    ------------------------
    super: 2048 .. 7069384: system (7067336 sectors)
    super: 7069696 .. 7241184: vendor (171488 sectors)
    super: 7241728 .. 7525552: product (283824 sectors)
    super: 7526400 .. 7534896: odm (8496 sectors)
    ------------------------
    Block device table:
    ------------------------
      Partition name: super
      First sector: 2048
      Size: 5368709120 bytes
      Flags: none
    ------------------------
    Group table:
    ------------------------
      Name: default
      Maximum size: 0 bytes
      Flags: none
    ------------------------
      Name: group_basic
      Maximum size: 5364514816 bytes
      Flags: none
    ------------------------
    freshbl:/dev/block/by-name $ lpdump --slot 0 /dev/block/by-name/super
    Metadata version: 10.0
    Metadata size: 640 bytes
    Metadata max size: 65536 bytes
    Metadata slot count: 2
    Header flags: none
    Partition table:
    ------------------------
      Name: system
      Group: group_basic
      Attributes: readonly
      Extents:
        0 .. 7067647 linear super 2048
        7067648 .. 7259671 linear super 7536640
    ------------------------
      Name: vendor
      Group: group_basic
      Attributes: readonly
      Extents:
        0 .. 171927 linear super 7069696
    ------------------------
      Name: product
      Group: group_basic
      Attributes: readonly
      Extents:
        0 .. 284671 linear super 7241728
        284672 .. 289775 linear super 7729152
    ------------------------
      Name: odm
      Group: group_basic
      Attributes: readonly
      Extents:
        0 .. 8495 linear super 7526400
    ------------------------
    Super partition layout:
    ------------------------
    super: 2048 .. 7069696: system (7067648 sectors)
    super: 7069696 .. 7241624: vendor (171928 sectors)
    super: 7241728 .. 7526400: product (284672 sectors)
    super: 7526400 .. 7534896: odm (8496 sectors)
    super: 7536640 .. 7728664: system (192024 sectors)
    super: 7729152 .. 7734256: product (5104 sectors)
    ------------------------
    Block device table:
    ------------------------
      Partition name: super
      First sector: 2048
      Size: 5368709120 bytes
      Flags: none
    ------------------------
    Group table:
    ------------------------
      Name: default
      Maximum size: 0 bytes
      Flags: none
    ------------------------
      Name: group_basic
      Maximum size: 5364514816 bytes
      Flags: none
    ------------------------


    Now I can check and compare output from imjtool etc...
    To find the correct values for my super.img Adventure...

    Best Regards
    1
    Tiny success 1

    Code:
    [email protected]:~/fota/OTA/tools$ LD_LIBRARY_PATH=.  ./lpmake --metadata-size 65536 --super-name super --metadata-slots 2 --device super:5368709120 --group main:4024119296 --partition system:readonly:3782160384:main --image system=./system.img --partition vendor:readonly:89243648:main --image vendor=./vendor.img --partition product:readonly:148365312:main --image product=./product.img --partition odm:readonly:4349952:main --image odm=./odm.img --sparse --output ./super.new.img
    lpmake I 09-09 00:39:34  2459  2459 builder.cpp:1059] [liblp]Partition system will resize from 0 bytes to 3782160384 bytes
    lpmake I 09-09 00:39:34  2459  2459 builder.cpp:1059] [liblp]Partition vendor will resize from 0 bytes to 89243648 bytes
    lpmake I 09-09 00:39:34  2459  2459 builder.cpp:1059] [liblp]Partition product will resize from 0 bytes to 148365312 bytes
    lpmake I 09-09 00:39:34  2459  2459 builder.cpp:1059] [liblp]Partition odm will resize from 0 bytes to 4349952 bytes
    Invalid sparse file format at header magic
    Invalid sparse file format at header magic
    Invalid sparse file format at header magic
    Invalid sparse file format at header magic

    Written File is 4 GB... IMHO size of sum...

    Will do again without --sparse argument... but same output...

    Will compare files...

    Btw... Funny. To bypass my first Error I had simple to take the old sized file of system.img

    Edit 1.

    Ah okay... same text output... but bigger file...
    Code:
    LD_LIBRARY_PATH=.  ./lpmake --metadata-size 65536 --super-name super --metadata-slots 2 --device super:5368709120 --group main:4024119296 --partition system:readonly:3782160384:main --image system=./system.img --partition vendor:readonly:89243648:main --image vendor=./vendor.img --partition product:readonly:148365312:main --image product=./product.img --partition odm:readonly:4349952:main --image odm=./odm.img --output ./super.new.img


    Need some time to check result...
    Before dd Action on my SM-R870 I will check with imjtool etc...

    Best Regards
    1
    Puhhhhh...

    Managed to have FVD4 on my SM-R870...

    If luck I have in few minutes latest GVH2 via FOTA...

    Finger crossed...

    Only as info.

    Best Regards

    Edit 1.

    Heureka...

    My SM-R870 is now updated successfully to GVH2.

    Need some time to prepare files for Rooting GVH2...
  • 4
    Can I ask, why would root be good for thus device? What could we achieve from a actual root of a wear os watch?
    The same reason we root any device; to have full access to system resources without a naggy nanny telling us what we can and can't do with our own devices. With root, we can be creative. Without root, we have to follow rules.
    4
    A

    NO
    1 click Solution

    B

    netOdin
    AND
    Odin


    So at the moment USB connection required. Means 4 wires soldered to Watch...

    Feel free to find Solution without USB...
    My brain is too small.

    C

    Success only with old EVA8 and my SM-R870...

    If I have enough tested... then maybe 1 day in future will check newer Firmware(S)...


    D

    Magisk
    Version 24.3 patched successfully 2 files from Stock Firmware EVA8

    Code:
    boot.img
    vbmeta.img

    D.1

    My mistake was to use other device to Patch... SM-A202F Android 11...
    But this is wrong

    Better same or similar device...

    In my case I performed the Magisk step with SM-R860 FVD4

    D.2

    BUT
    additional step required to make it GW4 Security "compatible"...

    With Hex Editor of your choice... search for text string:
    Code:
    seandroid

    Remove last 11 MB... included the search text string...

    Look at attached boot.img

    E

    After Bootloader Unlock blabla stepS...

    netOdin for vbmeta TAR

    This force you to do Factory Reset in Recovery...

    WARNING!
    This is exact the step which kills Knox... so byebye warranty and some Apps...

    F

    NEXT/SECOND
    step is with ODIN and USB cable

    boot.img TAR

    G

    In next post(s) I will try to give more infos...
    Maybe Video Upload for Magisk step... because additional File Manager needed...


    Best Regards
    3
    I can confirm Magisk Version 25.2 also work for GVH2.

    Need some time for tests...

    Summary:
    Magisk 24.3
    AND
    Magisk 25.2
    Can root GW4...

    Best Regards
    3
    IMHO in 1 hour I can test...

    My Checklist...

    Code:
    A
    
    Reset SM-R870 Standalone
    No WiFi
    
    
    B
    
    *#9900#
    
    Upload enabled
    +
    Debug HIGH
    
    C
    
    Full charging
    
    
    D
    
    Bootloader unlock
    
    
    
    E
    
    netOdin Action

    I need 45 minutes for C... Charging...

    Then Bootloader Unlock... then I can try Magisk patched files... Version 25.1...
    3
    Tiny progress...

    Flashed successfully only patched vbmeta...

    This forced me to do Factory Reset from Recovery... necause some Error blabla...

    Bootloader unlock shows Warning Pic... blabla Custom...

    Now I have the second blabla not Samsung Official...

    So IMHO Knox is now dead...

    Code:
    D:\Android\ADB>adb shell getprop ro.boot.warranty_bit
    1

    Bootloader unlock alone not kill Knox... IMHO...
    Code:
    D:\Android\ADB>adb shell getprop ro.boot.warranty_bit
    0