Question Rooting Galaxy Watch4

adfree

Senior Member
Jun 14, 2008
10,090
5,927
Samsung Galaxy Watch 4
Google Pixel Watch
Code:
adb shell wm density 235

@sermister1
Thank you very much for this tip
And for your Bootpatcher script...

Amazing.

With this density Trick I can better work with Magisk.
For instance confirm su access... Root Permission.

Best Regards
 


official_zephy

New member
May 5, 2018
1
1
@adfree Good afternoon, I would like to know how GW4 rooting is progressing. I read the thread, but since I don’t understand this, the process itself is not very clear to me. It would be desirable to see the answer which will be clear to the ordinary user. If possible.
 

adfree

For Root you need:

A

USB cable... look here:

Way with netOdin alone NOT found...


B

You need boot.img aka Kernel from Firmware...

Available for:
Code:
SM-R860
SM-R870
SM-R880
SM-R890

LTE Versions not leaked...
I have NO LTE Firmware like SM-R865F nor U

SM-R870 Firmware as Example:

C

Magisk 24.3 works for me to patch boot.img from:

Code:
EVA8
GVH2


I am using Magisk on my SM-R860 to create patched boot.img for my SM-R870...

NOT use Phone...
Because for instance my attempts with my SM-A202F fail for SM-R870...

Magisk reads something important from device... to make valid boot.img...


Best Regards

Edit 1.

Attached GVH2 Kernel... for SM-R870.

Patched with Magisk 24.3 and working for me. To have Root access...

Again.
USB cable... to bypass Security
 

Attachments

  • ROOT_GVH2_v1.zip

adfree

Before this year ends...

I will try also newer Magisk...


As at the moment Version 24.3 does the job for me...

Only as info.

I have no luck with ADB for USB cable... this is really f§$%...

Because WiFi not really stable...
Battery Heating blabla or other stupid s h...

Best Regards

Edit 1.

Step 1 done...

Installed Magisk Version 25.2 on my not rooted SM-R860... and patched GVH2 boot.img for my SM-R870 Victim...
Code:
D:\Android\ADB>adb pull /sdcard/Download/magisk_patched-25200_UN8bG.tar
/sdcard/Download/magisk_patched-25200_UN8bG.tar: 1 file pulled. 2.1 MB/s (37761024 bytes in 17.544s)
 

adfree

Maybe I will spend some time again with netOdin...

Reason for this... "new" idea...

Long time ago I bypassed FAC check from boot.img and recovery.img by complete cut "after"/including this text string:
Code:
SEANDROID

So around 10 MB removed...

Last tests... few days ago... for super.img and other Combination Firmware Files...

I have only changed 3 Bytes to bypass FACtory check...
Code:
get the approval to use factory binaries


Instead FAC I have replaced with MRK...

Example... so our normal Stock Firmware "signed"... human readable:

Code:
SEANDROIDENFORCESignerVer03     55295464R       R870XXU1GVH2                    20220819101306  SM-R870_NA_USA_EKEY0            SRPUC30A001     SRPUC30A001     usr frp mrk boot.img

And in Combination Firmware instead mrk you see fac:
Code:
SEANDROIDENFORCESignerVer03     55295464R       R870XXU1GVH2                    20220819101306  SM-R870_NA_USA_EKEY0            SRPUC30A001     SRPUC30A001     usr frp fac boot.img

My tests only with Odin and USB cable... as I waste enough time...

But maybe I will do again few tests with netOdin...

Best Regards
 

adfree

Code:
127|freshbl:/ # cd data/adb
freshbl:/data/adb # ls
magisk  magisk.db  modules  post-fs-data.d  service.d
freshbl:/data/adb # cd magisk
freshbl:/data/adb/magisk # ls -a1l
total 2365
drwxr-xr-x 3 root root    3452 2022-10-04 22:45 .
drwx------ 6 root root    3452 2022-10-04 22:27 ..
-rwxr-xr-x 1 root root    3530 2022-10-04 22:45 addon.d.sh
-rwxr-xr-x 1 root root    5987 2022-10-04 22:45 boot_patch.sh
-rwxr-xr-x 1 root root 1461400 1979-11-30 00:00 busybox
drwxr-xr-x 2 root root    3452 2022-10-04 22:45 chromeos
-rwxr-xr-x 1 root root  154452 1979-11-30 00:00 magisk32
-rwxr-xr-x 1 root root  323320 1979-11-30 00:00 magiskboot
-rwxr-xr-x 1 root root  210128 1979-11-30 00:00 magiskinit
-rwxr-xr-x 1 root root  218220 1979-11-30 00:00 magiskpolicy
-rwxr-xr-x 1 root root   23888 2022-10-04 22:45 util_functions.sh
freshbl:/data/adb/magisk #

Found answer in this thread...

Maybe useful for some study...

Best Regards
 

adfree

Code:
sec_build_conf_model_signing_name=SM-R870_NA_USA_EKEY0
sec_build_conf_signer_kill_switch_magic=frp
sec_build_conf_signer_version=SignerVer03
sec_build_option_new_signserver=true
sec_build_option_type=user
sec_dmverity=true
sec_factory_build=false
sec_fota_update_version=V2
sec_quickbuild_id=48727028
secureboot_auto=2.0
squashfs_sparse_flag=-s
super_block_devices=super
super_group_basic_group_size=5364514816
super_group_basic_partition_list= system vendor product odm
super_metadata_device=super
super_partition_groups=group_basic
super_partition_size=5368709120
super_super_device_size=5368709120
svb=true

Found in additional FOTA file... fota.zip

Reason for this...



I will try different recovery.img and maybe patch 1 of them... to check if this file:
Code:
wirelessd

Is the only reason why we fail with netOdin...

I can see text string mrk... maybe I will replace with fac and check if then boot.img from Combination Firmware successfully flashed...
 

adfree

Code:
default_system_dev_certificate=build/make/target/product/security/testkey

If I search for this in Google... 1 hit is this:

Code:
# Example of ALL TARGET_BUILD_VARIANTS
 [@RELEASE]
-ENG       : build/target/product/security/testkey.x509.pem
-USER      : build/target/product/security/testkey.x509.pem
-USERDEBUG : build/target/product/security/testkey.x509.pem
+ENG       : $DEFAULT_SYSTEM_DEV_CERTIFICATE/testkey.x509.pem
+USER      : $DEFAULT_SYSTEM_DEV_CERTIFICATE/testkey.x509.pem
+USERDEBUG : $DEFAULT_SYSTEM_DEV_CERTIFICATE/testkey.x509.pem
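Review bot: on the three added lines, $DEFAULT_SYSTEM_DEV_CERTIFICATE/testkey.x509.pem treats the variable as a directory, but the value quoted directly above this snippet (default_system_dev_certificate=build/make/target/product/security/testkey) already ends in the key's base name, so the expansion would be .../security/testkey/testkey.x509.pem. If the variable is a key prefix rather than a directory, the lines should read $DEFAULT_SYSTEM_DEV_CERTIFICATE.x509.pem, or the comment should state that a directory is expected. The USER row also still resolves to the test key after the change, so the comment block should say that builds meant for release need a different certificate.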


Stupid Question...

Maybe we can sign with testkey(s) boot.img

?
 

adfree

Recovery Files aka recovery.img from SM-R870 attached for study...

Maybe somebody can help...

A
DUK1
EVA8

and AVE2 from
COMBINATION_FAC_FBR0_R870XXU1AVE2_FACFAC_CL24349936_QB52279853_REV00_user_mid_noship_MULTI_CERT.tar.md5

Please maybe somebody have older Firmware and can share with me/us?

B
Please maybe somebody can share LDU aka Live Demo Unit Firmware?

Perfect for me would be SM-R870X


But maybe somebody can help to find any LDU Firmware Android 11... from other device...

I wish to know the text after SignerVer03

?

Thanx in advance.

Best Regards
 

Attachments

  • Recovery_smR870.zip

adfree

Uuupsi...

Code:
freshbl:/system/priv-app # mkdir test1
freshbl:/system/priv-app # cd test1
freshbl:/system/priv-app/test1 # rm test1
rm: test1: No such file or directory
1|freshbl:/system/priv-app/test1 # ls test1
ls: test1: No such file or directory
1|freshbl:/system/priv-app/test1 # cd ..
freshbl:/system/priv-app # rm test1
rm: test1: Is a directory
1|freshbl:/system/priv-app # rm -r test1
freshbl:/system/priv-app #


Seems I have write access... GVH2...
Code:
freshbl:/system/priv-app # mount -o remount,rw /

Will check again with open eyes...

Best Regards
 

adfree

Seems really write access to super.img... GVH2

I have copied 1 APK into /system/priv-app...

And after Factory Reset still available...

First test into Standalone Mode... later I will config with paired Phone... to see if problems...

Btw. Standalone...
Look at Screenshots...
Code:
*#0808#

If configured with Setup... then IMHO more visible...

Or is this because I set to INU as active CSC...

Best Regards

Edit 1.
Also no problem with setup via paired Phone...

Factory IME App from Combination Firmware still present... see Screenshot.
 


adfree

Hmmmmm...

After writing this post...

We never tried to remove text string ...
Code:
SEANDROIDENFORCE

... before patching with Magisk...

Magisk removes all other Samsung text after this string...

Hmmmmmmmmmmm...

For now I have focus on "super.img"... before new attempts with netOdin...

Best Regards
 

adfree

Need some time for avbtool...

Code:
./avbtool erase_footer --image boot.img

All other Tools I found remove this Samsung text SEANDROID SignerVers frp usr mrk ...

IMHO mandatory stuff for netOdin Flash...

Edit 1.

Interesting...

Code:
~/fota/OTA/tools$ LD_LIBRARY_PATH=.  ./avbtool info_image --image boot.img
Footer version:           1.0
Image size:               37748736 bytes
Original image size:      26204960 bytes
VBMeta offset:            26206208
VBMeta size:              2112 bytes
--
Minimum libavb version:   1.0
Header Block:             256 bytes
Authentication Block:     576 bytes
Auxiliary Block:          1280 bytes
Public key (sha1):        7f2828f98883db0b67fe711faa4750c6af07a16f
Algorithm:                SHA256_RSA4096
Rollback Index:           0
Flags:                    0
Release String:           'avbtool 1.1.0'
Descriptors:
    Hash descriptor:
      Image Size:            26204960 bytes
      Hash Algorithm:        sha256
      Partition Name:        boot
      Salt:                  1b5fca73a5ad6e10811398307d15fb59e85f90ebe8f3f5392f7f64daed2e041c
      Digest:                da6d639d3f23bde4a1418d3438de254f9f3cb4e9c5d8ea1387de1cb45776e1e7
      Flags:                 0

Code:
~/fota/OTA/tools$ LD_LIBRARY_PATH=.  ./avbtool extract_public_key --key avbkey_rsa4096.pem --output pubkeyEXTRACT.bin


After this...
Code:
LD_LIBRARY_PATH=.  ./avbtool erase_footer --image boot.img

I can now see this block is 512 Bytes and not part of AVB crap...

Added as HEX as not only text... easier for me...

IMHO this is the part that is deleted by Magisk and other Tools...
But seems mandatory for netOdin check...

Only as info...

Best Regards
 

adfree

Code:
aosp/avb/avbtool.v1.2.py, add_hash_footer, --image, boot.img.signed2, --flags, 0, --partition_size, 37748736, --salt, 1b5fca73a5ad6e10811398307d15fb59e85f90ebe8f3f5392f7f64daed2e041c,
--partition_name, boot, --hash_algorithm, sha256, --algorithm, SHA256_RSA4096, --rollback_index, 0, --key, aosp/avb/data/testkey_rsa4096.pem, --internal_release_string, avbtool 1.1.0]


Taken from Log from nice Linux Tool...


IMHO I think I will do exercises with unmodified Stock boot.img...


Goal is to create valid boot.img for use with netOdin...

Difference to our Magisk patched attempts...
Magisk needs more Bytes... but we have only limited space...
And the 512 Bytes with text SEANDROIDENFORCE blabla SignerVer blabla...

I will later add files and some more infos... after some tests...

Best Regards
 

adfree

Okidoki.

Tiny progress...

Seems I have something as "base"...
Code:
~/fota/OTA/tools$ LD_LIBRARY_PATH=.  ./avbtool add_hash_footer --image boot.img --flags 0 --partition_size 37748736 --salt 1b5fca73a5ad6e10811398307d15fb59e85f90ebe8f3f5392f7f64daed2e041c --partition_name boot --hash_algorithm sha256 --algorithm SHA256_RSA4096 --rollback_index 0 --key avbkey_rsa4096.pem


Now difference ... compared with Original SM-R870 GVH2 boot.img and my "selfsigned"...
Only on 2 positions...

I will upload my files for study... after short test with netOdin...

Edit 1.

Tested short my result with netOdin...
No Error and SM-R870 boot normal...


Now next attempt to sign Magisk patched boot.img... which I use successfully with Odin...
 

adfree

My SM-R870 Victim is connected via USB cable... soldered wires:

Looks like this and then I can use Odin Tool... for Phones...

Best Regards
 

Top Liked Posts

  • 2
    Anyone arriving here today; Just completed reading the whole thread.

    If you are looking ROOT on GW4 / GW5 -

    NetOdin cannot flash a patched boot image due to the security,

    Opening up the back cover, and soldering wires is a must for USB and PC Odin Flash.
    Cheers.
    2
    adfree worked that out months ago...

    By Soldering cables. Not Netodin.
    1
    make_signerv2_header.sh

    Code:
    #!/bin/bash
    
    if [[ $# != 2 ]]; then
        echo "Usage make_signerv2_header.sh [binaryname]"
        exit 0
    fi
    
    filename=`basename $1`
    imagename=${filename%.*}
    
      echo "SignerRevision=SignerVer${SIGNERVER}" > $SIGNER_ROOT_PATH/signerheader_$imagename
    
      if [[ "$SEC_RELEASE_KEY_DIR" != "" ]] ; then
        echo "QuickBuildId=${SEC_QUICKBUILD_ID}R" >> $SIGNER_ROOT_PATH/signerheader_$imagename
      else
        echo "QuickBuildId=${SEC_QUICKBUILD_ID}P" >> $SIGNER_ROOT_PATH/signerheader_$imagename
      fi
    
      echo "VersionName=$SEC_BUILD_CONF_SIGNER_VERSION_NAME" >> $SIGNER_ROOT_PATH/signerheader_$imagename
    
      echo "BuildTime=$(date +%Y%m%d%H%M%S)" >> $SIGNER_ROOT_PATH/signerheader_$imagename
    
      if [[ "$SEC_BUILD_CONF_SIGNER_MODEL_NAME" != "" ]] ; then
        echo "ModelName=$SEC_BUILD_CONF_SIGNER_MODEL_NAME" >> $SIGNER_ROOT_PATH/signerheader_$imagename
      else
        echo "ModelName=$SECURE_ARG_NAME" >> $SIGNER_ROOT_PATH/signerheader_$imagename
      fi
    
      if [[ "$SEC_BUILD_CONF_SECURE_SYSTEM_SYSMAGIC" != "" ]] ; then
        echo "SystemRPValue=$SEC_BUILD_CONF_SECURE_SYSTEM_SYSMAGIC" >> $SIGNER_ROOT_PATH/signerheader_$imagename
      else
        echo "SystemRPValue=" >> $SIGNER_ROOT_PATH/signerheader_$imagename
      fi
    
      if [[ "$SEC_BUILD_CONF_SECURE_KERNEL_SYSMAGIC" != "" ]] ; then
        echo "KernelRPValue=$SEC_BUILD_CONF_SECURE_KERNEL_SYSMAGIC" >> $SIGNER_ROOT_PATH/signerheader_$imagename
      else
        echo "KernelRPValue=" >> $SIGNER_ROOT_PATH/signerheader_$imagename
      fi
    
      if [[ $SEC_BUILD_OPTION_TYPE == "user" ]] ; then
        echo "BuildVarient=usr" >> $SIGNER_ROOT_PATH/signerheader_$imagename
      else
        echo "BuildVarient=eng" >> $SIGNER_ROOT_PATH/signerheader_$imagename
      fi
    
      echo "KillSwitchMagic=$SEC_BUILD_CONF_SIGNER_KILL_SWITCH_MAGIC" >> $SIGNER_ROOT_PATH/signerheader_$imagename
    
      if [[ $SEC_FACTORY_BUILD == "true" ]] ; then
        echo "FactoryBuild=fac" >> $SIGNER_ROOT_PATH/signerheader_$imagename
      else
        echo "FactoryBuild=mrk" >> $SIGNER_ROOT_PATH/signerheader_$imagename
      fi
    
    #should be last
      echo "BinaryName=$1" >> $SIGNER_ROOT_PATH/signerheader_$imagename
    
      python $SIGN_HEADER_SCRIPT $SIGNER_ROOT_PATH/signerheader_$imagename $imagename
    
    echo "make [$1] signerv2 header finished"



    Edit 1.

    Code:
    struct SignerInfo {
        char SignSystemRevision[16];
        char QuickBuildId[16];
        char VersionName[32];
        char BuildTime[16];
        char ModelName[32];
        char SystemRPValue[16];
        char KernelRPValue[16];
        char BuildVarient[4];        //(usr | eng)
        char KillSwitchMagic[4];    //(frp | ral)
        char FactoryBuild[4];        //(fac | mrk)
        char BinaryName[16];
        char Reserve[84];
    };

    KillSwitchMagic... hmmm what is ral

    Edit 2.

    Code:
    if (GetSignerVer(Signer_Info) != 0 && kill_switch_on) {
    #if defined(CONFIG_REACTIVATION_LOCK)
            if (!strncasecmp(Signer_Info->KillSwitchMagic, "frp", 3)) {
                lpr_err_dual("R/L is enabled, not allow download non-R/L %s binary\n", name);
                decon_string_update();
                mdelay(1000);
                return -1;
            }
    #endif
    #if defined(CONFIG_FRP_LOCK)
            if (!strncasecmp(Signer_Info->KillSwitchMagic, "ral", 3)) {
                lpr_err_dual("FRP is enabled, not allow download non-FRP %s binary\n", name);
                decon_string_update();
                mdelay(1000);
                return -1;
  • 4
    Can I ask, why would root be good for this device? What could we achieve from an actual root of a wear os watch?
    The same reason we root any device; to have full access to system resources without a naggy nanny telling us what we can and can't do with our own devices. With root, we can be creative. Without root, we have to follow rules.
    4
    A

    NO
    1 click Solution

    B

    netOdin
    AND
    Odin


    So at the moment USB connection required. Means 4 wires soldered to Watch...

    Feel free to find Solution without USB...
    My brain is too small.

    C

    Success only with old EVA8 and my SM-R870...

    If I have enough tested... then maybe 1 day in future will check newer Firmware(S)...


    D

    Magisk
    Version 24.3 patched successfully 2 files from Stock Firmware EVA8

    Code:
    boot.img
    vbmeta.img

    D.1

    My mistake was to use other device to Patch... SM-A202F Android 11...
    But this is wrong

    Better same or similar device...

    In my case I performed the Magisk step with SM-R860 FVD4

    D.2

    BUT
    additional step required to make it GW4 Security "compatible"...

    With Hex Editor of your choice... search for text string:
    Code:
    seandroid

    Remove last 11 MB... included the search text string...

    Look at attached boot.img

    E

    After Bootloader Unlock blabla stepS...

    netOdin for vbmeta TAR

    This force you to do Factory Reset in Recovery...

    WARNING!
    This is exact the step which kills Knox... so byebye warranty and some Apps...

    F

    NEXT/SECOND
    step is with ODIN and USB cable

    boot.img TAR

    G

    In next post(s) I will try to give more infos...
    Maybe Video Upload for Magisk step... because additional File Manager needed...


    Best Regards
    3
    I've unlocked bootloader, got boot.img(hashes match in update.zip and my boot.img + it boots fine), patched it and vbmeta in tar by magisk 24.3, but when I flash new boot.img, it throws me "SECURE FAILED: BOOT" error on watch and system doesn't boot, flashing unpatched boot.img gets watch to work again. Why does it happen and is there any fix? SM-R860
    Files:
    3
    The Magisk "creation"/patching part with GW4 device.

    A
    Magisk APK 24.3 successfully tested with my SM-R860 FVD4...

    Code:
    adb install Magisk-v24.3.apk


    B
    Magisk need Filemanager...
    I have installed 4 or 5 from Playstore via GW4... but ONLY this is working as it seems...

    File Explorer FTP Server
    from Nasai



    C

    I will make Video... how Magisk looks on SM-R860 aka GW4...
    Need some time...
    Will add later...


    D

    You can use Download folder... because Magisk stores result in Download...

    In other words:
    Code:
    /sdcard/Download
    3
    IMHO in 1 hour I can test...

    My Checklist...

    Code:
    A
    
    Reset SM-R870 Standalone
    No WiFi
    
    
    B
    
    *#9900#
    
    Upload enabled
    +
    Debug HIGH
    
    C
    
    Full charging
    
    
    D
    
    Bootloader unlock
    
    
    
    E
    
    netOdin Action

    I need 45 minutes for C... Charging...

    Then Bootloader Unlock... then I can try Magisk patched files... Version 25.1...
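
The footer layout discussed in this thread (the human-readable SEANDROIDENFORCE line and the SignerInfo struct), as an added example that is not part of any post: a read-only C parser that finds the footer in an image buffer and reports whether it is marked fac or mrk. It assumes the struct follows the 16-byte magic directly, which matches the field widths of the quoted GVH2 line; the function names and the sample buffer are constructed for illustration.

```c
/* Added example, not code from the thread. Assumes the 16-byte text
 * SEANDROIDENFORCE is followed directly by struct SignerInfo. */
#include <stdio.h>
#include <string.h>

#define SIGNER_MAGIC "SEANDROIDENFORCE"
#define MAGIC_LEN 16

struct SignerInfo {              /* 256 bytes of fixed-width text fields */
    char SignSystemRevision[16], QuickBuildId[16], VersionName[32];
    char BuildTime[16], ModelName[32], SystemRPValue[16], KernelRPValue[16];
    char BuildVarient[4];        /* usr | eng */
    char KillSwitchMagic[4];     /* frp | ral */
    char FactoryBuild[4];        /* fac | mrk */
    char BinaryName[16], Reserve[84];
};

/* Offset of the last magic that still has a whole struct behind it, or -1. */
long find_signer_footer(const unsigned char *img, size_t len) {
    size_t need = MAGIC_LEN + sizeof(struct SignerInfo);
    if (img == NULL || len < need) return -1;
    for (size_t i = len - need + 1; i-- > 0; )
        if (memcmp(img + i, SIGNER_MAGIC, MAGIC_LEN) == 0) return (long)i;
    return -1;
}

/* Copy the footer out of the image. Returns 0 on success, -1 if absent. */
int read_signer_info(const unsigned char *img, size_t len, struct SignerInfo *out) {
    long off = find_signer_footer(img, len);
    if (off < 0) return -1;
    memcpy(out, img + off + MAGIC_LEN, sizeof *out);
    return 0;
}

/* 1 = factory binary (fac), 0 = market binary (mrk), -1 = anything else. */
int factory_flag(const struct SignerInfo *si) {
    if (memcmp(si->FactoryBuild, "fac", 3) == 0) return 1;
    if (memcmp(si->FactoryBuild, "mrk", 3) == 0) return 0;
    return -1;
}

/* Constructed sample: 64 filler bytes plus the footer text quoted in the
 * thread for R870XXU1GVH2 boot.img; padding is written as spaces. */
size_t make_sample(unsigned char *buf, size_t cap, const char *fac_or_mrk) {
    size_t total = 64 + MAGIC_LEN + sizeof(struct SignerInfo);
    if (cap < total) return 0;
    memset(buf, 0, cap);
    memset(buf, 0xAA, 64);
    snprintf((char *)buf + 64, cap - 64,
             "%-16s%-16s%-16s%-32s%-16s%-32s%-16s%-16s%-4s%-4s%-4s%-16s",
             SIGNER_MAGIC, "SignerVer03", "55295464R", "R870XXU1GVH2",
             "20220819101306", "SM-R870_NA_USA_EKEY0", "SRPUC30A001",
             "SRPUC30A001", "usr", "frp", fac_or_mrk, "boot.img");
    return total;
}

int main(void) {
    unsigned char img[512];
    struct SignerInfo si;
    size_t n = make_sample(img, sizeof img, "mrk");
    if (read_signer_info(img, n, &si) != 0) return 1;
    printf("version=%.32s factory=%d\n", si.VersionName, factory_flag(&si));
    return 0;
}
```
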