Root Team ItsOnKyo

[rbheromax]

@cooldudezach
In IDA Pro I need u to piece together the function of verify_image and get it mem addr
I'm trying to now but you know this a lot better than I do
We can port Loki with that mem addr

 

[smartmanvartan]

holy Jesus! I was looking to see if someone had a c5155 raw image for me to flash in to the c5156 models i have so we could be on the same page and everyone just jumped right back in to this phone all over again!!! that's awesome! I need a backup of a mmcblk0 on a c5155 so that i can change the partitions around on my c5156 and be on the same page as you guys... anyone got one handy?

 

[cooldudezach]

holy Jesus! I was looking to see if someone had a c5155 raw image for me to flash in to the c5156 models i have so we could be on the same page and everyone just jumped right back in to this phone all over again!!! that's awesome! I need a backup of a mmcblk0 on a c5155 so that i can change the partitions around on my c5156 and be on the same page as you guys... anyone got one handy?

@cooldudezach
In IDA Pro I need u to piece together the function of verify_image and get it mem addr
I'm trying to now but you know this a lot better than I do
We can port Loki with that mem addr

Both probably won't happen until later this week at the earliest, and sometime next week at the latest. I'm in ATL this week!

 

[zixxorb]

I have the event and I'm pretty much game to beta test anything that you guys do if you need someone to.

Otherwise, I'd love to help in anyway possible.

Btw, did the Rise or Hydro get the new firmware updates like the Event did and can it help us do anything?

Edit: Also, can we run the software of these devices on an android emulator and try things that way?

 

[DedicatedAndroid]

i wonder if a 2nd init recovery would work on this phone?

 

[x000x]

not sure how useful this info will be but jlmancuso got a semi-working recovery on the kyocera torque. [Q] Searched many places for root for kyocera torque but no results - Post #507 - XDA Forums maybe some info can be shared between everyone that might help both parties working on this

 

[smartmanvartan]

hey guys...just checking in...anybody have a c5155 mmcblk0?

 

[zixxorb]

hey guys...just checking in...anybody have a c5155 mmcblk0?

What exactly is that? I might have it.....possibly.....

 

[smartmanvartan]

when your pulling partitions with adb, you usually pull each individual partitions(mmcblk0p1,mmcblk0p2,mmcblk0p3...etc).I need the whol block in one chunk (mmcblk0). I own three Rises but here in canada we have the c5156 with a different partition layout... this is from the compilation of rise partitions thread...

Here is the updated partition lists for the various Rises and the Event. As soon as I get my Hydro in the mail, I'll add it's partition list as well.

I'm pretty certait these are accurate from comparing other devices with Qualcomm Snapdragon S2 chips. (MSM7x30 and MSM8x55)

Sprint / Virgin Mobile Rise

mmcblk0p1          SYS_BOOT / AMSS
mmcblk0p2          DBL
mmcblk0p3          OSBL
mmcblk0p4          EXTENDED
mmcblk0p5          ABOOT
mmcblk0p6         
mmcblk0p7         
mmcblk0p8          BOOT
mmcblk0p9          ADSP
mmcblk0p10         MODEMST1
mmcblk0p11         MODEMST2
mmcblk0p12         SYSTEM
mmcblk0p13         CACHE
mmcblk0p14         PERSIST
mmcblk0p15         RECOVERY
mmcblk0p16         FOTA
mmcblk0p17         SYSPROP
mmcblk0p18         CARRIER
mmcblk0p19         DEVLOGS
mmcblk0p20         DATA

Public Mobile Rise

mmcblk0p1          SYS_BOOT / AMSS
mmcblk0p2          DBL
mmcblk0p3          OSBL
mmcblk0p4          EXTENDED
mmcblk0p5          ABOOT
mmcblk0p6         
mmcblk0p7         
mmcblk0p8          BOOT
mmcblk0p9          ADSP
mmcblk0p10         MODEMST1
mmcblk0p11         MODEMST2
mmcblk0p12         SYSTEM
mmcblk0p13         CACHE
mmcblk0p14         PERSIST
mmcblk0p15         RECOVERY
mmcblk0p16         FOTA
mmcblk0p17         SYSPROP
mmcblk0p18         DEVLOGS
mmcblk0p19         USERDATA

Virgin Mobile Event

mmcblk0p1          SYS_BOOT / AMSS
mmcblk0p2          DBL
mmcblk0p3          OSBL
mmcblk0p4          EXTENDED
mmcblk0p5          ABOOT
mmcblk0p6         
mmcblk0p7         
mmcblk0p8          BOOT
mmcblk0p9          ADSP
mmcblk0p10         MODEMST1
mmcblk0p11         MODEMST2
mmcblk0p12         SYSTEM
mmcblk0p13         CACHE
mmcblk0p14         PERSIST
mmcblk0p15         RECOVERY
mmcblk0p16         FOTA
mmcblk0p17         SYSPROP
mmcblk0p18         CARRIER
mmcblk0p19         USERDATA
mmcblk0p20         DEVLOGS
mmcblk0p21         INTERNALSD

Boost Mobile Hydro

Cricket Hydro

Edit:
I think I *might* know what 6 and 7 are for. Using this as an inaccurate guideline:
https://cooltrainer.org/2012/11/28/samsung-galaxy-s-iii-sgh-i747-complete-cm10-update-guide/
I think it's safe to say that p6/7 are fsg and backup, although I am unsure which is which.
Going by that link, this is the order of the 4 partitions listed:

mmcblk0p12         modemst1
mmcblk0p13         modemst2
mmcblk0p20         backup
mmcblk0p21         fsg

So p6 could be backup, and p7 could be fsg.
Time for some more research!

EDIT2:
Also, I was looking at the Kyocera Developers page and noticed that they have indeed actually added the source for the Event, they just mislabeled it as the Hydro. I mean, the body has some very striking similarities, and I wouldn't be surprised in the slightest if their boards weren't much different.
"Hydro C5133 4.0.4 OS (1.005VM)"

so i need to turn my c5156 into a c5155 by flashing the whole block in one shot...

 

[zixxorb]

Well i have the event so i guess that's not much help unless you can use that instead

 

[mel4787]

i have a theory. is there a way to get an old update to this phone and see if it looks for the update? if so then there may be a way to use an update.img and make the phone update through that.

 

[db2]

i have a theory. is there a way to get an old update to this phone and see if it looks for the update? if so then there may be a way to use an update.img and make the phone update through that.

... if you can sign your update with Kyocera's keys. Tricking it in to installing something unsigned will make it fail its "security" checks resulting in a bootloop that there's no recovering from.

 

[mel4787]

so the keys are needed. is there a way to get the keys from the phone itself?

 

[db2]

so the keys are needed. is there a way to get the keys from the phone itself?

No. They belong to Kyocera and Kyocera will not release them.

You'd do well to read some of the older threads here... just sayin'.

 

[smartmanvartan]

Even if you had the keys from the stock update.zip, the boot and recovery images have another level of security. It's not so much the method we flash the image over, it's the image itself. We can pull images from our rooted phones but extracting the signature itself from the image cannot be done without corrupting it. Even taking a stock recovery, not making any changes and then repacking it, just that no changes and it doesn't work. I wanna try something crazy, if we could find the exact partition that checks for this signature, if we could find that specific stage of the bootloader, then maybe we could just overwrite that specific file with a blank or one from a device with the same chipset and similar specs... now we know that a recovery from another Kyocera android phone will boot so maybe we could try using a second stage bootloader from the hydro or event mixed with the first stage bootloader from the rise then maybe it would glitch and not check properly but still boot... I don't know..there's still a few things we could try short of compiling an entirely new bootloader... I have three rises I don't mind bricking... any one else have any "outside the box ideas"?

 

[mel4787]

Even if you had the keys from the stock update.zip, the boot and recovery images have another level of security. It's not so much the method we flash the image over, it's the image itself. We can pull images from our rooted phones but extracting the signature itself from the image cannot be done without corrupting it. Even taking a stock recovery, not making any changes and then repacking it, just that no changes and it doesn't work. I wanna try something crazy, if we could find the exact partition that checks for this signature, if we could find that specific stage of the bootloader, then maybe we could just overwrite that specific file with a blank or one from a device with the same chipset and similar specs... now we know that a recovery from another Kyocera android phone will boot so maybe we could try using a second stage bootloader from the hydro or event mixed with the first stage bootloader from the rise then maybe it would glitch and not check properly but still boot... I don't know..there's still a few things we could try short of compiling an entirely new bootloader... I have three rises I don't mind bricking... any one else have any "outside the box ideas"?

interesting. hmmsince the phone checks for the security i was wondering if we could implement that same security to cwm ? what do you think

 

[lorm]

So this is only for the rise im working on the hydro life will it b da same u think?

 

[mel4787]

theory. if we erase the recovery partition what will that do? could that do something for the phone? for all we know the recovery has something in it that blocks fastboot and such

 

[smartmanvartan]

So this is only for the rise im working on the hydro life will it b da same u think?

Well the hydro life is a completely different phone..I can't speculate on that phone. The hydro(1st gen not the hydro life) is almost the same phone as the rise and that model could use whatever we would find here as a solution...

theory. if we erase the recovery partition what will that do? could that do something for the phone? for all we know the recovery has something in it that blocks fastboot and such

If you erase the recovery partition then all you have accomplished is deleting the recovery..the signature check is in one of the other partitions...

 

[mel4787]

hmm then we have to narrow that down. any clues where the security partition is located

 

[db2]

the signature check is in one of the other partitions...

Two iirc, and if either fails it's bootloop time.

 

[lorm]

Good luck you guys hope n for ya to accomplish this us hydroblife users r counting on you guys lol goodluck cuz what ya doin aint easy mane keep me updated thank you

 

[shawnsdada]

Came off as too trollish when I'm not

Original post removed by me

 

[zixxorb]

New idea...

I'm sure that everyone here knows what keyloggers are so that's the basis for this idea....

Can we write some software that makes our phone not boot without entering the keys from Kyocera then send the phone to Kyocera and have them enter the key and the software then remote uploads the key somewhere?

I know there's problems with this but what do you guys think about this for a general idea?

If it worked, could it help us?

 

[connor557]

Woo! First post on androidforums.net!

I'm totally in. Used poot root method a couple weeks ago but no recovery mod yet.