• After 15+ years, we've made a big change: Android Forums is now Early Bird Club. Learn more here.

Root Team ItsOnKyo

Jump to latest Follow Reply
Sort by date Sort by votes
TechDad378

TechDad378

Well-Known Member
Jun 2, 2013
123
17
The Shore
#1
This is for the sole purpose of putting clockworkmod on the Rise. In order to do so the bootloader will need.to be unlocked.

In order to post on this section you will need to list the top 3 tests you did while attempting this feature. If you have not tested this device list 3 things which will qualify you, to contribute to this post.

If you cannot follow above, your post will be deleted. It may sound harsh but this phone missing these features has gone on long enough.

With that said let's get to it. Here is what I know and done with this phone in no particular order.

1. I made a very informative tutorial for rooting the Rise. Just search Google for "Kyocera Rise Root" its ranked #1.

2. The tutorial can root other Kyocera devices as well.

3. I was able to determine that the Xposed framework works on the Rise.

4. The boot loader is loaded on the device by using u-boot.

5. Was able to compile a clockwork mod from builder section of the cwm site which was successful according to CWM.

6. Installed the CWM but it will not run on the device. Though the device boots normally but no recovery is found. I can revert back to original recovery and the device will work as normal.

7. The boot loader works off an absolute address. When the address is changed it will cause the device to reboot automatically. When the device cannot resolve the address change it will cause the dreaded bootloop.

8. The device uses secureboot. This was put in place by the manufacturer in order to protect their proprietary.

9. Secureboot is tough to crack but it can be bypassed by putting CWM in the memory cache. The memory cache is flushed somewhat on reboot but it can be altered to keep the CWM. The device would have to be tricked into looking for the boot loader from the cache.

9. A good understanding of u-boot will help, as well of knowledge about secure boot.

10. Will be able to reproduce install file, generic driver and CWM if needed.

Are you up for this task? Post below and welcome to "Team ItsOnKyo"...
 
#2
TechDad378 said:
This is for the sole purpose of putting clockworkmod on the Rise. In order to do so the bootloader will need.to be unlocked.

In order to post on this section you will need to list the top 3 tests you did while attempting this feature. If you have not tested this device list 3 things which will qualify you, to contribute to this post.

If you cannot follow above, your post will be deleted. It may sound harsh but this phone missing these features has gone on long enough.

With that said let's get to it. Here is what I know and done with this phone in no particular order.

1. I made a very informative tutorial for rooting the Rise. Just search Google for "Kyocera Rise Root" its ranked #1.

2. The tutorial can root other Kyocera devices as well.

3. I was able to determine that the Xposed framework works on the Rise.

4. The boot loader is loaded on the device by using u-boot.

5. Was able to compile a clockwork mod from builder section of the cwm site which was successful according to CWM.

6. Installed the CWM but it will not run on the device. Though the device boots normally but no recovery is found. I can revert back to original recovery and the device will work as normal.

7. The boot loader works off an absolute address. When the address is changed it will cause the device to reboot automatically. When the device cannot resolve the address change it will cause the dreaded bootloop.

8. The device uses secureboot. This was put in place by the manufacturer in order to protect their proprietary.

9. Secureboot is tough to crack but it can be bypassed by putting CWM in the memory cache. The memory cache is flushed somewhat on reboot but it can be altered to keep the CWM. The device would have to be tricked into looking for the boot loader from the cache.

9. A good understanding of u-boot will help, as well of knowledge about secure boot.

10. Will be able to reproduce install file, generic driver and CWM if needed.

Are you up for this task? Post below and welcome to "Team ItsOnKyo"...
Click to expand...
I'm in. Still have my hydro. Same device essentially. I'm think I'm qualified enough....
 
Upvote 0
#5
rbheromax said:
Do u think kyocera event could be used too? I have one of those too
Click to expand...
Yeah, same hardware. I have an event or two, same with the hydro, and a number of Rises.

Here is a short off-the-top-of-my-head list of stuff I've done:

1. First to really start any in-depth testing for getting CWM on the Rise

2. Identified the partition information

3. Successfully built and ran version of CWM temporarily
(also ran other peoples builds to confirm, only on Sprint/PM Rise)

4. Bricked upwards of 5-10 Rises performing tests >.>
 
Upvote 0
#8
rbheromax said:
Just a thought.....
Usually decides with emmc use LK boot loader from Qualcomm (little kernel)
NAND devices use u-boot
I think we might be using LK
Both projects are open source so that's good for us.
Click to expand...

Oh, we use LK for sure. :)

Also, just went through my LBOP (little-box-of-phones) and, to my horror, I'm missing at least one event and any hydros I have, plus at least one or two rises. :thinking: Hopefully I can find them before I leave for ATL tomorrow night lol.

But, currently my inventory of Rise-based hardware is:
1x VM Rise (1.004VM)
1x Sprint Rise (unknown, because somebody removed important APKs)
1x VM Event (1.005VM)
 
Upvote 0
#9
OK welcome fellas! Seems we seem to be floating in a few different directions here. I suggest we stay focused on one thing until each process is broken down.

Here's what I mean....
We need to first focus solely on the rise. This way, once one device is solved, the rest will follow. I say this because reading through the source code for the rise, it was designed for the devices C5155 - C5170. Since its stated in the source this means the rise will be the perfect starting point.

I agree there are a few different ways to install bootloader for other devices which have a potential to work well with the correct tweaks. But before we go ahead and start testing the loader we new to focus on how it would work off the memory cache. I know everyone is ready to dig deep into this but we need to prepare aka brainstorm first.

I chose to put this info on the forum in case someone may have any additional info to add thats viable.

With that said, can we all agree on working with just the rise for now? Then let's breakdown how we think the memory cache works on the rise.
 
Upvote 0
#11
From what I can make out of the memory, here are some thoughts...
Secureboot is very tough to crack since its hard-coded on the rise. At this time the way I think we can bypass Secure boot and install a boot loader is by storing in on the memory cache.

This process should work with the correct tweaks. The reason I believe this is because the Xposed Framework works on the Rise. Xposed runs off the memory cache which means a stored boot loader can work as well.

The memory has an absolute address of 512kb. It seems the address is added at the beginning and end of each sector while the phone is loading. They put a padding of 1mb on the memory cache since there is no way of knowing how big the cache would be at any given moment. This padding seems like a good location to insert the boot loader.

Now the problem is that during reboot the memory is flushed to a certain point which I can figure out where that point is located. Since I am not sure what is the absolute address.

Another approach is on the while the address is shuffled during boot. Looking into the way u-boot works seems there is a point where an empty sector loads with just the absolute address. If we can somehow insert the boot loader into the empty sector the memory cache can be used as a backup location...

Any thoughts?

@Rbh what's up? Looks like you been ready for this and yea I already knew you qualified.
But the fact part of the memory flushes is that modules from Xposed would disappear on reboot yet the framework and other modules would always stay? The modules worked fine even after reinstalling. Which is why parts of the memory is flushed.
 
Upvote 0
#12
TechDad378 said:
From what I can make out of the memory, here are some thoughts...
Secureboot is very tough to crack since its hard-coded on the rise. At this time the way I think we can bypass Secure boot and install a boot loader is by storing in on the memory cache.

This process should work with the correct tweaks. The reason I believe this is because the Xposed Framework works on the Rise. Xposed runs off the memory cache which means a stored boot loader can work as well.

The memory has an absolute address of 512kb. It seems the address is added at the beginning and end of each sector while the phone is loading. They put a padding of 1mb on the memory cache since there is no way of knowing how big the cache would be at any given moment. This padding seems like a good location to insert the boot loader.

Now the problem is that during reboot the memory is flushed to a certain point which I can figure out where that point is located. Since I am not sure what is the absolute address.

Another approach is on the while the address is shuffled during boot. Looking into the way u-boot works seems there is a point where an empty sector loads with just the absolute address. If we can somehow insert the boot loader into the empty sector the memory cache can be used as a backup location...

Any thoughts?

@Rbh what's up? Looks like you been ready for this and yea I already knew you qualified.
But the fact part of the memory flushes is that modules from Xposed would disappear on reboot yet the framework and other modules would always stay? The modules worked fine even after reinstalling. Which is why parts of the memory is flushed.
Click to expand...

Just so I'm not going crazy, what is the difference between u-boot and LK? Are they part of one-another or are they separate bootloaders?
 
Upvote 0
#13
Iirc They are separate projects for different flash based devices (nand vs emmc)
I don't think we need a mem cache hack but rather a secure boot hack. I did talk to djrbliss a while back about this, he said Loki would not work for us. I think because the flaw wasn't in the code yet. I'm sire its there just formatted differently. I think we should explore that since its something already documented and easy to work toward. Something similar to loki
 
Upvote 0
#14
rbheromax said:
Iirc They are separate projects for different flash based devices (nand vs emmc)
I don't think we need a mem cache hack but rather a secure boot hack. I did talk to djrbliss a while back about this, he said Loki would not work for us. I think because the flaw wasn't in the code yet. I'm sire its there just formatted differently. I think we should explore that since its something already documented and easy to work toward. Something similar to loki
Click to expand...

Okay, I thought so. We def. have LK though.

I'll second the secure boot hack, although I don't know how to help with it yet. :)
 
Upvote 0
#15
read up:
Azimuth Security: Exploiting Samsung Galaxy S4 Secure Boot

Dan explaining how he did it ^^

https://www.codeaurora.org/blogs/little-kernel-based-android-bootloader

How Kyocera disabled fastboot^^

https://gitorious.org/embedded/lk/source/742f31efdcca153d46e2908ab69ad57374fc616a:

Oldest source for LK I could find. Last commit in 2010 which is around the time the Snapdragon S1 (qsd8k) came out, and Qualcomm was about ready to release the Snapdragon S2 (msm7x30). We are the Snapdragon S2, so I think this may be close to the source that Kyocera was playing with. I'll dig a lil more to see if I can find some good repo's of LK. Thank god its open source :D
 
Upvote 0
#16
TechDad378 said:
With that said, can we all agree on working with just the rise for now? Then let's breakdown how we think the memory cache works on the rise.
Click to expand...

So, which version of the Rise do you intend to work with?

Sprint / VM are the same model #: C5155
PM is a different model #: C5156

Sprint / PM can both enter into fastboot, and temp boot with fastboot boot
VM cannot do either.
 
Upvote 0
#18
rbheromax said:
read up:
Azimuth Security: Exploiting Samsung Galaxy S4 Secure Boot

Dan explaining how he did it ^^

https://www.codeaurora.org/blogs/little-kernel-based-android-bootloader

How Kyocera disabled fastboot^^

https://gitorious.org/embedded/lk/source/742f31efdcca153d46e2908ab69ad57374fc616a:

Oldest source for LK I could find. Last commit in 2010 which is around the time the Snapdragon S1 (qsd8k) came out, and Qualcomm was about ready to release the Snapdragon S2 (msm7x30). We are the Snapdragon S2, so I think this may be close to the source that Kyocera was playing with. I'll dig a lil more to see if I can find some good repo's of LK. Thank god its open source :D
Click to expand...

Who wants to crawl through IDA Pro to reverse engineer the bootloader for a security exploit? Any good tutorials on the topic that I could peruse through whilst on vacation next week? (Yes, I'm being lazy and not googling because I'm sick and at work.)


edit:
removed for reasons. :)
 
Upvote 0
#19
cooldudezach said:
Who wants to crawl through IDA Pro to reverse engineer the bootloader for a security exploit? Any good tutorials on the topic that I could peruse through whilst on vacation next week? (Yes, I'm being lazy and not googling because I'm sick and at work.)


Off Topic:
Hey, rb, how's the work going over in the ZTE threads? I need to bet back over there, but I'm just now getting back into the swing of things again. I finally played Minecraft for the first time in months the other day, which is huge for me XD Also, I'm here lol. I don't want to jump back in over there just yet, too much to catch up on for me at the moment. It's on my list atm though. I also went through my ZTE stocks cuz they were in my LBOP too. :) I have:
2 Imperial, 1 Awe, 1 Mustang (wont poweron/charge, broken screen), 2 source (never did send jtx-whatshisname one >.>), and like, 7/8 Warp 4g's
Click to expand...

I dont want to have to do it, although I wouldn't really mind as I have nothing to do anyways. If someone can send me aboot I'll see what I can come up with. Something tells me there is a lot to find inside that little partition. More than we think we know.

N dude! send me a Warp! lol
lets keep the off topic stuff in PM's
 
Upvote 0
#20
rbheromax said:
I dont want to have to do it, although I wouldn't really mind as I have nothing to do anyways. If someone can send me aboot I'll see what I can come up with. Something tells me there is a lot to find inside that little partition. More than we think we know.

N dude! send me a Warp! lol
lets keep the off topic stuff in PM's
Click to expand...

I'll look into getting aboot for you. :)

EDIT: Got it! Also, it is NOT a zip, so remove the .zip extension. It was the quickest way for me to attach it. The school computers dont let me right click, so I couldn't actually zip it ;)

EDIT2: I'm going to leave this here:
http://androidforums.com/rise-all-t...on-kyocera-rise-stock-images.html#post6152366
It's my list of partition names I put together (after many tedious hours of pooling through my hex editor!) from the compilation thread. :)
 

Attachments

  • rb-aboot.img.zip
    4 MB · Views: 272
Upvote 0
#22
mel4787 said:
wait someone mentioned xposed and it used the memory block. hmm more interesting to see a backup bootloader to be ported into the memory block. that means we can build a module to access the bootloader while having a backup bootloader in case something happens
Click to expand...

I'm not sure exactly how it would work, but I can probably guarantee you it wont be a 'module' that is run via xposed. It would be a bootloader that is placed into memory cache that is ran upon startup, or something along those lines. Somebody correct me if I'm wrong.

However, I don't think that is the route we will/should pursue right now.
 
Upvote 0
You must log in or register to reply here.

BEST TECH IN 2023

We've been tracking upcoming products and ranking the best tech since 2007. Thanks for trusting our opinion: we get rewarded through affiliate links that earn us a commission and we invite you to learn more about us.

Smartphones

Best Android Phones

See All
  1. Google Pixel 8 Pro Check Price
  2. Samsung Galaxy S23 Ultra Check Price
  3. Samsung Galaxy Z Fold5 Check Price
  4. Google Pixel 8 Check Price
  5. Samsung Galaxy S23 Check Price

Upcoming

See All
  1. Samsung Galaxy S24 Early Access

Best iPhones

See All
  1. Apple iPhone 15 Pro Max Check Price
  2. Apple iPhone 15 Pro Check Price
  3. Apple iPhone 15 Plus Check Price
  4. Apple iPhone 15 Check Price
  5. Apple iPhone SE (2022) Check Price

Upcoming

See All
  1. Apple iPhone 16 Early Access

Tablets

Best Tablets

See All
  1. Samsung Galaxy Tab S9 Ultra Check Price
  2. Apple iPad Pro (2022) Check Price
  3. Apple iPad Air (2022) Check Price
  4. Apple iPad Mini (2021) Check Price
  5. Microsoft Surface Pro 9 Check Price

Upcoming

See All
  1. Apple iPad Air 6 Early Access
  2. Apple iPad Fold Early Access

Laptops

Best Laptops

See All
  1. Apple Macbook Pro Check Price
  2. Apple Macbook Air (2023) Check Price
  3. Dell XPS 13 Check Price
  4. Acer Chromebook Spin 714 Check Price
  5. Dell Alienware m18 (2022) Check Price

Upcoming

See All
  1. Microsoft Surface Laptop 6 Early Access
  2. Microsoft Surface Pro 10 Early Access

Televisions

Best TVs

See All
  1. Samsung The Frame TV Check Price
  2. Samsung Neo QLED 4K QN90C Check Price
  3. LG G3 OLED Check Price
  4. LG A2 OLED Check Price
  5. ROKU Plus Series Check Price
  6. Samsung S90C OLED Check Price
  7. SunBriteTV Veranda 3 Check Price

Upcoming

See All
  1. Hisense 110UX ULED X TV Early Access

Game Consoles

Best Game Consoles

See All
  1. Nintendo Switch OLED Check Price
  2. Microsoft XBOX Series X Check Price
  3. Sony Playstation 5 Check Price
  4. Microsoft XBOX Series S Check Price
  5. Nintendo Switch Lite Check Price

Upcoming

See All
  1. Nintendo Switch 2 Early Access

Wearables

Best Wearables

See All
  1. Oura Ring 3 Check Price
  2. Apple Watch Series 9 Check Price
  3. Google Pixel Watch 2 Check Price
  4. Samsung Galaxy Watch 6 Classic Check Price
  5. Fitbit Inspire 3 Check Price
  6. Amazfit Amazfit Band 7 Check Price
  7. Apple Watch SE Check Price
  8. Apple Watch Ultra 2 Check Price

Upcoming

See All
  1. Samsung Galaxy Watch 7 Early Access

Smart Home

Smart Home Tech

See All
  1. Amazon Echo (4th Gen) Check Price
  2. Schlage Encode Smart Lock Check Price
  3. Amazon Blink Smart Cameras Check Price
  4. Google Nest Thermostat Check Price
  5. Phillips Hue Smart Lights Check Price

Upcoming

See All
  1. Apple Homepod Vision Early Access

Similar threads

Astr4y4L
ROM Arrow OS latest and OPTIONAL DualBoot for Motorola G7 plus (lake)
Replies
0
Views
3K
Motorola
Astr4y4L
Astr4y4L
Upvote 0
Samsung
  • Suggestion
Samsung Electronics Announces Third Quarter 2023 Results
Replies
0
Views
830
Breaking News
Samsung
Samsung
N
[MTK][Root] TCL 20 XE 5087Z Root and Unlock Bootloader Guide
Replies
1
Views
9K
Rooting
Nostii
N
Upvote 0
Samsung
  • Suggestion
[Interview] Movie-Quality Audio From the Comfort of Your Home: Meet the Leaders of Next-Generation 3D Audio Technology
Replies
0
Views
200
Breaking News
Samsung
Samsung
Astr4y4L
[ROM] [ROOT] [Moto G Pure] [LiniageOS 20] [OrangeFox] Android 13 and ROOT with Recovery
Replies
27
Views
31K
Motorola
JuanDavid
J
Top Bottom
Back
Jump to latest Follow Reply
Jump to latest Follow Reply