Nokia 8000 rooting research thread

[Luxferre]

Hi folks,

So, I have encountered a semi-working firehose (will not publish it until the whole end-to-end rooting solution is found, but feel free to reach out to me in Discord) that can only read up to 300 or so 512-byte sectors at a time but writes the whole partitions successfully (even using the recent official bkerler's edl.py version).

What is known as of today's morning:

1. We can rewrite the recovery partition freely, since it gets restored to stock on each "normal" boot anyway.

2. If we flash Gerda Recovery "as is", we boot into a white screen (no surprise, different display drivers) but still get a rooted ADB shell, which is more than enough.

3. If we mount the persist partition and put the __post_reset_cmd__ file with root string there, the system will NOT switch into the privileged mode. They removed this mechanism in 2.3.4, and we must find another way of doing things.

4. The SELinux mechanism also gets in the way of doing things (even if we enable engmode-extension in the apps, the engine will still be unable to start commands as root anymore), and it also can't be removed without patching the boot partition (say goodbye to stock OTA updates, that is)

So, the current plan is:

1. Use Gerda Recovery as a one-time proxy for partition dumping via dd+ADB or general FS exploration.

2. Create some script (or even Docker container) to dynamically patch the boot image (remove secure flags, disable SELinux, replace adbd with rooted one).

3. Use normal edl.py with that firehose to restore the boot image or flash a new one.

Unfortunately, I don't see any other way of rooting the Sparkler, that is, without tampering system partitions. But as long as you have the original boot.img backed up, that shouldn't be a problem.

Stay tuned!

P.S. Please refrain from off-topic here. Off-topic messages (not related to 8000 rooting or privileged mode) will be deleted at once.

[Luxferre]

Preliminary rooting has been performed. Dockerfile and all related scripts/files will be released within 2 days.

[Luxferre]

Dockerized boot image patcher is out: https://gitlab.com/suborg/8k-boot-patcher

The patch disables basic security checks, updates the ADB daemon to the permanently rooted one and switches SELinux to permissive mode. It also preserves the original image by copying to the boot-orig.img file.

Obviously, needs a working x86 Docker installation to run. See the instructions in the README.

[Luxferre]

Limited-capability firehose loader for 8000/6300 4G (except US versions - they have different hardware) updated on edl.bananahackers.net - it can't dump whole partitions correctly but it can write them.

Given all the limitation, the full rooting instruction will be shared in the next post.

[Luxferre]

So, here are the current rooting instructions.

What you will need:

- a non-US-based Nokia 8000 or 6300 4G (in my example, it's 8000 4G TA-1303);

- a working ADB installation;

- a working Docker and Git installation;

- a (somewhat) working firehose loader MBN file (see @ edl.bananahackers.net);

- a method to replace partitions via EDL (in my example and instructions, it's Python 3.9 and bkerler's edl.py v3.1 release);

- an image of Gerda Recovery in case you don't already have a more reliable way to read partitions from the phone (in my case, I don't).

Rooting process is divided into three stages: boot partition pulling, boot image patching and boot partition replacing. Let's review them one by one.

First, I'll remind you how to switch the phone into EDL mode:

From the turned on state if you have ADB working with *#*#debug#*#* code: adb reboot edl

From the turned off state: insert USB cable while holding * and # at the same time. The screen should blink with KaiOS logo and become black.

Now, let's go!

Stage 1: Pulling the boot partition image

Here, we exploit the fact that OS will rewrite the recovery partition on the next "normal" boot anyway. So, we temporarily write the Gerda Recovery without worrying about stock state and then pull the image via ADB console.

1. Switch the phone into EDL mode.

2. Flash the Gerda Recovery: python edl.py w recovery /path/to/recovery-8110.img --loader=/path/to/8k.mbn

3. Without doing anything else, disconnect the phone from PC and remove the battery. Then insert the battery back.

4. Turn the phone on while holding * key only. Normally, it should boot into stock recovery, but now it should boot into a white screen (that's totally normal, 8110's and 8000's display drivers are different).

5. Connect the phone back to PC and check its availability with adb devices command.

6. Pull the boot image from the phone: adb pull /dev/block/bootdevice/by-name/boot boot.img

7. Reboot the phone into normal mode with adb reboot or, if it doesn't work, just by reinserting the battery.

Now we have the boot.img pulled from the phone and recovery automatically restored to stock. Let's patch our boot!

Stage 2: Patching the boot partition image

Note: keep the original boot.img file backup somewhere safe in case you need to restore it (for instance, to re-enable stock OTA updates)!

1. Pull the patcher image source: git clone https://gitlab.com/suborg/8k-boot-patcher.git && cd 8k-boot-patcher

2. Build the patcher image: docker build -t 8kbootpatcher . (note the dot in the end of the command - it's important)

3. Ensure that the boot.img file is called exactly boot.img and put into some directory (say, /path/to/image/dir).

4. Run the patching process according to the README: docker run --rm -it -v /path/to/image/dir:/image 8kbootpatcher

5. The boot.img will be patched. The original file will be copied into boot-orig.img.

Stage 3: Replacing the boot partition with the patched image

1. Switch the phone into EDL mode again.

2. Flash the image: python edl.py w boot /path/to/patched/boot.img --loader=/path/to/8k.mbn

3. Reboot the phone into the normal mode: python edl.py reset

That's it! Now, if you enter ADB, your shell will be rooted, getprop ro.secure will return 0 and getenforce will return Permissive. Just as planned.

To restore the stock boot, just repeat stage 3 with the original boot.img backup made in stage 1.

P.S. Depending on your distribution, you may want to use python3 command instead of just python in the examples above.

Have fun!

[Mg]

Is it worth doing this whole long process what can I do if the device is rooting?

[hagen]

Thank you @Luxferre for the amazing work! I successfully rooted my 6300!

Just some remarks, since I stumbled over some things using Fedora:

The only edl.py that worked for me was this one, but not the one from master branch: https://github.com/bkerler/edl/tree/3.1
On Fedora, do `sudo dnf install python-devel`, if installing pylzma fails

Append `blacklist qcserial` to `/etc/modprobe.d/blacklist.conf` in case of USB access problems and check your udev rules

Using podman instead of docker:

`podman build -t 8kbootpatcher .`

`podman run --rm -it --security-opt label=disable -v /path/to/image/dir:/image 8kbootpatcher`

[postapczuk]

Hello!

I'm using Nokia 8k. I followed this instruction but it would be great to know what is the proper output, as my concern is:

1. after executing edl.py I'm getting:
Capstone and Keystone libraries missing.
Qualcomm Sahara / Firehose Client V3.1 (c) B.Kerler 2018-2021.
Library.utils - Using loader ~/8k.mbn ...
Library.utils - Waiting for the device
Library.utils - Device detected :)
Device is in Sahara error state, please reboot the device.
Library.utils - Mode detected: sahara

Sahara in error state, resetting ...

This doesn't sound good.

2. then after executing adb pull I'm getting:
adb: error: remote object '/dev/block/bootdevice/by-name/boot' does not exist

As you can see I'm not able to pull the boot image. Could you help me? I guess explanation would also help for the future cases :)

[Luxferre]

Please read the instructions carefully. You must not use adb to pull the image, you must use edl utility of your choice (the example above is edl.py) after you connected in the edl mode.

[postapczuk]

Firstly: Thanks for your great work and quick response!

Secondly:

In 6'th point of first step 1 there is info to use adb to pull the image. I've tried to use edl.py instead (python edl.py r ...) but without success...

I'm not sure if edl.py is working correctly for me, as I fixed the issue with line `Capstone and Keystone libraries missing.` by installing them, but still I have almost the output while executing python edl.py w recovery ~/Pobrane/v13recovery_gerdaos.img --loader=~/Pobrane/8k.mbn :

Qualcomm Sahara / Firehose Client V3.1 (c) B.Kerler 2018-2021.
Library.utils - Using loader ~/8k.mbn ...
Library.utils - Waiting for the device
Library.utils - Device detected :)
Device is in Sahara error state, please reboot the device.
Library.utils - Mode detected: sahara

Sahara in error state, resetting ...

Then, when I insert the cable with "*" I still see standard recovery view not the white screen.

So again - is this correct ourput, or is there something wrong in the log?

[Luxferre]

The output is not correct. You must first flash the recovery and boot into it without booting in the system. And you whould see the white screen. I don't know what to do with "Sahara in error state".

[postapczuk]

Ok I've managed it. The solution is to use latest master of edlpy instead 3.1 tag.

[Longer Than This]

You can make an video tutorial to help me root nokia 8000 4g ? I think it so hard ( After i switch phone to edl mode and recovery phone i've lost all app :( )

Vào lúc 00:26:59 UTC+7 ngày Chủ Nhật, 20 tháng 6, 2021, postapczuk đã viết:

[Adam Dawes]

Is there any update to being able to root the US version of the 6300? Per Luxferre in March, that hadn't been figured out yet due to different hardware.

Any success?

[Heinz Hempel]

Hi.

I try to root the Nokia 8000 4G. I did follow the instructions but I get this error:

PS C:\Users\anonym\Desktop\Kaios\edl_github\edl> python edl.py w recovery C:\Users\anonym\Desktop\Kaios\recovery-8110.img --loader=C:\Users\anonym\Desktop\Kaios\8k.mbn
Qualcomm Sahara / Firehose Client V3.52 (c) B.Kerler 2018-2021.
main - Using loader C:\Users\anonym\Desktop\Kaios\8k.mbn ...
main - Waiting for the device
Traceback (most recent call last):
  File "C:\Users\anonym\Desktop\Kaios\edl_github\edl\edl.py", line 362, in <module>
    base.run()
  File "C:\Users\anonym\Desktop\Kaios\edl_github\edl\edl.py", line 255, in run
    mode, resp = self.doconnect(loop, mode, resp)
  File "C:\Users\anonym\Desktop\Kaios\edl_github\edl\edl.py", line 177, in doconnect
    self.cdc.connected = self.cdc.connect()
  File "C:\Users\anonym\Desktop\Kaios\edl_github\edl\edl\Library\usblib.py", line 266, in connect
    self.configuration = self.device.get_active_configuration()
  File "C:\Users\anonym\Desktop\Kaios\python\lib\site-packages\usb\core.py", line 921, in get_active_configuration
    return self._ctx.get_active_configuration(self)
  File "C:\Users\anonym\Desktop\Kaios\python\lib\site-packages\usb\core.py", line 113, in wrapper
    return f(self, *args, **kwargs)
  File "C:\Users\anonym\Desktop\Kaios\python\lib\site-packages\usb\core.py", line 249, in get_active_configuration
    self.managed_open()
  File "C:\Users\anonym\Desktop\Kaios\python\lib\site-packages\usb\core.py", line 113, in wrapper
    return f(self, *args, **kwargs)
  File "C:\Users\anonym\Desktop\Kaios\python\lib\site-packages\usb\core.py", line 131, in managed_open
    self.handle = self.backend.open_device(self.dev)
  File "C:\Users\anonym\Desktop\Kaios\python\lib\site-packages\usb\backend\libusb1.py", line 804, in open_device
    return _DeviceHandle(dev)
  File "C:\Users\anonym\Desktop\Kaios\python\lib\site-packages\usb\backend\libusb1.py", line 652, in __init__
    _check(_lib.libusb_open(self.devid, byref(self.handle)))
  File "C:\Users\anonym\Desktop\Kaios\python\lib\site-packages\usb\backend\libusb1.py", line 600, in _check
    raise NotImplementedError(_strerror(ret))
NotImplementedError: Operation not supported or unimplemented on this platform

As you can see I use Windows. Could that be the problem?

Thanks in advance.

Heinz Hempel

[bagavathi raja]

Hello All,

I have bricked my Nokia 8000 4g . Could someone please share stock rom for Nokia 8000 4G.

Thanks in Advance

Thanks & Regards

[Luxferre]

As you can see, operation is unimplemented, so try using emmcdl or other similar tool instead of edl.py.

[Luxferre]

So, as of now, a new firehose has been found for 8000 and non-US 6300 4G, updated here: https://edl.bananahackers.net/loaders/8k.mbn

Now, you can just directly read the boot partition without having to fiddle with recovery.

[Mikpu]

Hello!

I have only been learning about all this for the last two days so please bear with my ignorance.

I've been working with my Nokia 2720 Flip and this is what I've learned so far:

I used this guide: https://wiki.bananahackers.net/development/edl   

The 2720.mbn loader from https://edl.bananahackers.net/loaders seems to work fine on windows.

However, I have absolutely no idea how to patch the boot img  with the docker/git thingy on windows, 

nor have I found any guide to do so yet.

I then installed Linux (for the first time ever) and the docker and git does work there but then the 2720.mbn loader does not! 

Someone else seems to have had the same problem: https://groups.google.com/g/bananahackers/c/2L9MZrdpXoI/m/sGc5QHebBwAJ

The only solution on that thread seems to be to wait for a working loader to come out...

So I'm wondering:

Would it be possible to

-pull the boot partition image on windows, 

-move it to linux, patch it there using the docker thingy, 

-then bring it back to windows to flash it in?

[Mikpu]

Update: 

I tried the above and managed to root? 

In the ADB shell, the  getprop ro.secure  does return  0  but  getenforce  returns  Enforcing  and not  Permissive ??

What does that mean??? 

The device still connected to WebIDE unlike before and managed to install several apps as shown in the guides on the b hackers site.

-OmniSD shows the list of .zip files on the app/downloads folder in the SD card but does nothing on pressing install.

-The bHacker by perry app however says "Incompatible data, try updating the app" on the device itself and on the webIDE it shows this: 

app submission to the Marketplace requires a 128px icon

‘certified’ apps are not fully supported on the App manager.

-I'm unable to install quite a lot of apps like BananaHackers-Web app, instagram, Pacman online etc as it shows warnings errors:

Unable to access the app starting document like ‘file:///home/mikpu/Downloads/nokia%202720%20apps/Pacman%20(online%20PWA)/application/index.html’

and

‘certified’ apps are not fully supported on the App manager.

Is this because of the wack rooting process that I went through? Or am I missing something here?

Much Appreciated!!!

[Luxferre]

This is an expected behavior. The root shell still should be available there.

Forget about OmniSD on this device. Just forget. They removed the necessary APIs to install apps in an autonomous fashion. You can only use WebIDE/gdeploy now.

And the "‘certified’ apps are not fully supported on the App manager" warning can be safely ignored.