Nokia 8000 rooting research thread

Luxferre

Mar 19, 2021, 2:27:16 AM
to comp.mobile.nokia.8110
Hi folks,

So, I have encountered a semi-working firehose (will not publish it until the whole end-to-end rooting solution is found, but feel free to reach out to me in Discord) that can only read up to 300 or so 512-byte sectors at a time but writes the whole partitions successfully (even using the recent official bkerler's edl.py version).

What is known as of today's morning:

1. We can rewrite the recovery partition freely, since it gets restored to stock on each "normal" boot anyway.
2. If we flash Gerda Recovery "as is", we boot into a white screen (no surprise, different display drivers) but still get a rooted ADB shell, which is more than enough.
3. If we mount the persist partition and put the __post_reset_cmd__ file with root string there, the system will NOT switch into the privileged mode. They removed this mechanism in 2.3.4, and we must find another way of doing things.
4. The SELinux mechanism also gets in the way of doing things (even if we enable engmode-extension in the apps, the engine will still be unable to start commands as root anymore), and it also can't be removed without patching the boot partition (say goodbye to stock OTA updates, that is)

So, the current plan is:

1. Use Gerda Recovery as a one-time proxy for partition dumping via dd+ADB or general FS exploration.
2. Create some script (or even Docker container) to dynamically patch the boot image (remove secure flags, disable SELinux, replace adbd with rooted one).
3. Use normal edl.py with that firehose to restore the boot image or flash a new one.

Unfortunately, I don't see any other way of rooting the Sparkler, that is, without tampering system partitions. But as long as you have the original boot.img backed up, that shouldn't be a problem.

Stay tuned!

P.S. Please refrain from off-topic here. Off-topic messages (not related to 8000 rooting or privileged mode) will be deleted at once.

Luxferre

Mar 19, 2021, 9:02:23 AM
to comp.mobile.nokia.8110
Preliminary rooting has been performed. Dockerfile and all related scripts/files will be released within 2 days.

Luxferre

Mar 20, 2021, 5:27:45 AM
to comp.mobile.nokia.8110
Dockerized boot image patcher is out: https://gitlab.com/suborg/8k-boot-patcher

The patch disables basic security checks, updates the ADB daemon to the permanently rooted one and switches SELinux to permissive mode. It also preserves the original image by copying to the boot-orig.img file.
Obviously, needs a working x86 Docker installation to run. See the instructions in the README.

Luxferre

Mar 20, 2021, 5:42:33 AM
to comp.mobile.nokia.8110
Limited-capability firehose loader for 8000/6300 4G (except US versions - they have different hardware) updated on edl.bananahackers.net - it can't dump whole partitions correctly but it can write them.

Given all the limitations, the full rooting instructions will be shared in the next post.

Luxferre

Mar 20, 2021, 6:27:45 AM
to comp.mobile.nokia.8110
So, here are the current rooting instructions.

What you will need:

- a non-US-based Nokia 8000 or 6300 4G (in my example, it's 8000 4G TA-1303);
- a working ADB installation;
- a working Docker and Git installation;
- a (somewhat) working firehose loader MBN file (see @ edl.bananahackers.net);
- a method to replace partitions via EDL (in my example and instructions, it's Python 3.9 and bkerler's edl.py v3.1 release);
- an image of Gerda Recovery in case you don't already have a more reliable way to read partitions from the phone (in my case, I don't).

The rooting process is divided into three stages: boot partition pulling, boot image patching and boot partition replacing. Let's review them one by one.

First, I'll remind you how to switch the phone into EDL mode:

- From the turned-on state, if you have ADB working with the *#*#debug#*#* code: `adb reboot edl`
- From the turned-off state: insert the USB cable while holding * and # at the same time. The screen should blink with the KaiOS logo and become black.

Now, let's go!

Stage 1: Pulling the boot partition image

Here, we exploit the fact that OS will rewrite the recovery partition on the next "normal" boot anyway. So, we temporarily write the Gerda Recovery without worrying about stock state and then pull the image via ADB console.

1. Switch the phone into EDL mode.
2. Flash the Gerda Recovery: `python edl.py w recovery /path/to/recovery-8110.img --loader=/path/to/8k.mbn`
3. Without doing anything else, disconnect the phone from the PC and remove the battery. Then insert the battery back.
4. Turn the phone on while holding the * key only. Normally, it should boot into stock recovery, but now it should boot into a white screen (that's totally normal, 8110's and 8000's display drivers are different).
5. Connect the phone back to the PC and check its availability with the `adb devices` command.
6. Pull the boot image from the phone: `adb pull /dev/block/bootdevice/by-name/boot boot.img`
7. Reboot the phone into normal mode with `adb reboot` or, if it doesn't work, just by reinserting the battery.

Now we have the boot.img pulled from the phone and recovery automatically restored to stock. Let's patch our boot!

Stage 2: Patching the boot partition image

Note: keep the original boot.img file backup somewhere safe in case you need to restore it (for instance, to re-enable stock OTA updates)!

1. Pull the patcher image source: `git clone https://gitlab.com/suborg/8k-boot-patcher.git && cd 8k-boot-patcher`
2. Build the patcher image: `docker build -t 8kbootpatcher .` (note the dot at the end of the command - it's important)
3. Ensure that the boot.img file is called exactly boot.img and put into some directory (say, /path/to/image/dir).
4. Run the patching process according to the README: `docker run --rm -it -v /path/to/image/dir:/image 8kbootpatcher`
5. The boot.img will be patched. The original file will be copied into boot-orig.img.

Stage 3: Replacing the boot partition with the patched image

1. Switch the phone into EDL mode again.
2. Flash the image: `python edl.py w boot /path/to/patched/boot.img --loader=/path/to/8k.mbn`
3. Reboot the phone into the normal mode: `python edl.py reset`

That's it! Now, if you enter ADB, your shell will be rooted, getprop ro.secure will return 0 and getenforce will return Permissive. Just as planned.

To restore the stock boot, just repeat stage 3 with the original boot.img backup made in stage 1.

P.S. Depending on your distribution, you may want to use python3 command instead of just python in the examples above.

Have fun!
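
Added example, not part of the original post or of the 8k-boot-patcher project: a sanity check for the boot.img pulled in stage 1, run before patching or flashing anything, so that a short or corrupted read is caught while the stock image can still be re-pulled. It assumes the partition holds a standard Android-format boot image (v0 header layout); `check_boot_image`, `pages` and the constructed `make_sample` input are names introduced here.

```python
import hashlib
import struct

BOOT_MAGIC = b"ANDROID!"
# v0 header: magic, kernel size/addr, ramdisk size/addr, second size/addr,
# tags addr, page size, two version-dependent words, name[16], cmdline[512].
HEADER = struct.Struct("<8s10I16s512s")


def pages(size: int, page: int) -> int:
    """Number of whole pages needed to hold `size` bytes."""
    return -(-size // page)


def check_boot_image(data: bytes) -> dict:
    """Validate a pulled boot partition dump; raise ValueError if it looks bad."""
    if len(data) < HEADER.size:
        raise ValueError("dump is shorter than a boot image header")
    f = HEADER.unpack_from(data)
    magic, k_size, r_size, s_size, page = f[0], f[1], f[3], f[5], f[8]
    if magic != BOOT_MAGIC:
        raise ValueError("no ANDROID! magic: wrong partition or corrupted read")
    if page < 2048 or page & (page - 1):
        raise ValueError(f"implausible page size {page}")
    if k_size == 0 or r_size == 0:
        raise ValueError("kernel or ramdisk size is zero")
    # Lower bound only: an image may carry further sections after these.
    needed = page * (1 + pages(k_size, page) + pages(r_size, page) + pages(s_size, page))
    if needed > len(data):
        raise ValueError(f"truncated: header needs {needed} bytes, got {len(data)}")
    return {
        "page_size": page,
        "min_image_bytes": needed,
        "cmdline": f[12].split(b"\0", 1)[0].decode("ascii", "replace"),
        "sha256": hashlib.sha256(data).hexdigest(),
    }


def make_sample(kernel=b"K" * 3000, ramdisk=b"R" * 100, page=2048) -> bytes:
    """Constructed stand-in for a real dump, with trailing partition padding."""
    hdr = HEADER.pack(BOOT_MAGIC, len(kernel), 0, len(ramdisk), 0, 0, 0, 0,
                      page, 0, 0, b"", b"console=null")
    parts = (p.ljust(pages(len(p), page) * page, b"\0") for p in (hdr, kernel, ramdisk))
    return b"".join(parts) + b"\0" * page


if __name__ == "__main__":
    import sys
    data = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else make_sample()
    print(check_boot_image(data))
```

Record the reported sha256 next to the backup and compare it again before restoring the stock image in stage 3.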

Mg

Mar 23, 2021, 6:48:53 AM
to comp.mobile.nokia.8110
Is it worth doing this whole long process? What can I do if the device is rooted?

hagen

Apr 4, 2021, 4:50:15 PM
to comp.mobile.nokia.8110
Thank you @Luxferre for the amazing work! I successfully rooted my 6300!
Just some remarks, since I stumbled over some things using Fedora:

The only edl.py that worked for me was this one, but not the one from master branch: https://github.com/bkerler/edl/tree/3.1
On Fedora, do `sudo dnf install python-devel`, if installing pylzma fails
Append `blacklist qcserial` to `/etc/modprobe.d/blacklist.conf` in case of USB access problems and check your udev rules

Using podman instead of docker:
`podman build -t 8kbootpatcher .`
`podman run --rm -it --security-opt label=disable -v /path/to/image/dir:/image 8kbootpatcher`

postapczuk

Jun 15, 2021, 4:13:01 PM
to comp.mobile.nokia.8110
Hello!
I'm using Nokia 8k. I followed this instruction but it would be great to know what is the proper output, as my concern is:

1. after executing edl.py I'm getting:
Capstone and Keystone libraries missing.
Qualcomm Sahara / Firehose Client V3.1 (c) B.Kerler 2018-2021.
Library.utils - Using loader ~/8k.mbn ...
Library.utils - Waiting for the device
Library.utils - Device detected :)
Device is in Sahara error state, please reboot the device.
Library.utils - Mode detected: sahara
Sahara in error state, resetting ...
This doesn't sound good.

2. then after executing adb pull I'm getting:
adb: error: remote object '/dev/block/bootdevice/by-name/boot' does not exist

As you can see I'm not able to pull the boot image. Could you help me? I guess explanation would also help for the future cases :)

Luxferre

Jun 16, 2021, 1:46:12 AM
to comp.mobile.nokia.8110
Please read the instructions carefully. You must not use adb to pull the image, you must use edl utility of your choice (the example above is edl.py) after you connected in the edl mode.

postapczuk

Jun 16, 2021, 1:31:17 PM
to comp.mobile.nokia.8110
Firstly: Thanks for your great work and quick response!

Secondly:
In the 6th point of the first step there is info to use adb to pull the image. I've tried to use edl.py instead (python edl.py r ...) but without success...

I'm not sure if edl.py is working correctly for me, as I fixed the issue with the line `Capstone and Keystone libraries missing.` by installing them, but I still have almost the same output while executing python edl.py w recovery ~/Pobrane/v13recovery_gerdaos.img --loader=~/Pobrane/8k.mbn :

Qualcomm Sahara / Firehose Client V3.1 (c) B.Kerler 2018-2021.
Library.utils - Using loader ~/8k.mbn ...
Library.utils - Waiting for the device
Library.utils - Device detected :)
Device is in Sahara error state, please reboot the device.
Library.utils - Mode detected: sahara
Sahara in error state, resetting ...

Then, when I insert the cable with "*" I still see standard recovery view not the white screen.

So again - is this the correct output, or is there something wrong in the log?

Luxferre

Jun 17, 2021, 1:39:52 AM
to comp.mobile.nokia.8110
The output is not correct. You must first flash the recovery and boot into it without booting into the system. And you should see the white screen. I don't know what to do with "Sahara in error state".

postapczuk

Jun 19, 2021, 1:26:59 PM
to comp.mobile.nokia.8110
OK, I've managed it. The solution is to use the latest master of edl.py instead of the 3.1 tag.

Longer Than This

Aug 4, 2021, 6:43:51 AM
to comp.mobile.nokia.8110
Can you make a video tutorial to help me root the Nokia 8000 4G? I think it is so hard (after I switched the phone to EDL mode and recovered the phone, I lost all apps :( )


On Sunday, June 20, 2021 at 00:26:59 UTC+7, postapczuk wrote:

Adam Dawes

Aug 26, 2021, 2:45:07 AM
to comp.mobile.nokia.8110
Is there any update to being able to root the US version of the 6300? Per Luxferre in March, that hadn't been figured out yet due to different hardware.

Any success?

Heinz Hempel

Sep 15, 2021, 3:46:21 PM
to comp.mobile.nokia.8110
Hi.

I am trying to root the Nokia 8000 4G. I did follow the instructions but I get this error:

PS C:\Users\anonym\Desktop\Kaios\edl_github\edl> python edl.py w recovery C:\Users\anonym\Desktop\Kaios\recovery-8110.img --loader=C:\Users\anonym\Desktop\Kaios\8k.mbn
Qualcomm Sahara / Firehose Client V3.52 (c) B.Kerler 2018-2021.
main - Using loader C:\Users\anonym\Desktop\Kaios\8k.mbn ...
main - Waiting for the device
Traceback (most recent call last):
  File "C:\Users\anonym\Desktop\Kaios\edl_github\edl\edl.py", line 362, in <module>
    base.run()
  File "C:\Users\anonym\Desktop\Kaios\edl_github\edl\edl.py", line 255, in run
    mode, resp = self.doconnect(loop, mode, resp)
  File "C:\Users\anonym\Desktop\Kaios\edl_github\edl\edl.py", line 177, in doconnect
    self.cdc.connected = self.cdc.connect()
  File "C:\Users\anonym\Desktop\Kaios\edl_github\edl\edl\Library\usblib.py", line 266, in connect
    self.configuration = self.device.get_active_configuration()
  File "C:\Users\anonym\Desktop\Kaios\python\lib\site-packages\usb\core.py", line 921, in get_active_configuration
    return self._ctx.get_active_configuration(self)
  File "C:\Users\anonym\Desktop\Kaios\python\lib\site-packages\usb\core.py", line 113, in wrapper
    return f(self, *args, **kwargs)
  File "C:\Users\anonym\Desktop\Kaios\python\lib\site-packages\usb\core.py", line 249, in get_active_configuration
    self.managed_open()
  File "C:\Users\anonym\Desktop\Kaios\python\lib\site-packages\usb\core.py", line 113, in wrapper
    return f(self, *args, **kwargs)
  File "C:\Users\anonym\Desktop\Kaios\python\lib\site-packages\usb\core.py", line 131, in managed_open
    self.handle = self.backend.open_device(self.dev)
  File "C:\Users\anonym\Desktop\Kaios\python\lib\site-packages\usb\backend\libusb1.py", line 804, in open_device
    return _DeviceHandle(dev)
  File "C:\Users\anonym\Desktop\Kaios\python\lib\site-packages\usb\backend\libusb1.py", line 652, in __init__
    _check(_lib.libusb_open(self.devid, byref(self.handle)))
  File "C:\Users\anonym\Desktop\Kaios\python\lib\site-packages\usb\backend\libusb1.py", line 600, in _check
    raise NotImplementedError(_strerror(ret))
NotImplementedError: Operation not supported or unimplemented on this platform

As you can see I use Windows. Could that be the problem?

Thanks in advance.

Heinz Hempel

bagavathi raja

Oct 26, 2021, 8:21:29 AM
to comp.mobile.nokia.8110
Hello All,

I have bricked my Nokia 8000 4G. Could someone please share the stock ROM for the Nokia 8000 4G?
Thanks in advance

Thanks & Regards

Luxferre

Nov 16, 2021, 3:39:00 AM
to comp.mobile.nokia.8110
As you can see, the operation is unimplemented, so try using emmcdl or another similar tool instead of edl.py.