Nokia 8000 rooting research thread

351 views
Skip to first unread message

Luxferre

unread,
Mar 19, 2021, 2:27:16 AMMar 19
to comp.mobile.nokia.8110
Hi folks,

So, I have encountered a semi-working firehose (will not publish it until the whole end-to-end rooting solution is found, but feel free to reach out to me in Discord) that can only read up to 300 or so 512-byte sectors at a time but writes the whole partitions successfully (even using the recent official bkerler's edl.py version).

What is known as of today's morning:

1. We can rewrite the recovery partition freely, since it gets restored to stock on each "normal" boot anyway.
2. If we flash Gerda Recovery "as is", we boot into a white screen (no surprise, different display drivers) but still get a rooted ADB shell, which is more than enough.
3. If we mount the persist partition and put the __post_reset_cmd__ file with root string there, the system will NOT switch into the privileged mode. They removed this mechanism in 2.3.4, and we must find another way of doing things.
4. The SELinux mechanism also gets in the way of doing things (even if we enable engmode-extension in the apps, the engine will still be unable to start commands as root anymore), and it also can't be removed without patching the boot partition (say goodbye to stock OTA updates, that is)

So, the current plan is:

1. Use Gerda Recovery as a one-time proxy for partition dumping via dd+ADB or general FS exploration.
2. Create some script (or even Docker container) to dynamically patch the boot image (remove secure flags, disable SELinux, replace adbd with rooted one).
3. Use normal edl.py with that firehose to restore the boot image or flash a new one.

Unfortunately, I don't see any other way of rooting the Sparkler, that is, without tampering system partitions. But as long as you have the original boot.img backed up, that shouldn't be a problem.

Stay tuned!

P.S. Please refrain from off-topic here. Off-topic messages (not related to 8000 rooting or privileged mode) will be deleted at once.

Luxferre

unread,
Mar 19, 2021, 9:02:23 AMMar 19
to comp.mobile.nokia.8110
Preliminary rooting has been performed. Dockerfile and all related scripts/files will be released within 2 days.

Luxferre

unread,
Mar 20, 2021, 5:27:45 AMMar 20
to comp.mobile.nokia.8110
Dockerized boot image patcher is out: https://gitlab.com/suborg/8k-boot-patcher

The patch disables basic security checks, updates the ADB daemon to the permanently rooted one and switches SELinux to permissive mode. It also preserves the original image by copying to the boot-orig.img file.
Obviously, needs a working x86 Docker installation to run. See the instructions in the README.

Luxferre

unread,
Mar 20, 2021, 5:42:33 AMMar 20
to comp.mobile.nokia.8110
Limited-capability firehose loader for 8000/6300 4G (except US versions - they have different hardware) updated on edl.bananahackers.net - it can't dump whole partitions correctly but it can write them.

Given all the limitation, the full rooting instruction will be shared in the next post.

Luxferre

unread,
Mar 20, 2021, 6:27:45 AMMar 20
to comp.mobile.nokia.8110
So, here are the current rooting instructions.

What you will need:

- a non-US-based Nokia 8000 or 6300 4G (in my example, it's 8000 4G TA-1303);
- a working ADB installation;
- a working Docker and Git installation;
- a (somewhat) working firehose loader MBN file (see @ edl.bananahackers.net);
- a method to replace partitions via EDL (in my example and instructions, it's Python 3.9 and bkerler's edl.py v3.1 release);
- an image of Gerda Recovery in case you don't already have a more reliable way to read partitions from the phone (in my case, I don't).

Rooting process is divided into three stages: boot partition pulling, boot image patching and boot partition replacing. Let's review them one by one.

First, I'll remind you how to switch the phone into EDL mode:

From the turned on state if you have ADB working with *#*#debug#*#* code: adb reboot edl
From the turned off state: insert USB cable while holding * and # at the same time. The screen should blink with KaiOS logo and become black.

Now, let's go!

Stage 1: Pulling the boot partition image

Here, we exploit the fact that OS will rewrite the recovery partition on the next "normal" boot anyway. So, we temporarily write the Gerda Recovery without worrying about stock state and then pull the image via ADB console.

1. Switch the phone into EDL mode.
2. Flash the Gerda Recovery: python edl.py w recovery /path/to/recovery-8110.img --loader=/path/to/8k.mbn
3. Without doing anything else, disconnect the phone from PC and remove the battery. Then insert the battery back.
4. Turn the phone on while holding * key only. Normally, it should boot into stock recovery, but now it should boot into a white screen (that's totally normal, 8110's and 8000's display drivers are different).
5. Connect the phone back to PC and check its availability with adb devices command.
6. Pull the boot image from the phone: adb pull /dev/block/bootdevice/by-name/boot boot.img
7. Reboot the phone into normal mode with adb reboot or, if it doesn't work, just by reinserting the battery.

Now we have the boot.img pulled from the phone and recovery automatically restored to stock. Let's patch our boot!

Stage 2: Patching the boot partition image

Note: keep the original boot.img file backup somewhere safe in case you need to restore it (for instance, to re-enable stock OTA updates)!

1. Pull the patcher image source: git clone https://gitlab.com/suborg/8k-boot-patcher.git && cd 8k-boot-patcher
2. Build the patcher image: docker build -t 8kbootpatcher . (note the dot in the end of the command - it's important)
3. Ensure that the boot.img file is called exactly boot.img and put into some directory (say, /path/to/image/dir).
4. Run the patching process according to the README: docker run --rm -it -v /path/to/image/dir:/image 8kbootpatcher
5. The boot.img will be patched. The original file will be copied into boot-orig.img.

Stage 3: Replacing the boot partition with the patched image

1. Switch the phone into EDL mode again.
2. Flash the image: python edl.py w boot /path/to/patched/boot.img --loader=/path/to/8k.mbn
3. Reboot the phone into the normal mode: python edl.py reset

That's it! Now, if you enter ADB, your shell will be rooted, getprop ro.secure will return 0 and getenforce will return Permissive. Just as planned.

To restore the stock boot, just repeat stage 3 with the original boot.img backup made in stage 1.

P.S. Depending on your distribution, you may want to use python3 command instead of just python in the examples above.

Have fun!

Mg

unread,
Mar 23, 2021, 6:48:53 AMMar 23
to comp.mobile.nokia.8110
Is it worth doing this whole long process what can I do if the device is rooting?
Message has been deleted

hagen

unread,
Apr 4, 2021, 4:50:15 PMApr 4
to comp.mobile.nokia.8110
Thank you @Luxferre for the amazing work! I successfully rooted my 6300!
Just some remarks, since I stumbled over some things using Fedora:

The only edl.py that worked for me was this one, but not the one from master branch: https://github.com/bkerler/edl/tree/3.1
On Fedora, do `sudo dnf install python-devel`, if installing pylzma fails
Append `blacklist qcserial` to `/etc/modprobe.d/blacklist.conf` in case of USB access problems and check your udev rules

Using podman instead of docker:
`podman build -t 8kbootpatcher .`
`podman run --rm -it --security-opt label=disable -v /path/to/image/dir:/image 8kbootpatcher`

Reply all
Reply to author
Forward
0 new messages