

Unisoc (SPD) tablet Alldocube iPlay 20 finally rooted! Any tips on changing ROM?


tstm
Newbie
4
09-10-2020, 10:14 PM
#1



Let me thank you first for running a very nice forum with some nice tutorials!

First, some background:
* I've managed to unlock the bootloader
* I have extracted the device pac file with original .img files and I've been using those as my base
* The device is running Android 10 by default and uses the Unisoc SC9863A as a SoC

I've noticed that this tablet seems to have the AVB (Android Verified Boot) system activated, and comes with a vbmeta-sign.img in the pac package.
I've been following this Hovatek tutorial on AVB vbmeta signing.

I have extracted all the keys from the vbmeta-sign and they are all of correct size and seem to be ok:

Code:

% ls -la

1032 Oct  9 21:33 vbmeta_boot_signature.hex
1032 Oct  9 21:34 vbmeta_dtbo_signature.hex
1032 Oct  9 21:38 vbmeta_l_ldsp_signature.hex
1032 Oct  9 21:38 vbmeta_l_lgdsp_signature.hex
1032 Oct  9 21:37 vbmeta_l_modem_signature.hex
1032 Oct  9 21:35 vbmeta_odmko_signature.hex
1032 Oct  9 21:39 vbmeta_pm_sys_signature.hex
1032 Oct  9 21:34 vbmeta_recovery_signature.hex
1032 Oct  9 21:36 vbmeta_socko_signature.hex
1032 Oct  9 21:36 vbmeta_vbmeta_system_signature.hex
1032 Oct  9 21:37 vbmeta_vbmeta_vendor_signature.hex

Using those keys, I have tried several different things, having a self-signed boot.img and a separately self-signed recovery.img, but both of those ended up in a boot loop. Then I decided to try not changing any keys; I just did:

Code:

avbtool make_vbmeta_image --key rsa4096_vbmeta.pem --algorithm SHA256_RSA4096 --flag 2 \
--chain_partition boot:1:keys/vbmeta_boot_signature.hex \
--chain_partition dtbo:10:keys/vbmeta_dtbo_signature.hex \
--chain_partition recovery:2:keys/vbmeta_recovery_signature.hex \
--chain_partition socko:11:keys/vbmeta_socko_signature.hex \
--chain_partition odmko:12:keys/vbmeta_odmko_signature.hex \
--chain_partition system:3:keys/vbmeta_vbmeta_system_signature.hex \
--chain_partition vendor:4:keys/vbmeta_vbmeta_vendor_signature.hex \
--chain_partition l_modem:6:keys/vbmeta_l_modem_signature.hex \
--chain_partition l_ldsp:7:keys/vbmeta_l_ldsp_signature.hex \
--chain_partition l_gdsp:8:keys/vbmeta_l_lgdsp_signature.hex \
--chain_partition pm_sys:9:keys/vbmeta_pm_sys_signature.hex \
--padding_size 16384 \
--output vbmeta_custom.img

And then added the padding (using vbmeta_pad.py), and pushed the image using fastboot:
`fastboot flash vbmeta vbmeta_custom.img`

Unfortunately, even this, without any changed boot/recovery partitions, results in a boot loop. So I can't even seem to get a functioning vbmeta-sign.img for some reason. Is this somehow different in Android 10? I can see that I have a vbmeta_system and vbmeta_vendor entry at least in the signature image. Could that be significant?

Any help is appreciated. My main goal would be to switch the Alldocube default OS to LineageOS or some similar more open operating system to run on it. And as there is no ready TWRP image for this device - and I'm not sure if I could make it run even if I had one, as the AVB protection is there - rooting for now is a good start for my endeavors.

I'm fairly good with Linux and machines, so I don't really need any details. Just hints on where to go next?
This post was last modified: 10-10-2020, 10:16 AM by tstm.
tstm
Newbie
4
09-10-2020, 11:32 PM
#2
I got root!

There were a few details missing. For this tablet the flag needs to be 0, not 2. I ran `avbtool info_image` on both the custom vbmeta and the original, and found that there were two differences: I had used `system` and `vendor` instead of `vbmeta_system` and `vbmeta_vendor`, and the flag was 0 in the original. Changing those fixed the thing!

The first thing for me was to make the custom vbmeta without any changes work. After I had that, I decided to try a Magisk recovery.img, using Magisk Manager 8.0.2. That did not work; trying to boot into recovery just brought me a menu with a lot of Chinese written on it.

Then I went for boot.img with the same Magisk version, patched it and signed it using my key and original size. Voila! I booted into the OS and I have root. The vbmeta image command line to do this was:

Code:

avbtool make_vbmeta_image --key rsa4096_vbmeta.pem --algorithm SHA256_RSA4096 --flag 0 \
--chain_partition boot:1:keys/CUSTOM_KEY.bin \
--chain_partition dtbo:10:keys/vbmeta_dtbo_signature.hex \
--chain_partition recovery:2:keys/vbmeta_recovery_signature.hex \
--chain_partition socko:11:keys/vbmeta_socko_signature.hex \
--chain_partition odmko:12:keys/vbmeta_odmko_signature.hex \
--chain_partition vbmeta_system:3:keys/vbmeta_vbmeta_system_signature.hex \
--chain_partition vbmeta_vendor:4:keys/vbmeta_vbmeta_vendor_signature.hex \
--chain_partition l_modem:6:keys/vbmeta_l_modem_signature.hex \
--chain_partition l_ldsp:7:keys/vbmeta_l_ldsp_signature.hex \
--chain_partition l_gdsp:8:keys/vbmeta_l_lgdsp_signature.hex \
--chain_partition pm_sys:9:keys/vbmeta_pm_sys_signature.hex \
--padding_size 16384 \
--output vbmeta_custom.img

python vbmeta_pad.py

Where CUSTOM_KEY.bin is the one I made for myself and signed the Magisk-patched boot.img with.

Now I have root and Magisk is working. Would you guys have any suggestions on how I should go about e.g. installing LineageOS? Should I just try to overwrite `system` with LineageOS, or should there be some other way?

Could I help port TWRP on the Alldocube iPlay 20 somehow? What would be needed to get a compile/modification going for the Unisoc chipset and this particular tablet?
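
Added example (not part of tstm's post, and not Hovatek or avbtool code): the comparison described in post #2, done mechanically. It parses two `avbtool info_image` dumps and lists differences in the header flags and the chain partition descriptors; both dumps are constructed, trimmed samples with placeholder key hashes, and `parse_info` / `diff_vbmeta` are hypothetical helper names.

```python
# Constructed, trimmed `avbtool info_image` output; key hashes are placeholders.
TEMPLATE = """\
Algorithm:                SHA256_RSA4096
Rollback Index:           0
Flags:                    {flags}
Descriptors:
    Chain Partition descriptor:
      Partition Name:          boot
      Rollback Index Location: 1
      Public key (sha1):       <placeholder-boot-key-sha1>
    Chain Partition descriptor:
      Partition Name:          {name}
      Rollback Index Location: 3
      Public key (sha1):       <placeholder-system-key-sha1>
"""
ORIGINAL = TEMPLATE.format(flags=0, name="vbmeta_system")  # stock vbmeta
CUSTOM = TEMPLATE.format(flags=2, name="system")           # first attempt in the thread

def parse_info(text):
    """Return (header fields, {partition: (rollback index location, key sha1)})."""
    header, chains, current, in_desc = {}, {}, None, False
    for raw in text.splitlines():
        key, sep, value = raw.strip().partition(":")
        value = value.strip()
        if not sep:
            continue
        if key == "Descriptors":
            in_desc = True
        elif key.endswith("descriptor"):
            # Only chain descriptors are compared; other kinds are skipped.
            current = {} if key == "Chain Partition descriptor" else None
        elif not in_desc:
            header[key] = value
        elif current is not None:
            current[key] = value
            if key == "Public key (sha1)":
                chains[current["Partition Name"]] = (current["Rollback Index Location"], value)
    return header, chains

def diff_vbmeta(original, custom):
    """List header and chain-descriptor differences between two dumps."""
    (h0, c0), (h1, c1) = parse_info(original), parse_info(custom)
    out = [f"{f}: original={h0.get(f)} custom={h1.get(f)}"
           for f in ("Algorithm", "Rollback Index", "Flags") if h0.get(f) != h1.get(f)]
    for name in sorted(c0.keys() | c1.keys()):
        if c0.get(name) != c1.get(name):
            out.append(f"chain {name}: original={c0.get(name)} custom={c1.get(name)}")
    return out

if __name__ == "__main__":
    print("\n".join(diff_vbmeta(ORIGINAL, CUSTOM)))
```

A chain entry whose key hash differs only because it was deliberately re-keyed (here, `boot`) will also be listed; every other line in the result should be empty before flashing.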
gradkal
Newbie
3
13-10-2020, 06:39 PM
#3
Hi,

I have the same tablet and was able to unlock the bootloader and create and flash a custom vbmeta.img. But now I'm failing to sign my Magisk-patched boot.img. How did you make it?

If I try to give a command in the Ubuntu console

python avbtool add_hash_footer --image magisk_patched.img --partition_name boot --partition_size 36700160 --key keys/gk_custom_key.bin --algorithm SHA256_RSA4096

I always get the error:
avbtool: Image size of 36700160 exceeds maximum image size of 36630528 in order to fit in a partition size of 36700160.


I think I did nothing wrong, but maybe you could help me. Would it be possible to leave me a copy of your signed boot.img? I created my custom vbmeta.img also with rsa4096_vbmeta.pem.

Thanks in advance.
This post was last modified: 13-10-2020, 06:41 PM by gradkal.
tstm
Newbie
4
13-10-2020, 10:30 PM
#4
(13-10-2020, 06:39 PM)gradkal I always get the error:
avbtool: Image size of 36700160 exceeds maximum image size of 36630528 in order to fit in a partition size of 36700160.


I think I did nothing wrong, but maybe you could help me. Would it be possible to leave me a copy of your signed boot.img? I created my custom vbmeta.img also with rsa4096_vbmeta.pem.

Did you check your image size properly?

For the original boot image, what do you get if you run `avbtool info_image --image original_boot.img` ?

Also, it seems that your patched boot.img is larger than I got. My patched boot.img was somewhat smaller than the original. Are you running the same version of the Alldocube firmware? I have `iPlay20(T1011S)-EN-20200824.pac` that I'm working on.

I can also send you my patched boot image, but it might cause trouble if you are running a different firmware version than I. Please check that first, and that the size is correct; if it still won't work, I'll link you my patched boot.img. =)
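
Added example (not part of the posts above, and not avbtool's own code): a size pre-check for the `add_hash_footer` error quoted in this thread. The limit in that message is the partition size minus the 64 KiB + 4 KiB that avbtool reserves for the vbmeta blob and footer (36700160 - 69632 = 36630528); the helper names and the zero-filled sample images are constructed for illustration.

```python
import struct

MAX_VBMETA_SIZE = 64 * 1024   # space avbtool reserves for the vbmeta blob
MAX_FOOTER_SIZE = 4096        # space avbtool reserves for the AvbFooter
# AvbFooter layout: magic, version major/minor, original size, vbmeta offset/size, reserved
FOOTER_FMT = "!4s2L3Q28x"
FOOTER_SIZE = struct.calcsize(FOOTER_FMT)  # 64 bytes, stored at the very end of the image

def max_image_size(partition_size):
    """Largest payload that still leaves room for the AVB metadata."""
    return partition_size - (MAX_VBMETA_SIZE + MAX_FOOTER_SIZE)

def payload_size(image):
    """Size of the real image data; an existing AVB footer records it."""
    if len(image) >= FOOTER_SIZE:
        magic, _major, _minor, original_size, _offset, _size = struct.unpack(
            FOOTER_FMT, image[-FOOTER_SIZE:])
        if magic == b"AVBf" and original_size <= len(image):
            return original_size  # avbtool truncates back to this before re-signing
    return len(image)             # no footer: the whole file counts as payload

def preflight(image, partition_size):
    """Return (fits, payload size, limit) for a planned add_hash_footer run."""
    size, limit = payload_size(image), max_image_size(partition_size)
    return size <= limit, size, limit

def constructed_image(payload_len, total_len, with_footer):
    """Constructed sample: zero-filled image, optionally ending in an AvbFooter."""
    body = bytearray(total_len)
    if with_footer:
        body[-FOOTER_SIZE:] = struct.pack(
            FOOTER_FMT, b"AVBf", 1, 0, payload_len, payload_len, 0)
    return bytes(body)

if __name__ == "__main__":
    part = 36700160  # --partition_size used in the thread
    print(preflight(constructed_image(20_000_000, part, True), part))
    print(preflight(constructed_image(0, part, False), part))
```

An image that is exactly as large as the partition and carries no footer fails the check with the same two numbers as the error message in posts #3 and #7.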
gradkal
Newbie
3
13-10-2020, 11:39 PM
#5



Got it made. I patched boot.img with the Canary version of Magisk Manager. This did not work properly. With the release version 8.0.2 it worked fine and I was able to sign the image. Now the device is rooted. Thanks anyway!
This post was last modified: 14-10-2020, 12:58 AM by gradkal.
tstm
Newbie
4
14-10-2020, 08:45 AM
#6
(13-10-2020, 11:39 PM)gradkal Got it made. I patched boot.img with the Canary version of Magisk Manager. This did not work properly. With the release version 8.0.2 it worked fine and I was able to sign the image. Now the device is rooted. Thanks anyway!

Great to hear! If you happen to install some other OS on the thing, LineageOS or something else, please share your experiences! I'd like to get rid of the original OS, as I don't really trust the Chinese software..
TriATK
Newbie
2
30-10-2020, 03:45 PM
#7
(13-10-2020, 06:39 PM)gradkal Hi,

I have the same tablet and was able to unlock the bootloader and create and flash a custom vbmeta.img. But now I'm failing to sign my Magisk-patched boot.img. How did you make it?

If I try to give a command in the Ubuntu console

python avbtool add_hash_footer --image magisk_patched.img --partition_name boot --partition_size 36700160 --key keys/gk_custom_key.bin --algorithm SHA256_RSA4096

I always get the error:
avbtool: Image size of 36700160 exceeds maximum image size of 36630528 in order to fit in a partition size of 36700160.


I think I did nothing wrong, but maybe you could help me. Would it be possible to leave me a copy of your signed boot.img? I created my custom vbmeta.img also with rsa4096_vbmeta.pem.

Thanks in advance.
Same here, I'm trying to flash a custom Magisk build (based on the Canary channel) to bypass a banking app. (The official build 8.0.2 always gets detected with Magisk Hide on.)

I got exactly the same output:
avbtool: Adding hash_footer failed: Image size of 36700160 exceeds maximum image size of 36630528 in order to fit in a partition size of 36700160..
TriATK
Newbie
2
31-10-2020, 08:18 PM
#8
(14-10-2020, 08:45 AM)tstm
(13-10-2020, 11:39 PM)gradkal Got it made. I patched boot.img with the Canary version of Magisk Manager. This did not work properly. With the release version 8.0.2 it worked fine and I was able to sign the image. Now the device is rooted. Thanks anyway!

Great to hear! If you happen to install some other OS on the thing, LineageOS or something else, please share your experiences! I'd like to get rid of the original OS, as I don't really trust the Chinese software..
You could use those GSI ROMs, for example:
fastboot flash system Y:\crdroid-6.5-arm64ab-200423-vanilla-v215.img

But you need to disable AVB first with:
fastboot --disable-verification flash vbmeta %YOUR_PATH_TO_vbmeta%\vbmeta_signed.img
fastboot flash boot %YOUR_PATH_TO_boot%\boot_signed.img
shadowpanzer
Enthusiastic Member
5
02-11-2020, 05:12 PM
#9
Hi all, just got my iPlay 20 Pro in the mail. Would this rooting method work for this variant as well? I'm assuming the only change was the amount of RAM between the non-pro and pro variants.
X3non
Recognized Contributor
22,062
03-11-2020, 08:17 PM
#10



(02-11-2020, 05:12 PM)shadowpanzer Hi all, just got my iPlay 20 Pro in the mail. Would this rooting method work for this variant as well? I'm assuming the only change was the amount of RAM between the non-pro and pro variants.

You'll have to try it out to find out, but do not use firmware files from the non-pro variant.
Ensure you use files from the firmware matching the build number on your phone.