Hovatek Forum DEVELOPMENT Android How do I root the Lemfo Lem16 Android 11 smart watch?
Try our Online TWRP Builder..its free!
Can't login? Please, reset your password.


How do I root the Lemfo Lem16 Android 11 smart watch?

How do I root the Lemfo Lem16 Android 11 smart watch?

emassey0135
emassey0135
emassey0135
Newbie
3
03-02-2023, 08:10 AM
#1



Hello,

I purchased a Lemfo LEM16 smart watch and I am trying to root it using Magisk. It has a Unisoc chip and runs full Android 11 with some modifications to make it better suited to a smart watch. I have been trying to create a custom signed vbmeta image and sign the patched boot image using the tutorial at https://www.hovatek.com/forum/thread-32664.html . I extracted the firmware images from the pac file using the SPD upgrade tool and patched boot.img using the Magisk app, and I have unlocked my boot loader. I extracted the keys from the stock vbmeta-sign.img using a Windows program, and I generated a public key from the RSA4096 key linked in the tutorial to a file named new.bin, and signed the patched boot image with the private key using the instructions at https://www.hovatek.com/forum/thread-32674.html except I ran avbtool erase_footer on the patched boot image first. I also created a custom vbmeta image using all the keys, partition names, and ordering from the original image, except replacing the boot key with my generated public key. I used the RSA4096 key linked in the first tutorial as the signing key for the new vbmeta. I ran the padding script for Android 10 afterward since there is none listed for Android 11, and used 16384 as the padding size in the avbtool command since this seems to be correct from investigating the original vbmeta image as described in the second post of the first tutorial thread. However, when I flash the new images, the device goes into a boot loop and I have to restore the original firmware with the SPD research tool. I am not sure what I am doing wrong. Do I need to change the flags for verified boot in the vbmeta or boot image? What else could be causing this problem? I have attached the original vbmeta image, its info from running avbtool info_image on it, the custom vbmeta image I generated, its info, the info for the stock boot image, the info for the signed patched boot image, a zip file containing the keys from my stock vbmeta image along with my new public key, and the command I used to generate the custom vbmeta.
Attached Files
.txt
boot-patched-info.txt
Size: 927 bytes / Downloads: 6
.img
vbmeta-sign.img
Size: 1 MB / Downloads: 3
.txt
vbmeta-sign-info.txt
Size: 2.8 KB / Downloads: 6
.txt
boot-stock-info.txt
Size: 1.08 KB / Downloads: 7
.zip
keys.zip
Size: 17.5 KB / Downloads: 5
.img
vbmeta-sign-custom.img
Size: 1 MB / Downloads: 4
.txt
vbmeta-sign-custom-info.txt
Size: 2.8 KB / Downloads: 8
.txt
generate-vbmeta.txt
Size: 856 bytes / Downloads: 8
hovatek
hovatek
hovatek
Administrator
49,607
09-02-2023, 10:27 AM
#2
(03-02-2023, 08:10 AM)emassey0135 Hello,

I purchased a Lemfo LEM16 smart watch and I am trying to root it using Magisk. It has a Unisoc chip and runs full Android 11 with some modifications to make it better suited to a smart watch. I have been trying to create a custom signed vbmeta image and sign the patched boot image using the tutorial at https://www.hovatek.com/forum/thread-32664.html . I extracted the firmware images from the pac file using the SPD upgrade tool and patched boot.img using the Magisk app, and I have unlocked my boot loader. I extracted the keys from the stock vbmeta-sign.img using a Windows program, and I generated a public key from the RSA4096 key linked in the tutorial to a file named new.bin, and signed the patched boot image with the private key using the instructions at https://www.hovatek.com/forum/thread-32674.html except I ran avbtool erase_footer on the patched boot image first. I also created a custom vbmeta image using all the keys, partition names, and ordering from the original image, except replacing the boot key with my generated public key. I used the RSA4096 key linked in the first tutorial as the signing key for the new vbmeta. I ran the padding script for Android 10 afterward since there is none listed for Android 11, and used 16384 as the padding size in the avbtool command since this seems to be correct from investigating the original vbmeta image as described in the second post of the first tutorial thread. However, when I flash the new images, the device goes into a boot loop and I have to restore the original firmware with the SPD research tool. I am not sure what I am doing wrong. Do I need to change the flags for verified boot in the vbmeta or boot image? What else could be causing this problem? I have attached the original vbmeta image, its info from running avbtool info_image on it, the custom vbmeta image I generated, its info, the info for the stock boot image, the info for the signed patched boot image, a zip file containing the keys from my stock vbmeta image along with my new public key, and the command I used to generate the custom vbmeta.

You first need to test by creating a stock vbmeta i.e flag 0 and don't replace any partition's public key.
You can then compare what you created to stock vbmeta . if they're not 100% identical then something is wrong somewhere

Note!
We have a reply schedule for Free Support. Please upgrade to Private Support if you can't wait.
emassey0135
emassey0135
emassey0135
Newbie
3
17-06-2023, 11:22 PM
#3
I have tried to create a vbmeta image identical to the original one by using the exact same keys and setting the flag to 0. After generating the new image with avbtool, the new image is 32768 bytes long, and is identical with the first 32768 bytes of the original image. However, the rest of the file is different after running pad10.py on it. First, I figured out that the sequence of 0x0000 0000 0000 0000 0050 0000 inserted after the hash by pad10.py is there twice in the original vbmeta. After I changed pad10.py to write this sequence twice instead of once, and ran pad10.py against the generated image, the new image is exactly the same as the original, except for the hash bytes that the Python script generates by hashing the 32768 byte image using sha256. This must mean that the Lemfo LEM16 uses a different hash instead of SHA256 in this position in the vbmeta, or the hash is of something different than those 32768 bytes, or something else is different. Now I am not sure how to proceed, since this could be literally any hash function that outputs 32 bytes, or a sha256 of anything added to or removed from those 32768 bytes. How should I determine which hash function is being used? The sha256 hash generated by the Python script is 0x3efe539f1f4f57139d15159b76b49223d2867d0a93be31e069aaaf411e6445c1, and the original unknown hash is 0x4c03c7c46ed7af3b287df190b852c334a9b2eaeb925468a54671ff0dfd72f0e8. I have attached the first 32768 bytes that are being hashed as well.
Attached Files
.img
vbmeta-hashed-32768.img
Size: 32 KB / Downloads: 4
emassey0135
emassey0135
emassey0135
Newbie
3
18-06-2023, 03:22 PM
#4
Never mind, I had the padding size wrong. When I changed it to 20480, the generated image became 20480 bytes long instead of 32768, and the hash generated by the Python script matches the original image. Now I will try to generate a modified vbmeta and signed boot image to root the device. However, the DHTB format is still a little different than for Android 10, and I have attached a modified Python script that generates the correct format.
Attached Files
.zip
pad11.zip
Size: 345 bytes / Downloads: 4
Users browsing this thread:
 1 Guest(s)
Users browsing this thread:
 1 Guest(s)
YtWhTl
live chat
whatsapp telegram instagram