# [Q] How to Root Toshiba Excite Pro AT10LE-A-108



## dexxxZ (Dec 25, 2013)

Hi,
so I ordered a Toshiba Excite Pro AT10LE-A-108 tablet from Amazon today:
http://www.amazon.co.uk/gp/product/B00GXBVHMA/ref=oh_details_o00_s00_i00?ie=UTF8&psc=1#productDetails

It looks OK. I read some reviews of this product and all looks good, but I can't find any info on the internet about rooting this device, so I'd like to ask you: does anybody know something about this, how to root that Toshiba?

Thanks for any help


----------



## DeuxEx (Dec 25, 2013)

dexxxZ said:


> Hi,
> so I ordered a Toshiba Excite Pro AT10LE-A-108 tablet from Amazon today:
> http://www.amazon.co.uk/gp/product/B00GXBVHMA/ref=oh_details_o00_s00_i00?ie=UTF8&psc=1#productDetails
> 
> ...




Today it is just £169.99! A very good offer for a tablet with NVIDIA Tegra 4 1.6GHz, 2GB RAM, 16GB memory and Android 4.2!


----------



## dexxxZ (Dec 26, 2013)

DeuxEx said:


> Today it is just £169.99! A very good offer for a tablet with NVIDIA Tegra 4 1.6GHz, 2GB RAM, 16GB memory and Android 4.2!




I know, I paid the same, but I tried to find any help about root & CWM, and there is no official root or CWM, and nobody knows how to root this device... I need root, and I think I will sell it and buy a Sony Xperia Z tablet or some Asus which can be rooted and have CWM installed.


----------



## beholder21 (Dec 28, 2013)

I bought it also, would be great if someone could root this beautiful device


----------



## DeuxEx (Dec 28, 2013)

How is it working? Did you put it to a test? Antutu, Quadrant, 3DMark? How does it manage the heat in games?

Sent from my S500 using Tapatalk


----------



## anarchyuk (Dec 29, 2013)

DeuxEx said:


> How is it working? Did you put it to a test? Antutu, Quadrant, 3DMark? How does it manage the heat in games?
> 
> Sent from my S500 using Tapatalk




Make sure you view hidden updates in the OS update manager, and even if it finds some, keep doing it, as for some reason myself and loads of others never got notified of updates. The device, however, since doing them has had no lockups and runs much better.


----------



## AVTR1337 (Mar 1, 2014)

Is there a way to root this awesome thing? Any news?


----------



## SANGER_A2 (Mar 9, 2014)

anarchyuk said:


> Make sure you view hidden updates in the OS update manager, and even if it finds some, keep doing it, as for some reason myself and loads of others never got notified of updates. The device, however, since doing them has had no lockups and runs much better.




Hi. Could you tell me what version you are currently at so I can check I have the latest updates? I too would really like root. Mainly to get Autorun manager working and fully remove some stock apps. 

Sent from my AT10LE-A using Tapatalk


----------



## anarchyuk (Mar 12, 2014)

SANGER_A2 said:


> Hi. Could you tell me what version you are currently at so I can check I have the latest updates? I too would really like root. Mainly to get Autorun manager working and fully remove some stock apps.
> 
> Sent from my AT10LE-A using Tapatalk




sure 4.3.001120220.05


----------



## SANGER_A2 (Mar 12, 2014)

anarchyuk said:


> sure 4.3.001120220.05




Hmm. Well that's the version I have. I still have the issue where the wireless stops working - even though the status is convinced it isn't! I was hoping there was an update I didn't have that would fix it!


----------



## anarchyuk (Mar 13, 2014)

SANGER_A2 said:


> Hmm. Well that's the version I have. I still have the issue where the wireless stops working - even though the status is convinced it isn't! I was hoping there was an update I didn't have that would fix it!




Have you made sure the router is facing the direction that your devices are located? Firmware update the router? Even though other devices may work fine, they could have much bigger antennas that compensate better. Does it happen anywhere else?


----------



## SANGER_A2 (Mar 13, 2014)

anarchyuk said:


> Have you made sure the router is facing the direction that your devices are located? Firmware update the router? Even though other devices may work fine, they could have much bigger antennas that compensate better. Does it happen anywhere else?




The direction cannot have anything to do with it. Routers transmit in a bubble 360 degrees around themselves. Although some spots may have less signal, the tablet has never dropped below 4 bars when the issue has happened and it can connect at the full 150mb most of the time. I have a very high quality router that has no issues with range/transmit power/direction and has the latest firmware update available to it. It will even work outside the house to some distance. The issue with the wireless dropping but not appearing happens at different times and at different locations in my house - even when a metre in front of the router. I've tried changing the channel of the router and going through the settings to see if I can find a reason for it not working. I have not had this issue with any of the other wireless devices I have, including several that also have run Android 4.3. I'm using WPA2, but I refuse to turn this off. It has been around much longer than Android and should not be the source of the issue. Turning the wifi off and on again on the tablet fixes the issue; it's not the router. The issue too has been documented with this tablet in a few different locations around the net, so I'm not alone.


----------



## Andrew974 (Apr 29, 2014)

No news?


----------



## dangerous_b (Jun 1, 2014)

*root*



Andrew974 said:


> No news?




Anyone rooted the Excite Pro? Tried all sorts, nothing will root it. Updated to Android 4.3.
Thanks.


----------



## Rafostar (Jul 12, 2014)

There is no way to root it... Sorry :crying:


----------



## C4SCA (Nov 8, 2014)

Rafostar said:


> There is no way to root it... Sorry :crying:




Use this https://towelroot.com/


----------



## Rafostar (Nov 13, 2014)

C4SCA said:


> Use this https://towelroot.com/




Toshiba has "sealime" protection. So towelroot won't work either.


----------



## Tom Mix (Jan 22, 2016)

*update, maybe...*

any news on that?


----------



## YuriRM (Oct 27, 2016)

*‘Dirty Cow’ can Root every version of Android*



Rafostar said:


> Toshiba has "sealime" protection. So towelroot won't work either.




Rooting with a Locked Boot Loader
http://technotif.com/rooting-locked-boot-loader/

9 Year Old Linux Kernel bug dubbed ‘Dirty Cow’ can Root every version of Android (October 26, 2016)
http://www.xda-developers.com/9-yea...-dirty-cow-can-root-every-version-of-android/

Will the 'Dirty Cow' exploit work?


----------



## Tom Mix (Nov 1, 2016)

*well...*

still hoping...


----------






## YuriRM (Nov 1, 2016)

Tom Mix said:


> still hoping...




We must try it before Toshiba issues a patch.
Where can we find the Dirty Cow program?


----------



## Tom Mix (Nov 6, 2016)

*any news*

on that?


----------



## markop741 (Sep 25, 2017)

I have got a rooted Toshiba Excite Pro. But I have no idea where to find a custom ROM (Android 6, 7 or 8). Maybe somebody knows where I should look?


----------



## YuriRM (Sep 27, 2017)

markop741 said:


> I have got a rooted Toshiba Excite Pro. But I have no idea where to find a custom ROM (Android 6, 7 or 8). Maybe somebody knows where I should look?




Congratulations! You are the first person to have achieved that goal. Tell us how to root the Toshiba Excite Pro, please!

The next step is to build a recovery file for Toshiba Excite Pro. Then it will be possible to start developing third-party ROMs.


----------



## Al'++ (Sep 27, 2017)

*Root Toshiba AT10LE-A-10D*



YuriRM said:


> Congratulations! You are the first person to have achieved that goal. Tell us how to root the Toshiba Excite Pro, please!
> 
> The next step is to build a recovery file for Toshiba Excite Pro. Then it will be possible to start developing third-party ROMs.




Hello,
I've been waiting a long time for a solution for upgrading my Toshiba AT10LE-A-10D to Android 4.4.
And so this post seems to bring a new piece of hope!
Thank you for the next answers and posts, I'm really excited and looking forward to the solution!


----------



## markop741 (Oct 8, 2017)

YuriRM said:


> Congratulations! You are the first person to have achieved that goal. Tell us how to root the Toshiba Excite Pro, please!
> 
> The next step is to build a recovery file for Toshiba Excite Pro. Then it will be possible to start developing third-party ROMs.




Even now, I cannot believe what I did.
First, I unlocked debugging on my tablet.
Then I downloaded the USB drivers from the Toshiba web page to my laptop (also a Toshiba product).
I connected the tablet to my laptop with a good USB cable.
I started rooting with Kingo ROOT, and after reaching 60% it failed.
I started rooting with iRoot, and after reaching 80% it failed.
I returned to Kingo ROOT, and this time it was successful.

When I went back to factory settings on my tablet, it was enough to use Kingo ROOT to install root. I had to run Kingo ROOT two times because the first time I could not get root.
Now I have no problems and Kingo always roots my tablet.


----------



## YuriRM (Oct 9, 2017)

markop741 said:


> Even now, I cannot believe what I did.
> First, I unlocked debugging on my tablet.
> Then I downloaded the USB drivers from the Toshiba web page to my laptop (also a Toshiba product).
> I connected the tablet to my laptop with a good USB cable.
> ...




Thank you very much! I know that KingoRoot is now using the DirtyCow exploit. It means that it can be rooted by other DirtyCow tools.

Dirty COW, an exploit in the Linux kernel, is now being abused on Android by ZNIU.
https://www.xda-developers.com/dirty-cow-exploit-linux-android-zniu/

You can remove KingoRoot and replace it with SuperSU. There are instructions for that at the XDA forum.

Replace KingoRoot with SuperSU manually without Terminal (2017)
https://forum.xda-developers.com/an...g/replace-kingoroot-supersu-manually-t3573361

EDIT - However, some people had trouble when removing KingoRoot. It stopped working and they lost root access (have a look at the link provided above. Supersume seems to work. Read carefully the comments). Therefore,  do not try to remove KingoRoot as yet. Let's plan ahead to do a full readback backup first and to build the recovery file for Toshiba Excite Pro.
I will have to search on this subject to find the right tools for the Nvidia Tegra 4 cpu.

Give us the full reference of your device, please!
Toshiba AT10LE-A-10D is @Al'++'s device.
Toshiba AT10LE-A-108 springs to my mind.
Toshiba AT10LE-A-109 /32GB is mine.

Sent from my takee 1 using XDA Labs


----------



## markop741 (Oct 9, 2017)

YuriRM said:


> Thank you very much! I know that KingoRoot is now using the DirtyCow exploit. It means that it can be rooted by other DirtyCow tools.
> 
> Dirty COW, an exploit in the Linux kernel, is now being abused on Android by ZNIU.
> https://www.xda-developers.com/dirty-cow-exploit-linux-android-zniu/
> ...




Thank you for it. I'll be waiting.
My Toshiba AT10LE-A-108/16GB
Android 4.3
compilation number: JSS15Q. 001120220.05
kernel version: 
3.4.57-gc710e6f
[email protected]
#SMP PREEMPT Mon Dec 2 17:16:19 IST 2013
If you need more information then write


----------



## YuriRM (Oct 10, 2017)

YuriRM said:


> KingoRoot is now using the DirtyCow exploit. It means that it can be rooted by other DirtyCow tools.
> 
> Therefore, do not try to remove KingoRoot as yet. Let's plan ahead to do a full readback backup first and to build the recovery file for Toshiba Excite Pro.
> I will have to search on this subject to find the right tools for the Nvidia Tegra 4 cpu.




We should ask for the help of @Tomsgt. He is a developer for the Nvidia Tegra 4 Note 7. Tomsgt has developed the Super Tool 3.1.

This script has 8 options 
1. adb and fastboot driver install
2. unlock bootloader
3. Restore / unbrick device
4. Flash stock android recovery
5. install ClockWorkMod recovery Bat version
6. Install TeamWin / TWRP recovery
7. Root access in recovery with supersu

[Super Tool][Utility] Nvidia Tegra Note 7 Kitkat Unlock BL, Restore, Recovery, & Root by Tomsgt
https://forum.xda-developers.com/showthread.php?t=2627654

Root JunkySDL - Tegra Note 7 firmware + Super Tool
http://rootjunkysdl.com/files/?dir=Tegra Note 7

Tegra 4 - Model number T114 devices
https://en.m.wikipedia.org/wiki/Tegra

EDIT - An invitation to Tomsgt has already been posted at the Super Tool forum, on 10th October 2017.
https://forum.xda-developers.com/showthread.php?t=2583677&page=3

Sent from my takee 1 using XDA Labs


----------



## YuriRM (Oct 10, 2017)

YuriRM said:


> We should ask for the help of @Tomsgt. He is a developer for the Nvidia Tegra 4 Note 7. Tomsgt has developed the Super Tool 3.1.
> 
> This script has 8 options
> 1. adb and fastboot driver install
> ...




Dear @Tomsgt , victory! The sealime protected Toshiba Excite Pro (Toshiba AT10LE-A-108) has been rooted by a DirtyCow enabled KingoRoot. It has long been a challenge but it was finally conquered!
Do you give us permission to fork and adapt your Super Tool 3.1? You are an expert on Nvidia Tegra 4 tablets. Can you help and lead us in this project, please?
KingoRoot is not desirable. Is it possible to use another DirtyCow tool in the Super Tool script? We would love to get Android 4.4 or 5.1 as well. Is it feasible? This tablet is still Android 4.3.
More details on @markop741's feat at
https://forum.xda-developers.com/showthread.php?t=2583677&page=3
Regards

Sent from my takee 1 using XDA Labs


----------



## Rafostar (Oct 17, 2017)

Rooting with KingoRoot is successful, but su binary is lost after reboot. Can something be done about that?
Also /system is still read-only so root is pretty much useless for now. Is there any way to make it rw?


----------



## YuriRM (Oct 17, 2017)

The official LineageOS 13.0 for Nvidia Shield Portable (code name Roth) could be ported to Toshiba Excite Pro. It has the same processor Nvidia Tegra 4 (T114) and 2GB RAM.
https://wiki.lineageos.org/devices/roth



Rafostar said:


> Rooting with KingoRoot is successful, but su binary is lost after reboot. Can something be done about that?
> Also /system is still read-only so root is pretty much useless for now. Is there any way to make it rw?




Root Lost after rebooting using Kingo Android Root
https://www.kingoapp.com/troubleshoot/root-lost-after-rebooting-using-kingo-android-root.htm

Setting appropriate permissions on SU binary
https://android.stackexchange.com/questions/55714/setting-appropriate-permissions-on-su-binary

Does it help?
@Rafostar give us the full reference of your device. There are three variants of Toshiba Excite Pro. There are also 16GB and 32GB storage options.

Device Info HW by Andrey Efremov is a very good app for our project. Make use of it.

@markop741 do you have the same problem as Rafostar?

What does the Root Checker app find?
KingoRoot may enable a root in the Shell.

Sent from my takee 1 using XDA Labs


----------



## markop741 (Oct 18, 2017)

YuriRM said:


> The official LineageOS 13.0 for Nvidia Shield Portable (code name Roth) could be ported to Toshiba Excite Pro. It has the same processor Nvidia Tegra 4 (T114) and 2GB RAM.
> https://wiki.lineageos.org/devices/roth
> 
> 
> ...





Yes, I have the same problem. I do not have a permanent root; when I turn on the tablet I have to use the Kingo Root program to get root. After rebooting the tablet I have to install root again. I have no permanent root, only a temporary one. It would be great if you could erase all the tablet software, including the bootloader, and upload the new OS without any add-ons.


----------



## Rafostar (Oct 18, 2017)

@YuriRM Thanks for reply.
My tablet model is *AT10LE-A-108*, board *tostab12BA* (16GB EU ver).
Root is working fine until reboot. I am aware the issue is locked bootloader, but I don't know how to unlock it.
*/system partition* is read-only even when accessing with root permissions (write protected NAND?)


----------



## YuriRM (Oct 18, 2017)

markop741 said:


> Yes, I have the same problem. I do not have a permanent root; when I turn on the tablet I have to use the Kingo Root program to get root. After rebooting the tablet I have to install root again. I have no permanent root, only a temporary one. It would be great if you could erase all the tablet software, including the bootloader, and upload the new OS without any add-ons.







Rafostar said:


> @YuriRM Thanks for reply.
> My tablet model is AT10LE-A-108, board tostab12BA (16GB EU ver).
> Root is working fine until reboot. I am aware the issue is locked bootloader, but I don't know how to unlock it.
> /system partition is read-only even when accessing with root permissions (write protected NAND?)




I will ask @mrmazak for advice on how to proceed from the temporary root on Toshiba Excite Pro achieved by a Dirty Cow enabled KingoRoot.
MrMazak is the co-developer of a successful method to root the BLU R1 smartphone using Dirty Cow. 

BLU R1 v6.6 DirtyCowed F.U.
AMAZON ROOT and UNLOCK
https://forum.xda-developers.com/r1-hd/how-to/blu-r1-hd-v6-6-dirtycowed-f-amazon-root-t3490882

EDIT- Are we able to build a recovery.img for Toshiba Excite Pro during the temporary root? It will be needed when the bootloader is unlocked.

EDIT- A screenshot of partitions with block numbers is needed too. The Factory Reset Protection must be found. Device Info HW by Andrey Efremov is the ideal app for that. Can you do it, please @Rafostar and @markop741 ?

Sent from my takee 1 using XDA Labs


----------



## markop741 (Oct 19, 2017)

I installed Device Info but I have no idea where to find FRP. @YuriRM could you tell me where I have to look: SoC, system, memory, etc.? I'll send you a print screen.


----------



## Rafostar (Oct 19, 2017)

Thanks for help @YuriRM
I don't have much time recently, but I will try to post partition table later today and try dumping recovery partition.


----------



## YuriRM (Oct 19, 2017)

markop741 said:


> I installed Device Info but I have no idea where to find FRP. @YuriRM could you tell me where I have to look: SoC, system, memory, etc.? I'll send you a print screen.




Go to Partitions and post here a full screenshot of it, please. FRP is there under another name. I cannot do it because the Toshiba tablet is at my parents.

We need to get a database for Toshiba Excite Pro because the components and drivers for the three variants and two storage options may differ. Under-the-hood disparities may affect the behavior of custom ROMs.

Therefore, I request that you select Upload device information at the Info Center option in order to feed the Device Info HW database by Andrey Efremov.

EDIT - I have just found that my Takee 1 smartphone is slightly different than another one at the Device Info HW database. Mine has a Flash from Samsung I2U00A and he has a Hynix HBG4e eMMC flash drive. The power management integrated circuit (PMIC) has an additional component too, a TPS6128x converter to operate in power-save mode.

http://www.deviceinfohw.ru/devices/...form0&brand=brand0&filter=takee&submit=Search

Sent from my takee 1 using XDA Labs


----------



## Rafostar (Oct 20, 2017)

So, here is partitions info of this tablet:





And their names:





According to Nexus 7 development thread, these are common names on Tegra tablets:

APP -> system
CAC -> cache
LNX -> boot
MDA -> encrypted userdata
MSC -> misc
PER -> per device calibration
SOS -> recovery
UDA -> userdata
USP -> bootloader

Dumping recovery (SOS partition) was successful. 
I'm sending it in attached file.


----------



## markop741 (Oct 20, 2017)

OK, @YuriRM. I sent the tablet specification to the Device Info HW database by Andrey Efremov.
@Rafostar how did you do it? Can you send me instructions by email? I'm not a programmer, and when I enter the recovery mode (volume +, switch on) I do not know what to do next. Maybe I do not know what command to write then; doing a wipe will not give me anything.
Regards


----------






## Rafostar (Oct 20, 2017)

markop741 said:


> OK, @YuriRM. I sent the tablet specification to the Device Info HW database by Andrey Efremov.
> @Rafostar how did you do it? Can you send me instructions by email? I'm not a programmer, and when I enter the recovery mode (volume +, switch on) I do not know what to do next. Maybe I do not know what command to write then; doing a wipe will not give me anything.
> Regards




There is *no need* for you to dump it again. Recovery image should be the same on all Excite Pro tablets.
I posted it here so devs can download it and modify it into custom recovery like TWRP for anyone to flash.
But we need unlocked bootloader first. 

Anyway, here is the guide that should help you if you still want to try dumping it yourself:
https://forum.xda-developers.com/showthread.php?t=2450045
Just after restoring root go to KingoRoot installed folder and one of the folders inside should contain adb.exe.
Open command prompt there and type "adb shell", then execute commands from guide above


----------



## YuriRM (Oct 20, 2017)

Rafostar said:


> So, here is partitions info of this tablet:
> 
> And their names:
> 
> ...




Thanks a lot for all this valuable information (partitions, labels and the recovery image).

However, the screenshot of partitions at the Device Info HW app is much easier to understand. This app is built for wannabe developers like us. It will enable everybody to understand what is being discussed and give their opinion during development.
@markop741 I know that you have installed the Device Info HW app. Can you post here the screenshot of partitions, please?  Let's compare it with the traditional print posted by Rafostar.



markop741 said:


> OK, @YuriRM. I sent the tablet specification to the Device Info HW database by Andrey Efremov.




Here is the data for Toshiba Excite Pro (Toshiba AT10LE-A) uploaded by markop741 using the app.

http://www.deviceinfohw.ru/devices/...rm0&brand=brand0&filter=Toshiba&submit=Search
@Rafostar can you upload yours too, please? Manufacturers do sometimes change components according to price and availability.

Sent from my takee 1 using XDA Labs


----------



## Rafostar (Oct 20, 2017)

> Here is the data for Toshiba Excite Pro (Toshiba AT10LE-A) uploaded by markop741 using the app.
> 
> http://www.deviceinfohw.ru/devices/...rm0&brand=brand0&filter=Toshiba&submit=Search
> @Rafostar can you upload yours too, please? Manufacturers do sometimes change components according to price and availability.




No problem. Uploaded already. Doesn't seem any different.
BTW @YuriRM You sure this app shows device partitions? I don't see this option... Maybe it is in paid Pro version only?


----------



## YuriRM (Oct 20, 2017)

Rafostar said:


> No problem. Uploaded already. Doesn't seem any different.
> BTW @YuriRM You sure this app shows device partitions? I don't see this option... Maybe it is in paid Pro version only?




The standard version has 15 tabs that can be reached either by selecting the top left menu or simply by swiping your finger from right to left.

The Partitions tab is the 12th, between Project and PMIC.

Sent from my takee 1 using XDA Labs


----------



## Rafostar (Oct 20, 2017)

YuriRM said:


> The standard version has 15 tabs that can be reached either by selecting the top left menu or simply by swiping your finger from right to left.
> 
> The Partitions tab is the 12th, between Project and PMIC.
> 
> Sent from my takee 1 using XDA Labs




I don't see that tab 
I checked on both app versions from xda and on latest from Play Store (enabling root in app settings doesn't increase tab count).
Screenshot in attachment.


----------



## markop741 (Oct 20, 2017)

I agree with @Rafostar, the program does not show all the information. @YuriRM I'm sending you some print screens.

---------- Post added at 11:05 PM ---------- Previous post was at 10:57 PM ----------
@YuriRM maybe you have got a better version of this program. I installed it yesterday.


----------



## YuriRM (Oct 21, 2017)

Rafostar said:


> I don't see that tab
> I checked on both app versions from xda and on latest from Play Store (enabling root in app settings doesn't increase tab count).
> Screenshot in attachment.






markop741 said:


> I agree with @Rafostar, the program does not show all the information. @YuriRM I'm sending you some print screens.
> @YuriRM maybe you have got a better version of this program. I installed it yesterday.




You are right! The Device Info HW app is not optimized for Nvidia Tegra 4 devices. Therefore, the partitions information is not available. I will ask Andrey Efremov to add support for Tegra 4. I have been using this app on a MediaTek device (Takee 1).

Supported platforms:
full: Mediatek, Rockchip
partially: Qualcomm, Exynos, Intel and others.
low: Some devices with android 7.0+

My Toshiba AT10LE-A-109 /32GB details have been uploaded to the Device Info HW database by Andrey Efremov. It is identical to your AT10LE-A-108 with the exception of a Flash Toshiba 032G94.
http://www.deviceinfohw.ru/devices/...rm0&brand=brand0&filter=Toshiba&submit=Search



Al'++ said:


> Hello,
> I've been waiting a long time for a solution for upgrading my Toshiba AT10LE-A-10D to Android 4.4.
> And so this post seems to bring a new piece of hope!
> Thank you for the next answers and posts, I'm really excited and looking forward to the solution!



@Al'++ We need your contribution too! Can you install the app and upload the Toshiba AT10LE-A-10D details to the database, please?


----------



## YuriRM (Oct 22, 2017)

*Toshiba Excite Pro clones for donor parts*

The next step is to find Toshiba Excite Pro clones for donor parts.

TEGRA 4 DEVICES
Nvidia Shield Portable, Tegra Note 7, Microsoft Surface 2, HP Slate 7 Extreme, HP Slate 7 Beats Special Edition, HP Slate 8 Pro, HP SlateBook x2, HP SlateBook 14, HP Slate 21, ZTE N988S, nabi Big Tab, Nuvola NP-1, Project Mojo, Asus Transformer Pad TF701T, Toshiba AT10-LE-A (Excite Pro), Vizio 10" tablet, Wexler.Terra 7, Wexler.Terra 10, Acer TA272HUL AIO, Xiaomi Phone 3, Coolpad 大观 4, Audi Tablet, Le Pan TC1020 10.1", Matrimax iPLAY 7, Kobo Arc 10HD, Gigaset QV1030

Database of Tegra 4 devices
http://www.deviceinfohw.ru/devices/...form0&brand=brand0&filter=tegra&submit=Search

Clones for SCREEN SIZE and RESOLUTION - Quanta Gigaset QV1030, Asus Transformer Pad TF701 (KOOC)
Clones for SCREEN SIZE AND RESOLUTION, LENS, SOUND, ACCELEROMETER, MAGNETOMETER, GYROSCOPE, WIFI, AUDIO and 4 parts in 7 of OTHERS (dummy, palmas, nct_thermal, inv_dev) - Quanta Gigaset QV1030
Clones for SCREEN SIZE AND RESOLUTION, SOUND, ACCELEROMETER, GYROSCOPE, WIFI - and 3 parts in 7 of OTHERS (dummy, palmas and nct_thermal) - Asus Transformer Pad TF701 (KOOC)
Clones for SOUND, ACCELEROMETER, MAGNETOMETER and GYROSCOPE - Asus Google Nexus 7, HP SlateBook 10 x2 PC
Clones for PMIC, WIFI and AUDIO - HP SlateBook 10 x2 PC
Clones for WIFI and AUDIO - Quanta Gigaset QV1030, Asus Google Nexus 7, HP SlateBook 10 x2 PC
Clones for WIFI - Quanta Gigaset QV1030, Asus Transformer Pad TF701 (KOOC)
Clones for ALSPS - Asus Google Nexus 7
Clones for LENS - Quanta Gigaset QV1030
Clones for FLASH storage (032G4C) - Sony Xperia S LT26i
Clones for FLASH storage (016G92 and 032G94) - ???
Clones for TOUCHSCREEN, CAMERA - ???

Quanta Gigaset QV1030 is the best clone for donor parts to Toshiba Excite Pro (AT10LE-A).

Gigaset QV1030 Device Information:
http://www.deviceinfohw.ru/devices/item.php?item=6255

The QV1030 Kernel was published on the Gigaset Webpage.

Gigaset QV1030 Sourcecode:
https://web.archive.org/web/20150519070416/http://www.gigaset.com/support/open-source.html
https://web.archive.org/web/2017060...igaset.com/opensource/QV830-QV1030/QV1030.tar

Runner-up to best clone is Asus Transformer Pad TF701 (KOOC model).

Asus Transformer Pad TF701 (KOOC model)
http://www.deviceinfohw.ru/devices/item.php?item=5259

Not registered at the database
Nvidia Shield Portable (code name Roth)
Nvidia Tegra Note 7
and many others

Develop For Tegra NOTE 7
https://developer.nvidia.com/develop-for-tegra-note-7
SHIELD Open Source Resources and Drivers
https://developer.nvidia.com/shield-open-source
The official LineageOS 13.0 for Nvidia Shield Portable (code name Roth)
https://wiki.lineageos.org/devices/roth
[ROM] [8.0] [UNOFFICIAL] LineageOS 15.0 for Nexus 7 2013
https://forum.xda-developers.com/ne...ment/rom-lineageos-15-0-nexus-7-2013-t3673103
HP Slatebook X2 - maya - development thread (recovery,root)
https://forum.xda-developers.com/an...slatebook-x2-maya-development-thread-t2809038
[UNOFFICIAL] LineageOS 14.1 for HP Slatebook 14 by Carl Miller
https://plus.google.com/+CarlMillerteamregular
Asus Transformer Pad TF701 (Android 7.1.2) - 2560 x 1600 pixels
https://forum.xda-developers.com/transformer-tf701

nAOSP ROM 7.x for Sony Xperia S LT26i - Clones for FLASH storage (032G4C)
https://forum.xda-developers.com/xperia-s/s-development/rom-naosprom-xperia-s-t3462373


----------



## YuriRM (Oct 22, 2017)

*Root Checker screenshots (Congratulations, Verify root and Build info)*

Root Checker screenshots (Congratulations, Verify root and Build info) provided by @markop741
Has this KingoRoot method bypassed Toshiba's infamous sealime.ko security module? Rooting with KingoRoot is successful, but su binary is lost after reboot. Can something be done about that?
Also /system is still read-only so root is pretty much useless for now. Is there any way to make it rw?  Is it now possible to flash an unlocked bootloader which allows custom recovery and kernels/ramdisks (boot.img) to be used? @pio_masaki and @AmEv have achieved that goal in 2013. Read their feat!
[Root Tool] Toshiba Thrive 10.1" ICS (Android 4.0.4, Ice Cream Sandwich, Nvidia Tegra 2)
https://forum.xda-developers.com/showthread.php?t=2341075&page=1


----------



## Rafostar (Oct 26, 2017)

> @pio_masaki and @AmEv have achieved that goal in 2013. Read their feat!
> [Root Tool] Toshiba Thrive 10.1" ICS (Android 4.0.4, Ice Cream Sandwich, Nvidia Tegra 2)
> https://forum.xda-developers.com/showthread.php?t=2341075&page=1




Hmm... I took a look at their Thrive root script. (link)
It looks like they are using system restore function to gain temp root from "fakebackup.ab". (line 30)
I think we can skip it thanks to Kingo temp root.
Lines 37-45 are just copying files to temp dirs for later flashing.
But I am curious about line 48 - "Bypassing sealime....".
The only thing they did to achieve this is to move contents of _mmcblk0p6_ to _mmcblk0p9_ partition (also note, that they used _move_ command instead of _dd_ ). After that they have overwritten _mmcblk0p9_ with new unlocked bootloader. So if I'm not mistaken they simply get rid of all contents of _mmcblk0p6_ partition.

Can someone find partition names of that tablet and compare it to ours (ones that I posted earlier in this thread)?
sealime.ko is holding us from gaining write access to system...


----------



## YuriRM (Oct 26, 2017)

Rafostar said:


> Hmm... I took a look at their Thrive root script. (link)
> It looks like they are using system restore function to gain temp root from "fakebackup.ab". (line 30)
> I think we can skip it thanks to Kingo temp root.
> Lines 37-45 are just copying files to temp dirs for later flashing.
> ...




Eureka! This is the answer to your prayers. Read to the very end and get GPS ready.

Rooting the Toshiba Thrive - Roy Keene's Wiki
http://www.rkeene.org/projects/info/wiki/210


----------



## Rafostar (Oct 26, 2017)

YuriRM said:


> Eureka! This is the answer to your prayers. Read to the very end and get GPS ready.
> 
> Rooting the Toshiba Thrive - Roy Keene's Wiki
> http://www.rkeene.org/projects/info/wiki/210




No. It's not.
The GPS part is useless because it is only a weird way to gain root over adb (with the use of custom su binary).
KingoRoot already did that for us and even allowed us to gain root with an app in tablet (not only in adb shell).
The part about creating loop device and syncing its contents with system partition, even though it "might" work, only works like that:
- copy system somewhere else,
- modify it,
- resync

So the /system is still read-only. And needs repeating of modifying it with above steps *every time* you want to add/modify files.
Most root programs that we install are accessing and tinkering with /system as they work, so in other words they wouldn't work at all.


----------



## YuriRM (Oct 26, 2017)

*Complete ICS Thrive rooting tool*



Rafostar said:


> sealime.ko is holding us from gaining write access to system...




Maybe this link is the same that you already analyzed. I am doing searches on a smartphone and the screen is tiny! Sorry.

Complete ICS Thrive rooting tool. Reported to be internationally working....
https://github.com/thrive-hackers/thrive-10-inch-ics-root

Got the link to the solution from here by robyn402
https://forum.xda-developers.com/showthread.php?t=2341075&page=2

A very interesting thread on this subject
http://www.thriveforums.org/forum/t...nt/16229-wip-root-toshiba-thrive-ics-ota.html


----------



## YuriRM (Oct 29, 2017)

Another tablet with sealime.ko conquered is

Toshiba Excite 10 SE (AT300SE) root [SOLVED]
http://www.thriveforums.org/forum/t...hiba-excite-10-se-at300se-root-solved-26.html

CVE-2013-6282 proof of concept for Android 
https://github.com/timwr/CVE-2013-6282



> Toshiba Excite 10 SE (AT300SE) root [SOLVED]
> 
> Originally Posted by UserName 02-12-2017, 02:06 PM
> 
> ...




Sent from my takee 1 using XDA Labs


----------



## YuriRM (Nov 1, 2017)

*Porting KatKiss - Nougatella to Toshiba Excite Pro (AT10LE-A)*

I have made a request on our behalf to @timduru on 23-10-2017, 04:04 PM |#230 and maintained a dialogue with him until 27-10-2017, 12:51 PM |#235  
We got permission for porting KatKiss - Nougatella to Toshiba Excite Pro (AT10LE-A).

Asus Transformer TF701 - Transformer TF701 Original Android Development - [ROM][N 7.1.2] [ KatKiss - Nougatella #026 ] by timduru
https://forum.xda-developers.com/showpost.php?p=74266972&postcount=230



YuriRM said:


> @timduru Congratulations for your work! Can you give me the specifications of the front and rear camera (manufacturer and model), please?
> I request that you install the Device Info HW app by Andrey Efremov and select the Info Center option to upload device information (components) to the database.
> https://play.google.com/store/apps/details?id=ru.andr7e.deviceinfohw
> 
> ...






timduru said:


> Should be the K00C model:
> http://www.deviceinfohw.ru/devices/item.php?item=5259






YuriRM said:


> Thanks for your contribution to the database of Device Info HW by Andrey Efremov! You have been very helpful.
> http://www.deviceinfohw.ru/devices/...form0&brand=brand0&filter=tegra&submit=Search
> 
> If you grant root access to the Device Info HW app (Use root in its Settings), it enables more information to be uploaded, like TOUCHSCREEN, PMIC and MODEM.
> ...






timduru said:


> Sure, feel free to port it.
> I won't really have time to help for another device though.




Sent from my takee 1 using XDA Labs


----------



## YuriRM (Nov 4, 2017)

@Rafostar can you analyze and comment on the dialogue between pio_masaki (developer) and UserName (Thrive Lurker) on pages 24, 25 and 26, please?

Thread: Toshiba Excite 10 SE (AT300SE) root [SOLVED]

http://www.thriveforums.org/forum/t...hiba-excite-10-se-at300se-root-solved-24.html

http://www.thriveforums.org/forum/t...hiba-excite-10-se-at300se-root-solved-25.html

http://www.thriveforums.org/forum/t...hiba-excite-10-se-at300se-root-solved-26.html

On Toshiba Excite Pro (AT10LE-A) are we able to go back to Android 4.2.1 in order to profit from the unpatched sealime.ko ? Is Android 4.3 still vulnerable to seakiller, motochopper and kernelchopper ? 

Has KingoRoot used this on our tablet AT10LE-A?

["... an exploit based on CVE-2013-6282 that worked out of the box:
https://github.com/timwr/CVE-2013-6282

However, I'm still blocked by sealime and can't access various files:

[email protected]:/ # ls /modules/
sealime.ko
[email protected]:/ # cat /modules/sealime.ko
/system/bin/sh: cat: /modules/sealime.ko: Operation not permitted "...]

EDIT - has UserName really managed to modify the sealime.ko module in his dirty C++ code? He intended to make it available on GitHub. His last publication is from 14 March 2017.

Sent from my takee 1 using XDA Labs


----------



## YuriRM (Nov 6, 2017)

*Partitions by Aida64 and Device Info HW*

Andrey Efremov, the creator of Device Info HW app has answered my request on Partitions info for Toshiba Excite Pro. The new version 4.6.0 has full support for Qualcomm and a few more processors. Maybe the Nvidia Tegra 4 is among them. The new version is not yet available on Google Play.

Find attached two screenshots of partitions by Aida64 and Device Info HW (this is an example for the Takee 1 smartphone). Which one do you prefer? Both views are needed for ROM development and tackling Sealime.ko.

EDIT - version 4.6.4 of Device Info HW is already available on Google Play. Try it on Toshiba Excite Pro (AT10LE-A), please!
https://play.google.com/store/apps/details?id=ru.andr7e.deviceinfohw

Sent from my takee 1 using XDA Labs


----------



## YuriRM (Nov 11, 2017)

*Version 4.6.4 of Device Info HW by Andrey Efremov (ANDR7E)*

I have already tested the Version 4.6.4 of Device Info HW app by Andrey Efremov (ANDR7E).
https://play.google.com/store/apps/details?id=ru.andr7e.deviceinfohw

It has some nice functionalities in line switches. The partitions info is now detected and displayed in the traditional way that @Rafostar presented to us.  
Therefore, my request to @ANDR7E is to improve the Partitions info with names (like on MediaTek SOCs). A second request is the inclusion of Project information, please!
Congratulations on this fabulous app!

You can read my message here:
https://forum.xda-developers.com/showpost.php?p=74479254&postcount=15
The reply of Andrey Efremov (ANDR7E)
https://forum.xda-developers.com/showpost.php?p=74486098&postcount=16

Regards

EDIT - The test was done on my unrooted tablet and thus is unable to fetch partition names. Your rooted devices will perform better.


----------



## Rafostar (Nov 12, 2017)

YuriRM said:


> @Rafostar can you analyze and comment on the dialogue between pio_masaki (developer) and UserName (Thrive Lurker) on pages 24, 25 and 26, please?
> 
> Thread: Toshiba Excite 10 SE (AT300SE) root [SOLVED]
> 
> ...




Sorry for my recent inactivity. As I mentioned earlier I don't have much time recently because of work and various "tasks" 

_motochopper_ is not for us - tool for rooting and it doesn't override sealime too (we already use KingoRoot with 100% chance of working without risk of bricking).
_seakiller_ is not designed for our newer tablet model and as mentioned in _thriveforums_ it would require to understand the assembler code of the _sealime_sb_mount()_ function and I'm really NOT into assembler code.

Thanks for finding android roms that shouldn't be too hard to port to our device. But in our stock 3e recovery there is no option to flash anything other than "update" that must be digitally signed otherwise it gets rejected (tried myself). So flashing even a patch to remove/modify sealime functionality is impossible afaik. We need to get rid of sealime for good some way or another, otherwise there is no point in porting roms that can't be flashed.

Toshiba doesn't host rom images (unlike other brands), so going back to older android is unlikely.

"Basically if sealime does NOT return null, the kernel proceeds." - if that is true then finding a way to edit part of memory that holds return value of sealime loading function would allow us to proceed with sealime turned off and do whatever we please. But we probably would need help as I can't handle this alone 

I have seen that thread some time ago before and searched for his "dirty C++ code" but never found it.


----------
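Why a recovery of this kind turns away an unsigned or modified update, as an added example that is not part of any post in this thread: the structural check that AOSP's recovery verifier applies to an update zip before it verifies the signature itself. It assumes Toshiba's 3e recovery follows the AOSP footer layout; `inspect_ota_footer`, `build_update_zip` and both sample archives are constructed for illustration.

```python
import io
import struct
import zipfile

EOCD_MAGIC = b"PK\x05\x06"   # ZIP end-of-central-directory signature
EOCD_HEADER_SIZE = 22        # fixed EOCD fields, archive comment excluded
FOOTER_SIZE = 6              # signature_start (2) | 0xFFFF (2) | comment_size (2)

# Constructed 256-byte placeholder standing in for the signature block.
# It is not a real signature and would fail the cryptographic step.
PLACEHOLDER_SIG = b"\x30\x82\x00\xfc" + b"\xaa" * 252


def inspect_ota_footer(data: bytes) -> dict:
    """Locate the whole-file signature the way AOSP recovery does.

    The signature lives in the ZIP archive comment; the last six bytes of the
    file say where it starts. Everything before the comment-length field is
    the signed region. Only the layout is checked here: recovery goes on to
    hash the signed region and verify the signature against the public keys
    built into the recovery image (/res/keys in AOSP).
    """
    def fail(reason):
        return {"footer_ok": False, "reason": reason}

    if len(data) < FOOTER_SIZE:
        return fail("file too short")
    sig_start, magic, comment_size = struct.unpack("<HHH", data[-FOOTER_SIZE:])
    if magic != 0xFFFF:
        return fail("no signature footer")
    if sig_start > comment_size:
        return fail("signature start beyond comment")
    if sig_start <= FOOTER_SIZE:
        return fail("signature start inside footer")
    eocd_size = comment_size + EOCD_HEADER_SIZE
    if len(data) < eocd_size:
        return fail("file smaller than declared EOCD")
    eocd = data[-eocd_size:]
    if eocd[:4] != EOCD_MAGIC:
        return fail("EOCD record not where the footer says")
    if EOCD_MAGIC in eocd[4:]:
        # A second marker would let a ZIP parser and the verifier disagree
        # about where the archive ends.
        return fail("second EOCD marker inside comment")
    return {
        "footer_ok": True,
        # Signed region stops just before the 2-byte comment-length field.
        "signed_len": len(data) - eocd_size + EOCD_HEADER_SIZE - 2,
        "signature": data[len(data) - sig_start: len(data) - FOOTER_SIZE],
    }


def build_update_zip(signature_block: bytes = b"") -> bytes:
    """Build a constructed in-memory update zip, optionally with a signed-style comment."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("META-INF/com/google/android/updater-script",
                    'ui_print("constructed sample");\n')
        if signature_block:
            total = len(signature_block) + FOOTER_SIZE
            zf.comment = signature_block + struct.pack("<HHH", total, 0xFFFF, total)
    return buf.getvalue()


if __name__ == "__main__":
    samples = (("plain zip", build_update_zip()),
               ("zip with footer", build_update_zip(PLACEHOLDER_SIG)))
    for label, blob in samples:
        result = inspect_ota_footer(blob)
        shown = {k: (len(v) if isinstance(v, bytes) else v) for k, v in result.items()}
        print(label, shown)
```

A zip repacked with ordinary tools fails at the first check because it has no footer, and any change inside the signed region invalidates the signature that the footer points to.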



## YuriRM (Nov 12, 2017)

*Creation of a device tree for Toshiba Excite Pro on GitHub*



Rafostar said:


> Sorry for my recent inactivity. As I mentioned earlier I don't have much time recently because of work and various "tasks"
> 
> motochopper is not for us - tool for rooting and it doesn't override sealime too (we already use KingoRoot with 100% chance of working without risk of bricking).
> seakiller is not designed for our newer tablet model and as mentioned in thriveforums it would require to understand the assembler code of the sealime_sb_mount() function and I'm really NOT into assembler code.
> ...




Thanks for your valuable opinion!
1  - My suggestion is to move forward into the creation of a device tree for Toshiba Excite Pro (AT10LE-A or tostab12BA) and push it to GitHub. Making the configuration code available on GitHub gives visibility to this device and may attract interested people that have the required experience to do the memory trick that fools sealime. It is also a necessary step for ROM development. It is only a question of time before we get rid of sealime. KatKiss-Nougatella is an AOSP based ROM. Is it wise to make two device trees for AOSP and LineageOS ?

The device configuration of three clones is on GitHub.

My parents' tablet is not rooted. Therefore, the task of device tree creation belongs to you and @markop741 .

https://wikidevi.com/wiki/Toshiba_AT10LE-A
http://www.deviceinfohw.ru/devices/item.php?item=5174

Device tree for ASUS Transformer Pad TF701T (macallan or K00C or taurus)
https://github.com/pershoot/android_device_asus_tf701t
http://deviceinfohw.ru/devices/item.php?item=5259

Device tree for HP SlateBook 10 x2 PC (maya)
https://github.com/Tegra4/android_device_hp_maya
http://deviceinfohw.ru/devices/item.php?item=4558

Device tree for HP Slate 21 Pro (ranger)
https://github.com/Quaesar/android_device_hp_ranger

2 - There is another topic of relevance brought to me by Andrey Efremov, creator of the Hardware Info HW app. He complained to be unable to find the source code of Nvidia Tegra 4. However, he got hold of the source code for Nvidia Tegra 3 that was uploaded by Pio Masaki on GitHub.
https://github.com/pio-masaki/kerne.../arch/arm/mach-tegra/board-tostab12AL-panel.c

Can you manage to find the source code of Nvidia Tegra 4 (Wayne, tegraT114, tostab12BA, Linux version 3.4.57-gc710e6f) and upload it to GitHub, please?

EDIT - the Source Code of Linux kernel 3.4.57 is available on the Linux Kernel Archives (https://www.kernel.org/). Unfortunately, I could not find the variant Linux version 3.4.57-gc710e6f used on Toshiba Excite Pro. Does it make a significant difference? Nonetheless, the source codes of Nvidia Tegra 4 (Wayne, tegraT114) and the board tostab12BA are nowhere to be found. I had a look inside the linux kernel 3.4.57 under arch/arm/mach-tegra/board-
Where can it be found??

EDIT - Protecting Data on Smartphones and Tablets from Memory Attacks
https://dl.acm.org/citation.cfm?id=2694380


----------






## YuriRM (Nov 14, 2017)

*Linux kernel 3.4.57 - Vulnerabilities, Patch, Source code, PGP signature*



Rafostar said:


> "Basically if sealime does NOT return null, the kernel proceeds." - if that is true then finding a way to edit part of memory that holds return value of sealime loading function would allow us to proceed with sealime turned off and do whatever we please. But we probably would need help as I can't handle this alone




Linux kernel 3.4.57 - Vulnerability statistics
https://www.cvedetails.com/version/160815/Linux-Linux-Kernel-3.4.57.html

Linux kernel 3.4.57 - Security Vulnerabilities
https://www.cvedetails.com/vulnerab...sion_id-160815/Linux-Linux-Kernel-3.4.57.html

Linux Kernel 3.4.57 - Security Database
https://www.security-database.com/cpe.php?detail=cpe:/o:linux:linux_kernel:3.4.57

Linux kernel 3.4.57 released (Patch, Full source, PGP signature)
https://www.spinics.net/lists/announce-kernel/msg00989.html

Linux 3.4.57 - Change Log
https://www.kernel.org/pub/linux/kernel/v3.0/ChangeLog-3.4.57
Linux 3.4.57 PGP signature - Change Log
https://www.kernel.org/pub/linux/kernel/v3.0/ChangeLog-3.4.57.sign

Patch (.bz2)
https://www.kernel.org/pub/linux/kernel/v3.0/patch-3.4.57.bz2
Full source (tar.bz2)
https://www.kernel.org/pub/linux/kernel/v3.0/linux-3.4.57.tar.bz2

Patch (.gz)
https://www.kernel.org/pub/linux/kernel/v3.0/patch-3.4.57.gz
Full source (tar.gz)
https://www.kernel.org/pub/linux/kernel/v3.0/linux-3.4.57.tar.gz

Patch (.xz)
https://www.kernel.org/pub/linux/kernel/v3.0/patch-3.4.57.xz
Full source (tar.xz)
https://www.kernel.org/pub/linux/kernel/v3.0/linux-3.4.57.tar.xz

PGP signature
https://www.kernel.org/pub/linux/kernel/v3.0/linux-3.4.57.tar.sign
PGP signature - Patch
https://www.kernel.org/pub/linux/kernel/v3.0/patch-3.4.57.sign

================================================
Compressed Files (.BZ2, .GZ, .XZ, tar.BZ2, tar.GZ, tar.XZ)
https://fileinfo.com/filetypes/compressed

BZ2 File Extension - What is a .bz2 file and how do I open it?
https://fileinfo.com/extension/bz2
tar.BZ2 File Extension - What is a tar.bz2 file and how do I open it?
https://fileinfo.com/extension/tar.bz2

GZ File Extension - What is a .gz file and how do I open it?
https://fileinfo.com/extension/gz
tar.GZ File Extension - What is a tar.gz file and how do I open it?
https://fileinfo.com/extension/tar.gz

XZ File Extension - What is a .xz file and how do I open it?
https://fileinfo.com/extension/xz
tar.XZ File Extension - What is a tar.xz file and how do I open it?
https://fileinfo.com/extension/tar.xz

Sent from my takee 1 using XDA Labs


----------



## YuriRM (Nov 14, 2017)

*Tegra 4 Technical Reference Manual*

Tegra 4 Technical Reference Manual
https://developer.nvidia.com/embedded/tegra-4-reference

The Tegra 4 Technical Reference Manual ("TRM") is a technical document of over 2,600 pages targeted at those working on open source or other low level software projects that use or target the Tegra 4 processor. The TRM focuses on the logical organization and control of Tegra 4 Series devices. It provides information for those modules that interface to external devices, or those that control fundamental chip operations. The modules detailed in this document provide an overview, any necessary programming guidelines, and a register listing for that module. Internal functional units such as video and graphics hardware acceleration are controlled by NVIDIA provided software and not documented.

NVIDIA provides access to the Tegra 4 Technical Reference Manual to registered developers only. To become a registered developer, please sign up for our Embedded Registered Developer Program.

If you are already a Registered Developer, you can download the TRM from our Download Center.
Table of Contents
Introduction
Address and Interrupt Map
Interrupt Controller
Arbitration Semaphores
Atomics
Clock and Reset Controller
CL-DVFS
Timers
Multi-Purpose I/O Pins and Pin Multiplexing (Pinmuxing)
Power Management Controller
Real-Time Clock
Boot Process
Host Subsystem
GR2D
GR3D
Encoder Pre-Processor (EPP)
Keyboard Controller
CPU
Flow Controller
Memory Controller
AHB
APB
USB Complex
Audio Hub (AHUB)
Display Controller
MIPI-DSI (Display Serial Interface)
Serial Transport Stream DTV Controller
High-Definition Multimedia Interface
HDMI CEC
MIPI-CSI (Camera Serial Interface)
MIPI D-PHY Calibration for CSI and DSI
Video Input (VI)
SD/MMC Controller
MIPI-HSI (High Speed Synchronous Serial Interface)
I2C Controller
UART and VFIR Controller
Serial Peripheral Interface (SPI) Controller
One Wire Battery Controller
PWM Controller
Thermal Sensor and Thermal Throttling Controller


----------



## YuriRM (Nov 14, 2017)

*BootStomp + DUAL RECOVERY for locked BOOTLOADER + Reverse Engineering Xiaomi OTA*





Rafostar said:


> Thanks for finding android roms that shouldn't be too hard to port to our device. But in our stock 3e recovery there is no option to flash anything other than "update" that must be digitally signed otherwise it gets rejected (tried myself). So flashing even a patch to remove/modify sealime functionality is impossible afaik. We need to get rid of sealime for good some way or another, otherwise there is no point in porting roms that can't be flashed.



@Rafostar 
Can we use these concepts and BootStomp ? 
A test on Nvidia Tegra K1 with 6 seeds and 1 sink reveals 12 Entry Points, performing 7 loops and returning 1 zero-day bug in under 25 minutes (see Table 2, eight attached images at the bottom, read the Redini PDF). 

"The particular vulnerabilities found consisted mostly of memory corruption and privilege escalation bugs, including a part of NVIDIA’s bootloader code that could end up becoming user-accessible under the right OS conditions, as one example. Essentially, most of the vulnerabilities would either unlock the bootloader, preventing it from enforcing key security policies, or hand over control of key processes to the user privilege level. Tests were inconclusive on MediaTek hardware due to the bootloader’s unique structure, while an older Qualcomm bootloader fell victim to a known old bug, and the NVIDIA bootloader was only found to be vulnerable to the aforementioned privilege escalation bug. "

"NVIDIA’s Tegra-based devices ship with a bootloader known as hboot. This bootloader is very similar to Qualcomm’s, in that it runs at EL1, and implements only the fastboot functionality at this stage. BOOTSTOMP also discovered a vulnerability in NVIDIA’s hboot. hboot operates at EL1, meaning that it has equivalent privilege on the hardware as the Linux kernel, although it exists earlier in the Chain of Trust, and therefore its compromise can lead to an attacker gaining persistence.  We have reported the vulnerability to NVIDIA, and we are working with them on a fix. Our tool did not identify any path to non-volatile storage for the NVIDIA’s or MediaTek’s bootloaders. Upon manual investigation, we discovered that these two bootloaders both make use of memory-mapped I/O to write the value, which could map to anything from the flash to special tamper-resistant hardware. Thus, we cannot exclude the presence of vulnerabilities."

EDIT - Should we challenge this BootStomp team at the University of California or instead Roee Hay (Aleph Research, a team of ex-IBM researchers) to defeat sealime in all Toshiba tablets? He has achieved amazing exploits even on Nvidia Tegra K1 (Nexus 9).

EDIT - We must run BootStomp on Nvidia Tegra 4 (T114) to uncover vulnerabilities that may be different. It is an older SoC than Nvidia Tegra K1. Are you able to perform the BootStomp test?

1 - BootStomp: Find Mobile Device Bootloader Vulnerabilities
http://pentestit.com/bootstomp-find-mobile-device-bootloader-vulnerabilities/

Oh boy! This post is going to be interesting as it is about an interesting topic – mobile bootloaders. Specifically, this post is about BootStomp, which helps you find vulnerabilities in the bootloader. All of us know; as the name suggests, that bootloader is a program that loads the operating system. It does so by accessing the non-volatile memory to load the operating system into the RAM. You also might be aware that bootloaders come in two flavours – digitally locked and unlocked.

A locked bootloader only allows authorized operating systems with a digital signature to be loaded. Unlocked bootloaders do not verify digital signatures before loading the software.

What is BootStomp?

With the above mentioned information, it must be now clear as to why it is an important part of any operating system. Now, let’s get on to the meaty part about this open source tool in Python. BootStomp uses a combination of static analysis and dynamic symbolic execution engines to build a taint analysis system, that is capable of identifying bootloader vulnerabilities. It aims to find following classes of vulnerabilities:

- Memory corruption vulnerabilities.
- Insecure state storage vulnerabilities.

It depends on the able IDA Pro debugger to help debug the bootloader and the results are then presented to you for further analysis and research. At the core of BootStomp, is a taint analysis engine, which tracks the flow of data within a program that searches for paths within the program where an attacker will be possibly able to influence a sensitive memory operation. You are alerted for each such potentially vulnerable paths. BootStomp is already market tested, as using this tool, the authors were able to discover vulnerabilities in the following devices:

- Huawei P8 ALE-L23 (Huawei/HiSilicon chipset)
- Sony Xperia XA (MediaTek chipset)
- Nexus 9 (NVIDIA Tegra chipset)
- An un-named Qualcomm Little Kernel based device

Keep in mind that this is not your click and forget kinds. You need to be able to correctly configure it and understand the output you get from BootStomp. In addition to the project, the authors have also been kind enough to include a few of their tools that can be used to work with the bootloaders like bootsplitter.py which is used to split the extracted aboot.img into IDA loadable binary. Python scripts specific to the Huawei P8 are also included. They help you perform the following:

- dump_nvme.py – used to dump the contents of nvme.img (/dev/block/platform/hi_mci.0/by-name/nvme)
- dump_oeminfo.py – used to dump the contents of oeminfo.img (/dev/block/platform/hi_mci.0/by-name/oeminfo)
- oeminfo_exploit.py – create an exploit oeminfo image for Huawei P8 Lite phones, so that if you flash this back you could perform stack buffer overflow

Download BootStomp:

This open source bootloader vulnerability finding tool can be checked out from its GitHub repository. Additionally, there is a technical paper  (bootstomp.pdf) published by the authors, which can be found here.

2 - BootStomp: On the Security of Bootloaders in Mobile Devices
https://www.usenix.org/conference/usenixsecurity17/technical-sessions/presentation/redini

Redini PDF
https://www.usenix.org/system/files/conference/usenixsecurity17/sec17-redini.pdf

GitHub - BootStomp: a bootloader vulnerability finder 
https://github.com/ucsb-seclab/BootStomp

3 - DUAL RECOVERY for locked BOOTLOADER
https://forum.xda-developers.com/showthread.php?t=2261606

Announcement from [NUT]: The installer contains a ROOT EXPLOIT, this will trip A/V tools (e.g. ESET NOD32), disable it to download!!

-=[XZDualRecovery]=-
TWRP 2.8.7.0 & PhilZ Touch 6.59.0
*** For Locked and Unlocked BOOTLOADERS! ***

I proudly present you the first and only DUAL RECOVERY for locked boot loaders on our lovely Xperia phones! 

If you have an unlocked bootloader and chose to keep the STOCK Sony kernel, you can also use this MOD.

4 - Reverse Engineering Xiaomi OTA Updates to Find Unreleased Updates
https://www.xda-developers.com/reverse-engineering-xiaomi-ota-updates/

In an attempt to gain access to Xiaomi’s nightlies—the unreleased, in-house versions of Xiaomi’s MIUI operating system — XDA Senior Member duraaraa reverse-engineered the China-based company’s over-the-air (OTA) update framework. The two work-in-progress exploits force Xiaomi devices to pull a nightly build instead of the latest commercial firmware, which in theory could be installed on off-the-shelf devices if (1) MIUI’s OTA application was reverse engineered and (2) the test builds were signed with the same keys as the official builds.

5 - OnePlus OTAs: Analysis & Exploitation
By Roee Hay (@roeehay) 
May 11, 2017 * CVE-2017-5948; CVE-2017-8850; CVE-2017-8851; CVE-2016-10370
https://alephsecurity.com/2017/05/11/oneplus-ota/

In this blog post we present new trivial vulnerabilities found on OnePlus One/X/2/3/3T OxygenOS & HydrogenOS. They affect the latest versions (4.1.3/3.0) and below. The vulnerabilities allow for a Man-in-the-Middle (MitM) attacker to intervene in the OTA update process in order downgrade OxygenOS/HydrogenOS to older versions and even to replace OxygenOS with HydrogenOS (and vice versa), both without a factory reset, allowing for exploitation of now-patched vulnerabilities. Moreover, the OnePlus X ROM can be installed over OnePlus One and vice versa, leading to Denial-of-Service. In addition, the vulnerabilities can also be exploited by physical attackers allowing for easy exploitation of some of the vulnerabilities we previously disclosed.

6 - (Nvidia Tegra K1) - Attacking Nexus 9 with Malicious Headphones
By Roee Hay (@roeehay) 
March 8, 2017 * CVE-2017-0510; CVE-2017-0563; CVE-2017-0582
In the March 2017 Android Security Bulletin, Google released a patch to CVE-2017-0510, a critical severity vulnerability in Nexus 9 we discovered and responsibly disclosed a few months ago. This vulnerability has a very unusual attack vector – headphones. By exploiting this vulnerability we managed to leak stack canaries, derandomize ASLR, conduct a factory reset, and even access HBOOT, allowing for communication with internal System-on-Chips (SoCs) through I2C.

7 - (Nvidia Tegra K1) - Nexus 9 vs. Malicious Headphones, Take Two 
By Roee Hay (@roeehay) 
June 13, 2017 * CVE-2017-0648; CVE-2017-0510; CVE-2017-0563; CVE-2017-0582

In March 2017 we disclosed CVE-2017-0510, a critical vulnerability in Nexus 9, that allowed for quite unique an attack by malicious headphones. Interestingly, its patch was insufficient. We had responsibly reported that finding (CVE-2017-0648) to Google, that patched it in the June 2017 Android Security Bulletin.

In this blog post we will begin with a short recap of CVE-2017-0510, analyze why its original patch is insufficient (CVE-2017-0648), and demonstrate a sample attack against it. We will end by presenting CVE-2017-0648’s patch, which seems to completely block the attack.

8 - Going Inside an Arbitrary Kernel Write Vulnerability in the Nexus 9 (CVE-2016-3873)
https://securityintelligence.com/go...ry-kernel-write-vulnerability-in-the-nexus-9/

The IBM X-Force Application Security Research Team recently discovered an arbitrary write vulnerability in Nexus 9’s kernel (the Tegra kernel branch). Google’s Android Security Team acknowledged the vulnerability, which allows a privileged attacker to arbitrary write values within kernel space, and assigned it a high severity rating.

Kernel arbitrary write primitives can be used to achieve kernel code execution, which completely compromises the security of the device, not including TrustZone. It increases the TrustZone attack surface and allows attackers to access application data and override the Security-Enhanced Linux (SELinux) policy.

9 - Untethered initroot (USENIX WOOT '17)
By Roee Hay (@roeehay) 
August 30, 2017 * CVE-2016-10277; ALEPH-2017024

In USENIX WOOT ‘17, that took place earlier this month in Vancouver, we presented our paper, “fastboot oem vuln: Android Bootloader Vulnerabilities in Vendor Customizations”, covering a year’s work in Android bootloaders research.

Our paper also includes some previously undisclosed details on CVE-2016-10277, a critical kernel command-line injection vulnerability in the Motorola Android Bootloader (ABOOT) that we had found and blogged about.

In the previous couple of blog posts, we demonstrated a tethered unrestricted root exploit against that vulnerability, that we later extended to other Moto devices - G4 & G5. Additional Moto devices have also been confirmed by the community.

In the WOOT’17 paper we describe a natural continuation of that exploit – a second stage untethered secure boot & device locking bypass (tested to be working on the vulnerable versions of Nexus 6, Moto G4 & G5). Moreover, we also present in the paper and this blog post other second stage exploits, such as persistent kernel code execution in Nexus 6, the ability to downgrade critical partitions (such as the bootloaders chain and TrustZone), unlocking a re-locked Nexus 6 bootloader, and more.

As usual, our PoC exploit is publicly available in our GitHub repo.

10 - Aleph Research (by Roee Hay)
Security Research by HCL Technologies
https://alephsecurity.com/
@Rafostar should we challenge Roee Hay to defeat sealime in all Toshiba tablets?

11 - [Update: OnePlus Responds] OnePlus Accidentally Pre-Installed an App that acts as a Backdoor to Root Access
https://www.xda-developers.com/oneplus-root-access-backdoor/


----------
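The seed-and-sink idea in the BootStomp description quoted in the post above, as an added example that is not BootStomp's code and not part of the post: taint is propagated over a constructed straight-line instruction list instead of through symbolic execution of a real bootloader binary. The instruction format, `read_emmc`, `BUF_MAX` and the sample routine are all hypothetical.

```python
# Constructed model of a bootloader routine as (op, dst, func, args) tuples.
SEEDS = {"read_emmc"}        # calls returning data an attacker can place on flash
SINKS = {"memcpy": (0, 2)}   # sensitive call -> argument positions checked (dst, len)

PROGRAM = [
    ("call",  "hdr",  "read_emmc", ("boot_partition",)),   # seed: header from flash
    ("mov",   "size", None, ("hdr",)),                     # size = hdr->image_size
    ("add",   "n",    None, ("size", "16")),               # n = size + 16
    ("call",  None,   "memcpy", ("stack_buf", "hdr", "n")),
    ("clamp", "m",    None, ("size", "BUF_MAX")),          # m = min(size, BUF_MAX)
    ("call",  None,   "memcpy", ("stack_buf", "hdr", "m")),
]


def find_tainted_sinks(program, seeds=SEEDS, sinks=SINKS):
    """Return (index, sink, arg position, taint chain) for every sink call
    whose checked argument is derived from a seed without being bounded."""
    origin = {}      # tainted variable -> chain of names back to the seed call
    findings = []
    for index, (op, dst, func, args) in enumerate(program):
        if op == "call" and func in seeds:
            origin[dst] = [func + "()"]
            continue
        if op == "call" and func in sinks:
            for pos in sinks[func]:
                if args[pos] in origin:
                    chain = origin[args[pos]] + [args[pos]]
                    findings.append((index, func, pos, chain))
            continue
        if dst is None:
            continue
        tainted = [a for a in args if a in origin]
        if op == "clamp" or not tainted:
            # Assumption: clamping against BUF_MAX (the destination size)
            # bounds the value, so it is treated as sanitized. A value
            # computed only from clean inputs also clears old taint.
            origin.pop(dst, None)
        else:
            origin[dst] = origin[tainted[0]] + [tainted[0]]
    return findings


if __name__ == "__main__":
    for index, sink, pos, chain in find_tainted_sinks(PROGRAM):
        print(f"instruction {index}: {sink} argument {pos} <- " + " -> ".join(chain))
```

Only the first `memcpy` is reported: its length traces back to the flash read, while the second uses the clamped value.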



## beholder21 (Nov 15, 2017)

YuriRM said:


> The next step is to find Toshiba Excite Pro clones for donor parts.
> 
> TEGRA 4 DEVICES
> Nvidia Shield Portable, Tegra Note 7, Microsoft Surface 2, HP Slate 7 Extreme, HP Slate 7 Beats Special Edition, HP Slate 8 Pro, HP SlateBook x2, HP SlateBook 14, HP Slate 21, ZTE N988S, nabi Big Tab, Nuvola NP-1, Project Mojo, Asus Transformer Pad TF701, Toshiba AT10-LE-A (Excite Pro), Vizio 10" tablet, Wexler.Terra 7, Wexler.Terra 10, Acer TA272HUL AIO, Xiaomi Phone 3, Coolpad 大观 4, Audi Tablet, Le Pan TC1020 10.1", Matrimax iPLAY 7, Kobo Arc 10HD




The Gigaset QV1030 is also a Tegra 4 device.
LineageOS for Gigaset QV1030: https://fg6q-dev.github.io


----------



## YuriRM (Nov 16, 2017)

*[clone] [Device tree/Kernel/Vendor binaries] Gigaset QV1030 Sourcecode on GitHub*



beholder21 said:


> The Gigaset QV1030 is also a Tegra 4 device.
> LineageOS for Gigaset QV1030: https://fg6q-dev.github.io




Thanks, you have been very helpful ! I am going to add the Gigaset QV1030 aka. Quanta FG6Q to the list of clones. This tablet's SoC is informally referred to as Tegra 4 T40s but the real name is Tegra 4 T114. I know that you posted in this thread on 28th December 2013. Do you own a Gigaset QV1030 too? You said that the Gigaset QV1030 Kernel Sourcecode is available and provided the GitHub link.

[Device tree // Kernel // Vendor binaries] LineageOS for Gigaset QV1030 aka. Quanta FG6Q 
https://fg6q-dev.github.io/

This is a great help for creating a device tree for Toshiba Excite Pro AT10LE-A.
Regards

Sent from my takee 1 using XDA Labs


----------



## YuriRM (Nov 20, 2017)

Device configuration for the ASUS Transformer Pad TF701T
https://github.com/LineageOS/android_device_asus_tf701t

Working Kernel for Tegra Note 7 (Tegra 4)
https://github.com/Shaky156/Tegra-Note-7
https://forum.xda-developers.com/nvidia-tegra-note-7/orig-development/kernel-t2813892


----------



## beholder21 (Nov 20, 2017)

YuriRM said:


> Do you own a Gigaset QV1030 too? You said that the Gigaset QV1030 Kernel Sourcecode is available




Yes, and today I uploaded the device information to the Device Info HW app (by Andrey Efremov) database.
The QV1030 Kernel was published on the Gigaset Webpage.

Links:

Gigaset QV1030 Device Information: 
http://www.deviceinfohw.ru/devices/item.php?item=6255

Gigaset QV1030 Sourcecode: 
https://web.archive.org/web/20150519070416/http://www.gigaset.com/support/open-source.html
https://web.archive.org/web/2017060...igaset.com/opensource/QV830-QV1030/QV1030.tar


----------



## YuriRM (Nov 20, 2017)

*Quanta Gigaset QV1030 is the best clone for donor parts*



beholder21 said:


> I bought it also, would be great if someone could root this beautiful device






beholder21 said:


> Yes, and today I uploaded the device information to the Device Info HW app (by Andrey Efremov) database.
> The QV1030 Kernel was published on the Gigaset Webpage.
> 
> Links:
> ...




Marvellous! Quanta Gigaset QV1030 is the best clone for donor parts to Toshiba Excite Pro (AT10LE-A).  It has identical SCREEN SIZE AND RESOLUTION, LENS, SOUND, ACCELEROMETER, MAGNETOMETER, GYROSCOPE, WIFI, AUDIO and 4 parts in 7 of OTHERS (dummy, palmas, nct_thermal, inv_dev).

The source code is available from Gigaset. That is great!

The Asus Transformer Pad TF701T (KOOC) clone has identical SCREEN SIZE and RESOLUTION, SOUND, ACCELEROMETER, GYROSCOPE, WIFI and 3 parts in 7 of OTHERS (dummy, palmas and nct_thermal).

Fortunately, Asus Google Nexus 7 and HP SlateBook 10 x2 PCA can provide additional parts like ALSPS and PMIC, respectively. 

We still need parts from other clones: LCM, TOUCHSCREEN (goodix_touch), CAMERA (imx175_eeprom, mt9m114 and imx175), FLASH (016G92, 032G94 and 032G4C) and also 3 parts in 7 of OTHERS (dblc, nvtec and tc358770_dsi2edp).

EDIT - (tc358770_dsi2edp) is Toshiba lcd transmitter (converter) dsi-2-edp


----------



## YuriRM (Nov 21, 2017)

*FCC ID info - Quanta Gigaset QV1030 and Toshiba AT10LE-A*

Quanta Gigaset QV1030 aka. Quanta FG6Q (detailed information)

FCC ID HFS-FG6Q
HFSFG6Q, HFS FG6Q, HFS-FG6Q, HFS-FG6O, HFS-FG60, HF5-FG6Q
Quanta Computer Inc Tablet -FG6Q
https://fccid.io/HFS-FG6Q

Internal Photos
https://fccid.io/HFS-FG6Q/Internal-Photos/Internal-Photos-2090429.iframe
https://fccid.io/HFS-FG6Q/Internal-Photos/Internal-Photos-2090344.iframe
================================================
Toshiba AT10LE-A
https://wikidevi.com/wiki/Toshiba_AT10LE-A

Manuf/OEM/ODM Pegatron
FCC ID: VUIPDAPDAAT10LE-A
https://fcc.io/VUI/PDAPDAAT10LE-A

Direct access to links https://fccid.io/

Indirect access to links https://apps.fcc.gov/
For these it is necessary to use the menu of the first FCC link mentioned above. There are two options for each document (Details or Summary) and you should select details. Otherwise, access may not be authorized to the https://apps.fcc.gov/ links below.

Internal Photos 
https://fccid.io/VUIMU736ARC0/Internal-Photos/Internal-Photos-2010532.iframe
https://apps.fcc.gov/eas/GetApplicationAttachment.html?id=1967259

External Photos
https://fccid.io/VUIPDAPDAAT10LE-A/External-Photos/External-Photos-1967214.pdf
https://apps.fcc.gov/eas/GetApplicationAttachment.html?id=1967192

Camera (Front) - Brand name: Liteon , Model name: 12P2SF187, 1.2M FF MIPI w/ 2MIC
Camera (Rear) -  Brand name: Liteon , Model name: 12P2BA868, 8.0M AF MIP


----------



## ch.abderrahmane (Dec 14, 2017)

*Toshiba ROM*

Please can someone give us the detailed tuto to install a new rom  and root this tablet?

Thanks In advance


----------



## YuriRM (Dec 16, 2017)

ch.abderrahmane said:


> Please can someone give us the detailed tuto to install a new rom  and root this tablet?
> Thanks In advance




Are you ready to help us? 
1 - Someone must read and implement the BootStomp test on Toshiba Excite Pro (AT10LE-A). This task will open the way to obtain a permanent root.
BootStomp – A Bootloader Vulnerability Finder
https://pentesttoolz.com/2017/12/10/bootstomp-a-bootloader-vulnerability-finder/
2 - Another task is the creation of a device tree.
3 -  A temporary root can be obtained with the KingoRoot app or PC version.
http://www.kingoapp.com/


----------



## YuriRM (Dec 17, 2017)

How to Legally Install Unsupported Android TV or NVIDIA Shield Games on any Android Device
https://www.xda-developers.com/how-...or-nvidia-shield-games-on-any-android-device/

Sent from my takee 1 using XDA Labs


----------



## fizzefazze (Mar 8, 2018)

I have an Excite Pro AT10LE-A-109 (32GB) Tablet, and I tried to root it using Kingoroot. After enabling the kingoroot options under accessibility, do I need to do anything else on this device?
It runs up to 90% and then appears to be hung, although the tablet itself is noticeably warm. I know it does a rowhammer, and that certainly takes a while, but I've waited for up to 10 minutes to no avail.
Has anyone here obtained root on this device using kingoroot?


----------



## YuriRM (Mar 8, 2018)

markop741 said:


> Until now, I do not believe in what I did.
> First, I unlocked debugging on my tablet.
> Then I downloaded to my laptop (also Toshiba product) I downloaded the usb drivers downloaded from Toshiba web page.
> I connected the tablet to my laptop with a good USB cable.
> ...



@fizzefazze Have you read this? You must run KingoRoot two or three times until a temporary root is achieved. Are you trying the Android app or PC version? @Rafostar uses the Android app and @markop741 uses the PC version.

Sent from my takee 1 using XDA Labs


----------



## fizzefazze (Mar 8, 2018)

I'm using the android app. I've tried it 2-3 times so far, always have to reboot the device because it becomes unresponsive.
I'm running the latest toshiba firmware.


----------



## YuriRM (Mar 8, 2018)

fizzefazze said:


> I'm using the android app. I've tried it 2-3 times so far, always have to reboot the device because it becomes unresponsive.
> I'm running the latest toshiba firmware.




How long have you been waiting? Once I had to wait for an hour while rooting a smartphone. If it does not work, then try the PC version.


----------



## fizzefazze (Mar 9, 2018)

I let it sit over night, plugged into the charger, still stuck at 90% in the morning. I'll try the PC app next.


----------



## markop741 (Mar 11, 2018)

Android version Kingo root did not give me the ability to root my tablet. 
Only the PC version allows me to root my tablet.

---------- Post added at 06:48 PM ---------- Previous post was at 06:41 PM ----------




fizzefazze said:


> I let it sit over night, plugged into the charger, still stuck at 90% in the morning. I'll try the PC app next.




do you remember about installing USB drivers from the Toshiba website?


----------



## TheMarchHare (Mar 19, 2018)

I don't personally own one but @YuriRM mentioned some people were able to get temporary root with Kingo.
Did anyone try this, if you temporary root it, open a terminal app and chown or "chmod -R 777" the system directories, install BusyBox and SuperSU (or similar) then block su on boot a few times. 
Does it still drop root at reboot then?
It's kind of a simple fix but who knows, it might be a solution.


----------



## YuriRM (Apr 6, 2018)

TheMarchHare said:


> I don't personally own one but @YuriRM mentioned some people were able to get temporary root with Kingo.
> Did anyone try this, if you temporary root it, open a terminal app and chown or "chmod -R 777" the system directories, install BusyBox and SuperSU (or similar) then block su on boot a few times.
> Does it still drop root at reboot then?
> It's kind of a simple fix but who knows, it might be a solution.




Safestrap is a recovery for phones with a locked bootloader.
Can we have it for Toshiba Excite Pro?
https://www.xda-developers.com/snapdragon-samsung-galaxy-s8-galaxy-note-8-safestrap-recovery/

Sent from my takee 1 using XDA Labs


----------



## YuriRM (Apr 6, 2018)

A scatter file of Toshiba Excite Pro is easy to create using the new partitions table. 

Check how to retrieve more info on *partitions* and *other missing components* of Toshiba Excite Pro using the *new version 4.9.4* of Device Info HW, please. The new apk is attached at the end of post #1.
https://forum.xda-developers.com/android/apps-games/app-device-info-hw-t3558335

I do not know how to take a Screenshot of the new Partitions table.


----------



## YuriRM (Apr 20, 2018)

*Universal Coolpad Toolkit for Toshiba Excite Pro*

@[email protected] can you create a scatter file for my tablet Toshiba Excite Pro AT10LE-A-109, please? The SoC is a Nvidia Tegra 4.

Screenshots of the Partitions by Device Info HW are great for scatter files.

According to Nexus 7 development thread, these are common names of Partitions on Tegra tablets:

APP -> system
CAC -> cache
LNX -> boot
MDA -> encrypted userdata
MSC -> misc
PER -> per device calibration
SOS -> recovery
UDA -> userdata
USP -> bootloader

The stock recovery (SOS partition), traditional partition info and partition labels are also available in this post by @Rafostar
https://forum.xda-developers.com/showpost.php?p=74227484&postcount=39

A TWRP Recovery is needed too. However, there is only a temporary root by KingoRoot.

KP, your scripting skills are crucial to perform BootStomp, an automated tool to find bugs in Android bootloaders. Can you help us on that task, please?

We would like to add this device to your Universal Coolpad Toolkit. Does it support a Nvidia Tegra 4 SoC ? Should a customised version be prepared with your open source code, instead? 
https://coolpadtoolkit.wordpress.com/

Sent from my takee 1 using XDA Labs


----------



## [email protected] (Apr 21, 2018)

YuriRM said:


> @[email protected] can you create a scatter file for my tablet Toshiba Excite Pro AT10LE-A-109, please? The SoC is a Nvidia Tegra 4.
> 
> Screenshots of the Partitions by Device Info HW are great for scatter files.
> 
> ...




I will add this device also and will definitely create a TWRP for it, and for the scatter file you did it perfectly by listing the partitions. Do one thing: in the Device Info HW app, tap the 3 dots on the top right, then select Info Center. From there, create a report. It will create an HTML file containing all information about your device. PM me that file :angel:

Edit: Yes, you can prepare your own Toolkit from my Coolpad source code.


----------



## YuriRM (Apr 21, 2018)

@[email protected] can you master the python scripts of BootStomp?

Bootloader vulnerabilities on all android devices can be explored by BootStomp automated tool. 

Are you willing to try BootStomp on your device to learn how to use it? Then you may be able to help defeat Toshiba's Sealime protection and unlock the bootloader of Toshiba Excite Pro.

BootStomp: a bootloader vulnerability finder.
https://github.com/ucsb-seclab/BootStomp

Nexus 9 (Nvidia Tegra K1) bootloader vulnerabilities:
https://github.com/ucsb-seclab/BootStomp/tree/master/bootloaders/nexus_9

Huawei P8, Nexus 9, Qualcomm Little Kernel and Sony Xperia XA, bootloader vulnerabilities
https://github.com/ucsb-seclab/BootStomp/tree/master/bootloaders

DR.CHECKER : A Soundy Vulnerability Detection Tool for Linux Kernel Drivers
https://github.com/ucsb-seclab/dr_checker

EDIT - The first person of the XDA forum running a state of the art security tool to defeat famous protection mechanisms of Toshiba, ZTE, iRULU, etc. will get noticed and bask in glory. Being so young is a bonus. Google will want to hire you!


----------



## YuriRM (Apr 22, 2018)

How to Uninstall Carrier/OEM Bloatware Without Root Access

https://www.xda-developers.com/uninstall-carrier-oem-bloatware-without-root-access/


Sent from my takee 1 using XDA Labs


----------



## [email protected] (Apr 22, 2018)

YuriRM said:


> @[email protected] can you master the python scripts of BootStomp?
> 
> Bootloader vulnerabilities on all android devices can be explored by BootStomp automated tool.
> 
> ...





Even I want to work hard on such a project, but I have to wait till 13th May since semesters are going on in my high school and will end on 13th May; after that, full focus on this!


----------



## YuriRM (Apr 25, 2018)

[email protected] said:


> Even I want to work hard on such a project, but I have to wait till 13th May since semesters are going on in my high school and will end on 13th May; after that, full focus on this!




Tegra X1 vulnerability found, affects the Google Pixel C and Nvidia Shield
https://www.xda-developers.com/nvidia-tegra-x1-google-pixel-c-nvidia-shield/

I bet this vulnerability was found with BootStomp. It is likely to exist in Tegra 4 too!

Sent from my takee 1 using XDA Labs


----------



## YuriRM (Jun 7, 2018)

VirtualXposed lets you use some Xposed Modules without root
https://www.xda-developers.com/virtualxposed-xposed-modules-without-root/

Sent from my takee 1 using XDA Labs


----------



## stelioskoz (Jun 21, 2018)

Hello, I need firmware for Excite Pure AT10-A-104.
My tablet is stuck at the boot screen. I need this firmware to upgrade it from SD card.


----------



## YuriRM (Jun 21, 2018)

stelioskoz said:


> hello i need firmware for excite pure at10-a-104
> my tablet stuck at boot screen . i need this firmware to upgrade it from sd card

Click to collapse



Toshiba Excite 10 AT305 is a clone of your Toshiba Excite Pure AT10-A-104. Both have an Nvidia Tegra 3. 

You may ask in this thread:
https://forum.xda-developers.com/showthread.php?t=1661171&page=16

All Toshiba devices are protected by variants of the Sealime module. It prevents the unlocking of the bootloader.

A KingoRoot app from September 2017 was able to obtain temporary root on two Toshiba Excite Pro devices with Nvidia Tegra 4.

You may try KingoRoot on your device too!

Sent from my takee 1 using XDA Labs


----------



## raven008 (Jul 14, 2018)

Any good news? Or it's over now?




YuriRM said:


> Toshiba Excite 10 AT305 is a clone of your Toshiba Excite Pure AT10-A-104. Both have an Nvidia Tegra 3.
> 
> You may ask in this thread:
> https://forum.xda-developers.com/showthread.php?t=1661171&page=16
> ...



----------



## RafaelDeJongh (Sep 3, 2018)

Tried various methods today, sadly none of them worked for mine... shame toshiba locks it so damn hard!


----------



## YuriRM (Sep 6, 2018)

RafaelDeJongh said:


> Tried various methods today, sadly none of them worked for mine... shame toshiba locks it so damn hard!




Try BootStomp

Sent from my takee 1 using XDA Labs


----------



## suethon (Dec 9, 2018)

*can I help?*

Hi all,
I got a Toshiba Excite Write AT10PE-A105. As far as I see, the only difference to your LE is the screen, which has different (corning) glass and a stylus and the extended Memory of 32GB. However I am desperately looking for a newer ROM since the latest Toshiba android is 4.3 which is no longer supported by apps, which I would like to use. 
Unfortunately I do not understand most of your discussion but with your help I might be able to contribute with information on my version of that hardware?

Peter


----------



## YuriRM (Mar 21, 2019)

*Can you master the python scripts of BootStomp?*

@Mich-C can you master the python scripts of BootStomp?

Bootloader vulnerabilities on all android devices can be explored by BootStomp automated tool. 

Are you willing to try BootStomp on your device to learn how to use it? Then you may be able to help defeat Toshiba's Sealime protection and unlock the bootloader of Toshiba Excite Pro (AT10LE-A-108 and AT10LE-A-109) and Toshiba Excite Write (AT10PE-A105). These are very expensive tablets with Nvidia Tegra 4 (Wayne, tegraT114, board tostab12BA, Linux version 3.4.57-gc710e6f) running Android 4.3.

BootStomp: a bootloader vulnerability finder.
https://github.com/ucsb-seclab/BootStomp

Nexus 9 (Nvidia Tegra K1) bootloader vulnerabilities:
https://github.com/ucsb-seclab/BootStomp/tree/master/bootloaders/nexus_9

Huawei P8, Nexus 9, Qualcomm Little Kernel and Sony Xperia XA, bootloader vulnerabilities
https://github.com/ucsb-seclab/BootStomp/tree/master/bootloaders

Tegra X1 vulnerability found, affects the Google Pixel C and Nvidia Shield
https://www.xda-developers.com/nvidia-tegra-x1-google-pixel-c-nvidia-shield/

I bet this vulnerability was found with BootStomp. It is likely to exist in Tegra 4 too!

DR.CHECKER : A Soundy Vulnerability Detection Tool for Linux Kernel Drivers
https://github.com/ucsb-seclab/dr_checker

EDIT - The first person of the XDA forum running a state of the art security tool to defeat famous protection mechanisms of Toshiba, ZTE, iRULU, etc. will get noticed and bask in glory. Being so young is a bonus. Google will want to hire you!


----------



## YuriRM (Mar 21, 2019)

*BootStomp - 6 seeds and 1 sink reveals 12 Entry Points  (Nvidia Tegra K1)*

@Mich-C

BootStomp

A test on Nvidia Tegra K1 with 6 seeds and 1 sink reveals 12 Entry Points, performing 7 loops and returning 1 zero-day bug in under 25 minutes (see Table 2, eight attached images at the bottom, read the Redini PDF).

"The particular vulnerabilities found consisted mostly of memory corruption and privilege escalation bugs, including a part of NVIDIA’s bootloader code that could end up becoming user-accessible under the right OS conditions, as one example. Essentially, most of the vulnerabilities would either unlock the bootloader, preventing it from enforcing key security policies, or hand over control of key processes to the user privilege level. Tests were inconclusive on MediaTek hardware due to the bootloader’s unique structure, while an older Qualcomm bootloader fell victim to a known old bug, and the NVIDIA bootloader was only found to be vulnerable to the aforementioned privilege escalation bug. "

"NVIDIA’s Tegra-based devices ship with a bootloader known as hboot. This bootloader is very similar to Qualcomm’s, in that it runs at EL1, and implements only the fastboot functionality at this stage. BOOTSTOMP also discovered a vulnerability in NVIDIA’s hboot. hboot operates at EL1, meaning that it has equivalent privilege on the hardware as the Linux kernel, although it exists earlier in the Chain of Trust, and therefore its compromise can lead to an attacker gaining persistence. We have reported the vulnerability to NVIDIA, and we are working with them on a fix. Our tool did not identify any path to non-volatile storage for the NVIDIA’s or MediaTek’s bootloaders. Upon manual investigation, we discovered that these two bootloaders both make use of memory-mapped I/O to write the value, which could map to anything from the flash to special tamper-resistant hardware. Thus, we cannot exclude the presence of vulnerabilities."

https://forum.xda-developers.com/showpost.php?p=74517016&postcount=63

---------- Post added at 11:38 PM ---------- Previous post was at 11:25 PM ----------




suethon said:


> Hi all,
> I got a Toshiba Excite Write AT10PE-A105. As far as I see, the only difference to your LE is the screen, which has different (corning) glass and a stylus and the extended Memory of 32GB. However I am desperately looking for a newer ROM since the latest Toshiba android is 4.3 which is no longer supported by apps, which I would like to use.
> Unfortunately I do not understand most of your discussion but with your help I might be able to contribute with information on my version of that hardware?
> 
> Peter




Thanks!
You must install the latest version of *Device Info HW* app by Andrey Efremov (ANDR7E).
https://play.google.com/store/apps/details?id=ru.andr7e.deviceinfohw

Give us a screenshot of *partitions with names*, please.



Rafostar said:


> Thanks for finding android roms that shouldn't be too hard to port to our device. But in our stock recovery there is no option to flash anything other than "update" that must be digitally signed otherwise it gets rejected (tried myself). So flashing even a patch to remove/modify sealime functionality is impossible afaik. We need to get rid of sealime for good some way or another, otherwise there is no point in porting roms that can't be flashed.
> 
> "Basically if sealime does NOT return null, the kernel proceeds." - if that is true then finding a way to edit part of memory that holds return value of sealime loading function would allow us to proceed with sealime turned off and do whatever we please. But we probably would need help as I can't handle this alone






markop741 said:


> Android version Kingo root did not give me the ability to root my tablet.
> Only the PC version allows me to root my tablet.





beholder21 said:


> Today I uploaded the device information to the Device Info HW app (by Andrey Efremov) database.
> The QV1030 Kernel was published on the Gigaset Webpage.





ch.abderrahmane said:


> Please can someone give us the detailed tuto to install a new rom  and root this tablet





fizzefazze said:


> Has anyone here obtained root on this device using kingoroot?





raven008 said:


> Any good news? Or it's over now?





RafaelDeJongh said:


> Tried various methods today, sadly none of them worked for mine... shame toshiba locks it so damn hard!



@Mich-C is going to help us but he does not own this device. *BootStomp* is going to be tested on his android devices. Then he will write a script that could auto-diagnose the *bootloader vulnerabilities* of any device. Thereafter, we can test his *script* on Toshiba Excite Pro. This is a much needed *first step* to defeat Toshiba's Sealime protection (like a military *reconnaissance* mission). After gathering this information the *second step* to fully defeat Toshiba's Sealime will be prepared.

NOTE - Mich-C is busy with a project for Takee 1 at the moment. He will test *BootStomp* and *DR.CHECKER* : A Soundy Vulnerability Detection Tool for Linux Kernel Drivers, as soon as possible.
https://github.com/ucsb-seclab/dr_checker


----------



## RafaelDeJongh (Mar 28, 2019)

@YuriRM 

That's awesome, really looking forward to that as it would be really nice to get a better OS on it and breathe some more life into it!


----------



## Onkelboern (Apr 2, 2020)

*News about Root or Bootloader*

Hello

Is there anything new about boot loader or root? King Root gives me temporary root but not more.


----------



## fizzefazze (May 2, 2020)

I have tried Kingoroot and Kingroot both the PC Version and the Android version numerous times without success. I could not get (temporary) root.
Can anyone report which firmware they are running, and which app and whether it is from the PC or on the device itself?
Or whether they do anything else other than that? Disable Wifi/4G? Set airplane mode?...?


----------



## Drahflow (Mar 22, 2021)

I succeeded in mounting /system rw; installing a debian and running Xorg:


Jens-Wolfhard Schicke - Drahflow - Debian on the Toshiba Excite Pro AT10LE-A


Bootloader and kernel are still original.


----------



## YuriRM (Mar 24, 2021)

Drahflow said:


> I succeeded in mounting /system rw; installing a debian and running Xorg:
> 
> 
> Jens-Wolfhard Schicke - Drahflow - Debian on the Toshiba Excite Pro AT10LE-A
> ...




Congratulations! That is quite an achievement... I read your log and it's deliciously clever!
You are a genius... all that done with a humble Raspberry Pi?

Now that you have taken control of Toshiba Excite Pro AT10LE-A-108... can you flash LineageOS 13.0 (Android Marshmallow 6.0)... using the ROM of its best clone Gigaset QV1030 aka. Quanta FG6Q, please?





LineageOS for Gigaset QV1030 by FG6Q-Dev (fg6q-dev.github.io)

Only a few of us will want to use this tablet as a computer monitor. 
My mother uses it as a night sky astronomy tool.








SkyView® Lite - Apps on Google Play (play.google.com)
SkyView®, an augmented reality space app, brings stargazing to everyone!


----------



## Drahflow (Mar 25, 2021)

YuriRM said:


> Now that you have taken control of Toshiba Excite Pro AT10LE-A-108... can you flash LineageOS 13.0 (Android Marshmallow 6.0)... using the ROM of its best clone Gigaset QV1030 aka. Quanta FG6Q, please?
> 
> 
> 
> ...




What exactly is the goal? Running LineageOS 13.0 userland (but keeping the stock kernel), or replacing the kernel, too? I'll have a second device soon, then I can test if I can boot a custom kernel, but I thought people have reported problems due to the bootloader checking some signature... which means I'd need to build a working kexec(2)-style module to load a custom kernel without angering the bootloader.


----------



## YuriRM (Mar 27, 2021)

Drahflow said:


> What exactly is the goal? Running LineageOS 13.0 userland (but keeping the stock kernel), or replacing the kernel, too? I'll have a second device soon, then I can test if I can boot a custom kernel, but I thought people have reported problems due to the bootloader checking some signature... which means I'd need to build a working kexec(2)-style module to load a custom kernel without angering the bootloader.




Is a custom kernel needed in order to run Android 6.0 (Marshmallow) or Android 7.1.2 (Nougat) on Tegra 4 devices?
You tell me because I am not a developer.

However, I am aware that the first good developer of my EStar Takee 1 (Mediatek MT6592T with original Android 4.2.2 Jelly Bean) had to build a custom kernel of Linux 3.4.67 (Android 4.4 KitKat ROM). Then two other less gifted developers were able to use his kernel in order to port an Android 6.0 ROM and Android 7.1.2 ROM.

As a user I tried to gather useful information for a developer on hardware components of this Toshiba branded tablet. First I requested owners of Tegra 4 devices to run the Device Info HW app by Andrey Efremov (@ANDR7E). Then I searched those devices on his online database.

The original manufacturer (Manuf/OEM/ODM Pegatron) has used three FLASH storage components in our Toshiba branded tablet according to price and availability... for example (016G92 and 032G94 and 032G4C).
I recommend that you install the app too.





Device Info HW (www.deviceinfohw.ru)

Asus Transformer Pad TF701 (KOOC model) is a clone running [ROM] [N 7.1.2] [ KatKiss - Nougatella #039 ]
However, the camera is not working. This ROM is very good and fast.








[ROM][N 7.1.2] [ KatKiss - Nougatella #039 ] (forum.xda-developers.com)
KatKiss ROM  Nougat 7.1 Release Asus TF701T     This rom is an aosp based rom with my own additions on top of it.   The main motto of the rom being Kiss. Even though the Meerkat could give you a kiss, it stands for Keeps it Sweet and...

Gigaset QV1030 aka. Quanta FG6Q is a clone running LineageOS 13.0 (Android 6.0). Fortunately, the camera is working. This ROM is not as fast... I guess.





LineageOS for Gigaset QV1030 by FG6Q-Dev (fg6q-dev.github.io)

These two devices share most components with Toshiba Excite Pro (AT10LE-A) tablet.
Unfortunately, I could not find donors for TOUCHSCREEN, CAMERA.


The original QV1030 Kernel was published on the Gigaset Webpage.

Gigaset QV1030 Sourcecode:
https://web.archive.org/web/20150519070416/http://www.gigaset.com/support/open-source.html
https://web.archive.org/web/2017060...igaset.com/opensource/QV830-QV1030/QV1030.tar

Please read my posts #48 , #55 , #60  , #62 , #65 , #66 , #68 , #69

It is up to you to decide if the best choice is Android 6 or Android 7... or something else... like Ubuntu Touch.

Maybe you can do much better than previous developers of those Tegra 4 tablet clones.
We respect your decision.


----------



## YuriRM (Mar 28, 2021)

*Suggestions*

Our wish is that a talented developer brings PROJECT TREBLE and PROJECT MAINLINE or PROJECT HALIUM to our Toshiba tablet.

PROJECT TREBLE Posts on XDA








project treble | XDA Developers (www.xda-developers.com)
Founded in 2002, XDA is the world’s largest smartphone and electronics community. Looking for the latest tech news and reviews? Want to do more with your Android phone, Windows PC, iPhone, iPad, or MacBook? Look no further than XDA.

PROJECT MAINLINE Posts on XDA








Project Mainline | XDA Developers (www.xda-developers.com)

HALIUM Posts on XDA








halium | XDA Developers (www.xda-developers.com)

UBports GSI brings Ubuntu Touch to any Project Treble-supported Android device








XDA Recognized Developer erfanoabdi has compiled an Ubuntu Touch GSI that can be installed on any Project Treble compliant device. (www.xda-developers.com)

Halium is an Open Source Project Working Towards a Common Base for Non-Android Mobile Operating Systems








Project Halium is an open source project that aims to build a common working base for all non-Android, GNU/Linux based operating systems. (www.xda-developers.com)

Developer Brings Full Project Treble Compatibility to the Xiaomi Redmi Note 4
... originally Android 6.0 (Marshmallow), upgradable to 7.0 (Nougat), MIUI 11








A developer on our forum has managed to bring full Project Treble compatibility to the Xiaomi Redmi Note 4, and he's proved it by booting a generic Android 8.1 Oreo. This opens up the door for much easier future custom ROM development, and will be hugely beneficial once Android P comes around. (www.xda-developers.com)

Project Treble on the Xiaomi Redmi Note 4

How did he do it? He used the “cust” partition on the device for his make-shift vendor partition. The cust partition normally holds a lot of device-specific stuff from MIUI, so it’s essentially wasted space on an AOSP build. Using the approximately 830MB unused partition, he moved the vendor HALs from system into cust without needing to repartition.

After some hard work getting the vendor interface working, he was able to boot up XDA Senior Member phhusson’s Android 8.1 Oreo GSI without much effort. (Note: phhusson told me that abhishek987 had to change things around for it to work due to a lack of a “versioned VNDK.”)

@Drahflow can you do the same? Is Treble worth the effort? Could our Toshiba Treble ROM be adapted easily to Tegra 4 tablets of other brands? Is it easier and faster to compile Ubuntu Touch in the classic way?


----------



## Drahflow (Mar 29, 2021)

YuriRM said:


> can you do the same?




Unfortunately not. I tried flashing a new recovery, but the bootloader refuses to start it, so I suppose it checks some signature. This leaves us always with the same kernel and the same rootfs during boot. The problem is not "just" one of getting the right vendor blobs to the right places, but how to orchestrate a switch-over from an already running Android into another one.

I tried (and failed) to do a manual startup of various services in a lineage-OS living in a chroot (from the Gigaset QV1030 link you gave above). The only real progress I made was the discovery that a blatant copy of /system/lib/egl from the stock ROM into the lineage image will fix a SIGSEGV in surfaceflinger which could then be started.

Next, I should try to clone the Android /init functionality to have a parser for /init.rc of the lineage OS which is capable of starting all the services with correct sockets etc., as otherwise I don't see a good way to re-start a working system.

If anyone has heard about androids running from within a chroot, please speak up, it would save a lot of time if someone already has some code for it.


----------



## YuriRM (Mar 29, 2021)

Drahflow said:


> Unfortunately not. I tried flashing a new recovery, but the bootloader refuses to start it, so I suppose it checks some signature. This leaves us always with the same kernel and the same rootfs during boot. The problem is not "just" one of getting the right vendor blobs to the right places, but how to orchestrate a switch-over from an already running Android into another one.
> 
> I tried (and failed) to do a manual startup of various services in a lineage-OS living in a chroot (from the Gigaset QV1030 link you gave above). The only real progress I made was the discovery that a blatant copy of /system/lib/egl from the stock ROM into the lineage image will fix a SIGSEGV in surfaceflinger which could then be started.
> 
> ...




It is much faster to obtain privileges at the Tegra 4 processor level and bypass the bootloader.
I suggest that you run *BootStomp*. Please read my posts #95, #96
https://github.com/ucsb-seclab/BootStomp
and *DR.CHECKER*: A Soundy Vulnerability Detection Tool for Linux Kernel Drivers.
https://github.com/ucsb-seclab/dr_checker

NOTE - Tegra 4 has the same vulnerabilities as Tegra K1 and Tegra X1... because they share the same platform.
Please read my post #63 (extended compilation of vulnerabilities on Tegra processors that you can use, OTA signature spoofing, Malicious Headphones, Arbitrary Kernel Write Vulnerability, etc.)


----------



## YuriRM (Apr 6, 2021)

@Drahflow once the bootloader is defeated... JingOS may be another option. It is based on Ubuntu. Version 1.0 is expected in June 2021 (with support for x86 processors only). Support for ARM processors is not yet available. They will sell a JingPad tablet in August 2021. However, despite having GPS and 6-axis Gyroscope it does not have hardware Compass.
Not a good tablet in my opinion for navigation and night sky watching. It is very expensive too at $549.

JingPad A1 Linux tablet crowdfunding begins June 15th for $549 (or less for beta testers)

*JingOS*
World’s First Linux-Based Tablet OS
JingOS is a ‘convergence’ Linux-Based Open-Source mobile OS for tablets and mobile devices.
It can run Linux and Android apps.
It is adapted to run naturally with touch, pencil, keyboard and trackpad.





JingOS | Future Mobile OS based on Linux - JingLing - JingOS
JingOS is a ‘convergent’ Linux-Based Open-Source OS for future tablets & laptops. It is a product of JingLing Tech. JingPad A1 is the World’s FIRST Consumer-level ARM-based Linux Tablet.


----------



## YuriRM (Jun 3, 2021)

@Drahflow how is it going? Much harder than expected?


----------



## bojan.1995 (Dec 3, 2021)

@Drahflow bump.


----------



## Drahflow (Dec 3, 2021)

YuriRM said:


> @Drahflow how is it going? Much harder than expected?




Life got in the way, essentially. Getting anything else running is not critical for my usage of the Tablet and there were other priorities. If anyone has time to experiment, I can supply the dirtyCow and .ko required to disable sealime.


----------



## bojan.1995 (Dec 4, 2021)

Drahflow said:


> Life got in the way, essentially. Getting anything else running is not critical for my usage of the Tablet and there were other priorities. If anyone has time to experiment, I can supply the dirtyCow and .ko required to disable sealime.




Posting files would be nice


----------



## Drahflow (Dec 4, 2021)

README inside. If anything is unclear or doesn't work, please ask.


----------



## PM128 (Jan 5, 2022)

Thank you for posting this method. I copied the files into that /data/local/tmp but 'chmod' command in the Step 2 fails with "Bad mode". I have the predecessor Toshiba Tegra 3 tablet AT300SE (tostab12AL) and I'm trying to root it in order to get some higher Android on it. What can I do to make it work?
Second question: after I will succeed to finally root it IS there any Custom ROM for this hardware at all? Maybe there isn't?


Drahflow said:


> README inside. If anything is unclear or doesn't work, please ask.



----------



## Drahflow (Jan 5, 2022)

PM128 said:


> Thank you for posting this method. I copied the files into that /data/local/tmp but 'chmod' command in the Step 2 fails with "Bad mode".




Try "chmod 777 *.sh dirtycow" instead.



PM128 said:


> I have the predecessor Toshiba Tegra 3 tablet AT300SE (tostab12AL) and I'm trying to root it in order to get some higher Android on it. What can I do to make it work?




I have not worked on unlocking the bootloader, my method only replaces / augments the Linux userland of the tablet. Actually getting a newer *Android* running on it will be a lot of research + work.



PM128 said:


> Second question: after I will succeed to finally root it IS there any Custom ROM for this hardware at all? Maybe there isn't?




No idea, really. I don't have one, but that doesn't mean much.


----------



## PM128 (Jan 6, 2022)

Drahflow said:


> Try "chmod 777 *.sh dirtycow" instead.
> 
> 
> I have not worked on unlocking the bootloader, my method only replaces / augments the Linux userland of the tablet. Actually getting a newer *Android* running on it will be a lot of research + work.
> ...




That chmod 777 worked. Thanks for the tip. However, the temporary root test then failed. See output below. I noticed your shell has the # sign, mine is still only $. Does it indicate your tablet was successfully rooted before the issued commands?

[email protected]:/data/local/tmp $ ls -la
-rw-rw-rw- shell    shell       55381 2021-12-04 22:39 dirtycow
-rw-rw-rw- shell    shell         296 2021-12-04 22:28 root.sh
-rw-rw-rw- shell    shell         309 2021-12-04 22:25 start-su.sh
-rw-rw-rw- shell    shell       49253 2021-12-04 22:40 su
-rw-rw-rw- shell    shell         132 2021-12-04 22:28 temp-root.sh
[email protected]:/data/local/tmp $ chmod 777 *.sh dirtycow
[email protected]:/data/local/tmp $ ls -la
-rwxrwxrwx shell    shell       55381 2021-12-04 22:39 dirtycow
-rwxrwxrwx shell    shell         296 2021-12-04 22:28 root.sh
-rwxrwxrwx shell    shell         309 2021-12-04 22:25 start-su.sh
-rw-rw-rw- shell    shell       49253 2021-12-04 22:40 su
-rwxrwxrwx shell    shell         132 2021-12-04 22:28 temp-root.sh
[email protected]:/data/local/tmp $ ./temp-root.sh
dcow start-su.sh /system/bin/debuggerd
warning: new file size (309) and destination file size (21736) differ

[*] size 21736
[*] mmap 0x40239000
[*] currently 0x40239000=464c457f
[*] using ptrace method
[*] madvise = 0x40239000 21736
[*] ptrace 0 13
[*] exploited 2417 0x40239000=732f2123
dcow start-su.sh /system/bin/netd
warning: new file size (309) and destination file size (75292) differ

[*] size 75292
[*] mmap 0x4021d000
[*] currently 0x4021d000=464c457f
[*] using ptrace method
[*] madvise = 0x4021d000 75292
[*] ptrace 0 9
[*] exploited 2426 0x4021d000=732f2123
[*] madvise = 0 16777216
[*] exploited 0 0x40239000=732f2123
[*] madvise = 0 16777216
[*] exploited 0 0x4021d000=732f2123

[email protected]:/data/local/tmp $ ./su
/system/bin/sh: ./su: can't execute: Permission denied


----------
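An added example, not part of any post in this thread: the `currently` and `exploited` lines in the dcow output print the first 32-bit word of the target file as a little-endian integer, so `464c457f` is the ELF magic and `732f2123` is the start of a `#!/s...` script. The Python below decodes those words and matches late, interleaved lines to their run by mapping address; the log excerpt is abridged from sessions posted in this thread, and the function names are hypothetical.

```python
import re
import struct

ELF_MAGIC = b"\x7fELF"

# Abridged from the terminal sessions posted in this thread.
SAMPLE_LOG = """\
dcow start-su.sh /system/bin/debuggerd
warning: new file size (309) and destination file size (21736) differ
[*] size 21736
[*] mmap 0x40239000
[*] currently 0x40239000=464c457f
[*] using ptrace method
[*] madvise = 0x40239000 21736
[*] exploited 2417 0x40239000=732f2123
dcow start-su.sh /system/bin/netd
[*] size 75292
[*] mmap 0x4021d000
[*] currently 0x4021d000=464c457f
[*] exploited 2426 0x4021d000=732f2123
[*] madvise = 0 16777216
[*] exploited 0 0x40239000=732f2123
dcow dump_memory.ko /system/lib/modules/gps_drv.ko
[*] size 152743
[*] mmap 0x40192000
[*] currently 0x40192000=464c457f
[*] exploited 14500 0x40192000=464c457f
"""

RUN_RE = re.compile(r"^dcow (\S+) (\S+)$")
MMAP_RE = re.compile(r"\[\*\] mmap (0x[0-9a-f]+)")
CURRENT_RE = re.compile(r"\[\*\] currently (0x[0-9a-f]+)=([0-9a-f]{8})")
EXPLOITED_RE = re.compile(r"\[\*\] exploited \d+ (0x[0-9a-f]+)=([0-9a-f]{8})")


def decode_word(hex_word):
    """Turn the printed 32-bit value back into the four file bytes."""
    return struct.pack("<I", int(hex_word, 16))


def classify(header):
    """Classify a file by its first bytes."""
    if header[:4] == ELF_MAGIC:
        return "elf"
    if header[:2] == b"#!":
        return "script"
    return "unknown"


def header_is_elf(data):
    """Check a pulled copy of a system binary (e.g. debuggerd) from its bytes."""
    return classify(data[:4]) == "elf"


def parse_log(text):
    """Return one record per dcow run with the header bytes before and after."""
    runs, by_addr = [], {}
    for raw in text.splitlines():
        line = raw.strip()
        m = RUN_RE.match(line)
        if m:
            runs.append({"source": m.group(1), "target": m.group(2),
                         "before": None, "after": None})
            continue
        m = MMAP_RE.search(line)
        if m and runs:
            by_addr[m.group(1)] = runs[-1]   # remember which run owns this mapping
            continue
        m = CURRENT_RE.search(line)
        if m and m.group(1) in by_addr:
            by_addr[m.group(1)]["before"] = decode_word(m.group(2))
            continue
        m = EXPLOITED_RE.search(line)
        if m and m.group(1) in by_addr:
            # Late lines from an earlier run carry that run's address.
            by_addr[m.group(1)]["after"] = decode_word(m.group(2))
    return runs


def assess(run):
    """Describe what the first word says about the cached copy of the target."""
    if run["before"] is None or run["after"] is None:
        return "incomplete log"
    before, after = classify(run["before"]), classify(run["after"])
    if before == "elf" and after == "script":
        return "ELF header replaced by a script in the cached copy"
    if run["before"] == run["after"]:
        return "first word unchanged; compare full hashes"
    return "header changed: %s -> %s" % (before, after)


if __name__ == "__main__":
    for run in parse_log(SAMPLE_LOG):
        print(run["target"], "->", assess(run))
```

The same `header_is_elf` check applies to a copy of `/system/bin/debuggerd` or `/system/bin/netd` pulled from storage after a reboot: a shebang header there means the changed file reached the disk.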



## PM128 (Jan 6, 2022)

Well I got a little bit further though. Noticed that 'su' still had no executable permission so I gave it with chmod. Got the temporary root:
[email protected]:/data/local/tmp $ ls -la
-rwxrwxrwx shell    shell       55381 2021-12-04 22:39 dirtycow
-rwxrwxrwx shell    shell         296 2021-12-04 22:28 root.sh
-rwxrwxrwx shell    shell         309 2021-12-04 22:25 start-su.sh
-rwxrwxrwx shell    shell       49253 2021-12-04 22:40 su
srwxrwxrwx root     root              2022-01-06 12:40 su.sock
-rwxrwxrwx shell    shell         132 2021-12-04 22:28 temp-root.sh
[email protected]:/data/local/tmp $ ./su
/system/bin/sh: No controlling tty: open /dev/tty: No such device or address
/system/bin/sh: warning: won't have full job control
[email protected]:/ # id
uid=0(root) gid=0(root)

However the rest of the procedure led me to confusion. Opened the push.sh file since it could not be executed either under shell or su. Through the adb pull command I managed to get the gps_drv.ko out of the device to the PC. The 'cp' command was not recognized by the shell of the device, nor by the Windows PC of course. So I 'copy'ied the file to the glomus.ko on the PC and that's it, got stuck. Now I think you have a Linux PC so I need to research if there is some way to "dd" partially copy the files as per your prescription on a Windows PC. Any help with it would be appreciated.

[email protected]:/data/local/tmp $ cp
/system/bin/sh: cp: not found
127|[email protected]:/data/local/tmp $ ./su
/system/bin/sh: No controlling tty: open /dev/tty: No such device or address
/system/bin/sh: warning: won't have full job control
[email protected]:/ # cp
/system/bin/sh: cp: not found
127|[email protected]:/ #


----------



## Drahflow (Jan 6, 2022)

Do you need more than the temporary root? The rest of the steps are "just" for removing the sealime.ko "protection" blocking you from simply remounting /system and doing whatever you like. It is not certain that your model actually requires these steps.

From the temporary root shell, can you already successfully do
root@tostab12BA:/ # mount -o remount,rw /system

If yes, you can ignore all that glomus.ko business. If not, please check your kernel version with

[email protected]:/ $ cat /proc/version

Because the instructions (even if successful) will create a fake-GPS driver which does some kernel patching to fixed offsets, and if you are on a different kernel version than I was when I wrote them, it will not work (and potentially crash the device; very likely not brick just crash).

My device reports
Linux version 3.4.57-gc710e6f ([email protected]) (gcc version 4.6.x-google 20120106 (prerelease) (GCC) ) #1 SMP PREEMPT Mon Dec 2 17:16:19 IST 2013


----------



## PM128 (Jan 6, 2022)

The mounting of /system still fails:

[email protected]:/data/local/tmp $ ./su
/system/bin/sh: No controlling tty: open /dev/tty: No such device or address
/system/bin/sh: warning: won't have full job control
[email protected]:/ # mount -o remount,rw /system
mount: Operation not permitted

My kernel:
[email protected]:/ # cat /proc/version
Linux version 3.1.10-g9ebfa32 ([email protected]) (gcc version 4.6.x-google 20120106 (prerelease) (GCC) ) #1 SMP PREEMPT Thu Aug 22 11:22:37 IST 2013
[email protected]:/ #

I was in the middle of the struggle with some dd for Windows; the first didn't have the conv= parameter, so then I found the GnuWin32 utility, installed it, copied the glomus.bin, glomus.ko and gps_drv.ko to that folder because of paths, and the first dd command was (I guess) successful. The second command, which uses if=/dev/zero, still failed since Windows doesn't have such a thing.


----------



## Drahflow (Jan 6, 2022)

Any file with a bunch of zero-bytes will do instead of /dev/zero; but I'd be surprised if the resulting glomus.ko would help you - the kernel offsets should be wrong. But following the original unlock development from http://drahflow.name/debian-toshiba-excite-pro.html the next step is to figure those out:

[email protected]:/ # echo 0 > /proc/sys/kernel/kptr_restrict
[email protected]:/ # cat /proc/kallsyms
...
bf0061c0 t cleanup_module       [sealime]
...
c0bc6d28 t register_sealime     [sealime]
...

(output from my device obviously) What does yours show?


----------



## PM128 (Jan 6, 2022)

issued the 2 commands (first gave no output):
... hundreds of lines (truncated by term buffer)
bf0285ec t cfg80211_wext_siwtxpower     [cfg80211]
bf0000b4 t proc_read    [sealime]
bf0000c4 t proc_write   [sealime]
bf0032e0 t proc_secsetting_write        [sealime]
bf000aac t sealime_ptrace_access_check  [sealime]
bf000a90 t sealime_ptrace_traceme       [sealime]
bf000ab8 t sealime_bprm_secureexec      [sealime]
bf002320 t sealime_sb_mount     [sealime]
bf000000 t sealime_sb_umount    [sealime]
bf001a58 t sealime_sb_pivotroot [sealime]
bf001928 t sealime_path_unlink  [sealime]
bf001814 t sealime_path_mkdir   [sealime]
bf00174c t sealime_path_rmdir   [sealime]
bf0014f0 t sealime_path_mknod   [sealime]
bf001440 t sealime_path_truncate        [sealime]
bf001310 t sealime_path_symlink [sealime]
bf001104 t sealime_path_link    [sealime]
bf001074 t sealime_path_rename  [sealime]
bf000fb8 t sealime_path_chroot  [sealime]
bf000790 t sealime_init_module  [sealime]
bf002260 t sealime_wifi_associate       [sealime]
bf000010 t sealime_file_permission      [sealime]
bf001ba8 t sealime_dentry_open  [sealime]
bf000608 t sealime_task_create  [sealime]
bf000560 t sealime_socket_connect       [sealime]
bf000444 t sealime_socket_accept        [sealime]
bf0000d4 t sealime_procfs_open  [sealime]
bf000140 t sealime_procfs_release       [sealime]
bf000160 t sealime_procfs_priv_open     [sealime]
bf000170 t sealime_procfs_priv_release  [sealime]
bf004814 t extra_ptrace_access_check    [sealime]
bf004824 t extra_ptrace_traceme [sealime]
bf004884 t extra_bprm_secureexec        [sealime]
bf004834 t extra_sb_mount       [sealime]
bf004844 t extra_sb_umount      [sealime]
bf004854 t extra_sb_pivotroot   [sealime]
bf0048a4 t extra_path_unlink    [sealime]
bf004904 t extra_path_mkdir     [sealime]
bf004894 t extra_path_mknod     [sealime]
bf004944 t extra_path_truncate  [sealime]
bf0048b4 t extra_path_rename    [sealime]
bf004864 t extra_path_chroot    [sealime]
bf0048d4 t extra_init_module    [sealime]
bf004954 t extra_wifi_associate [sealime]
bf004874 t extra_file_permission        [sealime]
bf004914 t extra_file_ioctl     [sealime]
bf0048f4 t extra_dentry_open    [sealime]
bf0048c4 t extra_task_create    [sealime]
bf0048e4 t extra_task_prctl     [sealime]
bf004924 t extra_socket_connect [sealime]
bf004934 t extra_socket_accept  [sealime]
bf004704 t parse_cmdline        [sealime]
bf003b9c t set_protect_file     [sealime]
bf003b4c t set_protect_nand     [sealime]
bf000180 t cleanup_module       [sealime]
bf0001dc t safe_kfree   [sealime]
bf002a48 t sealime_procfs_ioctl [sealime]
bf002d04 t set_loglevel_from_file       [sealime]
bf003210 t my_printk_when_verbose       [sealime]
bf003794 t init_module  [sealime]
bf00018c t basename     [sealime]
bf003be0 t concat_path  [sealime]
bf000180 t sealime_cleanup      [sealime]
bf00462c t read_odm_prod_mode   [sealime]
bf00325c t my_printk_when_error [sealime]
bf002d9c t sealime_file_ioctl   [sealime]
bf003294 t my_printk    [sealime]
bf000820 t determ_ptrace        [sealime]
bf000cb4 t set_zygote_state_allthread   [sealime]
bf003c48 t init_variables       [sealime]
bf00403c t sealime_task_prctl   [sealime]
bf001afc t is_android_system_program    [sealime]
[email protected]:/ #


----------




## Drahflow (Jan 6, 2022)

bf000180 t cleanup_module [sealime]

That's different from my kernel layout, so we'd need to build a different glomus.ko patch.

If you are willing to spend a few more hours on this; I'd need the output of
[email protected]:/ # cat /proc/kallsyms | grep register_sealime
[email protected]:/ # cat /proc/kallsyms | grep print_hex_dump

and a copy of your /system/lib/modules/gps_drv.ko

Then I can patch that into a glomus.ko with instructions to dump (via print_hex_dump) the instructions of register_sealime (which you'll need to pull via adb logcat) and then with that info I can prepare a second version of glomus.ko to disable sealime on your device. It'll take a bit of back-and-forth I think, but OTOH you don't need to do any patching on windows.


----------



## PM128 (Jan 6, 2022)

Was not so easy since that shell doesn't have grep. I had to max the term buffer to 9999 then copy the output (was still truncated) and search in it:
c0857494 r __kstrtab_register_sealime
c08595b2 r __kstrtab_print_hex_dump_bytes
c08595c7 r __kstrtab_print_hex_dump


----------



## Drahflow (Jan 6, 2022)

Unfortunately, those you found are the addresses in the string table which contains the symbol names, i.e. not useful for this.

Does
cat /proc/kallsyms > /data/local/tmp/kallsyms.txt
give you the full list?


----------



## PM128 (Jan 6, 2022)

Here you go. 
Hmm I don't know why the addresses are all 0s now. I had the tabby off for a while and now it doesn't boot (stuck in the sparkling stars). I don't even get the temp root # after ./su.


----------
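An added example, not from any poster: a small Python parser for `/proc/kallsyms` text that separates code symbols from `__kstrtab_` export-table entries (the mix-up discussed above) and flags a listing whose addresses are all zero, which is what the kernel's `kptr_restrict` hardening shows to a reader without the needed privilege. The first sample reuses lines posted in this thread; the zeroed sample is constructed, and the function names are hypothetical.

```python
from collections import namedtuple

Symbol = namedtuple("Symbol", "addr type name module")

# Prefixes the kernel uses for export-table bookkeeping, not for the code itself.
EXPORT_PREFIXES = ("__kstrtab_", "__ksymtab_", "__kcrctab_", "__crc_")

# Lines as posted in this thread.
KALLSYMS_SAMPLE = """\
c0857494 r __kstrtab_register_sealime
c08595c7 r __kstrtab_print_hex_dump
c02145c4 t register_sealime
c0252878 T print_hex_dump
c02529a0 T print_hex_dump_bytes
bf000180 t cleanup_module       [sealime]
bf002320 t sealime_sb_mount     [sealime]
"""

# Constructed sample: what a restricted reader sees.
MASKED_SAMPLE = """\
00000000 t register_sealime
00000000 T print_hex_dump
"""


def parse_kallsyms(text):
    """Parse 'address type name [module]' lines, skipping anything else."""
    symbols = []
    for line in text.splitlines():
        fields = line.split()
        if len(fields) < 3:
            continue
        try:
            addr = int(fields[0], 16)
        except ValueError:
            continue  # e.g. a "..." placeholder in a pasted excerpt
        module = fields[3].strip("[]") if len(fields) > 3 else None
        symbols.append(Symbol(addr, fields[1], fields[2], module))
    return symbols


def addresses_masked(symbols):
    """True when every address is zero, i.e. the kernel hid the pointers."""
    return bool(symbols) and all(s.addr == 0 for s in symbols)


def kind(sym):
    """Say what a kallsyms entry actually points at."""
    if sym.name.startswith(EXPORT_PREFIXES):
        return "export-table entry"
    if sym.type in ("t", "T"):      # t/T: symbol lives in a text (code) section
        return "code"
    return "data"


def grep_symbols(symbols, needle):
    """Substring search, like a manual search of the terminal buffer."""
    return [(s.name, kind(s)) for s in symbols if needle in s.name]


def lookup(symbols, name):
    """Exact-name lookup that only returns code symbols with usable addresses."""
    if addresses_masked(symbols):
        raise ValueError("addresses are masked (kptr_restrict); listing is not usable")
    for s in symbols:
        if s.name == name and kind(s) == "code":
            return s
    return None


if __name__ == "__main__":
    syms = parse_kallsyms(KALLSYMS_SAMPLE)
    for name, what in grep_symbols(syms, "register_sealime"):
        print("%-32s %s" % (name, what))
    print(hex(lookup(syms, "register_sealime").addr))
    print("masked:", addresses_masked(parse_kallsyms(MASKED_SAMPLE)))
```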



## PM128 (Jan 7, 2022)

Since I luckily still have access to the shell while the tabby is stuck on the booting I managed to let the dirtycow chow the system again and got the temp root again. With it I was able to get the complete dump of the kallsyms (had to chown it back to shell since adb pull couldn't get it otherwise). Would it be useful for you now?

c02145c4 t register_sealime
c0252878 T print_hex_dump
c02529a0 T print_hex_dump_bytes

Complete dump is attached.


----------



## Drahflow (Jan 7, 2022)

Thanks, this is useful. I should find some time over the weekend to build a dumping glomus.ko for your device.


----------



## Drahflow (Jan 9, 2022)

Please find attached a slightly "improved" version of your gps_drv.ko, which you can use like so:

1. Get temp root
2. Replace (in memory only) the original gps_drv.ko with the new one via dirtycow:
[email protected]:/data/local/tmp # ./dirtycow dump_memory.ko /system/lib/modules/gps_drv.ko
3. Load the new gps_drv.ko
[email protected]:/data/local/tmp # insmod /system/lib/modules/gps_drv.ko
It should say:
insmod: init_module '/system/lib/modules/gps_drv.ko' failed (Identifier removed)

4. Dump the kernel error log and search for the code-dump via glomus (should be near the end)
[email protected]:/data/local/tmp # dmesg

It should look like a bunch of lines like this one:
<3>[ 2669.888648] glomusc02096d0: 00 41 3f e2 00 40 bd e8 20 3a 3a e1 dd aa 27 e3  [email protected]@..(=...0L.

Please copy them into a .txt and upload. Those are (the hex representation of) the init_sealime instructions. I should be able to use those as a template for where to reset whatever init_sealime did (most likely by just clearing two pointers at the right address).


----------



## PM128 (Jan 10, 2022)

First of all thanks so much for your time and dedication to help me. 
I pushed the dump_memory.ko into that /data/local/tmp folder (as shell of course, was wondering if I should have chown it to root before letting the dirtycow chew it). Got the temp root and issued the command ad 2.) ... didn't get the desired # prompt back even waited for like 20 minutes (got stuck on something):
[email protected]:/ # ./dirtycow dump_memory.ko /system/lib/modules/gps_drv.ko
/system/bin/sh: ./dirtycow: not found
127|[email protected]:/ # cd /data/local/tmp
o /system/lib/modules/gps_drv.ko                                              <
dcow dump_memory.ko /system/lib/modules/gps_drv.ko
[*] size 152743
[*] mmap 0x40192000
[*] currently 0x40192000=464c457f
[*] using ptrace method
[*] madvise = 0x40192000 152743
[*] ptrace 0 5
[*] exploited 14500 0x40192000=464c457f
[email protected]:/data/local/tmp # [*] madvise = 0 16777216
[*] exploited 0 0x40192000=464c457f
                                                                <--- here it stopped and no further progress
[email protected]:/data/local/tmp #                    <--- after pressing Enter

So instead of proceeding to the step 3.) here is the dmesg output so far no glomus there. Please note that the tablet is stuck in the boot process somewhere.


----------



## Drahflow (Jan 10, 2022)

I'm not exactly sure what's going on in your terminal (I think it didn't like to display one of the longer commands and the display / copy-paste got jumbled somewhat after that). But otherwise everything seems fine. Maybe it'll be better if you use a wider terminal, but no idea.
Anyway... Please redo step 2 (as soon as enter gets you a new prompt it's done; no need to wait 20 minutes) and then proceed to step 3 and 4. That the tablet is stuck somewhere in UI startup shouldn't matter.


----------



## PM128 (Jan 10, 2022)

My Win terminal/cmd has 132 chars width, it must be some limitation either by adb or the shell of the device but this doesn't really matter since the command is always taken.
I tried to redo the step 2.) after I got the prompt by clicking enter several times, see the attached log of my attempts. So then the step 2.) seemed to get through giving me prompt but then by step 3.) the whole tablet froze hard. I had to kill the terminal and make hard reset of the tablet since the sparkling stars froze too. Tried to make the whole procedure after the half boot again... total freeze by step 3.) 
I am afraid if I would try to do a factory reset of the tablet in recovery mode I might lose the settings for USB debugging (the adb gateway into the device) and the tablet would become a completely inaccessible dead brick.
Do you still have energy to continue? Doesn't have to be today...


----------



## Drahflow (Jan 10, 2022)

Sorry, I fear I confused the versions of the .ko file between my device and the new development for yours. Could you kindly retry step 3 with the attached .ko?

And indeed, DO NOT factory reset. There is nothing to be gained and potentially the adb access to be lost.


----------



## PM128 (Jan 11, 2022)

Heureka!  I finally got the desired message about 'Identifier removed'. So here are the kernel messages attached. There are 16 lines with glomus in them.


----------



## Drahflow (Jan 11, 2022)

Perfect! Based on this, I prepared a glomus.ko for your (and I sure hope all) at300se.

It should work like this:
1. Get temp root
2. Replace (in memory only) gps_drv.ko with glomus.ko
[email protected]:/data/local/tmp # ./dirtycow glomus.ko /system/lib/modules/gps_drv.ko
3. Load replaced driver
[email protected]:/data/local/tmp # insmod /system/lib/modules/gps_drv.ko
Should again complain about "Identifier removed."
4. Try to mount /system read-write
[email protected]:/data/local/tmp # mount -o remount,rw /system
5. Enjoy your new power to modify the system image any way you like. (No replacing the kernel though, as I said initially.)


----------



## PM128 (Jan 11, 2022)

Thank you for the glomus.ko. But it seems today still no victory. System freezes again at step 4.):

stem/lib/modules/gps_drv.ko                                                   <
dcow glomus.ko /system/lib/modules/gps_drv.ko
[*] size 152743
[*] mmap 0x4013a000
[*] currently 0x4013a000=464c457f
[*] using ptrace method
[*] madvise = 0x4013a000 152743
[*] ptrace 0 4
[*] exploited 537 0x4013a000=464c457f
[email protected]:/data/local/tmp #
[email protected]:/data/local/tmp #
[email protected]:/data/local/tmp # [*] madvise = 0 16777216                <--- wonder what output of some running process this is
[*] exploited 0 0x4013a000=464c457f

[email protected]:/data/local/tmp #
[email protected]:/data/local/tmp #
[email protected]:/data/local/tmp # insmod /system/lib/modules/gps_drv.ko
insmod: init_module '/system/lib/modules/gps_drv.ko' failed (Identifier removed)
255|[email protected]:/data/local/tmp #
255|[email protected]:/data/local/tmp #
255|[email protected]:/data/local/tmp # mount -o remount,rw /system
[email protected]:/data/local/tmp #                                    <--- system freezes no prompt back no Enter


----------



## Drahflow (Jan 11, 2022)

Now that is sad.  It *could* be something entirely else is wrong with your tablet (e.g. it dies upon remounting the filesystem due to corruption or problems with the flash chip), but how likely is that?

Can you do other sealime-restricted operations, e.g.
[email protected]:/data/local/tmp # cp /modules/sealime.ko /data/local/tmp/

Test before and after loading glomus.ko. Without it loaded, it should give you a permission denied error, with glomus.ko loaded, it should work (and not freeze the tablet). If it still freezes, something has changed in how sealime can be unregistered between the at300se and the excite pro.

Even in that case, don't declare the tablet useless yet, someone posted a cheap at300se on ebay a few days ago so I can test locally.


----------



## PM128 (Jan 12, 2022)

It didn't freeze the tablet but both ways, before and after, it's the same: Operation not permitted. The 'cp' command is not recognized by the shell so I tried to use 'dd' instead, see attached log. My knowledge of Linux is very limited.
If you would find a solution so that I could at least have it bootable again I would be so thankful. I understand it might take a longer time but I guess I am not the only one who has successfully bricked the AT300SE device so it would help the community as well.


----------



## Drahflow (Jan 12, 2022)

You forgot to
[email protected]:/data/local/tmp # insmod /system/lib/modules/gps_drv.ko
after the dirtycow in your last test.


----------



## PM128 (Jan 13, 2022)

You are right when I look back on that txt file that I created from some cut-off parts of the terminal window. But it may also be that Dr. Alzheimer suddenly called me, interrupting my work, as he usually starts bugging me already at my age.
Anyway I tried again today (hopefully all the steps), it didn't freeze but 'Operation not permitted'.
I am still wondering if the dirtycow chews the system successfully. Why are some messages still always coming within like 10~15 secs when it gave the # prompt already? At that moment the prompt disappears until I press Enter again. Strange what it is doing. Like if the sealime would still win the race over the dirty cow...


----------



## Drahflow (Jan 27, 2022)

I read your last procedure log. Did you dcow the dump_memory.ko, maybe? You need to dcow the glomus.ko (and only that).

I.e.

1. Get temp root
2. dcow glomus.ko /system/lib/modules/gps_drv.ko
3. insmod /system/lib/modules/gps_drv.ko
4. Try some restricted operation: E.g. dd if=/modules/sealime.ko of=/data/local/tmp/sealime.ko

(Wouldn't hurt to have an adb logcat running in parallel to some other window, maybe we can still see some errors if it freezes again.)


----------



## PM128 (Jan 29, 2022)

Hi Drahflow, thank you for your persistence, I thought you gave up on it. I dcow'd indeed the dump_memory.ko, which came as instruction in your Post#127. So now I tried to dcow the glomus.ko and managed to get the sealime.ko module (see attached). The adb logcat runs constantly in the second terminal, so I just copied some excerpts from it since it overwrites the buffer and runs and runs, mostly with Fatal error 11.


----------




## Drahflow (Jan 30, 2022)

You being able to copy sealime.ko means that glomus.ko was able to disable sealime protections. Not having the same device in hand (still) it's hard to say for sure, but I'd assume that you now have full root; still temporary but unrestricted in what it can do.

This implies your remount of /system killed the kernel for a different reason (I understand your device is also not booting normally anyway, probably same reason...).

Regarding the SEGV spamming in logcat: It's because the instructions apparently omitted creating backups of netd and debuggerd (dcow'ed for the temp-root). But since dcow is in-memory, it shouldn't be hard to fix:
1. Reboot device (this is important, otherwise you'll "backup" the already changed files)
2. cp /system/bin/debuggerd /data/local/tmp/debuggerd.orig
3. cp /system/bin/netd /data/local/tmp/netd.orig
4. Enable temp-root and check if the log-spam is now gone.


----------



## PM128 (Jan 31, 2022)

When I shut down my laptop I always shut down the tablet as well. I had to use dd instead of cp since the shell doesn't have it. The logcat seems to still spam however it doesn't run so crazy fast any more. I managed to capture the complete logcat so you can have a look. Maybe it's still missing some more files (java.io?)


----------



## Drahflow (Jan 31, 2022)

The logcat looks as if debuggerd is already broken before you're executing the exploit. It *could* be that the kernel wrote it back at some point. In that case we'd need someone with a *working* AT300SE to send you a clean /system/bin/debuggerd and /system/bin/netd to use as the .orig files.


----------



## PM128 (Mar 31, 2022)

Hi Drahflow it's been a while. I wonder if you got the tablet that you were to buy cheap from eBay? Mine is still screwed up after I tried to follow the procedure.


----------



## Drahflow (Mar 31, 2022)

Unfortunately not. If anything comes up, I'll extract the files and post.


----------



## PM128 (Apr 6, 2022)

From your post #135 on the previous page I believed you were going to buy that cheap tablet and test it locally. Well, lesson learned and my tablet is screwed. Could you at least tell me what you meant by '.orig' files? Could I simply replace the original files in the original system directory using the temporary root, leaving the extensions as e.g. .ko, or must the files be copied somewhere else and named ....orig? I tried to google and found on GitHub someone posted the kernel source for AT300SE but I assume it is source code and cannot be used for a simple copy of system files, right?


----------



## Drahflow (Apr 6, 2022)

> Could you at least tell me what you meant by '.orig' files?

Those would be the original (i.e. stock) versions of /system/bin/debuggerd and /system/bin/netd

The exploit works by replacing those (in RAM only, or that's what I thought) with some shell scripts giving you the temp-root. But apparently the broken versions were written back into your storage at some point. The temp-root scripts have commands to copy backup versions of those files back into the system RAM from /data/local/tmp/ - but for that it needs originals named debuggerd.orig and netd.orig.


----------



## Drahflow (Jul 8, 2022)

Got an AT300SE. The two original firmware (netd + debuggerd) files are attached and need to be put to /data/local/tmp to get them auto-restored after temp-root exploit has been run.

I'm not entirely sure what you'd need to do to get them written back to the durable storage. IIRC your tablet crashed the last time you tried to mount /system officially read/write. It might be enough to have the files in /data/local/tmp, run the temp-root (which should then patch the system ones with the originals in RAM) and reboot (via reboot CLI command, not hard-reset) to get the kernel to sync the dirty pages back to the fs.

Maybe a first good step is to copy the files, run temp-root and check if the log spam is gone.


----------

