feat: Add unbrick-cannot-load-android-system
This commit is contained in:
parent
897b582ac7
commit
13d265674e
90
content/posts/unbrick-cannot-load-android-system.md
Normal file
90
content/posts/unbrick-cannot-load-android-system.md
Normal file
|
@ -0,0 +1,90 @@
|
||||||
|
---
|
||||||
|
title: "Unbrick \"Cannot load Android system\""
|
||||||
|
date: 2022-05-10T09:52:39+02:00
|
||||||
|
draft: false
|
||||||
|
---
|
||||||
|
|
||||||
|
Disclaimer: I have no idea on which phones it works,
|
||||||
|
it might actually brick your phone even more, etc.
|
||||||
|
If in doubt, don't listen to me.
|
||||||
|
|
||||||
|
Short answer:
|
||||||
|
- enter fastboot (depends on your phone)
|
||||||
|
- create an 8KB empty file - `truncate -s 8K file`
|
||||||
|
- flash it to `para`/`boot_para`/sometimes `misc` - `fastboot flash para file`
|
||||||
|
- reboot
|
||||||
|
|
||||||
|
Long answer - a short tale about living with a broken phone:
|
||||||
|
|
||||||
|
Honestly, this might not even apply to you. There's the "Try again" option.
|
||||||
|
But, you see, I have a broken power button and couldn't select it...
|
||||||
|
I've been doing some software patches to my phone to mitigate this hardware issue,
|
||||||
|
most notably making [a few patches][1] to my phone's bootloader, incl.
|
||||||
|
one that makes it boot on plugged USB cable, because sadly on this phone it's
|
||||||
|
not a togglable option, like others have. (`fastboot oem off-mode-charge 0`)
|
||||||
|
|
||||||
|
Unfortunately, the patches did not help this time. I was presented with
|
||||||
|
two options and no way to pick either of them. Tried disconnecting my battery
|
||||||
|
and connecting it back, to no avail - bootloader just skipped straight to recovery,
|
||||||
|
completely ignoring the volume buttons. Making matters even worse, the recovery
|
||||||
|
didn't handle USB in any way - no fastbootd, no adb, no anything. Just the screen
|
||||||
|
of doom and my phone lying to my face with the ominous "Cannot load Android system".
|
||||||
|
|
||||||
|
After trying all the simple solutions, I realized my only hope was to
|
||||||
|
patch the bootloader again (lol) and make it boot regular boot.img.
|
||||||
|
To make stuff a bit easier, I focused first on getting working fastboot;
|
||||||
|
from there I can just override the bootloader again and reboot without
|
||||||
|
having to use the dreaded Smart Phone Flash Tool, just `fastboot flash lk lk.img`.
|
||||||
|
|
||||||
|
So... I opened Ghidra alongside MediaTek's Little Kernel-based bootloader code,
|
||||||
|
generously leak^Wopen-sourced by Umidigi with the Linux sources and other stuff.
|
||||||
|
At first I tried to find stuff related to the actual issue itself - `wipe`, `erase`,
|
||||||
|
anything like that, but couldn't find anything meaningful. Ended up spending multiple
|
||||||
|
hours trying to map the C code onto functions Ghidra was showing me, expecially that
|
||||||
|
some of them were so highly optimized, that the decompiler was completely lost.
|
||||||
|
Fortunately, it yielded some nice results - at the end of `mt_boot_init` there was
|
||||||
|
a following snippet:
|
||||||
|
```c
|
||||||
|
/* Will not return */
|
||||||
|
boot_linux_from_storage();
|
||||||
|
|
||||||
|
fastboot:
|
||||||
|
target_fastboot_init();
|
||||||
|
```
|
||||||
|
|
||||||
|
This meant that if I'm lucky, I can get to fastboot with just one simple patch,
|
||||||
|
replacing the branch instruction to `boot_linux_from_storage` with a NOP or two.
|
||||||
|
And lucky I was, because a while later I had [the patch][2] ready and it worked!
|
||||||
|
Less fortunately, removing that call meant that it couldn't boot *any* Linux,
|
||||||
|
and the Android recovery is one too. My workaround turned out to be another laptop
|
||||||
|
with SPFT that reflashed only the `lk` partition - seems a bit pointless, but
|
||||||
|
it allowed me for faster prototyping, because I could do most of the stuff from
|
||||||
|
my Linux workstation and only use Windows for clicking one button.
|
||||||
|
|
||||||
|
What followed was a lot of trial and error with changing various things,
|
||||||
|
including trying to repack the recovery - turns out [magiskboot][3] can be ran
|
||||||
|
on a regular Linux machine and is _really_ good at its job; you can just unpack
|
||||||
|
the Magisk .apk file and run `lib/x86_64/libmagiskboot.so`.
|
||||||
|
Sadly, I didn't get much further with that, so I gave up on experimentation
|
||||||
|
and opened [Android Code Search][4] in hopes of finding something useful.
|
||||||
|
|
||||||
|
From perspective, I wish I did that sooner, because only after a few minutes
|
||||||
|
of looking around the code, I found [bootloader_message.cpp][5] which revealed
|
||||||
|
that the bootloader uses the `misc` partition to communicate with recovery.
|
||||||
|
The partition wasn't there on my phone, but now that I knew where to look,
|
||||||
|
I opened the recovery executable from my phone in Ghidra and found out that MTK
|
||||||
|
uses the name `para` instead, for some reason. With all that, I ensured that
|
||||||
|
making the partition empty [wouldn't break anything][6] and just flashed it.
|
||||||
|
|
||||||
|
With all that, after a few days of messing around, I finally booted my phone
|
||||||
|
(and promptly dropped it in the bathtub the same day, causing it to bootloop
|
||||||
|
again before I managed to backup any data from it :) )
|
||||||
|
Fortunately, it managed to survive and serves me as a backup phone to this day.
|
||||||
|
|
||||||
|
|
||||||
|
[1]: https://github.com/ptrcnull/umidigi-f2-patches
|
||||||
|
[2]: https://github.com/ptrcnull/umidigi-f2-patches/blob/master/force_fastboot.patch
|
||||||
|
[3]: https://topjohnwu.github.io/Magisk/tools.html
|
||||||
|
[4]: https://cs.android.com/
|
||||||
|
[5]: https://cs.android.com/android/platform/superproject/+/master:bootable/recovery/bootloader_message/bootloader_message.cpp
|
||||||
|
[6]: https://cs.android.com/android/platform/superproject/+/master:bootable/recovery/bootloader_message/bootloader_message.cpp;l=142
|
Loading…
Reference in a new issue