Monday, 3 June 2013

Root Huawei X3 8150 Without Windows or a Working Touchscreen

I got some of this from here

Some phone modes

Enter FASTBOOT Mode

Disconnect USB.
Power-off phone.
RED+VOL-DN+POWER - hold for about 5 seconds. Phone will vibrate and show a white screen with IDEOS displayed.
Connect USB.

Enter RECOVERY Mode

Disconnect USB.
Power-off phone.
GREEN+VOL-UP+POWER - hold for about 5 seconds. Phone will vibrate, show a white screen with IDEOS displayed and then show Recovery menu.
Connect USB.

Enter DOWNLOAD mode

Disconnect USB.
Power-off phone.
RED+GREEN+POWER - hold for a few seconds until screen turns pink/magenta.
Connect USB.
(This does not work for me under Linux)

Replace Stock Recovery with ClockWork Recovery

Install Android SDK
From ubuntu this is very easy now:
apt-get install android-tools-adb
apt-get install android-tools-fastboot
Open root terminal or open terminal and sudo su.

Check that all is well, that USB connection is working and that ADB is correctly installed

Enter RECOVERY mode
Phone should boot into 'Android system recovery'

# adb devices
List of devices attached 
308730C82377 recovery

Enter FASTBOOT mode

# fastboot erase recovery
erasing 'recovery'...
OKAY [  0.033s]
finished. total time: 0.033s

Get ClockWorkMod Recovery
All available Recovery's are here: http://clockworkmod.com/rommanager

Get ClockWork Recovery fro IDEOS
I used http://download2.clockworkmod.com/recoveries/recovery-clockwork-3.0.2.4-ideos.img

# fastboot flash recovery /home/phil/Downloads/recovery-clockwork-3.0.2.4-ideos.img 
sending 'recovery' (3796 KB)...
OKAY [  0.255s]
writing 'recovery'...
OKAY [  0.806s]
finished. total time: 1.061s

Reboot
# fastboot reboot
Phone should reboot.

Get Root
Get files from http://forum.xda-developers.com/attachment.php?attachmentid=416413&d=1286678225

# adb push ../../rootme/rageagainstthecage-arm5.bin  /data/local/tmp
127 KB/s (5392 bytes in 0.041s)

# adb ls /data/local/tmp
000041fd 00000000 51208853 .
000041fd 00000000 51208845 ..
000081b6 00001510 4c77ab24 rageagainstthecage-arm5.bin

# adb shell
~ # cd /data/local/tmp
/data/local/tmp # chmod 0755 rageagainstthecage-arm5.bin 
/data/local/tmp # ./rageagainstthecage-arm5.bin 
/sbin/sh: ./rageagainstthecage-arm5.bin: not found

I give up. I'll exit shell and try again.

/data/local/tmp # exit

# adb shell
~ # whoami
root

Hmm. It seem I was already root! I suspect that SuperuserOneClick that I experimented with - but did not log - using mono under linux may have worked - although I had no indication that it did.

I'll carry on.

Next I remount mdtblock4 to be able to write to it.

~ # mount -o rw,remount /dev/block/mdtblock4 /system
mount: mounting /dev/block/mdtblock4 on /system failed: Invalid argument

But it seems it is not mounted.

~ # mount          
rootfs on / type rootfs (rw)
tmpfs on /dev type tmpfs (rw,relatime,mode=755)
devpts on /dev/pts type devpts (rw,relatime,mode=600)
proc on /proc type proc (rw,relatime)
sysfs on /sys type sysfs (rw,relatime)
/dev/block/mtdblock5 on /cache type yaffs2 (rw,nodev,noatime,nodiratime)

~ # df
Filesystem           1K-blocks      Used Available Use% Mounted on
tmpfs                    91624        32     91592   0% /dev
/dev/block/mtdblock5     95232      1688     93544   2% /cache

In my case, mtdblock4 is not mounted so I mounted it.

~ # mount /dev/block/mtdblock4 /system

~ # ls /system/
app         etc         lib         tts         xbin
bin         fonts       lost+found  usr
build.prop  framework   media       wifi

Now I realise that I made a typo: I entered mdtblock4 instead of mtdblock4.

~ # mount -o rw,remount /dev/block/mtdblock4 /system 
~ # df
Filesystem           1K-blocks      Used Available Use% Mounted on
tmpfs                    91624        32     91592   0% /dev
/dev/block/mtdblock5     95232      1688     93544   2% /cache
/dev/block/mtdblock4    174080    131780     42300  76% /system

Ok. mtdblock4 is now writeable.

Copy su, busybox, sqlite3, Superuser.apk to device.

# adb push rootme/su  /system/bin/su
837 KB/s (26264 bytes in 0.030s)

# adb push SuperOneClickv2.3.3-ShortFuse\ \(1\)/Dependencies/busybox  /system/bin/busybox
1978 KB/s (1075144 bytes in 0.530s)

# adb push SuperOneClickv2.3.3-ShortFuse\ \(1\)/Dependencies/sqlite3  /system/bin/sqlite3
333 KB/s (24120 bytes in 0.070s)

# adb push SuperOneClickv2.3.3-ShortFuse\ \(1\)/Root/  /system/bin/sqlite3
Superuser.apk  su-v1          su-v2          

# adb push SuperOneClickv2.3.3-ShortFuse\ \(1\)/Root/Superuser.apk  /system/app/Superuser.apk
2095 KB/s (843503 bytes in 0.393s)

Now to change permissions.

# adb shell
~ # cd /system/bin
/system/bin # chmod 4755 su
/system/bin # chmod 4755 busybox 
/system/bin # chmod 4755 sqlite3 

/system/bin # cat /proc/cpu
/proc/cpu/     /proc/cpuinfo

What CPU do we have?

/system/bin # cat /proc/cpuinfo 
Processor : ARMv6-compatible processor rev 2 (v6l)
BogoMIPS : 594.73
Features : swp half thumb fastmult edsp java 
CPU implementer : 0x41
CPU architecture: 6TEJ
CPU variant : 0x1
CPU part : 0xb36
CPU revision : 2

Hardware : HUAWEI U8150 BOARD 
Revision : 0000
Serial : 0000000000000000

Mount /data using ClockWorkMod Recovery
(could have done this using adb)

/system/bin # df
Filesystem           1K-blocks      Used Available Use% Mounted on
tmpfs                    91624        32     91592   0% /dev
/dev/block/mtdblock5     95232      1688     93544   2% /cache
/dev/block/mtdblock4    174080    133716     40364  77% /system
/dev/block/mtdblock6    170624     12340    158284   7% /data

/data is mounted and this seems to be where settings are stored.
 Open settings using sqlite3

/system/bin # ./sqlite3 /data/data/com.android.providers.settings/databases/settings.db 
SQLite version 3.6.22
Enter ".help" for instructions
sqlite>
sqlite> .dump
BEGIN TRANSACTION;
CREATE TABLE android_metadata (locale TEXT);
INSERT INTO "android_metadata" VALUES('en_AU');
CREATE TABLE system (_id INTEGER PRIMARY KEY AUTOINCREMENT,name TEXT UNIQUE ON CONFLICT REPLACE,value TEXT);
INSERT INTO "system" VALUES(4,'volume_voice','4');
INSERT INTO "system" VALUES(5,'volume_alarm','6');
INSERT INTO "system" VALUES(6,'volume_notification','5');
INSERT INTO "system" VALUES(7,'volume_bluetooth_sco','7');
INSERT INTO "system" VALUES(9,'vibrate_on','6');
INSERT INTO "system" VALUES(10,'mode_ringer_streams_affected','166');
INSERT INTO "system" VALUES(11,'mute_streams_affected','46');
INSERT INTO "system" VALUES(12,'dim_screen','1');
INSERT INTO "system" VALUES(13,'stay_on_while_plugged_in','0');
INSERT INTO "system" VALUES(14,'screen_off_timeout','60000');
INSERT INTO "system" VALUES(15,'emergency_tone','0');
INSERT INTO "system" VALUES(16,'call_auto_retry','0');
INSERT INTO "system" VALUES(17,'dtmf_tone_type','0');
INSERT INTO "system" VALUES(18,'hearing_aid','0');
INSERT INTO "system" VALUES(19,'tty_mode','0');
INSERT INTO "system" VALUES(20,'airplane_mode_on','0');
INSERT INTO "system" VALUES(21,'airplane_mode_radios','cell,bluetooth,wifi');
INSERT INTO "system" VALUES(22,'airplane_mode_toggleable_radios','wifi');
INSERT INTO "system" VALUES(23,'auto_time','1');
INSERT INTO "system" VALUES(24,'screen_brightness','77');
INSERT INTO "system" VALUES(25,'screen_brightness_mode','0');
INSERT INTO "system" VALUES(26,'window_animation_scale','0.0');
INSERT INTO "system" VALUES(27,'transition_animation_scale','0.0');
INSERT INTO "system" VALUES(28,'accelerometer_rotation','1');
INSERT INTO "system" VALUES(29,'haptic_feedback_enabled','1');
INSERT INTO "system" VALUES(30,'end_button_behavior','1');
INSERT INTO "system" VALUES(31,'notification_light_pulse','1');
INSERT INTO "system" VALUES(32,'set_install_location','0');
INSERT INTO "system" VALUES(33,'default_install_location','0');
INSERT INTO "system" VALUES(34,'power_sounds_enabled','1');
INSERT INTO "system" VALUES(35,'low_battery_sound','/system/media/audio/ui/LowBattery.ogg');
INSERT INTO "system" VALUES(36,'dock_sounds_enabled','0');
INSERT INTO "system" VALUES(37,'desk_dock_sound','/system/media/audio/ui/Dock.ogg');
INSERT INTO "system" VALUES(38,'desk_undock_sound','/system/media/audio/ui/Undock.ogg');
INSERT INTO "system" VALUES(39,'car_dock_sound','/system/media/audio/ui/Dock.ogg');
INSERT INTO "system" VALUES(40,'car_undock_sound','/system/media/audio/ui/Undock.ogg');
INSERT INTO "system" VALUES(41,'lockscreen_sounds_enabled','0');
INSERT INTO "system" VALUES(42,'lock_sound','/system/media/audio/ui/Lock.ogg');
INSERT INTO "system" VALUES(43,'unlock_sound','/system/media/audio/ui/Unlock.ogg');
INSERT INTO "system" VALUES(44,'vibrate_in_silent','1');
INSERT INTO "system" VALUES(47,'alarm_alert','content://media/internal/audio/media/5');
INSERT INTO "system" VALUES(48,'notification_sound','content://media/internal/audio/media/28');
INSERT INTO "system" VALUES(49,'ringtone','content://media/internal/audio/media/55');
INSERT INTO "system" VALUES(57,'volume_system','0');
INSERT INTO "system" VALUES(58,'volume_system_last_audible','7');
INSERT INTO "system" VALUES(59,'volume_ring','0');
INSERT INTO "system" VALUES(60,'volume_ring_last_audible','1');
INSERT INTO "system" VALUES(61,'mode_ringer','1');
INSERT INTO "system" VALUES(62,'volume_music','10');
INSERT INTO "system" VALUES(63,'volume_music_last_audible','10');
INSERT INTO "system" VALUES(75,'next_alarm_formatted','');
DELETE FROM sqlite_sequence;
INSERT INTO "sqlite_sequence" VALUES('system',75);
INSERT INTO "sqlite_sequence" VALUES('secure',25);
INSERT INTO "sqlite_sequence" VALUES('systemex',1);
CREATE TABLE secure (_id INTEGER PRIMARY KEY AUTOINCREMENT,name TEXT UNIQUE ON CONFLICT REPLACE,value TEXT);
INSERT INTO "secure" VALUES(1,'bluetooth_on','0');
INSERT INTO "secure" VALUES(2,'data_roaming','0');
INSERT INTO "secure" VALUES(3,'default_input_method','com.android.inputmethod.latin/.LatinIME');
INSERT INTO "secure" VALUES(4,'enabled_input_methods','com.huawei.inputmethod.hwpal/.PinyinIME:com.android.inputmethod.latin/.LatinIME:com.android.inputmethod.pinyin/.PinyinIME:jp.co.omronsoft.openwnn/.OpenWnnJAJP');
INSERT INTO "secure" VALUES(5,'install_non_market_apps','0');
INSERT INTO "secure" VALUES(6,'location_providers_allowed','gps');
INSERT INTO "secure" VALUES(7,'assisted_gps_enabled','1');
INSERT INTO "secure" VALUES(8,'network_preference','1');
INSERT INTO "secure" VALUES(9,'usb_mass_storage_enabled','1');
INSERT INTO "secure" VALUES(10,'wifi_on','0');
INSERT INTO "secure" VALUES(11,'wifi_networks_available_notification_on','1');
INSERT INTO "secure" VALUES(12,'preferred_network_mode','0');
INSERT INTO "secure" VALUES(13,'cdma_cell_broadcast_sms','1');
INSERT INTO "secure" VALUES(14,'preferred_cdma_subscription','0');
INSERT INTO "secure" VALUES(15,'mock_location','0');
INSERT INTO "secure" VALUES(16,'backup_enabled','1');
INSERT INTO "secure" VALUES(17,'backup_transport','com.google.android.backup/.BackupTransportService');
INSERT INTO "secure" VALUES(18,'mount_play_not_snd','1');
INSERT INTO "secure" VALUES(19,'mount_ums_autostart','0');
INSERT INTO "secure" VALUES(20,'mount_ums_prompt','1');
INSERT INTO "secure" VALUES(21,'mount_ums_notify_enabled','1');
INSERT INTO "secure" VALUES(22,'android_id','9774d56d682e549c');
INSERT INTO "secure" VALUES(23,'adb_enabled','0');
INSERT INTO "secure" VALUES(24,'voice_recognition_service','com.google.android.voicesearch/.GoogleRecognitionService');
INSERT INTO "secure" VALUES(25,'throttle_reset_day','3');
CREATE TABLE bluetooth_devices (_id INTEGER PRIMARY KEY,name TEXT,addr TEXT,channel INTEGER,type INTEGER);
CREATE TABLE bookmarks (_id INTEGER PRIMARY KEY,title TEXT,folder TEXT,intent TEXT,shortcut INTEGER,ordering INTEGER);
INSERT INTO "bookmarks" VALUES(1,'Browser',NULL,'#Intent;action=android.intent.action.MAIN;category=android.intent.category.LAUNCHER;launchFlags=0x10000000;component=com.android.browser/.BrowserActivity;end',98,NULL);
INSERT INTO "bookmarks" VALUES(2,'Contacts',NULL,'#Intent;action=android.intent.action.MAIN;category=android.intent.category.LAUNCHER;launchFlags=0x10000000;component=com.android.contacts/.DialtactsContactsEntryActivity;end',99,NULL);
INSERT INTO "bookmarks" VALUES(3,'Email',NULL,'#Intent;action=android.intent.action.MAIN;category=android.intent.category.LAUNCHER;launchFlags=0x10000000;component=com.android.email/.activity.Welcome;end',101,NULL);
INSERT INTO "bookmarks" VALUES(4,'Gmail',NULL,'#Intent;action=android.intent.action.MAIN;category=android.intent.category.LAUNCHER;launchFlags=0x10000000;component=com.google.android.gm/.ConversationListActivityGmail;end',103,NULL);
INSERT INTO "bookmarks" VALUES(5,'Calendar',NULL,'#Intent;action=android.intent.action.MAIN;category=android.intent.category.LAUNCHER;launchFlags=0x10000000;component=com.android.calendar/.LaunchActivity;end',108,NULL);
INSERT INTO "bookmarks" VALUES(6,'Music',NULL,'#Intent;action=android.intent.action.MAIN;category=android.intent.category.LAUNCHER;launchFlags=0x10000000;component=com.android.music/.MusicBrowserActivity;end',112,NULL);
INSERT INTO "bookmarks" VALUES(7,'Messaging',NULL,'#Intent;action=android.intent.action.MAIN;category=android.intent.category.LAUNCHER;launchFlags=0x10000000;component=com.android.mms/.ui.ConversationList;end',115,NULL);
CREATE TABLE systemex (_id INTEGER PRIMARY KEY AUTOINCREMENT,name TEXT UNIQUE ON CONFLICT REPLACE,value TEXT);
INSERT INTO "systemex" VALUES(1,'white_languages','en_PK,en_AU,en_US,es_ES');
CREATE INDEX systemIndex1 ON system (name);
CREATE INDEX secureIndex1 ON secure (name);
CREATE INDEX bookmarksIndex1 ON bookmarks (folder);
CREATE INDEX bookmarksIndex2 ON bookmarks (shortcut);
CREATE INDEX systemexIndex1 ON systemex (name);
COMMIT;

I wonder what INSERT INTO "secure" VALUES(23,'adb_enabled','0'); is?

I think I want to try this to turn USB Debugging on (based on http://stackoverflow.com/questions/10282484/android-adb-turn-on-wifi-via-adb)

update secure set value=1 where name='adb_enabled';


So here goes...

/system/bin # ./sqlite3 /data/data/com.android.providers.settings/databases/sett
ings.db

sqlite> select * from secure;
1|bluetooth_on|0
2|data_roaming|0
3|default_input_method|com.android.inputmethod.latin/.LatinIME
4|enabled_input_methods|com.huawei.inputmethod.hwpal/.PinyinIME:com.android.inputmethod.latin/.LatinIME:com.android.inputmethod.pinyin/.PinyinIME:jp.co.omronsoft.openwnn/.OpenWnnJAJP
5|install_non_market_apps|0
6|location_providers_allowed|gps
7|assisted_gps_enabled|1
8|network_preference|1
9|usb_mass_storage_enabled|1
10|wifi_on|0
11|wifi_networks_available_notification_on|1
12|preferred_network_mode|0
13|cdma_cell_broadcast_sms|1
14|preferred_cdma_subscription|0
15|mock_location|0
16|backup_enabled|1
17|backup_transport|com.google.android.backup/.BackupTransportService
18|mount_play_not_snd|1
19|mount_ums_autostart|0
20|mount_ums_prompt|1
21|mount_ums_notify_enabled|1
22|android_id|9774d56d682e549c
23|adb_enabled|1
24|voice_recognition_service|com.google.android.voicesearch/.GoogleRecognitionService
25|throttle_reset_day|3
sqlite> 

Reboot phone.

No good.

I then installed CyanogenMod 7 for Huewei IDEOS 8150.

It supports adb so I should have done this ages ago.

I wrote this bash script to begin phone setup without a touchscreen.

#!/bin/bash

adb_sendevent(){
    local -i _a=$1 _k=$2 _v=$3
    printf "$FUNCNAME: _a=%d  _k=%d  _v=%d\n" $_a $_k $_v
    adb shell sendevent "/dev/input/event2" $_a $_k $_v
}

adb_touch1(){
    local -i _a=$1 _x=$2 _y=$3 _w=$4
    #printf "$FUNCNAME: _a=%d  _x=%d  _y=%d  _w=%d\n" $_a $_x $_y $_w
    # send touch event x y
    adb_sendevent 3 0x39 $_a  # start event?
    adb_sendevent 3 0x35 $_x
    adb_sendevent 3 0x36 $_y
    adb_sendevent 3 0x30 $_w  # finger width?
    adb_sendevent 3 0x31 0  # x moved?
    adb_sendevent 3 0x34 0
    adb_sendevent 3 0x32 0  # y moved?
    adb_sendevent 0 0x02 0  # end event?
}

adb_touch(){
    local -i _x=$1 _y=$2 _w=$3
    #adb_sendevent 0 0 0
    adb_touch1 0 $_x $_y   $_w
    adb_touch1 1 0   0x15b 0
    adb_sendevent 0 0 0
}

adb_tap(){
    local -i _x=$1 _y=$2
    adb_touch $_x $_y 0x20
    # android icon selected
    adb_touch $_x $_y 0
}

#0 -->  "KEYCODE_UNKNOWN" 
#1 -->  "KEYCODE_MENU" 
#2 -->  "KEYCODE_SOFT_RIGHT" 
#3 -->  "KEYCODE_HOME" 
#4 -->  "KEYCODE_BACK" 
#5 -->  "KEYCODE_CALL" 
#6 -->  "KEYCODE_ENDCALL" 
#7 -->  "KEYCODE_0" 
#8 -->  "KEYCODE_1" 
#9 -->  "KEYCODE_2" 
#10 -->  "KEYCODE_3" 
#11 -->  "KEYCODE_4" 
#12 -->  "KEYCODE_5" 
#13 -->  "KEYCODE_6" 
#14 -->  "KEYCODE_7" 
#15 -->  "KEYCODE_8" 
#16 -->  "KEYCODE_9" 
#17 -->  "KEYCODE_STAR" 
#18 -->  "KEYCODE_POUND" 
#19 -->  "KEYCODE_DPAD_UP" 
#20 -->  "KEYCODE_DPAD_DOWN" 
#21 -->  "KEYCODE_DPAD_LEFT" 
#22 -->  "KEYCODE_DPAD_RIGHT" 
#23 -->  "KEYCODE_DPAD_CENTER" 
#24 -->  "KEYCODE_VOLUME_UP" 
#25 -->  "KEYCODE_VOLUME_DOWN" 
#26 -->  "KEYCODE_POWER" 
#27 -->  "KEYCODE_CAMERA" 
#28 -->  "KEYCODE_CLEAR" 
#29 -->  "KEYCODE_A" 
#30 -->  "KEYCODE_B" 
#31 -->  "KEYCODE_C" 
#32 -->  "KEYCODE_D" 
#33 -->  "KEYCODE_E" 
#34 -->  "KEYCODE_F" 
#35 -->  "KEYCODE_G" 
#36 -->  "KEYCODE_H" 
#37 -->  "KEYCODE_I" 
#38 -->  "KEYCODE_J" 
#39 -->  "KEYCODE_K" 
#40 -->  "KEYCODE_L" 
#41 -->  "KEYCODE_M" 
#42 -->  "KEYCODE_N" 
#43 -->  "KEYCODE_O" 
#44 -->  "KEYCODE_P" 
#45 -->  "KEYCODE_Q" 
#46 -->  "KEYCODE_R" 
#47 -->  "KEYCODE_S" 
#48 -->  "KEYCODE_T" 
#49 -->  "KEYCODE_U" 
#50 -->  "KEYCODE_V" 
#51 -->  "KEYCODE_W" 
#52 -->  "KEYCODE_X" 
#53 -->  "KEYCODE_Y" 
#54 -->  "KEYCODE_Z" 
#55 -->  "KEYCODE_COMMA" 
#56 -->  "KEYCODE_PERIOD" 
#57 -->  "KEYCODE_ALT_LEFT" 
#58 -->  "KEYCODE_ALT_RIGHT" 
#59 -->  "KEYCODE_SHIFT_LEFT" 
#60 -->  "KEYCODE_SHIFT_RIGHT" 
#61 -->  "KEYCODE_TAB" 
#62 -->  "KEYCODE_SPACE" 
#63 -->  "KEYCODE_SYM" 
#64 -->  "KEYCODE_EXPLORER" 
#65 -->  "KEYCODE_ENVELOPE" 
#66 -->  "KEYCODE_ENTER" 
#67 -->  "KEYCODE_DEL" 
#68 -->  "KEYCODE_GRAVE" 
#69 -->  "KEYCODE_MINUS" 
#70 -->  "KEYCODE_EQUALS" 
#71 -->  "KEYCODE_LEFT_BRACKET" 
#72 -->  "KEYCODE_RIGHT_BRACKET" 
#73 -->  "KEYCODE_BACKSLASH" 
#74 -->  "KEYCODE_SEMICOLON" 
#75 -->  "KEYCODE_APOSTROPHE" 
#76 -->  "KEYCODE_SLASH" 
#77 -->  "KEYCODE_AT" 
#78 -->  "KEYCODE_NUM" 
#79 -->  "KEYCODE_HEADSETHOOK" 
#80 -->  "KEYCODE_FOCUS" 
#81 -->  "KEYCODE_PLUS" 
#82 -->  "KEYCODE_MENU" 
#83 -->  "KEYCODE_NOTIFICATION" 
#84 -->  "KEYCODE_SEARCH" 
#85 -->  "TAG_LAST_KEYCODE"

adb_tap 0x70 0x80  # tap on android icon
adb shell input keyevent 20  # down to 'Create'
adb shell input keyevent 20  # down to 'Sign in'
adb shell input keyevent 23  # enter
adb shell input text 'username@gmail.com'
adb shell input keyevent 20  # down to 'password'
adb shell input text 'password or 2-factor code'  # 2-factor pw
adb shell input keyevent 23  # enter
adb shell input keyevent 20  # down to 'Sign in'
adb shell input keyevent 23  # enter
My phone is now setup and working.

Now to setup WiFi.