MobileRead Forums - View Single Post

Noctuelles · 01-17-2022, 06:39 AM

Disclaimer

I am not responsible for any damage to your device. Please be very careful when doing such low level manipulation. Since we're dealing with partitions, be SURE you're flashing the correct one.

This tutorial will assume you're working with a Linux distribution. However, it can be successfully done under Windows and Mac OS.

Documentation

You can find useful resources that will help you to understand what's at stake.
I highly recommend you to read everything.
I assume you're already familiar with the command line interpreter, if not, i highly recommend you to practice a little bit before doing this tutorial.

Let's root our Max Lumi : original thread for the Max Lumi. Files provided does not apply to the Max Lumi 2.
As said in this thread, you should NOT use any patched Magisk image that don't match your current build.
Magisk installation page : only download the Magisk apk from the original GitHub repo'.
Magisk GitHub
Install ADB on Mac OS, Linux, Windows : this will guide you thought the installation of ADB (Android Debug Bridge), used to debug the device with USB-C connection.
EDL GitHub : an unofficial Qualcomm diag tools. Use to retrieve the boot partition off the device, without any super user permission or adb shell command. Again, use this tool with the greatest precaution.

Preamble

Install ADB, EDL, via the link in the documentation section.
I'll not explain how to install these because the tutorial are straightforward

Enable USB debugging on your Max Lumi 2 :

Go to 'App'
Press the top right button
Go to 'App management'
Tick 'USB Debug Mode'
Plug the tablet into your computer, accept the RSA key.
Go to a terminal, and type adb devices : you should see your tablet under an ID.

Download the attached file 'Qualcomm_662_loader.zip', used to communicate to the device in Emergency DownLoad Mode, and de-compress it in the EDL folder.
Qualcomm_662_loader.zip

Let's get to it.

Plug the Lumi 2 into the computer.
Type
Code:
```
adb devices
```
to check if your device is properly connected.
Set the device mode into Emergency Download mode :
Code:
```
adb reboot edl
```
At this point the device should hang and freeze : no panic, it's normal. If the ADB command hasn't returned any kind of error, you're in EDL mode.

Navigate in the EDL tool, and inject the elf file by typing : 'edl --loader=Qualcomm_662_loader.elf' you should have this output (excepted the ":

Code:

Capstone library is missing (optional).
Keystone library is missing (optional).
Qualcomm Sahara / Firehose Client V3.53 (c) B.Kerler 2018-2021.
main - Using loader Qualcomm_662_loader.elf ...
main - Waiting for the device
main - Device detected :)
main - Mode detected: sahara
Device is in EDL mode .. continuing.
sahara - 
------------------------
HWID:              0x0014d0e100000000 (MSM_ID:0x0014d0e1,OEM_ID:0x0000,MODEL_ID:0x0000)
CPU detected:      "SDM662"
PK_HASH:           0xd40eee56f3194665574109a39267724ae7944134cd53cb767e293d3c40497955
Serial:            0x7b6cb5b2

sahara - Uploading loader Qualcomm_662_loader.elf ...
Successfully uploaded programmer :)
firehose - INFO: Chip serial num: 2070721970 (0x7b6cb5b2)
firehose_client - Target detected: SDM662
firehose_client
firehose_client - [LIB]: Based on the chipset, we assume eMMC as default memory type..., if it fails, try using --memory" with "UFS","NAND" or "spinor" instead !
firehose
firehose - [LIB]: Couldn't detect MaxPayloadSizeFromTargetinBytes
firehose
firehose - [LIB]: Couldn't detect TargetName
firehose - TargetName=Unknown
firehose - MemoryName=eMMC
firehose - Version=1
firehose
firehose - [LIB]: Memory type eMMC doesn't seem to match (Failed to init). Trying to use UFS instead.
firehose
firehose - [LIB]: Couldn't detect MaxPayloadSizeFromTargetinBytes
firehose
firehose - [LIB]: Couldn't detect TargetName
firehose - TargetName=Unknown
firehose - MemoryName=UFS
firehose - Version=1
firehose_client - Supported functions:
-----------------
program,read,nop,patch,configure,setbootablestoragedrive,erase,power,firmwarewrite,getstorageinfo,benchmark,emmc,ufs,fixgpt,getsha256digest

You can now dump the boot partition, type

Code:

edl r boot_a boot.img

You should see a progress bar indicating the dump status. If everything is ok, then check if the file is present in the folder by typing

Code:

ls -l boot.img

The file should be here and should weight approximately 100MB.

Code:

Capstone library is missing (optional).
Keystone library is missing (optional).
Qualcomm Sahara / Firehose Client V3.53 (c) B.Kerler 2018-2021.
main - Trying with no loader given ...
main - Waiting for the device
main - Device detected :)
main - Mode detected: firehose
firehose - INFO: UFS Boot Partition Enabled: 0x1
firehose - INFO: UFS Erase Block Size: 0x2000
firehose - INFO: UFS Inquiry Command Output: SAMSUNG KM2L9001CM-B518 0100 
firehose
firehose - [LIB]: Couldn't detect MaxPayloadSizeFromTargetinBytes
firehose
firehose - [LIB]: Couldn't detect TargetName
firehose - TargetName=Unknown
firehose - MemoryName=UFS
firehose - Version=1
firehose_client - Supported functions:
-----------------
program,read,nop,patch,configure,setbootablestoragedrive,erase,power,firmwarewrite,getstorageinfo,benchmark,emmc,ufs,fixgpt,getsha256digest
firehose - 
Reading from physical partition 4, sector 65414, sectors 24576
Progress: |██████████████████████████████████████████████████| 100.0% Read (Sector 0x6000 of 0x6000, ) 34.58 MB/s                                                   
Progress: |██████████████████████████████████████████████████| 100.0% Complete                                                                                      
Dumped sector 65414 with sector count 24576 as boot.img.

Reboot into android : type
Code:
```
edl reset
```
Now transfer the boot.img file we dumped earlier into the Internal Storage of the Lumi 2 with a standard USB data transfer. You can paste it in the root directory for example.
Go to the Magisk app, and perform the patch with the original boot.img (see Magisk documentation).
Export the patched boot.img on your computer (it should be located in the Download folder of your tablet), in a folder of your choice.
Reboot into a bootloader session with
Code:
```
adb reboot bootloader
```
The onyx logo is now displaying on the screen.

Navigate on the folder where the patched boot.img lies. Then, try to boot with it using

Code:

fastboot boot <file_name>

You should see :

Code:

downloading 'boot.img'...
OKAY [  0.342s]
booting...
OKAY [  0.096s]
finished. total time: 0.437s

The booting went fine ! Try if your tablet is rooted then : type
Code:
```
adb shell
```
and execute
Code:
```
su
```
If the tablet ask you root privilege, you're good. We can now flash the image into the Lumi 2.
Re-do the previous steps to reboot into a bootloader session.

Type

Code:

fastboot flash boot <file_name>

You should see :

Code:

target reported max download size of 805306368 bytes
sending 'boot_a' (98304 KB)...
OKAY [  0.474s]
writing 'boot_a'...
OKAY [  0.681s]

Reboot the device using
Code:
```
fastboot reboot
```
Congratulation ! The Max Lumi 2 is now fully unlocked.

You can now install a firewall to prevent android phoning back to China, and other super user privileges.
I'll not provide any .img file for the sake of caution
Feel free to ask anything.

01-17-2022, 06:39 AM	#1
Noctuelles Junior Member Posts: 2 Karma: 10 Join Date: Jan 2022 Device: Onyx Boox Max Lumi 2	Let's root the Max Lumi 2 Disclaimer I am not responsible for any damage to your device. Please be very careful when doing such low level manipulation. Since we're dealing with partitions, be SURE you're flashing the correct one. This tutorial will assume you're working with a Linux distribution. However, it can be successfully done under Windows and Mac OS. Documentation You can find useful resources that will help you to understand what's at stake. I highly recommend you to read everything. I assume you're already familiar with the command line interpreter, if not, i highly recommend you to practice a little bit before doing this tutorial. Let's root our Max Lumi : original thread for the Max Lumi. Files provided does not apply to the Max Lumi 2. As said in this thread, you should NOT use any patched Magisk image that don't match your current build. Magisk installation page : only download the Magisk apk from the original GitHub repo'. Magisk GitHub Install ADB on Mac OS, Linux, Windows : this will guide you thought the installation of ADB (Android Debug Bridge), used to debug the device with USB-C connection. EDL GitHub : an unofficial Qualcomm diag tools. Use to retrieve the boot partition off the device, without any super user permission or adb shell command. Again, use this tool with the greatest precaution. Preamble Install ADB, EDL, via the link in the documentation section. I'll not explain how to install these because the tutorial are straightforward Enable USB debugging on your Max Lumi 2 : Go to 'App' Press the top right button Go to 'App management' Tick 'USB Debug Mode' Plug the tablet into your computer, accept the RSA key. Go to a terminal, and type adb devices : you should see your tablet under an ID. Download the attached file 'Qualcomm_662_loader.zip', used to communicate to the device in Emergency DownLoad Mode, and de-compress it in the EDL folder. Qualcomm_662_loader.zip Let's get to it. Plug the Lumi 2 into the computer. Type Code: adb devices to check if your device is properly connected. Set the device mode into Emergency Download mode : Code: adb reboot edl At this point the device should hang and freeze : no panic, it's normal. If the ADB command hasn't returned any kind of error, you're in EDL mode. Navigate in the EDL tool, and inject the elf file by typing : 'edl --loader=Qualcomm_662_loader.elf' you should have this output (excepted the ": Code: Capstone library is missing (optional). Keystone library is missing (optional). Qualcomm Sahara / Firehose Client V3.53 (c) B.Kerler 2018-2021. main - Using loader Qualcomm_662_loader.elf ... main - Waiting for the device main - Device detected :) main - Mode detected: sahara Device is in EDL mode .. continuing. sahara - ------------------------ HWID: 0x0014d0e100000000 (MSM_ID:0x0014d0e1,OEM_ID:0x0000,MODEL_ID:0x0000) CPU detected: "SDM662" PK_HASH: 0xd40eee56f3194665574109a39267724ae7944134cd53cb767e293d3c40497955 Serial: 0x7b6cb5b2 sahara - Uploading loader Qualcomm_662_loader.elf ... Successfully uploaded programmer :) firehose - INFO: Chip serial num: 2070721970 (0x7b6cb5b2) firehose_client - Target detected: SDM662 firehose_client firehose_client - [LIB]: Based on the chipset, we assume eMMC as default memory type..., if it fails, try using --memory" with "UFS","NAND" or "spinor" instead ! firehose firehose - [LIB]: Couldn't detect MaxPayloadSizeFromTargetinBytes firehose firehose - [LIB]: Couldn't detect TargetName firehose - TargetName=Unknown firehose - MemoryName=eMMC firehose - Version=1 firehose firehose - [LIB]: Memory type eMMC doesn't seem to match (Failed to init). Trying to use UFS instead. firehose firehose - [LIB]: Couldn't detect MaxPayloadSizeFromTargetinBytes firehose firehose - [LIB]: Couldn't detect TargetName firehose - TargetName=Unknown firehose - MemoryName=UFS firehose - Version=1 firehose_client - Supported functions: ----------------- program,read,nop,patch,configure,setbootablestoragedrive,erase,power,firmwarewrite,getstorageinfo,benchmark,emmc,ufs,fixgpt,getsha256digest You can now dump the boot partition, type Code: edl r boot_a boot.img You should see a progress bar indicating the dump status. If everything is ok, then check if the file is present in the folder by typing Code: ls -l boot.img The file should be here and should weight approximately 100MB. Code: Capstone library is missing (optional). Keystone library is missing (optional). Qualcomm Sahara / Firehose Client V3.53 (c) B.Kerler 2018-2021. main - Trying with no loader given ... main - Waiting for the device main - Device detected :) main - Mode detected: firehose firehose - INFO: UFS Boot Partition Enabled: 0x1 firehose - INFO: UFS Erase Block Size: 0x2000 firehose - INFO: UFS Inquiry Command Output: SAMSUNG KM2L9001CM-B518 0100 firehose firehose - [LIB]: Couldn't detect MaxPayloadSizeFromTargetinBytes firehose firehose - [LIB]: Couldn't detect TargetName firehose - TargetName=Unknown firehose - MemoryName=UFS firehose - Version=1 firehose_client - Supported functions: ----------------- program,read,nop,patch,configure,setbootablestoragedrive,erase,power,firmwarewrite,getstorageinfo,benchmark,emmc,ufs,fixgpt,getsha256digest firehose - Reading from physical partition 4, sector 65414, sectors 24576 Progress: \|██████████████████████████████████████████████████\| 100.0% Read (Sector 0x6000 of 0x6000, ) 34.58 MB/s Progress: \|██████████████████████████████████████████████████\| 100.0% Complete Dumped sector 65414 with sector count 24576 as boot.img. Reboot into android : type Code: edl reset Now transfer the boot.img file we dumped earlier into the Internal Storage of the Lumi 2 with a standard USB data transfer. You can paste it in the root directory for example. Go to the Magisk app, and perform the patch with the original boot.img (see Magisk documentation). Export the patched boot.img on your computer (it should be located in the Download folder of your tablet), in a folder of your choice. Reboot into a bootloader session with Code: adb reboot bootloader The onyx logo is now displaying on the screen. Navigate on the folder where the patched boot.img lies. Then, try to boot with it using Code: fastboot boot <file_name> You should see : Code: downloading 'boot.img'... OKAY [ 0.342s] booting... OKAY [ 0.096s] finished. total time: 0.437s The booting went fine ! Try if your tablet is rooted then : type Code: adb shell and execute Code: su If the tablet ask you root privilege, you're good. We can now flash the image into the Lumi 2. Re-do the previous steps to reboot into a bootloader session. Type Code: fastboot flash boot <file_name> You should see : Code: target reported max download size of 805306368 bytes sending 'boot_a' (98304 KB)... OKAY [ 0.474s] writing 'boot_a'... OKAY [ 0.681s] Reboot the device using Code: fastboot reboot Congratulation ! The Max Lumi 2 is now fully unlocked. You can now install a firewall to prevent android phoning back to China, and other super user privileges. I'll not provide any .img file for the sake of caution Feel free to ask anything.