Thread: Go 7 attempted root and now stuck on boox logo
View Single Post
Old 03-31-2026, 12:21 PM   #53
doomgoatman
Member
doomgoatman began at the beginning.
 
Posts: 10
Karma: 38
Join Date: Mar 2026
Device: Boox Go 7 BW
Got the Go 7 (B/W) rooted. Documenting the full process here for anyone else who wants to attempt it.

WHAT YOU NEED:
- EDL cable (Qualcomm 9008 deep flash cable with button). Not optional.
- FairPhone 4 ABL (abl.img from latest e/OS/ A15 build for FP4: https://doc.e.foundation/devices/FP4/install)
- fonix232's frp_oemunlock.img (from https://github.com/jdkruzr/BooxPalma2RootGuide/issues/9, Jan 13 comment)
- Renate's misc-recovery.prc (from this thread, post #3, rename to .img)
- Decrypted Go7 4.1.1 firmware (decrypt the .upx with https://github.com/Hagb/decryptBooxUpdateUpx, extract images with payload-dumper-go)
- EDL loader: 0000000000000000_bdaf51b59ba21d8a_fhprg.bin from https://www.temblast.com/ref/onyxldr.htm
- bkerler edl tool (https://github.com/bkerler/edl) running in WSL2. Windows fastboot was not able to consistently communicate with this device.
- Magisk APK and Termux APK
- Java, baksmali, and smali for the services.jar patch

PHASE 0: Download Firmware, Decrypt, and Extract Stock Images

Download
  1. In your browser, navigate to:
    Code:
    http://en-data.onyx-international.cn/api/firmware/update?where={"buildNumber":0,"buildType":"user","deviceMAC":"","lang":"en_US","model":"Go7","submodel":"","fingerprint":""}
  2. The key you are looking for is
    Code:
    "downloadUrlList": ...
  3. Download the .upx file

Decrypt and extract
Code:
# Clone decryption tool
git clone https://github.com/Hagb/decryptBooxUpdateUpx.git
cd decryptBooxUpdateUpx
git submodule update --init --recursive

# Decrypt (Go7 keys are in BooxKeys.csv)
python3 DeBooxUpx.py Go7 /path/to/update.upx /path/to/update.zip

# Extract payload
unzip update.zip payload.bin

# Extract individual partition images
# Download payload-dumper-go from https://github.com/ssut/payload-dumper-go/releases
./payload-dumper-go -o stock_images payload.bin
PHASE 1: UNLOCK THE BOOTLOADER

The Go 7's stock bootloader is completely locked. All fastboot write commands return "unknown command." We need to replace it with the FairPhone 4 ABL which has full fastboot functionality.

Enter EDL Mode
  1. Power off Go 7 completely (hold power 15+ seconds)
  2. Plug in EDL cable, press/hold the button
  3. Confirm "05c6:9008" appears in "usbipd list"

Attach USB to WSL
Code:
# Windows PowerShell (Admin)
usbipd bind --busid <BUSID>
usbipd attach --wsl --busid <BUSID>
Back up stock partitions
Code:
cd /path/to/edl
sudo python3 edl.py --loader=go7_loader.bin --memory=emmc r abl_a abl_a_backup.img
sudo python3 edl.py --loader=go7_loader.bin --memory=emmc r abl_b abl_b_backup.img
sudo python3 edl.py --loader=go7_loader.bin --memory=emmc r frp frp_backup.img
sudo python3 edl.py --loader=go7_loader.bin --memory=emmc r devinfo devinfo_backup.img
sudo python3 edl.py --loader=go7_loader.bin --memory=emmc r boot_a boot_a_backup.img
sudo python3 edl.py --loader=go7_loader.bin --memory=emmc r boot_b boot_b_backup.img
Quote:
Note: bkerler edl reports Error:{} after every write at 100%. This is a false negative. Verify with read-back + sha256sum if concerned.
Flash unlocked bootloader stack
Code:
# Stock boot to both slots
sudo python3 edl.py --loader=go7_loader.bin --memory=emmc w boot_a stock_images/boot.img
sudo python3 edl.py --loader=go7_loader.bin --memory=emmc w boot_b stock_images/boot.img

# FairPhone 4 ABL to both slots
sudo python3 edl.py --loader=go7_loader.bin --memory=emmc w abl_a fp4/abl.img
sudo python3 edl.py --loader=go7_loader.bin --memory=emmc w abl_b fp4/abl.img

# Unlocked FRP
sudo python3 edl.py --loader=go7_loader.bin --memory=emmc w frp frp_oemunlock.img

# Stock recovery to both slots
sudo python3 edl.py --loader=go7_loader.bin --memory=emmc w recovery_a stock_images/recovery.img
sudo python3 edl.py --loader=go7_loader.bin --memory=emmc w recovery_b stock_images/recovery.img

# Misc-recovery to trigger recovery boot
sudo python3 edl.py --loader=go7_loader.bin --memory=emmc w misc misc-recovery.img

# Erase devinfo (required for unlock to take effect)
sudo python3 edl.py --loader=go7_loader.bin --memory=emmc e devinfo
Boot into recovery and factory reset
Power cycle the device, it should enter fastboot. Attach to WSL via usbipd.
Check unlock status and reboot into recovery
Code:
fastboot oem device-info
# Should show: Device unlocked: true

fastboot reboot recovery
Recovery menu appears on e-ink screen. Page turn buttons navigate, power button selects. Select "Factory data reset". Device boots into Android.

Quote:
WARNING: Do NOT restore the stock Boox ABL after this procedure. It will re-brick the device. The FP4 ABL must stay.
PHASE 2: PATCH BOOT WITH MAGISK

Install Magisk and Termux APKs on the device.

Patch the boot image
Copy "stock_images/boot.img" to the Go 7's Download folder via USB File Explorer.

On the Go 7:
  1. Open Magisk
  2. Tap Install
  3. Select "Select and Patch a File"
  4. Navigate to Download, select "boot.img"
  5. Wait for patching to complete
  6. Copy the resulting "magisk_patched-XXXXX.img" back to your PC via USB File Explorer.


Flash Patched Boot
  1. Power off, plug in EDL cable, press button. Attach to WSL.
  2. Flash Magisk-patched boot to slot A ONLY
    Code:
    sudo python3 edl.py --loader=go7_loader.bin --memory=emmc w boot_a magisk_patched-XXXXX.img
sudo python3 edl.py --loader=go7_loader.bin reset

The device will boot into Android. Magisk's init runs but the Boox AMS bug will cause the Magisk app to freeze on splash and "su" to be inaccessible. This is expected and will be fixed in Phase 3.

Open Magisk, when Magisk opens for the first time, it shows a dialog: "Upgrade to full Magisk to finish the setup." Tap Install/OK. Let it download and complete. The app will freeze on splash after this. This is expected.

PHASE 3: FIX THE AMS BUG

This is the Boox WebView tracking bug in ActivityManagerService that crashes when it encounters Magisk's root daemon. Credit to dynamicfire for identifying this: https://github.com/dynamicfire/boox-ams-fix

The pre-built module from that repo will NOT work on the Go 7 because services.jar differs per device. You need to build your own.

Mount the stock system.img (read-only, from WSL):
Code:
cp stock_images/system.img /tmp/system.img
sudo mkdir -p /tmp/system_mount
sudo mount -t ext4 -o ro,loop /tmp/system.img /tmp/system_mount
cp /tmp/system_mount/system/framework/services.jar ./services.jar
sudo umount /tmp/system_mount
Disassemble:
Code:
# Download baksmali and smali
curl -sL -o baksmali.jar https://github.com/baksmali/smali/releases/download/v2.5.2/baksmali-2.5.2.jar
curl -sL -o smali.jar https://github.com/baksmali/smali/releases/download/v2.5.2/smali-2.5.2.jar

# Disassemble
unzip services.jar classes.dex
java -jar baksmali.jar d classes.dex -o smali_out

# Find the patch target
grep -n "addPackageDependency" smali_out/com/android/server/am/ActivityManagerService.smali

Open ActivityManagerService.smali. Find the addPackageDependency method. Locate the if-eqz line that branches to the label shared with UpdateWebViewUsedPkgsAction code (on my device it was if-eqz v1, :cond_4c).

Two edits:
1. Change that if-eqz branch target to :cond_return
2. Add :cond_return label on the line before return-void at the end of the method

Verify the patch:
Code:
# Should show: if-eqz v1, :cond_return
grep "if-eqz v1, :cond_return" smali_out/com/android/server/am/ActivityManagerService.smali

# Should show :cond_return before return-void at end of method
grep -A1 "cond_return" smali_out/com/android/server/am/ActivityManagerService.smali
Reassemble:
Code:
java -jar smali.jar a smali_out -o classes_patched.dex
cp services.jar services_patched.jar
cp classes_patched.dex classes.dex
zip services_patched.jar classes.dex
Build the Magisk module
Code:
mkdir -p boox-ams-fix-module/system/framework/oat/arm64

cp services_patched.jar boox-ams-fix-module/system/framework/services.jar

cat > boox-ams-fix-module/module.prop << 'EOF'
id=boox-ams-fix
name=Boox AMS Fix
version=v1.0
versionCode=1
author=dynamicfire (adapted for Go7)
description=Fix Magisk crash caused by Boox WebView tracking in ActivityManagerService
EOF

cat > boox-ams-fix-module/customize.sh << 'EOF'
SKIPUNZIP=0
EOF

cat > boox-ams-fix-module/post-fs-data.sh << 'EOF'
MODDIR=${0%/*}
EOF

cd boox-ams-fix-module
zip -r ../boox-ams-fix-go7.zip .
cd ..
Copy "boox-ams-fix-go7.zip" to the Go 7's Download folder via USB File Explorer.

PHASE 4: GET ROOT ACCESS AND INSTALL THE FIX

This is the trickiest part. The AMS bug prevents normal su access, but there is a workaround.
  1. Open the Magisk app on the Go 7 (it will freeze on splash screen, leave it)
  2. Fully power off the device (not sleep, hold power until it shuts down completely)
  3. Power back on
  4. Open Magisk again. It should get past the splash screen this time.
  5. If Magisk asks about additional setup, tap OK and let it reboot.
  6. After reboot, open Magisk (it freezes on splash again)
  7. Leave Magisk on splash, switch to Termux
  8. Type su and press enter
  9. A superuser grant popup should appear. Tap Allow.
  10. You should see a # root prompt

If Magisk's binaries are missing from /data/adb/magisk/ (you can check with ls /data/adb/magisk/ from the root shell), extract them manually from the APK:

Code:
# In root Termux shell
pm path com.topjohnwu.magisk
# Note the path, then:
cp /data/app/<path>/base.apk /data/local/tmp/magisk.zip
cd /data/local/tmp
unzip magisk.zip lib/arm64-v8a/* -d magisk_extract
mkdir -p /data/adb/magisk
cp magisk_extract/lib/arm64-v8a/libmagisk.so /data/adb/magisk/magisk64
cp magisk_extract/lib/arm64-v8a/libmagiskinit.so /data/adb/magisk/magiskinit
cp magisk_extract/lib/arm64-v8a/libmagiskboot.so /data/adb/magisk/magiskboot
cp magisk_extract/lib/arm64-v8a/libmagiskpolicy.so /data/adb/magisk/magiskpolicy
cp magisk_extract/lib/arm64-v8a/libbusybox.so /data/adb/magisk/busybox
chmod 755 /data/adb/magisk/*
With root in Termux, install the fix module:

Code:
mkdir -p /data/adb/modules/boox-ams-fix/
unzip /sdcard/Download/boox-ams-fix-go7.zip -d /data/adb/modules/boox-ams-fix/
reboot
After reboot, Magisk should open normally. Installed, root working, su accessible.

KNOWN ISSUES:
- Stock ABL cannot be restored after this procedure (re-bricks the device)
- OTA updates will likely break things. Disable com.onyx.android.onyxotaservice.
- fastboot boot with Magisk-patched images crashes the device. Must flash to disk via EDL.
- Windows fastboot.exe cannot see this device. Use WSL2 with usbipd.
- bkerler edl reports Error:{} on every write at 100%. Writes are successful (verify with read-back + sha256sum).
- fastbootd (userspace fastboot) does not support flash commands on this device.
- The full power off/on cycle (not sleep) is what breaks through the Magisk splash freeze. Regular sleep/wake does not work.

Thanks to Renate for misc-recovery.img, fonix232 for the FP4 ABL method, dynamicfire for identifying the AMS bug, and everyone in this thread for the collective knowledge that made this possible.
doomgoatman is offline   Reply With Quote