
Root Porting ClockWorkMod to the Kyocera Rise

I'm still looking to 2nd-init as the answer for this phone until somebody smarter than me gets around to cracking the bootloader

trying to work on that. First step is finding what's in unknown partitions. I'm having a helluva time manually editing the mbr and ebr's in a hex editor (don't ask T_T)

EDIT:
If anybody can assist me with finding the ebr's using a hex editor, that would be great!

Double Edit:
Never mind. Turns out Kyocera used MBR instead of GPT for the partition table, so no named partitions. *grumble* At least I figured out how to get the SD card copy of mmcblk0 to be readable in gparted.
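
Added example, not part of the original posts: locating the EBRs by hand in a hex editor can be replaced by walking the MBR and its EBR chain in a raw dump such as the mmcblk0 copy mentioned above. The function names and the sample image are constructed for illustration; the layout is the standard MBR/EBR format, not anything Kyocera-specific.

```python
import struct

SECTOR = 512
EXTENDED_TYPES = {0x05, 0x0F, 0x85}   # type bytes that mark an extended partition

def read_entries(image, lba):
    """Return the four (type, relative_start, sectors) entries in the sector at lba."""
    sector = image[lba * SECTOR:(lba + 1) * SECTOR]
    if len(sector) < SECTOR or sector[510:512] != b"\x55\xaa":
        raise ValueError(f"no 0x55AA signature at LBA {lba}")
    # The table starts at byte 446; each 16-byte entry keeps its type at +4,
    # start LBA at +8 and sector count at +12 (both little-endian).
    return [struct.unpack_from("<B3xII", sector, 446 + 16 * i + 4) for i in range(4)]

def walk_partitions(image):
    """List (number, type, absolute_start_lba, sectors), following the EBR chain."""
    parts, ext_base = [], None
    for n, (ptype, start, count) in enumerate(read_entries(image, 0), 1):
        if ptype == 0:
            continue
        parts.append((n, ptype, start, count))
        if ptype in EXTENDED_TYPES and ext_base is None:
            ext_base = start
    number, ebr_lba, seen = 5, ext_base, set()
    while ebr_lba is not None and ebr_lba not in seen:   # 'seen' stops looping chains
        seen.add(ebr_lba)
        logical, link = read_entries(image, ebr_lba)[:2]
        if logical[0] != 0:
            # A logical partition's start is relative to the EBR that describes it.
            parts.append((number, logical[0], ebr_lba + logical[1], logical[2]))
            number += 1
        # The link entry is relative to the start of the whole extended partition.
        ebr_lba = ext_base + link[1] if link[0] != 0 else None
    return parts

def _table(entries):
    """Build one 512-byte table sector from (type, start, sectors) tuples."""
    sector = bytearray(SECTOR)
    for i, entry in enumerate(entries):
        struct.pack_into("<B3xII", sector, 446 + 16 * i + 4, *entry)
    sector[510:512] = b"\x55\xaa"
    return bytes(sector)

def build_sample_image():
    """Constructed 64-sector image: two primaries and an extended with two logicals."""
    img = bytearray(64 * SECTOR)
    img[0:SECTOR] = _table([(0x0C, 1, 8), (0x83, 9, 7), (0x05, 16, 48)])
    img[16 * SECTOR:17 * SECTOR] = _table([(0x83, 1, 15), (0x05, 16, 32)])  # first EBR
    img[32 * SECTOR:33 * SECTOR] = _table([(0x83, 1, 31)])                  # last EBR
    return bytes(img)

if __name__ == "__main__":
    for number, ptype, start, count in walk_partitions(build_sample_image()):
        print(f"p{number}: type 0x{ptype:02X} start LBA {start} "
              f"(byte 0x{start * SECTOR:X}) sectors {count}")
```

The printed byte offset is where each partition begins in the dump, which is the address to jump to in the hex editor.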
 
So here's a question for anybody. Would QPST be of any use to us? I could not get the VM Rise to be recognized by either QPST or CDMAW, but the Sprint Rise was recognized right away. However, I've removed so much stuff from the phone, I can't get the MSL from it. -_-
 

getting the msl was something that was never achieved as far as I know... I had tried using the calculator method and a few other methods and had no success... Keep in mind I tried with the c5156 and you may have better luck... This site is pretty legit. I used it on a few zte phones on different carriers and it worked for me time and time again but it works better with a meid (hex) rather than the (dec). Also on your sprint Rise, do you have access to the data menu (##3282#)?
 
Oh, some guy created this a ways back, worked on the VM Rise:
https://play.google.com/store/apps/details?id=com.unlockgods.kyc&hl=en

Like I said, I pretty much have a skeleton of the Sprint Rise with everything I've removed. I don't even have the phone apk installed anymore. Half the settings options crash it.
 
Would somebody be able to tell me what this might be exactly? It looks like a hash of some sort, but I'm not sure which one it could be. I pulled this from the end of the Event's recovery image using a hex editor.

 
oh...I noticed the } in the file, and if this was compiled from source (not if because it is) then we can possibly break it down to assembly then convert to somewhat cleartext.
but something important is in the lines above it, unless it's endless rows of .....
 
yeah, about 2500 individual dots before it gets to the end of the ramdisk section.

FYI: Each of the recovery/boot images has a similar snippet of bits after the ramdisk. They aren't all the same, and simply copying it over to a repacked image doesn't work.
 
really??? o.O This may be useful
where is the starting location in hex form?

It's in different locations for each. For the Public Mobile Rise and the Event, it's at 004e9000, and for the Sprint Rise, it's at 004e6000. (Note that these locations are what's written on the left hand side of my hex editor. I'm not very bright when it comes to hex conversions/offsets *shrug*) The PM Rise and the Event are also the same 'distance' from the end of the ramdisk, while the Sprint Rise has an extra 1604 "00"s (bits? I dunno. I wish I could remember these things. >.>).

Also just finished running some tests, dealing with unpacking/repacking the ramdisk. Nothing worked, even adding that hash thing and padding it to the same location as before. What IS interesting, is that I dd'd the recovery from the Sprint Rise onto the Event, and it worked just fine. (Ignoring that it couldn't mount the /data partition.)

So the VM Rise can boot its recovery as well as the BM Hydro's recovery for sure, and the VM Event can boot its recovery and the Sprint Rise's recovery. I don't know what we should be looking for. It seems that Kyocera changed toolchains or something at some point, just because the ramdisks start at different locations. (The PM Rise and VM Event are at the same location, the Sprint Rise is earlier)

EDIT:
Oh, and the Event must really be based off the Hydro. The screen is upside down when running the Sprint Rise recovery, which happens when running the Hydro recovery on the Rise.

EDIT2:
Just found a new fastboot command (well, new to me.) "device-info", so I ran it on the Sprint Rise, which has bootloader access. Here is the output:
sudo fastboot oem device-info
...
(bootloader)     Device tampered: true
(bootloader)     Device unlocked: true
OKAY [  0.003s]
finished. total time: 0.003s
So it truly believes it is unlocked, yet it still can't normal boot into custom images. *grumble*

EDIT3:
Just "fastboot boot"ed the unpadded repacked recovery from the Event (with adb enabled, of course) onto the Sprint Rise, and again it works. (Just doesn't mount /data and the screen is flipped. Both were expected.) Also, adb does in fact work. I'm so confused. T_T;
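
Added example, not part of the original posts: the ramdisk start, its padded end and the position of any data sitting after it can be computed from the image header instead of read off the hex editor margin. It assumes the images use the standard Android boot image header (magic, eight 32-bit fields, page-aligned sections), which the thread does not confirm for these phones; function names and the sample dump are constructed.

```python
import struct

def boot_layout(dump):
    """Return byte offsets of the sections in an Android boot/recovery image dump."""
    if len(dump) < 40 or dump[:8] != b"ANDROID!":
        raise ValueError("missing ANDROID! magic")
    # Eight little-endian u32 fields follow the magic: kernel size/addr,
    # ramdisk size/addr, second size/addr, tags addr, page size.
    ksize, _, rsize, _, ssize, _, _, page = struct.unpack_from("<8I", dump, 8)
    if page == 0 or page & (page - 1):
        raise ValueError(f"implausible page size {page}")

    def padded(size):                      # section length rounded up to whole pages
        return (size + page - 1) // page * page

    ramdisk = page + padded(ksize)         # header fills page 0, kernel follows it
    image_end = ramdisk + padded(rsize) + padded(ssize)
    # Bytes past image_end are not described by any header field.
    tail = dump[image_end:]
    stripped = tail.lstrip(b"\x00")
    extra = image_end + len(tail) - len(stripped) if stripped else None
    return {"page_size": page, "kernel": page, "ramdisk": ramdisk,
            "ramdisk_end": ramdisk + rsize, "image_end": image_end,
            "extra_data": extra, "extra_len": len(stripped.rstrip(b"\x00"))}

def build_sample_dump():
    """Constructed dump: header, kernel, ramdisk, a zero gap, then trailing bytes."""
    page, ksize, rsize = 2048, 5000, 3000
    header = b"ANDROID!" + struct.pack("<8I", ksize, 0x10008000, rsize, 0x11000000,
                                       0, 0x10F00000, 0x10000100, page)

    def pad(blob):
        return blob + bytes(-len(blob) % page)

    body = pad(header) + pad(b"K" * ksize) + pad(b"R" * rsize)
    return body + bytes(page) + b"\xa5" * 256 + bytes(1024)

if __name__ == "__main__":
    for name, value in boot_layout(build_sample_dump()).items():
        print(f"{name:12} {value if value is None else hex(value)}")
```

Running it on dumps from two models shows directly whether a difference in the trailing data's position comes from a larger kernel or ramdisk or from extra zero padding after `image_end`.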
 
Just means they didn't lock the bootloader using traditional ways (kind of expected, since locked phones with qcom SoCs are known for having as many holes in the bootloader as swiss cheese). Also, you might have triggered tampered and unlocked by simply running fastboot boot, or fastboot sees the sprint bootloader as unlocked by default.
 
Hey cooldudezach, junkie2100 posted this in my Public Mobile thread for the ZTE N861 a while back... I think it might help you with finding out what partitions do what on the rise. You could boot into twrp with fastboot on your sprint rise and then mount the partitions with adb...

pretty much. that was confusing at first but they used some weird way of implementing the crypto program or something, it cycles 16-19 up one when the rom boots sending 19 back around to 16 and pushing the others up one if i remember correctly. if you ever get confused about it though, this is how i figured it out

go into cwm
adb shell
make a directory called testing or whatever
mount any partition in question to that folder
then browse it using cd and ls commands
if you can't tell because it's carrier or cache or whatever go back into rom and put a blank file named cache in cache and a blank file named carrier in carrier, that way if things change outside of the rom they will be flagged appropriately

if you use that method and don't do anything else in cwm all you need is a bootable version of cwm with working adb, even if the partitions aren't set up correctly in the fstab as long as you are only mounting manually for testing purposes it won't matter at all
 
That's good to keep in mind, but I don't think it will help too much. The partitions I'm interested in aren't the ones that are mountable through android.
 
There is a saying about android programming which states "If you are not willing to break your android you are not willing to program android".

With that in mind I boot-looped my 3rd Rise. Since I have 2 boot-looped Rises in my possession, I decided to take one completely apart. When I did this, here is the info I found...

********************************************************
Note: this was on a (Virgin Mobile Rise)
********************************************************
The flash is an EMMC flash created by Samsung.
Which answers my question why Samsung drivers worked for me.

The description on it is as follows...
Samsung 222
KLM2G1HE3F-B001


Which leads me to believe the same process used on some Samsung devices may work for the Rise with some tweaks.

The second thing I noticed is the processor is Qualcomm PM8058.
(Linux has some drivers to connect to this processor. )

The more I looked into this processor, the more it seems the only other phones which use it were the Sony Xperia (Arc/Arc s). Which already have an unlock boot-loader process.

The process for unlocking boot-loader for Xperia involves contacting Sony.

*******************************************************

Final thoughts...

The emmc flash is what keeps restoring the phone to stock and causing boot-loops. With processes already online on how to access emmc flash on Samsung devices, there should be some process already to allow Rise bootloader access. It makes no sense that Samsung would create an EMMC flash component and not already put that version on one of their devices?

Which brings me to my next thought on the bootloader. Xperia (Arc/Arc s) seem to be the most similar phone to the Rise which has a process to unlock the bootloader.

The process for it is to dial "#06#" to get your IMEI code, send it to Sony, they send you your key and with a fastboot command+key your bootloader is unlocked. Which means the "IMEI" has a key associated with Sony which unlocks the bootloader.

Now taking this thought into the Rise, Kyocera should have the same process since they are the maker of the phone. Sony is a much bigger company than Kyocera but they are in a way similar. They both do not have a big foot in the mobile phones door. With that in mind Sony may have unlocked bootloader hoping to have users help develop phones to expand Sony mobile line-up by seeing what the current phones can do.

Maybe we can convince Kyocera to do the same and unlock the boot-loader, by us providing the "IMEI", Kyocera providing us the key with fastboot command and drivers. Then we can show Kyocera what their phones can do.
*******************************************************

I no longer have a working Rise, so I cannot test. Will pop-in from time to time, to see progress.

I hope this helps!

TD378

In Loving Memory,
R.I.P. 3rd Boot-looped Kyocera Rise
 
The kyocera rise has a qualcomm msm8655. same as in the zte n860 and n861 as well as in a lot of other zte devices. the msm8x55 is a revision of the msm7x30... If I recall you were saying that the original bootloader for the rise when it had ics 4.0.3 was based on the 7x30 and then it was labeled 8x55 on the 4.0.4 builds... correct?
 
From what I can find, the MSM8x55 is the 7x30+LTE support and is almost fully compatible with 7x30 instructions (judging from the kernel source, there is almost nothing in there specific to the 8x55)

I think what TechDad is getting at is the physical chip has Qualcomm PM8058 printed right on it, and he could only find a few sony phones that also had that printed on the chip (albeit I'm sure there are some 8x55 phones that have not been opened up and documented)

My searching has found that the PM8058 is a power management IC, and is known to be in the following phones:
HTC A9191 G10 G11 G12, sony ericsson MT15I LT15I LT18 ST18 Z1I R800

Samsung emmc controllers are very common as well, in fact I don't know if anybody else manufactures them.
 
Well, I got the Hydro I bought off of eBay today! It turned on and works like a charm, despite the cracked screen. I'm exhausted from work, will probably take a swing at it (rooting and bootloader messing with) later tonight. Will report back with findings.

Also, sent an email to Kyocera about the unlocked Sprint bootloader, here is their response. It's hilarious!

Dear Zach Williams,

Thank you for contacting Kyocera Communications Inc. This email message is in response to your concern regarding your Kyocera phone.
We are sorry to hear about the difficulties you are experiencing and appreciate the opportunity to assist you.
Unfortunately this messages are given because the programing of the phone may be compromised. Maybe the phone has gone through changes of the Operating System like rooting the phone or maybe other changes. If you have not made this type of changes in the phone, you can contact us back so we can process the warranty of the phone.

If you have any further questions, or are interested in purchasing, or information on accessories for your Kyocera Communications Inc. phone, please contact us at any of the phone numbers listed below:

-E-Mail: phone-help@kyocera.com
-Phone: (800) 349-4478 (Toll-free USA and Canada only)
-Sanyo Accessories: (877) 204-1816
-Kyocera Accessories: KyoceraWeb@scp4me.com
-International Access: (858) 882-1401 (Outside the USA)
-Fax: (858) 882-1717

Thank you for contacting Kyocera Communications Inc.

Donato,
Technical Support Specialist
Kyocera Communications Inc.


Description of Issue and Steps Needed to Duplicate:
Hi, I am emailing today to find a solution to my problem. I am using the Sprint C5155 Rise. I unlocked the bootloader, and I am still unable to load custom software. I can use the command "fastboot boot name.img" to load the custom software, but the software, both on the boot partition and the recovery partition, will not boot normally. What is the problem, and can you help me fix it?

Thanks,
-Zach

How should I respond back?
 
Probably shouldn't, poor guy was just doing his job (xD)
 
The process for it is to dial "#06#" to get your IMEI code, send it to Sony, they send you your key and with a fastboot command+key your bootloader is unlocked. Which means the "IMEI" has a key associated with Sony which unlocks the bootloader.


I tried dialing this on PM Rise out of curiosity and it doesn't do anything :|


How should I respond back?

Personally I would call, and try to talk to someone who knows more about the phone XD
 
I'm new on this on wanting cwm ported. I noticed with all my other phones that have cwm on them that the regular recovery is not there. I browsed the system/bin on my other phones and took notice that there isn't a recovery in there. so I'm wondering if it's possible to get a modded 3e recovery to this phone without the checks the bootloader goes through. is it possible for the modded 3e recovery to skip the checks in the bootloader or not?
 
You prolly had those oddball samsungs (captivate/infuse/epic/vibrant) from the first Galaxy S series.
We don't have a recovery binary on this phone, as recovery on those were packed INTO the kernel as a second initramfs that called the binary when key combo was pressed. With this device, the kernel and recovery have their own little rooms to sleep in, instead of sharing a bed. So it's much harder to port on a locked bootloader.
Right idea, wrong demographic :P
 
well there goes my idea of a modded recovery. I've read on safestrap and kexec but many have failed in getting this to work. the only thing we need is the update.zip option so we can backport to ics 4.0.3. but kyocera did their job and didn't include that in the recovery. besides the hydro and event, is there any other phone that is similar to this phone? I looked in to the xperia arc and these phones are similar in design, but ik it is a no-go with this. imma continue to look at other phone specs to see if we have a method of use. too bad we can't use an odin file with this phone.......
 
i just got a tip on this phone. only virgin mobile can give us the codes to unlock our phones. has anyone contacted virgin mobile to get such a code?
 