• Announcements

    • Reminder - MoDaCo position on illegal content   07/30/15

      ILLEGAL CONTENT I'd like to just reaffirm MoDaCo's position regarding piracy and illegal content in the light of some recent questions / postings. Posts will be censored by myself or my moderation team if the contain or link to: Illegal / pirated / cracked software or sites that host such softwareNintendo emulators / ROMs or sites hosting them (in light of Nintendo's legal stance)CUSTOM ROMS You may discuss and post links to custom device ROMs on MoDaCo, provided the following rules are adhered to: ROMs must not contain any illegal 3rd party software (this includes trial versions included without permission)ROMs must give full credit to the original authorISSUES If you have any issues with this policy, please contact PaulOBrien directly via PM.
    • Reminder: Selling items on the forum directly is not allowed   07/30/15

      Please note that selling items on the forum directly is not allowed by the forum rules. There is a forum for eBay auctions whereby you can list the items on eBay and link to them there. This is the ONLY forum for this type of activity. You may also advertise links to the eBay forum in your signature. Please note that selling directly in contravention of these rules will result in a warning / suspension / ban.

Acer Gallant Duo root / hacking tools

94 posts in this topic

Posted

Hi Folks!

As you know I recently got my hands on an Acer Gallant Duo, which i've duly rooted... this post contains my root solution and the various tools i've accrued along the way.

First things first - as well as rooting using my method, the root exploit found by Bin4ryDigit also works at the time of writing.

With that said... here's my findings!

The MTK6765 chipset

The Gallant Duo (and Solo) use the MTK6575 chipset, which is also widely used in 'Chinese devices', meaning that a lot of hacking tools are already out there. The most useful one is the official MTK flashing tool. This is only available on Windows, but allows both the backing up and flashing of images directly from the device bootloader!

In order to facilitate this, a file called a 'scatter file' is used. This is basically a text file containing addresses for the various partitions on the flash, so that the tool knows where to write them. The Gallant devices don't use any of the existing MTK6575 scatter files out there, so i've created one for the device which is included in the download below. With this, we can flash custom ROMs, recoveries, boot images, logo binaries etc. with no problem. And create backups before we do. ;)

Possible root attack vectors

Aside from Bin4ryDigit's root method and the one I am using (flashing a SuperRecovery using the MTK tool), there are a couple of other potential 'ways in', but they are best kept under wraps for the time being. Interestingly, the stock recovery on the Gallant devices has backup and restore options, which back up the data partition to a single file on the SD card. This is useful (not just for obvious reasons), but also because this allowed me to poke around the data partition of the device even before I had root. For reference, the backup files are gzipped tar images with a 512 byte signature on the front. If you cut the first 512 bytes off, you can extract it with no issues.

SuperRecovery

For the initial root for the Gallant, I wanted to create a solution which gave root without compromising the ability to provide over the air updates in the future. With this in mind I'm overwriting only the stock recovery, but i'm overwriting it with a version which is still fully compatible with the original. It is the stock recovery but with ADB access and a script that runs on startup to root the device. We will likely have a clockworkmod recovery very soon for users that want to play around with the device more (custom ROMs and the like).

To install, you need to use the MTK flasher and my scatter file to install the custom recovery. After installation, launching the recovery just once will root the device.

Using SuperRecovery - step by step

Follow this simple guide to using SuperRecovery and rooting your device (Windows PC required!)

  1. Download the tools pack linked below and extract to a directory on your PC.
  2. Take the back off your device and pull the battery. Run device manager on your PC. Plug the device into your PC via the USB cable and you will see an 'unknown device' briefly appear in Device Manager. Right click this device and select 'update driver', specifying the location where you just extracted the tools zip (specifically, the driver folder for your chosen OS).
  3. With the driver installed, you're ready to run the flashing tool. From the 'Flash Tool' directory run 'Flash_tool.exe'. Unplug your device at this point.
  4. The 'Download Agent' field is automatically populated. You need to click the 'Scatter-loading' button and select the 'MT6575_android_scatter_emmc.duo.modaco.txt' file from the 'Scatter directory'.
  5. Next you need to tell the application which part you want to flash. Click the 'RECOVERY' line and select the 'recovery.superboot.duo.img' file from the 'Images' directory.
  6. That's it! Don't click any other options. Note that flashing is DANGEROUS, and you do so entirely at your own risk. If you're ready to go, press 'Download'. Do NOT click any other buttons!
  7. Now, with your device off, plug it back in via USB. You will first see a red bar, then a yellow progress bar, then a green success box as shown below.
  8. When the flash is complete, turn your device on with 'volume up' held. This will launch recovery. When the recovery screen loads, press the volume up key to show the menu and select the reboot option. Your device is now rooted!

Editing boot / recovery / logo images

The Gallant images are not a format we are used to, however scripts for unpacking and repacking have been created by bgcngm and are available to download on GitHub. I used these to create the SuperRecovery and they work great. :)

The download

All the files you need can be downloaded here!

  • r1 - DOWNLOAD (ROMraid) - MD5: 9c604f9cb7f800ca1145635d92afd087

Any questions

Any questions or feedback on the above? Post below! :)

2

Share this post


Link to post
Share on other sites

Posted

Worked a treat! Thanks Paul!!

0

Share this post


Link to post
Share on other sites

Posted (edited)

Great job !

Just 2 questions : recovery.stock.insecure.duo is the version for unroot ?

Thanks

Regards

Edited by jaarvin
0

Share this post


Link to post
Share on other sites

Posted (edited)

Thanks!

i've removed these apps:

AcerDLNA2.apk

AcerNidus.apk

AcerRegistration2.apk

BarcodeScanner41.apk

BlackList.apk

Chrome.apk

ClockWidget.apk

Default_ICS.apk

DigitalClockWidget2.apk

Fashion.apk

FBAndroidpreload.apk

Gmail.apk

HoloSpiralWallpaper.apk

HoloSpiralWallpaper.odex

Lady.apk

Launcher2.apk

Launcher2.odex

LiveWallpapers.apk

LiveWallpapers.odex

MagicSmokeWallpapers.apk

MagicSmokeWallpapers.odex

Maps_alldpi.apk

MtkWeatherProvider.apk

MtkWeatherSetting.apk

MtkWeatherSetting.odex

MtkWeatherWidget.apk

MtkWorldClockWidget.apk

MtkWorldClockWidget.odex

Music2.apk

NoiseField.apk

NoiseField.odex

PhaseBeam.apk

PhaseBeam.odex

PlusOne.apk

PolarisViewer4.apk

Science.apk

Sport.apk

Swype.apk

TagGoogle.apk

talkback.apk

Videos.apk

WeatherWidget2.apk

WSBoxNet.apk

WSDropbox.apk

Youtube.apk

device work like a charm!

Edited by sbavi
0

Share this post


Link to post
Share on other sites

Posted

Thanks Paul, Worked without any problems.

Next step a JB based Custom Rom :-)

0

Share this post


Link to post
Share on other sites

Posted

Thank you it was successful without any problem.

0

Share this post


Link to post
Share on other sites

Posted (edited)

post removed

Edited by jaarvin
0

Share this post


Link to post
Share on other sites

Posted

Root procedure succesfully completed! Thanks Paul!

0

Share this post


Link to post
Share on other sites

Posted

Ok, works great but for a newbie like me maybe you should modify the point 8 like this :

When the flash is complete, DISCONNECT THE USB CABLE, REINSTALL THE BATTERY AND turn your device on with 'volume up' held. This will launch recovery. When the recovery screen loads, press the volume up key to show the menu and select the reboot option WITH THE POWER BUTTON. Your device is now rooted!

For an expert like you maybe these steps are obvious...not for all! :)

Thank you!

1

Share this post


Link to post
Share on other sites

Posted

Hi Paul

ok, this is my girlfriend's phone, so no messing around here ;o)

I tried rooting the phone by following your tutorial but it did not work; let me detail the steps I went through:

I did not remove the battery and go through the driver installation as windows update already installed the right driver for the phone when I first plug it to my W7 64 bits laptop - do I still need to install your driver (remove battery + plug it while device manager up and running + point to provided driver)?

Also, you do not say whether the phone needs to be in USB debugging mode, does it need to?

So I started The flash tool, pointed to the scatter file, loaded the recovery image,

pressed the download button (bar on 0%), plugged in the phone while it's switched off but then nothing happened, the bar remain at 0%

do you know what went wrong?

Thanks

ben

0

Share this post


Link to post
Share on other sites

Posted (edited)

People are starting to root all over the web and then wining that the delete the wrong file and that they would like someone to send them one of there phone. Am I wrong here or average users should not root there phone until there are some proper backups made by devs or some custom roms easily flashable?

Edited by ayziaa
0

Share this post


Link to post
Share on other sites

Posted

Hi Paul thanks a lot for the root procedure!!!

0

Share this post


Link to post
Share on other sites

Posted

is there a way to unroot?

0

Share this post


Link to post
Share on other sites

Posted

People are starting to root all over the web and then wining that the delete the wrong file and that they would like someone to send them one of there phone. Am I wrong here or average users should not root there phone until there are some proper backups made by devs or some custom roms easily flashable?

think you should only do rooting if you understand what could happen if it goes wrong

0

Share this post


Link to post
Share on other sites

Posted

Thanks for all these constructive comments, that really helped indeed!

i'm am very familiar with rooting samsung as they are more run of the mill but here we are talking about a brand new phone that's just out.

Man, we all know flashing is sensitive (dangerous -> brick) so I don't think there is anything wrong with asking questions to someone who's more experienced and has done it at least one, otherwise there is even no point to all this community /board thing...

my 2 pence...

0

Share this post


Link to post
Share on other sites

Posted

How about battery life after rooting?

0

Share this post


Link to post
Share on other sites

Posted (edited)

Thanks for all these constructive comments, that really helped indeed!

i'm am very familiar with rooting samsung as they are more run of the mill but here we are talking about a brand new phone that's just out.

Man, we all know flashing is sensitive (dangerous -> brick) so I don't think there is anything wrong with asking questions to someone who's more experienced and has done it at least one, otherwise there is even no point to all this community /board thing...

my 2 pence...

Really don't know what to respond... I guess you do whatever you want. I was just asking a question.

Edited by ayziaa
0

Share this post


Link to post
Share on other sites

Posted

hi all, is it possible the unroot? The auto update fo gallant doesn't try to check the server because rooted. I didn't uninstalled any app for now.

Thank you

0

Share this post


Link to post
Share on other sites

Posted (edited)

hi all, is it possible the unroot? The auto update fo gallant doesn't try to check the server because rooted. I didn't uninstalled any app for now.

Thank you

Just go in your Superuser application and temporary suspend rooting !

Edited by jaarvin
0

Share this post


Link to post
Share on other sites

Posted (edited)

I would probably give a full backup a try before doing anything - using Paul's scatter file in his downloads section I'll probably try this when I get time:

http://bm-smartphone-reviews.blogspot.co.uk/2012/04/creating-rom-dump-of-your-mt65x3-device.html

You should be able to make a backup of everything - boot.img recovery.img etc and be able to flash everything back.

I have another Mediatek device I'm playing with and if anyone has any tips on creating a scatter file for mediatek devices any advice is welcome!

Edited by adrenalize_
0

Share this post


Link to post
Share on other sites

Posted (edited)

Thanks !

I am starting to play with your extracts but before flashing it would like to check it and I could not unyaffs your system.img (I tried unyaffs & unyaffs2 I compiled on Mac and windows CYGWIN version)

[EDIT] I also try with a LInux VM and I got same s.t strange :

I compile my tools (latest unyaffs2) but still not possible to extract system.img with these tools (I can do so with other android system.img) ?!

I got : "image size (484419928)is NOT a multiple of (2048 + 64)" and my target directory is empty.

On the other hand I can convert this img to raw (with simg2img) and mount it like a charm with appropriate mount command.

I suppose I did something wrong with my unyaffs and (unyaffs2) .. any idea or recommendation ? specifics options ?

Regards

Regards

Edited by jaarvin
0

Share this post


Link to post
Share on other sites

Posted

Just go in your Superuser application and temporary suspend rooting !

that should then give you back the ability to OTA updates then am I right?

*Paul also says this root method should affect the OTA reading the dialog on the OP,

0

Share this post


Link to post
Share on other sites

Posted

that should then give you back the ability to OTA updates then am I right?

*Paul also says this root method should affect the OTA reading the dialog on the OP,

Yes that's it !

Open SuperSU app / Go parameters / uncheck SU activated

That works for me !

0

Share this post


Link to post
Share on other sites

Create an account or sign in to comment

You need to be a member in order to leave a comment

Create an account

Sign up for a new account in our community. It's easy!


Register a new account

Sign in

Already have an account? Sign in here.


Sign In Now

MoDaCo is part of the MoDaCo.network, © Paul O'Brien 2002-2015. MoDaCo uses IntelliTxt technology.