As you know, I recently got my hands on an Acer Gallant Duo, which I've duly rooted... this post contains my root solution and the various tools I've accrued along the way.
First things first - as well as rooting using my method, the root exploit found by Bin4ryDigit also works at the time of writing.
With that said... here's my findings!
The MTK6575 chipset
The Gallant Duo (and Solo) use the MTK6575 chipset, which is also widely used in 'Chinese devices', meaning that a lot of hacking tools are already out there. The most useful one is the official MTK flashing tool. This is only available on Windows, but allows both the backing up and flashing of images directly from the device bootloader!
In order to facilitate this, a file called a 'scatter file' is used. This is basically a text file containing the start addresses of the various partitions on the flash, so that the tool knows where to write each image. The Gallant devices don't use any of the existing MTK6575 scatter files out there, so I've created one for the device which is included in the download below. With this, we can flash custom ROMs, recoveries, boot images, logo binaries etc. with no problem. And create backups before we do.
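Because the flash tool writes each image at whatever offset the scatter file names, a mis-ordered or duplicated entry means one partition overwriting another. The following Python is an added example, not the post's own tooling or any code from the MTK flash tool: it parses the classic MT65xx text scatter layout (partition name and hex start address on one line, followed by an empty brace block; this layout is an assumption here) and runs the checks a practitioner would want before pressing 'Download'. The partition names and addresses in the sample are constructed for illustration and are not the values from the Gallant scatter file in the tools pack.

```python
import re

# Constructed sample in the assumed MT65xx scatter layout. Names and
# addresses are illustrative only, not the Gallant Duo's real map.
SAMPLE_SCATTER = """\
PRELOADER 0x0
{
}
DSP_BL 0x40000
{
}
MBR 0x600000
{
}
BOOTIMG 0x1D00000
{
}
RECOVERY 0x2300000
{
}
ANDROID 0x4000000
{
}
"""

# One entry line: NAME <hex start address>
ENTRY_RE = re.compile(r"^\s*([A-Za-z0-9_]+)\s+(0x[0-9A-Fa-f]+)\s*$")


def parse_scatter(text):
    """Return a list of (partition_name, start_address) in file order."""
    entries = []
    for line in text.splitlines():
        m = ENTRY_RE.match(line)
        if m:
            entries.append((m.group(1), int(m.group(2), 16)))
    return entries


def check_scatter(entries):
    """Return a list of problems that would make a flash unsafe.

    Two things are checked: duplicate partition names, and start addresses
    that do not strictly increase (the tool writes sequentially at these
    offsets, so a lower address means the image lands inside an earlier
    partition).
    """
    problems = []
    seen = set()
    prev_addr = -1
    for name, addr in entries:
        if name in seen:
            problems.append("duplicate partition %s" % name)
        seen.add(name)
        if addr <= prev_addr:
            problems.append("%s at 0x%X does not follow the previous entry" % (name, addr))
        prev_addr = addr
    return problems


def partition_span(entries, name, flash_size):
    """(start, size) of a partition; size is the gap to the next entry.

    The classic layout carries no explicit sizes, so the last partition is
    assumed to run to flash_size.
    """
    for i, (n, addr) in enumerate(entries):
        if n == name:
            end = entries[i + 1][1] if i + 1 < len(entries) else flash_size
            return addr, end - addr
    raise KeyError("no partition named %s" % name)


def image_fits(entries, name, image_len, flash_size):
    """True if an image of image_len bytes fits in the named partition."""
    _, size = partition_span(entries, name, flash_size)
    return image_len <= size


if __name__ == "__main__":
    parts = parse_scatter(SAMPLE_SCATTER)
    print("problems:", check_scatter(parts))
    # a 6 MiB recovery image against the constructed map
    print("RECOVERY fits:", image_fits(parts, "RECOVERY", 6 * 1024 * 1024, 0x10000000))
```

Run `check_scatter` on the file you intend to use and refuse to flash if it returns anything; `image_fits` catches the separate mistake of picking an image larger than its slot.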
Possible root attack vectors
Aside from Bin4ryDigit's root method and the one I am using (flashing a SuperRecovery using the MTK tool), there are a couple of other potential 'ways in', but they are best kept under wraps for the time being. Interestingly, the stock recovery on the Gallant devices has backup and restore options, which back up the data partition to a single file on the SD card. This is useful not just for the obvious reasons, but also because it allowed me to poke around the data partition of the device even before I had root. For reference, the backup files are gzipped tar images with a 512-byte signature on the front. If you cut the first 512 bytes off, you can extract it with no issues.
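To show the backup layout concretely, here is an added Python example (not code from the post or from the stock recovery) that builds a constructed stand-in for one of these backup files, checks that a gzip stream really does start at offset 512 before doing anything with it, lists the contents in memory, and extracts them while refusing any entry that would land outside the target directory. The 512-byte signature block is just a fixed byte pattern here, and the member names are illustrative.

```python
import gzip
import io
import os
import tarfile
import tempfile

SIGNATURE_LEN = 512        # the stock recovery prepends a 512-byte signature
GZIP_MAGIC = b"\x1f\x8b"   # first two bytes of every gzip stream


def build_sample_backup():
    """Construct a stand-in for a stock-recovery backup file (constructed data).

    Layout follows the post: 512 bytes of signature, then a gzipped tar of the
    data partition. The signature here is a fixed byte pattern, not a real one.
    """
    tar_buf = io.BytesIO()
    with tarfile.open(fileobj=tar_buf, mode="w") as tar:
        for name, body in (("data/app/sample.apk", b"not a real apk"),
                           ("data/misc/wifi/wpa_supplicant.conf", b"network={}\n")):
            info = tarfile.TarInfo(name)
            info.size = len(body)
            tar.addfile(info, io.BytesIO(body))
    return bytes(range(256)) * 2 + gzip.compress(tar_buf.getvalue())


def split_backup(blob):
    """Return (signature, payload), verifying a gzip stream starts at offset 512."""
    if len(blob) <= SIGNATURE_LEN:
        raise ValueError("file is no longer than the signature block")
    signature, payload = blob[:SIGNATURE_LEN], blob[SIGNATURE_LEN:]
    if payload[:2] != GZIP_MAGIC:
        raise ValueError("no gzip header at offset %d; not a recovery backup?" % SIGNATURE_LEN)
    return signature, payload


def list_backup(blob):
    """Names of the files inside the backup, read in memory without extracting."""
    _, payload = split_backup(blob)
    with tarfile.open(fileobj=io.BytesIO(payload), mode="r:gz") as tar:
        return [m.name for m in tar.getmembers()]


def extract_backup(blob, dest):
    """Extract into dest, refusing any member whose path would escape dest.

    Returns the relative paths of the files present under dest afterwards.
    """
    _, payload = split_backup(blob)
    dest = os.path.realpath(dest)
    with tarfile.open(fileobj=io.BytesIO(payload), mode="r:gz") as tar:
        members = tar.getmembers()
        for m in members:
            target = os.path.realpath(os.path.join(dest, m.name))
            if os.path.commonpath([dest, target]) != dest:
                raise ValueError("refusing path outside destination: " + m.name)
        tar.extractall(dest, members=members)
    return sorted(os.path.relpath(os.path.join(root, f), dest).replace(os.sep, "/")
                  for root, _, files in os.walk(dest) for f in files)


def demo():
    """Round-trip the constructed sample through a temp dir; returns the file list."""
    blob = build_sample_backup()
    with tempfile.TemporaryDirectory() as tmp:
        return extract_backup(blob, tmp)


if __name__ == "__main__":
    print(list_backup(build_sample_backup()))
    print(demo())
```

On a real backup you would read the file from the SD card into `blob` and call `list_backup` first; the magic-byte check in `split_backup` is what tells you whether the 512-byte offset is right for the file in front of you.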
For the initial root for the Gallant, I wanted to create a solution which gave root without compromising the ability to provide over the air updates in the future. With this in mind I'm overwriting only the stock recovery, but I'm overwriting it with a version which is still fully compatible with the original. It is the stock recovery but with ADB access and a script that runs on startup to root the device. We will likely have a ClockworkMod recovery very soon for users that want to play around with the device more (custom ROMs and the like).
To install, you need to use the MTK flasher and my scatter file to install the custom recovery. After installation, launching the recovery just once will root the device.
Using SuperRecovery - step by step
Follow this simple guide to using SuperRecovery and rooting your device (Windows PC required!)
- Download the tools pack linked below and extract to a directory on your PC.
- Take the back off your device and pull the battery. Run device manager on your PC. Plug the device into your PC via the USB cable and you will see an 'unknown device' briefly appear in Device Manager. Right click this device and select 'update driver', specifying the location where you just extracted the tools zip (specifically, the driver folder for your chosen OS).
- With the driver installed, you're ready to run the flashing tool. From the 'Flash Tool' directory run 'Flash_tool.exe'. Unplug your device at this point.
- The 'Download Agent' field is automatically populated. You need to click the 'Scatter-loading' button and select the 'MT6575_android_scatter_emmc.duo.modaco.txt' file from the 'Scatter directory'.
- Next you need to tell the application which part you want to flash. Click the 'RECOVERY' line and select the 'recovery.superboot.duo.img' file from the 'Images' directory.
- That's it! Don't click any other options. Note that flashing is DANGEROUS, and you do so entirely at your own risk. If you're ready to go, press 'Download'. Do NOT click any other buttons!
- Now, with your device off, plug it back in via USB. You will first see a red bar, then a yellow progress bar, then a green success box as shown below.
- When the flash is complete, turn your device on with 'volume up' held. This will launch recovery. When the recovery screen loads, press the volume up key to show the menu and select the reboot option. Your device is now rooted!
Editing boot / recovery / logo images
The Gallant images are not in a format we are used to; however, scripts for unpacking and repacking them have been created by bgcngm and are available to download on GitHub. I used these to create the SuperRecovery and they work great.
All the files you need can be downloaded here!
- r1 - DOWNLOAD (ROMraid) - MD5: 9c604f9cb7f800ca1145635d92afd087
Any questions or feedback on the above? Post below!