
Acer Gallant Duo root / hacking tools


93 replies to this topic

#81
lucky76

Hi hapx

I see this

shell@android:/ # cat /proc/dumchar_info
Part_Name	Size	StartAddr	Type	MapTo
preloader	0x0000000000040000 0x0000000000000000 2 /dev/misc-sd
dsp_bl	 0x00000000005c0000 0x0000000000040000 2 /dev/misc-sd
mbr		 0x0000000000004000 0x0000000000000000 2 /dev/block/mmcblk0
ebr1		 0x000000000005c000 0x0000000000004000 2 /dev/block/mmcblk0p1
pmt		 0x0000000000400000 0x0000000000060000 2 /dev/block/mmcblk0
nvram		0x0000000000300000 0x0000000000460000 2 /dev/block/mmcblk0
seccfg	 0x0000000000020000 0x0000000000760000 2 /dev/block/mmcblk0
uboot		0x0000000000060000 0x0000000000780000 2 /dev/block/mmcblk0
bootimg	 0x0000000000600000 0x00000000007e0000 2 /dev/block/mmcblk0
recovery	 0x0000000000600000 0x0000000000de0000 2 /dev/block/mmcblk0
sec_ro	 0x0000000000600000 0x00000000013e0000 2 /dev/block/mmcblk0p5
misc		 0x0000000000060000 0x00000000019e0000 2 /dev/block/mmcblk0
logo		 0x0000000000300000 0x0000000001a40000 2 /dev/block/mmcblk0
expdb		0x00000000000a0000 0x0000000001d40000 2 /dev/block/mmcblk0
ebr2		 0x0000000000004000 0x0000000001de0000 2 /dev/block/mmcblk0
android	 0x0000000020100000 0x0000000001de4000 2 /dev/block/mmcblk0p6
cache		0x0000000020100000 0x0000000021ee4000 2 /dev/block/mmcblk0p2
usrdata	 0x0000000040100000 0x0000000041fe4000 2 /dev/block/mmcblk0p3
fat		 0x00000000662fc000 0x00000000820e4000 2 /dev/block/mmcblk0p4
bmtpool	 0x0000000000a00000 0x00000000ff9f0050 2 /dev/block/mmcblk0
Part_Name:Partition name you should open;
Size:size of partition
StartAddr:Start Address of partition;
Type:Type of partition(MTD=1,EMMC=2)
MapTo:actual device you operate

I think we have boot and recovery in /dev/block/mmcblk0

For backing up boot.img, in recovery.fstab I think we have:

/boot emmc /dev/block/mmcblk0 bs=4096 count=1536 skip=2016
/recovery emmc /dev/block/mmcblk0 bs=4096 count=1536 skip=3552


bs=block-size
count=number-of-blocks
skip=input-offset

bootimg:
Hexadecimal Value				 Decimal Value
0x0000000000600000 -----> 6291456 / 4096 = 1536 ---> count
0x00000000007e0000 -----> 8257536 / 4096 = 2016 ---> skip

dd if=/dev/block/mmcblk0 of=/sdcard/boot.img bs=4096 count=1536 skip=2016

Recovery:
Hexadecimal Value				 Decimal Value
0x0000000000600000 -----> 6291456 / 4096 = 1536 ---> count
0x0000000000de0000 -----> 14548992 / 4096 = 3552 ---> skip

dd if=/dev/block/mmcblk0 of=/sdcard/recovery.img bs=4096 count=1536 skip=3552






Bye

Edited by lucky76, 04 November 2012 - 10:34 PM.

  • 0
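
The offset arithmetic from the post above, as an added example that is not part of lucky76's post: a shell function that derives the dd count and skip from dumchar_info rows and refuses block sizes the offsets are not aligned to. The name dd_params and the rule of refusing rows mapped to a partition node (the post only derives whole-device offsets for rows mapped to /dev/block/mmcblk0) are assumptions of this example; the sample rows are copied from the dump above.

```shell
#!/bin/sh
# Added example: derive dd read parameters from /proc/dumchar_info rows.
# Sample rows copied from the dump in the post (Part_Name Size StartAddr Type MapTo).
DUMCHAR_SAMPLE='bootimg 0x0000000000600000 0x00000000007e0000 2 /dev/block/mmcblk0
recovery 0x0000000000600000 0x0000000000de0000 2 /dev/block/mmcblk0
sec_ro 0x0000000000600000 0x00000000013e0000 2 /dev/block/mmcblk0p5'

# dd_params TABLE PART BS
# Prints "count=<n> skip=<n>" for a raw read of PART from the whole-device
# node. Returns non-zero when the row is missing, is mapped to a partition
# node (assumption: only whole-device rows are handled), or when Size or
# StartAddr is not a multiple of BS, in which case dd would read the wrong range.
dd_params() {
    table=$1; part=$2; bs=$3
    [ "$bs" -gt 0 ] 2>/dev/null || { echo "bad block size: $bs" >&2; return 1; }
    row=$(printf '%s\n' "$table" |
          awk -v p="$part" '$1 == p { print $2, $3, $5; exit }')
    [ -n "$row" ] || { echo "no such partition: $part" >&2; return 1; }
    set -- $row                      # split into Size, StartAddr, MapTo
    size=$(($1)); start=$(($2)); dev=$3
    case $dev in
        *p[0-9]*) echo "$part maps to $dev, not the whole device" >&2
                  return 1 ;;
    esac
    if [ $((size % bs)) -ne 0 ] || [ $((start % bs)) -ne 0 ]; then
        echo "$part is not aligned to bs=$bs" >&2
        return 1
    fi
    echo "count=$((size / bs)) skip=$((start / bs))"
}

# Print the read commands for the two partitions discussed in the post.
for p in bootimg recovery; do
    echo "dd if=/dev/block/mmcblk0 of=/sdcard/$p.img bs=4096 $(dd_params "$DUMCHAR_SAMPLE" "$p" 4096)"
done
```

A block size of 1 MiB is refused for bootimg because 0x7e0000 is not a multiple of it, while 128 KiB (0x20000) divides both the size and the start address.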

#82
hapx

@lucky76

Wow, it looks like you have the knowledge and have made big progress.
I am trying to follow your discovery but I am confused.


From scatter file:
(name) (start address)
boot.img 0xde0000
recovery.img 0x13E0000 diff 0x13E0000 - 0xde0000 = 0x60000 = size of boot.img = 393,216 bytes
sec_ro 0x19E0000 diff 0x19E0000 - 0x13E0000 = 0x560000 = size of recovery.img = 5,636,096 bytes
boot.img and recovery.img have different size.

From your # cat /proc/dumchar_info
Part_Name Size StartAddr Type MapTo
boot 0x0000000000600000 0x00000000007e0000 2 /dev/block/mmcblk0
recovery 0x0000000000600000 0x0000000000de0000 2 /dev/block/mmcblk0
boot and recovery have the same size 0x600000?

What are the sizes (ls -l) of the boot.img and recovery.img obtained with the dd command? (1536 * 4096 bytes?).
dd if=/dev/block/mmcblk0 of=/sdcard/boot.img bs=4096 count=1536 skip=2016
dd if=/dev/block/mmcblk0 of=/sdcard/recovery.img bs=4096 count=1536 skip=3552

Are these 2 img files correct (obtained from mkyaffs2image)?
Do you have the tool to extract the image from mkyaffs2image ( yaffs2utils unyaffs2 unspare2 ?)
http://code.google.c...es/detail?id=22
then check that you can exploit the yaffs file system?

  • 0

#83
lucky76


@lucky76

Wow, it looks like you have the knowledge and have made big progress.
I am trying to follow your discovery but I am confused.


From scatter file:
(name) (start address)
boot.img 0xde0000
recovery.img 0x13E0000 diff 0x13E0000 (20.840.448) - 0xde0000 (14.548.992) = 0x60000 (600000)= size of boot.img = 393,216 bytes (6.291.456 bytes for me)
sec_ro 0x19E0000 diff 0x19E0000 (27.131.904 v.decimal for me) - 0x13E0000 (20.840.448) = 600000 (6.291.456) = size of recovery.img = 5,636,096 bytes (6.291.456 bytes for me)

Ok.... for me it is the same number of bytes, 6.291.456, for recovery and boot

0x13E0000 ---> decimal is 20.840.448
0xde0000 ---> decimal is 14.548.992
20.840.448 - 14.548.992 = 6.291.456 ---> 600000 hexadecimal ---> same as my dumchar_info

0x19E0000 ---> decimal is 27.131.904
0x13E0000 ---> decimal is 20.840.448
27.131.904 - 20.840.448 = 6.291.456 ---> 600000 hexadecimal ---> same as my dumchar_info



boot.img and recovery.img have different size.

From your # cat /proc/dumchar_info
Part_Name Size StartAddr Type MapTo
boot 0x0000000000600000 0x00000000007e0000 2 /dev/block/mmcblk0
recovery 0x0000000000600000 0x0000000000de0000 2 /dev/block/mmcblk0
boot and recovery have the same size 0x600000?

What are the sizes (ls -l) of the boot.img and recovery.img obtained with the dd command? (1536 * 4096 bytes?). ----> 1536 x 4096 = 6.291.456 decimal ----> hexadecimal 600000
dd if=/dev/block/mmcblk0 of=/sdcard/boot.img bs=4096 count=1536 skip=2016
dd if=/dev/block/mmcblk0 of=/sdcard/recovery.img bs=4096 count=1536 skip=3552

Are these 2 img files correct (obtained from mkyaffs2image)?
Do you have the tool to extract the image from mkyaffs2image ( yaffs2utils unyaffs2 unspare2 ?)
http://code.google.c...es/detail?id=22
then check that you can exploit the yaffs file system?



I see the scatter file is not the same as my dumchar_info .... <_< but to flash the recovery I use this scatter file.

I have tried it with Linux:
adb shell
su
dd if=/dev/block/mmcblk0 of=/sdcard/boot.img bs=4096 count=1536 skip=2016
Now I have a backup of boot.img on my internal sdcard, 6144.0 kb ----> 6291456 bytes

dd if=/dev/block/mmcblk0 of=/sdcard/recovery.img bs=4096 count=1536 skip=3552
Now I have a backup of recovery.img with the same size, 6144.0 kb ---> 6291456 bytes


To open these .img files I use the tools from the first post:


The Gallant images are not a format we are used to, however scripts for unpacking and repacking have been created by bgcngm and are available to download on GitHub. I used these to create the SuperRecovery and they work great. :) ----> "Paul"

I have unpacked the files with these tools from bgcngm and I have the original boot.img and my flashed TWRP recovery.img.


Because you have taken ----> sec_ro 0x19E0000 diff 0x19E0000 - 0x13E0000 = 0x560000 = size of recovery.img = 5,636,096 bytes ---> not correct

but sec_ro is in another block ----> mmcblk0p5 ?????

I have extracted boot and recovery from the same block mmcblk0 ..... is that correct?

I hope it is all clear, and if you have other questions I will try to answer. I'm happy to see other people getting into this.

Thank you.

Edited by lucky76, 05 November 2012 - 08:25 PM.

  • 0

#84
hapx

@lucky76

Thank you for your explanations. To summarize, does this mean that now you have a working CWM or equivalent, with capability to backup/restore boot, recovery, system, data, cache, .android_secure and internal SD? If yes, how to apply this new CWM? By a signed zip to apply from current recovery? Does this new CWM accept unsigned zip?

  • 0

#85
lucky76

I do not have a fully working CWM at this moment........



EDIT:

Clockworkmod 6.0.1.5 Lucky76 Beta 1


Download link: recovery image file only
md5 ---> 30022fcc55440c784bae7746f5a8f6fb


Link Download Pack R2 -----> Here
md5 ---> 4a055ab7ab0ff9d51647c77961886fbc


Pack R2 is Pack1 of PaulOBrien + my clockworkmod in Images.

Thanks to Paul for his pack.



To install, use the same guide in the first post of PaulOBrien........ with flash tool


Backup of Boot.img / Recovery.img / System / Data / Cache
Restore Idem

Wipe Ok

Mount USB microSD ok for Windows and Linux.

Please report bugs to me if you find any. I hope not ehehehe :P :D

Bye

Edited by lucky76, 10 November 2012 - 02:08 AM.

  • 0

#86
ozfunghi

Just ordered the Gallant Duo for €199 (incl. transportation) as a successor to my Liquid S100. I'll be testing it first, but maybe I'll root it and install a custom ROM.

Can we expect a stock upgrade to Jellybean? Or do we have to resort to custom ROMs for that? Are there many apps taking up lots of space, which can't be removed? And can these be removed just by rooting, or do I need to install a custom ROM to get rid of those? Or is installing superuser enough to get the job done?

Thanks! I'm very excited. I hope I get it in the mail tomorrow, but most likely I'll have to wait until Monday :(

  • 0
Not buying Acer devices anymore due to the Acer Gallant Duo.

#87
leopesto

How can I flash a recovery.img if I have root access but flash tool isn't working???

Should a reverse dump work?

I mean, should "dd of=/dev/block/mmcblk0 if=/sdcard/recovery.img bs=4096 count=1536 seek=3976" work? Is it safe?

Thanks in advance
Leo

  • 0

#88
ThePhi

Hi all!
Brilliant first post, very precise. Unfortunately I'd like to go further but I'm stuck at the first step.. If someone could help me... I've done a long search on that but apparently no one has the same problem as I do. :(

When I connect my phone (without the battery), I don't see an 'unknown device' in the Device Manager. I see something named "MT65xx Preloader" (very briefly, it keeps appearing and disappearing every second). I've tried to use the driver found on the Acer site but Windows says it's not proper ("can't install driver").

So I bet it's different from you guys with this MT65xx preloader-something which needs another driver maybe?

Thanks a lot for your help ;)
Windows 7 Ultimate. Dell mini 10

  • 0

#89
vendeur21

Thanks Paul, it WORKS!
I was looking on the internet for hours and days for a solution to root this mobile phone, but nothing was working. Today I found your topic and IT WORKS VERY WELL, THANKS VERY MUCH.
Concerning the Acer Gallant Duo itself, for video recording with sound it is by far the worst mobile on the market. I wonder how they put this bullshit on sale; I have an old cellular, 10 years old, and it works better for video sound recording than this Acer Gallant Duo.

  • 0

#90
vendeur21


Hi all!
Brilliant first post, very precise. Unfortunately I'd like to go further but I'm stuck at the first step.. If someone could help me... I've done a long search on that but apparently no one has the same problem as I do. :(

When I connect my phone (without the battery), I don't see an 'unknown device' in the Device Manager. I see something named "MT65xx Preloader" (very briefly, it keeps appearing and disappearing every second). I've tried to use the driver found on the Acer site but Windows says it's not proper ("can't install driver").

So I bet it's different from you guys with this MT65xx preloader-something which needs another driver maybe?

Thanks a lot for your help ;)
Windows 7 Ultimate. Dell mini 10


Don't worry dude, I met the same problem myself; in fact it is not a problem. When you see the device MT65xx Preloader, click on it quickly before it disappears and do the second step, choose the driver folder and IT WORKS.
You will have the same problem at step 7 when you plug in your device for the second time after you click download; if the download flash doesn't work the first time, make ... etc

  • 0

#91
siuxoes

Thank you for this guide. I have rooted my e350. But I have a problem when I try to install the recovery. I pull out the battery. I connect the device via USB to the PC. But the e350 vibrates every X seconds. In Windows the new device appears but it disappears every X seconds. I don't know what to do. Any idea?

Sorry for my English

  • 0

#92
Kataryno

Hello. First of all let me thank all users for this information sharing, very useful for newbies like me.

I have a Gallant Duo and the weather widget is overusing the CPU. I tested factory resets and even sent it in under warranty, but the problem is still there. The only solution is to root the phone and delete that weather widget.

I already connected the phone to the PC following the tutorial on the first page, but did not complete the root because first of all I wanted to do a full backup of the phone, in case something goes wrong.

How could I make that backup?

Thanks

  • 0

#93
d2p


Guys, I have a sort of bricked Gallant Duo with me, that I just can't root no matter what I try.

The phone seems to restore itself on every boot. Any preferences changed or any apps installed prior to reboot disappear.

When I use flash tool, everything goes fine, green light... but after reboot it's all the same. When I go into default recovery mode and do a wipe, everything goes fine, but it doesn't wipe anything!!

I can adb push, I can adb install stuff... but after a while the permissions change to read only on every directory, even /data/local/tmp. And of course, after reboot.. everything gone.

Is this a virus? Any help appreciated... I'm going nuts!


  • 0

#94
Sali86


Guys, I have a sort of bricked Gallant Duo with me, that I just can't root no matter what I try.

The phone seems to restore itself on every boot. Any preferences changed or any apps installed prior to reboot disappear.

When I use flash tool, everything goes fine, green light... but after reboot it's all the same. When I go into default recovery mode and do a wipe, everything goes fine, but it doesn't wipe anything!!

I can adb push, I can adb install stuff... but after a while the permissions change to read only on every directory, even /data/local/tmp. And of course, after reboot.. everything gone.

Is this a virus? Any help appreciated... I'm going nuts!

I have the same problem... I have tried everything but nothing works... HELP ME!! Thanks!!


  • 0



