Acer Gallant Duo root / hacking tools

[Guest ginco]

Yes that's it !

Open SuperSU app / Go parameters / uncheck SU activated

That works for me !

Thank you, works me too, now!

Edited September 23, 2012 by ginco

[Guest MrVegaBiggs]

Hi everyone ! One question :

Is it the only way to be able to install apps on the SD card (the REAL one) ?

Because rooting my device is not something that please me well... and it seems complecated, besides i'm lazy. :unsure:

[Guest FrankieADZ]

Hi everyone ! One question :

Is it the only way to be able to install apps on the SD card (the REAL one) ?

Because rooting my device is not something that please me well... and it seems complecated, besides i'm lazy.

i thought you was able to do that via the apps bit in the settings...thats the official 1, tho some apps cant be moved via the official way

that official way doesnt require rooting your device

[Guest vache]

Thanks !

I am starting to play with your extracts but before flashing it would like to check it and I could not unyaffs your system.img (I tried unyaffs & unyaffs2 I compiled on Mac and windows CYGWIN version)

[EDIT] I also try with a LInux VM and I got same s.t strange :

I compile my tools (latest unyaffs2) but still not possible to extract system.img with these tools (I can do so with other android system.img) ?!

I got : "image size (484419928)is NOT a multiple of (2048 + 64)" and my target directory is empty.

On the other hand I can convert this img to raw (with simg2img) and mount it like a charm with appropriate mount command.

I suppose I did something wrong with my unyaffs and (unyaffs2) .. any idea or recommendation ? specifics options ?

Regards

Regards

You may try to change some values in unyaffs.c before compiling:

#define CHUNK_SIZE 2048 to 4096

#define SPARE_SIZE 64 to 128

[Guest jaarvin]

You may try to change some values in unyaffs.c before compiling:

#define CHUNK_SIZE 2048 to 4096

#define SPARE_SIZE 64 to 128

Thanks,

With my unyaffs version, CHUNK and SPARE could be passed as arguments but I only try a complete set for chunk size, I did not for spare ! I'll try !

Regards

[Guest vache]

Thanks,

With my unyaffs version, CHUNK and SPARE could be passed as arguments but I only try a complete set for chunk size, I did not for spare ! I'll try !

Regards

Could you share your source ?

May be usefull.

[Guest frakie]

Ok, I did it, and everything went ok, but...

After rooting the phone I followed these instructions http://www.aaviah.com/2012/03/ics-hide-soft-key-buttons-for-amazing.html to hide the soft buttons, and while replacing the framework-res.apk something went wrong, the phone rebooted exactly in that moment :o ..

And now it gets stuck at the green "acer" sign at boot time :( ...

What can I do now to make it start again?

[Guest MrVegaBiggs]

FrankieADZ : no, not possible. The phone think that its 2Go memory allocated to personal files and apps are an SD card ("sdcard"). The real SD card, 8 Go in my case is recognized as "sdcard2". The settings let me mobe application files on "USB memory" or "phone". In both cas it's not on the real SD card.

It seems that ONLY some applications can help to do that but they need a rooted device... I just hate that stupid partitioning

[Guest jaarvin]

Could you share your source ?

May be usefull.

Pas de problème :-)

I just search with google :

Here are the links i found :

http://code.google.com/p/yaffs2utils/

http://code.google.c...unk/simg2img.py

http://www.bernhard-...ts/unyaffs.html

http://andwise.net/?p=403

http://android-dls.c...ack_Boot_Images

http://muzso.hu/?page=1

unyaffs and sym2img can be used with system.img

boot.img differ

All theses sources could be compiled under linux and mac (I think that even with cygwin a windows plateform remains very limited)

There is also an unyaffs binary available here (same dir that .img) :

ftp://94.23.233.147/Smartphones/Liquid%20Gallant/

I tried different values for CHUNK and SPARE without success (any way it seems that SPARE should be CHUNK / 32)

Regards

Edited September 25, 2012 by jaarvin

[Guest PaulOBrien]

I would probably give a full backup a try before doing anything - using Paul's scatter file in his downloads section I'll probably try this when I get time:

http://bm-smartphone-reviews.blogspot.co.uk/2012/04/creating-rom-dump-of-your-mt65x3-device.html

You should be able to make a backup of everything - boot.img recovery.img etc and be able to flash everything back.

I have another Mediatek device I'm playing with and if anyone has any tips on creating a scatter file for mediatek devices any advice is welcome!

I'll post a guide when I get a minute. :)

P

[Guest iMonz]

Can we install a custom recovery like 4Ext or similar? Is it possible right now? After root, of course.

Is there any custom rom on the way out? I don't wanna know when, but only if it is on the way....take your time and thanks for your work!

[Guest jaarvin]

I would probably give a full backup a try before doing anything - using Paul's scatter file in his downloads section I'll probably try this when I get time:

http://bm-smartphone...5x3-device.html

You should be able to make a backup of everything - boot.img recovery.img etc and be able to flash everything back.

I have another Mediatek device I'm playing with and if anyone has any tips on creating a scatter file for mediatek devices any advice is welcome!

[EDIT]

Tried ! but /proc/mtd is empty !

I also found one of your post about G500 and the Gallant also use /proc/emmc instead as below :

partno: start_sect nr_sects partition_name

emmc_p1: 00000020 00000002 "ebr1"

emmc_p2: 0010f720 00100000 "cache"

emmc_p3: 0020ff20 00200000 "usrdata"

emmc_p4: 00410720 003328e0 "fat"

emmc_p5: 00009f00 00002800 "sec_ro"

emmc_p6: 0000ef20 00100000 "android"

The Mediatek engineers mode also works for this phone

Edited September 26, 2012 by jaarvin

[Guest jaarvin]

Found this same website than adrenalize_ post :

http://bm-smartphone...g-tutorial.html

dedicated to MT6575

A 4share link point to a repository with different tools for each 65xx chipset

Edited September 26, 2012 by jaarvin

[Guest frakie]

Hi Vache,

I tried your BETA rom, but the flash tool crashed loading the DSP_BL module (S_DL_PC_BL_INVALID_GFH_FILE_INFO (5066)).

Hints?

[Guest carlettob72]

I'll post a guide when I get a minute.

P

Hi Paul,

any news about this guide.... B)

I want to do a full backup before rooting....I'm a beginner and I don't want to mess something without a way to roll back...

Bye

[Guest qeifupa]

Hi Paul,

thank you very much for your amazing work. I'm waiting your complete procedure to root the Acer Duo. Do you have an idea of the time required to prepare it?

BR,

F.

[Guest qeifupa]

Rooted following the information in the first page.... GREAT!

[Guest GPulse]

Hi Folks!

As you know I recently got my hands on an Acer Gallant Duo, which i've duly rooted... this post contains my root solution and the various tools i've accrued along the way.

First things first - as well as rooting using my method, the root exploit found by Bin4ryDigit also works at the time of writing.

With that said... here's my findings!

The MTK6765 chipset

The Gallant Duo (and Solo) use the MTK6575 chipset, which is also widely used in 'Chinese devices', meaning that a lot of hacking tools are already out there. The most useful one is the official MTK flashing tool. This is only available on Windows, but allows both the backing up and flashing of images directly from the device bootloader!

In order to facilitate this, a file called a 'scatter file' is used. This is basically a text file containing addresses for the various partitions on the flash, so that the tool knows where to write them. The Gallant devices don't use any of the existing MTK6575 scatter files out there, so i've created one for the device which is included in the download below. With this, we can flash custom ROMs, recoveries, boot images, logo binaries etc. with no problem. And create backups before we do.

Possible root attack vectors

Aside from Bin4ryDigit's root method and the one I am using (flashing a SuperRecovery using the MTK tool), there are a couple of other potential 'ways in', but they are best kept under wraps for the time being. Interestingly, the stock recovery on the Gallant devices has backup and restore options, which back up the data partition to a single file on the SD card. This is useful (not just for obvious reasons), but also because this allowed me to poke around the data partition of the device even before I had root. For reference, the backup files are gzipped tar images with a 512 byte signature on the front. If you cut the first 512 bytes off, you can extract it with no issues.

SuperRecovery

For the initial root for the Gallant, I wanted to create a solution which gave root without compromising the ability to provide over the air updates in the future. With this in mind I'm overwriting only the stock recovery, but i'm overwriting it with a version which is still fully compatible with the original. It is the stock recovery but with ADB access and a script that runs on startup to root the device. We will likely have a clockworkmod recovery very soon for users that want to play around with the device more (custom ROMs and the like).

To install, you need to use the MTK flasher and my scatter file to install the custom recovery. After installation, launching the recovery just once will root the device.

Using SuperRecovery - step by step

Follow this simple guide to using SuperRecovery and rooting your device (Windows PC required!)

1. Download the tools pack linked below and extract to a directory on your PC.
   
2. Take the back off your device and pull the battery. Run device manager on your PC. Plug the device into your PC via the USB cable and you will see an 'unknown device' briefly appear in Device Manager. Right click this device and select 'update driver', specifying the location where you just extracted the tools zip (specifically, the driver folder for your chosen OS).
   
3. With the driver installed, you're ready to run the flashing tool. From the 'Flash Tool' directory run 'Flash_tool.exe'. Unplug your device at this point.
   
4. The 'Download Agent' field is automatically populated. You need to click the 'Scatter-loading' button and select the 'MT6575_android_scatter_emmc.duo.modaco.txt' file from the 'Scatter directory'.
   
5. Next you need to tell the application which part you want to flash. Click the 'RECOVERY' line and select the 'recovery.superboot.duo.img' file from the 'Images' directory.
   
6. That's it! Don't click any other options. Note that flashing is DANGEROUS, and you do so entirely at your own risk. If you're ready to go, press 'Download'. Do NOT click any other buttons!
   
7. Now, with your device off, plug it back in via USB. You will first see a red bar, then a yellow progress bar, then a green success box as shown below.
   
8. When the flash is complete, turn your device on with 'volume up' held. This will launch recovery. When the recovery screen loads, press the volume up key to show the menu and select the reboot option. Your device is now rooted!
   

click the images to enlarge

[lightbox ]http://content.modac.../duoflash1.png][/lightbox]

[lightbox ]http://content.modac.../duoflash2.png][/lightbox]

[lightbox ]http://content.modac.../duoflash3.png][/lightbox]

[lightbox ]http://content.modac.../duoflash4.png][/lightbox]

[lightbox ]http://content.modac.../duoflash5.png][/lightbox]

Editing boot / recovery / logo images

The Gallant images are not a format we are used to, however scripts for unpacking and repacking have been created by bgcngm and are available to download on GitHub. I used these to create the SuperRecovery and they work great.

The download

All the files you need can be downloaded here!

• r1 - DOWNLOAD (ROMraid) - MD5: 9c604f9cb7f800ca1145635d92afd087
  

Any questions

Any questions or feedback on the above? Post below!

Have followed your instructions faithfully up to step 6 where I press the 'download' button but I get a warning that 'Not all images have been loaded properly etc, and whether I want to continue' and therefore I have been reluctant to proceed and plug in the E350. Is that a normal message that I shouldn't worry about or not? Thanks

[Guest GPulse]

Hi Folks!

As you know I recently got my hands on an Acer Gallant Duo, which i've duly rooted... this post contains my root solution and the various tools i've accrued along the way.

First things first - as well as rooting using my method, the root exploit found by Bin4ryDigit also works at the time of writing.

With that said... here's my findings!

The MTK6765 chipset

The Gallant Duo (and Solo) use the MTK6575 chipset, which is also widely used in 'Chinese devices', meaning that a lot of hacking tools are already out there. The most useful one is the official MTK flashing tool. This is only available on Windows, but allows both the backing up and flashing of images directly from the device bootloader!

In order to facilitate this, a file called a 'scatter file' is used. This is basically a text file containing addresses for the various partitions on the flash, so that the tool knows where to write them. The Gallant devices don't use any of the existing MTK6575 scatter files out there, so i've created one for the device which is included in the download below. With this, we can flash custom ROMs, recoveries, boot images, logo binaries etc. with no problem. And create backups before we do.

Possible root attack vectors

Aside from Bin4ryDigit's root method and the one I am using (flashing a SuperRecovery using the MTK tool), there are a couple of other potential 'ways in', but they are best kept under wraps for the time being. Interestingly, the stock recovery on the Gallant devices has backup and restore options, which back up the data partition to a single file on the SD card. This is useful (not just for obvious reasons), but also because this allowed me to poke around the data partition of the device even before I had root. For reference, the backup files are gzipped tar images with a 512 byte signature on the front. If you cut the first 512 bytes off, you can extract it with no issues.

SuperRecovery

For the initial root for the Gallant, I wanted to create a solution which gave root without compromising the ability to provide over the air updates in the future. With this in mind I'm overwriting only the stock recovery, but i'm overwriting it with a version which is still fully compatible with the original. It is the stock recovery but with ADB access and a script that runs on startup to root the device. We will likely have a clockworkmod recovery very soon for users that want to play around with the device more (custom ROMs and the like).

To install, you need to use the MTK flasher and my scatter file to install the custom recovery. After installation, launching the recovery just once will root the device.

Using SuperRecovery - step by step

Follow this simple guide to using SuperRecovery and rooting your device (Windows PC required!)

1. Download the tools pack linked below and extract to a directory on your PC.
   
2. Take the back off your device and pull the battery. Run device manager on your PC. Plug the device into your PC via the USB cable and you will see an 'unknown device' briefly appear in Device Manager. Right click this device and select 'update driver', specifying the location where you just extracted the tools zip (specifically, the driver folder for your chosen OS).
   
3. With the driver installed, you're ready to run the flashing tool. From the 'Flash Tool' directory run 'Flash_tool.exe'. Unplug your device at this point.
   
4. The 'Download Agent' field is automatically populated. You need to click the 'Scatter-loading' button and select the 'MT6575_android_scatter_emmc.duo.modaco.txt' file from the 'Scatter directory'.
   
5. Next you need to tell the application which part you want to flash. Click the 'RECOVERY' line and select the 'recovery.superboot.duo.img' file from the 'Images' directory.
   
6. That's it! Don't click any other options. Note that flashing is DANGEROUS, and you do so entirely at your own risk. If you're ready to go, press 'Download'. Do NOT click any other buttons!
   
7. Now, with your device off, plug it back in via USB. You will first see a red bar, then a yellow progress bar, then a green success box as shown below.
   
8. When the flash is complete, turn your device on with 'volume up' held. This will launch recovery. When the recovery screen loads, press the volume up key to show the menu and select the reboot option. Your device is now rooted!
   

click the images to enlarge

[lightbox ]http://content.modac.../duoflash1.png][/lightbox]

[lightbox ]http://content.modac.../duoflash2.png][/lightbox]

[lightbox ]http://content.modac.../duoflash3.png][/lightbox]

[lightbox ]http://content.modac.../duoflash4.png][/lightbox]

[lightbox ]http://content.modac.../duoflash5.png][/lightbox]

Editing boot / recovery / logo images

The Gallant images are not a format we are used to, however scripts for unpacking and repacking have been created by bgcngm and are available to download on GitHub. I used these to create the SuperRecovery and they work great.

The download

All the files you need can be downloaded here!

• r1 - DOWNLOAD (ROMraid) - MD5: 9c604f9cb7f800ca1145635d92afd087
  

Any questions

Any questions or feedback on the above? Post below!

Apologies! Didn't have sufficiently close look at your screenshots where it actually shows that message. Done it successfully. Thanks

[Guest idcool]

Thanks!

i've removed these apps:

AcerDLNA2.apk

AcerNidus.apk

AcerRegistration2.apk

BarcodeScanner41.apk

BlackList.apk

Chrome.apk

ClockWidget.apk

Default_ICS.apk

DigitalClockWidget2.apk

Fashion.apk

FBAndroidpreload.apk

Gmail.apk

HoloSpiralWallpaper.apk

HoloSpiralWallpaper.odex

Lady.apk

Launcher2.apk

Launcher2.odex

LiveWallpapers.apk

LiveWallpapers.odex

MagicSmokeWallpapers.apk

MagicSmokeWallpapers.odex

Maps_alldpi.apk

MtkWeatherProvider.apk

MtkWeatherSetting.apk

MtkWeatherSetting.odex

MtkWeatherWidget.apk

MtkWorldClockWidget.apk

MtkWorldClockWidget.odex

Music2.apk

NoiseField.apk

NoiseField.odex

PhaseBeam.apk

PhaseBeam.odex

PlusOne.apk

PolarisViewer4.apk

Science.apk

Sport.apk

Swype.apk

TagGoogle.apk

talkback.apk

Videos.apk

WeatherWidget2.apk

WSBoxNet.apk

WSDropbox.apk

Youtube.apk

device work like a charm!

I have rooted my phone successfully and deleted some of the files listed above, now my phone wont load the home screen but I can get into settings and some system apps.

I think I deleted Launcher2.apk... woops.

I am fairly inexperienced with this but I think I can fix my phone by installing a Launcher2.apk from my pc to my phone using ADB. The only problem is I dont have drivers for USB debugging so I cant use ADB. Am I going down the right path to fix this? Thanks in advance.

EDIT: Got the ADB working now by installing the official drivers from the acer website, will post back about the Launcher problem.

Edited October 12, 2012 by idcool

[Guest idcool]

I have rooted my phone successfully and deleted some of the files listed above, now my phone wont load the home screen but I can get into settings and some system apps.

I think I deleted Launcher2.apk... woops.

I am fairly inexperienced with this but I think I can fix my phone by installing a Launcher2.apk from my pc to my phone using ADB. The only problem is I dont have drivers for USB debugging so I cant use ADB. Am I going down the right path to fix this? Thanks in advance.

EDIT: Got the ADB working now by installing the official drivers from the acer website, will post back about the Launcher problem.

I got it working now.

I tried ABD but couldnt get it to remount using "abd remount" , I would get remount failed: Operation not permitted.

Then I tried MobileGo software and even though it said the Launcher2.apk install failed I can now launch to the home screen. Thought I would leave this here for anyone else who accidently deletes the launcher.

[Guest sbavi]

to remove stock launcher need an alternative in system apps ;)

Go to settings-> Security and flag on unknown sources

From lockscreen (shutter) try to open directly browser, download and install:

http://dl.apktops.com/app/201209/Nova_Launcher_1_3_1.apk[/CODE]

[Guest Hoevi]

Thank you very much Paul. It's a great piece of work.

Actually I just struggeling a liitle bit with software download from Google Play, Internet access and some other things that require Internet connection. I'm not sure if it's related to the root hack or a problem with the Gallnet duo itself, because i never tested it before rooting.

Here's my problem.

As long as I'm connected to the Internet via WLAN everything it's fine, but it's not working with my phone account. Neither SIM1 nor SIM2.

Same SIM cards (both Vodafone) are working fine for Internet access in another dual SIM phone.

I tried a lot of things like reboot, set back to APN standard values, switch between 2G / 3G, switch of SIM cards and so on but had no success up to now.

The only messages that may help are:

- from my E-mail program, that of course also don't work without WLAN Internet access. When i try to download my mails the message says "java.net.Socket.Timeout exception"

- when I shutdown the phone I can see a message for 1 second the says "Limited access changed"

Except of the "Dual sim" menue, is there any option to limit the Internet access I may hvae not found up to now?

Has anyone else similar trouble and maybe is there any solution?

Thanks a lot in advance

Hoevi from Germany

[Guest cmachado0]

easy way to root just one click , check the link

http://forum.xda-developers.com/showthread.php?t=1899736

[Guest cmachado0]

hello

by mistake i uninstall the google search apk now i cant find any to work with the phone do you have the apk ?

thks

Thanks!

i've removed these apps:

device work like a charm!