doc:appunti:hardware:blackview_bv5300

Differences

This shows you the differences between two versions of the page.

doc:appunti:hardware:blackview_bv5300 [2023/08/29 07:30] – [Create and sign a custom vbmeta.img] niccolodoc:appunti:hardware:blackview_bv5300 [2024/06/03 16:25] (current) – [Rooting] niccolo
Line 1: Line 1:
 ====== Blackview BV5300 Android Phone (rooting) ====== ====== Blackview BV5300 Android Phone (rooting) ======
 +
 +I purchased this phone from Amazon in August 2023 for about **113 €**, to use as [[..:android:osmand_on_motorbike|GPS satellite navigation system on the motorbike]].
 +
 +{{.:bv5300:bv5300-back.jpg?direct&600|The Blackview BV5300}}
 +
 +^ Model            | Blackview BV5300  |
 +^ Size             | 161.5 x 77.6 x 15 mm, weight 280 g  |
 +^ RAM              | 4.0 Gb   |
 +^ CPU              | MediaTek Helio A22 (MT6761) - ARM Cortex-A53 2.0 GHz, 4 core  |
 +^ GPU              | PowerVR GE8300  |
 +^ Internal Memory  | 32 Gb    |
 +^ Screen           | 6.1 inches, 720 x 1560, brightness 500 cd/m² typical  |
 +^ Battery          | Non replaceable 6580 mA  |
 +^ Connector        | USB C    |
 +^ Android version  | 12       |
 +^ A/B (Seamless) System Updates  | No\\ No //boot_a// or //boot_b// partitions\\ ''fastboot getvar current-slot'' returned //GetVar Variable Not found//  |
 +^ Anti-Rollback Protection  | No\\ ''fastboot getvar anti'' returned //GetVar Variable Not found//  |
 +
 +{{.:bv5300:bv5300-front.jpg?direct&200|BV5300: Front view}}
 +{{.:bv5300:bv5300-bottom.jpg?direct&200|BV5300: Bottom}}
 +{{.:bv5300:bv5300-right.jpg?direct&200|BV5300: Rigth buttons}}
 +{{.:bv5300:bv5300-left.jpg?direct&200|BV5300: Left button}}
  
 ===== Getting the scatter file ===== ===== Getting the scatter file =====
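Review bot: In the added Anti-Rollback Protection row, "No" is inferred only from fastboot answering "GetVar Variable Not found", which shows that the bootloader does not expose that variable, not that rollback protection is absent; word it as "not reported by fastboot" unless there is other evidence (the A/B row does have some: no boot_a or boot_b partitions). Units in the same table need fixing: "4.0 Gb" and "32 Gb" read as gigabits where GB is meant, and the Battery row gives "6580 mA" where a capacity would be in mAh. The image caption "Rigth buttons" should be "Right buttons".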
Line 17: Line 39:
  
   * Using **SP_Flash_Tool_v5.2228_Linux**:   * Using **SP_Flash_Tool_v5.2228_Linux**:
-    * Run **flash_tool.sh** and click on **Readback**.+    * Run **flash_tool.sh**  
 +    * In the **Download** tab, **Scatter-loading File**: choose any scatter file you have on your hard disk (this step is required to unlock the Readback function below). 
 +    * Click on the **Readback** tab and delete all the partitions defined by the scatter file you loaded.
     * Add **two regions** to be read-back:     * Add **two regions** to be read-back:
       * Filename: **preloader.bin**       * Filename: **preloader.bin**
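Review bot: In the added Scatter-loading File step, "choose any scatter file you have on your hard disk" does not say whether the file has to be for the same platform as the phone (MT6761); state that, or name the file you used, because at this point of the section the reader does not yet have a BV5300 scatter file. The next added step could also say that deleting the listed partitions only clears the Readback list in the tool, so nobody reads "delete all the partitions" as an operation on the phone.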
Line 46: Line 70:
 ===== Rooting ===== ===== Rooting =====
  
-If your phone has the build number **BV5300_EEA_TE105_V1.0_20230705V11**, you can download the following archive containing the already patched **boot.img** and **vbmeta.img** images. Obviously you must trust me that the images don't contain malware or alike. If you don't trust me, you have to execute all the steps by yourself: **{{.:bv5300:bv5300_eea_te105_v1.0_20230705v11_magisk-26.1-boot.zip|BV5300_EEA_TE105_V1.0_20230705V11_magisk-26.1-boot.zip}}**.+If your phone has the build number **BV5300_EEA_TE105_V1.0_20230705V11**, you can download the following archive containing the already patched **boot.img** and **vbmeta.img** images. Obviously you must trust me that the images don't contain malware or alike: **{{.:bv5300:bv5300_eea_te105_v1.0_20230705v11_magisk-26.1-boot.zip|BV5300_EEA_TE105_V1.0_20230705V11_magisk-26.1-boot.zip}}**. Whith the files contained into that archive you can directly jump to the last step of this guide: [[#flash_the_bootimg_and_the_vbmetaimg_custom_images|Flash the boot.img and the vbmeta.img custom images]].
  
-Whith the files contained into that archive you can directly jump to the last step of this guide: [[#flash_the_bootimg_and_the_vbmetaimg_custom_images|Flash the boot.img and the vbmeta.img custom images]].+If you don't trust me, you have to execute all the steps by yourself.
  
 The standard rooting procedure (see [[https://topjohnwu.github.io/Magisk/install.html|installing Magisk]]) failed; **patching the boot image** and **flashing** it back into the phone worked as expected, but **flashing the vbmeta image** with the ''%%--disable-verity%%'' and ''%%--disable-verification%%'' options did not work: the bootloader still checks the signature of the images and because the boot image is tampered, the phone enters a **bootloop**. The bootloop occurs also if you disable //verity// and //verification// into the original vbmeta image, keeping the original boot image. The standard rooting procedure (see [[https://topjohnwu.github.io/Magisk/install.html|installing Magisk]]) failed; **patching the boot image** and **flashing** it back into the phone worked as expected, but **flashing the vbmeta image** with the ''%%--disable-verity%%'' and ''%%--disable-verification%%'' options did not work: the bootloader still checks the signature of the images and because the boot image is tampered, the phone enters a **bootloop**. The bootloop occurs also if you disable //verity// and //verification// into the original vbmeta image, keeping the original boot image.
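Review bot: The reworded download paragraph still asks the reader to trust a pre-patched boot.img and vbmeta.img with nothing to check them against; publish a SHA-256 of the archive next to the link, so a reader can at least confirm that the download is the file you uploaded. In the sentence moved up from the removed line, "Whith" should be "With" and "contained into" should be "contained in". The sentence "If you don't trust me, you have to execute all the steps by yourself" now stands alone as a paragraph and could say where those steps begin.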
Line 96: Line 120:
 From //Settings// => //System// => //Developer options// enable the **OEM unlocking**. Then you must execute the actual unlocking from the phone fastboot mode. From //Settings// => //System// => //Developer options// enable the **OEM unlocking**. Then you must execute the actual unlocking from the phone fastboot mode.
  
-**WARNING**: Unlocking the bootloader will cause a **factory reset** of the phone and the device enters the **Orange state**, i.e. the device at each bootstrap warns the user that it can't be trusted anymore because the boot code can be altered. The orange state cannot be reverted, it may be a problem if you want to have the phone serviced under warranty.+**WARNING**: Unlocking the bootloader will cause a **factory reset** of the phone and the device enters the **[[https://www.hovatek.com/blog/your-device-has-been-unlocked-and-cant-be-trusted-what-does-this-mean/|Orange state]]**, i.e. the device at each bootstrap warns the user that it can't be trusted anymore because the boot code can be altered. The orange state cannot be reverted, it may be a problem if you want to have the phone serviced under warranty.
  
 Attach the phone to the PC using the USB cable, tap **Allow** on the phone screen to permit the PC to control the phone via the **Android Debug Bridge**. Issue the following commands on the PC terminal: Attach the phone to the PC using the USB cable, tap **Allow** on the phone screen to permit the PC to control the phone via the **Android Debug Bridge**. Issue the following commands on the PC terminal:
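Review bot: The new Orange state link in the WARNING points to a third-party blog post; for a statement about what the bootloader does in that state, add a link to the AOSP Verified Boot documentation on device states, which is the primary source and less likely to disappear. In the same line, "The orange state cannot be reverted, it may be a problem" is a comma splice; split it into two sentences or write "which may be a problem".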
Line 123: Line 147:
 </code> </code>
  
-At bootstrap you will see the message about the Orange state and the phone does a factory reset. After the reset you need to **enable again the Developer options** and **USB debugging**.+At bootstrap you will see the message about the **Orange state** and the phone does a factory reset. After the reset you need to **enable again the Developer options** and **USB debugging**
 + 
 +**WARNING**: The Orange state cannot be reverted, you can try to re-flash the original images and re-lock the bootloader, but it is not guaranteed that the latter is possible.
  
 ==== Read the "boot" and "vbmeta" images from the phone ==== ==== Read the "boot" and "vbmeta" images from the phone ====
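Review bot: The added WARNING says "The Orange state cannot be reverted" and then, in the same sentence, that re-flashing the original images and re-locking the bootloader can be tried, which reads as a contradiction; say instead that reverting is not guaranteed, and merge this with the earlier WARNING before the unlock commands, which already states that the state cannot be reverted. The rewritten line above it lost its final period after "**USB debugging**".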
Line 197: Line 223:
 From **vbmeta.img** we need to **extract all the public keys of the partitions that were not altered** (i.e. all the partitions listed in it, except the **boot** one). Browsing the //vbmeta.img// file with an **hex editor** it is easy to spot each entry of the list; it is composed as follows: From **vbmeta.img** we need to **extract all the public keys of the partitions that were not altered** (i.e. all the partitions listed in it, except the **boot** one). Browsing the //vbmeta.img// file with an **hex editor** it is easy to spot each entry of the list; it is composed as follows:
  
 +  * An empty space made up of **64 zero bytes**.
   * The name of the partition, e.g. **vbmeta_system**.   * The name of the partition, e.g. **vbmeta_system**.
   * A token of four bytes:  **%%0x00 0x00 0x08 0x00%%** (this should be the default token for a 2048 bit key).   * A token of four bytes:  **%%0x00 0x00 0x08 0x00%%** (this should be the default token for a 2048 bit key).
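Review bot: The added first bullet ("An empty space made up of 64 zero bytes") and the token bullet describe the entry only by its appearance in a hex editor, and the token is hedged with "this should be"; the bytes 0x00 0x00 0x08 0x00 read as a big-endian 32-bit integer are 2048, so the bullet can state that the token is the key length in bits. Say explicitly whether the 64 zero bytes are part of the entry or a separator between entries, because a reader cutting keys out by offset needs to know where an entry starts. Since the keys are extracted by hand, suggest cross-checking the result against the output of avbtool info_image on the same vbmeta.img.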
doc/appunti/hardware/blackview_bv5300.1693294210.txt.gz · Last modified: 2023/08/29 07:30 by niccolo