User Tools

Site Tools


doc:appunti:hardware:blackview_bv5300_pro

Rooting the Blackview BV5300 Pro Android Phone

Model Blackview BV5300 Pro
Size 162.5 x 79.5 x 16.7 mm, 280 g
RAM 4.0 Gb
CPU MediaTek Helio P35 (MT6765) - ARM Cortex-A53, 8 Cores (4 x 2.35 GHz, 4 x 1.8 GHz)
GPU PowerVR GE8320
Internal Memory 64 Gb
Screen 6.1 inches, 720 x 1560, brightness 500 cd/m² typical
Battery Non removable 6580 mAh
Connector USB C
Android version 13
Build number BV5300_Pro_13_EEA_TE105_V1.0_20230927V03
A/B (Seamless) System Updates Yes
Partitions boot_a and boot_b do exist
fastboot getvar current-slot returned current-slot: a
Anti-Rollback Protection No
fastboot getvar anti returned GetVar Variable Not found

Notable features:

  • The phone is waterproof at least to heavy rain. I used it as a GPS navigation system mounted on a motorbike during a huge rain storm for about two hours, without any problem.
  • It can record phone calls. Enable the feature from SettingsAuxiliary functionCall recording.
  • Blue/red LED for notifications and charging.
  • The FM Radio is non functional because there is no 3.5 mm socket and it is not possible to connect the earphones cable.
  • Aggressive power saving kills background apps, i.e. apps are automatically cleaned from the recents. Widgets in several apps have trouble initializing themself after reboot; may stop working or may not update contents. Apps are automatically cleaned from the recents. Beside the settings available in Apps & notifications (permissions, pause app if unused, unrestricted battery, battery manager. etc.) there is a custom app called System Manager which may solve the issues; see Power saving in Blackview costomization of Android 12 and 13.
  • No system updates available: in September 2024 it is still stuck to Android 13, security update September 5, 2023.

Rooting the phone

The rooting method that actually worked is resumed here:

  1. On the smartphone enable the Developer options, USB debugging and OEM unlocking.
  2. Unlock the bootloader using the fastboot mode (does a factory reset!).
  3. After the factory reset, re-enable the Developer options and the USB debugging.
  4. Download (read-back) the boot.img and vbmeta.img images from the phone using SP Flash Tool.
  5. Install the Magisk v26.4 app into the phone and patch the stock boot.img file on the phone itself.
  6. On the PC, sign the patched boot image with an RSA public/private key.
  7. On the PC, create a custom vbmeta image where the the public key of the boot image is the one used in the previous step.
  8. Flash (write) the patched boot and custom vbmeta images on the phone using the fastboot mode.

Creating the scatter file

:!: NOTICE: If you don't want to follow the full procedure and you just need the scatter file, here it is the file that I produced: MT6765_Android_scatter-bv5300-pro.txt.

A Scatter File is a text file which is used to describe parts of flash memory in an Android device which is running on a MediaTek’s MTK chipeset. Usually, such files are needed at the time of flashing firmware using tools like the SP Flash Tool. The file is required also to backup the stock images from the Android device, (the Readback operation in SP Flash Tool).

Generally you find the scatter file for your specific device included into the firmware archive, but for the BV5300 Pro I did not find any official firmware to download, nor the simple scatter file. Using the following procedure I managed to create my MT6765_Android_scatter-bv5300-pro.txt (download below).

Tools required (GNU/Linux or Wine)

Get the preloader and the GPT table from the smartphone

To create the scatter file you need to exctract two memory regions from the smartphone flash: the preloader and the partition table. You can use the SP Flash Tool to read them directly from the phone:

  • Using SP_Flash_Tool_v5.2228_Linux:
    • Run flash_tool.sh
    • In the Download tab, Scatter-loading File: choose any scatter file for the MT6765 chip you have on your hard disk (this step is required to unlock the Readback function below).
    • Click on the Readback tab and delete all the partitions defined by the scatter file you loaded.
    • Add two regions to be read-back:
      • Filename: preloader.bin
        • Region: EMMC_BOOT1
        • Start Address: 0x0
        • Length: 0x100000 (1 Mb, but 256 kb should suffice)
      • Filename: pgpt.bin
        • Region: EMMC_USER
        • Start Address: 0x0
        • Length: 0x8000
    • Click on the Readback button.
    • Turn off the phone and connect it to the USB cable; the read-back should start automatically.

Create the scatter file using the WwR MTK v2.51 tool

The WwR MTK (Working with Rom MediaTek) program can create the scatter file by reading the partition table and the preloader image extracted in the previous step. The program is for the Windows operating system, but it runs also under the GNU/Linux Wine environment:

  • Using WwR MTK v2.51:
    • If you use GNU/Linux and Wine: install the wine32:i386 and wine64 packages, clean any Wine settings by removing the $HOME/.wine/ and $HOME/.wine64/ directories. Run winecfg and set Windows 7 emulation.
    • Unpack the program archive and enter the WwR_MTK_v2.51 directory. Execute wine WwR_MTK_2.51.exe (wait the 120 seconds pause or pay for the program).
    • Beside The file to be used, click Select file and open the pgpt.bin file. The Table of sections (Table chart of GPT) will be shown.
    • Right click on the Table of sections and select Create scatter file from the context menu (wait the pause).
    • The program requires to read the preloader image (the EMMC_BOOT1 region saved with SP Flash Tool); select the preloader.bin from the files.
    • When prompted Enter the platform (CPU type), reply with MT6765; the progam will propose to save the scatter file as MT6765_Android_scatter.txt (the program tries to launch the notepad editor to show the newly created scatter file).

:!: WARNING: The scatter file created above have the attribute is_download: false for several partitions, you need to edit the file for the partitions that you want to readback, defining is_download and file_name:

- partition_index: SYS30
  partition_name: vbmeta_system_a
  file_name: vbmeta_system_a.img
  is_download: true
  ...

Readback the stock partitions

Rooting the BV5300 Pro phone basically means overwriting (flashing) the boot and vbmeta partitions with patched versions. For backup purpose and to prepare the custom partitions, you must firstly read-back some of the stock partitions from the phone. You can use the SP Flash Tool program for this task, I used SP Flash Tool v5.2228 for Linux.

This phone uses the A/B (seamless) system updates feature, so you have actually two copies of each partitions: boot_a, boot_b, vbmeta_a and vbmeta_b. In my case the active slot was A, so I worked with boot_a and vbmeta_a partitions. Putting the device in fastboot mode you can check the current active slot with the command fastboot getvar current-slot.

WARNING: In my case the current slot was A and it turned out that the partitions *_b were empty (all zeroes).

Beware that if you want to receive operating system updates on-the-air (OTA updates for the stock software), you must re-flash the stock partitions, allow the update to install, and then re-do the rooting process.

Execute the SP Flash Tool on your GNU/Linux PC launching the flash_tool.sh script. You must have the permissions to access the /dev/ttyACM0 device, usually granted to the dialout group).

Into the program, load the scatter file of the Blackview BV5300 Pro using Scatter-loading file box.

Click the Readback tab: gathering the info from the the scatter file you must add the data to read the following partitions:

partition_name: boot_a
file_name boot_a.img
physical_start_addr 0x1C000000
partition_size 0x2000000
region EMMC_USER
partition_name: dtbo_a
file_name dtbo_a.img
physical_start_addr 0x22800000
partition_size 0x800000
region EMMC_USER
partition_name: vbmeta_a
file_name vbmeta_a.img
physical_start_addr 0x23500000
partition_size 0x800000
region EMMC_USER
partition_name: vbmeta_system_a
file_name vbmeta_system_a.img
physical_start_addr 0x23D00000
partition_size 0x800000
region EMMC_USER
partition_name: vbmeta_vendor_a
file_name vbmeta_vendor_a.img
physical_start_addr 0x24500000
partition_size 0xB00000
region EMMC_USER
partition_name: lk_a
file_name lk.img
physical_start_addr 0x1BF00000
partition_size 0x100000
region EMMC_USER

Once entered the data, click the Read Back button. Turn off the phone and connect the USB cable: the reading of the partitions should start automatically and the files will be saved.

Patching the partitions for root

The only two partitions that must be actually patched are boot_a and vbmeta_a.

Patching the boot partition means actually let the Magisk app add the required software to get root privileges (the su program, etc.). The partition, once patched, must be cryptographically signed with an RSA key.

Patching the vbmeta parition means actually re-create the whole partition replacing the entry about the boot parition with the new signing key.

Patch the boot_a.img with Magisk

To patch the stock boot image we use the Magisk app installed into the smartphone iteself. So we have to copy the Magisk-v26.4.apk file and the downloaded boot_a.img file to the smartphone (I used the adb push command). Install the Magisk apk.

Launch the Magisk app on the phone and select MagiskInstallSelect and Patch a File: point the program to the boot_a.img file that you uploaded into the phone storage. After a little of work you should obtain a modified boot image saved into a file like /sdcard/Download/magisk_patched-26400_AFhJf.img. The image should contain a modified ramdisk, which will provide the su command (superuser) when the Android system is running, but actually without modifying the system partition.

Download the patched boot image to your PC using the adb pull command.

Sign the patched boot_a.img

The Blackview BV5300 Pro is based on Android 13 and the Android Verified Boot process cannot be disabled. So the patched boot_a.img must be signed with an RSA public/private key and the public part must be included into the vbmeta_a.img partition.

Transfer the patched image magisk_patched-26400_AFhJf.img from the smartphone to the PC. Then you need the avbtool.py tool (it is a Python 3 script, so you must have Python 3 installed); with that script you can get some info from the original boot_a.img:

python3 avbtool.py info_image --image 'boot_a.img'

The output will reveal the Image size (33554432 bytes, which is exactly the size of the file) and that the public key algorithm is SHA256_RSA2048.

Then you need a 2048 bit RSA key; you can create your own, but it is common practice to use the one included into the Android SDK. Download the RSA key named testkey_rsa2048.pem.

With all this information, you can sign the file (actually add an hash footer inside the file). Beware that the file will be patched in-place, so make a backup copy before running the command:

cp 'magisk_patched-26400_AFhJf.img' 'magisk_patched-26400_AFhJf-signed.img'
 
python3 avbtool.py add_hash_footer \
    --image 'magisk_patched-26400_AFhJf-signed.img' \
    --partition_name 'boot' --partition_size '33554432' \
    --key 'testkey_rsa2048.pem' --algorithm 'SHA256_RSA2048'

Creating a vbmeta custom image

The vbmeta partition contains verification data (e.g. cryptographic digests) for verifying required Android images to boot. Generally, in modern Android devices, it is not possibile to disable the verification and the dm-verity (Device Mapper verity), so we have to sign the custom boot partition with a key and build a new vbmeta partition with all the correct data.

Using the avbtool.py script we can inspect the content of the stock vbmeta_a partition:

python3 avbtool.py info_image --image 'vbmeta_a.img'

This is the output:

Minimum libavb version:   1.0
Header Block:             256 bytes
Authentication Block:     320 bytes
Auxiliary Block:          2816 bytes
Public key (sha1):        cdbb77177f731920bbe0a0f94f84d9038ae0617d
Algorithm:                SHA256_RSA2048
Rollback Index:           0
Flags:                    0
Rollback Index Location:  0
Release String:           'avbtool 1.2.0'
Descriptors:
    Chain Partition descriptor:
      Partition Name:          boot
      Rollback Index Location: 3
      Public key (sha1):       9d808b0995768d0677fccb1efcddb7cf9e153d99
    Chain Partition descriptor:
      Partition Name:          vbmeta_system
      Rollback Index Location: 2
      Public key (sha1):       fa41159a5d696abdef93176a07d0b0d001263f01
    Chain Partition descriptor:
      Partition Name:          vbmeta_vendor
      Rollback Index Location: 4
      Public key (sha1):       9577bc6c0772975ecce93c4d8a178662c728dadf
    Prop: com.android.build.dtbo.fingerprint -> 'Blackview/BV5300_Pro_13_EEA/BV5300_Pro:12/SP1A.210812.016/1695812099:user/release-keys'
    Hash descriptor:
      Image Size:            65328 bytes
      Hash Algorithm:        sha256
      Partition Name:        dtbo
      Salt:                  004063897606313a609b19f2e9eefc5142de27213cb8d79c078f8f0d3146e66e
      Digest:                d77b2bf9160ff4132c2df0a90d24c77388cc524ecc51f3b35bc7d2dd4b17f08e
      Flags:                 0

The descriptors contained into the image are:

  • The chain partition descriptor of boot.
  • The chain partition descriptor of vbmeta_system.
  • The chain partition descriptor of vbmeta_vendor.
  • A prop descriptor.
  • The hash footer descriptor of the dtbo partition.

We have to re-generate the chain partition descriptor for the boot image, because we modified the image and signed it with a different key. The descriptors for the vbmeta_system and vbmeta_vendor partitions must remain unaltered. The prop and the hash footer descriptors are contained into the dtbo image and must be read back from it.

Keep note also of the Rollback Index Location for each partition, we need them when creating the custom vbmeta.

Using an hex viewer over the vbmeta_a.img file, we discovered the starting offset of each key (the byte just after the name), using dd it is possibile to extract them. They are 520 bytes long:

dd if='vbmeta_a.img' of='key_boot.bin'           bs=1 skip='672'  count='520'
dd if='vbmeta_a.img' of='key_vbmeta_system.bin'  bs=1 skip='1297' count='520'
dd if='vbmeta_a.img' of='key_vbmeta_vendor.bin'  bs=1 skip='1929' count='520'

With the following command we extract the public part of the RSA key we used to sign the boot image. The public key will be inserted into the vbmeta image:

python3 avbtool.py extract_public_key \
    --key 'testkey_rsa2048.pem' \
    --output 'testkey_rsa2048_pub.bin'

The final command to assemble the custom vbmeta image is the following. Notice that we specified the rollback index for each partition and the size of the whole stock vbmeta file:

python3 avbtool.py make_vbmeta_image \
    --key 'testkey_rsa2048.pem' --algorithm 'SHA256_RSA2048' --flag 0 \
    --chain_partition boot:3:'testkey_rsa2048_pub.bin' \
    --chain_partition vbmeta_system:2:'key_vbmeta_system.bin' \
    --chain_partition vbmeta_vendor:4:'key_vbmeta_vendor.bin' \
    --include_descriptors_from_image 'dtbo_a.img' \
    --padding_size '8388608' --output 'vbmeta-custom-signed.img'

Flashing the custom partitions

Once you have the boot partition image with root enabled and the vbmeta partition image with the updated signing data, you can flash the images into the smartphone and gain root privileges. Boot the phone in normal system, attach the USB cable to the PC and execute the following on the PC:

adb reboot bootloader

The phone will reboot into the => FASTBOOT mode... prompt.

fastboot flash boot 'magisk_patched-26400_AFhJf-signed.img'
fastboot flash vbmeta 'vbmeta-custom-signed.img'
fastboot reboot

The full output will be:

$ fastboot flash boot 'magisk_patched-26400_AFhJf-signed.img'
Sending 'boot_a' (32768 KB)                        OKAY [  1.033s]
Writing 'boot_a'                                   OKAY [  0.435s]
Finished. Total time: 1.470s
$ fastboot flash vbmeta 'vbmeta-custom-signed.img'
Sending 'vbmeta_a' (8192 KB)                       OKAY [  0.265s]
Writing 'vbmeta_a'                                 OKAY [  0.106s]
Finished. Total time: 0.373s
$ fastboot reboot
Rebooting                                          OKAY [  0.000s]
Finished. Total time: 0.101s

FIXME: check root and manage permissions.

MagiskHide vs Zygisk

Magisk v26.4: Zygisk feature Older versions of Magisk had the MagiskHide feature, i.e. the ability to hide the rooted status of the phone to selected apps. This is because some apps, like home banking, OTP managers, etc. refuse to operate or show warnings if they find that the device was tampered; the hide function allows these apps to run flawlessy. The MagiskHide feature is available e.g. in Magisk v23.0, but it does not exist in Magisk 26.x. It was speculated that the author John Wu removed the MagiskHide feature because he started to work for Android security team in 2021.

The reality is that Magisk 26.4 has the Zygisk feature, which you can enable in the Magisk Settings menu. If you enable this feature, some parts of Magisk runs at an higher level of privilege into the zygote daemon (i.e. the process which is responsible of launching Android applications). If you enable this, you can enable the Enforce DenyList option and configure the DenyList, selecting which applications cannot see the rooting status of the device.

Generally it is mandatory to run the same version of the Magisk app as the one used to patch the boot image, i.e. you cannot patch the boot image with Magisk v26.x to get root, and then run the Magisk v23.x app to manage the root permissions and the hide function.

The Recovery Menu

  • Power off the phone
  • Press Power + Volume UP keys and keep them pressed untill the Blackview logo appears.

The phone should enter the Android Recovery menu:

Android Recovery
Blackview/BV5300_Pro_13_EEA/BV5300_Pro
12/SP1A.210812.016/1695812099
user/release-keys
Use volume up/down and power.
--------------------------------------
Reboot system now
Reboot to bootloader
Enter fastboot
Apply update from ADB
Apply update from SD card
Wipe data/factory reset
Mount /system
View recovery logs
Run graphics test
Run locale test
Power off
--------------------------------------

The Fastboot Menu

It is possibile to reboot the phone into fastboot mode from normal system, just connect a PC via the USB cable and issue the command on the PC (must have enabled the USB debugging option):

adb reboot bootloader

Alternatively you can reach fastboot mode operating the phone buttons only:

  1. Power off the phone
  2. Press Power + Volume UP keys and keep them pressed untill the Blackview logo appears.
  3. The Android Recovery menu appears, select the Enter fastboot item with Volume DOWN and confirm with Power.
  4. The Android Fastboot menu appears, select the Reboot to bootloader item with Volume DOWN and configrm with Power.
  5. The prompt ⇒ FASTBOOT Mode… appears in the lower left corner of the screen.

Hiding the Orange State warning message

Once you have unlocked the bootloader, the device will show at every bootstrap the warning message:

Orange State

Your device has been unlocked and can't be trusted
Your device will boot in 5 seconds

It is easy to hide that message: just patch the lk partition replacing the ASCII strings with a newline (0x0A char) and zeroes. Use your preferred hex editor for that. Then boot the phone in fastboot mode and write (flash) the patched partition:

fastboot flash lk 'lk-orange-state-hidden.img'
fastboot reboot

Download

Resource Local download Official link Notes
Scatter File MT6765_Android_scatter-bv5300-pro.txt N/A Created using the SP Flash Tool and WwR MTK programs.
Custom boot and vbmeta partitions BV5300 Pro 13 EEA TE105 V1.0 20230927V03-root.tgz N/A This archive contains the two partition images required to root the BV5300 Pro smartphone: the boot partition patched with Magisk 26.4 and the vbmeta partition with the updated signing key. The archive contains also the original stock images, required to remove root and to allow system upgrades. If you want to use SP Flash Tool, the scatter file is included too.
Custom lk partition lk-image-hide-orange-state.tgz N/A This is the image of the lk partition, patched to hide the Orange State warning message displayed at boot time once the bootloader is unlocked.
avbtool.py avbtool.py android.googlesource.com Python script used to create the custom vbmeta image.
Magisk v26.4 Magisk-v26.4.apk github.com/topjohnwu/Magisk Magisk v26.x is capable of patching the boot image and install root. That version does not have the MagiskHide feature but has the Zygisk one, which is equally capable of hiding Magisk to selected apps. Magisk v23.x has the MagiskHide function, but it is not capable to root-patch the boot image.
SP Flash Tool SP_Flash_Tool_v5.2228_Linux.zip spflashtools.com WARNINIG: The site is not managed by MediaTek; other sites exist, but none seems to be the official one.
WwR MTK WwR_MTK_v2.51.zip N/A WARNINIG: It seems that an offical site for WwR MTK does not exist; on the internet you can find many which have re-packaged the same archive, like this androiddatahost.com and this www.gsmfirmware.net.
testkey_rsa2048.pem testkey_rsa2048.pem cs.android.com This is the RSA private/public key used for testing in Android SDK.

Power saving

On this smartphone the battery and power management operated by the Android o.s. is very aggressive. There are several settings that can be adjusted:

  • Battery Manager (system setting): Settings ⇒ Battery ⇒ Battery Manager ⇒ Manage apps automatically.
  • Battery Saver (system setting): Settings ⇒ Battery ⇒ Battery Saver ⇒ Use Battery Saver.
  • Pause app if unused (per-app setting): Settings ⇒ Apps & notifications ⇒ App info ⇒ App permissions ⇒ Pause app activity if unused.
  • Battery (per-app setting): Settings ⇒ Apps & notifications ⇒ App info ⇒ Battery ⇒ Unrestricted, Optimized or Restricted.

Other important settings can be operated into the custom System Manager app. See the page Power saving in Blackview costomization of Android 12 and 13, it is about the customization made by Blackview on the Android operating system regarding several power saving features. It applies on both Android 12 and Android 13 versions.

Storage (problem with widgets and SD card)

When you add an SD card to the smartphone, you can use it as:

Portable storage You can save files, like photos and videos, on the SD card.
You can’t install apps on the SD card.
You can transfer the SD card between devices.
Adoptable or Internal storage You can load files, like photos and videos, on the SD card.
You can install apps on the SD card.
You can’t transfer the SD card between devices.
The SD card can be used in addition to your device's storage.

If you use the SD card as internal storage all the compatible apps will be moved to that storage (if you tell so) and new installed apps will follow the same destination. You can check if an app is installed into the SD by tapping SettingsStorageSD cardApps ⇒ (select the app) ⇒ Storage used. In this menu you can tap the CHANGE button to move the app into the other storage.

I found a problem on my Blackview BV5300 Pro, because some apps installed into the SD card were not seen as widget providers, i.e. I was not able to add the widget on the home screen, just because the app was not shown into the list. Moving the app to the internal storage, the problem was resolved.

Wallpaper scrolling effect

It is possibile to have a wallpaper with scrolling effect. This requires a wallpaper picture which is wider than the physical screen; when you swipe left or right through the home screens, the wallpaper picture scrolls (pan) left or right too. To get such effect, you have to set the wallpaper using an app (e.g. with Fossify Gallery, long-tapping over an image). If you set the wallpaper with the launcher app (the stock BVLauncher or the alternative Lawnchair) the scrolling effetc will not be enabled.

Changing the default launcher BvLauncher

See the page Changing the default launcher on the Blackview BV5300 Pro, it is about the installation of a custom launcher and removing unnecessary system apps (de-bloating).

Web Resources

doc/appunti/hardware/blackview_bv5300_pro.txt · Last modified: 2024/08/27 07:34 by niccolo