Model | Blackview BV5300 Pro |
---|---|
Size | 162.5 x 79.5 x 16.7 mm, 280 g |
RAM | 4.0 Gb |
CPU | MediaTek Helio P35 (MT6765) - ARM Cortex-A53, 8 Cores (4 x 2.35 GHz, 4 x 1.8 GHz) |
GPU | PowerVR GE8320 |
Internal Memory | 64 Gb |
Screen | 6.1 inches, 720 x 1560, brightness 500 cd/m² typical |
Battery | Non removable 6580 mAh |
Connector | USB C |
Android version | 13 |
Build number | BV5300_Pro_13_EEA_TE105_V1.0_20230927V03 |
A/B (Seamless) System Updates | Yes Partitions boot_a and boot_b do exist fastboot getvar current-slot returned current-slot: a |
Anti-Rollback Protection | Nofastboot getvar anti returned GetVar Variable Not found |
Notable features:
The rooting method that actually worked is resumed here:
NOTICE: If you don't want to follow the full procedure and you just need the scatter file, here it is the file that I produced: MT6765_Android_scatter-bv5300-pro.txt.
A Scatter File is a text file which is used to describe parts of flash memory in an Android device which is running on a MediaTek’s MTK chipeset. Usually, such files are needed at the time of flashing firmware using tools like the SP Flash Tool. The file is required also to backup the stock images from the Android device, (the Readback operation in SP Flash Tool).
Generally you find the scatter file for your specific device included into the firmware archive, but for the BV5300 Pro I did not find any official firmware to download, nor the simple scatter file. Using the following procedure I managed to create my MT6765_Android_scatter-bv5300-pro.txt
(download below).
To create the scatter file you need to exctract two memory regions from the smartphone flash: the preloader and the partition table. You can use the SP Flash Tool to read them directly from the phone:
The WwR MTK (Working with Rom MediaTek) program can create the scatter file by reading the partition table and the preloader image extracted in the previous step. The program is for the Windows operating system, but it runs also under the GNU/Linux Wine environment:
WwR_MTK_v2.51
directory. Execute wine WwR_MTK_2.51.exe (wait the 120 seconds pause or pay for the program).WARNING: The scatter file created above have the attribute is_download: false for several partitions, you need to edit the file for the partitions that you want to readback, defining is_download and file_name:
- partition_index: SYS30 partition_name: vbmeta_system_a file_name: vbmeta_system_a.img is_download: true ...
Rooting the BV5300 Pro phone basically means overwriting (flashing) the boot and vbmeta partitions with patched versions. For backup purpose and to prepare the custom partitions, you must firstly read-back some of the stock partitions from the phone. You can use the SP Flash Tool program for this task, I used SP Flash Tool v5.2228 for Linux.
This phone uses the A/B (seamless) system updates feature, so you have actually two copies of each partitions: boot_a, boot_b, vbmeta_a and vbmeta_b. In my case the active slot was A, so I worked with boot_a and vbmeta_a partitions. Putting the device in fastboot mode you can check the current active slot with the command fastboot getvar current-slot
.
WARNING: In my case the current slot was A and it turned out that the partitions *_b were empty (all zeroes).
Beware that if you want to receive operating system updates on-the-air (OTA updates for the stock software), you must re-flash the stock partitions, allow the update to install, and then re-do the rooting process.
Execute the SP Flash Tool on your GNU/Linux PC launching the flash_tool.sh
script. You must have the permissions to access the /dev/ttyACM0
device, usually granted to the dialout
group).
Into the program, load the scatter file of the Blackview BV5300 Pro using Scatter-loading file box.
Click the Readback tab: gathering the info from the the scatter file you must add the data to read the following partitions:
partition_name: boot_a | |
---|---|
file_name | boot_a.img |
physical_start_addr | 0x1C000000 |
partition_size | 0x2000000 |
region | EMMC_USER |
partition_name: dtbo_a | |
file_name | dtbo_a.img |
physical_start_addr | 0x22800000 |
partition_size | 0x800000 |
region | EMMC_USER |
partition_name: vbmeta_a | |
file_name | vbmeta_a.img |
physical_start_addr | 0x23500000 |
partition_size | 0x800000 |
region | EMMC_USER |
partition_name: vbmeta_system_a | |
file_name | vbmeta_system_a.img |
physical_start_addr | 0x23D00000 |
partition_size | 0x800000 |
region | EMMC_USER |
partition_name: vbmeta_vendor_a | |
file_name | vbmeta_vendor_a.img |
physical_start_addr | 0x24500000 |
partition_size | 0xB00000 |
region | EMMC_USER |
partition_name: lk_a | |
file_name | lk.img |
physical_start_addr | 0x1BF00000 |
partition_size | 0x100000 |
region | EMMC_USER |
Once entered the data, click the Read Back button. Turn off the phone and connect the USB cable: the reading of the partitions should start automatically and the files will be saved.
The only two partitions that must be actually patched are boot_a and vbmeta_a.
Patching the boot partition means actually let the Magisk app add the required software to get root privileges (the su program, etc.). The partition, once patched, must be cryptographically signed with an RSA key.
Patching the vbmeta parition means actually re-create the whole partition replacing the entry about the boot parition with the new signing key.
To patch the stock boot image we use the Magisk app installed into the smartphone iteself. So we have to copy the Magisk-v26.4.apk file and the downloaded boot_a.img file to the smartphone (I used the adb push command). Install the Magisk apk.
Launch the Magisk app on the phone and select Magisk ⇒ Install ⇒ Select and Patch a File: point the program to the boot_a.img file that you uploaded into the phone storage. After a little of work you should obtain a modified boot image saved into a file like /sdcard/Download/magisk_patched-26400_AFhJf.img
. The image should contain a modified ramdisk, which will provide the su command (superuser) when the Android system is running, but actually without modifying the system partition.
Download the patched boot image to your PC using the adb pull command.
The Blackview BV5300 Pro is based on Android 13 and the Android Verified Boot process cannot be disabled. So the patched boot_a.img must be signed with an RSA public/private key and the public part must be included into the vbmeta_a.img partition.
Transfer the patched image magisk_patched-26400_AFhJf.img
from the smartphone to the PC. Then you need the avbtool.py tool (it is a Python 3 script, so you must have Python 3 installed); with that script you can get some info from the original boot_a.img:
python3 avbtool.py info_image --image 'boot_a.img'
The output will reveal the Image size (33554432 bytes, which is exactly the size of the file) and that the public key algorithm is SHA256_RSA2048.
Then you need a 2048 bit RSA key; you can create your own, but it is common practice to use the one included into the Android SDK. Download the RSA key named testkey_rsa2048.pem.
With all this information, you can sign the file (actually add an hash footer inside the file). Beware that the file will be patched in-place, so make a backup copy before running the command:
cp 'magisk_patched-26400_AFhJf.img' 'magisk_patched-26400_AFhJf-signed.img' python3 avbtool.py add_hash_footer \ --image 'magisk_patched-26400_AFhJf-signed.img' \ --partition_name 'boot' --partition_size '33554432' \ --key 'testkey_rsa2048.pem' --algorithm 'SHA256_RSA2048'
The vbmeta partition contains verification data (e.g. cryptographic digests) for verifying required Android images to boot. Generally, in modern Android devices, it is not possibile to disable the verification and the dm-verity (Device Mapper verity), so we have to sign the custom boot partition with a key and build a new vbmeta partition with all the correct data.
Using the avbtool.py script we can inspect the content of the stock vbmeta_a partition:
python3 avbtool.py info_image --image 'vbmeta_a.img'
This is the output:
Minimum libavb version: 1.0 Header Block: 256 bytes Authentication Block: 320 bytes Auxiliary Block: 2816 bytes Public key (sha1): cdbb77177f731920bbe0a0f94f84d9038ae0617d Algorithm: SHA256_RSA2048 Rollback Index: 0 Flags: 0 Rollback Index Location: 0 Release String: 'avbtool 1.2.0' Descriptors: Chain Partition descriptor: Partition Name: boot Rollback Index Location: 3 Public key (sha1): 9d808b0995768d0677fccb1efcddb7cf9e153d99 Chain Partition descriptor: Partition Name: vbmeta_system Rollback Index Location: 2 Public key (sha1): fa41159a5d696abdef93176a07d0b0d001263f01 Chain Partition descriptor: Partition Name: vbmeta_vendor Rollback Index Location: 4 Public key (sha1): 9577bc6c0772975ecce93c4d8a178662c728dadf Prop: com.android.build.dtbo.fingerprint -> 'Blackview/BV5300_Pro_13_EEA/BV5300_Pro:12/SP1A.210812.016/1695812099:user/release-keys' Hash descriptor: Image Size: 65328 bytes Hash Algorithm: sha256 Partition Name: dtbo Salt: 004063897606313a609b19f2e9eefc5142de27213cb8d79c078f8f0d3146e66e Digest: d77b2bf9160ff4132c2df0a90d24c77388cc524ecc51f3b35bc7d2dd4b17f08e Flags: 0
The descriptors contained into the image are:
We have to re-generate the chain partition descriptor for the boot image, because we modified the image and signed it with a different key. The descriptors for the vbmeta_system and vbmeta_vendor partitions must remain unaltered. The prop and the hash footer descriptors are contained into the dtbo image and must be read back from it.
Keep note also of the Rollback Index Location for each partition, we need them when creating the custom vbmeta.
Using an hex viewer over the vbmeta_a.img file, we discovered the starting offset of each key (the byte just after the name), using dd it is possibile to extract them. They are 520 bytes long:
dd if='vbmeta_a.img' of='key_boot.bin' bs=1 skip='672' count='520' dd if='vbmeta_a.img' of='key_vbmeta_system.bin' bs=1 skip='1297' count='520' dd if='vbmeta_a.img' of='key_vbmeta_vendor.bin' bs=1 skip='1929' count='520'
With the following command we extract the public part of the RSA key we used to sign the boot image. The public key will be inserted into the vbmeta image:
python3 avbtool.py extract_public_key \ --key 'testkey_rsa2048.pem' \ --output 'testkey_rsa2048_pub.bin'
The final command to assemble the custom vbmeta image is the following. Notice that we specified the rollback index for each partition and the size of the whole stock vbmeta file:
python3 avbtool.py make_vbmeta_image \ --key 'testkey_rsa2048.pem' --algorithm 'SHA256_RSA2048' --flag 0 \ --chain_partition boot:3:'testkey_rsa2048_pub.bin' \ --chain_partition vbmeta_system:2:'key_vbmeta_system.bin' \ --chain_partition vbmeta_vendor:4:'key_vbmeta_vendor.bin' \ --include_descriptors_from_image 'dtbo_a.img' \ --padding_size '8388608' --output 'vbmeta-custom-signed.img'
Once you have the boot partition image with root enabled and the vbmeta partition image with the updated signing data, you can flash the images into the smartphone and gain root privileges. Boot the phone in normal system, attach the USB cable to the PC and execute the following on the PC:
adb reboot bootloader
The phone will reboot into the => FASTBOOT mode... prompt.
fastboot flash boot 'magisk_patched-26400_AFhJf-signed.img' fastboot flash vbmeta 'vbmeta-custom-signed.img' fastboot reboot
The full output will be:
$ fastboot flash boot 'magisk_patched-26400_AFhJf-signed.img' Sending 'boot_a' (32768 KB) OKAY [ 1.033s] Writing 'boot_a' OKAY [ 0.435s] Finished. Total time: 1.470s $ fastboot flash vbmeta 'vbmeta-custom-signed.img' Sending 'vbmeta_a' (8192 KB) OKAY [ 0.265s] Writing 'vbmeta_a' OKAY [ 0.106s] Finished. Total time: 0.373s $ fastboot reboot Rebooting OKAY [ 0.000s] Finished. Total time: 0.101s
: check root and manage permissions.
Older versions of Magisk had the MagiskHide feature, i.e. the ability to hide the rooted status of the phone to selected apps. This is because some apps, like home banking, OTP managers, etc. refuse to operate or show warnings if they find that the device was tampered; the hide function allows these apps to run flawlessy. The MagiskHide feature is available e.g. in Magisk v23.0, but it does not exist in Magisk 26.x. It was speculated that the author John Wu removed the MagiskHide feature because he started to work for Android security team in 2021.
The reality is that Magisk 26.4 has the Zygisk feature, which you can enable in the Magisk Settings menu. If you enable this feature, some parts of Magisk runs at an higher level of privilege into the zygote daemon (i.e. the process which is responsible of launching Android applications). If you enable this, you can enable the Enforce DenyList option and configure the DenyList, selecting which applications cannot see the rooting status of the device.
Generally it is mandatory to run the same version of the Magisk app as the one used to patch the boot image, i.e. you cannot patch the boot image with Magisk v26.x to get root, and then run the Magisk v23.x app to manage the root permissions and the hide function.
The phone should enter the Android Recovery menu:
Android Recovery Blackview/BV5300_Pro_13_EEA/BV5300_Pro 12/SP1A.210812.016/1695812099 user/release-keys Use volume up/down and power. -------------------------------------- Reboot system now Reboot to bootloader Enter fastboot Apply update from ADB Apply update from SD card Wipe data/factory reset Mount /system View recovery logs Run graphics test Run locale test Power off --------------------------------------
It is possibile to reboot the phone into fastboot mode from normal system, just connect a PC via the USB cable and issue the command on the PC (must have enabled the USB debugging option):
adb reboot bootloader
Alternatively you can reach fastboot mode operating the phone buttons only:
Once you have unlocked the bootloader, the device will show at every bootstrap the warning message:
Orange State Your device has been unlocked and can't be trusted Your device will boot in 5 seconds
It is easy to hide that message: just patch the lk partition replacing the ASCII strings with a newline (0x0A char) and zeroes. Use your preferred hex editor for that. Then boot the phone in fastboot mode and write (flash) the patched partition:
fastboot flash lk 'lk-orange-state-hidden.img'
fastboot reboot
Resource | Local download | Official link | Notes |
---|---|---|---|
Scatter File | MT6765_Android_scatter-bv5300-pro.txt | N/A | Created using the SP Flash Tool and WwR MTK programs. |
Custom boot and vbmeta partitions | BV5300 Pro 13 EEA TE105 V1.0 20230927V03-root.tgz | N/A | This archive contains the two partition images required to root the BV5300 Pro smartphone: the boot partition patched with Magisk 26.4 and the vbmeta partition with the updated signing key. The archive contains also the original stock images, required to remove root and to allow system upgrades. If you want to use SP Flash Tool, the scatter file is included too. |
Custom lk partition | lk-image-hide-orange-state.tgz | N/A | This is the image of the lk partition, patched to hide the Orange State warning message displayed at boot time once the bootloader is unlocked. |
avbtool.py | avbtool.py | android.googlesource.com | Python script used to create the custom vbmeta image. |
Magisk v26.4 | Magisk-v26.4.apk | github.com/topjohnwu/Magisk | Magisk v26.x is capable of patching the boot image and install root. That version does not have the MagiskHide feature but has the Zygisk one, which is equally capable of hiding Magisk to selected apps. Magisk v23.x has the MagiskHide function, but it is not capable to root-patch the boot image. |
SP Flash Tool | SP_Flash_Tool_v5.2228_Linux.zip | spflashtools.com | WARNINIG: The site is not managed by MediaTek; other sites exist, but none seems to be the official one. |
WwR MTK | WwR_MTK_v2.51.zip | N/A | WARNINIG: It seems that an offical site for WwR MTK does not exist; on the internet you can find many which have re-packaged the same archive, like this androiddatahost.com and this www.gsmfirmware.net. |
testkey_rsa2048.pem | testkey_rsa2048.pem | cs.android.com | This is the RSA private/public key used for testing in Android SDK. |
On this smartphone the battery and power management operated by the Android o.s. is very aggressive. There are several settings that can be adjusted:
Other important settings can be operated into the custom System Manager app. See the page Power saving in Blackview costomization of Android 12 and 13, it is about the customization made by Blackview on the Android operating system regarding several power saving features. It applies on both Android 12 and Android 13 versions.
When you add an SD card to the smartphone, you can use it as:
Portable storage | You can save files, like photos and videos, on the SD card. You can’t install apps on the SD card. You can transfer the SD card between devices. |
---|---|
Adoptable or Internal storage | You can load files, like photos and videos, on the SD card. You can install apps on the SD card. You can’t transfer the SD card between devices. The SD card can be used in addition to your device's storage. |
If you use the SD card as internal storage all the compatible apps will be moved to that storage (if you tell so) and new installed apps will follow the same destination. You can check if an app is installed into the SD by tapping Settings ⇒ Storage ⇒ SD card ⇒ Apps ⇒ (select the app) ⇒ Storage used. In this menu you can tap the CHANGE button to move the app into the other storage.
I found a problem on my Blackview BV5300 Pro, because some apps installed into the SD card were not seen as widget providers, i.e. I was not able to add the widget on the home screen, just because the app was not shown into the list. Moving the app to the internal storage, the problem was resolved.
It is possibile to have a wallpaper with scrolling effect. This requires a wallpaper picture which is wider than the physical screen; when you swipe left or right through the home screens, the wallpaper picture scrolls (pan) left or right too. To get such effect, you have to set the wallpaper using an app (e.g. with Fossify Gallery, long-tapping over an image). If you set the wallpaper with the launcher app (the stock BVLauncher or the alternative Lawnchair) the scrolling effetc will not be enabled.
See the page Changing the default launcher on the Blackview BV5300 Pro, it is about the installation of a custom launcher and removing unnecessary system apps (de-bloating).