RabbitHoleEscapeR1 / r1_escape


system.img not found #10

Closed samliu closed 5 months ago

samliu commented 5 months ago

Does anyone know where I can download the "userdebug system image of AOSP-13" (system.img) mentioned here? It's not included in the repo.

(venv) (base) [nr200ubuntu]r1_escape ➤ ./r1.sh                                                                                                                              git:main*
Hit:1 https://dl.google.com/linux/chrome/deb stable InRelease                                                                                                                        
Hit:2 https://cli.github.com/packages stable InRelease                                                                                                                               
Hit:3 https://downloads.plex.tv/repo/deb public InRelease                                                                                                                            
Hit:5 http://archive.ubuntu.com/ubuntu jammy InRelease                                                                                                                               
Hit:6 https://developer.download.nvidia.com/compute/cuda/repos/ubuntu2204/x86_64  InRelease                                                                                          
Hit:7 https://repo.steampowered.com/steam stable InRelease                                                                                                                           
Hit:8 http://prerelease.keybase.io/deb stable InRelease                                                                                                                              
Hit:4 https://packages.microsoft.com/repos/code stable InRelease                                                                                                                     
Hit:9 https://repo.nordvpn.com//deb/nordvpn/debian stable InRelease                                                                                                                  
Hit:10 http://security.ubuntu.com/ubuntu jammy-security InRelease                                                                                                                    
Get:11 https://repo.jellyfin.org/ubuntu jammy InRelease [6,660 B]                                                                                                                    
Hit:12 https://esm.ubuntu.com/apps/ubuntu jammy-apps-security InRelease                                                                                      
Get:13 https://apt.syncthing.net syncthing InRelease [15.1 kB]                                                                
Hit:14 https://esm.ubuntu.com/apps/ubuntu jammy-apps-updates InRelease                                                                    
Hit:15 https://esm.ubuntu.com/infra/ubuntu jammy-infra-security InRelease                                                                 
Hit:16 https://esm.ubuntu.com/infra/ubuntu jammy-infra-updates InRelease                               
Hit:17 https://ppa.launchpadcontent.net/cappelikan/ppa/ubuntu jammy InRelease
Hit:18 https://ppa.launchpadcontent.net/graphics-drivers/ppa/ubuntu jammy InRelease
Hit:19 https://ppa.launchpadcontent.net/libretro/stable/ubuntu jammy InRelease
Hit:20 https://ppa.launchpadcontent.net/musicbrainz-developers/stable/ubuntu jammy InRelease
Hit:21 http://us.archive.ubuntu.com/ubuntu jammy InRelease
Hit:22 http://us.archive.ubuntu.com/ubuntu jammy-updates InRelease
Hit:23 http://us.archive.ubuntu.com/ubuntu jammy-backports InRelease
Fetched 21.8 kB in 3s (6,812 B/s)
Reading package lists... Done
Building dependency tree... Done
Reading state information... Done
4 packages can be upgraded. Run 'apt list --upgradable' to see them.
W: https://developer.download.nvidia.com/compute/cuda/repos/ubuntu2204/x86_64/InRelease: Key is stored in legacy trusted.gpg keyring (/etc/apt/trusted.gpg), see the DEPRECATION section in apt-key(8) for details.
W: http://prerelease.keybase.io/deb/dists/stable/InRelease: Key is stored in legacy trusted.gpg keyring (/etc/apt/trusted.gpg), see the DEPRECATION section in apt-key(8) for details.
N: Skipping acquire of configured file 'main/binary-i386/Packages' as repository 'http://prerelease.keybase.io/deb stable InRelease' doesn't support architecture 'i386'
Reading package lists... Done
Building dependency tree... Done
Reading state information... Done
adb is already the newest version (1:10.0.0+r36-9).
fastboot is already the newest version (1:10.0.0+r36-9).
The following packages were automatically installed and are no longer required:
  at libappindicator1 libdbusmenu-gtk4
Use 'sudo apt autoremove' to remove them.
0 upgraded, 0 newly installed, 0 to remove and 4 not upgraded.
Looking in indexes: https://pypi.org/simple, https://pypi.ngc.nvidia.com
Requirement already satisfied: wheel>=0.37.1 in /home/samliu/code/r1_escape/venv/lib/python3.9/site-packages (from -r requirements.txt (line 1)) (0.43.0)
Requirement already satisfied: pyusb>=1.2.1 in /home/samliu/code/r1_escape/venv/lib/python3.9/site-packages (from -r requirements.txt (line 2)) (1.2.1)
Requirement already satisfied: pycryptodome>=3.15.0 in /home/samliu/code/r1_escape/venv/lib/python3.9/site-packages (from -r requirements.txt (line 3)) (3.20.0)
Requirement already satisfied: pycryptodomex in /home/samliu/code/r1_escape/venv/lib/python3.9/site-packages (from -r requirements.txt (line 4)) (3.20.0)
Requirement already satisfied: colorama>=0.4.4 in /home/samliu/code/r1_escape/venv/lib/python3.9/site-packages (from -r requirements.txt (line 5)) (0.4.6)
Requirement already satisfied: shiboken6>=6.4.0.1 in /home/samliu/code/r1_escape/venv/lib/python3.9/site-packages (from -r requirements.txt (line 6)) (6.7.1)
Requirement already satisfied: pyside6>=6.4.0.1 in /home/samliu/code/r1_escape/venv/lib/python3.9/site-packages (from -r requirements.txt (line 7)) (6.7.1)
Requirement already satisfied: mock>=4.0.3 in /home/samliu/code/r1_escape/venv/lib/python3.9/site-packages (from -r requirements.txt (line 8)) (5.1.0)
Requirement already satisfied: pyserial>=3.5 in /home/samliu/code/r1_escape/venv/lib/python3.9/site-packages (from -r requirements.txt (line 9)) (3.5)
Requirement already satisfied: flake8 in /home/samliu/code/r1_escape/venv/lib/python3.9/site-packages (from -r requirements.txt (line 10)) (7.0.0)
Requirement already satisfied: keystone-engine in /home/samliu/code/r1_escape/venv/lib/python3.9/site-packages (from -r requirements.txt (line 11)) (0.9.2)
Requirement already satisfied: capstone in /home/samliu/code/r1_escape/venv/lib/python3.9/site-packages (from -r requirements.txt (line 12)) (5.0.1)
Requirement already satisfied: unicorn in /home/samliu/code/r1_escape/venv/lib/python3.9/site-packages (from -r requirements.txt (line 13)) (2.0.1.post1)
Requirement already satisfied: fusepy in /home/samliu/code/r1_escape/venv/lib/python3.9/site-packages (from -r requirements.txt (line 14)) (3.0.1)
Requirement already satisfied: PySide6-Essentials==6.7.1 in /home/samliu/code/r1_escape/venv/lib/python3.9/site-packages (from pyside6>=6.4.0.1->-r requirements.txt (line 7)) (6.7.1)
Requirement already satisfied: PySide6-Addons==6.7.1 in /home/samliu/code/r1_escape/venv/lib/python3.9/site-packages (from pyside6>=6.4.0.1->-r requirements.txt (line 7)) (6.7.1)
Requirement already satisfied: mccabe<0.8.0,>=0.7.0 in /home/samliu/code/r1_escape/venv/lib/python3.9/site-packages (from flake8->-r requirements.txt (line 10)) (0.7.0)
Requirement already satisfied: pycodestyle<2.12.0,>=2.11.0 in /home/samliu/code/r1_escape/venv/lib/python3.9/site-packages (from flake8->-r requirements.txt (line 10)) (2.11.1)
Requirement already satisfied: pyflakes<3.3.0,>=3.2.0 in /home/samliu/code/r1_escape/venv/lib/python3.9/site-packages (from flake8->-r requirements.txt (line 10)) (3.2.0)
[*] Power off your device, press ENTER plug it into your PC
MTK Flash/Exploit Client Public V2.0.0 Beta (c) B.Kerler 2018-2023

Preloader - Status: Waiting for PreLoader VCOM, please reconnect mobile to brom mode

Port - Hint:

Power off the phone before connecting.
For brom mode, press and hold vol up, vol dwn, or all hw buttons and connect usb.
For preloader mode, don't press any hw button and connect usb.
If it is already connected and on, hold power for 10 seconds to reset.

.....Port - Device detected :)
Preloader -     CPU:            MT6765/MT8768t(Helio P35/G35)
Preloader -     HW version:     0x0
Preloader -     WDT:            0x10007000
Preloader -     Uart:           0x11002000
Preloader -     Brom payload addr:  0x100a00
Preloader -     DA payload addr:    0x201000
Preloader -     CQ_DMA addr:        0x10212000
Preloader -     Var1:           0x25
Preloader - Disabling Watchdog...
Preloader - HW code:            0x766
Preloader - Target config:      0x0
Preloader -     SBC enabled:        False
Preloader -     SLA enabled:        False
Preloader -     DAA enabled:        False
Preloader -     SWJTAG enabled:     False
Preloader -     EPP_PARAM at 0x600 after EMMC_BOOT/SDMMC_BOOT:  False
Preloader -     Root cert required: False
Preloader -     Mem read auth:      False
Preloader -     Mem write auth:     False
Preloader -     Cmd 0xC8 blocked:   False
Preloader - Get Target info
Preloader -     HW subcode:     0x8a00
Preloader -     HW Ver:         0xca00
Preloader -     SW Ver:         0x0
Preloader - ME_ID:          7789D12B86EE6F1310CCA235313A4B81
Preloader - SOC_ID:         D4A3B903E39611E5047DC32BE008C92F4E2940E9FF06BD35914B20BB2D816ED1
DA_handler - Device is unprotected.
DA_handler - Device is in Preloader-Mode.
DAXFlash - Uploading xflash stage 1 from MTK_DA_V5.bin
xflashext - Patching da1 ...
Mtk - Patched "Patched loader msg" in preloader
Mtk - Patched "hash_check" in preloader
xflashext
xflashext - [LIB]: Error on patching da1 version check...
Mtk - Patched "Patched loader msg" in preloader
Mtk - Patched "get_vfy_policy" in preloader
xflashext - Patching da2 ...
xflashext - DA version anti-rollback patched
DAXFlash - Successfully uploaded stage 1, jumping ..
Preloader - Jumping to 0x200000
Preloader - Jumping to 0x200000: ok.
DAXFlash - Successfully received DA sync
DAXFlash - Uploading stage 2...
DAXFlash - Upload data was accepted. Jumping to stage 2...
DAXFlash - Successfully uploaded stage 2
DAXFlash - EMMC FWVer:      0x0
DAXFlash - EMMC ID:         DV6DAB
DAXFlash - EMMC CID:        150100445636444142028d2ad24139ef
DAXFlash - EMMC Boot1 Size: 0x400000
DAXFlash - EMMC Boot2 Size: 0x400000
DAXFlash - EMMC GP1 Size:   0x0
DAXFlash - EMMC GP2 Size:   0x0
DAXFlash - EMMC GP3 Size:   0x0
DAXFlash - EMMC GP4 Size:   0x0
DAXFlash - EMMC RPMB Size:  0x1000000
DAXFlash - EMMC USER Size:  0x1d1ec00000
DAXFlash - HW-CODE         : 0x766
DAXFlash - HWSUB-CODE      : 0x8A00
DAXFlash - HW-VERSION      : 0xCA00
DAXFlash - SW-VERSION      : 0x0
DAXFlash - CHIP-EVOLUTION  : 0x0
DAXFlash - DA-VERSION      : 1.0
DAXFlash - Extensions were accepted. Jumping to extensions...
DAXFlash - DA Extensions successfully added
DA_handler - Requesting available partitions ....
DA_handler - Dumping partition "frp"
Progress: |██████████████████████████████████████████████████| 100.0% Read (Sector 0x800 of 0x800, ) 7.85 MB/s
DA_handler - Dumped sector 44096 with sector count 2048 as frp.bin.
MTK Flash/Exploit Client Public V2.0.0 Beta (c) B.Kerler 2018-2023

DAXFlash - HW-CODE         : 0x766
DAXFlash - HWSUB-CODE      : 0x8A00
DAXFlash - HW-VERSION      : 0xCA00
DAXFlash - SW-VERSION      : 0x0
DAXFlash - CHIP-EVOLUTION  : 0x0
DAXFlash - DA-VERSION      : 1.0
Progress: |██████████████████████████████████████████████████| 100.0% Write (Sector 0x800 of 0x800, ) 8.68 MB/s
Wrote frp.bin to sector 44096 with sector count 2048.
[*] Unplug your device, press ENTER, plug it back in
Listening for ports!
Found /dev/ttyACM0 with description: MT65xx Preloader - CDC ACM Communication Interface
HWID: USB VID:PID=0E8D:2000 LOCATION=1-4:1.0
Got port: /dev/ttyACM0
Initializing port /dev/ttyACM0
b'FASTBOOT' cmd sent
[*] Waiting for fastboot...
(bootloader) Start unlock flow

OKAY [  3.036s]
Finished. Total time: 3.036s
Erasing 'userdata'                                 OKAY [  0.317s]
mke2fs 1.46.6 (1-Feb-2023)
Creating filesystem with 28164344 4k blocks and 7045120 inodes
Filesystem UUID: 857f7856-1fa3-4c1f-a36e-db3fee18281e
Superblock backups stored on blocks: 
    32768, 98304, 163840, 229376, 294912, 819200, 884736, 1605632, 2654208, 
    4096000, 7962624, 11239424, 20480000, 23887872

Allocating group tables: done                            
Writing inode tables: done                            
Creating journal (131072 blocks): done
Writing superblocks and filesystem accounting information: done   

Warning: skip copying userdata image avb footer due to sparse image.
Sending 'userdata' (544 KB)                        OKAY [  0.018s]
Writing 'userdata'                                 OKAY [  0.025s]
wipe task partition not found: cache
Erasing 'metadata'                                 OKAY [  0.008s]
Erase successful, but not automatically formatting.
File system type raw data not supported.
Finished. Total time: 0.495s
Rewriting vbmeta struct at offset: 0
Sending 'vbmeta_a' (4 KB)                          OKAY [  0.005s]
Writing 'vbmeta_a'                                 OKAY [  0.002s]
Finished. Total time: 0.009s
Rebooting into fastboot                            OKAY [  0.001s]
< waiting for any device >
Finished. Total time: 23.146s
fastboot: error: cannot load 'system.img': No such file or directory
Rebooting                                          OKAY [  0.000s]
Finished. Total time: 0.050s

samliu commented 5 months ago

Oh never mind, I figured it out.

For folks wondering the same thing, the image is on the releases page. It's compressed, so you need to decompress it.

wget https://github.com/RabbitHoleEscapeR1/r1_escape/releases/download/20240605/system.img.xz
unxz system.img.xz
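
The log above shows the run erasing `userdata` and writing `vbmeta_a` before fastboot failed on the missing `system.img`. A preflight check like the following, run before any destructive step, catches a missing or still-compressed image first; it is an added example, not part of `r1.sh` or this thread, and the function names are hypothetical.

```shell
#!/bin/sh
# Added example: preflight check for the image file before any destructive
# fastboot step. Function names are hypothetical, not taken from r1.sh.

# Print the first N bytes of a file as lowercase hex with no separators.
magic_hex() {
    head -c "$2" "$1" | od -An -tx1 | tr -d ' \n'
}

# Classify an image by existence, size and leading magic bytes.
classify_image() {
    img=$1
    if [ ! -f "$img" ]; then echo missing; return; fi
    if [ ! -s "$img" ]; then echo empty; return; fi
    case "$(magic_hex "$img" 6)" in
        fd377a585a00) echo xz-compressed ;;  # XZ stream header: unxz was skipped
        3aff26ed*)    echo sparse ;;         # Android sparse magic 0xED26FF3A, little-endian
        *)            echo raw ;;            # anything else is treated as a raw image
    esac
}

# Return 0 only when the file is something fastboot can flash as-is.
preflight() {
    kind=$(classify_image "$1")
    case "$kind" in
        sparse|raw)
            echo "ok: $1 ($kind)"
            return 0 ;;
        xz-compressed)
            echo "refusing: $1 is still xz-compressed; run unxz first" >&2 ;;
        *)
            echo "refusing: $1 is $kind" >&2 ;;
    esac
    return 1
}

# Stand-alone use: ./preflight.sh system.img
if [ "$#" -gt 0 ]; then
    preflight "$1"
fi
```

The check only inspects the first bytes of the file; it does not verify that the image is the one published on the releases page.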