RabbitHoleEscapeR1 / r1_escape


Soft locked / Firmware update fails after restoring stock OS #75

Open prnthh opened 4 weeks ago

prnthh commented 4 weeks ago

After successfully jailbreaking and trying Android 12 for a while, I decided to go back to the stock Rabbit OS by flashing the backup from the readme.

After flashing, I get a fastboot screen that says to factory reset the firmware because boot failed. After factory reset, everything seems to work fine, it connects to wifi and finds out there is a firmware update.

This firmware update fails, and it says 'there's a problem with your connection', leaving the Rabbit essentially soft locked in a failed update loop.

prnthh commented 3 weeks ago

Speculation on the Discord is that there are multiple "revisions" of the preloader, and the ROM floating around works for older ones.

DavidBuchanan314 commented 1 week ago

It is indeed a preloader version mismatch issue, and it can be fixed by restoring a matching preloader version.

Rabbit Inc updated their preloader at some point in the last few months (I'm not exactly sure when). So, anyone who installed r1_escape after that point will end up with a mismatched preloader after trying to restore stock RabbitOS using the backup linked in the r1_escape readme (I will refer to that as the "r1_escape backup"), since that backup was made before the preloader update.

Anyone installing r1_escape in the future can avoid this whole issue by making your own backups first, which guarantees the versions will match up. You'll save yourself time in the long run too, because you won't have to sit through so many OTA updates after you restore it.

Preloader is stored in the boot0 and boot1 eMMC partitions (not to be confused with boot/boot_a/boot_b, those are GPT partitions). Unfortunately, nobody has been backing up these partitions. Fortunately, I'm more thorough than most, and I have a backup of boot0 and boot1 partitions that match the rest of the r1_escape backup. My boot0/boot1 backups can be found here: https://github.com/DavidBuchanan314/rabbit_r1_boot_notes/tree/main/dumped_bins - and I'll attach them here too for good measure: preloader_backup.zip

First, restore the r1_escape backup following the instructions in the readme. You should be able to boot up into RabbitOS (with no orange state warnings etc.), but OTAs will fail with the "there's a problem with your connection" error. This error message is of course garbage, that isn't the problem at all. If you're getting any other errors, that's probably something unrelated, and you should fix whatever it is before proceeding further.

Next (and this is not strictly necessary) make a backup of the current state of your preloader using mtkclient:

mtk.py r preloader boot0_backup.bin --parttype boot1
mtk.py r preloader boot1_backup.bin --parttype boot2

Finally, restore preloader using my backup files that you downloaded from https://github.com/DavidBuchanan314/rabbit_r1_boot_notes/tree/main/dumped_bins

mtk.py w preloader /path/to/downloaded/boot0 --parttype boot1
mtk.py w preloader /path/to/downloaded/boot1 --parttype boot2

(Of course, you will need to edit the /path/to/downloaded/ part as appropriate)

It is critically important that you're restoring the right files here, if you do this wrong you might brick your device (possibly recoverable through brom mode but it's best not to find out...). If you'd like to check the md5 hashes, their expected values are:

$ md5sum boot0 boot1 
e03d3ce7cf11eea0afb4a84158956615  boot0
d5ffd2c97e00a0b3dc551032ffb1b983  boot1

Once you've done this, you can reboot your device, and it should boot back up into RabbitOS and have working OTAs. You'll have to sit through a lot of updates before you can use the device again though (it takes literally hours to apply them all).
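A guard for the restore step described in the comment above, as an added example that is not part of the original thread or the r1_escape project: it checks both downloaded images against the MD5 values quoted there and only then issues the two write commands. The function names and the `MTK` override variable are assumptions made for illustration.

```shell
#!/bin/sh
# Added example. Expected MD5 values are the ones quoted in the thread.
BOOT0_MD5=e03d3ce7cf11eea0afb4a84158956615
BOOT1_MD5=d5ffd2c97e00a0b3dc551032ffb1b983

# check_md5 FILE EXPECTED
# Succeeds only if FILE exists and its MD5 equals EXPECTED.
check_md5() {
    [ -f "$1" ] || { echo "missing: $1" >&2; return 2; }
    actual=$(md5sum "$1" | cut -d' ' -f1)
    if [ "$actual" != "$2" ]; then
        echo "MISMATCH $1: got $actual, expected $2" >&2
        return 1
    fi
    echo "ok $1"
}

# verify_preloader_dir DIR
# Both images must match; a single mismatch fails the whole check.
verify_preloader_dir() {
    check_md5 "$1/boot0" "$BOOT0_MD5" && check_md5 "$1/boot1" "$BOOT1_MD5"
}

# restore_preloader DIR
# Runs the two write commands from the thread, but only after both
# hashes verify. MTK is a hypothetical override (e.g. MTK=echo) so the
# flow can be dry-run without touching the device.
restore_preloader() {
    verify_preloader_dir "$1" || { echo "refusing to flash" >&2; return 1; }
    ${MTK:-mtk.py} w preloader "$1/boot0" --parttype boot1 &&
    ${MTK:-mtk.py} w preloader "$1/boot1" --parttype boot2
}
```

Source the file and run `MTK=echo restore_preloader /path/to/downloaded` first to see the commands without writing anything. The check catches a wrong, truncated or corrupted download before it reaches the preloader partitions.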