Everything I figured out about messing with this device.
All the info regarding the A7CC is scattered troughout many forums and posts. I want to spare you the time by writing down the infos I found to be working.
Caution
This stuff is not listed in order. Just search for what you need here :-)
- Developer Settings
- Recovery + Wipe user data
- Restore to stock rom
- Fastboot
- BACKUP Partitions
- Patch boot.img with Magisk
- GSI
Differently to other phones you have to spam-click Kernel version: Settings -> About Phone -> spam Kernel version
Developer options will then appear in Settings -> System & Updates -> Developer options
So far fastboot -w hasn't seemed to work so I delete userdata trough recovery:
Press E-Ink Button + VolDown + Power Button until the phone reboots.
Warning
This will wipe your userdata!
Download original rom from pan.baidu.com:
Tip
pan.baidu.com asks for chinese phone number only... :-/
If you don't have a chinese BaiDu account, register here: https://passport.baidu.com/v2/?reg&overseas=1 You can then log in on the same page using "已有账号? 登录" in case it redirects you somewhere else :-)
After that you can open the pan.baidu.com link and you are logged in. You need the app to download.
https://fans.hisense.com/forum.php?mod=viewthread&tid=206299
| | | | | | | |
V V V V V V V V
https://pan.baidu.com/s/1vqnu6SUCY6hBpmEdFAx4Vw?#list/path=%2F
code: iops
Put stock rom files on SD Card formatted as FAT32. There should be a folder named HNR320T_TF at the root of the SD Card which then contains the bin files.
Put the SD Card in your phone and press E-Ink Button + VolUp + Power Button. It should then flash the screen after a few seconds. Release the buttons. It should now install the stock rom.
The phone supports fastboot commands when booted into botloader. I wasn't able to flash anything in the bootloader tough.
Using adb reboot bootloader or if you are in the bootloader fastboot reboot fastboot you can get into proper fastboot.
fastboot fetch desn't work so you can't back up partitions this way... :-/
fastboot boot doesn't work either D-:
Warning
Entering autodload aparrently WIPES your splloader! By entering it you will be stuck in emergency download mode (Ask me how I found out :-D). Your phone will NOT boot normally, even with hardware key combos!! It was a huge pain to get this to work. I didn't manage to make the program recognize my phone in Windows, even after installing all the driver shenanigans. Without the program flashing back splloader you phone is unuseable so think about it twice!!!!
Your screen will freeze and be unresponsive as soon as you enter this command until you leave autodload again, so get your sussy stuff off the screen before you run this ;-)
adb reboot autodload
I did this in Linux so I won't cover how to set up windows drivers. This part of the guide is Linux only for now!
spd-dump linux build:
https://github.com/4bitFox/CVE-2022-38694_unlock_bootloader/releases
A7CC Files: Put the executeable and the other files together in the same folder.
https://github.com/TomKing062/CVE-2022-38694_unlock_bootloader/releases
https://github.com/TomKing062/CVE-2022-38694_unlock_bootloader/tree/info/soc/ud710
In case the files are not around anymore in the above link:
https://github.com/4bitFox/CVE-2022-38694_unlock_bootloader/releases
https://github.com/4bitFox/CVE-2022-38694_unlock_bootloader/tree/info/soc/ud710
Tip
Depending on your distro you need to run: (lasts until reboot)
sudo setenforce 0
Depending how your groups and permissions are set up you need to add your user to the correct group. I was just lazy and ran spd_dump with sudo....
./spd_dump exec_addr 0x3f28 fdl fdl1-dl.bin 0x5500 fdl uboot-mod.bin 0x9efffe00 exec partition_list partition.xml reset
This will output a file which looks like this:
Use your file as refrence in case stuff is different! I dunno tbh xD We can later use this info to back up partitions....
<Partitions>
<Partition id="miscdata" size="5"/>
<Partition id="misc" size="1"/>
<Partition id="nr_fixnv1" size="8"/>
<Partition id="nr_fixnv2" size="8"/>
<Partition id="prodnv" size="10"/>
<Partition id="nr_runtimenv1" size="10"/>
<Partition id="nr_runtimenv2" size="10"/>
<Partition id="recovery" size="40"/>
<Partition id="trustos" size="6"/>
<Partition id="trustos_bak" size="6"/>
<Partition id="sml" size="1"/>
<Partition id="sml_bak" size="1"/>
<Partition id="uboot" size="1"/>
<Partition id="uboot_bak" size="1"/>
<Partition id="uboot_log" size="4"/>
<Partition id="logo" size="7"/>
<Partition id="fbootlogo" size="7"/>
<Partition id="l_pmsys" size="1"/>
<Partition id="l_agdsp" size="6"/>
<Partition id="gnssmodem" size="1"/>
<Partition id="wcnmodem" size="10"/>
<Partition id="persist" size="2"/>
<Partition id="nr_spl" size="1"/>
<Partition id="nr_sml" size="1"/>
<Partition id="nr_uboot" size="1"/>
<Partition id="nr_boot" size="35"/>
<Partition id="nr_pmsys" size="1"/>
<Partition id="nr_agdsp" size="6"/>
<Partition id="nr_modem" size="40"/>
<Partition id="nr_v3phy" size="8"/>
<Partition id="nr_nrphy" size="8"/>
<Partition id="nr_nrdsp1" size="5"/>
<Partition id="nr_nrdsp2" size="5"/>
<Partition id="nr_deltanv" size="2"/>
<Partition id="teecfg" size="1"/>
<Partition id="teecfg_bak" size="1"/>
<Partition id="boot" size="35"/>
<Partition id="dtbo" size="8"/>
<Partition id="flag" size="1"/>
<Partition id="diag" size="1"/>
<Partition id="tpf" size="8"/>
<Partition id="phonelog" size="100"/>
<Partition id="kdebuginfo" size="200"/>
<Partition id="databackup" size="50"/>
<Partition id="prospecfg" size="1"/>
<Partition id="reserve" size="10"/>
<Partition id="kdebug" size="10"/>
<Partition id="super" size="9216"/>
<Partition id="cache" size="256"/>
<Partition id="socko" size="75"/>
<Partition id="odmko" size="25"/>
<Partition id="vbmeta" size="1"/>
<Partition id="vbmeta_bak" size="1"/>
<Partition id="metadata" size="16"/>
<Partition id="sysdumpdb" size="10"/>
<Partition id="vbmeta_system" size="1"/>
<Partition id="vbmeta_vendor" size="1"/>
<Partition id="userdata" size="0xffffffff"/>
</Partitions>
You decide what you need to back up.
*1 partition id
*2 offset (leave at zero unless you are gigabrain)
*3 size of partition
*4 output file name
*1 *2 *3 *4
./spd_dump exec_addr 0x3f28 fdl fdl1-dl.bin 0x5500 fdl uboot-mod.bin 0x9efffe00 exec read_part boot 0 35M boot.img reset
This example backs up the boot partition.
./spd_dump exec_addr 0x3f28 fdl fdl1-dl.bin 0x5500 fdl uboot-mod.bin 0x9efffe00 exec read_part boot 0 35M boot.img reset
Here we flash splloader partition so the phone can boot again. Replace u-boot-spl-16k-sign.bin with your splloader in case you have a backup of it before you entered autodload which wiped it.
./spd_dump exec_addr 0x3f28 fdl fdl1-dl.bin 0x5500 fdl uboot-mod.bin 0x9efffe00 exec erase_part uboot_log write_part splloader u-boot-spl-16k-sign.bin timeout 100000 reset
Use "Backup" section to extract boot.img
Warning
Always keep a copy of your original boot image in case something goes wrong!!!
Put the extracted boot.img into phone storage. Patch with Magisk app and copy patched img back to the PC.
Get avbtool and key file (put them in same folder):
https://android.googlesource.com/platform/external/avb/+/refs/heads/main/avbtool.py
https://github.com/unisoc-android/unisoc-android.github.io/blob/master/subut/assets/rsa4096_vbmeta.pem
We can now look at our boot image info using:
python3 avbtool.py info_image --image MAGISK_PATCHED_FILENAME.img
Output will look like this:
Footer version: 1.0
Image size: 36700160 bytes
Original image size: 19582976 bytes
VBMeta offset: 19582976
VBMeta size: 2112 bytes
--
Minimum libavb version: 1.0
Header Block: 256 bytes
Authentication Block: 576 bytes
Auxiliary Block: 1280 bytes
Public key (sha1): 2597c218aae470a130f61162feaae70afd97f011
Algorithm: SHA256_RSA4096
Rollback Index: 0
Flags: 0
Rollback Index Location: 0
Release String: 'avbtool 1.1.0'
Descriptors:
Hash descriptor:
Image Size: 19773440 bytes
Hash Algorithm: sha256
Partition Name: boot
Salt: 5f55215fd2302d021f850b55912ed48d176784678692dc012e054b1ecd0be025
Digest: 881f81e8fab4830fe1fcc7b54e1e4e51a13d09f70d006f918568fb1361050583
Flags: 0
Using this info we can now enter the command with correct parameters to sign our image:
python3 avbtool.py add_hash_footer --image MAGISK_PATCHED_FILENAME.img --partition_name boot --partition_size 36700160 --key rsa4096_vbmeta.pem --algorithm SHA256_RSA4096 --salt 5f55215fd2302d021f850b55912ed48d176784678692dc012e054b1ecd0be025
You can now flash the signed image using fastboot.
W̶I̶P̶ ̶t̶o̶g̶e̶t̶h̶e̶r̶ ̶w̶i̶t̶h̶ ̶@̶d̶e̶n̶z̶i̶l̶f̶e̶r̶r̶e̶i̶r̶a̶ ̶H̶u̶g̶e̶ ̶t̶h̶a̶n̶k̶s̶ ̶t̶o̶ ̶h̶i̶m̶ ̶:̶-̶)̶ (I gave up for now... I assume building a full rom or device specific GSI build might be the better bet as nothing seems to work but i don't know tbh. I don't posess the knowledge to do this.)
So far I have messed around with the LineageOS GSIs from Andy Yan. Sadly none of the ones I tried seem to work.
The lineage-21-light and lineage-21-td-vndklite images resulted in the phone rebooting into its bootloader.
The lineage-21-td build and aosp-14-td were different in that they booted into recovery instead.
Huge props to @denzilferreira sensei!! Check out this E-Ink control app (A9 only currently)!
/sys/devices/platform/soc/soc:ap-ahb/20400000.dsi/20400000.dsi.0/display/panel0/epd_white_threshold
/sys/devices/platform/soc/soc:ap-ahb/20400000.dsi/20400000.dsi.0/display/panel0/epd_commit_bitmap
/sys/devices/platform/soc/soc:ap-ahb/20400000.dsi/20400000.dsi.0/display/panel0/epd_usbswitch
/sys/devices/platform/soc/soc:ap-ahb/20400000.dsi/20400000.dsi.0/display/panel0/epd_power
/sys/devices/platform/soc/soc:ap-ahb/20400000.dsi/20400000.dsi.0/display/panel0/epd_contrast
/sys/devices/platform/soc/soc:ap-ahb/20400000.dsi/20400000.dsi.0/display/panel0/epd_connect
/sys/devices/platform/soc/soc:ap-ahb/20400000.dsi/20400000.dsi.0/display/panel0/epd_display_mode
/sys/devices/platform/soc/soc:ap-ahb/20400000.dsi/20400000.dsi.0/display/panel0/epd_force_clear
/sys/devices/platform/soc/soc:ap-ahb/20400000.dsi/20400000.dsi.0/display/panel0/epd_temp
/sys/devices/platform/soc/soc:ap-ahb/20400000.dsi/20400000.dsi.0/display/panel0/epd_black_threshold
/sys/devices/platform/soc/soc:ap-ahb/20400000.dsi/20400000.dsi.0/display/panel0/epd_vcom
Values of "cat /sys/devices/platform/soc/soc:ap-ahb/20400000.dsi/20400000.dsi.0/display/panel0/epd_display_mode"
clear 1049091
balanced 513
smooth 518
fast 521
echo 1 > /sys/devices/platform/soc/soc:ap-ahb/20400000.dsi/20400000.dsi.0/display/panel0/epd_force_clear clears the screen.