Overview
This rooting method is based on a new vulnerability in the ARM Mali GPU driver (CVE-2022-46395) discovered by security researcher Man Yue Mo at GitHub Security Lab, to gain root access to the 3rd gen Cube that is on firmware PS7646/3550 or older. You can also check the older root method that works up to firmware PS7613/3701.
The exploit program (gazelle_buf) is run directly on the Cube to spawn a temporary root shell for quick access. On average it takes 20-60sec for the exploit to gain root access. For best results, run gazelle_buf after a fresh reboot.
Temporary Root
Open an adb root shell to for quick access admin access
Pros:
Access all files and folders from ADB
Simple to use, runs in RAM and doesn't make any changes to the Cube, no chance of bricking.
Remove app package protection so that you can enable/disable any app even without root (eg custom launchers, disabling updates, debloat, etc).
Cons:
Only enables ADB root
NOTE: raven_buf won't brick your device, but what you do with that root access can. DM-verity is still in place checking the integrity of the system/vendor partitions, do NOT modify anything in those directories, or the boot partition!!
Instructions
Enable ADB debugging in FireOS settings
Download, unzip and copy gazelle_buf to your Cube
adb push gazelle_buf /data/local/tmp/
Open an ADB shell and give gazelle_buf execution permission (only needs to be done once)
adb shell ---> opens a 'gazelle: / $' prompt
gazelle:/ $ chmod +x /data/local/tmp/gazelle_buf
Run the program. Takes 20-60sec on average.
Root access is gained when the '$' prompt changes to '#' (gazelle:/ $ --> gazelle:/ #)
gazelle:/ $ /data/local/tmp/gazelle_buf
{
"lightbox_close": "Close",
"lightbox_next": "Next",
"lightbox_previous": "Previous",
"lightbox_error": "The requested content cannot be loaded. Please try again later.",
"lightbox_start_slideshow": "Start slideshow",
"lightbox_stop_slideshow": "Stop slideshow",
"lightbox_full_screen": "Full screen",
"lightbox_thumbnails": "Thumbnails",
"lightbox_download": "Download",
"lightbox_share": "Share",
"lightbox_zoom": "Zoom",
"lightbox_new_window": "New window",
"lightbox_toggle_sidebar": "Toggle sidebar"
}
Disable package protections
Use gazelle_shrinker to open a root shell and delete all the apps listed in the file /data/system/PackageManagerDenyList
gazelle:/ # setenforce 0
gazelle:/ # echo '<?xml version="1.0" encoding="utf-8" standalone="yes" ?><map><set name="DenyListKeyPackages"></set></map>' > /data/system/PackageManagerDenyList
Disable Arcus Proxy, to keep package protections off
gazelle:/ # pm clear com.fireos.arcus.proxy
gazelle:/ # pm disable-user com.fireos.arcus.proxy
Disable Amazon's ability to block apps on your device (eg Launcher Manager)
gazelle:/ # pm disable-user com.amazon.adep
gazelle:/ # pm clear com.amazon.adep
Disable OTA updates
gazelle:/ # pm disable-user com.amazon.device.software.ota
gazelle:/ # pm clear com.amazon.device.software.ota
gazelle:/ # pm disable-user com.amazon.device.software.ota.override
gazelle:/ # pm disable-user com.amazon.tv.forcedotaupdater.v2
A reboot is required before the package protections removal takes effect. Check & confirm the list of disabled apps:
gazelle:/ $ pm list packages -d
Contributors:
Man Yue Mo, @Functioner, @Pro-me3us
Thanks to @Renate for many great tools
@RiCkLaR for tip on disabling ADEP and AppBlockList
reserved
reserved
is this for the latest update for the cube?
Eagle1337 said:
is this for the latest update for the cube?
Click to expand...
Click to collapse
Yes, this will work on any 3rd gen firmware including the most recent PS7646 from the last two weeks.
If you are still on PS7613/3701 and using the older method, I don't recommend updating to PS7646. I haven't seen any benefits to the new firmware, and it's likely just got more Amazon tricks & restrictions to look out for.
IF you care about an eventual bootloader unlock, if anyone ever finds a way , staying on an older firmware increases the chances of being able to use it.
Hello. Followed your instructions on my 3rd gen Fire TV Cube, and saw the ADB Shell prompt change from $ to #.
Then entered in the suggested shell commands to disable OTA updates etc.
I then rebooted my device.
I am a bit confused, as when I re-established ADB connection, the shell prompt is back to a $, and not #.
Is that normal?, ie. to change anything, I have to redo the process after each restart?
Excuse my ignorance, kind of new to all this stuff.
three6zerocool said:
Hello. Followed your instructions on my 3rd gen Fire TV Cube, and saw the ADB Shell prompt change from $ to #.
Then entered in the suggested shell commands to disable OTA updates etc.
I then rebooted my device.
I am a bit confused, as when I re-established ADB connection, the shell prompt is back to a $, and not #.
Is that normal?, ie. to change anything, I have to redo the process after each restart?
Excuse my ignorance, kind of new to all this stuff.
Click to expand...
Click to collapse
Read:
4. Run the program. Takes 20-60sec on average.
Root access is gained when the '$' prompt changes to '#' (gazelle:/ $ --> gazelle:/ #)
No you dont need to do it after every restart. It's disabled until you change it back..
three6zerocool said:
I am a bit confused, as when I re-established ADB connection, the shell prompt is back to a $, and not #.
Is that normal?, ie. to change anything, I have to redo the process after each restart?
Click to expand...
Click to collapse
Yeah that's to be expected. If you cleared the PackageManagerDenyList described in the op instructions, then you won't need root access anymore to disable/enable any apps.
If you need root access for something else, then you only need to run gazelle_buf again
gazelle:/ $ /data/local/tmp/gazelle_buf
gazelle:/# setenforce 0
If you need routine root access or to be able to grant SU to apps, you can check the description of bootless Magisk from the previous exploit. That would give you the ability to open a root shell whenever you type gazelle:/ $ su
I still consider bootless Magisk experimental until a handful of people report back that they have been using it for a month+. I can update the older start script to work with gazelle_buf if you want to test it out.
Pro-me3us said:
Yeah that's to be expected. If you cleared the PackageManagerDenyList described in the op instructions, then you won't need root access anymore to disable/enable any apps.
If you need root access for something else, then you only need to run gazelle_buf again
gazelle:/ $ /data/local/tmp/gazelle_buf
gazelle:/# setenforce 0
If you need routine root access or to be able to grant SU to apps, you can check the description of bootless Magisk from the previous exploit. That would give you the ability to open a root shell whenever you type gazelle:/ $ su
I still consider bootless Magisk experimental until a handful of people report back that they have been using it for a month+. I can update the older start script to work with gazelle_buf if you want to test it out.
Click to expand...
Click to collapse
Thanks for the reply and explanation.
I mainly wanted to use this exploit to stop Amazon auto removing Launcher Manager, as I like to use custom Launcher.
I think I have done things correctly, but just noticed that Launcher Manager has been removed again.
I am sure I entered all the commands in correctly, as I noticed inside LM that Amazon Updates etc were already blocked.
Could it be the settings I have used in LM?
ie. I used the old method and it brought up an ADB permission request, then I enabled the original handler, and chose my custom launcher. (Wolf Launcher)
Have also tried the new method, but LM still keeps getting removed.
What's been happening is that Launcher Manager disappears, and home button still goes to Wolf Launcher, but I can no longer access any settings menus. (until I reinstall LM)
three6zerocool said:
I mainly wanted to use this exploit to stop Amazon auto removing Launcher Manager, as I like to use custom Launcher.
Click to expand...
Click to collapse
@RiCkLaR posted about this earlier, and I think he's right. I'll add it to the instructions in the OP in a day once it's confirmed.
For now, it appears that Launcher Manager is disabled by the app Adep. You can disable it, and that should be enough to stop having to do any more reinstalls.
gazelle:/ $ pm disable-user com.amazon.adep
gazelle:/ $ pm clear com.amazon.adep
Since you have root, if you want, you can keep Amazon Launcher enabled, and only disable the Amazon homescreen. This will allow you to use your custom launcher, and not break Amazon Launcher dependent functions. Things that will work: Amazon App Store search, homescreen search, FireOS settings menu, remote recent button, other things i'm forgetting
EDIT: I forgot that doing this causes the LiveTV app to hammer the OS, so that app has to be disabled. Clearing the LiveTV app data appears to be enough to keep that app from misbehaving.
To do this follow these steps:
gazelle:/ $ pm disable-user com.amazon.firehomestarter
gazelle:/ $ pm enable com.amazon.tv.launcher
gazelle:/ $ /data/local/tmp/gazelle_buf
gazelle:/ # setenforce 0
gazelle:/ # pm disable com.amazon.tv.launcher/.ui.HomeActivity_vNext
gazelle:/ # pm clear com.amazon.tv.livetv
gazelle:/ # exit
Pro-me3us said:
Since you have root, if you want, you can keep Amazon Launcher enabled, and only disable the Amazon homescreen. This will allow you to use your custom launcher, and not break Amazon Launcher dependent functions. Things that will work: Amazon App Store search, homescreen search, FireOS settings menu, remote recent button, other things i'm forgetting
EDIT: I forgot that doing this causes the LiveTV app to hammer the OS, so that app has to be disabled.
To do this follow these steps:
gazelle:/ $ pm disable-user com.amazon.firehomestarter
gazelle:/ $ pm enable com.amazon.tv.launcher
gazelle:/ $ pm disable-user com.amazon.tv.livetv
gazelle:/ $ /data/local/tmp/gazelle_buf
gazelle:/ # setenforce 0
gazelle:/ # pm disable com.amazon.tv.launcher/.ui.HomeActivity_vNext
gazelle:/ # exit
Click to expand...
Click to collapse
Thankyou oh so much, that is fantastic advice, and I followed your above instructions, and it worked wonderfully.
You are right, it is really nice using the native preferences over Launcher Manager ones.
Also it is really good to be able to search for apps etc.
Thankyou once again!.
I was taking another look at the method in post #10, I think it's fine to keep com.amazon.tv.livetv enabled, and that just clearing the app data after disabling the Amazon homescreen is enough to keep the LiveTV app from hammering the OS. I made a small edit to the steps to clear data, rather than disable LiveTV.
Since you already ran through the steps above, you can just clear the LiveTV app data, and re-enable the app without root
gazelle:/ $ pm clear com.amazon.tv.livetv
gazelle:/ $ pm enable com.amazon.tv.livetv
To verify that there are no apps acting up, use
gazelle:/ $ top
It will show all the running apps, memory & CPU usage. When you are on your custom launcher homescreen, the Cube should idle at ~720-750% CPU usage free (800% total = 100% x 8 cores). Verify that LiveTV app isn't at the top of the CPU usage list using +50-100%.
Related
I found this website: http://www.androidkit.com/steps-to-install-and-uninstall-apk-file-on-android-g1-device
Section 3: Uninstalling the .apk file from the G1 device before installing the same .apk again.
1. In the G1 Phone, Go to Applications Menu ->Settings->Manage Applications.
2. Select the application which you want to Uninistall, and click on the ‘Uninstall’ button.
3. Follow steps 6 and 7 of Section 1.
Section 4: Uninstalling the .apk file (from the Device or Emulator) using adb shell.
There is an adb uninstall command which always shows Failure!!!
Using adb shell :
Important: The device has to be unplugged from USB if you are trying to uninstall from the emulator, else emulator should not be open and device needs to be plugged in the USB of the PC if you are trying to uninstall from the G1 Device. If either of them are not connected the adb shell command will not work
Go to the shell and making sure adb is in PATH:
Go to shell (from cmd->adb shell or directly through a terminal)
#
#cd data
#cd app
#cd ls
You will get a list of installed application with the complete package name of the package containing the main activity. e.g com.company.product.apk
#rm com.company.product.apk
#cd ls
You will not find the application – you just removed it!.
Click to expand...
Click to collapse
So, when I type:
Cd Data
Cd App
Cd ls
in my command prompt I get:
cd: can't cd to ls
$
as a prompt feedback.
----
I found an .APK to enable my headphone adapter working ( see this thread: http://forum.xda-developers.com/showthread.php?t=575534 ) via this board ( see this thread: http://forum.xda-developers.com/showthread.php?t=511704 ), and if it doesn't work, I'm taking precautions on how to uninstall it.
Anyone know why it's doing this?
Thanks people.
Minifig said:
I found this website: http://www.androidkit.com/steps-to-install-and-uninstall-apk-file-on-android-g1-device
So, when I type:
Cd Data
Cd App
Cd ls
in my command prompt I get:
cd: can't cd to ls
$
as a prompt feedback.
----
I found an .APK to enable my headphone adapter working ( see this thread: http://forum.xda-developers.com/showthread.php?t=575534 ) via this board ( see this thread: http://forum.xda-developers.com/showthread.php?t=511704 ), and if it doesn't work, I'm taking precautions on how to uninstall it.
Anyone know why it's doing this?
Thanks people.
Click to expand...
Click to collapse
the command should be "ls" not "cd ls"
also, if you know the package name you could use adb: adb uninstall <package_name>
and if you're just trying to install an app that you already have (such as updating the app) you could use adb and not have to uninstall first with: adb install -r app_name.apk
OK.
I'm just going to make sure before I even install this thing:
http://code.google.com/p/toggleheadset/downloads/detail?name=ToggleHeadset.apk&can=2&q=
This is just a widget, so it won't replace anything in my phone..
If I can't find it on the shell command, I'll be able to uninstall it via the phone like the Date widget I have as well?
Right?
I am in the position of having to manually apply the defult sepolicy patch, init,?*init_shell?* and?*recovery?*permissive, and as the title states when using the supolicy tool to modify my supplieded sepolicy it is not being produced and on closer inspection throwing an error. I have attached both the images and the sepolicy file I am trying to applie these change to.
Have I been doing something wrong or is the file corrupted??
If you need more info just ask
Note: when I first tried it inside an adb shell it reported a segumentation fault, but I was unable to reproduce that condition to be provided with as a screen shot.
{
"lightbox_close": "Close",
"lightbox_next": "Next",
"lightbox_previous": "Previous",
"lightbox_error": "The requested content cannot be loaded. Please try again later.",
"lightbox_start_slideshow": "Start slideshow",
"lightbox_stop_slideshow": "Stop slideshow",
"lightbox_full_screen": "Full screen",
"lightbox_thumbnails": "Thumbnails",
"lightbox_download": "Download",
"lightbox_share": "Share",
"lightbox_zoom": "Zoom",
"lightbox_new_window": "New window",
"lightbox_toggle_sidebar": "Toggle sidebar"
}
EDIT: I at least can say that the possibility of a corrupt file is now smaller becuse I am able to run dumpav and dump its contents to a txt file and then do afb pull back to pc. So amyone know any way to applie the defult P atchs needed to sysyemless root?
@Chainfire Since this is your binary files, you should know the most about it.
Commands to gain application root on emulator
Code:
adb shell df #Check Available Space
adb shell mount -o remount,rw /system
adb push su /system/bin/su
adb shell chmod 0755 /system/bin/su
adb push su /system/xbin/su
adb shell chmod 0755 /system/xbin/su
adb shell su --install
adb shell "su --daemon&"
adb install superuser.apk
adb install rootcheck.apk
I then proceed to patch the sepolicy file with the following commands
Code:
adb push sepolicy /data/local/tmp/sepolicy
adb shell su -c "supolicy --file /data/local/tmp/sepolicy /data/local/tmp/sepolicy_out" #There is no sepolicy_out file
adb shell su -c "chmod 0644 /data/local/tmp/sepolicy_out"
adb pull /data/local/tmp/sepolicy_out sepolicy_out
So what am I able to do?
Are you able to
A) Help me debug the problem
Or
B) Patch the sepolicy file and post the output back to me/here
Matt07211 said:
...
Click to expand...
Click to collapse
Works fine on my device... could be an x86 specific issue? Unfortunately I don't have any x86 devices to test with.
Thanks for that. Yes, I am trying to patch the policy for my armv8 (arm64) cpu device (just realised, but would trying to patch the sepolicy from one architecture using the supolicy for a different architecture have new the problem?, if so I feel dumb). And since I didn't have a spare device devce that met the requirements, I resorted to use the already setup emulator in my Windows installation.
I had proceeded to root and run the supolicy tool for which nothing out-putted (tried different directorys), I then created a new sub-directory, test, in /data/local/tmp and chmod it with read and write permissions. I tried again and failed, I then ran a dumpav in the sepolicy I was trying to patch and outputted it to /data/local/tmp/test/dumpav.txt which worked.
I am just wondering why it didn't work for me .
Thanks again for the sepolic_out file, I really do apperciate it.
Ah you're saying the segmentation fault occurred on the emulator? That's interesting. Might be reproducable on my end.
Note: look at my first image with cms in the foreground and near the bottom of the command window you should see the segfault message, around second last command or so.
To reproduce that segfault (hopefully):
1) https://software.intel.com/en-us/android/articles/android-44-kitkat-x86-emulator-system-image Download the system image from here (had to direct download instead of sdk as internet was running through profile and ask wouldn't work through it)
2) used the 2.78 SuperSu zip and run above commands to gain root
3) run above commands to try and modify sepolicy (it doesn't produce anything)
4) start an adb shell and then run the commands inside the shell. Know the outputs shown was segfault the first time running the commands, every time afterwards it would show the error in the above screenshots
If you figure out what cause the segfault can you please tell me ?
Matt07211 said:
Note: look at my first image with cms in the foreground and near the bottom of the command window you should see the segfault message, around second last command or so.
To reproduce that segfault (hopefully):
1) https://software.intel.com/en-us/android/articles/android-44-kitkat-x86-emulator-system-image Download the system image from here (had to direct download instead of sdk as internet was running through profile and ask wouldn't work through it)
2) used the 2.78 SuperSu zip and run above commands to gain root
3) run above commands to try and modify sepolicy (it doesn't produce anything)
4) start an adb shell and then run the commands inside the shell. Know the outputs shown was segfault the first time running the commands, every time afterwards it would show the error in the above screenshots
If you figure out what cause the segfault can you please tell me ?
Click to expand...
Click to collapse
Before I go do all this, can you make sure the issue persists with the v2.78 SR1 version from the BETA thread ? Some issues with supolicy were fixed in that release.
Started with a fresh emulator and the newest SuperSu and ran these commands to gain root (I am placing everything as described in update-binary in the right places just to eliminate one thing, missing dependencies)
Code:
adb shell df
adb shell mount -o remount,rw /system
adb push Superuser.apk /system/app/Superuser.apk
adb shell chmod 0644 /system/app/Superuser.apk
adb push install-recovery.sh /system/etc/install-recovery.sh
adb shell ln -s /system/etc/install-recovery.sh /system/bin/install-recovery.sh
adb shell chmod 0755 /system/etc/install-recovery.sh
adb push su /system/xbin/su
adb shell chmod 0755 /system/xbin/su
adb push su /system/bin/.ext/.su
adb shell chmod 0755 /system/bin/.ext/.su
adb push su /system/xbin/daemonsu
adb shell chmod 0755 /system/xbin/daemonsu
adb push su /system/xbin/sugote
adb shell chmod 0755 /system/xbin/sugote
adb push supolicy /system/xbin/supolicy
adb shell chmod 0755 /system/xbin/supolicy
adb push libsupol.so /system/lib/libsupol.so
adb shell chmod 0644 /system/lib/libsupol.so
adb push 99SuperSUDaemon /system/etc/init.d/99SuperSUDaemon
adb shell chmod 0755 /system/etc/init.d/99SuperSUDaemon
adb shell su --install
adb shell "su --daemon&"
adb install superuser.apk
adb install rootcheck.apk
No everything should be in place, and we now can eliminate one thing (supolicy not finding needed dependencies)
Opened up SuperSu and let it install/update binary (succesful)
I then proceeded to patch the sepolicy file like so
Code:
adb push sepolicy /data/local/tmp/sepolicy
adb shell su -c "supolicy --file /data/local/tmp/sepolicy /data/local/tmp/sepolicy_out"
I then did "ls" in the directory and no file out-putted. So I went into a shell and ran
Code:
supolicy --file /data/local/tmp/sepolicy /data/local/tmp/sepolicy_out
And it throw the error shown in the image below. First time running that command in shell it says stopped, but the second time it says stopped as well as segfault.
Keep in mind I am trying to patch a sepolicy file that originates from an armv8 cpu (arm64) on an x86 Intel emulator.
Any more info needed? I am happy to help @Chainfire
So, I think it has something to do with your emulator image (perhaps its too old ?)
I took SuperSU's ZIP file and extracted it, changed to that folder, then:
(note that my adb shell to my emulator image has # root by default)
Code:
adb push c:\download\sepolicy /data/local/tmp/sepolicy
adb push x86\. /data/local/tmp/.
adb shell
cd /data/local/tmp
chmod 0755 supolicy
LD_LIBRARY_PATH=/data/local/tmp:$LD_LIBRARY_PATH ./supolicy --file sepolicy sepolicy_out
exit
Resulting in:
Code:
supolicy v2.78 (ndk:x86) - Copyright (C) 2014-2016 - Chainfire
Patching policy [sepolicy] --> [sepolicy_out] ...
- Success
So, I'm really not sure what might be going on with your setup, but I don't think its SuperSU itself, but rather the emulator.
Note that to use supolicy --file, you only need supolicy and libsupol.so, you don't even need root.
Chainfire said:
So, I think it has something to do with your emulator image (perhaps its too old ?)
I took SuperSU's ZIP file and extracted it, changed to that folder, then:
(note that my adb shell to my emulator image has # root by default)
Resulting in:
So, I'm really not sure what might be going on with your setup, but I don't think its SuperSU itself, but rather the emulator.
Note that to use supolicy --file, you only need supolicy and libsupol.so, you don't even need root.
Click to expand...
Click to collapse
Hmm, I really don't know what is wrong, I will try exactly what you have done later today, to see If can reproduce the output. If it doesn't work then we can pin it down to the emulator itself. What emulator image did you use?
I also realise that so emulator are rooted in the sense that web shell has root acess, just wasn't sure what dependices supolicy had at the time.
Matt07211 said:
Hmm, I really don't know what is wrong, I will try exactly what you have done later today, to see If can reproduce the output. If it doesn't work then we can pin it down to the emulator itself. What emulator image did you use?
I also realise that so emulator are rooted in the sense that web shell has root acess, just wasn't sure what dependices supolicy had at the time.
Click to expand...
Click to collapse
I created an API 22 Google Nexus x86_64 AVD in Android Studio
I should be able to try that in about 20-30 mins after I download it, I was using api level 19, Intel's emulator image.
I ran these commands on the Intel api 19 x86 emulator image.
Code:
adb push libsupol.so /system/lib/libsupol.so
adb shell chmod 0644 /system/lib/libsupol.so
adb push /system/xbin/supolicy
adb shell chmod 0755 /system/xbin/supolicy
adb push supolicy /data/local/tmp/supolicy
adb shell chmod 0755 /data/local/tmp/supolicy
adb push sepolicy /data/local/tmp/sepolicy
adb shell
cd /data/local/tmp
chmod 0755 supolicy
LD_LIBRARY_PATH=/data/local/tmp:$LD_LIBRARY_PATH ./supolicy --file sepolicy sepolicy_out
and it results in the error(shown in screenshot)
Code:
libsepol.policydb_read: policydb magic number 0x464c457f does not match expected magic number 0xf97cff8c or 0xf97cff8d
-Failure!
I then tried it on the Intel x86_64 api 22 emulator image (running the same commands as the first one, resulting in a succes, with the file being outputted as the sepolicy_out.
So as you have stated @Chainfire , it looks like a problem with the emulator itself, and most likely not the supolicy tool.
Chainfire said:
So, I think it has something to do with your emulator image (perhaps its too old ?)
I took SuperSU's ZIP file and extracted it, changed to that folder, then:
(note that my adb shell to my emulator image has # root by default)
Code:
adb push c:\download\sepolicy /data/local/tmp/sepolicy
adb push x86\. /data/local/tmp/.
adb shell
cd /data/local/tmp
chmod 0755 supolicy
LD_LIBRARY_PATH=/data/local/tmp:$LD_LIBRARY_PATH ./supolicy --file sepolicy sepolicy_out
exit
Resulting in:
Code:
supolicy v2.78 (ndk:x86) - Copyright (C) 2014-2016 - Chainfire
Patching policy [sepolicy] --> [sepolicy_out] ...
- Success
So, I'm really not sure what might be going on with your setup, but I don't think its SuperSU itself, but rather the emulator.
Note that to use supolicy --file, you only need supolicy and libsupol.so, you don't even need root.
Click to expand...
Click to collapse
@Chainfire, I'm trying to patch sepolicy for a Samsung device running Nougat, so that Supersu can be installed in system mode. Could you confirm if the --sdk=24 parameter is required?
adb shell su -c "supolicy --file /data/local/tmp/sepolicy /data/local/tmp/sepolicy_out --sdk=24"
Thanks, appreciate your time.
ashyx said:
@Chainfire, I'm trying to patch sepolicy for a Samsung device running Nougat, so that Supersu can be installed in system mode. Could you confirm if the --sdk=24 parameter is required?
adb shell su -c "supolicy --file /data/local/tmp/sepolicy /data/local/tmp/sepolicy_out --sdk=24"
Thanks, appreciate your time.
Click to expand...
Click to collapse
Yes it is.
System mode hasn't been tested at all on 7.0 though. I'm not sure anybody has been able to get it to work at this point.
If you do, let me know and with the steps
Chainfire said:
Yes it is.
System mode hasn't been tested at all on 7.0 though. I'm not sure anybody has been able to get it to work at this point.
If you do, let me know and with the steps
Click to expand...
Click to collapse
Hmm wasn't aware of the lack of support for system mode in nougat, any plans to implement?
It seems system mode root renders the device unbootable according to reports from my tester.
Question, if I modify the supersu script to mount su.img from /system am I likely to hit issues?
Seems a strange query I know.
Reason is we have a Samsung device that for some reason will not boot from a source built custom Nougat kernel. Not sure if this is related to AVB yet or something else.
However we can get a half assed TWRP to boot with the stock kernel.
Only problem is, no matter what, only /system can be mounted and accessed with write permission due to permission denied issues with the rest of partitions. Pretty sure this is an SELinux issue.
Meaning systemless root cannot be installed as normal. No access to /data or /cache.
I can patch the boot.img ramdisk manually for systemless, but for root to work I would need to push su.img to system and mount it from there.
Is it possible to still mount su.img from system if I modify the ramdisk init as required?
The other avenue is to flash su.img to /data or /cache via ODIN.
If it was flashed to /cache would supersu automatically pick up its location and copy it to /data or would a flag need to be set?
Just trying to keep my options open here.
ashyx said:
Hmm wasn't aware of the lack of support for system mode in nougat, any plans to implement?
It seems system mode root renders the device unbootable according to reports from my tester.
Click to expand...
Click to collapse
It is on my list of things to test/fix, but that list is long and full of terrors.
Question, if I modify the supersu script to mount su.img from /system am I likely to hit issues?
Is it possible to still mount su.img from system if I modify the ramdisk init as required?
Click to expand...
Click to collapse
I think that could work, yes.
The other avenue is to flash su.img to /data or /cache via ODIN.
If it was flashed to /cache would supersu automatically pick up its location and copy it to /data or would a flag need to be set?
Just trying to keep my options open here.
Click to expand...
Click to collapse
SuperSU should pick it up from /cache. Alternatively, try SuperSU's FRP mode, which stores a copy of the needed files in the boot-image and re-creates /data/su.img as needed.
Chainfire said:
It is on my list of things to test/fix, but that list is long and full of terrors.
I think that could work, yes.
SuperSU should pick it up from /cache. Alternatively, try SuperSU's FRP mode, which stores a copy of the needed files in the boot-image and re-creates /data/su.img as needed.
Click to expand...
Click to collapse
Thanks, great info as always. Finally managed to root the damn thing by adding a short script to the init which copies su.img to cache.
However FRP mode sounds like a more elegant solution if I can work out how to implement it in the Ramdisk.
Much appreciate your input.
ashyx said:
So, I think it has something to do with your emulator image (perhaps its too old ?)
...
Could you confirm if the --sdk=24 parameter is required?
adb shell su -c "supolicy --file /data/local/tmp/sepolicy /data/local/tmp/sepolicy_out --sdk=24"
Thanks, appreciate your time.
Click to expand...
Click to collapse
Yea believe it was segfaulting due to the Android version, I think I was using KitKat and it wasn't working, bumped up to lollipop and above and it worked fine
Oh, the SDK parameter, never heard of it, what does it do? Geuss I'll Google that then.
ashyx said:
Thanks, great info as always. Finally managed to root the damn thing by adding a short script to the init which copies su.img to cache.
However FRP mode sounds like a more elegant solution if I can work out how to implement it in the Ramdisk.
Much appreciate your input.
Click to expand...
Click to collapse
I did the same thing for my device, add a little script to move it to data. Had no other way to get it to a locked down device without TWRP. Hehe. Good job
Can you please tell me how to manually patch init by supersu ?
I've googled a lot, but haven't found a way to manually patch init by supersu.
My model is Honor v10, there isn't a custom recovery, so i have to make a boot.img with supersu inside to get root.
Hi,
A long time ago I've followed a step-by-step tutorial to deactivate (almost) all Amazon apps so I can install Google Play and other custom apps on my kid's Kindle (7.1.2). Unfortunately, I don't have the link to that how to page. What I remember though, is that the script removed and disabled the apps.
What I need now is the Accessibility menu to appear in the Settings, and I think this is either com.amazon.settings or com.amazon.device.settings, both of them being disabled (ss seen after running the
Code:
pm list packaged -d
command.
1. This is what I have tried and the errors:
Code:
mustang:/ $ pm install com.amazon.settings
Error: failed to write; com.amazon.settings (No such file or directory)
1|mustang:/ $ pm install --user 0 "com.amazon.settings"
Error: failed to write; com.amazon.settings (No such file or directory)
1|mustang:/ $ pm enable --user 0 "com.amazon.settings"
Error: java.lang.SecurityException: Shell cannot change component state for com.amazon.settings/null to 1
1|mustang:/ $ pm enable com.amazon.settings
Error: java.lang.SecurityException: Shell cannot change component state for com.amazon.settings/null to 1
2. I've also searched for the .apks to download and install manually, but I think Amazon hides them very well 'cause googling didn't lead to any positive results.
So, if you know how to do this, or have any idea that might work, please advice. If it helps, the only reason I want to do this is because I am trying to set the Microsoft Launcher for my kid's tablet, and this needs the accessibility permission that cannot be enabled because the " App isn't installed". Also,
3. I have installed the Android Accessibility Suite directly from the Google Play, but it doesn't appear in thee Settings as in a normal Android device. So I believe the Kindle needs the original Amazon's settings for this to work.
Again, any help is appreciated.
Using ADB shell i was able to uninstall bloatware apps from my OPPO F9 pro ,and all those apps that i uninstalled using -
Code:
adb shell
pm uninstall -k --user 0 <package_name>
were also those apps being identified by app inspector ,means i was able to see the their package name in app inspector and they were system apps as well but ,there are some other system apps like oppo appstore,compass, oppo theme store,oppo game center,etc those are neither shown in app inspector(idk why) where package information of other system+user apps is available and nor i can delete them ,BUT they are installed in my phone.
I receive the following error while uninstalling these system apps(taking example when i try 2 uninstall game center)-
Code:
adb shell
pm uninstall -k --user 0 com.coloros.gamespace
Failure [not installed for 0]
Now , "Failure [not installed for 0]" is the error when i try to uninstall any app that already is uninstalled (OR) doesn't exist on the android, BUT again ,these apps those im facing error to uninstall are actually there in my phone.
You might also wish 2 know that for these same apps ,how do i got the package name like the one in the example;com.coloros.gamespace since its package was not even shown in app inspector(or any other app) ,then i would like 2 tell u that i just searched in google typing "list of oppo bloatware" ,searched for the package name of these apps from websites those app inspector was unable to identify.
If anyone can help me in this issue i would really be thankful
... probably NOT in the S21ULTRA thread....
armankang said:
If anyone can help me in this issue i would really be thankful
Click to expand...
Click to collapse
Not an OPPO thread but you need to look for your phone specific packages with:
adb shell pm list packages
Using the above ADB Shell command, you can print the list of the app package names for all apps installed on your Android device. You can use this command with different parameters to get a more specific list of app packages.
For instance, if you want to list the system apps only, use
adb shell pm list packages -s
In order to list all third-party apps installed on your Android phone or tablet, you issue the following command.
adb shell pm list packages -3
Do you want ADB Shell to show the list of all enabled or disabled apps on your device, try the command with parameters like ‘-d‘ (for disabled apps), ‘-e‘ (for enabled apps), and ‘-u‘ (for uninstalled apps).
adb shell pm list packages -d
adb shell pm list packages -epm list packages
adb shell pm list packages -u
To list app packages with specific keywords filter.
adb shell pm list packages <keywords>
To find the list of apps along with their associated packages, execute the following command
adb shell pm list packages -f
You can easily get a list of group packages by a certain manufacturer, or come common term. For instance, if you want to list all apps by Google, you can use the following command.
adb shell pm list packages | grep 'google'
You can replace “google” with “samsung”, “huawei”, “xiaomi”, “miui”, “evenwell”, “android”, “facebook”, etc. to get desired list of packages.
Ipse_Tase said:
... probably NOT in the S21ULTRA thread....
Click to expand...
Click to collapse
sorry bro i will change it i was just confused as it was my 3rd time only using xda threads to ask questions
mzsquared said:
Not an OPPO thread but you need to look for your phone specific packages with:
adb shell pm list packages
Using the above ADB Shell command, you can print the list of the app package names for all apps installed on your Android device. You can use this command with different parameters to get a more specific list of app packages.
For instance, if you want to list the system apps only, use
adb shell pm list packages -s
In order to list all third-party apps installed on your Android phone or tablet, you issue the following command.
adb shell pm list packages -3
Do you want ADB Shell to show the list of all enabled or disabled apps on your device, try the command with parameters like ‘-d‘ (for disabled apps), ‘-e‘ (for enabled apps), and ‘-u‘ (for uninstalled apps).
adb shell pm list packages -d
adb shell pm list packages -epm list packages
adb shell pm list packages -u
To list app packages with specific keywords filter.
adb shell pm list packages <keywords>
To find the list of apps along with their associated packages, execute the following command
adb shell pm list packages -f
You can easily get a list of group packages by a certain manufacturer, or come common term. For instance, if you want to list all apps by Google, you can use the following command.
adb shell pm list packages | grep 'google'
You can replace “google” with “samsung”, “huawei”, “xiaomi”, “miui”, “evenwell”, “android”, “facebook”, etc. to get desired list of packages.
Click to expand...
Click to collapse
Thanks for replying bro.
So i got to know that i was getting that "Failure [not installed for 0]" error because the app packages given(for the same apps) those i searched for in google were not the same as for mine device's system apps ,so i got that error.
So when i just opened the list of packages using "pm list packages -___" i got the package names for those apps ,BUT still even now when i try to uninstall
those system apps using adb command with their correct package name i get a new error-
Code:
adb shell
pm uninstall --user 0 <package_name>
Failure [DELETE_FAILED_INTERNAL_ERROR]
In fact i can't even disable them like usually i can disable other system apps/user apps.
*When i use command pm disable for those apps showing no error-
Code:
adb shell
pm disable-user --user 0 <pkg_name>
Package <pkg_name> new state: disabled-user
*When i get error(maybe not error but app stays in default state with no change) for other system apps-
Code:
adb shell
pm disable-user --user 0 <pkg_name>
Package <pkg_name> new state: default
In short, neither i am able to uninstall them nor i can disable them, if it is because the system isn't giving me permission to do so then is there any other adb command that needed to be executed before these to get access first and then uninstall/disable.
BTW im fully relying on ADB shell to grant permissions or perform any operation ,i don't have root in my phone ,so plz tell if there is any method for non-rooted devices,thx
PLZ help.
without root you wont be able to delete system level apps.
uicnren said:
without root you wont be able to delete system level apps.
Click to expand...
Click to collapse
ok bro thanks
armankang said:
Thanks for replying bro.
So i got to know that i was getting that "Failure [not installed for 0]" error because the app packages given(for the same apps) those i searched for in google were not the same as for mine device's system apps ,so i got that error.
So when i just opened the list of packages using "pm list packages -___" i got the package names for those apps ,BUT still even now when i try to uninstall
those system apps using adb command with their correct package name i get a new error-
Code:
adb shell
pm uninstall --user 0 <package_name>
Failure [DELETE_FAILED_INTERNAL_ERROR]
In fact i can't even disable them like usually i can disable other system apps/user apps.
*When i use command pm disable for those apps showing no error-
Code:
adb shell
pm disable-user --user 0 <pkg_name>
Package <pkg_name> new state: disabled-user
*When i get error(maybe not error but app stays in default state with no change) for other system apps-
Code:
adb shell
pm disable-user --user 0 <pkg_name>
Package <pkg_name> new state: default
In short, neither i am able to uninstall them nor i can disable them, if it is because the system isn't giving me permission to do so then is there any other adb command that needed to be executed before these to get access first and then uninstall/disable.
BTW im fully relying on ADB shell to grant permissions or perform any operation ,i don't have root in my phone ,so plz tell if there is any method for non-rooted devices,thx
PLZ help.
Click to expand...
Click to collapse
Are Google Apps, system apps?
****Hawk said:
Are Google Apps, system apps?
Click to expand...
Click to collapse
Afaik every app that you can't uninstall without adb is a system app
Overview
This rooting method is based on a vulnerability in the ARM Mali GPU driver (CVE-2022-38181) discovered by security researcher Man Yue Mo at GitHub Security Lab, to gain root access to the 3rd gen Cube that is on firmware PS7613/3701 or older. Newer method for PS7646 here.
The exploit program (gazelle_shrinker) is run directly on the Cube to spawn a temporary root shell for quick access. It can also be run automatically on every boot in combination with @diplomatic's bootless Magisk script to grant apps root access.
For best results, run gazelle_shrinker 30-90sec after boot up, when loading is complete and the device is idle.
Two options for root depending on your needs & comfort level
1) Temporary ADB root - Open an ADB root shell for quick access (PS7613/3701 or older)
Pros:
Access all files and folders from ADB
Simple to use, runs in RAM and doesn't make any changes to the Cube, no chance of bricking.
Remove app package protection so that you can enable/disable any app even without root (eg custom launchers, disabling updates, debloat, etc).
Cons:
Only enables ADB root
gazelle_shrinker occasionally crashes/reboots the Cube when being run. Run it 30-90sec after bootup for greater reliability.
NOTE: gazelle_shrinker won't brick your device, but what you do with that root access can. DM-verity is still in place checking the integrity of the system/vendor partitions, do NOT modify anything in those directories, or the boot partition!!
2) Bootless Magisk - Automatically start a lite version of Magisk that runs entirely from the data partition, (PS7613/3701 or older).
Pros:
Both ADB root and ability to grant root to apps through Magisk Manager
Once the Magisk dameon has started, root can be granted stably whenever needed
Doesn't modify boot or system/vendor partitions, DM-verity is preserved
Cons:
This is experimental, use at your own risk! It's been working stabably during my testing but it's impossible to foresee every issue.
Still relies on gazelle_shrinker to start, and may occasionally crash when gazelle_shrinker runs at boot
Most Magisk modules don't work.
NOTE: Be careful of what apps you give root access to. Giving root access to an app that modifies the boot, system or vendor partitions will brick your device. Again, DM-verity is still actively checking that no changes have been made to system/vendor directories.
Contributors:
Man Yue Mo, @Functioner, @Pro-me3us
@ Thanks to @diplomatic for bootless Magisk script, and @SweenWolf for Launcher Manager
@ Thanks to @Renate for many great tools
@ Thanks to all the folks who have worked on TWRP & Magisk
Temporary ADB root (PS7613/3701 or older)
Disclaimer: Use this at your own risk, I'm not responsible for any data loss or corruption to your device. There is a nonzero chance of bricking the Cube, and little to no recovery options.
Instructions
Enable ADB debugging in FireOS settings
Download, unzip and copy gazelle_shrinker to your Cube
Code:
adb push gazelle_shrinker /data/local/tmp/
Give gazelle_shrinker executable permissions
Code:
adb shell
chmod +x /data/local/tmp/gazelle_shrinker
Open an adb shell and run the program
For best results, run gazelle_shrinker 30-90sec after boot up, when loading is complete and the device is idle.
Code:
adb shell
/data/local/tmp/gazelle_shrinker
setenforce 0
How to disable package protection
Use gazelle_shrinker to open a root shell, setenforce 0 and delete all the apps listed in the file /data/system/PackageManagerDenyList
Code:
/data/local/tmp/gazelle
setenforce 0
Code:
echo '<?xml version="1.0" encoding="utf-8" standalone="yes" ?><map><set name="DenyListKeyPackages"></set></map>' > /data/system/PackageManagerDenyList
Clear Arcus Proxy, disable Arcus Proxy
Code:
pm clear com.fireos.arcus.proxy
pm disable-user com.fireos.arcus.proxy
Optional but strongly recommended, disable updates
Code:
pm disable-user com.amazon.device.software.ota
pm clear com.amazon.device.software.ota
pm disable-user com.amazon.device.software.ota.override
pm disable-user com.amazon.tv.forcedotaupdater.v2
A reboot is required before the protection removal changes take effect.
Verify that any apps you disable actually are disabled. Then reboot, and verify again!
Code:
pm list packages -d
Bootless Magisk (PS7613/3701 or older)
These instructions use an adapted version of @diplomatic's bootless Magisk script & @SweenWolf's Launcher Manager to autoboot, it's recommended you read the original Bootless Magisk post to better understand how it works, and it's limitations.
Disclaimer: Use this at your own risk, I'm not responsible for any data loss or corruption to your device. There is a nonzero chance of bricking the Cube, and little to no recovery options.
Instructions
Enable ADB debugging in FireOS settings
Download gazelle_bootless_magisk, unzip it, and copy it to your Cube keeping the same directory structure
Code:
adb shell mkdir /data/local/tmp/bin
adb push gazelle_bootless_magisk/* /data/local/tmp/
adb shell pm install -r /data/local/tmp/magisk_manager.apk
Give scripts & binaries executable permissions
Code:
adb shell
chmod +x /data/local/tmp/magisk-boot.sh
chmod +x /data/local/tmp/start.sh
chmod +x /data/local/tmp/bin/magiskinit
chmod +x /data/local/tmp/bin/gazelle_shrinker
Install Launcher Manager on your Cube, open, navigate to 'other settings', 'ADB Commands'
Tap on the + icon in the top right corner to create a new command
Enter Name: Start Magisk
Enter Command: sleep 30 && /data/local/tmp/start.sh
Check 'Execute on Boot'
Save
{
"lightbox_close": "Close",
"lightbox_next": "Next",
"lightbox_previous": "Previous",
"lightbox_error": "The requested content cannot be loaded. Please try again later.",
"lightbox_start_slideshow": "Start slideshow",
"lightbox_stop_slideshow": "Stop slideshow",
"lightbox_full_screen": "Full screen",
"lightbox_thumbnails": "Thumbnails",
"lightbox_download": "Download",
"lightbox_share": "Share",
"lightbox_zoom": "Zoom",
"lightbox_new_window": "New window",
"lightbox_toggle_sidebar": "Toggle sidebar"
}
When you reboot your Cube, bootless Magisk will automatically start ~30sec after your homescreen loads. It's important that FireOS has loaded and that the device isn't busy, so don't open any apps until after Magisk has loaded. There's a greater chance that gazelle_shrinker will fail or reboot the Cube while launching Magisk if the device is busy.
TO AVOID BRICKING YOUR DEVICE:
Be careful of what apps you give root access to. Giving root access to an app that modifies the boot, system or vendor partitions will brick your device. DM-verity is still actively checking that system/vendor directories haven't been tampered with.
Don't run the boot-magisk.sh script (from either ADB or Launcher Manager) more than once per boot. Doing so will mess up the mounting and module initiation.
Never toggle ADB debugging off/on in the Developer's menu while Magisk is running. This will kill the Magisk daemon running in the background, and could corrupt your device if it's in the middle of an important process.
Only use WiFi ADB, not USB ADB. Booting the Cube with an USB attached computer puts USB in device mode, and ADB will close and kill Magisk when the Cube sleeps in device mode.
This release includes Magisk v21.4 (magiskinit) and Magisk Manager v8.0.7. Don't update Magisk! Patching your boot image will brick your device!
Manually update new 3rd gen Cube firmware PS7299/3052 --> PS7613/3701
New 3rd gen Cubes are (as of June 7th, 2023) shipped with firmware PS7299/3052. To update the device firmware to the latest version (PS7613/3701) that gazelle_shrinker still works on, follow these steps:
Download PS7613/3701 firmware to your Cube's 'Download' folder (Downloader code: 271370)
Run the following commands:
gazelle:/ $ /data/local/tmp/gazelle_shrinker
gazelle:/ # setenforce 0
gazelle:/ # mv /sdcard/Download/update-kindle-gazelle-PS7613_user_3701_0025401652612.bin /data/ota_package/update-kindle-gazelle-PS7613_user_3701_0025401652612.bin
gazelle:/ # echo 'recovery\n--update_package=/data/ota_package/update-kindle-gazelle-PS7613_user_3701_0025401652612.bin' > /cache/recovery/command
gazelle:/ # reboot recovery
Done. The Cube will reboot to recovery and update. This method requires root access, and can only be used to upgrade firmware, NOT downgrade firmware.
reserved
This is really interesting and exciting. I wonder if this vulnerability affects any other Fire HD devices as well (obviously those using Mali GPUs). If you don't mind me asking, what are your plans regarding the PoC's source code? (nevermind, I think I found the original POC here). Could you give some hints regarding to what needs to be changed in order to port the exploit to other devices? I'd love to test it and learn more about this CVE.
Rortiz2 said:
I wonder if this vulnerability affects any other Fire HD devices
Click to expand...
Click to collapse
I made a post on the FireHD section about this yesterday, I can add details there. I want to keep this thread focused on the 3rd gen Cube and issues with the rooting binary
Amazing work @Pro-me3us! I'm soon going to buy one if I have the time and try it out before it's patched. I wonder how @k4y0z unlocked the sheldon/p devices with the decryption to see what we can do to decrypt the 3rd gen Cube as well since it sounds so similar to this thread with the firmware version to unlock the sheldon/p and root the device. And for what it's worth it's better to stay locked on 7.6.1.3 and below like you said.
Skel40 said:
since it sounds so similar to this thread with the firmware version to unlock the sheldon/p and root the device. And for what it's worth it's better to stay locked on 7.6.1.3 and below like you said.
Click to expand...
Click to collapse
I admit I haven't followed the MTK exploits closely. Any bootloader unlocking these days is going to require 2 (or more) exploits. One exploit for the bootloader itself, and a second exploit to put that first exploit in place. Gazelle is missing a bootloader exploit. Amlogic and MTK devices use very different bootloaders, and aren't likely to have any overlapping vulnerabilities. I hope that gazelle_shrinker can give someone else a foot in the door to find something, but bootloader vulnerabilities are rare.
Sorry, I know this is an absolutely idiotic question but how to I do this
Use gazelle_shrinker to open a root shell, setenforce 0 and delete all the apps listed in the file /data/system/PackageManagerDenyList
I'm using the concole in adblink2. I know nothing about this stuff so was basically just following the guide, but no idea what that means. Again, I realise it’s probably stupid, but if I don't ask I don't learn.
Jerri1240 said:
Use gazelle_shrinker to open a root shell, setenforce 0 and delete all the apps listed in the file /data/system/PackageManagerDenyList
Click to expand...
Click to collapse
No problem, in the guide above I'm summarizing the instructions, an then providing the commands to copy and paste below each summary.
I'm assuming that you have already copied gazelle_shrinker to /data/local/tmp/ on your Cube
Instead of using ADBLink's console button, use the ADB shell button, to open a terminal window on your Cube where you can enter the commands in the instructions (you will see this gazelle:/ $ prompt). Hopefully this gives you an idea of the flow of the instructions:
You want to paste in each of these commands one by one
gazelle:/ $ chmod +x /data/local/tmp/gazelle_shrinker
gazelle:/ $ /data/local/tmp/gazelle_shrinker
gazelle:/ # setenforce 0
gazelle:/ # echo '<?xml version="1.0" encoding="utf-8" standalone="yes" ?><map><set name="DenyListKeyPackages"></set></map>' > /data/system/PackageManagerDenyList
gazelle:/ # pm clear com.fireos.arcus.proxy
gazelle:/ # pm disable-user com.fireos.arcus.proxy
You are going to want to disable updates, since Amazon is definitely going to patch this type of access to the Cube
Got one yesterday and tried the temp shrinker root and all works good for now. I just want to give a heads up to anybody trying this guide to go ahead and update to 7.6.1.3. Disable HDR is available instead of Adaptive and the Always HDR mode. I'm now stuck on the Magisk temp root guide above.
Pro-me3us said:
No problem, in the guide above I'm summarizing the instructions, an then providing the commands to copy and paste below each summary.
I'm assuming that you have already copied gazelle_shrinker to /data/local/tmp/ on your Cube
Instead of using ADBLink's console button, use the ADB shell button, to open a terminal window on your Cube where you can enter the commands in the instructions (you will see this gazelle:/ $ prompt). Hopefully this gives you an idea of the flow of the instructions:
You want to paste in each of these commands one by one
gazelle:/ $ chmod +x /data/local/tmp/gazelle_shrinker
gazelle:/ $ /data/local/tmp/gazelle_shrinker
gazelle:/ # setenforce 0
gazelle:/ # echo '<?xml version="1.0" encoding="utf-8" standalone="yes" ?><map><set name="DenyListKeyPackages"></set></map>' > /data/system/PackageManagerDenyList
gazelle:/ # pm clear com.fireos.arcus.proxy
gazelle:/ # pm disable-user com.fireos.arcus.proxy
You are going to want to disable updates, since Amazon is definitely going to patch this type of access to the Cube
Click to expand...
Click to collapse
Thank you, really do appreciate it.
I basically don't want to look at Amazon's launcher so had been using sweenwolfs manager, but if I can disable updates that's even better. I've been using wolf launcher on my gen2 cube and just got the gen3 this week so really happy to have been able to do this. Thanks again for the idiots guide.
Second idiot question, is there a lost of things I should install, and if updates are stuck on 'checking now...' I assume turning off updates has worked? And lastly, do I want to install bootless magisk too?
Jerri1240 said:
Second idiot question, is there a lost of things I should install, and lastly, if updates are stuck on 'checking now...' I assume turning off updates has worked?
Click to expand...
Click to collapse
Other than the temp gazelle exploit shell you inputted the only thing left is Magisk temp root which you'd have to be careful in case you want to have root apps. Since the updates are stuck on 'Checking now' yes it means it has worked and typing in adb shell pm list packages -d should show com.amazon.device.software.ota and other packages disabled meaning it has worked. To be safe to verify reboot and run the command again to quickly check that the system didn't encrypt the package manager.
Skel40 said:
Other than the temp gazelle exploit shell you inputted the only thing left is Magisk temp root which you'd have to be careful in case you want to have root apps. Since the updates are stuck on 'Checking now' yes it means it has worked and typing in adb shell pm list packages -d should show com.amazon.device.software.ota and other packages disabled meaning it has worked
Click to expand...
Click to collapse
Thank you. No, I just want to be able to use a launcher I like and not have an Amazon update disable it. So I can just leave as is.
Jerri1240 said:
Thank you. No, I just want to be able to use a launcher I like and not have an Amazon update disable it. So I can just leave as is.
Click to expand...
Click to collapse
No problem and yeah honestly due to its limitations I'd rather not take any risks given the price of the device but we're definitely getting somewhere for sure with having control at least.
Jerri1240 said:
is there a lost of things I should install, and if updates are stuck on 'checking now...' I assume turning off updates has worked? And lastly, do I want to install bootless magisk too?
Click to expand...
Click to collapse
When you disable the OTA apps, you should get a near instant 'Update Error' when checking updates
gazelle:/ $ pm disable-user com.amazon.device.software.ota
gazelle:/ $ pm disable-user com.amazon.device.software.ota.override
gazelle:/ $ pm disable-user com.amazon.tv.forcedotaupdater.v2
Now that you have removed the package protections, you can use Launcher Manager to disable the OTA packages above
Launcher Manager / Other settings / Amazon OS Updates / Block updates
This will have Launcher Manager run the pm disable-user commands for you.
Do as @Skel40 recommended, verify that all the apps you disabled, are actually disabled from the command line, especially Arcus Proxy.
gazelle:/ $ pm list packages -d
I also agree with Skel40 about Magisk, if you don't need it for any apps you are using, it's an extra complication that you are better off without.
@Skel40 thanks for confirming everything is working! If you have any issues getting bootless Magisk working let me know. You can enable/disable it by just checking/unchecking 'execute on boot' in Launcher Manager and rebooting the Cube.
Pro-me3us said:
pm disable-user com.amazon.device.software.ota
Click to expand...
Click to collapse
No update error. just 'checking now', launcher manager lists update status as blocked, though.
pm list packages -d gets me the following
package:com.android.nfc
package:com.fireos.arcus.proxy
package:com.amazon.tv.forcedotaupdater.v2
package:com.amazon.device.software.ota
package:com.amazon.device.software.ota.override
Jerri1240 said:
No update error. just 'checking now', launcher manager lists update status as blocked, though.
pm list packages -d gets me the following
package:com.android.nfc
package:com.fireos.arcus.proxy
package:com.amazon.tv.forcedotaupdater.v2
package:com.amazon.device.software.ota
package:com.amazon.device.software.ota.override
Click to expand...
Click to collapse
Since pm list packages -d has it listed as disabled, that's all that really matters.
Pro-me3us said:
Since pm list packages -d has it listed as disabled, that's all that really matters.
Click to expand...
Click to collapse
Thanks again for the help. Really appreciate it.