Mobileread
Let's root the Max Lumi 2
#1  Noctuelles 01-17-2022, 06:39 AM
Disclaimer

I am not responsible for any damage to your device. Please be very careful when doing such low level manipulation. Since we're dealing with partitions, be SURE you're flashing the correct one.

This tutorial will assume you're working with a Linux distribution. However, it can be successfully done under Windows and Mac OS.

Documentation

You can find useful resources that will help you to understand what's at stake.
I highly recommend you to read everything.
I assume you're already familiar with the command line interpreter, if not, i highly recommend you to practice a little bit before doing this tutorial.

Let's root our Max Lumi : original thread for the Max Lumi. Files provided does not apply to the Max Lumi 2.
As said in this thread, you should NOT use any patched Magisk image that don't match your current build.
Magisk installation page : only download the Magisk apk from the original GitHub repo'.
Magisk GitHub
Install ADB on Mac OS, Linux, Windows : this will guide you thought the installation of ADB (Android Debug Bridge), used to debug the device with USB-C connection.
EDL GitHub : an unofficial Qualcomm diag tools. Use to retrieve the boot partition off the device, without any super user permission or adb shell command. Again, use this tool with the greatest precaution.

Preamble

Install ADB, EDL, via the link in the documentation section.
I'll not explain how to install these because the tutorial are straightforward

Enable USB debugging on your Max Lumi 2 :
  1. Go to 'App'
  2. Press the top right button
  3. Go to 'App management'
  4. Tick 'USB Debug Mode'
  5. Plug the tablet into your computer, accept the RSA key.
  6. Go to a terminal, and type adb devices : you should see your tablet under an ID.

Download the attached file 'Qualcomm_662_loader.zip', used to communicate to the device in Emergency DownLoad Mode, and de-compress it in the EDL folder.
show attachment »

Let's get to it.
  1. Plug the Lumi 2 into the computer.
  2. Type
    Code
    adb devices
    to check if your device is properly connected.
  3. Set the device mode into Emergency Download mode :
    Code
    adb reboot edl
  4. At this point the device should hang and freeze : no panic, it's normal. If the ADB command hasn't returned any kind of error, you're in EDL mode.
  5. Navigate in the EDL tool, and inject the elf file by typing : 'edl --loader=Qualcomm_662_loader.elf' you should have this output (excepted the ":
    Code
    Capstone library is missing (optional).
    Keystone library is missing (optional).
    Qualcomm Sahara / Firehose Client V3.53 (c) B.Kerler 2018-2021.
    main - Using loader Qualcomm_662_loader.elf ...
    main - Waiting for the device
    main - Device detected :)
    main - Mode detected: sahara
    Device is in EDL mode .. continuing.
    sahara -
    ------------------------
    HWID: 0x0014d0e100000000 (MSM_ID:0x0014d0e1,OEM_ID:0x0000,MODEL_ID:0x0000)
    CPU detected: "SDM662"
    PK_HASH: 0xd40eee56f3194665574109a39267724ae7944134cd53cb767e293d3c40497955
    Serial: 0x7b6cb5b2
    sahara - Uploading loader Qualcomm_662_loader.elf ...
    Successfully uploaded programmer :)
    firehose - INFO: Chip serial num: 2070721970 (0x7b6cb5b2)
    firehose_client - Target detected: SDM662
    firehose_client
    firehose_client - [LIB]: Based on the chipset, we assume eMMC as default memory type..., if it fails, try using --memory" with "UFS","NAND" or "spinor" instead !
    firehose
    firehose - [LIB]: Couldn't detect MaxPayloadSizeFromTargetinBytes
    firehose
    firehose - [LIB]: Couldn't detect TargetName
    firehose - TargetName=Unknown
    firehose - MemoryName=eMMC
    firehose - Version=1
    firehose
    firehose - [LIB]: Memory type eMMC doesn't seem to match (Failed to init). Trying to use UFS instead.
    firehose
    firehose - [LIB]: Couldn't detect MaxPayloadSizeFromTargetinBytes
    firehose
    firehose - [LIB]: Couldn't detect TargetName
    firehose - TargetName=Unknown
    firehose - MemoryName=UFS
    firehose - Version=1
    firehose_client - Supported functions:
    -----------------
    program,read,nop,patch,configure,setbootablestoragedrive,erase,power,firmwarewrite,getstorageinfo,benchmark,emmc,ufs,fixgpt,getsha256digest
  6. You can now dump the boot partition, type
    Code
    edl r boot_a boot.img
    You should see a progress bar indicating the dump status. If everything is ok, then check if the file is present in the folder by typing
    Code
    ls -l boot.img
    The file should be here and should weight approximately 100MB.
    Code
    Capstone library is missing (optional).
    Keystone library is missing (optional).
    Qualcomm Sahara / Firehose Client V3.53 (c) B.Kerler 2018-2021.
    main - Trying with no loader given ...
    main - Waiting for the device
    main - Device detected :)
    main - Mode detected: firehose
    firehose - INFO: UFS Boot Partition Enabled: 0x1
    firehose - INFO: UFS Erase Block Size: 0x2000
    firehose - INFO: UFS Inquiry Command Output: SAMSUNG KM2L9001CM-B518 0100
    firehose
    firehose - [LIB]: Couldn't detect MaxPayloadSizeFromTargetinBytes
    firehose
    firehose - [LIB]: Couldn't detect TargetName
    firehose - TargetName=Unknown
    firehose - MemoryName=UFS
    firehose - Version=1
    firehose_client - Supported functions:
    -----------------
    program,read,nop,patch,configure,setbootablestoragedrive,erase,power,firmwarewrite,getstorageinfo,benchmark,emmc,ufs,fixgpt,getsha256digest
    firehose -
    Reading from physical partition 4, sector 65414, sectors 24576
    Progress: |██████████████████████████████████████████████████| 100.0% Read (Sector 0x6000 of 0x6000, ) 34.58 MB/s
    Progress: |██████████████████████████████████████████████████| 100.0% Complete
    Dumped sector 65414 with sector count 24576 as boot.img.
  7. Reboot into android : type
    Code
    edl reset
  8. Now transfer the boot.img file we dumped earlier into the Internal Storage of the Lumi 2 with a standard USB data transfer. You can paste it in the root directory for example.
  9. Go to the Magisk app, and perform the patch with the original boot.img (see Magisk documentation).
  10. Export the patched boot.img on your computer (it should be located in the Download folder of your tablet), in a folder of your choice.
  11. Reboot into a bootloader session with
    Code
    adb reboot bootloader
    The onyx logo is now displaying on the screen.
  12. Navigate on the folder where the patched boot.img lies. Then, try to boot with it using
    Code
    fastboot boot <file_name>
    You should see :
    Code
    downloading 'boot.img'...
    OKAY [ 0.342s]
    booting...
    OKAY [ 0.096s]
    finished. total time: 0.437s
  13. The booting went fine ! Try if your tablet is rooted then : type
    Code
    adb shell
    and execute
    Code
    su
    If the tablet ask you root privilege, you're good. We can now flash the image into the Lumi 2.
  14. Re-do the previous steps to reboot into a bootloader session.
  15. Type
    Code
    fastboot flash boot <file_name>
    You should see :
    Code
    target reported max download size of 805306368 bytes
    sending 'boot_a' (98304 KB)...
    OKAY [ 0.474s]
    writing 'boot_a'...
    OKAY [ 0.681s]
  16. Reboot the device using
    Code
    fastboot reboot
  17. Congratulation ! The Max Lumi 2 is now fully unlocked.


    You can now install a firewall to prevent android phoning back to China, and other super user privileges.
    I'll not provide any .img file for the sake of caution
    Feel free to ask anything.
Reply 

#2  amghwk 02-20-2022, 12:22 AM
Thank you for maintaining this thread. I've got the Max Lumi 2 and was waiting for this rooting info for this device.

I am using Arch Linux and have followed your advice. My problem is :

Code
Capstone library is missing (optional).
Keystone library is missing (optional).
Qualcomm Sahara / Firehose Client V3.53 (c) B.Kerler 2018-2021.
main - Using loader Qualcomm_662_loader.elf ...
main - Waiting for the device
main - Device detected :)
main - Mode detected: sahara
And it just hangs there. Doesn't proceed to Device is in EDL mode .. continuing. line.

How long should I wait? I waited for about 5 mins. Nothing happened.

Reply 

#3  Renate 02-20-2022, 05:48 AM
The Qualcomm EDL Sahara protocol is quite fragile. If it doesn't work, reset and try again. Also, make sure that you're really there. Do a "lsusb" (since you're on Linux) and make sure that you have 9008 (and not 900e). Everything should happen instantly.
Reply 

#4  amghwk 02-21-2022, 09:17 PM
Thanks for the reply.

I rebooted and tried again. Now the message is :

Code
Qualcomm Sahara / Firehose Client V3.60 (c) B.Kerler 2018-2022.
main - Using loader Qualcomm_662_loader.elf ...
main - Waiting for the device
main - Device detected :)
sahara - Protocol version: 2.1
main - Mode detected: sahara
sahara -
------------------------
HWID: 0x0014d0e100000000 (MSM_ID:0x0014d0e1,OEM_ID:0x0000,MODEL_ID:0x0000)
CPU detected: "SDM662"
PK_HASH: 0xd40eee56f3194665574109a39267724ae7944134cd53cb767e293d3c40497955
Serial: 0x34a09711
sahara - Protocol version: 2.1
sahara - Uploading loader Qualcomm_662_loader.elf ...
sahara - 64-Bit mode detected.
sahara - Firehose mode detected, uploading...
sahara - Loader successfully uploaded.
I proceeded with the next steps.


The message for edl r boot_a boot.img is

Code
ualcomm Sahara / Firehose Client V3.60 (c) B.Kerler 2018-2022.
main - Trying with no loader given ...
main - Waiting for the device
main - Device detected :)
DeviceClass
DeviceClass - [LIB]: USB Overflow
main - Mode detected: firehose
main - Trying to connect to firehose loader ...
firehose - INFO: Binary build date: Nov 11 2020 @ 21:33:13
firehose - INFO: Chip serial num: 882939665 (0x34a09711)
firehose - INFO: Supported Functions (15):
firehose - INFO: program
firehose - INFO: read
firehose - INFO: nop
firehose - INFO: patch
firehose - INFO: configure
firehose - INFO: setbootablestoragedrive
firehose - INFO: erase
firehose - INFO: power
firehose - INFO: firmwarewrite
firehose - INFO: getstorageinfo
firehose - INFO: benchmark
firehose - INFO: emmc
firehose - INFO: ufs
firehose - INFO: fixgpt
firehose - INFO: getsha256digest
firehose - INFO: End of supported functions 15
firehose_client
firehose_client - [LIB]: No --memory option set, we assume "UFS" as default ..., if it fails, try using "--memory" with "UFS","NAND" or "spinor" instead !
firehose
firehose - [LIB]: Couldn't detect MaxPayloadSizeFromTargetinBytes
firehose
firehose - [LIB]: Couldn't detect TargetName
firehose - TargetName=Unknown
firehose - MemoryName=UFS
firehose - Version=1
firehose - Trying to read first storage sector...
firehose - Running configure...
firehose - Storage report:
firehose - total_blocks:30119936
firehose - block_size:4096
firehose - page_size:4096
firehose - num_physical:6
firehose - manufacturer_id:462
firehose - serial_num:1297306958
firehose - fw_version:100
firehose - mem_type:UFS
firehose - prod_name:KM2L9001CM-B518
firehose_client - Supported functions:
-----------------
program,read,nop,patch,configure,setbootablestoragedrive,erase,power,firmwarewrite,getstorageinfo,benchmark,emmc,ufs,fixgpt,getsha256digest
firehose
firehose - [LIB]: INFO: Calling handler for read
firehose
firehose - [LIB]: ERROR: Failed to open the UFS Device slot 0 partition 6
firehose
firehose - [LIB]: ERROR: Failed to open the device:3 slot:0 partition:6 error:0
firehose
firehose - [LIB]: ERROR: OPEN handle NULL and no error, weird 203949180
firehose
firehose - [LIB]: ERROR: Failed to open device, type:UFS, slot:0, lun:6 error:3
firehose -
Reading from physical partition 4, sector 65414, sectors 24576
Progress: |███-----------------------------------------------| 5.2% Read (Sector 0x500 of 0x6000, 02s left) Progress: |█████---------------------------------------------| 10.4% Read (Sector 0xA00 of 0x6000, 02s left) Progress: |████████------------------------------------------| 15.6% Read (Sector 0xF00 of 0x6000, 02s left) Progress: |██████████----------------------------------------| 20.8% Read (Sector 0x1400 of 0x6000, 02s left)Progress: |█████████████-------------------------------------| 26.0% Read (Sector 0x1900 of 0x6000, 01s left)Progress: |████████████████----------------------------------| 31.2% Read (Sector 0x1E00 of 0x6000, 01s left)Progress: |██████████████████--------------------------------| 36.5% Read (Sector 0x2300 of 0x6000, 01s left)Progress: |█████████████████████-----------------------------| 41.7% Read (Sector 0x2800 of 0x6000, 01s left)Progress: |███████████████████████---------------------------| 46.9% Read (Sector 0x2D00 of 0x6000, 01s left)Progress: |██████████████████████████------------------------| 52.1% Read (Sector 0x3200 of 0x6000, 01s left)Progress: |█████████████████████████████---------------------| 57.3% Read (Sector 0x3700 of 0x6000, 01s left)Progress: |███████████████████████████████-------------------| 62.5% Read (Sector 0x3C00 of 0x6000, ) 35.95 MProgress: |██████████████████████████████████----------------| 67.7% Read (Sector 0x4100 of 0x6000, ) 35.89 MProgress: |████████████████████████████████████--------------| 72.9% Read (Sector 0x4600 of 0x6000, ) 36.03 MProgress: |███████████████████████████████████████-----------| 78.1% Read (Sector 0x4B00 of 0x6000, ) 35.98 MProgress: |██████████████████████████████████████████--------| 83.3% Read (Sector 0x5000 of 0x6000, ) 36.12 MProgress: |████████████████████████████████████████████------| 88.5% Read (Sector 0x5500 of 0x6000, ) 35.87 MProgress: |███████████████████████████████████████████████---| 93.8% Read (Sector 0x5A00 of 0x6000, ) 35.77 MProgress: |██████████████████████████████████████████████████| 99.0% Read (Sector 0x5F00 of 0x6000, ) 35.95 MProgress: |██████████████████████████████████████████████████| 100.0% Read (Sector 0x6000 of 0x6000, ) 35.42 MB/s
Dumped sector 65414 with sector count 24576 as boot.img.
The edl reset command just shows the edl help output.

I then need to hard reset to go to adb. I then followed the rest of the step to test if the patched boot.img can be booted into. It boots but no super user permission pops up when I type su.

The problem now stops here.
Reply 

#5  Machinus 04-06-2022, 06:13 PM
I am unable to get the EDL package to work on Windows. I successfully installed "setup.py," but then I don't know how to run the edl command after that. "edl" does not execute in the cmd or the git shells. How do you run the command?

Code
>edl
'edl' is not recognized as an internal or external command,
operable program or batch file.
I could not even get it to install on Linux:
Code
$ python setup.py build
Traceback (most recent call last): File "setup.py", line 2, in <module> from setuptools import setup, find_packages
ImportError: No module named setuptools
Reply 

#6  Renate 04-06-2022, 08:09 PM
Hi @amghwk - sorry that I didn't notice your earlier post.
Edit: Your problem may be different, but you might try my way anyway.
There are also mysterious cases where "fastboot boot" does not work but "fastboot flash" and then regular boot does work. If you have backups you should be able to play safely.

Hi @Machinus

If you have access to a (real, not virtual) Windows box, I can probably help you. I have an EDL utility for Windows. What you are trying to do is very simple, and it should be simple.

Go to the website in my signature and navigate to the EDL page. It's a bit of a beta, but I'm willing to work with anybody that is having problems.

Step 0: Download edl.exe, it's 132kB with no dependencies.
Step 1: Get into EDL (05c6/9008) mode
Step 2: Got a driver for it? If not download "Zadig" and give it one.
Step 3: Got a loader for it? If not download this, it should be the correct one if you have the same model as the OP:
https://github.com/bkerler/Loaders/raw/main/qualcomm/factory/sdm662/0014d0e100000000_d40eee56f3194665_FHPRG.bin
Oh, you were looking forward to downloading 100 Megs of loaders that you will never use. Sorry to disappoint you.
Step 4: Rename the file something sensible.
Step5:
Code
C:\>edl.exe /lsomething-sensible
He, he, I was only kidding about something sensible, don't forget the "/l" before it.
Step 6: Since you're running A/B you have to know which boot_x is the right one:
Code
C:\>edl.exe /u /g
Step 7: One of them is inactive, choose the other one:
Code
C:\>edl.exe /u /r /pboot_a boot.img /t
And the result should be the (correct) ~20Megs and not 20Megs + 80Megs of zeroes.
Step 8: If you are in doubt what you have just downloaded, get my ImgUtil.exe and do:
Code
C:\>imgutil.exe /v boot.img
Header: 596 (00000254)
Kernel: 12,937,496 (00C56918) @ 00008000 Payload: 12,636,840 (00C0D2A8) DTB: 300,656 (00049670)
Ramdisk: 0 (00000000) @ 01000000
Second: 0 (00000000) @ 00F00000
(Or something similar, the numbers will be different for you.)

Good luck!
Reply 

#7  Machinus 04-07-2022, 08:35 AM
Quote Renate
Hi @Machinus

If you have access to a (real, not virtual) Windows box, I can probably help you. I have an EDL utility for Windows. What you are trying to do is very simple, and it should be simple.
Hello Renate,

Thank you for the link! Your page has many valuable files.

I have the same model, the Max Lumi 2, just arrived yesterday. I am using a real Windows 10 system. I also have access to a real Linux system. I installed the Qualcomm USB drivers for Windows (Zadig does not show any uninstalled devices when it is plugged in).

I am not able to open the device with edl.exe:

Code
C:\>adb devices
List of devices attached
16E91C12 device
C:\>adb reboot edl
The device does not restart at this point. The screen dims, and it becomes unresponsive to inputs.

Code
C:\>edl.exe /lumiloader.bin
Found EDL 9008
Could not open device
I cannot issue any commands with edl.exe.
Reply 

#8  Renate 04-07-2022, 08:52 AM
Quote Machinus
I installed the Qualcomm USB drivers for Windows.
Well, don't!
Use Options -> List all devices in Zadig and find your device. Replace the driver with Zadig.

Edit: Oh, and it's probably /llumi... two L's unless your driver is called "umi...".
Reply 

#9  Machinus 04-07-2022, 09:10 AM
Quote Renate
Well, don't!
Use Options -> List all devices in Zadig and find your device. Replace the driver with Zadig.
Sorry, I did not realize that would not work. I can access the device, but not write.

Code
C:\>edl.exe /llumiloader.bin
Found EDL 9008
Serial: a2c376a9
HWID: 0014d0e100000000, QC: 0014d0e1, OEM: 0000, Model: 0000
Hash: d40eee56f3194665-574109a39267724a-e7944134cd53cb76-7e293d3c40497955
Sending lumiloader.bin 100% Ok
Waiting for Firehose... No response
Could not write device
The device disconnects from USB at this point.
Reply 

#10  Renate 04-07-2022, 09:41 AM
Hmm, it looks like it doesn't like your loader.
Just check if your loader is actually 660,620 bytes and MD5 1e7c8fbadbab7127b8982bbcd344f646

A petty point, but I updated the edl.exe and you can download a version that is 131,584 bytes (just uploaded).
It really should have said:
Code
Sending lumiloader.bin 100% Ok
Waiting for Firehose... No response, poking...
Could not write device
But that's just esthetics, it's not the problem.

Try:
Code
C:\>edl.exe /llumiloader.bin /v
Reply 

  Next »  Last »  (1/8)
Today's Posts | Search this Thread | Login | Register