Rooting The Lenovo Ideapad K1 (MESSY)
This method is a messy method, it should work but IT WILL ERASE EVERYTHING OFF YOUR SYSTEM!! Please backup everything as I outline in the instructions. I AM NOT RESPONSIBLE FOR ANY DAMAGE TO YOUR HARDWARE OR SOFTWARE.
RECCOMMENDED ONLY FOR ADVANCED USERS..... do not do this if you don't understand whats going on. I am working on a recovery that should make this easier (just trying to work out some kinks) the images i included include my current recovery attempts (not working)... if you want the stock recovery thats fine when it gets to that step see the comments.
Read through this whole thing first so you know what your getting into.
These instuctions assume you are using linux, although the methods should be similar for windows. (you will need to modify drivers to work with windows if you go that route)
Files you will need:
NVFLASH (with ideapad bootloader.bin, flash.bct) - This was leaked, it can be found here see post #18: http://forum.xda-dev...=1180266&page=2
Transformer bootloader.bin - see download link below
ADB - you must have adb on your computer.
**make_ext4fs - must be compiled for your system, if you need to compile it you need to essentially build android from source which will compile the tools as part of the process - see downloads below for a precompiled linux file
**latest lenovo ota - (this method tested with US builds 111017 and 110829 although it should work with any (as long as it has a complete system file) download from http://download.leno.../slates/k1/OTA/
** Only needed if you want to make your own /system from the OTA, i have included prebuilt ones already (for ota111017).
Link to these files: http://www.megaupload.com/?d=NQLCZDUZ
sha1sum for the tools:
45f50a332c9de03c2b140fb865fcfc67ab5abd7d ideapad_root_tools.zip
##################STEP 1###############
Setting up the environment.
The NVFlash that was leaked is the key to this whole thing. In the leaked files there is a .bat with the needed sbk key: 0x0d0a6f49 0x6c577634 0x4d634e55 0x47336d55. This key is essential to the method, without it we could not use this method.
NOTE: may have to run commands as root if you have not setup udev for your user -> this is because you will not have permissions to the USB devices if not. if you don't know what this means just run the commands with as root (sudo).
1. unzip the NVFLASH zip to whatever directory you choose. If you get this file from the source listed above it will include a couple of different folders, you need to go to Lenovo_windows>Burn_image . This is the directory where the magic will happen. From now on will refer to this directory as NVFLASH_HOME.
2. put the transformer bootloader into NVFLASH_HOME. Name it transformer_bootloader.bin (if not already named as such DO NOT REPLACE ideapad's bootloader)
3. Remove boot.img, (recovery.img if you want to see/use my cwm progress not working though only for advanced Devs) and system.img from NVFLASH_HOME. you can put them in another directory inside NVFLASH_HOME called ORIG_IMG
4. Whenever using NVFLASH, you must put the tablet in APX mode by holding vol up vol down and powering on the unit. It will turn on to a blank black screen.
##################STEP 2###############
BACKUP your system ... this may take a little while but its worth it. This should just about garuntee that you can get back to your original system should something not go right.
1. create BACKUP_ORIG directory in NVFLASH_HOME.
2. navigate to NVFLASH_HOME in terminal
3. type in terminal "./nvflash --sbk 0x0d0a6f49 0x6c577634 0x4d634e55 0x47336d55 --bct flash.bct --setbct --odmdata 0x300c0011 --configfile flash.cfg --bl transformer_bootloader.bin --sync" (this assumes you got nvflash and accompanied files via above dload, if not your filenames could be different NOTICE: we use transformer_bootloader.bin instead of ideapad's bootloader!)
4. type in terminal "./nvflash -r --getpartitiontable ./BACKUP_ORIG/partitions.cfg" - this pulls your patition table to your backup folder
5. open the partitions.cfg (its a text file) in it will list the paritions and there partition ID numbers for example:
=============SAMPLE partitions.cfg================================
PartitionId=2
Name=BCT
DeviceId=18
StartSector=0
NumSectors=1536
BytesPerSector=2048
PartitionId=3
Name=PT
DeviceId=18
StartSector=1536
NumSectors=256
BytesPerSector=2048
PartitionId=4
Name=EBT
DeviceId=18
StartSector=1792
NumSectors=1536
BytesPerSector=2048
==================================================================
These PartitionId numbers will be used to backup the complete system.
6. Backup each partition using the following commands (in the same terminal we have not exited)
"./nvflash -r --read BOOTPARTID PART_NAME.img" Replace BOOTPARTID with a Partition ID from partition.cfg and replace PART_NAME.img with the name of the parition that corresponds to the parition id. for example
=============SAMPLE partitions.cfg================================
"./nvflash -r --read 4 BACKUP_ORIG/EBT.img" (this command would copy the EBT partition to the file EBT.img in the BACKUP_ORIG directory that you made)
"./nvflash -r --read 2 BACKUP_ORIG/BCT.img" (does the same thing just for a different parition (BCT partition))
==================================================================
Do this for every parition.
Especially these:
BCT - boot config table
PT - partition Table
EBT - bootloader
SOS - recovery partion
LNX - boot.img / boot partition
APP - /system
UDA - User data - i think this is user data where all the premium apps are stored that came with it. Back this up if you want them back
There are other partitions as well... and i am not sure of all of them.... use due diligence and back them all up its worth your patience.
THIS STEP WILL TAKE TIME AND REQUIRE A GOOD AMOUNT OF HARD DRIVE SPACE Approx 30GB to get it all!
if thats a problem and there is no way at lease back up userdata and bootloader and parition table! (userdata will take up approx 3.3 GB alone)
You can calulate the space per partition yourself just multiply bytes per sector by NumSectors, and that gives you how many bytes. Divide that number by 1073741824 to put convert to Gigabytes)
##################STEP 3###############
MAKE SURE YOU HAVE BACKED UP BEFORE THIS
Now we will format the tablet and load up the rooted img files.
1. Unpack the system.img, (recovery.img from dload and name it as such if you want the cwm i am working on it does not work right though... advanced users only), and boot.img to NVFLASH_HOME from the download listed above.
2. Run this command in terminal: "./nvflash --bct flash.bct --setbct --odmdata 0x300c0011 --sbk 0x0d0a6f49 0x6c577634 0x4d634e55 0x47336d55 --configfile flash.cfg --create --bl bootloader.bin --go" (note this time we use the ideapad booloader!!!! NOT transformer bootloader)
4. This will take a little while to complete. When done it should reboot into your new rooted OS!!!! (although right now you can only get root through ADB)
################STEP 4###############3
This will allow you to access root from inside android, and allow other apps to use root when needed. (note that the image already included the superuser.apk
1. in terminal use adb to push the modified su to /system/xbin/ do this first remount the filesystem as read/write (rw) "./adb remount" (should show remount successful)
2. in terminal "./adb push <location of su on computer. /system/xbin/su"
3. adb shell into the tablet to change permissions of su "./adb shell"
4. in the adb shell: "cd /system/xbin"
5. still in adb shell: "chmod 4755 su" (this changes permission so that any user can access it and assume root through it)
6. in adb shell: "exit"
THATS IT!! you should now have root... download a terminal emulator from marketplace and see if you can su! (superuser should ask you to whitelist the app) and thats it
I will need to update this guide to show people how to build the image themselves this is for those who are feeling antsy.
###############Making your own system.img files####################
Currently and the main problem with this method, is that you must wipe your entire system to use the new image. This is why a working recovery would be so nice. This is a quick writeup of how to. Note that you actually get root access from the boot.img file. This file is not particularly unique as compared to other androids systems. however if you want guidance on how to edit boot.img i will include this upon request. (The tools to do so i have already posted)
Use the system folder from an OTA update, you can modify it as you deem. You must add the symlinks back to the system folder. They should be added to "/system/bin/" These can be found in the img that i have already included. They are:
cat
chmod
chown
cmp
date
dd
df
dmesg
getevent
getprop
hd
id
ifconfig
iftop
insmod
ioctl
ionice
kill
ln
log
ls
lsmod
lsof
mkdir
mount
mv
nandread
netstat
newfs_msdos
notify
printenv
ps
reboot
renice
rm
rmdir
rmmod
route
schedtop
sendevent
setprop
sh
sleep
smd
start
stop
sync
top
umount
uptime
vmstat
watchprops
wipe
Next you must set the permissions for system so they are appropriate for android. to do this in terminal assuming your in the system directory type: "sudo chown 0:0 -R ."
This sets the owner to root
then type "sudo chmod 777 -R ."
This sets the access permissions for all (they will be overwritten when loaded by the phone however)
next you must run the included make_ext4fs with the following command:
"sudo ./make_ext4fs -l 400M -a system system.img.new dir_of_system_folder"
This command will convert the system folder found at dir_of_system_folder and create a system.img.new file for it.
You must rename this file to system.img and put it in the directory of nvflash in place of the system.img file there. Then just reflash the system as described above.
NOTE: if you are looking to just modify some files in the exising system folder you could probably do so by just using the adb push command. This would allow you to potentially moify the system files without reflashing again.
This method is a messy method, it should work but IT WILL ERASE EVERYTHING OFF YOUR SYSTEM!! Please backup everything as I outline in the instructions. I AM NOT RESPONSIBLE FOR ANY DAMAGE TO YOUR HARDWARE OR SOFTWARE.
RECCOMMENDED ONLY FOR ADVANCED USERS..... do not do this if you don't understand whats going on. I am working on a recovery that should make this easier (just trying to work out some kinks) the images i included include my current recovery attempts (not working)... if you want the stock recovery thats fine when it gets to that step see the comments.
Read through this whole thing first so you know what your getting into.
These instuctions assume you are using linux, although the methods should be similar for windows. (you will need to modify drivers to work with windows if you go that route)
Files you will need:
NVFLASH (with ideapad bootloader.bin, flash.bct) - This was leaked, it can be found here see post #18: http://forum.xda-dev...=1180266&page=2
Transformer bootloader.bin - see download link below
ADB - you must have adb on your computer.
**make_ext4fs - must be compiled for your system, if you need to compile it you need to essentially build android from source which will compile the tools as part of the process - see downloads below for a precompiled linux file
**latest lenovo ota - (this method tested with US builds 111017 and 110829 although it should work with any (as long as it has a complete system file) download from http://download.leno.../slates/k1/OTA/
** Only needed if you want to make your own /system from the OTA, i have included prebuilt ones already (for ota111017).
Link to these files: http://www.megaupload.com/?d=NQLCZDUZ
sha1sum for the tools:
45f50a332c9de03c2b140fb865fcfc67ab5abd7d ideapad_root_tools.zip
##################STEP 1###############
Setting up the environment.
The NVFlash that was leaked is the key to this whole thing. In the leaked files there is a .bat with the needed sbk key: 0x0d0a6f49 0x6c577634 0x4d634e55 0x47336d55. This key is essential to the method, without it we could not use this method.
NOTE: may have to run commands as root if you have not setup udev for your user -> this is because you will not have permissions to the USB devices if not. if you don't know what this means just run the commands with as root (sudo).
1. unzip the NVFLASH zip to whatever directory you choose. If you get this file from the source listed above it will include a couple of different folders, you need to go to Lenovo_windows>Burn_image . This is the directory where the magic will happen. From now on will refer to this directory as NVFLASH_HOME.
2. put the transformer bootloader into NVFLASH_HOME. Name it transformer_bootloader.bin (if not already named as such DO NOT REPLACE ideapad's bootloader)
3. Remove boot.img, (recovery.img if you want to see/use my cwm progress not working though only for advanced Devs) and system.img from NVFLASH_HOME. you can put them in another directory inside NVFLASH_HOME called ORIG_IMG
4. Whenever using NVFLASH, you must put the tablet in APX mode by holding vol up vol down and powering on the unit. It will turn on to a blank black screen.
##################STEP 2###############
BACKUP your system ... this may take a little while but its worth it. This should just about garuntee that you can get back to your original system should something not go right.
1. create BACKUP_ORIG directory in NVFLASH_HOME.
2. navigate to NVFLASH_HOME in terminal
3. type in terminal "./nvflash --sbk 0x0d0a6f49 0x6c577634 0x4d634e55 0x47336d55 --bct flash.bct --setbct --odmdata 0x300c0011 --configfile flash.cfg --bl transformer_bootloader.bin --sync" (this assumes you got nvflash and accompanied files via above dload, if not your filenames could be different NOTICE: we use transformer_bootloader.bin instead of ideapad's bootloader!)
4. type in terminal "./nvflash -r --getpartitiontable ./BACKUP_ORIG/partitions.cfg" - this pulls your patition table to your backup folder
5. open the partitions.cfg (its a text file) in it will list the paritions and there partition ID numbers for example:
=============SAMPLE partitions.cfg================================
PartitionId=2
Name=BCT
DeviceId=18
StartSector=0
NumSectors=1536
BytesPerSector=2048
PartitionId=3
Name=PT
DeviceId=18
StartSector=1536
NumSectors=256
BytesPerSector=2048
PartitionId=4
Name=EBT
DeviceId=18
StartSector=1792
NumSectors=1536
BytesPerSector=2048
==================================================================
These PartitionId numbers will be used to backup the complete system.
6. Backup each partition using the following commands (in the same terminal we have not exited)
"./nvflash -r --read BOOTPARTID PART_NAME.img" Replace BOOTPARTID with a Partition ID from partition.cfg and replace PART_NAME.img with the name of the parition that corresponds to the parition id. for example
=============SAMPLE partitions.cfg================================
"./nvflash -r --read 4 BACKUP_ORIG/EBT.img" (this command would copy the EBT partition to the file EBT.img in the BACKUP_ORIG directory that you made)
"./nvflash -r --read 2 BACKUP_ORIG/BCT.img" (does the same thing just for a different parition (BCT partition))
==================================================================
Do this for every parition.
Especially these:
BCT - boot config table
PT - partition Table
EBT - bootloader
SOS - recovery partion
LNX - boot.img / boot partition
APP - /system
UDA - User data - i think this is user data where all the premium apps are stored that came with it. Back this up if you want them back
There are other partitions as well... and i am not sure of all of them.... use due diligence and back them all up its worth your patience.
THIS STEP WILL TAKE TIME AND REQUIRE A GOOD AMOUNT OF HARD DRIVE SPACE Approx 30GB to get it all!
if thats a problem and there is no way at lease back up userdata and bootloader and parition table! (userdata will take up approx 3.3 GB alone)
You can calulate the space per partition yourself just multiply bytes per sector by NumSectors, and that gives you how many bytes. Divide that number by 1073741824 to put convert to Gigabytes)
##################STEP 3###############
MAKE SURE YOU HAVE BACKED UP BEFORE THIS
Now we will format the tablet and load up the rooted img files.
1. Unpack the system.img, (recovery.img from dload and name it as such if you want the cwm i am working on it does not work right though... advanced users only), and boot.img to NVFLASH_HOME from the download listed above.
2. Run this command in terminal: "./nvflash --bct flash.bct --setbct --odmdata 0x300c0011 --sbk 0x0d0a6f49 0x6c577634 0x4d634e55 0x47336d55 --configfile flash.cfg --create --bl bootloader.bin --go" (note this time we use the ideapad booloader!!!! NOT transformer bootloader)
4. This will take a little while to complete. When done it should reboot into your new rooted OS!!!! (although right now you can only get root through ADB)
################STEP 4###############3
This will allow you to access root from inside android, and allow other apps to use root when needed. (note that the image already included the superuser.apk
1. in terminal use adb to push the modified su to /system/xbin/ do this first remount the filesystem as read/write (rw) "./adb remount" (should show remount successful)
2. in terminal "./adb push <location of su on computer. /system/xbin/su"
3. adb shell into the tablet to change permissions of su "./adb shell"
4. in the adb shell: "cd /system/xbin"
5. still in adb shell: "chmod 4755 su" (this changes permission so that any user can access it and assume root through it)
6. in adb shell: "exit"
THATS IT!! you should now have root... download a terminal emulator from marketplace and see if you can su! (superuser should ask you to whitelist the app) and thats it
I will need to update this guide to show people how to build the image themselves this is for those who are feeling antsy.
###############Making your own system.img files####################
Currently and the main problem with this method, is that you must wipe your entire system to use the new image. This is why a working recovery would be so nice. This is a quick writeup of how to. Note that you actually get root access from the boot.img file. This file is not particularly unique as compared to other androids systems. however if you want guidance on how to edit boot.img i will include this upon request. (The tools to do so i have already posted)
Use the system folder from an OTA update, you can modify it as you deem. You must add the symlinks back to the system folder. They should be added to "/system/bin/" These can be found in the img that i have already included. They are:
cat
chmod
chown
cmp
date
dd
df
dmesg
getevent
getprop
hd
id
ifconfig
iftop
insmod
ioctl
ionice
kill
ln
log
ls
lsmod
lsof
mkdir
mount
mv
nandread
netstat
newfs_msdos
notify
printenv
ps
reboot
renice
rm
rmdir
rmmod
route
schedtop
sendevent
setprop
sh
sleep
smd
start
stop
sync
top
umount
uptime
vmstat
watchprops
wipe
Next you must set the permissions for system so they are appropriate for android. to do this in terminal assuming your in the system directory type: "sudo chown 0:0 -R ."
This sets the owner to root
then type "sudo chmod 777 -R ."
This sets the access permissions for all (they will be overwritten when loaded by the phone however)
next you must run the included make_ext4fs with the following command:
"sudo ./make_ext4fs -l 400M -a system system.img.new dir_of_system_folder"
This command will convert the system folder found at dir_of_system_folder and create a system.img.new file for it.
You must rename this file to system.img and put it in the directory of nvflash in place of the system.img file there. Then just reflash the system as described above.
NOTE: if you are looking to just modify some files in the exising system folder you could probably do so by just using the adb push command. This would allow you to potentially moify the system files without reflashing again.
Also i put it above, its a rough outline, if you have questions let me know. Still no luck on the recovery, i have not had alot of time recently to work at it :
