He forgot the unlock pattern for the tablet and trying to guess it, we got totally locked out. You could still reset it with your google account, but the wifi was off and there is no way to turn it on whilst locked out. So +Nicholas Thompson and I spent some hours figuring out how to reset this tablet.
I found out this tablet uses a rk2918 (Rockchip) SoC (you can open it up or if you know someone else with the same tablet, go to Settings > About Device and check the 'Model Number', mine was 'Full AOSP on Rk29sdk')
First I had to get the tablet into recovery mode. The tablet has no volume buttons, so it has a different key combination from most tablets. So to get into recovery mode make sure the data cable is disconnected, turn off the tablet, then hold the power and menu buttons until the android logo appears. It should now be in recovery mode. Connect the data cable to the computer and run:
lsusbYou will get something like:
Bus 001 Device 011: ID 18d1:d001 Google Inc.For some reason this is a Google Inc device because of its Vendor ID (list of vendors for those interested). You will need to get adb somewhere, I got it from the android website but it is a big download. You can download just the platform-tools here or run:
wget http://dl.google.com/android/repository/platform-tools_r18.0.1-linux.zip unzip platform-tools_r18.0.1-linux.zip cd platform-tools/
You should see a device with the command:
./adb deviceslisted as:
???????????? no permissions
Add the tablet's vendor to the udev file to get the correct permissions:
disconnect and reconnect the data cables and run ./adb devices again and you should get:echo 'SUBSYSTEM=="usb", ATTR{idVendor}=="18d1" , MODE="0666", GROUP="plugdev"' >> /etc/udev/rules.d/51-android.rules
0123456789ABCDEF recoveryTo get the tablet info flash mode run:
./adb reboot bootloader
The tablet screen will go black, but it is not off, you will see it if you run lsusb again. It should be listed as something like Bus 001 Device 013: ID 2207:281a. Add this device to the udev rules as well:
echo 'SUBSYSTEM=="usb", ATTR{idVendor}=="2207", MODE="0666", GROUP="plugdev"' >> /etc/udev/rules.d/51-android.rules
For the next step you will need Rockbatchtool. I found some instructions and a linux version here.
You need to install the needed package and build the executable:
wget -O rkflashtool-v2.zip http://forum.xda-developers.com/attachment.php?attachmentid=785592&d=1321547155 unzip rkflashtool-v2.zip sudo apt-get install libusb-1.0-0-dev gcc -o rkflashtool rkflashtool.c -lusb-1.0 -O2 -W -Wall -s
Find the tablet's partition table by running:
./rkflashtool r 0x0000 0x2000 >parm
then check the start of this file with a hex dump:
xxd parm | less
mine looked like this:
0000000: 5041 524d 5302 0000 4649 524d 5741 5245 PARMS...FIRMWARE 0000010: 5f56 4552 3a30 2e32 2e33 0d0a 4d41 4348 _VER:0.2.3..MACH 0000020: 494e 455f 4d4f 4445 4c3a 4675 6c6c 2041 INE_MODEL:Full A 0000030: 4f53 5020 6f6e 2052 6b32 3973 646b 200d OSP on Rk29sdk . 0000040: 0a4d 4143 4849 4e45 5f49 443a 3030 370d .MACHINE_ID:007. 0000050: 0a4d 414e 5546 4143 5455 5245 523a 524b .MANUFACTURER:RK 0000060: 3239 5344 4b0d 0a4d 4147 4943 3a20 3078 29SDK..MAGIC: 0x 0000070: 3530 3431 3532 3442 0d0a 4154 4147 3a20 5041524B..ATAG: 0000080: 3078 3630 3030 3038 3030 0d0a 4d41 4348 0x60000800..MACH 0000090: 494e 453a 2032 3932 390d 0a43 4845 434b INE: 2929..CHECK 00000a0: 5f4d 4153 4b3a 2030 7838 300d 0a4b 4552 _MASK: 0x80..KER 00000b0: 4e45 4c5f 494d 473a 2030 7836 3034 3038 NEL_IMG: 0x60408 00000c0: 3030 300d 0a43 4d44 4c49 4e45 3a20 636f 000..CMDLINE: co 00000d0: 6e73 6f6c 653d 7474 7953 312c 3131 3532 nsole=ttyS1,1152 00000e0: 3030 6e38 6e20 616e 6472 6f69 6462 6f6f 00n8n androidboo 00000f0: 742e 636f 6e73 6f6c 653d 7474 7953 3120 t.console=ttyS1 0000100: 696e 6974 3d2f 696e 6974 2069 6e69 7472 init=/init initr 0000110: 643d 3078 3632 3030 3030 3030 2c30 7838 d=0x62000000,0x8 0000120: 3030 3030 3020 6d74 6470 6172 7473 3d72 00000 mtdparts=r 0000130: 6b32 3978 786e 616e 643a 3078 3030 3030 k29xxnand:0x0000 0000140: 3230 3030 4030 7830 3030 3032 3030 3028 2000@0x00002000( 0000150: 6d69 7363 292c 3078 3030 3030 3430 3030 misc),0x00004000 0000160: 4030 7830 3030 3034 3030 3028 6b65 726e @0x00004000(kern 0000170: 656c 292c 3078 3030 3030 3830 3030 4030 el),0x00008000@0 0000180: 7830 3030 3038 3030 3028 626f 6f74 292c x00008000(boot), 0000190: 3078 3030 3030 3830 3030 4030 7830 3030 0x00008000@0x000 00001a0: 3130 3030 3028 7265 636f 7665 7279 292c 10000(recovery), 00001b0: 3078 3030 3046 3030 3030 4030 7830 3030 0x000F0000@0x000 00001c0: 3138 3030 3028 6261 636b 7570 292c 3078 18000(backup),0x 00001d0: 3030 3033 6130 3030 4030 7830 3031 3038 0003a000@0x00108 00001e0: 3030 3028 6361 6368 6529 2c30 7830 3031 000(cache),0x001 00001f0: 3030 3030 3040 3078 3030 3134 3230 3030 00000@0x00142000 0000200: 2875 7365 7264 6174 6129 2c30 7830 3030 (userdata),0x000 0000210: 3032 3030 3040 3078 3030 3234 3230 3030 02000@0x00242000 0000220: 286b 7061 6e69 6329 2c30 7830 3030 4536 (kpanic),0x000E6 0000230: 3030 3040 3078 3030 3234 3430 3030 2873 000@0x00244000(s 0000240: 7973 7465 6d29 2c2d 4030 7830 3033 3241 ystem),-@0x0032A 0000250: 3030 3028 7573 6572 290d 0a3b ff43 e300 000(user)..;.C..
The relevant parts are:
0x0003a000@0x00108000(cache) and 0x00100000@0x00142000(userdata).
This means the cache partition has a size of 0x0003a000 and starts at 0x00108000 and the userdata a size of 0x00100000 and starts at 0x00142000.
Firstly backup both these partitions (in case this does not work):
0x0003a000@0x00108000(cache) and 0x00100000@0x00142000(userdata).
This means the cache partition has a size of 0x0003a000 and starts at 0x00108000 and the userdata a size of 0x00100000 and starts at 0x00142000.
Firstly backup both these partitions (in case this does not work):
./rkflashtool r 0x108000 0x3a000 >cache_backup ./rkflashtool r 0x142000 0x100000 >userdata_backupThen overwrite both partitions with 0's:
./rkflashtool w 0x108000 0x3a000 </dev/zero ./rkflashtool w 0x142000 0x100000 </dev/zeroLastly reboot the tablet with:
./rkflashtool bThe tablet should now boot as though it was factory reset. I went to the settings menu anyway and did another factory reset from there, just in case.