Monday, 23 September 2013

Reset Locked Chinese Tablet

Someone gave me this cheap Chinese tablet:


He had forgotten the unlock pattern, and after too many attempts at guessing it we were locked out completely. Android offers to unlock with your Google account at that point, but wifi was off and there is no way to turn it on from the lock screen. So +Nicholas Thompson and I spent some hours figuring out how to reset this tablet.

I found out this tablet uses a Rockchip rk2918 SoC (you can open it up to check, or if you know someone else with the same tablet, go to Settings > About Device and look at the 'Model Number'; mine was 'Full AOSP on Rk29sdk').

First I had to get the tablet into recovery mode. The tablet has no volume buttons, so it uses a different key combination from most tablets. To get into recovery mode, make sure the data cable is disconnected, turn off the tablet, then hold the power and menu buttons until the Android logo appears. It should now be in recovery mode. Connect the data cable to the computer and run:
lsusb
You will get something like:
Bus 001 Device 011: ID 18d1:d001 Google Inc.
It shows up as a Google Inc. device because vendor ID 18d1 is registered to Google (the USB ID list has the full vendor table, for those interested). You will need adb from somewhere; I got it from the Android website, but that is a big download. You can download just the platform-tools instead, or run:
wget http://dl.google.com/android/repository/platform-tools_r18.0.1-linux.zip
unzip platform-tools_r18.0.1-linux.zip
cd platform-tools/
You should see a device with the command:
./adb devices
listed as:
???????????? no permissions
Add the tablet's vendor ID to a udev rules file to get the correct permissions (the file is root-owned, so append to it with sudo tee rather than a plain shell redirect):
echo 'SUBSYSTEM=="usb", ATTR{idVendor}=="18d1", MODE="0666", GROUP="plugdev"' | sudo tee -a /etc/udev/rules.d/51-android.rules
Disconnect and reconnect the data cable, run ./adb devices again, and you should get:
0123456789ABCDEF recovery
To get the tablet into flash mode run:
./adb reboot bootloader
The tablet screen will go black, but it is not off: you will see it if you run lsusb again, listed as something like Bus 001 Device 013: ID 2207:281a. Add this vendor ID to the udev rules as well:
echo 'SUBSYSTEM=="usb", ATTR{idVendor}=="2207", MODE="0666", GROUP="plugdev"' | sudo tee -a /etc/udev/rules.d/51-android.rules
For the next step you will need rkflashtool, a Linux alternative to Rockchip's Windows RKBatchTool. I found some instructions and the Linux source on xda-developers.

You need to install the required package and build the executable (the download URL contains an '&', so it must be quoted):
wget -O rkflashtool-v2.zip 'http://forum.xda-developers.com/attachment.php?attachmentid=785592&d=1321547155'
unzip rkflashtool-v2.zip
sudo apt-get install libusb-1.0-0-dev
gcc -o rkflashtool rkflashtool.c -lusb-1.0 -O2 -W -Wall -s
Find the tablet's partition table by running:
./rkflashtool r 0x0000 0x2000 >parm
then check the start of this file with a hex dump:
xxd parm | less
mine looked like this:
0000000: 5041 524d 5302 0000 4649 524d 5741 5245  PARMS...FIRMWARE
0000010: 5f56 4552 3a30 2e32 2e33 0d0a 4d41 4348  _VER:0.2.3..MACH
0000020: 494e 455f 4d4f 4445 4c3a 4675 6c6c 2041  INE_MODEL:Full A
0000030: 4f53 5020 6f6e 2052 6b32 3973 646b 200d  OSP on Rk29sdk .
0000040: 0a4d 4143 4849 4e45 5f49 443a 3030 370d  .MACHINE_ID:007.
0000050: 0a4d 414e 5546 4143 5455 5245 523a 524b  .MANUFACTURER:RK
0000060: 3239 5344 4b0d 0a4d 4147 4943 3a20 3078  29SDK..MAGIC: 0x
0000070: 3530 3431 3532 3442 0d0a 4154 4147 3a20  5041524B..ATAG: 
0000080: 3078 3630 3030 3038 3030 0d0a 4d41 4348  0x60000800..MACH
0000090: 494e 453a 2032 3932 390d 0a43 4845 434b  INE: 2929..CHECK
00000a0: 5f4d 4153 4b3a 2030 7838 300d 0a4b 4552  _MASK: 0x80..KER
00000b0: 4e45 4c5f 494d 473a 2030 7836 3034 3038  NEL_IMG: 0x60408
00000c0: 3030 300d 0a43 4d44 4c49 4e45 3a20 636f  000..CMDLINE: co
00000d0: 6e73 6f6c 653d 7474 7953 312c 3131 3532  nsole=ttyS1,1152
00000e0: 3030 6e38 6e20 616e 6472 6f69 6462 6f6f  00n8n androidboo
00000f0: 742e 636f 6e73 6f6c 653d 7474 7953 3120  t.console=ttyS1 
0000100: 696e 6974 3d2f 696e 6974 2069 6e69 7472  init=/init initr
0000110: 643d 3078 3632 3030 3030 3030 2c30 7838  d=0x62000000,0x8
0000120: 3030 3030 3020 6d74 6470 6172 7473 3d72  00000 mtdparts=r
0000130: 6b32 3978 786e 616e 643a 3078 3030 3030  k29xxnand:0x0000
0000140: 3230 3030 4030 7830 3030 3032 3030 3028  2000@0x00002000(
0000150: 6d69 7363 292c 3078 3030 3030 3430 3030  misc),0x00004000
0000160: 4030 7830 3030 3034 3030 3028 6b65 726e  @0x00004000(kern
0000170: 656c 292c 3078 3030 3030 3830 3030 4030  el),0x00008000@0
0000180: 7830 3030 3038 3030 3028 626f 6f74 292c  x00008000(boot),
0000190: 3078 3030 3030 3830 3030 4030 7830 3030  0x00008000@0x000
00001a0: 3130 3030 3028 7265 636f 7665 7279 292c  10000(recovery),
00001b0: 3078 3030 3046 3030 3030 4030 7830 3030  0x000F0000@0x000
00001c0: 3138 3030 3028 6261 636b 7570 292c 3078  18000(backup),0x
00001d0: 3030 3033 6130 3030 4030 7830 3031 3038  0003a000@0x00108
00001e0: 3030 3028 6361 6368 6529 2c30 7830 3031  000(cache),0x001
00001f0: 3030 3030 3040 3078 3030 3134 3230 3030  00000@0x00142000
0000200: 2875 7365 7264 6174 6129 2c30 7830 3030  (userdata),0x000
0000210: 3032 3030 3040 3078 3030 3234 3230 3030  02000@0x00242000
0000220: 286b 7061 6e69 6329 2c30 7830 3030 4536  (kpanic),0x000E6
0000230: 3030 3040 3078 3030 3234 3430 3030 2873  000@0x00244000(s
0000240: 7973 7465 6d29 2c2d 4030 7830 3033 3241  ystem),-@0x0032A
0000250: 3030 3028 7573 6572 290d 0a3b ff43 e300  000(user)..;.C..
The relevant parts are:
0x0003a000@0x00108000(cache) and 0x00100000@0x00142000(userdata).

This means the cache partition has a size of 0x0003a000 and starts at 0x00108000, and userdata has a size of 0x00100000 and starts at 0x00142000.

Firstly, back up both of these partitions (in case this does not work):
./rkflashtool r 0x108000 0x3a000 >cache_backup
./rkflashtool r 0x142000 0x100000 >userdata_backup
Then overwrite both partitions with zeros:
./rkflashtool w 0x108000 0x3a000 </dev/zero
./rkflashtool w 0x142000 0x100000 </dev/zero
Lastly reboot the tablet with:
./rkflashtool b
The tablet should now boot as though it had been factory reset. I went to the settings menu anyway and did another factory reset from there, just in case.
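The partition offsets above were read off the xxd output by eye. The Python script below is an added example, not part of the original post and not part of rkflashtool: it parses the PARM block (the 'PARM' magic and little-endian length field visible at the start of the dump), pulls the mtdparts list out of CMDLINE, checks that the partitions are contiguous and non-overlapping, and emits the same backup and zero-fill commands as above with every offset and size taken from the table rather than typed by hand. The sample blob is constructed from the text of the dump on this page with a placeholder CRC; the 512-byte sector size used for the MiB column is an assumption about rkflashtool's units, and the script name in the usage comment is hypothetical. Worth noting from the defender's side: this flash mode asks for no credentials, so the same `r` command that backs up userdata also reads it out in the clear, and a lock pattern alone does nothing against someone holding the cable; only device encryption protects the data on a device like this.

```python
import re
import struct
import sys

# Constructed sample: the text of the PARM block as it appears in the xxd dump
# above, wrapped in the same 'PARM' magic + little-endian length header. The
# four trailing bytes stand in for the CRC, which this script does not verify.
PARM_TEXT = (
    "FIRMWARE_VER:0.2.3\r\n"
    "MACHINE_MODEL:Full AOSP on Rk29sdk \r\n"
    "MACHINE_ID:007\r\n"
    "MANUFACTURER:RK29SDK\r\n"
    "MAGIC: 0x5041524B\r\n"
    "ATAG: 0x60000800\r\n"
    "MACHINE: 2929\r\n"
    "CHECK_MASK: 0x80\r\n"
    "KERNEL_IMG: 0x60408000\r\n"
    "CMDLINE: console=ttyS1,115200n8n androidboot.console=ttyS1 init=/init "
    "initrd=0x62000000,0x800000 mtdparts=rk29xxnand:"
    "0x00002000@0x00002000(misc),0x00004000@0x00004000(kernel),"
    "0x00008000@0x00008000(boot),0x00008000@0x00010000(recovery),"
    "0x000F0000@0x00018000(backup),0x0003a000@0x00108000(cache),"
    "0x00100000@0x00142000(userdata),0x00002000@0x00242000(kpanic),"
    "0x000E6000@0x00244000(system),-@0x0032A000(user)\r\n"
)
SAMPLE_PARM = (b"PARM" + struct.pack("<I", len(PARM_TEXT))
               + PARM_TEXT.encode("ascii") + b"\0\0\0\0")

SECTOR = 512  # assumption: rkflashtool offsets and sizes are 512-byte sectors

# mtdparts entries are size@offset(name); a size of '-' means "rest of flash"
MTDPART_RE = re.compile(r"(-|0x[0-9A-Fa-f]+)@(0x[0-9A-Fa-f]+)\(([^)]+)\)")


def parse_parm(blob):
    """Return the KEY: value pairs from a Rockchip PARM block."""
    if blob[:4] != b"PARM":
        raise ValueError("not a PARM block (bad magic)")
    (length,) = struct.unpack_from("<I", blob, 4)
    if 8 + length > len(blob):
        raise ValueError("PARM length field runs past the end of the data")
    text = blob[8:8 + length].decode("ascii", errors="replace")
    params = {}
    for line in text.splitlines():
        key, sep, value = line.partition(":")
        if sep:
            params[key.strip()] = value.strip()
    return params


def parse_mtdparts(cmdline):
    """Map partition name -> (offset, size) from the mtdparts= kernel argument.
    size is None for the open-ended last partition."""
    m = re.search(r"mtdparts=[^:\s]+:(\S+)", cmdline)
    if not m:
        raise ValueError("no mtdparts= in CMDLINE")
    parts = {}
    for size, offset, name in MTDPART_RE.findall(m.group(1)):
        parts[name] = (int(offset, 16), None if size == "-" else int(size, 16))
    return parts


def check_layout(parts):
    """Refuse a table whose partitions overlap or whose open-ended entry is not last."""
    ordered = sorted(parts.items(), key=lambda kv: kv[1][0])
    prev_end = 0
    for i, (name, (offset, size)) in enumerate(ordered):
        if offset < prev_end:
            raise ValueError(f"{name} overlaps the partition before it")
        if size is None:
            if i != len(ordered) - 1:
                raise ValueError(f"{name} is open-ended but not the last partition")
            break
        prev_end = offset + size


def wipe_commands(parts, names=("cache", "userdata"), tool="./rkflashtool"):
    """Backup commands first, then zero-fill, only for the named partitions,
    with every offset and size taken from the parsed table."""
    for name in names:
        if parts[name][1] is None:
            raise ValueError(f"{name} has no explicit size; refusing to wipe it")
    backups = [f"{tool} r 0x{parts[n][0]:x} 0x{parts[n][1]:x} >{n}_backup" for n in names]
    wipes = [f"{tool} w 0x{parts[n][0]:x} 0x{parts[n][1]:x} </dev/zero" for n in names]
    return backups + wipes


if __name__ == "__main__":
    # usage: python3 parm_parts.py [parm]   (no argument: use the embedded sample)
    blob = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else SAMPLE_PARM
    params = parse_parm(blob)
    parts = parse_mtdparts(params["CMDLINE"])
    check_layout(parts)
    print(f"{params['MACHINE_MODEL']} / {params['MANUFACTURER']}")
    for name, (offset, size) in parts.items():
        extent = "rest of flash" if size is None else f"{size * SECTOR // 2**20} MiB"
        print(f"  {name:<9} offset 0x{offset:08x}  size {extent}")
    print("\n".join(wipe_commands(parts)))
```

Run it against the parm file written by rkflashtool, or with no argument to use the embedded sample; on the dump above the layout check passes (each partition starts exactly where the previous one ends) and the generated commands match the four typed out in the post.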