On KaiOS 2.5.4 devices, such as the 6300 4G and 8000 4G, ADB and WebIDE can be used to install most third-party apps. However, apps with special ‘forbidden’ permissions are not allowed, including most BananaHackers apps with `engmode-extension` like Wallace Toolbox, which can be used to gain exclusive access of the phone. You also cannot make changes to the system. On the 2720 Flip and 800 Tough with KaiOS 2.5.2.2, with HMD/Nokia Mobile changing their release branches from `dev-keys` to `release-keys`, the situation is even worse as you cannot sideload at all.

This is because in order for WhatsApp's VoIP feature to work on these KaiOS versions, a security module called SELinux[^4] is now set to be `Enforced`, which checks and reverts system modifications on boot. To get total read-write access to the devices, you'll now have to permanently root them by setting SELinux to `Permissive` mode.
The guide below is based on the main guide from the BananaHackers website, but has been rewritten to make it easier to follow. The process takes a considerable 30 minutes to an hour, so do this when you have enough time.
> [!IMPORTANT]
> **DISCLAIMER:** This process will void your phone's warranty, disable its ability to receive WhatsApp calls and over-the-air updates, but you can undo this if you save a copy of the original boot partition. However, you might also brick your phone if you make a mistake in the process, so proceed at your own risk and with caution! I won't be responsible for any damages done to your phone by following these.
Remember, you don't have to root your phone to do things that usually need root access e.g. you can use this fork of Luxferre's AppBuster to disable apps from the launcher instead of deleting them with Wallace Toolbox. You can also install [Luxferre's CrossTweak], a Wallace Toolbox alternative also made by Luxferre that does not need `engmode-extension` and therefore can be easily installed on KaiOS 2.5.4 devices.
Murphy's Law states, "Anything that can go wrong, will go wrong". It's a proverb from the late 1940s, and while it may not be as academically accurate and influential as Newton's laws of motion, it's generally acknowledged in technology as a rule of thumb. Even if you do the best you can, things can unexpectedly go south, so it's always good to prepare for the worst.
- `certified` apps such as D3SXX's kaios-backup or Fiachra1993's kaios-sms-backup, which uses Firefox OS APIs to export your text messages to JSON or CSV files.
- `DCIM`; whereas recorded voice files are stored under `audio`.
For backing up application data (excluding WhatsApp chats), system preferences and partition images, see Back up system partitions.
- `pip` for `edl.py` to work (setup guide can be found for each OS below);
- `edl.py` package)
- `libusb-win32` driver; do NOT use the older version bundled as it has a lower chance of success
- `libusb` and configure the environment for EDL tools (setup guide can be found below)
- `wsl --install`)

andybalholm's EDL cannot be used on 8000 4G and 6300 4G due to structural changes within GPT, which will result in an error `AttributeError: 'gpt' object has no attribute 'partentries'. Did you mean: 'num_part_entries'?`. Do note that the command structures used between bkerler's and andybalholm's are different, which we'll mention below.
For the sake of convenience, move the Gerda Recovery image and the MBN file into the root of `edl-3.1` or `edl-master` folder. If you need to have those in other folders, change the directory path accordingly.
If you're on Linux, Python and ADB can be quickly set up by installing with your built-in package manager. We won't be covering this here, as each Linux distro has its own way of installing from package manager.
Note for Arch Linux users: I've made an experimental `root.sh` that you can use to automate all 4 parts of the process (see the root of the repository) based on @Llixuma's tutorial. Debian-based distro users stay tuned!
This portion of the guide was taken from Development/EDL tools on BananaHackers Wiki so that you don't have to switch tabs. Kudos to Cyan for the guides!
```console
sudo apt-get install python3 python3-pip
```

```console
sudo -H pip3 install pyusb pyserial capstone keystone-engine docopt
```
- `*#*#33284#*#*`, connect it to your computer and type `adb reboot edl` in a command-line window.
- `*` and `#` at the same time while inserting the USB cable to the phone.

In both cases, the phone's screen should blink with an 'enabled by KaiOS' logo then become blank. This is normal behaviour letting you know you're in EDL mode and you can proceed.
Additionally, if you have issues with device access:

- `/etc/modprobe.d/blacklist.conf` in a text editor and append `blacklist qcserial`.
- `51-edl.rules` and `50-android.rules` in the root of extracted EDL tools folder to `/etc/udev/rules.d`.

Follow the instructions to install Homebrew on its homepage. Basically just open Terminal and copy the long streak of code shown on the page, and type your password when prompted.
While you're in Terminal, type this into the command-line:
```console
brew install python android-platform-tools libusb && pip3 install pyusb pyserial capstone keystone-engine docopt
```
Switch your phone to EDL mode and connect it to your computer. Either:
- `*#*#33284#*#*`, connect it to your computer and type `adb reboot edl` in a command-line window.
- `*` and `#` at the same time while inserting the USB cable to the phone.

In both cases, the phone's screen should blink with an 'enabled by KaiOS' logo then become blank. This is normal behaviour letting you know you're in EDL mode and you can proceed.
Proceed with installing Python as usual. If you choose to customize your installation, include `pip`. Don't forget to tick the box next to "Add Python to PATH" to add Python as a global environment variable, otherwise you'll have a hard time using Python to run scripts later on.

On Windows 10/11, typing `python` or `python3` within Command Prompt/Windows Terminal will run the Microsoft Store version of Python. To override this default into running the locally installed version, toggle off App Installer (python.exe) and App Installer (python3.exe) under:
Open Command Prompt/Windows Terminal with administrator privileges and run this command to install the required dependencies for EDL:
```console
pip3 install pyusb pyserial capstone keystone-engine docopt
```
Extract the previously downloaded EDL package, open Drivers, Windows and run `Qualcomm_Diag_QD_Loader_2016_driver.exe` with administrator rights. Proceed with installation and leave everything as default, restart the computer if it prompts you to do so.
Switch your phone to EDL mode and connect it to your computer. Either:
- `*#*#33284#*#*`, connect it to your computer and type `adb reboot edl` in a command-line window.
- `*` and `#` at the same time while inserting the USB cable to the phone.

In both cases, the phone's screen should blink with an 'enabled by KaiOS' logo then become blank. This is normal behaviour letting you know you're in EDL mode and you can proceed.
`qcusbser` driver with `libusb-win32` for use with edl.py, download and open Zadig. Tick Options, List All Devices and select `QHSUSB__BULK` (your device in EDL mode) in the main dropdown menu. In the target driver box—to which the green arrow is pointing—click the up/down arrows until you see `libusb-win32` and then click Replace Driver.
> [!NOTE]
> Windows will automatically create restore points on driver installation, as Zadig suggests in its tooltips. On older PCs, this might cause issues with driver configuration process being lengthened past the 5-minute mark. If Zadig aborts the process and hangs, kill Zadig with Task Manager, remove and re-insert the battery on the phone to exit and re-enter EDL mode, then try to install again.
Beware: due to a malfunctioning firehose loader, the EDL tool only accepts one command per session, after which you'll have to disconnect the phone and restart it in EDL mode. If you try to send a second command, it'll result in a `bytearray index out of range` error.
Open the extracted EDL folder in a command-line shell. Flash the Gerda Recovery image to the recovery partition by typing:
```console
python edl.py w recovery recovery-8110.img --loader=8k.mbn
```

If the progress bar stops at 99% (not earlier) and you get the error `usb.core.USBError: [Errno None] b'libusb0-dll:err [_usb_reap_async] timeout error\n'` or `usb.core.USBError: [Errno 60] Command timed out`, this is a false error. Don't mind it and proceed with the next step.
When finished, disconnect the phone from your computer and exit EDL mode by removing and re-inserting the battery.
Then, hold down the top Power button and `*` to turn on the phone in recovery mode. Connect the phone to your computer again.
> [!WARNING]
> Be careful not to boot into system at this point! As stated above, while SELinux is still in `Enforced` mode, it'll try to revert all system modifications on startup; in this case, the custom recovery image we've just flashed will be overwritten by the stock one. If you accidentally start into normal mode (with the usual Nokia chime), you'll have to start over from step 1.
Don't worry if this boots into a white screen: this is because the display driver for the Nokia 8110 4G included in the recovery image is not compatible with the display of 8000 4G/6300 4G.
Check if ADB can recognise the phone by typing `adb devices` into the command-line.

Navigate the command-line to the extracted `platform-tools` folder (if needed) and pull the boot image from the phone to the current directory on your computer with ADB by typing:

```console
adb pull /dev/block/bootdevice/by-name/boot boot.img
```

You should now see `/dev/block/bootdevice/by-name/boot: 1 file pulled, 0 skipped.` and have a copy of the boot partition with the size of 32.0MB (32,768KB). Fetched boot image will be saved to the current directory.

Reboot the phone into normal mode by typing `adb reboot` into the command-line, or remove and re-insert the battery. Our custom Gerda Recovery partition will now be overwritten by the default one.
You can disconnect the phone from your computer for now.
Unlike the 6300 4G and 8000 4G, our phones' EDL loader properly works with both reading and writing, so the steps are more straightforward.
- `*#*#33284#*#*`, connect it to your computer and type `adb reboot edl` in Command Prompt/Terminal;

In both cases, the phone's screen should blink with a 'Powered by KaiOS' logo then go blank. This is normal behaviour letting you know you're in EDL mode and you can proceed.

```console
python edl.py -r boot boot.img -loader 2720.mbn
```

```console
python edl.py -r boot boot.img -loader 800t.mbn
```

```console
python edl.py -reset -loader 2720.mbn
```

```console
python edl.py -reset -loader 800t.mbn
```

You can disconnect the phone from your computer for now.

> [!WARNING]
> Copy and keep the original boot partition somewhere safe in case you need to restore to the original state for over-the-air updates or re-enabling WhatsApp calls.
8k-boot-patcher
Use Git to clone/download the boot patcher toolkit by typing this into Command Prompt/Terminal. This will download the toolkit and have Docker set it up. Do not omit the dot/period at the end of this command, as it tells Docker where our downloaded toolkit is located on the system.

```console
git clone https://gitlab.com/suborg/8k-boot-patcher.git && cd 8k-boot-patcher && docker build -t 8kbootpatcher .
```

Copy the `boot.img` file we've just pulled from our phone to the desktop and do not change its name. Type this into Command Prompt/Terminal to run the patching process:

```console
docker run --rm -it -v %cd%/Desktop:/image 8kbootpatcher
```

```console
docker run --rm -it -v ~/Desktop:/image 8kbootpatcher
```
```console
$ docker run --rm -it -v ~/Desktop:/image 8kbootpatcher
Boot image found, patching...
writing boot image config in bootimg.cfg
extracting kernel in zImage
extracting ramdisk in initrd.img
charger
data
[...]
ueventd.qcom.rc
ueventd.rc
verity_key
4037 blocks
4979 blocks
reading config file bootimg.cfg
reading ramdisk from myinitrd.img
Writing Boot Image boot.img
Boot image patched!
```
That's it! On your desktop there will be two new image files, the modified `boot.img` and the original `boot-orig.img`. You can now head to [part 4].
![Screenshot of boot.img and boot-orig.img files as shown on desktop](assets/img/after_patch.png)
#### Manual patching with Android Image Kitchen
1. Extract the Android Image Kitchen tools and copy the boot image we've just obtained over to the root of the extracted folder.
![Screenshot of a list of folders and files contained in the extracted Android Image Kitchen folder](assets/img/aik.png)
2. Open the folder in Command Prompt/Terminal and type `unpackimg boot.img`. This will split the image file and unpack the ramdisk to their subdirectories.
![Screenshot of a Windows Command Prompt window showing some logs of the boot partition extracting process after typing the command above](assets/img/unpack.png)
> [!WARNING]
> **Be sure to edit the files correctly, else the phone won't boot!**
3. Let the editing begin! First, open `ramdisk/default.prop` using Notepad++ and change:
- line 7: `ro.secure=1` → `ro.secure=0`
- line 8: `security.perf_harden=1` → `security.perf_harden=0`
- line 10: `ro.debuggable=0` → `ro.debuggable=1`
```diff
@@ -4,9 +4,9 @@
ro.sw.release.date=21-08-13
ro.build.version.fih=20.00.17.01
ro.build.elabel=false
- ro.secure=1
- security.perf_harden=1
+ ro.secure=0
+ security.perf_harden=0
ro.allow.mock.location=0
- ro.debuggable=0
+ ro.debuggable=1
ro.adb.secure=0
ro.zygote=zygote32
```
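Review bot: `ro.secure=0` and `ro.debuggable=1` land next to the unchanged context line `ro.adb.secure=0`, so after this hunk adbd runs as root and still asks for no host-key authorisation; anyone who can plug a USB cable into the phone gets a root shell. State that consequence next to step 3 and suggest turning USB debugging off when it is not in use. The step text also addresses the edits by line number (7, 8, 10) while the hunk starts at line 4 with `@@ -4,9 +4,9 @@`; matching on the property names would survive firmware builds where the numbering differs.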
4. Open `ramdisk/init.qcom.early_boot.sh` in Notepad++ and add `setenforce 0` as a new line at the end of the file.
```diff
@@ -312,14 +312,14 @@
else
# nand configuration
if [ -e $nand_file ]
then
if grep ${partition_name} $nand_file
then
gps_enabled=false
fi
fi
fisetprop ro.gps.enabled $gps_enabled
```
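Review bot: no line in this hunk carries a `+` or `-` marker, so the `setenforce 0` addition that the step describes is not visible under `@@ -312,14 +312,14 @@`, and the last line runs `fi` and `setprop ro.gps.enabled $gps_enabled` together as `fisetprop`. Show the appended line explicitly as `+setenforce 0` after the `setprop` line, and say in the step that it switches SELinux enforcement off on every boot, since that is the security-relevant effect of the edit.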
<p align="center">
<img src="assets/img/setenforce.png" alt="Screenshot of the modified content of the init.qcom.early_boot.sh file">
</p>
5. Go back to the root Android Image Kitchen folder and open `split_img/boot.img-cmdline` in Notepad++. Without adding a new line, scroll to the end of the first line and append `androidboot.selinux=permissive enforcing=0`.
![Screenshot of the modified content of the boot.img-cmdline file](assets/img/append.png)
6. Open `ramdisk/init.rc` (NOT `ramdisk/init`) and delete line 393 `setprop selinux.reload_policy 1` or mark a comment as shown. This will ultimately prevent SELinux from overwriting the policy changes we made above.
*If you want to know why I put an additional line to set `/sys/module/lowmemorykiller/parameters/enable_lmk` to 0, see [Expanding RAM with swapfile].*
```diff
@@ -390,7 +390,6 @@
setusercryptopolicies /data/user
# Reload policy from /data/security if present.
- setprop selinux.reload_policy 1
# Set SELinux security contexts on upgrade or policy update.
restorecon_recursive /data
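Review bot: the removed `setprop selinux.reload_policy 1` leaves its comment `# Reload policy from /data/security if present.` behind with nothing under it. Drop the comment in the same hunk, or keep the line commented out as step 6 offers, so the file does not describe a policy reload that no longer happens.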
@@ -418,9 +418,10 @@
# Memory management. Basic kernel parameters, and allow the high
# level system server to be able to adjust the kernel OOM driver
# parameters to match how it is managing things.
+ write /sys/module/lowmemorykiller/parameters/enable_lmk 0
write /proc/sys/vm/overcommit_memory 1
write /proc/sys/vm/min_free_order_shift 4
chown root system /sys/module/lowmemorykiller/parameters/adj
chmod 0664 /sys/module/lowmemorykiller/parameters/adj
chown root system /sys/module/lowmemorykiller/parameters/minfree
chmod 0664 /sys/module/lowmemorykiller/parameters/minfree
```
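Review bot: the added `write /sys/module/lowmemorykiller/parameters/enable_lmk 0` is unrelated to the SELinux change and has no comment of its own, so it reads as part of the stock "Memory management" block. Give it a one-line comment saying the low-memory killer is being switched off and why, and consider keeping it out of the rooting patch so the boot image change can be reviewed on its own.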
`repackimg` to package our modified boot partition.

If you happen to encounter an error during the signing process, that's likely because the process uses `java` to power the `boot-signer.jar` sequence and you don't have it installed. The image will still be packaged and ready for flashing, but if you're a perfectionist, you can install JRE and try again.

If the newly packaged image is barely over 1/3 the size of the original image, this is normal behaviour and you can proceed.
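A pre-flash sanity check for the two images this guide handles, the `boot.img` pulled from the phone and the repacked one, as an added example that is not part of the original guide or of the tools it uses. It parses the standard Android boot image header, rejects a truncated file, records a SHA-256 to keep with the backup copy, and reports whether the kernel command line carries `androidboot.selinux=permissive`; the function names are this example's own and the sample images are constructed in `build_sample`.

```python
import hashlib
import struct

MAGIC = b"ANDROID!"
# Android boot image header (v0 layout): magic, ten little-endian u32 fields,
# a 16-byte board name and a 512-byte kernel command line.
HEADER = struct.Struct("<8s10I16s512s")


def pages(size, page_size):
    return (size + page_size - 1) // page_size  # round up to whole pages


def inspect_boot_image(data):
    """Validate the header and return the fields worth checking before a flash."""
    if len(data) < HEADER.size or not data.startswith(MAGIC):
        raise ValueError("not an Android boot image (no ANDROID! magic)")
    (_, kernel, _, ramdisk, _, second, _, _, page_size,
     _, _, _, cmdline) = HEADER.unpack_from(data)
    if page_size == 0:
        raise ValueError("header declares a page size of 0")
    # One header page, then kernel, ramdisk and second stage, each page-aligned.
    # Vendor extras such as an appended device tree are ignored: lower bound only.
    min_bytes = page_size * (1 + sum(pages(s, page_size)
                                     for s in (kernel, ramdisk, second)))
    if min_bytes > len(data):
        raise ValueError(f"truncated: need {min_bytes} bytes, have {len(data)}")
    cmdline = cmdline.split(b"\0", 1)[0].decode("ascii", "replace")
    return {
        "sha256": hashlib.sha256(data).hexdigest(),  # keep with the backup copy
        "min_bytes": min_bytes,
        "cmdline": cmdline,
        "selinux_permissive": "androidboot.selinux=permissive" in cmdline.split(),
    }


def build_sample(cmdline, total_size):
    """Constructed image: valid header, dummy kernel/ramdisk, zero padding."""
    header = HEADER.pack(MAGIC, 3000, 0, 1000, 0, 0, 0, 0, 2048, 0, 0,
                         b"", cmdline.encode())
    image = header.ljust(2048, b"\0") + b"K" * 3000
    image = image.ljust(3 * 2048, b"\0") + b"R" * 1000
    return image.ljust(total_size, b"\0")


if __name__ == "__main__":
    patched = "console=null androidboot.selinux=permissive enforcing=0"
    for sample_cmdline in ("console=null", patched):
        print(inspect_boot_image(build_sample(sample_cmdline, 8192)))
```

On real files, read the image with `open(path, "rb").read()` and compare the reported `sha256` of the backup against the value noted when it was first pulled before using it for a restore.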
Move the newly created `boot.img`, `unsigned-new.img` or `image-new.img` to the EDL tools folder and open Command Prompt/Terminal within it. From here type either of these commands depending on which image file you have:

```console
python edl.py w boot boot.img --loader=8k.mbn
python edl.py w boot unsigned-new.img --loader=8k.mbn
python edl.py w boot image-new.img --loader=8k.mbn
```

For Nokia 2720 Flip and Nokia 800 Tough with andybalholm's EDL:

```console
python edl.py -w boot boot.img -loader 2720.mbn
python edl.py -w boot boot.img -loader 800t.mbn
```
Again, if the progress bar stops at 99% and you get a timeout error, this is because the phone doesn't send any indicator information back to the EDL tool when in fact the image has been successfully written. Don't mind the error and go on with the next step.
Restart the phone to normal operation mode by typing `python edl.py reset`. And we're done!

`devtools.apps.forbidden-permissions`, then restart B2G by either rebooting the phone or holding the top Power button and selecting Memory Cleaner, Deep Clean Memory.

```console
echo -n 1 > /data/enforce
mount -o bind /data/enforce /sys/fs/selinux/enforce
```
If you wish to revert all changes you've made, connect your phone to the computer in EDL mode, move the original boot image file to `edl-3.1` or `edl-master` folder, open Command Prompt/Terminal within the folder and type:

```console
python edl.py w boot boot.img --loader=8k.mbn
python edl.py reset
```