I rooted it!
I bought this tablet on a whim in “as-is” condition from the store of my all-time favourite ebay seller in the world since I’d had good experiences fixing broken items I’ve bought from the company in the past. I bought my laptop “as-is” from this particular company for some astonishingly low price when all that was needed was to replace the cable connecting the LCD to the motherboard. The screen itself was fine. I’ve got e-readers, game consoles, and other items from the two ebay shops this company runs that sell only “as-is” and broken items. All of them have ultimately turned out to be fixable for significantly less than the price of equivalent merchandise that’s not sold “as-is”. It’s a great little secret that I’m hesitant to even mention because now the two people who read this blog will become new competition in the auctions.
In any case, I’ve never owned an Android device before so I thought a $10 tablet was a good place to start. I thought a cheap tablet would be good for a noob like me. Boy howdy, was I sure wrong about that. The tablet was fine when I got it. It was missing the volume keys but that’s not really a problem because you can adjust the volume via the menus using the touch screen. It has a reset hole like old Macintosh computers for when it crashes. You can use a straightened paperclip to press it.
The documentation/support for the tablet is actually decent. The ADB drivers on the Velocity Cruz website actually work. The instructions, however, are incomplete. Although the correct hardware ID is listed in the driver inf file, nowhere does it mention that you must create the file C:\Users\yourname\.android\adb_usb.ini. Note that there’s a period before the name of the directory.
The correct vendor ID for the PS47 is 0x2396. You can verify this by going to Device Manager and clicking on Details and then choosing “Hardware Ids” from the drop-down menu:
If you haven’t yet installed the drivers, look for a device called rk2918sdk, right-click it and choose “update drivers”. Choose “Browse my computer for driver software”-> “Let me pick from a list of device drivers on my computer” -> remove the checkmark from “Show compatible hardware” -> click “Have disk” -> “Browse” and choose the “android_winusb.inf” downloaded from the Velocity Cruz website. Install it anyway if Windows warns you it’s not signed.
Nooo!
Anyway, once I figured out how to get ADB working I saw by running cat /proc/mounts that the /system partition is cramfs, which is not writable. That was why SuperOneClick and all those other “one-click” solutions failed. “Great”, thought I, “I’ve got a useless tablet now. It’s no use at all if you cannot write to /system”. But that’s not true, I’ve since realised. That was why even though I could get an ADB shell as root (as I’ve read is the case with most rk2918 tablets) the command “mount -o remount,rw -t cramfs /dev/block/mtdblock4 /system” still kept giving the error “read-only filesystem”.
I was on the verge of despair until I found this excellent website which explains how to dump your stock ROM, convert it to ext3, and then reflash it to your rk2918 device.
I wanted very much to try the guide but I couldn’t figure out how to get the PS47 into flash mode. The website is correct that you must hold the volume – (minus) button while plugging in the USB cable with the device powered off. I was just not persistent enough at first. Perhaps it’s because the only way I could hold the volume minus button was by using a paperclip, since the buttons themselves are missing on this unit. It ended up taking me about 20 attempts but eventually I got it into flash mode. The thing about flash mode though that’s confusing to a noob like me is that the screen doesn’t turn on on the PS47 when it’s in flash mode. It looks like it’s still turned off. So the only way to know if you’ve succeeded in getting into flash mode or not is to do what the website says and check the results of lsusb (or if you’re using Windows, something like USBDeview). I succeeded eventually though at getting into flash mode and went ahead and flashed the new ext3 image but I couldn’t get the tablet to boot afterwards. The tablet would just hang at the boot logo where it displays “Cruz”. I tried the whole guide again from the beginning but still no luck getting it to boot. I must have missed some additional file that needs to be edited, maybe in the boot.img. Luckily I was able to simply reflash my backup boot.img and system.img to get back to where I started.
Then I had the bright idea of doing everything the guide says except, instead of trying to make an ext3 system.img I would unpack the stock cramfs system.img, chmod 6755 on /system/bin/su, repack it as cramfs, and flash it to my device. This basically worked. I rebooted after flashing the new image, opened the terminal emulator app that I had installed earlier to confirm I wasn’t able to su, tried “su”ing and sure enough, it worked. I then ran “busybox whoami” and it told me what I wanted to hear: I was rooted. Superuser.apk works, too. So does ROM manager. Unfortunately, this hasn’t allowed me to use Google Play, as I had hoped. But that doesn’t really matter, I suppose.
So here’s the basic process I followed. Most of it is exactly the same as the guide posted on the rk2918 tools website minus the ext3 bit. There’s no need to modify the boot.img at all for what I did. I don’t know if it was actually necessary or not, but I did the whole thing as root on a computer running Ubuntu.
cd ~/rk2918tools
./dump_imgs.py stock_imgs
cp -a stock_imgs new_imgs
cd new_imgs
sudo cramfsck -x system system.img
#Add the su binary from http://androidsu.com/superuser/
wget http://downloads.androidsu.com/superuser/su-bin-3.0.3.2-efghi-signed.zip
sudo unzip su-bin-3.0.3.2-efghi-signed.zip system/bin/su
sudo chmod 6755 system/bin/su
sudo chmod 777 system
sudo chown root:root system
mkcramfs system system_new.img
cd ../
./img-manager.py write system system_new.img
#wait to see the message "Image written successfully"
./rkflashtool b
Update: I discovered that Google Market works if you put vending.apk in /system/app before building the system.img and follow this guide. However, even after doing so I still couldn’t install Chaos Rings. It tells me my device isn’t compatible, though it does occur to me that it might actually not be related to hardware but instead simply because Square Enix can see I’m trying to install it from the United States, not Japan.
This may be off topic so please excuse the question. I have 2 CRUZ PS47’s that my nephew locked and then promptly forgot both the unlock design and the appropriate gmail information that is needed to unlock the device.
I do not need any of the personal information on the devices. I just want to be able to use them again.
Is there a way for me to do this with these Cruz PS47 tablets? I have contacted Cruz directly and they will only assist me if they were under warranty which they are not.
Thanks for your help.
PS. I run Windows XP and when I plug in the USB plug the PS47 shows up as an empty drive that I cannot access.
I’m a real noob at Android, so I’m sorry but I’m not sure where the password is stored on the device, let alone if it’s even stored in plain text at all. As I take it you’ve learned the hard way, there’s no way, as far as I know, the get the PS47 to boot into recovery. Even “adb reboot recovery” just makes it reboot normally.
The following won’t get you the password, but it will get you the Gmail address with which the device is registered and if you find out the Gmail address you can then go to Google.com and use the password recovery feature to find out the password.
Install the ADB driver from the Cruz website. Be sure to make the file adb_usb.ini as I described above in addition to following the Cruz instructions or else ADB probably won’t see your device.
From an ADB shell type the following to verify that your device is recognized:
adb devices
You should see the serial number (which will probably just be 123456789ABCDEF) and the word “device” to the right of the serial number. If not, try rebooting.
When ADB recognizes your device properly, type:
adb pull /data/system/sync/accounts.xml
A file called accounts.xml should then appear in the same directory as adb.exe. Open this in Notepad and you’ll see the email address. If that doesn’t work you can also try accounts.db since it also has your email address in it:
adb pull /data/system/accounts.db
As for the unlock pattern, I’m sorry, but I’ve got no idea what you can do about that. I’ve never actually used one. A Google search came up with this, but it seems to be about removing a PIN, not an unlock pattern.
Thank you so much for taking the time to answer my plea for help. I may not be in any better position when I find the GMAIL address as my nephew does not remember what he typed for a password. He now thinks he had “fat fingers” and when hitting what he thought was one letter another was actually activated.
I do have the 3rd working PS47. Is there a way to download the firmware from it and then upload that firmware to the 2 locked PS47’s?
Thank you again for your help.
Alan
I’ve got to be honest with you that what you’re asking is a bit over my head and I don’t want to inadvertently give you bad advice. Now, having said that, if you have a computer that runs any linux operating system you can use the rk2918tools to dump the firmware from the functional PS47 and then flash it onto the 2 locked PS47s. But I really don’t know if this would help, since I think the files that need to be modified to remove the lock are somewhere in the /data directory. I just don’t know which files they are. If I did know, I’d just tell you to use “adb pull filename” to copy that file to your computer, edit it to turn off the lock, and then replace the file on the device with the modified one with “adb push filename” since the PS47 always gives you shell access as root out of the box.
It’s a good idea though to dump the stock firmware from the working PS47 anyway just to have it as a backup. You can try flashing it to the locked PS47 if you want. You don’t have much to lose except time, I suppose.
The instructions on the developer’s site are much better than anything I can tell you, but this is the basic idea on Ubuntu:
sudo apt-get install git
git clone git://github.com/lamegopinto/rk2918tools
cd rk2918tools
make
Now you must get the functional PS47 into flash mode by following these instructions. I had a lot of trouble doing this, but you just have to keep trying if it doesn’t seem to work. It’ll work eventually.
#dump the firmware from the functional PS47 and reboot
./dump_imgs.py stock_imgs
./rkflashtool b
Then you disconnect the functional PS47, and connect one of the locked PS47s in flash mode. If there’s an SD card inserted it will be left untouched.
You can flash the system.img to the locked device like this:
./img-manager.py write system stock_imgs/system.img
./rkflashtool b
Something else to look into is this screen lock bypass app. I’ve never heard of it but I found it just now with a google search. You can install it even without being able to unlock the device with adb install app.apk.
I do not have access to a Linux computer. Is there a way of doing the same thing with Windows XP?
There’s probably a way of doing it with Cygwin directly in Windows, but I’ve never really used it so I don’t know how.
I think the rk2918tools should probably work if you ran them in an Ubuntu virtual machine in Virtualbox.
I doubt this will work, but if you get the ADB driver working either in Windows or in a virtual machine you might want to try this first, simply because it’s probably much easier and faster than dumping and flashing firmware. You can install it from the command line with “adb install filename.apk” (replace “filename.apk” with the name of the apk). I don’t know if it would really work though because the instructions say you must install it via Google Play and you can’t do that on a PS47, even if it’s not locked.
I have loaded Ubunto on a dual boot with my XP Home.. It will take me a few days to figure it out. When I downloaded the ADB driver from the Micro CRuz site the two sub directories that should have had the drivers were empty. Do you know of an alternative site? I have looked around and found nothing.
I just downloaded the zip file and both the amd64 and i386 subdirectories look good to me. Make sure your antivirus isn’t being overzealous and quarantining or deleting the files as soon as you download them.
Anyway, you can try downloading it here (even though it’s just the same zip file I downloaded from the Cruz website). If Windows can’t install the driver when you select the “usb_driver” directory you can try installing it manually by choosing something along the lines of “I have the disc” and browsing to the “android_winusb.inf” file.
Just so you know, you don’t need to install any drivers in Ubuntu. You only need to install them in Windows. Good luck.
hello there, i too have the ps47! please help, i cant seem to follow what you did in order to root my tablet….ive got the adb drivers etc installed my device manager recognizes it as “android phone, android composite adb interface” i can do a cmd shell on my pc, but that is as far as i can go…please help. thanks
ps. of all the other blogs like xd developer or slate droid etc., you are the only one who has posted a successful root for the ps47!!!! ive looked everywhere!!!! congrats.
Thanks, but I didn’t come up with this process or anything. It just looks like I’m the first to use it on the PS47 is all. The basic idea is to run these three simple commands:
sudo chmod 6755 system/bin/su
sudo chmod 777 system
sudo chown root:root system
Normally you could do that from an adb shell. Unfortunately, since the PS47 uses cramfs, which is unmodifiable, you must first dump the system.img using the rk2918tools, then unpack it on your computer. Once you’ve unpacked it you can change it however you like. Since I’m new to this and didn’t really know what I was doing, I didn’t make any changes other than the ones listed at the rk2918tools website. Only later did I find that moving vending.apk to /system/app/ makes Google Play work.
It sounds like you’re trying to do this on Windows though. As far as I know, you must run the rk2918tools on some Linux operating system. It’s possible you could use Cygwin to get it to work on Windows but I have no idea how to do that since I have no experience with Cygwin. Again, since I don’t really know what I’m doing and I didn’t want to brick my one and only PS47 I used Ubuntu, which is very easy to use for people like me who are used to Windows (also since I already happened to be running it on my laptop it was convenient).
I downloaded rk2918toosl via git. You can install git by “sudo apt-get install git” or using a package manager like Synaptic. It was very easy to make the rk2918tools. I just typed “make” in the directory and it built without any errors. Then I just dumped the images as it describes in the beginning of the guide about converting cramfs to ext3. I did try converting to ext3 but I got some errors and I didn’t understand what they meant, so I decided not to pursue that any farther.
As long as you’re not scared of possibly bricking your device, go ahead and follow the steps at the bottom of the blog post and it should work. Be sure that before flashing your modified system.img you copy your stock images to a safe place so that if the modified system.img doesn’t boot, you can always flash the stock system.img back to your device and you won’t be any worse off than when you started. I had to do this once when I flashed an image that wouldn’t boot. Actually, I’d say that as long as you have backups, the risk of irreversibly bricking your device is pretty low. Remember that the only image you have to modify is system.img. I left the rest untouched.
the problem is your giving an explantion for linux systems only I like many others on here are using windows which does not support the commands that linux terminal does…I also can’t get it to want to install a driver while in flash mode so if you could upload the driver that would be great…I have adb installed and working when not in flash mode….it would be nice to see some intructions for how to do it on windows as many people have never worked with linux
Yeah, I’m sorry but I don’t know how to do this on Windows. I’m not a Linux user either, so I hear you loud and clear.
Like I said, it might be possible to use the rk2918tools with Cygwin, but I can’t help you there since I don’t know how to use Cygwin. It also might be possible to use an Ubuntu virtual machine on a Windows host as long as the VM has access to the host’s USB ports. I haven’t tried that either, but I don’t see any reason why it wouldn’t work.
As for the driver, I never got it working on Windows in flash mode. I uploaded the driverhere, if that helps, but it’s the same as the one from the Cruz website.
If you go to device manager, right-click on the device and choose “Update Driver Software”->Browse my computer for driver software->Let me pick from a list of device drivers on my computer-> and finally unclick “show compatible hardware” there should be three choices:
“Android ADB Interface”
“Android Bootloader Interface”
“Android Composite ADB Interface”
You could try each one to see if one of them works in flash mode. I don’t think any of them do, but I can’t remember if I actually tried each. If you do get the PS47 working with “fastboot” from the Android SDK, in theory it might be possible to make the device boot off of a custom recovery like OpenRecovery, dump the images to the SD card, and then copy them to your computer to modify. Then you could use fastboot to flash them to the device. I don’t know how to do any of that though, so I’m afraid I wouldn’t be of much help.
Good luck.
yea i had already tried fastboot long ago with a cwm recovery with no luck I understand how everything in the instructions are done I would just rather not have to install ubuntu to do it…I have tried pubuntu which is a portable version of ubuntu that works directly in windows using cygwin but I had no luck with it detecting the device to dump the image…starting to look like the last resort will be having to dual boot windows and ubuntu…have been waiting for a root for this device since I bought it in february though…you think you could upload your system.img and boot.img?
thanks for your replies….but im still lost…oh well…
the only reason i wanted to root was so that i could debloat my tablet. i can down load all apps from the market via my pc(google play store recognizes it) thanks for all your help.
do you guys know if the ps47 has a removable sd card or is it just a flash memory?
i meant a removable internal sd card….
Here’s the rooted system.img and boot.img. The boot.img is identical to the stock boot.img though so you don’t need to flash it. I considered uploading these before but I didn’t want to be responsible for people potentially bricking their devices (since I swear I don’t know what the heck I’m talking about), but if it’s helpful, be my guest and flash it to your device. I misspoke when I said Google Play works. It was Google Market that worked for me. I didn’t actually try Google Play. The vending.apk in /system/app in this system.img is for Google Market.
Here’s are two mirrors for the stock system.img. Both links are for the same file. It’s probably best if you dump the stock system.img from your own device though since it’s always possible there could be some slight difference in the hardware.
I don’t know if there’s an internal SD card or not since I haven’t opened my PS47. For what it’s worth though, I do have a generic Chinese tablet that has an internal SD card on the main board and whenever I turn it on I get the “preparing SD card” notification even when I don’t have an SD card in the externally accessible slot. When I connect it to my PC without an SD card in the slot the internal SD card mounts like any other USB storage device. Neither of those things happen with the PS47 so I bet it doesn’t have an internal SD card.
just to clear some thing up flashing your file should cause no ill effects to anothers ps47 if something like that was ever the case then people wouldn’t be able to flash stock roms created for their phones/tablets but dumped by another person…as for google market/google play to work it takes much more then just having vending.apk you need the full google apps pack for it to work but even then there is a chance the build.prop changes won’t effect anything and you won’t be able to install anything from google play…
just wanted to confirm thats flashing with your system.img worked fine
hey deathblade….so you are saying, your ps47 is rooted???
yes it is after I was able to root it after flashing his system.img (using linux of course) I went back and edited his system.img to remove all the bloat apps and flashed it once again…removed the dialer and everything else that isn’t needed…works much faster now…all of the apps that need root access work for me except cpu apps…you of course need to install superuser.apk as a user app if you do not add it into the system folder before you flash the system.img
hey thanks for replying, i dont have access to lynux…how about on a pc?? any ideas?
all you need to do is dual boot xbuntu with windows thats how I did it
Hello I recently tried rooting my ps47 and it didn’t work so when I turn it back on the wifi and Bluetooth didn’t work can u help me please???
Hmm… is it it possible the tablet somehow got put into airplane mode when you tried to root it? I’d check that first.
If that’s not the problem, you could also try restoring to factory settings through Privacy -> Factory data reset after backing up all your data that you want to save to the SD card.
I did factory restore that didn’t work
Its like when I turn on wifi it keep saying error
Can someone help me please
Hi, I’m really sorry I didn’t respond. I thought I had email alerts turned on for new comments, but I guess I didn’t. If you haven’t solved the problem by now, the only other thing I can think of would be to take the back off of the unit and make sure the WiFi antenna is connected properly. This is what it’s supposed to look like inside there. Try disconnecting and reconnecting everything. It can’t hurt, I suppose.
I have a Cruz PS47 last Sept. I searched this nice web page about the cramfs system well. Before I try to flash this rooted system.img, I also like to have a stock recovery.img. The stock recovery.img will set to original factory setting via adb command, even in a bricked device. SmileCitrus posted the two mirror web sites of stock system.img. They were gone. Can anyone help to get a stock recovery.img of Crus PS47 ?
Here’s the recovery.img and the stock system.img. The file size limitation on Mediafire is 200MB so the system.img is compressed. You can extract it with 7-Zip.
Thanks for the stock recovery.img and stock system.img. I am not familiar with Linux., but I know how to flash stock image using fastboot in Windows. Third party application can change the partition of a root device. For example, Clockworkmod will backup the recovery.img and modify the recovery partition. You cannot reset it back to factory via Privacy > factory data reset, once the recovery partition changed. The stock recovery.img put you back to warranty, when you flash the stock recovery.img back to the recovery partition of your device.
I found a Windows tool to unpack and pack the root system.img. How did you change the permission of vending.apk before packing the system.img? I noticed that superuser.apk was not installed in /system/app.
Hello from Germany,
i have also forget the unlock-Code.
Have anyone a step by step Manual to flash the PS47 ?
If it’s a pattern lock, the second method on this page should work. I tested it just now.
Unfortunately, I don’t know how to remove a password lock though.
hello, i ve rooted my ps47, now. worked fine thx for the perfect Manual 🙂 and now I ve modify/delete some of the useless systemapps ^^ a very great Job from you
I followed the guide but can’t communicate with Ubuntu in flash mode. Lsusb sees the device.
I got it. Added the dev rules to 99-android.rules and deleted 51-android.rules. Thanks for your help.
I’m having trouble “git”ing the rk2918tools. go you have a download somewhere.
P.S. this is a fantastic tutorial.
Here you go: http://www.mediafire.com/?os5xxt2871k7ztb
I think, I found out about the problem, wha you didn’t get the systemimage mounted as an ext2 and writable.
The website https://sites.google.com/site/rk2918tools/convert-cramfs-system-img-to-ext3 incorprates an error.
The systemimage is build within the /tmp directory but it is installed from the ~/new_imgs/ directory.
If you follow the instructions from that site, you have to change the command “./img-manager.py write system new_imgs/system.img” to ./img-manager.py write system /tmp/system.img”.
This way I got the PS47 to work with a writable /system.
And I was able to install busybox, wich was nor possible before.
But it took me a few hours of testing, to find out this very simple error.
Very cool. Thanks for the correction.
Only one problem I face with the ext3-filesystem:
I am not able to shut the system down.
My goal is to get the PS47 online via bluetooth tethering with my mobile phone.
Now I gat add “pon” and “poff” scripts to android an edit configfiles to see, if can get it working.
After that I cab either download the ext3-image and reconvert ist to cramfs or I will try to find out, why the system does not shut down.
Maybe there is a umount command to be adjusted to the ext3 filesystem.
Today I found a script named “shutdown” in /system/bin.
In it there is a mount-command. I can’t find out wich directoty is to be mounted by this command, but this might be the reason, why the system won’t shutdown, after converting the filesystem to ext3.
I will not search any longer because I found out, there is not way for me, to get bt-tethering with my mobile for internet-access to work.
The kernel lacks ppp-support.
I will give up at this point, because I have others things to do.
Hi guys,
Can someone plesse email or at least send a link to the ps47 stock firmware (like an update.img) im currently fixing a friend’s ps47 which was invaded by this nabi kids software thing,
I’m using a rk2918 flasher, hence the update.img
Please email me at [email protected]
Cheers,
Cameron Whale