collected: shiny new update keys for 1.2.4

posted by on 2013.10.24, under general, linux, collected

some background on how the update works

On startup the shine checks the external sdcard for some special files. If there is a file named, the system starts with /dev/block/mmcblk0p4 mounted as filesystem root – and /sbin/recovery is executed.

You can find the code that forms that little binary here.
_note: in the head section of recovery.cpp you can find a short outline on how update „notification“ works

First recovery checks the cryptographic signature of the by

  1.  reading the public keys (yes, plural is possible – see load_keys in verifier.cpp) from /res/keys (stored in the recovery partition),
  2.  creating the hash over the,
  3.  extracting the signature embedded in the comment section,
  4.  decrypt hash by using the public keys from /res/keys and
  5.  compare own hash with hash from the signature.

After a successful verification of the the zip-container itself is opened and recovery checks for /META-INF/com/google/android/update-binary and – if it is present – executes it. The binary then starts running the script stored in /META-INF/com/google/android/updater-script that performs the installation steps. The script itself is written in edify – see here for a short overview.

_note: for hunting bugs during the update process cat /tmp/recovery.log

replace the key – old version / pre 1.2.4

Currently only the public key used by the Telekom is stored in the /res/keys-file. So only the owner of the private key – the Telekom – can create valid update-files (by signing them).

By replacing the public key in the shine by using the well-known testing key contained in the android sources everyone can create valid update files (and of course – you can re-sign the public update from the Telekom to use them too – if you want).

_note: you can find the keys here

First you must convert the key to the format the recovery expects. This is done by using the tool dumpkey – you can find the source here.

java -jar dumpkey.jar testkey.x509.pem > testkey.x509.c

gives you


If your shine is already rooted, use your ADB shell and do the following:

# cd /mnt/sdcard
# mkdir mnt_recovery
# mount -t ext2 /dev/block/mmcblk0p4 mnt_recovery
# busybox cp mnt_recovery/res/keys mnt_recovery/res/keys.bck
# cat << 'EOF' > mnt_recovery/res/keys
# sync

Of course – you can also add the testkey to the key already contained in the key file. Just run step 5 in the following color:

cat << 'EOF' >> mnt_recovery/res/keys
, {64,0xc926ad21,{1795090719,2141396315,950055447,-1713398866,-26044131,1920809988,546586521,-795969498,1776797858,-554906482,1805317999,1429410244,129622599,1422441418,1783893377,1222374759,-1731647369,323993566,28517732,609753416,1826472888,215237850,-33324596,-245884705,-1066504894,774857746,154822455,-1797768399,-1536767878,-1275951968,-1500189652,87251430,-1760039318,120774784,571297800,-599067824,-1815042109,-483341846,-893134306,-1900097649,-1027721089,950095497,555058928,414729973,1136544882,-1250377212,465547824,-236820568,-1563171242,1689838846,-404210357,1048029507,895090649,247140249,178744550,-747082073,-1129788053,109881576,-350362881,1044303212,-522594267,-1309816990,-557446364,-695002876},{-857949815,-510492167,-1494742324,-1208744608,251333580,2131931323,512774938,325948880,-1637480859,2102694287,-474399070,792812816,1026422502,2053275343,-1494078096,-1181380486,165549746,-21447327,-229719404,1902789247,772932719,-353118870,-642223187,216871947,-1130566647,1942378755,-298201445,1055777370,964047799,629391717,-2062222979,-384408304,191868569,-1536083459,-612150544,-1297252564,-1592438046,-724266841,-518093464,-370899750,-739277751,-1536141862,1323144535,61311905,1997411085,376844204,213777604,-217643712,9135381,1625809335,-1490225159,-1342673351,1117190829,-57654514,1825108855,-1281819325,1111251351,-1726129724,1684324211,-1773988491,367251975,810756730,-1941182952,1175080310}}

Note the comma surrounded by TWO spaces (SPACEKOMMASPACE) in front of the key (and the >> instead of > to append data). If you keep the Telekom key inside of the key-file you can install Telekom update-files without doing anything (but that contains the risk that the big magenta just kicks out the testkey – and locks the device finally).

_note: if you accidentally whipped out the Telekom key (as I did) – here is a backup:


If your shine is not rooted yet (and the serial number is below 20311241 – and you have not installed the update 1.2.4) you can just download the recovery.img.fixed_initrd_and_testkey, put it on a sdcard (!!!DO NOT FORGET TO RENAME IT TO recovery.img!!!) and restart your shine. On boot the shine starts to install the image in the background – so just wait (do nothing) till the reader goes down. Power it on again and your shine has ADB access and the testkey installed.

To sign an just run

java -jar signapk.jar -w testkey.x509.pem testkey.pk8

Then copy the to your sdcard (and rename it to

Example: update zip that just replaces the startup logo of the shine…

Intermezzo: The startup logo

The system/bin/ tells us that the logo lives in /dev/block/mmcblk0@18432 (bs=512). The name suggest that the image uses a 4 bit raw format – native resolution of the display is 1024×758 (makes 388096 bytes).

To prove that, I did a quick

dd if=/dev/block/mmcblk0 bs=1 skip=9437184 count=388096 of=raw_logo

Moved the file to my desktop and fired

cat | convert -depth 4 -size 1024x758+0 gray:- pic.png

on it. Result:

Tolino Shine startup logo

Tolino Shine startup logo

_note: convert is part of imagemagic

After changing the image recreate the 4-bit-grayscale image with

convert logo_rework.png -size 1024x758+0 -depth 4 logo_rework.gray

Now write the raw image back to the shine using dd again:

dd if=logo_rework.gray of=/dev/block/mmcblk0 bs=1 seek=9437184

Reboot and enjoy your new startup logo!

back to the update example…

It just contains a short example of the META-INF/com/google/android/updater-script that invokes a one-liner shell script – nothing more.

ui_print("!!! this is only a demo !!!");
show_progress(0.05, 2);
assert(getprop("ro.product.device") == "imx50_rdp" || getprop("") == "imx50_rdp");
ui_print("Target device check: ok");
ui_print("use it for something usefull...");
show_progress(0.45, 90);
package_extract_file("", "/tmp/");
package_extract_file("logo.raw", "/tmp/logo.raw");
set_perm(0, 0, 0755, "/tmp/");
set_perm(0, 0, 0555, "/tmp/logo.raw");

_note: never forget the empty newline at the end of the edify scripts!
_note: never forget to set proper permissions for your shell scripts!!
_note: never forget to add the bash bang on top of your shell scripts!!!

important_note: after installing 1.2.4 the shine reports itself as imx50_rdp_2 – so the above example must be adapted!!!

This update can be used to check if the testkey is installed.

the 1.2.4 update

I used the ability to sign my own update-packages to rework the latest update for the old shine. A rough overview of what I have done:

  • add android testkey to all /res/keys
  • add ADB on startup (hardcoded in, /system/bin/adb)
  • add su (/system/bin/su)
  • fixes wrong waveform-target in
  • adds in
  • re-enables recovery.img-hook in
  • add links to some tools (no need to write busybox in front of every important command)
  • enable ADB in recovery
  • added imx50_rdp_2 in the target test of the updater-script („big update“ can be installed over and over)

I used the update downloaded from Hugendubel. See the script in the downloads to get an idea on how it is done (trust me – its easy). To proceed for your own, just

  1. unpack the
  2. unpack the orig_update inside the update to orig_update
  3. replace META-INF/com/google/android/updater-script in update and orig_update by the ones used in the provided reworked
  4. replace all /res/keys-files to add testkey
  5. change the default.prop (secure = 0; debug=1, adb = 1)
  6. replace all by provided one
  7. run…

_note: Watch the asserts inside of the updater-script. If they catch in the updater may tell misleading error messages. Just add verbose debug! And as noted above: have an eye to cat /tmp/recovery.log…

_note: tested by starting on a shine with 1.0.1 (rooted), installed recovery that brings the testkeys, than loaded the reworked 1.2.4 update…

the dead end – waveform.bin

Together with frank-w from the we discussed an upgrade-way over the waveform cause it is also written by – without any checks:

elif [ -e /mnt/sdcard/extsd/waveform.bin ]; then
echo "---> Programming waveform ----------------------------------------"
busybox dd if=/mnt/sdcard/extsd/waveform.bin of=/dev/mmcblk0 bs=512 seek=14336

Since the waveform binary is located in front of /mmcblk0p1 („MEIN TOLINO“) and – even more important – /mmcblk0p2 aka /system we had the idea to overwrite these two partitions by offering a waveform image that contains these parts. It sounded promising and worked on the console (directly on the shine – just dd the waveform + partition image). But on startup – the upgrade_check catches in and starts writing – the shine goes mad and killed all processes cause he runs out of memory… strange. But then, ohhhhh, that hurts so much: the actual device on the shine lives in /dev/block/mmcblk0 – but the upgrade_check writes to /dev/mmcblk0. And that is mounted via tmpfs. So on start – while writing to the NEW file /dev/mmcblk0 dd eats all the memory. Nice bug. Or was that intentional, Mr. big magenta? Huh?

left overs…

The process of changing the keys / building updates etc was not really straight forward. It took some hours of testing… here are some snippets that turned out to be useful…

If you wanna change the /system – remount rw:

mount -o remount,rw /dev/block/mmcblk0p2 /system

The su binary needs the set u-id permissions:

chmod 6555 /system/bin/su

Script that adds the testkeys in /mmcblk0p4/res/keys (recovery partition):

mkdir /mnt/sdcard/recovery
mount -t ext2 /dev/block/mmcblk0p4 /mnt/sdcard/recovery
cp /mnt/sdcard/recovery/res/keys /mnt/sdcard/recovery/res/
echo " , {64,0xc926ad21,{1795090719,2141396315,950055447,-1713398866,-26044131,1920809988,546586521,-795969498,1776797858,-554906482,1805317999,1429410244,129622599,1422441418,1783893377,1222374759,-1731647369,323993566,28517732,609753416,1826472888,215237850,-33324596,-245884705,-1066504894,774857746,154822455,-1797768399,-1536767878,-1275951968,-1500189652,87251430,-1760039318,120774784,571297800,-599067824,-1815042109,-483341846,-893134306,-1900097649,-1027721089,950095497,555058928,414729973,1136544882,-1250377212,465547824,-236820568,-1563171242,1689838846,-404210357,1048029507,895090649,247140249,178744550,-747082073,-1129788053,109881576,-350362881,1044303212,-522594267,-1309816990,-557446364,-695002876},{-857949815,-510492167,-1494742324,-1208744608,251333580,2131931323,512774938,325948880,-1637480859,2102694287,-474399070,792812816,1026422502,2053275343,-1494078096,-1181380486,165549746,-21447327,-229719404,1902789247,772932719,-353118870,-642223187,216871947,-1130566647,1942378755,-298201445,1055777370,964047799,629391717,-2062222979,-384408304,191868569,-1536083459,-612150544,-1297252564,-1592438046,-724266841,-518093464,-370899750,-739277751,-1536141862,1323144535,61311905,1997411085,376844204,213777604,-217643712,9135381,1625809335,-1490225159,-1342673351,1117190829,-57654514,1825108855,-1281819325,1111251351,-1726129724,1684324211,-1773988491,367251975,810756730,-1941182952,1175080310}}" >>/mnt/sdcard/recovery/res/keys
umount /mnt/sdcard/recovery/

Just put it on your external sd card, name it If everything was okay, you will find the script (after restarting the shine) renamed to If anything went wrong and the script does not return 0 the file becomes

If you miss some links to busybox tools:

nice_to_have="touch chgrp cp diff find vi nc pidof grep tar zip unzip wget du sed watch more arp seq sleep usleep tail head wc"; for tool in $nice_to_have ; do ln /system/bin/busybox /system/bin/$tool ; done



file content size/mb md5
  • dumpkey.jar – output public key as c-source (used in res/keys)
  • keys.telekom_and_testkey – /res/keys-file containing original and testkey
  • – old script from the Android repos to generate own keys
  • recovery.img.fixed_initrd_and_testkey – Tolino recovery.img containing adb, root – and the testkey (but only the testkey – so you can install the reworked 1.2.4 update)
  • signapk.jar – tool to sign apks / zips
  • testkey.pk8 , testkey.x509.pem – the Android testkeys
  • su, adbd – tolino binaries from old versions
  • – update that was signed with the testkey, replaces the startlogo of the shine
  • – reworked upgrade_check
  • updater-script – adds links for important tools, set su permissions, allows rdp and rdp_2
  • – just fade the backlight (to signal something is currently running)
  • – automate packing and signing for 1.2.4
72 13362ef4bf5c73c9f9cfd0bd4f1628ce
  • 1.2.4 update from hugendubel
  • ADB + root
  • original and testkey
  • user_script install hook
  • re-enabled recovery.img in upgrade_check
136 b80ed49bdb04685975bae414ade5d538 detailed pictures of the plastic enclosure of the shine (in case you have to open it – note the noses around the border of the back part, the top cover is also glued to the display frame and the housing of the connectors at the bottom with double sided tape – lift it carefully and slowly. maybe some warm air from a hairdryer removes some adhesive power. but be careful to not overheat the display – stay cool at all) 0.7 31f8869f0de1c1ee3b3f629a1698dc69

Have phun!


First of all, thanks for your extensive work and providing us with valuable instructions on the Tolino Shine!

I have a question regarding the following restriction:
„If your shine is not rooted yet (and the serial number is below 20311241 – and you have not installed the update 1.2.4) you can just download.. []“
Why does the serial number have to be below 20311241? Are the new Tolino Shine 2 versions starting from that number?
Having a new Tolino Shine 2 with serial number 2034xxxx and firmware 1.2.0, am I somehow also able to get root?

Thanks and best regards!

Thomas ( 31/10/2013 um 12:05 )

    As far as I know the support for the recovery.img was removed in 1.2.0 and the dd command for the waveform in is buggy. So there is no easy way (beside opening the Shine) to gain root and enable ADB. Unfortunately I can’t found any 1.2.0 update file – so I can’t double check that.

    hecke ( 01/11/2013 um 11:18 )

      Mmh, is there maybe a way for me to retrieve version 1.2.0 from my device and then send it to you?

      Thomas ( 01/11/2013 um 17:31 )

        Only if your device has ADB and you run an update to 1.2.0 – then you can copy the… but it seems that only the latest update is applied. Even if you start an update with version 1.0.1 – you get 1.2.4… but anyway: thanks for the offer.

        hecke ( 01/11/2013 um 17:42 )

          Mmh, too bad. Hopefully, someday and somehow root can be achieved also for post 1.1 versions, maybe with another trick.. Thanks for your help!

          Thomas ( 01/11/2013 um 17:52 )

Thank you for your work, but unfortunately I already did the update to the newest.
recovery.img is now ignored.
Than I tried to go back to the old version using an old from 15.8.2013.
But after about 20 percent, I receive the message:

Finding update package…
Opening update package…
Verifying update package…
Upgrade : ALL
assert failed: getprop(„ro.product.device“) == „imx50_rdp“ || getprop („ro.puild.product“) == „imx50_rdp“
E:Error in /sdcard/extsd/
(Status 7)
Installation aborted.

As Total Commander is still in the Tolino I checked /system/build.prop and found:


Why the assert?
Anyway it is read only, I could not change it.
Does a „Recover the system (all of your files and settings will be deleted)“ help?

Peter (Gast) ( 31/10/2013 um 15:03 )

    Thats cause the updated shine reports itself as an imx50_rdp_2 device – but the old update script (<1.2) checks for imx50_rdp. So the install process is killed by the assert on top of the script.

    By this the manufacturer prevents you from going back to a "rootable" version. In fact, the 1.2.4 contains a second update that replaces the former one - so even if you try a system recovery you can't go below 1.2.4.

    That was the main reason for me to add the second key so we can create our own updates to allow up- and downgrades.

    hecke ( 01/11/2013 um 11:23 )

I did a „Recover the system“.
It is still 1.2.4 and all of my apps (including Total Commander) are gone.
The value of my Tolino has dropped to 50 percent with the update 1.2.4.
I had never bought it, whithout the freedom to add Android Apps!

Peter (Gast) ( 31/10/2013 um 15:40 )

    1. Print the advertisement from the Tolino Shine page that outlines an „open Android device“.
    2. Contact your seller and tell him that the product does not fit its description.
    3. Say, you accept a rectification.
    4. Manufacturer publishes an update that contains an app to install own software.
    5. Profit!

    Just kidding. Yes. You, the customer, owns a device that was advertised as open in different ways. It runs an operating system that is based on open and (partly) free software. The entire infrastructure runs mostly on open applications. It is developed by a company that claims to be open source friendly. A company that runs a large infrastructure – also using open source software. Its a great story about making money with other peoples intellectual properties… by fu**ing customers. Sorry dude, you need a big lobby to overcome that problem. Or a good lawyer.

    hecke ( 01/11/2013 um 11:36 )

Can you please upload the image of the latest version (with adb and root) so that it can be dd to the internal storage?

darkShine ( 28/11/2013 um 17:21 )

    You mean the full SD-card-image?

    hecke ( 05/12/2013 um 19:24 )


what about to find out what the device is communicating with its servers?
Upgrade URL, Device Settings etc.

Maybe you could modify the URL Param CONFIG_URL in the of the de.telekom.epub.apk and let the device go over a proxy and trace everything.


Sven ( 03/12/2013 um 17:56 )

    A pure proxy won’t work cause the communication uses SSL. And for something like CharlesProxy you must add a CA to the config of the Shine.
    Replacing the relevant libs with a „tap version“ to intercept the packets directly on the shine makes more sense.

    hecke ( 05/12/2013 um 19:24 )


did you tried something like a USB Jig? I’ve seen in the pictures that the pin 4 of the micro USB connector is used for something.

The i.MX507 has a USB Download mode, or it could change the boot order, to boot the external SD or something.

Regards Sven

Sven ( 22/12/2013 um 17:01 )

    Tried it today – without any success. But PIN_4 is not connected to ground. Has ~3.2K against PIN_5 – so _maybe_ some input with a cap against GND.
    But anyway: nice tip. Thank you.

    hecke ( 23/12/2013 um 21:38 )

So, as i have a tolino with update 1.3.0 the only way to update it would be to open it?
i got the lowest basic of informatics knowledge but is there an easy way that even i can my tolino rooted? for example, i didn’t find something on how to root an opened tolino…
what will i need to root an opened tolino?
The reason i want my tolino rooted is that i want to use it as a 2nd monitor for my pc or notebook and as a remotecontrol if possible to switch between songs and trigger some macros/scripts and to use chatprogramms (i got no smartphone and i’m using bluestacks at the moment)
ps: i’m just a casual win7 user…

uelz ( 02/01/2014 um 20:57 )

    Currently – for > 1.2.x – yes, you must open the device. Theoretical possible: drill one small hole (0.3 mm or so) over the serial connector pin (RX) and use
    a external device to run a script over the serial port that „fixes“ the problem… but since I only own an old version of the shine I can’t provide you a template
    for the drilling part.

    If the shine is open, you can access the internal SD card that contains the system files. And then… read all of my posts related to that and by this you may learn a lot
    and finally you will be able to change the needed parts to get adb/root on the shiny shine. It’s not very complicated – but I think you need some basic skills using a terminal.
    To do all the stuff you should use a *nix-box, so you may start by installing an easy to use Linux in a virtual machine inside of your Windows box. Not strictly needed – but
    it is „more painless“.

    And have a look at IIRC frankw ore someone else already did the root-a-1.3.0-firmware step. So you can ask for an image of the sdcard and install it on yours (after
    opening the shine) by copy the data on your card (by using dd of course).

    hecke ( 06/01/2014 um 19:44 )

Hi guys, perhaps I am too tired, or I am not following: I have one of the first Tolino, v1.1 rooted, and I read on several websites that v1.2 or later cannot be rooted. Have you found a way to root 1.2+ versions, or a way to update 1.1 rooted devices to 1.2.4 and still staying rooted? (which for me and my girlfriend would be fantastic as with both have the first units 1.1 rooted).

rmcrys ( 04/01/2014 um 21:38 )

    The vendor removed the easy way to open the device for >= 1.2. So I added the test key to the keyfile used to validate update files. By this it is possible to take a vendor-published update, apply the changes needed to get adb and gain root, sign it and load/install it via sd card on the shine. Have a look at – there are some guys still active in that area (I only created an update
    from the hugendubel image for 1.2.4).

    hecke ( 06/01/2014 um 19:29 )

Please Leave a Reply