This is a guide to extract the boot image from a cheap Android tablet based on Allwinner A133 using U-Boot (accessed via UART). The original firmware was not found on the internet. With the boot image and Magisk, you can root your Android tablet to make it more useful.
Pritom P7 is a very cheap Android tablet. I bought it for 33 USD from AliExpress, but it can be found for as low as 27 USD. This is a Google GMS-certified device (it passes Play Integrity, no malware was found when I received it), and it uses 32-bit Android Go. I am only using this to test some 32-bit Android app compatibility.
They may have several variants of this model with different specifications. Mine is: Alwinner A133, 1.5GB RAM (advertised as 2GB, and shown as 2GB in the Android info), 32 GB ROM, only 2.4 GHz WIFI, no GPS.
Unlockable Bootloader
Luckily, we are allowed to unlock the bootloader of this device using the developer menu, adb reboot bootloader then using fastboot oem unlock. Some cheap Android devices don’t allow unlocking (for example, the ones that are based on recent Unisoc SOC).
The product ID of my tablet is P7_EEA (Android 11) with kernel version Linux localhost 5.4.180-svn33409-ab20220924-092422 #28 SMP PREEMPT Sun Aug 20 19:13:45 CST 2023 armv8l. The build number is PRITOM_P7_EEA_20230820.
I did not find any Android exploit for this device, and I also didn’t find any backdoors. From my experience, some of these cheap Android devices have hidden su backdoors. Unable to find an exploit, I gave up trying to extract boot image from user space.
With some SOC, you can easily read/dump/extract the flash using PC software. I didn’t find any software for this Allwinner chip. An example of a SOC that allows flash reading is Unisoc (formerly Spreadtrum), but on the other hand, the bootloader on phones and tablets with the latest SOCs from Unisoc (that I know of) is not unlockable.
UART
Fortunately, this device is easy to open, and a UART pin is on the top left near the camera.
Here is a close-up:
The right-most pin is FEL if you want to enter FEL mode. But entering FEL mode can be done easily using: adb reboot efex.
To test that the pin does output something, I just connected the ground to the USB-C ground and held my hand, pressing a cable on the TX pad during startup.
U-Boot
Fortunately, we can break into u-boot (not locked down); from there, it is easy to dump the bootloader. There are many ways to do it, but this is how I did it. First, print the environment using env print to see what commands are used to load the boot partition:
bootdelay=0
boot_normal=sunxi_flash read 45000000 boot;bootm 45000000
Note: I suggest you change the bootdelay to make it easier to enter U-boot next time.
We can see that we can read the flash partition to a certain memory location using:
sunxi_flash read 45000000 boot
Now, we need to write this memory area to an SD Card. I prepared a FAT-formatted SD Card. Insert it, then: sunxi_card0_probe. This will detect the card. I need to do mmcinfo otherwise, the next command won’t work:mmc part
Now we can test listing the content of the card: fatls mmc 0:1. It should be empty since we just format it. Next is to write the memory to a file: fatwrite mmc 0:1 45000000 boot.img 4000000. Note: all numbers are in hexadecimal. 64 Megabytes is just a common size for the boot partition.
We can install Magisk APK to the tablet, run it, and then choose “Install” and “Select and patch file”. Patch our boot.img, then the magisk_patched_xx.img file can be flashed using : fastboot flash boot magisk_patched_xx.img.
I could have dumped all the partitions using u-boot, but I felt that u-boot is slow in writing to the SD Card. After we have a root access, we can easily dump the rest of the partitions by accessing the files in /dev/block/by-name.
Conclusion
I hope this guide can help you root your Allwinner device, even when you don’t have the original firmware.
I think this device is not worth buying unless you have a specific need for it. This tablet is OK if you want to test your app for Android Go or 32-bit Android libraries. This is also a good tablet for learning to hack Android hardware.
If you are using the same device and want to have the boot partition, you can download it here: please make sure that your hardware is exactly the same as mine to prevent bricking it.
ivan@M16 ~ % fastboot devices
3c000c4543c48701e19 fastboot
ivan@M16 ~ % fastboot oem unlock
FAILED (remote: ‘Oem unlock ability is 0. Permission denied for this command!’)
fastboot: error: Command failed
Please help to unlock
Developer options – ON, OEM Unlocking – ON
(bootloader) treble-enabled:true
(bootloader) first-api-level:30
(bootloader) dynamic-partition:true
(bootloader) system-fingerprint:PRITOM/P7_A1/P7_A1:11/RP1A.201005.006/20220915-103124:user/release-keys
(bootloader) snapshot-update-status:none
(bootloader) super-partition-name:super
(bootloader) hw-revision:0
(bootloader) off-mode-charge:0
(bootloader) battery-voltage:0
(bootloader) is-userspace:yes
(bootloader) partition-type:bootloader_b:raw
(bootloader) partition-type:dtbo_a:raw
(bootloader) partition-type:vbmeta_vendor_b:raw
(bootloader) partition-type:vendor_boot_b:raw
(bootloader) partition-type:bootloader_a:raw
(bootloader) partition-type:vbmeta_system_b:raw
(bootloader) partition-type:userdata:raw
(bootloader) partition-type:env_b:raw
(bootloader) partition-type:boot_b:raw
(bootloader) partition-type:misc:raw
(bootloader) partition-type:dtbo_b:raw
(bootloader) partition-type:env_a:raw
(bootloader) partition-type:vendor_boot_a:raw
(bootloader) partition-type:vbmeta_b:raw
(bootloader) partition-type:vbmeta_a:raw
(bootloader) partition-type:vbmeta_system_a:raw
(bootloader) partition-type:media_data:raw
(bootloader) partition-type:vbmeta_vendor_a:raw
(bootloader) partition-type:boot_a:raw
(bootloader) partition-type:metadata:raw
(bootloader) partition-type:super:raw
(bootloader) partition-type:system_a:raw
(bootloader) partition-type:system_b:raw
(bootloader) partition-type:vendor_a:raw
(bootloader) partition-type:vendor_b:raw
(bootloader) partition-type:product_a:raw
(bootloader) partition-type:product_b:raw
(bootloader) secure:yes
(bootloader) battery-soc-ok:yes
(bootloader) serialno:3c000c4543c48701e19
(bootloader) slot-count:2
(bootloader) cpu-abi:armeabi-v7a
(bootloader) variant:NA
(bootloader) has-slot:bootloader:yes
(bootloader) has-slot:dtbo:yes
(bootloader) has-slot:vbmeta_vendor:yes
(bootloader) has-slot:vendor_boot:yes
(bootloader) has-slot:vbmeta_system:yes
(bootloader) has-slot:userdata:no
(bootloader) has-slot:env:yes
(bootloader) has-slot:boot:yes
(bootloader) has-slot:misc:no
(bootloader) has-slot:vbmeta:yes
(bootloader) has-slot:media_data:no
(bootloader) has-slot:metadata:no
(bootloader) has-slot:super:no
(bootloader) has-slot:system:yes
(bootloader) has-slot:vendor:yes
(bootloader) has-slot:product:yes
(bootloader) product:P7_A1
(bootloader) is-logical:bootloader_b:no
(bootloader) is-logical:dtbo_a:no
(bootloader) is-logical:vbmeta_vendor_b:no
(bootloader) is-logical:vendor_boot_b:no
(bootloader) is-logical:bootloader_a:no
(bootloader) is-logical:vbmeta_system_b:no
(bootloader) is-logical:userdata:no
(bootloader) is-logical:env_b:no
(bootloader) is-logical:boot_b:no
(bootloader) is-logical:misc:no
(bootloader) is-logical:dtbo_b:no
(bootloader) is-logical:env_a:no
(bootloader) is-logical:vendor_boot_a:no
(bootloader) is-logical:vbmeta_b:no
(bootloader) is-logical:vbmeta_a:no
(bootloader) is-logical:vbmeta_system_a:no
(bootloader) is-logical:media_data:no
(bootloader) is-logical:vbmeta_vendor_a:no
(bootloader) is-logical:boot_a:no
(bootloader) is-logical:metadata:no
(bootloader) is-logical:super:no
(bootloader) is-logical:system_a:yes
(bootloader) is-logical:system_b:yes
(bootloader) is-logical:vendor_a:yes
(bootloader) is-logical:vendor_b:yes
(bootloader) is-logical:product_a:yes
(bootloader) is-logical:product_b:yes
(bootloader) vendor-fingerprint:PRITOM/P7_A1/P7_A1:11/RP1A.201005.006/20220915-103124:user/release-keys
(bootloader) version-vndk:30
(bootloader) unlocked:no
(bootloader) current-slot:a
(bootloader) version-os:11
(bootloader) version-baseband:
(bootloader) max-download-size:0x10000000
(bootloader) partition-size:bootloader_b:0x2000000
(bootloader) partition-size:dtbo_a:0x200000
(bootloader) partition-size:vbmeta_vendor_b:0x10000
(bootloader) partition-size:vendor_boot_b:0x2000000
(bootloader) partition-size:bootloader_a:0x2000000
(bootloader) partition-size:vbmeta_system_b:0x10000
(bootloader) partition-size:userdata:0x67C77BE00
(bootloader) partition-size:env_b:0x40000
(bootloader) partition-size:boot_b:0x4000000
(bootloader) partition-size:misc:0x1000000
(bootloader) partition-size:dtbo_b:0x200000
(bootloader) partition-size:env_a:0x40000
(bootloader) partition-size:vendor_boot_a:0x2000000
(bootloader) partition-size:vbmeta_b:0x20000
(bootloader) partition-size:vbmeta_a:0x20000
(bootloader) partition-size:vbmeta_system_a:0x10000
(bootloader) partition-size:media_data:0x1000000
(bootloader) partition-size:vbmeta_vendor_a:0x10000
(bootloader) partition-size:boot_a:0x4000000
(bootloader) partition-size:metadata:0x1000000
(bootloader) partition-size:super:0xC0000000
(bootloader) partition-size:system_a:0x305EA000
(bootloader) partition-size:system_b:0x0
(bootloader) partition-size:vendor_a:0x4F91000
(bootloader) partition-size:vendor_b:0x0
(bootloader) partition-size:product_a:0x4822D000
(bootloader) partition-size:product_b:0x0
(bootloader) security-patch-level:2022-10-05
(bootloader) version-bootloader:unknown
(bootloader) version:0.4
Also I can’t flash your boot image
ivan@M16 ~ % fastboot flash boot /Volumes/Temp/pritom-P7_EEA-boot.img
Sending ‘boot_a’ (65536 KB) FAILED (remote: ‘Download is not allowed on locked devices’)
fastboot: error: Command failed
I think you are using a different device (not the same one as mine). So I am not sure what to do for your device.
I just bought one of these tablets, and they can be okay for a grandparent or a child (or for playing around with root or for 3D printer screen etc.). Your detailed description of the process has helped me a lot. I would like to say thank you to everyone who wants to play around with this tablet (I ordered mine for 33 euros, and it has the same specs as yours).