fancypants' experiments
Forwarded from Kshitij Gupta
bootloader unlocked
It does boot, but there are constant crashes, mostly with launcher3. Looking at the logs and some sifting through AOSP, I realised the vendor doesn't have handheld_core_hardware.xml and the other standard handheld smartphone permission files & configs.
I copied over the GSI target from AOSP and started working on that, adding what was missing, initial IMS port and figuring out what to do with the keys and camera. For keys, you have 2 approaches:
1. framework keyhandler
2. keylayout
I have both on my tree, but I'm actively using only the framework keyhandler approach, since it lets me retain default behaviour for when someone manages to port a simple rabbitlauncher apk.
That brings us to reversing the rabbit launcher that actually teaches us quite a bit!
step_motor_ms35774 -> camera orientation step motor
och1970_holl_key -> scroll wheel
Further, the most annoying bit of the device is that long pressing power DOES NOT hard reset the device, unless you are talking to preloader or brom, and something has disabled its watchdog.
Forwarded from Kshitij Gupta
I was looking at ifixit's photos and noticed the button (next to the 2 unmarked golden pads).
In the SIM tray there's a very tiny button; if you press this, it hard resets the SoC.
The second most annoying thing of this device: the prebuilt kernel. The kernel does not for the love-of-god let you go permissive
good luck auditing denials here :))))
The process to install Magisk is much like any other device, I won't dive into it here.
The kernel is a not-yet-open(?) Linux kernel:
Linux version 4.19.191-g9f720735273f
Which, from what I gather, is MTK's last 4.19 release for 6765. Should be pretty easy to rewrite the kernel, but it could take some time to redo ms35774 and och1970 from data sheets.
Adding Google services inevitably makes GMS yell at me from every single Google app it has in its arsenal on the device; I'll bother with this later too.
https://github.com/RabbitHoleEscapeR1/r1_escape
Here's a (hopefully) all in one script that should automate the unlocking and flashing process on both linux and windows. If someone can help me get mtkclient working on macOS, I'd be happy to add macOS support too.
I did make a few changes to mtkclient to have it work directly with the serial port without usbdk (doesn't work at all on latest W11 for me); serial mode on Linux and macOS doesn't work for me either. libusb works perfectly on Linux, and only works in brom on macOS. Preloader connection just stalls with some weirdo "kernel driver unimplemented" error on macOS:

https://github.com/bkerler/mtkclient/commit/9e54803fb5b6cb34842bcf95aaeb5d4a2e7df5ea
https://github.com/bkerler/mtkclient/commit/c3eb4b1183c9ca3698994f5fb3b27b4cb9705ab7
https://ota.transactional.pub/qa/rabbit_OS_v0.8.83_20240509120550.json
Rabbit OTA server URL to latest update, seems to be an incr
After some smali patching, RabbitLauncher (kind of) works on my AOSP GSI build. I can link it to my account, but it understandably fails when trying to open a socket via its wss classes. It seems to pass its build fingerprint and a key that comes from some JNI. Should be easy to fix, but again I haven't had much time on the same.