DREAIMG.nbh - G1 Android Development

Any chance that we can use the .bin file in the bootloader update, rename it to DREAIMG.nbh, put it on a SD card (even for OTA RC30), reboot to SPL (camera+END) and flash the ROM for OTA RC30?

trying this now on stock rc30...standby.
ok, RC30 stock bootloader does not recognize DREAIMG.nbh

ok, also tried it on modded RC30 and bootloader says no image found.

Ok, that was the name I found on other threads. Maybe that is not the name to be used.

i also tried DREAIMG.IMG but still the same....

scanta2 said:
Any chance that we can use the .bin file in the bootloader update, rename it to DREAIMG.nbh, put it on a SD card (even for OTA RC30), reboot to SPL (camera+END) and flash the ROM for OTA RC30?
Nope, no chance. The stock bootloader, although it will see DREAIMG.nbh files on FAT32 sdcards, will only accept NBH files signed by HTC's private key.

I thought I recalled a post about finding HTC's key when dumping the NAND, am I delusional?????lol....

korndub said:
I thought I recalled a post about finding HTC's key when dumping the NAND, am I delusional?????lol....
Probably a public key. Public keys are used to verify files signed with a private key. As the name implies, the private key is not disseminated.
http://en.wikipedia.org/wiki/Public_key_infrastructure

Hi
can anyone give me img of stock bootloader, and where is this public cert of HTC?

Vilko said:
Hi
can anyone give me img of stock bootloader, and where is this public cert of HTC?
Stock bootloader is attached to this thread. Public cert is located in /etc/security. That's the cert for update files though. No idea if it's the same as used for nbh, especially since no nbh have been publicly released. Analyze the dumped stock bootloader.

Related

[RESOLVED] Researching how to root - Official OTA_Supersonic_1.47.651.1-1.32.651.6

This has been resolved by using the flash lite exploit to gain root access allowing the misc partition to be flashed with a downgraded main version number which allows the old leaked Eng RUU we have to be flashed!
GUI for how to root
http://forum.xda-developers.com/showthread.php?t=720565
Old and Outdated information from the Original Post listed below for historical purposes ONLY
Who is Affected: If you've flashed the official OTA update on top of a non rooted ROM or your new EVO comes loaded with it, right now it appears there is no way to obtain root...yet!
What is Patched by the OTA: Through the radio.img which the OTA flashes, it updates the Main Version in the bootloader preventing Toast's root methods from working. It also flashes back the stock recovery, removing our root access in recovery mode and ability to apply .zip files. And last of all, the OTA patches the exploit hole in /system/bin/hstools used for unrevoked1 root.
Successfully eliminating all released methods of obtaining root access.
Conclusion:
after going through all these methods with a great helpful member of the unrevoked team, joshua_, this was the final answer:
[22:34] <joeykrim> cant see to find a method to RUU the phone back down ... ive tried all the methods ive seen. any methods i missed?
[22:34] <joshua_> ok, looks like we are hosed then
[22:34] <joshua_> we have a few more tricks up our sleeve sooner or later
Future:
If you have any suggestions/ideas, please post. I might have missed a method.
We will work towards obtaining root for those with new EVOs that have the official OTA applied and those who applied the official OTA.
Details of the tested known root methods:
user debug PC36IMG.zip (toast part 1) - bootloader error - Main Version is older! Update Fail! Do you want to reboot device?
eng build PC36IMG.zip (toast part 2) - bootloader error - Main Version is older! Update Fail! Do you want to reboot device?
RUU_Supersonic_1.32.651.6 extracted rom.zip renamed to PC36IMG.zip - bootloader error - main version is older
RUU_Supersonic_1.32.651.6_Radio_1.39.00.05.31_release_171253_signed.exe - Error [140]: Bootloader version error The ROM Update Utility cannot update your Android. Please get the correct ROM Update Utility and try again.
RUU_Supersonic_1.32.651.1_Radio_1.39.00.04.26_release_171253.exe - Error [140]: Bootloader version error The ROM Update Utility cannot update your Android. Please get the correct ROM Update Utility and try again.
Stock Recovery - Apply update.zip - clockwork recovery update.zip - E:failed to verify whole-file signature E:signature verification failed
flash_image (flash boot or mtd-eng.img) - copied to /sdcard, but sdcard is mounted with noexec. partition with write access for non-root user and allows executing is /data/local . flash_image can't write to the partitions w/o being run with root permissions. chownto and chown of flash_image to user root - permission denied.
##786# - Reset - doesn't seem to affect much in the way of bootloader version ...
Modifying PC36IMG.zip - using a hex editor to attempt at changing the MainVer stored in the android-info.txt, if any bit changes, it seems to fail the validation by the bootloader.
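The two rejections listed above (an untouched older package failing the Main Version check, and an edited android-info.txt failing validation) modelled as an added example; it is not code from the original post or from HTC. It uses textbook RSA over SHA-256 with a toy key as a stand-in for the real scheme, and the `mainver:` line, package layout, check order and status strings are assumptions.

```python
import hashlib

# Toy signing key: textbook RSA (no padding) built from two Mersenne primes.
# Stand-in for the vendor's real scheme, which the thread does not describe.
_P, _Q = 2**521 - 1, 2**607 - 1
N = _P * _Q                            # public modulus, baked into the bootloader
E = 65537                              # public exponent, baked into the bootloader
_D = pow(E, -1, (_P - 1) * (_Q - 1))   # private exponent, held only by the vendor


def _digest(blob: bytes) -> int:
    """SHA-256 of the whole package, as an integer."""
    return int.from_bytes(hashlib.sha256(blob).digest(), "big")


def vendor_sign(blob: bytes) -> int:
    """Vendor side: needs the private exponent."""
    return pow(_digest(blob), _D, N)


def signature_ok(blob: bytes, sig: int) -> bool:
    """Device side: needs only the public key (N, E)."""
    return pow(sig, E, N) == _digest(blob)


def build_package(mainver: str, image: bytes) -> bytes:
    """Hypothetical layout: 2-byte manifest length, manifest text, image."""
    manifest = f"mainver: {mainver}\n".encode("ascii")
    return len(manifest).to_bytes(2, "big") + manifest + image


def parse_version(text: str) -> tuple:
    return tuple(int(part) for part in text.strip().split("."))


def read_mainver(package: bytes) -> tuple:
    """Read the version from the manifest of an already-verified package."""
    mlen = int.from_bytes(package[:2], "big")
    manifest = package[2:2 + mlen].decode("ascii")
    for line in manifest.splitlines():
        key, _, value = line.partition(":")
        if key.strip() == "mainver":
            return parse_version(value)
    raise ValueError("manifest has no mainver line")


def bootloader_check(package: bytes, sig: int, stored_mainver: str) -> str:
    # 1. Authenticate first: the signature covers manifest and image,
    #    so the version field cannot be edited independently.
    if not signature_ok(package, sig):
        return "REJECT: signature verification failed"
    # 2. Anti-rollback: compare the authenticated version with the one
    #    the device has recorded.
    if read_mainver(package) < parse_version(stored_mainver):
        return "REJECT: main version is older"
    return "ACCEPT"


def demo() -> dict:
    stored = "1.47.651.1"                      # version recorded after the OTA
    image = b"constructed image bytes"         # constructed sample payload
    old_pkg = build_package("1.32.651.6", image)
    old_sig = vendor_sign(old_pkg)
    cur_pkg = build_package("1.47.651.1", image)
    cur_sig = vendor_sign(cur_pkg)

    # Hex-editor style change to the version string, signature left as-is.
    edited = old_pkg.replace(b"1.32.651.6", b"1.47.651.1")
    # Single flipped bit in the image payload.
    flipped = bytearray(old_pkg)
    flipped[-1] ^= 0x01

    return {
        "genuine_old": bootloader_check(old_pkg, old_sig, stored),
        "edited_version": bootloader_check(edited, old_sig, stored),
        "one_bit_flipped": bootloader_check(bytes(flipped), old_sig, stored),
        "genuine_current": bootloader_check(cur_pkg, cur_sig, stored),
    }


if __name__ == "__main__":
    for case, result in demo().items():
        print(f"{case:16s} {result}")
```

The genuine older package passes authentication and is stopped only by the version comparison, while either edit is stopped before the version is even read.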
I tried almost all of these after the OTA hit my wifes phone. No dice. Subscribed to further updates on this thread.
I created a PC36IMG.zip file which contained the .6 releases wimax image and the android-info.txt file from the new update. I was then able to successfully flash it with hboot by placing it in the root of the sdcard and doing a down volume power on boot. It found the pc36img.zip file, verified it, asked me if I wanted to flash it. When I selected yes, proceeded to do so. It then reported the flash as having been successful.
I can't tell if the flash actually worked because I don't know where to check the wimax version info...
I don't know if this worked because the phone doesn't care to check the MainVer when flashing just the wimax image or if it did it because I pulled a fast one with the android-info.txt file swap.
I extracted the wimax image from the RUU_Supersonic_1.32.651.6_Radio_1.39.00.05.31_release_171253_signed.exe file.
I wonder if it would be possible to pull the same trick with the larger subset of images from the rooting pc36img.zip files. i.e. swap out the android-info.txt files...
frankenstein\ said:
I created a PC36IMG.zip file which contained the .6 releases wimax image and the android-info.txt file from the new update. I was then able to successfully flash it with hboot by placing it in the root of the sdcard and doing a down volume power on boot. It found the pc36img.zip file, verified it, asked me if I wanted to flash it. When I selected yes, proceeded to do so. It then reported the flash as having been successful.
I can't tell if the flash actually worked because I don't know where to check the wimax version info...
I don't know if this worked because the phone doesn't care to check the MainVer when flashing just the wimax image or if it did it because I pulled a fast one with the android-info.txt file swap.
I extracted the wimax image from the RUU_Supersonic_1.32.651.6_Radio_1.39.00.05.31_release_171253_signed.exe file.
I wonder if it would be possible to pull the same trick with the larger subset of images from the rooting pc36img.zip files. i.e. swap out the android-info.txt files...
im guessing the only reason it allowed you to flash a PC36IMG.zip which wasn't HTC signed is because you're using the hboot from the eng build of the PC36IMG.zip which doesn't check for HTC signatures on the PC36IMG.zip file. Not sure if it looks at the MainVer or not ...
once you're on a stock hboot, the PC36IMG.zip file has to be signed by HTC in order to flash!
I think in order for this to be patched, the bootloader code needs to be disassembled between the two versions to find out what bytes were patched and then either remove the code that checks for HTC signing or find a way to circumvent it.
We had to do things like this when working with mach_kernel when we got ahold of the first developer build of OS X for Intel. It was a pain in the ass and took weeks before we cracked the kernel.
There is even more risk with this though since tampering with the bootloader can definitely permanently brick devices.
joeykrim said:
If you've flashed the official OTA update or your new EVO comes loaded with it, right now it appears there is no way to obtain root...yet!
after going through all these methods with a great helpful member of the unrevoked team, joshua_, this was the final answer:
[22:34] <joeykrim> cant see to find a method to RUU the phone back down ... ive tried all the methods ive seen. any methods i missed?
[22:34] <joshua_> ok, looks like we are hosed then
[22:34] <joshua_> we have a few more tricks up our sleeve sooner or later
If you have any suggestions/ideas, please post. I might have missed a method.
We will work towards obtaining root for those with new EVOs that have the official OTA applied and those who applied the official OTA.
Here are details of the tested methods:
user debug PC36IMG.zip (toast part 1) - bootloader error - Main Version is older! Update Fail! Do you want to reboot device?
eng build PC36IMG.zip (toast part 2) - bootloader error - Main Version is older! Update Fail! Do you want to reboot device?
RUU_Supersonic_1.32.651.6 extracted rom.zip renamed to PC36IMG.zip - bootloader error - main version is older
RUU_Supersonic_1.32.651.6_Radio_1.39.00.05.31_release_171253_signed.exe - Error [140]: Bootloader version error The ROM Update Utility cannot update your Android. Please get the correct ROM Update Utility and try again.
RUU_Supersonic_1.32.651.1_Radio_1.39.00.04.26_release_171253.exe- Error [140]: Bootloader version error The ROM Update Utility cannot update your Android. Please get the correct ROM Update Utility and try again.
Stock Recovery - Apply update.zip - clockwork recovery update.zip - E:failed to verify whole-file signature E:signature verification failed
flash_image (flash boot or mtd-eng.img) - copied to /sdcard, but sdcard is mounted with noexec. only partition with write access for non-root user and allows executing is /sqlite_stmt_journals . flash_image can't write to the partitions w/o being run with root permissions. in other words, need root access to use flash_image
##786# - Reset - doesn't seem to affect much in the way of bootloader version ...
since my friend did the OTA update yesterday and "bricked" his phone i have been trying to fix the phone (i have access to bootloader so it seems to me that maybe, just maybe i can save the phone) anyways, i have been getting a lot of the same error messages anytime i try to update/load any stock rom via bootloader.
what my question is, is there a way to take a 1.47.651.1 rom/image and put it into an ruu? i have looked all over htc's website, but they don't even acknowledge the existence of the evo, at least not that i can find.
joeykrim said:
flash_image (flash boot or mtd-eng.img) - copied to /sdcard, but sdcard is mounted with noexec. only partition with write access for non-root user and allows executing is /sqlite_stmt_journals . flash_image can't write to the partitions w/o being run with root permissions. in other words, need root access to use flash_image
...
Just curious here, regarding the above step, if you had access to a phone that was already rooted, could you use your sdcard in that phone to copy the files into /data and then transfer the sdcard back to the unrooted phone to flash it then?
Sorry for the long multi quote, there are quite a few good ideas and I wanted to make sure I explored each of them as far as the original poster intended.
EtherealRemnant said:
I think in order for this to be patched, the bootloader code needs to be disassembled between the two versions to find out what bytes were patched and then either remove the code that checks for HTC signing or find a way to circumvent it.
interesting ... circumventing the HTC signature check would be perfect and essentially give us an eng build bootloader.
in the RUU.exe rom.zip files, the android-info.txt indicate the MainVer along with a separate hboot.img file. the official OTA didn't have an hboot.img file. It only had a radio.img file which must have updated the MainVer value.
Not sure where on the phone this MainVer value is stored? in the radio?
you're suggesting, compare the bootloader, which is obviously stored somewhere in radio.img as thats the only file being flashed thru the OTA which increments the bootloader version number, against an older radio.img to attempt and find which bytes were changed for the version number?
The radio.img files are all around 22mbs ... ugh
if we're able to find the change in version number on the radio.img, not sure how it would help in flashing over it?
i was kind of thinking down these lines...since the bootloader checks the version number of any file it attempts to flash, the version number is going to be the key.
if we're able to increment (or temp change) the main version number in the file being flashed w/o messing up the htc signature, that could work.
2002wrex said:
what my question is, is there a way to take a 1.47.651.1 rom/image and put it into an ruu?
i've heard this was often done back in the WinMo days but i haven't seen anything on this board regarding this approach. if you have any detailed information, we could def look into it!
unknown_owner said:
Just curious here, regarding the above step, if you had access to a phone that was already rooted, could you use your sdcard in that phone to copy the files into /data and then transfer the sdcard back to the unrooted phone to flash it then?
very clever concept!
i'm not 100% sure on all the different approaches in the suggestion, but here are the ones it prompted me to explore.
unfortunately, every time the /sdcard is mounted on the phone, it's mounted as noexec, meaning no files located on the /sdcard can be executed like programs.
also the /sdcard is mounted with uid=1000 and gid=1015 meaning all files mounted on the /sdcard have their uid/gid overwritten so none of them are allowed root ownership.
without being able to "su" to root access, we aren't able to run any programs with root access.
trying to chownto flash_image to any reference file as root results in:
chownto flash_image /system/bin/chown
Can't change user/group to root!
chown root flash_image
Unable to chmod flash_image: Operation not permitted
if i missed the suggested approach, could you elaborate?
Oh boy...... I thought I was alone in this. I tried everything I could and have now given up. If anyone can root this new OTA, please let me know. I really need to downgrade from this.
Made me think of a problem that happened with the Directivo a few years back...
http://dealdatabase.com/forum/showthread.php?t=22154
I was looking around, trying to figure out some way to hack the hdvr2 w/o modifying the prom. I recalled something from the xbox-linux team's presentation for CCC, which was something close to "once you break the chain of trust, the box is forever compromised." I thought to myself: "self, if we can load one kernel via BASH_ENV, why can't we load a second kernel?"
So, is there a way we could compromise the kernel? If so, then...
Subscribed...
Not really interested in rooting until froyo is working, and I could really use the wifi fixes this OTA is supposed to offer, but I'll hold off installing it until we know it can eventually be rooted.
Mikesus said:
http://dealdatabase.com/forum/showthread.php?t=22154
So, is there a way we could compromise the kernel? If so, then...
i read thru the thread. im not clear on how they used BASH_ENV or any other method to load a 2nd kernel.
unfortunately, i think we have an extra layer of security that they dont. thanks HTC!
without nand unlocked on the kernel partition no data can be stored there including a 2nd kernel.
appreciate the link and info. perhaps the ideas or concepts will spur some innovation!
joeykrim said:
i've heard this was often done back in the WinMo days but i haven't seen anything on this board regarding this approach. if you have any detailed information, we could def look into it!
the thing about winmo ruu's (here's a topic i DO know well) is that they are always in a zip. you decompress the zip and have access to all the files. one of them will be the ruu, the rest are all the supporting files/images/rom. all of the android ruu's seem to come as one large exe that doesn't allow access to the files, it merely runs itself. in the winmo days if you got a rom with no ruu, and didn't want to flash from SD, you just took someone else's ruu and dumped the rom image in to the decompressed folder containing the ruu.
i appreciate the help joey, obviously you are busy with your own problems and a lot of people around here just throw you the old "SEARCH BUTTON" response. any help is greatly appreciated!
2002wrex said:
the thing about winmo ruu's (here's a topic i DO know well) is that they are always in a zip. you decompress the zip and have access to all the files. one of them will be the ruu, the rest are all the supporting files/images/rom. all of the android ruu's seem to come as one large exe that doesn't allow access to the files, it merely runs itself. in the winmo days if you got a rom with no ruu, and didn't want to flash from SD, you just took someone else's ruu and dumped the rom image in to the decompressed folder containing the ruu.
interesting again .. so the RUU .exe files for android, do have a payload stored in a rom.zip file which is dumped to a temp directory after the RUU .exe starts and before it finishes.
now, the rom.zip files have been pulled and posted in each of the two RUU .exe threads we currently have. these rom.zip files do contain all .img files which are flashed to the phone. the catch is though, just as the PC36IMG.zip files used in root, these rom.zip files seem to have a special HTC signature (checksum?) in their header.
if you open these rom.zip files from the RUU in winzip, it will error out, but using 7zip, they open just fine.
im new to HTC, this is my first HTC android phone and its almost been 4 weeks so this is as much as i know. it seems, if we're able to alter these rom.zip files either used in the RUU .exe or naming them PC36IMG.zip flashed thru the bootloader and the phone accepts them, we would be golden!
to help save you some searching and let you see what im talking about, here is the latest RUU rom.zip file
http://www.joeyconway.me/evo/stock/RUU_Supersonic_1.32.651.6_Radio_1.39.00.05.31_rom.zip
Subscribed, I was able to Order my EVO today so I will be watching for development. I pledge my donations to whoever is able to figure it out. I really appreciate the efforts of this community.
I second that pledge for donations! I, like many others here, updated while knowing that I probably shouldn't have. I knew better...
Subscribed.
Thanks for all the effort and work. I hope ya'll get it figured out.
dang, I just got my evo yesterday and got the update message so I thought it'd be ok to update it as I thought it might have been old.
Came home and was excited to do all my customization and tweaks, but w/ no prevail
So my local best buy will not give the phone to the customer without pushing the new OTA to it :/
Apparently all of the stores will be doing this per Sprint and HTC's request.
EtherealRemnant said:
So my local best buy will not give the phone to the customer without pushing the new OTA to it :/
Apparently all of the stores will be doing this per Sprint and HTC's request.
Try calling them ahead of time before picking it up and asking if you can just swing by and pick it up yourself and call Sprint to activate yourself. Tell them you are in a rush, make up a story, and see if they just let you pay for it and run.

[Q] Remove root and tampered banner to return

I'd like to remove root and go back to stock. I have a rogers one x and I've tried using the rogers RUU PJ83IMG.... to flash back to stock, but I can't use fastboot since my phone is bootloader locked, and I can't run the RUU because it is a .zip file and not a .exe. Renaming it to an .exe and running it does nothing.
Any help is appreciated!
Try un-zipping the file and run the exe in the folder created. Also, since we do not have s-off yet, we are able to remove tampered banner, but it will say re-locked. No estimated arrival of s-off at this point.
Sent from my HTC One X using XDA
shortyboy said:
Try un-zipping the file and run the exe in the folder created.
This. The RUU file is not meant to be run as-is. Unzip the contents onto your PC (such as into a folder on your PC desktop), then run the .exe that is inside the extracted contents.
And where did you get the idea of changing the extension from .zip to .exe? That's probably a bad idea in almost all circumstances. You can't just change the type of file by renaming it.
shortyboy said:
Also, since we do not have s-off yet, we are able to remove tampered banner, but it will say re-locked. No estimated arrival of s-off at this point.
The "tampered" flag will be removed after RUU. Tampered flag is for root, not BL unlock. And the OP said he is still BL locked.
redpoint73 said:
This. The RUU file is not meant to be run as-is. Unzip the contents onto your PC (such as into a folder on your PC desktop), then run the .exe that is inside the extracted contents.
And where did you get the idea of changing the extension from .zip to .exe? That's probably a bad idea in almost all circumstances. You can't just change the type of file by renaming it.
The "tampered" flag will be removed after RUU. Tampered flag is for root, not BL unlock. And the OP said he is still BL locked.
Thanks for your replies. Unfortunately there is no .exe in the RUU. I have googled extensively but cannot find one with an executable. Would either of you be able to link me? I need Rogers 1.73. Thanks for your help
Edit: I discovered this and tried it: http://forum.xda-developers.com/showthread.php?t=1658929 however I get an IMAGE UPDATING ERROR: This ROM update utility cannot update your device.
if you go to setting about/software information what does it say under software version?
also if your bootloader is unlocked relock it in fastboot with the command "fastboot oem lock"
gunnyman said:
if you go to setting about/software information what does it say under software version?
also if your bootloader is unlocked relock it in fastboot with the command "fastboot oem lock"
Software version 1.73.631.1
Just to clarify, I have not unlocked my phone, only root.
toastyy said:
Software version 1.73.631.1
Just to clarify, I have not unlocked my phone, only root.
when you flashed it did you get an error 155 or an error 140?
also THIS is the RUU you need http://www.filefactory.com/file/9qe....09.06_10.81.32.14L_release_254934_signed.zip
And you didn't mess with the CID ever? If not, I don't see any reason why the correct (Rogers) RUU would not work. Make sure HTC Sync is installed (maybe re-install, just to be safe), reboot the computer and try again. Perhaps try to download the RUU again, just to make sure the download isn't corrupt.
redpoint73 said:
And you didn't mess with the CID ever? If not, I don't see any reason why the correct (Rogers) RUU would not work. Make sure HTC Sync is installed (maybe re-install, just to be safe), reboot the computer and try again. Perhaps try to download the RUU again, just to make sure the download isn't corrupt.
Ohh, you're right! I changed the Cid to 1111111.. For supercid. How do I change that back?
As for the ruu, I can't run them because I have no exe file to run. Changing the zip to an exe gives me an error about my computer not being able to run it. I will download the above ruu and try it when I get home in an hr.
Thanks for your help!
You should be able to run the Rogers RUU with SuperCID. That's what SuperCID is, it lets you install firmware regardless of the CID that its intended for.
Not sure how to change the CID back to Rogers. Look on the SuperCID thread (not the one-click method, but the original "longer" method) and see if there is discussion on changing it back.
And to reiterate, you can't magically change a file from one type to another, just by changing the file extension from .zip to .exe. The RUU package should have ARUWIzard.exe inside once you unzip it. Are you sure you are unzipping it properly?
redpoint73 said:
You should be able to run the Rogers RUU with SuperCID. That's what SuperCID is, it lets you install firmware regardless of the CID that its intended for.
Not sure how to change the CID back to Rogers. Look on the SuperCID thread (not the one-click method, but the original "longer" method) and see if there is discussion on changing it back.
And to reiterate, you can't magically change a file from one type to another, just by changing the file extension from .zip to .exe. The RUU package should have ARUWIzard.exe inside once you unzip it. Are you sure you are unzipping it properly?
The problem is the rogers file isn't an EXE it's a zip file. There's a post somewhere around here explaining how to install it.
gunnyman said:
The problem is the rogers file isn't an EXE it's a zip file. There's a post somewhere around here explaining how to install it.
Ahh, I see the problem. The Rogers file is not a true RUU package, just the zip file usually contained in the "larger" RUU zip file. Is that right? The OP still can't change the file extension to .exe and make it run that way. Sounds like from the thread the OP linked in post 4 above, he needs to have a folder with the "other" RUU contents (including ARUWizard.exe), drop the file you linked (from Filefactory), then run the ARUWizard. It's not completely clear, but this seems to be the way?
He could also I think just put that pdimg.zip file on the SD card and boot into recovery and it should flash right?
gunnyman said:
He could also I think just put that pdimg.zip file on the SD card and boot into recovery and it should flash right?
Not sure. I've never in my life flashed anything from stock recovery
But it seems logical. I think normally the ARUWizard says its pushing the file to the phone, so it would make sense it just flashes from stock recovery.
I understand that I can't change the filetype like that . I just saw peterhtc mention having to do that in another thread. I am sure i have unzipped it properly. I'll try again with the other ruu linked above.
toastyy said:
I understand that I can't change the filetype like that . I just saw peterhtc mention having to do that in another thread. I am sure i have unzipped it properly. I'll try again with the other ruu linked above.
if you unzip it and see a zip file that starts with pd and some number I THINK it's 83 put that file on the root of your SD card space and reboot to bootloader. Then choose recovery. If all goes well it will detect that file and allow you to flash it. It should work fine because it's a signed zip from HTC.
---------- Post added at 03:59 PM ---------- Previous post was at 03:54 PM ----------
I just realized we're helping you return the most awesome phone in the world ™
Jumping ship?
gunnyman said:
if you unzip it and see a zip file that starts with pd and some number I THINK it's 83 put that file on the root of your SD card space and reboot to bootloader. Then choose recovery. If all goes well it will detect that file and allow you to flash it. It should work fine because it's a signed zip from HTC.
---------- Post added at 03:59 PM ---------- Previous post was at 03:54 PM ----------
I just realized we're helping you return the most awesome phone in the world ™
Jumping ship?
Haha well no not exactly. I have been dealing with rogers for 2 months trying to return the phone I bought outright in order to get a new one on a plan. I originally wanted to see how the SG3 was so I could still return the onex in time to pick that up, but I think i'll be sticking with the HTC (the sg3 is SO ugly). I assure you I am not jumping ship
gunnyman said:
He could also I think just put that pdimg.zip file on the SD card and boot into recovery and it should flash right?
So I tried to place the full zip file onto the phone in the main directory, both as the full file name and then just as the P83..etc name, rebooted into recovery, but I just got a pic of the phone with a red triangle+ exclamation mark. Currently I am extracting the whole zip onto the main directory and will try flashing recovery like this. Is that safe? I assume the phone will be able to tell which .img it needs. There is no file that begins with P83 in the actual zip
toastyy said:
So I tried to place the full zip file onto the phone in the main directory, both as the full file name and then just as the P83..etc name, rebooted into recovery, but I just got a pic of the phone with a red triangle+ exclamation mark. Currently I am extracting the whole zip onto the main directory and will try flashing recovery like this. Is that safe? I assume the phone will be able to tell which .img it needs. There is no file that begins with P83 in the actual zip
I'm curious about the contents of that zip I'll download it and check it out.
holy crap file factory is slow.
gunnyman said:
I'm curious about the contents of that zip I'll download it and check it out.
The download is quite slow - here are the contents
http://puu.sh/BU6B

Camera is broken.

Hello,
My device is the Mate 9 (MHA-L29C185B110) and I seem to have a problem with the camera.
When pressing the button to take a photo, the camera app restarts itself. I try again, but didn't work, to no avail.
I also tried to record a video. It seems to work, but the camera freezes but it's still counting, otherwise recording.
I have just recently flashed a custom recovery img (TWRP), the boot img on another thread that prevents the device from being automatically encrypted, and SuperSU root.
Do any of you have a solution to this problem?
Would this be because I haven't flashed Public_data.zip and Full_HW_data.zip?
And will this problem fix if I completely install the MHA-L29C185B172's firmware?
SeanPHTRPW said:
Hello,
My device is the Mate 9 (MHA-L29C185B110) and I seem to have a problem with the camera.
When pressing the button to take a photo, the camera app restarts itself. I try again, but didn't work, to no avail.
I also tried to record a video. It seems to work, but the camera freezes but it's still counting, otherwise recording.
I have just recently flashed a custom recovery img (TWRP), the boot img on another thread that prevents the device from being automatically encrypted, and SuperSU root.
Do any of you have a solution to this problem?
Would this be because I haven't flashed Public_data.zip and Full_HW_data.zip?
And will this problem fix if I completely install the MHA-L29C185B172's firmware?
It could be a problem if you flashed a boot image for a different model. You need boot image for C185B110. It should work without hw and Public zips, but a lot of other things break without flashing those. Updating to C185B172 will fix it.
By the way, which supersu did you use?
If the one from the "Decrypt" thread in Guides you don't need to flash a pre-decrypted boot image, the installer does it for you.
ante0 said:
It could be a problem if you flashed a boot image for a different model. You need boot image for C185B110. It should work without hw and Public zips, but a lot of other things break without flashing those. Updating to C185B172 will fix it.
By the way, which supersu did you use?
If the one from the "Decrypt" thread in Guides you don't need to flash a pre-decrypted boot image, the installer does it for you.
As for the SuperSU, I think I took it from the full root guide w/o decrypt img, but obviously I had to use a decrypt img because of stock
SUPERSU-2.79-MATE9-init.d_support
For the boot (No force encryption boot)
This is probably where things went wrong. I flashed the wrong build image.
https://forum.xda-developers.com/mate-9/development/stock-boot-img-library-t3573312
I had to use above link because I couldn't flash SuperSU since I don't have an external sd to extract it from (Since you have to format your data before flashing it)
I couldn't find the hw and public zips for C185B110, so if you have it, a link would be generous.
Would flashing stock boot img for MHA-L29C185B110 fix it?
And what would happen if I flash stock boot.img?
and do you have a decrypt boot.img for C185B110?
Thanks!
SeanPHTRPW said:
As for the SuperSU, I think I took it from the full root guide w/o decrypt img, but obviously I had to use a decrypt img because of stock
SUPERSU-2.79-MATE9-init.d_support
For the boot (No force encryption boot)
This is probably where things went wrong. I flashed the wrong build image.
https://forum.xda-developers.com/mate-9/development/stock-boot-img-library-t3573312
I had to use above link because I couldn't flash SuperSU since I don't have an external sd to extract it from (Since you have to format your data before flashing it)
I couldn't find the hw and public zips for C185B110, so if you have it, a link would be generous.
Would flashing stock boot img for MHA-L29C185B110 fix it?
And what would happen if I flash stock boot.img?
and do you have a decrypt boot.img for C185B110?
Thanks!
It would probably fix it yes, but no boot image or hw/public exist for B110 so I'm guessing it shipped with that build.
You'd have to update, using https://forum.xda-developers.com/mate-9/how-to/guide-mate-9-flash-update-package-t3593108
I don't think you can use Firmware Finder as you're probably missing the System Update feature.
Either that one I linked or FunkyHuawei, but Funky cost money to use.
Thanks,
I will try using the link you used,
although it is not clear.
On manual update step A, do you need to download all three?
The base, the OS (Windows) and the model?
And where do I put these files?
And on b and c on update zip,
do I have to download two update.zip?
For example, C185B110 and C185B172.
Do I also need to download full OTA instead of just OTA? Fullota is incompatible, says Firmware Finder on mobile.
SeanPHTRPW said:
Thanks,
I will try using the link you used,
although it is not clear.
On manual update step A, do you need to download all three?
The base, the OS (Windows) and the model?
And where do I put these files?
And on b and c on update zip,
do I have to download two update.zip?
For example, C185B110 and C185B172.
Do I also need to download full OTA instead of just OTA? Fullota is incompatible, says Firmware Finder on mobile.
Yes, download base, os and MHA. Extract all to the same folder. You should only have one folder named HWOTA and the files/folders in that. If it extracts to a folder with the same name as the zips, enter the folders and copy the hwota folder, then go back one folder and paste/merge so you end up with one folder named HWOTA. The easiest way is putting it directly in C:\hwota\, if your Windows version allows it. Otherwise place it on the desktop. (Long file paths or a path containing spaces might make hwota not function correctly.)
You need to download all 3 files (fullota update.zip, hw zip and Public zip); the easiest way is using Firmware Finder to download. Either the mobile or the PC version. For PC, go to the common base tab and search for your model and then download the build you want including public and HW zips.
You only need to download the fullota update, hw and Public zip of the build you're updating to. If you're on b110 and going to update to B172 you only need to download B172.
Rename the files according to the guide (update.zip, update_all_hw.zip and update_data_public.zip), place them in either hwota/update folder or make a HWOTA folder on your sdcard and put the renamed files there.
When running hwota, select script update folder or sdcard update folder depending on where you put the files. Select same model update.
One last question:
Does it have to be FULLOTA, not just OTA?

[VS995][Oreo][Stock] OTA 20a Bin (Direct link from Verizon CDN)

Here's the direct link for the 20a Oreo OTA update bin file used for LG V20 VS995. Not sure if it's of any use, just wanted to have some fun trying to find it
https://cdn.vzwdm.com/LG_VS995_1CA_20a_03.bin
If anyone finds a way to extract the contents let me know. Can't figure it out :/
If you already have TWRP and want a flashable zip, have a look at NotYetADev's post.
https://forum.xda-developers.com/v20/development/vs995-verizon-lg-v20-stock-oreo-rooted-t3845669
Thank you for posting this!!!
Change the file extension to .up, then the oreo upgrade can be flashed using the LGUP tool!
0) Make sure your phone already has the 1CA update
1) Connect your phone via USB and select the "File Transfer" mode
2) Run LGUP
3) Select the FOTA option and select the LG_VS995_1CA_20a_03.up file
4) Upgrade!
And thank you for that little piece of info. I didn't know LG UP could flash OTA bin files. That is another attack vector
-- Brian
justmike80386 said:
Thank you for posting this!!!
Change the file extension to .up, then the oreo upgrade can be flashed using the LGUP tool!
0) Make sure your phone already has the 1CA update
1) Connect your phone via USB and select the "File Transfer" mode
2) Run LGUP
3) Select the FOTA option and select the LG_VS995_1CA_20a_03.up file
4) Upgrade!
I need you to sniff flashing that. Are you at all familiar with USB packet capture? I would flash it, but I have nothing to flash it on.
If not, I can walk you through it.
This file is not signed, it appears to have an unlock key. By unlock key -- I mean a key that unlocks lafd so that it will flash anything.
Now none of this matters on the V20, but for folks that have other LG devices, it will help out a LOT.
-- Brian
runningnak3d said:
I need you to sniff flashing that. Are you at all familiar with USB packet capture? I would flash it, but I have nothing to flash it on.
If not, I can walk you through it.
This file is not signed, it appears to have an unlock key. By unlock key -- I mean a key that unlocks lafd so that it will flash anything.
Now none of this matters on the V20, but for folks that have other LG devices, it will help out a LOT.
-- Brian
How do you know the file isn't signed? I assumed it had the same type of validation as the KDZ files.
I'd be happy to share a USB capture, is that something wireshark can do?
---------- Post added at 01:03 AM ---------- Previous post was at 12:05 AM ----------
I'm sure there is some magic hash hidden somewhere in the file. I'll see if it's possible to flash an edited .up file.
I guess I should rephrase that. It isn't signed in the normal way that a KDZ is signed -- with a SIGN payload. There are hashes for the partitions, but there doesn't appear to be anything to check the integrity of the file itself.
I am still tearing it apart, but without seeing a packet capture of LG UP flashing it, it is kinda pointless. If I had to guess, this file is flashed using RSVD IDDD (indirect flashing). If that is the case, having a full dump of exactly how that is done would be awesome.
Maybe I am wrong, and there is some other opcode that I have no idea what it does that sends a signature that I don't recognize -- because I have never seen it.
EDIT: sorry, I guess I should link to the instructions. You actually don't have to install Wireshark (unless you want to look at the capture): link.
If you install USBPcap using those instructions, then you will be left with Wireshark compatible pcap files that you can zip up and send to me (do NOT post them publicly, they will contain info that is specific to your device).
EDIT2: OK, just digging a little more and there is a zip contained within the file that is signed (the same way a normal OTA update.zip is signed). However, lafd doesn't have those keys, and has no way to deal with a signed zip. That only comes into play when flashed through stock recovery -- so the question remains, how does LG UP get this file onto the phone without verifying its integrity? Again, just to be clear, there ARE hashes that verify the partitions being flashed aren't corrupt. However, there doesn't appear to be anything to prevent modifying the file, and then modifying the hashes to match when flashed through laf -- recovery most definitely verifies the integrity of the file.
-- Brian
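The distinction drawn in the post above (per-partition hashes versus a check on the file itself), as an added example that is not part of the original thread and does not model the real LG .up/KDZ format: a constructed toy package is checked by a hash-only verifier and by one that also authenticates the manifest. The package layout, function names and the HMAC key (a stand-in for the asymmetric signature a real updater would use) are assumptions.

```python
import copy
import hashlib
import hmac
import json

# Constructed key; stands in for a vendor signing key (assumption, not from the thread).
VENDOR_KEY = b"constructed-demo-key"


def canonical(manifest):
    """Stable byte encoding of the manifest so the tag covers exactly one form."""
    return json.dumps(manifest, sort_keys=True).encode()


def build_package(partitions, key):
    """Toy package: partition blobs, their SHA-256 hashes, and a tag over the hashes."""
    manifest = {n: hashlib.sha256(b).hexdigest() for n, b in partitions.items()}
    tag = hmac.new(key, canonical(manifest), hashlib.sha256).hexdigest()
    return {"partitions": dict(partitions), "manifest": manifest, "tag": tag}


def verify_hashes_only(pkg):
    """Integrity only: every blob must match the unkeyed hash stored beside it."""
    parts, manifest = pkg["partitions"], pkg["manifest"]
    if set(parts) != set(manifest):
        return False
    return all(hashlib.sha256(b).hexdigest() == manifest[n] for n, b in parts.items())


def verify_authenticated(pkg, key):
    """Authenticity first (tag over the manifest), then the per-partition hashes."""
    expected = hmac.new(key, canonical(pkg["manifest"]), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(pkg.get("tag", ""), expected):
        return False
    return verify_hashes_only(pkg)


def scenarios():
    """Return {case: (hash_only_result, authenticated_result)} for three packages."""
    good = build_package(
        {"boot": b"constructed boot image", "system": b"constructed system image"},
        VENDOR_KEY,
    )

    # Accidental corruption: a blob changes, the manifest does not.
    corrupt = copy.deepcopy(good)
    corrupt["partitions"]["boot"] = b"constructed boot imagE"

    # Deliberate change: the blob and its unkeyed hash are both rewritten,
    # which needs no secret. The old tag no longer matches the manifest.
    modified = copy.deepcopy(good)
    modified["partitions"]["boot"] = b"different boot image"
    modified["manifest"]["boot"] = hashlib.sha256(b"different boot image").hexdigest()

    cases = {"good": good, "corrupt": corrupt, "modified": modified}
    return {
        name: (verify_hashes_only(p), verify_authenticated(p, VENDOR_KEY))
        for name, p in cases.items()
    }


if __name__ == "__main__":
    for name, result in scenarios().items():
        print(name, result)
```

Only the authenticated verifier tells the deliberately changed package apart from the original; the hash-only check catches corruption and nothing more.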
I'll capture the flash when I get home
here are links for the other OTA updates, in case anyone is interested.
Code:
VS99512A_06 -> VS99513A_04
https://cdn.vzwdm.com/LG_VS995_12A_13A_04.bin
VS99513A_04 -> VS99514B_00
https://cdn.vzwdm.com/LG_VS995_13A_14B_00.bin
VS99514B_00 -> VS99515A_10
https://cdn.vzwdm.com/LG_VS995_14B_15A_10.bin
VS99515A_10 -> VS99516B_00
https://cdn.vzwdm.com/LG_VS995_15A_16B_00.bin
VS99516B_00 -> VS99517A_00
https://cdn.vzwdm.com/LG_VS995_16B_17A_00.bin
VS99517A_00 -> VS99518A_00
https://cdn.vzwdm.com/LG_VS995_17A_18A_00.bin
VS99518A_00 -> VS99519A_10
https://cdn.vzwdm.com/LG_VS995_18A_19A_10.bin
VS99519A_10 -> VS9951AA_01
https://cdn.vzwdm.com/LG_VS995_19A_1AA_01.bin
VS9951AA_01 -> VS9951BA_01
https://cdn.vzwdm.com/LG_VS995_1AA_1BA_01.bin
VS9951BA_01 -> VS9951CA_01
https://cdn.vzwdm.com/LG_VS995_1BA_1CA_01.bin
VS9951CA_01 -> VS99520A_03
https://cdn.vzwdm.com/LG_VS995_1CA_20a_03.bin
runningnak3d said:
I guess I should rephrase that. It isn't signed in the normal way that a KDZ is signed -- with a SIGN payload. There are hashes for the partitions, but there doesn't appear to be anything to check the integrity of the file itself.
I am still tearing it apart, but without seeing a packet capture of LG UP flashing it, it is kinda pointless. If I had to guess, this file is flashed using RSVD IDDD (indirect flashing). If that is the case, having a full dump of exactly how that is done would be awesome.
Maybe I am wrong, and there is some other opcode that I have no idea what it does that sends a signature that I don't recognize -- because I have never seen it.
EDIT: sorry, I guess I should link to the instructions. You actually don't have to install Wireshark (unless you want to look at the capture): link.
If you install USBPcap using those instructions, then you will be left with Wireshark compatible pcap files that you can zip up and send to me (do NOT post them publicly, they will contain info that is specific to your device).
EDIT2: OK, just digging a little more and there is a zip contained within the file that is signed (the same way a normal OTA update.zip is signed). However, lafd doesn't have those keys, and has no way to deal with a signed zip. That only comes into play when flashed through stock recovery -- so the question remains, how does LG UP get this file onto the phone without verifying its integrity? Again, just to be clear, there ARE hashes that verify the partitions being flashed aren't corrupt. However, there doesn't appear to be anything to prevent modifying the file, and then modifying the hashes to match when flashed through laf -- recovery most definitely verifies the integrity of the file.
-- Brian
I've got the USB capture for you and any other developers who're interested.
I will download it just as soon as I get to work. Thanks
-- Brian
justmike80386 said:
Thank you for posting this!!!
Change the file extension to .up, then the oreo upgrade can be flashed using the LGUP tool!
0) Make sure your phone already has the 1CA update
1) Connect your phone via USB and select the "File Transfer" mode
2) Run LGUP
3) Select the FOTA option and select the LG_VS995_1CA_20a_03.up file
4) Upgrade!
I cannot upgrade this way. It says Error MTP is not running, even if it is in File Transfer mode. I got one time in FOTA Easy Upgrade but nothing happened.
scytalemk said:
I cannot upgrade this way. It says Error MTP is not running, even if it is in File Transfer mode. I got one time in FOTA Easy Upgrade but nothing happened.
I have the same error
scytalemk said:
I cannot upgrade this way. It says Error MTP is not running, even if it is in File Transfer mode. I got one time in FOTA Easy Upgrade but nothing happened.
Is this on a rooted or unrooted phone? I was able to do this twice using the stock KDZ files for my base system with no issues.
justmike80386 said:
Is this on a rooted or unrooted phone? I was able to do this twice using the stock KDZ files for my base system with no issues.
Step by Step
1. Add Extension file .up
2. Install LG UP MOD
3. Turn on USB Debugging in your phone and make sure your phone allow PC adb command via USB (adb devices > enter)
4. Open LG UP Mod, Choose file .up (step 1). Choose OTA Upgrade and START.
Note: back up your data before upgrading; the upgrade may fail and you may lose data
I'm from Viet Nam, sorry for bad English

Unbrick your Mediapad M5 - Install OTAs - Customized HuRUpdater for Mediapad M5

I am sharing with you here my version of HuRUpdater 0.4 customized for the Mediapad M5. I am not taking any credit here for HuRUpdater; the original work can be found here: https://forum.xda-developers.com/honor-9/development/tool-flash-official-firmware-recovery-t3769279. Please follow the instructions there on how to install it to an SD card. Also unzip the hurupdater zip, and in a sub folder you will find hurupdate-binary and busybox. Place these two files in the same folder on the SD card where you have the other zips. Finally run it from custom recovery.
Your boot loader needs to be unlocked.
HuRUpdater can be used to:
Recover the tablet from a soft brick or bootloop. As long as you can install and access TWRP, it should be good to go.
Restore the tablet back to stock after installing a custom ROM.
Install full OTA updates after unlocking the bootloader, since it appears you cannot install OTAs anymore once the bootloader is unlocked.
Revert back to an older version of the ROM (watch out for XLOADER versions though, make sure they match https://forum.xda-developers.com/mate-10/how-to/beware-bla-l29c432b147-t3817241)
When I was trying to install an OTA after unlocking my bootloader and installing a custom ROM, I found out that HuRUpdater doesn't work out of the box for the Mediapad M5, so I made some minor customizations:
HuRUpdater looks for the volume keys when it starts up in order to read user inputs, and if it doesn't find it, it bails out. I removed that check for the volume keys, so the script will now run without requiring any user input.
HuRUPdater brings its own busybox binary, but it uses unzip trying to install it, which doesn't seem to be available on the M5. I changed it to copy it to the destination instead from the same folder as the other zips.
HuRUpdater checks whether the update will lock your bootloader, and then requires you to press a volume key to confirm. Since volume keys are not working and this locking is probably undesired, the script will now bail out if it finds that your bootloader may become locked.
NOTE: After successful flash you have to factory reset! And this must be done using the stock recovery, not TWRP!
I have only used it successfully on the Mediapad M5, but there should be no reason why it wouldn't work on other devices on which HuRUpdate fails when looking for volume keys.
First, big thanks for your post! I have a blank Mediapad here without any system flashed on it. When I flash HuRU it states an error with the following lines in recovery.log:
Code:
mkdir: 'utils': File exists
cp: bad '/external_sd/CMR-W09C432/hurupdate-binary': No such file or directory
chmod: utils/hurupdate-binary: No such file or directory
cp: bad '/external_sd/CMR-W09C432/busybox': No such file or directory
chmod: utils/busybox: No such file or directory
/tmp/updater[261]: unzip: not found
/tmp/updater[261]: /tmp/utils/busybox: not found
Error with update.zip file. See recovery.log for more details
Updater process ended with ERROR: 1
Any idea on how to fix this?
valko8877 said:
First, big thanks for your post! I have a blank Mediapad here without any system flashed on it. When I flash HuRU it states an error with the following lines in recovery.log:
Code:
mkdir: 'utils': File exists
cp: bad '/external_sd/CMR-W09C432/hurupdate-binary': No such file or directory
chmod: utils/hurupdate-binary: No such file or directory
cp: bad '/external_sd/CMR-W09C432/busybox': No such file or directory
chmod: utils/busybox: No such file or directory
/tmp/updater[261]: unzip: not found
/tmp/updater[261]: /tmp/utils/busybox: not found
Error with update.zip file. See recovery.log for more details
Updater process ended with ERROR: 1
Any idea on how to fix this?
Oh, sorry, I think you found a bug and I need to update the instructions. Please unzip the hurupdater zip, and in a sub folder you will find hurupdate-binary and busybox. Place these two files in the same folder on the SD card where you have the zips and try again.
konradsa said:
Please unzip the hurupdater zip, and in a sub folder you will find hurupdate-binary and busybox. Place these two files in the same folder on the SD card where you have the zips and try again.
Thanks a lot! That worked. It got way too late for me to come to this idea on my own. Spent several hours to revert to stock firmware and now your version of HuRU seems to do its work. Currently it's flashing Huawei's ZIP files.
valko8877 said:
Thanks a lot! That worked. It got way too late for me to come to this idea on my own. Spent several hours to revert to stock firmware and now your version of HuRU seems to do its work. Currently it's flashing Huawei's ZIP files.
Great, glad it worked for you, I updated the instructions in the first post. The reason I ended up with a variant of hurupdater is that, just like you, I found out nothing else works; I was trying to install an OTA after unlocking the boot loader. When I have some time I will think about how to make this a little more seamless. Let me know if you see any other problems.
konradsa said:
Let me know if you see any other problems.
Yeah, so far so good, tablet is now on stock firmware. The flash was successful, after extracting both binaries from your HuRU ZIP to the same folder as the other ZIPs including HuRU, flashing the HuRU ZIP itself again and letting it do its magic. That tool saved me a lot more hours of working out how to revert to stock, while every Huawei way to go and also the Android way to go have failed. Thanks again! I can also confirm that the "vanilla" version of HuRU does not work on Mediapad because of the mentioned error of not finding the user input device. Using the specialized Mediapad one instead did its thing. Thumbs up!
You really saved me!!!! I tried everything before this post... I was about to give up.
Wanted to install multi user function (which has been deleted in the lite version), gone through a series of steps and post including unlocking, rooting, flashing custom bootloader, installing a mask, etc... throughout the way something happened and I got stuck at the TWRP bootloader, nothing worked, everything I tried yielded an error of some kind. This was my salvation! I'll be forever in debt! Thanks a lot!!!!
