Signing NBH files with test-keys - myTouch 3G, Magic Android Development

Does anyone know if those perfect-SPLs accept an NBH signed with test-keys?
I have the feeling that it will not work but I'll ask anyway...
I'm trying to generate an NBH with Qmat 446 so I'll need to use a pvk file instead of the pem and pk8 test-key files...
Could someone with OpenSSL knowledge tell me how to convert those test-key files to a pvk file?

Amon_RA said:
Does anyone know if those perfect-SPLs accept an NBH signed with test-keys?
I have the feeling that it will not work but I'll ask anyway...
I'm trying to generate an NBH with Qmat 446 so I'll need to use a pvk file instead of the pem and pk8 test-key files...
Could someone with OpenSSL knowledge tell me how to convert those test-key files to a pvk file?
We tried flashing an NBH signed with test keys but it didn't work. Our only hope is an NBH signed with release keys that has an SPL that supports fastboot. The Vodafone one would appear to be ideal. However, it still would rely on the gold card working. If, using a gold card, we still can't flash the Vodafone NBH, I'm afraid we may be out of luck as far as an easy way to achieve root.

Related

I think I figured out how to get past the bootloader HEHE

I am still testing but... well another user gave us the info to the update file... and it gives us the radio.img, the boot.img, and an editable system folder... I wonder if it will let you update it if you change the files... Wonder if you can sign it yourself.
Well please do let us know!
It is too late to do it tonight (for me anyways) I will be deleting files and seeing if it keeps its signed status tomorrow (you know how HTC likes everything signed a certain way LOL) will keep you informed. BTW there is another thread with the file.
You get that structure from the following file
https://android.clients.google.com/updates/signed-kila-ota-115247-prereq.TC4-RC19+RC28.zip
Making the customised image is not an issue though, but how can we sign it to possibly load it on the device.
We must get a cracked bootloader to flash unsigned objects and files like we have done so far on Windows-based HTC devices.
Yeah, I think that the signature of those files (found in the MANIFEST.MF) is crucial to get it to flash.
If, however, you can get it to flash with those things changed - that'd be pretty awesome.
The easiest way to test it, I think, would be to leave the files intact but to alter one of the signatures in the MANIFEST.MF file so that you are effectively breaking the signing (which is the same thing changing one of those files would do) - once you have done that - if the device will still flash then you KNOW you are in business.
Just don't want to waste a lot of time building some sweet image only to find out you can't do anything with it.
Just my 2 cents.
The other question is - once you've run an update from the SD card with the RC29 update can you re-run the update?
RyeBrye said:
The easiest way to test it, I think, would be to leave the files intact but to alter one of the signatures in the MANIFEST.MF file so that you are effectively breaking the signing (which is the same thing changing one of those files would do) - once you have done that - if the device will still flash then you KNOW you are in business.
{...}
The other question is - once you've run an update from the SD card with the RC29 update can you re-run the update?
I can test it out for you. Just change any value in the file?
And someone else had stated that you can re-update, but I'll try it again with the file changed.
Okay... so you can run the update again, just confirming.
I removed a ringtone from the /system/media/audio/ringtones but didn't change anything in the MANIFEST.MF file.
"Verification failed
Installation aborted."
Next I'll try to change the value for it in the MANIFEST.MF file and see if it goes thru.
Changing the MANIFEST.MF file failed because it checks with CERT.SF
Changing CERT.SF to be the same.
Now I got the following
E:No signature (414 files)
E: Verification failed
Installation aborted.
Time to tinker away... If someone can guide me just a lil, that would be appreciated. I'm still going to waste my time doing whatever "I believe" is progress in the meantime
quedijo said:
Now I got the following
E:No signature (414 files)
E: Verification failed
Installation aborted.
Time to tinker away... If someone can guide me just a lil, that would be appreciated. I'm still going to waste my time doing whatever "I believe" is progress in the meantime
I wish I knew anything about Linux permissions, I would like to help
apatcas said:
I wish I knew anything about Linux permissions, I would like to help
Thoughts count as well
I got to go do a job right quick... should be back in 4hrs or less, I hope
I'll try to help as much as I can
I'll look into how the manifest works, I'll work on it as much as I can
Let's get this baby customized
The cert is referencing a checksum to the manifest. It seems that they are using sha1-digest as stated plainly in the manifest file but i believe it is further encoded by base32 encoding. Does anybody have a base32 encoder handy?
Digests and the Signature File JDK
I believe the second line in CERT.SF is a hash for MANIFEST.MF. You need that hash to match the hash for the actual file MANIFEST.MF. There could be something that also hashes CERT.SF to see if you messed with it, but I don't see that right now.
So, edit CERT.SF so the line:
SHA1-Digest-Manifest: lsGC/wXGYwKahxByTQdTNs2K5oY=
Matches the SHA1-Digest (in base32) of MANIFEST.MF and try again.
Just to clear up some things for those following this thread...
The update image is signed with a private key by either HTC or Google (honestly not sure which, probably google). When your phone receives the image it decrypts the signature with each of the public keys it has installed, if one matches it installs.
The keys are made in pairs, the private key (which only the signer has and we will not obtain) signs and the public key (which is installed on the device as trusted) is used to decrypt.
Of course if someone can manage root access to the phone through one of the processes running as root by using a buffer overflow or something of that nature we can simply add OUR OWN public key to the phone's repository, and sign our images with OUR OWN private key. This would allow a new image to be made that once installed could auto-check for updates and pull off the same kind of update process that we see with rc29...
netcmd said:
I believe the second line in CERT.SF is a hash for MANIFEST.MF. You need that hash to match the hash for the actual file MANIFEST.MF. There could be something that also hashes CERT.SF to see if you messed with it, but I don't see that right now.
So, edit CERT.SF so the line:
SHA1-Digest-Manifest: lsGC/wXGYwKahxByTQdTNs2K5oY=
Matches the SHA1-Digest (in base32) of MANIFEST.MF and try again.
It is the hash for MANIFEST.MF
I did that and still gives the following:
E:No signature (414 files)
E:Verification failed
syrusfrost said:
Just to clear up some things for those following this thread...
The update image is signed with a private key by either HTC or Google (honestly not sure which, probably google). When your phone receives the image it decrypts the signature with each of the public keys it has installed, if one matches it installs.
The keys are made in pairs, the private key (which only the signer has and we will not obtain) signs and the public key (which is installed on the device as trusted) is used to decrypt.
Of course if someone can manage root access to the phone through one of the processes running as root by using a buffer overflow or something of that nature we can simply add OUR OWN public key to the phone's repository, and sign our images with OUR OWN private key. This would allow a new image to be made that once installed could auto-check for updates and pull off the same kind of update process that we see with rc29...
@syrusfrost: It's true that the zip is signed with a private key from HTC, however we can easily resign the package using our own key. The question is will the G1 accept this?
Has anyone tried resigning the application with the jarsigner? The errors people have been listing, and the files located in META-INF correspond to the same errors you get after patching a dalvik-executable (dex file) and not resigning the package.
If the system files are NOT verifying it to the specific HTC key we should be able to resign and have it accept our own update file...
I'm currently not at my development machine but I'm thinking we might be able to get somewhere using the permissions.xml file located in /system/etc/ - though this is considered a 'read-only' file in both the emulator and in the G1 hardware so changing it has thus far been unable to happen... Possibly a minor change like the following;
Code:
<!-- Test to see if we can gain cache access by assigning permissions and getting new
update -->
<assign-permission name="android.permission.ACCESS_CACHE_FILESYSTEM" uid="shell" />
Then resigning the whole package would let us get access to the /data/dalvik-cache system? Any takers on my... Seemingly stretching assumption?
strazzere said:
Then resigning the whole package would let us get access to the /data/dalvik-cache system? Any takers on my... Seemingly stretching assumption?
Okay bear with me. I want instructions on how to get the SHA1-digest of a file.
I found some instructions to use PHP and I can boot a LiveUSB Distro of Fedora but I'm still a bit lost
I have installed CyoHash for Vista and the SHA1 base64 are exactly the same as the ones in the MANIFEST.MF but different for CERT.SF
So are the hashes for MANIFEST.MF SHA1 base64 and SHA1-Digest base32 for CERT.SF?
quedijo said:
Okay bear with me. I want instructions on how to get the SHA1-digest of a file.
I found some instructions to use PHP and I can boot a LiveUSB Distro of Fedora but I'm still a bit lost
I have installed CyoHash for Vista and the SHA1 base64 are exactly the same as the ones in the MANIFEST.MF but different for CERT.SF
So are the hashes for MANIFEST.MF SHA1 base64 and SHA1-Digest base32 for CERT.SF?
I think MANIFEST.MF is just a regular hash checking file to make sure all files are there. While CERT.SF is the one that makes sure they are signed by the RSA
EDIT: CERT.SF is signed with HMAC-SHA1. The RSA is the public key used to decrypt the hash correctly. I believe this means we can definitely use our own private/public keys to sign the package.
Anyone wanna help me figure out how to sign a HMAC-SHA1?
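The digest chain this thread is probing, as an added example that is not part of any post above: in the JAR signing format, MANIFEST.MF carries a base64 SHA-1 of each file, CERT.SF carries a base64 SHA-1 of MANIFEST.MF and of each of its sections, and CERT.RSA is a signature over the CERT.SF bytes. The sample file names and contents are constructed, and the CERT.RSA check itself is not implemented; the code only reports the digest of the bytes that signature covers.

```python
import base64, hashlib, io, zipfile

def b64sha1(data):
    return base64.b64encode(hashlib.sha1(data).digest()).decode()

def parse(raw):
    """Split into (main attrs, {name: (attrs, raw section)}). Assumes CRLF line
    ends and no wrapped continuation lines, which holds for the sample below."""
    chunks = [c for c in raw.split(b"\r\n\r\n") if c]
    attrs = [dict(l.split(": ", 1) for l in c.decode().split("\r\n")) for c in chunks]
    return attrs[0], {a["Name"]: (a, c + b"\r\n\r\n") for a, c in zip(attrs[1:], chunks[1:])}

def check_digest_chain(zf):
    """Return (problems, digest of the CERT.SF bytes that CERT.RSA signs)."""
    names = set(zf.namelist())
    mf_raw, sf_raw = zf.read("META-INF/MANIFEST.MF"), zf.read("META-INF/CERT.SF")
    _, mf_entries = parse(mf_raw)
    sf_main, sf_entries = parse(sf_raw)
    problems = []
    if sf_main.get("SHA1-Digest-Manifest") != b64sha1(mf_raw):
        problems.append("CERT.SF: SHA1-Digest-Manifest mismatch")
    for name, (attrs, section) in mf_entries.items():
        if name not in names:
            problems.append(f"{name}: listed but missing from archive")
        elif attrs["SHA1-Digest"] != b64sha1(zf.read(name)):
            problems.append(f"{name}: content does not match MANIFEST.MF")
        sf = sf_entries.get(name)
        if sf is None or sf[0]["SHA1-Digest"] != b64sha1(section):
            problems.append(f"{name}: MANIFEST.MF section does not match CERT.SF")
    return problems, b64sha1(sf_raw)

def build(files):
    """Constructed sample: generate MANIFEST.MF and CERT.SF for the given files."""
    mf, sf = b"Manifest-Version: 1.0\r\n\r\n", b""
    for name, data in files.items():
        sec = f"Name: {name}\r\nSHA1-Digest: {b64sha1(data)}\r\n\r\n".encode()
        mf += sec
        sf += f"Name: {name}\r\nSHA1-Digest: {b64sha1(sec)}\r\n\r\n".encode()
    head = f"Signature-Version: 1.0\r\nSHA1-Digest-Manifest: {b64sha1(mf)}\r\n\r\n"
    return {**files, "META-INF/MANIFEST.MF": mf, "META-INF/CERT.SF": head.encode() + sf}

def pack(members):
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        for name, data in members.items():
            z.writestr(name, data)
    return zipfile.ZipFile(buf)

RING = "system/media/ring.ogg"  # constructed file names and contents, not real OTA data
SAMPLE = {RING: b"constructed ringtone bytes", "system/build.prop": b"ro.constructed=1\n"}

def scenarios():
    signed = build(SAMPLE)
    removed = {k: v for k, v in signed.items() if k != RING}
    regen = build({k: v for k, v in SAMPLE.items() if k != RING})
    mf_edited = {**removed, "META-INF/MANIFEST.MF": regen["META-INF/MANIFEST.MF"]}
    cases = {"signed": signed, "removed": removed, "mf_edited": mf_edited, "regen": regen}
    return {k: check_digest_chain(pack(m)) for k, m in cases.items()}
```

In the `regen` case every digest lines up again, but the CERT.SF digest differs from the `signed` one, so a signature made over the original CERT.SF no longer covers the file.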

DREAIMG.nbh

Any chance that we can use the .bin file in the bootloader update, rename it to DREAIMG.nbh, put it on a SD card (even for OTA RC30), reboot to SPL (camera+END) and flash the ROM for OTA RC30?
trying this now on stock rc30...standby.
ok, RC30 stock bootloader does not recognize DREAIMG.nbh
ok, also tried it on modded RC30 and bootloader says no image found.
Ok, that was the name I found on other threads. Maybe that is not the name to be used.
I also tried DREAIMG.IMG but still the same....
scanta2 said:
Any chance that we can use the .bin file in the bootloader update, rename it to DREAIMG.nbh, put it on a SD card (even for OTA RC30), reboot to SPL (camera+END) and flash the ROM for OTA RC30?
Nope, no chance. The stock bootloader - although it will see DREAIMG.nbh files on fat32 sdcards - it will only accept NBH files signed by HTC's private key.
I thought I recalled a post about finding HTC's key when dumping the NAND, am I delusional?????lol....
korndub said:
I thought I recalled a post about finding HTC's key when dumping the NAND, am I delusional?????lol....
Probably a public key. Public keys are used to verify files signed with a private key. As the name implies, the private key is not disseminated.
http://en.wikipedia.org/wiki/Public_key_infrastructure
Hi
can anyone give me img of stock bootloader, and where is this public cert of HTC?
Vilko said:
Hi
can anyone give me img of stock bootloader, and where is this public cert of HTC?
Stock bootloader is attached to this thread. Public cert is located in /etc/security. That's the cert for update files though. No idea if it's the same as used for nbh, especially since no nbh have been publicly released. Analyze the dumped stock bootloader.

What type is .NBH?

Does anyone know what type of a file a .nbh is and how to make it viewable/modifiable. If there was a way that we can mod the NBH file that I believe would be the successful way of rooting the MyTouch 3G. I will be getting one of the production devices in a week or so anyone want to have anything dumped let me know.
the nbh is a ROM and you can't flash it without a modified SPL. i'm not even sure the SPL used for android even supports the file type but any kitchen from winmo can decompile it
Not really so much an android thing but is a hardware thing of HTC. The Dream and Sapphire support these files. There is a NBH file which will take you all the way back to RC29 and also flashes back the original SPL as well. So it is my belief that if we can make a compatible NBH for the sapphire it will accomplish the end result.
Of course it will... That's what NBH files are made for. I don't think you can make one since it's signed (or something) with a key we don't have.
Ehh, i have an idea:
Someone has to decompile .nbh and modify it to work on mytouch 3g.
Then you have to create a goldcard.. not sure about if viperbjk is putting sapphire into qmat..
Yeh I have tried to decode with hex editor and have not had any real luck with it at all. Looks coded. Just wondering if anyone knows how to decode would be greatly appreciated. I have tried to use some of the old Windows mobile kitchen tools.
There are lots of tools to extract NBH files, they should work if HTC hasn't changed anything...look for other devices kitchens and you'll find the tools.
Also there's a project which tries to achieve the same result under linux http://code.google.com/p/htc-flasher/.
where did you guys get an android nbh? this is odd because android is updated by placing an update.zip on the root of the sd card (among other ways) which is handled by the SPL. why wouldn't HTC just stick with nbh then?
sammypwns said:
where did you guys get an android nbh? this is odd because android is updated by placing an update.zip on the root of the sd card (among other ways) which is handled by the SPL. why wouldn't HTC just stick with nbh then?
android is updated by .zip but NBH is an all in one image type file that flashes htc phones to factory defaults. its usually used by the support techs to restore phones.
android/google=zip
htc =nbh
tripledes said:
There are lots of tools to extract NBH files, they should work if HTC hasn't changed anything...look for other devices kitchens and you'll find the tools.
Also there's a project which tries to achieve the same result under linux http://code.google.com/p/htc-flasher/.
this looks promising...i wonder if we can figure out how to resign it....
Hi,
I have just tested the HTC-Flasher and unfortunately it does not work with the DREAIMG.nbh
So if someone knows how to extract and re-flash the dream NBH please help.
Bye
Herc. 8)

[Q] Help rebuilding Spanish GSM Treo Pro dump

Hi,
I have an unlocked Treo Pro GSM phone and after doing a lot of reading I have managed to dump its ROM and I now have the four RAW files. However, I still can't find a way to rebuild the ROM and create a .nbh file out of them. Could someone please point me in the right direction or help me by rebuilding the ROM? I know I should only need part01 and part02.
I'm currently downloading Treo Pro kitchen and I assume it will be possible to rebuild the ROM with it, I just need some guidance. If anybody wants the RAW files please let me know and I'll upload them for you.
Thanks in advance.
Edit: Using the kitchen posted here I have managed to create a os-new.nb file by clicking on Extra Buttons and then RAWS2NBH then I got a message "Need the ROM nbmerge command?" I clicked Yes then got the message "Execute NbhUtils to build nbh file?" I clicked Yes, the NBH Utility pops up and I select PANT100 under Target Device and finally under NBH Items I select the path of the os-new.nb file for the OS item and clicked on Build NBH! I chose the output location but after I get a message saying that it is done there is no nbh file in the location I selected.
palmerx said:
Hi,
I have an unlocked Treo Pro GSM phone and after doing a lot of reading I have managed to dump its ROM and I now have the four RAW files. However, I still can't find a way to rebuild the ROM and create a .nbh file out of them. Could someone please point me in the right direction or help me by rebuilding the ROM? I know I should only need part01 and part02.
I'm currently downloading Treo Pro kitchen and I assume it will be possible to rebuild the ROM with it, I just need some guidance. If anybody wants the RAW files please let me know and I'll upload them for you.
Thanks in advance.
Edit: Using the kitchen posted here I have managed to create a os-new.nb file by clicking on Extra Buttons and then RAWS2NBH then I got a message "Need the ROM nbmerge command?" I clicked Yes then got the message "Execute NbhUtils to build nbh file?" I clicked Yes, the NBH Utility pops up and I select PANT100 under Target Device and finally under NBH Items I select the path of the os-new.nb file for the OS item and clicked on Build NBH! I chose the output location but after I get a message saying that it is done there is no nbh file in the location I selected.
Could I have the .raw files for part 00 to part 3? This would help me create a thread that has all stock ROMs for reference. I regret the fact that I didn't do this before because most of the links to the stock ROM are dead.

xap package signature is not valid?

i try to load some xap files into my phone using Tom XAP Installer v1.1, but i consistently got some error messages. i tried every method and can not fix it.
1. make sure your phone is unlocked
2. make sure you connected device to pc and zune launched.
My device is 100% sure unlocked and i have every tool installed in my machine.
Finally i used application deployment tool by MS, and i got error message:
"xap package signature is not valid or the wp manifest file is invalid. re-sign with valid signature and fix the manifest file."
what should i do? thanks for your help.
The XAP's are DRM protected. I know multiple ways to strip off the DRM, but that would be illegal and therefore I will not give you instructions on this forum. That would violate the rules of XDA forum.
The guy who gave you the xap used the wrong compression method to generate it.
- Rename it to .zip
- Decompress the zip
- Compress the decompressed files with Windows Integrated ZIP (Right Click->Send To)
- Rename .zip to .xap
so basically if you knew multiple ways to strip off the DRM, i can google it and do it by myself.
anyway, thanks.
Heathcliff74 said:
The XAP's are DRM protected. I know multiple ways to strip off the DRM, but that would be illegal and therefore I will not give you instructions on this forum. That would violate the rules of XDA forum.
simply re-decompressing the file will solve my problem? i doubt.
but i will try later. thanks.
kuerbis2 said:
The guy who gave you the xap used the wrong compression method to generate it.
- Rename it to .zip
- Decompress the zip
- Compress the decompressed files with Windows Integrated ZIP (Right Click->Send To)
- Rename .zip to .xap
thanks it's working...
does not work for me, but thanks?
I think you can use WP7-DesktopMarketplace
And remember to choose Remove DRM & Replace signature
