WARNING: Following these instructions may brick your phone, void your warranty and kill your dog. You don't want your dog to die do you?
Once I got root access on my G1, I've been messing around with trying to build and reflash the recovery partition. That project is still in progress, but I have learned a bit about how to flash the various partitions on the G1.
First things first, you have to have root access. See this thread.
There are 6 mtd devices or partitions on the G1, mtd0-mtd5. They are located at /dev/mtd. You can use the /system/bin/flash_image tool to flash an image to any of these.
The syntax for the flash_image tool is:
Code:
# flash_image
usage: flash_image partition file.img
#
You can see a list of partition names and which device they are associated with by doing a "cat /proc/mtd".
Code:
# cat /proc/mtd
dev: size erasesize name
mtd0: 00040000 00020000 "misc"
mtd1: 00500000 00020000 "recovery"
mtd2: 00280000 00020000 "boot"
mtd3: 04380000 00020000 "system"
mtd4: 04380000 00020000 "cache"
mtd5: 04ac0000 00020000 "userdata"
#
These should all be self explanatory, except maybe "misc", which just appears to have a few string values.. Not really sure what it's used for..
Before you do any erasing or writing, it's a "really good idea" (tm) to make backups of each of these. Even if you don't plan on writing to them. I had accidentally erased the bootloader partition (typed mtd0 instead of mtd1), which I'm fairly sure would have bricked my phone if I had tried to reboot it. Ugh! Luckily, I had created a backup earlier, so I was able to restore it. (And then was nervous as heck when I tried to reboot it... "Please boot up! Please boot up!")
To create the backups:
Code:
# cat /dev/mtd/mtd0 > /sdcard/mtd0.img
# cat /dev/mtd/mtd1 > /sdcard/mtd1.img
# cat /dev/mtd/mtd2 > /sdcard/mtd2.img
# cat /dev/mtd/mtd3 > /sdcard/mtd3.img
# cat /dev/mtd/mtd4 > /sdcard/mtd4.img
# cat /dev/mtd/mtd5 > /sdcard/mtd5.img
#
Now you can use flash_image to write the new image.
Code:
# flash_image recovery /system/recovery.img
#
And that's how it's done.
Update: You normally don't need to erase the flash before you write, as long as you don't corrupt the flash first by trying to "cat" an image directly to the mtd device, like I did. If you get a lot of ECC errors when you use flash_image, then you need to erase it:
Code:
# cat /dev/zero > /dev/mtd/mtd1
write: No space left on device
#
On a related note, based on my experience so far, the recovery partition is not critical to booting the G1. When I first tried this, I used flash_image to write a new image without erasing the partition first, and it corrupted it pretty good. When I tried to boot the G1 into recovery mode (power+home), it would go to the bootloader screen instead. But it would boot into normal mode just fine.
Additionally, I've verified that the device will boot into recovery mode if you screw up the boot partition (mtd2). So as long as you at least have a good recovery image *or* a good boot image, you should be able to get back in business. Just don't try to update both at the same time.
Even so.. be careful, and don't come crying to me when you brick your phone. Or if your dog dies. You don't want your dog to die do you?
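A host-side pre-flight check for the procedure in the post above, as an added example that is not part of the original post: it parses the `/proc/mtd` listing, resolves a partition by name rather than by a hand-typed device number, and rejects an image that does not fit. The function names and the `mtdN-name.img` backup naming are assumptions of this sketch.

```python
import hashlib
import re
from typing import NamedTuple

# /proc/mtd listing as shown in the post above.
PROC_MTD = '''\
dev:    size   erasesize  name
mtd0: 00040000 00020000 "misc"
mtd1: 00500000 00020000 "recovery"
mtd2: 00280000 00020000 "boot"
mtd3: 04380000 00020000 "system"
mtd4: 04380000 00020000 "cache"
mtd5: 04ac0000 00020000 "userdata"
'''


class MtdPart(NamedTuple):
    dev: str        # e.g. "mtd1"
    size: int       # partition size in bytes
    erasesize: int  # erase block size in bytes
    name: str       # e.g. "recovery"


_LINE = re.compile(
    r'^(mtd\d+):\s+([0-9a-fA-F]+)\s+([0-9a-fA-F]+)\s+"([^"]*)"$')


def parse_proc_mtd(text):
    """Return {partition name: MtdPart}; sizes in /proc/mtd are hex."""
    parts = {}
    for line in text.splitlines():
        m = _LINE.match(line.strip())
        if not m:
            continue  # header line or blank
        part = MtdPart(m.group(1), int(m.group(2), 16),
                       int(m.group(3), 16), m.group(4))
        if part.name in parts:
            raise ValueError("duplicate partition name: " + part.name)
        parts[part.name] = part
    return parts


def backup_commands(parts, dest="/sdcard"):
    """One dump command per partition. The output file carries both the
    device and the partition name, so no two dumps can share a file."""
    ordered = sorted(parts.values(), key=lambda p: int(p.dev[3:]))
    return ["cat /dev/mtd/%s > %s/%s-%s.img" % (p.dev, dest, p.dev, p.name)
            for p in ordered]


def check_image(parts, name, image):
    """Resolve `name` to its device and confirm `image` (bytes) fits.

    Returns (device, erase blocks needed, sha256 hex digest).
    Raises KeyError for an unknown partition name and ValueError for an
    empty or oversized image.
    """
    if name not in parts:
        raise KeyError("no partition named %r in /proc/mtd" % name)
    part = parts[name]
    if not image:
        raise ValueError("image is empty")
    if len(image) > part.size:
        raise ValueError("image is %d bytes, %s (%s) holds %d"
                         % (len(image), part.name, part.dev, part.size))
    blocks = -(-len(image) // part.erasesize)  # ceiling division
    return part.dev, blocks, hashlib.sha256(image).hexdigest()


if __name__ == "__main__":
    table = parse_proc_mtd(PROC_MTD)
    for cmd in backup_commands(table):
        print(cmd)
    # Constructed stand-in for a recovery image, just over one erase block.
    print(check_image(table, "recovery", b"A" * 0x20001))
```

Recording the SHA-256 of each backup at dump time gives something to compare against after the file has been copied off the SD card.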
Excellent work!
So if misc is the boot loader, it looks like it is roughly 266k. If you can dump it, have you tried to "open" the image and see if you can see files?
Now you have given me more ideas
readonly sdcard?
When I run: cat /dev/mtd/mtd1 > /sdcard/mtd1.img
I got this:
cannot create /sdcard/mtd1.img: read-only file system
I know I am root...
staulkor said:
> So if misc is the boot loader, it looks like it is roughly 266k. If you can dump it, have you tried to "open" the image and see if you can see files?
Actually, now that I look at it.. I'm not positive that mtd0 is the bootloader. There's not much data there at all. Just a few strings in the beginning, then lots of nothing. Mostly all FFs, with a few blocks of 00s thrown in. It doesn't look like there's any code at all, so it can't be the bootloader.
Nice work. How about the signing? Does the image you flash have to be correctly signed this way?
blues said:
> When I run: cat /dev/mtd/mtd1 > /sdcard/mtd1.img
> I got this:
> cannot create /sdcard/mtd1.img: read-only file system
> I know I am root...
Do you have the sdcard mounted for USB access? If so, just unplug the usb cable and plug it back in. (don't select "mount" in the usb notification thingy that pops up)
Chainfire said:
> Nice work. How about the signing? Does the image you flash have to be correctly signed this way?
Nope. This is a raw write directly to the flash device. The whole signing thing is only applicable to the OTA updates (or Update.zip style update).
But the other project I'm working on is to rebuild the recovery mode and disable the signature check for OTA/update.zip updates.
If you check out the SDK and build the open-source version for the phone, it builds a custom recovery-image that accepts only things signed with the testkeys - which is cool. Since the test keys are in the directory, you can easily resign the images yourself.
I know a guy who has done this now. I'll do it when I get a chance.
There are two proprietary files that you have to suck off the device in addition to the ones that the "extract_files" script in the android build pulls off - I sent in a patch to fix this but who knows if they'll apply it or not (I think they think that the crap in the msm7k dir will do something)
What I'm wondering is if we can write an update mode that will backup the contents of the /cache and /data to the SDCard - then erase the three partitions - then recreate /data as a huge partition and leave only 10 or 15 megs for /cache - because... well.. /cache is worthless since OTA updates aren't gonna happen to our phones anymore anyway. It would be nice to get an extra 40 megs for app storage.
JesusFreke said:
> Actually, now that I look at it.. I'm not positive that mtd0 is the bootloader. There's not much data there at all. Just a few strings in the beginning, then lots of nothing. Mostly all FFs, with a few blocks of 00s thrown in. It doesn't look like there's any code at all, so it can't be the bootloader.
I just looked at my dumped mtd0.img and I see a few interesting strings:
T-MOB010
DeviceWarmBoot
CE Serial InUse
Debug Cable Ena
CE USB InUse
ClearAutoImage
And then a mountain of FFs, lol
You are right. I am on XP machine. So I disabled the usb storage, and it works fine
JesusFreke said:
> Nope. This is a raw write directly to the flash device. The whole signing thing is only applicable to the OTA updates (or Update.zip style update).
> But the other project I'm working on is to rebuild the recovery mode and disable the signature check for OTA/update.zip updates.
It works for me now.
RyeBrye said:
> If you check out the SDK and build the open-source version for the phone, it builds a custom recovery-image that accepts only things signed with the testkeys - which is cool. Since the test keys are in the directory, you can easily resign the images yourself.
Yep, that's exactly what I'm doing. I'm planning on posting a recovery.img for others to use, since trying to build the thing from scratch is a pain, and takes forever.
RyeBrye said:
> There are two proprietary files that you have to suck off the device in addition to the ones that the "extract_files" script in the android build pulls off - I sent in a patch to fix this but who knows if they'll apply it or not (I think they think that the crap in the msm7k dir will do something)
I assume you're talking about libaudio.so and librpc.so?
RyeBrye said:
> What I'm wondering is if we can write an update mode that will backup the contents of the /cache and /data to the SDCard - then erase the three partitions - then recreate /data as a huge partition and leave only 10 or 15 megs for /cache - because... well.. /cache is worthless since OTA updates aren't gonna happen to our phones anymore anyway. It would be nice to get an extra 40 megs for app storage.
Good idea. Even better would be if we could put the installed apps and all data on the sdcard.. But that would probably be a harder modification than just resizing the partitions.
staulkor said:
> I just looked at my dumped mtd0.img and I see a few interesting strings:
> T-MOB010
> DeviceWarmBoot
> CE Serial InUse
> Debug Cable Ena
> CE USB InUse
> ClearAutoImage
> And then a mountain of FFs, lol
that partition is the config partition, standard HTC stuff.
T-MOB010 is your CID (carrier ID, spl checks this when flashing NBH), but it is only a backup copy of it, the real CID is in radio part of nand (protected!).
and the rest is just config stuff for SPL and radio. (yes HTC uses strings to set these configs - SPL reads the strings from specific nand addresses and decides what to do)
JesusFreke said:
> On a related note, based on my experience so far, the recovery partition is not critical to booting the G1. When I first tried this, I used flash_image to write a new image without erasing the partition first, and it corrupted it pretty good. When I tried to boot the G1 into recovery mode (power+home), it would go to the bootloader screen instead. But it would boot into normal mode just fine.
very nice stuff! have you been able to reflash a recovery.img then to fix the corruption?
and you are right about the boot order... it's : radio bootloader -> SPL (that tricolour screen is SPL mode) -> boot.img or recovery.img.
(if boot.img then the OS loads)
cmonex said:
> very nice stuff! have you been able to reflash a recovery.img then to fix the corruption?
Yep. I screwed up the recovery partition and rebooted, and wasn't able to boot into recovery mode. It just went into SPL mode when I tried. Then I normal booted and re-flashed with the original recovery.img and rebooted, and was able to boot into recovery mode.
Thanks for the info on the boot order. I didn't realize the radio image was used for booting, I figured it was just firmware for the 3G chip or something.
I'm getting close to being able to apply my own update.zip style update. I've been able to reflash the recovery partition with a custom built recovery image that skips the signature verification. I'm having a touch of trouble getting it to actually install an update.zip though. It keeps saying "update script not found", even though there is a "META-INF/com/google/android/update-script" file in the zip. Arg! Anyways.. I'm in the process of tracking the issue down. More to come!
cmonex said:
> that partition is the config partition, standard HTC stuff.
> T-MOB010 is your CID (carrier ID, spl checks this when flashing NBH), but it is only a backup copy of it, the real CID is in radio part of nand (protected!).
> and the rest is just config stuff for SPL and radio. (yes HTC uses strings to set these configs - SPL reads the strings from specific nand addresses and decides what to do)
Ah! Excellent info.
I was finally able to get the rebuilt recovery tool to work. The problem with the update.zip was due to the fact that the zip was built in windows, so it had the wrong path separators. It was looking for META-INF/com/google/android/update-script, but the zip file contained META-INF\com\google\android\update-script
After switching the slashes around in a hex editor, it installed the update no problem.
Next, I was tempted to try to flash the boot partition. I was somewhat sure that I would be able to recover from a bad boot flash, with my nifty new recovery tool. But after reading about the guy that bricked his phone (over in the root thread), I was a bit scared.
But I finally went ahead and decided to give it a try. You only live once, right?
So I opened up a root console, and just wiped the boot partition clean. "cat /dev/zero > /dev/mtd/mtd2" and rebooted. Palms sweaty.. breathing hard.. shaking.. Powered the phone on (without holding down home), and it comes up to the recovery tool. So far so good. Then I ran the update on the sdcard - it was a smallish update I had created before hand that just flashed the original boot image back to mtd2. Update runs fine.. phone reboots....
And it boots up normally.
yes!
*takes a big sigh of relief*
So now I can mess around with the boot partition, and know that I have that recovery tool safety net.
And now. It's time to sleep. *head hits the keyboard*
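The path-separator problem described in the post above, as an added example that is not part of the original post: it lists ZIP entries whose stored names contain backslashes, checks for the exact `update-script` entry name quoted in the post, and repacks the archive with forward slashes instead of patching bytes in a hex editor. The function names and the two-entry sample archive are constructed for illustration; exact-name matching by the recovery tool is assumed from the error message the post reports.

```python
import io
import zipfile

# Entry name the recovery tool looks for, as quoted in the post.
UPDATE_SCRIPT = "META-INF/com/google/android/update-script"


def build_sample_zip(sep):
    """Constructed sample: a tiny update.zip whose entry names use `sep`."""
    entries = ((UPDATE_SCRIPT, b"# constructed placeholder script\n"),
               ("boot.img", b"constructed placeholder image"))
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for name, data in entries:
            info = zipfile.ZipInfo("placeholder")
            # Assign after construction: ZipInfo() rewrites the local path
            # separator on Windows, which would hide the problem.
            info.filename = name.replace("/", sep)
            zf.writestr(info, data)
    return buf.getvalue()


def stored_names(zip_bytes):
    """Entry names exactly as stored in the archive (orig_filename is the
    name before Python's own separator normalisation)."""
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        return [info.orig_filename for info in zf.infolist()]


def backslash_entries(zip_bytes):
    """Entries a Windows zipper wrote with '\\' as the separator."""
    return [n for n in stored_names(zip_bytes) if "\\" in n]


def has_update_script(zip_bytes):
    """True only if the archive stores the exact name the tool expects."""
    return UPDATE_SCRIPT in stored_names(zip_bytes)


def repack_with_forward_slashes(zip_bytes):
    """Return a new archive with every '\\' in entry names replaced by '/'.

    Raises ValueError if two entries would end up with the same name.
    """
    out = io.BytesIO()
    seen = set()
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as src, \
            zipfile.ZipFile(out, "w") as dst:
        for info in src.infolist():
            name = info.orig_filename.replace("\\", "/")
            if name in seen:
                raise ValueError("name collision after rename: " + name)
            seen.add(name)
            fixed = zipfile.ZipInfo(name, date_time=info.date_time)
            fixed.compress_type = info.compress_type
            fixed.external_attr = info.external_attr
            dst.writestr(fixed, src.read(info))
    return out.getvalue()


if __name__ == "__main__":
    bad = build_sample_zip("\\")
    print("backslash entries:", backslash_entries(bad))
    print("update-script found:", has_update_script(bad))
    good = repack_with_forward_slashes(bad)
    print("after repack:", stored_names(good))
```

Run on a non-Windows host; Python on Windows normalises backslashes when it reads local file headers, so extracting entry data there may not match the stored names.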
very cinematic good job mate!
Very nice work
Congrats on the successful flash!
strings in mda1.img include:
Code:
ANDROID!
no_console_suspend=1
-- System halted
ran out of input data
Malloc error
Memory error
Out of memory
incomplete literal tree
incomplete distance tree
bad gzip magic numbers
internal error, invalid method
Input is encrypted
Multi part input
Input has invalid flags
invalid compressed format (err=1)
invalid compressed format (err=2)
out of memory
invalid compressed format (other)
crc error
length error
Uncompressing Linux...
done, booting the kernel.
What are these images? Are they filesystem images that you could theoretically mount? If so, what filesystem (I haven't gotten anything to work).
So, I wanted to test HTC sense, but didn't want to brick my phone, use non official images nor change the SPL. There was a problem though: the latest rom released in Taiwan has a big (153Mb) system.img, which is bigger than the 92Mb that the older SPL assigns for the system partition, making it impossible to put the new system files in your phone without the new SPL. BUT!!! you can tell the kernel how to "partition" the NAND. Here is how to do it:
DISCLAIMER:
- This could brick your phone. Don't try it if u don't know what u're doing!!!! I hate seeing bricked phones.
- The steps come from my memory and my PC's history, so think before typing anything.
- This was done in a PVT 32A.
1. BACKUP WITH NANDROID!!!!
2. Get a working kernel. I compiled the "android-msm-2.6.27" with the 2.17.401.2_HTC_CH config. But lots of hardware didn't work, it was ok for me, I was just trying to see/feel, multitouch and the Sense UI.
3. Generate a boot.img from the kernel from point 1. and the 3.03.751.4's ramdisk:
This is for PVT 32A: (I think u only need to remove the base for 32B)
Code:
mkbootimg --base 0x19200000 --cmdline "no_console_suspend=1 mtdparts=msm_nand:[email protected](misc),[email protected](recovery),[email protected](boot),[email protected](system),[email protected](cache),[email protected](userdata) " --kernel zImage --ramdisk boot.img-ramdisk.gz -o boot_bigmtd.img
4. Copy the system.img and boot_bigmtd.img to the sdcard.
5. Run fastboot to erase system, cache and userdata, e.g.: (I'm sure there are better ways to create yaffs file systems, mkfs.yaffs?, but I tried fastboot, it worked and I didn't care)
Code:
fastboot erase system
fastboot erase userdata
fastboot erase cache
6. Boot RA's recovery, or any other recovery that lets u unyaffs an image. You have to set the new SPL "partition" sizes, e.g.:
Code:
fastboot -c " mtdparts=msm_nand:[email protected](misc),[email protected](recovery),[email protected](boot),[email protected](system),[email protected](cache),[email protected](userdata) " boot recovery-RA-magic-v1.2.3H.img
7. Mount system and sdcard, e.g.:
Code:
$ adb shell mount /system
$ adb shell mount /sdcard
8. flash the boot image and unyaffs the system image.
Code:
$ adb shell
# flash_image boot /sdcard/[path to the boot_bigmtd.img]/boot_bigmtd.img
# cd /system
# unyaffs /sdcard/[path to the system.img]/system.img
# cd /
# sync
# umount /sdcard
# umount /system
9. Reboot! Give the phone some time to boot, mine did. but YMMV. I saw something weird during the boot, before the 3rd splash (the one loaded from system), the phone displayed residual garbage from what was displayed right before the previous shut down.
Drawbacks:
- Fastboot theoretically (not tested yet) could wreck your system, as it still thinks that the system size is 92Mb.
- You have to be careful not to destroy the data of any of the modified partitions, by writing into it without the good MTD table
- U still have to get all the hardware working. I didn't try, but easy to do, get the 3.03.751.4's kernel config, that should take care of most of the things.
For more info, see:
http://forum.xda-developers.com/showthread.php?t=542688
http://android-dls.com/wiki/index.php?title=HOWTO:_Unpack,_Edit,_and_Re-Pack_Boot_Images
great article. I got 2 questions.
1. why did you build a new boot.img but not use the one comes with update?
2. after setting the new SPL "partition" sizes, can I still restore with nandroid?
thank you.
Hi snakejoe,
I haven't tried it, but you can update the radio and a new (1.76.2007) Engineering spl, see:
http://forum.xda-developers.com/showthread.php?t=589722
Ps:
1. I don't remember why I tried a different kernel, but I guess that the shipped one should have worked unless the radio needed that kernel.
2. I didn't try to restore backup with nandroid, but it should work, as long as you load the rescue with the “right” partition sizes.
It's been a long time since the last time I made a bat file and it seems I can't remember how to exactly make one xD... I'm kind of tired of having to put the commands to change the radio, spl and recovery every time, so I've decided to make a simple bat file to be able to choose what files to install if files 1 or 2 (1 being old radio, spl, recovery, and 2 being the new)...
Here is what I got so far xD...
Code:
@echo off
cls
:start
echo.
echo 1. Press 1 to install old files
echo 2. Press 2 to install new files
set choice=
set /p choice=Press 1 or 2 to continue
<--- This section is for option 1 --->(this lines are just to show what option is each)
C:\Android\fastboot flash radio Radio1.img
C:\Android\fastboot flash hboot hboot1.img
C:\Android\fastboot flash recovery recovery1.img
C:\Android\fastboot erase system -w
C:\Android\fastboot reboot-bootloader
<--- End section 1 --->
<--- This section is for option 2 --->
C:\Android\fastboot flash radio Radio2.img
C:\Android\fastboot flash hboot hboot2.img
C:\Android\fastboot flash recovery recovery2.img
C:\Android\fastboot erase system -w
C:\Android\fastboot reboot-bootloader
<--- End section 2 --->
fin:
I hope anybody can give me a hand with this =P... I've forgotten almost everything about creating this kind of file xD... I know I can make 2 different batch files for the different files, but it's more comfortable to have everything in just 1 file...
Thanks in advance
Yeah..... Not sure how much you want to mess with automated Radio/spl installing. those are the 2 most dangerous parts and what happens if you get an error mid way through?
Be careful
crypysmoker said:
> Yeah..... Not sure how much you want to mess with automated Radio/spl installing. those are the 2 most dangerous parts and what happens if you get an error mid way through?
> Be careful
That's why I'm including a "press a key to continue" after each part ...
The only problem so far was that I tested the script and forgot to make a nandroid backup xD...
I think this is what you want:
Code:
@echo off
:start
cls
echo 1. Press 1 to install old files
echo 2. Press 2 to install new files
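rem Clear any earlier value so pressing Enter alone does not reuse it
set "choice="
set /p choice=Press 1 or 2 to continue:
if "%choice%"=="1" goto choice1
if "%choice%"=="2" goto choice2
rem Any other input: ask again instead of falling through to choice1
goto start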
:choice1
echo Choice1 command should go here
set /p anykey=Command complete, press any key to continue...
exit
:choice2
echo Choice2 command should go here
set /p anykey=Command complete, press any key to continue...
exit
Reference: http://en.wikipedia.org/wiki/Batch_file
Thanks, I've already got a functional batch file...
Now I'm gonna port it to C or something to get a program that works for everybody, that way it would be easier to change the radios and stuff...
Code:
#include <std_disclaimer.h>
/*
* Your warranty is now void.
*
* I am not responsible for bricked devices, dead SD cards,
* thermonuclear war, you getting fired because the alarm app failed, or anything whatsoever.
* Please do some research if you have any concerns about things covered in this guide
* before flashing! YOU are choosing to make these modifications, and if
* you point the finger at me for messing up your device, I will laugh at you.
*/
(Thank you CM Team for that bit of advice)
What is a Splash1?
Splash1 is the image that shows up before recovery / your ROM's bootsplash / etc. By default, it is the white screen with green HTC lettering (if you have flashed Sprint's 2.1 release.)
How do I change it?
Follow these steps to create the image, then the steps to flash the image.
Creating a splash1, Tool method:
1. Pick your image of choice, and crop it to 320x480 (width x height). This resolution is meant for the HTC Hero and screens of similar size. If you're looking to adapt this to other phones, make sure you know your resolution. It could be 480x800 (e.g. HTC Evo), or even 480x854 (Droid X).
2. Use the attached CreateG1Splash tool to convert your image to R5G6B5 format. It should output a file named 'mysplash.rgb565'.
Creating a splash1, GIMP method:
Note: This seems to have strange results in Windows. In my personal tests, the images ended up upside down, mirrored, and shifted to the right when they were flashed. You can use Tomatosoup's Gimp Script to fix it.
1. Open your desired image in GIMP. Use the appropriate tools (e.g. Scale, Canvas Size) to edit your image to the correct size. (Again, 320x480 for HTC Hero).
2. Go to Image => Print Size and make sure it is set to 72 pixels per inch.
3. Hit Save As => Extension => BMP => Save => Advanced => R5 G6 B5 Format => Save.
Flashing a splash1, Fastboot method:
IMPORTANT! This method is for users who have an ENG SPL. Browse through the relevant forums here on XDA to find out how to achieve this. This method does not work with Unrevoked Forever.
1. Open up a command prompt / terminal / console, and type:
Code:
adb reboot bootloader
OR power your phone off, then power it back on while holding VOL UP.
2. Once you're in fastboot, make sure the phone says "FASTBOOT USB", and when you type "fastboot devices" in the console, it returns the device name. If it returns anything strange, make sure your phone's USB drivers are installed and anything else that might use the phone is closed (e.g. HTC Sync).
3. In your command line / console / terminal, and type this, replacing "path to" with the right directories:
Windows Users:
Code:
fastboot flash splash1 C:\path\to\mysplash.rgb565
Linux Users:
Code:
fastboot flash splash1 /path/to/mysplash.rgb565
You should see "Sending splash1... OK ; Flashing splash1... OK"
4. Now enter:
Code:
fastboot reboot
Your new splash1 should be visible!
Flashing a splash1, HERCIMG method:
This method is compatible with Unrevoked Forever and people getting "Remote: Not Allow" errors.
1. Download the attached HERCIMG.zip to use as an example.
2. Extract the two files: android-info.txt and splash1.nb0
This is the template for the HERCIMG you will create and flash.
3. Delete the splash1.nb0 in the zip. Take the splash1 you created, rename it splash1.nb0
4. Select your splash1.nb0, and the android-info.txt, and zip them together. Rename the zip as HERCIMG.zip
NOTE: Zip ONLY the two files, DO NOT zip the folder containing the files or anything else!
5. Put the HERCIMG.zip on the root of your sdcard:
Code:
adb push HERCIMG.zip /sdcard/HERCIMG.zip
6. Reboot into HBoot either by holding VOL DOWN while you power your phone on, or:
Code:
adb reboot bootloader
Then press VOL DOWN to enter HBoot Mode.
7. Your phone should say:
Code:
Parsing...[SD ZIP]
[1] SPLASH1
Do you want to start update?
<ACTION> Yes
<SEND> No
Press ACTION (Trackball button) to flash the HERCIMG.zip.
It should now say OK. Press ACTION again to reboot the device.
Your new splash1 should be visible!
Attached is a preview of a CM6 splash1 I converted, and a zip file containing the mysplash.rgb565 file.
The attached cyanogenmodsplash.zip is not a flashable zip!
Credits to:
CyanogenMod team for the disclaimer.
toastcfh and darchstar for the ENG SPL.
regaw_leinad and Unrevoked Team for Unrevoked Forever.
Koushik Dutta for his CreateG1Splash tool.
tomatosoup for GIMP Method.
And anyone else that deserves credit.
Koush's full CreateG1Splash tool.
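What the R5G6B5 conversion step in the guide above amounts to, as an added example that is not part of the original post and not the CreateG1Splash tool's code: each 24-bit pixel is packed into 16 bits, and the result is checked against the exact byte count for the screen. Little-endian 16-bit output with no header is an assumption of this sketch, and the function names are illustrative.

```python
import struct

HERO_WIDTH, HERO_HEIGHT = 320, 480  # resolution given in the guide


def pack_rgb565(r, g, b):
    """Keep the top 5 bits of red, 6 of green and 5 of blue."""
    return ((r >> 3) << 11) | ((g >> 2) << 5) | (b >> 3)


def rgb888_to_rgb565(rgb, width, height):
    """Convert raw 24-bit RGB pixel data (row-major, no header) to raw
    RGB565. Assumption: each pixel is written as a little-endian uint16."""
    if len(rgb) != width * height * 3:
        raise ValueError("expected %d bytes of RGB data, got %d"
                         % (width * height * 3, len(rgb)))
    out = bytearray(width * height * 2)
    for i in range(width * height):
        r, g, b = rgb[3 * i], rgb[3 * i + 1], rgb[3 * i + 2]
        struct.pack_into("<H", out, 2 * i, pack_rgb565(r, g, b))
    return bytes(out)


def expected_splash_bytes(width, height):
    """A raw splash is exactly two bytes per pixel and nothing else."""
    return width * height * 2


def splash_size_ok(data, width, height):
    """False for anything that is not exactly width*height 16-bit pixels,
    e.g. a wrong resolution or a file that still carries an image header."""
    return len(data) == expected_splash_bytes(width, height)


if __name__ == "__main__":
    # Constructed input: a solid red 320x480 frame.
    frame = bytes([255, 0, 0]) * (HERO_WIDTH * HERO_HEIGHT)
    splash = rgb888_to_rgb565(frame, HERO_WIDTH, HERO_HEIGHT)
    print(len(splash), "bytes =", len(splash) // 1024, "KB")
    print("size ok:", splash_size_ok(splash, HERO_WIDTH, HERO_HEIGHT))
```

For 320x480 the file is 307200 bytes, which is the 300KB that fastboot reports when sending splash1 later in this thread.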
didnt work for me im s off and all i got back was error: cannot load ' /path/to/mysplash.rgb565
It's not literally /path/to/mysplash.rgb565, you're supposed to replace it with the path to the file you created, like C:\Users\JimBob\Desktop\mysplash.rgb565
didnt work
tehdarkknight said:
> It's not literally /path/to/mysplash.rgb565, you're supposed to replace it with the path to the file you created, like C:\Users\JimBob\Desktop\mysplash.rgb565
gave me same error
i placed the rgb in the desktop and i even changed users name to JimBob so the path would be the same as the one u posted
It stays on the Sending Splash.... forever. What am I doing wrong?
thegod2012 said:
> gave me same error
> i placed the rgb in the desktop and i even changed users name to JimBob so the path would be the same as the one u posted
That error means you're not using the correct path. The JimBob thing was just an example, you need to supply it with the relevant file name on your computer.
mquinn24 said:
> It stays on the Sending Splash.... forever. What am I doing wrong?
When you plug in your phone and reboot into fastboot, double check that it's properly connected:
Code:
fastboot devices
It should return something like: "HT039HF01009 fastboot"
Also double check that your phone's screen says "FASTBOOT USB"
doesn't work
i placed the rgb565 file in desktop and i enter the fastboot flash splash1 C:\Users\oden\Desktop\mysplash.rgb565
i get back
sending 'splash1' <300KB>... FAILED <remote:not allow>
finished. total time: 0.001s
I checked all of that and I'm good. Now I get "sending ' splash' <300kb> ... Failed <remote :not allowed>
Edit: I need to find the correct path
The "Failed <remote: not allowed>" error message probably means your HBOOT won't let you flash unsigned images, in other words you're using the stock HBOOT.
Try flashing darchstar's ENG SPL or regaw_leinad's S-OFF NAND Unlock method.
interesting....
will there be an issue if i flash both i already have s off
hboot
tehdarkknight said:
> The "Failed <remote: not allowed>" error message probably means your HBOOT won't let you flash unsigned images, in other words you're using the stock HBOOT.
> Try flashing darchstar's ENG SPL or regaw_leinad's S-OFF NAND Unlock method.
i just flashed darchstars spl i'll let u know
it worked by changing the hboot with darch SPL thanks
Attached is another splash1 I converted, created by Vigan on the CM forums.
The .png is the preview, the mysplash.rgb565 is contained in the zip.
Hope you enjoy!
I updated the first post to reflect that this method of flashing a splash1 will not currently work with Unrevoked Forever.
You should be able to safely flash darchstar's ENG SPL from recovery even if you've already flashed Unrevoked Forever.
Thanks I got it to work on Darch's
Hey everyone, I started a thread in the Themes and Apps section called
[SPLASH IMAGES] Gallery of Custom Splash Images if anyone wants to post and share their custom splash images they've created.
tehdarkknight, would you consider posting the link to it in your main OP? And please feel free to go post the couple you already have in this thread over into that gallery.
Complete noob to flashing splash images. My cmd is saying fastboot is an invalid action? I feel like a retard...
whosthat123 said:
> Complete noob to flashing splash images. My cmd is saying fastboot is an invalid action? I feel like a retard...
Make sure the android sdk is installed, there are plenty of guides on how to do so.
Sent from my HERO200 using XDA App
I'm a retard for sure. Had sdk installed. I wasn't in adb. Works like a charm. Thanks!
Well, I've been working with some 32As by flashing Froyo to them and all. So far it's cool, but the process is a bit tiresome... they always come with some Cupcake 1.6 I need to flash over with a 2.2 RUU from Rogers using a goldcard so it fixes the SPL it originally comes with, then flashing ENG SPL (S-OFF) and then flashing SPL+Radio+Recovery (6.35 in my case) prior to installing a ROM.
Now, I've been investigating the RUU wizard a bit and this is what I've found the RUU does:
Code:
adb devices
adb devices
adb devices
# Presumably check for battery level before attempting RUU?
adb -s <SERIAL> shell cat /sys/class/power_supply/battery/capacity
adb devices
adb devices
# Gets the build number (to compare against the one in android_info.txt, I assume)
adb -s <SERIAL> shell getprop ro.build.description
adb devices
adb devices
adb -s <SERIAL> shell getprop ro.build.description
adb devices
adb devices
# THIS REBOOTS INTO RUU MODE
adb -s <SERIAL> shell reboot oem-78
adb devices
fastboot devices
# If mode is "RUU"...
fastboot -s <SERIAL> getvar boot-mode
# Flash first ROM.zip (it seems to be a special fastboot hboot image which allows flashing SPL (!))
fastboot -s <SERIAL> erase cache
fastboot -s <SERIAL> flash zip "<path>\rom.zip"
fastboot -s <SERIAL> oem rebootRUU
adb devices
fastboot devices
# Flash the full ROM1.zip
fastboot -s <SERIAL> getvar boot-mode
fastboot -s <SERIAL> flash zip "<path>\rom1.zip"
adb devices
fastboot devices
# All ok? reboot into normal mode
fastboot -s <SERIAL> getvar boot-mode
fastboot -s <SERIAL> reboot
adb kill-server
Taking a look at rom.zip, I can find android_info.txt contains the following files:
Code:
android-info.txt
boot_special.img
hboot_7200A_1.76.0008_091103.nb0
radio.img
And rom1.zip:
Code:
android-info.txt
boot.img
recovery.img
splash1_HTC_Magic.nb0
system.img
userdata.img
Wherein android-info.txt contains:
Code:
MODELID: SAPP10000
CIDNUM: HTC__N34
CIDNUM: HTC__Y13
CIDNUM: HTC__506
CIDNUM: HTC__140
CIDNUM: HTC__139
CIDNUM: ORANGB10
CIDNUM: VODAPC23
CIDNUM: 11111111
MAINVER: 3.05.401.1
hbootpreupdate: 0
Now, I only have theories I'm willing to try once I get a new phone (in case mine bricks while testing, which I don't think it can happen but it's my everyday phone so...), which I need somebody here to be brave enough to test (or at least someone who has a JTAG debrick kit) so maybe, we can find a solution to removing S-ON and maybe even doing everything in one shot using a SAPPIMG.ZIP or something like that.
Here are my theories:
1) Adding CIDNUM: <your phone's CID here, mine isn't on the list > could help the RUU to flash everything correctly, thus removing the need for a goldcard?
2) What about making our own ROM.zip with 6.35.10.19 radio, S-OFF 1.76.2007 HBOOT and ROM1.zip with a custom recovery, and using it instead of the original? even better, without system.img or userdata.img, so you would only need to boot into recovery and flash a ROM?
3) Actually, what if step 2 worked with a ROM already installed? I mean, I wish to know if, when fastboot does the rom1.zip flashing, erases system & data too. It doesn't seem it does, so I think one can put S-OFF without even doing a full RUU procedure?
I think I had more questions related to this, but it's late and this is what comes to mind. What do you guys think? you guys think something can be made out of this? anybody up to check if my theories are right?
Any info you can provide is greatly appreciated! ^^
- DARKGuy
1. No
2. No
Phone checks for signature (checksum) of zips. If you will change something inside rom.zip - you will get signature error.
There is easy method to remove S-ON on Magic32A (not mt3g v1.2)
5[Strogino] said:
> 1. No
> 2. No
> Phone checks for signature (checksum) of zips. If you will change something inside rom.zip - you will get signature error.
> There is easy method to remove S-ON on Magic32A (not mt3g v1.2)
Thing is, what does it checksum against? those ZIPs don't have a signature anywhere (not like update.zips for example) unless it does some kind of CRC check or something (which would be very basic).
My idea was to find a way to skip all that (+ optionally skipping the goldcard) and also install a proper radio/s-off SPL/recovery combination without the manual work.
darkguy2008 said:
> Thing is, what does it checksum against? those ZIPs don't have a signature anywhere (not like update.zips for example) unless it does some kind of CRC check or something (which would be very basic).
> My idea was to find a way to skip all that (+ optionally skipping the goldcard) and also install a proper radio/s-off SPL/recovery combination without the manual work.
I think it does CRC check (or other basic check), but this check is in HBoot. To avoid it you need to change HBoot to ENGineering.
Hboot on Magics has two security levels:
- S-ON / S-OFF (with s-off you can change any partition)
- HBoot ability to process remote commands. If hboot is named as 'perfected', so it does not receive fastboot-commands (like flash, boot, erase...). Many of hboots are perfected...
Interesting? To flash s-off spl you need to avoid CRC check. To avoid CRC check you need to flash s-off spl =)
5[Strogino] said:
> I think it does CRC check (or other basic check), but this check is in HBoot. To avoid it you need to change HBoot to ENGineering.
> Hboot on Magics has two security levels:
> - S-ON / S-OFF (with s-off you can change any partition)
> - HBoot ability to process remote commands. If hboot is named as 'perfected', so it does not receive fastboot-commands (like flash, boot, erase...). Many of hboots are perfected...
> Interesting? To flash s-off spl you need to avoid CRC check. To avoid CRC check you need to flash s-off spl =)
Okay, that's some interesting info ^^ I have a few ideas now:
1) Considering "boot_special.img" is there a way to open those .img files and see what do they contain? (like when you edit boot.img for kernel zips?)
2) Also, "hboot_7200A_1.76.0008_091103.nb0", since it doesn't have "perfected" on its name, what about using another hboot file instead?
3) Or, another idea! considering that hboot isn't perfected, once applied, can I put a S-OFF hboot.img in rom1.zip (which is flashed after rom.zip) instead?
4) I'm also thinking that maybe a sappimg.zip file with S-OFF hboot, the ROM, no userdata.img file and the kernel (in boot.zip) would at least skip some manual steps?
2) and 3) ...
Mmm... The word "Perfected" was chosen by people from XDA to differentiate between power and weakness) It is not a part of the filename.
I don't remember exactly, but if in fastboot-mode you can see androids on skates - it is non-perfected hboot. Any other hboot is perfected. Official ROMs are going with perfected hboot usually.
1)
Any img-file can be unpacked as other (boot.img, system.img, recovery.img). It should contain zImage and ramdisk too. But not all official ROMs have boot_special.img
I think this file is used when HTC needs to expand MTD sizes. Old official ROMs (Magic 32A) have less than 100MB system image (partition). New official ROMs (3.05.XXX.X and higher) have more than 100 MB system (partition).
4)
We are staying at same place. How you will avoid crc check? How to use minimal efforts in this case?
5)
We need to remember that there are three types of Magics - Magic 32A, Magic 32B, MT3G v1.2 (3.5). Many things are different within, especially hboots.
p.s. To do less manual work we can ask dev of SuperOneClick to add feature 'Install recovery via flash_image'. But other steps (like flash something via recovery) are staying manual.