[RESOLVED] Researching how to root - Official OTA_Supersonic_1.47.651.1-1.32.651.6 - EVO 4G Android Development

This has been resolved by using the flash lite exploit to gain root access allowing the misc partition to be flashed with a downgraded main version number which allows the old leaked Eng RUU we have to be flashed!
GUI for how to root
http://forum.xda-developers.com/showthread.php?t=720565
Old and Outdated information from the Original Post listed below for historical purposes ONLY
Who is Affected: If you've flashed the official OTA update on top of a non rooted ROM or your new EVO comes loaded with it, right now it appears there is no way to obtain root...yet!
What is Patched by the OTA: Through the radio.img which the OTA flashes, it updates the Main Version in the bootloader preventing Toast's root methods from working. It also flashes back the stock recovery, removing our root access in recovery mode and ability to apply .zip files. And last of all, the OTA patches the exploit hole in /system/bin/hstools used for unrevoked1 root.
Successfully eliminating all released methods of obtaining root access.
Conclusion:
after going through all these methods with a great helpful member of the unrevoked team, joshua_, this was the final answer:
[22:34] <joeykrim> cant seem to find a method to RUU the phone back down ... ive tried all the methods ive seen. any methods i missed?
[22:34] <joshua_> ok, looks like we are hosed then
[22:34] <joshua_> we have a few more tricks up our sleeve sooner or later
Future:
If you have any suggestions/ideas, please post. I might have missed a method.
We will work towards obtaining root for those with new EVOs that have the official OTA applied and those who applied the official OTA.
Details of the tested known root methods:
user debug PC36IMG.zip (toast part 1) - bootloader error - Main Version is older! Update Fail! Do you want to reboot device?
eng build PC36IMG.zip (toast part 2) - bootloader error - Main Version is older! Update Fail! Do you want to reboot device?
RUU_Supersonic_1.32.651.6 extracted rom.zip renamed to PC36IMG.zip - bootloader error - main version is older
RUU_Supersonic_1.32.651.6_Radio_1.39.00.05.31_release_171253_signed.exe - Error [140]: Bootloader version error The ROM Update Utility cannot update your Android. Please get the correct ROM Update Utility and try again.
RUU_Supersonic_1.32.651.1_Radio_1.39.00.04.26_release_171253.exe - Error [140]: Bootloader version error The ROM Update Utility cannot update your Android. Please get the correct ROM Update Utility and try again.
Stock Recovery - Apply update.zip - clockwork recovery update.zip - E:failed to verify whole-file signature E:signature verification failed
flash_image (flash boot or mtd-eng.img) - copied to /sdcard, but sdcard is mounted with noexec. partition with write access for non-root user and allows executing is /data/local . flash_image can't write to the partitions w/o being run with root permissions. chownto and chown of flash_image to user root - permission denied.
##786# - Reset - doesn't seem to affect much in the way of bootloader version ...
Modifying PC36IMG.zip - using a hex editor to attempt at changing the MainVer stored in the android-info.txt, if any bit changes, it seems to fail the validation by the bootloader.

I tried almost all of these after the OTA hit my wife's phone. No dice. Subscribed to further updates on this thread.

I created a PC36IMG.zip file which contained the .6 releases wimax image and the android-info.txt file from the new update. I was then able to successfully flash it with hboot by placing it in the root of the sdcard and doing a down volume power on boot. It found the pc36img.zip file, verified it, asked me if I wanted to flash it. When I selected yes, proceeded to do so. It then reported the flash as having been successful.
I can't tell if the flash actually worked because I don't know where to check the wimax version info...
I don't know if this worked because the phone doesn't care to check the MainVer when flashing just the wimax image or if it did it because I pulled a fast one with the android-info.txt file swap.
I extracted the wimax image from the RUU_Supersonic_1.32.651.6_Radio_1.39.00.05.31_release_171253_signed.exe file.
I wonder if it would be possible to pull the same trick with the larger subset of images from the rooting pc36img.zip files. i.e. swap out the android-info.txt files...

frankenstein\ said:
I created a PC36IMG.zip file which contained the .6 releases wimax image and the android-info.txt file from the new update. I was then able to successfully flash it with hboot by placing it in the root of the sdcard and doing a down volume power on boot. It found the pc36img.zip file, verified it, asked me if I wanted to flash it. When I selected yes, proceeded to do so. It then reported the flash as having been successful.
I can't tell if the flash actually worked because I don't know where to check the wimax version info...
I don't know if this worked because the phone doesn't care to check the MainVer when flashing just the wimax image or if it did it because I pulled a fast one with the android-info.txt file swap.
I extracted the wimax image from the RUU_Supersonic_1.32.651.6_Radio_1.39.00.05.31_release_171253_signed.exe file.
I wonder if it would be possible to pull the same trick with the larger subset of images from the rooting pc36img.zip files. i.e. swap out the android-info.txt files...
im guessing the only reason it allowed you to flash a PC36IMG.zip which wasn't HTC signed is because you're using the hboot from the eng build of the PC36IMG.zip which doesn't check for HTC signatures on the PC36IMG.zip file. Not sure if it looks at the MainVer or not ...
once you're on a stock hboot, the PC36IMG.zip file has to be signed by HTC in order to flash!
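
A minimal model of the two checks discussed in this thread (whole-file signature, then the Main Version comparison), added here as an example; it is not code from HTC, the posters or unrevoked. The toy RSA key, the detached signature, the `mainver:` line layout and the dummy image contents are assumptions, since the page does not show the real package format.

```python
import hashlib
import io
import zipfile

# Toy RSA key, constructed for this example and far too small to be secure.
P, Q = 2**127 - 1, 2**89 - 1        # two Mersenne primes
N, E = P * Q, 65537                 # public half: all a stock bootloader needs
D = pow(E, -1, (P - 1) * (Q - 1))   # private half: never leaves the vendor


def _digest(data: bytes) -> int:
    """SHA-256 of the whole package, reduced into the toy modulus."""
    return int.from_bytes(hashlib.sha256(data).digest(), "big") % N


def vendor_sign(package: bytes) -> int:
    return pow(_digest(package), D, N)


def signature_ok(package: bytes, signature: int) -> bool:
    return pow(signature, E, N) == _digest(package)


def build_package(mainver: str, image: bytes) -> bytes:
    """Constructed stand-in for PC36IMG.zip: metadata plus one dummy image."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        z.writestr("android-info.txt", f"mainver: {mainver}\n")  # assumed layout
        z.writestr("wimax.img", image)                           # placeholder payload
    return buf.getvalue()


def read_mainver(package: bytes) -> str:
    with zipfile.ZipFile(io.BytesIO(package)) as z:
        text = z.read("android-info.txt").decode("ascii")
    for line in text.splitlines():
        key, _, value = line.partition(":")
        if key.strip().lower() == "mainver":
            return value.strip()
    raise ValueError("android-info.txt has no mainver entry")


def version_key(version: str) -> tuple:
    """'1.47.651.1' -> (1, 47, 651, 1), so comparison is numeric, not lexical."""
    return tuple(int(part) for part in version.split("."))


def bootloader_check(package, signature, stored_mainver, enforce_signature=True):
    """Return the decision a bootloader in this model would report."""
    # 1. Authenticate every byte before trusting anything parsed from the file.
    if enforce_signature and not signature_ok(package, signature):
        return "signature verification failed"
    # 2. Anti-rollback: the package must not be older than the stored version.
    if version_key(read_mainver(package)) < version_key(stored_mainver):
        return "Main Version is older!"
    return "OK"


def run_cases() -> dict:
    old_image, new_image = b"\x01" * 64, b"\x02" * 64   # constructed payloads
    old_pkg = build_package("1.32.651.6", old_image)
    old_sig = vendor_sign(old_pkg)
    new_pkg = build_package("1.47.651.1", new_image)
    new_sig = vendor_sign(new_pkg)
    # Old image with android-info.txt swapped for the newer one. Only the
    # vendor holds D, so the only signature available is the old one.
    swapped = build_package("1.47.651.1", old_image)
    device = "1.47.651.1"                               # version after the OTA
    return {
        # Genuine but older package: authentic, refused by the version check.
        "signed_old_on_updated_device": bootloader_check(old_pkg, old_sig, device),
        # Edited metadata: the signature covers the whole file, so it fails.
        "swapped_info_stock": bootloader_check(swapped, old_sig, device),
        # A bootloader that skips the signature check believes the edited file.
        "swapped_info_eng": bootloader_check(swapped, old_sig, device,
                                             enforce_signature=False),
        # Genuine current package passes both checks.
        "signed_new": bootloader_check(new_pkg, new_sig, device),
        # If the stored version can be rewritten, the old signed package passes.
        "signed_old_counter_lowered": bootloader_check(old_pkg, old_sig,
                                                       "1.32.651.1"),
    }


if __name__ == "__main__":
    for name, decision in run_cases().items():
        print(f"{name}: {decision}")
```

The last case shows why the stored version needs the same write protection as the bootloader itself: the signature check alone says nothing about how old an authentic package is.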

I think in order for this to be patched, the bootloader code needs to be disassembled between the two versions to find out what bytes were patched and then either remove the code that checks for HTC signing or find a way to circumvent it.
We had to do things like this when working with mach_kernel when we got ahold of the first developer build of OS X for Intel. It was a pain in the ass and took weeks before we cracked the kernel.
There is even more risk with this though since tampering with the bootloader can definitely permanently brick devices.

joeykrim said:
If you've flashed the official OTA update or your new EVO comes loaded with it, right now it appears there is no way to obtain root...yet!
after going through all these methods with a great helpful member of the unrevoked team, joshua_, this was the final answer:
[22:34] <joeykrim> cant seem to find a method to RUU the phone back down ... ive tried all the methods ive seen. any methods i missed?
[22:34] <joshua_> ok, looks like we are hosed then
[22:34] <joshua_> we have a few more tricks up our sleeve sooner or later
If you have any suggestions/ideas, please post. I might have missed a method.
We will work towards obtaining root for those with new EVOs that have the official OTA applied and those who applied the official OTA.
Here are details of the tested methods:
user debug PC36IMG.zip (toast part 1) - bootloader error - Main Version is older! Update Fail! Do you want to reboot device?
eng build PC36IMG.zip (toast part 2) - bootloader error - Main Version is older! Update Fail! Do you want to reboot device?
RUU_Supersonic_1.32.651.6 extracted rom.zip renamed to PC36IMG.zip - bootloader error - main version is older
RUU_Supersonic_1.32.651.6_Radio_1.39.00.05.31_release_171253_signed.exe - Error [140]: Bootloader version error The ROM Update Utility cannot update your Android. Please get the correct ROM Update Utility and try again.
RUU_Supersonic_1.32.651.1_Radio_1.39.00.04.26_release_171253.exe - Error [140]: Bootloader version error The ROM Update Utility cannot update your Android. Please get the correct ROM Update Utility and try again.
Stock Recovery - Apply update.zip - clockwork recovery update.zip - E:failed to verify whole-file signature E:signature verification failed
flash_image (flash boot or mtd-eng.img) - copied to /sdcard, but sdcard is mounted with noexec. only partition with write access for non-root user and allows executing is /sqlite_stmt_journals . flash_image can't write to the partitions w/o being run with root permissions. in other words, need root access to use flash_image
##786# - Reset - doesn't seem to affect much in the way of bootloader version ...
since my friend did the OTA update yesterday and "bricked" his phone i have been trying to fix the phone (i have access to bootloader so it seems to me that maybe, just maybe i can save the phone) anyways, i have been getting a lot of the same error messages anytime i try to update/load any stock rom via bootloader.
what my question is, is there a way to take a 1.47.651.1 rom/image and put it into an ruu? i have looked all over htc's website, but they don't even acknowledge the existence of the evo, at least not that i can find.

joeykrim said:
flash_image (flash boot or mtd-eng.img) - copied to /sdcard, but sdcard is mounted with noexec. only partition with write access for non-root user and allows executing is /sqlite_stmt_journals . flash_image can't write to the partitions w/o being run with root permissions. in other words, need root access to use flash_image
...
Just curious here, regarding the above step, if you had access to a phone that was already rooted, could you use your sdcard in that phone to copy the files into /data and then transfer the sdcard back to the unrooted phone to flash it then?

Sorry for the long multi quote, there are quite a few good ideas and I wanted to make sure I explored each of them as far as the original poster intended.
EtherealRemnant said:
I think in order for this to be patched, the bootloader code needs to be disassembled between the two versions to find out what bytes were patched and then either remove the code that checks for HTC signing or find a way to circumvent it.
interesting ... circumventing the HTC signature check would be perfect and essentially give us an eng build bootloader.
in the RUU.exe rom.zip files, the android-info.txt indicate the MainVer along with a separate hboot.img file. the official OTA didn't have an hboot.img file. It only had a radio.img file which must have updated the MainVer value.
Not sure where on the phone this MainVer value is stored? in the radio?
you're suggesting, compare the bootloader, which is obviously stored somewhere in radio.img as thats the only file being flashed thru the OTA which increments the bootloader version number, against an older radio.img to attempt and find which bytes were changed for the version number?
The radio.img files are all around 22mbs ... ugh
if we're able to find the change in version number on the radio.img, not sure how it would help in flashing over it?
i was kind of thinking down these lines...since the bootloader checks the version number of any file it attempts to flash, the version number is going to be the key.
if we're able to increment (or temp change) the main version number in the file being flashed w/o messing up the htc signature, that could work.
2002wrex said:
what my question is, is there a way to take a 1.47.651.1 rom/image and put it into an ruu?
i've heard this was often done back in the WinMo days but i haven't seen anything on this board regarding this approach. if you have any detailed information, we could def look into it!
unknown_owner said:
Just curious here, regarding the above step, if you had access to a phone that was already rooted, could you use your sdcard in that phone to copy the files into /data and then transfer the sdcard back to the unrooted phone to flash it then?
very clever concept!
i'm not 100% sure on all the different approaches in the suggestion, but here are the ones it prompted me to explore.
unfortunately, every time the /sdcard is mounted on the phone, its mounted as noexec, meaning no files located on the /sdcard can be executed like programs.
also the /sdcard is mounted with uid=1000 and gid=1015 meaning all files mounted on the /sdcard have their uid/gid overwritten so none of them are allowed root ownership.
without being able to "su" to root access, we aren't able to run any programs with root access.
trying to chownto flash_image to any reference file as root results in:
chownto flash_image /system/bin/chown
Can't change user/group to root!
chown root flash_image
Unable to chmod flash_image: Operation not permitted
if i missed the suggested approach, could you elaborate?

Oh boy...... I thought I was alone in this. I tried everything I could and have now given up. If anyone can root this new OTA, please let me know. I really need to downgrade from this.

Made me think of a problem that happened with the DirecTiVo a few years back...
http://dealdatabase.com/forum/showthread.php?t=22154
I was looking around, trying to figure out some way to hack the hdvr2 w/o modifying the prom. I recalled something from the xbox-linux team's presentation for CCC, which was something close to "once you break the chain of trust, the box is forever compromised." I thought to myself: "self, if we can load one kernel via BASH_ENV, why can't we load a second kernel?"
So, is there a way we could compromise the kernel? If so, then...

Subscribed...
Not really interested in rooting until froyo is working, and I could really use the wifi fixes this OTA is supposed to offer, but I'll hold off installing it until we know it can eventually be rooted.

Mikesus said:
http://dealdatabase.com/forum/showthread.php?t=22154
So, is there a way we could compromise the kernel? If so, then...
i read thru the thread. im not clear on how they used BASH_ENV or any other method to load a 2nd kernel.
unfortunately, i think we have an extra layer of security that they dont. thanks HTC!
without nand unlocked on the kernel partition no data can be stored there including a 2nd kernel.
appreciate the link and info. perhaps the ideas or concepts will spur some innovation!

joeykrim said:
i've heard this was often done back in the WinMo days but i haven't seen anything on this board regarding this approach. if you have any detailed information, we could def look into it!
the thing about winmo ruu's (here's a topic i DO know well) is that they are always in a zip. you decompress the zip and have access to all the files. one of them will be the ruu, the rest are all the supporting files/images/rom. all of the android ruu's seem to come as one large exe that doesn't allow access to the files, it merely runs itself. in the winmo days if you got a rom with no ruu, and didn't want to flash from SD, you just took someone else's ruu and dumped the rom image in to the decompressed folder containing the ruu.
i appreciate the help joey, obviously you are busy with your own problems and a lot of people around here just throw you the old "SEARCH BUTTON" response. any help is greatly appreciated!

2002wrex said:
the thing about winmo ruu's (here's a topic i DO know well) is that they are always in a zip. you decompress the zip and have access to all the files. one of them will be the ruu, the rest are all the supporting files/images/rom. all of the android ruu's seem to come as one large exe that doesn't allow access to the files, it merely runs itself. in the winmo days if you got a rom with no ruu, and didn't want to flash from SD, you just took someone else's ruu and dumped the rom image in to the decompressed folder containing the ruu.
interesting again .. so the RUU .exe files for android, do have a payload stored in a rom.zip file which is dumped to a temp directory after the RUU .exe starts and before it finishes.
now, the rom.zip files have been pulled and posted in each of the two RUU .exe threads we currently have. these rom.zip files do contain all .img files which are flashed to the phone. the catch is though, just as the PC36IMG.zip files used in root, these rom.zip files seem to have a special HTC signature (checksum?) in their header.
if you open these rom.zip files from the RUU in winzip, it will error out, but using 7zip, they open just fine.
im new to HTC, this is my first HTC android phone and its almost been 4 weeks so this is as much as i know. it seems, if we're able to alter these rom.zip files either used in the RUU .exe or naming them PC36IMG.zip flashed thru the bootloader and the phone accepts them, we would be golden!
to help save you some searching and let you see what im talking about, here is the latest RUU rom.zip file
http://www.joeyconway.me/evo/stock/RUU_Supersonic_1.32.651.6_Radio_1.39.00.05.31_rom.zip

Subscribed, I was able to Order my EVO today so I will be watching for development. I pledge my donations to whoever is able to figure it out. I really appreciate the efforts of this community.

I second that pledge for donations! I, like many others here, updated while knowing that I probably shouldn't have. I knew better...

Subscribed.
Thanks for all the effort and work. I hope ya'll get it figured out.

dang, I just got my evo yesterday and got the update message so I thought it'd be ok to update it as I thought it might have been old.
Came home and was excited to do all my customization and tweaks, but to no avail

So my local best buy will not give the phone to the customer without pushing the new OTA to it :/
Apparently all of the stores will be doing this per Sprint and HTC's request.

EtherealRemnant said:
So my local best buy will not give the phone to the customer without pushing the new OTA to it :/
Apparently all of the stores will be doing this per Sprint and HTC's request.
Try calling them ahead of time before picking it up and asking if you can just swing by and pick it up yourself and call Sprint to activate yourself. Tell them you are in a rush, make up a story, and see if they just let you pay for it and run.

Related

Android app that roots your phone

Hi all I am putting together an android app that will make the rooting process much easier. This thread is to discuss issues and suggestions with this app.
I have the app near done, the biggest problem is that I cannot format the sdcard as fat32. Is formatting to fat32 required? Why do we do this? What is the real need to do this?
I have not tested the app out yet, but so far this is how it has been put together. There is a main activity with textboxes that have the urls of the files needed to root (dreaimg.nbh, recovery.img, hardsplupdate.zip, JF_RC33update.zip) and there are buttons for each step in the process to download these necessary files and extract them if needed and put them on the sdcard and renaming them properly. You can change the urls to something else if needed.
so you click the first button it downloads the .nbh and puts it on the sdcard and then prompts the user to turn off, power+camera on, flash. when phone is on then reinstall this app and go to step 2 (because it would have been lost when flashed)
you click the second button it downloads recovery.img and hardsplupdate.zip. renames the files appropriately and puts them on the sd. it runs a script to do the recovery.img flash. It then prompts you to restart into recovery mode and gives the instructions on flashing the hardspl. and tells you to reopen this app when done
you click the third button it downloads the latest JF firmware (lets just say the RC33 flavor) puts it on the sdcard and renames it as update.zip. it prompts you to restart into recovery mode and do the flash.
Anybody see any possible problems with this logic? Also what do people think about maybe packing some of these files in the app instead of having them be downloaded?
Update: app is working http://allshadow.com/forum/viewtopic.php?f=9&t=5229
I am still looking for help to make it better.
I need devs to help make it nicer.
I am also looking for someone who's familiar with the update.zip package, to pack the radio, hardspl, and jf_rc33 all in one update file.
If anybody is interested in helping, PM me
I dont think its that big of a deal to format the card yourself, but why not make an app on the desktop that does some of the work for you, like formatting the card, then downloading and renaming the files needed to get started?
Packing the files into the app is going to make the app big. I like this whole idea though.
when you flash the .nbh it does a wipe on its own so one would need to re-download the app after that unless you can get it to stick somehow, i like the idea, is each button of the app just running a script? like to get the dreaimg.nbh have a script that runs:
"$wget [url to the .nbh file]
$echo 'please reboot your phone into SPL by holding the camera and power button'"
or did you have some other idea?
i like the idea but i am just not sure how easy this would be to code as i am just used to writing scripts that do everything for me.
or you could follow Kllian's advice and make a desktop program that does all this. i could easily write a script for linux that would do it, and a .bat file wouldn't be too hard either. you would just need to have adb and you could have the script/batch reboot the phone into recovery to do the flashing of each update.zip
pm me if you have any questions or would like me to write a script to do all this
tubaking182 said:
when you flash the .nbh it does a wipe on its own so one would need to re-download the app after that unless you can get it to stick somehow, i like the idea, is each button of the app just running a script?
tubaking brings up a good point.
I have an idea that possibly could resolve the "wiping" issue. What you do is, the initial app would be placed on the desktop (assume RC30). From here you'd downgrade the firmware to RC29.
The problem is though, the app you are scripting will be wiped. SO...
How about saving it on the SD temporarily.
THEN modifying the .nbh file to restore the <rooting app> to desktop (from SD)
Just throwing some stuff out there.
IF you need some help, hit me up.
if anyone knows how to convert a .sh bash script from linux to a .bat batch file for windows then i already have the script written, send me a PM to get it. or we could port it into java, but i don't know how to do that stuff. tomorrow i will upload my script onto 4shared and provide a link here as long as it works. keep in mind that i am on a linux machine and my script will not work in M$ windows. i don't know a damn thing about mac, so i have no idea if this will work or not for them.
my script is nearly completely automated, the only thing you need to do is hit ENTER a few dozen times, i will also write a completely automated one that sleeps rather than waits for you to hit enter, but it will take longer to run most likely since i will have to overestimate the sleep time.
hopefully i can find a windows machine and learn what commands in the cmd are equal to the commands in my terminal
akapoor said:
tubaking brings up a good point.
I have an idea that possibly could resolve the "wiping" issue. What you do is, the initial app would be placed on the desktop (assume RC30). From here you'd downgrade the firmware to RC29.
The problem is though, the app you are scripting will be wiped. SO...
How about saving it on the SD temporarily.
THEN modifying the .nbh file to restore the <rooting app> to desktop (from SD)
Just throwing some stuff out there.
IF you need some help, hit me up.
modifying .nbh files is no easy task, i tried it once and fortunately for many people GSLeon3 was able to help me fix my tilt. i think the .bat or .sh would be the easiest way to root your phone
Tubaking,
Send over the file you have. Ill work on converting it to a .bat, useable from windows.
Email : akapoor92_at_gmail.com
I should have it soon, but since its like 3:30am here, I'm off to bed. Haha
tubaking182 said:
modifying .nbh files is no easy task, i tried it once and fortunately for many people GSLeon3 was able to help me fix my tilt. i think the .bat or .sh would be the easiest way to root your phone
Uh, you'd not only need to modify the nbh file, but you'd also need to sign it with the Google OTA keys - otherwise the phone will refuse to flash it.
If it were possible to create Google-signed nbh files we'd dispense with all this downgrading nonsense and just create an nbh of the latest JF firmware with root and directly flash that.
The issue is that until you've patched the recovery loader the phone won't flash anything that isn't signed by Google. The reason we can get around this is that there is a leaked signed file with the old firmware version, and that version happens to contain a vulnerability that you can use to get root access. Once you have root access you can reflash the recovery loader with a new one which accepts the test keys. At that point you can dispense with the hacks and begin directly flashing whatever you want.
In any case, rooting a phone is serious enough of a matter that we probably shouldn't be encouraging anybody who can download an app to do it. They should at least have some confidence in reading and following obscure instructions online, because if anything goes wrong later that is what they'll be doing...
Thanks for all your input. I have been trying to hold hand people through the root process and it is a real pain. Biggest issues are people not being able to unzip files correctly, rename files correctly, and the biggest thing is the recovery.img step and typing in the commands.
- .nbh cannot be patched because it is signed.
- yes my app will get wiped because of the .nbh flash. It does tell the user to reinstall this app once done with the .nbh step and then continue
- i prefer an android app, so people can do it without a computer and without having to install the sdk
- the app does not run a script to get the files. it uses some android sdk functions to download files. it does use the unzip linux command to unzip, not sure if this will work because of permissions, i may have to figure out how to do it from the sdk. the app does run a script to do the recovery.img step, during this step we should already have root so no issue there with permissions.
Biggest problem I see is Fat32 format I heard it is not absolutely necessary. Does anyone have any more information about why this needs to be done?
it IS necessary, you need the card formatted in order to do the NBH flash, after that you should be ok. most cards come formatted in the box they came in so anyone that said they didn't need to format their card is lying because it was already formatted to fat 32
in the RC29 firmware is there a su command in /system/bin/ or are all commands run as root without having to call /system/bin/su ??
moussam said:
in the RC29 firmware is there a su command in /system/bin/ or are all commands run as root without having to call /system/bin/su ??
from what i've read, in the RC29 version anything you type on the home screen gets put through a root shell as well all on its own
I have a feeling whoever makes this app is going to sell it for a ridiculous price on the market
My script is written but requires the user to do certain things, later I hope to have it be completely automated after a certain point and it will be free. After I get it written in linux shell I will be converting it to use in windows. Expect my automated root to be available for download by the weekend.
I got the app pretty close to done. I hope to put something up tonight or tomorrow that you guys can test. I am not going to charge for this app, I want to give it for free so everybody can have root and a more rich experience.
The place where I am stuck right now is the unzipping of the DREAIMG.NBH file from its zip file after it is downloaded. I am using java.util.zip. I am not sure if the problem is because the file is so big or if I am doing it wrong. does anyone have an android java unzip code snippet?
The app now downloads files for you and unzips them if needed. There is an issue with the unzipping though, after around 25 MB of unzipping DREAIMG.NBH i get this error...
java.io.IOException at java.util.zip.InflaterInputStream.read(InflaterInputStream.java)
anybody have any suggestions? Is there not enough memory to unzip the files or something?
For now I am not going to let the .nbh file be zipped up. The app instead will have to download the full uncompressed .nbh file.
So it is ready to be tested, if you want to try it out PM me, I do not want to just post it and have everybody use it until it has been tested more.
Good news the app works on downloading the .nbh file and then flashing you to RC29. It then successfully downloads the recovery.img and hardspl update.zip
I had someone testing it and when they ran the recovery script the mount command gave them mount: operation not permitted. Is this correct? I know without root it is supposed to give you mount: permission denied.
If this is correct the app is working, and I just need someone else to confirm.
Mike
Does anybody else want to help with the coding of this project? If so create an open-source repository and I will add the current source in there.

[Q] Remove root and tampered banner to return

I'd like to remove root and go back to stock. I have a rogers one x and I've tried using the rogers RUU PJ83IMG.... to flash back to stock, but I can't use fastboot since my phone is bootloader locked, and I can't run the RUU because it is a .zip file and not a .exe. Renaming it to an .exe and running it does nothing.
Any help is appreciated!
Try un-zipping the file and run the exe in the folder created. Also, since we do not have s-off yet, we are able to remove tampered banner, but it will say re-locked. No estimated arrival of s-off at this point.
Sent from my HTC One X using XDA
shortyboy said:
Try un-zipping the file and run the exe in the folder created.
This. The RUU file is not meant to be run as-is. Unzip the contents onto your PC (such as into a folder on your PC desktop), then run the .exe that is inside the extracted contents.
And where did you get the idea of changing the extension from .zip to .exe? That's probably a bad idea in almost all circumstances. You can't just change the type of file by renaming it.
shortyboy said:
Also, since we do not have s-off yet, we are able to remove tampered banner, but it will say re-locked. No estimated arrival of s-off at this point.
The "tampered" flag will be removed after RUU. Tampered flag is for root, not BL unlock. And the OP said he is still BL locked.
redpoint73 said:
This. The RUU file is not meant to be run as-is. Unzip the contents onto your PC (such as into a folder on your PC desktop), then run the .exe that is inside the extracted contents.
And where did you get the idea of changing the extension from .zip to .exe? That's probably a bad idea in almost all circumstances. You can't just change the type of file by renaming it.
The "tampered" flag will be removed after RUU. Tampered flag is for root, not BL unlock. And the OP said he is still BL locked.
Thanks for your replies. Unfortunately there is no .exe in the RUU. I have googled extensively but cannot find one with an executable. Would either of you be able to link me? I need Rogers 1.73. Thanks for your help
Edit: I discovered this and tried it: http://forum.xda-developers.com/showthread.php?t=1658929 however i get an IMAGE UPDATING ERROR: This ROm update utility cannot update your device.
if you go to setting about/software information what does it say under software version?
also if your bootloader is unlocked relock it in fastboot with the command "fastboot oem lock"
gunnyman said:
if you go to setting about/software information what does it say under software version?
also if your bootloader is unlocked relock it in fastboot with the command "fastboot oem lock"
Software version 1.73.631.1
Just to clarify, I have not unlocked my phone, only root.
toastyy said:
Software version 1.73.631.1
Just to clarify, I have not unlocked my phone, only root.
when you flashed it did you get an error 155 or an error 140?
also THIS is the RUU you need http://www.filefactory.com/file/9qe....09.06_10.81.32.14L_release_254934_signed.zip
And you didn't mess with the CID ever? If not, I don't see any reason why the correct (Rogers) RUU would not work. Make sure HTC Sync is installed (maybe re-install, just to be safe), reboot the computer and try again. Perhaps try to download the RUU again, just to make sure the download isn't corrupt.
redpoint73 said:
And you didn't mess with the CID ever? If not, I don't see any reason why the correct (Rogers) RUU would not work. Make sure HTC Sync is installed (maybe re-install, just to be safe), reboot the computer and try again. Perhaps try to download the RUU again, just to make sure the download isn't corrupt.
Ohh, you're right! I changed the Cid to 1111111.. For supercid. How do I change that back?
As for the ruu, I can't run them because I have no exe file to run. Changing the zip to an exe gives me an error about my computer not being able to run it. I will download the above ruu and try it when I get home in an hr.
Thanks for your help!
You should be able to run the Rogers RUU with SuperCID. That's what SuperCID is, it lets you install firmware regardless of the CID that it's intended for.
Not sure how to change the CID back to Rogers. Look on the SuperCID thread (not the one-click method, but the original "longer" method) and see if there is discussion on changing it back.
And to reiterate, you can't magically change a file from one type to another, just by changing the file extension from .zip to .exe. The RUU package should have ARUWizard.exe inside once you unzip it. Are you sure you are unzipping it properly?
redpoint73 said:
You should be able to run the Rogers RUU with SuperCID. That's what SuperCID is, it lets you install firmware regardless of the CID that it's intended for.
Not sure how to change the CID back to Rogers. Look on the SuperCID thread (not the one-click method, but the original "longer" method) and see if there is discussion on changing it back.
And to reiterate, you can't magically change a file from one type to another, just by changing the file extension from .zip to .exe. The RUU package should have ARUWizard.exe inside once you unzip it. Are you sure you are unzipping it properly?
The problem is the rogers file isn't an EXE it's a zip file. There's a post somewhere around here explaining how to install it.
gunnyman said:
The problem is the rogers file isn't an EXE it's a zip file. There's a post somewhere around here explaining how to install it.
Ahh, I see the problem. The Rogers file is not a true RUU package, just the zip file usually contained in the "larger" RUU zip file. Is that right? The OP still can't change the file extension to .exe and make it run that way. Sounds like from the thread the OP linked in post 4 above, he needs to have a folder with the "other" RUU contents (including ARUWizard.exe), drop the file you linked (from Filefactory), then run the ARUWizard. It's not completely clear, but this seems to be the way?
He could also I think just put that pdimg.zip file on the SD card and boots into recovery and it should flash right?
gunnyman said:
He could also I think just put that pdimg.zip file on the SD card and boots into recovery and it should flash right?
Not sure. I've never in my life flashed anything from stock recovery
But it seems logical. I think normally the ARUWizard says it's pushing the file to the phone, so it would make sense it just flashes from stock recovery.
I understand that I can't change the filetype like that. I just saw peterhtc mention having to do that in another thread. I am sure I have unzipped it properly. I'll try again with the other ruu linked above.
toastyy said:
I understand that I can't change the filetype like that. I just saw peterhtc mention having to do that in another thread. I am sure I have unzipped it properly. I'll try again with the other ruu linked above.
if you unzip it and see a zip file that starts with pd and some number I THINK it's 83 put that file on the root of your SD card space and reboot to bootloader. Then choose recovery. If all goes well it will detect that file and allow you to flash it. It should work fine because it's a signed zip from HTC.
---------- Post added at 03:59 PM ---------- Previous post was at 03:54 PM ----------
I just realized we're helping you return the most awesome phone in the world ™
Jumping ship?
gunnyman said:
if you unzip it and see a zip file that starts with pd and some number I THINK it's 83 put that file on the root of your SD card space and reboot to bootloader. Then choose recovery. If all goes well it will detect that file and allow you to flash it. It should work fine because it's a signed zip from HTC.
---------- Post added at 03:59 PM ---------- Previous post was at 03:54 PM ----------
I just realized we're helping you return the most awesome phone in the world ™
Jumping ship?
Haha well no not exactly. I have been dealing with rogers for 2 months trying to return the phone I bought outright in order to get a new one on a plan. I originally wanted to see how the SG3 was so I could still return the onex in time to pick that up, but I think i'll be sticking with the HTC (the sg3 is SO ugly). I assure you I am not jumping ship
gunnyman said:
He could also I think just put that pdimg.zip file on the SD card and boots into recovery and it should flash right?
So I tried to place the full zip file onto the phone in the main directory, both as the full file name and then just as the P83..etc name, rebooted into recovery, but I just got a pic of the phone with a red triangle+ exclamation mark. Currently I am extracting the whole zip onto the main directory and will try flashing recovery like this. Is that safe? I assume the phone will be able to tell which .img it needs. There is no file that begins with P83 in the actual zip
toastyy said:
So I tried to place the full zip file onto the phone in the main directory, both as the full file name and then just as the P83..etc name, rebooted into recovery, but I just got a pic of the phone with a red triangle+ exclamation mark. Currently I am extracting the whole zip onto the main directory and will try flashing recovery like this. Is that safe? I assume the phone will be able to tell which .img it needs. There is no file that begins with P83 in the actual zip
I'm curious about the contents of that zip I'll download it and check it out.
holy crap file factory is slow.
gunnyman said:
I'm curious about the contents of that zip I'll download it and check it out.
The download is quite slow - here are the contents
http://puu.sh/BU6B

Which is the 5.0.1 img file?

Note: OTA updates don't work on my Nexus 5 due to TWRP blocking them. Now my phone doesn't recognize the OTA update anymore (When my phone went to install the OTA update and rebooted, it rebooted into TWRP instead and completely ignores the update's existence since then). To fix this I plan to simply push the factory img of 5.0.1 to my device directly. I downloaded the factory .img from Google's website.
However instead of a .img file I'm used to, I got a .tgz. I extracted that and got a .tar and then extracted that to finally get my folder with the .img files. However now I'm not sure which one to push to my device. There is a img file called "radio-hammerhead-m8974a-2.0.50.2.22.img" but judging by the file size, I don't think that's the correct one (only 45MB). There is a .zip file called "image-hammerhead-lrx22c.zip" but this contains multiple .img files, the largest one called "system.img". I'm guessing this is the correct one to push to my device via adb since it's about 1GB in size?
I suspect pushing the entire .zip file to my phone and flashing that would be bad as it looks like it'll overwrite TWRP?
Any help would be greatly appreciated.
Here's a lot of useful information about OTAs. Check it out: http://forum.xda-developers.com/google-nexus-5/general/info-nexus-5-ota-help-desk-t2523217
You'll need boot and system at least,
If you plan on keeping twrp and root, you may as well just flash one of the flashable zips already available in the development forum
Actually you should have a radio and bootloader img file. First one is - as the name says - the latest radio software (which is needed for GPS, WiFi, cellular network and so on). Second one is the latest bootloader. I'd update them both.
From the zip archive you should only flash certain imgs - if you flash all your data will be wiped (factory reset). What img files does the zip contain?
Why are you pushing them to your phone? You need to flash with fastboot from your computer. There is not just one img file for the update, there are several for different partitions on the phone. Have a look through some of the guides in the general section. Also, flashing one of the stock flashable zips would be much faster, but why not learn a little as you update.
Vomer has a thread of flashable 5.0 and 5.0.1 stock Google ROMs. Don't worry about factory images because you will lose everything once you flash these and it's a much bigger pain imo to back everything including internal on your phone up.
snappycg1996 said:
Don't worry about factory images because you will lose everything once you flash these
Not necessarily true.
You can flash bootloader, radio, and system without losing anything. You'll just have to reroot afterward.

[VS995][Oreo][Stock] OTA 20a Bin (Direct link from Verizon CDN)

Here's the direct link for the 20a Oreo OTA update bin file used for LG V20 VS995. Not sure if it's of any use, just wanted to have some fun trying to find it
https://cdn.vzwdm.com/LG_VS995_1CA_20a_03.bin
If anyone finds a way to extract the contents let me know. Can't figure it out :/
If you already have TWRP and want a flashable zip, have a look at NotYetADev's post.
https://forum.xda-developers.com/v20/development/vs995-verizon-lg-v20-stock-oreo-rooted-t3845669
Thank you for posting this!!!
Change the file extension to .up, then the oreo upgrade can be flashed using the LGUP tool!
0) Make sure your phone already has the 1CA update
1) Connect your phone via USB and select the "File Transfer" mode
2) Run LGUP
3) Select the FOTA option and select the LG_VS995_1CA_20a_03.up file
4) Upgrade!
And thank you for that little piece of info. I didn't know LG UP could flash OTA bin files. That is another attack vector
-- Brian
justmike80386 said:
Thank you for posting this!!!
Change the file extension to .up, then the oreo upgrade can be flashed using the LGUP tool!
0) Make sure your phone already has the 1CA update
1) Connect your phone via USB and select the "File Transfer" mode
2) Run LGUP
3) Select the FOTA option and select the LG_VS995_1CA_20a_03.up file
4) Upgrade!
I need you to sniff flashing that. Are you at all familiar with USB packet capture? I would flash it, but I have nothing to flash it on.
If not, I can walk you through it.
This file is not signed, it appears to have an unlock key. By unlock key -- I mean a key that unlocks lafd so that it will flash anything.
Now none of this matters on the V20, but for folks that have other LG devices, it will help out a LOT.
-- Brian
runningnak3d said:
I need you to sniff flashing that. Are you at all familiar with USB packet capture? I would flash it, but I have nothing to flash it on.
If not, I can walk you through it.
This file is not signed, it appears to have an unlock key. By unlock key -- I mean a key that unlocks lafd so that it will flash anything.
Now none of this matters on the V20, but for folks that have other LG devices, it will help out a LOT.
-- Brian
How do you know the file isn't signed? I assumed it had the same type of validation as the KDZ files.
I'd be happy to share a USB capture, is that something wireshark can do?
---------- Post added at 01:03 AM ---------- Previous post was at 12:05 AM ----------
I'm sure there is some magic hash hidden somewhere in the file. I'll see if it's possible to flash an edited .up file.
I guess I should rephrase that. It isn't signed in the normal way that a KDZ is signed -- with a SIGN payload. There are hashes for the partitions, but there doesn't appear to be anything to check the integrity of the file itself.
I am still tearing it apart, but without seeing a packet capture of LG UP flashing it, it is kinda pointless. If I had to guess, this file is flashed using RSVD IDDD (indirect flashing). If that is the case, having a full dump of exactly how that is done would be awesome.
Maybe I am wrong, and there is some other opcode that I have no idea what it does that sends a signature that I don't recognize -- because I have never seen it.
EDIT: sorry, I guess I should link to the instructions. You actually don't have to install Wireshark (unless you want to look at the capture): link.
If you install USBPcap using those instructions, then you will be left with Wireshark compatible pcap files that you can zip up and send to me (do NOT post them publicly, they will contain info that is specific to your device).
EDIT2: OK, just digging a little more and there is a zip contained within the file that is signed (the same way a normal OTA update.zip is signed). However, lafd doesn't have those keys, and has no way to deal with a signed zip. That only comes into play when flashed through stock recovery -- so the question remains, how does LG UP get this file onto the phone without verifying its integrity? Again, just to be clear, there ARE hashes that verify the partitions being flashed aren't corrupt. However, there doesn't appear to be anything to prevent modifying the file, and then modifying the hashes to match when flashed through laf -- recovery most definitely verifies the integrity of the file.
-- Brian
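The distinction drawn in the post above, between per-partition hashes and a check on the file itself, as an added example that is not part of the original thread and is not LG's file format. The container layout, the `TOYU` marker, the key and all function names are constructed for illustration, and HMAC-SHA256 stands in for the asymmetric signature a real updater would use.

```python
import hashlib
import hmac
import json
import struct

MAGIC = b"TOYU"   # constructed marker; not a real LG/KDZ magic value
TAG_LEN = 32      # HMAC-SHA256 output size


def build_package(partitions, key=None):
    """Pack partitions behind a manifest of per-partition SHA-256 hashes.

    With a key the manifest gets an HMAC-SHA256 tag. Without one the tag
    field is zero-filled, which is all a party lacking the key can produce.
    """
    entries, payload = [], b""
    for name, data in partitions.items():
        entries.append({"name": name, "offset": len(payload),
                        "size": len(data),
                        "sha256": hashlib.sha256(data).hexdigest()})
        payload += data
    manifest = json.dumps(entries, sort_keys=True).encode()
    tag = hmac.new(key, manifest, hashlib.sha256).digest() if key else bytes(TAG_LEN)
    return MAGIC + struct.pack(">I", len(manifest)) + manifest + tag + payload


def parse_package(blob):
    """Split a package into (manifest bytes, tag, payload)."""
    if len(blob) < 8 or blob[:4] != MAGIC:
        raise ValueError("not a toy package")
    (mlen,) = struct.unpack(">I", blob[4:8])
    end = 8 + mlen
    if len(blob) < end + TAG_LEN:
        raise ValueError("truncated package")
    return blob[8:end], blob[end:end + TAG_LEN], blob[end + TAG_LEN:]


def hashes_match(manifest, payload):
    """Integrity only: does each partition match the hash stored beside it?"""
    try:
        for e in json.loads(manifest):
            off, size = int(e["offset"]), int(e["size"])
            chunk = payload[off:off + size]
            if off < 0 or len(chunk) != size:
                return False
            if hashlib.sha256(chunk).hexdigest() != e["sha256"]:
                return False
    except (ValueError, KeyError, TypeError):
        return False
    return True


def verify_hashes_only(blob):
    """Accepts any self-consistent file; detects corruption, not editing."""
    manifest, _tag, payload = parse_package(blob)
    return hashes_match(manifest, payload)


def verify_authenticated(blob, key):
    """Authenticate the manifest first, then trust the hashes it carries."""
    manifest, tag, payload = parse_package(blob)
    expected = hmac.new(key, manifest, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        return False
    return hashes_match(manifest, payload)


VENDOR_KEY = b"constructed-demo-key"   # constructed sample key
ORIGINAL = {"boot": b"boot-image-v1", "system": b"system-image-v1"}


def demo():
    good = build_package(ORIGINAL, VENDOR_KEY)
    # Transfer damage: one payload byte flipped, manifest untouched.
    corrupt = good[:-1] + bytes([good[-1] ^ 0xFF])
    # Changed content with hashes regenerated by a party without the key.
    edited = build_package({**ORIGINAL, "system": b"system-image-edited"})
    cases = {"good": good, "corrupt": corrupt, "edited": edited}
    return {name: (verify_hashes_only(b), verify_authenticated(b, VENDOR_KEY))
            for name, b in cases.items()}


if __name__ == "__main__":
    for name, result in demo().items():
        print(name, result)
```

The `edited` case is the one the post describes: a hash-only check accepts it because the file is self-consistent, and only the keyed check over the manifest rejects it.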
I'll capture the flash when I get home
here are links for the other OTA updates, in case anyone is interested.
Code:
VS99512A_06 -> VS99513A_04
https://cdn.vzwdm.com/LG_VS995_12A_13A_04.bin
VS99513A_04 -> VS99514B_00
https://cdn.vzwdm.com/LG_VS995_13A_14B_00.bin
VS99514B_00 -> VS99515A_10
https://cdn.vzwdm.com/LG_VS995_14B_15A_10.bin
VS99515A_10 -> VS99516B_00
https://cdn.vzwdm.com/LG_VS995_15A_16B_00.bin
VS99516B_00 -> VS99517A_00
https://cdn.vzwdm.com/LG_VS995_16B_17A_00.bin
VS99517A_00 -> VS99518A_00
https://cdn.vzwdm.com/LG_VS995_17A_18A_00.bin
VS99518A_00 -> VS99519A_10
https://cdn.vzwdm.com/LG_VS995_18A_19A_10.bin
VS99519A_10 -> VS9951AA_01
https://cdn.vzwdm.com/LG_VS995_19A_1AA_01.bin
VS9951AA_01 -> VS9951BA_01
https://cdn.vzwdm.com/LG_VS995_1AA_1BA_01.bin
VS9951BA_01 -> VS9951CA_01
https://cdn.vzwdm.com/LG_VS995_1BA_1CA_01.bin
VS9951CA_01 -> VS99520A_03
https://cdn.vzwdm.com/LG_VS995_1CA_20a_03.bin
runningnak3d said:
I guess I should rephrase that. It isn't signed in the normal way that a KDZ is signed -- with a SIGN payload. There are hashes for the partitions, but there doesn't appear to be anything to check the integrity of the file itself.
I am still tearing it apart, but without seeing a packet capture of LG UP flashing it, it is kinda pointless. If I had to guess, this file is flashed using RSVD IDDD (indirect flashing). If that is the case, having a full dump of exactly how that is done would be awesome.
Maybe I am wrong, and there is some other opcode that I have no idea what it does that sends a signature that I don't recognize -- because I have never seen it.
EDIT: sorry, I guess I should link to the instructions. You actually don't have to install Wireshark (unless you want to look at the capture): link.
If you install USBPcap using those instructions, then you will be left with Wireshark compatible pcap files that you can zip up and send to me (do NOT post them publicly, they will contain info that is specific to your device).
EDIT2: OK, just digging a little more and there is a zip contained within the file that is signed (the same way a normal OTA update.zip is signed). However, lafd doesn't have those keys, and has no way to deal with a signed zip. That only comes into play when flashed through stock recovery -- so the question remains, how does LG UP get this file onto the phone without verifying its integrity? Again, just to be clear, there ARE hashes that verify the partitions being flashed aren't corrupt. However, there doesn't appear to be anything to prevent modifying the file, and then modifying the hashes to match when flashed through laf -- recovery most definitely verifies the integrity of the file.
-- Brian
I've got the USB capture for you and any other developers who're interested.
I will download it just as soon as I get to work. Thanks
-- Brian
justmike80386 said:
Thank you for posting this!!!
Change the file extension to .up, then the oreo upgrade can be flashed using the LGUP tool!
0) Make sure your phone already has the 1CA update
1) Connect your phone via USB and select the "File Transfer" mode
2) Run LGUP
3) Select the FOTA option and select the LG_VS995_1CA_20a_03.up file
4) Upgrade!
I cannot upgrade this way. It says Error MTP is not running, even if it is in File Transfer mode. I got one time in FOTA Easy Upgrade but nothing happened.
scytalemk said:
I cannot upgrade this way. It says Error MTP is not running, even if it is in File Transfer mode. I got one time in FOTA Easy Upgrade but nothing happened.
I have same error
scytalemk said:
I cannot upgrade this way. It says Error MTP is not running, even if it is in File Transfer mode. I got one time in FOTA Easy Upgrade but nothing happened.
is this on a rooted or unrooted phone? I was able to do this twice using the stock KDZ files for my base system with no issues.
justmike80386 said:
is this on a rooted or unrooted phone? I was able to do this twice using the stock KDZ files for my base system with no issues.
Step by Step
1. Add Extension file .up
2. Install LG UP MOD
3. Turn on USB Debugging in your phone and make sure your phone allow PC adb command via USB (adb devices > enter)
4. Open LG UP Mod, Choose file .up (step 1). Choose OTA Upgrade and START.
Note: backup your data before upgrade, maybe failed to upgrade and lost data
I'm from Viet Nam, sorry for bad English

Unbrick your Mediapad M5 - Install OTAs - Customized HuRUpdater for Mediapad M5

I am sharing with you here my version of HuRUpdater 0.4 customized for the Mediapad M5. I am not taking any credit here for HuRUpdater, the original work can be found here: https://forum.xda-developers.com/honor-9/development/tool-flash-official-firmware-recovery-t3769279. Please follow the instructions there on how to install it to an SD card. Also unzip the hurupdater zip, and in a sub folder you will find huruupdate-binary and busybox. Place these two files in the same folder on the SD card where you have the other zips. Finally run it from custom recovery.
Your boot loader needs to be unlocked.
HuRUpdater can be used to:
Recover the tablet from a soft brick or bootloop. As long as you can install and access TWRP, it should be good to go.
Restore the tablet back to stock after installing a custom ROM.
Install full OTA updates after unlocking the bootloader, since it appears you cannot install OTAs anymore once the bootloader is unlocked.
Revert back to an older version of the ROM (watch out for XLOADER versions though, make sure they match https://forum.xda-developers.com/mate-10/how-to/beware-bla-l29c432b147-t3817241)
When I was trying to install an OTA after unlocking my bootloader and installing a custom ROM, I found out that HuRUpdater doesn't work out of the box for the Mediapad M5, so I made some minor customizations:
HuRUpdater looks for the volume keys when it starts up in order to read user inputs, and if it doesn't find it, it bails out. I removed that check for the volume keys, so the script will now run without requiring any user input.
HuRUpdater brings its own busybox binary, but it uses unzip trying to install it, which doesn't seem to be available on the M5. I changed it to copy it to the destination instead from the same folder as the other zips.
HuRUpdater checks whether the update will lock your bootloader, and then require you to press a volume key to confirm. Since volume keys are not working and this locking is probably undesired, the script will now bail out if it finds that your bootloader may become locked.
NOTE: After successful flash you have to factory reset! And this must be done using the stock recovery, not TWRP!
I have only used it successfully on the Mediapad M5, but there should be no reason why it wouldn't work on other devices on which HuRUpdate fails when looking for volume keys.
First big thanks for your post! I have a blank Mediapad here without any system flashed on it. When I flash HuRU it states an error with the following lines in recovery.log:
Code:
mkdir: 'utils': File exists
cp: bad '/external_sd/CMR-W09C432/hurupdate-binary': No such file or directory
chmod: utils/hurupdate-binary: No such file or directory
cp: bad '/external_sd/CMR-W09C432/busybox': No such file or directory
chmod: utils/busybox: No such file or directory
/tmp/updater[261]: unzip: not found
/tmp/updater[261]: /tmp/utils/busybox: not found
Error with update.zip file. See recovery.log for more details
Updater process ended with ERROR: 1
Any idea on how to fix this?
valko8877 said:
First big thanks for your post! I have a blank Mediapad here without any system flashed on it. When I flash HuRU it states an error with the following lines in recovery.log:
Code:
mkdir: 'utils': File exists
cp: bad '/external_sd/CMR-W09C432/hurupdate-binary': No such file or directory
chmod: utils/hurupdate-binary: No such file or directory
cp: bad '/external_sd/CMR-W09C432/busybox': No such file or directory
chmod: utils/busybox: No such file or directory
/tmp/updater[261]: unzip: not found
/tmp/updater[261]: /tmp/utils/busybox: not found
Error with update.zip file. See recovery.log for more details
Updater process ended with ERROR: 1
Any idea on how to fix this?
Oh, sorry, think you found a bug and I need to update the instructions. Please unzip the hurupdater zip, and in a sub folder you will find huruupdate-binary and busybox. Place these two files in the same folder on the sd card where you have the zips and try again.
konradsa said:
Please unzip the hurupdater zip, and in a sub folder you will find huruupdate-binary and busybox. Place these two files in the same folder on the sd card where you have the zips and try again.
Thanks a lot! That worked. It got way too late for me, to come to this idea by my own. Spent several hours to revert to stock firmware and now your version of HuRU seems to do its work. Currently its flashing Huawei's ZIP files.
valko8877 said:
Thanks a lot! That worked. It got way too late for me, to come to this idea by my own. Spent several hours to revert to stock firmware and now your version of HuRU seems to do its work. Currently its flashing Huawei's ZIP files.
Great, glad it worked for you, I updated the instructions in the first post. The reason I ended up with variant of hurupdater is just like you I found out nothing else works, I was trying to install an OTA after unlocking boot loader. When I have some time I will think about how to make this a little more seamless. Let me know if you see any other problems.
konradsa said:
Let me know if you see any other problems.
Yeah, so far so good, tablet is now on stock firmware. The flash was successful, after extracting both binaries from your HuRU ZIP to same folder as the other ZIP's including HuRU, flashing the HuRU ZIP itself again and letting it do its magic. That tool saved me a lot of more hours of working out on how to revert to Stock, while every Huawei way to go and also the Androids way to go have failed. Thanks again! I can also confirm, that the "vanilla" version of HuRU does not work on Mediapad because of the mentioned error of not finding the user input device. Using the specialized Mediapad one instead did its thing. Thumbs up!
You really saved me!!!! I tried everything before this post... I was about to give up.
Wanted to install multi user function (which has been deleted in the lite version), gone through a series of steps and post including unlocking, rooting, flashing custom bootloader, installing a mask, etc... throughout the way something happened and I got stuck at the TWRP bootloader, nothing worked, everything I tried yielded an error of some kind. This was my salvation! I'll be forever in debt! Thanks a lot!!!!
