[TUTORIAL] Proof of concept solution on fixing badly broken 4G after bad MAC, etc - EVO 4G Android Development

Before we begin. This solution is for people who have tried everything multiple times, and failed. If you haven't read and have not tried the following solutions yet, please do so first:
How to start over: From original stock to rooted latest OTA (WiMAX working!)
[GUIDE] Bad WiMax MAC? Broken 4G after update? Fix HERE!
The guide below is ONLY for people who did not have success with above methods (i.e. they are really really hosed). And there are limitations for now, until everything is confirmed and tested. The most important part you need access to a second, healthy and rooted EVO. As of yet, this is the only way to guarantee that one binary dump is not used a million times, negating the effect.
Please read the whole guide before starting the process, so that you know the risks, limitations, and potential issues with all this.
I am going to sign off for a few hours, and go enjoy my life for a brief time, before returning to answer any questions that may arise.
Ok, so for now, this is more of a proof of concept solution, since I understand not everyone has more than one EVO to do what I did.
My idea about partitions was correct, so without further ado, here is how to restore a botched wimax.
What you need.
2 Fully rooted EVOs (step 1 and step 2), one with working 4G (any version of all firmware on either, all we care for is working WiMax)
System which can do fastboot commands. That means you will have to have Android SDK installed. I also add path to /tools folder into my system PATH, so I don't have to type out the full path to adb or fastboot every time
Custom recovery. I use clockwork for this, since I am not sure all the files are signed, as required by Amon RA's recovery
Broken EVO backup
Backup your existing wimax partition on your broken EVO. We may need it some day.
Open command line window (cmd)
Make sure you have no PC36IMG.zip files in the root of your SD Card, or it will take a while to power your phone up
Power down your phone
Power it up while holding down the Volume Down key
HBOOT will attempt to scan for PC36IMG files. Let's hope you read carefully and don't have it on your SD Card root
Once HBOOT fails to find the file, use Vol Up/Down buttons to go into Fastboot mode
Connect the USB cable to your phone (and PC). You may have to install the USB drivers that come with Android SDK, but chances are if you are looking for this solution, you already have them installed and working
The FASTBOOT mode will switch to FASTBOOT USB (that's good)
Test your fastboot by typing "fastboot oem h" in command window you opened earlier (note, no adb, or adb shell anywhere, the command is "fastboot oem h". From here on all fastboot commands are issued in that window
If you see less than ~40 lines of output, you don't have a propertly rooted phone, and you need to do step 1 and step 2 (see above)
Dump your wimax data by issuing "fastboot oem saveprt2sd wimax -n wimax.bin" command (varies, anywhere between 7 to 8.5 MB, mine was 7MB)
Dump complete partition (~12MB) by issuing "fastboot oem saveprt2sd wimax -n wimax.bin -a" command
Reboot your phone
Pull the data files you dumped to a safe place ("adb pull /sdcard/WIMAX.BIN" and "adb pull /sdcard/WIMAXRAW.BIN"). Note the capitalization, it's important
We are done with your "bricked" phone.
Getting correct wimax image from a working phone
1. Now, repeat the same steps for your working phone (steps 1-14)
2. Pull the files to a different (safer) place, and cherish them like they are the only thing you care about in this world (which you do, right?)
3. Make a copy of your WIMAX.BIN file from the working phone (do NOT edit the actual file, just in case something breaks with your working phone at any time)
4. Use a hex editor to update the working file in 2 places, and change the MAC address (which should be your working EVO MAC - 1) to your broken EVO MAC - 1 (remember, A becomes 9, F becomes E, etc.). It's a big file, so search for "00:18" to find the 2 places. There will be exactly 2, not 3+ and not 1.
5. Rename the file you just edited to "wimax_25641R01.img"
Fixing your bricked phone
1. Push it to your SD card root: "adb push wimax_25641R01.img /sdcard"
2. Push the attached zip file to the SD card root: "adb push new_wimax.zip /sdcard"
3. Reboot your bricked phone into recovery
4. Flash new_wimax.zip. This will force write the wimax_25641R01.img you pushed earlier, including the certificates in it
5. Reboot from recovery, let it finish, and boot up into Android
6. If not running the latest EVO WiMax firmware yet, use the second attached zip to do so
7. Reboot your phone. Allow everything to complete and boot into Android
8. If needed, update PRL/Profile (I didn't need to, but I had already updated it 50 times by then, so YMMV)
Now, I cannot attach any of my dumps yet, before I test and make sure whether both phones can stay online on 4G without interruption. I will do some more testing later, since the encryption keys are different (between the 2 working EVOs I dumped binaries from). I still have 1 more phone to check when I get home. So if you have another EVO (friend, family, etc.), you can do that already.
Otherwise, be patient, more testing is needed to make sure we are not going to steal anything from your friend, family, etc, since encryption keys are unique.
But the above solution works for completely restoring your 4G into working state.
I am currently running latest rooted OTA update, too, so it definitely works fine on latest and greatest.
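The hex-editor step above (find the working phone's stored MAC, which is the label MAC minus one, in exactly two places, and rewrite it to the broken phone's label MAC minus one) is easy to get wrong by hand. The following Python script is an added example, not code from the thread or from its author: it computes the minus-one value with a proper borrow, refuses to patch unless the text occurs exactly twice, and only ever writes to a copy of the dump. The assumption that the MAC sits in the dump as colon-separated ASCII comes from the "search for 00:18" step above; the sample dump bytes and the two label values in it are constructed.

```python
"""Locate and patch the MAC text inside a COPY of a WIMAX.BIN dump.

Added example (not from the thread). Assumes, as the thread describes, that the
dump holds the MAC as colon-separated ASCII in exactly two places, and that the
stored value is the label MAC minus one.
"""
import re
from pathlib import Path

MAC_TEXT_LEN = 17  # "xx:xx:xx:xx:xx:xx"


def mac_to_int(mac: str) -> int:
    """'00:18:41:AA:BB:CD' -> 0x001841AABBCD (separators ignored)."""
    digits = re.sub(r"[^0-9A-Fa-f]", "", mac)
    if len(digits) != 12:
        raise ValueError(f"not a 48-bit MAC: {mac!r}")
    return int(digits, 16)


def int_to_mac(value: int) -> str:
    """48-bit integer -> lower-case colon-separated text."""
    value &= (1 << 48) - 1            # wrap so 00:00:00:00:00:00 - 1 stays 48 bits
    hexstr = f"{value:012x}"
    return ":".join(hexstr[i:i + 2] for i in range(0, 12, 2))


def mac_minus_one(label_mac: str) -> str:
    """The thread's 'label MAC - 1' rule (A becomes 9, F becomes E, with borrow)."""
    return int_to_mac(mac_to_int(label_mac) - 1)


def find_mac_offsets(data: bytes, mac: str) -> list[int]:
    """Byte offsets of every ASCII occurrence of `mac`, in either letter case."""
    pattern = re.compile(re.escape(mac).encode("ascii"), re.IGNORECASE)
    return [m.start() for m in pattern.finditer(data)]


def patch_mac(data: bytes, old_mac: str, new_mac: str, expected: int = 2) -> bytes:
    """Return a patched copy; refuse unless exactly `expected` occurrences exist."""
    offsets = find_mac_offsets(data, old_mac)
    if len(offsets) != expected:
        raise ValueError(f"found {len(offsets)} occurrence(s) of {old_mac}, "
                         f"expected {expected}; not patching")
    out = bytearray(data)
    for off in offsets:
        found = data[off:off + MAC_TEXT_LEN]
        # keep whichever letter case the dump already uses at that spot
        text = new_mac.upper() if found.isupper() else new_mac.lower()
        out[off:off + MAC_TEXT_LEN] = text.encode("ascii")
    return bytes(out)


def patch_dump_file(src: Path, dst: Path, working_label: str, broken_label: str) -> list[int]:
    """Read src, write the patched copy to dst, return the offsets that were changed."""
    if src.resolve() == dst.resolve():
        raise ValueError("refusing to overwrite the original dump; write to a copy")
    data = src.read_bytes()
    old, new = mac_minus_one(working_label), mac_minus_one(broken_label)
    dst.write_bytes(patch_mac(data, old, new))
    return find_mac_offsets(data, old)


# Constructed sample dump (not a real WIMAX.BIN): two ASCII copies of the
# working phone's stored MAC surrounded by padding. Label values are made up.
SAMPLE_WORKING_LABEL = "00:18:41:AA:BB:CD"
SAMPLE_BROKEN_LABEL = "00:18:41:12:34:50"
SAMPLE_DUMP = (
    b"\x00" * 16
    + b"MAC=" + mac_minus_one(SAMPLE_WORKING_LABEL).upper().encode() + b"\x00"
    + b"\xff" * 32
    + mac_minus_one(SAMPLE_WORKING_LABEL).upper().encode()
    + b"\x00" * 16
)

if __name__ == "__main__":
    old = mac_minus_one(SAMPLE_WORKING_LABEL)
    new = mac_minus_one(SAMPLE_BROKEN_LABEL)
    print("stored on working phone:", old)
    print("value to write for broken phone:", new)
    print("offsets in sample dump:", find_mac_offsets(SAMPLE_DUMP, old))
    patched = patch_mac(SAMPLE_DUMP, old, new)
    print("occurrences after patch:", len(find_mac_offsets(patched, new)))
```

On a real dump you would call patch_dump_file(Path("WIMAX.BIN"), Path("wimax_25641R01.img"), working_label, broken_label); the count check is what protects you if the search matches once or three times, which the post above says should never happen on a good dump.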

Red,
Have you actually seen the encryption keys in plain text? How many bits are they?
Also, when you restored the wimax part from the working phone to your non-wimax-working phone, did you keep the MAC the same between the two phones?

Red,
Now that you have 4G fixed, can you take a look at your *.tree.xml files? Look at the ones from when 4G was broken, and then look after. Everything from boot.bin gets written into that file, and I'm hoping the signature does as well. If so, we may be able to pull it out of an old xml file and somehow work it back into the wimax.img.
Thanks
EDIT: On second thought, I do recall there being a way to flash the signature via fastboot..

MAC addresses were kept different, exactly what they are on a label behind the battery. For each phone. Hence, the editing step for the wimax partition dump.
Tree.xml does not contain any signatures, I verified this some time ago before I even started playing with the wimax partition by taking one from a working evo.
The keys are in plain text, simple RSA keys; judging by the size it looks like 1024-bit. Both public and private keys are stored. Who knows, maybe just faking one will do it, but I am guessing they are signed by some sort of CA, otherwise it would be too insecure of Sprint.

So if we had a Nandroid backup from when Wimax was working, the boot.bin in that backup would have the key in it right?
Let's pretend it does; it would get written over when you powered on the phone after flashing. What if we didn't reboot after the restore and went back to recovery? We would then be able to get the boot.bin via adb and get our respective signatures. If they are indeed 1024-bit, I don't see us being able to regenerate them anytime soon.

This may be worth a shot. I am not sure boot.bin has the signatures, but I will check later tonight. If it does, I am guessing we should be able to just do a drop in replacement of signatures in the image file and it should work.
Sent from my PC36100 using XDA App

Also, since nandroid is just a simple copy and if the keys are indeed preserved, I would think we can pull them from there.
Sent from my PC36100 using XDA App

mpa4712 said:
So if we had a Nandroid backup from when Wimax was working, the boot.bin in that backup would have the key in it right?
Let's pretend it does; it would get written over when you powered on the phone after flashing. What if we didn't reboot after the restore and went back to recovery? We would then be able to get the boot.bin via adb and get our respective signatures. If they are indeed 1024-bit, I don't see us being able to regenerate them anytime soon.
Does the Boot.bin actually store the keys? You are correct that once you restore a nandroid your working Boot.bin is replaced on boot of Android; in fact, from what I saw it seemed it was replaced upon every boot, but I could just be mistaken. With that said, once you nandroid you can pull it with "adb shell mount -a" then "adb pull /data/wimax/Boot.bin", all from right within recovery without booting back into Android.

redsolar said:
Also, since nandroid is just a simple copy and if the keys are indeed preserved, I would think we can pull them from there.
Sent from my PC36100 using XDA App
Cordy said:
Does the Boot.bin actually store the keys? You are correct that once you restore a nandroid your working Boot.bin is replaced on boot of Android; in fact, from what I saw it seemed it was replaced upon every boot, but I could just be mistaken. With that said, once you nandroid you can pull it with "adb shell mount -a" then "adb pull /data/wimax/Boot.bin", all from right within recovery without booting back into Android.
My thoughts exactly, gentlemen.
The only problem I foresee is that when you restore a nandroid backup, doesn't the phone reboot automatically afterwards? I think it does.

mpa4712 said:
My thoughts exactly, gentlemen.
The only problem I foresee is that when you restore a nandroid backup, doesn't the phone reboot automatically afterwards? I think it does.
Ugh, it shouldn't. Not sure what recovery you're using, but using Toast's or Amon_Ra's recovery it just restores the nandroid and then you choose manually to reboot. In fact I've already pulled my Boot.bin from before I messed up my MAC this way; I actually pulled the whole wimax folder.

You can unyaff your data.img in your nandroid and dig thru whatever you want.

david279 said:
You can unyaff your data.img in your nandroid and dig thru whatever you want.
*grumble* going to compile it now....*grumble*

david279 said:
You can unyaff your data.img in your nandroid and dig thru whatever you want.
lol or do that so much easier huh!

looking at my boot.bin from 6/20, I don't *think* the signature is in it. However, I will let Red confirm that since he knows exactly what to look for.
I've only dealt with RSA encryption using OpenSSL, in a full screen terminal, not a tiny hex editor.
There are some fw files in the wimax directory that are worth a look too though.

mpa4712 said:
looking at my boot.bin from 6/20, I don't *think* the signature is in it. However, I will let Red confirm that since he knows exactly what to look for.
I've only dealt with RSA encryption using OpenSSL, in a full screen terminal, not a tiny hex editor.
There are some fw files in the wimax directory that are worth a look too though.
That was the reason I asked; I, as well as others, have looked through the Boot.bin before. I also looked through all the firmware files. Interestingly, there is a default firmware and a manufacturer firmware; I'm guessing one to fall back on the other. Your MAC is in the Boot.bin as well as wimax_properties. If these files stored the keys, great, but either way they'd have to be changed on the actual firmware.

Interestingly enough, my boot.bin from my broken wimax is about 10 KB smaller than my boot.bin from my nandroid backup that had working wimax.
Clearly there is something in that file that the other one does not have. I do think the RSA keys need to be stored somewhere though. I really do not believe the phone does on-the-fly encryption/decryption with them from the wimax partition.
If they come in an actual file, red will be able to extract the wimax.img he made and look.

mpa4712 said:
Interestingly enough, my boot.bin from my broken wimax is about 10 KB smaller than my boot.bin from my nandroid backup that had working wimax.
Clearly there is something in that file that the other one does not have. I do think the RSA keys need to be stored somewhere though. I really do not believe the phone does on-the-fly encryption/decryption with them from the wimax partition.
If they come in an actual file, red will be able to extract the wimax.img he made and look.
You know, for something that obvious, I never noticed that. I never ran a diff on them. I just scanned through it to see if there was anything that stuck out as being different, and I stopped when I saw the different MACs.

I just went through the two boot.bin files and I'm pretty sure the keys are not in there. However, there are plenty of files that get overwritten on every boot, so I'm going to go through all of them. A 1024-bit key should stick out like a sore thumb if it's in plain text.

How can I tell if my keys were effed up? I'm currently out of 4G coverage and will be for the next week or so, but I'd like to get it fixed.
I know it was broken because my MAC was changed, I've fixed everything, my boot.bin is the same as pre-screwup as is wimax_properties, everything appears to be working fine, but I can't tell without coverage.
I just wanna know if I messed my keys up too, but I'm not sure whether I did or not?

Geniusdog254 said:
How can I tell if my keys were effed up? I'm currently out of 4G coverage and will be for the next week or so, but I'd like to get it fixed.
I know it was broken because my MAC was changed, I've fixed everything, my boot.bin is the same as pre-screwup as is wimax_properties, everything appears to be working fine, but I can't tell without coverage.
I just wanna know if I messed my keys up too, but I'm not sure whether I did or not?
From what we know, if you ever had a messed up MAC then your keys are also gone.

Related

[GUIDE] Bad WiMax MAC? Broken 4G after update? Fix HERE!

Well, I know I'm not the only one who got a bad WiMax MAC address after trying to update my WiMax radio image. I should learn to not try and fix things if they aren't broken.
If you've gotten the dreaded "00:16:08:00:24:05" MAC address like I did, this guide will help you fix it. You'll need fastboot set up, a NAND unlocked phone with Toast's part 2 method, your correct MAC address for WiMax, and the files below.
FILES:
New radio
New WiMax
You MUST download & flash these again even if you already have. I don't care if you think you already have the right ones, download these. If you don't, don't ask me for help if you use the wrong ones.
STEP 1: Fix MAC
First, get your right MAC address. It can be found under the battery by the WiMax tag, or on your box under the WiMax barcode. It should be 12 digits long, with no colons in it. If it were supposed to be "00:16:08:00:24:05" it would look like 001608002405 on the box. Write that address down with a colon between every two characters to get it in the right format.
Next, boot your phone into fastboot mode. If you don't know how to do this, hold down volume and press power to boot into the bootloader. After it brings up the menu where "FASTBOOT" is highlighted, press power. It should say "FASTBOOT USB" in red where it previously said "HBOOT" in green.
On your PC, open a shell. First off, let's see if you have a bad MAC; run
Code:
fastboot oem wimaxrmac
It should return something like
Code:
INFOcmd_wimaxrmac
INFODev MAC = *Your MAC address will be here*
OKAY
If it doesn't match the code you wrote down, then you have a bad MAC. If it does match the code you wrote, then skip to step 2.
To fix it, you need to run:
Code:
fastboot oem wimaxwmac *Address you wrote down here*
Like if you wanted it to be "00:16:08:00:24:05" then you would run:
Code:
fastboot oem wimaxwmac 00:16:08:00:24:05
It should return something like:
Code:
INFOcmd_wimaxwmac
INFOWrite OK! MAC = *Address you entered here*
OKAY
Then just run
Code:
fastboot reboot
To reboot back into Android with your correct MAC address.
STEP 2: Flash the images again
Now push those files to your SD card & reboot into recovery.
Once you're in recovery, flash the "evo.2.05.00.06.10.zip" file. Reboot from the menu like it tells you. Once you're in Android, update your Profile & update your PRL.
Now reboot into recovery again, this time flash the "evo.wimax.25641_r01.zip" file. Reboot again from the menu, and guess what. Once again, update your Profile & PRL. Reboot one more time for good measure, and you should have working 4G. I haven't been able to confirm 4G myself, but others have reported it working with my method. My logcat no longer shows any 4G errors and neither does the kernel log, plus all the data now matches how it was before my update, so that leads me to believe it's working.
I wrecked my MAC with the update and fixed it like this, but I haven't had a chance to try out 4G yet since I won't be going into the city where I'll have coverage until Saturday.
Please post here if it works for you or if it isn't clear then just post & I'll try and clear it up.
Regards,
Jesse C.
EDIT: As a few posters had trouble, it came to my attention that you MUST have run Toast's root part 2 image to have access to fastboot oem commands.
EDIT 2: Now full 4G fix.
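To compare the "fastboot oem wimaxrmac" result with the label without eyeballing it, here is an added Python example (not part of the guide or its author's files): it converts the 12-digit label form into the colon form the guide asks you to write down, parses the INFO-prefixed output the guide shows, and reports whether the device MAC matches the label, is the 00:16:08 bad-MAC pattern reported in this thread, or could not be read at all (which is what you see when the OEM commands are not available). It only reads; it never issues the write command. The sample outputs and the label value are constructed.

```python
"""Check `fastboot oem wimaxrmac` output against the MAC printed on the label.

Added example (not from the guide). The "INFODev MAC = ..." line shape and the
observation that the bad MACs all start with 00:16:08 come from the thread;
the sample outputs below are constructed.
"""
import re
from typing import Optional

BAD_MAC_PREFIX = "00:16:08"   # thread: every reported bad MAC began with this
_MAC_LINE = re.compile(r"Dev MAC\s*=\s*([0-9A-Fa-f]{2}(?::[0-9A-Fa-f]{2}){5})")


def label_to_mac(label: str) -> str:
    """'001608002405' (as printed under the battery) -> '00:16:08:00:24:05'."""
    digits = re.sub(r"[^0-9A-Fa-f]", "", label)
    if len(digits) != 12:
        raise ValueError(f"label should hold 12 hex digits, got {label!r}")
    return ":".join(digits[i:i + 2] for i in range(0, 12, 2)).upper()


def parse_wimaxrmac(output: str) -> Optional[str]:
    """Pull the MAC out of fastboot's output; fastboot prefixes each line with INFO."""
    for line in output.splitlines():
        line = line.strip()
        if line.startswith("INFO"):
            line = line[len("INFO"):]
        m = _MAC_LINE.search(line)
        if m:
            return m.group(1).upper()
    return None


def check_mac(output: str, label: str) -> str:
    """Classify the result: 'ok', 'bad-known' (00:16:08 pattern), 'mismatch' or 'unparsed'."""
    expected = label_to_mac(label)
    actual = parse_wimaxrmac(output)
    if actual is None:
        return "unparsed"
    if actual == expected:
        return "ok"
    if actual.startswith(BAD_MAC_PREFIX):
        return "bad-known"
    return "mismatch"


# Constructed sample outputs in the shape the guide shows (not captured from a phone).
GOOD_OUTPUT = "INFOcmd_wimaxrmac\nINFODev MAC = 00:18:41:AA:BB:CD\nOKAY\n"
BAD_OUTPUT = "INFOcmd_wimaxrmac\nINFODev MAC = 00:16:08:00:24:05\nOKAY\n"
NO_OEM_OUTPUT = "FAILED (remote: unknown command)\n"   # constructed failure text

if __name__ == "__main__":
    label = "001841AABBCD"   # made-up label value
    for name, out in (("good", GOOD_OUTPUT), ("bad", BAD_OUTPUT), ("no-oem", NO_OEM_OUTPUT)):
        print(f"{name}: {check_mac(out, label)}")
```

Feed it the captured output of the read command (for example via subprocess.run(["fastboot", "oem", "wimaxrmac"], capture_output=True, text=True) and joining stdout and stderr, since fastboot prints its INFO lines on stderr on some versions); a "mismatch" that is not the known pattern is worth double-checking against the label before writing anything.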
Thank you so much!
Sent from my PC36100 using XDA App
On it.....!!!!
It's possible this may only update the MAC and not the key, Joshua (unrevoked) told me and a few others that was their main issue.
Let's see what results show.
Hot damn!!!! It works!!!
Neotelos_com said:
It's possible this may only update the MAC and not the key, Joshua (unrevoked) told me and a few others that was their main issue.
Let's see what results show.
If it really is the key, we can modify that here too. If we can pull a copy off a working device, we can write it with fastboot too I'm pretty sure
Geniusdog254 said:
If it really is the key, we can modify that here too. If we can pull a copy off a working device, we can write it with fastboot too I'm pretty sure
My understanding is the key is specific to each MAC, either way someone reported it works.
We just need people to post their before and after MAC address to confirm.
It does seem there are two variations of the bad MAC from different roms (at least from reports I've heard).
Well, I changed the MAC... I don't know if 4G is working on it...
ON XP opening a shell using CMD? I'm not sure how to communicate with my EVO. Been without 4G for a while, trying to get it back up and running.
( waiting for device )
*nevermind*
Sleep..needed badly
Travyevo said:
ON XP opening a shell using CMD? I'm not sure how to communicate with my EVO. Been without 4G for a while, trying to get it back up and running.
You need adb from the Android SDK.
You also need to set your phone for USB debugging.
If you look around there's hundreds of tips on doing all this.
asrebel said:
*nevermind*
Sleep..needed badly
are you in fastboot?
Neotelos_com said:
My understanding is the key is specific to each MAC, either way someone reported it works.
We just need people to post their before and after MAC address to confirm.
It does seem there are two variations of the bad MAC from different roms (at least from reports I've heard).
I saw the same thing. I ended up with the one i posted in the OP but it seems they all start with the 00:16:08 characters.
I don't think it's safe to post the after MAC address, since it's unique to every device. It won't hurt anything, but I'd rather keep mine private.
Neotelos_com said:
You need adb from the Android SDK.
You also need to set your phone for USB debugging.
If you look around there's hundreds of tips on doing all this.
ADB appeared to install when i connected it. I'll take a look.
Thanks
my fastboot doesn't seem to recognize the 'oem' command. Is that a function of fastboot?
Anyone 4G back working using this method?
rocolema said:
my fastboot doesn't seem to recognize the 'oem' command. Is that a function of fastboot?
Yes. It should work for everyone. Do you have the newest fastboot?
david279 said:
Anyone 4G back working using this method?
I thought you said you had it working? Do you not have 4G or did it not fix the 4G errors
It fixed my MAC address. I have no 4G to test to see if thats working.
This is an interesting method.
I have restored my MAC via a different route, but I believe if I were to flash an official wimax right now, I would lose my MAC again. What I have done requires modification to the wimax.img file.
Does this persist through reboots? If it does, this would likely be the best answer to the problem of the bad mac addresses.
david279 said:
It fixed my MAC address. I have no 4G to test to see if thats working.
Ah okay. I'm in the same boat

Request: Guide to Backup and Restore Everything

Seems like it would be a good idea to get people in the habit of backing up absolutely everything before rooting, installing roms, etc. We could perhaps avoid problems with people overwriting their 4G keys or other unforeseen consequences.
Problem is, I don't know how to do it. Could someone please write a quick guide on how to backup everything (nand, ext, wimax, radio, etc.) and also how to restore it when something goes wrong?
gthing said:
Seems like it would be a good idea to get people in the habit of backing up absolutely everything before rooting, installing roms, etc. We could perhaps avoid problems with people overwriting their 4G keys or other unforeseen consequences.
Problem is, I don't know how to do it. Could someone please write a quick guide on how to backup everything (nand, ext, wimax, radio, etc.) and also how to restore it when something goes wrong?
1. Reboot into recovery (Clockwork/RA)
2. Select nandroid backup
3...
4. Profit
imaxreed said:
1. Reboot into recovery (Clockwork/RA)
2. Select nandroid backup
3...
4. Profit
A nandroid backup will backup the wimax partition? Pretty sure radio/wimax partitions are not included.
Doesn't that put the previous rom you had when backed up back on there, so if you flash a new one then restore, the new rom is gone and you're back to where you were?
Sent from my PC36100 using XDA App
krizno said:
Doesn't that put the previous rom you had when backed up back on there, so if you flash a new one then restore, the new rom is gone and you're back to where you were?
Yes, but some things, like the radios, are not included in the backup.
So you want to be able to back up the radio too, I get you. I guess you would just have to download the newest radio off here, or find the download for the radio you have that works for you, and save it to the root of the SD and just flash it over when you need it. Just a suggestion.
Sent from my PC36100 using XDA App
gthing said:
Seems like it would be a good idea to get people in the habit of backing up absolutely everything before rooting, installing roms, etc. We could perhaps avoid problems with people overwriting their 4G keys or other unforeseen consequences.
Problem is, I don't know how to do it. Could someone please write a quick guide on how to backup everything (nand, ext, wimax, radio, etc.) and also how to restore it when something goes wrong?
Scratch what I had.
I guess nandroid doesn't backup radio and wimax.
My guide I wrote doesn't get this far in depth, but covers boot partition pretty well.
+1 on this request.
I'm not doing any radio changes until I can back up the originals first. (Hence my low post count.)
I found this from the broken 4G thread:
redsolar said:
Broken EVO backup
Backup your existing wimax partition on your broken EVO. We may need it some day.
1. Open a command line window (cmd)
2. Make sure you have no PC36IMG.zip files in the root of your SD Card, or it will take a while to power your phone up
3. Power down your phone
4. Power it up while holding down the Volume Down key
5. HBOOT will attempt to scan for PC36IMG files. Let's hope you read carefully and don't have it on your SD Card root
6. Once HBOOT fails to find the file, use the Vol Up/Down buttons to go into Fastboot mode
7. Connect the USB cable to your phone (and PC). You may have to install the USB drivers that come with the Android SDK, but chances are if you are looking for this solution, you already have them installed and working
8. The FASTBOOT mode will switch to FASTBOOT USB (that's good)
9. Test your fastboot by typing "fastboot oem h" in the command window you opened earlier (note: no adb or adb shell anywhere; the command is "fastboot oem h"). From here on all fastboot commands are issued in that window
10. If you see less than ~40 lines of output, you don't have a properly rooted phone, and you need to do step 1 and step 2 (see above)
11. Dump your wimax data by issuing the "fastboot oem saveprt2sd wimax -n wimax.bin" command (size varies, anywhere between 7 and 8.5 MB; mine was 7 MB)
12. Dump the complete partition (~12 MB) by issuing the "fastboot oem saveprt2sd wimax -n wimax.bin -a" command
13. Reboot your phone
14. Pull the data files you dumped to a safe place ("adb pull /sdcard/WIMAX.BIN" and "adb pull /sdcard/WIMAXRAW.BIN"). Note the capitalization, it's important
SNIP
Edit:
Haven't tried this yet, but it would backup wimax. How do we back up radio?
krizno said:
So you want to be able to back up the radio too, I get you. I guess you would just have to download the newest radio off here, or find the download for the radio you have that works for you, and save it to the root of the SD and just flash it over when you need it. Just a suggestion.
Sent from my PC36100 using XDA App
The reason you would want your own backup is because it could contain wimax keys, etc. If everyone had backed up we wouldn't have tons of people running around with bricked 4G radios now. Some things you can't fix with a generic download - you need a backup.
nefas110 said:
+1 on this request.
I'm not doing any radio changes until I can back up the originals first. (Hence my low post count.)
I found this from the broken 4G thread:
Edit:
Haven't tried this yet, but it would backup wimax. How do we back up radio?
Why do you need to backup the radio? There's a list of radio and wimax files in the development section; you can always download those files and save them onto your computer or your sdcard if you ever need to use them again.
The PC36IMG.zip itself contains the wimax and the radio in it. I've downgraded from the 1.47... OTA update with the new radio and wimax, and it downgraded just fine along with the radio and wimax.
if you wanna backup your wimax, try this.
in a shell,
Code:
cat /proc/mtd
you should get a list from mtd0 through mtd7. wimax should show up as mtd0.
to back up the wimax img to your sdcard,
Code:
cat /dev/mtd/mtd0 > /sdcard/mtd0.img
that should back up your wimax image to your sdcard. I'm not sure if you could flash that like you flash a radio through your recovery (I wouldn't try it), but if you wanna revert you could probably do something like
Code:
cat /sdcard/mtd0.img > /dev/mtd/mtd0
another method may be to use fastboot. i'm not sure if you can do this or not, and i can't verify it since i'm not at home, but maybe do something like
Code:
fastboot flash wimax /sdcard/mtd0.img
might work. but if you try this and something breaks... it's not my fault.
campchi said:
Why do you need to backup the radio? There's a list of radio and wimax files in the development section; you can always download those files and save them onto your computer or your sdcard if you ever need to use them again.
The PC36IMG.zip itself contains the wimax and the radio in it. I've downgraded from the 1.47... OTA update with the new radio and wimax, and it downgraded just fine along with the radio and wimax.
Those don't include the unique encryption key embedded on each phone. It's too bad none of the backup solutions out there do a complete backup.
campchi said:
Why do you need to backup the radio? There's a list of radio and wimax files in the development section; you can always download those files and save them onto your computer or your sdcard if you ever need to use them again.
The PC36IMG.zip itself contains the wimax and the radio in it. I've downgraded from the 1.47... OTA update with the new radio and wimax, and it downgraded just fine along with the radio and wimax.
Read that thread by redsolar: [TUTORIAL] Proof of concept solution on fixing badly broken 4G after bad MAC, etc
To summarize, each Evo comes equipped with security keys for wimax that are SPECIFIC TO THAT ONE DEVICE. If you lose those keys, there is no way to revive your bricked 4G at this time. You can lose the keys if you flash a bad image (this is what happened to people) or you can have a bad flash (can happen at random). Now do you want to backup your wimax?
As for the rest of the radio, how can we be certain a generic image will restore the device? The only way to be sure is to make a backup of that image too.
I read that nandroid used to backup the radio. That feature should be brought back as an option. Does anyone know who runs nandroid now? I would like to write to the suggestion box.
justinisyoung said:
if you wanna backup your wimax, try this.
in a shell,
Code:
cat /proc/mtd
you should get a list from mtd0 through mtd7. wimax should show up as mtd0.
to back up the wimax img to your sdcard,
Code:
cat /dev/mtd/mtd0 > /sdcard/mtd0.img
Thanks, this part works. I used a hexeditor to at least find and copy my encryption keys. (Search for BEGIN RSA PRIVATE KEY).
justinisyoung said:
if you wanna backup your wimax, try this.
in a shell,
Code:
cat /proc/mtd
you should get a list from mtd0 through mtd7. wimax should show up as mtd0.
to back up the wimax img to your sdcard,
Code:
cat /dev/mtd/mtd0 > /sdcard/mtd0.img
that should back up your wimax image to your sdcard. I'm not sure if you could flash that like you flash a radio through your recovery (I wouldn't try it), but if you wanna revert you could probably do something like
Code:
cat /sdcard/mtd0.img > /dev/mtd/mtd0
another method may be to use fastboot. i'm not sure if you can do this or not, and i can't verify it since i'm not at home, but maybe do something like
Code:
fastboot flash wimax /sdcard/mtd0.img
might work. but if you try this and something breaks... it's not my fault.
While this does work for the sole purpose of extracting the wimax key and certificate, the resulting file is not binary safe. cat appears to do some codepage interpretation, so the resulting file is not consistent between phones, even when the firmware is mostly identical and the differences are just the MAC address and the RSA key/SSL certificate.
So far, the only safe (and restorable) way to do a backup is described here. I verified, and backing up/rewriting the image this way does work, and works correctly.
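A backup is only worth having if you can tell that it actually contains the keys and that the dump method gives you the same bytes every time. As an added Python example, not code from this thread or any of its posters, the script below inspects a raw dump for the PEM markers mentioned a few posts up ("BEGIN RSA PRIVATE KEY"), hashes it so two dumps of the same phone can be compared, and lists the byte ranges in which two dumps differ, so you can see for yourself whether two images differ only in the MAC and key regions as claimed above. It assumes the MAC is stored as colon-separated ASCII, as the earlier posts state. The two sample dumps are constructed, not real partition contents.

```python
"""Inspect and compare raw wimax partition dumps.

Added example (not from the thread). Assumes, as the posts above state, that a
good dump carries the RSA private key (PEM markers) and the MAC as plain text.
The sample dumps below are constructed.
"""
import hashlib
import re

PEM_KEY_BEGIN = b"-----BEGIN RSA PRIVATE KEY-----"
PEM_KEY_END = b"-----END RSA PRIVATE KEY-----"
PEM_CERT_BEGIN = b"-----BEGIN CERTIFICATE-----"
MAC_TEXT = re.compile(rb"[0-9A-Fa-f]{2}(?::[0-9A-Fa-f]{2}){5}")


def inspect_dump(data: bytes) -> dict:
    """Summarise what a dump contains so two backups can be compared at a glance."""
    begins, ends = data.count(PEM_KEY_BEGIN), data.count(PEM_KEY_END)
    return {
        "size": len(data),
        "sha256": hashlib.sha256(data).hexdigest(),
        "private_keys": begins,
        "certificates": data.count(PEM_CERT_BEGIN),
        "macs": sorted({m.group(0).decode().upper() for m in MAC_TEXT.finditer(data)}),
        "key_truncated": begins != ends,   # BEGIN without END: the key is not intact
    }


def diff_ranges(a: bytes, b: bytes, gap: int = 0) -> list[tuple[int, int]]:
    """Half-open byte ranges where a and b differ; ranges closer than `gap` are merged."""
    n = min(len(a), len(b))
    raw: list[tuple[int, int]] = []
    start = None
    for i in range(n):
        if a[i] != b[i]:
            if start is None:
                start = i
        elif start is not None:
            raw.append((start, i))
            start = None
    if start is not None:
        raw.append((start, n))
    if len(a) != len(b):                     # trailing bytes only one side has
        raw.append((n, max(len(a), len(b))))
    merged: list[tuple[int, int]] = []
    for s, e in raw:
        if merged and s - merged[-1][1] <= gap:
            merged[-1] = (merged[-1][0], e)
        else:
            merged.append((s, e))
    return merged


def same_image(a: bytes, b: bytes) -> bool:
    """True when two dumps are byte-identical, i.e. the dump method is reproducible."""
    return hashlib.sha256(a).digest() == hashlib.sha256(b).digest()


def _sample(mac: bytes, key_body: bytes) -> bytes:
    """Build a constructed dump: header, MAC text, a short fake PEM block, padding."""
    return (b"HDR\x00" + b"MAC=" + mac + b"\x00" * 8
            + PEM_KEY_BEGIN + b"\n" + key_body + b"\n" + PEM_KEY_END + b"\x00" * 8)


# Two constructed dumps standing in for two phones with the same firmware layout.
DUMP_PHONE_A = _sample(b"00:18:41:AA:BB:CC", b"AAAA")
DUMP_PHONE_B = _sample(b"00:18:41:12:34:4F", b"BBBB")

if __name__ == "__main__":
    for name, dump in (("A", DUMP_PHONE_A), ("B", DUMP_PHONE_B)):
        print(name, inspect_dump(dump))
    print("differing ranges:", diff_ranges(DUMP_PHONE_A, DUMP_PHONE_B, gap=4))
    print("reproducible:", same_image(DUMP_PHONE_A, bytes(DUMP_PHONE_A)))
```

Run inspect_dump on a dump taken twice by the same method (the hashes should match) and diff_ranges with a small gap on dumps from two phones: if the ranges line up with the MAC offsets and the PEM block and nothing else, the images really do differ only in the per-device data.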

I need an easier guide...

To outline my situation, I have installed CWM to my phone, and flashed version 2.5.1.2 of Galaxy S i9000 (but the recovery boot doesn't show as CWM) on a Samsung InFuse 4G (this part I managed to find by scouring the forums) with Firmware version 2.2.1, Kernel 2.6.32.9, with Build FROYO.UCKH1. This is as far as I have gotten because I cannot seem to get a backup of my phone's ROM made. So, my question is can someone explain (without jargon, I haven't quite learned it yet) in simple steps how to resolve this issue and help me continue my way to flashing a custom ROM? I've checked and read so many other guides, but they are confusing because the steps aren't (sad to say) dumbed down for me. Here's an example of what I read:
1: dl CWM (actually had to go look this up and figure out what it was)
2: flash CWM (my phone model wasn't on the list, but after an extensive search found out that I could use the Galaxy S i9000 [supposedly])
3: boot into CWM Recovery (can't do it, for some reason it won't load on my phone.)
4: perform backup with CWM (as before, can't do it, read I could use Titanium backup but no depth was given)
5: dl a rom and place it on your sd card (this one is understood, short and to the point)
6: boot into CWM and flash rom
Unfortunately, when I start out on a new OS (already owning Windows and getting good at Linux) I tend to not even understand these so-called "Dummies Guides." I need something filled with minimal jargon that is short and sweet. Any information would be helpful
Also, I would like to know the likelihood of bricking my phone (based off of its specs) if it is possible to find out...
I'm a little bit confused here. How come you've flashed an i9000 (Galaxy S) firmware onto an Infuse? I think we can work out your backup problems though
I mean that I flashed the Galaxy S i9000 version of CWM Recovery to my phone because there wasn't an InFuse option. (according to one thread, it said that the i9000 version was compatible with the InFuse)
However, I flashed the Recovery, but when I booted into recovery mode, I was still in the stock recovery. Any explanation for this and everything else?
I don't really know anything about the Android system yet, but I hope to be good enough to become a developer one day.
DeltaOps said:
I mean that I flashed the Galaxy S i9000 version of CWM Recovery to my phone because there wasn't an InFuse option. (according to one thread, it said that the i9000 version was compatible with the InFuse)
However, I flashed the Recovery, but when I booted into recovery mode, I was still in the stock recovery. Any explanation for this and everything else?
I don't really know anything about the Android system yet, but I hope to be good enough to become a developer one day.
Gotcha. Sounds like the recovery hasn't flashed properly. Did you have the phone rooted before flashing the recovery?
Here is an awesome thread with video guides on just about everything you could need. Here is another. I take it you've already followed at least one of these to get the recovery flashed, so it might pay to try the 3E recovery instead and see if that works.
You may need to go right back to stock and start over. If you do, AdamOutler has got you covered right here.
I'll stay subscribed in case you need anything else, best of luck mate
My phone was rooted with SuperOneClick. Superuser was still intact. I read on a thread that the CWM Recovery could "fake flash" and that it would still be accessible by selecting "boot into recovery" but it doesn't show.
It says 3E in my recovery mode, is that the modified or is it actually stock?
I downloaded CWM from the market (method 2) but for some reason have update.zip on my phone (method 1). Any explanation? I don't exactly remember downloading a .zip file...
DeltaOps said:
My phone was rooted with SuperOneClick. Superuser was still intact. I read on a thread that the CWM Recovery could "fake flash" and that it would still be accessible by selecting "boot into recovery" but it doesn't show.
It says 3E in my recovery mode, is that the modified or is it actually stock?
I downloaded CWM from the market (method 2) but for some reason have update.zip on my phone (method 1). Any explanation? I don't exactly remember downloading a .zip file...
It may have 'fake flashed' and not worked at all. Both stock and modified recovery will say 3E, the difference is in the version numbers although I can't picture them off the top of my head. If CWM had worked, you would not be seeing 3E, you would see the typical array of CWM options. The modified 3E does not give you the same options CWM does, it just gives you the option to flash an 'unsigned' image from Recovery.
I have never had any luck with ROM Manager personally, although a lot of people swear by it. I found it especially flaky flashing recoveries to any device, very hit-and-miss. I personally prefer, and recommend, flashing recoveries manually via ADB. A little trickier, but a lot more trustworthy.
That said, try flashing recovery through RM again before taking any further steps. Flashing a recovery over a recovery won't hurt
I've tried three separate times to install the CWM recovery, but all were unsuccessful. What's this about ADB? I remember seeing the ADB Daemon in the SuperOneClick rooting process. And how tricky is it exactly, does it require code?
I have the Titanium Backup app on my phone, and I have backed up all the system and app data, but they are all separate files instead of a single (what, .md5?) file. I remember reading another thread that said you could back up a ROM via TB but I can't find a back up ROM option. Is there a particular way to do this or do I have to have the Premium/Pro version of TB? Or have I pretty much done all I can do with TB?
DeltaOps said:
I've tried three separate times to install the CWM recovery, but all were unsuccessful. What's this about ADB? I remember seeing the ADB Daemon in the SuperOneClick rooting process. And how tricky is it exactly, does it require code?
I have the Titanium Backup app on my phone, and I have backed up all the system and app data, but they are all separate files instead of a single (what, .md5?) file. I remember reading another thread that said you could back up a ROM via TB but I can't find a back up ROM option. Is there a particular way to do this or do I have to have the Premium/Pro version of TB? Or have I pretty much done all I can do with TB?
ADB is a command-line interface between your PC and your phone. You enable USB debugging and connect the phone via USB to the computer. Once you have the correct drivers installed, you can then use ADB (part of the Android SDK available for download) to send commands to your phone, as well as push and pull files. This requires full root, which you already have.
For example you can grab the recovery.img for CWM on the Infuse and tell ADB to 'flash recovery recovery.img' and actually ensure it flashes.
There are some excellent ADB tutorials floating around, this one in particular got me started. Make sure you do a bit of reading first though: the wrong command can royally screw you.
After you're familiar, you should be able to use ADB to push a recovery to your phone, whether it be unsecured 3E, or CWM.
I'll stay subscribed for any queries you may have
How close is the ADB interface to other command-line interfaces like Linux or Windows? I use both operating systems on my laptop and I have familiarized myself with both of them (mostly). What am I supposed to be expecting when I use it? Also, I can't seem to find the recovery.img file, what folder would that be under?
DeltaOps said:
How close is the ADB interface to other command-line interfaces like Linux or Windows? I use both operating systems on my laptop and I have familiarized myself with both of them (mostly). What am I supposed to be expecting when I use it? Also, I can't seem to find the recovery.img file, what folder would that be under?
Don't know about Linux, but ADB works through a Windows command prompt so it's pretty much the same. You will need to have ADB, Fastboot plus whatever you wish to flash (recovery.img) in a 'working' directory, then run a command prompt from that directory.
You will probably need to download the recovery.img file from XDA. It may be zipped up (they usually are).
Sent from my Galaxy Note using XDA Premium
I've successfully got ADB started in the command prompt (not that bad :]) but when I try to pull the directory map from my phone, it says: remote object "xxxxxxxxx" does not exist. And what's this about Fastboot? Edit: Did a bootloader command test, worked just fine. No success on pulling directory
Command I used: "adb pull -s xxxxxxxxxxx C:\"
DeltaOps said:
I've successfully got ADB started in the command prompt (not that bad :]) but when I try to pull the directory map from my phone, it says: remote object "xxxxxxxxx" does not exist. And what's this about Fastboot? Edit: Did a bootloader command test, worked just fine. No success on pulling directory
Command I used: "adb pull -s xxxxxxxxxxx C:\"
I don't think that's the correct format to pull directory structure. I'll have to read up on that one
Fastboot is another tool you can use to flash bootloaders, radios, recoveries etc through the command prompt.
Sent from my Galaxy Note using XDA Premium
You're right, tried using the <remote> variable as a file instead of the device serial. Typed:
adb pull .. files
prompt skitzed out after that. I know it won't damage anything since it's a copy procedure but I'm looking for the file and it's not there. it said it's pulling everything after skipping "special files"
Edit: It just finished, said it couldn't create the file because for some reason it was trying to copy the files from the phone to the phone
DeltaOps said:
You're right, tried using the <remote> variable as a file instead of the device serial. Typed:
adb pull .. files
prompt skitzed out after that. I know it won't damage anything since it's a copy procedure but I'm looking for the file and it's not there. it said it's pulling everything after skipping "special files"
Edit: It just finished, said it couldn't create the file because for some reason it was trying to copy the files from the phone to the phone
Yeah, you'll have to give it a target directory, I think it's like this '.\sdcard' to write them to the SD card?
Sent from my Galaxy Note using XDA Premium
If that's the case, then how do I make the file copy to my HDD? The drive doesn't show up on my computer (does it)?
DeltaOps said:
If that's the case, then how do I make the file copy to my HDD? The drive doesn't show up on my computer (does it)?
I'm sure that with the correct command, you will be able to pull the structure to your hard drive. I'm not sure if it's .\C:/ or not, I'll have a look when I'm on a proper rig and can do a proper search
Sent from my Galaxy Note using XDA Premium
Thanks! You've been great so far
That noob video was right, XDA is full of awesome people!
Edit: Got it Thanks for the pointers. Now I need to find out how to back up the entire ROM... :/
DeltaOps said:
Thanks! You've been great so far
That noob video was right, XDA is full of awesome people!
Edit: Got it Thanks for the pointers. Now I need to find out how to back up the entire ROM... :/
Glad you got it and glad to help. There are a hell of a lot of good people here If there's anything else you need, feel free to PM me.
Good luck buddy!
Sent from my Galaxy Note using XDA Premium
Is there perhaps any way to perform a ROM backup with ADB?
DeltaOps said:
Is there perhaps any way to perform a ROM backup with ADB?
Ooh good question. I don't think so, but I'm not sure. I know you can pull directories like /system/ and whatnot, but as for repackaging them into a working backup, that may be a bit more involved. I would use ADB to push a working CWM and do it that way, but it sounds like you're a bit better at the command-line stuff than I so you may be able to work it!
Sent from my Galaxy Note using XDA Premium

SoftBricked my phone, stuck on ATT Logo

Ok, so tried to install a theme from this thread
http://forum.xda-developers.com/showthread.php?t=1533858
I ran the 4th command and it said /sdcard/blurhome2.apk no such file or directory then my phone reboots out of nowhere.
I did copy the file to my SDCARD but it says it wasn't there and rebooted on its own. Now I get to the ATT logo and it stays there. I can still run ADB commands if I reboot in BP Tools or something like that.
Is there any way to unsoftbrick it to recover my data? I knew I should have done a backup of it before starting but it never gave me problems before so I said eff it. I regret it now.
EDIT: I just realized where it all went wrong, I was in mass storage mode instead of Charge Only. So yea, any way to help me recover my data? I don't mind wiping and starting from scratch, I just need to get some text messages and some #'s, the rest doesn't matter. I already have the FXZ and RSD lite prepared but I don't want to do it till jim, JRW or LFABER or any other knowledgeable dev says "You're SOL, nothing you can do"
EDIT #2: I can receive calls, but the home launcher will not show up and the drop down thing won't work. But it seems all my background processes are working (JuiceDefender, APPLOCK, 3g Watchdog)
EDIT #3: Using Droid explorer (Windows software to view your device) I am able to see all the files my phone has and it's missing Blurhome2.apk in the /System/App folder. I can't seem to copy it in there. It's still in mass storage mode too whenever I connect it.
EDIT #4: WOOOOOHOOOOOOO!!!!!!!!!!! I got it working, followed jim's steps on another post that had nothing to do with this. Just pushed the blurhome2.apk onto my /data/local/ folder and then ran adb through the shell, remounted the system and copied the apk into the /system/app/ folder. Ran chmod command, reboot and voila back in business *goes and makes a CWM backup*
So many edits. Lol
Sent from my MB865 using XDA
Well, good to see you got it worked out .
Just for the record, if you ever do get in one of those situations where RSD Lite is your only option you can easily edit the xml file to remove the part where it wipes userdata... i.e. it flashes back to stock and retains your data
cogeary said:
Well, good to see you got it worked out .
Just for the record, if you ever do get in one of those situations where RSD Lite is your only option you can easily edit the xml file to remove the part where it wipes userdata... i.e. it flashes back to stock and retains your data
TUTORIAL ON THIS ASAP!!!!!! Why isn't this a sticky? I didn't know that was possible. Show us the way to recover the data off a bricked atrix 2 oh unbricking-while-keeping-your-data-wise-one
I second that! Would love a step-by-step walkthrough
Sent from my unknown using XDA

Recovery -- what is it, and how can we root with it? :) H918

My H918 is what is currently in the shop (and this would not work on the H910 -- they use a different format), so I can't test this myself. With that said, this should be completely safe -- it will either work or it won't
I figured I would look to see what kind of security there was on the OTA update process.
As stated in the title, this is only for the H918 for now since I haven't had a chance to look at other models.
T-Mobile uses the regular SignApk straight out of the AOSP sources to sign their OTA zips.
It also turns out that the LGFOTA.apk will look on the SDcard for the update.zip:
Code:
/cache/fota/update.zip
/cache/fota/update_flag
/data/fota/update.zip
/pkg/SoftwareUpdate
/pkg/SoftwareUpdate/
#/storage/external_SD/SoftwareUpdate
/storage/external_SD/SoftwareUpdate/
/storage/sdcard0/SoftwareUpdate
/storage/sdcard0/SoftwareUpdate/
#/storage/sdcard0/SoftwareUpdate/enc
$/storage/sdcard0/SoftwareUpdate/enc/
Those are the paths that it searches -- the one we care about is /storage/external_SD/SoftwareUpdate/
Now when you sign an update.zip, it obviously needs to be verified with a key. The thing is, they include the key in the zip -- otacert -- why?
I don't have my H918 right now, but that isn't stopping me from looking for other attack vectors. This time it is stock recovery.
As near as I can tell, stock recovery uses the otacert in the zip to verify the signature of the zip. Which is fine from a VERIFICATION point of view. If the zip is modified in any way, the signature will fail. If the otacert file is not valid, the signature will fail. So, you know you are flashing a good file if the signature passes.
Now, from a security point of view, you don't include the cert that checks the signature WITH the file to be checked. I really think they screwed up here.
I don't have an H918 to test this on till mine gets back, but if someone else wants to, I can talk you through making an update.zip.
-- Brian
I'll give it a shot
From Android's developer website, it states that:
Sideloading does not bypass recovery's normal package signature verification mechanism—before installing a package, recovery will verify that it is signed with one of the private keys matching the public keys stored in the recovery partition, just as it would for a package delivered over-the-air...
...The RecoverySystem API checks the signature against public keys stored in the main system, in the file /system/etc/security/otacerts.zip (by default). Recovery checks the signature against public keys stored in the recovery partition RAM disk, in the file /res/keys.
Is this somehow bypassing that?
I haven't spent anywhere near the time decompiling lg_fota and recovery (the two main binaries that handle OTA) as I have lafd, but like I said, it looks like if there is an otacert in the zip it uses that instead.
The only way to find out for sure is to test it, and it looks like we have a volunteer
@storm68 I will craft up the zip for you. Gimme an hour to wake up...
-- Brian
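Brian's two posts above make a design point (a verifier that takes its key from an otacert shipped inside the zip proves only that the zip is self-consistent) and the AOSP text quoted from the developer site states the intended design (recovery checks against keys pinned in its ramdisk, /res/keys). The block below is an added example, not code from this thread, from LG or from AOSP, that puts the two checks side by side. It uses a toy textbook-RSA-over-SHA-256 signature so it runs with the standard library only (a real recovery uses X.509 certificates and proper padding), and the package contents are constructed. OtaPackage, verify_with_embedded_cert and verify_with_pinned_keys are this example's own names.

```python
"""Added example (not from the thread): an OTA verifier that trusts the cert
inside the package versus one that only accepts keys pinned on the device.
Toy RSA signing over SHA-256, standard library only."""
import hashlib
import random
from dataclasses import dataclass
from typing import Dict, Tuple

SMALL_PRIMES = (2, 3, 5, 7, 11, 13, 17, 19, 23, 29, 31, 37)


def _is_probable_prime(n: int, rounds: int = 16) -> bool:
    """Miller-Rabin, sufficient for a demonstration key."""
    if n < 2:
        return False
    for p in SMALL_PRIMES:
        if n % p == 0:
            return n == p
    d, r = n - 1, 0
    while d % 2 == 0:
        d //= 2
        r += 1
    for _ in range(rounds):
        x = pow(random.randrange(2, n - 1), d, n)
        if x in (1, n - 1):
            continue
        for _ in range(r - 1):
            x = pow(x, 2, n)
            if x == n - 1:
                break
        else:
            return False
    return True


def _random_prime(bits: int) -> int:
    while True:
        cand = random.getrandbits(bits) | (1 << (bits - 1)) | 1  # odd, top bit set
        if _is_probable_prime(cand):
            return cand


@dataclass(frozen=True)
class PublicKey:
    n: int
    e: int


def generate_keypair(bits: int = 512) -> Tuple[PublicKey, int]:
    """Return (public key, private exponent). n > 2**256 so a SHA-256 digest fits."""
    e = 65537
    while True:
        p, q = _random_prime(bits // 2), _random_prime(bits // 2)
        phi = (p - 1) * (q - 1)
        if p != q and phi % e:
            break
    return PublicKey(p * q, e), pow(e, -1, phi)


def _digest_int(payload: bytes) -> int:
    return int.from_bytes(hashlib.sha256(payload).digest(), "big")


def sign(payload: bytes, pub: PublicKey, d: int) -> int:
    return pow(_digest_int(payload), d, pub.n)


def rsa_verify(payload: bytes, signature: int, pub: PublicKey) -> bool:
    return pow(signature, pub.e, pub.n) == _digest_int(payload)


@dataclass(frozen=True)
class OtaPackage:
    payload: bytes      # stands in for the zip contents
    otacert: PublicKey  # the "otacert" the thread says ships inside the zip
    signature: int


def build_package(payload: bytes, pub: PublicKey, d: int) -> OtaPackage:
    return OtaPackage(payload, pub, sign(payload, pub, d))


def verify_with_embedded_cert(pkg: OtaPackage) -> bool:
    """Weak design: key taken from the package. Proves internal consistency only."""
    return rsa_verify(pkg.payload, pkg.signature, pkg.otacert)


def verify_with_pinned_keys(pkg: OtaPackage, trusted: Tuple[PublicKey, ...]) -> bool:
    """AOSP-style: only keys stored on the device (/res/keys) count; otacert is ignored."""
    return any(rsa_verify(pkg.payload, pkg.signature, k) for k in trusted)


def demo() -> Dict[str, bool]:
    """Run both verifiers over a genuine, a foreign-signed and a tampered package."""
    vendor_pub, vendor_d = generate_keypair()
    other_pub, other_d = generate_keypair()  # a key the device has never seen
    pinned = (vendor_pub,)
    genuine = build_package(b"vendor-built update", vendor_pub, vendor_d)
    foreign = build_package(b"third-party update", other_pub, other_d)
    tampered = OtaPackage(b"vendor-built update (modified)", genuine.otacert, genuine.signature)
    return {
        "genuine_embedded": verify_with_embedded_cert(genuine),          # True
        "genuine_pinned": verify_with_pinned_keys(genuine, pinned),      # True
        "foreign_embedded": verify_with_embedded_cert(foreign),          # True: self-consistent
        "foreign_pinned": verify_with_pinned_keys(foreign, pinned),      # False: unknown signer
        "tampered_embedded": verify_with_embedded_cert(tampered),        # False
        "tampered_pinned": verify_with_pinned_keys(tampered, pinned),    # False
    }


if __name__ == "__main__":
    for name, ok in demo().items():
        print(f"{name:18s} {'PASS' if ok else 'FAIL'}")
```

The foreign_embedded/foreign_pinned pair is the whole argument: both verifiers reject a modified zip, but only the pinned check ties the signature to a signer the device already trusts. When auditing a recovery or FOTA binary, the question to answer is which of these two functions it implements, and the AOSP text quoted above describes the second.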
runningnak3d said:
I haven't spent anywhere near the time decompiling lg_fota and recovery (the two main binaries that handle OTA) as I have lafd, but like I said, it looks like if there is an otacert in the zip it uses that instead.
The only way to find out for sure is to test it, and it looks like we have a volunteer
@storm68 I will craft up the zip for you. Gimme an hour to wake up...
-- Brian
Take your time. In the middle of an oil change. Lol
Also as long it's safe, no brick.
How'd this go? Home all day today and have a back up phone if need be. If you need another volunteer I'm game
Sent from my LG-H918 using Tapatalk
@runningnak3d
Sorry had an issue come up....
Anyway, here is the zip.
First, your bootloader must be unlocked. If not, you will have to flash the KDZ to fix your phone since it will fail the AVB check.
Your SDcard needs to be formatted vfat. Make a directory called SoftwareUpdate (caps matter -- remember this is Linux).
Download the zip and rename it to update.zip and stick it in that directory.
With the phone booted, get an adb shell.
Type (or copy / paste) this:
Code:
am start -n com.lge.lgfota.permission/com.lge.lgfota.permission.DmcEzUpdateStart
Your phone should reboot to recovery, and (crosses fingers) should start to flash. If so, you will have TWRP.
If it fails, I need to know exactly what the error was. If it says that it can't find an OTA, I have a few more things to try. If it says that the OTA failed signature check (or something to that extent), then this was all for nothing.
-- Brian
At work, will try when I get home some time tonight. If it doesn't work will it reboot back to normal?
I also still need to unlock bootloader. I'm still fresh outta the box. Lol
Yep. If it fails due to not finding it, or failing the sig check, you may have to reboot the phone yourself, but no changes will be made.
-- Brian
@runningnak3d
E: footer is wrong
E: signature verification failed
Also from shell the phone just kinda blacks out for a sec and then nothing happens had to boot into recovery and try it that way
@whojabacod So you used the adb sideload method from recovery? If so, yes, that will fail because it uses the certs that are included with recovery.
I'll have my 918 back in a couple of days, and it will be on 10r or whatever the latest is, so I will have real incentive to get it rooted
-- Brian
With the last few posts being read I think I'll wait till you get your phone back and do your thing.
runningnak3d said:
Sorry had an issue come up....
Anyway, here is the zip.
First, your bootloader must be unlocked. If not, you will have to flash the KDZ to fix your phone since it will fail the AVB check.
Your SDcard needs to be formatted vfat. Make a directory called SoftwareUpdate (caps matter -- remember this is Linux).
Download the zip and rename it to update.zip and stick it in that directory.
With the phone booted, get an adb shell.
Type (or copy / paste) this:
Your phone should reboot to recovery, and (crosses fingers) should start to flash. If so, you will have TWRP.
If it fails, I need to know exactly what the error was. If it says that it can't find an OTA, I have a few more things to try. If it says that the OTA failed signature check (or something to that extent), then this was all for nothing.
-- Brian
I'll try this later today. Can I format the SD card via phone?
Sent from my LG V20 using XDA Labs
After browsing around, related to this process. Within the first couple of files I looked at which were related to fota. I will say I'm 100% positive this is how the malware has root on my phone. Explains why my phone says I have an external sd card installed, when I do not have one in. @runningnak3d . I do appreciate all your time and effort you've put into getting root on this phone, again. And this process will work when implemented properly. ( not saying his process is incorrect ) . reason I say I'm certain. Is because the files in my phone. Look reeeeaal.... familiar. Almost like I have seen the words spoken somewhere before.. **cough** previous posts above **cough**
Is this something that still needs a tester? Assuming it's as safe as estimated, since this is my (new) daily driver, I'd be willing to try it with my stock H918 10q.
