[DEV] S-OFF, PERMROOT, eMMC write [INSTRUCTIONS] - Desire HD Android Development

props to scotty & tmzt
BE CAREFUL WHAT PARTITION YOU'RE DD'ING INTO OTHERWISE YOU'LL END WITH A BRICK.
Instructions
1: Get VISIONary from the market and do a temp root
2: download http://rapidshare.com/files/429891451/dhd_root.zip and extract.
Place these files in /sdcard/ on your DHD (you only need 1 of the .ko, depending on your kernel version - check with uname -a in adb shell)
Go to adb shell, switch to root (su) and do the following:
insmod /sdcard/wp-(version).ko
for example: insmod /sdcard/wp_g5ed1769.ko
This will disable wp (will be enabled on reboot though...)
dd if=/sdcard/hboot_eng.nb0 of=/dev/block/mmcblk0p18
This will install engineering hboot
BE CAREFUL - DOUBLE CHECK THE PARTITION
dd if=/sdcard/recovery.img of=/dev/block/mmcblk0p21
OR
save recovery.img somewhere on your HDD, open a shell/cmd in that directory and:
fastboot flash recovery recovery.img
Both ways will install an unsecured recovery (not clockwork yet)
The module is for the release version of DHD (2.32.21-g5ed1769)
If you have another one, you can easily mod it:
check your version via:
cat /proc/version
Download a Hex Editor, search for vermagic in the wp_g5ed1769.ko, and replace patch version with:
g5ed1769
Save
Reload to sdcard and follow instructions from the top.
You can now PERMROOT (once you load the module, just push su and Superuser.apk to /sdcard/)
and
copy su to /system/bin/
and Superuser.apk to /system/app/
Don't forget to suid su:
su
chmod 4755 /system/bin/su
NOTE:
once you load the module, you can confirm a successful load via:
dmesg|tail
here's a sample output
<3>[ 881.934631] mmc0: DMA channel flushed (0x80000004)
<3>[ 881.935241] Flush data: 00000000 00000000 00000103 c0088008 c7e38000 00000001
<6>[ 881.935913] mmc0: Controller has been reset
<6>[ 881.936279] mmc0: Worked around bug 1535304
<3>[ 881.941802] mmcblk0: error -110 sending status comand
<3>[ 881.942443] mmcblk0: error -110 sending read/write command, response 0x0, card status 0x0
<3>[ 881.943084] mmcblk0: error -5 transferring data, sector 327712, nr 8, card status 0x0
<6>[ 881.943695] mmc0: reinit card
<4>[ 881.944030] mmc0: Starting deferred resume
<6>[ 882.010437] mmc0: Deferred resume completed

What about adb pushing su and Superuser.apk WHILE flashing a STOCK ROM via RUU? The eventual signatures check is in the beginning only and thus irrelevant for this procedure.
During this length process, the real SYSTEM: is unlocked, and we should be able to do anything we want during that time.
Basically, we just need to check till /system/bin/su is copied from the RUU, THEN push ours, in order to prevent overwriting by the stock one.
This SHOULD, at least in theory, allow us to have persistent root. Can anybody check that?

While flashing the via RRU every file that is pushed is sig checked... Besides we cant push spcific files in RRU anyway :-|
And before anyone says recovery ADB is locked down in recovery so cant push anything that way :-(
Tbh we have two hopes... Have a singed test recovery to flash we need a shipping desire hd to test this -- (first desire root type)
And the G2 root ppl the hd will have the same protection as the G2
Sent from my GT-I9000 using XDA App

I was just pushing ideas around, things I need to check anyway.
It's hard to do any real work without a device to work on (yet - should be shipped by next week).
It WOULD be great if anyone could come forward with a test/engineering device I could work with. Maybe a test/engineering partitions dump?

Since I am *still* waiting for my device (thanks HT...) and can't field test any of my ideas, I've been filing a few of them in the G2 forum.
The latest one being http://forum.xda-developers.com/showpost.php?p=8818111&postcount=184

adwinp said:
Since I am *still* waiting for my device (thanks HT...) and can't field test any of my ideas, I've been filing a few of them in the G2 forum.
The latest one being http://forum.xda-developers.com/showpost.php?p=8818111&postcount=184
Click to expand...
Click to collapse
Getting my HD on Friday hopefully will hand it over to team villainrom and see what we can do grrrr

R.E is a b*****.
If only we had access to an engineering device, we could dump pmem (since we know at what address HBoot is loaded anyway), compare that to a retail device, and try some binary patching the HBoot via userland and/or a module....

I have just thought about it: can the lock be related to path, not to address or something? Maybe you could symlink /system somewhere in /data (somewhere that is writable normally) and write through this symlink? Kinda improbable but worth trying...
Sent from my HDfied HTC Desire
Sent from my HDfied HTC Desire

K900 said:
I have just thought about it: can the lock be related to path, not to address or something? Maybe you could symlink /system somewhere in /data (somewhere that is writable normally) and write through this symlink? Kinda improbable but worth trying...
Sent from my HDfied HTC Desire
Sent from my HDfied HTC Desire
Click to expand...
Click to collapse
Unfortunately it doesn't work that way.
;]
A symlink inherits all properties of the parent.
It's like trying to change tires in a car with a broken down engine. You won't be able to drive it, no matter what the tires.

adwinp said:
Unfortunately it doesn't work that way.
;]
A symlink inherits all properties of the parent.
It's like trying to change tires in a car with a broken down engine. You won't be able to drive it, no matter what the tires.
Click to expand...
Click to collapse
I think the lock is not in the FS, it's somewhere lower level, so it just might work
Sent from my HDfied HTC Desire

K900 said:
I think the lock is not in the FS, it's somewhere lower level, so it just might work
Sent from my HDfied HTC Desire
Click to expand...
Click to collapse
We do know where the lock is; here, have some nice reading (the parts pertaining to emmc):
http://forum.xda-developers.com/showthread.php?t=803208

adwinp said:
We do know where the lock is; here, have some nice reading (the parts pertaining to emmc):
http://forum.xda-developers.com/showthread.php?t=803208
Click to expand...
Click to collapse
Oh, then it's a phail.
Sent from my HDfied HTC Desire

K900 said:
Oh, then it's a phail.
Sent from my HDfied HTC Desire
Click to expand...
Click to collapse
No. http://tjworld.net/wiki/Android/HTC/Vision/HbootAnalysis
Great work is being done by "IntuitiveNipple".

adwinp said:
No. http://tjworld.net/wiki/Android/HTC/Vision/HbootAnalysis
Great work is being done by "IntuitiveNipple".
Click to expand...
Click to collapse
Not rooting at all, just my idea
Sent from my HDfied HTC Desire

hey, first post in the android section, still awaiting the arrival of DHD, after alot of reading about getting root, i was thinking, as mentioned above somewhere, the update process does'nt allow pushing of specific files, this got me thinking of a Windows Live games security wich was supposed to block those pesky cheaters of using RAM intercepts of running processes.
isn't it a possibility to intercept the write buffer before it outputs to device and replace neccesary files to gain root access? in other words, patch it with superuser.akp via injection or disable nand security listening?
run a rom installer with a signed rom > output to virtual device(or buffer) > patch the neccesary files > (output altered dataflow in sections we need so physical device still believes its signed as the checks are still there on update.) to physical device
could this work?

What about change one of signed file from oficial ROM/OTA update?
As far as I understand digital signature is based on SHA-1 which is kind of "broken".
So we have to choose some file in official update zip, change its contents to "useful_part+garbage_to_match_sha1" and update
just google "sha-1 broken"

Golomidov said:
What about change one of signed file from oficial ROM/OTA update?
As far as I understand digital signature is based on SHA-1 which is kind of "broken".
So we have to choose some file in official update zip, change its contents to "useful_part+garbage_to_match_sha1" and update
just google "sha-1 broken"
Click to expand...
Click to collapse
It's almost impossible to get a sha1 hash to match. But I wonder if we can reverse engineer the RUU and make it skip hash checks or check against the modified file's hash
Sent from my HDfied HTC Desire

@WendigoNL: the ruu itself doesn't do anything. All the work is done by HBoot.

adwinp said:
@WendigoNL: the ruu itself doesn't do anything. All the work is done by HBoot.
Click to expand...
Click to collapse
i thought the ruu does something?
doesn't send adb reboot bootloader and then fastboot oem -78 command? and put it in ruu mode?but before all that, doesn't it push the rom.zip somewhere? :S
sorry just want clarification. i know this method won't work as the bootloader will check the signed keys on the zip file so you can't hijack the rom.zip file, i.e. in the temp folder replace rom.zip with a test ruu or even a custom rom with SU and and custom recovery pushed in the zip file.
i may be completely wrong and look forward to your answer adwinp.
i may try this when i get home but i know htc arnt THAT stupid

New baseband in 1.32.405.6 update, version number: 12.28b.60.140eU_26.03.02.26_M

Related

How to flash the G1

WARNING: Following these instructions may brick your phone, void your warranty and kill your dog. You don't want your dog to die do you?
Once I got root access on my G1, I've been messing around with trying to build reflash the recovery partition. That project is still in progress, but I have learned a bit about how to flash the various partitions on the G1.
First things first, you have to have root access. See this thread.
There are 6 mtd devices or partitions on the G1, mtd0-mtd5. They are located at /dev/mtd. You can use the /system/bin/flash_image tool to flash an image to any of these.
The syntax for the flash_image tool is:
Code:
# flash_image
usage: flash_image partition file.img
#
You can see a list of partition names and which device they are associated with by doing a "cat /proc/mtd".
Code:
#cat /proc/mtd
dev: size erasesize name
mtd0: 00040000 00020000 "misc"
mtd1: 00500000 00020000 "recovery"
mtd2: 00280000 00020000 "boot"
mtd3: 04380000 00020000 "system"
mtd4: 04380000 00020000 "cache"
mtd5: 04ac0000 00020000 "userdata"
#
These should all be self explanatory, except maybe "misc", which just appears to have a few string values.. Not really sure what it's used for..
Before you do any erasing or writing, it's a "really good idea" (tm) to make backups of each of these. Even if you don't plan on writing to them. I had accidentally erased the bootloader partition (typed mtd0 instead of mtd1), which I'm fairly sure would have bricked my phone if I had tried to reboot it. Ugh! Luckily, I had created a backup earlier, so I was able to restore it. (And then was nervous as heck when I tried to reboot it... "Please boot up! Please boot up!")
To create the backups:
Code:
# cat /dev/mtd/mtd0 > /sdcard/mtd0.img
# cat /dev/mtd/mtd1 > /sdcard/mtd1.img
# cat /dev/mtd/mtd2 > /sdcard/mtd2.img
# cat /dev/mtd/mtd3 > /sdcard/mtd3.img
# cat /dev/mtd/mtd4 > /sdcard/mtd4.img
# cat /dev/mtd/mtd5 > /sdcard/mtd4.img
#
Now you can use flash_image to write the new image.
Code:
#flash_image recovery /system/recovery.img
#
And that's how it's done.
Update: You normally don't need to erase the flash before you write, as long as you don't corrupt the flash first, by trying to "cat" an image directly to the mtd device, like I did . If you get a lot of ECC errors when you use flash_image then you need to erase it
Code:
# cat /dev/zero > /dev/mtd/mtd1
write: No space left on device
#
On a related note, Based on my experience so far, the recovery partition is not critical to booting the G1. When I first tried this, I used flash_image to write a new image without erasing the partition first, and it corrupted it pretty good. When I tried to boot the G1 into recovery mode (power+home), it would go to the bootloader screen instead. But it would boot into normal mode just fine.
Additionally, I've verified that the device will boot into recovery mode if you screw up the boot partition (mtd2). So as long as you at least have a good recovery image *or* a good boot image, you should be able to get back in business. Just don't try to update both at the same time.
Even so.. be careful, and don't come crying to me when you brick your phone. Or if your dog dies. You don't want your dog to die do you?
Excellent work!
So if misc is the boot loader, it looks like it is roughly 266k. If you can dump it, have you tried to "open" the image and see if you can see files?
Now you have given me more ideas
readonly sdcard?
When I run: cat /dev/mtd/mtd1 > /sdcard/mtd1.img
I got this:
cannot create /sdcard/mtd1.img: read-only file system
I know I am root...
staulkor said:
So if misc is the boot loader, it looks like it is roughly 266k. If you can dump it, have you tried to "open" the image and see if you can see files?
Click to expand...
Click to collapse
Actually, now that I look at it.. I'm not positive that mtd0 is the bootloader. There's not much data there at all. Just a few strings in the beginning, then lots of nothing. Mostly all FFs, with a few blocks of 00s thrown in. It doesn't look like there's any code at all, so it can't be the bootloader.
Nice work. How about the signing? Does the image you flash have to be correctly signed this way?
blues said:
When I run: cat /dev/mtd/mtd1 > /sdcard/mtd1.img
I got this:
cannot create /sdcard/mtd1.img: read-only file system
I know I am root...
Click to expand...
Click to collapse
Do you have the sdcard mounted for USB access? If so, just unplug the usb cable and plug it back in. (don't select "mount" in the usb notification thingy that pops up)
Chainfire said:
Nice work. How about the signing? Does the image you flash have to be correctly signed this way?
Click to expand...
Click to collapse
Nope. This is a raw write directly to the flash device. The whole signing thing is only applicable to the OTA updates (or Update.zip style update).
But the other project I'm working on is to rebuild the recovery mode and disable the signature check for OTA/update.zip updates.
If you check out the SDK and build the open-source version for the phone, it builds a custom recovery-image that accepts only things signed with the testkeys - which is cool. Since the test keys are in the directory, you can easily resign the images yourself.
I know a guy who has done this now. I'll do it when I get a chance.
There are two proprietary files that you have to suck off the device in addition to the ones that the "extract_files" script in the android build pulls off - I sent in a patch to fix this but who knows if they'll apply it or not (I thnk they think that the crap in the msm7k dir will do something)
What I'm wondering is if we can write an update mode that will backup the contents of the /cache and /data to the SDCard - then erase the three partitions - then recreate /data as a huge partition and leave only 10 or 15 megs for /cache - because... well.. /cache is worthless since OTA updates aren't gonna happen to our phones anymore anyway. It would be nice to get an extra 40 megs for app storage.
JesusFreke said:
Actually, now that I look at it.. I'm not positive that mtd0 is the bootloader. There's not much data there at all. Just a few strings in the beginning, then lots of nothing. Mostly all FFs, with a few blocks of 00s thrown in. It doesn't look like there's any code at all, so it can't be the bootloader.
Click to expand...
Click to collapse
I just looked at my dumped mtd0.img and I see a few interesting strings:
T-MOB010
DeviceWarmBoot
CE Serial InUse
Debug Cable Ena
CE USB InUse
ClearAutoImage
And then a mountain of FFs, lol
You are right. I am on XP machine. So I disabled the usb storage, and it works fine
JesusFreke said:
Nope. This is a raw write directly to the flash device. The whole signing thing is only applicable to the OTA updates (or Update.zip style update).
But the other project I'm working on is to rebuild the recovery mode and disable the signature check for OTA/update.zip updates.
Click to expand...
Click to collapse
It works for me now.
RyeBrye said:
If you check out the SDK and build the open-source version for the phone, it builds a custom recovery-image that accepts only things signed with the testkeys - which is cool. Since the test keys are in the directory, you can easily resign the images yourself.
Click to expand...
Click to collapse
Yep, that's exactly what I'm doing. I'm planning on posting a recovery.img for others to use, since trying to build the thing from scratch is a pain, and takes forever.
RyeBrye said:
There are two proprietary files that you have to suck off the device in addition to the ones that the "extract_files" script in the android build pulls off - I sent in a patch to fix this but who knows if they'll apply it or not (I thnk they think that the crap in the msm7k dir will do something)
Click to expand...
Click to collapse
I assume you're talking about libaudio.so and librpc.so?
RyeBrye said:
What I'm wondering is if we can write an update mode that will backup the contents of the /cache and /data to the SDCard - then erase the three partitions - then recreate /data as a huge partition and leave only 10 or 15 megs for /cache - because... well.. /cache is worthless since OTA updates aren't gonna happen to our phones anymore anyway. It would be nice to get an extra 40 megs for app storage.
Click to expand...
Click to collapse
Good idea. Even better would be if we could put the installed apps and all data on the sdcard.. But that would probably be a harder modification than just resizing the partitions.
staulkor said:
I just looked at my dumped mtd0.img and I see a few interesting strings:
T-MOB010
DeviceWarmBoot
CE Serial InUse
Debug Cable Ena
CE USB InUse
ClearAutoImage
And then a mountain of FFs, lol
Click to expand...
Click to collapse
that partition is the config partition, standard HTC stuff.
T-MOB010 is your CID (carrier ID, spl checks this when flashing NBH), but it is only a backup copy of it, the real CID is in radio part of nand (protected!).
and the rest is just config stuff for SPL and radio. (yes HTC uses strings to set these configs - SPL reads the strings from specific nand addresses and decides what to do)
JesusFreke said:
On a related note, Based on my experience so far, the recovery partition is not critical to booting the G1. When I first tried this, I used flash_image to write a new image without erasing the partition first, and it corrupted it pretty good. When I tried to boot the G1 into recovery mode (power+home), it would go to the bootloader screen instead. But it would boot into normal mode just fine.
Click to expand...
Click to collapse
very nice stuff! have you been able to reflash a recovery.img then to fix the corruption?
and you are right about the boot order... it's : radio bootloader -> SPL (that tricolour screen is SPL mode) -> boot.img or recovery.img.
(if boot.img then the OS loads)
cmonex said:
very nice stuff! have you been able to reflash a recovery.img then to fix the corruption?
Click to expand...
Click to collapse
Yep. I screwed up the recovery partition and rebooted, and wasn't able to boot into recovery mode. It just went into SPL mode when I tried. Then I normal booted and re-flashed with the original recovery.img and rebooted, and was able to boot into recovery mode.
Thanks for the info on the boot order. I didn't realize the radio image was used for booting, I figured it was just firmware for the 3G chip or something.
I'm getting close to being able to apply my own update.zip style update. I've been able to reflash the recovery partition with a custom built recovery image that skips the signature verification. I'm having a touch of trouble getting it to actually install an update.zip though. It keeps saying "update script not found", even though there is a "META-INF/com/google/android/update-script" file in the zip. Arg! Anyways.. I'm in the process of tracking the issue down. More to come!
cmonex said:
that partition is the config partition, standard HTC stuff.
T-MOB010 is your CID (carrier ID, spl checks this when flashing NBH), but it is only a backup copy of it, the real CID is in radio part of nand (protected!).
and the rest is just config stuff for SPL and radio. (yes HTC uses strings to set these configs - SPL reads the strings from specific nand addresses and decides what to do)
Click to expand...
Click to collapse
Ah! Excellent info.
I was finally able to get the rebuilt recovery tool to work. The problem with the update.zip was due to the fact that the zip was built in windows, so it had the wrong path separators. It was looking for META-INF/com/google/android/update-script, but the zip file contained META-INF\com\google\android\update-script
After switching the slashes around in a hex editor, it installed the update no problem.
Next, I was tempted to try to flash the boot partition. I was somewhat sure that I would be able to recover from a bad boot flash, with my nifty new recovery tool. But after reading about the guy that bricked his phone (over in the root thread), I was a bit scared.
But I finally went ahead and decided to give it a try. You only live once, right?
So I opened up a root console, and just wiped the boot partition clean. "cat /dev/zero > /dev/mtd/mtd2" and rebooted. Palms sweaty.. breathing hard.. shaking.. Powered the phone on (without holding down home), and it comes up to the recovery tool. So far so good. Then I ran the update on the sdcard - it was a smallish update I had created before hand that just flashed the original boot image back to mtd2. Update runs fine.. phone reboots....
And it boots up normally.
yes!
*takes a big sigh of relief*
So now I can mess around with the boot partition, and know that I have that recovery tool safety net.
And now. It's time to sleep. *head hits the keyboard*
very cinematic good job mate!
Very nice work
Congrats on the successful flash!
strings in mda1.img include:
Code:
ANDROID!
no_console_suspend=1
-- System halted
ran out of input data
Malloc error
Memory error
Out of memory
incomplete literal tree
incomplete distance tree
bad gzip magic numbers
internal error, invalid method
Input is encrypted
Multi part input
Input has invalid flags
invalid compressed format (err=1)
invalid compressed format (err=2)
out of memory
invalid compressed format (other)
crc error
length error
Uncompressing Linux...
done, booting the kernel.
What are these images? Are they filesystem images that you could theoretically mount? If so, what filesystem (I haven't gotten anything to work).

[ROOT] ROOT Status of Official Sprint 2.1 release RUU: YES! | 6/03

ROOT Status of RUU_Hero_C_Sprint_2.27.651.5_R_signed_release : YES
Update: Regaw finally made it for us all! More info here http://forum.xda-developers.com/showthread.php?t=694572
======================================================
I noticed that someone has mixed up the TEST RUU and the RELEASE RUU. However they are different. The test RUU has su file built inside, other than the release RUU!
I flashed RUU_Hero_C_Sprint_2.27.651.5_R_signed_release.exe and i love it very much.
This update is very great, except that I lose my root access. And I tried every method to get root back again but failed.
1. Using asroot2 to root - Failed
I followed the Sticky GUIDE "How to Root the Sprint CDMA Hero", but failed when running
Code:
/data/local/asroot2 /system/bin/sh
The process was killed.
I know the linux kernel changed to 2.6.29 with the update. Maybe that is the reason why asroot2 does not work.
2. Using flashrec to flash a custom recovery image and then get root - Failed
I installed FlashRec 1.1.3 from zenthought's website, but failed when I tried backingup my recovery image.
3.Using adb to push the su file into the phone - Failed
I dump the su file from damageless's rom and flipz's Fresh 2.1.1 rom. Then using adb to push it into /data/local/ and chmod it to 4777, but running failed. It just said "Permission Denied". However, i push a busybox file into /data/local/ and chmod it to 4777, the busybox command runs ok.
KeithKris pointed that Su doesn't work on /data because that directory is mounted nosuid.
4.Using fastboot to flash a custom recovery image and then get root - Failed
I reboot my phone into fastboot, then connect it to PC using USB. I tried this command "fastboot boot recovery-RA-heroc-v1.6.2.img" but faild, it said "downloading 'boot.img'... FAILED (remote: not allow)".
5.Trying to flash back to RUU_Hero_C_Sprint_2.20.651.1_signed_test.exe - Failed
It said "Error 140: BOOTLOADER Version Error!".
Although regaw_leinad has pointed that the md5s on both(release version and test version) hboots are the EXACT same.
b819083aa9fe456c5a5fbde4917980e2
and
b819083aa9fe456c5a5fbde4917980e2
Click to expand...
Click to collapse
Thanks regaw_leinad for your kind help.
Update: 6. the Volex method - Failed
this volex method is revealed here. Already tested by regaw that 2.1 patched it. It doesn't work.
======================================================
After all these failures, there seems to be at least two ways to get the root back. And regaw_leinad and other guys are working hard on them.
1. Try to make a new asroot2 to exploit the linux 2.6.29/android 2.1 on our cdma hero. Here is the source code of our asroot2 -- heroc 1.5 exploit tool.
2. Try to hack the RUU file (actually we mean the rom.zip in the RUU.exe) and make sure it will pass the Bootloader check and signature check(maybe md5?). Then we could flash a RUU with su built inside and get the root back.
If anyone knows something about how to pass the signature check(maybe md5?) or linux kernel exploit, please share your wisdom. Thank you.
This post will be updated every day until the way to root comes out.
Update: Thanks to the donators in this thread! I believe the devs will find the exploit method soon with your support!
======================================================
BTW: Never ever flash the official 2.1 release RUU.exe unless you know what you are doing. You won't get root access until the exploit method has been found. If you do love the official update, you may flash this damageless's rom dump from the official 2.1 release. And the radio dump from the official 2.1 release is here1 and here2 (thanks to damageless and flipz, and remember flashing radio at your own risk). The only difference between damageless's dump and official RUU's system part is that it has root and busybox and it removed some useless apks.
would it be more like fastboot boot /sdcard/recovery-RA-.........img?
justinisyoung said:
would it be more like fastboot boot /sdcard/recovery-RA-.........img?
Click to expand...
Click to collapse
I tried /sdcard/recovery....img again, faild. Because in this command the image file should be on the PC not on the phone.
1. Make sure you have the Android SDK installed. Read HERE for more info.
2. Download 4shared.com - online file sharing and storage - download flash_image.zip
3. Download 4shared.com - online file sharing and storage - download recovery-RA-heroc-v1.5.2.img
4. Unzip the first file, and place both in your Android SDK/tools folder.
5. Make sure USB debugging is ON
6. Connect your phone to the PC
7. Open the command window and navigate to the Android-sdk/tools folder on your computer.
8. At the prompt enter the following, one line at a time followed by enter
Code:
adb shell
su
mount -o remount,rw -t yaffs2 /dev/block/mtdblock3 /system
exit
exit
adb push flash_image /system/bin
adb push recovery-RA-heroc-v1.5.2.img /sdcard
adb shell
chmod 0755 /system/bin/flash_image
reboot
9. Your phone will reboot. When it is finished, back at your command window, once again enter
Code:
adb shell
su
cd /sdcard
flash_image recovery recovery-RA-heroc-v1.5.2.img
reboot recovery
10. With any luck, you'll have the recovery image back and can load custom 2.1 based ROMS again.
__________________
elhead17 said:
1. Make sure you have the Android SDK installed. Read HERE for more info.
2. Download 4shared.com - online file sharing and storage - download flash_image.zip
3. Download 4shared.com - online file sharing and storage - download recovery-RA-heroc-v1.5.2.img
4. Unzip the first file, and place both in your Android SDK/tools folder.
5. Make sure USB debugging is ON
6. Connect your phone to the PC
7. Open the command window and navigate to the Android-sdk/tools folder on your computer.
8. At the prompt enter the following, one line at a time followed by enter
Code:
adb shell
su
mount -o remount,rw -t yaffs2 /dev/block/mtdblock3 /system
exit
exit
adb push flash_image /system/bin
adb push recovery-RA-heroc-v1.5.2.img /sdcard
adb shell
chmod 0755 /system/bin/flash_image
reboot
9. Your phone will reboot. When it is finished, back at your command window, once again enter
Code:
adb shell
su
cd /sdcard
flash_image recovery recovery-RA-heroc-v1.5.2.img
reboot recovery
10. With any luck, you'll have the recovery image back and can load custom 2.1 based ROMS again.
__________________
Click to expand...
Click to collapse
Sorry dude, there is NO su file in this released version of RUU.
So you won't run su after adb shell
just a question but can you successfully run the testkeys release RUU on your phone?
I thought with new 2.1 update root access was removed and there was no way workaround to get root access. I might be wrong here.
You might want to try RUU back to 1.56 version and try to gain ROOT access and just flash ROM release by the dev's here which still give us ROOT access.
I'm not sure if it even possible to go back from 2.1 to 1.5 RUU. Maybe some with more knowleadge of RUU can chip in here.
In addition the RUU you flash is same one release by Devs here on their modify ROMs.
i dont think it is possible to ruu back to 1.5. i think a dev said something about hboot being updated so it needs a new way for root.
kashb91 said:
i dont think it is possible to ruu back to 1.5. i think a dev said something about hboot being updated so it needs a new way for root.
Click to expand...
Click to collapse
You are correct sir. There's no way to downgrade hboot (without root), just like why you can't run the 1.29 RUU if you ran the 1.56, or yours came with 1.56 on it.
F.A.I.L.
10chars
aside from people who "accidentally" installed RUU, The push to quickly root this release is probably low priority, first of all this phone is probably end of life, so the chances of it coming out of the factory with 2.1 on it are slim.
2nd I imagine when the Evo gets released this forum will become a ghost town as far as new development is concerned
gunnyman said:
aside from people who "accidentally" installed RUU, The push to quickly root this release is probably low priority, first of all this phone is probably end of life, so the chances of it coming out of the factory with 2.1 on it are slim.
2nd I imagine when the Evo gets released this forum will become a ghost town as far as new development is concerned
Click to expand...
Click to collapse
well, I'll be around here unless someone buys me an EVO &
It is actually possible to go back to 1.5 even if you used the RUU (well I should say the test RUU). I just did it yesterday so I could take my phone in for service. I'll post how I did it when I'm not mobile. Basically I created an update package to flash the old hboot then used a combination of the 2 main unroot threads. Ended up being able to use the sdcard method after flashing the misc.ing from the other method. I know probably doesn't make sense but I've got it all documented at home.
eme82 said:
It is actually possible to go back to 1.5 even if you used the RUU (well I should say the test RUU). I just did it yesterday so I could take my phone in for service. I'll post how I did it when I'm not mobile. Basically I created an update package to flash the old hboot then used a combination of the 2 main unroot threads. Ended up being able to use the sdcard method after flashing the misc.ing from the other method. I know probably doesn't make sense but I've got it all documented at home.
Click to expand...
Click to collapse
I can't WAIT to read how you did this! I have been dying to get back to original HBoot since I ran the first test RUU back in April.
gunnyman said:
aside from people who "accidentally" installed RUU, The push to quickly root this release is probably low priority, first of all this phone is probably end of life, so the chances of it coming out of the factory with 2.1 on it are slim.
2nd I imagine when the Evo gets released this forum will become a ghost town as far as new development is concerned
Click to expand...
Click to collapse
Well, if we are able to root this Sense 2.1 then theoretically the same root method may work on the Evo, thereby cutting down our wait for a rooted Evo. Just a thought.
chuckhriczko said:
Well, if we are able to root this Sense 2.1 then theoretically the same root method may work on the Evo, thereby cutting down our wait for a rooted Evo. Just a thought.
Click to expand...
Click to collapse
Very very good point I'm not getting an evo till its rooted anyway
chuckhriczko said:
Well, if we are able to root this Sense 2.1 then theoretically the same root method may work on the Evo, thereby cutting down our wait for a rooted Evo. Just a thought.
Click to expand...
Click to collapse
Possible, but I doubt it.
Chances are it's an entirely different kernel. My guess is the EVO gets a 2.6.30+ Kernel - It's hardware is completely different from ours. QUALCOM doesn't even make our chipset any more.
I updated to 2.1 using damage sprintupdate2.zip. I want to use wifi-tether now. Where can I find the version I need for this particular build? I looked on wifi-tether website, but it says the 2.1 compatible version is for Nexus One. Is there even a version for Eclair for the Hero?
Would build wireless_tether_2_0_2-pre9.apk for the N1 work?
zemerick said:
I updated to 2.1 using damage sprintupdate2.zip. I want to use wifi-tether now. Where can I find the version I need for this particular build? I looked on wifi-tether website, but it says the 2.1 compatible version is for Nexus One. Is there even a version for Eclair for the Hero?
Would build wireless_tether_2_0_2-pre9.apk for the N1 work?
Click to expand...
Click to collapse
I'm still using pre6 seems to be the one for the Hero.
zemerick said:
I updated to 2.1 using damage sprintupdate2.zip. I want to use wifi-tether now. Where can I find the version I need for this particular build? I looked on wifi-tether website, but it says the 2.1 compatible version is for Nexus One. Is there even a version for Eclair for the Hero?
Would build wireless_tether_2_0_2-pre9.apk for the N1 work?
Click to expand...
Click to collapse
Here's the link: http://code.google.com/p/android-wi...ireless_tether_1_60_htc.apk&can=2&q=HTC+Donut

[GUIDE] How to downgrade 1.7x/1.8x/2.x to 1.32.405.6

DO NOT USE THIS IF YOUR PHONE CAME WITH GINGERBREAD Or newer Software. Use the Ace Hack Kit for DHD ​
How to downgrade to 1.32.405.6 WWE
HTC - Quietly S-OFF. Again.​
About:
The problems started when HTC released their 1.72.405.3 OTA update. That update could not be rooted, and many people got stuck in stock roms. Now a downgrade method has arrived! After this process, you can use any root (+ S-OFF) method you want. Basically your device will be just like any other Desire HD with older build version. Downgrading will completely reset your device to factory defaults, so remember to back up all important data (such as contacts, game saves and sms messages).
System requirements:
HTC Sync (or ADB drivers)
Desire HD with build number 1.72 or higher
[Warning] Telus DHDs may lose sound because the 1.32.405.6 is not fully compatible with the sound chip. Just start using a custom ROM, and it will work fine.
How to downgrade:
Section 1
Disable any antivirus software
If you have a branded / regional (like Indian or Vodaphone) device, you have to make a Goldcard. Use "mmc2" instead of "mmc1"!!
Download the attached file and extract it
Get stock 1.32 PD98IMG.zip ROM, mirror
Put the PD98IMG.zip into your SD card. Do not put it into a folder, and do not extract it.
Click to expand...
Click to collapse
Section 2a [For Froyo ROMs, 1.7x and 1.8x]
Connect Desire HD to a computer. Charge only, USB Debugging enabled!
Open up a cmd and go to Downgrade folder, execute commands:
Code:
adb push psneuter /data/local/tmp
adb push misc_version /data/local/tmp
adb shell chmod 777 /data/local/tmp/psneuter
adb shell chmod 777 /data/local/tmp/misc_version
adb shell /data/local/tmp/psneuter
adb shell
Click to expand...
Click to collapse
Section 2b [For Gingerbread ROMs, 2.x]
Connect Desire HD to a computer. Charge only, USB Debugging enabled!
Open up a cmd and go to Downgrade folder, execute commands:
Code:
adb push misc_version /data/local/tmp
adb push fre3vo /data/local/tmp
adb shell chmod 777 /data/local/tmp/fre3vo
adb shell chmod 777 /data/local/tmp/misc_version
adb shell
./data/local/tmp/fre3vo -debug -start FBB00000 -end FFFFFFFF
Click to expand...
Click to collapse
Section 3
If you got "#" in the result, you have temporary root! Proceed with commands:
Code:
cd /data/local/tmp
./misc_version -s 1.31.405.6
Close the CMD. Reboot while holding volume down, it will go to the bootloader
Follow the instructions (start the update)
Done. You can now click my thanks button! Proceed with old S-OFF methods, and remove the PD98IMG.zip from your SD. I recommend Radio S-OFF for new users.
Click to expand...
Click to collapse
Big thanks: Scotty2, Guhl and the fre3vo team
Downloadcount for Downgrade package v1 is 15808, and for v2 it is 32012.
FAQ:
Q: Will I lose all my settings and applications?
- Yes, so make a backup with MyBackup Pro.
Q: I have done Radio S-OFF and SuperCID, do I need this?
- No, with those you do not need this kind of trickery.
Q: I have flashed a custom ROM with e.g. 1.84 build number, do I need this?
- No, with ClockworkMod you can jump between builds freely.
Q: It says '#' but I still cannot use root applications!
- That is normal, this method only gives root in command line. Just go ahead and downgrade.
Q: Is my phone Froyo or Gingerbread?
- Check it in Settings -> About -> Software information -> Android version. 2.2 is Froyo and 2.3 is Gingerbread.
Q: How do I navigate to downgrade folder?
- You can read this short and easy explanation.
Click to expand...
Click to collapse
Troubleshooting:
- "Main version is older"? You did not type everything correctly. Please try it again and see if any errors come up.
- "Error opening backup file"? You did not use "Charge only" -connection, or your SD card is faulty.
- "CID mismatch/CID incorrect"? Your device is branded. Just make a Goldcard, put the PD98IMG.zip to the card again and go to the bootloader.
- "Model ID incorrect"? Some Telus DHDs get this, just make a Goldcard.
- "Failed to set prot mask (Inappropriate ioctl for device)"? Use Gingerbread method to downgrade.
- Zip will not load in bootloader? Format your SD card to FAT32, no quick format! You can also try another SD.
- Problems while making Goldcard? See this post.
- PD98IMG.zip md5sum is: C3D244A9F056E48EE3851A14FF52204C
Click to expand...
Click to collapse
If you like my work, please consider: (or just hit the thanks button )
Am I missing something or is it your link that just ain't there ?? lol
mcnob said:
Am I missing something or is it your link that just ain't there ?? lol
Click to expand...
Click to collapse
He's most likely updating it as we type - hate clutter so lets sit back and wait
http://forum.xda-developers.com/showpost.php?p=10428859&postcount=162
mcnob said:
Am I missing something or is it your link that just ain't there ?? lol
Click to expand...
Click to collapse
Look:
http://forum.xda-developers.com/showpost.php?p=10428115&postcount=54
but you should use DHD RUU (not desire Z) and lower version numer (since unbranded rootable version for DHD is 1.32.405.6)
Great work to everyone involved, now finally those lame "root doesn't work" posts will vanish
Excellent
So has any one tried it?
Got temp root trying to flash old ruu...lets see
I have temproot working. Currently downloading the RUU file on my REALLY slow internet...
I think there is a couple of small errors?
cd /data/local/tmp
./misc-version -s 1.31.405.3
should be
cd /data/local/tmp/
./misc_version -s 1.31.405.3
also, the psneuter is a .txt file, just remove the .txt extension to use the file.
robE9 said:
Got temp root trying to flash old ruu...lets see
Click to expand...
Click to collapse
Second confirmation for temp root but I've ran out of time to flash RUU
"So, rebooted in bootloader, loaded pd98img.zip....checked it but after says Main Version is older ! Update Fail ! Press power to reboot.
Any ideeas to try ?
Once i am home again I shall donate a crate of beer to the team!!
BlackTigerX said:
Great work to everyone involved, now finally those lame "root doesn't work" posts will vanish
Click to expand...
Click to collapse
You still will not have permanent root of 1.72/1.75! but this does allow you to downgrade and attain root on older Firmware
robE9 said:
"So, rebooted in bootloader, loaded pd98img.zip....checked it but after says Main Version is older ! Update Fail ! Press power to reboot.
Any ideeas to try ?
Click to expand...
Click to collapse
Did you get #, and did you run the misc_version executable? Did you write the version number correctly there?
ghostofcain said:
You still will not have root of 1.72/1.75! but this does allow you to downgrade and attain root on older Firmware
Click to expand...
Click to collapse
That is right. The psneuter gives temporary root, but as scotty2 said, it kind of shoots the current rom in the head while doing that..
i tried again with _ instead of - at version and now its updating hope will be ok
.. PD98IMG.zip to apply the file gives me an error
View attachment 483907​
Any ideas?. Thanks!
Is it possible to flash the PD98IMG without using an SD card?
My DHD bricked mine http://forum.xda-developers.com/showthread.php?t=895593
apside said:
.. PD98IMG.zip to apply the file gives me an error
Any ideas?. Thanks!
Click to expand...
Click to collapse
What error? I cannot find error in that screenshot.
xdario said:
Is it possible to flash the PD98IMG without using an SD card?
My DHD bricked mine http://forum.xda-developers.com/showthread.php?t=895593
Click to expand...
Click to collapse
The RUU itself might work, but I would not bet on it. Just get a new SD.
apside said:
.. PD98IMG.zip to apply the file gives me an error
View attachment 483907​
Any ideas?. Thanks!
Click to expand...
Click to collapse
dont write "reboot bootloader" just reboot by power buton and press down the volume button until you are in bootloader
Btw the downgrade was succesfull, i just rooted with visionary thx guys a lot :X
at me work fine

How to DOWNGRADE Desire S with S-ON

Warning! I don't recommend this to users who are new to Android since there is a possibility of bricking your device. I will not be responsible if this happens.
It will downgrade everything even the HBoot using a HTC signed ROM. I've downgraded RUU_Saga_Telstra_WWE_1.36.841.3 with HBoot 0.98.0002 to Hboot 0.98.0000 of RUU_Saga_HTC_Thailand_1.35.1113.2.
First you need below tools and applications. I will not explain everything since I'm assuming you already know how to use it and make it.
1. ADB tool to access you device thru shell.
2. ADB driver - you may install HTC Sync since it has ADB driver in it.
3. HEX Editor - I used HxD.
4. Spare micro SD with Goldcard.
5. Card reader to make your life easier.
6. Update.zip ROM you will use to downgrade(rename it to PG88IMG.zip).
6. GingerBreak-v1.20.apk to temp root our device.
Step 1: Copy GingerBreak-v1.20.apk to your spare micro SD and insert it into your phone.
Step 2: Enable USB debugging in your device and connect it to your PC(Charge only). Make sure the drivers are installed properly. If not, install HTC Sync.
Step 3: Install and run GingerBreak-v1.20.apk. It will force close other apps(this is normal just close it). The gingerbreak application will promp that something goes wrong with the rooting(can't remember the actual spiel) but actually we already have our temp root.
Step 4: Run you ADB tool and issue command su to have root access. You can now see in your device that Superuser app is prompting you to allow the ADB root access. Accept it.
Step 5: On the # prompt, issue command dd if=/dev/block/mmcblk0p17 of=/mnt/sdcard/mmcblk0p17.img (to copy mmcblk0p17 to your SDcard). Power off your device and copy mmcblk0p17.img to your PC.(You can also use the command shell to copy it into your PC if you know how to do it).
Step 6: Open mmcblk0p17.img using your Hex editor. On the 11th line(I think), modify the current version to 1.28.401.1(since this is the lowest version I know). Save it and copy back to SDcard. Insert the sdcard and turn your phone on.
Step 7: Run GingerBreak-v1.20.apk again and follow step 3 to 4.
Step 8: On the # prompt, issue command dd if=/mnt/sdcard/mmcblk0p17.img of=/dev/block/mmcblk0p17 (to copy back mmcblk0p17.img to your phone). Do this as quickly as possible since the temp root access sometimes loose its effect.
Step 9: Power off your device and remove your SDcard. Using your card reader, delete everything(not format) in your microSD(with Goldcard) and paste your PG88IMG.zip.
Step 10: Hold volume down + power to boot to recovery and the phone will do the installation itself. Wait until you have your downgraded ROM.
This is how I do it. Hope you won't encounter any problem with this procedure. Good luck!
I want to give thanks to all the XDA members for the knowledge I acquired for this procedure and to the developer of Gingerbreak.
You may also check sonikz procedure on post #4. I think his procedure is faster. You may use which one is easier for you to follow.
Downgrade to what?To Froyo?
And for what reason?
Sorry for that noob question...
panosfx said:
Downgrade to what?To Froyo?
And for what reason?
Sorry for that noob question...
Click to expand...
Click to collapse
Good question i think, if i remember well, on the desire (or HD?) sometimes downgrading was a way of getting to a version of software where you then could get root again !From that point on you could get a recovery installed and install some nice roms. I dont know if thats whats going on here, i wouldn't dare to hope that ...?
Me n00b me downgrade
Newrad67, I have compiled a n00b way to achieve very similar results:
First off you need to create a Gold Card
Use the memory card that came with the phone, may as well hey!
Install Goldcard helper from market, run it and copy the CID for MMC2
This number has already been reversed so go to here, fill out the required fields.
That will then email you an image file. You can then using Gold Card Tool flash your image file to your phones SD card via the phones USB cable.
Next for the actual downgrade
You'll need this unzipped
in a command prompt, goto the directory you unzipped to
connect the phone via USB
then:
adb push misc_version /data/local/tmp
adb push GingerBreak /data/local/tmp
adb shell chmod 777 /data/local/tmp/misc_version
adb shell chmod 777 /data/local/tmp/GingerBreak
Click to expand...
Click to collapse
This copies the files to the phone and changes the permissions so they will function
adb shell
Click to expand...
Click to collapse
This will enter the terminal for the phone
./data/local/tmp/GingerBreak
Click to expand...
Click to collapse
This will then temp root the phone you should now have # at the terminal prompt instead of $, which means you have higher privileges
From this point you can then run misc_version (Thanks to Blezz for the version number) This changes the version reported by the phone to 1.27.405.6, you cannot check this on the phone tho, as it will still report the other number.
cd /data/local/tmp
./misc_version -s 1.27.405.6
Click to expand...
Click to collapse
From here you can then install the update/downgrade from the exe, no need to dump zip files or anything. As with anything here, results may vary and I won't be buying new hardware if it breaks yours! But it works a treat on mine.
This can be used with paulobriens test signed RUU HTC update to get root/boot/recovery installed on s-on .
If it just were public
Sent from my HTC Desire S using XDA Premium App
panosfx said:
Downgrade to what?To Froyo?
And for what reason?
Sorry for that noob question...
Click to expand...
Click to collapse
This is why I recommend this only to advance users.
Our Desire S with S-On was released with Gingerbread ROM and Hboot that still not possible(as of now) to have custom boot recovery. Since we are on S-On, it is still not possible to be rooted and use custom ROM.
As far as I know, we don't have any official ROM except for Gingerbread. Correct me if I'm wrong. The list can be seen in this post. http://forum.xda-developers.com/showthread.php?t=1002506
I'm just sharing this to people who wants to change their ROM if they want to change to a different one. Like me who installed the latest ROM from TELSTRA and find the bloatware annoying. I've done this to get back to the ROM I'm more comfortable using.
Yeah I'm pretty much with you mate, no way to do anything more practical than flash a clean European Rom currently..... Not really a vast amount of progress either. Anything we should be doing to help get permanent root? Anyone?
Sent from my HTC Desire S using XDA App
Thankkssssss
It works on my s-on DS
Thanks a lot
i really like it how sonikz is doing now like it was his idea how to downgrade it using adb gingerbreak and misc_version lol
i'm gonna stop my rooting tries + supporting here for the desire s, hating such people like him
I never said it was my idea and I have in a posted my thanks to the relevant people in other threads, I didn't mean to rub anyone the wrong way... I hadn't seen a adb version of gingerbreak until Friday and I'm sure you know the apk is very unpredictable or at least it is on my phone so I couldn't use misc_version, it just kept kicking errors.... Hey I just threw it out there, my bad
okay
no it isnt the apks fault, maybe u forgot to use "su" in adb shell after using the apk, which u dont need for the command line version
anyway, maybe there is a way to get past the s-offf
in titanium backup there's a recovery exploit to remove files from s-on phones
we just need to know how the exploit is working and if it still working with 2.3
2nd option is i am getting a 2nd desire s soon.. it's a bugged on, radio destroyed and he don't get it repalced so he gives it me
maybe i can get the desire hd bootloader running somehow.. even if i am sure it will be a lot of work to get in
Plz guys... Get a grip.. we share.. whocares about credit.. come on..
Keep sharing.
Sent from my HTC Desire S using XDA Premium App
Worked
Sent from my HTC Desire S using XDA Premium App
@Rexton270: what worked?
@brokenworm: what you meant by the paulobriens test RUU?
@brokenworm:
it's not paul's ruu, the files he published been released 1 day before at 911snipers blog
sadly without ruu too
what ROM to get root
after doing that, what ROM is it better to download in order to become root ?
thanks
pdaGeek13 said:
after doing that, what ROM is it better to download in order to become root ?
thanks
Click to expand...
Click to collapse
If you are on S-ON, none as of now.
Sent from my HTC Desire S using XDA Premium App
> 2 hours
running for more than 2 hours now, normal ?
sonikz said:
Newrad67, I have compiled a n00b way to achieve very similar results:
First off you need to create a Gold Card
Use the memory card that came with the phone, may as well hey!
Install Goldcard helper from market, run it and copy the CID for MMC2
This number has already been reversed so go to here, fill out the required fields.
That will then email you an image file. You can then using Gold Card Tool flash your image file to your phones SD card via the phones USB cable.
Next for the actual downgrade
You'll need this unzipped
in a command prompt, goto the directory you unzipped to
connect the phone via USB
then:
This copies the files to the phone and changes the permissions so they will function
This will enter the terminal for the phone
This will then temp root the phone you should now have # at the terminal prompt instead of $, which means you have higher privileges
From this point you can then run misc_version (Thanks to Blezz for the version number) This changes the version reported by the phone to 1.27.405.6, you cannot check this on the phone tho, as it will still report the other number.
From here you can then install the update/downgrade from the exe, no need to dump zip files or anything. As with anything here, results may vary and I won't be buying new hardware if it breaks yours! But it works a treat on mine.
Click to expand...
Click to collapse
no not normal, restart your phone and try again
cause it's s-on nothing can happen to your system so don't worry and just restart
Blezz said:
no not normal, restart your phone and try again
cause it's s-on nothing can happen to your system so don't worry and just restart
Click to expand...
Click to collapse
same thing with this log:
$ ./GingerBreak
./GingerBreak
[**] Gingerbreak/Honeybomb -- android 2.[2,3], 3.0 s
[**] (C) 2010-2011 The Android Exploid Crew. All rig
[**] Kudos to jenzi, the #brownpants-party, the Open
[**] Zynamics for ARM skills and Onkel Budi
[**] donate to [email protected] if you like
[**] Exploit may take a while!
[+] Plain Gingerbread mode!
[+] Found system: 0xafd17fd5 strcmp: 0xafd38065
[+] Found PT_DYNAMIC of size 232 (29 entries)
[+] Found GOT: 0x00014360
[+] Using device /devices/platform/goldfish_mmc.0
[*] vold: 25104 GOT start: 0x00014360 GOT end: 0x000
[*] vold: 25104 idx: -1024 fault addr: 0xfffb2284
[*] vold: 25162 idx: -2048 fault addr: 0xfff4e284
[*] vold: 25212 idx: -3072 fault addr: 0xffeea284
[*] vold: 25262 idx: -4096 fault addr: 0xffe86284
[*] vold: 25312 idx: -5120 fault addr: 0xffe22284
[*] vold: 25363 idx: -6144 fault addr: 0xffdbe284
[*] vold: 25414 idx: -7168 fault addr: 0xffd5a284
[*] vold: 25466 idx: -8192 fault addr: 0xffcf6284
etc ....
and sometimes:
[+] fault address in range (0x000132b4,idx=-3072)
[+] Calculated idx: -2005
[-] sendmsg() failed?
[-] sendmsg() failed?
[-] sendmsg() failed?
:-(

Hboot information and downgrading

Before I start this thread, I should say that all credit goes to otaking71 for finding this crack.
The two original threads are here
http://forum.xda-developers.com/showthread.php?t=1255043
http://forum.xda-developers.com/showthread.php?t=1255360
All of the work was done in the #htc_evo_shift channel on freenode irc.
Table of contents:
1. Hboot information about the exploit.
2. Downgrading
2.1 Notes
3. Full root(Updated 2.2 root)
4. Links
5. Credits/donation links
I will aim to make it so this mod can be ported to other devices to help downgrade bootloaders and software. Please read the entire thread before flashing anything and trying this.
Hboot
Hboot uses a hidden partition to check everything it flashes against, this partition is "misc", or hboot -1, or on the shift mmcblk0p17(hboot itself is at mmcblk0p18).
Some raw dumps of this partition using strings to filter ascii strings brings out this type of dump.
Locked bootloader for the evo shift's dump
"SPCS_001
DeviceWarmBoot
CE Serial InUse
Debug Cable Ena
CE USB InUse
ClearAutoImage
2.76.651.4
FNOC
FNOC"
Unlocked bootloader for the verizon thunderbolt
"VZW__001
DeviceWarmBoot
CE Serial InUse
Debug Cable Ena
CE USB InUse
ClearAutoImage
1.02.605.6
FNOC
FNOC"
Eng spl unlocked evo shift
"FN0C
FN0C
FN0C"
Now the place to focus at is the version numbers, 2.76.651.4. Hboot will check all items you try to flash via hboot or ruu utility against this number and if it is lower than what you are trying to flash, it will allow you to proceed in flashing through hboot, or ruu. If the number is higher, it will reject the flash. If the number doesn't exist(like in the eng spl) it will assume it is able to flash it(ONLY TESTED ON ENG SPL, not locked bootloaders). So by dumping the TB's misc partition into our own, we made it so the locked hboot would accept flashes. Either by RUU or hboot.
We believe the package you flash still needs to be signed though so that only leaves you with official ruu's and extracted ruu zips.
Joeykrim's history(Located on the second page of this thread)
joeykrim said:
for those curious, a lil bit of history:
same method as used on the evo part 2 thread by toastcfh at xda.
only diff is shift is emmc and evo was mtd. shift emmc partitions are a bit more in number and named differnetly when compared to the evo mtd partitions. on the evo this partition was labeled as "misc" in /proc/partitions. the misc partition being flashed holds the software version number which hboot checks against to verify whether or not it will allow an RUU to be loaded.
also, i want to recall a web site somewhere which allows users to create a custom misc file with a provided version number.
thought this partition was protected by the internal memory write protection but appears it wasn't. not much of a surprise as the first release of the shift didn't have write protection for the hboot partition turned on.
great this works! sadly, they'll prob patch it next OTA around as they did for the evo.
good job on testing (sorry about the lost shift), publishing and releasing! glad to see the shift has unlocked internal memory write protection again!!!
you're path to the internal partition location is incorrect. as the OP states, use:/dev/block/mmcblk0p17
full command: dd if=/sdcard/misc.img of=/dev/block/mmcblk0p17
great article with the history and usage of dd, its a classic unix/linux command. very good to become familiar with: http://en.wikipedia.org/wiki/Dd_(Unix)
Click to expand...
Click to collapse
How to downgrade your device
For the shift, will be different on other devices with a bit of modding.
1. Temproot(With Fre3vo for the shift) http://forum.xda-developers.com/showthread.php?t=1185243
2. Move the file misc.img to the root of your sdcard, and PG06IMG.zip too if you plan on flashing through hboot.
3. Modify the misc partition to bypass the version check, type the following in an adb shell or a terminal emulator on your phone.
Code:
dd if=/sdcard/misc.img of=/dev/block/mmcblk0p17
Note for other devs: misc.img is the image from the TB, could be other images as long as it has a lower version number.
4. This is up to you, you can either use the ruu utility to revert or the PG06IMG.zip in hboot. I'll include links to both. Since both utilities check the misc partition, both are able to flash =)
5. Reboot and then full root like normal on your downgraded device.
Notes
1. When flashing hboot/using this exploit it always flashes twice/stops early and recontinues. Don't worry about it, this is normal(Sometimes it looks like more than 2 but just chill out).
2. Some SDcards are not recognized by hboot, so you will either have to switch cards for this operation or use the ruu utility method.
3. Remove the PG06IMG from your sdcard after flash, or hboot will pick it up next time.
Full root for downgraded 2.2
Flash ENG bootloader
1. Download these files and extract them to the root of your sdcard: www.thebcblends.com/shift/Shift-root.zip
2. Obtain temproot from z4Root, visionary, OR CM's temproot wiki
3. Flash hboot with Engineer SPL:
Code:
dd if=/sdcard/Shift/hboot_eng.nb0 of=/dev/block/mmcblk0p18
4. Boot into bootloader and check for S-OFF
Flashing a recovery
1. Grab latest shift recovery from: http://www.koushikdutta.com/2010/02/clockwork-recovery-image.html
2. Make sure you're temprooted(may have to temp root again)
3. Install recovery from rom manager
Alternative install can be done if you grab another recovery's recovery.img and do one of the following below.
a. Okay this is for those with fastboot - flash the recovery with fastboot: fastboot flash recovery recovery.img
b. This is for those where fastboot doesn't work or they don't have it - 1. Place recovery.img on the root of your sdcard, then type the command below.
Code:
dd if=/sdcard/recovery.img of=/dev/block/mmcblk0p21
Full root/Rom flashing
Well I know you don't have anything you want to save from the 2.2 ruu since it's just a stock flash, so I am going to leave it off here as flash whatever rom you want over the new system via recovery and you should end up with a fully rooted android.
Just remember to wipe data/factory reset after flash.
Links - MD5Sums aren't terribly important here as the files will not flash if they are not correct due to the signatures.
Fre3vo temp root for GB - http://forum.xda-developers.com/showthread.php?t=1185243
misc.img for the misc partition - http://dl.dropbox.com/u/41040697/misc.img MD5Sum: c88dd947eb3b36eec90503a3525ae0de
Misc.img mirror(You guys took down my second dropbox.....trying a different site now): http://www.box.net/shared/0l8ex73zne0tfr10ob69
Second mics.img mirror: http://dl.dropbox.com/u/15373824/misc.img
Another mirror for misc.img: http://dev-host.org/a9dbnuzgb9qv/misc.zip (Thanks Fdxrider)
Official ruu file for downgrading to 2.2 - http://www.multiupload.com/15N2D30H6C MD5SUM: a4b880954d2ac29d5bdf0dade9dede3c
PG06IMG for hboot downgrading to 2.2 - http://dl.dropbox.com/u/41040697/PG06IMG.zip MD5SUM: d20be478fd860b80f5e800c958f79077
Mirror for PG06IMG(First link went down temporarily due to generating too much traffic on my account, good job guys xD) - http://dl.dropbox.com/u/15373824/PG06IMG.zip
Mirror for PG06IMG: http://dev-host.org/xmlaaco0s2ph/PG06IMG.zip
2.2 root [Bcnice guide]- http://forum.xda-developers.com/showthread.php?t=932153
Cm's rooting method(For those without z4root or visionary) - http://wiki.cyanogenmod.com/wiki/HTC_Evo_Shift_4G:_Full_Update_Guide
Credits
Otaking71 - Discoverer of this exploit for the shift and working throughout the night to establish it as a working downgrade.
Bcnice20 & other 2.2 root devs - I borrowed your root methods for this guide, and linked to them. Just had to update it for recovery basically.
Stuke00 - Fre3vo temp root for 2.3.3
Joeykrim - Donating that history for the curious minds.
Donation links:
Otaking71 - Main driver of this discovery/creator and came up with this theory
http://forum.xda-developers.com/donatetome.php?u=1762836
Should we vote this to the front or try to keep it on the downlow?
^ Shift Faced
I'm at work now, but am I to understand that there is now a full root for shifts on gb?
Sent from my PC36100 using XDA App
totalnub911 said:
I'm at work now, but am I to understand that there is now a full root for shifts on gb?
Sent from my PC36100 using XDA App
Click to expand...
Click to collapse
Something of that sort, you can obtain full root through this exploit. Though it's through downgrading the firmware you use old 2.2 rooting methods.
totalnub911 said:
I'm at work now, but am I to understand that there is now a full root for shifts on gb?
Sent from my PC36100 using XDA App
Click to expand...
Click to collapse
that is correct if you downgrade then root with shiftRR. thats what i'm getting from all this
EDIT: got beat to it
YoungCorruption said:
that is correct if you downgrade then root with shiftRR. thats what i'm getting from all this
EDIT: got beat to it
Click to expand...
Click to collapse
sounds like its time to change your siggy there youngcorruption!
Im sorry for the noobish but what does this mean and how do i do this
2. Modify the misc partition: dd if=/sdcard/misc.img of=/dev/block/mmcblk0p17
misc.img is the image from the TB, could be other images as long as it has a lower version number.
halrulez said:
Im sorry for the noobish but what does this mean and how do i do this
2. Modify the misc partition: dd if=/sdcard/misc.img of=/dev/block/mmcblk0p17
misc.img is the image from the TB, could be other images as long as it has a lower version number.
Click to expand...
Click to collapse
In more specific directions it means to move the downloaded file misc.img to /sdcard , then to type the command "dd if=/sdcard/misc.img of=/dev/block/mmcblk0p17 misc.img" without quotes. The rest just means it'll be different on other devices.
Nice write up, thanks to otaking and scary you all saved the shifters from a horrible ota update
Sent from my Supreme Shift using Tapatalk
Scaryghoul said:
In more specific directions it means to move the downloaded file misc.img to /sdcard , then to type the command "dd if=/sdcard/misc.img of=/dev/block/mmcblk0p17 misc.img" without quotes. The rest just means it'll be different on other devices.
Click to expand...
Click to collapse
ok can do this in terminal from my phone or do i have to do this in adb from my computer?
and if so what are the full steps to get to the point so i can enter this. I am trying to understand adb hell i am just starting in linux so i am hella noob
halrulez said:
ok can do this in terminal from my phone or do i have to do this in adb from my computer?
and if so what are the full steps to get to the point so i can enter this. I am trying to understand adb hell i am just starting in linux so i am hella noob
Click to expand...
Click to collapse
Either one, you can either mount your phone on usb and move the misc.img to your sdcard then type the command in terminal on your phone.
OR
You can adb push the file to your sdcard then adb shell the command.
I'll make the instructions more detailed in a bit.
What do you mean by: Modify the misc partition: dd if=/sdcard/misc.img of=/dev/block/mmcblk0p1?
I moved the misc.img to sdcard but I have no mmcblk0pl in dev/block. Do I have to create that folder? And dd and of....lost me there.
I just did it and it worked perfectly. Back on 2.2, ready to root. Thanks again to otaking and scary for all your hard work.
ok so i was able to do this from the terminal from my android
bow though when i am trying to run the ruu from my computer is starts to go but keeps says that it is waiting for the booloader. the phone wont boot in to the boot loader
halrulez said:
ok so i was able to do this from the terminal from my android
bow though when i am trying to run the ruu from my computer is starts to go but keeps says that it is waiting for the booloader. the phone wont boot in to the boot loader
Click to expand...
Click to collapse
you might need to install htc sync to run ruu's. http://www.htc.com/managed-assets/support/software/htc-sync/setup_3.0.5557.exe
im just going to put this out there as well because i have had problems with the drivers that came with sync and i was forced to use the modified usb drivers found in the unrevoked evo tool, i dunno its weird but my vista pc didnt like anything but them drivers, and another guy i helped ruu from a major mess up, he couldnt get anything with sync to reconize his shift untill he used the same modified evo drivers . i hope no one has an issue but if it come about this is how to fix a driver issue
Best day ever!!!!!!!!!!!!!!!!!!!!!!!!!
strapped365 said:
im just going to put this out there as well because i have had problems with the drivers that came with sync and i was forced to use the modified usb drivers found in the unrevoked evo tool, i dunno its weird but my vista pc didnt like anything but them drivers, and another guy i helped ruu from a major mess up, he couldnt get anything with sync to reconize his shift untill he used the same modified evo drivers . i hope no one has an issue but if it come about this is how to fix a driver issue
Click to expand...
Click to collapse
provide link to said drivers?
riggsandroid said:
provide link to said drivers?
Click to expand...
Click to collapse
kinda cant provide an actual link directly to the drivers because i had to set up unrevoked just like i was rooting an evo, so i just hinted they were in the tool
http://unrevoked.com/recovery/
thats where you can get the tool from to setup your drivers if you have issues with sync not playing well or your pc just dont want to read the drivers right
for those curious, a lil bit of history:
same method as used on the evo part 2 thread by toastcfh at xda.
only diff is shift is emmc and evo was mtd. shift emmc partitions are a bit more in number and named differnetly when compared to the evo mtd partitions. on the evo this partition was labeled as "misc" in /proc/partitions. the misc partition being flashed holds the software version number which hboot checks against to verify whether or not it will allow an RUU to be loaded.
also, i want to recall a web site somewhere which allows users to create a custom misc file with a provided version number.
thought this partition was protected by the internal memory write protection but appears it wasn't. not much of a surprise as the first release of the shift didn't have write protection for the hboot partition turned on.
great this works! sadly, they'll prob patch it next OTA around as they did for the evo.
good job on testing (sorry about the lost shift), publishing and releasing! glad to see the shift has unlocked internal memory write protection again!!!
blakeatl said:
What do you mean by: Modify the misc partition: dd if=/sdcard/misc.img of=/dev/block/mmcblk0p1?
I moved the misc.img to sdcard but I have no mmcblk0pl in dev/block. Do I have to create that folder? And dd and of....lost me there.
Click to expand...
Click to collapse
you're path to the internal partition location is incorrect. as the OP states, use:/dev/block/mmcblk0p17
full command: dd if=/sdcard/misc.img of=/dev/block/mmcblk0p17
great article with the history and usage of dd, its a classic unix/linux command. very good to become familiar with: http://en.wikipedia.org/wiki/Dd_(Unix)

Categories

Resources