[GUIDE] Radio S-OFF, SuperCID, SimUnlock + Root - Desire HD Android Development

Hi ppl, here is a guide on how to gain radio S-OFF, SuperCID and SimUnlock.
What You Need
-- This File
-- If on OSX / Linux: the ADB binary (it is not included in the .zip)
-------------------------------------------------------------------------------------------
Bits in red are only for people who don't already have perm root
Bits in blue are for everyone
-------------------------------------------------------------------------------------------
1) Extract the zip file (to your adb directory if on mac / linux)
2) Open a command prompt / shell and navigate to where you extracted the files
3) run
adb install visionaryplus-r14.apk
4) open visionary on phone
5) tick "Run visionary.sh after root" and "Set system r/w after root"
6) Now click "temproot now" and wait 30 - 60 sec
7) run line by line
adb push gfree /data/local
adb shell
su
cd /data/local
chmod 777 gfree
./gfree
sync
reboot
Now we are radio S-OFF, SuperCID and SimUnlocked.
8) If you were not already perm rooted, run Visionary temp root, then perm root.
[To Check]
1) run
adb reboot bootloader
ON SHIP HBOOT
Just check the top line if you see
SHIP S-OFF (it worked )
SHIP S-ON (it didn't)
ON ENG HBOOT
2) tap bootloader option
3) use vol down to get to system info and tap
4) check CID for CID-11111111 (if you have this all is done 100%)
5) reboot
[PROBLEMS]
@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
IF THIS DOESN'T WORK AND YOU GET
***WARNING***: Did not find brq filter.
Get either a stock kernel (CM/Sense) or my buzz-1.0.7, as it's confirmed working on those
@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
[FAQ]
Does this install the ENG hboot ?
No, as that is no longer required; it is still an option if you want to gain the extra functions
How can i install custom recovery for roms without ENG hboot ?
Just get ROM Manager from the Market and install it with that
What does all this mean ?
Radio S-OFF = we have S-OFF regardless of which hboot we are using, so if you update the hboot, S-OFF will stay
SuperCID = allows installing RUUs from ANYONE
[CREDITS]
Paul O'Brien for visionary
scotty2 and others who found the method to patch P7
everyone else who has worked on the G2 root and wpthis
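The gfree steps above, wrapped in a small script. This is an added example, not part of the guide and not part of gfree: it pushes and runs gfree, keeps the output in a log file, and only reboots when gfree did not report the "Did not find brq filter" warning covered under [PROBLEMS] (the case where the live kernel patch finds nothing to patch and the CID stays unchanged). It assumes adb is in PATH, the phone already has a working su that accepts -c (temp or perm root), and the gfree binary from the zip is in the current directory; chmod 755 instead of the guide's 777 is my choice, since only root needs to execute the file.

```shell
#!/bin/sh
# Added example, not part of the original guide or of gfree.
# Assumes: adb in PATH, a rooted phone whose "su" accepts -c, gfree in the working directory.
set -eu

# Classify a saved gfree log. Prints one of:
#   unsupported-kernel <release>  the "Did not find brq filter" warning appeared
#                                 (the live kernel patch found nothing to patch; the CID will not change)
#   completed                     no warning and gfree printed its final "Done."
#   incomplete                    neither (gfree died or the phone rebooted mid-run)
gfree_verdict() {  # gfree_verdict <logfile>
  log=$(tr -d '\r' < "$1")          # adb shell output arrives with CRLF line endings
  release=$(printf '%s\n' "$log" | sed -n 's/^Kernel release: *//p' | head -n 1)
  if printf '%s\n' "$log" | grep -q 'Did not find brq filter'; then
    echo "unsupported-kernel ${release:-unknown}"
  elif printf '%s\n' "$log" | grep -qx 'Done\.'; then
    echo "completed"
  else
    echo "incomplete"
  fi
}

# Step 7 of the guide (push, su, chmod, ./gfree, sync) with the output captured,
# and the reboot made conditional on the verdict.
run_gfree() {  # run_gfree <path-to-gfree> <logfile>
  adb push "$1" /data/local/gfree
  # 755 is enough: only root needs to execute it (the guide's 777 is wider than necessary)
  adb shell 'su -c "chmod 755 /data/local/gfree && cd /data/local && ./gfree && sync"' | tee "$2"
  verdict=$(gfree_verdict "$2")
  case $verdict in
    completed)
      adb shell 'su -c reboot'
      echo "gfree finished; now confirm with 'adb reboot bootloader' that the top line reads SHIP S-OFF" ;;
    unsupported-kernel*)
      echo "gfree could not patch kernel '${verdict#unsupported-kernel }'; switch to a kernel the guide lists as working and rerun" >&2
      return 1 ;;
    *)
      echo "gfree did not finish; see $2" >&2
      return 1 ;;
  esac
}

# Only touches a phone when called with arguments; otherwise the file just defines the functions.
if [ $# -eq 2 ]; then
  run_gfree "$1" "$2"
fi
```

Usage: `sh run_gfree.sh ./gfree gfree.log`. A "completed" verdict only means gfree ran to its end; the bootloader check in [To Check] is still the confirmation that the radio is S-OFF.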

Hey there, thanks for the guide, but something didn't work while running ./gfree
Code:
./gfree
Section header entry size: 40
Number of section headers: 44
Total section header table size: 1760
Section header file offset: 0x000138b4 (80052)
Section index for section name string table: 41
String table offset: 0x000136fb (79611)
Searching for .modinfo section...
- Section[16]: .modinfo
-- offset: 0x00000a14 (2580)
-- size: 0x000000cc (204)
Kernel release: 2.6.32.25-Buzz-1.0.6-OCUV
New .modinfo section size: 212
Attempting to power cycle eMMC... OK.
Searching for mmc_blk_issue_rq symbol...
- Address: c02ccc70, type: t, name: mmc_blk_issue_rq, module: N/A
Kernel map base: 0xc02cc000
Kernel memory mapped to 0x40001000
Searching for brq filter...
- ***WARNING***: Did not find brq filter.
Patching and backing up partition 7...
After some seconds it rebooted on its own, but nothing happened to my CID. Any ideas?

same here

That will be the live kernel patching failing, as it can't find where to patch... Try running with my 1.0.7 kernel and then restore back (it should run on stock kernels)... as I know that works. I'll relay this info to scotty2 and see if he can fix it for these kernels.
Can you post your kernel info from the about phone menu ?

Apache14 said:
Can you post your kernel info from the about phone menu ?
here it is
2.6.32.25-Buzz-1.0.6-OCUV
[email protected] #66
Sat Nov 27 18:38:35 GMT2010

Worked great
To verify all went well, do this:
Plug in your phone to your computer
In the Terminal/command line, type this:
Code:
adb shell
this puts you in the phone's shell. now it's a simple matter of the following:
(note the # is your prompt. Don't type the "#". The lines without the # are returned by the phone.)
Code:
# stop ril-daemon
# cat /dev/smd0 &
# echo -e 'ATE1\r' > /dev/smd0
0
#
# echo -e 'ATV1\r' > /dev/smd0
OK
# echo -e '[email protected]?\r' > /dev/smd0
@CID: 11111111
OK
# echo -e '[email protected]?40\r' > /dev/smd0
# [email protected]?40
@SIMLOCK= 00
OK
# echo -e '[email protected]?AA\r' > /dev/smd0
[email protected]?AA
@secu_flag: 0
OK
It should look something like that anyway. It may look slightly different if you were typing while the computer was sending you back information.
Did it work? Here's what you're looking for:
@CID: 11111111 <--- this response means you have superCID! Congrats!
@SIMLOCK= 00 <--- this means your simlock is off. Mazel Tov!
@secu_flag: 0 <--- this means your radio is S-OFF. Hurrah!
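The same check as a script, added here and not from the post above or the guide. It parses the three reply lines the radio prints ("@CID: ...", "@SIMLOCK= ...", "@secu_flag: ...") from a file you saved the session to, and exits non-zero unless all three show the unlocked state. It never talks to the phone itself: run the commands above in adb shell and paste or tee the output into a file, then point the script at it. The field lengths it expects (8 characters for a CID, two hex digits for SIMLOCK, one digit for secu_flag) are my assumption from the values shown in the thread; they also keep the parser from swallowing a stray "OK" that lands on the same line when output and typing interleave, as the post warns.

```shell
#!/bin/sh
# Added example, not from the thread: asserts the S-OFF / SuperCID / SIM-unlock state
# from captured /dev/smd0 replies instead of eyeballing them.
set -eu

# Pull one value out of captured radio output. Anchored on the reply prefixes shown in the
# thread; the value pattern (length) is an assumption from the sample values. Prints "missing"
# when the reply is not in the capture.
radio_field() {  # radio_field <prefix> <value-regex> <file>
  v=$(tr -d '\r' < "$3" | sed -n "s/.*$1 *\($2\).*/\1/p" | tail -n 1)
  printf '%s\n' "${v:-missing}"
}

# Summarise the three flags as "cid=... simlock=... secu_flag=...".
radio_status() {  # radio_status <file>
  cid=$(radio_field '@CID:' '[0-9A-Za-z_]\{8\}' "$1")
  simlock=$(radio_field '@SIMLOCK=' '[0-9A-Fa-f]\{2\}' "$1")
  secu=$(radio_field '@secu_flag:' '[0-9]' "$1")
  printf 'cid=%s simlock=%s secu_flag=%s\n' "$cid" "$simlock" "$secu"
}

# Exit 0 only when all three show what the guide aims for:
# SuperCID 11111111, SIMLOCK 00 and secu_flag 0 (radio S-OFF). Anything else, including a
# reply that never arrived, counts as still locked.
radio_verdict() {  # radio_verdict <file>
  status=$(radio_status "$1")
  bad=""
  case $status in *'cid=11111111 '*) ;; *) bad="$bad cid" ;; esac
  case $status in *'simlock=00 '*) ;; *) bad="$bad simlock" ;; esac
  case $status in *'secu_flag=0') ;; *) bad="$bad secu_flag" ;; esac
  if [ -n "$bad" ]; then
    echo "LOCKED:$bad ($status)"
    return 1
  fi
  echo "UNLOCKED ($status)"
}

# Usage: sh radio_check.sh radio.txt   (radio.txt = the adb shell session saved with tee)
if [ $# -eq 1 ]; then
  radio_verdict "$1"
fi
```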

Hi,
Does not work for me.
Code:
Microsoft Windows [Version 6.1.7600]
Copyright (c) 2009 Microsoft Corporation. All rights reserved.
C:\Users\Administrator>d:
D:\>cd D:\Handy\HTC Desire HD\SuperCID
D:\Handy\HTC Desire HD\SuperCID>adb push gfree /data/local
adb server is out of date. killing...
* daemon started successfully *
1939 KB/s (683255 bytes in 0.344s)
D:\Handy\HTC Desire HD\SuperCID>adb shell
# su
su
# cd /data/local
cd /data/local
# chmod 777 gfree
chmod 777 gfree
# ./gfree
./gfree
Section header entry size: 40
Number of section headers: 44
Total section header table size: 1760
Section header file offset: 0x000138b4 (80052)
Section index for section name string table: 41
String table offset: 0x000136fb (79611)
Searching for .modinfo section...
- Section[16]: .modinfo
-- offset: 0x00000a14 (2580)
-- size: 0x000000cc (204)
Kernel release: 2.6.32.25-Buzz-1.0.6-OCUV
New .modinfo section size: 212
Attempting to power cycle eMMC... OK.
Searching for mmc_blk_issue_rq symbol...
- Address: c02ccc70, type: t, name: mmc_blk_issue_rq, module: N/A
Kernel map base: 0xc02cc000
Kernel memory mapped to 0x40001000
Searching for brq filter...
- ***WARNING***: Did not find brq filter.
Patching and backing up partition 7...
D:\Handy\HTC Desire HD\SuperCID>
Friendly greetings,
starbase64

For the moment:
IF THIS DOESN'T WORK AND YOU GET
***WARNING***: Did not find brq filter.
Get either a stock kernel (CM/Sense) or my buzz-1.0.7, as it's confirmed working on those

Hi,
Now it works (or not), but system info is no longer available in the bootloader.
Friendly greetings,
starbase64

Yep it worked
Look at the top SHIP S-OFF

Hi,
but how can I see the SuperCID? System info?
Friendly greetings,
starbase64

starbase64 said:
Hi,
Does not work for me.
Try with the 1.0.7 kernel.
If it doesn't work, try with the stock kernel, which works fine.
I think only the ENG hboot shows system info...

Flawless, cheers

starbase64 said:
Hi,
but how can I see the SuperCID? System info?
Friendly greetings,
starbase64
fastboot getvar all

So can we now flash radios without fear of being locked down again?

Apache14 said:
fastboot getvar all
I love your 1.0.6 kernel.
Can I flash 1.0.7, S-OFF the radio, and then go back to 1.0.6?

Yep, you can flash official HTC RUUs / radio / hboot without any fear of losing root.

xmoo said:
I love your 1.0.6 kernel.
Can I flash 1.0.7, S-OFF the radio, and then go back to 1.0.6?
Yep, yep, that's fine.

Is there any way to undo this? In case of warranty issues?

dubstepshurda said:
Is there any way to undo this? In case of warranty issues?
S-OFF has nothing to do with legal or illegal.
In some cases when you send your phone for repair, they S-OFF it and forget to remove it.
So just remove Superuser and install a stock ROM. It doesn't matter whether it's S-ON or S-OFF.
"ON ENG HBOOT
2) tap bootloder option
3) use vol down to get to system info and tap
4) check CID for CID-11111111 (if you have this all is done 100%)
5) reboot"
2) tap bootloader option: you forgot the A.


[guide] Manual Radio S-OFF, SimUnlock (for linux)

About:
No-click radio S-OFF for console lovers
Requirements:
0. Rooted Desire HD
1. jkoljo's Easy Radio tool v2_2.zip from this thread http://forum.xda-developers.com/showthread.php?t=857537
2. USB debugging enabled. Connect as charge only!
Steps:
0. unpack gfree from the above zip file
1. $ adb remount
2. $ adb push gfree /system/xbin
3. $ adb shell
4. # chmod 700 /system/xbin/gfree
5. # /system/xbin/gfree -s off
6. # rm -i /system/xbin/gfree # be sure that you are removing the right file
7. # exit
8. reboot the phone.
Thanks:
jkoljo for the tool
There is already a thread for gfree, it has all the necessary info in it.
WildsideUK said:
There is already a thread for gfree, it has all the necessary info in it.
Second that. Also puzzled: as all you're doing is using adb, why Linux specific?
Tried to do it. Failed. Can anybody help? :-(
Code:
[email protected]:~/Desktop/AndroidSDK/2.2/tools$ ./adb remount
remount succeeded
[email protected]:~/Desktop/AndroidSDK/2.2/tools$ ./adb push gfree /system/xbin
1713 KB/s (134401 bytes in 0.076s)
[email protected]:~/Desktop/AndroidSDK/2.2/tools$ ./adb shell
# chmod 700 /system/xbin/gfree
# /system/xbin/gfree -s off
--secu_flag off set
Section header entry size: 40
Number of section headers: 44
Total section header table size: 1760
Section header file offset: 0x000138b4 (80052)
Section index for section name string table: 41
String table offset: 0x000136fb (79611)
Searching for .modinfo section...
- Section[16]: .modinfo
-- offset: 0x00000a14 (2580)
-- size: 0x000000cc (204)
Kernel release: 2.6.32.27-cyanogenmod
New .modinfo section size: 208
Attempting to power cycle eMMC... OK.
Searching for mmc_blk_issue_rq symbol...
- Address: c02b99a8, type: t, name: mmc_blk_issue_rq, module: N/A
Kernel map base: 0xc02b9000
Kernel memory mapped to 0x40009000
Searching for brq filter...
- ***WARNING***: Did not find brq filter.
Patching and backing up partition 7...
patching secu_flag: 0
Done.
# rm -i /system/xbin/gfree
rm: remove '/system/xbin/gfree'? y
# exit
You have an incompatible kernel; try it in some 1.32-based Sense ROM with the buzz 1.1.4 kernel. 1.1.4 CM could be enough, though, so try it first.

[TOOL] rkflashtool for Linux and rk2808, rk2818 and rk2918 based tablets

Hi,
Because I run neither Windows nor NetBSD, I rewrote rkflash from scratch using libusb-1.0, so you can now read and write your rk2818-based tablet's flash memory under Linux (also without the need to root your tablet). Credit for reverse-engineering the protocol goes to the original author of rkflash (see source).
Small guide
- unzip the file
- compile
Linux (Debian, Ubuntu, ...)
Code:
sudo apt-get install libusb-1.0-0-dev
gcc -o rkflashtool rkflashtool.c -lusb-1.0 -O2 -W -Wall -s
Mac OS X (thanks to surfer63, binary here)
Code:
sudo port install libusb
gcc -I/opt/local/include -I/opt/local/include/libusb-1.0 \
-L/opt/local/lib -o rkflashtool rkflashtool.c -lusb-1.0 -O2 -W -Wall
Preparation
- powerdown your tablet
- disconnect all cables
Getting into flash mode differs between tablets. Google around or use trial and error:
- insert the USB cable in computer
- hold vol+ (or put on/off/locked-switch in the locked position)
- insert the other end of your cable in the tablet
- wait a few seconds
- release vol+
Now if you run lsusb, the following line should appear:
Bus 001 Device 044: ID 2207:281a (290a for rk2918 based tablets)
Bus and device number may be different. The screen of your tablet stays black.
The USB device must be readable and writable for the user running rkflashtool. If that's not the case, you'll see an error like this:
Code:
$ ./rkflashtool b
libusb couldn't open USB device /dev/bus/usb/001/048: Permission denied.
libusb requires write access to USB device nodes.
rkflashtool: fatal: cannot open device
This can be fixed in several ways (chmod, run as root, udev rules) but that's beyond the scope of this posting. For now, chmod 666 the device mentioned in the error message.
Usage of rkflashtool
Code:
$ ./rkflashtool
rkflashtool: fatal: usage:
rkflashtool b reboot device
rkflashtool r offset size >file read flash
rkflashtool w offset size <file write flash
offset and size are in units of 512 bytes
On my tablet, the boot partition starts at offset 0x8000 (in blocks of 512 bytes)
Its size is 0x2000 blocks
To backup the partition, issue:
Code:
$ ./rkflashtool r 0x8000 0x2000 >boot.img.backup
rkflashtool: info: interface claimed
rkflashtool: info: reading flash memory at offset 0x00008000
rkflashtool: info: reading flash memory at offset 0x00008020
.......
rkflashtool: info: reading flash memory at offset 0x00009fe0
To write a new boot.img or an old backup back to the device:
Code:
$ ./rkflashtool w 0x8000 0x2000 <boot.img.backup
rkflashtool: info: interface claimed
rkflashtool: info: writing flash memory at offset 0x00008000
rkflashtool: info: writing flash memory at offset 0x00008020
.......
rkflashtool: info: writing flash memory at offset 0x00009fe0
You can find a list of all partitions of your tablet in the HWDEF file, which is inside the update.img for your tablet. If no such file is available, you can also look at /proc/cmdline on a running device (either through adb or a terminal app running on the device itself). Depending on the tablet, you might need root access to view /proc/cmdline. Another option is dumping the first 0x2000 blocks of nand flash by issuing rkflashtool r 0x0000 0x2000 >parm. View the file with hexedit, xxd, or a similar program. The kernel parameters contain a description of several mtd partitions (sizes and offsets).
After reading and writing at will, you can reboot your tablet by issuing
./rkflashtool b
Note that if your tablet has an on/off/locked-switch and it is still in the locked position, rebooting won't work.
If the file you are writing is smaller than the specified size, the rest is padded with zeroes. If it's bigger, it will be truncated. This is different from rkflash, which will overwrite blocks beyond the partition size.
rkflashtool does not support flashing a new bootloader directly.
If you have a different tablet, please try rkflashtool b and r first before flashing (w) something new.
Standard DISCLAIMER with regard to bricking your tablet applies.
Enjoy!
EDIT: better build instructions, clean up text
EDIT2: works on rk2918 tablets too (tested on Arnova 7 G2) if you change the USB product id from 0x281a to 0x290a before compilation
EDIT3: released version 2 of rkflashtool. now supports rk2918 tablets out of the box. if it doesn't find one, it falls back to rk2808/rk2818. also, updated the wording a bit.
EDIT4: new mac osx binary
EDIT5: more ways to find offsets and sizes of partitions on your tablet
EDIT6: small emphasis changes above and...
version 1 is here ONLY for archival purposes or if version 2 does not work on your rk28xx tablet. In all other cases, you need to download rkflashtool-v2.zip
Thanks a lot for this flash tool. I'm on MacOSX and Ubuntu and don't have Windows either. I tried the original rkflash as well but couldn't get it to work. On my Ubuntu boxes your rkflashtool compiles and works fine.
My Archos 7 HT V2 presents itself also as:
Code:
Bus 002 Device 004: ID 2207:281a
Reading partitions works fine and so does writing.
I did a quick modification of a system.img (left some files out) of my custom froyo rom and wrote it to my tablet.
That works fine. As /data is a separate partition I even have all my downloaded apps, data, settings, etc. This makes modifying a new ROM much faster than building a complete update.img, flashing it, restoring some data and then starting testing.
Nice work.
great! finally I can remove one line from my todo list
thank you!
EDIT:
random notes (I don't see your code yet so it may be fixed, then sorry)
* I always specify b (reboot) for rk2818 tablets with my rkflash, because it hung easily if I tried to write multiple times without b
* the parameter file needs to be converted with rkcrc -p. The official RKAndroid tools flashed it 5 times at different offsets (read & check the first 0x0-0x2000 blocks)
* I logged how to update the bootloader, but it's complicated and I could not understand it. Probably the bootloader can be updated via the misc partition; see update-script in update.img (but not recommended / no reason to do it)
EDIT2:
there is libusb for Windows and OS X. rkflashtool may work on them.
on Windows, there is RKAndroidTool.exe (not batchupgrade), but the "read" function in rkflash/rkflashtool may be useful in some cases on Windows
Good to hear it works for others, too! I have not had a hanging tablet after several writes in one session, but this might depend on the tablet.
Thanks for mentioning that it should also work on other platforms supported by libusb. I'd forgotten to do that.
About using update.img to flash a new bootloader, this can be done, but if you brick the tablet by flashing a wrong/faulty bootloader, you can only unbrick it with the Windows tools
Which leads me to the question: could you send me the snooped log of updating the bootloader? Two people see more than one and perhaps we can eventually manage to do this through libusb too.
ivop said:
About using update.img to flash a new bootloader, this can be done, but if you brick the tablet by flashing a wrong/faulty bootloader, you can only unbrick it with the Windows tools
probably you also need a needle to short pins of NAND chip
so I don't recommend to flash bootloader
ivop said:
Which leads me to the question: could you send me the snooped log of updating the bootloader? Two people see more than one and perhaps we can eventually manage to do this through libusb too.
I made that log several months ago with another Windows machine which is not used lately. I'm not sure the log still exists... if I find it, I'll send it to you (but please don't expect it).
You could probably also get a log on Windows in a VM on Linux. It seems VMware has a log function (refer to http://vusb-analyzer.sourceforge.net/tutorial.html), or there is the "usbmon" function in Linux.
Actually I didn't try this way myself, so it may be wrong, sorry.
I've tried a couple of firmwares, cooking my own.
Every time after flashing, the tablet shows the boot animation and after a few seconds the display goes dark.
My investigation led me to following:
Log shows:
Code:
ERROR/Lights(865): write_int failed to open /sys/class/backlight/rk28_button_light/brightness
in /sys/class/backlight I found symlink (rk28_bl):
rk28_bl -> ../../devices/platform/rk28_backlight/backlight/rk28_bl
Shouldn't there be another symlink named rk28_button_light?
I'm using MANTA MID001 from Poland.
fun_ said:
EDIT2:
there is libusb for Windows and OS X. rkflashtool may work on them.
ivop said:
Good to hear it works for others, too! I have not had a hanging tablet after several writes in one session, but this might depend on the tablet.
I did a couple of successive writes as well from ubuntu.
ivop said:
Thanks for mentioning that it should also work on other platforms supported by libusb. I'd forgotten to do that.
My main platform is OSX and I immediately added libusb. So far I have not been able to compile rkflashtool despite declaring all kind of CFLAGS, CXXFLAGS and/or LDFLAGS.
Trying a little bit more.
Could you post the compiler warnings/errors here? I might be able to help out.
ivop said:
Could you post the compiler warnings/errors here? I might be able to help out.
I managed to compile it. It took a lot of hurdles. I used the build environment I also use for Hugin for which I'm the OSX maintainer.
I now built a single combined 32/64bit (i386/x86_64) rkflashtool that will run on 10.4.x/10.5.x/10.6.x/10.7.x (building multi-architecture, multi-version binaries/libraries in one binary/library is possible on OSX. I'm not going to explain that here but it's a feature of OSX).
The compiled version is attached. You can also attach it to your first post if you like.
It works fine. I did some reading/writing of images without issues.
If you are on OSX and have macports installed, you can do the following to build rkflashtool.
Install libusb from Macports:
Code:
sudo port install libusb
cd into the folder where your rkflashtool.c is is and run the following command:
Code:
gcc -I/opt/local/include -I/opt/local/include/libusb-1.0 \
-L/opt/local/lib -o rkflashtool rkflashtool.c -lusb-1.0 -W -Wall
This will build rkflashtool for your native environment (OSX version, hardware and config).
--- removed the rest of the post as well as the attachments. He/She who is interested in building a complete universal distributable rkflashtool can ask via this thread ---
UPDATE: Works on rk2918 tablet too
Yesterday I tested the tool on an Arnova 7 G2 tablet, which has an rk2918 CPU. If you change the ProductID before compilation, like this:
... libusb_open_device_with_vid_pid(c, 0x2207, 0x281a) ...
to
... libusb_open_device_with_vid_pid(c, 0x2207, 0x290a) ...
it'll work, except for rebooting the device if the tablet is still locked. To boot the tablet in bootloader mode, turn off the tablet completely, put the on/off-switch in the locked position and connect it to your computer. It should be visible now with lsusb. For further instructions, see first post. I advise dumping the first 0x2000 blocks at offset 0x0000 first as this contains the parameter block in which you can see where each partition starts and how big it is.
ivop said:
UPDATE: Works on rk2918 tablet too
Yesterday I have tested the tool on an Arnova 7 G2 tablet, which has an rk2918 CPU. If you change the ProductID before compilation, like this:
... libusb_open_device_with_vid_pid(c, 0x2207, 0x281a) ...
to
... libusb_open_device_with_vid_pid(c, 0x2207, 0x290a) ...
Feature request :
It's nice, but could you also make it a startup option, like the b, r, w options, with an if-else in the source code? Something like (RK)2818 and (RK)2918 and maybe even for the older ones: (RK)2808.
In that case you only need one binary. Users who are going to use the tool will definitely know what CPU they have.
surfer63 said:
Feature request :
It's nice, but could you also make it a startup option, like the b, r, w options, with an if-else in the source code? Something like (RK)2818 and (RK)2918 and maybe even for the older ones: (RK)2808.
In that case you only need one binary. Users who are going to use the tool will definitely know what CPU they have.
I released a new version and updated the first post. It now tries to connect to an rk2918 tablet and if it doesn't find one, it falls back to rk2818.
The V2 version works fine too on MacOSX. The compilation is still the same for a "my machine only" version.
I compiled a universal Intel 32bit/64bit 10.4/10.5/10.6/10.7 V2 version as well.
See attached.
Note: I don't have a RK2918 so I can only test for a RK2818 tablet.
Hi,
Thanks for your thread, it's very interesting.
I succeeded in flashing my boot partition with your tool, but I can't manage to remount my system partition rw. It's cramfs, and in init.rk28board.rc you can see these lines:
Code:
# Mount /system rw first to give the filesystem a chance to save a checkpoint
mount cramfs [email protected] /system
mount cramfs [email protected] /system ro remount
I tried everything, like replacing ro by rw and deleting the second line, but my system is still read-only; I don't understand why. I also tried deleting those lines to test whether my flash process works properly, and it worked... So I'm lost. Any idea?
----
Another thing: if I want to do the same as flashing the boot partition but with the system partition, is it possible with the same process? Unfortunately I don't know the beginning offset of the partition. I don't know where to find the HWDEF file. The size of the partition is 00038000 (hex) bytes => 229376 (dec) bytes.
Here is my /proc/mtd :
Code:
dev: size erasesize name
mtd0: 00002000 00000010 "misc"
mtd1: 00004000 00000010 "kernel"
mtd2: 00002000 00000010 "boot"
mtd3: 00004000 00000010 "recovery"
mtd4: 00038000 00000010 "system"
mtd5: 0003a000 00000010 "backup"
mtd6: 0003a000 00000010 "cache"
mtd7: 00080000 00000010 "userdata"
mtd8: 00534000 00000010 "user"
mtd9: 00020000 00000010 "pagecache"
mtd10: 00020000 00000010 "swap"
Thank you for your great job
My problem is solved. I was searching for a while but ivop gave the answer in a previous post
I advise dumping the first 0x2000 blocks at offset 0x0000 first as this contains the parameter block in which you can see where each partition starts and how big it is.
So I did it, then I opened a hex editor like GHex on Ubuntu and I saw this:
Code:
[email protected](misc),
[email protected](kernel),
[email protected](boot),
[email protected](recovery),
[email protected](system),
[email protected](backup),
[email protected](cache),
[email protected](userdata),
[email protected](user)
So system partition starts at E000 and has a length of 38000 (hex) bytes.
Thanks for your help this thread is now in my bookmarks
And really nice job with this flashtool
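The partition lookup described in the first post (HWDEF / /proc/cmdline / the dumped parameter block) and in this post, as an added script. It is mine, not part of rkflashtool: it parses the size@offset(name) list from a kernel command line or from the text of a parameter dump, prints the matching rkflashtool commands so offsets and sizes are never retyped, and refuses to emit a write for an image larger than the partition, since rkflashtool truncates such an image. Units follow the thread: 512-byte blocks for sizes and offsets, which is also what rkflashtool r/w take. The sample mtdparts line is constructed: the sizes are the ones in the /proc/mtd listing above, the offsets run contiguously from 0x2000 and agree with the two offsets the thread states (boot at 0x8000 in the first post, system at 0xE000 here); the rk29xxnand device name is an assumption, and the parser ignores whatever name is there.

```shell
#!/bin/sh
# Added example, not part of rkflashtool. Sizes and offsets are 512-byte blocks, as in the thread.
set -eu

# Constructed sample: /proc/mtd sizes from the thread, offsets laid out contiguously
# (boot at 0x8000 and system at 0xE000 match what the thread reports); device name assumed.
SAMPLE_MTDPARTS='mtdparts=rk29xxnand:0x00002000@0x00002000(misc),0x00004000@0x00004000(kernel),0x00002000@0x00008000(boot),0x00004000@0x0000a000(recovery),0x00038000@0x0000e000(system),-@0x00046000(user)'

# One "name offset size" line per partition. Accepts a full kernel command line or just the
# mtdparts= argument. A size of "-" (mtdparts syntax for "the rest of the flash") is kept as is.
mtdparts_table() {  # mtdparts_table <cmdline>
  printf '%s\n' "$1" \
    | sed -n 's/.*mtdparts=[^:]*:\([^ ]*\).*/\1/p' \
    | tr ',' '\n' \
    | sed -n 's/^\([^@]*\)@\([^(]*\)(\([^)]*\)).*/\3 \2 \1/p'
}

# "offset size" of one partition; exit status 1 if the name is not in the list.
partition_bounds() {  # partition_bounds <cmdline> <name>
  mtdparts_table "$1" | awk -v want="$2" '$1 == want { print $2, $3; found = 1 } END { exit found ? 0 : 1 }'
}

# Capacity in bytes; fails for a "-" sized partition, whose size is not in the list.
partition_bytes() {  # partition_bytes <cmdline> <name>
  bounds=$(partition_bounds "$1" "$2") || return 1
  set -- $bounds
  [ "$2" != "-" ] || return 1
  echo $(( $2 * 512 ))
}

backup_cmd() {  # backup_cmd <cmdline> <name>  -> rkflashtool read command
  bounds=$(partition_bounds "$1" "$2") || { echo "no partition named $2" >&2; return 1; }
  set -- "$2" $bounds
  [ "$3" != "-" ] || { echo "$1 has no fixed size; dump it by hand with an explicit block count" >&2; return 1; }
  printf './rkflashtool r %s %s >%s.img.backup\n' "$2" "$3" "$1"
}

# rkflashtool pads a short image with zeroes but truncates a long one, so check before writing.
write_cmd() {  # write_cmd <cmdline> <name> <image>
  max=$(partition_bytes "$1" "$2") || { echo "no fixed-size partition named $2" >&2; return 1; }
  actual=$(wc -c < "$3" | tr -d ' ')
  if [ "$actual" -gt "$max" ]; then
    echo "$3 is $actual bytes but $2 holds $max; rkflashtool would truncate it" >&2
    return 1
  fi
  set -- "$2" $(partition_bounds "$1" "$2") "$3"
  printf './rkflashtool w %s %s <%s\n' "$2" "$3" "$4"
}

# Usage: save the device's /proc/cmdline (adb shell cat /proc/cmdline > cmdline.txt) or the
# text of a parameter dump (strings parm > cmdline.txt), then: sh rkparts.sh cmdline.txt boot
if [ $# -eq 2 ]; then
  backup_cmd "$(cat "$1")" "$2"
fi
```

The write check matters more than it looks: a system.img that is a few blocks too large for its partition would be flashed without complaint, with the tail of the filesystem silently dropped.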
I pushed my latest rkutils to https://github.com/naobsd/rkutils
rkunpack can unpack the RKFW image used in RK2918 ROMs, the RKAF image (update.img), and the KRNL/PARM images used in some single-partition images. Unpacking is done recursively.
rkcrc can make KRNL/PARM images with -k/-p.
rkafpack can make an RKAF image. (I need to write docs/howtos...)
A little off-topic:
in the latest RK2918 ROMs, which are based on "SDK2.0", a new format for boot.img/recovery.img is introduced. It's almost the same as the common Android boot.img format; unpackbootimg/mkbootimg can be used to unpack/repack it, with one exception...
there is a SHA1 hash value in the header of boot.img (at offset 0x240 bytes). Rockchip changes it in some unknown way. The normal mkbootimg can't generate the same hash value as Rockchip, so we can't make a custom boot.img in the new format.
Fortunately, we can split the new boot.img and make separate kernel.img and boot.img (ramdisk) like the pre-SDK2.0 RK2918 ROMs, which is loadable by the new bootloader in SDK2.0 ROMs.
--
btw I just found interesting one: https://github.com/jhonxie/rk2918_tools
relsyou said:
My problem is solved. I was searching for a while but ivop gave the answer in a previous post
I'll add that to my first post. Also, you can view /proc/cmdline to see a list of partitions. It's part of the kernel command line.
Note that the lengths are not in bytes but in blocks of 512 bytes. This happens to be the same as the requirements of the rkflashtool btw (length in blocks).
As for having a writable system partition, currently the system partition is cramfs which cannot be written to. Ever. If you want a writable system partition, you need to change it to ext3 for example. That means unpacking fun_'s system.img and recreating it as an ext3 partition.
In short:
Unpack cramfs img with cramfsck -x (as root, so you preserve permissions and uid/gid)
Create an empty file the size of your system partition (dd if=/dev/zero of=fubar.img bs=512 count=...... et cetera, do the math)
mkfs.ext3 fubar.img
mount -o loop fubar.img /someplacemountable
copy contents of old image to /someplacemountable (use cp -a to preserve ownership etc)
umount
flash fubar.img to system partition
change init.rk28board.rc to reflect the changes
reflash boot.img
reboot device
This is untested, but should work in theory.
Another option is to keep the system partition read-only and use unionfs to overlay a writable partition. I'm not sure if this can be a file on your userdata partition mounted with -o loop, but I suppose it can. This depends on your kernel having unionfs and loopback support though.
fun_ said:
I pushed latest my rkutils to https://github.com/naobsd/rkutils
Nice! I was thinking about creating an rkpack(tool ) myself, but I see it's not necessary anymore.
here is an example for rkafpack
Code:
$ rkunpack N3NET-2.3-20110722.img
FIRMWARE_VER:1.0.0
MACHINE_MODEL:rk2818sdk
MACHINE_ID:
MANUFACTURER:rock-chips
unpacking 12 files
-------------------------------------------------------------------------------
00000800-00000fff HWDEF:HWDEF 797 bytes
00001000-000017ff package-file:package-file 532 bytes
00001800-00021fff bootloader:RK28xxLoader(L).bin 131700 bytes
00022000-000227ff parameter:parameter:[email protected] 506 bytes
00022800-0002e7ff misc:Image/misc.img:[email protected] 49152 bytes
0002e800-0066bfff kernel:Image/kernel.img:[email protected] 6541946 bytes
0066c000-006947ff boot:Image/boot.img:[email protected] 163844 bytes
00694800-008e8fff recovery:Image/recovery.img:[email protected] 2441220 bytes
008e9000-085fc7ff system:Image/system.img:[email protected] 131149828 bytes
----------------- backup:SELF:[email protected] (N3NET-2.3-20110722.img) 140498948 bytes
085fc800-085fcfff update-script:update-script 1294 bytes
085fd000-085fd7ff recover-script:recover-script 266 bytes
-------------------------------------------------------------------------------
unpacked
$ rkafpack \
FIRMWARE_VER:1.0.0 \
MACHINE_MODEL:rk2818sdk \
MANUFACTURER:rock-chips \
HWDEF:HWDEF \
package-file:package-file \
'bootloader:RK28xxLoader(L).bin' \
parameter:parameter:[email protected] \
misc:Image/misc.img:[email protected] \
kernel:Image/kernel.img:[email protected] \
boot:Image/boot.img:[email protected] \
recovery:Image/recovery.img:[email protected] \
system:Image/system.img:[email protected] \
backup:SELF:[email protected] \
update-script:update-script \
recover-script:recover-script \
> new.img
$ sha1sum N3NET-2.3-20110722.img new.img
e758a6c47dca7f09f0b8a82ad89b0cd7c7c8e826 N3NET-2.3-20110722.img
e758a6c47dca7f09f0b8a82ad89b0cd7c7c8e826 new.img
Some values are empty in the RK2818 ROM.
--
Here is how to make an RKFW image:
Code:
$ rkunpack N50-2.3-20111103-ZZ-SDK2.0.img
VERSION:2.0.3
unpacking
00000000-00000065 N50-2.3-20111103-ZZ-SDK2.0.img-HEAD 102 bytes
00000066-00022623 N50-2.3-20111103-ZZ-SDK2.0.img-BOOT 140734 bytes
00022624-0c342627 update.img 204603396 bytes
unpacking update.img
================================================================================
FIRMWARE_VER:0.2.3
MACHINE_MODEL:rk29sdk
MACHINE_ID:007
MANUFACTURER:RK29SDK
unpacking 10 files
-------------------------------------------------------------------------------
00000800-00000fff package-file:package-file 540 bytes
00001000-000237ff bootloader:RK29xxLoader(L)_V2.08.bin 140734 bytes
00023800-00023fff parameter:parameter:[email protected] 610 bytes
00024000-0002ffff misc:Image/misc.img:[email protected] 49152 bytes
00030000-006a3fff boot:Image/boot.img:[email protected] 6766592 bytes
006a4000-01167fff recovery:Image/recovery.img:[email protected] 11288576 bytes
01168000-0c31efff system:Image/system.img:[email protected] 186346496 bytes
----------------- backup:SELF:[email protected] (update.img) 204603396 bytes
0c31f000-0c31f7ff update-script:update-script 933 bytes
0c31f800-0c31ffff recover-script:recover-script 266 bytes
-------------------------------------------------------------------------------
================================================================================
00022624-0c342627 N50-2.3-20111103-ZZ-SDK2.0.img-MD5 32 bytes
unpacked
$ cat N50-2.3-20111103-ZZ-SDK2.0.img-HEAD N50-2.3-20111103-ZZ-SDK2.0.img-BOOT update.img > new.img
$ md5sum new.img
5191abc65649eacf8d2476e37d84a046 new.img
$ cat N50-2.3-20111103-ZZ-SDK2.0.img-MD5
5191abc65649eacf8d2476e37d84a046
$ echo -n 5191abc65649eacf8d2476e37d84a046 >> new.img
$ sha1sum N50-2.3-20111103-ZZ-SDK2.0.img new.img
3120b13df8886e0ddfae0e35379443c27c925572 N50-2.3-20111103-ZZ-SDK2.0.img
3120b13df8886e0ddfae0e35379443c27c925572 new.img
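To check a rebuilt RKFW image without re-typing the cat/md5sum/echo steps, here is an added Python example (my code, not part of the post and not from the rkunpack/rkafpack tools) that implements the layout the output above shows: HEAD, BOOT and update.img concatenated, followed by the MD5 of that body as 32 ASCII hex characters with no newline. The trailer is a plain MD5 with no key or signature, so a match only shows the file is intact, not who produced it; the HEAD and BOOT sizes passed to split_rkfw are the ones rkunpack printed (102 and 140734 bytes).

```python
import hashlib
import sys

# Layout shown by rkunpack on the page: HEAD, BOOT, update.img, then a
# 32-char ASCII hex MD5 of everything before it (echo -n, so no newline).
MD5_TRAILER_LEN = 32
HEX_DIGITS = set("0123456789abcdef")


def build_rkfw(head: bytes, boot: bytes, update_img: bytes) -> bytes:
    """Rebuild an image the way the post does: cat the parts, then append
    the MD5 of that concatenation as lowercase ASCII hex."""
    body = head + boot + update_img
    return body + hashlib.md5(body).hexdigest().encode("ascii")


def verify_rkfw(image: bytes) -> tuple:
    """Return (ok, stored_md5, computed_md5) for a whole RKFW image.
    ok is True only when the trailer is well-formed hex and matches."""
    if len(image) <= MD5_TRAILER_LEN:
        return (False, "", "")
    body, trailer = image[:-MD5_TRAILER_LEN], image[-MD5_TRAILER_LEN:]
    computed = hashlib.md5(body).hexdigest()
    stored = trailer.decode("ascii", errors="replace")
    well_formed = all(c in HEX_DIGITS for c in stored)
    return (well_formed and stored == computed, stored, computed)


def split_rkfw(image: bytes, head_len: int, boot_len: int) -> dict:
    """Split an image into its parts given the HEAD and BOOT sizes that
    rkunpack reports (102 and 140734 bytes for the image on the page)."""
    ok, _, _ = verify_rkfw(image)
    if not ok:
        raise ValueError("RKFW trailer MD5 does not match image body")
    boot_end = head_len + boot_len
    return {
        "HEAD": image[:head_len],
        "BOOT": image[head_len:boot_end],
        "update.img": image[boot_end:-MD5_TRAILER_LEN],
        "MD5": image[-MD5_TRAILER_LEN:],
    }


if __name__ == "__main__":
    # Usage: python rkfw_check.py firmware.img
    with open(sys.argv[1], "rb") as f:
        ok, stored, computed = verify_rkfw(f.read())
    print("trailer:", stored, "computed:", computed, "OK" if ok else "MISMATCH")
```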

[Q] MyTouch 4G SIMUNLOCK

Hi,
I am trying to unlock the SIM on my MyTouch 4G. How do I do that? I keep trying the gfree way but I keep getting:
"# chmod 777 gfree
chmod 777 gfree
# ./gfree -S
./gfree -S
--sim_unlock. SIMLOCK will be removed
Section header entry size: 40
Number of section headers: 44
Total section header table size: 1760
Section header file offset: 0x000138b4 (80052)
Section index for section name string table: 41
String table offset: 0x000136fb (79611)
Searching for .modinfo section...
- Section[16]: .modinfo
-- offset: 0x00000a14 (2580)
-- size: 0x000000cc (204)
Kernel release: 2.6.35.14-UNITY-V9-gdfc9a05
New .modinfo section size: 212
Attempting to power cycle eMMC... Failed.
Module failed to load: No such file or directory"
There is an error. What can I do?
I have an HTC Panache (known as the MyTouch 4G in the USA) and it is perm-rooted.
Was it rooted with gfree? Are you on a Gingerbread ROM? If you are on a Gingerbread ROM you need to go back to stock 2.2 with the RUU. Re-root, use gfree to SIM-unlock, and then revert to your nandroid backup and you will be right back to where you are now, with SIM unlock.

[Q] Bricked my Desire Z by putting the wrong HBoot on it

OK, so I was following the instructions to put an alternative mod on my HTC Desire Z when I realised I had put the HBoot for the T-Mobile G2 rather than the Desire Z
by following the guide
I have ClockworkMod there so I can run adb shell and look around.
This user was fixing the reverse situation. But when I try to run gfree...
Code:
/data/local/tmp # ./gfree -f
--secu_flag off set
--cid set. CID will be changed to: 11111111
--sim_unlock. SIMLOCK will be removed
Section header entry size: 40
Number of section headers: 44
Total section header table size: 1760
Section header file offset: 0x000138b4 (80052)
Section index for section name string table: 41
String table offset: 0x000136fb (79611)
Searching for .modinfo section...
- Section[16]: .modinfo
-- offset: 0x00000a14 (2580)
-- size: 0x000000cc (204)
Kernel release: 2.6.32.28-cyanogenmod-g4f4ee2e
New .modinfo section size: 216
Attempting to power cycle eMMC... Failed.
Module returned an unknown code (No such file or directory).
He then goes on to dd the correct HBoot into a partition:
Code:
dd if=/data/local/hboot-eng.img of=/dev/block/mmcblk0p18
I also found this post that talks about doing a similar thing but to a different partition.
Code:
dd if=/data/local/hboot_7230_Vision_HEP_0.85.0005_101011.nb0 of=/dev/block/mmcblk0p18
So what is the correct partition for the HBoot? And is this the right way to recover from this?
Any guidance would be appreciated.
Stuart
xplora1a said:
OK, so I was following the instructions to put an alternative mod on my HTC Desire Z when I realised I had put the HBoot for the T-Mobile G2 rather than the Desire Z
Any guidance would be appreciated.
Stuart
This is the forum for the Desire S, not the Z.
Thanks
SimonTS said:
This is the forum for the Desire S, not the Z.
Thanks found the right place now

Can't get S-Off or Super CID

I'm having some problems here. I tried to get SuperCID but strangely the CID never changes. Here are the commands. They all looked like they worked but the CID didn't change. (This is after I did the hex editor and pushed the file back onto the SD card.)
Since that didn't work I tried rumrunner's S-OFF script but that said it couldn't work with my ROM (Beanstalk 4.4.2) or kernel.
HTC One S, Rooted, Beanstalk 4.4.2
S4 1.5 GHz Dual Core
HBOOT - 2.15
Kernel 3.4.76-ge75b9c0 phoenixita
Baseband 1.13.50.05........
Code:
C:\fastboot>adb shell
[email protected]:/ # su
su
[email protected]:/ # ls -l /sdcard/mmcblk0p4MOD
ls -l /sdcard/mmcblk0p4MOD
-rwxrwx--- root sdcard_r 1024 2014-02-23 13:32 mmcblk0p4MOD
[email protected]:/ # dd if=/sdcard/mmcblk0p4MOD of=/dev/block/mmcblk0p4
dd if=/sdcard/mmcblk0p4MOD of=/dev/block/mmcblk0p4
2+0 records in
2+0 records out
1024 bytes transferred in 0.015 secs (68266 bytes/sec)
[email protected]:/ # exit
exit
[email protected]:/ # exit
exit
C:\fastboot>adb reboot bootloader
C:\fastboot>fastboot oem readcid
...
(bootloader) cid: T-MOB010
OKAY [ 0.016s]
finished. total time: 0.016s
Wrong section. Next time Q&A.
Switch for a moment to a Sense 2.15 ROM and try Facepalm S-OFF.
fonnae said:
I'm having some problems here. I tried to get SuperCID but strangely the CID never changes. Here are the commands. They all looked like they worked but the CID didn't change. (This is after I did the hex editor and pushed the file back onto the SD card.)
Try rumrunner S-OFF and when you're finished with that, reboot to bootloader, then go into fastboot, open up a command window and type "fastboot oem writecid 11111111" (without quotes)
Did you edit that file via hex editor?
EDIT: oh sorry... :cyclops:
dd98 said:
Try rumrunner s-off and when your finished with that reboot to bootloader then go into fastboot, open up a command window and type "fastboot oem writecid 11111111" (without quotes)
Unfortunately, I already tried Rumrunner. It didn't work and mentioned something about the "cap is on too tight" and to try a custom kernel or different ROM.
I also tried Firewater and after typing 'Yes' it just exited.
I'm pretty much out of ideas here.
fonnae said:
Unfortunately, I already tried Rumrunner. It didn't work and mentioned something about the "cap is on too tight" and to try a custom kernel or different ROM.
I also tried Firewater and after typing 'Yes' it just exited.
I'm pretty much out of ideas here.
Try moonshine
Sent from my SPH-L710 using Nightmare Rom
Thread Moved to Q&A, Help & Troubleshooting
As per the Forum Rules (which you agreed to when you signed up to XDA), development sections are only for development work to be posted, NOT for questions.
Please remember that in future so we don't have a repeat situation.
Regards,
- KidCarter93
Forum Moderator
