[guide] Manual Radio S-OFF, SimUnlock (for linux) - Desire HD Android Development

About:
No-click radio S-OFF for console lovers
Requirements:
0. Rooted Desire HD
1. jkoljo's Easy Radio tool v2_2.zip from this thread http://forum.xda-developers.com/showthread.php?t=857537
2. USB Debugging enabled. Connect charge only!
Steps:
0. unpack gfree from the above zip file
1. $ adb remount
2. $ adb push gfree /system/xbin
3. $ adb shell
4. # chmod 700 /system/xbin/gfree
5. # /system/xbin/gfree -s off
6. # rm -i /system/xbin/gfree # be sure that you are removing the right file
7. # exit
8. reboot the phone.
10x:
jkoljo for the tool

There is already a thread for gfree, it has all the necessary info in it.

WildsideUK said:
There is already a thread for gfree, it has all the necessary info in it.
second that, also puzzled as all you're doing is using adb, why linux specific?

Tried to do it. Failed. Can anybody help? :-(
Code:
[email protected]:~/Desktop/AndroidSDK/2.2/tools$ ./adb remount
remount succeeded
[email protected]:~/Desktop/AndroidSDK/2.2/tools$ ./adb push gfree /system/xbin
1713 KB/s (134401 bytes in 0.076s)
[email protected]:~/Desktop/AndroidSDK/2.2/tools$ ./adb shell
# chmod 700 /system/xbin/gfree
# /system/xbin/gfree -s off
--secu_flag off set
Section header entry size: 40
Number of section headers: 44
Total section header table size: 1760
Section header file offset: 0x000138b4 (80052)
Section index for section name string table: 41
String table offset: 0x000136fb (79611)
Searching for .modinfo section...
- Section[16]: .modinfo
-- offset: 0x00000a14 (2580)
-- size: 0x000000cc (204)
Kernel release: 2.6.32.27-cyanogenmod
New .modinfo section size: 208
Attempting to power cycle eMMC... OK.
Searching for mmc_blk_issue_rq symbol...
- Address: c02b99a8, type: t, name: mmc_blk_issue_rq, module: N/A
Kernel map base: 0xc02b9000
Kernel memory mapped to 0x40009000
Searching for brq filter...
- ***WARNING***: Did not find brq filter.
Patching and backing up partition 7...
patching secu_flag: 0
Done.
# rm -i /system/xbin/gfree
rm: remove '/system/xbin/gfree'? y
# exit

You have an incompatible kernel; try it in some 1.32 based sense rom with buzz 1.1.4 kernel. 1.1.4 CM could be enough, though, so try it first.

Related

[GUIDE] Radio S-OFF, SuperCID, SimUnlock + Root

Hi ppl, here is a guide on how to gain radio S-OFF, SuperCID, SimUnlock
What You Need
-- This File
-- If on OSX / Linux ADB binary (they are not included in the .zip)
-------------------------------------------------------------------------------------------
Bits in red Are Only for people who don't already have perm root
Bits in Blue are for everyone
-------------------------------------------------------------------------------------------
1) Extract the zip file (to your adb directory if on mac / linux)
2) Open a command prompt / shell and navigate to where you extracted the files
3) run
adb install visionaryplus-r14.apk
4) open visionary on phone
5) tick "Run visionary.sh after root" and "set system r/w after root"
6) Now click "temproot now" and wait 30 - 60 sec
7) run line per line
adb push gfree /data/local
adb shell
su
cd /data/local
chmod 777 gfree
./gfree
sync
reboot
Now We Are Radio S-OFF and SuperCID + SimUnlocked
8) If you were not already perma rooted run visionary Temp root, then perm root.
[To Check]
1) run
adb reboot bootloader
ON SHIP HBOOT
Just check the top line if you see
SHIP S-OFF (it worked)
SHIP S-ON (it didn't)
ON ENG HBOOT
2) tap bootloder option
3) use vol down to get to system info and tap
4) check CID for CID-11111111 (if you have this all is done 100%)
5) reboot
[PROBLEMS]
@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
IF THIS DOESNT WORK AND U GET
***WARNING***: Did not find brq filter.
Get either a stock kernel CM/SENSE or my buzz-1.0.7 as it's confirmed working on those
@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
[FAQ]
Does this install the ENG hboot ?
No, as that is no longer required; still an option if you want to gain the extra functions
How can i install custom recovery for roms without ENG hboot ?
Just get ROM Manager from the Market and install with that
What does all this mean ?
Radio S-OFF = we have s-off regardless of hboot we are using so if you update the hboot s-off will stay
Super CID = Allow to install RUUs from ANYONE
[CREDITS]
Paul O'Brien for visionary
scotty2 and others who found the method to patch P7
everyone else who has worked on the G2 root and wpthis
hey there, thanks for the guide but something didn't work while running ./gfree
Code:
./gfree
Section header entry size: 40
Number of section headers: 44
Total section header table size: 1760
Section header file offset: 0x000138b4 (80052)
Section index for section name string table: 41
String table offset: 0x000136fb (79611)
Searching for .modinfo section...
- Section[16]: .modinfo
-- offset: 0x00000a14 (2580)
-- size: 0x000000cc (204)
Kernel release: 2.6.32.25-Buzz-1.0.6-OCUV
New .modinfo section size: 212
Attempting to power cycle eMMC... OK.
Searching for mmc_blk_issue_rq symbol...
- Address: c02ccc70, type: t, name: mmc_blk_issue_rq, module: N/A
Kernel map base: 0xc02cc000
Kernel memory mapped to 0x40001000
Searching for brq filter...
- ***WARNING***: Did not find brq filter.
Patching and backing up partition 7...
after some seconds it rebooted on its own but nothing happened to my cid. any ideas?
same here
That will be the live kernel patching failing as it can't find where to patch .... try running with my 1.0.7 kernel and then restore back (should run on stock kernels)... as i know that works I'll relay this info to scotty2 and see if he can fix for these kernels.
Can you post your kernel info from the about phone menu ?
Apache14 said:
Can you post your kernel info from the about phone menu ?
here it is
2.6.32.25-Buzz-1.0.6-OCUV
[email protected] #66
Sat Nov 27 18:38:35 GMT2010
Worked great
To verify all went well, do this:
Plug in your phone to your computer
In the Terminal/command line, type this:
PHP:
adb shell
this puts you in the phone's shell. now it's a simple matter of the following:
(note the # is your prompt. Don't type the "#". The lines without the # are returned by the phone.)
PHP:
# stop ril-daemon
# cat /dev/smd0 &
# echo -e 'ATE1\r' > /dev/smd0
0
#
# echo -e 'ATV1\r' > /dev/smd0
OK
# echo -e 'AT@CID?\r' > /dev/smd0
@CID: 11111111
OK
echo -e 'AT@SIMLOCK?40\r' > /dev/smd0
# AT@SIMLOCK?40
@SIMLOCK= 00
OK
#echo -e 'AT@SIMLOCK?AA\r' > /dev/smd0
AT@SIMLOCK?AA
@secu_flag: 0
OK
It should look something like that anyway. It may look slightly different if you were typing while the computer was sending you back information.
Did it work? Here's what you're looking for:
@CID: 11111111 <--- this response means you have superCID! Congrats!
@SIMLOCK= 00 <--- this means your simlock is off. Mazel Tov!
@secu_flag: 0 <--- this means your radio is S-OFF. Hurrah!
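The three responses named in the post above can be checked mechanically, for example when auditing a device's lock state from a saved modem capture. This is an added example, not part of the original post or the gfree tool; the function names and both sample captures are constructed, and treating any value other than the three shown as "locked/stock" is an assumption.

```python
import re

# Constructed capture in the shape of the /dev/smd0 transcript above:
# command echoes, CR/LF line endings, and a shell prompt glued to one echo.
UNLOCKED_CAPTURE = (
    "AT@CID?\r\n@CID: 11111111\r\nOK\r\n"
    "# AT@SIMLOCK?40\r\n@SIMLOCK= 00\r\nOK\r\n"
    "AT@SIMLOCK?AA\r\n@secu_flag: 0\r\nOK\r\n"
)
# Constructed capture from a device that never answered the SIMLOCK query.
PARTIAL_CAPTURE = "@CID: HTC__001\r\nOK\r\n@secu_flag: 1\r\nOK\r\n"

# Only lines that START with the response tag count; the echoed command
# "AT@SIMLOCK?40" must not be mistaken for the "@SIMLOCK= 00" answer.
RESPONSES = {
    "cid": re.compile(r"^@CID:\s*(\S+)$"),
    "simlock": re.compile(r"^@SIMLOCK=\s*([0-9A-Fa-f]{2})$"),
    "secu_flag": re.compile(r"^@secu_flag:\s*(\d+)$"),
}


def parse_capture(text):
    """Return the last value seen for each response tag, ignoring echoes."""
    values = {}
    for raw in re.split(r"[\r\n]+", text):
        line = raw.strip()
        if line.startswith("#"):  # shell prompt interleaved with modem output
            line = line[1:].strip()
        for name, pattern in RESPONSES.items():
            match = pattern.match(line)
            if match:
                values[name] = match.group(1)
    return values


def assess(text):
    """Map raw values to states; None means the capture lacks that answer."""
    values = parse_capture(text)

    def state(key, test):
        return test(values[key]) if key in values else None

    return {
        "super_cid": state("cid", lambda v: v == "11111111"),
        # Assumption: any SIMLOCK value other than 00 means still locked.
        "sim_locked": state("simlock", lambda v: v != "00"),
        # Assumption: any secu_flag value other than 0 means S-ON.
        "radio_s_off": state("secu_flag", lambda v: v == "0"),
    }


if __name__ == "__main__":
    for label, capture in (("unlocked", UNLOCKED_CAPTURE),
                           ("partial", PARTIAL_CAPTURE)):
        print(label, assess(capture))
```

A missing answer is reported as None rather than as a locked state, so an incomplete capture is not misread as a verified one.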
Hi,
not work for me.
Code:
Microsoft Windows [Version 6.1.7600]
Copyright (c) 2009 Microsoft Corporation. Alle Rechte vorbehalten.
C:\Users\Administrator>d:
D:\>cd D:\Handy\HTC Desire HD\SuperCID
D:\Handy\HTC Desire HD\SuperCID>adb push gfree /data/local
adb server is out of date. killing...
* daemon started successfully *
1939 KB/s (683255 bytes in 0.344s)
D:\Handy\HTC Desire HD\SuperCID>adb shell
# su
su
# cd /data/local
cd /data/local
# chmod 777 gfree
chmod 777 gfree
# ./gfree
./gfree
Section header entry size: 40
Number of section headers: 44
Total section header table size: 1760
Section header file offset: 0x000138b4 (80052)
Section index for section name string table: 41
String table offset: 0x000136fb (79611)
Searching for .modinfo section...
- Section[16]: .modinfo
-- offset: 0x00000a14 (2580)
-- size: 0x000000cc (204)
Kernel release: 2.6.32.25-Buzz-1.0.6-OCUV
New .modinfo section size: 212
Attempting to power cycle eMMC... OK.
Searching for mmc_blk_issue_rq symbol...
- Address: c02ccc70, type: t, name: mmc_blk_issue_rq, module: N/A
Kernel map base: 0xc02cc000
Kernel memory mapped to 0x40001000
Searching for brq filter...
- ***WARNING***: Did not find brq filter.
Patching and backing up partition 7...
D:\Handy\HTC Desire HD\SuperCID>
with friendly greet
starbase64
For the moment
IF THIS DOESNT WORK AND U GET
***WARNING***: Did not find brq filter.
Get either a stock kernel CM/SENSE or my buzz-1.0.7 as its confirmed working on those
Hi,
now works (or not ), but system info is no longer available on bootloader
with friendly greet
starbase64
Yep it worked
Look at the top SHIP S-OFF
Hi,
but how i can see the SuperCID? System info?
with friendly greet
starbase64
starbase64 said:
Hi,
not work for me.
with friendly greet
starbase64
Try with 1.07 kernel.
If it doesn't work try with stock kernel which works fine
I think only the ENG Hboot shows system info...
Flawless, cheers
starbase64 said:
Hi,
but how i can see the SuperCID? System info?
with friendly greet
starbase64
fastboot getvar all
So can we now flash radio's without fear of being locked down again?
Apache14 said:
fastboot getvar all
I love ur 1.0.6 kernel.
Can I flash 1.0.7, S-OFF radio, and then back 1.06??
yep u can flash official HTC RUUS / RADIO / HBOOT without any fear of losing root
xmoo said:
I love ur 1.0.6 kernel.
Can I flash 1.0.7, S-OFF radio, and then back 1.06??
yep yep that's fine
Is there any way to undo this? In case of guarantee issues?
dubstepshurda said:
Is there any way to undo this? In case of guarantee issues?
S-OFF has nothing to do with legal or illegal.
In some cases when you send your phone for repair, they S-OFF it, and forget to remove it.
So just remove superuser, install stock rom. And it doesn't matter S-ON or S-OFF
"ON ENG HBOOT
2) tap bootloder option
3) use vol down to get to system info and tap
4) check CID for CID-11111111 (if you have this all is done 100%)
5) reboot"
2) tap bootloader option You forgot the A.

[Q] I can't install ClockworkMod Recovery

I was trying to install ClockworkMod Recovery. I followed the steps but for some reason I keep getting the following.
Code:
D:\Epic 4g\one.click.clockworkmod2.5.1.0-flasher>adb shell
$ su
su
# remount rw
remount rw
Remounting /system (/dev/stl9) in read/write mode
# exit
exit
$ exit
exit
D:\Epic 4g\one.click.clockworkmod2.5.1.0-flasher>run-try-first
one click installer and Clockworkmod Recovery v2.5.1.0 made by noobnl, skeeters
lint, and koush
Press any key to continue . . .
remove stock recovery patcher
mount: Operation not permitted
rm failed for /system/etc/install-recovery.sh, No such file or directory
rm failed for /system/recovery-from-boot.p, No such file or directory
copy kernel and flasher
1509 KB/s (0 bytes in 313888.000s)
2458 KB/s (0 bytes in 5820868.002s)flashing kernel
RedBend Update Agent 6,1,14,1
FOTA : Make Block Device Nodes
lcd_init(498): start!
lcd_init(507): fb0 open success
lcd_init(514): width = 480, height = 800
open device file: Permission denied
bmldevice_get_size: bmldevice_open failed!src: /sdcard/zImage
dst: /dev/block/bml8 partition size: 0x0
part_size: 0x0
reboot: Operation not permitted
wait 60 second
cleanup
rm failed for /data/local/tmp/rageagainstthecage-arm5.bin, No such file or direc
tory
rm failed for /data/local/root.sh, No such file or directory
done
Press any key to continue . . .
I've searched other threads; someone did post the same issue but all they asked was "did you remount as rw?" or "Make sure your looking at your phone, superuser will ask you permission to for the process to run as root"
I did remount as rw and no superuser did not ask me anything during the install.
What should I do?
Please help!
Thank you

[Q] MyTouch 4G SIMUNLOCK

Hi,
am trying to unlock my sim on my mytouch 4g.. ...how do i do that ...i keep trying the gfree way but i keep getting:
"# chmod 777 gfree
chmod 777 gfree
# ./gfree -S
./gfree -S
--sim_unlock. SIMLOCK will be removed
Section header entry size: 40
Number of section headers: 44
Total section header table size: 1760
Section header file offset: 0x000138b4 (80052)
Section index for section name string table: 41
String table offset: 0x000136fb (79611)
Searching for .modinfo section...
- Section[16]: .modinfo
-- offset: 0x00000a14 (2580)
-- size: 0x000000cc (204)
Kernel release: 2.6.35.14-UNITY-V9-gdfc9a05
New .modinfo section size: 212
Attempting to power cycle eMMC... Failed.
Module failed to load: No such file or directory"
there is an error. ? what can i do?
I have a HTC Panache (known as mytouch 4g in usa) and it is permrooted
Was it rooted with gfree? Are you on a gingerbread ROM? If you are on a gingerbread ROM you need to go back to stock 2.2 with the RUU. Re root, use gfree to simunlock and then revert to your nandroid backup and you will be right back to where you are now with simunlock.

cid incorrect update fail

hy guys
I want to downgrade my htc desire z, and i am following all the steps only the thing is that on ./flashgc it gives me this: permission denied.
and finally and the most important, when i begin to downgrade it gives me this message: CID Incorrect update fail.
please help me
amiraria said:
hy guys
I want to downgrade my htc desire z, and i am following all the steps only the thing is that on ./flashgc it gives me this: permission denied.
and finally and the most important, when i begin to downgrade it gives me this message: CID Incorrect update fail.
please help me
Can you post the original post you are following? You might need to create your own goldcard.
CID Incorrect update failed
iSkanky said:
Can you post the original post you are following? You might need to create your own goldcard.
after doing all the settings as instruction shows i started writing the commands like below:
> adb shell cat /dev/msm_rotator
/dev/msm_rotator: invalid length
> adb push fre3vo /data/local/tmp
> adb shell
$ chmod 777 /data/local/tmp/fre3vo
$ /data/local/tmp/fre3vo -debug -start FAA90000 -end FFFFFFFF
Buffer offset: 00000000
Buffer size: 8192
Scanning region fb7b0000...
Scanning region fb8a0000...
Scanning region fb990000...
Scanning region fba90000...
Potential exploit area found at address fbb4d600:a00.
Exploiting device...
> adb shell
# exit
> adb push misc_version /data/local/tmp/misc_version
> adb push flashgc /data/local/tmp/flashgc
> adb shell chmod 777 /data/local/tmp/*
> adb shell
# cd /data/local/tmp
# ./misc_version -s 1.00.000.0
--set_version set. VERSION will be changed to: 1.00.000.0
Patching and backing up partition 17...
./flashgc (In this part when i am writing this code i will get this message: ./flashgc permission denied, then i continued typing the rest of the codes).
# sync
# dd if=/dev/block/mmcblk0p17 bs=1 skip=160 count=10
1.00.000.010+0 records in
10+0 records out
10 bytes transferred in 0.001 secs (10000 bytes/sec) (here also instead of getting 10000 bytes/sec i get 5000 bytes/sec)
(here i downloaded PC10IMG.zip and copied to my sdcard)
(then for Fastboot Downgrade i wrote these codes)
> adb reboot bootloader
> fastboot devices
(My device is recognized by typing the above command)
> fastboot oem rebootRUU
(but after finishing all the procedure it will give me this error: CID Incorrect update failed)
flashgc is not working and it gives the error: CID incorrect
I even made a goldcard but i don't know how to use it, i mean the file name is Goldcard.img, i don't know whether i should place it in the related folder or not ? what should be the extension of the file.
one thing more: my device is htc desire z 2.3.3 . and i downloaded the ( Desire Z: PC10IMG.zip
Mirrors:
PC10IMG.zip
Vision_DZ_1.34.405.5_PC10IMG.zip
Vision_DZ_1.34.405.5_PC10IMG.zip) the first one is it correct or not? or i should download the (G2: PC10IMG_Vision_TMOUS_1.19.531.1_Radio_12.21.60.09b _26.02.01.15_M2_release_149459_signed.zip
Mirrors:
Vision_G2_1.19.531.1_PC10IMG.zip
Vision_G2_1.19.531.1_PC10IMG.zip
MD5: 531c08dc402e15577b947bf4cd22aec2)
please help me

[Q] Update of ZTE Nubia Z5s Mini nx406e

zte nubia z5s mini nx406e - version android 4.4.4
Greetings, could someone guide me ?
I want to be able to update this device,
to an android version a little more current,
if I have a copy of the system made with twrp recovery,
starting from there, how can I extract everything to be able to develop.
I know that everything that is needed is within the system itself,
I would appreciate any guidance.
Please do not block what I write again, like the one here
I just tried to explain myself in a way that they could understand me better, excuse my bad english.
Procedure performed to extract .img
adb version: Android Debug Bridge version 1.0.32 - > files used: googledrivers
adb>adb devices
List of devices attached
0123456789 device
previously rooted device -> with this version of the super su -> files here SuperSu
adb shell
[email protected]:/ $ su
[email protected]:/ # cat /proc/partitions
major minor #blocks name
179 9 12288 mmcblk0p9 -> boot
179 24 1280000 mmcblk0p24 -> system
[email protected]:/ # cat /dev/block/mmcblk0p9 > /sdcard/boot_pull.img
[email protected]:/ # cat /dev/block/mmcblk0p24 > /sdcard/system_pull.img
[email protected]:/ # exit
[email protected]:/ $ exit
adb>adb pull /sdcard/system_pull.img stock_system.img
2773 KB/s (1310720000 bytes in 461.535s)
img to download from here: stock_system.img
adb>adb pull /sdcard/boot_pull.img stock_boot.img
2792 KB/s (12582912 bytes in 4.400s)
img to download from here: stock_boot.img
Procedure to extract kernel
1.- Download the tool: android bootimg tools
2.- Extract the file using: tar xvzf android_bootimg_tools.tar.gz
It contains two binaries:
unpackbootimg
mkbootimg
3.-Then run: ./unpackbootimg -i boot.img -o unpack
./unpackbootimg -i <filename.img> -o <output_path>
It will contain:
boot.img-base
boot.img-cmdline
boot.img-pagesize
boot.img-ramdisk.gz ----> ramdisk
boot.img-zImage ----> kernel
archive: boot-img-zImage
to extract: boot.img-ramdisk.gz
use command: gunzip -c boot.img-ramdisk.gz | cpio -i
I'm looking at how to extract kernel sources from: boot.img-zImage
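What unpackbootimg does with the pulled boot partition can be reproduced by reading the boot image header directly, which is handy for inspecting an image before trusting or repacking it. This is an added example, not part of the original post or of the android bootimg tools; it assumes the classic version-0 header layout, and the sample image, addresses and command line are constructed.

```python
import gzip
import struct

BOOT_MAGIC = b"ANDROID!"
# Version-0 header: magic, ten little-endian u32 fields, name, cmdline, id.
HEADER = struct.Struct("<8s10I16s512s32s")


def parse_boot_image(blob):
    """Split a boot image into kernel and ramdisk using the header sizes."""
    if len(blob) < HEADER.size:
        raise ValueError("too short to hold a boot image header")
    fields = HEADER.unpack_from(blob)
    if fields[0] != BOOT_MAGIC:
        raise ValueError("missing ANDROID! magic")
    kernel_size, kernel_addr, ramdisk_size = fields[1], fields[2], fields[3]
    page_size = fields[8]
    if page_size == 0 or page_size & (page_size - 1):
        raise ValueError("page size is not a power of two")
    # The header fills the first page; each payload starts on a page boundary.
    kernel_off = page_size
    kernel_pages = (kernel_size + page_size - 1) // page_size
    ramdisk_off = kernel_off + kernel_pages * page_size
    if ramdisk_off + ramdisk_size > len(blob):
        raise ValueError("header sizes run past the end of the image")
    ramdisk = blob[ramdisk_off:ramdisk_off + ramdisk_size]
    return {
        "page_size": page_size,
        "kernel_addr": kernel_addr,
        "cmdline": fields[12].split(b"\0", 1)[0].decode("ascii", "replace"),
        "kernel": blob[kernel_off:kernel_off + kernel_size],
        "ramdisk": ramdisk,
        "ramdisk_is_gzip": ramdisk[:2] == b"\x1f\x8b",
    }


def build_sample_image(page_size=2048):
    """Constructed image with placeholder payloads, for offline testing."""
    kernel = b"KERNEL-PLACEHOLDER"
    ramdisk = gzip.compress(b"constructed ramdisk payload")
    header = HEADER.pack(BOOT_MAGIC, len(kernel), 0x10008000, len(ramdisk),
                         0x11000000, 0, 0x10F00000, 0x10000100, page_size,
                         0, 0, b"", b"console=ttyHSL0", b"")

    def pad(data):
        return data + b"\0" * (-len(data) % page_size)

    return pad(header) + pad(kernel) + pad(ramdisk)


if __name__ == "__main__":
    # A partition dump is larger than the image it holds, so append padding
    # the way `cat /dev/block/...` would capture it.
    info = parse_boot_image(build_sample_image() + b"\0" * 8192)
    print(info["page_size"], info["cmdline"], len(info["kernel"]),
          gzip.decompress(info["ramdisk"]))
```

Because the slices come from the header's own size fields, the trailing zero padding of a raw partition dump does not end up in the extracted kernel or ramdisk.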
