Any chance that we can use the .bin file in the bootloader update, rename it to DREAIMG.nbh, put it on a SD card (even for OTA RC30), reboot to SPL (camera+END) and flash the ROM for OTA RC30?
trying this now on stock rc30...standby.
ok, RC30 stock bootloader does not recognize DREAIMG.nbh
ok, also tried it on modded RC30 and bootloader says no image found.
Ok, that was the name I found on other threads. Maybe that is not the name to be used.
i also tried DREAIMG.IMG but still the same....
scanta2 said:
Any chance that we can use the .bin file in the bootloader update, rename it to DREAIMG.nbh, put it on a SD card (even for OTA RC30), reboot to SPL (camera+END) and flash the ROM for OTA RC30?
Nope, no chance. The stock bootloader - although it will see DREAIMG.nbh files on fat32 sdcards - will only accept NBH files signed by HTC's private key.
I thought i recalled a post about finding HTC's key when dumping the NAND, am i delusional?????lol....
korndub said:
I thought i recalled a post about finding HTC's key when dumping the NAND, am i delusional?????lol....
Probably a public key. Public keys are used to verify files signed with a private key. As the name implies, the private key is not disseminated.
http://en.wikipedia.org/wiki/Public_key_infrastructure
Hi
can anyone give me img of stock bootloader, and where is this public cert of HTC?
Vilko said:
Hi
can anyone give me img of stock bootloader, and where is this public cert of HTC?
Stock bootloader is attached to this thread. Public cert is located in /etc/security. That's the cert for update files though. No idea if it's the same as used for nbh, especially since no nbh have been publicly released. Analyze the dumped stock bootloader.
This has been resolved by using the flash lite exploit to gain root access allowing the misc partition to be flashed with a downgraded main version number which allows the old leaked Eng RUU we have to be flashed!
GUI for how to root
http://forum.xda-developers.com/showthread.php?t=720565
Old and Outdated information from the Original Post listed below for historical purposes ONLY
Who is Affected: If you've flashed the official OTA update on top of a non rooted ROM or your new EVO comes loaded with it, right now it appears there is no way to obtain root...yet!
What is Patched by the OTA: Through the radio.img which the OTA flashes, it updates the Main Version in the bootloader preventing Toast's root methods from working. It also flashes back the stock recovery, removing our root access in recovery mode and ability to apply .zip files. And last of all, the OTA patches the exploit hole in /system/bin/hstools used for unrevoked1 root.
Successfully eliminating all released methods of obtaining root access.
Conclusion:
after going through all these methods with a great helpful member of the unrevoked team, joshua_, this was the final answer:
[22:34] <joeykrim> cant see to find a method to RUU the phone back down ... ive tried all the methods ive seen. any methods i missed?
[22:34] <joshua_> ok, looks like we are hosed then
[22:34] <joshua_> we have a few more tricks up our sleeve sooner or later
Future:
If you have any suggestions/ideas, please post. I might have missed a method.
We will work towards obtaining root for those with new EVOs that have the official OTA applied and those who applied the official OTA.
Details of the tested known root methods:
user debug PC36IMG.zip (toast part 1) - bootloader error - Main Version is older! Update Fail! Do you want to reboot device?
eng build PC36IMG.zip (toast part 2) - bootloader error - Main Version is older! Update Fail! Do you want to reboot device?
RUU_Supersonic_1.32.651.6 extracted rom.zip renamed to PC36IMG.zip - bootloader error - main version is older
RUU_Supersonic_1.32.651.6_Radio_1.39.00.05.31_release_171253_signed.exe - Error [140]: Bootloader version error The ROM Update Utility cannot update your Android. Please get the correct ROM Update Utility and try again.
RUU_Supersonic_1.32.651.1_Radio_1.39.00.04.26_release_171253.exe - Error [140]: Bootloader version error The ROM Update Utility cannot update your Android. Please get the correct ROM Update Utility and try again.
Stock Recovery - Apply update.zip - clockwork recovery update.zip - E:failed to verify whole-file signature E:signature verification failed
flash_image (flash boot or mtd-eng.img) - copied to /sdcard, but sdcard is mounted with noexec. partition with write access for non-root user and allows executing is /data/local . flash_image can't write to the partitions w/o being run with root permissions. chownto and chown of flash_image to user root - permission denied.
##786# - Reset - doesn't seem to affect much in the way of bootloader version ...
Modifying PC36IMG.zip - using a hex editor to attempt at changing the MainVer stored in the android-info.txt, if any bit changes, it seems to fail the validation by the bootloader.
I tried almost all of these after the OTA hit my wifes phone. No dice. Subscribed to further updates on this thread.
I created a PC36IMG.zip file which contained the .6 release's wimax image and the android-info.txt file from the new update. I was then able to successfully flash it with hboot by placing it in the root of the sdcard and doing a down volume power on boot. It found the pc36img.zip file, verified it, asked me if I wanted to flash it. When I selected yes, it proceeded to do so. It then reported the flash as having been successful.
I can't tell if the flash actually worked because I don't know where to check the wimax version info...
I don't know if this worked because the phone doesn't care to check the MainVer when flashing just the wimax image or if it did it because I pulled a fast one with the android-info.txt file swap.
I extracted the wimax image from the RUU_Supersonic_1.32.651.6_Radio_1.39.00.05.31_release_171253_signed.exe file.
I wonder if it would be possible to pull the same trick with the larger subset of images from the rooting pc36img.zip files. i.e. swap out the android-info.txt files...
frankenstein\ said:
I created a PC36IMG.zip file which contained the .6 release's wimax image and the android-info.txt file from the new update. I was then able to successfully flash it with hboot by placing it in the root of the sdcard and doing a down volume power on boot. It found the pc36img.zip file, verified it, asked me if I wanted to flash it. When I selected yes, it proceeded to do so. It then reported the flash as having been successful.
I can't tell if the flash actually worked because I don't know where to check the wimax version info...
I don't know if this worked because the phone doesn't care to check the MainVer when flashing just the wimax image or if it did it because I pulled a fast one with the android-info.txt file swap.
I extracted the wimax image from the RUU_Supersonic_1.32.651.6_Radio_1.39.00.05.31_release_171253_signed.exe file.
I wonder if it would be possible to pull the same trick with the larger subset of images from the rooting pc36img.zip files. i.e. swap out the android-info.txt files...
im guessing the only reason it allowed you to flash a PC36IMG.zip which wasn't HTC signed is because you're using the hboot from the eng build of the PC36IMG.zip which doesn't check for HTC signatures on the PC36IMG.zip file. Not sure if it looks at the MainVer or not ...
once you're on a stock hboot, the PC36IMG.zip file has to be signed by HTC in order to flash!
I think in order for this to be patched, the bootloader code needs to be disassembled between the two versions to find out what bytes were patched and then either remove the code that checks for HTC signing or find a way to circumvent it.
We had to do things like this when working with mach_kernel when we got ahold of the first developer build of OS X for Intel. It was a pain in the ass and took weeks before we cracked the kernel.
There is even more risk with this though since tampering with the bootloader can definitely permanently brick devices.
joeykrim said:
If you've flashed the official OTA update or your new EVO comes loaded with it, right now it appears there is no way to obtain root...yet!
after going through all these methods with a great helpful member of the unrevoked team, joshua_, this was the final answer:
[22:34] <joeykrim> cant see to find a method to RUU the phone back down ... ive tried all the methods ive seen. any methods i missed?
[22:34] <joshua_> ok, looks like we are hosed then
[22:34] <joshua_> we have a few more tricks up our sleeve sooner or later
If you have any suggestions/ideas, please post. I might have missed a method.
We will work towards obtaining root for those with new EVOs that have the official OTA applied and those who applied the official OTA.
Here are details of the tested methods:
user debug PC36IMG.zip (toast part 1) - bootloader error - Main Version is older! Update Fail! Do you want to reboot device?
eng build PC36IMG.zip (toast part 2) - bootloader error - Main Version is older! Update Fail! Do you want to reboot device?
RUU_Supersonic_1.32.651.6 extracted rom.zip renamed to PC36IMG.zip - bootloader error - main version is older
RUU_Supersonic_1.32.651.6_Radio_1.39.00.05.31_release_171253_signed.exe - Error [140]: Bootloader version error The ROM Update Utility cannot update your Android. Please get the correct ROM Update Utility and try again.
RUU_Supersonic_1.32.651.1_Radio_1.39.00.04.26_release_171253.exe - Error [140]: Bootloader version error The ROM Update Utility cannot update your Android. Please get the correct ROM Update Utility and try again.
Stock Recovery - Apply update.zip - clockwork recovery update.zip - E:failed to verify whole-file signature E:signature verification failed
flash_image (flash boot or mtd-eng.img) - copied to /sdcard, but sdcard is mounted with noexec. only partition with write access for non-root user and allows executing is /sqlite_stmt_journals . flash_image can't write to the partitions w/o being run with root permissions. in other words, need root access to use flash_image
##786# - Reset - doesn't seem to affect much in the way of bootloader version ...
since my friend did the OTA update yesterday and "bricked" his phone i have been trying to fix the phone (i have access to bootloader so it seems to me that maybe, just maybe i can save the phone) anyways, i have been getting a lot of the same error messages anytime i try to update/load any stock rom via bootloader.
what my question is, is there a way to take a 1.47.651.1 rom/image and put it into an ruu? i have looked all over htc's website, but they don't even acknowledge the existence of the evo, at least not that i can find.
joeykrim said:
flash_image (flash boot or mtd-eng.img) - copied to /sdcard, but sdcard is mounted with noexec. only partition with write access for non-root user and allows executing is /sqlite_stmt_journals . flash_image can't write to the partitions w/o being run with root permissions. in other words, need root access to use flash_image
...
Just curious here, regarding the above step, if you had access to a phone that was already rooted, could you use your sdcard in that phone to copy the files into /data and then transfer the sdcard back to the unrooted phone to flash it then?
Sorry for the long multi quote, there are quite a few good ideas and I wanted to make sure I explored each of them as far as the original poster intended.
EtherealRemnant said:
I think in order for this to be patched, the bootloader code needs to be disassembled between the two versions to find out what bytes were patched and then either remove the code that checks for HTC signing or find a way to circumvent it.
interesting ... circumventing the HTC signature check would be perfect and essentially give us an eng build bootloader.
in the RUU.exe rom.zip files, the android-info.txt indicates the MainVer along with a separate hboot.img file. the official OTA didn't have an hboot.img file. It only had a radio.img file which must have updated the MainVer value.
Not sure where on the phone this MainVer value is stored? in the radio?
you're suggesting, compare the bootloader, which is obviously stored somewhere in radio.img as thats the only file being flashed thru the OTA which increments the bootloader version number, against an older radio.img to attempt to find which bytes were changed for the version number?
The radio.img files are all around 22 MB ... ugh
if we're able to find the change in version number on the radio.img, not sure how it would help in flashing over it?
i was kind of thinking down these lines...since the bootloader checks the version number of any file it attempts to flash, the version number is going to be the key.
if we're able to increment (or temp change) the main version number in the file being flashed w/o messing up the htc signature, that could work.
2002wrex said:
what my question is, is there a way to take a 1.47.651.1 rom/image and put it into an ruu?
i've heard this was often done back in the WinMo days but i haven't seen anything on this board regarding this approach. if you have any detailed information, we could def look into it!
unknown_owner said:
Just curious here, regarding the above step, if you had access to a phone that was already rooted, could you use your sdcard in that phone to copy the files into /data and then transfer the sdcard back to the unrooted phone to flash it then?
very clever concept!
i'm not 100% sure on all the different approaches in the suggestion, but here are the ones it prompted me to explore.
unfortunately, every time the /sdcard is mounted on the phone, it's mounted as noexec, meaning no files located on the /sdcard can be executed like programs.
also the /sdcard is mounted with uid=1000 and gid=1015 meaning all files mounted on the /sdcard have their uid/gid overwritten so none of them are allowed root ownership.
without being able to "su" to root access, we aren't able to run any programs with root access.
trying to chownto flash_image to any reference file as root results in:
chownto flash_image /system/bin/chown
Can't change user/group to root!
chown root flash_image
Unable to chmod flash_image: Operation not permitted
if i missed the suggested approach, could you elaborate?
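As an added illustration (not code from this thread or from HTC), here is a minimal model of the two checks the posts above describe the stock hboot applying to a PC36IMG.zip: a signature over the whole file, then the MainVer anti-rollback comparison against android-info.txt. The HMAC key, the `mainver:`/`modelid:` key spellings, the placeholder model id and the `eng_hboot` switch are assumptions; HMAC-SHA256 stands in for HTC's asymmetric signature so the example runs offline.

```python
import hashlib
import hmac
import io
import zipfile

# Constructed stand-in for HTC's signing key (assumption).  The stock hboot
# verifies an asymmetric signature; HMAC-SHA256 is used only so this runs
# offline while still showing that any changed bit fails the check.
VENDOR_KEY = b"constructed-vendor-key-not-real"


def sign_image(zip_bytes: bytes) -> bytes:
    """Whole-file signature over the PC36IMG.zip bytes (HMAC stand-in)."""
    return hmac.new(VENDOR_KEY, zip_bytes, hashlib.sha256).digest()


def parse_android_info(text: str) -> dict:
    """Parse 'key: value' lines from android-info.txt (key names assumed)."""
    info = {}
    for line in text.splitlines():
        if ":" in line:
            key, value = line.split(":", 1)
            info[key.strip().lower()] = value.strip()
    return info


def version_tuple(ver: str) -> tuple:
    """'1.32.651.6' -> (1, 32, 651, 6) so versions compare numerically."""
    return tuple(int(part) for part in ver.split("."))


def build_update(mainver: str, payload: bytes = b"constructed radio payload") -> bytes:
    """Build a constructed sample update zip: android-info.txt plus one image."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_STORED) as zf:
        # modelid is an obvious placeholder, not a real HTC model id
        zf.writestr("android-info.txt",
                    f"modelid: PC36_PLACEHOLDER\nmainver: {mainver}\n")
        zf.writestr("radio.img", payload)
    return buf.getvalue()


def check_update(zip_bytes: bytes, signature: bytes, device_mainver: str,
                 eng_hboot: bool = False) -> str:
    """Return the outcome of the two checks in the order the thread observes them.

    eng_hboot=True models the engineering bootloader the thread says does not
    check HTC signatures; the stock hboot checks the signature first.
    """
    # 1. Whole-file signature: hex-editing MainVer inside the zip changes the
    #    signed bytes, so a stock hboot rejects the file before looking inside.
    if not eng_hboot and not hmac.compare_digest(sign_image(zip_bytes), signature):
        return "signature check failed"
    # 2. Anti-rollback: the bundled MainVer must not be older than the device's.
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        info = parse_android_info(zf.read("android-info.txt").decode())
    if version_tuple(info["mainver"]) < version_tuple(device_mainver):
        return "Main Version is older! Update Fail!"
    return "ok"


if __name__ == "__main__":
    old_ruu = build_update("1.32.651.6")                      # older RUU rom.zip
    sig = sign_image(old_ruu)                                  # vendor-signed
    print(check_update(old_ruu, sig, "1.47.651.1"))            # rollback refused
    tampered = old_ruu.replace(b"1.32.651.6", b"1.47.651.1")  # hex-edited MainVer
    print(check_update(tampered, sig, "1.47.651.1"))           # signature refused
    print(check_update(old_ruu, b"", "1.32.651.6", eng_hboot=True))  # eng hboot: ok
```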
Oh boy...... I thought I was alone in this. I try everything I can and now gave up. Any one can rooted this new OTA please let me know. I really need to downgrade from this.
Made me think of a problem that happened with the Directivo a few years back...
http://dealdatabase.com/forum/showthread.php?t=22154
I was looking around, trying to figure out some way to hack the hdvr2 w/o modifying the prom. I recalled something from the xbox-linux team's presentation for CCC, which was something close to "once you break the chain of trust, the box is forever compromised." I thought to myself: "self, if we can load one kernel via BASH_ENV, why can't we load a second kernel?"
So, is there a way we could compromise the kernel? If so, then...
Subscribed...
Not really interested in rooting until froyo is working, and I could really use the wifi fixes this OTA is supposed to offer, but I'll hold off installing it until we know it can eventually be rooted.
Mikesus said:
http://dealdatabase.com/forum/showthread.php?t=22154
So, is there a way we could compromise the kernel? If so, then...
i read thru the thread. im not clear on how they used BASH_ENV or any other method to load a 2nd kernel.
unfortunately, i think we have an extra layer of security that they dont. thanks HTC!
without nand unlocked on the kernel partition no data can be stored there including a 2nd kernel.
appreciate the link and info. perhaps the ideas or concepts will spur some innovation!
joeykrim said:
i've heard this was often done back in the WinMo days but i haven't seen anything on this board regarding this approach. if you have any detailed information, we could def look into it!
the thing about winmo ruu's (here's a topic i DO know well) is that they are always in a zip. you decompress the zip and have access to all the files. one of them will be the ruu, the rest are all the supporting files/images/rom. all of the android ruu's seem to come as one large exe that doesn't allow access to the files, it merely runs itself. in the winmo days if you got a rom with no ruu, and didn't want to flash from SD, you just took someone else's ruu and dumped the rom image in to the decompressed folder containing the ruu.
i appreciate the help joey, obviously you are busy with your own problems and a lot of people around here just throw you the old "SEARCH BUTTON" response. any help is greatly appreciated!
2002wrex said:
the thing about winmo ruu's (here's a topic i DO know well) is that they are always in a zip. you decompress the zip and have access to all the files. one of them will be the ruu, the rest are all the supporting files/images/rom. all of the android ruu's seem to come as one large exe that doesn't allow access to the files, it merely runs itself. in the winmo days if you got a rom with no ruu, and didn't want to flash from SD, you just took someone else's ruu and dumped the rom image in to the decompressed folder containing the ruu.
interesting again .. so the RUU .exe files for android, do have a payload stored in a rom.zip file which is dumped to a temp directory after the RUU .exe starts and before it finishes.
now, the rom.zip files have been pulled and posted in each of the two RUU .exe threads we currently have. these rom.zip files do contain all .img files which are flashed to the phone. the catch is though, just as the PC36IMG.zip files used in root, these rom.zip files seem to have a special HTC signature (checksum?) in their header.
if you open these rom.zip files from the RUU in winzip, it will error out, but using 7zip, they open just fine.
im new to HTC, this is my first HTC android phone and its almost been 4 weeks so this is as much as i know. it seems, if we're able to alter these rom.zip files either used in the RUU .exe or naming them PC36IMG.zip flashed thru the bootloader and the phone accepts them, we would be golden!
to help save you some searching and let you see what im talking about, here is the latest RUU rom.zip file
http://www.joeyconway.me/evo/stock/RUU_Supersonic_1.32.651.6_Radio_1.39.00.05.31_rom.zip
Subscribed, I was able to Order my EVO today so I will be watching for development. I pledge my donations to whoever is able to figure it out. I really appreciate the efforts of this community.
I second that pledge for donations! I, like many others here, updated while knowing that I probably shouldn't have. I knew better...
Subscribed.
Thanks for all the effort and work. I hope ya'll get it figured out.
dang, I just got my evo yesterday and got the update message so I thought it'd be ok to update it as I thought it might have been old.
Came home and was excited to do all my customization and tweaks, but w/ no prevail
So my local best buy will not give the phone to the customer without pushing the new OTA to it :/
Apparently all of the stores will be doing this per Sprint and HTC's request.
EtherealRemnant said:
So my local best buy will not give the phone to the customer without pushing the new OTA to it :/
Apparently all of the stores will be doing this per Sprint and HTC's request.
Try calling them ahead of time before picking it up and asking if you can just swing by and pick it up yourself and call Sprint to activate yourself. Tell them you are in a rush, make up a story, and see if they just let you pay for it and run.
With Epsylon3's brilliant work, a new idea of flashing custom firmwares came to the surface, allowing a custom /system partition to be flashed directly from RSD Lite! This way you don't need to flash fixed SBFs and waste time with rooting and recovery install in case of system screw-up.
What you need:
1) MotoAndroidDepacker. With it, unpack sbf of the firmware you use as base.
2) Leave the CG35 (boot) and CG61 (devtree) partition files, delete the other smgs. Other files are not that important. You can delete all partition files if you're making a backup for yourself...
3) Replace CG39(system) with your system dump:
adb shell:
su
dd if=/dev/block/system of=/sdcard/CG39.smg
copy CG39.smg from sd card to your firmware folder.
4) Compile sbf with MotoAndroidDepacker.
5) Flash your sbf in case of failure.
MAJOR CAVEAT: This sbf will work ONLY on devices which have the same full SBF version applied last as your device. I.e. if you have flashed 3.4.2-107 and then upgraded it with nandroid to 3.4.2-177, the sbf you created from your system dump will work only for devices which still flashed the 3.4.2-107 sbf last. To install such a (custom) sbf, one would need to flash the full 3.4.2-107 sbf first.
Technical: this is possible because of a bug/feature in the flashing process: the system signature partition is not checked if the phone signature is already present. The phone signature is generated when flashing a full genuine sbf and is verified against the copy in the sp partition, and obviously differs for each firmware. It is stored at the end of the system partition.
Great news.
Some question:
If I install a full sbf. IE: 3.4.2-117 and then apply a custom ROM over it (CM).
So can I make a backup of my system and flash it again in case of any brick?
You can make a backup for yourself and flash it again all you want until you flash another full motorola sbf. Don't forget to make data backups as well, this method can't replace nandroid / titanium!
Interesting...
So I can flash my base sbf, integrate call recording, 720p playback, wvga recording, root, swype on my language and other mods and create a new sbf only to apply these mods.
It will be useful....
Oh great, all of us asked this question when this section began in xda. So essentially we can make an sbf out of our phones and keep it and not worry about any nandroid backups.
This is a great discovery, thanks a ton.
Cheers
So would it be possible creating custom bootmenus as these are updated by sbf's too?
If your current system contains a boot menu, the custom sbf does too; it is identical to the current system.
i think you can create a Full SBF with all original partitions and your "signed" CG39
I think it is not a bug... the thing is: i'm not sure the sbf can work on other devices... but anyway... it can be really useful to recover a device or to create a full backup with the right kernel made for the /system and /devtree
mbr and ebr are needed too, if the partition table has changed, you will have problems..
So the question is whether the signature is related to the specific part of every device, or it is universal as official sbf. Need to be verified .
Does this mean that someone could create an sbf which flashes CM7 or MiUi directly?
IE-coRe said:
Does this mean that someone could create an sbf which flashes CM7 or MiUi directly?
It's possible too.
Where can I find the MotoAndroidDepacker?
Great news! But why are Android systems so complicated when it comes to flashing and backing up? I mean, with computers it's easy. You make an image of the system partition and you're done. Restoring is as simple as writing the backup back to the partition. So, why is it so hard to just make an entire nand backup that we can simply write back to go to a working state after failure?
I made a custom sbf with nightly build in it . Then wipe and flash it, stuck at M logo. Bootmenu works, but it seems that it can't mount some partition , it's the same symptom when wipe in stock recovery in cm7.
Does it really need to flash a full sbf before the custom sbf ?
So if i wanted to do this i split my sbf, delete everything only leaving,
CG35.SMG
CG61.SMG
firmware.hmg
Then system dump and add that CG39.smg in and build and flash?
Have I missed anything?
Well you forgot RAMDLD... One CG39 is enough if you'll flash this SBF over ver 4 froyo (not Chinese or Korean) but I recommend CG35 and CG61 to make such an sbf enough to flash over a system downgraded with fixed sbf + nandroid.
Is it possible to keep all files and just replace CG39? Or are files removed for a reason? Thanks for replying.
You can keep all files, theoretically.
Well i made an sbf version of miui and it works
Wonder if it works on other people's Defy?
Tested by formatting system and then applying sbf. Booted back into MIUI like a dream
EDIT:
Shame the SBF comes out at 300+mb May take a while to upload these things lol.
If I mount the CG39 as a loopback device in a linux box,
Can I just replace the contents and it will retain the signature?
Or the signature is based in a checksum?
Dear Fellas,
After reading a bit through the pages of this Q&A forum I realized that there is no thread describing a proper method to flash a stock firmware into our "stock" tablets, I mean, without any customization or root.
Anyone please, could share his knowledge and enrich us into this subject? Yes, anyone knows how to proceed to flash a stock firmware through microSD?
Just to make things clear as possible, my wondering extends to which files add into microSD, the correct format, the correct structure to flash.
Really appreciate ideas and directions.
Cheers
Erick
Get the firmware you want from the asus webpage, extract it, find in the extracted path another zip archive and rename it to EP101_SDUPDATE. Make sure you leave it a zip, don't change the extension, AND make sure it is on the root of the card... boot by pressing the VOL DOWN + POWER buttons... as soon as you see some text, press the UP button within 5 sec... and wait
Note: OTA updates don't work on my Nexus 5 due to TWRP blocking them. Now my phone doesn't recognize the OTA update anymore (when my phone went to install the OTA update and rebooted, it rebooted into TWRP instead and has completely ignored the update's existence since then). To fix this I plan to simply push the factory img of 5.0.1 to my device directly. I downloaded the factory .img from Google's website.
However instead of a .img file i'm used to, I got a .tgz. I extracted that and got a .tar and then extracted that to finally get my folder with the .img files. However now I'm not sure which one to push to my device. There is a img file called "radio-hammerhead-m8974a-2.0.50.2.22.img" but judging by the file size, I don't think that's the correct one (only 45MB). There is a .zip file called "image-hammerhead-lrx22c.zip" but this contains multiple .img files, the largest one called "system.img". I'm guessing this is the correct one to push to my device via adb since it's about 1GB in size?
I suspect pushing the entire .zip file to my phone and flashing that would be bad as it looks like it'll overwrite TWRP?
Any help would be greatly appreciated.
Here's a lot of useful information about OTA's Check it out: http://forum.xda-developers.com/google-nexus-5/general/info-nexus-5-ota-help-desk-t2523217
You'll need boot and system at least,
If you plan on keeping twrp and root, you may as well just flash one of the flashable zips already available in the development forum
Actually you should have a radio and bootloader img file. First one is - as the name says - the latest radio software (which is needed for GPS, WiFi, cellular network and so on). Second one is the latest bootloader. I'd update them both.
From the zip archive you should only flash certain imgs - if you flash all your data will be wiped (factory reset). What img files does the zip contain?
Why are you pushing them to your phone? You need to flash with fastboot from your computer. There is not just one img file for the update, there are several for different partitions on the phone. Have a look through some of the guides in the general section. Also, flashing one of the stock flashable zips would be much faster, but why not learn a little as you update.
Vomer has a thread of flashable 5.0 and 5.0.1 stock Google ROMs. Don't worry about factory images because you will lose everything once you flash these and it's a much bigger pain imo to back everything including internal on your phone up.
snappycg1996 said:
Don't worry about factory images because you will lose everything once you flash these
Not necessarily true.
You can flash bootloader, radio, and system without losing anything. You'll just have to reroot afterward.