[Think-Tank] RUU Wizard steps revealed / Possible SPL install without goldcard? - myTouch 3G, Magic Android Development

Well, I've been working with some 32As by flashing Froyo to them and all. So far it's cool, but the process is a bit tiresome... they always come with some Cupcake 1.6 I need to flash over with a 2.2 RUU from Rogers using a goldcard so it fixes the SPL it originally comes with, then flashing ENG SPL (S-OFF) and then flashing SPL+Radio+Recovery (6.35 in my case) prior to installing a ROM.
Now, I've been investigating the RUU wizard a bit and this is what I've found the RUU does:
Code:
adb devices
adb devices
adb devices
# Presumably check for battery level before attempting RUU?
adb -s <SERIAL> shell cat /sys/class/power_supply/battery/capacity
adb devices
adb devices
# Gets the build number (to compare against the one in android_info.txt, I assume)
adb -s <SERIAL> shell getprop ro.build.description
adb devices
adb devices
adb -s <SERIAL> shell getprop ro.build.description
adb devices
adb devices
# THIS REBOOTS INTO RUU MODE
adb -s <SERIAL> shell reboot oem-78
adb devices
fastboot devices
# If mode is "RUU"...
fastboot -s <SERIAL> getvar boot-mode
# Flash first ROM.zip (it seems to be a special fastboot hboot image which allows flashing SPL (!))
fastboot -s <SERIAL> erase cache
fastboot -s <SERIAL> flash zip "<path>\rom.zip"
fastboot -s <SERIAL> oem rebootRUU
adb devices
fastboot devices
# Flash the full ROM1.zip
fastboot -s <SERIAL> getvar boot-mode
fastboot -s <SERIAL> flash zip "<path>\rom1.zip"
adb devices
fastboot devices
# All ok? reboot into normal mode
fastboot -s <SERIAL> getvar boot-mode
fastboot -s <SERIAL> reboot
adb kill-server
Taking a look at rom.zip, I can find android_info.txt contains the following files:
Code:
android-info.txt
boot_special.img
hboot_7200A_1.76.0008_091103.nb0
radio.img
And rom1.zip:
Code:
android-info.txt
boot.img
recovery.img
splash1_HTC_Magic.nb0
system.img
userdata.img
Wherein android-info.txt contains:
Code:
MODELID: SAPP10000
CIDNUM: HTC__N34
CIDNUM: HTC__Y13
CIDNUM: HTC__506
CIDNUM: HTC__140
CIDNUM: HTC__139
CIDNUM: ORANGB10
CIDNUM: VODAPC23
CIDNUM: 11111111
MAINVER: 3.05.401.1
hbootpreupdate: 0
Now, I only have theories I'm willing to try once I get a new phone (in case mine bricks while testing, which I don't think can happen, but it's my everyday phone so...), which I need somebody here to be brave enough to test (or at least someone who has a JTAG debrick kit) so maybe we can find a solution to removing S-ON and maybe even doing everything in one shot using a SAPPIMG.ZIP or something like that.
Here are my theories:
1) Adding CIDNUM: <your phone's CID here, mine isn't on the list > could help the RUU to flash everything correctly, thus removing the need for a goldcard?
2) What about making our own ROM.zip with 6.35.10.19 radio, S-OFF 1.76.2007 HBOOT and ROM1.zip with a custom recovery, and using it instead of the original? Even better, without system.img or userdata.img, so you would only need to boot into recovery and flash a ROM?
3) Actually, what if step 2 worked with a ROM already installed? I mean, I wish to know if, when fastboot does the rom1.zip flashing, it erases system & data too. It doesn't seem it does, so I think one can put S-OFF without even doing a full RUU procedure?
I think I had more questions related to this, but it's late and this is what comes to mind. What do you guys think? Do you think something can be made out of this? Anybody up to check if my theories are right?
Any info you can provide is greatly appreciated! ^^
- DARKGuy

1. No
2. No
The phone checks the signature (checksum) of the zips. If you change something inside rom.zip, you will get a signature error.
There is an easy method to remove S-ON on the Magic 32A (not the mt3g v1.2).

5[Strogino] said:
1. No
2. No
The phone checks the signature (checksum) of the zips. If you change something inside rom.zip, you will get a signature error.
There is an easy method to remove S-ON on the Magic 32A (not the mt3g v1.2).
Thing is, what does it checksum against? Those ZIPs don't have a signature anywhere (unlike update.zips, for example) unless it does some kind of CRC check or something (which would be very basic).
My idea was to find a way to skip all that (+ optionally skipping the goldcard) and also install a proper radio/s-off SPL/recovery combination without the manual work.

darkguy2008 said:
Thing is, what does it checksum against? Those ZIPs don't have a signature anywhere (unlike update.zips, for example) unless it does some kind of CRC check or something (which would be very basic).
My idea was to find a way to skip all that (+ optionally skipping the goldcard) and also install a proper radio/s-off SPL/recovery combination without the manual work.
I think it does a CRC check (or other basic check), but this check is in HBoot. To avoid it you need to change HBoot to ENGineering.
Hboot on Magics has two security levels:
- S-ON / S-OFF (with s-off you can change any partition)
- HBoot's ability to process remote commands. If an hboot is called 'perfected', it does not accept fastboot commands (like flash, boot, erase...). Many hboots are perfected...
Interesting? To flash an s-off spl you need to avoid the CRC check. To avoid the CRC check you need to flash an s-off spl =)

5[Strogino] said:
I think it does a CRC check (or other basic check), but this check is in HBoot. To avoid it you need to change HBoot to ENGineering.
Hboot on Magics has two security levels:
- S-ON / S-OFF (with s-off you can change any partition)
- HBoot's ability to process remote commands. If an hboot is called 'perfected', it does not accept fastboot commands (like flash, boot, erase...). Many hboots are perfected...
Interesting? To flash an s-off spl you need to avoid the CRC check. To avoid the CRC check you need to flash an s-off spl =)
Okay, that's some interesting info ^^ I have a few ideas now:
1) Considering "boot_special.img", is there a way to open those .img files and see what they contain? (like when you edit boot.img for kernel zips?)
2) Also, "hboot_7200A_1.76.0008_091103.nb0", since it doesn't have "perfected" in its name, what about using another hboot file instead?
3) Or, another idea! Considering that hboot isn't perfected, once applied, can I put an S-OFF hboot.img in rom1.zip (which is flashed after rom.zip) instead?
4) I'm also thinking that maybe a sappimg.zip file with S-OFF hboot, the ROM, no userdata.img file and the kernel (in boot.zip) would at least skip some manual steps?

2) and 3) ...
Mmm... The word "perfected" was chosen by people from XDA to differentiate between power and weakness. It is not a part of the filename.
I don't remember exactly, but if in fastboot mode you can see androids on skates, it is a non-perfected hboot. Any other hboot is perfected. Official ROMs usually come with a perfected hboot.
1)
Any img file can be unpacked like the others (boot.img, system.img, recovery.img). It should contain a zImage and ramdisk too. But not all official ROMs have boot_special.img.
I think this file is used when HTC needs to expand MTD sizes. Old official ROMs (Magic 32A) have a system image (partition) of less than 100MB. New official ROMs (3.05.XXX.X and higher) have a system (partition) of more than 100 MB.
4)
We are staying in the same place. How will you avoid the CRC check? How to do it with minimal effort in this case?
5)
We need to remember that there are three types of Magic - Magic 32A, Magic 32B, MT3G v1.2 (3.5). Many things are different between them, especially hboots.
p.s. To do less manual work we can ask the dev of SuperOneClick to add a feature 'Install recovery via flash_image'. But other steps (like flashing something via recovery) remain manual.

Related

[GUIDE] How to apply OTA 1.72.405.3 without losing root and S-OFF

These instructions are intended for those who have root and S-OFF yet are still on stock 1.32.405.3. The new update breaks superuser and overwrites both recovery and hboot; if you follow my steps it should all work fine and you will still have root. No wipe is needed.
Info about this update:
1.72.405.3_R2 Update: improve system performance and camera feature enhancements
Requirements for this method:
Clockwork recovery, ENG S-OFF and radio S-OFF
Unless you have radio S-OFF you can't flash the new radio; if you flash it without radio S-OFF you will lose root.
Radio S-OFF is easy and ensures you never lose S-OFF again; you need to have it before you apply the update.
One click Radio S-OFF, SimUnlock (Easy Root Guide)
i recommend you make a nandroid backup first from clockwork recovery
Applying 1.72.405.3
Download the new OTA if you have it in the download folder, or from here
http://dl.dropbox.com/u/8076202/OTA_Ace_HTC_WWE_1_72_405_3_R2-1_32_405_6_release_1632939lowfu0y78jktpp2.zip
copy the OTA file to the root of your sdcard and rename it to update.zip
reboot into clockwork recovery and choose apply update.zip, clockwork recovery will apply the OTA safely without overwriting HBOOT and recovery
Reboot; now you have Android 2.2.1 and build 1.72.405.3. However, clockwork didn't install the new kernel, so WiFi will break; you will need to flash the kernel supplied in the OTA.
Re-flashing the kernel
download the original 1.72.405.3 kernel (extracted from the RUU) http://www.multiupload.com/APNFJJVGWI
Extract the boot.img file to the /tools folder of your Android SDK
Reboot your device into bootloader mode and select fast boot mode (select restart and keep holding down volume down + power, never mind the stupid vibration)
From an elevated command prompt, browse to the /tools folder of the Android SDK
Once in the /tools folder, type (without quotes) "fastboot flash boot boot.img"
Wait until the send and write operations are completed (this may take a few minutes)
Reboot your device
Restoring SU
Once rebooted, uninstall superuser (since it keeps crashing when giving permissions) this step is very important
download the old su package from here http://www.multiupload.com/YTL0P497YR
unpack files to SDCARD
boot to Clockwork recovery
(DHD CWM menu) mount /system
(DHD CWM menu) mount /sdcard
(PC cmd prompt sdk tools) adb shell
# cp /sdcard/su /system/bin/
# cp /sdcard/Superuser.apk /system/app/
# ln -s /system/bin/su /system/xbin/su
# chmod 06555 /system/bin/su
# exit
(DHD CWM menu) umount /system
(DHD CWM menu) umount /sdcard
reboot
download BusyBox from market
Flashing the new radio
Don't install the new radio unless you have Radio S-OFF.
you can download and install the new radio by following the instructions in here
The HTC Desire HD Radio Thread
Once completed you should have the following software information:
Android version: 2.2.1
Baseband version: 12.28e.60.140fU_26.04.02.17_M2
Kernel version: 2.6.32.21.-g3d0aaff / [email protected]#1 / Wed Dec 1 17:09:51 CST 2010
Build number: 1.72.405.3.CL296490 release-keys
Software number: 1.72.405.3
Browser version: WebKit 3.1
for those struggling with sdk commands check this post forum.xda-developers.com/showpost.php?p=10068129&postcount=59
these steps and files were collected from various members, all thanks goes to them
as usual i'm not responsible if all hell breaks loose in your Desire HD
[update 1] working superuser patch http://forum.xda-developers.com/showthread.php?t=886999
[update 2] downgrade back to 1.32 guide http://forum.xda-developers.com/showthread.php?t=905003
I have done it all, and it seems to be working fine.
How can I make sure I have the new radio? What version should I check, and where?
I haven't done the SU thing yet - when I tap the Superuser it doesn't seem to crash over here. Is there any other way I can check the superuser?
hamdir said:
Extract the boot.img file to the /tools folder of your Android SDK
Reboot your device into bootloader mode and select fast boot mode (select restart and keep holding down volume down + power, never mind the stupid vibration)
From an elevated command prompt, browse to the /tools folder of the Android SDK
Once in the /tools folder, type (without quotes) "fastboot flash boot boot.img"
I must be missing something here. Do I need the entire Android SDK to do this?
I actually have a fastboot folder with all the flashboot app etc that works (used for clockwork recovery installation before), is it enough to put boot.img there and go on?
---edit---
nevermind, that was obviously ok!...I'm going on
I think adb and fastboot should be enough, but try to look up confirmation in this forum; you are gonna use it to flash, so better not take risks.
I've read this after, anyway just done, it needed just a few seconds and it's perfect, WiFi newly working now! I go on with the su stuff
# ln -s /system/bin/su /system/xbin/su
says File exists...
I'm sure I uninstalled superuser...what to do?
initial impressions
No 100% cpu usage/battery problem for me like some people are reporting, 720p lag seems gone (needs more investigation), the stuck clock flipping seems gone, apps on the sd card still lose their homescreen icons once rebooted.
edit - it seems snappy after it stabilizes, h264 playback seems improved
ErMeglio said:
says File exists...
I'm sure I uninstalled superuser...what to do?
It's ok, keep going as long as you made sure superuser was removed.
Just done EVERYTHING. BusyBox working and saying I'm correctly rooted (superuser asked for the permission, no probls, so it's ok!), I also updated it to 1.17.1! Had some difficulties finding the right radio, that is not in the radio thread linked. I just found out that it was in my RUU-unzipped rom.zip file found in the last modified folder of %APPDATA% and the radio was named simply radio.img (how strange, he!).
Everything seems to work perfectly and I'm all-around updated.
Many many thanks go to you hamdir for your step-by-step fool-proof guide, merry xMas to you firstly...and to the whole great community in there
---edit---
ok, said too soon, WiFi not working anymore after the radio update
Ideas?
---edit---
flashed again the boot.img and WiFi IS working again.
Can it be done without eng s-off?
Flash is possible with SFR ROM???
grozni said:
Can it be done without eng s-off?
Well, I'm not sure if fastboot flashing would work without it.
OK, I know I'm going to get scolded for this but I'm stuck at the clockwork recovery's reboot screen with a red triangle and an exclamation mark. I perm-rooted with Visionary, used the one-click radio S-OFF and it seemed to work, ROM Manager seemed to flash clockwork recovery without errors. I can get to the bootscreen with the fastboot option etc but at the top right it says radio s-on! Should I try another method to get radio S-OFF?
DHD with ENG S-OFF, Radio S-OFF and clockwork recovery installed on 1.32.405.6 and after trying
*reboot into clockwork recovery and choose apply update.zip, clockwork recovery will apply the OTA safely without overwriting HBOOT and recovery
I get :
assert failed apply patch bla bla bla, I would send a screenshot but the forum won't let me add external links
Any solution?
[email protected] said:
DHD with ENG S-OFF, Radio S-OFF and clockwork recovery installed on 1.32.405.6 and after trying
*reboot into clockwork recovery and choose apply update.zip, clockwork recovery will apply the OTA safely without overwriting HBOOT and recovery
I get :
assert failed apply patch bla bla bla, I would send a screenshot but the forum won't let me add external links
Any solution?
Maybe the OTA file is broken; try to download it again.
makbil said:
OK, I know I'm going to get scolded for this but I'm stuck at the clockwork recovery's reboot screen with a red triangle and an exclamation mark. I perm-rooted with Visionary, used the one-click radio S-OFF and it seemed to work, ROM Manager seemed to flash clockwork recovery without errors. I can get to the bootscreen with the fastboot option etc but at the top right it says radio s-on! Should I try another method to get radio S-OFF?
Seems S-OFF didn't work; ask around in the radio S-OFF thread. If you are still S-ON, ROM Manager will say it installed clockwork when in fact it didn't.
You must have S-OFF,
preferably both radio S-OFF and eng S-OFF.
carl2990, you've edited the build.prop; I don't know how to help, sorry. Ask around in the development forum.
good luck
Any theories why cwm wouldn't flash kernel image? Not flashing radio, recovery, hboot, i get that. But why not the kernel?
hamdir said:
Maybe the OTA file is broken; try to download it again.
Tried to download again and still the same error on update through CWM:
Verifying current system:
assert failed: apply_patch_check("/system/framework/am.jar", "1e0028b2b5baa5fd8d02b1df102a8abf6f03b077", "26697b47b593b822bbbe1035b506a88b02cf4b43"
E: Error in /sdcard/update.zip
(Status 7)
Installation aborted.
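The Status 7 failure quoted above comes from the OTA's updater-script calling apply_patch_check on /system/framework/am.jar: before patching, the file must hash to one of the listed SHA-1 values (normally the pre-update and post-update hashes). As an added example that is not part of the thread, a small Python triage helper that parses that assert line and applies the same rule to a constructed stand-in for the file:

```python
import hashlib
import re
from typing import Optional, Tuple

# The recovery log line quoted in the thread (closing parenthesis was cut off there too).
SAMPLE_LINE = ('assert failed: apply_patch_check("/system/framework/am.jar", '
               '"1e0028b2b5baa5fd8d02b1df102a8abf6f03b077", '
               '"26697b47b593b822bbbe1035b506a88b02cf4b43"')

ASSERT_RE = re.compile(r'apply_patch_check\("([^"]+)"((?:,\s*"[0-9a-f]{40}")+)')

# Constructed stand-ins for the file contents (the real am.jar is not on the page).
STOCK_AM_JAR = b"constructed stand-in for stock /system/framework/am.jar"
MODIFIED_AM_JAR = STOCK_AM_JAR + b" (modified by a root tool)"


def sha1_hex(data: bytes) -> str:
    return hashlib.sha1(data).hexdigest()


def parse_apply_patch_assert(line: str) -> Optional[Tuple[str, Tuple[str, ...]]]:
    """Extract (path, expected_sha1s) from an 'assert failed: apply_patch_check' line."""
    match = ASSERT_RE.search(line)
    if not match:
        return None
    path = match.group(1)
    hashes = tuple(re.findall(r"[0-9a-f]{40}", match.group(2)))
    return path, hashes


def apply_patch_check(data: bytes, expected: Tuple[str, ...]) -> bool:
    """Same rule as the updater's apply_patch_check: the file's SHA-1 must equal one
    of the listed values, so an untouched stock file or an already-patched file
    passes and anything else (modified, or from another base version) fails."""
    return sha1_hex(data) in expected


def explain_status7(line: str, data: bytes) -> str:
    """Turn the assert line plus the file's current bytes into a one-line diagnosis."""
    parsed = parse_apply_patch_assert(line)
    if parsed is None:
        return "not an apply_patch_check failure"
    path, expected = parsed
    actual = sha1_hex(data)
    if actual in expected:
        return f"{path} matches an expected hash; the failure was elsewhere"
    return (f"{path} has SHA-1 {actual}, which is neither the pre-update nor the "
            f"post-update hash; the file is not stock for this OTA's base version")


if __name__ == "__main__":
    print(explain_status7(SAMPLE_LINE, MODIFIED_AM_JAR))
```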
I got my S-OFF issue sorted out (using this, more info here)
Now on 2.2.1, continuing with the rest
Extract the boot.img file to the /tools folder of your Android SDK
Is that the "Tool" folder on my SD card? There is also a folder called "Android" on my SD card, just want to make sure I'm not doing anything wrong.
Android SDK
http://developer.android.com/sdk/index.html

[Resolved] [Q] How to install stock rom from RUU on Wildfire using linux only?

Hi!
I have an HTC Wildfire, have it rooted, clockwork and cyanogenmod installed. Now, I need to send it back for repair and therefore restore everything as it was. This thread is great help: http://forum.xda-developers.com/showthread.php?t=1160251
I have a problem though: I don't have Windows except for Virtualbox and RUU won't work there. So I need to install the data from RUU*.exe using linux tools only.
So far I have extracted the rom.zip file using wine and
Code:
find .wine/drive_c/ -name 'rom.zip' -exec cp -v {} ./update.zip \;
Inside this rom.zip I have the following:
Code:
android-info.txt radio.img recovery.img system.img userdata.img boot.img hboot_7225_1.01.0001_101117.nb0 rcdata.img splash1.nb0
So I boot into the recovery and try to flash rom.zip, which I have renamed to update.zip and copied to /sdcard/. I needed to turn signature checking off to get past the signature checking error; now I get the following:
Code:
E:Can't open /sdcard/update.zip
(bad)
Installation aborted
I assume that it is possible to install all the *.img and *.nb0 files, but in what order do I have to install them and how exactly? I have linux, fastboot and adb at my disposal. HTCFlasher doesn't work with wildfire. So, how do I get my stock rom back? Does anybody have an idea?
Found out myself (sort of).
Ok, I bit the bullet, cleaned the cache and did as follows from a folder with all the rom images:
Code:
fastboot flash boot boot.img
fastboot flash radio radio.img
fastboot flash rcdata rcdata.img
fastboot flash recovery recovery.img
fastboot flash system system.img
fastboot flash userdata userdata.img
fastboot erase cache
fastboot reboot
Now I have HTC stock firmware with HTC Sense on top of it. Probably no root, but I need it to send my wildfire back for repair anyway.
Last thing to do: install hboot with
Code:
fastboot oem mb 9C068490 1 30
fastboot flash hboot hboot_7225_1.01.0001_101117.nb0
Let's hope it'll work.
EDIT: It did work indeed!
Code:
BUZZ PVT SHIP S-ON
HBOOT-1.01.0001
Does anybody know what "fastboot oem mb 9C068490 1 30" exactly does? Except that it is an OEM command of course?

Hboot information and downgrading

Before I start this thread, I should say that all credit goes to otaking71 for finding this crack.
The two original threads are here
http://forum.xda-developers.com/showthread.php?t=1255043
http://forum.xda-developers.com/showthread.php?t=1255360
All of the work was done in the #htc_evo_shift channel on freenode irc.
Table of contents:
1. Hboot information about the exploit.
2. Downgrading
2.1 Notes
3. Full root(Updated 2.2 root)
4. Links
5. Credits/donation links
I will aim to make it so this mod can be ported to other devices to help downgrade bootloaders and software. Please read the entire thread before flashing anything and trying this.
Hboot
Hboot uses a hidden partition to check everything it flashes against; this partition is "misc", or hboot -1, or on the Shift mmcblk0p17 (hboot itself is at mmcblk0p18).
Raw dumps of this partition, run through strings to filter out the ASCII strings, give this type of dump.
Locked bootloader for the evo shift's dump
"SPCS_001
DeviceWarmBoot
CE Serial InUse
Debug Cable Ena
CE USB InUse
ClearAutoImage
2.76.651.4
FNOC
FNOC"
Unlocked bootloader for the verizon thunderbolt
"VZW__001
DeviceWarmBoot
CE Serial InUse
Debug Cable Ena
CE USB InUse
ClearAutoImage
1.02.605.6
FNOC
FNOC"
Eng spl unlocked evo shift
"FN0C
FN0C
FN0C"
Now the place to focus on is the version number, 2.76.651.4. Hboot will check all items you try to flash via hboot or the RUU utility against this number: if it is lower than what you are trying to flash, it will allow you to proceed in flashing through hboot or RUU. If the number is higher, it will reject the flash. If the number doesn't exist (like in the ENG SPL) it will assume it is able to flash it (ONLY TESTED ON ENG SPL, not locked bootloaders). So by dumping the TB's misc partition into our own, we made it so the locked hboot would accept flashes, either by RUU or hboot.
We believe the package you flash still needs to be signed though, so that only leaves you with official RUUs and extracted RUU zips.
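The gatekeeping described here and in the RUU thread above (android-info.txt's MODELID/CIDNUM list, and MAINVER compared against the version string held in misc) can be modelled in a few lines. This is an added example, not code from either thread; the android-info.txt and misc dumps are constructed to match the layouts quoted on the page, and treating CID 11111111 as a wildcard is an assumption:

```python
import re
from dataclasses import dataclass, field
from typing import List, Optional, Tuple

# Constructed android-info.txt in the layout quoted in the RUU thread (CID list shortened).
ANDROID_INFO = """MODELID: SAPP10000
CIDNUM: HTC__N34
CIDNUM: HTC__Y13
CIDNUM: VODAPC23
MAINVER: 3.05.401.1
hbootpreupdate: 0
"""

# Constructed misc dumps: NUL-separated strings in the layout the `strings` output
# above shows (locked Shift, unlocked Thunderbolt, ENG SPL with no version at all).
MISC_LOCKED_SHIFT = (b"SPCS_001\x00DeviceWarmBoot\x00CE Serial InUse\x00"
                     b"Debug Cable Ena\x00CE USB InUse\x00ClearAutoImage\x00"
                     b"2.76.651.4\x00FNOC\x00FNOC\x00")
MISC_THUNDERBOLT = (MISC_LOCKED_SHIFT.replace(b"SPCS_001", b"VZW__001")
                    .replace(b"2.76.651.4", b"1.02.605.6"))
MISC_ENG_SPL = b"FN0C\x00FN0C\x00FN0C\x00"

VERSION_RE = re.compile(rb"\d+\.\d+\.\d+\.\d+")
SUPER_CID = "11111111"  # assumed wildcard; it appears in the thread's CIDNUM list


@dataclass
class AndroidInfo:
    modelid: str = ""
    cids: List[str] = field(default_factory=list)
    mainver: str = ""
    hbootpreupdate: int = 0


def parse_android_info(text: str) -> AndroidInfo:
    """Parse the key: value lines of android-info.txt; CIDNUM may repeat."""
    info = AndroidInfo()
    for line in text.splitlines():
        if ":" not in line:
            continue
        key, value = (part.strip() for part in line.split(":", 1))
        key = key.lower()
        if key == "modelid":
            info.modelid = value
        elif key == "cidnum":
            info.cids.append(value)
        elif key == "mainver":
            info.mainver = value
        elif key == "hbootpreupdate":
            info.hbootpreupdate = int(value)
    return info


def misc_version(dump: bytes) -> Optional[str]:
    """First dotted four-part version in a misc dump, or None when there is none."""
    match = VERSION_RE.search(dump)
    return match.group(0).decode() if match else None


def version_tuple(version: str) -> Tuple[int, ...]:
    return tuple(int(part) for part in version.split("."))


def cid_accepted(info: AndroidInfo, device_cid: str) -> bool:
    return SUPER_CID in info.cids or device_cid in info.cids


def ruu_check(info: AndroidInfo, device_modelid: str, device_cid: str,
              misc_dump: bytes) -> Tuple[bool, List[str]]:
    """Model of the checks described in both threads: model ID and CID must match
    android-info.txt, and MAINVER must not be below the version stored in misc.
    With no version in misc the downgrade test is skipped (the ENG SPL observation).
    Returns (accepted, reasons)."""
    reasons = []
    if info.modelid != device_modelid:
        reasons.append(f"model {device_modelid} does not match {info.modelid}")
    if not cid_accepted(info, device_cid):
        reasons.append(f"CID {device_cid} is not in the CIDNUM list")
    current = misc_version(misc_dump)
    if current is not None and version_tuple(info.mainver) < version_tuple(current):
        reasons.append(f"MAINVER {info.mainver} is older than misc {current}")
    return (not reasons, reasons)


if __name__ == "__main__":
    info = parse_android_info(ANDROID_INFO)
    for name, dump in (("locked Shift", MISC_LOCKED_SHIFT),
                       ("Thunderbolt", MISC_THUNDERBOLT), ("ENG SPL", MISC_ENG_SPL)):
        print(name, ruu_check(info, "SAPP10000", "HTC__N34", dump))
```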
Joeykrim's history(Located on the second page of this thread)
joeykrim said:
for those curious, a lil bit of history:
same method as used on the evo part 2 thread by toastcfh at xda.
only diff is shift is emmc and evo was mtd. shift emmc partitions are a bit more in number and named differently when compared to the evo mtd partitions. on the evo this partition was labeled as "misc" in /proc/partitions. the misc partition being flashed holds the software version number which hboot checks against to verify whether or not it will allow an RUU to be loaded.
also, i want to recall a web site somewhere which allows users to create a custom misc file with a provided version number.
thought this partition was protected by the internal memory write protection but appears it wasn't. not much of a surprise as the first release of the shift didn't have write protection for the hboot partition turned on.
great this works! sadly, they'll prob patch it next OTA around as they did for the evo.
good job on testing (sorry about the lost shift), publishing and releasing! glad to see the shift has unlocked internal memory write protection again!!!
your path to the internal partition location is incorrect. as the OP states, use: /dev/block/mmcblk0p17
full command: dd if=/sdcard/misc.img of=/dev/block/mmcblk0p17
great article with the history and usage of dd, its a classic unix/linux command. very good to become familiar with: http://en.wikipedia.org/wiki/Dd_(Unix)
How to downgrade your device
This is for the Shift; it will be different on other devices with a bit of modding.
1. Temproot(With Fre3vo for the shift) http://forum.xda-developers.com/showthread.php?t=1185243
2. Move the file misc.img to the root of your sdcard, and PG06IMG.zip too if you plan on flashing through hboot.
3. Modify the misc partition to bypass the version check, type the following in an adb shell or a terminal emulator on your phone.
Code:
dd if=/sdcard/misc.img of=/dev/block/mmcblk0p17
Note for other devs: misc.img is the image from the TB, could be other images as long as it has a lower version number.
4. This is up to you, you can either use the ruu utility to revert or the PG06IMG.zip in hboot. I'll include links to both. Since both utilities check the misc partition, both are able to flash =)
5. Reboot and then full root like normal on your downgraded device.
Notes
1. When flashing hboot/using this exploit it always flashes twice/stops early and continues again. Don't worry about it, this is normal (sometimes it looks like more than 2, but just chill out).
2. Some SDcards are not recognized by hboot, so you will either have to switch cards for this operation or use the ruu utility method.
3. Remove the PG06IMG from your sdcard after flash, or hboot will pick it up next time.
Full root for downgraded 2.2
Flash ENG bootloader
1. Download these files and extract them to the root of your sdcard: www.thebcblends.com/shift/Shift-root.zip
2. Obtain temproot from z4Root, visionary, OR CM's temproot wiki
3. Flash hboot with Engineer SPL:
Code:
dd if=/sdcard/Shift/hboot_eng.nb0 of=/dev/block/mmcblk0p18
4. Boot into bootloader and check for S-OFF
Flashing a recovery
1. Grab latest shift recovery from: http://www.koushikdutta.com/2010/02/clockwork-recovery-image.html
2. Make sure you're temprooted(may have to temp root again)
3. Install recovery from rom manager
Alternative install can be done if you grab another recovery's recovery.img and do one of the following below.
a. Okay this is for those with fastboot - flash the recovery with fastboot: fastboot flash recovery recovery.img
b. This is for those where fastboot doesn't work or they don't have it - 1. Place recovery.img on the root of your sdcard, then type the command below.
Code:
dd if=/sdcard/recovery.img of=/dev/block/mmcblk0p21
Full root/Rom flashing
Well I know you don't have anything you want to save from the 2.2 ruu since it's just a stock flash, so I am going to leave it off here as flash whatever rom you want over the new system via recovery and you should end up with a fully rooted android.
Just remember to wipe data/factory reset after flash.
Links - MD5Sums aren't terribly important here as the files will not flash if they are not correct due to the signatures.
Fre3vo temp root for GB - http://forum.xda-developers.com/showthread.php?t=1185243
misc.img for the misc partition - http://dl.dropbox.com/u/41040697/misc.img MD5Sum: c88dd947eb3b36eec90503a3525ae0de
Misc.img mirror(You guys took down my second dropbox.....trying a different site now): http://www.box.net/shared/0l8ex73zne0tfr10ob69
Second misc.img mirror: http://dl.dropbox.com/u/15373824/misc.img
Another mirror for misc.img: http://dev-host.org/a9dbnuzgb9qv/misc.zip (Thanks Fdxrider)
Official ruu file for downgrading to 2.2 - http://www.multiupload.com/15N2D30H6C MD5SUM: a4b880954d2ac29d5bdf0dade9dede3c
PG06IMG for hboot downgrading to 2.2 - http://dl.dropbox.com/u/41040697/PG06IMG.zip MD5SUM: d20be478fd860b80f5e800c958f79077
Mirror for PG06IMG(First link went down temporarily due to generating too much traffic on my account, good job guys xD) - http://dl.dropbox.com/u/15373824/PG06IMG.zip
Mirror for PG06IMG: http://dev-host.org/xmlaaco0s2ph/PG06IMG.zip
2.2 root [Bcnice guide]- http://forum.xda-developers.com/showthread.php?t=932153
Cm's rooting method(For those without z4root or visionary) - http://wiki.cyanogenmod.com/wiki/HTC_Evo_Shift_4G:_Full_Update_Guide
Credits
Otaking71 - Discoverer of this exploit for the shift and working throughout the night to establish it as a working downgrade.
Bcnice20 & other 2.2 root devs - I borrowed your root methods for this guide, and linked to them. Just had to update it for recovery basically.
Stuke00 - Fre3vo temp root for 2.3.3
Joeykrim - Donating that history for the curious minds.
Donation links:
Otaking71 - Main driver of this discovery/creator and came up with this theory
http://forum.xda-developers.com/donatetome.php?u=1762836
Should we vote this to the front or try to keep it on the downlow?
^ Shift Faced
I'm at work now, but am I to understand that there is now a full root for shifts on gb?
Sent from my PC36100 using XDA App
totalnub911 said:
I'm at work now, but am I to understand that there is now a full root for shifts on gb?
Sent from my PC36100 using XDA App
Something of that sort, you can obtain full root through this exploit. Though it's through downgrading the firmware you use old 2.2 rooting methods.
totalnub911 said:
I'm at work now, but am I to understand that there is now a full root for shifts on gb?
Sent from my PC36100 using XDA App
That is correct if you downgrade then root with shiftRR. That's what I'm getting from all this.
EDIT: got beat to it
YoungCorruption said:
That is correct if you downgrade then root with shiftRR. That's what I'm getting from all this.
EDIT: got beat to it
Sounds like it's time to change your siggy there youngcorruption!
I'm sorry for the noobish question, but what does this mean and how do I do this?
2. Modify the misc partition: dd if=/sdcard/misc.img of=/dev/block/mmcblk0p17
misc.img is the image from the TB, could be other images as long as it has a lower version number.
halrulez said:
I'm sorry for the noobish question, but what does this mean and how do I do this?
2. Modify the misc partition: dd if=/sdcard/misc.img of=/dev/block/mmcblk0p17
misc.img is the image from the TB, could be other images as long as it has a lower version number.
In more specific directions it means to move the downloaded file misc.img to /sdcard, then to type the command "dd if=/sdcard/misc.img of=/dev/block/mmcblk0p17" without quotes. The rest just means it'll be different on other devices.
Nice write up, thanks to otaking and scary you all saved the shifters from a horrible ota update
Sent from my Supreme Shift using Tapatalk
Scaryghoul said:
In more specific directions it means to move the downloaded file misc.img to /sdcard, then to type the command "dd if=/sdcard/misc.img of=/dev/block/mmcblk0p17" without quotes. The rest just means it'll be different on other devices.
OK, can I do this in a terminal on my phone, or do I have to do this in adb from my computer?
And if so, what are the full steps to get to the point where I can enter this? I am trying to understand adb; hell, I am just starting in Linux so I am a hella noob.
halrulez said:
OK, can I do this in a terminal on my phone, or do I have to do this in adb from my computer?
And if so, what are the full steps to get to the point where I can enter this? I am trying to understand adb; hell, I am just starting in Linux so I am a hella noob.
Either one, you can either mount your phone on usb and move the misc.img to your sdcard then type the command in terminal on your phone.
OR
You can adb push the file to your sdcard then adb shell the command.
I'll make the instructions more detailed in a bit.
What do you mean by: Modify the misc partition: dd if=/sdcard/misc.img of=/dev/block/mmcblk0p1?
I moved the misc.img to sdcard but I have no mmcblk0pl in dev/block. Do I have to create that folder? And dd and of....lost me there.
I just did it and it worked perfectly. Back on 2.2, ready to root. Thanks again to otaking and scary for all your hard work.
OK, so I was able to do this from the terminal on my Android.
Now though, when I am trying to run the RUU from my computer it starts to go but keeps saying that it is waiting for the bootloader. The phone won't boot into the bootloader.
halrulez said:
OK, so I was able to do this from the terminal on my Android.
Now though, when I am trying to run the RUU from my computer it starts to go but keeps saying that it is waiting for the bootloader. The phone won't boot into the bootloader.
You might need to install HTC Sync to run RUUs. http://www.htc.com/managed-assets/support/software/htc-sync/setup_3.0.5557.exe
I'm just going to put this out there as well, because I have had problems with the drivers that came with Sync and I was forced to use the modified USB drivers found in the unrevoked Evo tool. I dunno, it's weird, but my Vista PC didn't like anything but those drivers, and another guy I helped RUU from a major mess-up couldn't get anything with Sync to recognize his Shift until he used the same modified Evo drivers. I hope no one has an issue, but if it comes about, this is how to fix a driver issue.
Best day ever!!!!!!!!!!!!!!!!!!!!!!!!!
strapped365 said:
I'm just going to put this out there as well because I have had problems with the drivers that came with Sync and I was forced to use the modified USB drivers found in the unrevoked Evo tool. I dunno, it's weird, but my Vista PC didn't like anything but them drivers, and another guy I helped RUU from a major mess-up couldn't get anything with Sync to recognize his Shift until he used the same modified Evo drivers. I hope no one has an issue, but if it comes about, this is how to fix a driver issue
provide link to said drivers?
riggsandroid said:
provide link to said drivers?
Kinda can't provide an actual link directly to the drivers because I had to set up unrevoked just like I was rooting an Evo, so I just hinted they were in the tool
http://unrevoked.com/recovery/
That's where you can get the tool from to set up your drivers if you have issues with Sync not playing well or your PC just doesn't want to read the drivers right
for those curious, a lil bit of history:
same method as used in the Evo part 2 thread by toastcfh at XDA.
only diff is the Shift is eMMC and the Evo was MTD. Shift eMMC partitions are a bit more in number and named differently when compared to the Evo MTD partitions. on the Evo this partition was labeled as "misc" in /proc/partitions. the misc partition being flashed holds the software version number which hboot checks against to verify whether or not it will allow an RUU to be loaded.
also, I seem to recall a website somewhere which allows users to create a custom misc file with a provided version number.
I thought this partition was protected by the internal memory write protection but it appears it wasn't. not much of a surprise as the first release of the Shift didn't have write protection for the hboot partition turned on.
great this works! sadly, they'll prob patch it next OTA around as they did for the Evo.
good job on testing (sorry about the lost Shift), publishing and releasing! glad to see the Shift has unlocked internal memory write protection again!!!
blakeatl said:
What do you mean by: Modify the misc partition: dd if=/sdcard/misc.img of=/dev/block/mmcblk0p1?
I moved the misc.img to sdcard but I have no mmcblk0pl in dev/block. Do I have to create that folder? And dd and of....lost me there.
your path to the internal partition location is incorrect. as the OP states, use: /dev/block/mmcblk0p17
full command: dd if=/sdcard/misc.img of=/dev/block/mmcblk0p17
great article with the history and usage of dd, it's a classic Unix/Linux command. very good to become familiar with: http://en.wikipedia.org/wiki/Dd_(Unix)

[GUIDE][S-ON] How to downgrade chacha to lower firmware version

This guide will explain how to downgrade the ChaCha from a higher RUU version to a lower RUU version. Even an HBoot downgrade is possible. For mine, I successfully downgraded from HBoot 1.05 to 1.04.
Usually the error message 'Main Version is Older' appears if you try to downgrade your firmware; this guide will help solve this.
The guide is based on thread http://forum.xda-developers.com/showthread.php?p=10757949#post10757949
This is not my actual work; I searched through the forums when I wanted to downgrade my ChaCha from RUU_Chacha_HTC_Europe_1.33.401.1_Radio_47.17.35.3033H_7.48.35.14_2_release_204385_signed to RUU_Chacha_hTC_Asia_WWE_1.21.707.2_Radio_47.14.35.3030H_7.47.35.17_release_197518_signed and created this guide.
My device is carrier unlocked, S-ON and this method will work on S-ON devices.
Note: Before you proceed, I accept no responsibility if you brick your phone. Do it on your own risk!!!
Things you need
I assume you already have the Android SDK and HTC Sync installed on your system
1) Flash_Image – http://www.android-hilfe.de/attachments/root-hacking-modding-fuer-htc-desire/8835d1275662657-how-rebrand-o2-desire-fertig-flash_image.zip
2) HEX Editor - http://mh-nexus.de/en/downloads.php?product=HxD
3) A gold card – search through the forums if you need to create one.
Step 1: Achieve temp adb shell root
You can achieve temp adb shell root using the zergRush method. If you don't know how, you can see this thread http://forum.xda-developers.com/showthread.php?t=1296916 or the simplest way is to use the batch file created by qzfive http://forum.xda-developers.com/showthread.php?t=1319386
Step 2: Copy the mtd0 file to the sdcard.
Open a command prompt, change your directory to the ADB directory (usually the folder where ADB.exe resides).
In the command prompt, type: adb shell
You should see '#' at the prompt; if you see '$' then you didn't achieve temp root, redo step 1.
In the command prompt, type:
cat /dev/mtd/mtd0 > /sdcard/misc.img
Step 3: now change the USB connection type to ‘disk drive’ and copy the ‘misc.img’ to your pc or laptop. Use HxD as administrator and open ‘misc.img’
Step 4: The current version number can be located at the 11th line; change it to the version number of the RUU you want to downgrade to. I have changed mine from 1.33.401.1 to 1.25.709.1 and saved. Be sure to back up the file before any updates.
Step 5:
Copy the flash_image (which you downloaded at the start) and misc.img back to the root of your sdcard
Step 6: Change the USB connection type to 'charge only' and execute the commands below in the adb shell
cat /sdcard/flash_image > /data/flash_image
chmod 755 /data/flash_image
/data/flash_image misc /sdcard/misc.img
Step 7:
Copy the rom.zip from the RUU which you want to flash to the root of the goldcard and rename it to PH06IMG.zip. Power off the phone, insert the goldcard into the phone, press volume down + power on, and the phone will flash the ROM.
I'm quite happy to see that this ChaCha section is getting more and more used. This goes straight to the ChaCha guide that I made. Congratulations!
Thank you, I was trying my luck for S-OFF as in this thread http://forum.xda-developers.com/showthread.php?t=1317960 so I downgraded my phone, and unfortunately no S-OFF!
Ok, this could be modified with an S-OFF HBoot in the zip to achieve S-OFF, I'm sure of it. Anyone have an engineering S-OFF HBoot around?
It wouldn't work - if you modify a signed HTC .zip, the bootloader won't take it if it's S-ON
@#$%. I do feel this is the start of an exploitable loophole. Now how to use it is the key.
As qzfive said, if the rom.zip in the RUU is modified it cannot be flashed. I tried to modify the rom.zip using a zip utility to change the CID information once, but the flashing was not successful. I believe HTC uses some special technique to build the zip
If anyone can direct us to information on building RUUs, maybe we can give it a try
ajeevlal said:
As qzfive said, if the rom.zip in the RUU is modified it cannot be flashed. I tried to modify the rom.zip using a zip utility to change the CID information once, but the flashing was not successful. I believe HTC uses some special technique to build the zip
If anyone can direct us to information on building RUUs, maybe we can give it a try
It has a digital signature that you are modifying by packing it with a normal zip program. Instead, use 7zip this way:
- extract the files you want to edit
- edit them (for a text editor use Notepad++, as others like normal Notepad\Word\WordPad create unneeded newline chars)
- open the zip with 7zip again and drag and drop the files you want to replace into 7zip.
Alex C. said:
It has a digital signature that you are modifying by packing it with a normal zip program. Instead, use 7zip this way:
- extract the files you want to edit
- edit them (for a text editor use Notepad++, as others like normal Notepad\Word\WordPad create unneeded newline chars)
- open the zip with 7zip again and drag and drop the files you want to replace into 7zip.
I'm guessing it's only possible to modify the CID of the .zip this way? I got an idea of replacing recovery.img in the zip to a CWM.img, guessing it wouldn't work?
EDIT: I pulled the rom.zip from the 1.33.401.1 RUU and it wouldn't let me put my modified android-info.txt back into the .zip, 7zip gave me a "Not implemented/Operation not supported" error :/
qzfive said:
I'm guessing it's only possible to modify the CID of the .zip this way? I got an idea of replacing recovery.img in the zip to a CWM.img, guessing it wouldn't work?
EDIT: I pulled the rom.zip from the 1.33.401.1 RUU and it wouldn't let me put my modified android-info.txt back into the .zip, 7zip gave me a "Not implemented/Operation not supported" error :/
7zip said "Not implemented"? Weird.. So you are simply using drag and drop, eh?
As a side note, remove the first 256 bytes of the file, which is the RSA signature (for example using HxD) to get a "proper" zip file. All modifications of the file will invalidate the signature anyway, you won't be able to flash it unless you're S-OFF or through an exploit.
Yup, Drag and Drop gives the error "Not Implemented", and clicking the Add icon gives the error "Operation is not supported"
Funnily enough, WinRAR says "C:\Users\James\Desktop\PH06IMG.zip: The archive is corrupt" when trying to add files to it
I'm guessing HTC made their .zips pretty secure then :/
xdbg said:
As a side note, remove the first 256 bytes of the file, which is the RSA signature (for example using HxD) to get a "proper" zip file. All modifications of the file will invalidate the signature anyway, you won't be able to flash it unless you're S-OFF or through an exploit.
I've edited with 7zip and the signature was not invalidated. The files were then flashed.
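To make xdbg's point about the 256-byte block concrete, here is an added Python example that is not HTC tooling and not code from any post in this thread. It assumes, as described above, that the signed file is an ordinary zip with a 256-byte RSA signature in front of it, and it works out the size of that block from the zip's own central directory rather than trusting the number. The sample file is constructed in memory: the 256 "signature" bytes are plain filler, not a real signature, and the android-info.txt values are sample values, not copied from a real RUU.

```python
"""Inspect an HTC RUU-style zip that carries a signature block in front of the
real zip stream.

Added example for this thread; it is not HTC tooling and not code from any
post here. Assumption (from xdbg's note above): the signed file is an ordinary
zip preceded by a 256-byte RSA signature. The sample below is constructed in
memory and its 256 "signature" bytes are plain filler, not a real signature;
the android-info.txt values are sample values, not taken from a real RUU.
"""
import hashlib
import io
import struct
import zipfile

EOCD_SIG = b"PK\x05\x06"   # end-of-central-directory record
CD_SIG = b"PK\x01\x02"     # central directory file header
EOCD_MIN_LEN = 22
HTC_SIG_LEN = 256          # size of the leading signature block, per the thread


def prefix_length(data):
    """Return how many bytes precede the zip stream proper.

    The EOCD record stores the central directory offset relative to the start
    of the zip stream; comparing that with where the central directory really
    sits in the file reveals any block prepended to the archive. This needs no
    knowledge of HTC's format beyond 'there is something before the zip'.
    """
    eocd = data.rfind(EOCD_SIG)
    if eocd < 0 or eocd + EOCD_MIN_LEN > len(data):
        raise ValueError("no end-of-central-directory record: not a zip")
    cd_size, cd_offset = struct.unpack_from("<II", data, eocd + 12)
    actual_cd = eocd - cd_size
    if actual_cd < 0 or data[actual_cd:actual_cd + 4] != CD_SIG:
        raise ValueError("central directory not where EOCD says: corrupt zip")
    return actual_cd - cd_offset


def has_htc_signature_block(data):
    """True when exactly 256 bytes sit in front of the zip stream."""
    return prefix_length(data) == HTC_SIG_LEN


def split_signature(data):
    """Return (signature_block, plain_zip_bytes)."""
    n = prefix_length(data)
    return data[:n], data[n:]


def members(data):
    """Member names, read from the zip stream after any signature block."""
    _, body = split_signature(data)
    with zipfile.ZipFile(io.BytesIO(body)) as zf:
        return zf.namelist()


def body_digest(data):
    """SHA-256 of the zip stream only. Any edit to a member (a CID line, a
    swapped recovery.img) changes this, which is why a signature computed over
    the body cannot survive repacking."""
    _, body = split_signature(data)
    return hashlib.sha256(body).hexdigest()


def make_sample_signed_zip(info_text="modelid: PH06XXXXX\ncidnum: 11111111\nmainver: 1.33.401.1\n"):
    """Constructed stand-in for a PH06IMG.zip-style file: a small zip with
    android-info.txt and a dummy image, behind 256 bytes of filler."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("android-info.txt", info_text)
        zf.writestr("recovery.img", b"\x00" * 64)  # placeholder payload
    return bytes(range(256)) + buf.getvalue()


if __name__ == "__main__":
    blob = make_sample_signed_zip()
    print("prefix bytes:", prefix_length(blob))
    print("members:", members(blob))
    print("body sha256:", body_digest(blob))
```

Running `prefix_length` on a file you pulled from an RUU tells you whether you are looking at the signed form (256) or an already-stripped zip (0); note that the script can only show that editing changes the signed body, it cannot verify the signature itself without HTC's public key.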
Do I have to buy an XTC Clip to get a gold card or what?
'Cause I can't find any other way to do it
Search on Google: gold card creator. You can also search "gold card" on XDA.
It worked, thanks....
What to do if I can't get adb shell root?
zergRush doesn't work, saying Hellions with blue flames
the 2nd link is dead, and I guess it's based on the same exploit
all I need is to flash Europe 1.33.401.1 on top of 1.57.707.2
S-ON
aZzz.bZzz said:
What to do if I can't get adb shell root?
zergRush doesn't work, saying Hellions with blue flames
the 2nd link is dead, and I guess it's based on the same exploit
all I need is to flash Europe 1.33.401.1 on top of 1.57.707.2
S-ON
Facing a similar issue... OK, got adb shell working (already rooted) but it failed at the last command and says not enough memory... card empty and phone has about 80MB free.
My phone is S-ON and factory unlocked. Do I still need a goldcard? I read reviews a long time ago that unlocked phones don't need that, only branded ones need a goldcard.
wish the xtc clip were cheaper ...
thank you, you were right, it just wants a post on my wall.
I am sorry for the off-topic, but is there any easy tutorial on how to SIM carrier unlock my HTC ChaCha S-ON, if there is one?
I have the USA version ChaCha, with firmware 1.60.xxx
Really downgrade firmware? And do S-OFF?
With gold card not have downgrade

New downgrade for J Butterfly 1.36.970.1 > 1.15.970.1

There is a new downgrade option released for firmware 1.36.970.1 to 1.15.970.1.
However my Japanese is not perfect and my understanding of hacking is very weak.
If someone more in the know could work out what the steps to take are, that would be great.
Good luck all. I hope someone can make a guide as well to help others out.
I'll try my best as well.
Here is the link.
http://htcsoku.info/htcsokudev-news/au-deluxe-136to115-downgrade/
link to RUU 1.15.970.1 is dead
I have successfully downgraded my J Butterfly based on those instructions. I have simplified it because the original instructions seem to be overly complicated. They involved tricking a system app with root privileges into running a custom command, only to use run_root_shell later anyway.
I also did not use the run_root_shell supplied by the guide, instead I compiled a newer version direct from the source: https://github.com/android-rooting-tools/android_run_root_shell
You'll need
1. revone.dna-0.2.1
http://forum.xda-developers.com/showthread.php?t=2314582
2. A newer build of run_root_shell (attached)
3. 1.15 ROM: PL99IMG_DLX_WLJ_JB_45_KDDI_JP_1.15.970.1_R_Radio_1.00.10.1127_3_NV_2.28_01C_release_signed.zip
(renamed to rom.zip in this tutorial)
https://mega.co.nz/#!jQtQ0BLS!279lf8k4sbKPTmWHTsPg6hbaGDatpq3xGGv4aE8N1h4
4. firmware.zip extracted from OTA_DLX_WLJ_JB_45_KDDI_JP_1.36.970.1-1.29.970.1_release_330380g3nfgypcfojku8a9.zip:
http://kie.nu/1urK
5. adb and fastboot
6. A hex editor such as XVI32
THIS WILL WIPE YOUR USER DATA, BACKUP ALL YOUR STUFF FIRST
Steps:
1. Run the following commands in command prompt to push files required by run_root_shell to device:
adb push run_root_shell /data/local/tmp/
adb push device.db /data/local/tmp/
2. Run in command prompt:
adb shell
to access the shell on your device. Run the following commands to run run_root_shell; disregard messages about HTL21 not being supported. You will be returned to the command line but with a hash (#) instead of a dollar sign; that means you have temp-rooted.
cd /data/local/tmp/
chmod 755 *
./run_root_shell
3. Run these commands on device shell:
chmod 666 /dev/msm_acdb
dd if=/dev/block/mmcblk0p21 of=/sdcard/p21
4. Run in another command prompt:
adb pull /sdcard/p21
to pull the file p21 from the device, then open it with a hex editor. Refer to the images in the original Japanese tutorial, change the version number near "ClearAutoImage" to 1.00.000.0 and save the file as p21mod.
5. Push the modified file back to the device by running in command prompt:
adb push p21mod /sdcard/p21mod
6. Back to the device shell, run these commands to write the modifications to the device and reboot into bootloader.
dd if=/sdcard/p21mod of=/dev/block/mmcblk0p21
reboot bootloader
7. Run in command prompt:
fastboot oem rebootRUU
to boot to RUU.
8. Run in command prompt:
fastboot flash zip firmware.zip
and it will fail with this error: "FAILED (remote: 90 hboot pre-update! please flush image again immediately)"
9. Run in command prompt:
fastboot flash zip rom.zip
to flash 1.15 ROM. It should take around 6 minutes. This wipes your user data.
10. In command prompt, push run_root_shell to device again. Also push revone.dna-0.2.1 to device.
adb push run_root_shell /data/local/tmp/
adb push device.db /data/local/tmp/
adb push revone.dna-0.2.1 /data/local/tmp/revone.dna
11. Refer to step 2 to temproot again.
12. Run revone.dna on device shell:
./revone.dna -P
and you should see "revone successful - please reboot to continue".
13. Reboot and repeat step 12 again, this time you should see "revone successful - no need to reboot".
14. Run on device shell:
./revone.dna -s 0 -u
and you should see "revone successful".
15. ???
16. PROFIT!
You have now successfully S-OFFed and may proceed to unlocking and SuperCIDing your device as usual.
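The three guides on this page (the Shift post explaining that misc holds the version HBOOT checks, step 4 of the ChaCha guide, and step 4 of the Butterfly guide above) all turn on one fact: the "Main Version is Older" gate compares the zip's mainver against a string stored in a partition the running system can write. The added Python example below models that comparison and adds the consistency check a support or fleet engineer would want to run against a misc dump. It is not HTC code and not any poster's tool; the on-flash layout is an assumption (a constructed image with the version string at byte 160, which puts it on the 11th 16-byte row of a hex editor as the ChaCha guide describes), and the version numbers are the ones quoted in the thread.

```python
"""Model of HBOOT's 'Main Version is Older' check and a consistency check for
the version string kept in the misc partition.

Added example for this thread; it is not HTC code and not any poster's tool.
Assumptions: HBOOT compares the dotted main version recorded in misc against
the mainver of the zip it is asked to flash, field by field; the misc image
below is constructed (zero padding, then the version string at byte 160 so it
sits on the 11th 16-byte row of a hex editor, as the ChaCha guide says) and is
not the real on-flash layout of the Shift, ChaCha or Butterfly.
"""
import re

VERSION_RE = re.compile(rb"\d+\.\d+\.\d+\.\d+")
VERSION_OFFSET = 160  # constructed: 10 rows of 16 bytes, version on row 11


def parse_version(text):
    """'1.33.401.1' -> (1, 33, 401, 1) so that comparisons are numeric."""
    parts = text.split(".")
    if len(parts) != 4 or not all(p.isdigit() for p in parts):
        raise ValueError("expected a four-field dotted version: %r" % text)
    return tuple(int(p) for p in parts)


def main_version_is_older(installed, candidate):
    """True when the zip's mainver is below what misc records, i.e. the case
    in which HBOOT answers 'Main Version is Older' and refuses the RUU."""
    return parse_version(candidate) < parse_version(installed)


def build_sample_misc_image(mainver="1.33.401.1", size=1024):
    """Constructed misc image: zeros, the version string at VERSION_OFFSET,
    zeros to the end. Stand-in for a dd dump of the real partition."""
    raw = mainver.encode("ascii")
    if VERSION_OFFSET + len(raw) > size:
        raise ValueError("image too small")
    img = bytearray(size)
    img[VERSION_OFFSET:VERSION_OFFSET + len(raw)] = raw
    return bytes(img)


def read_misc_version(image):
    """Pull the first dotted version string out of a misc dump."""
    m = VERSION_RE.search(image)
    if m is None:
        raise ValueError("no version string found in misc image")
    return m.group(0).decode("ascii")


def would_hboot_accept(image, zip_mainver):
    """The whole gate as the thread describes it: one string in a writable
    partition decides whether the RUU is allowed."""
    return not main_version_is_older(read_misc_version(image), zip_mainver)


def check_misc_consistency(image, known_installed_version):
    """Compare misc against the version the device was last legitimately
    flashed to (from an RUU/OTA record kept off the device). A mismatch,
    especially a much lower value, is what the downgrade trick leaves behind
    and is the thing a support or fleet check should flag."""
    misc_v = read_misc_version(image)
    return {
        "misc": misc_v,
        "expected": known_installed_version,
        "consistent": parse_version(misc_v) == parse_version(known_installed_version),
    }


if __name__ == "__main__":
    stock = build_sample_misc_image("1.33.401.1")
    print("downgrade to 1.21.707.2 accepted:", would_hboot_accept(stock, "1.21.707.2"))
    print("upgrade to 1.57.707.2 accepted:", would_hboot_accept(stock, "1.57.707.2"))
    edited = build_sample_misc_image("1.00.000.0")
    print("after misc edit, 1.21.707.2 accepted:", would_hboot_accept(edited, "1.21.707.2"))
    print("consistency:", check_misc_consistency(edited, "1.33.401.1"))
```

The design point is that the version gate is only as strong as the write protection on the partition holding the value; `check_misc_consistency` shows the cheap detection that remains once that protection is gone, which is to compare the stored version with an off-device record of what was actually flashed.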
Corrupted
Phil_123 said:
3. 1.15 ROM: PL99IMG_DLX_WLJ_JB_45_KDDI_JP_1.15.970.1_R_Radio_1.00.10.1127_3_NV_2.28_01C_release_signed.zip
(renamed to rom.zip in this tutorial)
.
I have downloaded this file twice and found it corrupted. I can't open it so I can't uncompress it and reach firmware.zip either.
:crying:
Could you reupload it?
corrupted
darky4e said:
I have downloaded this file twice and found it corrupted. Can't open it so i can't uncompress and reach firmware.zip either.
:crying:
Could you reupload it?
I have "fixed" it with Zip2Fix and made a zip file that can be extracted. But the two zip file sizes don't match so I guess it isn't the same, and there isn't any firmware.zip in the new zip file so I guess the program extracted everything.
I have read that some people successfully used corrupted RUUs, and it's made corrupted for a reason. I will read more about it and try to find a correct firmware.zip for the method. If you could help me in any way it would be great.
darky4e said:
I have "fixed" it with Zip2Fix and made a zip file that can be extracted. But the two zip file sizes don't match so I guess it isn't the same, and there isn't any firmware.zip in the new zip file so I guess the program extracted everything.
I have read that some people successfully used corrupted RUUs, and it's made corrupted for a reason. I will read more about it and try to find a correct firmware.zip for the method. If you could help me in any way it would be great.
My bad, my instructions were wrong. I wrote them only after successfully doing it myself, I must have mixed some things up while writing.
I looked at the original Japanese guide again, the firmware.zip is in OTA_DLX_WLJ_JB_45_KDDI_JP_1.36.970.1-1.29.970.1_release_330380g3nfgypcfojku8a9.zip and can be downloaded here:
http://kie.nu/1urK
Phil_123 said:
My bad, my instructions were wrong. I wrote them only after successfully doing it myself, I must have mixed some things up while writing.
I looked at the original Japanese guide again, the firmware.zip is in OTA_DLX_WLJ_JB_45_KDDI_JP_1.36.970.1-1.29.970.1_release_330380g3nfgypcfojku8a9.zip and can be downloaded here:
http://kie.nu/1urK
Thank you very much! I have successfully downgraded the phone! Thx for the instructions again!!
Do run_root_shell and revone.dna-0.2.1 work with the HTC Butterfly KDDI HTL21 with HBOOT 1.41? I am stuck on run_root_shell and it says "Error No such file or directory" when I use the command in adb "$ ./run_root_shell"
What can I do?
dfani511 said:
Do run_root_shell and revone.dna-0.2.1 work with the HTC Butterfly KDDI HTL21 with HBOOT 1.41? I am stuck on run_root_shell and it says "Error No such file or directory" when I use the command in adb "$ ./run_root_shell"
What can I do?
This method can only be used for software version 1.36.970.1; I think your software version 1.39.970.1 is not S-OFF
i have 1.39.970.3 ?????????????
OTA ??????????
Nice share, I successfully unlocked S-OFF this way
Sent from my MITO_A10 using XDA Free mobile app
"htl21 1399703 firmware" I want up because it cannot find the file.
