Related
I WILL NOT TAKE ANY RESPONSABILITY FOR WHAT HAPPENS TO YOUR PHONE. THIS IS AT YOUR OWN RISK. THIS IS ONLY TRIED ON VERSION 1.1, 1.5 AND 1.6 ON THE DEVELOPER PHONE.
I was fed up with having to hold a and o for my swedish chars, so couple of hours ago I decided to create a swedish layout, and here's how you can do it too. You need an unlocked android phone, such as the Dev1. I will also assume that you have and know how to use the SDK. Connect your phone to your computer and run:
Code:
adb shell
In the shell run getprop and find hw.keyboards.0.devname. This for me is trout-keypad-v3. If it's the same for you, do the following, otherwise change accordingly.
Code:
adb pull /system/usr/keychars/trout-keypad-v3.kcm.bin Desktop/
You now have a copy of the keychar-binary on your desktop, make sure to backup it. Open it in a binary editor, and you will find a file coded with an intro followed by lots of data coded as below (not documented, therefore not guarantied, but I feel pretty certain it's right, dots are 0x00):
..char.numberchar.smallchar.bigchar.smallspecial.bigspecial.(keycode+1).
For example, my A looked like:
..A.2.a.A.a.A.?.
What I want it to look like is:
..A.2.a.A.å.Å.?.
If your hex-editor allows that then congrats to you, mine didn't. What I had to do was to use a ascii-table (http://www.ascii-code.com/) and use teh hex code.
00 00 41 00 32 00 61 00 41 00 61 00 41 00 1E 00
...should therefore be...
00 00 41 00 32 00 61 00 41 00 E5 00 C5 00 1E 00
I now have å and Å on my a-button. The next button for me, Z, could be done using the exact same tactic. The fun part came with X. Notice the coding:
00 00 58 00 39 00 78 00 58 00 78 00 00 EF 35 00
The problem here is EF, which is there to make sure that there is not a ... in the middle of the char-code. What we do here is therefore to change the EF to 00 when we change the 00 before it. The result would therefore be:
00 00 58 00 39 00 78 00 58 00 F6 00 D6 00 35 00
Now let's save the file. We can send it to the device with the following code. THIS WILL REPLACE YOUR CURRENT LAYOUT.
Code:
adb root
adb remount
adb push trout-keypad-v3.kcm.bin /system/usr/keychars/
For security reasons I would recommend you to always reboot your phone after running adb remount, since this will leave your /system more vulnerable then usual.
Now we can restart the phone, and hopefully it will have a new working layout. If the layout is totally different from yours (for example alt+a is #) that means the encoding of the new file is wrong, and another layout is used. If this happens I recommend you start from the beginning, it doesn't take much time, and small errors can be avoided. You can do as above to reset your old layout:
Code:
adb root
adb remount
adb push trout-keypad-v3.kcm.bin.backup /system/usr/keychars/trout-keypad-v3.kcm.bin
My working swedish layout is attached. alt+a => å, alt+z => ä, alt+x => ö.
Hope you will appreciate this as much as I do.
Thanks to Joushou for all the help in #android.
Thank you! this is fantastic. I just have to figure out how this would work with asian fonts
Thanks maybe everybody can put the different layout in this thread.
In France we have azerty layout.
Great thanks!
Would be interesting to be able to SWITCH layouts.
I salute you sir for this easy guide!! Though using notepad ++ i didnt even use hex view! but just chose to see through the null null crap on the screen!! Total matrixe experience! But i definetly vote to get this a sticky for easy goofing with keyboard layouts!
Works great on Haykuro 1.5, changed a to ä and z to ö. Writing finnish on a mobile phone has never been so easy
Tack ska du ha!
Now that would be fun to do the same but by modifying the on-screen keyboard
Just modified the keypad for qwertz to work with haykuro 6hr1.
Download is in the attachment!
Text version of QWERTZ kcm
Hello-
Does any one have the text version of qwertz.kcm.bin?
Thanks.
Hey,
If I've changed that layout will that effect the virtual keyboard layout in 1.5.
If it's not, how can I change the layout for the virtual keyboard.
regards
Nice to see that this is appreciated.
Hamdan919 said:
Hey,
If I've changed that layout will that effect the virtual keyboard layout in 1.5.
If it's not, how can I change the layout for the virtual keyboard.
regards
Click to expand...
Click to collapse
No, it will not. To change the virtual layout you have to program a new layout, or wait for someone else to do it. There are alternative virtual keyboards to download from the market. Make sure that the virtual keyboard does not have internet privileges though, since the virtual keyboard can listen to every single key you push, even on the hardware keyboard. This means that the virtual keyboard can modify the hardware keyboard though, but I haven't seen that except for a bug in a layout.
I don't mind programming the french layout, can you tell me where to find the default qwerty keyboard to alter for the VK?
Right now I have the french layout for the physical keyboard and just miss the VK on my jf1.51 build.
Regards
DJ_Spray said:
I don't mind programming the french layout, can you tell me where to find the default qwerty keyboard to alter for the VK?
Right now I have the french layout for the physical keyboard and just miss the VK on my jf1.51 build.
Regards
Click to expand...
Click to collapse
http://android.git.kernel.org/?p=platform/packages/inputmethods/LatinIME.git;a=summary
Sry for refreshing such an old Thread but i want to ask something.
Is there any way to do this, without adb?
Rey-619 said:
Sry for refreshing such an old Thread but i want to ask something.
Is there any way to do this, without adb?
Click to expand...
Click to collapse
As long as you have root. Get into your phone, write:
Code:
dd if=/system/usr/keychars/trout-keypad-v3.kcm.bin of=/sdcard/keypad
Now you can get the file off your sdcard, and do back it up. When you are ready just put it back. Before you can put it back you will have to remount your /system mount with write access. Run mount and look what is before /system. In my case the line looks like:
/dev/block/mtdblock3 /system yaffs2 ro 0 0
In my case I would therefore write:
Code:
su
mount -o rw,remount /dev/block/mtdblock3 /system
dd if=/sdcard/keypad of=/system/usr/keychars/trout-keypad-v3.kcm.bin
This should work as well as the adb method described in original post.
dd if=/system/usr/keychars/trout-keypad-v3.kcm.bin of=/sdcard/keypad
-> /keypad: canot open for write: Read-only file system
I have root.
Have i type this in terminal commander? right? ore in Bootloader?
Rey-619 said:
dd if=/system/usr/keychars/trout-keypad-v3.kcm.bin of=/sdcard/keypad
-> /keypad: canot open for write: Read-only file system
I have root.
Have i type this in terminal commander? right? ore in Bootloader?
Click to expand...
Click to collapse
You are supposed to put it into a terminal. You do have a sdcard, right? Is it mounted to the computer when you try to run the command? If it is, the unmount it and try again.
i tryed both ^^
damn i need the german keyboard layout xD
Rey-619 said:
i tryed both ^^
damn i need the german keyboard layout xD
Click to expand...
Click to collapse
Could you give me the output of mount that includes /sdcard as second argument?
mhm.... xD
Code:
$ mount
rootfs /dev tmpfs rw,mode=755 0 0
devpts /dev/pts devpts rw,mode=600 0 0
proc /proc proc rw 0 0
sysfs /sys sysfs rw 0 0
tmpfs /sqlite_smt_journals tmpfs rw=,size=4096k 0 0
/dev/block/mtdblock3 /system yaffs2 ro 0 0
/dev/block/mtdblock5 /data yaffs2 rw,nosiud,nodev 0 0
/dev/block/mtdblock4 /cache yaffs2 rw,nosuid,nodev 0 0
/dev/block/mmcblk0p2 /system/sd ext3 rw,noatime,nodiratime,errors=continue,data=ordered 0 0
/dev/block//vold/179:1 /sdcard vflat rw,dirsync,nosuid,nodev noexec,uid=100,gid=1000,fmask=0000,dmask=0000,allow_utime=0022,codepage=cp437,iocharset=iso8859-1,shortname=mixed,utf8 0 0
#
[Hack] Root Phones ("exploit needless" method)
How I root any ROM on (almost?) any Android Phone
My Phone simply needs to fullfill one requirement:
I MUST be able to flash the recovery.img standalone!
Chapter One: unpack, edit and repack recovery.img
I will use these Linux programs:
split bootimg (Thanks to William Enck)
mkbootimg (compiled from AOSP source)
...the former splits the recovery.img into kernel and ramdisk...
...the latter repack all togheteher...
...For example I'll try these commands on a clockworkmod recovery from an HTC desire (I download 5.0.2.0-bravo from ClockWorkMod)...
Linux Side:
Code:
[email protected] $ split_bootimg.pl recovery-clockwork-5.0.2.0-bravo.img
Page size: 2048 (0x00000800)
Kernel size: 1831224 (0x001bf138)
Ramdisk size: 1291948 (0x0013b6ac)
Second size: 0 (0x00000000)
Board name:
Command line: no_console_suspend=1 msmsdcc_sdioirq=1 wire.search_count=5
Writing recovery-clockwork-5.0.2.0-bravo.img-kernel ... complete.
Writing recovery-clockwork-5.0.2.0-bravo.img-ramdisk.gz ... complete.
[email protected] $
I write down parameters needed later on:
Page Size = 2048
Command line = 'no_console_suspend=1 msmsdcc_sdioirq=1 wire.search_count=5'
HexEditing Lookout of recovery.img header:
Code:
[email protected] $ hexedit recovery-clockwork-5.0.2.0-bravo.img
00000000 41 4E 44 52 4F 49 44 21 38 F1 1B 00 00 80 00 20 ANDROID!8......
00000010 AC B6 13 00 00 00 00 21 00 00 00 00 00 00 F0 20 .......!.......
00000020 00 01 [COLOR=#0000ff][B]00[/B][/COLOR] [COLOR=red][B]20[/B][/COLOR] 00 08 00 00 00 00 00 00 00 00 00 00 ... ............
00000030 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
00000040 6E 6F 5F 63 6F 6E 73 6F 6C 65 5F 73 75 73 70 65 no_console_suspe
00000050 6E 64 3D 31 20 6D 73 6D 73 64 63 63 5F 73 64 69 nd=1 msmsdcc_sdi
00000060 6F 69 72 71 3D 31 20 77 69 72 65 2E 73 65 61 72 oirq=1 wire.sear
00000070 63 68 5F 63 6F 75 6E 74 3D 35 00 00 00 00 00 00 ch_count=5......
I use the highlighted address ordered as follows:
base = 0x20000000
Now I simply repack alltoghether.. just to check new file vs old one:
Code:
[email protected] $ mkbootimg --kernel recovery-clockwork-5.0.2.0-bravo.img-kernel --ramdisk recovery-clockwork-5.0.2.0-bravo.img-ramdisk.gz --base 0x20000000 --pagesize 2048 --cmdline 'no_console_suspend=1 msmsdcc_sdioirq=1 wire.search_count=5' -o recovery_new.img
[email protected] $
[email protected] $ diff recovery-clockwork-5.0.2.0-bravo.img recovery_new.img
[email protected] $
No warnings, binary files don't differ...
Editing ramdisk:
Code:
[email protected] $ mkdir ramdisk
[email protected]ndalf $ cd ramdisk/
[email protected] $ gunzip -c ../recovery-clockwork-5.0.2.0-bravo.img-ramdisk.gz | cpio -i
4294 blocks
[email protected] $ ls -l
totale 144
drwxrwx--x 2 doc doc 4096 23 nov 23.56 data
-rw-r--r-- 1 doc doc 2615 23 nov 23.56 [B]default.prop[/B]
drwxr-xr-x 2 doc doc 4096 23 nov 23.56 dev
drwxr-xr-x 2 doc doc 4096 23 nov 23.56 etc
-rwxr-x--- 1 doc doc 94372 23 nov 23.56 init
-rwxr-x--- 1 doc doc 691 23 nov 23.56 init.rc
drwxr-xr-x 2 doc doc 4096 23 nov 23.56 proc
drwxr-xr-x 3 doc doc 4096 23 nov 23.56 res
drwxr-x--- 2 doc doc 4096 23 nov 23.56 sbin
drwxr-xr-x 2 doc doc 4096 23 nov 23.56 sys
drwxr-xr-x 3 doc doc 4096 23 nov 23.56 system
drwxr-xr-x 2 doc doc 4096 23 nov 23.56 tmp
-rw-r--r-- 1 doc doc 0 23 nov 23.56 ueventd.goldfish.rc
-rw-r--r-- 1 doc doc 4027 23 nov 23.56 ueventd.rc
[email protected] $
I'm going to modify one line of default.prop from
Code:
...
ro.secure=[B]1[/B]
...
to
Code:
...
ro.secure=[B]0[/B]
...
WARNING: clockworkmod recoveries could already have ro.secure set to 0
Repack ramdisk:
Code:
[email protected] $ find . | cpio -o -H newc | gzip > ../recovery-clockwork-5.0.2.0-bravo.img-ramdisk.gz
4295 blocks
[email protected] $ cd ..
[email protected] $
Repack recovery.img (as showed before):
Code:
[email protected] $ mkbootimg --kernel recovery-clockwork-5.0.2.0-bravo.img-kernel --ramdisk recovery-clockwork-5.0.2.0-bravo.img-ramdisk.gz --base 0x20000000 --pagesize 2048 --cmdline 'no_console_suspend=1 msmsdcc_sdioirq=1 wire.search_count=5' -o recovery_new.img
[email protected] $
Chapter Two: flash recovery.img to phone
I own a Samsung Galaxy Next, so I need to create an Odin Ready Archive and so on...
Different phone brands need different flash methods, I bet...
Chapter Three: Rooting
I need android sdk and I try android debug bridge...
...on a not rooted phone:
Code:
(i686) [email protected] $ adb shell
[B]$[/B] su
Permission denied
[B]$[/B]
...and on a rooted one:
Code:
(i686) [email protected] $ adb shell
[B]$[/B] su
[B]#[/B]
Now, starting the phone in recovewry mode with ro.secure=0, connecting with "adb shell" I find:
Code:
[email protected] $ adb shell
#
Already a root shell! No exploit needed!
Take a look to /system:
Code:
# mount
...
/dev/block/mmcblk0p3 /system ext4 [B]rw[/B],relatime,barrier=1,data=ordered 0 0
...
WOW! already "read-write" mounted... (if not mounted I can easily remount it "rw"... I'm root!)
Now, having su binary, Superuser.apk and busybox in the linux working directory:
Linux side:
Code:
[email protected] $ adb push su /system/xbin
417 KB/s (22228 bytes in 0.051s)
[email protected] $ adb push su /system/bin
529 KB/s (22228 bytes in 0.041s)
[email protected] $ adb push busybox /system/xbin
5061 KB/s (1674712 bytes in 0.323s)
[email protected] $
Anyway it should be better to make a backup of old su binary before overwriting it (adb pull /system/bin/su su-old)
"adb shell":
Code:
# chown root.shell /system/bin/su
# chmod 06755 /system/bin/su
# chown root.shell /system/xbin/su
# chmod 06755 /system/xbin/su
# chmod 04755 /system/xbin/busybox
#
WARNINNG: ordered commands
Linux:
Code:
[email protected] $ adb push com.noshufou.android.su-1.apk /system/app/Superuser.apk
5198 KB/s (843503 bytes in 0.158s)
[email protected] $
"adb shell":
Code:
# chmod 644 /system/app/Superuser.apk
#
THAT'S ALL FOLKS!
reboot system now!
...
Code:
[email protected] $ adb shell
$ su
#
Enjoy!
...no exploit needed...
...
...Simply Linux Way of Hacking!...
Doc,
I dont get any command line: ...
in stock recovery/boot image.
can i just edit the default.prop of stock recovery img and flash it as PDA? or one package?
also does this not work when done to the boot.img?
roofrider said:
...I dont get any command line: ...
in stock recovery/boot image.
Click to expand...
Click to collapse
Command Line is optional, and usually - for example - you don't get anyone on Samsung Galxy Phone... for the HTC used in the example, instead, there was one, needed to tune the boot parameters on runtime...
can i just edit the default.prop of stock recovery img and flash it as PDA? or one package?
Click to expand...
Click to collapse
Surely you can! This Thread is exactly what you said: "change one file in stock recovery image"... all the rest is explanation on how I did it...
also does this not work when done to the boot.img?
Click to expand...
Click to collapse
Loud and Clear! Boot works in the same way but I prefer not to unsecure the system too much... cause any app could gain root privileges without asking for whenever she wants...
...whilst I'm the only one who decide to enter Recovery Mode...
Hi.
Even I can read on /tmp/recovery.log:
Code:
[property list]
ro.secure=0
ro.allow.mock.location=0
I get a normal user prompt on adb shell when phone is recovery boot.
So I guess I need some more tunning for make this work on a Samsung Galaxy Mini.
Thanks anyway. I've learnt how to build images with this post :good:
Galaxi Mini too!
XiR_ said:
Hi.
Even I can read on /tmp/recovery.log:
Code:
[property list]
ro.secure=0
ro.allow.mock.location=0
I get a normal user prompt on adb shell when phone is recovery boot.
So I guess I need some more tunning for make this work on a Samsung Galaxy Mini.
Thanks anyway. I've learnt how to build images with this post :good:
Click to expand...
Click to collapse
I own a Galaxy Mini too and I just get the same issue while testing Gingerbread 2.3.6 S5570XWKTN; my previous release was S5570XIKQC (2.3.4) where I got easy superuser rights on connection...
Maybe there is something more to check for...
Actually I have two simple workarounds to root, anyway, the working system as explained above:
I flash an old Recovery (2.3.4)! no real need to bump to 2.3.6 other then "on working system" (here there is my one: CODE_S5570XIKQC_recovery.tar.md5)
I flash (my current option) a CWM based recovery (here there is my one, freshly compiled from Mebitek Cyanogen 7.2 Unofficial Source: CODE_S5570CYANO_recovery.tar.md5 - CWM 5.0.2.8)
2.3.6 XWKTN
Testing Gb 2.3.6 XWKTN I got another unusual issue (unconfirmed on the network...):
After root, when I power on the phone I get the binaries
/system/xbin/su
/system/xbin/busybox
always deleted...
I workarounded it modifying the boot image:
I changed permissions of
/sbin
folder
Code:
# ls -l /
...
drwxr-x[B][COLOR="Red"]r[/COLOR][/B]-[B][COLOR="Red"]x[/COLOR][/B] 2 root root 0 Jan 1 1970 sbin
...
to give every user "exec rights" on it, then I put there both binaries!
Eh eh... I know that the system PATH first look there for commands:
Code:
# set | grep ^PATH
PATH=[B][COLOR="Red"]/sbin[/COLOR][/B]:/vendor/bin:/system/sbin:/system/bin:/system/xbin
#
Last:
I also put in 2.3.6 recovery /sbin folder the last "su" binary (source from GitHub)...
On execution I get "SegFault", but Root privileges Anyway:
Code:
$ su
Segmentation Fault
#
...amazing...
after doing a little research on the web why it's asking for sim network unlock pin, found out it's because my device it locked with a certain carrier/provider. i made sure it was already unlocked when i got, i was even able to use for about a week. however, for some reason it got locked again and got that message. i'm sure i didn't make any changes because this is my first time to have a samsung tab, that's when i tried to do more research about it and i know there's a way to do it but i guess i need a more detailed guide, please help... thanks!
This program finds the SIM unlock code for your Samsung Galaxy p6200 device. It requires root / superuser.
Simply install the application, hit the "SIM unlock code" button, wait a few minutes, and it should come up with the code. It can indeed take a while, so plug your phone in the charger before running, and go make yourself a cup of coffee.
Write down the code, turn off your device, insert a SIM that doesn't match your SIM lock, turn the device on again, and enter the code when the device asks for it.
If the code does not work, do NOT try it again. You might end up with a freeze. The app can also find the unfreeze code, but if the SIM unlock code was wrong in the first place, maybe so is the unfreeze code.download free sim unlock for galaxy p6200 here:http://www.mobyware.net/get-software-65666.html
........Another method :Step 1. - Retrieve nv_data.bin file
use "adb shell" or a terminal emulator to get a terminal prompt and run the following commands
Code:
su
cat /efs/nv_data.bin >> /sdcard/nv_data.bin
cat /efs/.nv_state >> /sdcard/.nv_state
busybox cp -r /efs /sdcard/
Step 2. - Edit nv_data.bin file
mount the internal SD Card on your computer
make a backup copy of the nv_data.bin file on your computer
using your favorite HEX editor open the nv_data.bin on the sdcard
jump to address 0x181468
you should see a string like this
ff 01 00 00 00 00
there are 5 different types of locks in 5 different bytes
the FF byte should be left alone
the first byte after the FF is the network lock
the next byte is the network subset lock
the next byte is the sp lock
the next byte is the cp lock
the last byte appears to be a data lock.
the 46 46 should be left alone
Change any 0x01 to 0x00 (or 0x00 to 0x01 to lock for warranty)
It should read ff 00 00 00 00 00 46 46 for unlocked
save and close file
unmount SD Card
Step 3. - Replace nv_data.bin file
I want to say it again so no one misses it MAKE SURE YOU HAVE A BACKUP OF YOUR /efs/ FOLDER BEFORE YOU CONTINUE!!!!!
use "adb shell" or a terminal emulator to get a terminal prompt and run the following commands
Code:
su
rm /efs/nv_*
rm /efs/.nv_*
cat /sdcard/nv_data.bin >> /efs/nv_data.bin
cat /sdcard/.nv_state >> /efs/.nv_state
chmod 755 /efs/nv_data.bin
chown radio.radio /efs/nv_data.bin || chown 1001.1001 /efs/nv_data.bin
chmod 755 /efs/.nv_state
chown radio.radio /efs/.nv_state || chown 1001.1001 /efs/.nv_state
reboot
your tab is now unlocked... enjoy
Just make sure you back up your entire /efs folder (save it on your computer and your tablet) before making any change.I believe you can refer to this one on the 10.1 tab forum :http://forum.xda-developers.com/showthread.php?t=1336659&highlight=t-mobile+unlock....
Can anyone confirm that this solution works? I'm reluctant to try without a guarantee
Sent from my HTC Desire S using xda app-developers app
@devid801
Ok, so I've opened the nv_data.bin file in hex edtor and found the following at address 00181468 : ff 01 00 00 00 00 44 4b . As you can see, the 46 46 is not there, instead there is 44 4b . Is this significant? Do I have to replace with 46 46 or should I leave it alone? Could this mean that this solution does not apply in my case and I risk breaking my device if I use it? Please advise.
Edit: I ignored the 44 4b bytes there and just changed the 01 to 00 and it worked, I am now network unlocked. Thanks for posting the solution
Xperia J: fast+snappy stock kernel JB (11.2.A.0.21)
The following guide shows how to build the stock sources for you
stock xperia j phone with JB.
When Foxcon adopted the drivers for the xperia j they left in
a huge amount of debug which slows down your phone.
When we finally build our own kernel (Chapter 7)
we optimize it by:
- optimizing kernel for speed (not size)
- remove a huge amount of debug from the drivers
- remove kernel core debug
- remove debug_fs
- build without module support
In my opinion the kernel feels much more snappier afterwards.
The system reacts much more fluent on user inputs and sound
has less hangs than before.
Let me hear how it feels for you and if you like it or not
Maybe you have further modifications. So please post it here.
The last section describes how you can build your own kernel patch files.
0. Prerequisites
1. Extracting the current boot image
2. Splitting the image into kernel, ramdisk and cmdline
3. Unpack the ramdisk
4. Build the sony kernel with the original kernel configuration (.config)
5. Build a new boot image
6. Flash the new boot image to the phone
7. Now for the FUN part: TUNE the sony kernel with the attached patch-file
A: Howto build a patch file by comparing a
fresh extracted kernel sources with your edited sources:
0. Prerequisites
==================
- Device needs to be rooted and bootloader unlocked !!!
- Device needs to be up to date with latest Jelly Bean release 11.2.A.0.21 !!!
- A linux machine as working environment
- free ARM compiler, lite version, EABI, URL:
sourcery.mentor.com/sgpp/lite/arm/portal/release2322
- latest Xperia Jlo sources, URL:
developer.sonymobile.com/downloads/xperia-open-source-archives/open-source-archive-for-build-11-2-a-0-21/
- phyton script 'mkelf.py' to re-/build parition image, URL:
dl-developer.sonymobile.com/tools/image_generation_script_for_Xperia_smartphones.zip
- another basic guide, URL:
developer.sonymobile.com/2011/05/06/how-to-build-a-linux-kernel
1. Extracting the current boot image
======================================
- Install Andrdoid SDK.
- Then add a path to your .bashrc file of your linux host:
linux-w49x:~/my_kernel # echo "export PATH=/root/adt-bundle-linux-x86-20130219/sdk/platform-tools:$PATH" >> ~/.bashrc
linux-w49x:~/my_kernel # . ~/.bashrc
- Enable "USB-Debugging" in the phone seetings
- Start the phone and connect via USB to your linux machine
- At first we copy the sony boot image to the sdcard of the device:
linux-w49x:~ # adb shell
[email protected]:/ $ su
[email protected]:/ # dd if=/dev/block/mmcblk0p3 of=/sdcard/sony_boot.img
40960+0 records in
40960+0 records out
20971520 bytes transferred in 2.078 secs (10092165 bytes/sec)
- Read kernel config of your current kernel and store it on sdcard, too:
[email protected]:/ $ su
[email protected]:/ # cat /proc/config.gz > /sdcard/sony_config.gz
130|[email protected]:/ $ exit
130|[email protected]:/ $ exit
- Transfer both to your linux PC:
linux-w49x:~ # adb pull /sdcard/sony_boot.img
linux-w49x:~ # adb pull /sdcard/sony_config.gz
2. Splitting the image into kernel, ramdisk and cmdline
========================================================
- Basically the image consists of:
* 4k singed sin header with a ?x509? certificate
* kernel
* ramdisk
* cmdline parameters for the kernel
* a lot of empty space (~15 MB)
- Hexdump the image to make it human readable:
linux-w49x:~ # hexdump -C sony_boot.img > dump
linux-w49x:~ # head dump
00000000 7f 45 4c 46 01 01 01 61 00 00 00 00 00 00 00 00 |.ELF...a........|
00000010 02 00 28 00 01 00 00 00 00 80 20 00 34 00 00 00 |..(....... .4...|
00000020 00 00 00 00 00 00 00 00 34 00 20 00 03 00 00 00 |........4. .....|
00000030 00 00 00 00 01 00 00 00 00 10 00 00 00 80 20 00 |.............. .| <== Byte 9/10/11: is kernel start (after 4k sin header)
00000040 00 80 20 00 68 70 3c 00 68 70 3c 00 00 00 00 00 |.. .hp<.hp<.....| <== Byte 9/10/11: is kernel length
00000050 00 00 00 00 01 00 00 00 68 80 3c 00 00 00 40 01 |........h.<[email protected]| <== Byte 9/10/11: is ramdisk start
00000060 00 00 40 01 c6 1b 15 00 c6 1b 15 00 00 00 00 80 |[email protected]| <== Byte 9/10/11: is ramdisk length
00000070 00 00 00 00 04 00 00 00 2e 9c 51 00 00 00 00 00 |..........Q.....| <== Byte 9/10/11: is cmdline start
00000080 00 00 00 00 00 02 00 00 00 02 00 00 00 00 00 20 |............... | <== Byte 9/10/11: is cmdline length (512 characters)
00000090 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 |................|
- Now read the addresses from behind:
00 10 00 => is 0x001000
68 70 3c => is 0x3c7068
68 80 3c => is 0x3c8068
c6 1b 15 => is 0x151bc6
2e 9c 51 => is 0x519c2e
00 02 00 => is 0x000200
- NOTE: THE NUMBERS WILL BE DIFFERENT FOR YOUR st26i DEVICE !!!
- Use 'dd' to split sony_boot.img into its single parts.
- BUT use the correct numbers from your kernel here:
linux-w49x:~ # dd skip=$((0x001000)) count=$((0x3c7068)) bs=1 if=sony_boot.img of=sony_kernel.img
3960936+0 records out
3960936 bytes (4.0 MB) copied, 66.2326 s, 59.8 kB/s
linux-w49x:~ # dd skip=$((0x3c8068)) count=$((0x151bc6)) bs=1 if=sony_boot.img of=sony_ramdisk.img.gz
1383366+0 records in
1383366+0 records out
1383366 bytes (1.4 MB) copied, 23.1965 s, 59.6 kB/s
linux-w49x:~ # dd skip=$((0x519c2e)) count=$((0x000200)) bs=1 if=sony_boot.img of=sony_cmdline.img
512+0 records in
512+0 records out
512 bytes (512 B) copied, 0.00931558 s, 55.0 kB/s
3. Unpack the ramdisk
=======================
- First unzip ramdisk (should start with 0x1f 0x8b )
linux-w49x:~ # hexdump -C sony_ramdisk.img.gz | head
00000000 1f 8b 08 00 a0 a8 50 51 00 03 ec 3d 69 73 db b8 |......PQ...=is..|
00000010 92 f9 fa f4 2b b0 72 ea cd d8 ab 83 92 cf 64 ca |....+.r.......d.|
00000020 5b 2b 5b b4 ad 7a b6 e4 91 e4 1c b5 f5 4a a1 48 |[+[..z.......J.H|
00000030 48 42 99 57 78 58 f1 ce e4 bf 6f 37 c0 03 a4 a8 |HB.WxX....o7....|
00000040 83 49 66 6a 76 ca aa 38 a6 c0 ee 46 a3 bb d1 68 |.Ifjv..8...F...h|
00000050 a0 01 58 39 55 4e 95 96 a2 28 ea 61 eb 4c 85 df |..X9UN...(.a.L..|
00000060 ca 51 4b ed 2a c5 9f 37 c7 ad a3 ab f6 71 f7 38 |.QK.*..7.....q.8|
00000070 57 7e 16 fd 6e af c1 4b ca 1b af 14 b9 be 2b 8e |W~..n..K......+.|
00000080 dc ea 1c ad c1 6b 65 bf 25 5f b7 d4 d7 4a e8 85 |.....ke.%_...J..|
00000090 f4 89 da 81 d1 98 3b a6 31 63 fe a2 e1 e9 af 5e |......;.1c.....^|
linux-w49x:~ # gunzip sony_ramdisk.img.gz
- Now again, the resulting sony_ramdisk.img should start with 0x30 0x37 0x30.
- Now extract cpio archive to a directory:
linux-w49x:~ # mkdir ramdisk
linux-w49x:~ # cd ramdisk/
linux-w49x:~/ramdisk # cpio -i < ../sony_ramdisk.img
4444 blocks
linux-w49x:~/ramdisk # ls
charger init init.qcom.ril.path.sh init.s1.rc logo.rle sys
data init.Sony.rc init.qcom.sh init.target.rc logo.rle.org system
default.prop init.goldfish.rc init.qcom.usb.rc init.trace.rc proc ueventd.Sony.rc
dev init.qcom.class_core.sh init.qcom.usb.sh init.usb.rc res ueventd.goldfish.rc
fstab.msm7627a init.qcom.class_main.sh init.rc init.usbmode.sh sbin ueventd.rc
- OPTIONAL: You can now modify the ramdisk to your needs... we will
repack it later from here.
4. Build the sony kernel with the original kernel configuration (.config)
===========================================================================
In this section we will just rebuild the sony kernel with its default config.
This step is optional. You might want to SKIP THIS STEP and continue dircetly
with building the optimized kernel (Chapter 7)
- Install the mentioned ARM compiler from Mentor (for URL, see top of page)
- Extract the kernel config we fetched from the device:
linux-w49x:~ # gunzip sony_config.gz
- Extract the sony kernel:
linux-w49x:~ # tar -xf 11.2.A.0.21.tar.bz2
- Add the config to the kernel base directory:
linux-w49x:~ # cp sony_config ./kernel/.config
linux-w49x:~ # cd kernel
linux-w49x:~/kernel # ARCH=arm CROSS_COMPILE=/root/CodeSourcery/Sourcery_CodeBench_Lite_for_ARM_EABI/bin/arm-none-eabi- make oldconfig
- OPTIONAL: reconfigure the kernel OR skip this step:
linux-w49x:~/kernel # ARCH=arm CROSS_COMPILE=/root/CodeSourcery/Sourcery_CodeBench_Lite_for_ARM_EABI/bin/arm-none-eabi- make menuconfig
- Because the ARM compiler is pretty strict, edit the kernel Makefile in "kernel/Makefile":
- Change this part....
ifdef CONFIG_CC_OPTIMIZE_FOR_SIZE
KBUILD_CFLAGS += -Os
else
KBUILD_CFLAGS += -O2
endif
- .. by appending this to the flags:
ifdef CONFIG_CC_OPTIMIZE_FOR_SIZE
KBUILD_CFLAGS += -Os $(call cc-disable-warning,maybe-uninitialized,) $(call cc-disable-warning,implicit-function-declaration,) $(call cc-disable-warning,strict-prototypes,) $(call cc-disable-warning,unused-function,) $(call cc-disable-warning,unused-variable,)
else
KBUILD_CFLAGS += -O2 $(call cc-disable-warning,maybe-uninitialized,) $(call cc-disable-warning,implicit-function-declaration,) $(call cc-disable-warning,strict-prototypes,) $(call cc-disable-warning,unused-function,) $(call cc-disable-warning,unused-variable,)
endif
- Finally we build the kernel:
linux-w49x:~/kernel # ARCH=arm CROSS_COMPILE=/root/CodeSourcery/Sourcery_CodeBench_Lite_for_ARM_EABI/bin/arm-none-eabi- make
- Time to grab a BIG 0xCOFFEE
5. Build a new boot image
===========================
- Collect the new kernel:
linux-w49x:~ # cp ~/kernel/arch/arm/boot/zImage my_kernel.img
- Pack a new ramdisk (or just take exsiting one)
linux-w49x:~ # cd ramdisk
linux-w49x:~/ramdisk # find . | cpio --quiet -H newc -o | gzip > ../my_ramdisk.img.gz
linux-w49x:~/ramdisk # cd ..
- Pack everything together using mkelf.py from sony (URL, see above):
linux-w49x:~ # python mkelf.py -o my_boot.img [email protected] [email protected],ramdisk [email protected],cmdline
6. Flash the new boot image to the phone
==========================================
- power off device
- vol up + attach usb = fastboot
linux-w49x:~ # fastboot flash boot ./my_boot.img
linux-w49x:~ # fastboot reboot
- If anything goes wrong you can always flash the extraced image using:
linux-w49x:~ # fastboot flash boot ./sony_image.img
linux-w49x:~ # fastboot reboot
7. Now for the FUN part: TUNE the sony kernel with the attached patch-file
=============================================================================
- Basically we disable "module support" as we have none
- Disable A LOT OF DEBUG: debugfs and various debug statments in MSM drivers
- Tune vibration period to be more gentle
- Optimize kernel size for speed and not for size
- Remove kernel and user space process debug infos
- Make sure you unpack the stock sony kernel sources. The sources need to be
fresh and clean!!!
linux-w49x:~ # tar -xf 11.2.A.0.21.tar.bz2
linux-w49x:~ # cd kernel/
- patch the performance tweaks to it. The perf_tweak.patch is appended to this post:
linux-w49x:~/kernel # patch -p3 < ../perf_tweak.patch
patching file ./kernel/power/earlysuspend.c
patching file ./Makefile
patching file ./arch/arm/mach-msm/smd_pkt.c
patching file ./arch/arm/mach-msm/sdio_cmux.c
patching file ./arch/arm/mach-msm/reset_modem.c
patching file ./arch/arm/mach-msm/qdsp5v2/mi2s.c
patching file ./arch/arm/mach-msm/qdsp5v2/audio_out.c
patching file ./arch/arm/mach-msm/modem_notifier.c
patching file ./arch/arm/mach-msm/msm_cpr-debug.c
patching file ./arch/arm/mach-msm/smd_rpcrouter.c
patching file ./arch/arm/mach-msm/ipc_router.c
patching file ./arch/arm/mach-msm/bam_dmux.c
patching file ./arch/arm/mach-msm/qdsp6/msm_q6vdec.c
patching file ./arch/arm/mach-msm/rmt_storage_client.c
patching file ./arch/arm/mach-msm/include/mach/debug_mm.h
patching file ./arch/arm/mach-msm/clock.c
patching file ./arch/arm/mach-msm/sdio_dmux.c
patching file ./arch/arm/mach-msm/msm_cpr.h
patching file ./arch/arm/mach-msm/qdsp5/audio_mp3.c
patching file ./arch/arm/mach-msm/qdsp5/audmgr.c
patching file ./arch/arm/mach-msm/qdsp5/audio_acdb.c
patching file ./arch/arm/mach-msm/qdsp5/audio_lpa.c
patching file ./arch/arm/mach-msm/pm2.c
patching file ./arch/arm/mach-msm/sdio_ctl.c
patching file ./arch/arm/mach-msm/clock-debug.c
patching file ./arch/arm/mach-msm/board-msm7627a-display.c
patching file ./arch/arm/mach-msm/vreg.c
patching file ./arch/arm/mach-msm/board-tamsui-jlo.c
patching file ./arch/arm/mach-msm/clock.h
patching file ./net/netfilter/xt_socket.c
patching file ./include/linux/vibrator_class.h
patching file ./include/linux/bma250.h
patching file ./drivers/media/common/tuners/xc4000.c
patching file ./drivers/tty/serial/msm_serial_hs.c
patching file ./drivers/vibrators/fih_vibrator.c
patching file ./drivers/vibrators/vibrator_class.c
patching file ./drivers/video/msm/msm_fb.c
patching file ./drivers/video/msm/mipi_orise.c
patching file ./drivers/bluetooth/bluesleep.c
patching file ./drivers/usb/otg/msm_otg.c
patching file ./drivers/usb/otg/msm72k_otg.c
patching file ./drivers/usb/gadget/f_diag.c
patching file ./drivers/usb/gadget/u_ctrl_hsuart.c
patching file ./drivers/usb/gadget/f_rmnet_smd_sdio.c
patching file ./drivers/usb/gadget/u_serial.c
patching file ./drivers/usb/gadget/u_bam.c
patching file ./drivers/usb/gadget/f_rmnet_smd.c
patching file ./drivers/input/keyboard/fih_gpio_keys.c
patching file ./drivers/input/keyboard/fih_power_key.c
patching file ./drivers/input/touchscreen/cyttsp_core.c
patching file ./drivers/input/sensor/qpdss702.c
patching file ./drivers/leds/fih_led.c
patching file ./drivers/net/wireless/bcmdhd/wl_linux_mon.c
patching file ./drivers/net/wireless/bcmdhd/Makefile
patching file ./drivers/net/wireless/bcmdhd/dhd_custom_gpio.c
patching file ./drivers/power/fih_bq27520_fuelgauger.c
patching file ./drivers/power/fih_msm_battery.c
patching file ./drivers/gpu/msm/adreno_postmortem.c
patching file ./drivers/gpu/msm/adreno.c
patching file ./drivers/rtc/rtc-msm.c
patching file ./.config
linux-w49x:~/kernel # ARCH=arm CROSS_COMPILE=/root/CodeSourcery/Sourcery_CodeBench_Lite_for_ARM_EABI/bin/arm-none-eabi- make
===> repeat steps 5) and 6) but use our new zImage.
A: Howto build a patch file by comparing a
fresh extracted kernel sources with your edited sources:
=========================================================
- Compare two kernel directories and create a patch from it:
linux-w49x:~ # export BASEDIR=$PWD
linux-w49x:~ # cd kernel/
linux-w49x:~/kernel # rm $BASEDIR/perf_tweak.patch
linux-w49x:~/kernel # find -name '*.c' -o -name '*.h' -o -name 'Makefile' -o -name '.config' | xargs [email protected] diff -upN $BASEDIR/kernel/@ $BASEDIR/my_kernel/@ >> $BASEDIR/perf_tweak.patch
Great Tutorial for Xperia J custom Kernel
Thanks .. Really helpful .
numbers were different in mine
dd skip=$((0x001000)) count=$((0x3da520)) bs=1 if=sony_boot.img of=sony_kernel.img
dd skip=$((0x3db520)) count=$((0x11a498)) bs=1 if=sony_boot.img of=sony_ramdisk.img.gz
dd skip=$((0x4f59b8)) count=$((0x000200)) bs=1 if=sony_boot.img of=sony_cmdline.img
I am with locked bootloader ( 1 week old JLo ) will do it as soon I unlock it.
I will also include swap support in kernel config and test .
omg it's so complicated...
have anyone finished it? Will it be released as flashable version ?
Lol ye makes me dizzy!
work on xperia J
this work on xperia J with bootloader locked
For simplicity's sake I like to build my kernels with CyanogenMod, but I'll check out your patch for some useful edits. :good:
Don't want to necro bump threads but....
Massive thanks to OP
I'd been messing around for the last day with trying to compile the .31 stock kernel from source.
Successfully used the above guide to dump the .31 kernel from phone add overclock to .31 source code (from Vengeance 1.42 source) compile, make boot.img and flash. :laugh:
Can I use this patch for the newest JB kernel? will it work?
Hello guys. I just got my phone back from a repair by HTC. They changed the LCD and the motherboard, and there started the problems. I was not able to unlock the bootloader using HTCDEV for that reason. Then I found out that I can s-off the phone without unlocking the bootloader, and thats what I did (it took me a while thought with that wire trick ) . I got the phone SuperCID also.
I wanted to install a recovery after that, but for some reason it wouldn't let me do that. I rooted the phone using the one click root tool from this thread: http://forum.xda-developers.com/showthread.php?p=26280760 . Then I installed official european RUU , which in the past worked just fine for me. But now the phone is still sim locked (to T-Mobile if it matters).
So I started searching for a solution. I found this thread: http://forum.xda-developers.com/showthread.php?t=1192300 and tried to do it according to the instructions in post #3 . No success there too. It was saying that access is denied or something like that.
So now I don't know what else to do. Can you help me out with this guys?
Thanks a lot.
tx3m said:
Hello guys. I just got my phone back from a repair by HTC. They changed the LCD and the motherboard, and there started the problems. I was not able to unlock the bootloader using HTCDEV for that reason. Then I found out that I can s-off the phone without unlocking the bootloader, and thats what I did (it took me a while thought with that wire trick ) . I got the phone SuperCID also.
I wanted to install a recovery after that, but for some reason it wouldn't let me do that. I rooted the phone using the one click root tool from this thread: http://forum.xda-developers.com/showthread.php?p=26280760 . Then I installed official european RUU , which in the past worked just fine for me. But now the phone is still sim locked (to T-Mobile if it matters).
So I started searching for a solution. I found this thread: http://forum.xda-developers.com/showthread.php?t=1192300 and tried to do it according to the instructions in post #3 . No success there too. It was saying that access is denied or something like that.
So now I don't know what else to do. Can you help me out with this guys?
Thanks a lot.
Click to expand...
Click to collapse
what were you trying to do exactly and it said that access denied?
rzr86 said:
what were you trying to do exactly and it said that access denied?
Click to expand...
Click to collapse
What I get is:
C:\Android>adb shell
[email protected]:/ $ strings -n 8 /dev/block/mmcblk0p6
strings -n 8 /dev/block/mmcblk0p6
strings: /dev/block/mmcblk0p6: Permission denied
1|[email protected]:/ $
I had to be able to find an unlock code after entering that line, and that's what I was trying to do. Am I wrong? And if I am, what is the way to do it?(unlock SIM) As I said before, the phone is s-off and rooted, but the bootloader is locked (thats what it says) and I have no recovery (I wasn't able to install one).
tx3m said:
What I get is:
C:\Android>adb shell
[email protected]:/ $ strings -n 8 /dev/block/mmcblk0p6
strings -n 8 /dev/block/mmcblk0p6
strings: /dev/block/mmcblk0p6: Permission denied
1|[email protected]:/ $
I had to be able to find an unlock code after entering that line, and that's what I was trying to do. Am I wrong? And if I am, what is the way to do it?(unlock SIM) As I said before, the phone is s-off and rooted, but the bootloader is locked (thats what it says) and I have no recovery (I wasn't able to install one).
Click to expand...
Click to collapse
you can't install a custom recovery because your bootloader is locked so you can't use any fastboot command to flash the recovery
first flash 3.33 universal from here
http://forum.xda-developers.com/showthread.php?t=1459767
it will give you a patched hboot also which is unlocked
follow the instructions to the letter
and before flashing check md5 sums(important)
after that flash a custom recovery
then start again the unlock method
rzr86 said:
you can't install a custom recovery because your bootloader is locked so you can't use any fastboot command to flash the recovery
first flash 3.33 universal from here
http://forum.xda-developers.com/showthread.php?t=1459767
it will give you a patched hboot also which is unlocked
follow the instructions to the letter
and before flashing check md5 sums(important)
after that flash a custom recovery
then start again the unlock method
Click to expand...
Click to collapse
May be a noob question, but how do I check the md5 sums on windows? I was always doing it through recovery on the phone, but now I dont have one?
tx3m said:
May be a noob question, but how do I check the md5 sums on windows? I was always doing it through recovery on the phone, but now I dont have one?
Click to expand...
Click to collapse
you can do it also with any file manager to check md5 sums
from pc use md5 checker
rzr86 said:
you can do it also with any file manager to check md5 sums
from pc use md5 checker
Click to expand...
Click to collapse
So I just did what you suggested. Here is what appeared on the screen after entering the same code:
Code:
C:\Android>adb shell
[email protected]:/ $ su
su
[email protected]:/ # strings -n 8 /dev/block/mmcblk0p6
strings -n 8 /dev/block/mmcblk0p6
macaddr=1C:B0:94:F0:DB:D7
sromrev=3
vendid=0x14e4
devid=0x432f
boardtype=0x4b9
boardrev=0x36
boardflags=0x200
xtalfreq=37400
pa0b0=5190,5190,5576
pa0b1=64229,64229,64172
pa0b2=65121,65121,65155
pa0itssit=62
pa0maxpwr=82
ofdmpo=0xCC888888
mcs2gpo0=0xCCCC
mcs2gpo1=0xCCCC
rssismf2g=0xa,0xa,0xa
rssismc2g=0xb,0xb,0xa
rssisav2g=0x3,0x3,0x3
rcal_flag=0x61
ccode=ALL
cctl=0x0
cckdigfilttype=0
ofdmdigfilttype=1
rxpo2g=0
boardnum=1
otpimagesize=182
hwhdr=0x05ffff031030031003100000
RAW1=80 32 fe 21 02 0c 00 22 2a 01 01 00 00 c5 0 e6 00 00 00 00 00 40 00 00 ff f
f 80 00 00 00 00 00 00 00 00 00 00 c8 00 00 00 00 00 00 00 00 00 00 00 00 00 ff
20 04 D0 2 29 43 21 02 0c 00 22 04 00 20 00 5A
sd_gpout=0
sd_oobonly=1
rssi_offset=0
20130518
4109125C01997
HT15RT503206
HT15RT503206
MB320T501997
MB320T501997
99HNA003-02
CF93FF83
4109125C01997
PG5810000
T-MOB010
PG5810000
1CB094F0DBD7
2013/05/18
35506604772****
T-MOB010
v:@"C#@,/
[email protected]:/ #
So I guess trying to get a code didn't work. I'll try the other suggested method in the same thread. Thanks again for your help
EDIT: After trying the second method it worked just fine. I'm free again ) Thanks again bro
tx3m said:
So I just did what you suggested. Here is what appeared on the screen after entering the same code:
Code:
C:\Android>adb shell
[email protected]:/ $ su
su
[email protected]:/ # strings -n 8 /dev/block/mmcblk0p6
strings -n 8 /dev/block/mmcblk0p6
macaddr=1C:B0:94:F0:DB:D7
sromrev=3
vendid=0x14e4
devid=0x432f
boardtype=0x4b9
boardrev=0x36
boardflags=0x200
xtalfreq=37400
pa0b0=5190,5190,5576
pa0b1=64229,64229,64172
pa0b2=65121,65121,65155
pa0itssit=62
pa0maxpwr=82
ofdmpo=0xCC888888
mcs2gpo0=0xCCCC
mcs2gpo1=0xCCCC
rssismf2g=0xa,0xa,0xa
rssismc2g=0xb,0xb,0xa
rssisav2g=0x3,0x3,0x3
rcal_flag=0x61
ccode=ALL
cctl=0x0
cckdigfilttype=0
ofdmdigfilttype=1
rxpo2g=0
boardnum=1
otpimagesize=182
hwhdr=0x05ffff031030031003100000
RAW1=80 32 fe 21 02 0c 00 22 2a 01 01 00 00 c5 0 e6 00 00 00 00 00 40 00 00 ff f
f 80 00 00 00 00 00 00 00 00 00 00 c8 00 00 00 00 00 00 00 00 00 00 00 00 00 ff
20 04 D0 2 29 43 21 02 0c 00 22 04 00 20 00 5A
sd_gpout=0
sd_oobonly=1
rssi_offset=0
20130518
4109125C01997
HT15RT503206
HT15RT503206
MB320T501997
MB320T501997
99HNA003-02
CF93FF83
4109125C01997
PG5810000
T-MOB010
PG5810000
1CB094F0DBD7
2013/05/18
35506604772****
T-MOB010
v:@"C#@,/
[email protected]:/ #
So I guess trying to get a code didn't work. I'll try the other suggested method in the same thread. Thanks again for your help
Click to expand...
Click to collapse
yeap it doesn't show you the unlock code above your imei number
but i just remembered something else
in order to use the unlock process you have to be on gb firmware(that means 1.17 or1.18 hboot version)
it was a mistake from my side to tell you to flash 3.33 universal
but you can flash gb firmware from the firmware thread again(don't forget to check md5 sums again too)
then try the unlock process again
there is a way to do it also with 1.27 hboot version but i am still looking for it
edit:i think i found it
http://forum.xda-developers.com/showthread.php?p=27813767#post27813767 (post #531)