Before I start this thread, I should say that all credit goes to otaking71 for finding this crack.
The two original threads are here
http://forum.xda-developers.com/showthread.php?t=1255043
http://forum.xda-developers.com/showthread.php?t=1255360
All of the work was done in the #htc_evo_shift channel on freenode irc.
Table of contents:
1. Hboot information about the exploit.
2. Downgrading
2.1 Notes
3. Full root(Updated 2.2 root)
4. Links
5. Credits/donation links
I will aim to make it so this mod can be ported to other devices to help downgrade bootloaders and software. Please read the entire thread before flashing anything and trying this.
Hboot
Hboot uses a hidden partition to check everything it flashes against. This partition is "misc", or hboot -1, or on the shift mmcblk0p17 (hboot itself is at mmcblk0p18).
Raw dumps of this partition, using strings to filter ASCII strings, bring out this type of dump.
Locked bootloader for the evo shift's dump
"SPCS_001
DeviceWarmBoot
CE Serial InUse
Debug Cable Ena
CE USB InUse
ClearAutoImage
2.76.651.4
FNOC
FNOC"
Unlocked bootloader for the verizon thunderbolt
"VZW__001
DeviceWarmBoot
CE Serial InUse
Debug Cable Ena
CE USB InUse
ClearAutoImage
1.02.605.6
FNOC
FNOC"
Eng spl unlocked evo shift
"FN0C
FN0C
FN0C"
Now the place to focus on is the version number, 2.76.651.4. Hboot will check all items you try to flash via hboot or ruu utility against this number and if it is lower than what you are trying to flash, it will allow you to proceed in flashing through hboot, or ruu. If the number is higher, it will reject the flash. If the number doesn't exist (like in the eng spl) it will assume it is able to flash it (ONLY TESTED ON ENG SPL, not locked bootloaders). So by dumping the TB's misc partition into our own, we made it so the locked hboot would accept flashes, either by RUU or hboot.
We believe the package you flash still needs to be signed though, so that only leaves you with official ruu's and extracted ruu zips.
Joeykrim's history(Located on the second page of this thread)
joeykrim said:
for those curious, a lil bit of history:
same method as used on the evo part 2 thread by toastcfh at xda.
only diff is shift is emmc and evo was mtd. shift emmc partitions are a bit more in number and named differently when compared to the evo mtd partitions. on the evo this partition was labeled as "misc" in /proc/partitions. the misc partition being flashed holds the software version number which hboot checks against to verify whether or not it will allow an RUU to be loaded.
also, i want to recall a web site somewhere which allows users to create a custom misc file with a provided version number.
thought this partition was protected by the internal memory write protection but appears it wasn't. not much of a surprise as the first release of the shift didn't have write protection for the hboot partition turned on.
great this works! sadly, they'll prob patch it next OTA around as they did for the evo.
good job on testing (sorry about the lost shift), publishing and releasing! glad to see the shift has unlocked internal memory write protection again!!!
your path to the internal partition location is incorrect. as the OP states, use: /dev/block/mmcblk0p17
full command: dd if=/sdcard/misc.img of=/dev/block/mmcblk0p17
great article with the history and usage of dd, it's a classic unix/linux command. very good to become familiar with: http://en.wikipedia.org/wiki/Dd_(Unix)
How to downgrade your device
For the shift, will be different on other devices with a bit of modding.
1. Temproot(With Fre3vo for the shift) http://forum.xda-developers.com/showthread.php?t=1185243
2. Move the file misc.img to the root of your sdcard, and PG06IMG.zip too if you plan on flashing through hboot.
3. Modify the misc partition to bypass the version check, type the following in an adb shell or a terminal emulator on your phone.
Code:
dd if=/sdcard/misc.img of=/dev/block/mmcblk0p17
Note for other devs: misc.img is the image from the TB, could be other images as long as it has a lower version number.
4. This is up to you, you can either use the ruu utility to revert or the PG06IMG.zip in hboot. I'll include links to both. Since both utilities check the misc partition, both are able to flash =)
5. Reboot and then full root like normal on your downgraded device.
Notes
1. When flashing hboot/using this exploit it always flashes twice/stops early and recontinues. Don't worry about it, this is normal(Sometimes it looks like more than 2 but just chill out).
2. Some SDcards are not recognized by hboot, so you will either have to switch cards for this operation or use the ruu utility method.
3. Remove the PG06IMG from your sdcard after flash, or hboot will pick it up next time.
Full root for downgraded 2.2
Flash ENG bootloader
1. Download these files and extract them to the root of your sdcard: www.thebcblends.com/shift/Shift-root.zip
2. Obtain temproot from z4Root, visionary, OR CM's temproot wiki
3. Flash hboot with Engineer SPL:
Code:
dd if=/sdcard/Shift/hboot_eng.nb0 of=/dev/block/mmcblk0p18
4. Boot into bootloader and check for S-OFF
Flashing a recovery
1. Grab latest shift recovery from: http://www.koushikdutta.com/2010/02/clockwork-recovery-image.html
2. Make sure you're temprooted(may have to temp root again)
3. Install recovery from rom manager
Alternative install can be done if you grab another recovery's recovery.img and do one of the following below.
a. Okay this is for those with fastboot - flash the recovery with fastboot: fastboot flash recovery recovery.img
b. This is for those where fastboot doesn't work or they don't have it - 1. Place recovery.img on the root of your sdcard, then type the command below.
Code:
dd if=/sdcard/recovery.img of=/dev/block/mmcblk0p21
Full root/Rom flashing
Well I know you don't have anything you want to save from the 2.2 ruu since it's just a stock flash, so I am going to leave it off here as flash whatever rom you want over the new system via recovery and you should end up with a fully rooted android.
Just remember to wipe data/factory reset after flash.
Links - MD5Sums aren't terribly important here as the files will not flash if they are not correct due to the signatures.
Fre3vo temp root for GB - http://forum.xda-developers.com/showthread.php?t=1185243
misc.img for the misc partition - http://dl.dropbox.com/u/41040697/misc.img MD5Sum: c88dd947eb3b36eec90503a3525ae0de
Misc.img mirror(You guys took down my second dropbox.....trying a different site now): http://www.box.net/shared/0l8ex73zne0tfr10ob69
Second misc.img mirror: http://dl.dropbox.com/u/15373824/misc.img
Another mirror for misc.img: http://dev-host.org/a9dbnuzgb9qv/misc.zip (Thanks Fdxrider)
Official ruu file for downgrading to 2.2 - http://www.multiupload.com/15N2D30H6C MD5SUM: a4b880954d2ac29d5bdf0dade9dede3c
PG06IMG for hboot downgrading to 2.2 - http://dl.dropbox.com/u/41040697/PG06IMG.zip MD5SUM: d20be478fd860b80f5e800c958f79077
Mirror for PG06IMG(First link went down temporarily due to generating too much traffic on my account, good job guys xD) - http://dl.dropbox.com/u/15373824/PG06IMG.zip
Mirror for PG06IMG: http://dev-host.org/xmlaaco0s2ph/PG06IMG.zip
2.2 root [Bcnice guide]- http://forum.xda-developers.com/showthread.php?t=932153
Cm's rooting method(For those without z4root or visionary) - http://wiki.cyanogenmod.com/wiki/HTC_Evo_Shift_4G:_Full_Update_Guide
Credits
Otaking71 - Discoverer of this exploit for the shift and working throughout the night to establish it as a working downgrade.
Bcnice20 & other 2.2 root devs - I borrowed your root methods for this guide, and linked to them. Just had to update it for recovery basically.
Stuke00 - Fre3vo temp root for 2.3.3
Joeykrim - Donating that history for the curious minds.
Donation links:
Otaking71 - Main driver of this discovery/creator and came up with this theory
http://forum.xda-developers.com/donatetome.php?u=1762836
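The version gate described in the Hboot section of the opening post, modelled next to a fail-closed variant. This is an added example, not code from the thread or from HTC's bootloader; the function names, the `trusted_minimum` value, the constructed package version `2.00.0.0`, and the choice to accept an equal version are assumptions.

```python
"""Added illustration: the flash version gate described in the post, modelled in Python."""
import re

# Four-part dotted version such as 2.76.651.4, as it appears in the strings dumps.
VERSION_RE = re.compile(rb"(?<![\d.])(\d+)\.(\d+)\.(\d+)\.(\d+)(?![\d.])")

# Constructed sample dumps: the ASCII strings are the ones quoted in the post,
# the NUL padding between them is invented for this example.
LOCKED_MISC = b"SPCS_001\x00DeviceWarmBoot\x00ClearAutoImage\x002.76.651.4\x00FNOC\x00FNOC"
LOWER_MISC = b"VZW__001\x00DeviceWarmBoot\x00ClearAutoImage\x001.02.605.6\x00FNOC\x00FNOC"
NO_VERSION_MISC = b"FN0C\x00FN0C\x00FN0C"

PACKAGE = "2.00.0.0"  # constructed version of an older, signed package


def parse_version(text):
    """Turn 'a.b.c.d' into a tuple of ints; raise ValueError on anything else."""
    parts = text.split(".")
    if len(parts) != 4 or not all(p.isdigit() for p in parts):
        raise ValueError("not a four-part version: %r" % text)
    return tuple(int(p) for p in parts)


def stored_version(misc):
    """Return the first dotted version found in a misc dump, or None if absent."""
    match = VERSION_RE.search(misc)
    return tuple(int(g) for g in match.groups()) if match else None


def gate_as_described(misc, package_version):
    """The behaviour the post reports: the reference value is read from misc."""
    current = stored_version(misc)
    if current is None:
        return True  # fails open (the post saw this on the ENG SPL only)
    # Assumption: an equal version is accepted; the post only covers lower/higher.
    return parse_version(package_version) >= current


def gate_fail_closed(trusted_minimum, package_version):
    """Hardened variant (hypothetical): the minimum comes from storage the running
    OS cannot rewrite, and a missing or malformed value rejects the flash."""
    if trusted_minimum is None:
        return False
    try:
        return parse_version(package_version) >= trusted_minimum
    except ValueError:
        return False


def misc_disagrees(misc, trusted_minimum):
    """Detection signal: misc carries no version, or one below the trusted minimum."""
    current = stored_version(misc)
    return current is None or current < trusted_minimum


if __name__ == "__main__":
    trusted = stored_version(LOCKED_MISC)
    for name, dump in [("locked", LOCKED_MISC), ("lower", LOWER_MISC),
                       ("no version", NO_VERSION_MISC)]:
        print(name,
              "described:", gate_as_described(dump, PACKAGE),
              "fail-closed:", gate_fail_closed(trusted, PACKAGE),
              "misc disagrees:", misc_disagrees(dump, trusted))
```

The fail-closed gate gives the same answer for all three dumps because its reference value no longer lives in the partition that `dd` can overwrite.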
Should we vote this to the front or try to keep it on the downlow?
^ Shift Faced
I'm at work now, but am I to understand that there is now a full root for shifts on gb?
Sent from my PC36100 using XDA App
totalnub911 said:
I'm at work now, but am I to understand that there is now a full root for shifts on gb?
Sent from my PC36100 using XDA App
Something of that sort, you can obtain full root through this exploit. Though it's through downgrading the firmware you use old 2.2 rooting methods.
totalnub911 said:
I'm at work now, but am I to understand that there is now a full root for shifts on gb?
Sent from my PC36100 using XDA App
that is correct if you downgrade then root with shiftRR. thats what i'm getting from all this
EDIT: got beat to it
YoungCorruption said:
that is correct if you downgrade then root with shiftRR. thats what i'm getting from all this
EDIT: got beat to it
sounds like its time to change your siggy there youngcorruption!
Im sorry for the noobish but what does this mean and how do i do this
2. Modify the misc partition: dd if=/sdcard/misc.img of=/dev/block/mmcblk0p17
misc.img is the image from the TB, could be other images as long as it has a lower version number.
halrulez said:
Im sorry for the noobish but what does this mean and how do i do this
2. Modify the misc partition: dd if=/sdcard/misc.img of=/dev/block/mmcblk0p17
misc.img is the image from the TB, could be other images as long as it has a lower version number.
In more specific directions it means to move the downloaded file misc.img to /sdcard, then to type the command "dd if=/sdcard/misc.img of=/dev/block/mmcblk0p17" without quotes. The rest just means it'll be different on other devices.
Nice write up, thanks to otaking and scary you all saved the shifters from a horrible ota update
Sent from my Supreme Shift using Tapatalk
Scaryghoul said:
In more specific directions it means to move the downloaded file misc.img to /sdcard, then to type the command "dd if=/sdcard/misc.img of=/dev/block/mmcblk0p17" without quotes. The rest just means it'll be different on other devices.
ok can do this in terminal from my phone or do i have to do this in adb from my computer?
and if so what are the full steps to get to the point so i can enter this. I am trying to understand adb hell i am just starting in linux so i am hella noob
halrulez said:
ok can do this in terminal from my phone or do i have to do this in adb from my computer?
and if so what are the full steps to get to the point so i can enter this. I am trying to understand adb hell i am just starting in linux so i am hella noob
Either one, you can either mount your phone on usb and move the misc.img to your sdcard then type the command in terminal on your phone.
OR
You can adb push the file to your sdcard then adb shell the command.
I'll make the instructions more detailed in a bit.
What do you mean by: Modify the misc partition: dd if=/sdcard/misc.img of=/dev/block/mmcblk0p1?
I moved the misc.img to sdcard but I have no mmcblk0pl in dev/block. Do I have to create that folder? And dd and of....lost me there.
I just did it and it worked perfectly. Back on 2.2, ready to root. Thanks again to otaking and scary for all your hard work.
ok so i was able to do this from the terminal from my android
now though when i am trying to run the ruu from my computer it starts to go but keeps saying that it is waiting for the bootloader. the phone won't boot into the bootloader
halrulez said:
ok so i was able to do this from the terminal from my android
now though when i am trying to run the ruu from my computer it starts to go but keeps saying that it is waiting for the bootloader. the phone won't boot into the bootloader
you might need to install htc sync to run ruu's. http://www.htc.com/managed-assets/support/software/htc-sync/setup_3.0.5557.exe
i'm just going to put this out there as well because i have had problems with the drivers that came with sync and i was forced to use the modified usb drivers found in the unrevoked evo tool, i dunno it's weird but my vista pc didn't like anything but them drivers, and another guy i helped ruu from a major mess up, he couldn't get anything with sync to recognize his shift until he used the same modified evo drivers. i hope no one has an issue but if it comes about this is how to fix a driver issue
Best day ever!!!!!!!!!!!!!!!!!!!!!!!!!
strapped365 said:
i'm just going to put this out there as well because i have had problems with the drivers that came with sync and i was forced to use the modified usb drivers found in the unrevoked evo tool, i dunno it's weird but my vista pc didn't like anything but them drivers, and another guy i helped ruu from a major mess up, he couldn't get anything with sync to recognize his shift until he used the same modified evo drivers. i hope no one has an issue but if it comes about this is how to fix a driver issue
provide link to said drivers?
riggsandroid said:
provide link to said drivers?
kinda cant provide an actual link directly to the drivers because i had to set up unrevoked just like i was rooting an evo, so i just hinted they were in the tool
http://unrevoked.com/recovery/
thats where you can get the tool from to setup your drivers if you have issues with sync not playing well or your pc just dont want to read the drivers right
for those curious, a lil bit of history:
same method as used on the evo part 2 thread by toastcfh at xda.
only diff is shift is emmc and evo was mtd. shift emmc partitions are a bit more in number and named differently when compared to the evo mtd partitions. on the evo this partition was labeled as "misc" in /proc/partitions. the misc partition being flashed holds the software version number which hboot checks against to verify whether or not it will allow an RUU to be loaded.
also, i want to recall a web site somewhere which allows users to create a custom misc file with a provided version number.
thought this partition was protected by the internal memory write protection but appears it wasn't. not much of a surprise as the first release of the shift didn't have write protection for the hboot partition turned on.
great this works! sadly, they'll prob patch it next OTA around as they did for the evo.
good job on testing (sorry about the lost shift), publishing and releasing! glad to see the shift has unlocked internal memory write protection again!!!
blakeatl said:
What do you mean by: Modify the misc partition: dd if=/sdcard/misc.img of=/dev/block/mmcblk0p1?
I moved the misc.img to sdcard but I have no mmcblk0pl in dev/block. Do I have to create that folder? And dd and of....lost me there.
your path to the internal partition location is incorrect. as the OP states, use: /dev/block/mmcblk0p17
full command: dd if=/sdcard/misc.img of=/dev/block/mmcblk0p17
great article with the history and usage of dd, it's a classic unix/linux command. very good to become familiar with: http://en.wikipedia.org/wiki/Dd_(Unix)
Hello everyone,
rhcp was able to locate a method with which to do updates the standard way HTC does them. If you are, for instance, on 1.73 and have the 1.85 OTA .zip file (the one sent from HTC, not a CWM .zip file), you can use this method to place it in the right location and start an update.
Disclaimer:
I do not take responsibility if something goes wrong. PLEASE do this at your own risk.
Please do not use this to go to 1.85 as you may lose root. This is more FYI for future OTA updates or after 1.85 is rooted.
Requirements:
You must have ROOT before doing this. You'll be accessing a location that is not writable without root.
You must have the official OTA file. If someone can help with this portion I can post it here for all users to use if they wish.
Follow these steps to pull the OTA update:
When it shows "downloading" and the OTA completes, if you have root, please do the following:
Code:
adb shell
cd /cache
ls -l
Locate the file ending with .zip here. May look extremely long and should resemble something like OTA_Evita_U_Cingular.........zip
Quit out of adb shell
Code:
adb pull /cache/<file name of the OTA package.zip>
Post that package.zip file on a file share and send me the link and I will add it to the OP.
To update using the OTA file, follow these steps:
Code:
adb push <file name of the OTA package.zip> /mnt/sdcard/
adb shell
su
cp <file name of the OTA package.zip> /cache/update.zip
cd /cache/
mkdir recovery
cd recovery
echo "--update_package=/cache/update.zip" > command
adb reboot recovery
This will cause your device to update using the OTA method that HTC uses to push updates.
If this helped you...PLEASE donate to rhcp, which happens to have had to pay for a new One S due to bricking the first time figuring this out. His donate link is here.
Toss me a Thanks if you think this guide was helpful .
h8rift said:
Hello everyone,
rhcp was able to locate a method with which to do updates the standard way HTC does them. If you are, for instance, on 1.73 and have the 1.85 OTA .zip file (the one sent from HTC, not a CWM .zip file), you can use this method to place it in the right location and start an update.
Disclaimer:
I do not take responsibility if something goes wrong. PLEASE do this at your own risk.
Requirements:
You must have ROOT before doing this. You'll be accessing a location that is not writable without root.
You must have the official OTA file. If someone can help with this portion I can post it here for all users to use if they wish.
Follow these steps to pull the OTA update:
When it shows "downloading" and the OTA completes, if you have root, please do the following:
Code:
adb shell
cd /cache
ls -l
Locate the file ending with .zip here. May look extremely long and should resemble something like OTA_Evita_U_Cingular.........zip
Quit out of adb shell
Code:
adb pull /cache/<file name of the OTA package.zip>
Post that package.zip file on a file share and send me the link and I will add it to the OP.
To update using the OTA file, follow these steps:
Code:
adb push <file name of the OTA package.zip> /mnt/sdcard/
adb shell
su
cp <file name of the OTA package.zip> /cache/update.zip
cd /cache/
mkdir recovery
cd recovery
echo "--update_package=/cache/update.zip" > command
adb reboot recovery
This will cause your device to update using the OTA method that HTC uses to push updates.
If this helped you...PLEASE donate to rhcp, which happens to have had to pay for a new One S due to bricking the first time figuring this out. His donate link is here.
Toss me a Thanks if you think this guide was helpful .
nice but this update didnt fix anything anyway. wifi still sucks.
djfrost40 said:
nice but this update didnt fix anything anyway. wifi still sucks.
Lol. Be it as it may....this is still a handy method for us to use with future OTA updates.
h8rift said:
Lol. Be it as it may....this is still a handy method for us to use with future OTA updates.
I think ATT and HTC just need to issue a refund to all of the unfortunate folks that fell for this phone hook line and sinker...LOL, I tried the update, and wifi is still bad maybe even worse... I just boxed mine up and went back to my HTC Vivid.
djfrost40 said:
I think ATT and HTC just need to issue a refund to all of the unfortunate folks that fell for this phone hook line and sinker...LOL, I tried the update, and wifi is still bad maybe even worse... I just boxed mine up and went back to my HTC Vivid.
Sorry to hear that djfrost40. I have literally had zero issues with this phone. No issues mentioned here (besides HTC's software-tweaked multi-tasking) have been evident on my phone. Hope your Vivid treats you well.
h8rift said:
Sorry to hear that djfrost40. I have literally had zero issues with this phone. No issues mentioned here (besides HTC's software-tweaked multi-tasking) have been evident on my phone. Hope your Vivid treats you well.
Wow was starting to think I was the only one because like you I have had zero problems with my phone never had to replace it and the multi tasking doesn't really affect me all that much
Sent from My Nocturnalized Beast
The only issue I have is getting my OC to work 100%. Aside from that, I love the phone to death!
This method does not seem to work for me. I have no trouble following the steps but the phone just boots into recovery and nothing else. Also I think there are a couple of "exits" missing from the list of commands right after the creation of the command file, maybe they are implied.
Has anyone else verified this works for them? I am on a rooted, TWRP and still at 1.73. I also tried this method with CWM recovery installed but no luck.
anika200 said:
This method does not seem to work for me. I have no trouble following the steps but the phone just boots into recovery and nothing else. Also I think there are a couple of "exits" missing from the list of commands right after the creation of the command file, maybe they are implied.
Has anyone else verified this works for them? I am on a rooted, TWRP and still at 1.73. I also tried this method with CWM recovery installed but no luck.
If you have twrp, why have you flashed a custom Rom?
Sent from my HTC One X using Tapatalk 2
kleeman7 said:
If you have twrp, why have you flashed a custom Rom?
Sent from my HTC One X using Tapatalk 2
Yeah, kinda doesn't make sense. Actually I am liking the original HTC sense and also I am not sure which rom to try out.
Update.zip for root??
Is it possible to make an update.zip that we could flash via stock recovery to push su binary? Just a thought.
kizzle4 said:
Is it possible to make an update.zip that we could flash via stock recovery to push su binary? Just a thought.
Nope, unless you work for HTC and know how to get the key to sign the update zip
Sent from my HTC One XL using Tapatalk 2
What about update zip from say an international version?
kizzle4 said:
What about update zip from say an international version?
It will fail once it reads the build prop and realizes that this isn't an international one x, and if it does flash you would have a nice paperweight
Besides what does this accomplish? You can't modify ANY zip file from HTC without breaking the signature. Which makes this method useless
Sent from my HTC One XL using Tapatalk 2
In order for a thread to exist in the development section, it must contain a link to downloadable content. Because this is more of a guide, I'm moving this to general.
Thread Moved.
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
"If you choose not to decide, you still have made a choice"
Sent from my Galaxy Note (i717), using XDA Premium.
What steps in the OP modify if there's not enough space on the cache partition to hold the update.zip? Is it safe to run the following steps in that case:
Code:
adb push <file name of the OTA package.zip> /mnt/sdcard/
adb shell
su
cd /mnt/sdcard/
mv <file name of the OTA package.zip> update.zip
cd /cache/recovery
echo "--update_package=/mnt/sdcard/update.zip" > command
AlxMAX said:
What steps in the OP modify if there's not enough space on the cache partition to hold the update.zip? Is it safe to run the following steps in that case:
Code:
adb push <file name of the OTA package.zip> /mnt/sdcard/
adb shell
su
cd /mnt/sdcard/
mv <file name of the OTA package.zip> update.zip
cd /cache/recovery
echo "--update_package=/mnt/sdcard/update.zip" > command
Wondering this too... or even using a larger partition like /data that has 1GB free. :-/
Can someone dd the radio partition for me and link to it?
Wanna make the zips =)
FYI: use this adb command and then pull the img of your sd card -
Code:
C:\adb>adb shell dd if=/dev/block/mmcblk0p17 of=/sdcard/radio.img
taylor.fowler said:
Can someone dd the radio partition for me and link to it?
Wanna make the zips =)
FYI: use this adb command and then pull the img of your sd card -
Code:
C:\adb>adb shell dd if=/dev/block/mmcblk0p17 of=/sdcard/radio.img
"removed from dropbox" stock radio from new at&t ota, download taylor.fowler cwm flashable
Cm10.x and sense zips coming soon!
Sent from my One X using xda app-developers app
Could anyone help me obtain a system.mbn dump from a rooted XT1080 running SU4-21?
I'm going to try using the http://forum.xda-developers.com/droid-ultra/general/droid-mini-maxx-ultra-root-pogress-100-t3071609 method to flash it and then run sunshine for bootloader unlock.
Sunshine should already work in SU4-21.... Doesn't it?
hazam1992 said:
Sunshine should already work in SU4-21.... Doesn't it?
Only if you're already rooted. Sunshine can't grab temproot on its own. At least not the latest version.
FYI - If anyone is willing, these are the commands to run:
Code:
set sBD="%date%-%time:~0,2%.%time:~3,2%"
adb wait-for-device
adb shell su -c "dd if=/dev/block/mmcblk0p38 of=/sdcard/system.mbn"
adb pull /sdcard/system.mbn ./%sBD%/system.mbn
pause
Any luck? I am going to post in General to see if we can get some results here.
jyusta said:
Any luck? I am going to post in General to see if we can get some results here.
YES!! I grabbed the FXZ from motorola, and found some instructions elsewhere on this forum on how to unpack it. I then added SuperSU and followed the instructions people have been using with the SU6-7 release only modified to use my new 4-21 files. Everything worked fine and I was able to run Sunshine successfully.
I'm going to bed now, but I'll upload the files when I get a chance.
tl;dr: I got everything to work and unlocked my Droid Maxx.
little2slo said:
YES!! I grabbed the FXZ from motorola, and found some instructions elsewhere on this forum on how to unpack it. I then added SuperSU and followed the instructions people have been using with the SU6-7 release only modified to use my new 4-21 files. Everything worked fine and I was able to run Sunshine successfully.
I'm going to bed now, but I'll upload the files when I get a chance.
tl;dr: I got everything to work and unlocked my Droid Maxx.
...actually, here's a link to the files I used http://www.4shared.com/zip/9UOyljqaba/_Root_SU4-21_Stock.html
little2slo said:
...actually, here's a link to the files I used ...
Thank you sooo much!
I'm going to try this, time to install some tools. Hopefully I don't brick my only device!
It worked perfectly for me! I got my Droid Maxx yesterday with 4.21, and I am so happy I realized I shouldn't update. I used those files (remember, the mine folder should be renamed to _root) and it worked (don't worry about time, it took about 40 min for it to finish for me). I then used sunshine and now I'm unlocked!
little2slo said:
YES!! I grabbed the FXZ from motorola, and found some instructions elsewhere on this forum on how to unpack it. I then added SuperSU and followed the instructions people have been using with the SU6-7 release only modified to use my new 4-21 files. Everything worked fine and I was able to run Sunshine successfully.
I'm going to bed now, but I'll upload the files when I get a chance.
tl;dr: I got everything to work and unlocked my Droid Maxx.
Can you give us the link to the 4-21 fxz?
elicik said:
It worked perfectly for me! I got my Droid Maxx yesterday with 4.21, and I am so happy I realized I shouldn't update. I used those files (remember, the mine folder should be renamed to _root) and it worked (don't worry about time, it took about 40 min for it to finish for me). I then used sunshine and now I'm unlocked!
How different is rooting 4.21 from 6.7? Want to be absolutely sure before rooting mine since I don't have a backup phone.
---------- Post added at 12:45 PM ---------- Previous post was at 12:26 PM ----------
cohomology said:
How different is rooting 4.21 from 6.7? Want to be absolutely sure before rooting mine since I don't have a backup phone.
Also in the original rooting 6.7 thread, op said one has to flash a special non OTA 6.7 image before rooting. Do we have to do sth similar to 4.21?
---------- Post added at 12:57 PM ---------- Previous post was at 12:45 PM ----------
I got mine working last night, I have not purchased sunshine yet but the tool says it is ready to unlock bootloader
So the difference is you need to flash a different ROM in step 00
https://yadi.sk/d/MCliEyCPfj7ZZ
In the folder for your device there is a SU4.21-release-keys.xml that you need to use.
The other difference is after step
"01 Unzipp everything to C:\Python27."
rename the "mine" folder from little2slo to "_root"
Then follow the rest of the steps and you should be good to go.
Thanks again for releasing this to the rest of us OP!
jyusta said:
I got mine working last night, I have not purchased sunshine yet but the tool says it is ready to unlock bootloader
So the difference is you need to flash a different ROM in step 00
https://yadi.sk/d/MCliEyCPfj7ZZ
In the folder for your device there is a SU4.21-release-keys.xml that you need to use.
The other difference is after step
"01 Unzipp everything to C:\Python27."
rename the "mine" folder from little2slo to "_root"
Then follow the rest of the steps and you should be good to go.
Thanks again for releasing this to the rest of us OP!
Sorry for my ignorance -- but when do I flash "_Root_SU4-21_Stock.zip" linked by little2slo?
Alright first of all thanks to little2slo for this!
Second of all before i do anything i just want to make sure im understanding everything and what i plan to do is correct so if the steps i post below are wrong in any way please let me know!
1) Install python 2.7 Pyserial and RSD lite then copy all the below files to the C:/python27 folder
2) Reboot the phone into fastboot and use RSD lite to flash the 4.21 release keys version from here https://yadi.sk/d/MCliEyCPfj7ZZ
3) Rename the mine folder in zip from little2slo to _root
4) boot into fast mode again and then run the blbroke.bat from the folder little2slo posted
5) run Run_root.bat from the folder little2slo posted
And then i should be rooted and can use sunshine to unlock the bootloader correct?
Here's what I did.
1. Install RSD Lite
2. Install python27 and pyserial from "Soft_and_Drivers.rar"
3. boot into fastboot and flash 1FF-obakem_verizon-user-4.4.4-SU4.21-release-keys.xml.zip using RSD Lite
3. run BLBROKE.bat from _Root_SU6-7_Stock.rar (either needs python in your path or you can copy the contents of that rar file into the python install dir)
4. your phone should now boot into the QHSUSB_DLOAD mode
5. When prompted for drivers point them to the drivers in the "windows_drivers_QHSUSB_DLOAD" folder from the "Soft_and_Drivers.rar" archive
5a. I actually ended up waiting for the automatic install to fail, opening device manager, finding the failed device, selecting upgrade drivers and pointing it to the correct folder this way
5b. make sure you use the correct 32/64bit folder
6. either rename the "mine" folder to "_root" OR change the line in RUN_Root.bat from "python qdloadRoot.py MPRG8960.bin -ptf _root/partitions.txt" to "python qdloadRoot.py MPRG8960.bin -ptf mine/partitions.txt"
7. execute the RUN_ROOT.bat file
8. Wait for everything to flash. It took me about an hour.
9. Your phone should reboot automatically, and now have root
10. You should now be able to run Sunshine and unlock your bootloader
If anyone cares, I used the ImgExtractor.exe from http://forum.xda-developers.com/showthread.php?t=2707111 to convert the system.img in the FXZ file into a system.mbn file. The system.mbn is a direct ext4 filesystem image so I copied it, mounted the copy, baked in SuperSU, unmounted, split both copies, diff'd to see what was different, and then modified the qdloadRoot.py script to only look for those files.
Relevant commands:
ImgExtractor.exe system.img system.mbn -conv
sudo mount -t ext4 -o loop system.mbn /mnt
sudo umount /mnt
split -a 3 -b 16777216 --numeric-suffixes=1 system.mbn system
find . -name "system0*" -exec mv {} {}.mbn \;
find . -name "system1*" -exec mv {} {}.mbn \;
to do the diff I used checksums
sum system*.mbn > sums.txt
diff sums.txt modified/sums.txt
Note: ImgExtractor runs on windows, everything else are linux commands
Hopefully someone else finds this helpful since I spent over an hour just trying to find out how to convert the system.img from the motorola FXZ into an ext4 image I could modify. Turns out motorola has some special sauce so most tools and scripts I looked at wouldn't work.
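The split-and-compare step from the post above, as an added example that is not part of the original post or of qdloadRoot.py. The function name `changed_chunks` and the image file names are assumptions; it swaps `sum` (a 16-bit checksum, so two different chunks can share a value) for `sha256sum`.

```shell
#!/usr/bin/env bash
# changed_chunks ORIG MODIFIED [CHUNK_BYTES]
# Split both images into fixed-size chunks (16 MiB by default, as in the post),
# hash every chunk, and print the names of the chunks that differ.
# Hypothetical helper written for this example.
changed_chunks() {
    local orig modified chunk work
    orig=$1
    modified=$2
    chunk=${3:-16777216}
    work=$(mktemp -d) || return 1
    mkdir "$work/orig" "$work/mod"

    # Same split invocation as the post: 3-digit numeric suffixes starting at 1.
    split -a 3 -b "$chunk" --numeric-suffixes=1 "$orig" "$work/orig/system"
    split -a 3 -b "$chunk" --numeric-suffixes=1 "$modified" "$work/mod/system"

    # One "hash  name" line per chunk, in suffix order.
    (cd "$work/orig" && sha256sum system*) > "$work/orig.sums"
    (cd "$work/mod" && sha256sum system*) > "$work/mod.sums"

    # Lines starting with ">" exist only in the modified list: changed or
    # new chunks. Strip the hash and print the name the post gives the chunk
    # after its rename step (systemNNN.mbn).
    diff "$work/orig.sums" "$work/mod.sums" |
        sed -n 's/^> [0-9a-f]*  \(.*\)$/\1.mbn/p'

    rm -rf "$work"
}

# Usage (file names are placeholders):
#   changed_chunks system.mbn modified/system.mbn
```

Only the chunks it prints need to be written to the device; every other chunk is byte-identical to what the stock flash already put there.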
little2slo said:
If anyone cares, I used the ImgExtractor.exe from http://forum.xda-developers.com/showthread.php?t=2707111 to convert the system.img in the FXZ file into a system.mbn file. The system.mbn is a direct ext4 filesystem image so I copied it, mounted the copy, baked in SuperSU, unmounted, split both copies, diff'd to see what was different, and then modified the qdloadRoot.py script to only look for those files.
Relevant commands:
ImgExtractor.exe system.img system.mbn -conv
sudo mount -t ext4 -o loop system.mbn /mnt
sudo umount /mnt
split -a 3 -b 16777216 --numeric-suffixes=1 system.mbn system
find . -name "system0*" -exec mv {} {}.mbn \;
find . -name "system1*" -exec mv {} {}.mbn \;
to do the diff I used checksums
sum system*.mbn > sums.txt
diff sums.txt modified/sums.txt
Note: ImgExtractor runs on windows, everything else are linux commands
Hopefully someone else finds this helpful since I spent over an hour just trying to find out how to convert the system.img from the motorola FXZ into an ext4 image I could modify. Turns out motorola has some special sauce so most tools and scripts I looked at wouldn't work.
I sure am glad you found the file before me, sounds painful!
My maxx is rooted now! Thank you all for the great work. And now on my way to unlock the BL!
---------- Post added at 11:06 PM ---------- Previous post was at 10:21 PM ----------
cohomology said:
My maxx is rooted now! Thank you all for the great work. And now on my way to unlock the BL!
I just unlocked the BL with sunshine and couldn't be happier!
Thanks for getting back to me with the steps you took little2slo and thanks for letting us know how you got to that point! I really appreciate your work here and I'm about to try this as soon as the obakem file downloads. I'll return with results. Hopefully my T-Mobile service will work a bit better with the CM ROM available for the Ultra.
Alright guys, got the rooted image flashed over no problem. Installed Sunshine and now the bootloader is unlocked! I'M SO HAPPY. I've had this device just laying in the drawer for about 6 months; now I can finally do something with it. Next is to figure out how to flash the CM ROM available.
If you just don't want root, or you need to sell your phone, or whatever, you can use this to return your phone to stock v10q:
Flash this zip from TWRP. This is every piece of the v10q firmware: h910_10q_full_stock.zip
SHA1: 720f122605dda361b8d8de1abaa8a56326416056
Wipe Cache/Dalvik Cache
Format data
Reboot
That is it. Your phone will be bone stock v10q.
If you want to root again after you flash this, use this procedure.
-- Brian
I flashed the system; that went well. When I flash the return to stock zip it ends with Error 1.
What version of TWRP? I tested this on 3.1.1
I also have 3.1.1 .... I tried flashing from internal storage and SD card. I did also check the SHA1s to make sure they match and they do. So what's the SHA1 of the system image itself, just to make sure it's correct once it's unzipped (considering I don't have a computer so I'm using my phone to extract the image)?
I'm also getting error 1 trying to install the zip. TWRP 3.1
Unzip failed. Aborting...
Updater process ended with ERROR: 1
Error installing zip ...
Updating partition details...
...done
Would a log from TWRP of the failed flash help? I can go try and flash again and then copy the log if that will help.
Well crap -- it must be a bad upload. I will upload a new copy in a bit.
Thanks @deadguyperez for the exact error: Unzip failed -- that means it is a bad zip.
-- Brian
Please don't forget to fix this. I'm running WETA and it's fan-****ing-tastic so I'll probably never go back to stock, but just in case I need to.... would be nice to have the files. Thanks boss! Stay safe.
Yea, dealing with the damage from Irma, but I should be back in shape by Wednesday.
-- Brian
status??
runningnak3d said:
Yea, dealing with the damage from Irma, but I should be back in shape by Wednesday.
-- Brian
@op have you had the chance to work on this any more? I'm excited to get back to full stock if possible so I can warranty out my phone. Front Camera and Accelerometer both don't work anymore...
Does this relock the bootloader as well?
jetracer said:
Does this relock the bootloader as well?
It will, yes.
First post updated with HOPEFULLY fixed zips. Since my H910 is currently my test bed for LAF research, it is bone stock so I can't test these. The worst that will happen is that you get an error. If so, PM me, or @ mention me in this thread so I can work with you to find out what is wrong.
-- Brian
runningnak3d said:
First post updated with HOPEFULLY fixed zips. Since my H910 is currently my test bed for LAF research, it is bone stock so I can't test these. The worst that will happen is that you get an error. If so, PM me, or @ mention me in this thread so I can work with you to find out what is wrong.
-- Brian
@runningnak3d I got this error: Updater process ended with ERROR: 1. Error installing zip file /sdcard/download/v10m_return_to_stock.zip
Any ideas?
Also - The 5GB system.img file loads extremely quick. Seems sketchy to me, but maybe that's normal?
EDIT - I'm running TWRP 3.0.2-1 and it does say that the system image flashed properly. That much has been completed.
sirslipzalot said:
@runningnak3d I got this error: Updater process ended with ERROR: 1. Error installing zip file /sdcard/download/v10m_return_to_stock.zip
Any ideas?
Also - The 5GB system.img file loads extremely quick. Seems sketchy to me, but maybe that's normal?
EDIT - I'm running TWRP 3.0.2-1 and it does say that the system image flashed properly. That much has been completed.
Got past the error and booted into Android by using ADB to flash all the files in the return_to_stock zip. It was tedious, but I typed out the list for anyone who just wants to copy and paste each line into their CLI.
dd if=aboot of=/dev/block/bootdevice/by-name/aboot
dd if=abootbak of=/dev/block/bootdevice/by-name/abootbak
dd if=apdp of=/dev/block/bootdevice/by-name/apdp
dd if=boot of=/dev/block/bootdevice/by-name/boot
dd if=cmnlib of=/dev/block/bootdevice/by-name/cmnlib
dd if=cmnlib64 of=/dev/block/bootdevice/by-name/cmnlib64
dd if=cmnlib64bak of=/dev/block/bootdevice/by-name/cmnlib64bak
dd if=cmnlibbak of=/dev/block/bootdevice/by-name/cmnlibbak
dd if=devcfg of=/dev/block/bootdevice/by-name/devcfg
dd if=devcfgbak of=/dev/block/bootdevice/by-name/devcfgbak
dd if=factory of=/dev/block/bootdevice/by-name/factory
dd if=hyp of=/dev/block/bootdevice/by-name/hyp
dd if=hypbak of=/dev/block/bootdevice/by-name/hypbak
dd if=keymaster of=/dev/block/bootdevice/by-name/keymaster
dd if=keymasterbak of=/dev/block/bootdevice/by-name/keymasterbak
dd if=laf of=/dev/block/bootdevice/by-name/laf
dd if=lafbak of=/dev/block/bootdevice/by-name/lafbak
dd if=modem of=/dev/block/bootdevice/by-name/modem
dd if=msadp of=/dev/block/bootdevice/by-name/msadp
dd if=persist of=/dev/block/bootdevice/by-name/persist
dd if=pmic of=/dev/block/bootdevice/by-name/pmic
dd if=pmicbak of=/dev/block/bootdevice/by-name/pmicbak
dd if=raw_resources of=/dev/block/bootdevice/by-name/raw_resources
dd if=raw_resourcesbak of=/dev/block/bootdevice/by-name/raw_resourcesbak
dd if=rct of=/dev/block/bootdevice/by-name/rct
dd if=recovery of=/dev/block/bootdevice/by-name/recovery
dd if=recoverybak of=/dev/block/bootdevice/by-name/recoverybak
dd if=rpm of=/dev/block/bootdevice/by-name/rpm
dd if=rpmbak of=/dev/block/bootdevice/by-name/rpmbak
dd if=sec of=/dev/block/bootdevice/by-name/sec
dd if=tz of=/dev/block/bootdevice/by-name/tz
dd if=tzbak of=/dev/block/bootdevice/by-name/tzbak
dd if=xbl of=/dev/block/bootdevice/by-name/xbl
dd if=xbl2 of=/dev/block/bootdevice/by-name/xbl2
dd if=xbl2bak of=/dev/block/bootdevice/by-name/xbl2bak
dd if=xblbak of=/dev/block/bootdevice/by-name/xblbak
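The same per-partition write as a loop with a read-back check after each `dd`, added here as an example and not part of the original post or of the return_to_stock zip. The function name `flash_and_verify` is hypothetical, and it assumes the shell it runs in provides `sha1sum`, `head -c` and `blockdev`, and that every file in the source directory is named after its target partition, as in the list above.

```shell
#!/bin/sh
# flash_and_verify SRC_DIR [BY_NAME_DIR]
# Write every image in SRC_DIR to the partition of the same name, then read
# the same number of bytes back and compare SHA-1 hashes. Returns non-zero
# if any image was skipped or failed verification.
# Hypothetical helper written for this example.
flash_and_verify() {
    local src_dir by_name img name dev size want got failed
    src_dir=$1
    by_name=${2:-/dev/block/bootdevice/by-name}
    failed=0
    for img in "$src_dir"/*; do
        [ -f "$img" ] || continue
        name=$(basename "$img")
        dev="$by_name/$name"
        # Never create a new file under by-name: the partition must exist.
        if [ ! -e "$dev" ]; then
            echo "SKIP $name: no partition named $name"
            failed=1
            continue
        fi
        size=$(($(wc -c < "$img")))
        # Refuse an image that does not fit its partition.
        if [ -b "$dev" ] && [ "$size" -gt "$(blockdev --getsize64 "$dev")" ]; then
            echo "SKIP $name: image larger than partition"
            failed=1
            continue
        fi
        want=$(sha1sum < "$img")
        if ! dd if="$img" of="$dev" bs=1048576 conv=notrunc 2>/dev/null; then
            echo "FAIL $name: dd reported an error"
            failed=1
            continue
        fi
        sync
        # Partitions are usually larger than the image, so hash only the
        # first $size bytes of what is now on the device.
        got=$(head -c "$size" "$dev" | sha1sum)
        if [ "$want" = "$got" ]; then
            echo "OK   $name"
        else
            echo "FAIL $name: read-back hash differs"
            failed=1
        fi
    done
    return "$failed"
}
```

Reboot only when every line reads OK; a FAIL on a bootloader-chain partition (aboot, xbl, tz and the like in the list above) should be rewritten and re-verified first.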
Crap. There must not have been a problem with the zip, but a typo in the Edify script.
Sorry about that, I probably missed a ; some place.
Obviously I'm lost so maybe someone can help me
1) 1st LG android phone and so far I'm worried. Phone is beautiful I got it for a $100 due to the camera lens glass being shattered.
2) I'm looking for which variant I have. I own the at&t v20 which number is that?
3) I'm looking for how to root the phone and boot loader. Is it currently possible? Which method can/should I use because the entire V20 section isn't broken down like the galaxy note.
Really appreciate all your time
About to give this a try so....
Step 1 flash System Image
Step 2 Flash Return to stock
Step 3 Reboot and Profit?
Overgloc said:
About to give this a try so....
Step 1 flash System Image
Step 2 Flash Return to stock
Step 3 Reboot and Profit?
That's the way to do it. Someone earlier tried but the return to stock zip errored out in twrp. Possibly a broken script.
Convert your ZenPad 3s 10 from CN to WW firmware
This guide will show you how to flash the WW firmware to your ZenPad Z500M that came preloaded with the CN (China) ROM. Up until recently, this was problematic because the CN firmware, as well as the 13.x series in general, is locked down. It does not provide flashing access via the common methods like unlocking+fastboot, recovery or SP Flash Tool. But thanks to a MediaTek temporary root tool invented by some evil genius, it's now possible to upgrade your CN ZenPad to the latest WW ROM. It's well known that this variant comes with Google apps and is fully unlockable and rootable.
DISCLAIMER
Any procedures described in this thread are done at your own risk. No one else will be responsible for any data loss, corruption or damage of your device, including that which results from software bugs.
REQUIREMENTS
An ASUS ZenPad Z500M (P027) tablet with 13.x firmware
Either:
A PC with ADB installed to interact with your device, or
A terminal emulator app
Familiarity with ADB (if using PC) and basic Linux shell commands
Familiarity with the Thanks button under XDA posts
INSTRUCTIONS
1. Read and understand this whole procedure before you start. This is about as dangerous as installing a full OTA update, and you would have to try hard to mess it up in a way that your device cannot be recovered. But keep in mind that it is a possibility. Make sure your battery has decent charge or plug it into the charger.
2. Go to Amazing Temp Root for MediaTek ARMv8 and read the directions on how to open a root shell in ADB or a terminal emulator app, and make sure you understand them. Download the latest release of mtk-su. Support the developer.
3. Download and unzip the recovery image to your tablet. Link below.
4. Open a root shell and flash the image to your recovery partition with:
Code:
dd if=recovery.img of=/dev/block/platform/mtk-msdc.0/11230000.MSDC0/by-name/recovery bs=1048576
You may need to specify the full path of the img file.
5. Download the latest 14.x WW firmware from ASUS' support site. Link below.
6. Put the official zip package in the root of your internal storage. Rename the file by changing the letters "WW" to "CN". That is, rename UL-P027-WW-14.0210.1806.33-user.zip to UL-P027-CN-14.0210.1806.33-user.zip. This has to be done in the same boot session as the recovery flashing step.
7. At this point, the OS updater should detect the file, prepare the upgrade and ask you to reboot. Confirm that you want to reboot to install. Make sure that you have succeeded step 4.
8. Your tablet will reboot and automatically install the WW 14.x package. You may need/want to do a factory reset after this.
Alternative method to zip file autodetection: reboot to recovery and do an adb sideload install.
NOTES
Do not try to install any 13.x firmware package using this method. That's because if something goes wrong and your device fails to boot, you would not be able to get root access to repair it. It may be next to impossible to recover it. The 13.x releases are locked down, unlike the 14.x (Android 7) ones.
If for any reason you reboot your tablet after doing the dd flashing step but before successfully installing the 14.x ROM, your original recovery will get restored. You will have to flash it again before trying the upgrade.
Do not try to downgrade from a 14.x FW to 13.x via TWRP. It is a fact that this will make your tablet unbootable because the 13.x packages do not provide all the necessary images.
DOWNLOAD
WW-13.x Recovery Image
ASUS Z500M firmware downloads
CREDITS
Thanks to @lemon0o for successfully testing this method.
Read-only file system error - way out?
Hi diplomatic,
Thanks a lot for sharing this beautiful method. I had two of these tablets with CN firmware and had pretty much given up on them until now.
Edit 2: I successfully used the adb sideload method to update to WW firmware. The autodetect did not work for me.
Original post:
I have had success with steps 1-4 (UID 0, selinux: permissive), but when I am trying to paste the downloaded firmware file in root folder ( / ) I get the error Read-only file system. I pasted the renamed firmware file in /sdcard/ but the autodetection doesn't work.
I tried remounting root '/' with
Code:
mount -o rw,remount /
I was then able to paste the renamed firmware file (WW to CN) to (root) / . The autodetection still doesn't work.
Is there a guide you can point me to for adb sideload install? I have exposure to linux but haven't explored android innards much. I will keep looking.
Thanks again, really hoping I am able to make this work!
@bkmiictian, I'm glad you figured it out. (And finally have someone respond after like 8 months.) But FWIW, the upgrade package should go into your internal shared storage to be detected. It's just following the standard installation procedure for Asus. Nothing to do with the root dir of the file system.
diplomatic said:
@bkmiictian, I'm glad you figured it out. (And finally have someone respond after like 8 months.) But FWIW, the upgrade package should go into your internal shared storage to be detected. It's just following the standard installation procedure for Asus. Nothing to do with the root dir of the file system.
I had similar issues, was not clear what to do, how to make it recognized.
Here I found great detailed explanation on the asus website (can't put full link as I'm newbie support/FAQ/1011948/ )
Apart from that, great guide !! Thanks a lot!!
Spent hours before that finding a way to either root it or install Google Apps. Tried all rooting apps I could find ...
Thanks for the detailed procedure.
Please note, all: the file should be placed under "internal shared storage", not root as seen in adb.
Detailed steps as provided by Asus in its FAQ:
FAQ/1011948
Hi, Thanks so much for the tutorial.
I'm also having issues with the Z500M with CN firmware.
I followed the steps until getting the selinux: permissive message on ADB.
But I'm lost on what to do with the Recovery.img & the WW 14.x firmware
I copied the files into the root directory, but I don't understand what to do next.
Edit:
Found the procedure to manually install the firmware update from Asus.
Disconnected the USB cable & it told me there was a new update.
After updating, it restarted and showed an android with the message "installing system update" but then it just gave an Error.
Then it restarted saying System update failed. Unknow error. System was restored to previous configuration.
I guess I'm doing something wrong...
I think my issue may be Step 4.
dd if=recovery.img of=/dev/block/platform/mtk-msdc.0/11230000.MSDC0/by-name/recovery bs=1048576
You may need to specify the full path of the img file.
That command does not seem to work.
ADB says "No such a file or directory"
If I try with this command I get an error too.
dd if=/root/recovery.img of=/dev/block/platform/mtk-msdc.0/11>
dd: /root/recovery.img: Permission denied
danielfd said:
I think my issue may be Step 4.
That command does not seem to work.
ADB says "No such a file or directory"
If I try with this command I get an error too.
dd if=/root/recovery.img of=/dev/block/platform/mtk-msdc.0/11>
dd: /root/recovery.img: Permission denied
Yes, this is the main point of this procedure. Where did you extract recovery.img? If it's, say, in your internal storage, you may need to specify
dd if=/storage/emulated/0/recovery.img of=/dev/block.....
Only reboot to install the FW if you have succeeded with this step.
diplomatic said:
Yes, this is the main point of this procedure. Where did you extract recovery.img? If it's, say, in your internal storage, you may need to specify
dd if=/storage/emulated/0/recovery.img of=/dev/block.....
Only reboot to install the FW if you have succeeded with this step.
Thanks Diplomatic
The new code seems to work for me.
dd if=/storage/emulated/0/recovery.img of=/dev/block/platform/mtk-msdc.0/11230000.MSDC0/by-name/recovery bs=1048576
I still get an Error when I try to update to the WW firmware.
Will try the whole process from the beginning.
EDIT:
It worked!
Thanks a lot Diplomatic!
I made a factory reset to the tablet & followed again the steps & the update was successful.
So if I had 14x on Android 7, can I just move to the twrp recovery part of the forum, why not just manually update to 14x from 13x if 14x can be unlocked? Am I missing something?