Development [J706F] Discussion about restoring widewine L1 after unlocking + relocking bootloader. - Lenovo P11

This is a continuation of a previous thread which diverted from it's original topic (see here @CryptMan @MrCrayon). Making the tablet work with Android 11 again was done successfully by flashing persist.img but the widewine l3 status didn't change even after re-locking the bootloader und the stock ROW firmware.
Stuff I/we know:
Flashing a different persist.img can apparently cause the level to drop to L3 (see here)
In my case it presumably was caused by unlocking but not fixed by relocking the bootloader.
Another user got L3 on the J716F model but without unlocking the bootloader. Commenters suggest using the QCN file from a l1 certified tablet (see here)
I flashed persist.img from the latest 62X firmware and upgraded via OTA to 63X (not hosted yet) (see here)
I once selected "erase all before download" (attempt to fix bootloop, stupid for sure!) which probably wiped important parts of my QCN file.
The QCN file seems to hold the devices fingerprint.
L1 can be achieved using Magisk and certain module(s) but I haven't tried this since that's not for everyone.
Stuff I don't know:
does the loss of SN, MAC, BT, PN cause widewine L3 or do you have already recovered it as described by another thread? (see here)
Does L1 work if downgrade to 62X - the ROM I extracted the persist.img from and don't do the OTA?
L1 can be achieved using Magisk which might be a lot easier. Is this solution "stable" and can't be broken by Google snapping their fingers?
is it possible to have widewine L1 but safetynet not passing (regarding Magisk)?
Note: the category is neither question nor development, but dev seems a better fit as this will drive less people here who confuse this as a howtoguide and don't have anything to contribute.
The thread will be changed to a howtoguide once we found a solution.

MateUserHHTT said:
I once selected "erase all before download" (attempt to fix bootloop, stupid for sure!) which probably wiped important parts of my QCN file.
Click to expand...
Click to collapse
Yeah, I also did this. And then my SN, PN, MAC etc. where gone. Also the device certification!
I'm very sure that this option in QFIL causes damage to QCN and (!) wipe some important data(partition).
I have compared some partitions from J606F (working, L1) with my J706F (damaged QCN, L3) and I found a partition named "secdata" which is empty on the J706F.
I made a copy of this from the 606 and it looks like this partition stores certificates (SSL/TLS).
Then I tried to write this to the 706, but this results in soft-brick. The 706 only boots to 9008 mode. And it stays there even if I delete the secdata partition again, very strange.

CryptMan said:
And it stays there even if I delete the secdata partition again
Click to expand...
Click to collapse
Damn, that's bad. In Germany we have a saying that translates to "No Backup, no pity" but I wouldn't think about backing up empty partitions either. Did you erase it or format it afterwards? Maybe you could create an empty image of fitting size with dd filled with zeros? Also: did you check that the secdata partition actually existed on the J706F? If so, was it empty or could it be that you had no read permissions? And was the file size of the image you flashed fitting? I think it doesn't matter because fastboot doesn't overwrite other partitions (has a failsafe) but I'm not sure of that.
I have access to a J706L (model with sim-slot) but I can only access it in a "reading" way (tablet of a friend...).
I put it into FFBM but it didn't show up in QFIL at the same machine I used for my J706F. I'll check the drivers and attempt again. I guess that's our best bet on restoring L1 without rooting it.

My J606F (the working one) in FFBM is also NOT visible to QFIL.
BUT if it is fully booted to system (and USB debug is anabled) THEN it is seen as "901D" device and I was able to read QCN.
This secdata partition is presend on J706F but filled with 0x00.
Size is 28.672 bytes, on both devices.
I used QFIL "Partition Manager" for reading and writing, And wiped the whole GPT there as last restort to restore function after flash of secdata soft-bricked the J706F.
The thing is, while "persist" is part of the ZIP file the secdata is NOT.
The secdata of J606F (the working one) looks like a linux binary/executable:
Code:
00000000h: 7F 45 4C 46 02 01 01 00 00 00 00 00 00 00 00 00 ; ELF............
00000010h: 00 00 28 00 01 00 00 00 00 F0 FF 45 00 00 00 00 ; ..(......ðÿE....
Later in the file/partition you can find this, please pay attention to the strings "Attestation", "Root CA" and "General Use Root Key":
Code:
000012a0h: 02 42 4A 31 11 30 0F 06 03 55 04 07 13 08 42 65 ; .BJ1.0...U....Be
000012b0h: 69 20 4A 69 6E 67 31 0F 30 0D 06 03 55 04 0B 13 ; i Jing1.0...U...
000012c0h: 06 4C 45 4E 4F 56 4F 31 0F 30 0D 06 03 55 04 0A ; .LENOVO1.0...U..
000012d0h: 13 06 4C 45 4E 4F 56 4F 31 1E 30 1C 06 03 55 04 ; ..LENOVO1.0...U.
000012e0h: 03 13 15 4C 45 4E 4F 56 4F 20 41 74 74 65 73 74 ; ...LENOVO Attest
000012f0h: 61 74 69 6F 6E 20 43 41 30 1E 17 0D 32 30 30 38 ; ation CA0...2008
00001300h: 32 31 30 39 30 33 33 33 5A 17 0D 58 58 58 58 58 ; 21090333Z..XXXXX
00001310h: 58 58 58 58 58 58 58 58 30 5D 31 0B 30 09 06 03 ; XXXXXXXX0]1.0...
00001320h: 55 04 06 13 02 43 4E 31 0B 30 09 06 03 55 04 08 ; U....CN1.0...U..
00001330h: 13 02 42 4A 31 1D 30 1B 06 03 55 04 03 13 14 53 ; ..BJ1.0...U....S
00001340h: 65 63 54 6F 6F 6C 73 20 41 74 74 65 73 74 20 55 ; ecTools Attest U
00001350h: 73 65 72 31 0F 30 0D 06 03 55 04 0A 13 06 4C 45 ; ser1.0...U....LE
00001360h: 4E 4F 56 4F 31 11 30 0F 06 03 55 04 07 13 08 42 ; NOVO1.0...U....B
00001370h: 65 69 20 4A 69 6E 67 30 82 01 22 30 0D 06 09 2A ; ei Jing0‚."0...*
Code:
000016a0h: 42 4A 31 11 30 0F 06 03 55 04 07 13 08 42 65 69 ; BJ1.0...U....Bei
000016b0h: 20 4A 69 6E 67 31 1D 30 1B 06 03 55 04 0B 13 14 ; Jing1.0...U....
000016c0h: 47 65 6E 65 72 61 6C 20 55 73 65 20 52 6F 6F 74 ; General Use Root
000016d0h: 20 4B 65 79 31 0F 30 0D 06 03 55 04 0B 13 06 4C ; Key1.0...U....L
000016e0h: 45 4E 4F 56 4F 31 0F 30 0D 06 03 55 04 0A 13 06 ; ENOVO1.0...U....
000016f0h: 4C 45 4E 4F 56 4F 31 19 30 17 06 03 55 04 03 13 ; LENOVO1.0...U...
00001700h: 10 4C 45 4E 4F 56 4F 20 52 6F 6F 74 20 43 41 20 ; .LENOVO Root CA
00001710h: 31 30 1E 17 0D 32 30 30 34 30 39 30 36 31 38 35 ; 10...20040906185
00001720h: 36 5A 17 0D 58 58 58 58 58 58 58 58 58 58 58 58 ; 6Z..XXXXXXXXXXXX
00001730h: 58 30 6F 31 0B 30 09 06 03 55 04 06 13 02 43 4E ; X0o1.0...U....CN
00001740h: 31 0B 30 09 06 03 55 04 08 13 02 42 4A 31 11 30 ; 1.0...U....BJ1.0
00001750h: 0F 06 03 55 04 07 13 08 42 65 69 20 4A 69 6E 67 ; ...U....Bei Jing
00001760h: 31 0F 30 0D 06 03 55 04 0B 13 06 4C 45 4E 4F 56 ; 1.0...U....LENOV
00001770h: 4F 31 0F 30 0D 06 03 55 04 0A 13 06 4C 45 4E 4F ; O1.0...U....LENO
00001780h: 56 4F 31 1E 30 1C 06 03 55 04 03 13 15 4C 45 4E ; VO1.0...U....LEN
00001790h: 4F 56 4F 20 41 74 74 65 73 74 61 74 69 6F 6E 20 ; OVO Attestation
000017a0h: 43 41 30 82 01 22 30 0D 06 09 2A 86 48 86 F7 0D ; CA0‚."0...*†H†÷.
Code:
00001af0h: 1B 06 03 55 04 0B 13 14 47 65 6E 65 72 61 6C 20 ; ...U....General
00001b00h: 55 73 65 20 52 6F 6F 74 20 4B 65 79 31 0F 30 0D ; Use Root Key1.0.
00001b10h: 06 03 55 04 0B 13 06 4C 45 4E 4F 56 4F 31 0F 30 ; ..U....LENOVO1.0
00001b20h: 0D 06 03 55 04 0A 13 06 4C 45 4E 4F 56 4F 31 19 ; ...U....LENOVO1.
00001b30h: 30 17 06 03 55 04 03 13 10 4C 45 4E 4F 56 4F 20 ; 0...U....LENOVO
00001b40h: 52 6F 6F 74 20 43 41 20 31 30 1E 17 0D 32 30 30 ; Root CA 10...200
00001b50h: 34 30 39 30 36 31 37 34 38 5A 17 0D 58 58 58 58 ; 409061748Z..XXXX
00001b60h: 58 58 58 58 58 58 58 58 5A 30 81 89 31 0B 30 09 ; XXXXXXXXZ0‰1.0.
00001b70h: 06 03 55 04 06 13 02 43 4E 31 0B 30 09 06 03 55 ; ..U....CN1.0...U
00001b80h: 04 08 13 02 42 4A 31 11 30 0F 06 03 55 04 07 13 ; ....BJ1.0...U...
00001b90h: 08 42 65 69 20 4A 69 6E 67 31 1D 30 1B 06 03 55 ; .Bei Jing1.0...U
00001ba0h: 04 0B 13 14 47 65 6E 65 72 61 6C 20 55 73 65 20 ; ....General Use
00001bb0h: 52 6F 6F 74 20 4B 65 79 31 0F 30 0D 06 03 55 04 ; Root Key1.0...U.
00001bc0h: 0B 13 06 4C 45 4E 4F 56 4F 31 0F 30 0D 06 03 55 ; ...LENOVO1.0...U
00001bd0h: 04 0A 13 06 4C 45 4E 4F 56 4F 31 19 30 17 06 03 ; ....LENOVO1.0...
00001be0h: 55 04 03 13 10 4C 45 4E 4F 56 4F 20 52 6F 6F 74 ; U....LENOVO Root
00001bf0h: 20 43 41 20 31 30 82 01 22 30 0D 06 09 2A 86 48 ; CA 10‚."0...*†H
The strings "Attestation", "Root CA" and "General Use Root Key": make me think two things.
First this cloud be the device certification.
Second this looks like a "normal" SSL/TLS certification process.
But what I do NOT understand is why does the flashing of this partions soft-bricks the device?
Security behavior?
CA of J606F does NOT match J706F?
In the first case, we need to know HOW to write this.
In the second case, we need a backup of this from a J706F.
Also in second case, we need to know if this partition is device specific!
Because if Lenovo run's the ROOT-CA it is no big deal for them to chain this secdata to the device serial while generation this specific for any device they make.
In this case, we are lost ... very lost ...

My j716f has screwed up serial and widevine is L3..I deleted all in qfil..the Chinese guys didn't sort it out..maybe restoring serial number will restore widevine..

CryptMan said:
Also in second case, we need to know if this partition is device specific!
Because if Lenovo run's the ROOT-CA it is no big deal for them to chain this secdata to the device serial while generation this specific for any device they make.
In this case, we are lost ... very lost ...
Click to expand...
Click to collapse
Since I have two working J706F I'm probably in the best position to check this.
I can also do some other checking but I'll have to wait the weekend.

{Mod edit: Quoted post deleted}
I just skimmed it quickly but it looks like that's only to restore L1 in Netflix when you still have L1 in the device, is that right?
The problem here is for those people that lost L1 in the device (not only Netflix)

MrCrayon said:
I just skimmed it quickly but it looks like that's only to restore L1 in Netflix when you still have L1 in the device, is that right?
The problem here is for those people that lost L1 in the device (not only Netflix)
Click to expand...
Click to collapse
No, it was L3 before, checked by DRM info app.

{Mod edit: Quoted post deleted}
If I understand this correct, then changed just to "GB" instead of there real region, logged in in Google and then the device was L1 again?!
That sounds a bit too simple, but yeah I could try that.
May on weekend, for now I have seen all the install, configuration and import/export data options a but too often ...
MrCrayon said:
Since I have two working J706F I'm probably in the best position to check this.
I can also do some other checking but I'll have to wait the weekend.
Click to expand...
Click to collapse
That would be great if you can compare the partitions, thank you.
One other thing, I found was a file called "factory rescue zip" for the P11, sadly not for free download but free for an different Lenovo device.
So I downloaded that one to have look inside. And in that Zip file I found a file called "sec.dat". Which looks differend, but hey it's from different device.
If that "factory rescue zip" for the P11 also contains this "sec.dat", may this could be another route to go?

f1tm0t said:
No, it was L3 before, checked by DRM info app.
Click to expand...
Click to collapse
What was the cause of L1 loss?
In my and CryptMan's case it's most likely due to the fact we checked "erase all before download" in QFIL.

CryptMan said:
If I understand this correct, then changed just to "GB" instead of there real region, logged in in Google and then the device was L1 again?!
Click to expand...
Click to collapse
Just now I flashed clean ZUI with GB region and I have L1
{
"lightbox_close": "Close",
"lightbox_next": "Next",
"lightbox_previous": "Previous",
"lightbox_error": "The requested content cannot be loaded. Please try again later.",
"lightbox_start_slideshow": "Start slideshow",
"lightbox_stop_slideshow": "Stop slideshow",
"lightbox_full_screen": "Full screen",
"lightbox_thumbnails": "Thumbnails",
"lightbox_download": "Download",
"lightbox_share": "Share",
"lightbox_zoom": "Zoom",
"lightbox_new_window": "New window",
"lightbox_toggle_sidebar": "Toggle sidebar"
}

MateUserHHTT said:
What was the cause of L1 loss?
In my and CryptMan's case it's most likely due to the fact we checked "erase all before download" in QFIL.
Click to expand...
Click to collapse
I never checked "erase all before download". L3 and "device not certified by Google" came after unlocking bootloader in my cases (rich expirience)

f1tm0t said:
I never checked "erase all before download". L3 and "device not certified by Google" came after unlocking bootloader in my cases (rich expirience)
Click to expand...
Click to collapse
Sadly losing L1 when you unlock bootloader is normal.
Relocking bootloader should bring back L1 unless something else has been erased/changed.

f1tm0t said:
I never checked "erase all before download"
Click to expand...
Click to collapse
Then the way you restored your L1 will most likely not help us. But thank you anyways.

@CryptMan
I tried Partition Manager but it's giving me Sahara error, can't read packet header.
It's probably because I'm using VirtualBox on Linux but before I try in a Windows machine I wanted to clarify something.
When I clcik on Partition Manager it asks me to verify if the correct firehose file is selected (or something like that), do I need to select prog_firehose_ddr.elf from the current ROM installed in the device or any ROM is OK?
MateUserHHTT said:
I flashed persist.img from the latest 62X firmware and upgraded via OTA to 63X (not hosted yet) (see here)
Click to expand...
Click to collapse
I never had a 63x ota, what's the full version?
P.S.
I noticed prog_firehose_ddr is slightly differente between last global and CN, so I guess current ROM would be better

@MrCrayon
I have always used the latest version of prog_firehose_ddr from the latest firmware ZIP.
As far as I understand this concept, firehose will be loaded to the SoC and must "only" match to it because it is executed there. After successfully loading/running firehose on the SoC the whole communication between PC and SoC/Flash uses Qualcomm sahara protocol to transfer data.
I have a Z3X box, and was successfull in using the firehose from the firmware ZIP. Official Z3X does NOT support the P11, but firehose/sahara is generic communication with Qualcomm devices so it was possible to read partitions with this tool too.
Running QFIL in VMware (or some other virtual machine) is always a very bad idea. I was never successful while doing this.
Best way is to always connect the device directly.

@MrCrayon
Oh, one more very very important thing!
Be very very careful when using the partition manager!
Do NEVER click on "erase" or "load" there is no "Are you sure what you are doing?" the tool just to the job!
Using "Read" is no problem.
To get to this dialog, you have to right click on the partition you want to work with and select the first option "manage partition data".

MrCrayon said:
I never had a 63x ota, what's the full version?
Click to expand...
Click to collapse
Build number: TB-J706F_630185_220128_ROW
Kernel ver.: 4.14.190-perf+
Android ver.: 11.
This version came with WeChat and GG (some chinese app) preinstalled. Including a "Tablet Center" with options like "protect your devices from accidetnal damage", "ADP One" or "Depot Support". Usually each points results in "No Internet connection" (which ain't true) or some other error message.
The title at the top-left corner says "Tablet Center{Test Only}" so I kinda feel like I received an update I wasn't supposed to receive

Good news for Linux users I used https://github.com/bkerler/edl and it worked perfectly.
To print partitions I used:
Bash:
edl printgpt --memory=ufs
and to back them up I used:
(--skip did not work so make sure you have 130GB of free space and 50 minutes)
Bash:
edl rl dump_folder --memory=ufs --genxml --skip=super,userdata
I was not expecting it but secdata is the same
fpinfo.bin contains selected region, SN and PN.
Anything else I can check?

@MrCrayon
Cool. Thank you very much.
I have flashed your file to my J706F, the good news is ... it still boots up (unlike my try with the secdata from J606, which resultet in soft-brick).
The bad news is ... it does not change anything for Widevine .
May you could post your QCN but with overwritte SN and 2nd part of all MAC adresses?
Or can I send you mine to compare if some options my missing?
Best regards

Related

[Q] rooting Utano Barrier T180

hi,
i've bought a Utano Barrier T180 outdoor android phone and i want to root it. it has android 2.3.5.1 installed and i tried already:
universalAndroot app
z4root app
the zergRush exploid
everything isn't working. zergRush means:
Code:
[-] Hellions with BLUE flames !
any idea what that mean and if there is still a chance to do it over the exploit.
another way would be to modify the recovery image. if I look a little closer it seams to be an unencrypted image in some container format:
hd /tmp/a/image/factory.mbn
Code:
00000000 80 10 00 00 00 10 02 00 49 6d 61 67 65 20 66 69 |........Image fi|
00000010 6c 65 20 77 69 74 68 20 68 65 61 64 65 72 00 00 |le with header..|
00000020 01 02 00 00 62 61 64 5f 62 6c 6f 63 6b 5f 62 79 |....bad_block_by|
00000030 74 65 5f 61 64 64 72 65 73 73 20 3d 20 32 30 30 |te_address = 200|
00000040 30 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 |0...............|
00000050 70 61 67 65 5f 62 79 74 65 73 5f 75 73 65 72 20 |page_bytes_user |
00000060 20 20 20 20 20 20 20 3d 20 32 30 34 38 00 00 00 | = 2048...|
00000070 62 6c 6f 63 6b 5f 70 61 67 65 73 20 20 20 20 20 |block_pages |
00000080 20 20 20 20 20 20 20 3d 20 36 34 00 00 00 00 00 | = 64.....|
00000090 64 65 76 69 63 65 5f 62 6c 6f 63 6b 73 20 20 20 |device_blocks |
000000a0 20 20 20 20 20 20 20 3d 20 34 30 39 36 00 00 00 | = 4096...|
000000b0 64 61 74 61 5f 77 69 64 74 68 20 20 20 20 20 20 |data_width |
000000c0 20 20 20 20 20 20 20 3d 20 31 36 00 00 00 00 00 | = 16.....|
000000d0 64 65 76 69 63 65 5f 4d 42 79 74 65 20 20 20 20 |device_MByte |
000000e0 20 20 20 20 20 20 20 3d 20 35 31 32 00 00 00 00 | = 512....|
000000f0 64 65 76 69 63 65 5f 74 79 70 65 20 20 20 20 20 |device_type |
00000100 20 20 20 20 20 20 20 3d 20 53 4c 43 00 00 00 00 | = SLC....|
00000110 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 |................|
00000120 66 6c 61 73 68 5f 64 65 76 69 63 65 20 20 20 20 |flash_device |
00000130 20 20 20 20 20 20 20 3d 20 30 78 30 30 30 30 3d | = 0x0000=|
00000140 43 55 53 54 4f 4d 5f 53 45 54 54 49 4e 47 00 00 |CUSTOM_SETTING..|
00000150 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 |................|
00000160 66 6c 61 73 68 5f 69 64 20 20 20 20 20 20 20 20 |flash_id |
00000170 20 20 20 20 20 20 20 3d 20 30 78 30 30 30 30 00 | = 0x0000.|
00000180 71 75 61 6c 63 6f 6d 6d 5f 64 65 76 69 63 65 20 |qualcomm_device |
00000190 20 20 20 20 20 20 20 3d 20 4d 53 4d 37 32 78 78 | = MSM72xx|
000001a0 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 |................|
000001b0 70 61 67 65 5f 6c 61 79 6f 75 74 5f 73 74 72 69 |page_layout_stri|
000001c0 6e 67 20 20 20 20 20 3d 20 28 64 61 74 61 5f 34 |ng = (data_4|
000001d0 36 34 5f 73 70 61 72 65 5f 32 5f 64 61 74 61 5f |64_spare_2_data_|
000001e0 34 38 5f 73 70 61 72 65 5f 31 34 29 78 34 00 00 |48_spare_14)x4..|
000001f0 71 66 69 74 5f 76 65 72 73 69 6f 6e 20 20 20 20 |qfit_version |
00000200 20 20 20 20 20 20 20 3d 20 31 2e 36 2e 31 30 00 | = 1.6.10.|
00000210 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 |................|
00000220 6c 6f 67 5f 66 69 6c 65 20 20 20 20 20 20 20 20 |log_file |
00000230 20 20 20 20 20 20 20 3d 20 4d 61 72 32 33 2d 32 | = Mar23-2|
00000240 30 31 32 2d 31 31 32 32 2d 31 37 2e 6c 6f 67 00 |012-1122-17.log.|
00000250 66 69 6c 65 5f 63 72 65 61 74 65 5f 70 61 74 68 |file_create_path|
00000260 20 20 20 20 20 20 20 3d 20 0a 20 20 64 3a 2f 54 | = . d:/T|
strings /tmp/a/image/factory.mbn
Code:
Image file with header
bad_block_byte_address = 2000
page_bytes_user = 2048
block_pages = 64
device_blocks = 4096
data_width = 16
device_MByte = 512
device_type = SLC
flash_device = 0x0000=CUSTOM_SETTING
flash_id = 0x0000
qualcomm_device = MSM72xx
page_layout_string = (data_464_spare_2_data_48_spare_14)x4
qfit_version = 1.6.10
log_file = Mar23-2012-1122-17.log
file_create_path =
d:/T18/0322/AMSS/products/76XX/tools/qfit/Local/FactoryImage2.mbn
end_of_header
Start End Actual
0 0:MIBIB 0x0000 0x0009 0x0004 main_ecc_10 1x_pages
D:\T18\0322\AMSS\products\76XX\build\ms\bin\TSNCJOLYMT18/mibib.mbn
1 0:SIM_SECURE 0x000A 0x000D 0x0000 main_ecc_10 1x_pages
2 0:QCSBL 0x000E 0x000F 0x0001 main_ecc_10 1x_pages
D:\T18\0322\AMSS\products\76XX\build\ms\bin\TSNCJOLYMT18/qcsbl.mbn
3 0:OEMSBL1 0x0010 0x0014 0x0005 main_ecc_10 1x_pages
D:\T18\0322\AMSS\products\76XX\build\ms\bin\TSNCJOLYMT18/oemsbl.mbn
4 0:OEMSBL2 0x0015 0x0019 0x0000 main_ecc_10 1x_pages
5 0:AMSS 0x001A 0x00ED 0x0091 main_ecc_10 1x_pages
D:\T18\0322\AMSS\products\76XX\build\ms\bin\TSNCJOLYMT18/amss.mbn
6 0:EFS2 0x00EE 0x014D 0x0005 main_ecc_10 1x_pages
D:/T18/0322/AMSS/products/76XX/tools/qfit/cefs.mbn
7 0:FOTA 0x014E 0x014F 0x0000 main_ecc_10 1x_pages
8 0:NV 0x0150 0x0160 0x0000 main_ecc_10 1x_pages
9 0:APPSBL 0x0161 0x0163 0x0001 main_ecc_10 1x_pages
D:\T18\0322\AMSS\products\76XX\build\ms\bin\TSNCJOLYMT18/appsboot.mbn
10 0:BOOT 0x0164 0x018B 0x0021 main_and_spare_ecc_10 1x_pages
D:\T18\0322\AMSS\products\76XX\build\ms\bin\TSNCJOLYMT18/boot.img
11 0:SYSTEM 0x018C 0x086B 0x0421 main_and_spare_ecc_10 1x_pages
D:\T18\0322\AMSS\products\76XX\build\ms\bin\TSNCJOLYMT18/system.img
12 0:SPLASH 0x086C 0x0873 0x0003 main_and_spare_ecc_10 1x_pages
but my linux knowledge isn't big enough to extract the system partition from this container, mount the yaffs2 file system, add an su programm and an superuser.apk and pack it all together again.
what do you think, could this way work??
could someone help me please to do so?
the imagefile is available at h t t p : / / share.branddistribution.de/utano_outdoor/sw/utano_BARRIER_T180_ANDROID_2_3_5_1.rar
thanks treaki
On your phone, go to Settings, About phone, Model number and verify it says HW-T18. If so go to google and do a search for "HW-T18 root" without the quotes. Should be the website android-hilfe. If you use chrome, when on the site you can translate. Sorry I cant post the link, but have to wait for 10 posts.
Tommy Top Drive said:
On your phone, go to Settings, About phone, Model number and verify it says HW-T18. If so go to google and do a search for "HW-T18 root" without the quotes. Should be the website android-hilfe. If you use chrome, when on the site you can translate. Sorry I cant post the link, but have to wait for 10 posts.
Click to expand...
Click to collapse
I have this same phone, branded "insmat rock v5". This is same as Utano barrier t180, agm rock v5, caterpillar b10, texet tm-3200r, hw-t18 etc.
But seems to be near impossible to root. Tried to load "update.zip" (also tried different versions of this superuser) via sd-card as instructions for those mentioned phones say. Managed to hard-boot phone by pressing vol-down and pwr. Phone gives red screen with text "welcome update" with white letters, and that's it.. Nothing happens then. Doesn't take key presses after that. But when i take battery out and back, then boots normally, but still without superuser.
from phone:
model info: hw-t18
android version: 2.3.5.
kernel: 2.6.35.11-perf
software version:QC_7x27_T18I_VERI_03011_120918
BASEBAND version:QC_7x27_T18I_VERI_03005_120918
What to try next to root this?
e: managed to install and reboot superuser update.zip via "droid explorer"
rooting
Hello,
Do you allready manage to root the Utano?
If not there is a succesfull description on a german site.
Boomkweker said:
Hello,
Do you allready manage to root the Utano?
If not there is a succesfull description on a german site.
Click to expand...
Click to collapse
Can you pls give the link to this site?
wookario said:
Can you pls give the link to this site?
Click to expand...
Click to collapse
The post is on a site android-hilfe with the extension de. I'm not allowed to post outgoing links. You can search for Utano barrier root zugriff. It's in a post of 29-06-2012 by Wolk. When you have problems with the translations I can help.

[PARTITION LIST] Partition Information and RUU/OTA Files,Work In Progress, 01/10/2013

Hi Everyone!
Attached to this post I have created an excel file which contains what I know to date about the various partitions on the HTC One S (as you will see its not a lot). It includes brief and more lengthy descriptions, as well as what img and other files flash to those partitions from RUUs and OTA updates. It also includes some information I have gathered by viewing various partitions with a hex editor.
As you can see, this file is far from complete (as my own knowledge of these matters is similarly lacking). Some information may also be incorrect. I wanted to share this file in the hopes that developers and other members who may have more knowledge than I can contribute to making this file better, so that we can all understand our HTC One S's and what makes it tick.
If you want to assist this project, please feel free to post updated versions of this file to this thread. I will then merge those updates onto a master file and update the Original Thread with that info for easy access for others.
First I want to thank SneakyGhost who has already shared a basic text file with some information about some of the partitions on his public dropbox. (Sneaky, let me know and I can share that public dropbox on this link too if you see fit). We can let this post evolve with more development information too based on peoples suggestions.
Original Version 01/10/2013
-First draft with good info from SneakyGhost and very basic n00b stuff from AKToronto
Developers & Members Who Contributed:
SneakyGhost
[others to follow i hope]
Just wondering, is there any different between mmpcblk0p* and mmcblk0p* because when getting file from phone we type dd if=/dev/block/mmcblk0p* not mmpcblk0p*.... thx
Hello,
Here is some information I recieved from touch of jobo. Some of it might help.
1 emmc: (no) ruu: sbl1-?.img
2 emmc: (no) ruu: sbl2.img
3 emmc: (no) ruu: (no) data: PGFS, securoty, simlock, simunlock
4 emmc: (no) ruu: (no) data: htc-board-info, cid, imei
5 emmc: (no) ruu: (no) data: htc-board-info, cid, imei
6 emmc: (no) ruu: (no) data: macaddr, devid, imei, ..
7 emmc: (no) ruu: (no) data: PGFS, sbl2_update, sbl3, rpm,tz, ..
8 emmc: (no) ruu: (no) empty
9 emmc: (no) ruu: sbl3.img
10 emmc: (no) ruu: rpm.img
11 emmc: (no) ruu: tz.img
12 emmc: (no) ruu: hboot.nb0
13 emmc: (no) ruu: (no) data: htc-security-rec
14 emmc: (no) ruu: splash1.nb0 data: raw rgb565 540x960x2
15 emmc: (no) ruu: (no) empty
16 emmc: dsps ruu: (no) empty
17 emmc: radio ruu: radio.img mount: /firmware/radio vfat (fat16)
18 emmc: adsp ruu: adsp.img mount: /firmware/q6 vfat (fat16)
19 emmc: wcnss ruu: wcnss.img mount: /firmware/wcnss vfat (fat12)
20 emmc: radio_config ruu: rcdata.img @+0x10018C
21 emmc: boot ruu: boot_signed.img, bootable
22 emmc: recovery ruu: recovery_signed.img, bootable
23 emmc: misc ruu: (no) mostly empty, FNOC, FNOC
24 emmc: modem_st1 ruu: (no) data looks compressed or encrypted
25 emmc: modem_st2 ruu: (no) data looks compressed or encrypted
26 emmc: devlog ruu: (no) mount: /devlog ext4
27 emmc: (no) ruu: (no) empty
28 emmc: pdata ruu: (no) empty
29 emmc: (no) ruu: (no) empty
30 emmc: local ruu: (no) empty
31 emmc: extra ruu: (no) empty
32 emmc: (no) ruu: (no) empty
33 emmc: system ruu: system.img mount: /system ext4
34 emmc: cache ruu: (no) mount: /cache ext4
35 emmc: data ruu: (no) mount: /data ext4
36 emmc: fat ruu: (no) mount: /mnt/sdcard fat32
Rsotbiemrptson
cat2115 said:
Just wondering, is there any different between mmpcblk0p* and mmcblk0p* because when getting file from phone we type dd if=/dev/block/mmcblk0p* not mmpcblk0p*.... thx
Click to expand...
Click to collapse
No difference. Just a type-o on my part. Thx for the correction!
Rsotbiemrptson said:
Hello,
Here is some information I recieved from touch of jobo. Some of it might help.
1 emmc: (no) ruu: sbl1-?.img
2 emmc: (no) ruu: sbl2.img
3 emmc: (no) ruu: (no) data: PGFS, securoty, simlock, simunlock
4 emmc: (no) ruu: (no) data: htc-board-info, cid, imei
5 emmc: (no) ruu: (no) data: htc-board-info, cid, imei
6 emmc: (no) ruu: (no) data: macaddr, devid, imei, ..
7 emmc: (no) ruu: (no) data: PGFS, sbl2_update, sbl3, rpm,tz, ..
8 emmc: (no) ruu: (no) empty
9 emmc: (no) ruu: sbl3.img
10 emmc: (no) ruu: rpm.img
11 emmc: (no) ruu: tz.img
12 emmc: (no) ruu: hboot.nb0
13 emmc: (no) ruu: (no) data: htc-security-rec
14 emmc: (no) ruu: splash1.nb0 data: raw rgb565 540x960x2
15 emmc: (no) ruu: (no) empty
16 emmc: dsps ruu: (no) empty
17 emmc: radio ruu: radio.img mount: /firmware/radio vfat (fat16)
18 emmc: adsp ruu: adsp.img mount: /firmware/q6 vfat (fat16)
19 emmc: wcnss ruu: wcnss.img mount: /firmware/wcnss vfat (fat12)
20 emmc: radio_config ruu: rcdata.img @+0x10018C
21 emmc: boot ruu: boot_signed.img, bootable
22 emmc: recovery ruu: recovery_signed.img, bootable
23 emmc: misc ruu: (no) mostly empty, FNOC, FNOC
24 emmc: modem_st1 ruu: (no) data looks compressed or encrypted
25 emmc: modem_st2 ruu: (no) data looks compressed or encrypted
26 emmc: devlog ruu: (no) mount: /devlog ext4
27 emmc: (no) ruu: (no) empty
28 emmc: pdata ruu: (no) empty
29 emmc: (no) ruu: (no) empty
30 emmc: local ruu: (no) empty
31 emmc: extra ruu: (no) empty
32 emmc: (no) ruu: (no) empty
33 emmc: system ruu: system.img mount: /system ext4
34 emmc: cache ruu: (no) mount: /cache ext4
35 emmc: data ruu: (no) mount: /data ext4
36 emmc: fat ruu: (no) mount: /mnt/sdcard fat32
Rsotbiemrptson
Click to expand...
Click to collapse
Really helpful. Will add in to the file. Do you know what he is refering to with the (no) tag?
AKToronto said:
Really helpful. Will add in to the file. Do you know what he is refering to with the (no) tag?
Click to expand...
Click to collapse
Hello,
I have no Idea what the (no) means.
Rsotbiemrptson
AKToronto said:
Really helpful. Will add in to the file. Do you know what he is refering to with the (no) tag?
Click to expand...
Click to collapse
* emmc: (no) means the partition is not listed in /proc/emmc. otherwise it states the parition name from /proc/emmc
* ruu: (no) means it does not contains an image from a ruu. otherwise it states the filename of the image from the ruu.
* data: something interesting or recognizable
* mount: /mount/point/when/booted/ filesystemtype
-Jobo
EDIT: /proc/partitions lists the number of blocks for each.
Hi guys!
Nice thread. Just found it cuz i had no partition list, no complete one at least. Good work.
Credits for the initial few partitions should go to Tecardo though, i think i got the numbers from him.
I have just finished a Script that dumps all partitions to PC, well, all but Radio, System, Kernel, Data, Cache and the empty ones.
I will make a Dump of my two devices (normal Ville and Taiwan Ville 64gb) so you can maybe add a partition list for the SE variant here too.
Since Tec has a RIFF Box now and my old bricked device, we can maybe work some stuff out.
If we find out more information on the Partitions we could input it here too if you like. Just let us know.
regards,
Sneaky
Sneakyghost said:
Hi guys!
Nice thread. Just found it cuz i had no partition list, no complete one at least. Good work.
Credits for the initial few partitions should go to Tecardo though, i think i got the numbers from him.
I have just finished a Script that dumps all partitions to PC, well, all but Radio, System, Kernel, Data, Cache and the empty ones.
I will make a Dump of my two devices (normal Ville and Taiwan Ville 64gb) so you can maybe add a partition list for the SE variant here too.
Since Tec has a RIFF Box now and my old bricked device, we can maybe work some stuff out.
If we find out more information on the Partitions we could input it here too if you like. Just let us know.
regards,
Sneaky
Click to expand...
Click to collapse
That works for me! Im happy for you guys to edit the file and post, and then I can update the OP with that file too! Whatever works! Thanks again!
One S SE Partitions
I've got the cat /proc/emmc readout now, which is surprisingly only showing a few partitions on the One S SE.
I am unsure if that is a reliable readout. There is no mention of an SD or hboot partition. The device might need to run an insecure boot and be rooted for a complete readout.
If anyone can tell me how to obtain a complete listing i would be grateful. Thanks.
Find the listing attached.
AKToronto: you might be willing to integrate that excel sheet into the existing as a second sheet? Thanks.
Let me know if i can do anything to obtain more info. I've got a normal and an SE here so no worries doing some messing about. I just need precise infos what to do because my time is very limited. Sorry.
One Notice concerning the use of Excel: i hope you guys are aware that you need to set cell formatting to text only before inserting any hex or decimal values as excel loves to reformat them for you and hence mess them up! I'd recommend a different program to collect this data. Can't imagine if anything goes wrong when flashing raw stuff because someone read the wrong numbers from the sheet lol. There's guys with linux and a RIFF Box out here who might go by the partition offsets lol...
Sneakyghost said:
I've got the cat /proc/emmc readout now, which is surprisingly only showing a few partitions on the One S SE.
I am unsure if that is a reliable readout. There is no mention of an SD or hboot partition.
Click to expand...
Click to collapse
That is normal. See my list. The ones that say "emmc: (no)" are not listed in /proc/emmc on the OneS. The ones that say: "ruu: something.img", I mapped out by dumping the partitions from the device and comparing to images extracted from a RUU. The one labeled 'fat' is the sdcard partition.
-Jobo
Thanks.
Please specify compare dump to RUU. Are the dumps identical to the images in a RUU? So a hash compare would do the trick?
Or how do you go about? I have UltraEdit with UltraCompare. I could also compare line-by-line...
Sneakyghost said:
Thanks.
Please specify compare dump to RUU. Are the dumps identical to the images in a RUU? So a hash compare would do the trick?
Or how do you go about? I have UltraEdit with UltraCompare. I could also compare line-by-line...
Click to expand...
Click to collapse
You can't do a hash compare, as the dump from your device is typically bigger than the image from the RUU, so it won't match. If you know exactly from which RUU the images on the device come (and you haven't flashed any special/extra partitions, you could do a byte-for-byte or line-by-line compare.
I did it a bit more 'visually'. If you see roughly the same stuff in roughly the same place, it is (most probably) the same kind of image. For example, these are not identical, but similar enough to know it's the same kind of thing, just a different version:
Code:
rpm.img from a RUU:
00006d00 40 30 06 00 70 b5 a8 20 06 f0 ff fd 1d 4c 07 23 |@0..p.. .....L.#|
00006d10 21 68 1d a2 05 f0 40 ff 21 68 1b 25 ad 01 49 19 |[email protected]!h.%..I.|
00006d20 c8 61 a8 20 06 f0 f1 fd 61 68 01 23 1a a2 05 f0 |.a. ....ah.#....|
00006d30 33 ff 61 68 49 19 c8 61 a8 20 06 f0 e6 fd a1 68 |3.ahI..a. .....h|
00006d40 09 23 19 a2 05 f0 28 ff a1 68 49 19 c8 61 a8 20 |.#....(..hI..a. |
00006d50 06 f0 db fd e1 68 03 23 17 a2 05 f0 1d ff e1 68 |.....h.#.......h|
00006d60 49 19 c8 61 a8 20 06 f0 d0 fd 21 69 05 23 16 a2 |I..a. ....!i.#..|
00006d70 05 f0 12 ff 21 69 49 19 c8 61 70 bc 08 bc 00 20 |....!iI..ap.... |
00006d80 18 47 00 00 24 a3 03 00 61 70 70 73 20 68 61 6e |.G..$...apps han|
00006d90 64 6c 65 72 00 00 00 00 6d 6f 64 65 6d 20 68 61 |dler....modem ha|
00006da0 6e 64 6c 65 72 00 00 00 6c 70 61 73 73 20 68 61 |ndler...lpass ha|
00006db0 6e 64 6c 65 72 00 00 00 72 69 76 61 20 68 61 6e |ndler...riva han|
00006dc0 64 6c 65 72 00 00 00 00 64 73 70 73 20 68 61 6e |dler....dsps han|
00006dd0 64 6c 65 72 00 00 00 00 70 b5 80 20 06 f0 95 fd |dler....p.. ....|
00006de0 1d 4c 08 23 21 68 1d a2 05 f0 f6 fb 21 68 1b 25 |.L.#!h......!h.%|
00006df0 ad 01 49 19 08 62 80 20 06 f0 87 fd 61 68 02 23 |..I..b. ....ah.#|
00006e00 1a a2 05 f0 e9 fb 61 68 49 19 08 62 80 20 06 f0 |......ahI..b. ..|
00006e10 7c fd a1 68 0a 23 19 a2 05 f0 de fb a1 68 49 19 ||..h.#.......hI.|
00006e20 08 62 80 20 06 f0 71 fd e1 68 04 23 17 a2 05 f0 |.b. ..q..h.#....|
00006e30 d3 fb e1 68 49 19 08 62 80 20 06 f0 66 fd 21 69 |...hI..b. ..f.!i|
00006e40 06 23 16 a2 05 f0 c8 fb 21 69 49 19 08 62 70 bc |.#......!iI..bp.|
00006e50 08 bc 00 20 18 47 00 00 24 a3 03 00 61 70 70 73 |... .G..$...apps|
00006e60 20 63 68 61 6e 67 65 72 00 00 00 00 6d 6f 64 65 | changer....mode|
00006e70 6d 20 63 68 61 6e 67 65 72 00 00 00 6c 70 61 73 |m changer...lpas|
00006e80 73 20 63 68 61 6e 67 65 72 00 00 00 72 69 76 61 |s changer...riva|
00006e90 20 63 68 61 6e 67 65 72 00 00 00 00 64 73 70 73 | changer....dsps|
00006ea0 20 63 68 61 6e 67 65 72 00 00 00 00 06 28 12 d2 | changer.....(..|
00006eb0 78 44 00 79 00 18 87 44 02 04 06 08 0a 0c 07 a0 |xD.y...D........|
00006ec0 70 47 08 a0 70 47 09 a0 70 47 0a a0 70 47 0b a0 |pG..pG..pG..pG..|
00006ed0 70 47 0c a0 70 47 0d a0 70 47 00 00 41 50 53 53 |pG..pG..pG..APSS|
00006ee0 00 00 00 00 4d 50 53 53 5f 53 57 00 4c 50 41 53 |....MPSS_SW.LPAS|
00006ef0 53 00 00 00 52 49 56 41 00 00 00 00 44 53 50 53 |S...RIVA....DSPS|
00006f00 00 00 00 00 4d 50 53 53 5f 46 57 00 3c 75 6e 73 |....MPSS_FW.<uns|
mmcblk0p10 from my device:
00006d00 bc 08 bc 00 20 c0 43 18 47 a9 00 08 18 04 62 70 |.... .C.G.....bp|
00006d10 bc 08 bc 00 20 18 47 a4 a3 03 00 40 30 06 00 70 |.... [email protected]|
00006d20 b5 a0 20 06 f0 d3 fd 1d 4c 07 23 21 68 1d a2 05 |.. .....L.#!h...|
00006d30 f0 14 ff 21 68 1b 25 ad 01 49 19 c8 61 a0 20 06 |...!h.%..I..a. .|
00006d40 f0 c5 fd 61 68 01 23 1a a2 05 f0 07 ff 61 68 49 |...ah.#......ahI|
00006d50 19 c8 61 a0 20 06 f0 ba fd a1 68 09 23 19 a2 05 |..a. .....h.#...|
00006d60 f0 fc fe a1 68 49 19 c8 61 a0 20 06 f0 af fd e1 |....hI..a. .....|
00006d70 68 03 23 17 a2 05 f0 f1 fe e1 68 49 19 c8 61 a0 |h.#.......hI..a.|
00006d80 20 06 f0 a4 fd 21 69 05 23 16 a2 05 f0 e6 fe 21 | ....!i.#......!|
00006d90 69 49 19 c8 61 70 bc 08 bc 00 20 18 47 00 00 70 |iI..ap.... .G..p|
00006da0 94 03 00 61 70 70 73 20 68 61 6e 64 6c 65 72 00 |...apps handler.|
00006db0 00 00 00 6d 6f 64 65 6d 20 68 61 6e 64 6c 65 72 |...modem handler|
00006dc0 00 00 00 6c 70 61 73 73 20 68 61 6e 64 6c 65 72 |...lpass handler|
00006dd0 00 00 00 72 69 76 61 20 68 61 6e 64 6c 65 72 00 |...riva handler.|
00006de0 00 00 00 64 73 70 73 20 68 61 6e 64 6c 65 72 00 |...dsps handler.|
00006df0 00 00 00 70 b5 80 20 06 f0 69 fd 1d 4c 08 23 21 |...p.. ..i..L.#!|
00006e00 68 1d a2 05 f0 f4 fb 21 68 1b 25 ad 01 49 19 08 |h......!h.%..I..|
00006e10 62 80 20 06 f0 5b fd 61 68 02 23 1a a2 05 f0 e7 |b. ..[.ah.#.....|
00006e20 fb 61 68 49 19 08 62 80 20 06 f0 50 fd a1 68 0d |.ahI..b. ..P..h.|
00006e30 0a 23 19 a2 05 f0 dc fb a1 68 49 19 08 62 80 20 |.#.......hI..b. |
00006e40 06 f0 45 fd e1 68 04 23 17 a2 05 f0 d1 fb e1 68 |..E..h.#.......h|
00006e50 49 19 08 62 80 20 06 f0 3a fd 21 69 06 23 16 a2 |I..b. ..:.!i.#..|
00006e60 05 f0 c6 fb 21 69 49 19 08 62 70 bc 08 bc 00 20 |....!iI..bp.... |
00006e70 18 47 00 00 70 94 03 00 61 70 70 73 20 63 68 61 |.G..p...apps cha|
00006e80 6e 67 65 72 00 00 00 00 6d 6f 64 65 6d 20 63 68 |nger....modem ch|
00006e90 61 6e 67 65 72 00 00 00 6c 70 61 73 73 20 63 68 |anger...lpass ch|
00006ea0 61 6e 67 65 72 00 00 00 72 69 76 61 20 63 68 61 |anger...riva cha|
00006eb0 6e 67 65 72 00 00 00 00 64 73 70 73 20 63 68 61 |nger....dsps cha|
00006ec0 6e 67 65 72 00 00 00 00 06 28 12 d2 78 44 00 79 |nger.....(..xD.y|
00006ed0 00 18 87 44 02 04 06 08 0d 0a 0c 07 a0 70 47 08 |...D.........pG.|
00006ee0 a0 70 47 09 a0 70 47 0d 0a a0 70 47 0b a0 70 47 |.pG..pG...pG..pG|
00006ef0 0c a0 70 47 0d a0 70 47 00 00 41 50 53 53 00 00 |..pG..pG..APSS..|
00006f00 00 00 4d 50 53 53 5f 53 57 00 4c 50 41 53 53 00 |..MPSS_SW.LPASS.|
out of thanks already...
Gotcha. Thanks.
Did it for testing purposes with mmcblk0p1 from JB One SSE and mmcblk0p1 from ICS One S and they both are fairly similar so i can tell by using UltraCompare that it is the same partition type.
I now dumped all One SSE partitions successfully apart from the SD and the UserData got stuck, it never finished. But all others dumped fine. Will start looking into them when i get time.
For now, Partition 1 is same. That's what i can already say lol.
[EDIT]
Userdata (0p35) didn't get stuck. I aborted it and then found an image on the SD which was already 7,5 GB big. I believe the Data Partition is quite large on the SE.
Will update the OP soon. Sorry Ive been a bit busy with kernels
Nevermind.
Tecardo's gonna help me with doing a writeback-script, just in case you already read my request here. Thanks.
Sneakyghost said:
Nevermind.
Tecardo's gonna help me with doing a writeback-script, just in case you already read my request here. Thanks.
Click to expand...
Click to collapse
I was going to suggest you take a bootsplash zip and modify it .. but got ninja'd.
AW: [PARTITION LIST] Partition Information and RUU/OTA Files,Work In Progress, 01/10/
On the One S special edition the sdcard is mapped to /data/media. It's mounted differently, also the recovery can't mount the sdcard as mass storage or partition.
Interesting. A very minor difference in the otherwise totally identical partition layout...
sent from viper 2.1

Tutorial: How to Customize/Modify/Hack your HBoot.img

This build is for
development purposes only
Do not distribute outside of HTC
without HTC's written permission.
Failure to comply may
lead to legal action.​
Ok friends, as we all know, it is very possible to modify the HBoot and this isn't the first time it has been done before. @old.splatterhand has loaded and shared such HBoots for the K2_UL and K2_U variants. @russellvone has as well loaded and shared such HBoot for the K2_CL variant and currently has made one for Cricket users too.
What this tutorial will do for this community is explain how it is done so that we all as a family can learn and grow together. I am a hands on type of guy and one of my pep peeves is being left in the dark so I am taking the time to explain some things. So let's get started.
Requirements for this TUTORIAL:
- A good hex editor is needed so click and download HxD
- I also use IDA (but that is me and for other purposes mainly - so stick with HxD)
- HBoot.img - I won't be supplying this so, sorry everyone. You will need to grab it elswhere :good:
Please keep in mind that if you install a custom HBoot and your device receives an OTA you may be required to flash back the stock HBoot just like you would with your stock recovery.
STEPS
Go ahead and open up HxD. Drag & drop the HBoot image file into the HxD Window.
Note - no matter if its a raw, dd, dumped, piece, or an .img or an .nb0 file - the edit will take place all the same.
I will be using HBoot 2.21 from the original 4.2.2 OTA during this tutorial. Now go ahead and hit CTRL+F or go to the Search tab then click Find. Search for "This build is" - without quotations...
You will then see this in HxD:
Code:
Offset(h) 00 01 02 03 04 05 06 07 08 09 0A 0B 0C 0D 0E 0F
0013C7F0 4F 2D 00 00 4F 70 65 6E 44 53 50 2D 00 00 00 00 O-..OpenDSP-....
0013C800 20 28 00 00 65 4D 4D 43 2D 62 6F 6F 74 00 00 00 (..eMMC-boot...
0013C810 25 73 20 25 64 4D 42 00 4F 63 74 20 32 38 20 32 %s %dMB.Oct 28 2
0013C820 30 31 33 2C 32 32 3A 30 39 3A 31 36 2E 25 64 00 013,22:09:16.%d.
0013C830 4F 63 74 20 32 38 20 32 30 31 33 2C 32 32 3A 30 Oct 28 2013,22:0
0013C840 39 3A 31 36 00 00 00 00 45 6E 74 65 72 69 6E 67 9:16....Entering
0013C850 20 52 65 63 6F 76 65 72 79 2E 2E 2E 00 00 00 00 Recovery.......
0013C860 45 6E 74 65 72 69 6E 67 20 4D 46 47 20 4B 65 72 Entering MFG Ker
0013C870 6E 65 6C 2E 2E 2E 00 00 45 6E 74 65 72 69 6E 67 nel.....Entering
0013C880 20 4D 44 4D 20 52 61 6D 64 75 6D 70 20 6D 6F 64 MDM Ramdump mod
0013C890 65 2E 2E 2E 00 00 00 00 [COLOR="red"]54 68 69 73 20 62 75 69[/COLOR] e.......[COLOR="red"]This bui
0013C8A0 6C 64 20 69 73 20 66 6F 72 [COLOR="black"]00 00 00[/COLOR] 64 65 76 65 ld is for[COLOR="black"]...[/COLOR]deve
0013C8B0 6C 6F 70 6D 65 6E 74 20 70 75 72 70 6F 73 65 73 lopment purposes
0013C8C0 20 6F 6E 6C 79 [COLOR="black"]00 00 00[/COLOR] 44 6F 20 6E 6F 74 20 64 only[COLOR="black"].[/COLOR][COLOR="black"]..[/COLOR]Do not d
0013C8D0 69 73 74 72 69 62 75 74 65 20 6F 75 74 73 69 64 istribute outsid
0013C8E0 65 20 6F 66 20 48 54 43 [COLOR="black"]00 00 00 00[/COLOR] 77 69 74 68 e of HTC[COLOR="black"]....[/COLOR]with
0013C8F0 6F 75 74 20 48 54 43 27 73 20 77 72 69 74 74 65 out HTC's writte
0013C900 6E 20 70 65 72 6D 69 73 73 69 6F 6E 2E [COLOR="black"]00 00 00[/COLOR] n permission.[COLOR="black"]...[/COLOR]
0013C910 46 61 69 6C 75 72 65 20 74 6F 20 63 6F 6D 70 6C Failure to compl
0013C920 79 20 6D 61 79 [COLOR="black"]00 00 00[/COLOR] 6C 65 61 64 20 74 6F 20 y may[COLOR="black"]...[/COLOR]lead to
0013C930 6C 65 67 61 6C 20 61 63 74 69 6F 6E 2E [COLOR="black"]00 00 00[/COLOR] legal action.[/COLOR]...
0013C940 5B 44 49 53 50 4C 41 59 5F 45 52 52 5D 20 61 6C [DISPLAY_ERR] al
0013C950 6C 6F 63 61 74 65 20 68 65 61 70 20 66 6F 72 20 locate heap for
0013C960 73 70 6C 61 73 68 20 69 6D 61 67 65 20 66 61 69 splash image fai
Please take note of what is written in red. This is that little pesky warning label that pops up when running a custom kernel and/or custom recovery.
I look forward to this part as I will be showing how to remove it - and any of you can too (manually of course).
Now, in this particular HBoot (2.21) you find that the text begins at Offset 0013C890
Code:
0013C890 65 2E 2E 2E 00 00 00 00 [COLOR="red"]54 68 69 73 20 62 75 69[/COLOR] e.......[COLOR="red"]This bui[/COLOR]
The beginning of the warning from HTC starts with the letter T from the word This. Remember how I said to take notice of the highlighted red? If you look at number 54 you notice it is the beginning of this warning. Don't worry, HxD will show you where it begins. Just use the mouse to click where that letter or symbol is and it will show a dotted line box around that number as being the reference point from there forward (or backwards lol).
To edit and remove this warning label is very simple. You will be hex editing this image file needless to say - if you haven't realized it yet. YOU WILL NOT BE MAKING ANY CHANGES ON THE RIGHT OF HxD!!!!
We will be replacing ALL of the letters with text by spacing it. To do so we must first find out what number represents a 'space'. This is simple, as you only need to hover your mouse over a space in between two letters in which it will highlight its number with a dotted line box. In this case a space would be the number 20. So what we are going to do is remove every text of that warning label with a space by implementing the number 20 in the proper places to each of the given text letter.
PLEASE NOTE!! ---- It is HIGHLY recommended that you DO NOT replace each text letter in the left panel with the number 00.
- The reason for this is because 00 stands for blank which in the Hex world is not consider a 'text'. Where as a space is considered a text and since we are replacing text it would be best to do so with other text so the HBoot will still see text even though the warning label will no longer show up anymore. It just would seem to be of best interests and just overall safer.
This is what you will see after you replace all the text letters with the number 20:
Code:
Offset(h) 00 01 02 03 04 05 06 07 08 09 0A 0B 0C 0D 0E 0F
0013C7F0 4F 2D 00 00 4F 70 65 6E 44 53 50 2D 00 00 00 00 O-..OpenDSP-....
0013C800 20 28 00 00 65 4D 4D 43 2D 62 6F 6F 74 00 00 00 (..eMMC-boot...
0013C810 25 73 20 25 64 4D 42 00 4F 63 74 20 32 38 20 32 %s %dMB.Oct 28 2
0013C820 30 31 33 2C 32 32 3A 30 39 3A 31 36 2E 25 64 00 013,22:09:16.%d.
0013C830 4F 63 74 20 32 38 20 32 30 31 33 2C 32 32 3A 30 Oct 28 2013,22:0
0013C840 39 3A 31 36 00 00 00 00 45 6E 74 65 72 69 6E 67 9:16....Entering
0013C850 20 52 65 63 6F 76 65 72 79 2E 2E 2E 00 00 00 00 Recovery.......
0013C860 45 6E 74 65 72 69 6E 67 20 4D 46 47 20 4B 65 72 Entering MFG Ker
0013C870 6E 65 6C 2E 2E 2E 00 00 45 6E 74 65 72 69 6E 67 nel.....Entering
0013C880 20 4D 44 4D 20 52 61 6D 64 75 6D 70 20 6D 6F 64 MDM Ramdump mod
[COLOR="red"]0013C890 [COLOR="black"]65 2E 2E 2E 00 00 00 00[/COLOR] 20 20 20 20 20 20 20 20 [COLOR="black"]e.......[/COLOR]
0013C8A0 20 20 20 20 20 20 20 20 20 [COLOR="black"]00 00 00[/COLOR] 20 20 20 20 [COLOR="black"]...[/COLOR]
0013C8B0 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20
0013C8C0 20 20 20 20 20 [COLOR="black"]00 00 00[/COLOR] 20 20 20 20 20 20 20 20 [COLOR="black"]...[/COLOR]
0013C8D0 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20
0013C8E0 20 20 20 20 20 20 20 20 [COLOR="black"]00 00 00 00[/COLOR] 20 20 20 20 [COLOR="black"]....[/COLOR]
0013C8F0 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20
0013C900 20 20 20 20 20 20 20 20 20 20 20 20 20 [COLOR="black"]00 00 00[/COLOR] [COLOR="black"]...[/COLOR]
0013C910 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20
0013C920 20 20 20 20 20 [COLOR="black"]00 00 00[/COLOR] 20 20 20 20 20 20 20 20 [COLOR="black"]...[/COLOR]
0013C930 20 20 20 20 20 20 20 20 20 20 20 20 20 [COLOR="black"]00 00 00[/COLOR] [COLOR="black"]...[/COLOR][/COLOR]
0013C940 5B 44 49 53 50 4C 41 59 5F 45 52 52 5D 20 61 6C [DISPLAY_ERR] al
0013C950 6C 6F 63 61 74 65 20 68 65 61 70 20 66 6F 72 20 locate heap for
0013C960 73 70 6C 61 73 68 20 69 6D 61 67 65 20 66 61 69 splash image fai
Once you have completed the task of overwriting the bytes then go ahead and save your work. Now comes the MOST IMPORTANT PART EVER!!!
- Compare both the original and modified HBoot.img file and MAKE SURE that the modified image is reading the exact same bytes in size as the original!
- If the modified file is just ONE byte to large or to small when compared to the original file then you better delete that file and try the whole process over again!! DO NOT FLASH THAT MODIFIED FILE IF THE BYTES SIZE IS NOT THE SAME AS THE ORIGINAL FILE OR YOU WILL BRICK YOUR DEVICE!.
- If both files are the exact same sizes then you are clear to flash the new modified HBoot image which will remove that pesky red text. There is much more that can be done with the HBoot, but for starters this tutorial will suffice for now.
If this tutorial was helpful to you then please click on thanks :good:
---- Happy hunting.
Thank You for the tut. I only have a few questions.
1) Is there anyway through adb or otherwise to 'pull' the original hboot file from the phone ?
2) Does the newly created hboot file need to be zipped or flashed in fstboot the way it is?
Thank You for your time =)
extracting your hboot.img
rb2tfm said:
1) Is there anyway through adb or otherwise to 'pull' the original hboot file from the phone ?
Click to expand...
Click to collapse
I think this might work:
$ adb shell
shell:/ $ su
shell:/ # dd if=/dev/block/mmcblk0p12 of=/sdcard/hboot.img
shell:/ # exit
shell:/ $ exit
$ adb pull /sdcard/hboot.img
gepr said:
I think this might work:
$ adb shell
shell:/ $ su
shell:/ # dd if=/dev/block/mmcblk0p12 of=/sdcard/hboot.img
shell:/ # exit
shell:/ $ exit
$ adb pull /sdcard/hboot.img
Click to expand...
Click to collapse
hi. i copied hboot.img from my phone but when i want to open it with HxD, it shows just 0 but no number or red note
SidRobo said:
hi. i copied hboot.img from my phone but when i want to open it with HxD, it shows just 0 but no number or red note
Click to expand...
Click to collapse
Hello, I am the original member that made this thread a while back. Grab the hboot.img from the OTA and you will find what you are looking for.
But do know that the following command will properly dump your hboot.img:
Code:
dd if=/dev/block/mmcblk0p12 of=/sdcard/hboot.img
As you can see in the picture below, I could easily modify this right on my phone and not even touch a computer , but of course at the time that I wrote this thread I did not know the potentials for being able to conduct "development" projects without the use of a pc and simply right on the device.
{
"lightbox_close": "Close",
"lightbox_next": "Next",
"lightbox_previous": "Previous",
"lightbox_error": "The requested content cannot be loaded. Please try again later.",
"lightbox_start_slideshow": "Start slideshow",
"lightbox_stop_slideshow": "Stop slideshow",
"lightbox_full_screen": "Full screen",
"lightbox_thumbnails": "Thumbnails",
"lightbox_download": "Download",
"lightbox_share": "Share",
"lightbox_zoom": "Zoom",
"lightbox_new_window": "New window",
"lightbox_toggle_sidebar": "Toggle sidebar"
}
Sent from my C525c using Tapatalk
SHM said:
Hello, I am the original member that made this thread a while back. Grab the hboot.img from the OTA and you will find what you are looking for.
But do know that the following command will properly dump your hboot.img:
Code:
dd if=/dev/block/mmcblk0p12 of=/sdcard/hboot.img
As you can see in the picture below, I could easily modify this right on my phone and not even touch a computer , but of course at the time that I wrote this thread I did not know the potentials for being able to conduct "development" projects without the use of a pc and simply right on the device.
Sent from my C525c using Tapatalk
Click to expand...
Click to collapse
hi. thank you for the answer but could you pls explain more, I'm noob:good:
how is it possible without pc?????!!!
SidRobo said:
hi. thank you for the answer but could you pls explain more, I'm noob:good:
how is it possible without pc?????!!!
Click to expand...
Click to collapse
Using a hex editor such as what you saw in the picture would suffice. Then, comparing the size of the non modified hboot.img with the modified hboot.img as I mentioned in the instructions. Then, when all is good, I use the following command to write the modified hboot.img to my partition.
Code:
dd if=/sdcard/modified_hboot.img of=/dev/block/mmcblk0p12
But be careful when doing all of this. You mess up on the hboot and you will find yourself with a hard bricked device.
Sent from my C525c using Tapatalk
SHM said:
Using a hex editor such as what you saw in the picture would suffice. Then, comparing the size of the non modified hboot.img with the modified hboot.img as I mentioned in the instructions. Then, when all is good, I use the following command to write the modified hboot.img to my partition.
Code:
dd if=/sdcard/modified_hboot.img of=/dev/block/mmcblk0p12
But be careful when doing all of this. You mess up on the hboot and you will find yourself with a hard bricked device.
Sent from my C525c using Tapatalk
Click to expand...
Click to collapse
Sorry man because i'm noob
My problem is with this part ***Grab the hboot.img from the OTA and you will find what you are looking for.***
I don't know exactly what ota is and how to get hboot
Could u plz explain more about it or but a link?
Again Sorry for disturbing u
And sorry for my bad english
Sent from my Desire 300 X515e using XDA Forums
SidRobo said:
Sorry man because i'm noob
My problem is with this part ***Grab the hboot.img from the OTA and you will find what you are looking for.***
I don't know exactly what ota is and how to get hboot
Could u plz explain more about it or but a link?
Again Sorry for disturbing u
And sorry for my bad english
Sent from my Desire 300 X515e using XDA Forums
Click to expand...
Click to collapse
I just noticed your signature shows you using a Desire phone. Do you own an HTC One SV? This thread is based on the HTC One SV so I want to verify before I continue.
Sent from my C525c using Tapatalk
SHM said:
I just noticed your signature shows you using a Desire phone. Do you own an HTC One SV? This thread is based on the HTC One SV so I want to verify before I continue.
Sent from my C525c using Tapatalk
Click to expand...
Click to collapse
i have a htc desire 300
INFOversion: 0.5
INFOversion-bootloader: 1.18.0002
INFOversion-baseband: 14.11.36Q4.21
INFOversion-cpld: None
INFOversion-microp: None
INFOversion-main:
INFOversion-misc: PVT SHIP S-OFF
INFOserialno: ----------------
INFOimei: ----------------
INFOmeid:
INFOproduct: g3u
INFOplatform: HBOOT-8225
INFOmodelid: 0P6A10000
INFOcidnum: 11111111
INFObattery-status: good
INFObattery-voltage: 4340mV
INFOpartition-layout: HTC
INFOsecurity: off
INFObuild-mode: SHIP
INFOboot-mode: FASTBOOT
INFOcommitno-bootloader: dirty-e1c32097
INFOhbootpreupdate: 12
INFOgencheckpt: 0
Then mmcblk0p12 probably isn't the partition that holds the hboot on your device. You need to go to your device forum and request a link for the most recent OTA made available. Should be compress as a zip. When you extract there will be another compressed zip typically called, firmware.zip. Extract and you should hopefully find your signed hboot.img.
Sent from my C525c using Tapatalk
SHM said:
Then mmcblk0p12 probably isn't the partition that holds the hboot on your device. You need to go to your device forum and request a link for the most recent OTA made available. Should be compress as a zip. When you extract there will be another compressed zip typically called, firmware.zip. Extract and you should hopefully find your signed hboot.img.
Sent from my C525c using Tapatalk
Click to expand...
Click to collapse
what if no OTA is available???
SidRobo said:
what if no OTA is available???
Click to expand...
Click to collapse
Then you will need to find the partition that holds your hboot.img. Even if that means dumping every unknown partition your device has and reviewing each one with a hex editor until you find it.
Sent from my C525c using Tapatalk
SHM said:
Then you will need to find the partition that holds your hboot.img. Even if that means dumping every unknown partition your device has and reviewing each one with a hex editor until you find it.
Sent from my C525c using Tapatalk
Click to expand...
Click to collapse
hi i found two files boot_init.img and boot_stock.img form this link https://drive.google.com/folderview?id=0B6WBFlAKqe30cGp3WkFRSjRaMjQ&&tid=0B6WBFlAKqe30TjRLa2Qxa0toYlU#list
is rhis what i look for it?
if yes so how should i flash it?
SidRobo said:
hi i found two files boot_init.img and boot_stock.img form this link https://drive.google.com/folderview...jRaMjQ&&tid=0B6WBFlAKqe30TjRLa2Qxa0toYlU#list
is rhis what i look for it?
if yes so how should i flash it?
Click to expand...
Click to collapse
Those are not the hboot. The hboot is your bootloader. Completely different.
Sent from my C525c using Tapatalk

help unbreak i9003 with omap flash

i have a i9003 broken by flashing with wrong files ( i9000)
when i use the omap flash (after installing driver)
i got the next message :
» Looking for device (omap usb)
» Please turn on device
» Waiting for device (omap usb)
» Found device (omap usb)
» Requesting ASIC id
» AsicId items 05
» AsicId id 01 05 01 36 30 07 07
» AsicId secure_mode 13 02 01 00
» AsicId public_id 12 15 01 DC 64 77 05 87 18 3E 62 48 1F DC 73 69 7D D2 1C F2 AA 8D 4C
» AsicId root_key_hash 14 15 01 D7 81 BB D5 CD EC 1F F7 E4 DA 7A F9 BE 79 A2 4C 72 DF 89 43
» AsicId checksum 15 09 01 13 BF 3E EF 15 52 E7 03
» Raw data transfer failure (No error) during peripheral boot (sending boot message)
I dont really understand what it is, but my phone broke once and i restock it with odin.
Sent from my GT-I9003 using xda app-developers app

Question about software android will check license of devices and that info is encrypted

The same title. I want to use 1 license for multiple devices but max of license just for 1 device. To use it for multiple devices I need to check what information the software receives from the device (example: android id, imei, android version,...). Then fake the 2nd device information into the first device's information. But when I check, the information is encoded into strings that are difficult to understand. So I want to ask what kind of encryption is that, and the data after decrypted. Below is an image of the encrypted string that the software checks my device information. Please help me.
"htttp://arteam.pro/log-sys/?data=Qcdw1B9CILI+xcDA7mY9v/wSuMPEvvjr3H72jMubzO3MaWWONvTbZc34J+qxHq1tNYSVhJezLBJM4EuapwTqhqqtCcxCWA6+Dai9lm99D32nj+RqIuvN3Z3QE7ezJ4ZFrLn8QsUEFka7x6DDQj4ekQJbyuQ+prf80PDh7kSWTfzllQq9munu/9UKCg1XolmtY5EDRPxMU99nnPkrAf5lmfOkeVMV4Bn1yR/o0vUPopQ="
The data parameter is some binary data encoded in base64. I used
Bash:
$ echo "Qcdw1B9CILI+xcDA7mY9v/wSuMPEvvjr3H72jMubzO3MaWWONvTbZc34J+qxHq1tNYSVhJezLBJM4EuapwTqhqqtCcxCWA6+Dai9lm99D32nj+RqIuvN3Z3QE7ezJ4ZFrLn8QsUEFka7x6DDQj4ekQJbyuQ+prf80PDh7kSWTfzllQq9munu/9UKCg1XolmtY5EDRPxMU99nnPkrAf5lmfOkeVMV4Bn1yR/o0vUPopQ=" | base64 -d - | tee decode.bin
and opened that in Bless. It's using some kind of encryption, output below in hex.
Code:
41 C7 70 D4 1F 42 20 B2 3E C5 C0 C0 EE 66 3D BF
FC 12 B8 C3 C4 BE F8 EB DC 7E F6 8C CB 9B CC ED
CC 69 65 8E 36 F4 DB 65 CD F8 27 EA B1 1E AD 6D
35 84 95 84 97 B3 2C 12 4C E0 4B 9A A7 04 EA 86
AA AD 09 CC 42 58 0E BE 0D A8 BD 96 6F 7D 0F 7D
A7 8F E4 6A 22 EB CD DD 9D D0 13 B7 B3 27 86 45
AC B9 FC 42 C5 04 16 46 BB C7 A0 C3 42 3E 1E 91
02 5B CA E4 3E A6 B7 FC D0 F0 E1 EE 44 96 4D FC
E5 95 0A BD 9A E9 EE FF D5 0A 0A 0D 57 A2 59 AD
63 91 03 44 FC 4C 53 DF 67 9C F9 2B 01 FE 65 99
F3 A4 79 53 15 E0 19 F5 C9 1F E8 D2 F5 0F A2 94
Good luck decrypting it. Considering this is an app with such highly restrictive license terms, I'm sure the devs have heavily guarded the code against reverse engineering. The best way to deal with this imo is to just find an alternative if one exists.
The binary data encoded in base64 is difficult to understand.

Categories

Resources