Hi,
I'm trying to create a goldcard following steps given on http://forum.xda-developers.com/archive/index.php/t-962013.html as I get a "CID incorrect" error when I try downgrading using the PD98IMG.zip
The problem is http://hexrev.soaa.me is no longer active.
Could anyone tell me what exactly it did? Did it just reverse the pairs of hex digits? Or did it just reverse the whole hex string? Or did it reverse it picking each pair, and then put 2 zeros in front, replacing the first two bytes?
Or if you could paste in here your CID and the reverse CID so that I could make a guess.
Thanks
Found the solution, the GoldCardTool_Subrata.exe tool or http://forum.xda-developers.com/showthread.php?t=823625 , lets me do the hexrev.soaa.me part - http://www.multiupload.com/7WA60DJ2TU
Now, has anyone been able to downgrade after the 1.84.720.3 OTA ?
Thx in advance.
Of course the downgrade is possible, just use the sticky downgrade guide.
The missing bit was that I was picking the CID from mmc0, while mmc2 is the one in my phone. Then doing a hexrev manually is not tough: just take the bytes in pairs and put them in reverse order, and make the first two zero.
Since GoldCardTool.exe won't allow you to get the CID for mmc2, as in my case, you need to do the hexrev manually in Notepad, then get the goldcard.img from psas.revskills.de, use psneuter to get temp root over adb, use misc_version to set the old version, put PD98IMG.zip on the card, reboot to the bootloader and bang.
Hi, I'm trying to root my MyTouch 3G, and I see the http://hexrev.soaa.me site is down. Does the GoldCardTool_Subrata.exe tool work instead?
ideamonk said:
The missing bit was that I was picking the CID from mmc0, while mmc2 is the one in my phone. Then doing a hexrev manually is not tough: just take the bytes in pairs and put them in reverse order, and make the first two zero.
Since GoldCardTool.exe won't allow you to get the CID for mmc2, as in my case, you need to do the hexrev manually in Notepad, then get the goldcard.img from psas.revskills.de, use psneuter to get temp root over adb, use misc_version to set the old version, put PD98IMG.zip on the card, reboot to the bootloader and bang.
Hi, can you help with mine: 1b534d30303030301079eedb5a00ac5a
I don't know how to manually get the reverse.
saeedkunna said:
Hi, can you help with mine: 1b534d30303030301079eedb5a00ac5a
I don't know how to manually get the reverse.
00ac005adbee791030303030304d531b
jkoljo said:
00ac005adbee791030303030304d531b
Thank you man, it worked.
If there is a programme, website, or method to do it, I hope you share it.
I just made a quick and dirty CID Reverser in excel.
Link is --> HERE
mamumami said:
Hi, I'm trying to root my MyTouch 3G, and I see the hexrev.soaa.me site is down. Does the GoldCardTool_Subrata.exe tool work instead?
Yes the goldcard tool worked, it wasn't able to pick CID from mmc2 for me, so I had to manually do the reversing and paste it in the goldcardtool. I was taking CID from mmc0, which is my internal memory and not my sdcard.
jkoljo said:
00ac005adbee791030303030304d531b
Hi there,
I am having some problems with creating a goldcard for my HTC Desire Z (Asian/Indonesian version).
I'm having the same exact problem reversing the keys, and the link for reversing seems to be down.
This is the unique key I got:
479a002f86c320087483035535443530
Do you mind helping me with reversing my key?
Thanks heaps in advance =)
andyharney said:
I just made a quick and dirty CID Reverser in excel.
Link is --> HERE
Thanks it was very helpful
My bad, I redid my server and completely forgot about this page in the process. It's back now. Let your friends know!
akhoman said:
Hi there,
I am having some problems with creating a goldcard for my HTC Desire Z (Asian/Indonesian version).
I'm having the same exact problem reversing the keys, and the link for reversing seems to be down.
This is the unique key I got:
479a002f86c320087483035535443530
Do you mind helping me with reversing my key?
Thanks heaps in advance =)
Split the number into pairs:
47 9a 00 2f 86 ... 44 35 30
Change last two to zeros:
47 9a 00 2f 86 ... 44 35 00
Reverse the string (the order of the pairs):
00 35 44 ... 86 2f 00 9a 47
But without the spaces:
003544 ... 862f009a47
Sent using witchcraft via XDA Developers App.
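The rule jkoljo spells out above (and ideamonk's "take two bytes in pairs and put them in reverse order, make first 2 zero" earlier in the thread) is what hexrev.soaa.me did, and it is small enough to script so nobody has to post their CID and wait for a reply. The following is an added example, not code from the thread or from the goldcard tool. It assumes the sysfs path the G1 posts in this thread read in a terminal emulator (/sys/class/mmc_host/mmcN/mmcN:*/cid) and lets you pick the host, since ideamonk's card sat on mmc2 while mmc0 was his internal memory.

```python
"""Reproduce the hexrev.soaa.me step for an HTC goldcard CID.

Added example, not code from the thread or the goldcard tool. It applies the
rule jkoljo spells out: split into pairs, reverse their order, make the first
pair 00. The sysfs path is the one the G1 posts read (an assumption for other
phones); pass "mmc2" if that is where your card lives.
"""
import glob
import re
import sys

_CID_RE = re.compile(r"^[0-9a-f]{32}$")


def reverse_cid(cid: str) -> str:
    """Reverse the byte order of a 16-byte CID and zero the first byte.

    Reversing the order of the hex pairs is the same as reversing the 16
    bytes; zeroing the last pair before the reversal (jkoljo's order) is the
    same as zeroing the first pair after it, which is what the goldcard
    generators expect as input.
    """
    cid = cid.strip().lower()
    if not _CID_RE.match(cid):
        raise ValueError(f"CID must be 32 hex digits, got {cid!r}")
    raw = bytes.fromhex(cid)               # 16 bytes as printed by sysfs
    flipped = raw[::-1]                    # reverse the order of the pairs
    return (b"\x00" + flipped[1:]).hex()   # first pair becomes 00


def read_cid_from_sysfs(mmc_host: str = "mmc1"):
    """Read the CID of the card on the given host (only works on the phone).

    mmc0 was the internal memory on ideamonk's phone, so use the host your
    SD card is actually on. Returns None when nothing is found so the caller
    can fall back to a CID typed by hand.
    """
    for path in glob.glob(f"/sys/class/mmc_host/{mmc_host}/{mmc_host}:*/cid"):
        with open(path) as fh:
            return fh.read().strip()
    return None


if __name__ == "__main__":
    cid = sys.argv[1] if len(sys.argv) > 1 else read_cid_from_sysfs()
    if cid is None:
        sys.exit("no CID given and none found under /sys/class/mmc_host")
    print(reverse_cid(cid))
```

Run it as `python hexrev.py 1b534d30303030301079eedb5a00ac5a` and it prints 00ac005adbee791030303030304d531b, the same value jkoljo posted for saeedkunna; with no argument it reads the CID from sysfs on the phone itself.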
After banging my head with the update utility and a bootsplash stuck universal for like hours, I did decrypt the bootloader 1.0... Will do some reverse engineering and post what I find... :lol:
Update: decrypted Bootloader 1.0 is attached...
ady,
if this is true... congratulations!!!
you may want to share your knowledge with buzz and the other specialists ;-)
have a good success
peter
hi ady,
GREAT!
could you please tell me how you did it?
thanx
buzz
By hacking the ruu.dll and running the upgradeut. I'm away at the moment. Will post it later
ady said:
By hacking the ruu.dll and running the upgradeut. I'm away at the moment. Will post it later
very interesting approach... )))
buzz
Thanx buzz.
something which I observed earlier while looking at the string table:
It has multilevel password protection and the password for each level, i.e. update, erase, dump, debug, is calculated at runtime.
Moreover the access level resets to lowest after a certain time, which makes it almost unhackable.
There are strings related to CID, meaning there might be a method to change the CID.
updated first post to attach the decrypted bootloader 1.0 for those who are interested.
Also I successfully flashed the 1.0 bootloader on a device which was previously updated with 1.01...
Of course it was after hacking the RUU.dll. By default it doesn't let you update to an older bootloader.
ady, I have been looking at the bootloader of the Prophet and the interaction between the romupdate utility and the phone with a software logic analyzer, which has revealed a lot of information including the commands that romupdate runs while upgrading the ROM.
I am in the process of compiling a list of bootloader commands which may be useful.
Did you dump the commands while downgrading the bootloader?
Pete
You can find a list of commands very easily: just look at the string table. However not all commands are allowed, and that is the challenge.
Some commands do not appear to be secured correctly.
For example the rbmc command.
If I run it without a password it says no permission, enter any password and then it will run fine.
The password issued by the romupdate tool seems to be based partly upon the results of the info 2 command, as far as I can tell.
The main command I am struggling to figure out is the r2sd command which reads a key/password from the SD Card.
Rymez2K said:
The main command I am struggling to figure out is the r2sd command which reads a key/password from the SD Card.
hi,
did you mean d2s command?
buzz
The r2sd command runs well when you have CID unlocked. Works for Prophet, Wizard and Charmer, Typhoon.
hdubli said:
The r2sd command runs well when you have CID unlocked. Works for Prophet, Wizard and Charmer, Typhoon.
;o))) I thought, this is about Universal 1.00 bootloader...
buzz
According to some source of information there are 2 types of Universal. One with G3 and another with G4 chips. G3 bootroms have string "HW Version : 1.40h" in bootloader and its version is 1.xx, G4: "1.40j" and version numbers are 2.xx. Your ROM is for G3.
And bootrom can be decoded from nk.nbf with alpinenbfdecode.pl script
ady said:
By hacking the ruu.dll and running the upgradeut. I'm away at the moment. Will post it later
If this is correct, I hope... the nk.nbf of the JASJAR bootloader can be decoded with the bal66 tool and one can get a .nba file. But I was not able to decode further with the imgfs tools... it simply fails to do that....
@hdubli
bootloader image - nk.nba - is not an imgfs. you cannot use mamaich's imgfs_tools on it.
bal66's tool cannot decode bootloader nk.nbf to nk.nba either.
buzz
Attached is the file...pls check
hdubli said:
Attached is the file...pls check
yes, that file looks to be OK...
buzz
another thing:
The lnb command doesn't work on 1.0 or 1.01. Another command, wdata, is used instead to update.
The difference between the two commands is that lnb needs to have an nb image, i.e. lnb lnbtemp.nb, whereas wdata transfers the image directly from host computer memory (more hack safe).
Hey Folks,
After a long weekend of reversing I am about 95% done in reversing IMEI-CHECK's unlocker for the Wizard.
The application is protected by Themida which is in my view the leading protector on the market currently (yes better than execryptor).
The unlocker has Ring0 protection, emulated APIs, resource encryption + lots more fun and games.
Now onto what I have found so far.
The GUI stuff:
Code:
set 1 0
set 5 ffffffff
set 2 0
set 6 000000
set 4 000000
progressbar 0 239 0 255 ffffff 100 0
shmsg 0 0 " . : | Wizard Unlock | : ."
info 1
shmsg 3 0 " ..detecting device.."
set 32 2
info 0
shmsg 4 0 " >>> Wizard found"
Is plain to see, but the evil work is well tucked away in a procedure which is pushed onto the VirtualMachine.
So I still need to fish that out (loooonnnng task)...
However the very most interesting part (I find) is the existence of a ROM inside the unlocker.
Now I am not sure if this is the bootloader/gsm rom however it certainly seems VERY interesting that it is included.
Download:
http://rapidshare.com/files/12763879/_00CC0000.mem
For those who wish to analyse it and let me know which it is and if anything has been altered.
It might well just be standard, who knows :S
The following tools are also 'picked up':
Filenames:
Code:
PORTMON.exe
SnoopyPro.exe
Device Monitor.exe
Window Titles:
Code:
Portmon Class
SnoopyPro
USB Monitor
Device Monitor
Serious Serious Kudos to the developer, Very impressive work indeed!
By making this, he has almost made himself a license to print cash.
Since he has NO terms about his programs whatsoever, there are no legal problems with what I am doing to his application.
He is probably too scared of HTC anyway, since he is decompiling their firmwares in order to make the product. (Which is outlawed in HTC's terms)
Anyway....
Watch this space
Very interesting, would information gathered from the Wizard unlocker lead to cracking the Treo 750 unlocker? Or any other phone that imei-check supports for that matter?
Whiterat said:
After a long weekend of reversing I am about 95% done in reversing IMEI-CHECK's unlocker for the Wizard.
Great, will you disclose your findings? there was an earlier post about the unlocker for G4 wizards, here (see comment #36):
http://forum.xda-developers.com/showthread.php?t=284312
Whiterat said:
However the very most interesting part (I find) is the existance of a ROM inside the unlocker.
Now I am not sure if this is the bootloader/gsm rom however it certainly seems VERY interesting that it is included.
It seems that this is the patched SPL that is flashed on the first unlocking step; it is modified so that when it is told to flash a splash screen, it flashes the security area, overwriting the CID.
Whiterat said:
For those who wish to analyse it and let me know which it is and if anything has been altered.
It might well just be standard, who knows :S
I will load it at IDA and compare with a normal wizard SPL...
Whiterat said:
Serious Serious Kudos to the developer, Very impressive work indeed!
By making this, he has almost made himself a license to print cash.
Yes, the imei-check guys are doing great job with their unlockers... similar method is used in artemis unlocker too. They load a modified SPL in RAM and jump to its physical address from WinCE, this modified SPL shows the DOC ID in help of "set" command and allows flashing unsigned code, then they use obtained DOC ID info to patch the security area by sending a "fake" splash screen, same as in wizard unlocker.
Whiterat said:
Watch this space
I will
phoa not much point in me continuing!
You've got the whole lot there!
I'm a lover not a coder, I simply reverse in order to help others succeed.
Since you have all important info anyway, Not really going to be of much help here
P.S do you have any sigs for IDA or any scripts?
I dont like having to sift through manually as binary file......
Whiterat said:
phoa not much point in me continuing!
You've got the whole lot there!
Well I didn't want to discourage you on continuing the reversing process, I just pointed you to the thread where we discussed about the unlocking method a while ago...
I admire the fact that you reached that far only disassembling / debugging the binary. What we actually did to have the full process was capturing it with a USB monitor; the unlocker can be tricked if you run the USB monitor process as one user and the unlocker as a different user, but imei-check seem to have corrected this 'bug' in newer unlockers.
Whiterat said:
Since you have all important info anyway, Not really going to be of much help here
We don't have _all_ the important info, we have the commands that the unlocker sends to the bootloader, but the data sent to flash the security area is actually different in every phone, so flashing what is sent in one phone to another phone will actually brick it.
I think it can be helpful if you manage to reverse the algorithm that the unlocker uses to generate the code which is flashed on the security area, this can't be done capturing usb traffic, this has to be reversed from the binary, and Themida is not easy to break as you sure have noticed
Whiterat said:
P.S do you have any sigs for IDA or any scripts?
I dont like having to sift through manually as binary file......
No sorry, I don't have any... I am not very used to IDA, started using it a few months ago and am still learning new things about it every time I start it.
Ah cool I will look into it a bit further
(Need to get a friend to code a tool to remove the junk code)
e.g
PUSH EAX
PUSH EDX
MOV EAX,2282
INC EAX
DEC EDX
POP EDX
POP EAX
Since it is popping those registers off the stack, its actually altered nothing
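Removing that kind of block by hand gets old fast, and the obvious shortcut (anything between a PUSH and its matching POP is junk) is wrong: the body may write a register it does not save, touch memory, or, as in the INC/DEC pair above, change EFLAGS even though every register comes back. The following is an added example, not code from the thread, of the peephole pass the "junk code remover" in the post could start from: it works over a textual listing, only removes windows whose body writes nothing but the saved registers, and reports flag-clobbering windows separately so the analyst can decide. The listing it runs on is constructed around the sequence in the post, and the opcode tables are an assumption that covers only a handful of instructions.

```python
"""Peephole pass that strips push/pop junk windows from an assembly listing.

Added example, not code from the thread. Finds windows of the form
PUSH r1 / PUSH r2 / ... / POP r2 / POP r1 whose body writes only the saved
registers. SAMPLE is constructed around the post's sequence; the opcode
tables are an assumption and cover a few opcodes only, extend them for your
listing.
"""
from typing import List, Tuple

REGISTERS = {"EAX", "EBX", "ECX", "EDX", "ESI", "EDI", "EBP", "ESP"}
# opcodes whose only architectural effect is writing their first operand
# (plus EFLAGS for those in WRITES_FLAGS); anything else ends a window
REG_WRITERS = {"MOV", "INC", "DEC", "ADD", "SUB", "XOR", "OR", "AND", "NOT", "NEG", "LEA"}
WRITES_FLAGS = {"INC", "DEC", "ADD", "SUB", "XOR", "OR", "AND", "NEG"}

Instr = Tuple[str, List[str]]
Window = Tuple[int, int, bool]   # start, end (exclusive), body clobbers EFLAGS

# constructed listing: the post's window (flags clobbered), a second junk
# window that leaves EFLAGS alone, and a push/pop pair that is NOT junk
# because the MOV inside it writes ECX, which the window does not save
SAMPLE = """\
MOV ECX, 10
PUSH EAX
PUSH EDX
MOV EAX,2282
INC EAX
DEC EDX
POP EDX
POP EAX
PUSH EBX
MOV EBX, ECX
POP EBX
PUSH EAX
MOV ECX, EAX
POP EAX
CMP ECX, 5"""


def parse(line: str) -> Instr:
    """'MOV EAX,2282' -> ('MOV', ['EAX', '2282']); case is folded."""
    parts = line.strip().split(None, 1)
    if not parts:
        return "", []
    operands = [o.strip().upper() for o in parts[1].split(",")] if len(parts) > 1 else []
    return parts[0].upper(), operands


def _stack_reg(instr: Instr, op: str):
    """Register operand of a PUSH/POP, or None if it is not a plain register."""
    if instr[0] == op and instr[1] and instr[1][0] in REGISTERS:
        return instr[1][0]
    return None


def find_junk_windows(instrs: List[Instr]) -> List[Window]:
    """Windows whose body writes only registers the window saves and restores.
    Memory operands, calls, jumps or writes to any other register disqualify
    a window, because then the block has an effect."""
    windows, n, i = [], len(instrs), 0
    while i < n:
        if _stack_reg(instrs[i], "PUSH") is None:
            i += 1
            continue
        saved, j = [], i
        while j < n and _stack_reg(instrs[j], "PUSH") is not None:
            saved.append(instrs[j][1][0])
            j += 1
        k, clobbers, body_ok = j, False, True
        while k < n and instrs[k][0] != "POP":
            op, ops = instrs[k]
            if (op not in REG_WRITERS or not ops or ops[0] not in saved
                    or any("[" in o for o in ops)):
                body_ok = False
                break
            clobbers = clobbers or op in WRITES_FLAGS
            k += 1
        restored, m = [], k
        while (body_ok and m < n and len(restored) < len(saved)
               and _stack_reg(instrs[m], "POP") is not None):
            restored.append(instrs[m][1][0])
            m += 1
        if body_ok and restored == saved[::-1]:
            windows.append((i, m, clobbers))
            i = m
        else:
            i += 1
    return windows


def remove_junk(lines: List[str], drop_flag_clobbering: bool = False):
    """Return (cleaned lines, removed windows). INC/DEC/ADD... inside a window
    still change EFLAGS although every register is restored, so such windows
    are kept unless the caller has confirmed nothing downstream reads the
    flags before they are rewritten."""
    instrs = [parse(line) for line in lines]
    drop, removed = set(), []
    for start, end, clobbers in find_junk_windows(instrs):
        if clobbers and not drop_flag_clobbering:
            continue
        drop.update(range(start, end))
        removed.append((start, end, clobbers))
    return [line for idx, line in enumerate(lines) if idx not in drop], removed


if __name__ == "__main__":
    cleaned, gone = remove_junk(SAMPLE.splitlines(), drop_flag_clobbering=True)
    print(f"removed {len(gone)} window(s): {gone}")
    print("\n".join(cleaned))
```

On the constructed listing the default run removes only the EBX window; the post's EAX/EDX window is reported as flag-clobbering and left in place until you pass drop_flag_clobbering=True, and the last PUSH EAX / MOV ECX, EAX / POP EAX block is never removed because ECX escapes it.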
Themida is a cow. Because my friend didn't manage to make a start on the junk code remover (and I didn't realise there was a virtualised function) I just did each import by hand (approx 4 hours lol).
Also rebuilt the OEP by hand too, not too hard since it was VC++6.
I have a G4 which I have unlocked with Imei-Calc (thus I have the key file, which I *think* might decrypt parts of the program, or possibly is part of an encrypted rom.)
3 Last things:
1. Can the G3/G4 chip be worked out by IMEI, i.e IMEI represents a date and the chips were only used after a certain date? or is this tool generic for G3/G4 ?
2. Do you have an SPL for 2.08.10?
3. How can I dump my SPL (bearing in mind my only miniSD has a full backup of my ROM, just in case Crossbow gets a little ugly for my liking)?
Ohh one last thing, kbdus.dll on Crossbow.....Is there a kbduk.dll as far as you know?
My Wizard has a British keyboard and all the chars are shifted +1.....
Thats my next major task I think before continuing on this thing
Btw, To use the usb logger on newer versions of IMEI-CALC, just rename the exe and change the class name
Hi..Answer on the "Last Three Things"
1) No, one cannot identify G3/G4 by IMEI. If you look carefully at the place below your battery you will find a "G4" written beside your IMEI no. In G3, nothing is written. The most common way is to check the IPL/SPL: .001 at the end is G4.
2) Take a ROM which has the 2.08 SPL and use typho5.exe to dismantle the ROM parts. If the ROM was released recently then you will find IPL/SPL for both G3/G4. Check the threads here..
3) As such the Crossbow ROM has no IPL/SPL. If you know what ROM you were using prior to that, you can apply the above to dump your IPL/SPL. Secondly, you can do this with awizard 1.3 beta.
I hope this helps
I have spent the past several weeks trying to root my G1 originally from Germany. My goal is to root and load a stock U.S. T-Mobile ROM onto the phone. Here is some info on the phone:
Model: T-Mobile G1
Firmware: 1.5
Baseband Version: 62.50S.20.17U_2.22.19.26I
Kernel Version: 2.6.27-00393-g6607056
Build Number: CRB43
Now, I've been through the forums and pretty much all of the tutorials. I've attempted the goldcard method using several different micro SD cards. I've been trying to load it with DREAIMG.NBH, (RC7) version. I've been using both dd commands in Ubuntu and also via PC using HXD. Where I run into a wall is the phone upon booting it up (Camera Button + Power Button) it says "No Image File".
Here's how I've been trying thus far. I've formatted the SD cards using Windows XP command (format F: /FS:FAT32 /A:4096). I've checked the CID from the SD cards using both the G1 via Terminal and also using a WMD (HTC Touch) in qmat and reversed in qmat crypto toolbox, replaced the first byte with "00", and generated a gold card via the online goldcard generator. I've tried writing the goldcard.img via HXD and via dd command, to see if either would work, and have written the DREAIMG.NBH to root as instructed. The results have always been the same, "No Image File" when I boot the phone.
If there is anyone that could help, I would greatly appreciate it as I am at a loss with what to do next.
Uhm.. CRB43 is the same build number as the Rogers Dream. Perhaps the Rogers rooting method works? That's all I can tell, sorry.
hellfenix said:
Uhm.. CRB43 is the same build number as the Rogers Dream. Perhaps the Rogers rooting method works? That's all I can tell, sorry.
Just tried the Rogers method. Unfortunately, I get stuck at the first reboot point. After I've loaded the update.zip file and I reboot (Camera button + Power button), I get the "No image file" error.
Any other suggestions.
If the "No image file" is green text going really fast then it is normal; you have to press the Send key (talk key) from there to get to Fastboot mode.
hellfenix said:
If the "No image file" is green text going really fast then it is normal; you have to press the Send key (talk key) from there to get to Fastboot mode.
I attempted it again, this time I pressed the send key and it does nothing. It goes back to the red, green, blue, and white screen.
To root a german G1 you will need to make a goldcard. I don't have an english link to a tutorial, so please google on it. Search for "Goldcard G1".
djvw said:
To root a german G1 you will need to make a goldcard. I don't have an english link to a tutorial, so please google on it. Search for "Goldcard G1".
I appreciate the response, but if you look at my original post, I've been trying the Goldcard method but have had problems with "No image file" appearing.
i have been having the same problem with my official 1.5 (CRB43) USA while i was trying to root today :/
IIxShockwavexII said:
i have been having the same problem with my official 1.5 (CRB43) USA while i was trying to root today :/
Hopefully someone has figured out a solution and will let us know.
johnnysacco said:
Hopefully someone has figured out a solution and will let us know.
Did you root your CRB43? I have the same problem on my G1.
Hi guys. Did someone figure it out already? I have CRB43 and faced exactly the same issue. Any ideas?
ringieringie said:
Yo peoples,
after weeks of trying to downgrade my RC9 to RC7, I finally figured out a way to easily write to the raw sectors in XP without using unmount, Cygwin and things like that. Use at own risk!!!!
- download Terminal on your G1.
- type: cat /sys/class/mmc_host/mmc1/mmc1:*/cid
- reverse in qmat
- change the first 2 numbers or letters to 00
- create goldcard from the Viper BJK website (thanks man)
- format SD card to FAT32
- download HxD Hex Editor and install
- open the program and go to "extra" and then "open disk"
- choose physical disk and then the removable disk, that is the same as your memory card. If you don't know which one it is, just remove the card and restart the program and you will see which one has disappeared.
- uncheck open as readonly !!!!!!!
- go to "extra" again and then open disk image.
- open the goldcard.img which you have created from the Viper BJK website.
- press ok (512 is fine) and then "select all" and "copy"
- go to the removable disk tab and select offset 00000000 till offset 00000170, go to "edit" and then "paste write".
- save it
- now copy DREAIMG.NBH to the root of your memory card.
- turn off your phone and restart by holding the camera and the power button.
Hope this will help you.....
grtz C.C.
This worked for me on my German G1 T-Mobile crb43.
rgs.
tsk
johnnysacco said:
...and reversed in qmat crypto toolbox, replaced the first byte with "00", and generated a gold card via the online goldcard generator. I've tried writing the goldcard.img via HXD and via dd command
Hi m8, I had exactly the same problems as you, but this finaly worked for me and now I got root
If you get the CID via adb you don't need to reverse it (when you use Linux you use the reverse function); only replace the first bytes, generate the goldcard and write the img with HxD.
/tsk
Mine Updated Today
I just got a repaired phone yesterday here in the US and the shop had put in a new German mainboard which had CRB43 build on it. This morning my phone received a network update and changed my build to CRC1. Now I can downgrade the phone and try running the normal rooting procedures found here http://forum.xda-developers.com/showthread.php?t=533731.
Background: I unlocked my Tab first by hex editing my nv_data.bin file. It was perfect, my IMEI and device serial number were unharmed. Then I got my official unlock code from Tmobile. So I reverted to my original nv_data.bin, placed an AT&T SIM into the Tab and it rebooted, I entered the code, unlocked the Tab, then compared the original file to the newly unlocked file. Very minor changes. I wrote a program to do the modification and the resulting nv_data.bin file worked fine.
To clarify, I have a T-Mobile Tab and you must be rooted in order to do this.
I also have an AT&T tab and the same procedure works.
It also works on any GSM model.
Here's the edit points for those of you comfy with a hex editor:
Code:
0x181469 change this one byte from 01 to 00
0x18150e change this one byte to 00 if its not already
If you're going to do this, please back up your /efs folder! Do it twice even. Save your backups for at least 11.5 years.
I just edit a copy of the nv_data.bin, then delete nv_data.bin and nv_data.bin.md5 in the phone's /efs folder using Root Explorer, then copy my modified file back to the folder, then reboot. The nv_data.bin.md5 will be automatically regenerated for you.
I've even edited a copy of the file right on my Tab using the Hexeditor in the Market.
FYI, you cannot swap nv_data.bin files from one phone to another; you get the bogus IMEI number as the file doesn't match the hardware IMEI number.
UPDATE: New easier way that doesn't involve learning how to hex edit
This requires you to be rooted and have busybox installed, which you should have but you can grab busybox installer from the market if not.
Backup the contents of the /efs folder on the phone first!!! Save your backups for at least 11.5 years.
From your computer, open an adb shell to your phone with the command:
Code:
adb shell
Then paste all the following commands into the shell window at once, in other words, one big cut n paste:
Code:
su
cd /sdcard
echo "this takes about 45 seconds"
# keep one pristine copy of the original on the sdcard (only made the first time)
if [ ! -f /sdcard/nv_data.bin.orig ]; then
echo "copying file to /sdcard"
cp /efs/nv_data.bin /sdcard/nv_data.bin.orig
fi
# out0 is a single 00 byte; it goes in at 0x181469 and at 0x18150e
echo -en \\x00 > out0
# 0x181469 = 1578089: that many bytes come before the first flag byte
dd if=nv_data.bin.orig of=out1 bs=1 count=1578089
# 0x18150e = 1578254, so 164 bytes lie between the two flag bytes
dd if=nv_data.bin.orig of=out2 bs=1 skip=1578090 count=164
# everything after 0x18150e is kept as it was
dd if=nv_data.bin.orig of=out3 bs=1 skip=1578255
cat out1 out0 out2 out0 out3 > nv_data.bin.unlocked
rm out0 out1 out2 out3
rm /efs/nv_data.bin
cp nv_data.bin.unlocked /efs/nv_data.bin
rm /efs/nv_data.bin.md5
reboot
Wait 45 seconds for the whole process to complete.
That's it! Your phone will reboot and it's carrier unlocked!
If you can't get internet access with your new SIM its because you haven't set the APN for this carrier. For the settings you need, Google "APN setting your_carriers_name_here" and put those settings in
Settings->Wireless->Mobile Networks->Access Point Names and then select it. Done!
A little off topic here, in reference to your official unlock process....
did you have to put in AT&T's network settings before you entered your unlock code? I'm only asking because tech support had no solution for why my unlock codes doesn't work.
leftbrain said:
A little off topic here, in reference to your official unlock process....
did you have to put in AT&T's network settings before you entered your unlock code? I'm only asking because tech support had no solution for why my unlock codes doesn't work.
No, it's not related. Your code is compared to the data stored on the phone for a match. Nothing more. I really think they screwed up an IMEI digit when requesting your code.
You were right about the imei #, tmobile is resending the unlock code now... thanks so much!
Code:
0x18150e change this one byte from 01 to 00
On my pristine T-Mo US tab this one is already 00. Are you sure you haven't accidentally swapped the values?
Volker1 said:
Code:
0x18150e change this one byte from 01 to 00
On my pristine T-Mo US tab this one is already 00. Are you sure you haven't accidentally swapped the values?
I just double checked, and it's correct for my files. So there's a good chance this may not work for you (or anyone else) until we can compare more files.
It works! I did make all changes except the one at 0x18150e, that is:
Code:
0x180069 to 0x1800ce: change all these bytes from the values they are to ff
0x181469: change this one byte from 01 to 00
0x18150e: left this byte at 00
This unlocked my tab; I just sent myself a text message with a German SIM card.
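The two posts above between them give the whole edit: the byte at 0x181469 and the byte at 0x18150e are the lock flags (01 locked, 00 unlocked, as the later replies confirm), and Volker1 additionally filled 0x180069..0x1800ce with ff. The following is an added example, not rotohammer's or Volker1's code: a small patcher that applies those edits to a copy of nv_data.bin rather than to the live /efs file, refuses a file too short to contain the offsets, refuses to touch a flag byte that is not already 00 or 01 (the sign that the layout differs from the Tabs compared here, which is exactly the "compare more files" question in the thread), and prints every offset that changed so you can confirm nothing else did. The ff fill is off unless asked for. Back up /efs before copying the result over, as the post says.

```python
"""Apply the nv_data.bin SIM-lock edits from this thread to a copy of the file.

Added example, not rotohammer's or Volker1's code. It never writes the live
/efs file; copy the result there yourself after backing /efs up. The offsets
are the ones posted in the thread and are assumed to hold for your firmware
only if the flag bytes already contain 00 or 01.
"""
from pathlib import Path
from typing import Dict, Tuple

# both bytes 01 = SIM locked, both 00 = unlocked (what the posts above found)
LOCK_FLAG_OFFSETS = (0x181469, 0x18150E)
# Volker1 additionally set 0x180069..0x1800CE (inclusive) to FF
FF_RANGE = (0x180069, 0x1800CE + 1)


def patch_nv_data(data: bytes, unlock: bool = True, fill_ff: bool = False) -> bytes:
    """Return a patched copy of the nv_data.bin contents.

    unlock=True writes 00 to both flag bytes; unlock=False writes 01 back,
    which is how rotohammer got the unlock prompt to reappear. Raises
    ValueError if the file is too short or a flag byte holds something other
    than 00/01, i.e. the layout is not the one this thread compared.
    """
    needed = max(LOCK_FLAG_OFFSETS) + 1
    if len(data) < needed:
        raise ValueError(f"file is {len(data)} bytes, need at least {needed}")
    buf = bytearray(data)
    for off in LOCK_FLAG_OFFSETS:
        if buf[off] not in (0x00, 0x01):
            raise ValueError(f"byte {buf[off]:02x} at {off:#x} is not a lock flag; layout differs")
        buf[off] = 0x00 if unlock else 0x01
    if fill_ff:
        start, end = FF_RANGE
        buf[start:end] = b"\xff" * (end - start)
    return bytes(buf)


def diff_offsets(before: bytes, after: bytes) -> Dict[int, Tuple[int, int]]:
    """Every offset where the two files differ, with (old, new) bytes: the
    check rotohammer did by hand between his original and unlocked files,
    so you can confirm that nothing outside the intended bytes changed."""
    if len(before) != len(after):
        raise ValueError("files differ in length; a patch must never do that")
    return {i: (x, y) for i, (x, y) in enumerate(zip(before, after)) if x != y}


def patch_file(src: Path, dst: Path, **kwargs) -> Dict[int, Tuple[int, int]]:
    """Patch src into dst (a copy, never /efs itself) and return what changed."""
    original = src.read_bytes()
    patched = patch_nv_data(original, **kwargs)
    dst.write_bytes(patched)
    return diff_offsets(original, patched)


if __name__ == "__main__":
    import sys
    changed = patch_file(Path(sys.argv[1]), Path(sys.argv[2]))
    for off, (old, new) in sorted(changed.items()):
        print(f"{off:#08x}: {old:02x} -> {new:02x}")
```

Usage is `python nv_patch.py nv_data.bin.orig nv_data.bin.unlocked`; on a file where 0x18150e is already 00, as on Volker1's and the pristine T-Mo US Tab, the diff it prints is the single byte at 0x181469, which is the result the thread reports.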
Volker1 said:
It works! I did make all changes except the one at 0x18150e, that is:
Code:
0x180069 to 0x1800ce: change all these bytes from the values they are to ff
0x181469: change this one byte from 01 to 00
0x18150e: left this byte at 00
This unlocked my tab; I just sent myself a text message with a German SIM card.
Sweet, I reverted BOTH those bytes to 01 and I got the unlock prompt on next boot. So you ended up with 00 in both those bytes too?
So if I follow these steps on my t-mobile tab, and then I insert my att sim, I'll be getting edge with it, right?
Sent from my SGH-T849 using XDA App
calin75 said:
So if I follow these steps on my t-mobile tab, and then I insert my att sim, I'll be getting edge with it, right?
Sent from my SGH-T849 using XDA App
Yes indeed.
A bit off topic... are we thinking that ATT's Tab will be euro-firmware flashable - giving us access to ATT's 3G network and the ability to make voice calls?
rotohammer said:
Sweet, I reverted BOTH those bytes to 01 and I got the unlock prompt on next boot. So you ended up with 00 in both those bytes too?
Yes, I ended up with both 0x181469 and 0x18150e equal to 00.
Seems like both 00 = no SIM lock, both 01 = SIM lock.
Just as soon as I can track down a firmware backup for my Bell Canada (850/1900) unit, I'll be trying the Euro firmware.
But I bet ya money that AT&T is doing the same thing T-Mobile is doing, and locking out the IMEI numbers of their tabs from voice services. Which means you'll likely need to import a Bell or Rogers unit, or spoof your IMEI (not something I'd recommend).
Croak said:
Just as soon as I can track down a firmware backup for my Bell Canada (850/1900) unit, I'll be trying the Euro firmware.
But I bet ya money that AT&T is doing the same thing T-Mobile is doing, and locking out the IMEI numbers of their tabs from voice services. Which means you'll likely need to import a Bell or Rogers unit, or spoof your IMEI (not something I'd recommend).
Sadly, I think you are going to be right.
I am keeping my eyes open on the Bell version to see how it will work with the euro firmware .
How did you get T-mobile to send a code? They tell me they can't do it yet.
Also, will this be usable as a phone if unlocked? At least abroad? I'm off to egypt, probably to use vodafone service.
Thanks!
Kevin
bookmarking this for when i get my Tab!
kevinsneel said:
How did you get T-mobile to send a code? They tell me they can't do it yet.
Also, will this be usable as a phone if unlocked? At least abroad? I'm off to egypt, probably to use vodafone service.
Thanks!
Kevin
I paid full price, and then called them to explain I'm entitled to the unlock code. I had to fax my receipt to their SIM Unlock Team.
Unlocked means you can get internet via a different carrier's SIM card. This doesn't give you phone capability, as they crippled the software, regardless of the SIM inserted.
kevinsneel said:
How did you get T-mobile to send a code? They tell me they can't do it yet.
Also, will this be usable as a phone if unlocked? At least abroad? I'm off to egypt, probably to use vodafone service.
Thanks!
Kevin
So when are you going to Egypt, Kevin? Are you going to Cairo too?
@wawoox: Yes, we go to Cairo, Luxor, and Aswan. I'd rather not publicize the dates on the web, however .
@rotohammer: Funny, I talked to them on phone and via chat and had no luck (slightly different answers from both, but neither said they even saw a mechanism yet). I assume by full price you mean $600, not the $700 unlocked price we see elsewhere? I too paid the $600, but I didn't mention it, thinking they'd know that; I assumed they treated the $600 as itself a discount. I guess I'll have to mention it and ask them to talk to that group. Thanks!
kevinsneel said:
@rotohammer: Funny, I talked to them on phone and via chat and had no luck (slightly different answers from both, but neither said they even saw a mechanism yet).
When I talked to them, I made it clear I paid the full unsubsidized price, then asked them, "so I am entitled to the unlock, right?" All 4 customer service agents I spoke to said "yes". Now, the first two attempts by them failed; the third, where I was told to fax my receipt to them, worked. It's odd that I had to spend 3 days to do this, but I got what I was entitled to.
I paid $600.
Whilst spending more endless hours attempting to root my Wildfire, I have noticed that if I push mtd0 to the sdcard as mtd0.img, and then use HxD to edit it as though to use flash_version (I was thinking: I wonder if it's possible to spoof supercid 111111?), so after backing up the original I filled the entire file full of 1's (I tried 0's first; the error message tells me if I could force 0's this may be a good thing???) and flashed misc.
On entering hboot, when it checks the sdcard a load of 1's came up before anything else, so I repeated the experiment with stars (*), and *'s is what hboot saw.
I'm thinking of the possibility of some kind of alternate boot or maybe a command (fastboot oem unlock, or fastboot erase hboot) or something along those lines. Tried modifying the first line, but it still came up as *'s, so it's somewhere else in the file, possibly where the version goes, but the version doesn't usually show up on the sdcheck, does it?
Experiments continue
Keep up the experiments!
Thanks!
keep up doing it, you are great
thousands of people hope this work in the future...
i think unrevoked is not doing anything now
we r 4 months from 2.2....
Any more luck? How is this getting on?
dannyjmcguinness said:
Whilst spending more endless hours attempting to root my Wildfire, I have noticed that if I push mtd0 to the sdcard as mtd0.img, and then use HxD to edit it as though to use flash_version (I was thinking: I wonder if it's possible to spoof supercid 111111?), so after backing up the original I filled the entire file full of 1's (I tried 0's first; the error message tells me if I could force 0's this may be a good thing???) and flashed misc.
On entering hboot, when it checks the sdcard a load of 1's came up before anything else, so I repeated the experiment with stars (*), and *'s is what hboot saw.
I'm thinking of the possibility of some kind of alternate boot or maybe a command (fastboot oem unlock, or fastboot erase hboot) or something along those lines. Tried modifying the first line, but it still came up as *'s, so it's somewhere else in the file, possibly where the version goes, but the version doesn't usually show up on the sdcheck, does it?
Experiments continue
I tried this a week ago and it does not seem to work :S
The CID version is in the "ro.cid" prop. Change the CID on mtd0, flash it and then try a "getprop ro.cid".
Of course, you'll get the original CID, not the supercid. You cannot change these properties (ro.secure is another one, the ONE that prevents us from writing on system, etc.)
I think these properties are read-only and are loaded into the system from the hboot at boot time.
I managed to change the default.prop on "/" from ro.secure=1 to ro.secure=0, but every time you reboot your phone this file goes back to ro.secure=1, so I think hboot reloads every file and prop needed for their security lock at boot.
I repeat, even with root access you won't change a single property with "ro." before it.
Not a single one.
Sorry guys, we'll have to wait more...
For more information about the process read my post: http://forum.xda-developers.com/showthread.php?t=1042077
As you can see, no one has answered yet so I think this is useless...
Looks promising!
Sent from my HTC Wildfire using XDA App
Think I've discovered a bit more; I'm absolutely positive that this is the way forward. Problem is not enough people seem interested in this post.
It would appear that this can be used to issue a boot message, so please share your knowledge on what you know of boot messages, because I'm pretty sure a boot message could be used to override certain parameters.
Please people, if you read this, HELP ME OUT
I know what you are talking about, and I think that might help you:
http://runtimeworld.com/2011/04/a-complete-list-of-hboot-commands/
I could work with you on this, PM me if you are interested
edit: this command has 8 letters (like cidnum):
writemid // write model ID
The best thing you've found. I'm feeling like we'll root the Wildfire before unrevoked.
It'll be good if we do it ourselves, as unrevoked has tried hard but not succeeded due to the heavy lock of hboot. If there is luck and the ability to do it, we can do it.
I don't have much knowledge of Linux and Android, else I would have joined to root the Wildfire with you all.
Best of luck for rooting and make sure not to brick the phone.
God, I must follow this post.
Thanks for your hard work.
Sent from my HTC Wildfire using XDA App
Maybe you'll find something interesting there
tjworld.net/wiki/Android/HTC/Vision/HbootAnalysis
sry, can't add urls i'm new
ejnreon said:
Maybe you'll find something interesting there
tjworld.net/wiki/Android/HTC/Vision/HbootAnalysis
sry, can't add urls i'm new
Can't be THAT new if you joined in 2009 :L