While in bootloader, need to save existing ROM, but don't know how to dump it.
r2sd seems to be removed. Any other commands or substitutions?
regards,
fdp24
Please,
do post exactly how to remove the CID lock, as I urgently need to reflash my device.
Regarding your how-to on dumping your ROM, sorry, I haven't heard of a complete way!
Regards
Use aWizard
I think it's very dangerous to restore a ROM with aWizard. High risk of a crash!!!
Does the Artemis bootloader have the rbmc command? If yes, you can use it to dump the ROM from the bootloader.
The Artemis bootloader has no rbmc command, so you can't use the rbmc command to back up its ROM!!
commands
I posted commands, which I found.
http://forum.xda-developers.com/showthread.php?t=285112
When you execute password XXXXXXXX
it says:
Cmd>password
Usage:
password [String]
Enter the password string to enable wdata, erase and rbmc functions.
But I could not get rbmc working
Hi all. I dumped the OS and Radio from my Artemis using the aWizard program. Now I have 2 files: OS.nba and Radio.nba. Can I upload these versions on the same Artemis, and how can I do it? Maybe another program, not aWizard?
Have you done something with the ROM???
Well, this is just my second HTC device.. But has anybody ever wondered why information on creating HardSPL and stuff is seeded so sparsely? We're just waiting until olipro, cmonex (bless their work!!!) or some other mod finishes the Hard-SPL.
If this is illegal talk or something, then just delete my thread..
I find this an interesting topic.. So why not collaborate with each other and report status on this, so that we eventually could hack something together..? At least for the sake of interest.. I have always liked hacking embedded devices, but my knowledge in these things is not so good. I would like to dig more into this and solve this kind of mystery.
I have found interesting bits of information at the following places:
http://wiki.xda-developers.com/index.php?pagename=Wizard_ROM_Layout
http://forum.xda-developers.com/showthread.php?t=334667
http://www.xs4all.nl/~itsme/projects/xda/tools.html
http://wiki.xda-developers.com/index.php?pagename=SPL%20Questions%3F
http://forum.xda-developers.com/showthread.php?t=501871
The first step seems to be extracting the stock SPL.. I read something about pmemmap, a tool to show the memory map of the phone, and pmemdump, a tool to dump memory areas of the phone to disk.
This raises the question of how to find out the address where the SPL lies in our LEOs, and then how to dump it.
If there are any constructive comments on this, everybody is invited to add his thoughts here, or point out the right way.
Update:
SPL seems to be dumped, credits go to cmonex. - Now it's time to investigate further steps. Currently looking into it.
Okay.. You can read the SPL from your LEOs with the following command:
pmemdump 0x8ff00000 0x80000 dump.bin
But I have attached it here for your convenience.
Update 2:
For all those people that are curious about the technical background behind SPL hacking, I am giving an update of my research now (of course cmonex will finish that work, and she will do it well, but as you probably know, I want to get into that kind of stuff):
I managed to get an MFG SPL (the SPL that isn't shipped with stock ROMs and that is used by HTC to debug) now. This type of SPL is needed to do any further steps regarding flashing Hard-SPL.
This may not be complete or even correct, so if you have any information to add, please share it with us.
As far as I understand, the rough procedure now would be to relocate the SPL and its .data section in RAM (that means all the data referenced by code) to a new address. This is needed because the address where the SPL and its data section lie now is protected by the MPU (Memory Protection Unit?), which is set up by the radio bootloader, which is running on another CPU (the ARM9). Every write there will lead to nowhere, and as our SPL executed it would crash because of missing data. This is why we need to relocate our SPL to a new address by changing all the hard-coded references to data (such as strings etc.) in the code.
I need someone to comment on the process of changing all the hard coded addresses to another one. I don't know how to do it yet.
If this is done and all code runs well (there could be further glitches, such as the NAND write/read issue - please comment on that) we would use JumpSPL to load our SPL in RAM into an unused address and execute it. This would give us all the tools needed for flashing HSPL.
I have attached a copy of the MFG SPL I obtained (if this is against any rules, please remove it) together with an analysis in IDA32, which I just made (for the lazy ones).
It would be nice, if we could get some further info here.
Btw.: I found this funky stuff on the PSAS forum. It is a tool that actually simulates an ARM processor and lets you step through the instructions. Really nice if you want to understand what's going on.
If you want to flash another language ROM to your HTC device you can go here. Please don't use this thread for such requests. Let's keep it about SPL talk. Thanks.
Thanks for sharing this information with the community.
Feel free to investigate and have a go at it.
The itsme utils are extremely useful.
You could also read the posts from Pof, Des, jockeyw2001 regarding this subject.
After you've got your SPL, you can read Jockyw2001's posts regarding bootloader disassembling in IDA Pro.
The actual patching of the SPL isn't the hardest part; Cmonex once said that the development of the Soft SPL was the trickiest part.
Regards, and good luck.
EqX
Thank you.. I will have a go at it when I have more time. It's over for today..
Very interesting thread. I would like to know how they are trying to hack the SPL. With due respect to Olinex, we rely on them, but there must also be people around who can give a hand to accelerate the process. No?
On a related note, I tried to make my HD2 SuperCID without using QMAT so that I could flash the WWE official ROM...
I followed these steps and I got to the Ad.7) part where I needed to run this command:
perl typhoonnbfdecode.pl -p cardid=<cardid> -p keys=tornado -p seclevel=0 -d goldcard.img
When I hit enter I get this message:
C:\itsutilsbin>perl typhoonnbfdecode.pl -p cardid=008500 7b9394eb000000000000000000 -p keys=tornado -p seclevel=0 -d goldcard.img
Can't locate XdaDevelopers/NbfUtils.pm in @INC (@INC contains: C:/Perl/site/lib C:/Perl/lib .) at typhoonnbfdecode.pl line 81.
BEGIN failed--compilation aborted at typhoonnbfdecode.pl line 81
If anybody can point me in the right direction or tell me what I am doing wrong, I would be very grateful.
mr.vandalay said:
On a related note, I tried to make my HD2 SuperCID without using QMAT so that I could flash the WWE official ROM...
I followed these steps and I got to the Ad.7) part where I needed to run this command:
perl typhoonnbfdecode.pl -p cardid=<cardid> -p keys=tornado -p seclevel=0 -d goldcard.img
When I hit enter I get this message:
C:\itsutilsbin>perl typhoonnbfdecode.pl -p cardid=008500 7b9394eb000000000000000000 -p keys=tornado -p seclevel=0 -d goldcard.img
Can't locate XdaDevelopers/NbfUtils.pm in @INC (@INC contains: C:/Perl/site/lib C:/Perl/lib .) at typhoonnbfdecode.pl line 81.
BEGIN failed--compilation aborted at typhoonnbfdecode.pl line 81
If anybody can point me in the right direction or tell me what I am doing wrong, I would be very grateful.
Did you install ActivePerl?
Yes, however now I see that the packages Crypt-DES and XdaDevelopers-NbfUtils are not installed and I can't find them...
I select "all packages" but I can't find those two, and I tried adding repositories but it doesn't download anything.
Can I somehow add them manually?
mr.vandalay said:
Yes, however now I see that the packages Crypt-DES and XdaDevelopers-NbfUtils are not installed and I can't find them...
I select "all packages" but I can't find those two, and I tried adding repositories but it doesn't download anything.
Can I somehow add them manually?
You need to use the exact version of ActivePerl as stated on that page and you must use Windows.
You should also know that you can't use this goldcard image for your LEO with the typhoon option. This is for another HTC device.. If you look into that .pl file you'll see that there is no entry for LEO. We need the LEO key.
I replied to your PM about dumping SPL 0x95000000
mr.vandalay said:
On a related note, I tried to make my HD2 SuperCID without using QMAT so that I could flash the WWE official ROM...
I followed these steps and I got to the Ad.7) part where I needed to run this command:
perl typhoonnbfdecode.pl -p cardid=<cardid> -p keys=tornado -p seclevel=0 -d goldcard.img
When I hit enter I get this message:
C:\itsutilsbin>perl typhoonnbfdecode.pl -p cardid=008500 7b9394eb000000000000000000 -p keys=tornado -p seclevel=0 -d goldcard.img
Can't locate XdaDevelopers/NbfUtils.pm in @INC (@INC contains: C:/Perl/site/lib C:/Perl/lib .) at typhoonnbfdecode.pl line 81.
BEGIN failed--compilation aborted at typhoonnbfdecode.pl line 81
If anybody can point me in the right direction or tell me what I am doing wrong, I would be very grateful.
Sorry, this will never work on Leo. I can make the goldcard for you, though (for a small donation).
Thanks a lot, cmonex, for your PM. I hope to flash my Holland device onto a WWE device, to better understand it.
Just wondering, based on this, is it possible for me to flash my O2-branded device with the stock WWE ROM?
Tung_meister said:
Just wondering, based on this, is it possible for me to flash my O2-branded device with the stock WWE ROM?
Yes, it should be.
Umh... I can't dump... I'm wondering... why?
If I enter "pmemdump 0x95000000 0x80000 spl.nb" I get a 0-byte file, but if I don't enter the file name I see the errors that it gets.
Anyway, this is what I'm getting:
Code:
G:\itsutilsbin>pmemdump.exe 0x95000000 0x80000
ERROR: ITReadProcessMemory - Invalid access to memory location.
95000000: * * * * *
ERROR: ITReadProcessMemory - Invalid access to memory location.
ERROR: ITReadProcessMemory - Invalid access to memory location.
ERROR: ITReadProcessMemory - Invalid access to memory location.
ERROR: ITReadProcessMemory - Invalid access to memory location.
ERROR: ITReadProcessMemory - Invalid access to memory location.
ERROR: ITReadProcessMemory - Invalid access to memory location.
ERROR: ITReadProcessMemory - Invalid access to memory location.
Can someone help?
kholk said:
Umh... I can't dump... I'm wondering... why?
If I enter "pmemdump 0x95000000 0x80000 spl.nb" I get a 0-byte file, but if I don't enter the file name I see the errors that it gets.
Anyway, this is what I'm getting:
Can someone help?
You're not the only one. Currently working it out with cmonex.
Just wanna say that cmonex helped me and I just flashed the WWE ROM on my German HD2.
mr.vandalay said:
Just wanna say that cmonex helped me and I just flashed the WWE ROM on my German HD2.
Welcome to the club of Dutch ROM refugees.
cmonex helped me and I just finished flashing my NEW WWE ROM.
Thank you mate.
To all who want to flash now, get in touch with this guy; he is going to help you really fast.
cidriver said:
cmonex helped me and I just finished flashing my NEW WWE ROM.
Thank you mate.
To all who want to flash now, get in touch with this guy; he is going to help you really fast.
She.. She's female!
I flashed a ROM yesterday: RUU_Vision_hTC_Asia_HK_CHT_1.34.708.3_Radio_12.28b.60.140e_26.03.02.18_M2_release_154602_signed.exe
Software ver.: 1.34.708.3
Today I wanted to flash back to the Villian ROM..... but then found that the bootloader has already returned to S-ON.
So I tried the normal way to make it S-OFF. Mine is the Desire-Z HK version. So I used the wpthis-Z.ko and hbooteng.img (as taught by someone in the forum here) to run.
Everything goes fine until "insmod /data/local/wpthis-Z.ko". It came out as "Failed - exec format error". Then the result is still S-ON.
I also tried wpthis-pre-OTA.ko and wpthis-OTA.ko just to take a bet, but the result still failed - exec format error.
No idea which step or files went wrong........
Can anyone teach me how to correct this? I would really love to go back to the Villian ROM.
Use the new Uber-root method - http://forum.xda-developers.com/showthread.php?t=857390
You don't need to put that eng hboot on any more, unless you really want to (you'll still be able to flash custom ROMs without it, because you'll still have S-OFF).
Thanks Stevie.... but I still have a problem using this method:
1) It said "unzip the file into any directory". Would that be a directory on the PC or the sdcard?
2) I have followed the code instructions exactly, but when I get to the "./gfree" step, it returns a lot of parameters which I have no idea what they mean..... And the result is -
"Patching and backing up partition 7...
Error opening copy file
#"
Did I do something wrong?
manleyfu said:
Thanks Stevie.... but I still have a problem using this method:
1) It said "unzip the file into any directory". Would that be a directory on the PC or the sdcard?
2) I have followed the code instructions exactly, but when I get to the "./gfree" step, it returns a lot of parameters which I have no idea what they mean..... And the result is -
"Patching and backing up partition 7...
Error opening copy file
#"
Did I do something wrong?
I think I found the reason for being unsuccessful......
Just found from another thread and realized that I had missed one very, very important step: make sure your computer is not mounting your phone's sdcard - I did not see this remark in qpop's instructions....
Thanks Stevie again for the first hint. Without this hint I would not have been able to learn this.....
Can anyone help me unlock my T-Mobile Galaxy for the network pass code key, to use it with a different service..... maybe with the USB cord way first?
helroz said:
Keep the backup, as a safety measure.
If you have Froyo on your phone, the only solution (or Samsung for repair):
http://perso.numericable.fr/helroz/Perso/repair_nv_data.zip
This method reads the information in your bad nv_data.bin (IMEI, model, product code) and inserts it into a new nv_data.bin (SIM unlocked).
After this new nv_data.bin (SIM unlocked, with your information) is inserted in your phone, at restart your phone creates nv_data.bin.md5, and the batch file creates .nv_data.bak and .nv_data.bak.md5 and saves your new efs folder.
Your phone is unlocked.
It's possible to do this on Froyo but it's not advised and not really tested (I repair the codes at the same time, but at the first start Froyo changes the codes to FFFFFFFF).
Thanks to Mikiya on Frandroid for making "Reparation_nv_data.jar" at my request.
Thanks to vnamee for detailed instructions:
Just did this on my phone and it works great. The SGS unlock tool gave me a number that did not work no matter what firmware I used. Here are the steps to perform the unlock.
You will need root and busybox and something to edit the root, such as Root Explorer or ADB. You will need Java on your PC as well.
1) Copy the EFS folder with Root Explorer or ADB to back it up
2) In /efs, delete:
nv_data.bin.md5
.nv_data.bak
.nv_data.bak.md5
nv_data.JPC (you may not have this)
nv_data.JPC.md5 (you may not have this)
.nv2.bak
.nv2.bak.md5
3) Reboot your phone and navigate to /efs to see if nv_data.bin.md5 is created. If it is, you are good to go. If you go there right after the phone boots, it may not have been created yet.
4) Put your phone in USB debug mode and connect via USB to computer.
5) Run step 2.bat (this will extract nv_data.bin to your computer)
6) Run reparation_nv_data.jar (I guess you just enter any 8 digit number in the boxes that will be your unlock code. I had entered '00000000' and SGS unlock couldn't find anything afterward, so I'm not sure if this number will be needed at any point in the future. This will edit the nv_data.bin).
7) Run Step 4.bat (this will upload the files to your phone. Make sure the phone is on and when you run it, make sure to keep pressing 'allow' so the program has root access to push the files to your root).
8) After this is done, you can answer 'n' if there were no errors and it should reboot your phone. Phone should be unlocked.
The phone must have nv_data in the /efs folder, with all firmware; if at start you don't have nv_data, the phone creates it, but a generic one with no IMEI.
here is the thread for that, http://forum.xda-developers.com/showthread.php?t=822008
Or the simple way, use this app to unlock
https://market.android.com/details?id=com.helroz.galaxysunlock&feature=search_result
Make sure you read through the instructions.
Check here
You should check here; it helped me unlock my phone last week.
http://forum.xda-developers.com/showthread.php?t=761045
It was confusing at first for me, but it was pretty simple. All the instructions are there; if you have any problems you can leave a post and someone will help out.
I just used this application, worked fine. I rooted my phone first just to let you know.
https://market.android.com/details?id=com.clarkehackworth.SamsungGalaxySUnlock&feature=search_result
iynfynity said:
here is the thread for that, http://forum.xda-developers.com/showthread.php?t=822008
This method helped me unlock my phone when the SGS unlocker failed to extract the unlock code. It kept saying "unlock codek". The above method may be a little tricky for beginners; first back up your efs folder and try it.
MilkPudding said:
Or the simple way, use this app to unlock
https://market.android.com/details?id=com.helroz.galaxysunlock&feature=search_result
Make sure you read through the instructions.
This didn't work for me.
m4r10 said:
This didn't work for me.
Ya it won't work if you didn't read through the instructions.
If you are running 2.3.3 on your HTC EVO 4G, this method will gain you access to system and root files. This is not exactly root, but I am trying to figure out if it would be possible to manually replace hboot using my method. I was able to root my evo, but same method I am trying doesn't seem to work on my wife's phone.
STEPS:
01. Format your SD card to FAT32. Please keep in mind some brands of SD cards do not work.
03. Download "SD Tools" from the Android Market.
04. Copy the SD card CID code after installing "SD Tools".
05. Reverse the SD card CID code. ie "123456789" should be written as "987654321"
06. Go here to generate your goldcard.
07. Enter your email. For the correct SD card CID code, you need to replace the first 2 characters with 00.
Example: From “532600bd227d9c0347329407514d5402” to “002600bd227d9c0347329407514d5402”
08. Click Continue and you will receive the goldcard.img in .zip format in your email.
09. Go to your email, download the zip file and save it to a directory and unzip it to goldcard.img
10. Download HxD Hex Editor from here
11. Install and launch HxD Hex Editor program. (make sure you use "Run as Administrator" under Vista and win 7)
12. Go to Extra tab > Open Disk. Under Physical disk, select Removable Disk (must be your SD card), uncheck "Open as Readonly", click OK.
13. Go to Extra again, Open Disk Image, open up goldcard.img which you’ve saved/unzipped earlier.
Now, you should have two tabs, one is your removable disk, the other is goldcard.img. Press OK when prompted for “Sector Size” 512 (Hard disks/Floppy disks), click OK.
14. Click on goldcard.img tab. Go to Edit tab > Select All, edit tab again > copy.
15. Click on the “removable disk” tab. Select offset 00000000 till offset 00000170 (including the 00000170 line), click on Edit tab and then Paste Write.
16. Click on File > Save. Now you can exit the program.
17. Reboot your phone with this SD Card (now GoldCard) inside
You should now be able to use a file explorer like ASTRO to browse around in system, lib, sbin, framework, xbin, etc.
So what are you able to do with your temp root? How long does it last (till reboot, or one shot)?
Correct me if I'm wrong, but I'm pretty sure you can browse through the folders you listed without going through any of the steps you listed.
roids87 said:
Correct me if I'm wrong, but I'm pretty sure you can browse through the folders you listed without going through any of the steps you listed.
I was thinking that as well but wasn't sure.
roids87 said:
Correct me if I'm wrong, but I'm pretty sure you can browse through the folders you listed without going through any of the steps you listed.
You are correct.
So I did this and I got to a bootloader error via RUU. One small step closer.
leo72793 said:
So I did this and I got to a bootloader error via RUU. One small step closer.
I think you're talking about the error you get when you try to downgrade, i.e. 2.3 to 2.2.
Anyway, OP, did you see this post?
http://forum.xda-developers.com/showthread.php?t=883548
Maybe the info can be used to edit 2.16 to look like 2.10, if your method allows for hboot writes.
leo72793 said:
So I did this and I got to a bootloader error via RUU. One small step closer.
That's about where I got an RUU error message. You are right, it was one step closer. But now I am getting a signature error. Before, I could not even get past reboot to bootloader.
{ParanoiA} said:
I think you're talking about the error you get when you try to downgrade, i.e. 2.3 to 2.2.
Anyway, OP, did you see this post?
http://forum.xda-developers.com/showthread.php?t=883548
Maybe the info can be used to edit 2.16 to look like 2.10, if your method allows for hboot writes.
Yeah, maybe it can be used to fake the 2.10.0001 bootloader as the new one.
{ParanoiA} said:
I think you're talking about the error you get when you try to downgrade, i.e. 2.3 to 2.2.
Anyway, OP, did you see this post?
http://forum.xda-developers.com/showthread.php?t=883548
Maybe the info can be used to edit 2.16 to look like 2.10, if your method allows for hboot writes.
I did see that, but that method requires S-off. Our S is on at this time... BUMMER.
Should probably remove TEMPROOT from the topic, since indeed, there is no temproot.
Ehh, I see the WIP tag.. whoops. I guess, good luck, but I think this has been tried.
cheers.
Well, since you've got the goldcard made, could you by any chance put a PC36IMG.zip of the 3.70.651.1 Froyo build with all the stuff it needs and downgrade that way? Kinda like what the Inspire hack kit does.
frickinjerms said:
Well, since you've got the goldcard made, could you by any chance put a PC36IMG.zip of the 3.70.651.1 Froyo build with all the stuff it needs and downgrade that way? Kinda like what the Inspire hack kit does.
Here is a link to the 3.70 zip file:
http://goo-inside.me/supersonic/ruu...15.00.11.19_NV_1.90_release_161482_signed.zip
Don't forget to rename it PC36IMG.zip and place on the root of the card.
So OP, you were able to go from never rooted with 2.3.3 (4.24 S-ON) to being rooted using the exact instructions you posted?
OP is just trolling us again. He did the exact same **** a few weeks back:
http://forum.xda-developers.com/showthread.php?t=1169387
Nick N said:
Here is a link to the 3.70 zip file:
http://goo-inside.me/supersonic/ruu...15.00.11.19_NV_1.90_release_161482_signed.zip
Don't forget to rename it PC36IMG.zip and place on the root of the card.
Well, now we just need someone willing to take the plunge.
frickinjerms said:
Well, now we just need someone willing to take the plunge.
I tried this using steps from the "Downgrade" section located here:
http://androidforums.com/desire-hd-...b-build-downgrade-1-32-405-6-easy-follow.html
...but I got the "failed, older version" message when using the 3.70 PC36IMG.zip.
Wow, this guy is 2 for 2 on trolling.
People, no need to be so gullible. If any kind of usable root is achieved all you need to do is install a terminal app on your phone and type "su" at the prompt to test. Also need USB debugging enabled in phone settings...
Sent from my PC36100 using XDA Premium App