FireTV stick2 (tank) - DirtyCow/Kingroot/Kingoroot exercises : - Fire TV General

The device came with the original version of Fire OS 5.2.2.0 (555164120) - (ro.build.date=Fri Aug 19 06:41:23 UTC 2016 --- DirtyCow potential ???). The device demands network immediately, no way to bypass (some discussion on bypassing here). Then, after this Amazon connection it immediately checks for updates. Mine did so, and started to download the update.
After that comes Amazon account sign in, and finally one can turn on ADB. The way to avoid the FireOS update & buy time is to limit the bandwidth for the stick & the router, I've limited mine to 40 kbit/s. It complained that Home could not be loaded, and other screens are blank as well. But I got a bit of time to play with it via wireless ADB.
Wireless ADB allows reboot to recovery, but there are no options there at all. It states that the device will soon reboot.
Later on I used the Fire 2015 adb drivers, and was able to run wired ADB from a laptop while having stick2 hooked up to a TV for display.
DirtyCow
With DirtyCow, I attempted to replace /system/build.prop with the edited version that would at least prevent the updates as per this link. Unfortunately, none of the dirtycow executables that I found in misc XDA threads seems to work, and the device immediately crashes, and reboots.
Code:
shell@tank:/data/local/tmp $ ./dirtycow3 /system/build.prop ./build.prop_mod
./dirtycow3 /system/build.prop ./build.prop_mod
WARNING: linker: ./dirtycow3: unused DT entry: type 0x6ffffffe arg 0x600
WARNING: linker: ./dirtycow3: unused DT entry: type 0x6fffffff arg 0x1
size 6130
[] mmap 0xb6e62000
[] exploit (patch)
[] currently 0xb6e62000=6220230a
[] madvise = 0xb6e62000 6130
[] madvise = 0 1048576
And crash ...
Kingroot
I've installed the latest Kingroot (NewKingrootV5.0.0_C161_B367_xda_release_2016_11_23_20161123203507_105243.apk) via "adb install kingroot.apk", and managed to run it by doing adb swipes and tabs, and then doing remote click for enter:
Code:
adb shell input touchscreen swipe 50 500 50 100 (swipe up)
adb shell input keyevent 61 (tab)
Kingroot reports rooting successfully, however RootChecker indicates that no SU binaries are installed. No root access in shell either.
Kingoroot
I've tried V3.8, again using adb input commands to navigate the lack of touchscreen. Multiple attempts generate "Download error". So no go ...
I feel that there is still potential with DirtyCow and this FireOS build, but it's not clear on how to proceed. For reference, here is the build.prop file :
Code:
# begin build properties
# autogenerated by buildinfo.sh
ro.build.id=LVY48F
ro.build.display.id=LVY48F
ro.build.version.incremental=288.5.5.5_user_555164120
ro.build.version.number=555164120
ro.build.version.name=Fire OS 5.2.2.0 (555164120)
ro.build.version.fireos=5.2.2.0
ro.build.version.fireos.sdk=4
ro.build.version.fireos=5.2.2.0
ro.build.version.fireos.sdk=4
ro.build.version.sdk=22
ro.build.version.codename=REL
ro.build.version.all_codenames=REL
ro.build.version.release=5.1.1
ro.build.version.security_patch=2016-06-01
ro.build.version.base_os=
ro.build.date=Fri Aug 19 06:41:23 UTC 2016
ro.build.date.utc=1471588883
ro.build.type=user
ro.build.lab126.sign.type=release
ro.build.user=build
ro.build.host=ip-10-11-3-123
ro.build.tags=release-keys
ro.build.flavor=full_tank-user
ro.build.platform.version=
ro.build.configuration=tv
ro.fireos.target.extension=default
ro.fireos.target.product=full_tank
ro.product.brand=Amazon
ro.product.name=full_tank
ro.product.device=tank
ro.product.package_name=com.amazon.tank.android.os
ro.product.board=tank
# ro.product.cpu.abi and ro.product.cpu.abi2 are obsolete,
# use ro.product.cpu.abilist instead.
ro.product.cpu.abi=armeabi-v7a
ro.product.cpu.abi2=armeabi
ro.product.cpu.abilist=armeabi-v7a,armeabi
ro.product.cpu.abilist32=armeabi-v7a,armeabi
ro.product.cpu.abilist64=
ro.product.manufacturer=Amazon
ro.product.locale.language=en
ro.product.locale.region=US
ro.wifi.channels=
ro.board.platform=mt8127
# ro.build.product is obsolete; use ro.product.device
ro.build.product=tank
# Do not try to parse description, fingerprint, or thumbprint
ro.build.description=full_tank-user 5.1.1 LVY48F 288.5.5.5_user_555164120 release-keys
ro.build.fingerprint=Amazon/full_tank/tank:5.1.1/LVY48F/288.5.5.5_user_555164120:user/release-keys
ro.build.characteristics=tv
# end build properties
#
# from device/amazon/tank/system.prop
#
#
# system.prop for generic sdk
#
ro.sf.lcd_density=320
#support opengles 2.0 3.0 is 196608
ro.opengles.version=131072
ro.audio.silent=0
#ACOS_MOD_BEGIN {amazon_audio}
media.aac_51_output_enabled=true
#ACOS_MOD_END {amazon_audio}
# MTK, Infinity, 20090720 {
wifi.interface=wlan0
# MTK, Infinity, 20090720 }
# MTK, mtk03034, 20101210 {
ro.mediatek.wlan.wsc=1
# MTK, mtk03034 20101210}
# MTK, mtk03034, 20110318 {
ro.mediatek.wlan.p2p=1
# MTK, mtk03034 20110318}
# MTK, mtk03034, 20101213 {
mediatek.wlan.ctia=0
# MTK, mtk03034 20101213}
#
wifi.tethering.interface=ap0
#
wifi.direct.interface=p2p0
log.tag.ControllerManagerLogs=DEBUG
# Switching Menu of Mass storage and MTP
ro.sys.usb.storage.type=mtp,mass_storage
# USB BICR function
ro.sys.usb.bicr=yes
# USB Charge only function
ro.sys.usb.charging.only=yes
#smartvolume
ro.smartvolume.config=/system/vendor/smartvolume/tank/
ro.config.notification_sound=Verso.ogg
persist.panel.orientation=0
# maximum backup size for factory reset whitelist in kB
ro.recovery.wl.maxstore=524288
#uart kernel log
persist.sys.uart.klog.enable=n
# wifi rssi->bar thresholds
persist.wifi.rssi.thresholds=-86,-79,-68,-62
# Audio Rotation
ro.audio.monitorRotation=true
#add for 8127 stick as cec playback device type
ro.hdmi.device_type=4
# btremoted control properties
btremoted.decode.enabled=1
btremoted.plc.enabled=1
btremoted.trim_length=40
btremoted.socket=btsco_audiohal
#debug.ignore.search_intent=true
# Netflix
ro.nrdp.modelgroup=FIRETVSTICK2016
#resolution setting is AUTO (1 | 0) == (true | false)
persist.sys.resolution.auto=1
# Performance - Disable dirty region for Mali which improves fluidity
debug.hwui.render_dirty_regions=false
# Disable the shimmer on the left menu and in the 1D lists
# This flag needs to be set in addition to the low performing device setting within the Launcher apk
launcher.focusAnimationEnable=false
# Dalivik flags which optimize the memory for a low Ram device
dalvik.vm.dexopt-flags=v=n,o=v,m=y
dalvik.vm.dex2oat-filter=space
dalvik.vm.image-dex2oat-filter=speed
# HWUI flags which optimize the memory usage for a 1080p low ram devices
ro.hwui.texture_cache_size=45
ro.hwui.layer_cache_size=31
ro.hwui.r_buffer_cache_size=8
ro.hwui.dt_cache_size=200
# Disable the BackupManagerService
# disabling this in addition to taking android.software.backup out of the build is needed to stop BackupManagerService from running
ro.backup.disable=true
# Disable lockscreen by default
ro.lockscreen.disable.default=1
# Skinny process. Saves Dalvik heap space for smaller processes.
# Can save up to 20 MB
dalvik.vm.skpheapgrowthlimit=20m
dalvik.vm.skpheapmaxfree=512k
dalvik.vm.skpheapminfree=128k
dalvik.vm.skpheapstartsize=2m
dalvik.vm.skpheaptargetutil=0.95
#
# ADDITIONAL_BUILD_PROPERTIES
#
ro.com.android.dateformat=MM-dd-yyyy
ro.config.ringtone=Ring_Synth_04.ogg
ro.config.notification_sound=Verso.ogg
ro.carrier=unknown
ro.config.alarm_alert=Alarm_Classic.ogg
ro.build.lab126.buildtype=Nightly
ro.build.lab126.project=full_tank_ship_5220
ro.build.lab126.build=1641
drm.service.enabled=true
mtk_in_house_tee_support=true
ro.mediatek.platform=MT8127
persist.radio.combo.chipid=-1
ro.btstack=default
dalvik.vm.heapstartsize=5m
dalvik.vm.heapgrowthlimit=96m
dalvik.vm.heapsize=256m
dalvik.vm.heaptargetutilization=0.75
dalvik.vm.heapminfree=512k
dalvik.vm.heapmaxfree=2m
ro.mediatek.chip_ver=S01
ro.mediatek.version.release=ALPS.W10.24.p0
ro.textview.marqueedelay=20
debug.log.base.path=/data/debug_service
debug.log.battery.enable=n
debug.log.battery.sleep=60
debug.log.temperature.enable=n
debug.log.temperature.sleep=10
debug.log.thermal_qa.enable=n
debug.log.dmesg.enable=n
debug.log.dmesg.wakeup=0
debug.log.logcat.enable=n
debug.log.coredump.enable=n
persist.debug.wfd.enable=1
ro.mtk_wfd_support=1
ro.mtk_wfd_sink_support=1
ro.mtk_wfd_hdcp_rx_support=1
ro.sf.hwrotation=0
ro.smartvolume.config=/system/vendor/smartvolume/tank/
persist.sys.dalvik.vm.lib.2=libart.so
persist.sys.recovery.batt_level=0
ro.amazon.fosflags=1
persist.sys.ota.verified=unverified
persist.sys.last_verified_build=none
ro.logd.size.vitals=128000
ro.logd.size.metrics=128000
dalvik.vm.isa.arm.features=div
net.bt.name=Android
dalvik.vm.stack-trace-file=/data/anr/traces.txt
And fastboot variables :
Code:
C:\Program Files\Minimal ADB and Fastboot>fastboot getvar all
(bootloader) max-download-size: 134217728
(bootloader) partition-size:userdata: 18869be00
(bootloader) partition-type:userdata: unknown
(bootloader) partition-size:cache: fa00000
(bootloader) partition-type:cache: unknown
(bootloader) partition-size:system: 35c00000
(bootloader) partition-type:system: unknown
(bootloader) partition-size:TEE2: 500000
(bootloader) partition-type:TEE2: unknown
(bootloader) partition-size:TEE1: 500000
(bootloader) partition-type:TEE1: unknown
(bootloader) partition-size:LOGO: 380000
(bootloader) partition-type:LOGO: unknown
(bootloader) partition-size:MISC: 80000
(bootloader) partition-type:MISC: unknown
(bootloader) partition-size:recovery: 1000000
(bootloader) partition-type:recovery: unknown
(bootloader) partition-size:boot: 1000000
(bootloader) partition-type:boot: unknown
(bootloader) partition-size:UBOOT: 100000
(bootloader) partition-type:UBOOT: unknown
(bootloader) partition-size:EXPDB: 1160000
(bootloader) partition-type:EXPDB: unknown
(bootloader) partition-size:DKB: 100000
(bootloader) partition-type:DKB: unknown
(bootloader) partition-size:KB: 100000
(bootloader) partition-type:KB: unknown
(bootloader) secure: yes
(bootloader) kernel: lk
(bootloader) product: TANK
(bootloader) version: 0.5
(bootloader) unlock_status: false
(bootloader) unlock_version: 1
(bootloader) unlock_code: 0x0f9ec595f8011b35
(bootloader) prod: 1
all: Done!!
finished. total time: 0.094s
And fastboot output:
Code:
C:\Program Files\Minimal ADB and Fastboot>fastboot oem get_unlock_data
...
FAILED (remote: the command you input is restricted on locked hw)
finished. total time: 0.016s
C:\Program Files\Minimal ADB and Fastboot>fastboot oem unlock
...
FAILED (remote: the command you input is restricted on locked hw)
finished. total time: 0.000s
C:\Program Files\Minimal ADB and Fastboot>fastboot boot TWRP_Fire5_2.8.7.0.img
downloading 'boot.img'...
OKAY [ 0.266s]
booting...
FAILED (remote: the command you input is restricted on locked hw)
finished. total time: 0.281s
C:\Program Files\Minimal ADB and Fastboot>fastboot oem append-cmdline "androidboot.unlocked_kernel=true"
...
FAILED (remote: the command you input is restricted on locked hw)
finished. total time: 0.016s
C:\Program Files\Minimal ADB and Fastboot>fastboot -i 0x1949 flash unlock unlock_ftv.img
target reported max download size of 134217728 bytes
sending 'unlock' (0 KB)...
OKAY [ 0.016s]
writing 'unlock'...
FAILED (remote: unlock code error)
finished. total time: 0.031s
The unlocking thread for older Fires :
http://forum.xda-developers.com/fire-hd/development/bootloader-unlock-t3129630
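
Added example (not part of the original post): a Python sketch of an inventory-style check over the two dumps above. It parses the build.prop and `fastboot getvar all` text, reports duplicated property keys, and measures how far ro.build.version.security_patch lags a reference patch level. The reference date 2016-11-06 and the reading of secure/unlock_status as "locked" are assumptions; the embedded samples are excerpts of the dumps above.

```python
"""Added example: audit excerpts of the build.prop and fastboot dumps above."""
from datetime import date

# Excerpt of the build.prop posted above (duplicated keys kept as posted).
BUILD_PROP = """\
# begin build properties
ro.build.version.fireos=5.2.2.0
ro.build.version.fireos.sdk=4
ro.build.version.fireos=5.2.2.0
ro.build.version.fireos.sdk=4
ro.build.version.sdk=22
ro.build.version.release=5.1.1
ro.build.version.security_patch=2016-06-01
ro.build.version.base_os=
ro.build.type=user
ro.build.tags=release-keys
ro.product.device=tank
"""

# Excerpt of the `fastboot getvar all` output posted above.
FASTBOOT_VARS = """\
(bootloader) partition-size:system: 35c00000
(bootloader) partition-size:boot: 1000000
(bootloader) secure: yes
(bootloader) unlock_status: false
all: Done!!
"""

# Assumption: patch level taken to carry the DirtyCow fix; confirm it against
# the Android security bulletins before relying on the result.
REFERENCE_PATCH_LEVEL = date(2016, 11, 6)


def parse_build_prop(text):
    """Return (props, duplicates); props keeps the first value seen per key."""
    props, duplicates = {}, {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#") or "=" not in line:
            continue
        key, value = (part.strip() for part in line.split("=", 1))
        if key in props:
            duplicates.setdefault(key, [props[key]]).append(value)
        else:
            props[key] = value
    return props, duplicates


def parse_fastboot_vars(text):
    """Parse '(bootloader) name: value' lines; names may contain ':' themselves."""
    result = {}
    prefix = "(bootloader) "
    for line in text.splitlines():
        if line.startswith(prefix):
            name, sep, value = line[len(prefix):].rpartition(": ")
            if sep:
                result[name] = value.strip()
    return result


def audit(build_prop_text, fastboot_text, reference=REFERENCE_PATCH_LEVEL):
    """Summarise patch lag, duplicate keys, lock state and partition sizes."""
    props, duplicates = parse_build_prop(build_prop_text)
    fb = parse_fastboot_vars(fastboot_text)
    findings = []

    patch = props.get("ro.build.version.security_patch", "")
    try:
        lag_days = (reference - date.fromisoformat(patch)).days
    except ValueError:
        lag_days = None
        findings.append("security_patch is missing or not YYYY-MM-DD")
    if lag_days is not None and lag_days > 0:
        findings.append(f"patch level {patch} is {lag_days} days behind {reference}")

    conflicting = sorted(k for k, v in duplicates.items() if len(set(v)) > 1)
    if conflicting:
        findings.append("keys defined with different values: " + ", ".join(conflicting))

    # Assumption: secure=yes with unlock_status=false means a locked bootloader,
    # in line with the "restricted on locked hw" replies in the post.
    locked = fb.get("secure") == "yes" and fb.get("unlock_status") == "false"
    if not locked:
        findings.append("bootloader does not report as locked")

    # Partition sizes are printed as hexadecimal byte counts.
    partitions_mib = {
        name.split(":", 1)[1]: int(value, 16) // (1024 * 1024)
        for name, value in fb.items() if name.startswith("partition-size:")
    }
    return {
        "device": props.get("ro.product.device"),
        "patch_lag_days": lag_days,
        "duplicate_keys": sorted(duplicates),
        "conflicting_keys": conflicting,
        "bootloader_locked": locked,
        "partitions_mib": partitions_mib,
        "findings": findings,
    }


if __name__ == "__main__":
    for key, value in audit(BUILD_PROP, FASTBOOT_VARS).items():
        print(f"{key}: {value}")
```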

I haven't tried this myself, but you can try the "adb shell input touchscreen swipe x1 y1 x2 y2" command to simulate a swipe via adb.

AFTVnews.com said:
I haven't tried this myself, but you can try the "adb shell input touchscreen swipe x1 y1 x2 y2" command to simulate a swipe via adb.
Thanks, I did get through the swiping part! But Kingroot did not succeed ...
I've updated the original post to reflect that!

I am very interested in rooting my fire tv stick sideload on 5.2.1.1!
Keep us updated
Just tried KingRoot 5.0.1 emulating swipes/tab. Runs for a while, then fails.

Anything new?

@rbox do you plan to support Fire TV Stick 2 (tank) in the future?

rainman74 said:
@rbox do you plan to support Fire TV Stick 2 (tank) in the future?
It's not about rbox choosing to support or not support that device at this point. The Fire TV Stick 2 has not been rooted. If it ever gets rooted, then rbox can decide if he wants to create recovery and roms for it. At this point, there's nothing he can do.

AFTVnews.com said:
It's not about rbox choosing to support or not support that device at this point. The Fire TV Stick 2 has not been rooted. If it ever gets rooted, then rbox can decide if he wants to create recovery and roms for it. At this point, there's nothing he can do.
I meant in the future, when Tank possibly has been rooted.

rainman74 said:
I meant in the future, when Tank possibly has been rooted.
If I have the actual device, it gets rooted, and there is a 100% pure stock system image, then it is likely.

rbox said:
If I have the actual device, it gets rooted, and there is a 100% pure stock system image, then it is likely.
Let's get this man a Tank!

crashnova said:
Let's get this man a Tank!
but first it has to get rooted

rainman74 said:
but first it has to get rooted
The gentleman said "if he has the actual device, it gets rooted". I'll be buying a second device soon. I'll be more than willing to loan it to @rbox before I even take it out the box or we can start a thread to get funds together for a Tank for him to keep and what not.

Maybe start a bounty for root?

Related

[how to] change your MID without an eng bootloader

READ THIS!
*this thread is for m8. it will NOT work on m7, or any older device. please check the general forum for your particular device for a similar thread.
_____________________________________________________________________________________________________________________
this thread is for the folks who wish to change their MID in order to fully convert a device and receive OTA updates. the method described here is not the only way to skin the cat, but as long as you're careful the risk is very minimal, it's quick and easy and doesn't require any hboot downgrades, eng hboot install, data loss, or having to run an ruu.
please note that s-off is required!
credits:
-beaups for schooling me on the echo command protocol
-kdj67f for dumping partitions from his java card s-offed phone
-davehasninjas for dumping rumrunner s offed partitions
-andybones for testing on a vzw device
*i don't have m8 yet. if you want to test, i'll add you to the credits.
standard disclaimer: use this information at your own risk. it has been tested, but copying the command incorrectly could have consequences. if you melt your phone into a smoldering little pile of aluminum goo, it's not my fault.
IF you are an advanced user with adb/fastboot set up and some basic knowledge of the cmd window, you can skip to #2
1)set up adb(windows 7 and older)
-download this file
-install drivers: if you have htc sync installed, you should already have drivers. if not, you can install htc sync, or install these modified htc drivers from revolutionary (driver mirror)
-unzip your miniadb_v1031.zip file. this is native functionality in windows 7. you otherwise may need a utility such as "7-zip" to extract, or unzip it. place the unzipped folder onto the root of your C drive on your PC. root means the top level, not inside any folders. so just copy and paste, or drag and drop the folder onto C with everything else that is there. you may want to rename it to "miniadb_m7" since you'll be putting some device specific files in here.
-open a command window. on windows 7,click the start bubble in the lower left and type "command" in the search box. xp i believe is similar or the same. doing this should open a small black command window.
-change to your miniadb_m7 directory. type the following at the prompt in your cmd window:
cd c:\miniadb_m7
your command prompt should change to "c:\miniadb_m7>" provided you: 1) unzipped the miniadb_v1031 zip file, and 2) put the folder on your c drive, and 3) entered the name of the folder correctly ("miniadb_m7" in this case)
-now make sure usb debugging is checked in developer options(you will need to turn it on first),and plug your phone into your PC with a usb cable
-make sure your phone is being recognized- type:
adb devices
if your drivers are installed correctly,this should return your phones serial number. you should hear the "found device" noises when you plug your phone in. if it starts installing drivers,wait for it to finish before typing the adb devices command.
if you get your serial number back,then enter this command:
adb reboot bootloader
this should take your phone to the "fastboot" screen, which is white with colored letters. this is one mode of your bootloader's interactive modes. at the top you'll see fastboot devices as confirmation you're in fastboot.
now enter:
fastboot devices
again,this should return your phones serial number. you should hear the "found device" noises when you plug your phone in. if it starts installing drivers,wait for it to finish before typing the adb devices command.
if you get your serial number back,you can enter the following to boot back to the phones OS:
fastboot reboot
and now, you've installed adb/fastboot and tested your phone's drivers. if at either spot, you have trouble and don't get your serial number back, there is some sort of connection issue. use these steps to troubleshoot:
troubleshooting connectivity issues:
-try a reboot of the PC
-try different usb cables and ports
-dont use a usb hub
-dont use usb 3.0
-make sure nothing capable of communicating with the phone is enabled and running. htc sync, pdanet, easy tether, and even itunes have all been known to cause issues.
-windows 8 has been known to have issues. try a windows 7 or older machine
failing the above,
-i use these drivers for fastboot and adb (download and run as admin): http://downloads.unrevoked.com/HTCDriver3.0.0.007.exe (mirror)
failing that,try manually updating the drivers in the following manner:
-put the phone in fastboot mode(select fastboot from the hboot menu)
-open device manager on the PC
-plug in phone,watch for it to pop up in device manager.
-update drivers with device manager, pointing the wizard to the extracted driver download folder from above
note that you can check the connectivity of the phone, and make sure drivers are working in the following manner:
-open cmd window. change to directory containing adb/fastboot utilities
-adb with the phone in the booted OS,usb debug enabled,enter:
adb devices in a cmd window
-fastboot with phone in fastboot,enter:
fastboot devices in cmd window
in either case,a properly connected phone with working drivers installed should report back the phones serial number.
this process,in your cmd window,should look something like this:
Code:
Microsoft Windows [Version 6.1.7601]
Copyright (c) 2009 Microsoft Corporation. All rights reserved.
C:\Users\Scott>cd c:\miniadb_m7
c:\miniadb_m7>adb devices
* daemon not running. starting it now on port 5037 *
* daemon started successfully *
List of devices attached
FAxxxxxxxxxx device
c:\miniadb_m7>adb reboot bootloader
c:\miniadb_m7>fastboot devices
FAxxxxxxxxxx fastboot
c:\miniadb_m7>fastboot reboot
rebooting...
finished. total time: 0.037s
c:\miniadb_m7>
2)change your MID
warning: *do not try and type the command. please copy and paste it
-AT&T, unlocked, developer MID:
enter the following:
adb shell
su (if needed to get a # prompt)
Code:
echo -ne '\x30\x00\x50\x00\x36\x00\x42\x00\x31\x00\x32\x00\x30\x00\x30\x00\x30' | dd of=/dev/block/mmcblk0p5 bs=1 seek=16384
(the above is one big long command. make sure you copy it all,and dont get extra spaces when you paste it.)
exit
adb reboot bootloader
fastboot getvar mid (or getvar all)
verify 0P6B12000 for modelid
fastboot reboot
________________________________________________________________________________________
-google play MID:
enter the following:
adb shell
su (if needed to get a # prompt)
Code:
echo -ne '\x30\x00\x50\x00\x36\x00\x42\x00\x31\x00\x37\x00\x30\x00\x30\x00\x30' | dd of=/dev/block/mmcblk0p5 bs=1 seek=16384
(the above is one big long command. make sure you copy it all,and dont get extra spaces when you paste it.)
exit
adb reboot bootloader
fastboot getvar mid (or getvar all)
verify 0P6B17000 for modelid
fastboot reboot
________________________________________________________________________________________
-t mobile MID:
enter the following:
adb shell
su (if needed to get a # prompt)
Code:
echo -ne '\x30\x00\x50\x00\x36\x00\x42\x00\x31\x00\x33\x00\x30\x00\x30\x00\x30' | dd of=/dev/block/mmcblk0p5 bs=1 seek=16384
(the above is one big long command. make sure you copy it all,and dont get extra spaces when you paste it.)
exit
adb reboot bootloader
fastboot getvar mid (or getvar all)
verify 0P6B13000 for modelid
fastboot reboot
________________________________________________________________________________________
-HTC_Europe MID:
enter the following:
adb shell
su (if needed to get a # prompt)
Code:
echo -ne '\x30\x00\x50\x00\x36\x00\x42\x00\x31\x00\x30\x00\x30\x00\x30\x00\x30' | dd of=/dev/block/mmcblk0p5 bs=1 seek=16384
(the above is one big long command. make sure you copy it all,and dont get extra spaces when you paste it.)
exit
adb reboot bootloader
fastboot getvar mid (or getvar all)
verify 0P6B10000 for modelid
fastboot reboot
________________________________________________________________________________________
your command window should look like this:
Code:
c:\miniadb_m7>adb shell
[email protected]:/ # echo -ne '\x50\x00\x4e\x00\x30\x00\x37\x00\x33\x00\x31\x00\x30\x00\x
30\x00\x30' | dd of=/dev/block/mmcblk0p6 bs=1 seek=16384
00\x30' | dd of=/dev/block/mmcblk0p6 bs=1 seek=16384 <
17+0 records in
17+0 records out
17 bytes transferred in 0.009 secs (1888 bytes/sec)
[email protected]:/ # exit
exit
c:\miniadb_m7>adb reboot bootloader
c:\miniadb_m7>fastboot getvar all
(bootloader) version: 0.5
(bootloader) version-bootloader: 1.44.0000
(bootloader) version-baseband: 4A.17.3250.20
(bootloader) version-cpld: None
(bootloader) version-microp: None
(bootloader) version-main: 1.27.531.8
(bootloader) version-misc: PVT SHIP S-OFF
(bootloader) serialno: HTxxxxxxxxxx
(bootloader) imei: xxxxxxxxxxxxxxx
(bootloader) meid: 00000000000000
(bootloader) product: m7_ul
(bootloader) platform: HBOOT-8064
(bootloader) modelid: PN0731000 <-looky
(bootloader) cidnum: 11111111
(bootloader) battery-status: good
(bootloader) battery-voltage: 4175mV
(bootloader) partition-layout: Generic
(bootloader) security: off
(bootloader) build-mode: SHIP
(bootloader) boot-mode: FASTBOOT
(bootloader) commitno-bootloader: dirty-f188f379dbbfee373cd551f7bc62b8435
getvar:all FAILED (unknown status code)
finished. total time: 0.092s
c:\miniadb_m7>fastboot reboot
rebooting...
(bootloader) hbootpreupdate: 11
finished. total time: 7.288s
some other useful links:
remove tampered banner: http://forum.xda-developers.com/showthread.php?t=2708565
change lock status flag(lock/unlock bootloader): http://forum.xda-developers.com/showthread.php?t=2708571
other MIDs
Rogers MID
0P6B16000
Code:
echo -ne '\x30\x00\x50\x00\x36\x00\x42\x00\x31\x00\x36\x00\x30\x00\x30\x00\x30' | dd of=/dev/block/mmcblk0p5 bs=1 seek=16384
*thanks @craig0r
___________________________________________________________________________________________
wind(canada) MID
0P6B13000
Code:
echo -ne '\x30\x00\x50\x00\x36\x00\x42\x00\x31\x00\x33\x00\x30\x00\x30\x00\x30' | dd of=/dev/block/mmcblk0p5 bs=1 seek=16384
___________________________________________________________________________________________
verizon MID
0P6B20000
Code:
echo -ne '\x30\x00\x50\x00\x36\x00\x42\x00\x32\x00\x30\x00\x30\x00\x30\x00\x30' | dd of=/dev/block/mmcblk0p5 bs=1 seek=16384
warning! provided only for folks who have changed their mid and realized they shouldnt have,or achieved s off via a java card. DO NOT change a gsm or sprint device to this in attempts to use it on vzw and convert to a vzw device(or vice versa)
___________________________________________________________________________________________
sprint MID
0P6B70000
Code:
echo -ne '\x30\x00\x50\x00\x36\x00\x42\x00\x37\x00\x30\x00\x30\x00\x30\x00\x30' | dd of=/dev/block/mmcblk0p5 bs=1 seek=16384
warning! provided only for folks who have changed their mid and realized they shouldnt have,or achieved s off via a java card. DO NOT change a gsm or vzw device to this in attempts to use it on sprint and convert to a sprint device(or vice versa).
___________________________________________________________________________________________
0P6B11000
Code:
echo -ne '\x30\x00\x50\x00\x36\x00\x42\x00\x31\x00\x31\x00\x30\x00\x30\x00\x30' | dd of=/dev/block/mmcblk0p5 bs=1 seek=16384
___________________________________________________________________________________________
europe m8 dual sim MID
0P6B64000
Code:
echo -ne '\x30\x00\x50\x00\x36\x00\x42\x00\x36\x00\x34\x00\x30\x00\x30\x00\x30' | dd of=/dev/block/mmcblk0p5 bs=1 seek=16384
*thanks @EddyOS
warning! provided by request. i would strongly advise against attempting to convert single sim m8 to dual sim, or vice versa
___________________________________________________________________________________________
one more
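
Added example (not part of the original posts): a Python check that decodes one of the `echo -ne ... | dd` commands above and confirms the MID, target partition and offset before anything is written, which covers the copy-and-paste warning in the instructions. The function names and the pasted-with-a-space sample are made up for this example; the other commands are copied from the thread, including the sample transcript, which writes to mmcblk0p6 rather than the mmcblk0p5 used in the listed commands.

```python
"""Added example: decode and check a MID `echo | dd` command before running it."""
import re

# Shape of the commands in the thread:
#   echo -ne '<\xNN...>' | dd of=<device> bs=<n> seek=<n>
CMD_RE = re.compile(
    r"echo\s+-ne\s+'(?P<payload>(?:\\x[0-9a-fA-F]{2})+)'\s*\|\s*"
    r"dd\s+of=(?P<target>\S+)\s+bs=(?P<bs>\d+)\s+seek=(?P<seek>\d+)"
)

MID_CHARS = 9  # length of every MID listed in the thread, e.g. 0P6B12000

# AT&T / unlocked / developer command, copied from the thread.
ATT_CMD = (r"echo -ne '\x30\x00\x50\x00\x36\x00\x42\x00\x31\x00\x32\x00\x30\x00\x30\x00\x30'"
           r" | dd of=/dev/block/mmcblk0p5 bs=1 seek=16384")
# Command from the sample transcript, with its wrapped console line joined.
TRANSCRIPT_CMD = (r"echo -ne '\x50\x00\x4e\x00\x30\x00\x37\x00\x33\x00\x31\x00\x30\x00\x30\x00\x30'"
                  r" | dd of=/dev/block/mmcblk0p6 bs=1 seek=16384")
# Constructed paste error: a stray space inside the payload.
PASTE_ERROR_CMD = ATT_CMD.replace(r"\x36\x00", r"\x36 \x00")


def decode_mid_command(command):
    """Return the MID, target device and byte offset encoded in the command.

    Raises ValueError when the command or payload does not have the exact
    shape used in the thread (one 0x00 after every character but the last).
    """
    match = CMD_RE.fullmatch(command.strip())
    if match is None:
        raise ValueError("command does not match the expected echo | dd shape")
    raw = bytes.fromhex(match["payload"].replace("\\x", ""))
    chars, pads = raw[0::2], raw[1::2]
    if len(chars) != MID_CHARS or len(pads) != MID_CHARS - 1:
        raise ValueError(f"payload is {len(raw)} bytes, expected {2 * MID_CHARS - 1}")
    if any(pads):
        raise ValueError("every character except the last must be followed by 0x00")
    mid = chars.decode("ascii")  # UnicodeDecodeError is a ValueError
    if not mid.isalnum():
        raise ValueError("MID contains non-alphanumeric characters")
    return {
        "mid": mid,
        "target": match["target"],
        "offset": int(match["seek"]) * int(match["bs"]),
        "length": len(raw),
    }


def verify(command, expected_mid,
           expected_target="/dev/block/mmcblk0p5", expected_offset=16384):
    """Return a list of mismatches between the command and what was intended."""
    info = decode_mid_command(command)
    problems = []
    if info["mid"] != expected_mid:
        problems.append(f"MID is {info['mid']}, expected {expected_mid}")
    if info["target"] != expected_target:
        problems.append(f"target is {info['target']}, expected {expected_target}")
    if info["offset"] != expected_offset:
        problems.append(f"offset is {info['offset']}, expected {expected_offset}")
    return problems


if __name__ == "__main__":
    print(decode_mid_command(ATT_CMD))
    print(verify(TRANSCRIPT_CMD, "PN0731000"))
    try:
        decode_mid_command(PASTE_ERROR_CMD)
    except ValueError as exc:
        print("rejected:", exc)
```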
So proud to see you here man.
I've converted my M7 from AT&T to Europe version and received OTA successfully.
Thanks for your great instructions.
Sorry if this is a dumb question, but I want to be clear before I try this sort of thing out.
Am I to understand that the developer edition, Google Play edition, and AT&T version all have the same MID?
Sent from my HTC One using XDA Premium HD app
craig0r said:
Sorry if this is a dumb question, but I want to be clear before I try this sort of thing out.
Am I to understand that the developer edition, Google Play edition, and AT&T version all have the same MID?
Sent from my HTC One using XDA Premium HD app
We have recently learned gpe is different.
T-Mobile US please.
Sent from my HTC One_M8 using Tapatalk 2
Would anyone happen to know if the unlocked edition is the same as AT&T,developer, google play?
yourunlikegus said:
Would anyone happen to know if the unlocked edition is the same as AT&T,developer, google play?
i do not believe so. do you have an unlocked version,or you want to convert to it?
scotty1223 said:
i do not believe so. do you have an unlocked version,or you want to convert to it?
I'll be getting one delivered tomorrow. If one hasn't shown up by the time it gets here I'll post it. After getting the Google drive upgrade was planning on changing to developer
cool.let me know what the mid is, if its same ill add that to the OP,and if its different,ill list the command to go back to that if needed in the second post.
scotty1223 said:
cool.let me know what the mid is, if its same ill add that to the OP,and if its different,ill list the command to go back to that if needed in the second post.
Right on
yourunlikegus said:
Right on
The MID for unlocked edition is the same as at&t, developer and google play edition
yourunlikegus said:
The MID for unlocked edition is the same as at&t, developer and google play edition
awesome, thanks!
Change MID for HTC One M8 EE UK
I am s-off and rooted, will this work for M8
(I see all comments are from M7)
Should I change my CID from ORANG001 to supercid?
What benefits can I get? Will this remove the EE simlock?
Advice welcome please
(bootloader) version: 0.5
(bootloader) version-bootloader: 3.16.0.00
(bootloader) version-baseband: 1.14.213315
(bootloader) version-cpld: None
(bootloader) version-microp: None
(bootloader) version-main: 1.12.61.17
(bootloader) version-misc: PVT SHIP S-OFF
(bootloader) serialno:
(bootloader) imei:
(bootloader) imei2: Not Support
(bootloader) meid: 00000000000000
(bootloader) product: m8_ul
(bootloader) platform: hTCBmsm8974
(bootloader) modelid: 0P6B10000
(bootloader) cidnum: ORANG001
(bootloader) battery-status: good
(bootloader) battery-voltage: 0mV
(bootloader) partition-layout: Generic
(bootloader) security: off
(bootloader) build-mode: SHIP
(bootloader) boot-mode: FASTBOOT
(bootloader) commitno-bootloader: 0a41237a
(bootloader) hbootpreupdate: 11
(bootloader) gencheckpt: 0
I know this thread is about mid but what's the cid for the unlocked version? I was told before that it was htc__001 and that its mid was the european version on this thread, but I see the mid is different on here. Either way I changed both my cid to htc__001 and the mid on here for unlocked devices since I'm trying to change my t-mobile version to unlocked. Am I good to go to flash the correct firmware? I'm s-off as well
dachat said:
I am s-off and rooted, will this work for M8 yes. (you are in m8 general)
(I see all comments are from M7)
Should I change my CID from ORANG001 to supercid? i dont know,should you? what do you want to achieve?
What benefits can I get? first thing said in the first post. if you dont fit that scenario you dont need to change your mid. Will this remove the EE simlock? no
Advice welcome please
Gja88 said:
I know this thread is about mid but what's the cid for the unlocked version? I was told before that it was htc__001 and that its mid was the european version on this thread, but I see the mid is different on here. Either way I changed both my cid to htc__001 and the mid on here for unlocked devices since I'm trying to change my t-mobile version to unlocked. Am I good to go to flash the correct firmware? I'm s-off as well
not sure what the cid is for the unlocked version. maybe @yourunlikegus can provide that info.
if youve changed your cid/mid to htc europe,you can now run an unbranded(x.xx.401.x) ruu if one exists,to complete the conversion.
if the unlocked cid is not HTC__001 and does not match your mid,you cannot ruu and OTAs will not happen.
Change from ORANG001 to HTC_001
I am hoping to change my device to enable it to have the unlocked Europe stock rom getting stock ota's
Is this possible and how should I set about it?
I have S-off rooted ul_M8 Originally on EE
Running Android Revolution HD 5.0
I know it specifies Windows 7 and older but just looking to confirm. This can't be done with a Mac, can it? I have adb running on it, but in the shell, the super user command isn't recognized.
dachat said:
I am hoping to change my device to enable it to have the unlocked Europe stock rom getting stock ota's
Is this possible and how should I set about it?
I have S-off rooted ul_M8 Originally on EE
Running Android Revolution HD 5.0
-change cid
-change mid
-run a release keys ruu for the build you want to run
dave.michael said:
I know it specifies Windows 7 and older but just looking to confirm. This can't be done with a Mac, can it? I have adb running on it, but in the shell, the super user command isn't recognized.
Yes, it can be done on a Mac, but you're on your own getting adb/fastboot working. I've zero Mac experience.
Sent from my HTC PG09410 using Tapatalk 2

Some info that may help rooting

I have spent hours looking for exploits, compiling CVE root exploits via NDK, and finding ways to root and have found no root exploit to work so far. One possibility may revolve around fastboot and/or the Fire update bin files. Here is some info:
update.bin files can be found here: https://www.amazon.com/gp/help/customer/display.html?nodeId=200529680
the update.bin files are jar files and can be modified with most archive managers or over command line, but I believe it will not get past security if you try to update with a modified jar. Plus the updater checks the update version so it does not update an already installed version.
You could add the su binary to /system/xbin but the update will not pass verification...
The error log for attempting to update with a modified package is as follows:
Code:
I/SystemUpdates( 2175): Verifying sideload file...
I/SystemUpdates( 2175): sideload update lost
E/SystemUpdates( 2175): Verification exception:
E/SystemUpdates( 2175): com.amazon.dcp.ota.OTASideloadExceptionUnrecoverable
E/SystemUpdates( 2175): at com.amazon.dcp.ota.OTAController.throwExceptionOnError(OTAController.java:950)
E/SystemUpdates( 2175): at com.amazon.dcp.ota.OTAController.ensureSideloadCanBeInstalled(OTAController.java:871)
E/SystemUpdates( 2175): at com.amazon.settings.systemupdates.SystemUpdates$3.doInBackground(SystemUpdates.java:194)
E/SystemUpdates( 2175): at com.amazon.settings.systemupdates.SystemUpdates$3.doInBackground(SystemUpdates.java:171)
E/SystemUpdates( 2175): at android.os.AsyncTask$2.call(AsyncTask.java:288)
E/SystemUpdates( 2175): at java.util.concurrent.FutureTask.run(FutureTask.java:237)
E/SystemUpdates( 2175): at android.os.AsyncTask$SerialExecutor$1.run(AsyncTask.java:231)
E/SystemUpdates( 2175): at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1112)
E/SystemUpdates( 2175): at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:587)
E/SystemUpdates( 2175): at java.lang.Thread.run(Thread.java:841)
you get the same error when trying to update with an unmodified file that is the same version as what you are on. So maybe with a downgrade or when the next Fire OS update comes out, we could work something out but I am not exactly sure if it would work.
Here is a listing of the files inside an update.bin:
Code:
boot.img file_contexts images META-INF ota.prop recovery system tools
if you grab the boot.img from the update.bin, you can extract the boot.img with unpackbootimg and repackage it with mkbootimg. Tools can be found here: https://code.google.com/p/android-s...il?name=android_bootimg_tools.tar.gz&can=2&q=
when the boot img is unpacked you will see the following files:
Code:
boot.img-base boot.img-cmdline boot.img-pagesize boot.img-ramdisk.gz boot.img-zImage
boot.img-ramdisk.gz is the focus as it is a simple gz file containing another file called boot.img-ramdisk which is a cpio file and can be extracted with most archive managers or the command line
Why do I care about the boot image? You can obtain root by modifying lines in default.prop inside of boot.img-ramdisk from
Code:
ro.adb.secure=1
ro.secure=1
to
Code:
ro.adb.secure=0
ro.secure=0
once those lines are modified you should be able to gain root in a shell via adb by entering the command
Code:
adb root
then once in a root shell, the su binary could be installed
when modifying the default.prop I tried repackaging it and booting the image using fastboot boot but nothing happens. This is the output. It gets stuck at booting...:
Code:
creating boot image - 5369856 bytes
downloading 'boot.img'...
OKAY [ 0.293s]
booting...
even the default unmodified boot.img does not seem to boot with fastboot boot. Could this be due to the locked bootloader? Usually it would give an error message if it was prohibited.
Code:
fastboot getvar all
(bootloader) serialno: 00880807438504J3
(bootloader) partition-offset:userdata: 86200000
(bootloader) partition-size:userdata: 31e7fbe00
(bootloader) partition-type:userdata: unknown
(bootloader) partition-offset:cache: 4f200000
(bootloader) partition-size:cache: 37000000
(bootloader) partition-type:cache: unknown
(bootloader) partition-offset:system: 4200000
(bootloader) partition-size:system: 4b000000
(bootloader) partition-type:system: unknown
(bootloader) partition-offset:persisbackup: 3200000
(bootloader) partition-size:persisbackup: 1000000
(bootloader) partition-type:persisbackup: unknown
(bootloader) partition-offset:MISC: 3180000
(bootloader) partition-size:MISC: 80000
(bootloader) partition-type:MISC: unknown
(bootloader) partition-offset:DKB: 3080000
(bootloader) partition-size:DKB: 100000
(bootloader) partition-type:DKB: unknown
(bootloader) partition-offset:KB: 2f80000
(bootloader) partition-size:KB: 100000
(bootloader) partition-type:KB: unknown
(bootloader) partition-offset:recovery: 2780000
(bootloader) partition-size:recovery: 800000
(bootloader) partition-type:recovery: unknown
(bootloader) partition-offset:boot: 1f80000
(bootloader) partition-size:boot: 800000
(bootloader) partition-type:boot: unknown
(bootloader) partition-offset:UBOOT: 1f00000
(bootloader) partition-size:UBOOT: 80000
(bootloader) partition-type:UBOOT: unknown
(bootloader) partition-offset:TEE2: 1a00000
(bootloader) partition-size:TEE2: 500000
(bootloader) partition-type:TEE2: unknown
(bootloader) partition-offset:TEE1: 1500000
(bootloader) partition-size:TEE1: 500000
(bootloader) partition-type:TEE1: unknown
(bootloader) partition-offset:PMT: 1100000
(bootloader) partition-size:PMT: 400000
(bootloader) partition-type:PMT: unknown
(bootloader) partition-offset:PRO_INFO: 1008000
(bootloader) partition-size:PRO_INFO: 20000
(bootloader) partition-type:PRO_INFO: unknown
(bootloader) max-download-size: 52429824
(bootloader) kernel: lk
(bootloader) product: ARIEL
(bootloader) version: 0.5
(bootloader) production: Unknown
Although we know all these things, I still think that the best way may be to find a local root exploit that works rather than messing with all this... but that is just my opinion. I am currently looking through these exploits but most are too old: http://adbtoolkit.com/rooting/exploits/#.VKDbFAMAI
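A check for the default.prop change described in the post above, as an added example that is not part of the original post: it opens a boot.img-ramdisk.gz, walks the cpio archive inside, and reports any ro.secure / ro.adb.secure value that differs from the locked values the post lists. It assumes the ramdisk is a gzip-compressed cpio in "newc" format; the sample ramdisk is constructed in the script and all function names are hypothetical.

```python
import gzip

# Locked values as listed in the post ("from" side of the default.prop change).
EXPECTED = {"ro.secure": "1", "ro.adb.secure": "1"}

# Constructed default.prop contents, not taken from a real Fire OS image.
STOCK = "# constructed sample\nro.secure=1\nro.adb.secure=1\n"
MODIFIED = "# constructed sample\nro.secure=0\nro.adb.secure=0\n"


def _pad4(n):
    """Bytes of padding needed to reach the next 4-byte boundary."""
    return (4 - n % 4) % 4


def read_newc(archive):
    """Yield (name, data) for each entry of a cpio 'newc' archive."""
    pos = 0
    while pos + 110 <= len(archive):
        header = archive[pos:pos + 110]
        if header[:6] not in (b"070701", b"070702"):
            raise ValueError("not a newc cpio header at offset %d" % pos)
        # After the 6-byte magic come 13 fields of 8 ASCII hex digits each.
        fields = [int(header[6 + 8 * i:14 + 8 * i], 16) for i in range(13)]
        filesize, namesize = fields[6], fields[11]
        name_start = pos + 110
        name = archive[name_start:name_start + namesize - 1].decode()
        data_start = name_start + namesize + _pad4(110 + namesize)
        if name == "TRAILER!!!":
            return
        yield name, archive[data_start:data_start + filesize]
        pos = data_start + filesize + _pad4(filesize)


def parse_props(text):
    """Parse key=value lines, skipping blanks and # comments."""
    props = {}
    for line in text.splitlines():
        line = line.strip()
        if line and not line.startswith("#") and "=" in line:
            key, value = line.split("=", 1)
            props[key.strip()] = value.strip()
    return props


def audit_ramdisk(ramdisk_gz):
    """Return {prop: (found, expected)} for every deviation from EXPECTED."""
    archive = gzip.decompress(ramdisk_gz)
    for name, data in read_newc(archive):
        if name.lstrip("./") == "default.prop":
            props = parse_props(data.decode("utf-8", "replace"))
            return {key: (props.get(key), want)
                    for key, want in EXPECTED.items() if props.get(key) != want}
    raise LookupError("default.prop not found in ramdisk")


def _newc_entry(name, data):
    """Build one newc entry (used only to construct the sample below)."""
    name_b = name.encode() + b"\0"
    fields = [0, 0o100644, 0, 0, 1, 0, len(data), 0, 0, 0, 0, len(name_b), 0]
    header = b"070701" + b"".join(b"%08X" % f for f in fields)
    out = header + name_b + b"\0" * _pad4(len(header) + len(name_b))
    return out + data + b"\0" * _pad4(len(data))


def build_sample_ramdisk(prop_text):
    """Constructed stand-in for boot.img-ramdisk.gz."""
    archive = (_newc_entry("init.rc", b"# constructed\n")
               + _newc_entry("default.prop", prop_text.encode())
               + _newc_entry("TRAILER!!!", b""))
    return gzip.compress(archive)


if __name__ == "__main__":
    for label, text in (("stock", STOCK), ("modified", MODIFIED)):
        print(label, audit_ramdisk(build_sample_ramdisk(text)))
```

An empty result means both properties still carry the locked values; any entry in the result names a property that was changed or is missing.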
boot image
Where are you getting a boot.img from the update-kindle-20.4.5.2_user_452004220.bin?
have you tried extracting the boot.img from your working kindle and booting that? Just a thought.
It's Kit Kat
I would like to remind everyone that underneath its kit kat.
fyi, I tried towelroot and it did not work.
I'll keep messing around.
HT123 said:
Where are you getting a boot.img from the update-kindle-20.4.5.2_user_452004220.bin?
have you tried extracting the boot.img from your working kindle and booting that? Just a thought.
update-kindle-20.4.5.2_user_452004220.bin is just a jar file and can be extracted with an archive manager. The boot image is on the root of update-kindle-20.4.5.2_user_452004220.bin
I'm missing something then.
Are you repacking the image?
I have extracted the bin for the HD 6 and i can not for the life of me find a boot.img on there. The HD 6 image looks like is star
As for the KitKat base, TowelRoot doesn't work. I think a few exploits have been compiled and tried with no luck.
Guys have you asked Gran PC for the source code of his Firerooter?
Maybe there's something on it that may help you.
Google+ KFSOWI Community
Source: Teasers teasers teasers.
Yunus Sina Gülşen
Dec 25, 2014
Will you be able to publish source code and how you have found the exploit? As i can take it and start working for AFHD6?
Gran PC
owner
Dec 25, 2014
It's not really an exploit. It's all going to be open source though.
Gran PC
owner
Dec 25, 2014
If you manage to port it to another device it would be appreciated if you were to credit me on your release notes, by the way.
Yunus Sina Gülşen
Dec 25, 2014
Well i am pissed at waiting and will definitely try and your help would be a very good starting point at the moment. You can be sure about the credits.
Yunus Sina Gülşen
Dec 25, 2014
github?
Mar Gonçalves
Dec 25, 2014
"It's not really an exploit"... Wow, +Gran PC, Amazon really make it easier this time, hum? ˆ_ˆ
Gran PC
owner
I don't have my GitHub credentials on this computer, so you'll just have to make do with the binary release (it's written in Lua, so the source code is obviously included).
Yunus Sina Gülşen
Dec 25, 2014
ok, waiting for the release then
It is open source. Having never seen Lua before reading it, it looks like a flash of minisystem.img to /system and then incremental updates via renaming of the downloads to update.zip is used. If I am wrong I apologize, and someone please correct me. minisystem.img is designed for the hdx.
HT123 said:
it is open source. having never seen LUA before reading it, it looks like a flash of minisystem.img to /system and then incremental updates via renaming of the downloads to update.zip is used. If i am wrong i apologize and some please correct me. minisystem.img is designed for the hdx.
I looked at the code a bit but not enough to understand it. cannot tell yet.
HT123 said:
Where are you getting a boot.img from the update-kindle-20.4.5.2_user_452004220.bin?
have you tried extracting the boot.img from your working kindle and booting that? Just a thought.
I'll need to redownload it and make sure.
HT123 said:
it is open source. having never seen LUA before reading it, it looks like a flash of minisystem.img to /system and then incremental updates via renaming of the downloads to update.zip is used. If i am wrong i apologize and some please correct me. minisystem.img is designed for the hdx.
It should be named update-kindle-20.4.5.2_user_452004220.bin (check the link in my thread). boot.img is on the root of the bin file (rename it to .jar so your archive manager can detect it as a jar). Just redownloaded and rechecked.
still not seeing it. Mine starts at /system. downloaded it twice... weird.
update-kindle-20.4.5.2_user_452004220.jar
HT123 said:
still not seeing it. Mine starts at /system. downloaded it twice... weird.
update-kindle-20.4.5.2_user_452004220.jar
You could try a different archive manager. I use Linux with default gnome archive manager ( I think called file roller)
Thank you for trying to get root access.
I don't have the skill to help you, I'm sorry, but just a little question:
Have you tested all the root applications for rooting the Fire HD?

[How to] flash Lollipop on Desire 820 dual sim Non-Indian variant. Fix Wrong Variant

Hi guys, so a friend of mine got a Desire 820 dual sim a few days back. The device came in a very messy condition in terms of software. It was already Super CID'd & S-OFFed, with no option to update software & around 200 languages. So I tried different threads to fix the issue & upgrade the phone to Lollipop.
I was able to get it back to stock Indian KK RUU 1.22.720.1, assuming that it was an Indian variant based on its id A51_DTUL, but that was not the case. After downloading the 1.22.720.10 update, it was giving me an error like Modified System or Wrong Variant.
Long story short, I managed to identify / fix the problem & successfully upgraded the phone to Android L.
The story is that most of the guides available for the 820 dual sim Lollipop upgrade are for the Indian variant with MID 0PFJ10000. The problem occurs with its Chinese sibling with MID 0PFJ11000, & this is where the phone won't allow you to do software updates.
The RUU just checks the CID, while the OTA updater-script has plenty of checks before flashing.
So in the KK updater-script below, you can see that it first checks the current firmware, then the CID & then the MID.
Code:
mount("ext4", "EMMC", "system", "/system");
assert(file_getprop("/system/build.prop", "ro.build.fingerprint") == "htc/htc_asia_india/htc_a51dtul:4.4.4/KTU84P/429556.1:user/release-keys" ||
       file_getprop("/system/build.prop", "ro.build.fingerprint") == "htc/htc_asia_india/htc_a51dtul:4.4.4/KTU84P/429556.10:user/release-keys");
assert(file_getprop("/system/build.prop", "ro.aa.taskid") == "402794" ||
       file_getprop("/system/build.prop", "ro.aa.taskid") == "447333");
ifelse( is_ship_bootloader(getprop("ro.bootloader")) == "t" ,
    assert(check_cid(getprop("ro.cid"), "00000000" , "11111111" ,
        "22222222" , "33333333" , "44444444" , "55555555" , "66666666" ,
        "77777777" , "88888888" , "99999999" , "HTC__038") == "t");
);
ifelse( is_ship_bootloader(getprop("ro.bootloader")) == "t" ,
    assert(check_mid("full", "0PFJ10000") == "t");,
    assert(check_mid("simple", "0PFJ10000") == "t");
);
This is the point where we get the Wrong Variant or Modified System error on devices with an MID other than 0PFJ10000.
So, in order to get rid of this error & get all the updates automatically while keeping your ROM in stock status, these are the requirements / guidelines.
Required:
S-OFF
Root
Super CID
I assume you already know about fastboot commands stuff
So before proceeding, verify that your phone is A51_DTUL & the processor type is hTCBmsm8939 with 2GB of RAM. You can do this by booting into bootloader & running the command fastboot getvar all
1st step, change MID of your device -> from 0PFJ11000 to 0PFJ10000. Run the following ADB commands:
Code:
adb shell
su
echo -ne '\x30\x00\x50\x00\x46\x00\x4a\x00\x31\x00\x30\x00\x30\x00\x30\x00\x30' | dd of=/dev/block/mmcblk0p5 bs=1 seek=16384
exit
exit
adb reboot bootloader
Once the commands are successful, verify the MID in fastboot with the command fastboot getvar MID. It should now be 0PFJ10000
So we killed the BUG :laugh:
2nd step:
2a. Download the Indian KK RUU from this thread -> Thanks to sshivampp & robinsahlot
2b. Rename the downloaded ZIP to “0PFJIMG.zip”, or to 0PFJIMG.txt in case you are unable to copy it
2c. Copy the 0PFJIMG.txt / zip file to the external SD card & change the extension back to .zip in case you had to change it to .txt
2d. Reboot into bootloader & don't forget to disable the Fastboot option under power settings
2e. Press Vol up for update once prompted
You will see a lot of checks & update prompts on the screen
Once successful, reboot the phone & check for software updates. You should now be able to install all the OTAs without any errors
Special thanks to h1dd3n_sn1p3r for his initial guide on upgrading to Android L.
And our dexter, Mr. scotty1223 for his amazing guides & work. Through which i was able to figure out MID change part
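The checks in the quoted updater-script and the byte string in the MID step, modelled as an added example that is not part of the original post: it reports which assertion would reject a device and decodes the echo payload to show what it encodes. The fastboot lines, the fingerprint and the taskid used as input are a constructed sample; function names are hypothetical, and check_mid "full" / "simple" are both treated as plain equality, which is an assumption.

```python
import re

# Accepted values copied from the KK updater-script quoted in the post.
ALLOWED_FINGERPRINTS = {
    "htc/htc_asia_india/htc_a51dtul:4.4.4/KTU84P/429556.1:user/release-keys",
    "htc/htc_asia_india/htc_a51dtul:4.4.4/KTU84P/429556.10:user/release-keys",
}
ALLOWED_TASKIDS = {"402794", "447333"}
ALLOWED_CIDS = {digit * 8 for digit in "0123456789"} | {"HTC__038"}
REQUIRED_MID = "0PFJ10000"

# Argument of the echo command from the post's 1st step.
MID_PAYLOAD = (r"\x30\x00\x50\x00\x46\x00\x4a\x00\x31\x00"
               r"\x30\x00\x30\x00\x30\x00\x30")

# Constructed sample in `fastboot getvar all` format (no serial or IMEI lines).
SAMPLE_GETVAR = """\
(bootloader) version-main: 1.22.720.1
(bootloader) product: a51_dtul
(bootloader) platform: hTCBmsm8939
(bootloader) modelid: 0PFJ11000
(bootloader) cidnum: 11111111
(bootloader) build-mode: SHIP
"""
# Assumed build.prop values for the sample device.
SAMPLE_FINGERPRINT = ("htc/htc_asia_india/htc_a51dtul:4.4.4/KTU84P/"
                      "429556.1:user/release-keys")
SAMPLE_TASKID = "402794"


def parse_getvar(text):
    """Turn `fastboot getvar all` output into a dict of variable -> value."""
    return dict(re.findall(r"^\(bootloader\) ([\w-]+): ?(.*)$", text, re.M))


def ota_gate(fingerprint, taskid, cid, mid, ship_bootloader=True):
    """List the script assertions that would fail, in script order.

    The real script aborts at the first failed assert; returning all of
    them makes the output usable as a diagnosis.
    """
    failed = []
    if fingerprint not in ALLOWED_FINGERPRINTS:
        failed.append("ro.build.fingerprint")
    if taskid not in ALLOWED_TASKIDS:
        failed.append("ro.aa.taskid")
    # The script only checks the CID when is_ship_bootloader(...) is "t".
    if ship_bootloader and cid not in ALLOWED_CIDS:
        failed.append("check_cid")
    if mid != REQUIRED_MID:
        failed.append("check_mid")
    return failed


def diagnose(getvar_text, fingerprint, taskid):
    """Run the gate against the CID and MID reported by fastboot."""
    values = parse_getvar(getvar_text)
    return ota_gate(fingerprint, taskid,
                    values.get("cidnum", ""), values.get("modelid", ""))


def decode_mid_payload(echo_arg):
    """Return (byte count, text) for the \\xNN escapes, read as UTF-16LE."""
    raw = bytes(int(h, 16) for h in re.findall(r"\\x([0-9a-fA-F]{2})", echo_arg))
    # The payload stops after the low byte of the last character, so pad
    # the missing high byte before decoding.
    padded = raw + b"\0" * (len(raw) % 2)
    return len(raw), padded.decode("utf-16-le")


if __name__ == "__main__":
    print("failing checks:", diagnose(SAMPLE_GETVAR, SAMPLE_FINGERPRINT, SAMPLE_TASKID))
    print("payload:", decode_mid_payload(MID_PAYLOAD))
```

With the sample input only check_mid fails, which is the Wrong Variant case the post describes; the payload decodes to the nine-character MID stored as 17 bytes of UTF-16LE.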
Lovely! Thanks for credit towards me!
Excellent find bro ?
Any one knows MID of HK variant?
help
Hey, thanks for this post, I have tried every solution posted on this site, but none of them worked, this one seems the most effective one, but I can't change the MID! I copy the code, hit enter, the window closes, but when I reboot the phone and check the getvar mid, it doesn't change! What can I do? I have the phone in S-OFF, rooted and super CID... the phone was unlocked, tried this way, but now is relocked, tried this one also but it's the same MID... thanks for the help you can give me
OK, I tried some of the code, just to avoid the window from closing and it says this:
adb shell
adb server is out of date. killing...
* daemon started successfully *
error: device not found...
gpcga said:
Hey, thanks for this post, i have tried every solution posted in this site, but anyone of them worked, this one seems the most effective one, but i cant change the MID! I copy the code, hit enter, the window closes, but when i reboot the phone and check de getvar mid, it doesnt change! what can i do? i have the phone in S-OFF, rooted and super CID... the phone was unlocked, tried this way, but now is relocked, tried this one also but its the same MID ..thaks for the help u can give me
ok i try some of the code, just to avoid the window from closing and it says this :
adb shell
adb server is out of date. killing...
* daemon started successfully *
error: device not found...
What is the current MID of your device? Also, is it a Qualcomm processor? If you boot the phone normally with ADB debugging, is it detected? From the last line it seems the device is not connected or not detected.
I changed the recovery
Hello, the phone didn't connect because of the recovery, I flashed another one, and that was it. Thanks, I have the stock lollipop 5.0.2 now. This is the only solution that worked fast and effective.
fshami said:
What is the current MID of your device? Also, is it a Qualcomm processor? If you boot the phone normally with ADB debugging, is it detected? From the last line it seems the device is not connected or not detected.
Would this method work on my Chinese Desire 820t?
sponmagnet said:
Would this method work on my Chinese Desire 820t?
This thread is for the non-indian variants with Qualcomm chipset.. all details in first post. So if u have the same mid OPFJ11xxx then go a head & try.. be sure ur hardware specs match as i mentioned in the guide
Can anybody post instructions of how to change MID to TW variant? (-> from 0PFJ10000 to 0PFJ12000)
Prowler_gr said:
Can anybody post instructions of how to change MID to TW variant? (-> from 0PFJ10000 to 0PFJ12000)
Code:
adb shell
su
echo -ne '\x30\x00\x50\x00\x46\x00\x4a\x00\x31\x00\x32\x00\x30\x00\x30\x00\x30' | dd of=/dev/block/mmcblk0p5 bs=1 seek=16384
exit
exit
adb reboot bootloader
I am getting error
"adb shell
adb server is out of date. killing...
* daemon started successfully *
error: device not found..."
Device is connected !!!
I tried everything but nothing works...
I want my phone to run on lollipop
please help me
shubhamkanwaria said:
I am getting error
"adb shell
adb server is out of date. killing...
* daemon started successfully *
error: device not found..."
Device is connected !!!
I tried everything but nothing works...
I want my phone to run on lollipop
please help me
Check if USB debugging is enabled.. and after connecting the phone, all drivers are installed properly
fshami said:
Check if USB debugging is enabled.. and after connecting the phone, all drivers are installed properly
USB debugging is enabled and all drivers are properly installed but still same error.
shubhamkanwaria said:
USB debugging is enabled and all drivers are properly installed but still same error.
If your phone is booted, still adb devices command is not showing your device?
Sent from my HTC One E9PLUS dual sim using XDA-Developers mobile app
fshami said:
If your phone is booted, still adb devices command is not showing your device?
Sent from my HTC One E9PLUS dual sim using XDA-Developers mobile app
Thank you so much... i got it... Now my phone running on lollipop.....
shubhamkanwaria said:
Thank you so much... i got it... Now my phone running on lollipop.....
glad to help
sorry .. this is no more available .. please check the next reply #18
my data before :
D:\HTC\fastboot>fastboot getvar all
(bootloader) version: 0.5
(bootloader) version-bootloader: 3.19.0.0000
(bootloader) version-baseband: 01.01.010_U1030481_08.01.41119
(bootloader) version-cpld: None
(bootloader) version-microp: None
(bootloader) version-main: 1.22.720.1
(bootloader) version-misc: PVT SHIP S-OFF
(bootloader) serialno: HC4ANYC01045
(bootloader) imei: 355386060878133
(bootloader) imei2: 355386060878141
(bootloader) meid: 00000000000000
(bootloader) product: a51_dtul
(bootloader) platform: hTCBmsm8939
(bootloader) modelid: 0PFJ11000
(bootloader) cidnum: 11111111
(bootloader) battery-status: good
(bootloader) battery-voltage: 0mV
(bootloader) partition-layout: Generic
(bootloader) security: off
(bootloader) build-mode: SHIP
(bootloader) boot-mode: FASTBOOT
(bootloader) commitno-bootloader: ed7d3c37
(bootloader) hbootpreupdate: 11
(bootloader) gencheckpt: 0
(bootloader) mfg-name:
all: Done!
finished. total time: 0.022s
D:\HTC\fastboot>
and do :
D:\HTC\fastboot>adb shell
[email protected]_a51dtul:/ $ su
[email protected]_a51dtul:/ # echo -ne '\x30\x00\x50\x00\x46\x00\x4a\x00\x31\x00\x30\x0>
17+0 records in
17+0 records out
17 bytes transferred in 0.005 secs (3400 bytes/sec)
[email protected]_a51dtul:/ # exit
[email protected]_a51dtul:/ $ exit
so the data after :
D:\HTC\fastboot>fastboot getvar mid
mid: 0PFJ10000
finished. total time: 0.002s
D:\HTC\fastboot>fastboot getvar all
(bootloader) version: 0.5
(bootloader) version-bootloader: 3.19.0.0000
(bootloader) version-baseband: 01.01.010_U1030481_08.01.41119
(bootloader) version-cpld: None
(bootloader) version-microp: None
(bootloader) version-main: 1.22.720.1
(bootloader) version-misc: PVT SHIP S-OFF
(bootloader) serialno: HC4ANYC01045
(bootloader) imei: 355386060878133
(bootloader) imei2: 355386060878141
(bootloader) meid: 00000000000000
(bootloader) product: a51_dtul
(bootloader) platform: hTCBmsm8939
(bootloader) modelid: 0PFJ10000
(bootloader) cidnum: 11111111
(bootloader) battery-status: good
(bootloader) battery-voltage: 0mV
(bootloader) partition-layout: Generic
(bootloader) security: off
(bootloader) build-mode: SHIP
(bootloader) boot-mode: FASTBOOT
(bootloader) commitno-bootloader: ed7d3c37
(bootloader) hbootpreupdate: 11
(bootloader) gencheckpt: 0
(bootloader) mfg-name:
all: Done!
finished. total time: 0.034s
D:\HTC\fastboot>
checked update .. 70.01MB .. downloaded .. but still got the msg (your system modified contact htc)
#Note : i was downloaded the ruu that you mention .. just changed mid then checked update
any help ??
nabilovetch said:
my data before :
D:\HTC\fastboot>fastboot getvar all
(bootloader) version: 0.5
(bootloader) version-bootloader: 3.19.0.0000
(bootloader) version-baseband: 01.01.010_U1030481_08.01.41119
(bootloader) version-cpld: None
(bootloader) version-microp: None
(bootloader) version-main: 1.22.720.1
(bootloader) version-misc: PVT SHIP S-OFF
(bootloader) serialno: HC4ANYC01045
(bootloader) imei: 355386060878133
(bootloader) imei2: 355386060878141
(bootloader) meid: 00000000000000
(bootloader) product: a51_dtul
(bootloader) platform: hTCBmsm8939
(bootloader) modelid: 0PFJ11000
(bootloader) cidnum: 11111111
(bootloader) battery-status: good
(bootloader) battery-voltage: 0mV
(bootloader) partition-layout: Generic
(bootloader) security: off
(bootloader) build-mode: SHIP
(bootloader) boot-mode: FASTBOOT
(bootloader) commitno-bootloader: ed7d3c37
(bootloader) hbootpreupdate: 11
(bootloader) gencheckpt: 0
(bootloader) mfg-name:
all: Done!
finished. total time: 0.022s
D:\HTC\fastboot>
and do :
D:\HTC\fastboot>adb shell
[email protected]_a51dtul:/ $ su
[email protected]_a51dtul:/ # echo -ne '\x30\x00\x50\x00\x46\x00\x4a\x00\x31\x00\x30\x0>
17+0 records in
17+0 records out
17 bytes transferred in 0.005 secs (3400 bytes/sec)
[email protected]_a51dtul:/ # exit
[email protected]_a51dtul:/ $ exit
so the data after :
D:\HTC\fastboot>fastboot getvar mid
mid: 0PFJ10000
finished. total time: 0.002s
D:\HTC\fastboot>fastboot getvar all
(bootloader) version: 0.5
(bootloader) version-bootloader: 3.19.0.0000
(bootloader) version-baseband: 01.01.010_U1030481_08.01.41119
(bootloader) version-cpld: None
(bootloader) version-microp: None
(bootloader) version-main: 1.22.720.1
(bootloader) version-misc: PVT SHIP S-OFF
(bootloader) serialno: HC4ANYC01045
(bootloader) imei: 355386060878133
(bootloader) imei2: 355386060878141
(bootloader) meid: 00000000000000
(bootloader) product: a51_dtul
(bootloader) platform: hTCBmsm8939
(bootloader) modelid: 0PFJ10000
(bootloader) cidnum: 11111111
(bootloader) battery-status: good
(bootloader) battery-voltage: 0mV
(bootloader) partition-layout: Generic
(bootloader) security: off
(bootloader) build-mode: SHIP
(bootloader) boot-mode: FASTBOOT
(bootloader) commitno-bootloader: ed7d3c37
(bootloader) hbootpreupdate: 11
(bootloader) gencheckpt: 0
(bootloader) mfg-name:
all: Done!
finished. total time: 0.034s
D:\HTC\fastboot>
checked update .. 70.01MB .. downloaded .. but still got the msg (your system modified contact htc)
#Note : i was downloaded the ruu that you mention .. just changed mid then checked update
any help ??
Good, you've changed CID & MID. Now download & flash the RUU I mentioned. Once flashed, your device will do updates.
Sent from my HTC One E9PLUS dual sim using XDA-Developers mobile app
fshami said:
Good, you've changed CID & MID. Now download & flash the RUU I mentioned. Once flashed, your device will do updates.
Sent from my HTC One E9PLUS dual sim using XDA- mobile app
I did a factory reset and reflashed the RUU using the SD card ..
still got the msg (your software is modified, contact htc)

Fire HD 8 2015 (5th Gen) debrick

I have 3 of these, so I'm being a little carefree.
I went into recovery and adb sideload flashed an older version, causing that one to go into a preloader loop (not a big deal)
I'd love to recover that one and it appears I can do so using some of the techniques found here https://forum.xda-developers.com/amazon-fire/development/unbrick-fire-7-5th-gen-downgrade-t3388747
I can definitely handshake at the beginning and read/write. On one of my working tablets I went into fastboot and ran `fastboot getvar all` and was able to see some partition sizes and offsets.
I've tried writing some things to the tablet stuck in preloader mode, but still not getting that one back to adb or fastboot. Some examples:
./write_mmc.py $((0x2000000)) boot.img
./write_mmc.py $((0x1F00000)) lk.bin
./write_mmc.py $((0x1500000)) tz.img
I can keep banging away at this but if anyone has a few more hints, I really could use a clue by four. Thanks!
PS: I imagine that these models (THEBES) could get some of the same goodness as the amonet versions but it has been low on people's priority.
paklids said:
I have 3 of these, so I'm being a little carefree.
I went into recovery and adb sideload flashed an older version, causing that one to go into a preloader loop (not a big deal)
I'd love to recover that one and it appears I can do so using some of the techniques found here https://forum.xda-developers.com/amazon-fire/development/unbrick-fire-7-5th-gen-downgrade-t3388747
I can definitely handshake at the beginning and read/write. On one of my working tablets I went into fastboot and ran `fastboot getvar all` and was able to see some partition sizes and offsets.
I've tried writing some things to the tablet stuck in preloader mode, but still not getting that one back to adb or fastboot. Some examples:
./write_mmc.py $((0x2000000)) boot.img
./write_mmc.py $((0x1F00000)) lk.bin
./write_mmc.py $((0x1500000)) tz.img
I can keep banging away at this but if anyone has a few more hints, I really could use a clue by four. Thanks!
PS: I imagine that these models (THEBES) could get some of the same goodness as the amonet versions but it has been low on people's priority.
Hi,
So it looks like you downgraded the Preloader to a version that has non-patched rw commands :good:
I can try to help you. If you want, just PM me.
Regards.
I'm going to add some details to the thread so peeps know where I'm coming from and where I'm going:
This unit, if you want to get into adb you'll need to enable adb debugging in the menu. After that you cannot reboot directly into fastboot mode, but you can hop over to recovery and then do it from there:
`adb reboot recovery` then select `reboot to recovery`
When the unit is stock (in my case v5.6.1.0) and on adb - the lsusb is:
Bus 005 Device 124: ID 1949:0212 Lab126, Inc.
& on fastboot lsusb reports:
Bus 005 Device 003: ID 0bb4:0c01 HTC (High Tech Computer Corp.) Dream / ADP1 / G1 / Magic / Tattoo
(Hey...that looks familiar! I had an HTC Magic that I rooted the first day I owned it)
What did I do to put this unit in preloader loop? I booted into recovery and used adb sideload to flash (I *think*) update-kindle-32.5.2.2_user_522054520.bin . After that the screen went black and I could see it rebooting because the USB would come up and then back down. lsusb would then report:
Bus 001 Device 105: ID 0e8d:3000 MediaTek Inc.
I hope this helps any of you follow along in case you are trying to recover your Fire HD 8 5th gen (2015)
Oh, and here are the details I gathered from the known working tablet:
fastboot getvar all
(bootloader) unlock_status: false
(bootloader) unlock_version: 1
(bootloader) unlock_code: 0xFFFFFFFFFFFFFFFF
(bootloader) prod: 1
(bootloader) serialno: FFFFFFFFFFFFFFFF
(bootloader) partition-offset:userdata: 5ec80000
(bootloader) partition-size:userdata: 173bfbe00
(bootloader) partition-type:userdata: unknown
(bootloader) partition-offset:cache: 4f280000
(bootloader) partition-size:cache: fa00000
(bootloader) partition-type:cache: unknown
(bootloader) partition-offset:system: 4280000
(bootloader) partition-size:system: 4b000000
(bootloader) partition-type:system: unknown
(bootloader) partition-offset:persisbackup: 3280000
(bootloader) partition-size:persisbackup: 1000000
(bootloader) partition-type:persisbackup: unknown
(bootloader) partition-offset:MISC: 3200000
(bootloader) partition-size:MISC: 80000
(bootloader) partition-type:MISC: unknown
(bootloader) partition-offset:DKB: 3100000
(bootloader) partition-size:DKB: 100000
(bootloader) partition-type:DKB: unknown
(bootloader) partition-offset:KB: 3000000
(bootloader) partition-size:KB: 100000
(bootloader) partition-type:KB: unknown
(bootloader) partition-offset:recovery: 2800000
(bootloader) partition-size:recovery: 800000
(bootloader) partition-type:recovery: unknown
(bootloader) partition-offset:boot: 2000000
(bootloader) partition-size:boot: 800000
(bootloader) partition-type:boot: unknown
(bootloader) partition-offset:UBOOT: 1f00000
(bootloader) partition-size:UBOOT: 100000
(bootloader) partition-type:UBOOT: unknown
(bootloader) partition-offset:TEE2: 1a00000
(bootloader) partition-size:TEE2: 500000
(bootloader) partition-type:TEE2: unknown
(bootloader) partition-offset:TEE1: 1500000
(bootloader) partition-size:TEE1: 500000
(bootloader) partition-type:TEE1: unknown
(bootloader) partition-offset:PMT: 1100000
(bootloader) partition-size:PMT: 400000
(bootloader) partition-type:PMT: unknown
(bootloader) partition-offset:PRO_INFO: 1008000
(bootloader) partition-size:PRO_INFO: 20000
(bootloader) partition-type:PRO_INFO: unknown
(bootloader) max-download-size: 52429824
(bootloader) kernel: lk
(bootloader) product: THEBES
(bootloader) version: 0.5
(bootloader) unlocked: not unlocked
(bootloader) production: Unknown
all: Done!!
So I did confirm that you can get the tablet (in my case tablet number 2) into preloader mode by booting to recovery and side loading the update that I mentioned before. For reference:
md5sum update-kindle-32.5.2.2_user_522054520.bin
615019d226954c2e4e2f98613151bc75 update-kindle-32.5.2.2_user_522054520.bin
paklids said:
I have 3 of these, so I'm being a little carefree.
...
I've tried writing some things to the tablet stuck in preloader mode, but still not getting that one back to adb or fastboot. Some examples:
./write_mmc.py $((0x2000000)) boot.img
./write_mmc.py $((0x1F00000)) lk.bin
./write_mmc.py $((0x1500000)) tz.img
I can keep banging away at this but if anyone has a few more hints, I really could use a clue by four. Thanks!
PS: I imagine that these models (THEBES) could get some of the same goodness as the amonet versions but it has been low on people's priority.
paklids said:
So I did confirm that you can get the tablet (in my case tablet number 2) into preloader mode by booting to recovery and side loading the update that I mentioned before. For reference:
md5sum update-kindle-32.5.2.2_user_522054520.bin
615019d226954c2e4e2f98613151bc75 update-kindle-32.5.2.2_user_522054520.bin
You gotta be careful with write_mmc.py and ensure that you have the addresses right! Those can be quite tricky, you should go through the Fire HD 2014 thread which has the same chipset:
https://forum.xda-developers.com/fire-hd/development/unbrick-fire-hd-6-7-flashing-lollipop-t3405797
You will need to replace TZ/LK to the version you had before the downgrade. Then it should boot, and you may be able to root FireOS via KingRoot or something (if it's vulnerable). If your preloader version changed, then you cannot do anything since there is no way to write preloader via write_mmc.py. I think the recent scripts by @k4y0z can query the versions of PL/TZ/LK, see if you can do that too, just to make sure that PL does not need to be replaced, and to get an idea which versions you are dealing with.
Edit: Here is how you can see which versions of PL/TZ/LK you have (remove the junk - I copied this from another script):
Code:
tee_version=$((`adb shell getprop ro.boot.tee_version | dos2unix`))
lk_version=$((`adb shell getprop ro.boot.lk_version | dos2unix`))
pl_version=$((`adb shell getprop ro.boot.pl_version | dos2unix`))
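A pre-flight check for the raw writes discussed above, as an added example that is not part of the thread or of the write_mmc.py scripts: it parses partition offsets and sizes from `fastboot getvar all` output and verifies that a planned write starts at the partition's offset, fits inside it, and does not run into a neighbouring partition. The function names are hypothetical, the sample is a subset of the output posted earlier, and the values are assumed to be hexadecimal byte counts.

```python
import re

# Constructed sample: a subset of the `fastboot getvar all` lines posted above.
GETVAR_SAMPLE = """\
(bootloader) partition-offset:recovery: 2800000
(bootloader) partition-size:recovery: 800000
(bootloader) partition-offset:boot: 2000000
(bootloader) partition-size:boot: 800000
(bootloader) partition-offset:UBOOT: 1f00000
(bootloader) partition-size:UBOOT: 100000
(bootloader) partition-offset:TEE2: 1a00000
(bootloader) partition-size:TEE2: 500000
(bootloader) partition-offset:TEE1: 1500000
(bootloader) partition-size:TEE1: 500000
"""

# Matches only well-formed "partition-offset:NAME: HEX" / "partition-size:NAME: HEX".
LINE_RE = re.compile(r"partition-(offset|size):(\w+):\s*([0-9a-fA-F]+)\s*$")


def parse_partitions(text):
    """Return {name: (offset, size)}; values assumed to be hex byte counts."""
    fields = {}
    for line in text.splitlines():
        m = LINE_RE.search(line)
        if m:
            kind, name, value = m.groups()
            fields.setdefault(name, {})[kind] = int(value, 16)
    # Drop partitions for which only one of offset/size was reported.
    return {n: (f["offset"], f["size"]) for n, f in fields.items() if len(f) == 2}


def check_write(table, name, offset, image_len):
    """List the problems with writing image_len bytes at offset into `name`."""
    if name not in table:
        return [f"unknown partition {name!r}"]
    start, size = table[name]
    problems = []
    if offset != start:
        problems.append(f"offset {offset:#x} is not the start of {name} ({start:#x})")
    if image_len > size:
        problems.append(f"image is {image_len:#x} bytes, {name} holds {size:#x}")
    end = offset + image_len
    for other, (o_start, o_size) in table.items():
        if other != name and offset < o_start + o_size and o_start < end:
            problems.append(f"write would overlap {other}")
    return problems


if __name__ == "__main__":
    table = parse_partitions(GETVAR_SAMPLE)
    # (partition, offset, image size): offsets as used in the thread, sizes constructed.
    for plan in [("boot", 0x2000000, 0x700000), ("UBOOT", 0x1F00000, 0x100001)]:
        print(plan[0], check_write(table, *plan) or "ok")
```

Lines whose partition name was mangled in the paste do not match the pattern and are skipped rather than guessed at, so a partition missing from the table shows up as "unknown partition" instead of being written blindly.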
Just a note for anyone else, sometimes running ./handshake.py as a regular user will just continue waiting. I ran it as root and it completed quickly. This isn't uncommon with a number of linux distributions (I'm on Debian 9 Stretch) because of the permissions on /dev/tty type devices. It's always recommended that if you can run it as a regular user, then that is better. It may be possible to use sudo to do this as well.
bibikalka said:
You gotta be careful with write_mmc.py and ensure that you have the addresses right! Those can be quite tricky, you should go through the Fire HD 2014 thread which has the same chipset:
https://forum.xda-developers.com/fire-hd/development/unbrick-fire-hd-6-7-flashing-lollipop-t3405797
You will need to replace TZ/LK to the version you had before the downgrade. Then it should boot, and you may be able to root FireOS via KingRoot or something (if it's vulnerable). If your preloader version changed, then you cannot do anything since there is no way to write preloader via write_mmc.py. I think the recent scripts by @k4y0z can query the versions of PL/TZ/LK, see if you can do that too, just to make sure that PL does not need to be replaced, and to get an idea which versions you are dealing with.
Edit: Here is how you can see which versions of PL/TZ/LK you have (remove the junk - I copied this from another script):
Code:
tee_version=$((`adb shell getprop ro.boot.tee_version | dos2unix`))
lk_version=$((`adb shell getprop ro.boot.lk_version | dos2unix`))
pl_version=$((`adb shell getprop ro.boot.pl_version | dos2unix`))
Yup, thebes and ariel share same CPU
So, now that we know Preloader is vulnerable, we can flash a prerooted system.img (Yes, will take a lot of time).
Probably Amazon patched up this in latest preloaders but downgrading the Preloader and then restoring correct TZ, LK and flash the rooted system img may do the trick
Regards.
Rortiz2 said:
Yup, thebes and ariel share same CPU
So, now that we know Preloader is vulnerable, we can flash a prerooted system.img (Yes, will take a lot of time).
Probably Amazon patched up this in latest preloaders but downgrading the Preloader and then restoring correct TZ, LK and flash the rooted system img may do the trick
Regards.
This is too slow. The first order of business would be to update LK/TZ and see if it boots. If it does, then just do Kingroot: https://forum.xda-developers.com/showpost.php?p=63061585&postcount=4
If PL also has downgrade protection, it will still not boot. Then RPMB needs to be cleared for which we don't have a procedure (yet).
bibikalka said:
This is too slow. The first order of business would be to update LK/TZ and see if it boots. If it does, then just do Kingroot: https://forum.xda-developers.com/showpost.php?p=63061585&postcount=4
If PL also has downgrade protection, it will still not boot. Then RPMB needs to be cleared for which we don't have a procedure (yet).
any one cant root this ?

[Partially solved]FS Half-borked... help.

I need help. I flashed the wrong .img to userdata and now it refuses to be formatted:
Code:
[email protected]:~$ fastboot -w
Erasing 'userdata' OKAY [ 55.085s]
/usr/lib/android-sdk/platform-tools/mke2fs failed with status 1
fastboot: error: Cannot generate image for userdata
I also tried:
Code:
[email protected]:~$ fastboot --force --disable-verification format:ext4:0x1987357000 userdata
Warning: userdata size is 0x1987357000, but 0x1987357000 was requested for formatting.
/usr/lib/android-sdk/platform-tools/mke2fs failed with status 1
fastboot: error: Cannot generate image for userdata
When I get all vars from each slot I get the following differences:
Code:
Slot a+b diff
Produced: 09/15/2022 03:39:14 PM
Mode: Differences, Ignoring Unimportant
Left file: /home/moe/a.txt Right file: /home/moe/b:txt
6 (bootloader) battery-voltage:4115 <> 6 (bootloader) battery-voltage:4087
--------------------------------------------------------------------------------------------------------
--------------------------------------------------------------------------------------------------------
11 (bootloader) partition-size:userdata: 0x1987 <> 11 (bootloader) partition-size:userdata: 0x1987357000
12 (bootloader) partition-type:system_a:ext4 12 (bootloader) partition-type:system_b:ext4
13 (bootloader) partition-size:system_a: 0x1000 13 (bootloader) partition-size:system_b: 0x100000000
--------------------------------------------------------------------------------------------------------
--------------------------------------------------------------------------------------------------------
33 (bootloader) current-slot:_a <> 33 (bootloader) current-slot:_b
--------------------------------------------------------------------------------------------------------
--------------------------------------------------------------------------------------------------------
37 (bootloader) slot-retry-count:_a:6 <> 37 (bootloader) slot-retry-count:_a:0
38 (bootloader) slot-unbootable:_a:no 38 (bootloader) slot-unbootable:_a:yes
--------------------------------------------------------------------------------------------------------
Any tips are welcomed. Thanks.
[Update]After flashing stock (*.032) ROM the phone will boot from slot a but I still get an error when attempting to format userdata:
Code:
[email protected]:~/Downloads/ph-1/032$ fastboot -w
Erasing 'userdata' OKAY [ 52.228s]
/usr/lib/android-sdk/platform-tools/mke2fs failed with status 1
fastboot: error: Cannot generate image for userdata
So far I have not seen any adverse effect on the phone operation, and Storage reports the right sizes. Still, what's going on here? How to fix it?
