
Root Backgrounder to rooting and Android errata

handy5876

Guest
If you are the type who needs to get the bigger picture before following detailed instructions then you may need to go through this.

Background before rooting and flashing ROMs.

Just to state the obvious, the HTC Desire has the Linux operating system at its core, and the Android virtual machine, called the Dalvik virtual machine, sits on top of this core. These are some of the areas you may need to get a handle on.

ROM
The Desire has 572 MB RAM and 512 MB ROM space. The ROM is called so but actually is not read-only and resides on NAND flash memory, which can be both read and written to. The ROM is like the hard disk of a PC and the sdcard is like a removable disk. Just like a PC, which divides the hard disk into C:, D: etc., Android divides the ROM into partitions. Android calls these partitions by different names like boot, system, data etc.
- The first partition, 'misc', is a very sensitive area which contains carrier data among other things and is normally never touched even when you root, go soff or flash ROMs.
- The 'recovery' partition contains a Linux kernel specially tailored for flashing updates. During rooting this is replaced by a custom recovery from clockworkmod etc. The original recovery does not permit flashing of unofficial ROMs, backups etc. and is extremely limited.
- The next partition is 'boot', which houses the actual Linux kernel used by Android.
- The 'system' partition houses the system apps and data. The term flashing ROMs mostly means installing a different system and boot image.
- The 'data' partition houses the user apps and their dependencies.
- The 'cache' partition houses the system cache.

SDCARD
The sdcard can also be divided into partitions. The first partition is generally the FAT32 filesystem of Windows, which can be accessed on the PC by connecting with a USB cable. The second partition is generally the ext filesystem of Linux. sdext is not available on the original device and is basically a mod for shifting your apps to the sdcard when you are running out of space, which is a vexing issue for Desire owners. This is because in Android all user apps are installed only on the 'data' partition, which is on ROM and is only 147 MB, so you soon run out of space. Note that this sdext methodology is different from the Android-supported method of shifting apps to the sdcard.

Bootloader
The bootloader or hboot is the first piece of code executed by the device. It is accessed by booting with vol dn + power pressed. The hboot is similar to the BIOS of PCs. It does some checks and hands control over to the Linux kernel (boot partition) if normal booting is followed. If interactive booting is followed and recovery is selected, then it hands over control to the recovery kernel (recovery partition). The hboot, being the first piece of code executed by the device, is one of the most sensitive pieces of software, and corruption bricks the device.

Radio
The radio software drives the radio of the device, like 2G, 3G. The radio software is also upgradable but is as sensitive as hboot. Problems during flashing like supply interruptions, problematic USB cables or PC problems can brick the device.

Rooting
The process of rooting is basically gaining root or privileged access in the Linux system and is the first step to any customization of the device. Typically during rooting the unofficial recovery from clockworkmod or amonra is flashed, which is what unrevoked does. Once the unofficial recovery is flashed your device actually gets opened up. With this recovery you can flash custom ROMs. You can also take backups (nandroid). Nandroid takes an image of the recovery, boot, system, data, cache and sdext partitions. This can be used to restore the system exactly to that state if things do not go as planned when flashing a new ROM or some other system-related operation. Note that nandroid will not touch the hboot, radio and misc and also will not restore recovery. Nandroid also gives the capability to erase (wipe) partitions like /data (factory reset), /cache and dalvik cache, which may be required prior to flashing a new ROM due to incompatibilities. Custom recovery can also be used to uninstall vexing system apps (bloatware) among many other things.

SON/SOFF
The hboot has a special safeguard, called SON, for preventing unauthorised changes to the /system partition (even with root access). This prevents you from touching /system or system apps when Android is booted up. What this means is that you can't get rid of bloatware when Android is running. The process of unlocking this security feature is called soff and it is carried out with the alpharev software. Alpharev flashes a modified hboot which bypasses the security feature, and /system can thereafter be available for read-write. Since hboot also contains partition information, the partition sizes can also be changed from the original tables with the alpharev hboot. The modified partition tables can give you increased space in the /data partition, from the original 147 MB stock to more than 300 MB, by rearranging space. The hboot also has a special mode called fastboot, during which some extended commands for flashing hboots, radios, splash screens etc. can be issued to the bootloader.

Unrooting (RUU/PB99IMG.zip)
These terms, which you will come across, are basically for disaster recovery, when you want to restore and unroot the phone back to the original carrier/HTC version for all areas including radio, hboot, boot, system, data etc. RUU (ROM Upgrade Utility) is PC software and works through the USB cable. The PB99IMG.zip file, which can be extracted from the RUU, is a special zip file which, when you stick it on the sdcard, does the same job as the RUU. One needs to know that RUU/PB99IMG software is region-specific and only a few of them are available, which have been leaked from OEM service centres. You also need to be aware that your phone carries region branding, which is a special code inserted by the manufacturer. This code, called cidnum, is checked by the RUU/PB99IMG before it restores the phone. So if the software is not available for your region, then the only alternative is to make a goldcard as described in the guides hosted in the forum. The goldcard is nothing but an sdcard with a modified boot sector. With the goldcard in the phone the RUU/PB99IMG bypasses the region code checks.

There is more detailed information in my subsequent posts if you want to know more.
 
very good but it's too long so I can imagine members will read that and be like WTF?

out of interest did you read any of the guides/FAQs that SUroot had written with all the various advice and problems we've come across over the last 18 months?

it would have answered a lot of questions
 
- Yeah maybe it's slightly long. What can I leave out or reduce? I'll try.

- I pieced this from those guides and interaction with the members and some searching on xda also.
 
well it's good as a learning piece, I'm just not sure who it's targeted at as a lot of that stuff is things that you can learn over time as it's not needed for the early stuff

nevertheless, a good write up
 
I like it. It's different.

It's not a guide on what you need to do, in fact it's nothing you 'really' need to know. But it does tell you why things are done the way they are and gives you more of an understanding of what's going on.

Most people just root and flash. Then perhaps S-Off to get more data partition space. How many actually know what's going on and how their phone operates behind all of the jargon?

Nice one
 
Thanks for the boosters. I figured out how to make it smaller by formatting. Maybe now it is more readable.
My small writeup is hardly a patch on the guides here. It is just a rough map sketch.
 
I like it!!

As great as the guides and FAQs are (and they ARE!) my initial fear was not understanding what various things actually were when they were referred to in the guide - this helps a lot!!

Even now with a good 4 days rooting experience under my belt, it's been handy to have a read through and understand things a little better!

I'd recommend any new rooters read this and then go on to the guides!!
 
Thank you!

This is a great complement to the extremely well written guides and FAQs in the stickies! Well done!
 
Some errata I gleaned on android. For the curious ones

Android Partitions
The ROM is divided into following partitions
mtd0 - misc
mtd1 - recovery
mtd2 - boot
mtd3 - system
mtd4 - cache
mtd5 - userdata

mmcblk0 - sdcard
mmcblk1 - sdext (Generally)

How to change splash screen
If you are soff then you can make your own splash screen.

Download nbimg-1.1win32.zip from xda at [release] nbimg: HTC splash screen tool - xda-developers and extract it and follow the steps as shown in xda.

My command prompt history is shown below:-

D:\store\Desire\nbimg-1.1win32>dir
08/06/2011 07:39 PM 1,152,054 splash1.bmp
07/07/2008 08:53 PM 11,776 nbimg.exe

Convert bmp to nb
D:\store\Desire\nbimg-1.1win32>nbimg -F splash1.bmp -w 480 -h 800

Check output
D:\store\Desire\nbimg-1.1win32>dir
07/07/2008 08:53 PM 11,776 nbimg.exe
08/06/2011 07:39 PM 1,152,054 splash1.bmp
08/06/2011 07:44 PM 768,032 splash1.bmp.nb

Now rename splash1.bmp.nb to splash1.img. I used explorer for that.
D:\store\Desire\nbimg-1.1win32>dir
07/07/2008 08:53 PM 11,776 nbimg.exe
08/06/2011 07:39 PM 1,152,054 splash1.bmp
08/06/2011 07:44 PM 768,032 splash1.img

Check fastboot recognises the phone
C:\sdktools-toolsonly\android-sdk-windows\tools>fastboot devices
SH0A5PL08610 fastboot

Give the flashing command
C:\sdktools-toolsonly\android-sdk-windows\tools>fastboot flash splash1 d:\store\Desire\nbimg-1.1win32\splash1.img
sending 'splash1' (750 KB)... OKAY [ 0.124s]
writing 'splash1'... OKAY [ 0.237s]
finished. total time: 0.362s

Make Goldcard without Phone
Need to make a goldcard which you didn't make earlier and the phone is having a problem. I heard somewhere that the phone is not at all required for making a goldcard. The tricky part is you need to read the cid.

Didn't have any luck with Windows. Didn't find any utility to read the cid.

Turned my attention to Linux. Was too lazy to install Linux. But I realized that I had the gparted live CD. I think most rooters have this. Just booted with that and read the cid just as given in the rooting sticky except you need to substitute mmc0 for mmc1. All other steps are the same.

Course you need a computer with a cardreader and the computer needs to be set to boot from CD.

Nandroid
Nandroid is the backup and restore facility offered by custom recovery. What is custom recovery now? It is the recovery program which is used to replace the stock program in the phone. The custom recovery gives many more facilities than the stock one does, like:-
- Flashing custom ROMs
- Backup and restore the phone
- Formatting partitions
- Wipe partitions etc
Now recovery is really a linux kernel which is situated on mtd1 (the second partition of Flash memory). Once the bootloader hboot completes its checks it hands over control to the actual linux kernel located at mtd2. If the interactive booting is followed and recovery option is chosen in hboot then control is handed over to recovery in mtd1.

The nandroid backup facility of recovery creates .img files from the /recovery (mtd1), /boot (mtd2), /system (mtd3), /cache (mtd4), /userdata (mtd5) and /sdext (mmcblk0p2) partitions. The idea is that on selecting restore these partitions are restored exactly as they were earlier. It is thus a great utility since if you try out a ROM and don't like it and want to go back, all you need to do is reboot into recovery and restore the specific backup.

Nandroid does not restore the recovery.img since I guess it does not make sense trying to restore itself. But all these image files can be flashed from fastboot mode if you are SOFF.

Root Directory
Have you wondered about the ROMs you install? What is in them? It turned out that they only contained verbatim the /system partition you find on the device. It also contains a boot.img.

Now there is a mystery. Where did so many directories get populated on the root directory once Android starts up? Where is the root mounted? The answer to this lies in boot.img. The boot.img which is destined for the boot partition contains a kernel and gzipped ramdisk. If the ramdisk is extracted by searching for the gzip signature then you find the ramdisk contents faithfully mirror some of the files & directories in the root directory like so:-
/data
/dev
/proc
/sbin
/sys
/system
default.prop
init
init.bash.rc
init.goldfish.rc
init.rc
ueventd.bravo.rc
ueventd.goldfish.rc
ueventd.rc

All these directories are mostly empty and are mount points for the actual partitions like mtd3, 4 etc. Thus the ramdisk itself is the root partition. Unlike desktop linux the ramdisk is not unloaded and continues. So after kernel gets control from bootloader one of the tasks it does after many OS related stuff is start init located in ramdisk. init in turn executes init.rc also on ramdisk.

init.rc is the one which actually brings the system up and it also mounts the partitions into the root. It also creates various other directories which you find in the root directory and not in the ramdisk.

Unrooting
RUU/PB99IMG
Some thoughts on RUU/PB99IMG

I have seen people finding the RUU business very trying. This is my attempt at understanding RUU issue. Not complete.

RUU (ROM Upgrade Utility) is leaked software from OEM service centres which is utilised to quickly repair or flash a phone back to stock. In the process the phone also gets unrooted. The RUU is Windows software and works through the USB cable. The PB99IMG.zip is a rom.zip file hidden inside the RUU and can be easily extracted in Windows. The zip file needs to be renamed to PB99IMG.zip and planted on your sdcard, and thereafter the same function as the RUU can be achieved by booting the device with vol dn + power button.

Each RUU is specific to a certain region and ordinarily you cannot flash an RUU not meant for you. The device supported by the RUU is captured in the rom.zip in the android-info.txt file. For example the android-info.txt file in the WWE RUU 2.29.405.5 holds the following data:-

modelid: PB9920000
cidnum: HTC__001
cidnum: HTC__E11
cidnum: HTC__N34
cidnum: HTC__203
cidnum: HTC__102
cidnum: HTC__K18
cidnum: HTC__405
cidnum: HTC__Y13
cidnum: HTC__A07
cidnum: HTC__304
cidnum: HTC__016
cidnum: HTC__032
mainver: 2.29.405.5
hbootpreupdate:12
DelCache: 1

If you issue 'fastboot getvar all' you will find whether your device tallies with this data.

C:\AndroidSDK\tools>fastboot getvar all
INFOversion: 0.5
INFOversion-bootloader: 0.92.0001
INFOversion-baseband: 5.09.00.20
INFOversion-cpld: None
INFOversion-microp: 031d
INFOversion-main: 2.09.405.8
INFOserialno: HT045PL12223
INFOimei: 357841031833711
INFOproduct: bravo
INFOplatform: HBOOT-8
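
The ramdisk extraction described under Root Directory above, as an added example that is not part of the original post: it scans an image for the gzip signature, skips chance matches, and lists the cpio entries it finds. The sample image is constructed (stand-in kernel bytes with a decoy signature, plus a small hand-built ramdisk), and all function names are hypothetical.

```python
import gzip
import zlib

GZIP_MAGIC = b"\x1f\x8b\x08"   # gzip ID bytes + "deflate" method byte
CPIO_MAGIC = b"070701"         # cpio "newc" header magic

def cpio_entry(name, data=b"", mode=0o100644):
    """Build one newc record; only used to construct the sample image."""
    name += b"\0"
    fields = [0, mode, 0, 0, 1, 0, len(data), 0, 0, 0, 0, len(name), 0]
    rec = CPIO_MAGIC + b"".join(b"%08X" % f for f in fields) + name
    rec += b"\0" * (-len(rec) % 4) + data
    return rec + b"\0" * (-len(rec) % 4)

def build_sample_image():
    """Constructed stand-in for boot.img: fake kernel bytes + gzipped cpio."""
    cpio = (cpio_entry(b"init", b"stub") + cpio_entry(b"init.rc", b"on init\n")
            + cpio_entry(b"default.prop", b"ro.secure=1\n")
            + cpio_entry(b"system", mode=0o040755)      # empty mount point
            + cpio_entry(b"TRAILER!!!"))
    kernel = b"KERNEL" + b"\0" * 58 + GZIP_MAGIC + b"decoy" + b"\0" * 24
    return kernel + gzip.compress(cpio) + b"\0" * 100

def find_ramdisk(image):
    """Return (offset, cpio bytes) of the first gzip stream that holds a cpio."""
    pos = image.find(GZIP_MAGIC)
    while pos != -1:
        try:
            out = zlib.decompressobj(wbits=31).decompress(image[pos:])
        except zlib.error:
            out = b""          # signature matched by chance, not a real stream
        if out.startswith(CPIO_MAGIC):
            return pos, out
        pos = image.find(GZIP_MAGIC, pos + 1)
    raise ValueError("no gzip-compressed cpio ramdisk found")

def list_cpio(archive):
    """Walk newc records and return the entry names up to the trailer."""
    names, off = [], 0
    while archive[off:off + 6] == CPIO_MAGIC:
        # Header is 110 bytes: magic + 13 eight-digit hex fields.
        filesize, namesize = (int(archive[off + o:off + o + 8], 16) for o in (54, 94))
        name = archive[off + 110:off + 110 + namesize - 1].decode()
        if name == "TRAILER!!!":
            break
        names.append(name)
        off += 110 + namesize
        off += -off % 4 + filesize   # name is padded to 4 bytes, then the data
        off += -off % 4              # data is padded to 4 bytes as well
    return names
```

Validating that the decompressed stream starts with the cpio magic matters because a kernel image can contain the same three signature bytes by chance or as part of its own compressed payload.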
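
One way to do the tally between android-info.txt and `fastboot getvar all` mechanically, as an added example that is not part of the original post. The android-info.txt text is a subset of the file quoted above; the getvar samples are constructed, and their `modelid` and `cidnum` lines are an assumption, since the captured output above stops before any such lines. Function names are hypothetical.

```python
ANDROID_INFO = """\
modelid: PB9920000
cidnum: HTC__001
cidnum: HTC__E11
cidnum: HTC__N34
mainver: 2.29.405.5
hbootpreupdate:12
DelCache: 1
"""   # subset of the android-info.txt quoted in the post

GETVAR_OK = """\
INFOversion-bootloader: 0.92.0001
INFOversion-main: 2.09.405.8
INFOproduct: bravo
INFOmodelid: PB9920000
INFOcidnum: HTC__E11
"""   # constructed sample; the modelid/cidnum lines are assumed

GETVAR_BRANDED = GETVAR_OK.replace("HTC__E11", "TEST_001")  # constructed CID

def parse_android_info(text):
    """Parse 'key: value' lines; keys such as cidnum repeat, so keep lists."""
    info = {}
    for line in text.splitlines():
        key, sep, value = line.partition(":")
        if sep:
            info.setdefault(key.strip(), []).append(value.strip())
    return info

def parse_getvar(text):
    """Parse fastboot output lines of the form 'INFOname: value'."""
    device = {}
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("INFO"):
            key, sep, value = line[4:].partition(":")
            if sep:
                device[key.strip()] = value.strip()
    return device

def tally(info, device):
    """Return the reasons the package does not match this device."""
    problems = []
    for key in ("modelid", "cidnum"):
        allowed, actual = info.get(key, []), device.get(key)
        if actual is None:
            problems.append(f"device did not report {key}")
        elif actual not in allowed:
            problems.append(f"{key} {actual} not in {allowed}")
    return problems
```

An empty list from `tally` means the model ID and CID both appear in the package's android-info.txt; a missing field is reported separately from a mismatch so truncated output is not mistaken for a match.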
 
Been flashing radios, hboots and ROMs? Want to know where they actually go? I mean physically? Have a look at the images below.

DSC_8176.JPG



motherboard.jpg


The Qualcomm chips are confidential I think. No further information is available on them.
 
How to change hboot using thalamus patcher available at hboot patcher.

Command Prompt History
Command Prompt history hboot flashing for 100MB System and 5M Cache.

1. First Do nandroid backup

2. Directory listing of hboot_patcher directory

D:\store\Desire\hboot_patcher_r1-win32>dir
07/01/2011 03:17 AM 524,288 bravo_alphaspl.img
05/13/2004 05:56 PM 84,784 fciv.exe
07/01/2011 07:02 PM 8,192 hboot_patcher.exe
03/18/2010 01:45 PM 421,200 msvcp100.dll
03/18/2010 01:45 PM 770,384 msvcr100.dll

3. Execute hboot_patcher

D:\store\Desire\hboot_patcher_r1-win32>hboot_patcher.exe
You MUST check the md5 of bravo_alphaspl.img before continuing.

To do so, run: fciv.exe bravo_alphaspl.img
Ensure that the output is: a812a26af9d1e039bdd1fe48743e0472

4. OK check the checksum

D:\store\Desire\hboot_patcher_r1-win32>fciv bravo_alphaspl.img
a812a26af9d1e039bdd1fe48743e0472 bravo_alphaspl.img

5. OK checksum is fine. Rerun hboot_patcher

D:\store\Desire\hboot_patcher_r1-win32>hboot_patcher.exe

Enter size for /system: 100
Ok
/system set to: 100 MB

Enter size for /cache: 5
Ok
/cache set to: 5 MB

/data has been calculated as: 332 MB

Enter label for hboot, max 9 characters: 332-100-5

Label is set to: 332-100-5

5. Move the generated hboot to hboot.img and copy to sdktools directory. Not really required.


6. Now put the device in fastboot mode
***Sanity check for fastboot.
C:\sdktools-toolsonly\android-sdk-windows\tools>fastboot devices
SH0A5PL08610 fastboot

7. Now give the command.
C:\sdktools-toolsonly\android-sdk-windows\tools>fastboot flash hboot hboot.img
C:\sdktools-toolsonly\android-sdk-windows\tools>fastboot reboot-bootloader
C:\sdktools-toolsonly\android-sdk-windows\tools>fastboot erase cache

Now boot recovery
Wipe Data and Cache
Restore your Nandroid Backup.
 