Root making an hboot flashable recovery

[scotty85]

EU1,thanks for your replies. i never imagined that our little experiment here would work with the S-ON bootloader,sorry if i somehow gave those impressions.

what i am wondering is if we can modify the root PB00IMG file so that all it does is install the S-OFF 1.49.000 bootloader? basically remove all files except that wich installs the bootloader?

it would then be easy for folks to get the S-OFF without the battery pull,or having to install the whole update and then re-root. it would be alot less scary,and i presume,low risk?

i still cant open the root PB00IMG file all i get is a "the compressed(zipped) folder is invalid" error message,so i cant even attempt to modify it.

if you or scary wants to whip somethin up to only flash the S-OFF bootloader,id be happy to be the guinea pig to test it

 

[Bob Cat]

if you or scary wants to whip somethin up to only flash the S-OFF bootloader,id be happy to be the guinea pig to test it

I too would be a guinea pig on my 2nd phone. Both of my phones are 1.49.0000 S-ON.

 

[erisuser1]

what i am wondering is if we can modify the root PB00IMG file so that all it does is install the S-OFF 1.49.000 bootloader? basically remove all files except that wich installs the bootloader?

The whole point of crypto signatures is to prevent that from happening. Not specifically the bootloader, but any changes whatsoever. That protects the phone from hapless users that can't seem to download or copy files correctly without screwing up.

There are THREE different signing methods that are in use in different places:

(1) Apps (.apk files), and .jar files are signed with Sun's native "Jar" signing methods. Developer ROM .zip files are also signed this way.

(2) Update.zip files are signed on a whole-archive basis using a signature which appears in the .zip file's "comments" section - the code for this can be seen in the standard Android distribution for the "recovery"

(3) HTC uses a third method - algorithm unknown - that prepends a mystery blob of 256 bytes to the beginning of a .zip file. BTW, this is why your microsoft tools puke on it; if you unzip them with a Unix/Linux version of "unzip", it merely gives you a warning, e.g.:

"warning [Eris_LeakV3_v2.36.605.1_PB00IMG.ZIP]: 256 extra bytes at beginning or within zipfile
(attempting to process anyway)"

The first two methods are public-key crypto methods; even though the code is known, the private key(s) that are in use are unknown, and so even though the algorithm is known, it is still essentially impossible to subvert the signing method. In the third case above (the one the HTC bootloader uses to validate PB*.zip files), not only is the algorithm unknown, but presumably the signing key is unknown as well, too.

That's the long way of saying "good luck with that"

eu1

 

[scotty85]

so if i understand that correctly,even if we were able to modify htc's root rom to install only the bootloader,the S-ON bootloader would know,and not allow that update to happen?

thats a bummer.

but at least the recovery works. another good reason to be S-OFF,methinks

 

[scary alien]

Kinda yes kinda no.

I just downloaded it from your link and took a look; it's not there (which is sort of what I expected).

FYI, octal 240 is only 156 bytes - you would need to dump the first 17 lines of 16 bytes to see the "PK" ( = hex 0x50 0x4b ) "magic number" signature that is the demarcation of the beginning of ZIP file archive. That would occur at byte 256 (offset 0x100 or octal 0400) of a "real" HTC PB00IMG.zip file.

Also, it is easier if you use "hexdump -C" instead of "od -h", because then you don't need to worry about byte swabbing interpretation issues (big-endian vs. little-endian).

If you do something like "hexdump -C PB00IMG.zip | hexdump -C | head -17" on a real HTC PB00IMG.zip file, you will see that the actual zip archive begins at byte offset 256 - the first 256 bytes of the file appear to be an HTC-specific signature of some sort - presumably cryptographic, as it is not the same between different HTC PB00IMG.zip files.

eu1

Yeah, sorry 'bout that...I didn't have Ubuntu booted-up so I just grabbed some Unix utils for Windows and dumped the first part of the files (half-way expecting to see low-values at the front ). Not knowing what to look for, I figured you still might be able recognize what you were looking for even with a partial dump.

I still might run your suggested S-ON experiment you listed earlier, but I would tend to lean towards your inclination that this is all successful due to having the S-OFF setting. My interest was piqued mainly as an additional, fairly simple method of installing my trackball-optional recovery, but it sounds like there'd be too many caveats to include with the instructions, eh?

Thank you again for your insight re. this.

 

[scotty85]

but it sounds like there'd be too many caveats to include with the instructions, eh?

not if youre allready S-OFF
1)download
2)make sure sd card is formatted FAT32
3)transfer to root of sd card and rename PB00IMG.zip( if using windows,just "PB00IMG" as windows adds the.zip automatically)
4)power off
5)power on holding vol - to enter hboot.wait for update promt
6)push track ball. wait for install to complete.
7)push track ball again to reboot

easy as 1,2,3

i think more people need to become s-off. either by installing the root PB00IMG and re-rooting,or doing the battery pull. or,if youre lucky enuff to have the S-ON 1.49.000 there is a .zip you can flash in recovery.

on my incredible, hboots are flashable as PBxxIMG files as well... am i correct in assuming that there would not be a way to flash the 1.49.0000 S-ON bootloader in hboot without losing root? if it were possible, a person could upgrade from 1.47.0000 to 1.49.0000 then flash the S-OFF .zip

 

[scary alien]

easy as 1,2,3

i think more people need to become s-off. either by installing the root PB00IMG and re-rooting,or doing the battery pull. or,if youre lucky enuff to have the S-ON 1.49.000 there is a .zip you can flash in recovery.

Well...I feel I should prepare you for the proper and obilgatory warning from eu1 that "flashing the bootloader is the single most dangerous thing you can do on your phone" .

We've seen tale after tale of users that are not really all that careful about following instructions to the letter... So, this makes encouraging folks to get their bootloaded upgrade to S-OFF a pretty scary proposition. eu1 actually used to encourage this (getting the S-OFF bootloader) and shortly thereafter backed-away from this advice (he more than almost anyone has dealt with the vagaries of some people's penchant for looking before leaping, if you will).

Not all are as careful (as we are? ) in the things that they do to their phone...

Just sayin'...

 

[Bob Cat]

not if youre allready S-OFF
1)download
2)make sure sd card is formatted FAT32
3)transfer to root of sd card and rename PB00IMG.zip( if using windows,just "PB00IMG" as windows adds the.zip automatically)
4)power off
5)power on holding vol - to enter hboot.wait for update promt
6)push track ball. wait for install to complete.
7)push track ball again to reboot

easy as 1,2,3

i think more people need to become s-off. either by installing the root PB00IMG and re-rooting,or doing the battery pull. or,if youre lucky enuff to have the S-ON 1.49.000 there is a .zip you can flash in recovery.

on my incredible, hboots are flashable as PBxxIMG files as well... am i correct in assuming that there would not be a way to flash the 1.49.0000 S-ON bootloader in hboot without losing root? if it were possible, a person could upgrade from 1.47.0000 to 1.49.0000 then flash the S-OFF .zip

What's the dummies way to get S-OFF?

 

[scotty85]

What's the dummies way to get S-OFF?

since you have the 1.49.0000 bootloader(s) the easiest thing for you would be to flash the "erisengspl.zip" in recovery.

xda link here:
http://forum.xda-developers.com/showpost.php?p=8680709&postcount=29
and a lil more info here:
http://forum.xda-developers.com/showpost.php?p=8897869&postcount=4

if that fails,the only way is to install the "root rom" PB00IMG file(linked above my mister alien).

you can let it completely install,then re-root after.

or...

you can do the "battery pull" as described here:
http://androidforums.com/eris-all-things-root/75384-visual-example-pb00img-zip-update-method.html

basically,you start to install the root rom update,then pull the battery after the bootloader is installed it sounds scary,but its how i did it

but i think the .zip will work for you. try it and report back worse thing that happens is youre still S-ON if it fails

 

[Bob Cat]

since you have the 1.49.0000 bootloader(s) the easiest thing for you would be to flash the "erisengspl.zip" in recovery.

but i think the .zip will work for you. try it and report back worse thing that happens is youre still S-ON if it fails

The test phone is now 1.49.2000 S-Off. Now I'll do the DD.

* DD is now S-OFF. Like a walk in the park.

 

[scotty85]

The test phone is now 1.49.2000 S-Off. Now I'll do the DD.

 

[bberryhill0]

How do I find out which hboot I'm running? I'm going to guess that I have to boot into recovery.

* Oh. QuickBoot has a bootloader option. I'm on 1.49 S-ON.

 

[Bob Cat]

How do I find out which hboot I'm running? I'm going to guess that I have to boot into recovery.

* Oh. QuickBoot has a bootloader option. I'm on 1.49 S-ON.

Flashing the zip method will NOT work on the 1.47. Read the Link Scotty provided. Just looking out.

 

[scotty85]

Flashing the zip method will NOT work on the 1.49. Read the Link Scotty provided. Just looking out.

1.49 should be the only bootloader the .zip method DOES work on! it defaintely doesnt work with 1.47(thats wat mine was)

what method did you use BC?

 

[Bob Cat]

1.49 should be the only bootloader the .zip method DOES work on! it defaintely doesnt work with 1.47(thats wat mine was)

what method did you use BC?

Boy it was way early when I posted that. Disregard.
I edited that post.

 

[scotty85]

Boy it was way early when I posted that. Disregard.
I edited that post.

oooooh,lol

 

[erisuser1]

Two things to add to this thread.

(1) Please, please, PLEASE use all digits of the bootloader version number when referring to specific bootloader(s)

1.49.0000 S-ON
1.49.2000 S-OFF

Clearly, just saying "1.49" is completely ambiguous.

(2) If there was a way to flash a bootloader with a PB00IMG.zip file that was not signed by HTC's key, it would nevertheless be a bad idea: performing very dangerous flashing operations using unsigned and unverified inputs has obvious problems when newbs are involved - look at the daily stream of folks who can't seem to get an intact ROM file to their phone's SD card.

Same goes for using S-OFF bootloaders with fastbooot, or "unsigned" PB00IMG.zip files - it is like an open invitation for disasters to happen.

eu1

 

[brock350]

How would you change it back to s -on? Incase you had to exchange it? I doubt they would look but you never know.

 

[erisuser1]

How would you change it back to s -on? Incase you had to exchange it? I doubt they would look but you never know.

fastboot flash hboot hboot_7501a_1.47.0000_091023.nb0

 

[scotty85]

fastboot flash hboot hboot_7501a_1.47.0000_091023.nb0

Thanks eu1. Ill have to try this. I assume this is thru adb in fastboot? Or just in charge mode?

 

[scary alien]

Thanks eu1. Ill have to try this. I assume this is thru adb in fastboot? Or just in charge mode?

Scotty,

See the bottom part of the first post in this thread http://androidforums.com/eris-all-t...2-custom-recovery-trackball-not-required.html for a mini-tutorial re. fastboot with the requisite warnings re. double-checking your MD5 sums courtesy of eu1.

As usual, flashing your bootloader requires care to make sure the file you will flash is good and that you have a full charge on your phone, etc. (waving a chicken or two around might not hurt either ).

Cheers!

 

[scotty85]

thanks scary. i hadnt realized that was down there! id used the adb part to change my recoveries,but dint notice the fastboot instructions

i have practiced switching recoveries with the fastboot method.

so what file would i need to put in my tools directory if i wanted to use the above command to revert to an s-on bootloader?

 

[scary alien]

thanks scary. i hadnt realized that was down there! id used the adb part to change my recoveries,but dint notice the fastboot instructions

i have practiced switching recoveries with the fastboot method.

so what file would i need to put in my tools directory if i wanted to use the above command to revert to an s-on bootloader?

You would need the HBOOT file that eu1 listed above, triple-check the MD5 D), put your phone in fastboot mode, and then issue the command eu1 gave from the SDK tools directory.

Cheers!

 

[scotty85]

any ideas where i would find it?

 

[scary alien]

any ideas where i would find it?

lol...I realized a few minutes after I posted that that was going to be your next question .

I'm pretty sure it should be in one of the 2.1 leaks...lemme check my files real quick...brb...

edit 1: okay, strike that...its in the RUU, according to eu1's thread:

http://forum.xda-developers.com/showthread.php?t=686598

edit 2: RUU_MR2 is here: http://www.pcdphones.com/our-devices/products/46-adr6200vw (I'm grabbing to examine it ...)