Hi, since this is my wife's HTC hero from Orange UK, I'm being particularly careful with it. I'm new to xda-developers/HTC platforms (but not new to doing horrible things to embedded platforms) :>
I've been messing about with the phone all evening - downloaded that ROM image from the other thread and pulled it apart to look at the OS files etc - the standard break-a-new-embedded-linux-platform routine.
Anyway, if you hold down BACK when powering on, it enters the bootloader mode with a "FASTBOOT USB" prompt, which sounded interesting. I got a copy of the fastboot binary, and extracted the kernel and the ramdisk images from "boot.img" in the "HEROIMG_Hero_HTC_WWE_1.76.405.1_R3_WWE_release_signed.zip" (using split_bootimg.pl).
Just as a quick test, I tried booting them with:
fastboot boot kernel.img boot.img
since the above just boots a kernel from RAM, and doesn't actually flash it. Anyway, fastboot claims it downloaded and booted it ok, and the phone shows the "HERO" logo. Unfortunately that is as far as it gets. However, if I reset the phone, it boots perfectly fine from the kernel/ramdisk in flash (phew!)
Since it doesn't actually boot into android proper (and doesn't show up as a USB device), I don't know if (a) it's showing the HERO logo, but failing the signature check, or (b) actually booting, but crashing 'cos the kernel/ramdisk aren't quite right. I'd guess (a) myself, but I'm new to messing with HTC bootloaders.
Anyway, in case they're useful, the details of the phone from the fastboot mode are:
HERO CVT SHIP S-ON
HBOOT-1.76.0004 (HERO10000)
MICROP-010f
TOUCH PANEL-SYN0104
RADIO-6.35.04.25
Jul 3 2009,15:22:21
That method of entering fastboot is the same as the magic. Check the magic / sapphire wiki and have a read as I suspect the magic is its closest relative and a lot of the magic stuff will work...
daisy xx
Aha, thank you very much, that gives me more information!
Anyway, I just tried booting the boot.img itself instead of splitting it up with:
fastboot boot boot.img
This time, it booted right into the full android! Checking /proc/config.gz:
On the phone booting normally, it says:
# Linux kernel version: 2.6.27
# Fri Jul 3 07:52:06 2009
On the phone booted with boot.img extracted from that zip, it starts:
# Linux kernel version: 2.6.27
# Thu Jun 25 14:16:01 2009
So it seems as though it can boot the boot.img: AFAIK config.gz is hardcoded into the kernel binary. Now: is there a signature in the boot.img file?
Erm, I'm either hallucinating from lack of sleep, or I appear to have a root shell on it now. e.g. I can see the contents of /data from "adb shell":
ps reports: [snip]
root 43 1 3332 164 ffffffff 0000e8f4 S /sbin/adbd
root 619 43 748 340 c005ef5c afe0d08c S /system/bin/sh
# ls /data/app
org.oep.pong.apk
com.google.android.stardroid.apk
se.illusionlabs.labyrinth.lite.apk
com.google.zxing.client.android.apk
com.innovativelanguage.wordpowerlite.jp.apk
com.funambol.android.apk
com.massorbit.sword.apk
com.soundroid2012.piano.apk
jg.entertainment.abook.four.apk
com.maplekeycompany.apps.shake.apk
net.peterd.zombierun.apk
All I did was
1) pull the boot.img apart with split_bootimg
2) gunzip the ramdisk
3) hexedit the ramdisk to set ro.secure=0 (couldn't be bothered faffing about with cpio)
4) gzip the ramdisk
5) rebuild the image with mkbootimg. Oh you need to specify a different base address. Example command line:
/tmp/mkbootimg --kernel boot.img-kernel --ramdisk boot.img-ramdisk.insecure.gz --cmdline 'no_console_suspend=1 console=null' -o test-insecure.img --base 0x19200000
Then I just booted it with "fastboot boot test-insecure.img"
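As an added example (not adq's code or any tool from the thread): a Python check that unpacks a gzip'd newc cpio ramdisk and reports whether default.prop still says ro.secure=1, the setting that the byte edit in step 3 flips. The sample ramdisks are constructed inside the block, the function names are hypothetical, and requiring ro.secure=1 is this example's assumed policy.

```python
import gzip

def cpio_newc_pack(files):
    """Build a newc cpio archive from {name: bytes}; only used to construct the sample."""
    out = bytearray()
    entries = list(files.items()) + [("TRAILER!!!", b"")]
    for ino, (name, data) in enumerate(entries, 1):
        nm = name.encode() + b"\0"
        # 13 header fields: ino mode uid gid nlink mtime filesize
        #                   devmajor devminor rdevmajor rdevminor namesize check
        fields = (ino, 0o100644, 0, 0, 1, 0, len(data), 0, 0, 0, 0, len(nm), 0)
        out += b"070701" + b"".join(b"%08X" % f for f in fields) + nm
        out += b"\0" * (-len(out) % 4)          # header + name padded to 4 bytes
        out += data
        out += b"\0" * (-len(out) % 4)          # file data padded to 4 bytes
    return bytes(out)

def cpio_newc_files(archive):
    """Yield (name, data) for every entry in a newc cpio archive."""
    pos = 0
    while pos + 110 <= len(archive):
        if archive[pos:pos + 6] not in (b"070701", b"070702"):
            raise ValueError("bad cpio magic at offset %d" % pos)
        fields = [int(archive[pos + 6 + 8 * i:pos + 14 + 8 * i], 16) for i in range(13)]
        filesize, namesize = fields[6], fields[11]
        name = archive[pos + 110:pos + 110 + namesize - 1].decode("utf-8", "replace")
        if name == "TRAILER!!!":
            return
        data_at = (pos + 110 + namesize + 3) & ~3
        yield name, archive[data_at:data_at + filesize]
        pos = (data_at + filesize + 3) & ~3

def parse_props(text):
    """Parse key=value lines, skipping blanks and # comments."""
    props = {}
    for line in text.splitlines():
        line = line.strip()
        if line and not line.startswith("#") and "=" in line:
            key, value = line.split("=", 1)
            props[key.strip()] = value.strip()
    return props

def audit_ramdisk(ramdisk_gz, expected=None):
    """Return [(property, found, wanted)] for every property that deviates."""
    expected = expected or {"ro.secure": "1"}   # assumed policy for this example
    for name, data in cpio_newc_files(gzip.decompress(ramdisk_gz)):
        if name in ("default.prop", "./default.prop"):
            props = parse_props(data.decode("utf-8", "replace"))
            return [(k, props.get(k), want) for k, want in expected.items()
                    if props.get(k) != want]
    return [("default.prop", None, "file present")]

# Constructed sample ramdisks (not taken from any real ROM).
STOCK_CPIO = cpio_newc_pack({
    "init.rc": b"# constructed placeholder\n",
    "default.prop": b"# constructed sample\nro.secure=1\n",
})
STOCK_RAMDISK = gzip.compress(STOCK_CPIO)
# Same-length byte edit of the unpacked archive, as in step 3 of the post above.
EDITED_RAMDISK = gzip.compress(STOCK_CPIO.replace(b"ro.secure=1", b"ro.secure=0"))

if __name__ == "__main__":
    for label, rd in (("stock", STOCK_RAMDISK), ("edited", EDITED_RAMDISK)):
        print(label, audit_ramdisk(rd) or "ok")
```

Because the edit keeps the archive the same length, the cpio structure stays valid; only a content check like this one (or a hash comparison against a known-good ramdisk) notices the change.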
adq said:
> Erm, I'm either hallucinating from lack of sleep, or I appear to have a root shell on it now. e.g. I can see the contents of /data from "adb shell":
> ps reports: [snip]
> root 43 1 3332 164 ffffffff 0000e8f4 S /sbin/adbd
> root 619 43 748 340 c005ef5c afe0d08c S /system/bin/sh
> # ls /data/app
> org.oep.pong.apk
> com.google.android.stardroid.apk
> se.illusionlabs.labyrinth.lite.apk
> com.google.zxing.client.android.apk
> com.innovativelanguage.wordpowerlite.jp.apk
> com.funambol.android.apk
> com.massorbit.sword.apk
> com.soundroid2012.piano.apk
> jg.entertainment.abook.four.apk
> com.maplekeycompany.apps.shake.apk
> net.peterd.zombierun.apk
> All I did was
> 1) pull the boot.img apart with split_bootimg
> 2) gunzip the ramdisk
> 3) hexedit the ramdisk to set ro.secure=0 (couldn't be bothered faffing about with cpio)
> 4) gzip the ramdisk
> 5) rebuild the image with mkbootimg. Oh you need to specify a different base address. Example command line:
> /tmp/mkbootimg --kernel boot.img-kernel --ramdisk boot.img-ramdisk.insecure.gz --cmdline 'no_console_suspend=1 console=null' -o test-insecure.img --base 0x19200000
> Then I just booted it with "fastboot boot test-insecure.img"
You're ready to build your own rom images ;-)
You could start by preparing your own rooted recovery with nandroid.
For a quick and dirty basic recovery image, just download one from sapphire development forum, replace the boot.img-kernel with a working copy for your hero.
Then rename init.sapphire.rc to init.hero.rc in ramdisk image.
You can simply extract ramdisk image with:
mkdir boot.img-ramdisk
cd boot.img-ramdisk
zcat ../boot.img-ramdisk.gz | cpio -idv
make your changes to ramdisk files
search internet for a script named repack-bootimg.pl
add the new base parameter to mkbootimg line in the script
cd to directory where you unpacked your boot.img
repack-bootimg.pl boot.img-kernel boot.img-ramdisk newboot.img
fastboot your recovery
then you can use nandroid in the recovery image to make a full dump of your rom and use the newer version of boot.img you have in your device to rebuild an up-to-date recovery or any kind of rom (you could start by preparing a copy of your original rom by changing ro.secure=0 in both boot.img and recovery.img).
By the way, I noticed that kernel in HERO uses sapphire fixup. The currently available version on the net is not booting on sapphire (magic) 32A, but it resets after a few minutes.
Maybe the kernel version in your orange hero introduces compatibility with sapphire boards. Well, really I suppose it won't, but if you get a nandroid backup and post your current original boot.img, magic 32A board owners could give it a try while we are waiting for HTC to release updated kernel sources for Magic and Hero.
Bye
daldroid
adq said:
> [...]
> So it seems as though it can boot the boot.img: AFAIK config.gz is hardcoded into the kernel binary. Now: is there a signature in the boot.img file?
No, no signature in standard boot.img, you have to zip it and sign the resulting zip. But no signing keys except for test-keys are available to the public, so I suppose your spl (S-ON) will not allow you to directly flash rom images from fastboot command line.
However it seems your SPL allows you to fastboot a repacked boot image, so it should not be a problem to use a recovery image to flash whichever rom mod you like.
I suggest you not flash any SPL you can find on the net; I suppose you have the newest and no image of your original SPL is available (there is one from a leaked hero image, but yours seems to be newer).
Bye
Yeah, my thoughts exactly, I'd rather not flash the SPL if I can help it: I don't fancy explaining to my wife why I have to rip her phone apart to find the JTAG contacts. I'll upload the boot.img later though.
That's odd about the reset after a few minutes thing: hardware watchdog timer of some sort?
adq said:
> Yeah, my thoughts exactly, I'd rather not flash the SPL if I can help it: I don't fancy explaining to my wife why I have to rip her phone apart to find the JTAG contacts. I'll upload the boot.img later though.
> That's odd about the reset after a few minutes thing: hardware watchdog timer of some sort?
Well, really it's a little bit more than a minute or so.
I suppose it's not a hardware watchdog, I don't have access to console debug messages.
Really the reset is a good sign, if you try booting dream or sapphire 32b kernel on 32A boards, it hangs forever.
If you extract piggy.gz from the kernel and hexedit it, you can find the hero kernel initializes the hardware using the sapphire fixup.
It could only be that htc reused the same source and fixed hardware details and forgot to change the fixup routine name or that they are preparing to build a kernel able to boot on both hero and magic 32A boards.
32A and hero use the same new base address for kernel and ramdisk loading 0x19200000.
our boards have more memory than dream and 32b boards.
I suspect htc is using a stacked ram configuration and they changed the init code for the number of banks in memory.
In 32A they changed ram location for fb, ram console and maybe gpu1. It was a real mess to guess every change, so I stopped recompiling and rebooting the kernel after a dozen times ;-) Waiting for htc to release the patched source code ;-)
The radio rom on hero seems to be newer than 32a's latest available but I don't want to try a flash, you know what I mean ;-)
The available hero SPL should work on sapphire (and on blackstone and topaz too) and maybe the newer radio rom requires it, but... I prefer not to brick my Magic.
Have a nice rom rooting time. You could want to give superuser.apk a try.
People on this forum are asking for rooting status on hero, I suppose you'll be able to announce your success to them in a short time.
Wow! That was Fast! Lol..... even though there is still some work to do.
I feel honoured to have been one of the first to read this. I still don't have a hero yet =[ gotta wait till august when I get my ema, might start scrounging and saving what I can get so I can get it sooner
Well done to you sir, what a fine job you've done, gz =]
I'm waiting for my Hero as well and I'm completely new to android.
But like you I develop for and work with embedded Linux systems so tearing ROMs apart was pretty much on top of my list when my device should arrive.
I don't know what the 'recovery' image does on Android systems, but I read it like this: you can temporarily boot a rom (or at least a kernel and it will get the rest of the system from the rom area) through the fastboot method.
So yes, then you have temporarily booted into a rooted ROM. But how to make it permanent? Because if you modify the ROM and flash it back it will probably not work because it detects it's modified, right?
Trying to make a "dirty recovery image" to dump full roms using Nandroid Backup
Hello Dalroid,
I read your post and was able to do the following:
1. Using split_bootimg, extract the ramdisk files from the Stock HTC HERO Rom found in the XDA forums.
2. I downloaded the cm-recovery 1.4 image from Sapphire and used split_bootimg on it as well.
3. I copied the extracted kernel from the HTC Hero ROM and replaced the one from the cm-recovery of sapphire.
4. I renamed init.sapphire.rc to init.hero.rc in the extracted recovery image folder.
5. This is where I have trouble. I am using the repack-bootimg.pl, but I am unable to repackage the image.
I did note that you stated that some base parameters needed to be changed in the script for this to work. Could you please shed some light on what I need completed in order to repackage. Thank you in advance.
EDIT: I found one problem so far, I do not have mkbootimg or mkbootfs on my computer. How do I get these on my computer?
JWallstreet said:
> Hello Dalroid,
> I read your post and was able to do the following:
> 1. Using split_bootimg, extract the ramdisk files from the Stock HTC HERO Rom found in the XDA forums.
> 2. I downloaded the cm-recovery 1.4 image from Sapphire and used split_bootimg on it as well.
> 3. I copied the extracted kernel from the HTC Hero ROM and replaced the one from the cm-recovery of sapphire.
> 4. I renamed init.sapphire.rc to init.hero.rc in the extracted recovery image folder.
> 5. This is where I have trouble. I am using the repack-bootimg.pl, but I am unable to repackage the image.
> I did note that you stated that some base parameters needed to be changed in the script for this to work. Could you please shed some light on what I need completed in order to repackage. Thank you in advance.
> EDIT: I found one problem so far, I do not have mkbootimg or mkbootfs on my computer. How do I get these on my computer?
I built my mkbootimg from android source code (android.git.kernel.org), but if you prefer you can find a prebuilt binary from http://rapidshare.com/files/249629878/PortTools.rar. I'm not the author, nor have I tested it, just searched for mkbootimg in forums and pasted the link for you.
If you use the standard mkbootimg, just add --base 0x19200000 to the mkbootimg line, otherwise the boot.img will be generated with standard load address which won't work for hero (or for my 32A Magic).
This is pretty exciting stuff
I really want to remove the SIM lock from the Hero - is this something you can do now you've got su access?
Is it going to be possible to have a 'how to' guide for the Hero to tell us what to do to get the phone unlocked?
I want to see someone install the Magic image on the Hero - it should fly with the extra RAM
Just out of curiosity, what would happen if I booted the original cm-recovery-1.4.img on the Hero?
My phone will hopefully arrive tomorrow, and the first thing I'd like to do is create a backup with the nandroid script.
wossName said:
> Just out of curiosity, what would happen if I booted the original cm-recovery-1.4.img on the Hero?
> My phone will hopefully arrive tomorrow, and the first thing I'd like to do is create a backup with the nandroid script.
It won't boot. You can instead use the modified (only trackball press event and kernel) cyanogen's recovery here: http://forum.xda-developers.com/showthread.php?t=541807&page=2
enlightener said:
> It won't boot. You can instead use the modified cyanogen's recovery here: http://forum.xda-developers.com/showthread.php?t=541807&page=2
I'm new to all this, so I'd be grateful for some more information: is the Dream and Hero hardware too different to boot the same image? Or would it be possible to create multi-platform images?
I already downloaded the modified image from that thread and have extracted the same kernel, so I should be all set.
I'm trying to figure out how to unpack and repack the evo's boot image. I found the "HOWTO: Unpack, Edit, and Repack Boot Images" thread in another forum using the search function but when I tried to use the scripts to unpack the boot.img file I received an error as follows:
Found a secondary file after the ramdisk image. According to the spec (mkbootimg.h) this file can exist, but this script is not designed to deal with this scenario.
The HOWTO thread I found mentioned that this was likely a second stage loader but indicated that it has not been seen on any system to date. This second stage loader had apparently only been defined in the mkbootimg.h file but not implemented as of the time this how to was written.
Can anyone provide a link to instructions on how to extract and repack the boot.img for the EVO? I'd like to make a few changes to the default.prop in the ramdisk of the default boot.img file and instructions would be greatly appreciated.
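Added example, not from this thread or from any of the tools it mentions: a Python reader for the version-0 boot.img header that accepts the "second stage" section the unpack script rejected, recovers the --base value discussed earlier from the load addresses, and shows that the header's id field is only an unkeyed SHA-1, consistent with the earlier answer that a standard boot.img carries no signature. The 0x8000 / 0x01000000 / 0x00F00000 / 0x100 offsets are the classic AOSP mkbootimg defaults and are assumed here; function names and sample payloads are constructed.

```python
import hashlib
import struct

# boot_img_hdr version 0: magic, 10 unsigned ints, name[16], cmdline[512], id[32]
HDR = struct.Struct("<8s10I16s512s32s")

def _image_id(kernel, ramdisk, second):
    """Unkeyed SHA-1 over each section and its size, as AOSP mkbootimg computes it."""
    sha = hashlib.sha1()
    for blob in (kernel, ramdisk, second):
        sha.update(blob)
        sha.update(struct.pack("<I", len(blob)))
    return sha.digest()

def build_boot_img(kernel, ramdisk, second=b"", base=0x19200000, page=2048, cmdline=b""):
    """Lay out a v0 image using mkbootimg's classic offsets from --base."""
    hdr = HDR.pack(b"ANDROID!",
                   len(kernel), base + 0x00008000,
                   len(ramdisk), base + 0x01000000,
                   len(second), base + 0x00F00000,
                   base + 0x00000100, page, 0, 0,
                   b"", cmdline, _image_id(kernel, ramdisk, second))
    pad = lambda blob: blob + b"\0" * (-len(blob) % page)
    return pad(hdr) + pad(kernel) + pad(ramdisk) + pad(second)

def parse_boot_img(img):
    """Return load addresses, section offsets/sizes and the id check for a v0 image."""
    if len(img) < HDR.size or img[:8] != b"ANDROID!":
        raise ValueError("no ANDROID! magic: not an Android boot image")
    (_, k_size, k_addr, r_size, r_addr, s_size, s_addr, tags_addr,
     page, _, _, _, cmdline, img_id) = HDR.unpack_from(img)
    if page == 0 or page & (page - 1):
        raise ValueError("page size %d is not a power of two" % page)
    offset, layout, blobs = page, {}, []          # header fills the first page
    for label, size in (("kernel", k_size), ("ramdisk", r_size), ("second", s_size)):
        if offset + size > len(img):
            raise ValueError("%s section runs past the end of the image" % label)
        layout[label] = (offset, size)
        blobs.append(img[offset:offset + size])
        offset += -(-size // page) * page         # next section starts on a page boundary
    return {
        "base": k_addr - 0x8000,                  # assumes mkbootimg's 0x8000 kernel offset
        "kernel_addr": k_addr, "ramdisk_addr": r_addr,
        "second_addr": s_addr, "tags_addr": tags_addr,
        "page_size": page, "layout": layout,
        "cmdline": cmdline.rstrip(b"\0").decode("ascii", "replace"),
        "id_matches": img_id[:20] == _image_id(*blobs),
    }

# Constructed sample: dummy payloads, with the base address and cmdline quoted in the thread.
SAMPLE = build_boot_img(b"K" * 3000, b"R" * 100, second=b"S" * 10,
                        cmdline=b"no_console_suspend=1 console=null")

if __name__ == "__main__":
    info = parse_boot_img(SAMPLE)
    print(hex(info["base"]), info["layout"], info["id_matches"])
```

A changed ramdisk makes `id_matches` false until the image is rebuilt, at which point anyone can recompute the digest; the id detects accidental corruption, not tampering.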
I use dsixda's kitchen
http://forum.xda-developers.com/showthread.php?t=633246
that allowed me to unpack it. I remember the error you speak of but I forget what script I was using
elegantai said:
> I use dsixda's kitchen
> http://forum.xda-developers.com/showthread.php?t=633246
> that allowed me to unpack it. I remember the error you speak of but I forget what script I was using
This worked for me perfectly.
Thanks very much for the pointer!
Hi,
I have a branded Desire which has been first unbranded (goldcard), OTA updated to latest Htc froyo update, and then Unrevoked 3.21+S-off 1.5 by alpharev.
Now, I want to make my own kernel from htc sources.
I know linux (using Gentoo for years), but process to flash a new kernel on an android device is not clear for me.
Is this link ok for Desire?
http://htcevohacks.com/htc-evo-hacks/how-to-build-your-own-htc-evo-4g-android-kernel/
Regards.
Sent from my HTC Desire using XDA App
I followed Cyanogen wiki for building the HTC Kernel as I found the toolchain from Codesourcery threw errors when trying to compile.
Obviously with the CyanogenMod guide, I don't clone the kernel from their git, instead I untar the HTC source.
I would be interested in hearing your findings, if you do try and compile with that toolchain.
As for flashing the Kernel, I just use koush's AnyKernel - drop the zImage into the kernel folder and then compress and sign, to make a flashable zip.
Mekrel said:
> I followed Cyanogen wiki for building the HTC Kernel as I found the toolchain from Codesourcery threw errors when trying to compile.
> Obviously with the CyanogenMod guide, I don't clone the kernel from their git, instead I untar the HTC source.
> I would be interested in hearing your findings, if you do try and compile with that toolchain.
> As for flashing the Kernel, I just use koush's AnyKernel - drop the zImage into the kernel folder and then compress and sign, to make a flashable zip.
Yeah, basically this. It's pretty straightforward, it can just be a bit finicky sometimes.
Hi,
Thanks for answers.
Mekrel:
For the Sourcery compiler, I have same results as yours: errors and does not compile.
I believe HTC are working with the "google" toolchain, so their sources are not verified to work with another compiler.
Using the Cyanogen compile way ( with "google" toolchain), it does compile fine.
I'm happy to see this option in the kernel (Change Cpu Policy While Screen is ON/OFF), but I wonder why it is not activated by default... :
http://img833.imageshack.us/img833/3668/desiredefault.jpg
With changes made:
http://img145.imageshack.us/img145/3707/desiremodified.jpg
It would certainly be better than using SetCpu for me ( I'm using it just to force cpu at 245MHz when screen is off), and not need to hack HTC performance lock feature since I don't want to underclock or overclock my Cpu.
Now I just have to test it...but I do have few questions before doing that:
I can use koush's AnyKernel tool to flash my new zImage, but in case all goes wrong? How to revert back?
-->Can I save my actual boot.img in sdcard, and in case flash process goes wrong revert back to my actual boot.img?
Please help if possible with detailed process (or a web link but I have not been able to find a detailed process for Desire).
Regards.
Edit: Seems for me that Koush's tool will not reuse my ramdisk, but another one?
-->I just want to be able to modify my kernel, so I prefer to reuse ramdisk which is actually in my boot.img if possible.
-->I have tried this way: http://android-dls.com/wiki/index.php?title=HOWTO:_Unpack%2C_Edit%2C_and_Re-Pack_Boot_Images, but script provided on this link gave me error because my boot.img has a "Second Stage".
Judge584 said:
> Hi,
> Thanks for answers.
> Mekrel:
> For the Sourcery compiler, I have same results as yours: errors and does not compile.
> I believe HTC are working with the "google" toolchain, so their sources are not verified to work with another compiler.
> Using the Cyanogen compile way ( with "google" toolchain), it does compile fine.
> I'm happy to see this option in the kernel (Change Cpu Policy While Screen is ON/OFF), but I wonder why it is not activated by default... :
> http://img833.imageshack.us/img833/3668/desiredefault.jpg
> With changes made:
> http://img145.imageshack.us/img145/3707/desiremodified.jpg
> It would certainly be better than using SetCpu for me ( I'm using it just to force cpu at 245MHz when screen is off), and not need to hack HTC performance lock feature since I don't want to underclock or overclock my Cpu.
> Now I just have to test it...but I do have few questions before doing that:
> I can use koush's AnyKernel tool to flash my new zImage, but in case all goes wrong? How to revert back?
> -->Can I save my actual boot.img in sdcard, and in case flash process goes wrong revert back to my actual boot.img?
> Please help if possible with detailed process (or a web link but I have not been able to find a detailed process for Desire).
> Regards.
> Edit: Seems for me that Koush's tool will not reuse my ramdisk, but another one?
> -->I just want to be able to modify my kernel, so I prefer to reuse ramdisk which is actually in my boot.img if possible.
> -->I have tried this way: http://android-dls.com/wiki/index.php?title=HOWTO:_Unpack%2C_Edit%2C_and_Re-Pack_Boot_Images, but script provided on this link gave me error because my boot.img has a "Second Stage".
You can backup via:
Code:
cat /dev/mtd/mtd2 > /sdcard/mtd2.img
Then you can use fastboot to flash boot:
Code:
fastboot flash boot mtd2.img
The guide you linked to doesn't recommend trying to split the boot.img from your phone (in this example, mtd2.img) due to possible corruption issues, which is why I went for Koush's AnyKernel.
So what you're saying is you can't get the ramdisk from your boot.img via:
Code:
mkdir ramdisk
cd ramdisk
gzip -dc ../boot.img-ramdisk.gz | cpio -i
as this is the part that throws the error?
No, the errors came from the perl scripts posted on the link http://android-dls.com/wiki/index.php?title=HOWTO:_Unpack,_Edit,_and_Re-Pack_Boot_Images
So to resume:
Code:
cat /dev/mtd/mtd2 > /sdcard/mtd2.img
will backup my boot.img but it may be corrupted
Code:
fastboot flash boot mtd2.img
will restore it but if it's corrupted then it's useless.
Why can it be corrupted?
Why not possible to flash this way, without the hassle of dealing with boot.img?:
Code:
fastboot flash zimage zImage
Edit:
OK, I have done some search: please confirm this procedure to be safe to flash a modified kernel:
1°)Make an Nandroid Backup
2°)Since my Desire is rooted and S-OFFed it does not need signed files anymore, so for me I just have to put my new wifi kernel module (bcm4329.ko) to /system/lib/modules/bcm4329.ko (via adb push)
3°)And then flash the new kernel zImage in fastboot using this command:
Code:
fastboot flash zimage zImage
4°)Once done: I will have to power off my Desire.
5°)Then, Power it on again in bootloader mode, wait for 3 seconds and then go to fastboot: the zImage should now start flashing automatically.
6°)Once done: reboot to test my new kernel.
7°)In case something goes wrong, all I will have to do is to restore boot via my Nandroid backup and all will be fine.
If someone can confirm this procedure to be right and safe, thank you.
Best Regards.
Ok, my new kernel is ready.
Can someone confirm that steps 1 to 7 in the previous post are correct?
Sent from my HTC Desire using XDA App
The 7 steps you posted look about right - I'm not entirely sure about #3, I don't have much experience in fastboot flashing. You might be better off using AnyKernel and flashing that in recovery.
It works good!
Thanks a lot.
Sent from my HTC Desire using XDA App
Hi there! I'm trying to build CM-12 for GT-I8160 based on TeamCanjica's CM-11. Actually, it has been compiled successfully with some hacks (I skipped imgdiff). But it bricked my phone after I flashed it via CWM. :crying:
I've unbricked my phone by flashing my backup of stock boot partition (mmcblk0p15) to "Kernel" partition via Heimdall. Then, my phone showed CM boot animation for a long time. (bootloop I think, maybe because of stock boot partition isn't compatible with it). And I use stock firmware for now.
I found that the type of the stock boot partition (mmcblk0p15) differs from the boot.img I've built.
Code:
$ file mmcblk0p15-boot (my backup of stock boot partition)
mmcblk0p15-boot: Linux kernel ARM boot executable zImage (little-endian)
$ file boot.img (boot.img I've extracted from cm-12-20141217-UNOFFICIAL-codina.zip)
boot.img: Android bootimg, kernel (0x40008000), ramdisk (0x41000000), page size: 4096
So, what are "Linux kernel ARM boot executable zImage" and "Android bootimg"? Where is the root partition (ramdisk) stored?
Is it okay to skip imgdiff? I think imgdiff is just for creation of OTA package. Am I correct?
I also found boot.img in out/target/product/codina (not in the zip file) which type is Linux kernel ARM boot executable zImage.
Is it the correct boot.img? I found that the content of that file is same with kernel file I found in the same folder. I'm afraid that the ramdisk is not included in it.
Sorry for my English n thank you very much.
Oh. Everyone wants to have cm12, but still 0 replies here.
I'm sorry, I can't help with this either...
S.AMU said:
> Oh. Everyone wants to have cm12, but still 0 replies here.
> I'm sorry, I can't help with this either...
Hi! It's okay, I've flashed out/target/product/codina/boot.img + gapps. It booted to CM-12, froze at the welcome screen n refused to boot again after I force-rebooted it :crying:. Unfortunately, ADB & recovery didn't work, so I didn't know much why it froze. Maybe I have to figure out how to compile a nice kernel with working ADB & recovery. Hahaha...
Hi,
I've downloaded the latest Android 10 image for the S20, which works great on my phone.
I've then extracted the boot.img from the AP tar, and used unpackbootimg & mkbootimg to pack it right back (without changing anything).
I've made sure all the parts were packed (including the ramdisk), but after flashing the device always boots to Download Mode with:
dt table header check fail: FDT_ERR_BADMAGIC
DTB LOAD FAIL
I've seen the same error in:
https://forum.xda-developers.com/t/question-building-a-custom-kernel-for-g980f-exynos.4122853/
Where he claims to have solved it by supplying the ramdisk parameter, but I already did.
Any idea how to solve this?
Thanks!