Dear all,
When looking at the recent HTC Hero update firmware released from HTC I was curious as to why they had included adb.exe and fastboot.exe in the upgrade program, so I started looking into this. Basically I made replacement tools for adb.exe and fastboot.exe that simulated the behavior of a phone to be on the safe side.
From this session I learned two things. First of all we can upgrade the rom.zip via both OSX, Linux and Windoze. Secondly there is a special boot mode called oem-78 which enabled RUU bootloader mode.
Another note is that my bootloader was delivered with factory hboot version 1.76.0007, but even with this bootloader while in RUU mode the bootloader does not seem to check signature when trying to boot cm-hero-recovery.img. It crashes on boot though, but this seems to be another way in for booting unsigned images...
Another interesting note is that my device was factory programmed with firmware 2.73.751.4, while the upgrade released yesterday is 2.73.405.5.
This is the resulting log from what the ARUWizard is actually doing.
I did not investigate further after fastboot flash zip rom.zip, so there might be more needed to do after this, so proceed with caution if you want to try this.
Code:
# Get list of attached devices
$ adb devices
# Check battery power for detected device.
$ adb -s <SN> shell cat /sys/class/power_supply/battery/capacity
# Get current firmware version.
$ adb -s <SN> shell getprop ro.build.description
# Reboot into bootloader with RUU mode enabled.
$ adb -s <SN> shell reboot oem-78
# Check if device is disconnected from usermode
$ adb devices
# If not present any more, check via fastboot
$ fastboot devices
# If detected, check if in RUU mode
$ fastboot -s <SN> getvar boot-mode
# If mode returns RUU, start the upgrade by erasing cache
$ fastboot -s <SN> erase cache
# Upload rom.zip file and flash
$ fastboot -s <SN> flash zip rom.zip
Best regards,
Exion
Diator said:
I am in Taiwan, i bought the Hero 1 week ago and the default firmware is 2.73.751.4
Same here. I bought mine a few days ago in Taiwan. This is the new version where they ship 1 extra microSD that is 8GB class 6 (as well as the old 2GB card). The handset itself is standard HTC Hero white, but the firmware is Chunghwa telecom branded.
I have attached my build.prop file which should give most info regarding this firmware for those interested.
Best regards,
Exion
Hi!
As with Galaxy S2, I have ported the u-boot bootloader to the Galaxy Nexus. It can be chainloaded from samsung bootloader (loaded instead of linux kernel) safely.
It could be useful to have multiple ROMs on one device or test other OS like Ubuntu or Genode.
Detailed installation guide is available at Ksys Labs LLC wiki http://ksyslabs.org/doku.php?id=gnex_uboot . I'll just copy-paste it here
Happy hacking and don't forget to visit our wiki at http://ksyslabs.org !
===== Rationale ======
There were a couple reasons to port u-boot to Galaxy Nexus
* Security: we cannot trust the proprietary samsung bootloader
* Implementing dual-boot for original and custom firmware
* Booting Genode operating system
===== Demo =====
===== Compilation from source =====
Source code is in https://github.com/Ksys-labs/uboot-tuna
There exist two branches of interest
* master - contains the official stable releases. may be force-pushed and rebased, beware
* tuna-fosdem-hacks contains the u-boot that was used for FOSDEM 2013 to demo booting Genode
To compile, you need to have the ARM cross-compiler. I recommend codesourcery 2010q1-188 because that's what I'm using and some users reported that newer compilers produce broken binaries.
There are two ways to use the u-boot. One is flashing it instead of the Samsung SBL bootloader. The other one is chainloading it from the SBL.
Flashing instead of SBL has the following advantages
* Faster boot time than chainloading
* Ability to use the standard partitioning layout
There are a number of issues and therefore we do not recommend flashing it instead of SBL
* No Fastboot support (preliminary USB RNDIS and DHCP BOOTP support is available), you'll have to use OMAPFlash to restore the device if you flash a non-working kernel
* No display initialization. You'll have to disable the "Check for Bootloader initialization" option in kernel config
By default, the chainloaded version is compiled. It is loaded (by the SBL) to the address **0x81808000**.
If you want to build the SBL replacement version, edit the **include/configs/omap4_tuna.h** file and uncomment the **#define TUNA_SPL_BUILD** line. X-loader loads the bootloader to the address **0xa0208000**.
Code:
export PATH=/home/alexander/handhelds/armv6/codesourcery/bin:$PATH
export ARCH=arm
export CROSS_COMPILE=arm-none-eabi-
U_BOARD=omap4_tuna
make clean
make distclean
make ${U_BOARD}_config
make -j8 ${U_BOARD}
mkbootimg --kernel u-boot.bin --ramdisk /dev/null -o u-boot.aimg
===== Installation =====
==== Chainloaded Mode ====
You'll need the root access to your device.
You can take the prebuilt u-boot here. http://ksyslabs.org/lib/exe/fetch.php?media=gnex-uboot-chainloaded.img
The u-boot has the support for android boot images. When flashed instead of the SBL, it boots the kernel off the "Boot" partition. When chainloaded, it looks for the kernel in **/system/boot/vmlinux.uimg** . Additionally, it first looks for the **/system/boot/boot.scr.uimg** so you can put custom commands there and override the kernel image.
It also supports booting custom images from **/sdcard/boot/vmlinux.uimg** and **/sdcard/boot/boot.scr.uimg**
If you need larger images, I suggest that you use the **tuna-fosdem-hacks** branch, format the cache partition to ext2 and put the files to **/cache/media/boot/**
push the files to your device via adb
Code:
adb push gnex-uboot-chainloaded.img /sdcard/
adb shell
now, in the device shell, do the following
Code:
su
cat /dev/block/platform/omap/omap_hsmmc.0/by-name/boot > /sdcard/vmlinux.uimg
mount -o remount,rw /system
mkdir /system/boot
cp /sdcard/vmlinux.uimg /system/boot/
cat /sdcard/gnex-uboot-chainloaded.img > /dev/block/platform/omap/omap_hsmmc.0/by-name/boot
sync
reboot
Instead of installing gnex-uboot-chainloaded.img via dd, you can use fastboot
Code:
fastboot flash:raw boot u-boot.img
===== Replacing samsung bootloader =====
OMAP4 devices cannot be bricked completely because the CPU has a firmware loader in the OTP (one-time programmable) memory. When the device is powered, it tries booting from USB.
Make sure to have an old version of x-loader (PRIMEKK14) because newer ones have the security hole which allowed booting unsigned bootloaders fixed. The installation procedure is roughly the same, but use **sbl** partition. And also install xloader from http://ksyslabs.org/lib/exe/fetch.php?media=gnex-xloader-working.img
Code:
adb push gnex-xloader-working.img /sdcard/
Code:
cat /sdcard/gnex-xloader-working.img > /dev/block/platform/omap/omap_hsmmc.0/by-name/xloader
There exists a Samsung recovery tool which can unbrick the devices with corrupted xloader/SBL. You will need a computer running Windows XP.
Search the internet for the archive named "OMAPFlash_tuna.zip" which has md5 "ddbf07a1d36b044c40af5788a83b5395". We cannot upload it here because of the unclear license status.
===== Making images =====
You can either use Android's mkbootimg to produce ANDROID! type images (not recommended) or u-boot's mkimage (in the u-boot tools directory) to make boot images. Using ANDROID! format is discouraged because the loader code in the u-boot is buggy and may fail in some corner cases such as large images.
==== making a custom boot image ====
Code:
mkimage -A arm -O linux -T kernel -C none -a 0x80008000 -e 0x80008000 -n linux -d zImage vmlinux.uimg
#alternatively, just do that when compiling linux
#do not forget to add mkimage to your PATH variable
make uImage
==== making a custom boot script ====
Code:
mkimage -A arm -O linux -T script -C none -a 0x84000000 -e 0x84000000 -n android -d boot.scr boot.scr.uimg
===== Booting Modes =====
The bootloader supports several boot modes. Each boot mode is indicated by the color of the LED and activated by a combination of hardware buttons. It also supports the Android "reboot to recovery" and "reboot to bootloader" features
* Normal Boot -> no keys are pressed, cyan LED
* Recovery Boot -> Volume Up key pressed, green LED
* Custom Boot -> Volume Down key pressed, blue LED
* USB RNDIS mode -> both Volume keys pressed, purple LED
===== Pitfalls =====
* No Fastboot or DFU (RNDIS BOOTP is untested) -> not a big deal if you're chainloading, right?
* Serial number is always 0123456789abcdef or sth like that. Anyone to fix that?
* UART support is quirky. The device will likely hang if booted with the UART cable. Workaround: boot without the UART cable and plug right after the purple LED flashes.
===== A sample boot script for android =====
Make a boot.scr.uimg from it and push it to the correct location.
Code:
setenv bootargs "mem=1G vmalloc=768M omap_wdt.timer_margin=30 mms_ts.panel_id=18
no_console_suspend console=ttyFIQ0";
setenv loaddaddr 0x82000000;
setenv devtype mmc;
setenv devnum 0;
setenv kernel_part 0xc;
setenv kernel_name /media/boot/vmlinux.uimg;
echo Load Address: ${loaddaddr};
echo cmdline:${bootargs};
if ext4load ${devtype} ${devnum}:${kernel_part} ${loaddaddr} ${kernel_name}; then
bootm ${loaddaddr};
exit 0;
elif ext2load ${devtype} ${devnum}:${kernel_part} ${loaddaddr} ${kernel_name}; then
bootm ${loaddaddr};
exit 0;
else
echo failed to boot custom image;
fi
Nice!
Before there actually wasn't any dual boot stuff for Nexus but now there is really much....
I will laugh if someone ports still another dual boot loader to Nexus, E.g BootiQi dual boot loader or what it is..., (for Jét it is JétQi) but I don't remember the original dual boot files names...
Any toro support?
Sent from my Galaxy Nexus using xda app-developers app
saber.srod said:
Any toro support?
Sent from my Galaxy Nexus using xda app-developers app
You may try it out. It is flashed instead of kernel, not overwriting the bootloader, so should be safe. As we don't have any Toro devices, we're not particularly interested in providing support for them unless someone steps up with a patch
Also, make sure to have an old version of x-loader (PRIMEKK14) because newer ones have the security hole which allowed booting unsigned bootloaders fixed.
do you have PRIMEKK14 file?
cause I couldn't find it on this thread:
http://forum.xda-developers.com/showthread.php?t=1587498
or this one is PRIMEKK14?
http://ksyslabs.org/lib/exe/fetch.php?media=gnex-xloader-working.img
any enlightenment please?
savantist said:
do you have PRIMEKK14 file?
cause I couldn't find it on this thread:
http://forum.xda-developers.com/showthread.php?t=1587498
or this one is PRIMEKK14?
http://ksyslabs.org/lib/exe/fetch.php?media=gnex-xloader-working.img
any enlightenment please?
The latter one is the one I'm using on my phone so it should work.
sp3dev said:
The latter one is the one I'm using on my phone so it should work.
I wanna use the chainloaded method, so first thing I should do is fastboot-ing that .img just like another bootloader file? then chainload the u-boot file?
but it looks like I'm replacing samsung SBL (replacing SBL method) if I do that, doesn't it?
savantist said:
I wanna use the chainloaded method, so first thing I should do is fastboot-ing that .img just like another bootloader file? then chainload the u-boot file?
but it looks like I'm replacing samsung SBL (replacing SBL method) if I do that, doesn't it?
Yes, you can actually fastboot it via
"fastboot flash:raw boot u-boot.img"
and no, you don't need to mess with xloader for chainloading
sp3dev said:
Yes, you can actually fastboot it via
"fastboot flash:raw boot u-boot.img"
and no, you don't need to mess with xloader for chainloading
so it's ok to do chainloading in PRIMELC03 bootloader? If yes, I'm success...
finally "The Great Sp3dev"
nice work like always,
playing with it now,let's see where it goes
Sent from my Galaxy Nexus using xda premium
sp3dev said:
The latter one is the one I'm using on my phone so it should work.
ah, I bricked my phone with your gnex-xloader-working using following script... It is only 128K. Is that right?
Code:
cat /sdcard/gnex-xloader-working.img > /dev/block/platform/omap/omap_hsmmc.0/by-name/xloader
Is PRIMEKK14 bootloader the only one to work since we only have http://forum.xda-developers.com/showthread.php?t=1587498 this thread for bootloader and there's no flashable version of PRIMEKK14?
I use OMAPFlash to save it having PRIMEKK15 bootloader and I do not have the courage to do it again...
dlhxr said:
ah, I bricked my phone with your gnex-xloader-working using following script... It is only 128K. Is that right?
Code:
cat /sdcard/gnex-xloader-working.img > /dev/block/platform/omap/omap_hsmmc.0/by-name/xloader
Is PRIMEKK14 bootloader the only one to work since we only have http://forum.xda-developers.com/showthread.php?t=1587498 this thread for bootloader and there's no flashable version of PRIMEKK14?
I use OMAPFlash to save it having PRIMEKK15 bootloader and I do not have the courage to do it again...
Oh well, I specially edited the post so that chainloaded users don't flash loader. You only need the xloader if you flash u-boot instead of SBL. Otherwise, treat u-boot just as linux kernel.
As for replacing bootloader, I guess PRIMEKK15 should also work, I just didn't notice when the security check was introduced. Yeah, use OMAPFlash to recover anyway. And note that you cannot use my precompiled u-boot to replace SBL. As written in the beginning of the post, you need to change a define in config and recompile because the load address and partition layout are different for chainloading and direct booting cases.
Very nice! Keep the good work up! :good:
sp3dev said:
Oh well, I specially edited the post so that chainloaded users don't flash loader. You only need the xloader if you flash u-boot instead of SBL. Otherwise, treat u-boot just as linux kernel.
As for replacing bootloader, I guess PRIMEKK15 should also work, I just didn't notice when the security check was introduced. Yeah, use OMAPFlash to recover anyway. And note that you cannot use my precompiled u-boot to replace SBL. As written in the beginning of the post, you need to change a define in config and recompile because the load address and partition layout are different for chainloading and direct booting cases.
Some feedback here. I flashed u-boot to boot partition and save the original boot image to /system/boot/vmlinux.uimg.
Without any key pressed it shows
Code:
Wrong Image Format for boot command
Error: can't get kernel image!
Not booting xxxxxxxxx
Fail to boot
The characters on the screen do not show well and some of them can't be recognized....
When I press the volume up, it boot into recovery.
When I press the volume down, it shows
Code:
File not found /media/boot/vmlinux.uimg
Unrecognized filesystem type
Fail to boot
Something is wrong with my procedure?
Another small question. I want to make a zip to flash the U-boot, but always failed. I have to use fastboot command to flash gnex-uboot-chainloaded.img to boot.img.
What is in my updater-script.
Code:
mount("ext4", "EMMC", "/dev/block/platform/omap/omap_hsmmc.0/by-name/system", "/system");
package_extract_file("gnex-uboot-chainloaded.img", "/tmp/gnex-uboot-chainloaded.img");
package_extract_file("META-INF/com/google/android/switch_boot.sh", "/tmp/switch_boot.sh");
set_perm(0, 0, 0777, "/tmp/switch_boot.sh");
run_program("/tmp/switch_boot.sh");
set_perm(0, 0, 0777, "/system/boot/vmlinux.uimg");
unmount("/system");
What is in my switch_boot.sh
Code:
#!/sbin/sh
cat /dev/block/platform/omap/omap_hsmmc.0/by-name/boot > /tmp/vmlinux.uimg
mkdir /system/boot
cp /tmp/vmlinux.uimg /system/boot/
cat /tmp/gnex-uboot-chainloaded.img /dev/block/platform/omap/omap_hsmmc.0/by-name/boot
It seems the last line doesn't work...
Code:
cat /tmp/gnex-uboot-chainloaded.img /dev/block/platform/omap/omap_hsmmc.0/by-name/boot
If I use the following command in updater-script,
Code:
package_extract_file("gnex-uboot-chainloaded.img", "/dev/block/platform/omap/omap_hsmmc.0/by-name/boot");
The device enters bootloader directly showing no boot image after reboot....
dlhxr said:
If I use the following command in updater-script,
Code:
package_extract_file("gnex-uboot-chainloaded.img", "/dev/block/platform/omap/omap_hsmmc.0/by-name/boot");
The device enters bootloader directly showing no boot image after reboot....
That's because SBL expects the boot partition to contain the image in ANDROID! format. It creates the image itself when you flash via fastboot with the ":raw" suffix.
Try that
Code:
mkbootimg --kernel gnex-uboot-chainloaded.img --ramdisk /dev/null -o u-boot.aimg
Not sure why the original boot image didn't work for you. Are you copying the boot.img to vmlinux.uimg or the raw zImage? you should do the former, the u-boot expects either the "ANDROID!" image or the one made with mkimage.
If anything, you could try repacking the boot image yourself or try mine to see if it boots (it's for jb 4.1.1 though)
http://rghost.ru/44686398
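Added example (not from the thread or the u-boot-tuna project): a host-side Python check that tells apart the formats discussed above, an ANDROID! boot image, a mkimage (legacy uImage) file and a raw zImage, and verifies the uImage header and data CRCs before anything is written to a partition. The sample images are constructed in the script; `make_uimage` and `inspect_image` are names chosen here.

```python
import struct
import zlib

UIMAGE_MAGIC = 0x27051956                 # legacy u-boot (mkimage) header magic
UIMAGE_HDR = struct.Struct(">7I4B32s")    # 64 bytes, all fields big-endian
ANDROID_MAGIC = b"ANDROID!"
ANDROID_HDR = struct.Struct("<8s8I")      # magic, sizes/addresses, page size
ZIMAGE_MAGIC = b"\x18\x28\x6f\x01"        # ARM zImage marker at offset 0x24
UIMAGE_TYPES = {2: "kernel", 3: "ramdisk", 6: "script"}


def make_uimage(payload, load, entry, img_type=2, name=b"linux"):
    """Build a constructed legacy uImage (arm, linux, uncompressed) for testing."""
    fields = [UIMAGE_MAGIC, 0, 0, len(payload), load, entry,
              zlib.crc32(payload) & 0xFFFFFFFF, 5, 2, img_type, 0, name]
    # The header CRC is computed while the CRC field itself is still zero.
    fields[1] = zlib.crc32(UIMAGE_HDR.pack(*fields)) & 0xFFFFFFFF
    return UIMAGE_HDR.pack(*fields) + payload


def _inspect_uimage(blob):
    if len(blob) < UIMAGE_HDR.size:
        return {"format": "uimage", "ok": False, "error": "truncated header"}
    (_magic, hcrc, _time, size, load, entry, dcrc,
     _os, _arch, img_type, _comp, name) = UIMAGE_HDR.unpack_from(blob)
    info = {"format": "uimage", "ok": False,
            "type": UIMAGE_TYPES.get(img_type, "other(%d)" % img_type),
            "load": load, "entry": entry,
            "name": name.rstrip(b"\0").decode("ascii", "replace")}
    zeroed = blob[:4] + b"\0\0\0\0" + blob[8:UIMAGE_HDR.size]
    data = blob[UIMAGE_HDR.size:UIMAGE_HDR.size + size]
    if zlib.crc32(zeroed) & 0xFFFFFFFF != hcrc:
        info["error"] = "header CRC mismatch"
    elif len(data) < size:
        info["error"] = "payload truncated: header says %d bytes, file has %d" % (
            size, len(data))
    elif zlib.crc32(data) & 0xFFFFFFFF != dcrc:
        info["error"] = "data CRC mismatch"
    else:
        info["ok"] = True
    return info


def _inspect_android(blob):
    if len(blob) < ANDROID_HDR.size:
        return {"format": "android", "ok": False, "error": "truncated header"}
    (_magic, ksize, kaddr, rsize, _raddr,
     _ssize, _saddr, _tags, page) = ANDROID_HDR.unpack_from(blob)
    info = {"format": "android", "ok": False, "kernel_size": ksize,
            "kernel_addr": kaddr, "ramdisk_size": rsize, "page_size": page}
    if page == 0 or page & (page - 1):
        info["error"] = "page size is not a power of two"
    elif ksize == 0:
        info["error"] = "empty kernel"
    elif page + ksize > len(blob):      # the kernel starts one page into the file
        info["error"] = "kernel extends past end of file"
    else:
        info["ok"] = True
    return info


def inspect_image(blob):
    """Classify a boot blob by magic and sanity-check its header."""
    if blob[:8] == ANDROID_MAGIC:
        return _inspect_android(blob)
    if blob[:4] == struct.pack(">I", UIMAGE_MAGIC):
        return _inspect_uimage(blob)
    if blob[0x24:0x28] == ZIMAGE_MAGIC:
        return {"format": "zimage", "ok": False,
                "error": "raw zImage: wrap it with mkimage or mkbootimg first"}
    return {"format": "unknown", "ok": False,
            "error": "no known boot image magic"}


if __name__ == "__main__":
    # Constructed samples, not real firmware.
    kernel = make_uimage(b"\xAA" * 256, 0x80008000, 0x80008000)
    samples = [
        ("good uImage", kernel),
        ("corrupted uImage", kernel[:-1] + b"\x00"),
        ("raw zImage", b"\0" * 0x24 + ZIMAGE_MAGIC + b"\0" * 64),
    ]
    for label, blob in samples:
        print(label, inspect_image(blob))
```

Running it against a partition dump or a downloaded image before flashing shows which of the three formats the file actually is and whether a uImage was truncated or corrupted in transfer.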
chainloading method, in fact it works on PRIMELC03 too...
btw,
if I flash the xloader (replacing bootloader method), then how am I gonna back to original samsung bootloader/PRIMELC03 since there isn't fastboot support in your u-boot bootloader?
using odin? or omapflash? :crying:
thanks.
savantist said:
chainloading method, in fact it works on PRIMELC03 too...
ok, I probably didn't make it clear enough. chainloading works with any bootloader and is safe.
savantist said:
btw,
if I flash the xloader (replacing bootloader method), then how am I gonna back to original samsung bootloader/PRIMELC03 since there isn't fastboot support in your u-boot bootloader?
using odin? or omapflash? :crying:
thanks.
if you can boot android or recovery, then use dd to write it to /dev/block/blah-blah-blah, otherwise - omapflash.
sp3dev said:
ok, I probably didn't make it clear enough. chainloading works with any bootloader and is safe.
if you can boot android or recovery, then use dd to write it to /dev/block/blah-blah-blah, otherwise - omapflash.
you wrote it on wrong part on first page yesterday, makes me little bit confused, but it's corrected now...
but to do "replacing bootloader method", one should flash PRIMEKK14 or PRIMEKK15 bootloader before, right?
wow... omapflash...
savantist said:
you wrote it on wrong part on first page yesterday, makes me little bit confused, but it's corrected now...
but to do "replacing bootloader method", one should flash PRIMEKK14 or PRIMEKK15 bootloader before, right?
wow... omapflash...
well, some bootloaders after PRIMEKK may work, but I have not tested and we had some new phones with the recent firmware versions from stock, and u-boot failed to work there until xloader was downgraded
Hello all
I just bought a second Desire.
After S OFF it and change recovery and Radio.
And after I just put new ROM CM10.1 but error with symlinks....
I restart the Desire and ...
I note that it can't mount sdcard.
I check all i read on this forum and other but nothing work.
Testing 4Ext USB Brick
Testing instruction in fastboot
Test: fastboot oem enableqxdm 0
fastboot oem eraseconfig
For information the Desire write this on main screen :
BRAVO PVT4 SHIP S-OFF
HBOOT-6.93 1002
MICROP-051d
TOUCH PANEL-SYM0101
RADIO-5.17.05.08
I always flash with my PC with Fastboot but after no way to mount.
I can change recovery , hboot but the sdcard did not mount.
I tested the sdcard in my other Desire and it works.
I welcome any ideas to find a solution.
Code:
D:\Android\Roms\Hboot>fastboot.exe oem boot
... INFOsetup_tag addr=0xA0000100 cmdline add=0x8E07F9F0
INFOTAG:Ramdisk OK
INFOTAG:smi ok, size = 0
INFOTAG:hwid 0x0
INFOTAG:skuid 0x26A12
INFOTAG:hero panel = 0x3
INFOTAG:engineerid = 0x0
INFOMCP dual-die
INFOMCP dual-die
INFOTAG:mono-die = 0x0
INFODevice CID is super CID
INFOCID is super CID
INFOBackup CID is HTC__E11
INFOsetting->cid::HTC__E11
INFOserial number: MB137PL07227
INFOcommandline from head: no_console_suspend=1
INFOcommand line length =423
INFOactive commandline: board_bravo.disable_uart3=0 board_bravo.
INFOusb_h2w_sw=0 board_bravo.disable_sdcard=0 diag.enabled=0 boa
INFOrd_bravo.debug_uart=0 smisize=0 userdata_sel=0 androidboot.e
INFOmmc=false androidboot.baseband=5.17.05.08 androidboot.cid=H
INFOTC__E11 androidboot.carrier=HTC-Dutch androidboot.mid=PB9920
INFO000 androidboot.keycaps=qwerty androidboot.mode=normal andro
INFOidboot.serialno=MB137PL07227 androidboot.bootloader=6.93.100
INFO2 no_console_suspend=1
INFOaARM_Partion[0].name=misc
INFOaARM_Partion[1].name=recovery
INFOaARM_Partion[2].name=boot
INFOaARM_Partion[3].name=system
INFOaARM_Partion[4].name=cache
INFOaARM_Partion[5].name=userdata
INFOpartition number=6
INFOValid partition num=6
INFOjump_to_kernel: machine_id(2457), tags_addr(0x20000100), ker
INFOnel_addr(0x20008000)
INFO-------------------hboot boot time:104796 msec
Hello people,
anybody have an idea what can i flash to solve my problem.
I have always full access to Bootloader and Fastboot , and recovery.
But when I boot stuck on HTC screen.
And in all recovery I test the message when I choose "choose zip from sdcard" = "E:can't mount /sdcard/ "
jodiskett said:
Hello people,
anybody have an idea what can i flash to solve my problem.
I have always full access to Bootloader and Fastboot , and recovery.
But when I boot stuck on HTC screen.
And in all recovery I test the message when I choose "choose zip from sdcard" = "E:can't mount /sdcard/ "
I recommend you to download Fastboot Commander and then do this:
wipe all partitions
flash the latest radio and stock hboot
flash CronMod or any other rom
If it still doesn't work I think it has to be a hardware issue...
I'm not an expert, but this way maybe you can try to get it working...
Androidmarketuser said:
I recommend you to download Fastboot Commander and then do this:
wipe all partitions
flash the latest radio and stock hboot
flash CronMod or any other rom
If it still doesn't work I think it has to be a hardware issue...
I'm not an expert, but this way maybe you can try to get it working...
Thanks for your help, but same result.
I check this method
Code:
ROM update without SDcard
If you don't have an sd card, or your slot is broken you can try this trick, but you will need a custom recovery like Clockwork.
Boot up your phone to recovery. And move your rom file to the adb directory, and start a command line ( cmd )
adb shell
mount data
adb push D:\custom_rom.zip /data/
Wait until the push finished, and restart your device to recovery again with "adb reboot-bootloader"
mount data
mount /data /sdcard ( mount the data folder into your sdcard folder, so your recovery will think that you have an sdcard installed )
Locate the ROM .Zip file you wish to flash.
Confirm the flash by following the on-screen instructions (ie: pressing the trackball, pressing the call button, etc.)
If no errors arise during the flashing process then the ROM flash was successful, Reboot the device.
With some root file explorer, remove the rom file if you don't need it anymore, to free up space.
Or use adb to remove the custom recovery
But i have little problem with command : adb push d:\file.rom /data/
I have error can someone give exact sentence ?
Thanks
jodiskett said:
But i have little problem with command : adb push d:\file.rom /data/
I have error can someone give exact sentence ?
Thanks
Can you write what the error message is?
If it is too long to write make a screenshot with Print key and paste it in paint.
Check if you have entered the correct path
I have this:
D:\Android\adb>adb shell
~ # mount data
mount data
~ # adb push d:\roms.zip data
adb push d:\roms.zip data
/sbin/sh: adb: not found
~ # adb push roms.zip data
adb push roms.zip data
/sbin/sh: adb: not found
~ # adb push roms.zip data
i think it is the name of roms.zip what is wrong.
I put roms.zip in root of D: , same folder of adb but nothing is ok
jodiskett said:
I have this:
D:\Android\adb>adb shell
~ # mount data
mount data
~ # adb push d:\roms.zip data
adb push d:\roms.zip data
/sbin/sh: adb: not found
~ # adb push roms.zip data
adb push roms.zip data
/sbin/sh: adb: not found
~ # adb push roms.zip data
i think it is the name of roms.zip what is wrong.
I put roms.zip in root of D: , same folder of adb but nothing is ok
No, you can't execute the "adb push roms.zip /data/" if you are still in the adb shell.
After you have mounted the data partition, press Ctrl+C to close the shell mode and then enter "adb push roms.zip" and make sure you're in the right directory, otherwise enter the full filepath, for example
Code:
adb push "D:\Program Files\roms.zip" /data/
Yes , i did it
Thanks for the ctrl^c
I can flash the rom, I flashed Cron Mod and the phone started.
It is ok but no sdcard read.
Seems to be hardware problems
But i have time to check
Thanks guy
How To Get Permanent Root
This is a workaround until I can compile a Bootable Kernel
First of all say thanks to @Captain_Throwback !!
He was the original creator of the TWRP Recovery for the Desire 626s.
I have taken his TWRP recovery for the 626s, unpacked it and ported in some of the Desire 526 recovery image.
Kinda a cracked up way of doing this but hey ( It Works)
Step #1
Unlock Your Boot-Loader !!! (currently accomplished with a Java Card / HTC Service Tool)
Even with the card you could run into trouble with unlocking the boot-loader.
There is no switch to Enable OEM Unlock available in the Developer Options.
Here is a work-around for that.
Step #1-A
Open up terminal shell on a computer and pull the frp image from the device. (Temp Root Required)
Code:
dd if=/dev/block/bootdevice/by-name/frp of=/sdcard/frp.img
Terminal Output
[email protected]_a13wlpp:/ #dd if=/dev/block/bootdevice/by-name/frp of=/sdcard/frp.img <
1024+0 records in
1024+0 records out
524288 bytes transferred in 0.364 secs (1440351 bytes/sec)
[email protected]_a13wlpp:/ #
Pull the frp.img to the computer.
If you are still in adb shell.
Code:
exit
exit
Then from the normal command line
Code:
adb pull /sdcard/frp.img
Terminal Output
f=/dev/block/bootdevice/by-name/frp of=/sdcard/frp.img <
1024+0 records in
1024+0 records out
524288 bytes transferred in 0.364 secs (1440351 bytes/sec)
[email protected]_a13wlpp:/ # exit
[email protected]_a13wlpp:/ $ exit
[email protected]:~$ adb pull /sdcard/frp.img
2758 KB/s (524288 bytes in 0.185s)
[email protected]:~$
Now open the frp.img file in a hex editor. Like HXD in windows.
Go to the last line of the file.
Change the very last 00 to 01 and save the file.
Reference the screen shots below.
Factory FRP
Patched FRP
Flash the patched frp.img to the device.
Back to the terminal.
Code:
adb push frp.img /sdcard/frp.img
Code:
adb shell
su
dd if=/sdcard/frp.img of=/dev/block/bootdevice/by-name/frp
If you have completed this now your clip can unlock the boot-loader
In case you're wondering this will also work on a boot loader locked device. It will get you as far as being able to get a unlock token from fastboot using Fastboot oem get_identifier_token WITH THE DEVICE IN DOWNLOAD MODE
Unfortunately HTC-DEV still will not give you the UNLOCK TOKEN yet. The pg2fs partition needs an edit then htc dev will generate a good code. Problem is without clip you cannot modify the pg2fs image. Although I am working on it.
STEP #2 ( Get Perm Root !! )
Download the Patched TWRP and SuperSu
The 2 files are attached to the thread. Unzip the TWRP-No-Touch.img.zip Do not unzip the Super.zip.
Copy the super.zip to the device sdcard. Use file explorer or terminal.
Code:
adb push super.zip /sdcard/super.zip
Flash the TWRP Recovery to the device.
reboot to download mode
Code:
adb reboot download
Flash the recovery
Code:
fastboot flash recovery Twrp-526-NO-TOUCH.img
Boot into TWRP Recovery
Code:
fastboot boot recovery
DON'T PANIC !! Yes you're right......The touch screen is not working!!!
I need to compile a custom kernel to get TWRP working Right.
I have compiled the kernel but it isn't booting right yet. That's why I figured out this work around for now.
So Now What ???
No worries....Even though we can't access the TWRP commands from the touch screen LETS NOT FORGET.........
We can use the command line :highfive:
Open up terminal on your computer.
If it's not already open.
Go into the shell.
Code:
adb shell
No need to type su cause in case you didn't notice we are already ROOT. "#"
So to install SuperSu (or any other zip package) we do this.
#1 Mount the system partition.
Code:
mount -o rw -t ext4 /dev/block/mmcblk0p62 /system
#2 Tell TWRP what we want it to do one step at a time
Set device to boot into recovery upon reboot.
Code:
echo 'boot-recovery ' > /cache/recovery/command
Tell TWRP to install SuperSu when it boots.
Code:
echo '--update_package=/sdcard/super.zip' >> /cache/recovery/command
Reboot the recovery to install the SuperSu.
Code:
reboot recovery
Now you will see TWRP boot back up and when it boots up it will install the zip package.
Congratulations you are now one of the first people to have a fully rooted Verizon Desire 526. :laugh::silly:
Lets get busy boys !!!! We need to get this boot loader unlocked for the rest of the community.
It's all about the pg2fs partition. If we can find a way to write to it with s-on and boot loader locked then we can unlock all boot-loaders
Glad to see some positive progress in the right direction....
BigCountry907 ,
Since the Marshmallow update gives us the developer options OEM unlock switch, shouldn't we just update to it first, to get the bootloader unlock?
OEM Update
You won't find the option to turn on OEM in the device.
You can enable it! Here's how:
Go to the Google Play Store.
Search secret codes revealer.
Search codes
Look for 759
Click launch code
Confirm launch
Under oem click on.
Congrats. You've just enabled oem on your desire 526!
Happy hunting.
BigCountry907 said:
How To Get Permanent Root
This is a workaround until I can compile a Bootable Kernel
First of all say thanks to @Captain_Throwback !!
He was the original creator of the TWRP Recovery for the Desire 626s.
I have taken his TWRP recovery for the 626s, unpacked it and ported in some of the Desire 526 recovery image.
Kinda a cracked up way of doing this but hey ( It Works)
Step #1
Unlock Your Boot-Loader !!! (currently accomplished with a Java Card / HTC Service Tool)
Even with the card you could run into trouble with unlocking the boot-loader.
There is no switch to Enable OEM Unlock available in the Developer Options.
Here is a work-around for that.
Step #1-A
Open up terminal shell on a computer and pull the frp image from the device. (Temp Root Required)
Code:
dd if=/dev/block/bootdevice/by-name/frp of=/sdcard/frp.img
Terminal Output
[email protected]_a13wlpp:/ #dd if=/dev/block/bootdevice/by-name/frp of=/sdcard/frp.img <
1024+0 records in
1024+0 records out
524288 bytes transferred in 0.364 secs (1440351 bytes/sec)
[email protected]_a13wlpp:/ #
Pull the frp.img to the computer.
If you are still in adb shell.
Code:
exit
exit
Then from the normal command line
Code:
adb pull /sdcard/frp.img
Terminal Output
f=/dev/block/bootdevice/by-name/frp of=/sdcard/frp.img <
1024+0 records in
1024+0 records out
524288 bytes transferred in 0.364 secs (1440351 bytes/sec)
[email protected]_a13wlpp:/ # exit
[email protected]_a13wlpp:/ $ exit
[email protected]:~$ adb pull /sdcard/frp.img
2758 KB/s (524288 bytes in 0.185s)
[email protected]:~$
Now open the frp.img file in a hex editor. Like HXD in windows.
Go to the last line of the file.
Change the very last 00 to 01 and save the file.
Reference the screen shots below.
Factory FRP
Patched FRP
Flash the patched frp.img to the device.
Back to the terminal.
Code:
adb push frp.img /sdcard/frp.img
Code:
adb shell
su
dd if=/sdcard/frp.img of=/dev/block/bootdevice/by-name/frp
If you have completed this, now your clip can unlock the boot-loader.
In case you're wondering, this will also work on a boot loader locked device. It will get you as far as being able to get an unlock token from fastboot using Fastboot oem get_identifier_token WITH THE DEVICE IN DOWNLOAD MODE
Unfortunately HTC-DEV still will not give you the UNLOCK TOKEN yet. The pg2fs partition needs an edit, then htc dev will generate a good code. Problem is without clip you cannot modify the pg2fs image. Although I am working on it.
STEP #2 ( Get Perm Root !! )
Download the Patched TWRP and SuperSu
The 2 files are attached to the thread. Unzip the TWRP-No-Touch.img.zip Do not unzip the Super.zip.
Copy the super.zip to the device sdcard. Use file explorer or terminal.
Code:
adb push super.zip /sdcard/super.zip
Flash the TWRP Recovery to the device.
reboot to download mode
Code:
adb reboot download
Flash the recovery
Code:
fastboot flash recovery Twrp-526-NO-TOUCH.img
Boot into TWRP Recovery
Code:
fastboot boot recovery
DON'T PANIC !! Yes, you're right......The touch screen is not working!!!
I need to compile a custom kernel to get TWRP working Right.
I have compiled the kernel but it isn't booting right yet. That's why I figured out this work around for now.
So Now What ???
No worries....Even though we can't access the TWRP commands from the touch screen LETS NOT FORGET.........
We can use the command line
Open up terminal on your computer.
If it's not already open.
Go into the shell.
Code:
adb shell
No need to type su cause in case you didn't notice we are already ROOT. "#"
So to install SuperSu (or any other zip package) we do this.
#1 Mount the system partition.
Code:
mount -o rw -t ext4 /dev/block/mmcblk0p62 /system
#2 Tell TWRP what we want it to do one step at a time
Set device to boot into recovery upon reboot.
Code:
echo 'boot-recovery ' > /cache/recovery/command
Tell TWRP to install SuperSu when it boots.
Code:
echo '--update_package=/sdcard/super.zip' >> /cache/recovery/command
Reboot the recovery to install the SuperSu.
Code:
reboot recovery
Now you will see TWRP boot back up and when it boots up it will install the zip package.
Congratulations, you are now one of the first people to have a fully rooted Verizon Desire 526.
Let's get busy boys !!!! We need to get this boot loader unlocked for the rest of the community.
It's all about the pg2fs partition. If we can find a way to write to it with s-on and boot loader locked then we can unlock all boot-loaders
Good to know about the 759 code webag.youtag.
But without buying the clip device we are still stuck.
So hopefully BigCountry907 can find a way to unlock the bootloader and root without the clip.
Sidenote: I tried changing my PRL but couldn't get the changes to stick. I tried DFS and QPST. Am I missing something?
@webag.youtag
I installed the mentioned app and used the code.
It shows in the app that the oem is turned on.
But it isn't setting the last byte of the FRP to 01 so ultimately it will not work.
I tested and still get.
[email protected]:~$ fastboot oem get_identifier_token
...
(bootloader) [KillSwitch] : /dev/block/bootdevice/by-name/frp
(bootloader) [KillSwitch] Last Byte is 0X00, disable unlock
(bootloader) [KillSwitch] oem unlock Turn Off!
OKAY [ 0.082s]
finished. total time: 0.082s
[email protected]:~$
The app lacks permissions to write to the frp partition.
Anyone working on unlocking the boot-loader needs to use the method I posted previously.
And also note: If you reboot the phone then you need to flash the frp partition again.
During re-boot the bit gets set back to 00.
So in a nutshell.
Edit your frp. Make 00 = 01.
Then dd flash the frp.
Then adb reboot download.
Then fastboot oem get_identifier_token.
Problem is there still is a change required in the pg2fs partition / TO Avoid the CID Not Allowed Error
@supermaxkato
Not sure about the prl.
But I have noticed that the security system is tricky.
It will show you in adb shell that you have written the changes to the partition successfully.
But due to the read only protection the partition never really gets written.
Basically instead of giving an error it is writing to a NULL device successfully.
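As an added example (not code from any poster in this thread), a read-only Python check of the state discussed above: it reads the last byte of a pulled frp.img, parses the `[KillSwitch] Last Byte` line from bootloader output, and lists which bytes differ from a baseline image. The function names, the `UNLOCK_ALLOWED` constant and the sample data are assumptions; the sample output is constructed from the lines quoted in the post.

```python
import re

FRP_SIZE = 524288       # bytes; size of the frp dump in the thread's dd output
UNLOCK_ALLOWED = 0x01   # assumption from the thread: 01 = allowed, 00 = disabled

# Constructed sample, modelled on the bootloader lines quoted in the thread.
SAMPLE_FASTBOOT_OUTPUT = """\
...
(bootloader) [KillSwitch] : /dev/block/bootdevice/by-name/frp
(bootloader) [KillSwitch] Last Byte is 0X00, disable unlock
(bootloader) [KillSwitch] oem unlock Turn Off!
OKAY [ 0.082s]
"""

_LAST_BYTE = re.compile(r"\[KillSwitch\]\s+Last Byte is 0[xX]([0-9A-Fa-f]{1,2})")


def flag_from_image(image: bytes) -> int:
    """Return the last byte of an frp image, the byte the bootloader reports."""
    if not image:
        raise ValueError("empty frp image")
    return image[-1]


def flag_from_fastboot(output: str):
    """Extract the 'Last Byte' value from bootloader output, or None if absent."""
    match = _LAST_BYTE.search(output)
    return int(match.group(1), 16) if match else None


def changed_offsets(baseline: bytes, candidate: bytes, limit: int = 16):
    """List (offset, old, new) for differing bytes, capped at `limit` entries."""
    if len(baseline) != len(candidate):
        raise ValueError("images differ in length")
    diffs = []
    for offset, (old, new) in enumerate(zip(baseline, candidate)):
        if old != new:
            diffs.append((offset, old, new))
            if len(diffs) == limit:
                break
    return diffs


def audit(baseline: bytes, candidate: bytes, fastboot_output: str = ""):
    """Compare a candidate frp image with a baseline and with bootloader output."""
    image_flag = flag_from_image(candidate)
    reported = flag_from_fastboot(fastboot_output)
    diffs = changed_offsets(baseline, candidate)
    return {
        "size_ok": len(candidate) == FRP_SIZE,
        "image_flag": image_flag,
        "image_allows_unlock": image_flag == UNLOCK_ALLOWED,
        "bootloader_flag": reported,
        # True only when the single difference is the final byte.
        "only_flag_changed": diffs == [(len(candidate) - 1, baseline[-1], image_flag)],
        "changed": diffs,
        # None when no bootloader line was supplied.
        "bootloader_matches_image": None if reported is None else reported == image_flag,
    }


if __name__ == "__main__":
    # Constructed images: an all-zero baseline and a copy with the last byte set.
    baseline = bytes(FRP_SIZE)
    edited = baseline[:-1] + b"\x01"
    for key, value in audit(baseline, edited, SAMPLE_FASTBOOT_OUTPUT).items():
        print(f"{key}: {value}")
```

A `bootloader_matches_image` of False is what the post describes: the image on disk says 01 while the bootloader still reads 00, either because the byte was reset on reboot or because the write never reached the partition.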
I was looking around and saw a post! (Rare I know)
Have you tried hboot instead of fastboot? Also, I have no computer (sad). I am able to get temp root with "kingroot-4.8.2". I am able to use hex edit to change frp from 00 to 01. Is there a way to get identifier token without a PC? Maybe in configuration files or prop files?
Can you please upload your unlocked boot loader bigcountry907?
Any more progress on this, gentlemen?
When I follow the OP and get to the step:
"fastboot flash recovery Twrp-526-NO-TOUCH.img"
I receive the following error:
FAILED (remote: 9: SD_SECURITY_FAIL recovery and bootloader isn't BL_UNLOCK)
finished. total time: 2.762s
Steps taken:
-frp.img (Pulled from the device, edited & reflashed back with dd command, adb shell reports successful)
-pushed super.zip to device
-rebooted using fastboot to download mode
-attempted to flash TWRP & get the fail with the same error multiple times
Any suggestions or clues? I've attempted this several times, following the OP step by step.
Thanks for the help
@rfunderburk39
You have to unlock the BOOTLOADER first.
Currently I can only unlock it with the xtc-2 clip.
But I'm working on it.
Surprisingly my desire 530 was able to be s-off using TWRP recovery.
If I can somehow capture the commands passed from the xtc-2 clip to the twrp recovery we can replicate it.
Other than that we're looking at cooking a qfil / qpst flashable rom.
Not easy.
Does anyone know how to log all commands sent to TWRP?
BigCountry907, is the desire 530 you were able to root with twrp the verizon version? If so, did you have to unlock the bootloader first? Because I don't see it on htcdev.
@BigCountry907 I misunderstood the OP, I thought the frp.img edit was a work around of the Java Card.
I will look into the logging of the TWRP commands. Let me know if I can help out in other ways.
@rfunderburk39
It gets you one step closer but still at the end it fails.
Verizon implements some major security.
I could really use some help.
I got a lot together. The entire qcom msm8909 source + manuals you name it.
I was amazed today when I unlocked a desire 530 with the xtc-2 clip and it used @Captain_Throwback twrp to s-off the device.
The beauty of this is it proves S-Off is possible through twrp recovery.
It was my belief that the recovery did not have high enough permissions to write to the radio and get s-off.
Apparently if you know the right commands in the TWRP #shell it's possible.
So how deep into linux / android do you go?
My next best attempt is to generate a service rom using QPST to flash in EDL mode.
Ever make a partition.xml file???
Thats aboot where im at.
oh yea and JTAG TOO.
Tomorrow my time will be limited during the day, but I can look into "qcom msm8909 source + manuals" & the ability to log TWRP commands and see what I can find.
Interesting about the 530, I was not aware that was possible.
I've used linux for about 20 years, and would consider my knowledge to be good, with the ability to usually get to source of a problem and/or find a solution slash work around.
I've never created a partition.xml, but would be happy to look into it.
I do have quite a bit of past JTAG experience but that was using a serial port not USB, which I assume you are referencing.
@supermaxkato
No my Desire 530 is Metro-Pcs.
I took one of the verizon 526 and activated it then used the phone number to port to Metro Pcs.
With the port it cost $70 for the Desire 530 + 1 month of unlimited service. Essentially the Desire 530 was free.
Any Verizon HTC most likely will have the same security scheme.
@rfunderburk39
This is good news. I would be grateful to have help on this.
It is difficult to know what kind of experience people have; some don't even know how to use adb.
I will start another thread with all the information I know so far.
And I have the MSM8909 source code. Not just the kernel but the "Qualcomm Chipcode" Board Support Package.
And many qcom manuals.
This should be very helpful to us.
I will name the new thread "{WIP} {ROM} MSM8909 Service Rom From Source / QPST Root + Unlock + Unbrick"
I will post all current information there.
Something potentially worth trying:
-Grab the Settings.apk (and .odex) from the 526+ or 626, just make sure its the same version of android.
-Push those to device
-adb shell
-su
-mount -o rw,remount,rw /system
-exit
-exit
-adb push Settings.apk /system/priv-app/Settings/
-adb push Settings.odex /system/priv-app/Settings/arm/
-Open >settings>developer options on the device
-check and see if the option “OEM Unlock” appears
-reboot into "download mode" and see if the settings stick.
-run fastboot oem get_identifier_token
Granted this holds the possibility of bricking the phone, but more than likely will not stick on a reboot & the Settings.apk will be replaced with the device original.
I will test on mine.
Give me an hour
Well I replaced the settings files with the settings files from the unlocked ruu for the 526.
It's a no-go the settings app crashes on boot.
This would only add the oem_unlocking option.
We can get the same result by changing the last byte 00 of the FRP.img to 01 and then in a root shell
to pull
dd if=/dev/block/bootdevice/by-name/frp of=/sdcard/frp.img
to push
dd if=/sdcard/frp.img of=/dev/block/bootdevice/by-name/frp
This will work to get a Unlock Token but the HTC-DEV site will reject it.
ERROR = CID Not Allowed.
If you can find a way to write the pg2fs partition I can make this work.
I didn't think it would work, just an outside chance. Hoped it may give a different token, that in turn would pass over at HTC-DEV.
Back when I had other HTC devices, I used a tool here on XDA [TOOL] HTC Easy Unlock Bootloader Tool. It doesn't appear to be maintained any longer, its based around Windows *.bat files (easy enough to edit)
https://forum.xda-developers.com/showthread.php?t=2133336
and SimpleGoldCard
https://forum.xda-developers.com/showthread.php?t=970157
SimpleGoldCard would access a site, after downloading that, you select it in the SimpleGoldCard application & it would create the image.
https://huygens.hoxnet.com/goldcard.html
I haven't had time to read through these posts just yet, the method may no longer be valid. But worth a look, and I will be reading through these today to see.
Also I will see what I can find about a work-around for writing to the pg2fs partition.
I just got my AT&T V35 so I can try and help you guys get root.
However, I don't have time to try and track down all the information so far. So, Someone with knowledge needs to bring me up to speed.
Here are the questions I need answered:
Is there a model that has FULL fast boot (fastboot flash, fastboot boot, etc). This is VERY important because it will make life much easier.
Where is the engineering abl?
Has LG UP already been patched for lab mode (partition DL, DUMP)?
How many models of the V35 are there?
How many of those have KDZs available?
We will start with that.
When it comes to rooting an extremely locked down phone there are several things that are involved. Now there are multiple ways to get to them, but I prefer doing through lafd for writing / temp root.
You have to be able to write to the phone while it is secure. This means having a patched LG UP that can handle writing say laf from the G7
You need temp root. This (in the past for my root processes) has meant flashing a laf partition that is signed, but has a root exploit
once you have temp root, you have to be able to unlock the bootloader. This was accomplished on the V20 with an engineering aboot (abl). It was accomplished on the G6 by taking a donor US997 with an unlock.bin
I await the answers....
Please don't get me wrong, now that I have the phone in my hands, I will start from scratch if I have to, but it is in your best interests, if you want root, to help me out (it will go MUCH faster -- since I know what I do and don't have to do).
-- Brian
Is there a model that has FULL fast boot?: Yes AT&T engineering V35
Where is the engineering abl?: HERE
Has LG UP already been patched for lab mode (partition DL, DUMP)?: Yes, HERE
How many models of the V35 are there?: 6
(All of them are crossflashable except the Korean one - fault in modem partitions (LMV350N)
How many of those have KDZs available?: All of them HERE
vlad48 said:
Is there a model that has FULL fast boot?: Yes AT&T engineering V35
Where is the engineering abl?: HERE
Has LG UP already been patched for lab mode (partition DL, DUMP)?: Yes, HERE
How many models of the V35 are there?: 6
(All of them are crossflashable except the Korean one - fault in modem partitions (LMV350N)
How many of those have KDZs available?: All of them HERE
I hit the thanks button, but thanks again.
I need someone with an unlocked bootloader to get in touch with me and do some fastboot boots.
-- Brian
vlad48 said:
Is there a model that has FULL fast boot?: Yes AT&T engineering V35
Where is the engineering abl?: HERE
Has LG UP already been patched for lab mode (partition DL, DUMP)?: Yes, HERE
How many models of the V35 are there?: 6
(All of them are crossflashable except the Korean one - fault in modem partitions (LMV350N)
How many of those have KDZs available?: All of them HERE
Thanks for all this.
I flashed my AT&T V35 to the LMV350ULM variant using LGUP. Can I then flash it with the LMV350AWM version and do I need to reset the phone firsthand before flashing in order to get a newer build with security updates?
@X-Nemesis If your device was initially an AT&T model - it can receive OTA's only if it is on AT&T firmware and you are using it with AT&T SIM.
Yes, you can cross-flash it to any other model except KOREAN ones, but the trade-off is that you will stop receiving OTA updates until you return to your AT&T firmware.
vlad48 said:
@X-Nemesis If your device was initially an AT&T model - it can receive OTA's only if it is on AT&T firmware and you are using it with AT&T SIM.
Yes, you can cross-flash it to any other model except KOREAN ones, but the trade-off is that you will stop receiving OTA updates until you return to your AT&T firmware.
Yeah, I'm in Canada and got the V35 for a great price off Ebay. I found out exactly what you said regarding updates and knew I was toast so I flashed to the Fi version after reading a post on Reddit similar to yours, for those who aren't on AT&T.
I just didn't know you could crossflash all of the firmwares except for the Korean version so at least I have a means to keep my phone with the latest security updates.
Again, thanks.
runningnak3d said:
I hit the thanks button, but thanks again.
I need someone with an unlocked bootloader to get in touch with me and do some fastboot boots.
-- Brian
Hey Brian. Super psyched you're here. I just nabbed a v35 as well as it seemed like a worthy upgrade from the v30 for what they are going for on eBay now.
I read that @b8engl has a v35 with an unlocked bootloader. Perhaps you two are already in touch.
Good luck fellas. I see great things happening here.
-Adam
X-Nemesis said:
Yeah, I'm in Canada and got the V35 for a great price off Ebay. I found out exactly what you said regarding updates and knew I was toast so I flashed to the Fi version after reading a post on Reddit similar to yours, for those who aren't on AT&T.
I just didn't know you could crossflash all of the firmwares except for the Korean version so at least I have a means to keep my phone with the latest security updates.
Again, thanks.
So you CAN cross flash V35. Someone with Octopus box told me you couldn't.
Sent via open market LG US998 V30/V30+
---------- Post added at 12:42 PM ---------- Previous post was at 12:42 PM ----------
vlad48 said:
@X-Nemesis If your device was initially an AT&T model - it can receive OTA's only if it is on AT&T firmware and you are using it with AT&T SIM.
Yes, you can cross-flash it to any other model except KOREAN ones, but the trade-off is that you will stop receiving OTA updates until you return to your AT&T firmware.
Thank you for the information!
Sent via open market LG US998 V30/V30+
runningnak3d said:
I hit the thanks button, but thanks again.
I need someone with an unlocked bootloader to get in touch with me and do some fastboot boots.
-- Brian
I already reached out to help... didn't receive anymore message.
---------- Post added at 07:22 PM ---------- Previous post was at 07:22 PM ----------
ChazzMatt said:
So you CAN cross flash V35. Someone with Octopus box told me you couldn't.
Yes, it's possible!
---------- Post added at 07:37 PM ---------- Previous post was at 07:22 PM ----------
bacon612 said:
Hey Brian. Super psyched you're here. I just nabbed a v35 as well as it seemed like a worthy upgrade from the v30 for what they are going for on eBay now.
I read that @b8engl has a v35 with an unlocked bootloader. Perhaps you two are already in touch.
Good luck fellas. I see great things happening here.
-Adam
Yes, we were. But I'm guessing that he already has his V35 in hands now... must be testing!
I have requested help for extracting the Qualcomm loader from a data file, perhaps you would like to take a look at the file and tell me what you think I could do?
Link here: https://forum.xda-developers.com/showpost.php?p=79074150&postcount=39
@b8engl It would really make things go quicker if you could fastboot boot every V35 and G7 laf partition that is available. The purpose being to find one that can have the toybox backdoor triggered.
Boot it, run lglaf, and type whoami, and then !EXEC /system/bin/toybox whomai\0
I could extract and decompile *every* one of them, but it is quicker to just boot and test.
The G7 has an SD845 so laf images should boot on the V35. We don't care about things like the screen working, touch, the modem or anything else. As long as it boots, and lafd runs, we are good. As for you worrying about bricking your phone or something else nasty -- the fastboot boot command doesn't write anything to the phone. It extracts the boot image, loads it into RAM and runs it. If it boots -- great -- if not, no harm.
-- Brian
@runningnak3d your version from lglaf didn't work for me, I use lekensteyn version.
- git pull, then:
PHP:
[[email protected] lglafng]$ python lglaf.py
LGLAF.py by Peter Wu (https://lekensteyn.nl/lglaf)
Type a shell command to execute or "exit" to leave.
# whoami
lglaf.py:564: DeprecationWarning: The 'warn' method is deprecated, use 'warning' instead
_logger.warn(e)
LGLAF.py: WARNING: Command failed with error code 0x8000010a (LAF_ERROR_ACCESS_DENIED)
# !EXEC /system/bin/toybox whomai\0
LGLAF.py: WARNING: Header field requires a DWORD, got bytes b'/system/bin/toybox'
#
b8engl
You are a very big liar.
You have no phone with unlocked bootloader. I gave you a link to download full dump files of the phone.
byran7 said:
b8engl
You are a very big liar.
You have no phone with unlocked bootloader. I gave you a link to download full dump files of the phone.
hey dude, what's up with that big mouth!
what are you talking about, by you sent some files... I receive a lot of junk, especially about files or help. did I not respond or what?! take a pill and calm down!
b8engl said:
@runningnak3d your version from lglaf didn't work for me, I use lekensteyn version.
- git pull, then:
PHP:
[[email protected] lglafng]$ python lglaf.py
LGLAF.py by Peter Wu (https://lekensteyn.nl/lglaf)
Type a shell command to execute or "exit" to leave.
# whoami
lglaf.py:564: DeprecationWarning: The 'warn' method is deprecated, use 'warning' instead
_logger.warn(e)
LGLAF.py: WARNING: Command failed with error code 0x8000010a (LAF_ERROR_ACCESS_DENIED)
# !EXEC /system/bin/toybox whomai\0
LGLAF.py: WARNING: Header field requires a DWORD, got bytes b'/system/bin/toybox'
#
Use @steadfasterX's repo: https://github.com/steadfasterX/lglaf.git that is where all the latest development work is going.
Also, use Python3
Code:
git clone https://github.com/steadfasterX/lglaf.git
cd lglaf
git checkout develop
python3 lglaf.py
whoami
!EXEC toybox whoami\0
!EXEC /system/bin/toybox whoami\0
There are TWO spaces after the EXEC.
However, it is a good sign that you didn't get any output from whoami alone....
-- Brian
b8engl
You are a very big liar.
You have no phone with unlocked bootloader. I gave you a link to download full dump files of the phone.
Ask for forgiveness and do not deceive more people here on the forum.
I will ask to make a photo of the phone in fastboot. Then all doubts will disappear.
@runningnak3d how to import cryptography?
PHP:
[[email protected] lglaf]$ python3 lglaf.py
LAF Crypto failed to import! Error: No module named 'cryptography'
LAF Crypto failed to import!
LGLAF.py by Peter Wu (https://lekensteyn.nl/lglaf)
Type a shell command to execute or "exit" to leave.
b8engl said:
@runningnak3d how to import cryptography?
PHP:
[[email protected] lglaf]$ python3 lglaf.py
LAF Crypto failed to import! Error: No module named 'cryptography'
LAF Crypto failed to import!
LGLAF.py by Peter Wu (https://lekensteyn.nl/lglaf)
Type a shell command to execute or "exit" to leave.
Code:
sudo pip3 install cryptography
But if that is FWUL (and it looks like it is from the prompt), it should have all the Python modules installed. Weird.
-- Brian
PHP:
[[email protected] lglaf]$ git pull
Already up to date.
[[email protected] lglaf]$ python3 lglaf.py
LAF Crypto failed to import! Error: No module named 'cryptography'
LAF Crypto failed to import!
LGLAF.py by Peter Wu (https://lekensteyn.nl/lglaf)
Type a shell command to execute or "exit" to leave.
# whoami
lglaf.py:665: DeprecationWarning: The 'warn' method is deprecated, use 'warning' instead
_logger.warn(e)
LGLAF.py: WARNING: name 'laf_crypto' is not defined
# !EXEC toybox whoami\0
LGLAF.py: WARNING: name 'laf_crypto' is not defined
# !EXEC /system/bin/toybox whoami\0
LGLAF.py: WARNING: name 'laf_crypto' is not defined
#
---------- Post added at 10:44 PM ---------- Previous post was at 10:37 PM ----------
Downloading new version from FWUL...
---------- Post added at 11:07 PM ---------- Previous post was at 10:44 PM ----------
well...I switch to lekensteyn version, and this happened:
PHP:
[[email protected] lglafng]$ python3 lglaf.py
LGLAF.py by Peter Wu (https://lekensteyn.nl/lglaf)
Type a shell command to execute or "exit" to leave.
# whoami
lglaf.py:564: DeprecationWarning: The 'warn' method is deprecated, use 'warning' instead
_logger.warn(e)
LGLAF.py: WARNING: Command failed with error code 0x8000010a (LAF_ERROR_ACCESS_DENIED)
# !EXEC toybox whoami\0
LGLAF.py: WARNING: Command failed with error code 0x8000010a (LAF_ERROR_ACCESS_DENIED)
# !EXEC /system/bin/toybox whoami\0
LGLAF.py: WARNING: Command failed with error code 0x8000010a (LAF_ERROR_ACCESS_DENIED)
#
Then I try:
PHP:
[[email protected] lglafng]$ git pull
remote: Enumerating objects: 118, done.
remote: Counting objects: 100% (116/116), done.
remote: Compressing objects: 100% (59/59), done.
remote: Total 103 (delta 69), reused 77 (delta 44), pack-reused 0
Receiving objects: 100% (103/103), 46.09 KiB | 1.18 MiB/s, done.
Resolving deltas: 100% (69/69), completed with 6 local objects.
From https://github.com/steadfasterX/lglaf
* [new branch] develop -> origin/develop
b012319..c68c778 ufs-test -> origin/ufs-test
Already up to date.
[[email protected] lglafng]$ git checkout develop
Branch 'develop' set up to track remote branch 'develop' from 'origin'.
Switched to a new branch 'develop'
[[email protected] lglafng]$ python3 lglaf.py
LAF Crypto failed to import! Error: No module named 'cryptography'
LAF Crypto failed to import!
LGLAF.py by Peter Wu (https://lekensteyn.nl/lglaf)
Type a shell command to execute or "exit" to leave.
#
Well, I just got an LG V35 from AT&T a couple of days ago and I was just getting on here to find out if there is an easy way of rooting. I'm not technically knowledgeable like everybody else here is, so I was just looking for an easy way, something that I could understand, some way that I can root. I also have the LG V10 from AT&T, which from my understanding you're not able to root.
@runningnak3d I've managed to get this working on gnome... what do you need next?
PHP:
[email protected]:~/lglaf$ sudo python3 lglaf.py
LGLAF.py by Peter Wu (https://lekensteyn.nl/lglaf)
Type a shell command to execute or "exit" to leave.
# whoami
Hello, I am LAF. Nice to meet you.# !EXEC toybox whoami\0
Hello, I am LAF. Nice to meet you.# !EXEC /system/bin/toybox whoami\0