Hi, since this is my wife's HTC hero from Orange UK, I'm being particularly careful with it. I'm new to xda-developers/HTC platforms (but not new to doing horrible things to embedded platforms) :>
I've been messing about with the phone all evening - downloaded that ROM image from the other thread and pulled it apart to look at the OS files etc - the standard break-a-new-embedded-linux-platform routine.
Anyway, if you hold down BACK when powering on, it enters the bootloader mode with a "FASTBOOT USB" prompt, which sounded interesting. I got a copy of the fastboot binary, and extracted the kernel and the ramdisk images from "boot.img" in the "HEROIMG_Hero_HTC_WWE_1.76.405.1_R3_WWE_release_signed.zip" (using split_bootimg.pl).
Just as a quick test, I tried booting them with:
fastboot boot kernel.img boot.img
since the above just boots a kernel from RAM, and not actually flash it. Anyway, fastboot claims it downloaded and booted it ok, and the phone shows the "HERO" logo. Unfortunately that is as far as it gets. However, if I reset the phone, it boots perfectly fine from the kernel/ramdisk in flash (phew!)
Since it doesn't actually boot into android proper (and doesn't show up as a USB device), I don't know if (a) its showing the HERO logo, but failing the signature check, or (b) actually booting, but crashing 'cos the kernel/ramdisk aren't quite right. I'd guess (a) myself, but I'm new to messing with HTC bootloaders.
Anyway, in case they're useful, the details of the phone from the fastboot mode are:
HERO CVT SHIP S-ON
HBOOT-1.76.0004 (HERO10000)
MICROP-010f
TOUCH PANEL-SYN0104
RADIO-6.35.04.25
Jul 3 2009,15:22:21
That method of entering fastboot is the same as the magic. Check the magic / sapphire wiki and have a read as I suspect the magic is its closest relative and a lot of the magic stuff will work...
daisy xx
Aha, thank you very much, that gives me more information!
Anyway, I just tried booting the boot.img itself instead of splitting it up with:
fastboot boot boot.img
This time, it booted right into the full android! Checking /proc/config.gz:
On the phone booting normally, it says:
# Linux kernel version: 2.6.27
# Fri Jul 3 07:52:06 2009
On the phone booted with boot.img extracted from that zip, it starts:
# Linux kernel version: 2.6.27
# Thu Jun 25 14:16:01 2009
So it seems as though it can boot the boot.img: AFAIK config.gz is hardcoded into the kernel binary. Now: is there a signature in the boot.img file?
Erm, I'm either hallucinating from lack of sleep, or I appear to have a root shell on it now. e.g. I can see the contents of /data from "adb shell":
ps reports: [snip]
root 43 1 3332 164 ffffffff 0000e8f4 S /sbin/adbd
root 619 43 748 340 c005ef5c afe0d08c S /system/bin/sh
# ls /data/app
org.oep.pong.apk
com.google.android.stardroid.apk
se.illusionlabs.labyrinth.lite.apk
com.google.zxing.client.android.apk
com.innovativelanguage.wordpowerlite.jp.apk
com.funambol.android.apk
com.massorbit.sword.apk
com.soundroid2012.piano.apk
jg.entertainment.abook.four.apk
com.maplekeycompany.apps.shake.apk
net.peterd.zombierun.apk
All I did was
1) pull the boot.img apart with split_bootimg
2) gunzip the ramdisk
3) hexedit the ramdisk to set ro.secure=0 (couldn't be bothered faffing about with cpio)
4) gzip the ramdisk
5) rebuild the image with mkbootimg. Oh you need to specify a different base address. Example command line:
/tmp/mkbootimg --kernel boot.img-kernel --ramdisk boot.img-ramdisk.insecure.gz --cmdline 'no_console_suspend=1 console=null' -o test-insecure.img --base 0x19200000
Then I just booted it with "fastboot boot test-insecure.img"
adq said:
Erm, I'm either hallucinating from lack of sleep, or I appear to have a root shell on it now. e.g. I can see the contents of /data from "adb shell":
ps reports: [snip]
root 43 1 3332 164 ffffffff 0000e8f4 S /sbin/adbd
root 619 43 748 340 c005ef5c afe0d08c S /system/bin/sh
# ls /data/app
org.oep.pong.apk
com.google.android.stardroid.apk
se.illusionlabs.labyrinth.lite.apk
com.google.zxing.client.android.apk
com.innovativelanguage.wordpowerlite.jp.apk
com.funambol.android.apk
com.massorbit.sword.apk
com.soundroid2012.piano.apk
jg.entertainment.abook.four.apk
com.maplekeycompany.apps.shake.apk
net.peterd.zombierun.apk
All I did was
1) pull the boot.img apart with split_bootimg
2) gunzip the ramdisk
3) hexedit the ramdisk to set ro.secure=0 (couldn't be bothered faffing about with cpio)
4) gzip the ramdisk
5) rebuild the image with mkbootimg. Oh you need to specify a different base address. Example command line:
/tmp/mkbootimg --kernel boot.img-kernel --ramdisk boot.img-ramdisk.insecure.gz --cmdline 'no_console_suspend=1 console=null' -o test-insecure.img --base 0x19200000
Then I just booted it with "fastboot boot test-insecure.img"
Click to expand...
Click to collapse
You're ready to build your own rom images ;-)
You could start by preparing your own rooted recovery with nandroid.
For a quick and dirty basic recovery image, just download one from sapphire development forum, replace the boot.img-kernel with a working copy for your hero.
Then rename init.sapphire.rc in init.hero.rc in ramdisk image.
You can simply extract ramdisk image with:
mkdir boot.img-ramdisk
cd boot.img-ramdisk
zcat ../boot.img-ramdisk.gz | cpio -idv
make your changes to ramdisk files
search internet for a script named repack-bootimg.pl
add the new base parameter to mkbootimg line in the script
cd to directory where you unpacked your boot.img
repack-bootimg.pl boot.img-kernel boot.img-ramdisk newboot.img
fastboot your recovery
then you can use nandroid in the recovery image to make a full dump of your rom and use the newer version of boot.img you have in your device to rebuild an up-to-date recovery or any kind of rom (you could start by preparing a copy of your original rom by changing ro.secure=0 in both boot.img and recovery.img).
By the way, I noticed that kernel in HERO uses sapphire fixup. The currently available version on the net is not booting on sapphire (magic) 32A, but it resets after a few minutes.
Maybe the kernel version in your orange hero introduces compatibility with sapphire boards. Well, really I suppose it won't, but if you get a nandrod backup and post your current original boot.img, magic 32A board owners could give it a try while we are waiting for HTC to release updated kernel sources for Magic and Hero.
Bye
daldroid
adq said:
[...]
So it seems as though it can boot the boot.img: AFAIK config.gz is hardcoded into the kernel binary. Now: is there a signature in the boot.img file?
Click to expand...
Click to collapse
No, no signature in standard boot.img, you have to zip it and sign the resulting zip. But no signing keys except for test-keys are available to the public, so I suppose your spl (S-ON) wil not allow you to directly flash rom images from fastboot command line.
However it seems your SPL allows you to fastboot a repacked boot image, so it should not be a problem to use a recovery image to flash whichever rom mod you like.
I suggest you not to flash any SPL you can find on the net, I suppose you have the newest ad no image of your original SPL is available (there is one from a leaked hero image, but yours seems to be newer)
Bye
Yeah, my thoughts exactly, I'd rather not flash the SPL if I can help it: I don't fancy explaining to my wife why I have to rip her phone apart to find the JTAG contacts I'll upload the boot.img later though.
Thats odd about the reset after a few minutes thing: hardware watchdog timer of some sort?
adq said:
Yeah, my thoughts exactly, I'd rather not flash the SPL if I can help it: I don't fancy explaining to my wife why I have to rip her phone apart to find the JTAG contacts I'll upload the boot.img later though.
Thats odd about the reset after a few minutes thing: hardware watchdog timer of some sort?
Click to expand...
Click to collapse
Well, really it's a little bit mor than a minute or so.
I suppose it's not an hardware watchdog, I don't have access to console debug messages.
Really the reset is a good sign, if you try booting dream or sapphire 32b kernel on 32A boards, it hangs forever.
If you extract piggy.gz from the kernel and hexedit it,you can find hero kerel initializes the hardware using the sapphire fixup.
It could only be that htc reused the same source and fixed hardware details and forgot to change the fixup routine name or that they are prepare to build a kernel able to boot on both hero and magic 32A boards.
32A and hero use the same new base address for kernel and ramdisk loading 0x19200000.
our boards have more memory than dream and 32b boards.
I suspect htc is using a stacked ram configuration and they changed the init code for the number of banks in memory.
In 32A they changed ram location for fb, ram console and maybe gpu1. It was a real mess to guess every change, so I stopped recompiling and rebooting the kernel after a dozen of times ;-) Waiting for htc to release the patched source code ;-)
The radio rom on hero seems to be is newer than 32a's latest available but I don't want to try a flash, you know what I mean ;-)
The available hero SPL shoud work on sapphire (and on blackstone and topaz too) and maybe the newer radio rom requires it, but... I prefer not to brick my Magic.
Have a nice rom rooting time. You could want to give superuser.apk a try.
People on this forum is asking for rooting status on hero, I suppose you'll be able to announce them your succes in a short time.
Wow! That was Fast! Lol..... even thought there is still some work to do.
i feel honoured to have been one of the first to read this i still dont have a hero yet =[ gotta wait till august when i get my ema might start scrounging and saving what i can get so i can get it sooner
Well done to you sir what a fine job uve done, gz =]
I'm waiting for my Hero as well and I'm completely new to android.
But like you I develop for and work with embedded Linux systems so tearing ROMs apart was pretty much on top of my list when my device should arrive .
I don't know what the 'recovery' image does on Android systems, but as I read it like this: You can temporary boot a rom (or at least a kernel and it will get the rest of the system from the rom area) through the fastboot method.
So yes, then you have temporary booted into a rooted ROM. But how to make it permanent? Because if you modify the ROM and flash it back it will probably not work because it detects its modified, right?
Trying to make a "dirty recovery image" to dump full roms using Nandroid Backup
Hello Dalroid,
I read your post and was able to do the following:
1. Using split_bootimg, extract the ramdisk files from the Stock HTC HERO Rom found in the XDA forums.
2. I downloaded the cm-recovery 1.4 image from Sapphire and used split_bootimg on it as well.
3. I copied the extracted kernel from the HTC Hero ROM and replaced the one from the cm-recovery of sapphire.
4. I renamed init.sapphire.rc to init.hero.rc in the extracted recovery image folder.
5. This is where i have trouble. I am using the repack-bootimg.pl, but I am unable to repackage the image.
I did note that you stated that some base parameters needed to be changed in the script for this to work. Could you please shed some light on what I need completed in order to repackage. Thank you in advance.
EDIT: I found one problem so far, I do not have mkbootimg or mkbootfs on my computer. How do I get these on my computer?
JWallstreet said:
Hello Dalroid,
I read your post and was able to do the following:
1. Using split_bootimg, extract the ramdisk files from the Stock HTC HERO Rom found in the XDA forums.
2. I downloaded the cm-recovery 1.4 image from Sapphire and used split_bootimg on it as well.
3. I copied the extracted kernel from the HTC Hero ROM and replaced the one from the cm-recovery of sapphire.
4. I renamed init.sapphire.rc to init.hero.rc in the extracted recovery image folder.
5. This is where i have trouble. I am using the repack-bootimg.pl, but I am unable to repackage the image.
I did note that you stated that some base parameters needed to be changed in the script for this to work. Could you please shed some light on what I need completed in order to repackage. Thank you in advance.
EDIT: I found one problem so far, I do not have mkbootimg or mkbootfs on my computer. How do I get these on my computer?
Click to expand...
Click to collapse
I built my mkbootimg from android source code (android.git.kernel.org), but if you prefer you can find a prebuilt binary from http://rapidshare.com/files/249629878/PortTools.rar. I'm not the author neither I tested it, just searched for mkbootimg in forums and pasted the link for you.
If you use the standard mkbootimg, just add --base 0x19200000 the the mkbootimg line, otherwise the boot.img will be generated with standard load address which won't work for hero (or for my 32A Magic).
This is pretty exciting stuff
I really want to remove the SIM lock from the Hero - is this something you can do now you've got su access?
Is it going to be possible to have a 'how to' guide for the Hero to tell us what to do to get the phone unlocked?
I want to see someone install the Magic image on the Hero - it should fly with the extra RAM
Just out of curiosity, what would happen if I booted the original cm-recovery-1.4.img on the Hero?
My phone will hopefully arrive tomorrow, and the first thing I'd like to do is create a backup with the nandroid script.
wossName said:
Just out of curiosity, what would happen if I booted the original cm-recovery-1.4.img on the Hero?
My phone will hopefully arrive tomorrow, and the first thing I'd like to do is create a backup with the nandroid script.
Click to expand...
Click to collapse
It wont boot. You can instead use the modified(only trackball press event and kernel) cyanogen's recovery here: http://forum.xda-developers.com/showthread.php?t=541807&page=2
enlightener said:
It wont boot. You can instead use the modified cyanogen's recovery here: http://forum.xda-developers.com/showthread.php?t=541807&page=2
Click to expand...
Click to collapse
I'm new to all this, so I'd be grateful for some more information: is the Dream and Hero hardware too different to boot the same image? Or would it be possible to create multi-platform images?
I already downloaded the modified image from that thread and have extracted the same kernel, so I should be all set.
Hi,
I have a branded Desire which have been first unbranded (goldcard), OTA updated to latest Htc froyo update, and then Unrevoked 3.21+S-off 1.5 by alpharev.
Now, i want to make my own kernel from htc sources.
I know linux (using Gentoo for years), but process to flash a new kernel on an android device is not clear for me.
Is this link ok for Desire?
http://htcevohacks.com/htc-evo-hacks/how-to-build-your-own-htc-evo-4g-android-kernel/
Regards.
Sent from my HTC Desire using XDA App
I followed Cyanogen wiki for building the HTC Kernel as I found the toolchain from Codesourcery threw errors when trying to compile.
Obviously with the CyanogenMod guide, I don't clone the kernel from their git, instead I untar the HTC source.
I would be interested in hearing your findings, if you do try and compile with that toolchain.
As for flashing the Kernel, I just use koush's AnyKernel - drop the zImage into the kernel folder and then compress and sign, to make a flashable zip.
Mekrel said:
I followed Cyanogen wiki for building the HTC Kernel as I found the toolchain from Codesourcery threw errors when trying to compile.
Obviously with the CyanogenMod guide, I don't clone the kernel from their git, instead I untar the HTC source.
I would be interested in hearing your findings, if you do try and compile with that toolchain.
As for flashing the Kernel, I just use koush's AnyKernel - drop the zImage into the kernel folder and then compress and sign, to make a flashable zip.
Click to expand...
Click to collapse
Yeah, basically this. It's pretty straightforward, it can just be a bit finicky sometimes.
Hi,
Thanks for answers.
Mekrel:
For the Sourcery compiler, I have same results as yours: errors and does not compile.
I believe HTC are working with the "google" toolchain, so their sources are not veryfied to work with another compiler.
Using the Cyanogen compile way ( with "google" toolchain), it does compile fine.
I'm happy to see this option in the kernel (Change Cpu Policy While Screen is ON/OFF), but I wonder why it is not activated by default... :
http://img833.imageshack.us/img833/3668/desiredefault.jpg
With changes made:
http://img145.imageshack.us/img145/3707/desiremodified.jpg
It would certainly be better than using SetCpu for me ( I'm using it just to force cpu at 245MHz when screen is off), and not need to hack HTC performance lock feature since I don't want to underclock or overclock my Cpu.
Now I just have to test it...but I do have few questions before doing that:
I can use koush's AnyKernel tool to flash my new zImage, but in case all goes wrong? How to revert back?
-->Can I save my actual boot.img in sdcard, and in case flash process goes wrong revert back to my actual boot.img?
Please help if possible with detailed process (or a web link but I have not being able to find a detailed process for Desire).
Regards.
Edit: Seems for me that Kouch's tool will not reuse my ramdisk, but another one?
-->I just want being able to modify my kernel, so I prefer to reuse ramdisk which is actually in my boot.img if possible.
-->I have tried this way: http://android-dls.com/wiki/index.php?title=HOWTO:_Unpack%2C_Edit%2C_and_Re-Pack_Boot_Images, but script provided on this link gave me error because my boot.img has a "Second Stage".
Judge584 said:
Hi,
Thanks for answers.
Mekrel:
For the Sourcery compiler, I have same results as yours: errors and does not compile.
I believe HTC are working with the "google" toolchain, so their sources are not veryfied to work with another compiler.
Using the Cyanogen compile way ( with "google" toolchain), it does compile fine.
I'm happy to see this option in the kernel (Change Cpu Policy While Screen is ON/OFF), but I wonder why it is not activated by default... :
http://img833.imageshack.us/img833/3668/desiredefault.jpg
With changes made:
http://img145.imageshack.us/img145/3707/desiremodified.jpg
It would certainly be better than using SetCpu for me ( I'm using it just to force cpu at 245MHz when screen is off), and not need to hack HTC performance lock feature since I don't want to underclock or overclock my Cpu.
Now I just have to test it...but I do have few questions before doing that:
I can use koush's AnyKernel tool to flash my new zImage, but in case all goes wrong? How to revert back?
-->Can I save my actual boot.img in sdcard, and in case flash process goes wrong revert back to my actual boot.img?
Please help if possible with detailed process (or a web link but I have not being able to find a detailed process for Desire).
Regards.
Edit: Seems for me that Kouch's tool will not reuse my ramdisk, but another one?
-->I just want being able to modify my kernel, so I prefer to reuse ramdisk which is actually in my boot.img if possible.
-->I have tried this way: http://android-dls.com/wiki/index.php?title=HOWTO:_Unpack%2C_Edit%2C_and_Re-Pack_Boot_Images, but script provided on this link gave me error because my boot.img has a "Second Stage".
Click to expand...
Click to collapse
You can backup via:
Code:
cat /dev/mtd/mtd2 > /sdcard/mtd2.img
Then you can use fastboot to flash boot:
Code:
fastboot flash boot mtd2.img
The guide you linked to doesn't recommend trying to split the boot.img from your phone (in this example, mtd2.img) due to possible corruption issues, which is why I went for Koush' AnyKernel.
So what you're saying is you can't get the ramdisk from your boot.img via:
Code:
% mkdir ramdisk
cd ramdisk
gzip -dc ../boot.img-ramdisk.gz | cpio -i
as this is the part that throws the error?
no, errors came from the perl scripts posted on the link http://android-dls.com/wiki/index.php?title=HOWTO:_Unpack,_Edit,_and_Re-Pack_Boot_Images
So to resume:
Code:
cat /dev/mtd/mtd2 > /sdcard/mtd2.img
will backup my boot.img but it may be corrupted
Code:
fastboot flash boot mtd2.img
will restore it but if it's corrupted then it's useless.
Why can it be corrupted?
Why not possible to flash this way, without the hassle of dealing with boot.img?:
Code:
fastboot flash zimage zImage
Edit:
OK, I have done some search: please confirm this procedure to be safe to flash a modified kernel:
1°)Make an Nandroid Backup
2°)Since my Desire is rooted and S-OFFed it does not need any-more signed files, so for me I just have to put my new wifi kernel module (bcm4329.ko) to /system/lib/modules/bcm4329.ko (via adb push)
3°And then flash the new kernel zImage in fastboot using this command:
Code:
fastboot flash zimage zImage
4°)Once done: I will have to power off my Desire.
5°)Then, Power it on again in bootloader mode, wait for 3 seconds and then go to fastboot: the zImage should now start flashing automaticaly.
6°)Once done: reboot to test my new kernel.
7°)In case something goes wrong, all I will have to do is to restore boot via my Nandroid backup and all will be fine.
If someone can confirm this procedure to be right and safe, thank you.
Best Regards.
Ok, my new kernel is ready.
Does someone can confirm that step 1 to 7 in previous post are corrects?
Sent from my HTC Desire using XDA App
The 7 steps you posted look about right - I'm not entirely sure about #3, I don't have much experience in fastboot flashing. You might be better off using AnyKernel and flashing that in recovery.
It works good!
Thanks a lot.
Sent from my HTC Desire using XDA App
i extracted the boot.img from my desire and run this script on it.
but it returns:
Code:
./unpack-bootimg.pl boot.img
Found a secondary file after the ramdisk image. According to the spec (mkbootimg.h) this file can exist, but this script is not designed to deal with this scenario.
i've been searching the internet for two days now and i cant find any other script that does that, only a tutorial for manually doing it with a hex editor, but that still doesn't cover that last file the script is complaining about.
any ideas?
p.s.: i need to modify boot.img because i'm trying to set up dual boot - android + android - for testing purposes, will post if successful
update:
i managed to extract kernel and ramdisk
first i tried booting kernel from fastboot, worked like a charm
then i tried booting kernel+ramdisk from fastboot - hangs on htc logo
i also tried compiling kernel+ramdisk into boot.img instuctions - again hangs on htc bootscreen
adb says no devices, fastboot detects it, but shows no ID, just ??????????
so apparently the last file in boot.img is important
any ideas?
i'm using cyangenmod7 btw
I am in the process of making a bootable kernel image . . I have succesfully compiled the kernel from source, and have the modules set and ready to go, but need a boot.img to rip apart and put back together with my zimage.
ALSO, I need to know where the kernel config file is on the device as it is not in /proc/config.gz , as it is on some devices.
Thank you for any help here. I'm getting closer! I will post a "howto" for debian linux if I can get the image to boot properly when I'm done.
The answer is here http://forum.xda-developers.com/showthread.php?t=2628951. I figured out how to compile the kernel and replace the boot.emmc.win on your g pad gpe 510.
Hello to all!
I'm an heavy oneplus user, currently with Nord, but i'm try to use my old but Gold Oneplus 3 to run Klipper+Moonraker+Fluidd.
Klipper side everything is perfect, still remains one big issue: there is no kernel compiled for OP3 which has USB_SERIAL_CH341 driver enabled.
I'm trying to build but without success. Here is what i've done under Linux Mint latest version.
First of all i've installed a lot of packages, i cant remember all because i used various guides since initially i was not able neither of finish compilation.
Then i've downloaded:
kernel source: https://github.com/lin16-microg/android_kernel_oneplus_msm8996/tree/lin-16.0-mse2
from this ROM thread, which is the rom im still using: https://forum.xda-developers.com/t/...ened-lineageos-16-0-for-oneplus-3-3t.4034869/
initially i've tried to use EVAgcc toolchain, but it was impossible to finish to build. Then i switched to AOSP toolchains:
32bit: https://android.googlesource.com/pl...inux-androideabi-4.9/+/refs/heads/pie-release
64bit: https://android.googlesource.com/pl...64-linux-android-4.9/+/refs/heads/pie-release
With Them i was able to compile from source, but before doing i modified the file called "lineageos_oneplus3_defconfig" by adding "USB_SERIAL_CH341=y" just under the "USB_SERIAL=y" in order to have the serial driver compiled and loader (if i have understood right?).
to build i've used from inside kernel source cloned directory:
>make clean
>make mrproper
>ARCH=arm64 SUBARCH=arm64 CROSS_COMPILE=googletoolpath/bin/aarch64-stuffs- CROSS_COMPILE_ARM32=googletoolpath/bin/arm-stuffs- make O=out lineageos_oneplus3_defconfig
>ARCH=arm64 SUBARCH=arm64 CROSS_COMPILE=googletoolpath/bin/aarch64-stuffs- CROSS_COMPILE_ARM32=googletoolpath/bin/arm-stuffs- make O=out Image -j2
in this way i've obtained an Image (not a zimage since with zimage returned error).
Then i unpacked the stock boot.img with Android Image Kitchen, substituted boot.img-kernel file (which is an archive..?) with the compiled image renamed.
Finally i repacked everything.
Tried to flash the repacked boot img but no boot, the phone returns to fastboot screen.
I've noticed that my newboot.img is around 25mb insted of around 12mb like the stock one present in the Rom.zip
Probably the error resides in how i've managed to unpack and repack the kernel image..
Do someone see some heavy error which can cause the problem? What can i try?
From a side, as automation engineer, i want to learn and try to do it by myself, but on the other side, if someone is able to compile it for me with serial CH341 driver enabled a beer is assured.
Thanks all to have read up to now and for any advice
not sure that's important but you forgot to gzip kernel before repacking. I recommend to compile with configuration of running kernel from device /proc/config.gz first.
alecxs said:
not sure that's important but you forgot to gzip kernel before repacking. I recommend to compile with configuration of running kernel from device /proc/config.gz first.
Click to expand...
Click to collapse
I've to try because it is not gzipped by default, the problem is that I don't found all in one scripts or config file as the one mentioned by you. I would never thought that rebuild a kernel were so tricky.