Bootloader modification - G2 and Desire Z Q&A, Help & Troubleshooting

Does anybody have any information about how to modify the HBOOT image, or installing an entirely different boot image (e.g. Das U-Boot) onto this device? Or on any device? I've searched various forums for posts regarding HBOOT but not finding any regarding this.
I recently found my G2 (and G1!) buried in storage. I'd forgotten how much I enjoyed using them, especially the G2. I did the root thing, installing TWRP and a KitKat-based ROM, but it is terribly slow, not least because of its reported 384M usable RAM.
I like to think I've got a pretty good idea as to how Android devices (generally) boot up, and was thinking I've got a fair amount of practice under my belt building my own Linux kernels, and how I'd really like a Raspberry Pi (or variant), but this device already has everything I'd need for a "SBC"-style device.
If I could slap Das U-Boot on there, I think it'd be pretty easy to (try to) boot a Linux kernel and shell and then figure out laboriously what to do for hardware drivers. (For that matter, what's the G2's capability re: USB OTG?) If it's a matter of making actual changes to HBOOT to tell it to load something other than Android (or kernel followed by Android), I'd be fine with researching that and then doing the laborious work of building an optimized kernel and drivers.
I could also be talking out my ass and have not, in fact, really understood the Android booting process. But I need a project and it would be really cool if I could work on this, I just don't really know where to look beyond what I've read. I did read one sequence where somebody reported on how they actually did a dual-boot Debian/Android setup (literal dual-boot, not a Debian chroot, which involved him modding the boot image for his LG Optimus). I haven't had time to follow through with it to be sure I can apply any of his findings to HBOOT, but I suppose that might be the best place to start.
One other thing -- if I modify HBOOT and break something, is that a brick, or can I arbitrarily swap out boot images even if they don't work? Or, more directly, will I have a means to re-burn the original image even if I were to completely wipe it? Will fastboot or adb recognize the device and be able to communicate with its filesystem? Not that I'm worried too much about bricking it, but it'd be nice to minimize that chance before I just bite the bullet and try another boot image and cross my fingers.

Hi @dwkindig,
You don't need to install a bootloader other than HBOOT to install non-Android software. For instance, I have recently ported postmarketOS to the HTC Desire Z. So if you need a project to work on, check it out. There are a lot of things you could help out with.

Related

[Q] Newbie questions about DHD rooting and memory

Hi,
I'd be really grateful to anyone who can answer my newbie questions.
I'm looking to follow the guide to downgrade my non-network-branded (i.e. sim-free) Desire HD, so I can permanently root it. Then I intend to follow the other guide so I can still update to the latest official release. My primary requirement for rooting is just so I can make complete backups of my phone's state in future. Though I'll probably play about with other community ROMs too!
Sorry if answers to my questions are elsewhere, and feel free just to point if that's the case. I've searched but haven't found definitive answers. Knowing these things will increase my understanding. Although I'm used to tinkering with things a little, I am in no way a programmer and my last phone was a Nokia E65!
1) Please can someone list the different parts of the phone's memories, including which are impossible to write over and which are. E.g. my understanding is:
--One flash chip with:
- 'bootloader', which to me sounds like a PC's BIOS or the kind of app you can boot into on a standard desktop PC when choosing which OS to boot into;
- factory image partition;
- separate partition for over the air updates;
- 1GB partition for user-writeable memory for things like apps installed on the phone, contacts, etc.
--Physically separate 'radio' chip that can be overwritten (I don't understand the difference between this and the OS though)
--RAM;
--microSD card.
2) After following the two guides mentioned above, will I still be able to receive over the air HTC updates in future? And if not, does that mean I'd be relying on the community to make available any official updates? I bought my DHD through an official UK retailer.
3) After following the two guides mentioned above, will it still be possible to restore my phone to its factory state in future, e.g. for resale or sending back to HTC, so everything that we unlock ('eng s-off', 'radio s-off', etc., which fries my brain right now) is locked again? If so, can a guide to this process be linked to?
4) I understand it's possible to switch between custom ROMs easily. When this is done, does that mean all system settings, such as phone contacts and app settings are also switched, or are these settings written to a different part of the phone memory?
I'll be sure to thank (and donate) for your time. Many thanks in advance as well!
Hi, I just bought the DHD 3 weeks ago and it is still difficult to understand all this Android stuff sometimes.
1) I was a little lost at the beginning too. I don't know if this is what you are looking for, but this is what I understood.
There are 4 flashable "things":
- ROM OS (Android OS)
- Linux kernel
- ROM radio (another ROM that manages ONLY the hardware stuff like 3G, Wi-Fi, Bluetooth, GPS...)
- bootloader (exactly like a BIOS), which contains a recovery menu (that can be flashed by ClockworkMod for example)
The ROM radio seems independent and you can flash it separately from the others; it doesn't bother. The latest versions improve battery life or GPS startup etc...
The ROM OS (Android) needs to be flashed with the kernel, otherwise you can have some problems (Wi-Fi or data network that doesn't work anymore...).
S-Off means security off and it is necessary to do it if you want to write a new recovery on the bootloader or flash a new radio ROM...
There are two kinds of S-Off but I'm not sure of the meaning, so I'll let you read about it.
When you install through the official ways:
1 OTA: You need to have the official recovery from the bootloader, otherwise it will NOT work (no OTA with ClockworkMod).
If your phone is network-branded you need a goldcard here and/or SuperCID (I don't really understand here lol).
After the installation I think you keep the S-Off but you're not root anymore.
2 RUU: It will install/reinstall everything (ROM OS, kernel, ROM radio and bootloader).
It is even capable of resetting your CID (you're not concerned here because your phone is non-network-branded).
I think you lose the S-Off (or ENG S-Off -> SHIP S-Off), you're not root anymore...
If you want to keep S-OFF, SuperCID and ClockworkMod you need to:
1 flash the ROM OS through the ClockworkMod recovery -> update.zip (you can give it the OTA file .zip, it will only flash the ROM OS)
2 flash the kernel manually with fastboot (you can also use the boot.img contained in your OTA file)
3 flash the ROM radio (there is an excellent tutorial here on XDA about this)
2) OTA will not be possible if you want to use ClockworkMod. I was a little anxious about that too at the beginning! But you can find the official ROMs REALLY easily on XDA, probably before your provider sends it to you. And when you do everything manually, you can CHOOSE which radio ROM you want, you can do backups REALLY quickly with ClockworkMod and you can go back (things you can't do if you use OTA)... The last point that comforts me in doing all of this is that you can download the OTA but not install it, to pick up the ROMs inside and the kernel! I did it last week and my phone is now running the two ROMs that were contained in the OTA file AND the kernel. This is why I'm not worried anymore.
3) I never tried to restore my phone to its exact factory settings but I think you can...
4) I don't really know. In my case, I decided to use Google for my contacts too, so when I flash, a few minutes later I have all my contacts.
I hope my English is not too bad for explanations like this.
Hi poumpoum,
Firstly, thanks so much for taking the time to help. Your English is ten times better than my Française! If you've a PayPal account you'd like to Personal Message me, or just the name of your preferred charity, I'd like to say a little thanks that way too.
Okay: so I understand that doing these cool things to my phone means I won't be able to update it over the air. You've convinced me this isn't a problem because any updates find their way to the community.
I'm also convinced I can restore my phone completely to factory defaults due to this thread (the thread's for a different region but the principle still stands).
Thanks for clarifying the radio ROM shares the same physical chip as all the other memory (including the RAM actually, I found this out).
This thread also explained some of the jargon to me.
You're welcome

Kernel Source

Hello,
I'm not sure if anyone was aware, but the source code for the kernel is available from the Acer website. I'm not sure if this would help with the dev of ROMs or cracking the bootloader. Thought I would throw it out there.
It's available on the Acer support page under the A100, and is around 100mb.
Yeah, I saw that. Doesn't make a difference though, we need an unlocked bootloader before a custom kernel we can make with that is useful.
Back in my Xperia X10 days they were able to find a way to crash the stock kernel and were able to load custom kernels with a locked bootloader. It's probably not feasible considering it was a much older kernel version and from a different manufacturer... but one can only hope, right? lol
Don't know if it helps, but the thunderbolt also came with a locked bootloader and devs figured out how to flash a custom kernel. The custom was also locked but supported what they needed it to. It was flashed with the same process as our flashing updates manually. Maybe some of the tbolt devs could help?
Sent from my A100 using Tapatalk
We could do a custom ROM through 2nd-init, but so far it's been an uphill battle trying to figure it out. I'm not a kernel developer, but I've done some work modifying and working with CM7 kernels, nothing to this scale though.
I do know that we wouldn't be able to change the kernel on this device or use a modified recovery because there's some checking going on with the checksum of the disk images.
@crossix
Have you seen this thread in the Nook Tablet forums?
They found a way around the bootloader problem.
I was thinking the above. Maybe we can make a workaround through the kernel code. I haven't done programming on this low of a level but can scan through to see if and what checks there are and if there are any loopholes... I like to think they have a backdoor somewhere in there...
Excuse me, I was wrong. The Thunderbolt with its locked bootloader was solved a little differently. I think what they did was flash an entirely different bootloader to it, one that was still encrypted but unlocked. Don't know if that's possible in this case but thought it was something to mention.
Sent from my LG-VM670 using Tapatalk
Maybe we should talk to nemith and fattire and they may have some suggestions. I am nowhere near skilled at this level of development to talk intelligently to them. My development skills lie in the .NET field and at the application level. So I am not much help.
@painter... I have been looking through the Nook forums that you referred to and I certainly think that this is a possible route to go with the A100. This is also way above my skillset, however I will be more than happy to do what I can if there are any developers interested. I have been doing a lot of research into the locked bootloader and this is the most promising news that I have heard so far. I wish we could get more devs interested in this little tablet because it has great potential if we could get past the bootloader.
What I'll do later is download the code again (had it before, but accidentally deleted it) and look through some of the more important code to see what can be found. Why would Acer put up the source code if there isn't a way to alter the kernel? Seems counter-intuitive to put it up without a purpose...
Here is some info on 2nd-init, if anyone smarter than me is interested in having a look..... good luck!..... http://cvpcs.org/blog/2011-06-14/2nd-init._what_it_is_and_how_it_works
Because they have to; it's required by the GPL to make the source public. Just because they make it public doesn't mean that it'll compile properly though. But in this case it does compile cleanly, and with it we could probably take bits and pieces of CWM for the A500 and get it to work (their GPL version, not thor's recovery). How to do that though with our current encrypted recovery I dunno.
I looked at the thread and it definitely looks like something doable, but what offset would we use and how would we tell the boot partition to go look for a custom recovery when we can't even open it to alter its contents, since it and the recovery partitions are both encrypted?
If you make an image of either partition using dd and try to mount it and read its contents, you see gibberish rather than editable files in the images. Might be able to poke at it with a hex editor, but that's beyond my skill level.
Sent from my MB860 using XDA App
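The dd-dump check from the post above, worked through as an added example (not code from the thread or from any of the devices it discusses): it parses the classic Android boot image header laid out in AOSP's bootimg.h and, when no header is present, measures byte entropy to flag a dump that is opaque. The sample image and the pseudo-random stand-in for an encrypted dump are constructed here; load addresses, name and cmdline are placeholders. High entropy alone does not separate encrypted from compressed data, so the header check runs first.

```python
"""Inspect a dd-dumped boot/recovery partition image (added example)."""
import math
import random
import struct
from collections import Counter

BOOT_MAGIC = b"ANDROID!"
# Classic (v0) header: magic, kernel_size, kernel_addr, ramdisk_size,
# ramdisk_addr, second_size, second_addr, tags_addr, page_size,
# two reserved words, 16-byte name, 512-byte kernel cmdline.
HEADER_FMT = "<8s8I2I16s512s"
HEADER_LEN = struct.calcsize(HEADER_FMT)  # 576 bytes


def shannon_entropy(data: bytes) -> float:
    """Bits of entropy per byte: ~0 for zero fill, ~8 for ciphertext."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())


def parse_boot_header(image: bytes) -> dict:
    """Return header fields plus where each component starts, or raise."""
    if len(image) < HEADER_LEN or image[:8] != BOOT_MAGIC:
        raise ValueError("no ANDROID! magic: not a plain boot image")
    (_magic, kernel_size, kernel_addr, ramdisk_size, ramdisk_addr,
     second_size, second_addr, tags_addr, page_size, _r0, _r1,
     name, cmdline) = struct.unpack(HEADER_FMT, image[:HEADER_LEN])
    if page_size == 0 or page_size & (page_size - 1):
        raise ValueError(f"implausible page_size {page_size}")

    def pages(nbytes: int) -> int:
        return (nbytes + page_size - 1) // page_size

    # The header occupies one page; each component is page-aligned after it.
    kernel_off = page_size
    ramdisk_off = kernel_off + pages(kernel_size) * page_size
    second_off = ramdisk_off + pages(ramdisk_size) * page_size
    return {
        "kernel_size": kernel_size, "kernel_addr": kernel_addr,
        "ramdisk_size": ramdisk_size, "ramdisk_addr": ramdisk_addr,
        "second_size": second_size, "second_addr": second_addr,
        "tags_addr": tags_addr, "page_size": page_size,
        "name": name.rstrip(b"\0").decode(errors="replace"),
        "cmdline": cmdline.rstrip(b"\0").decode(errors="replace"),
        "kernel_offset": kernel_off, "ramdisk_offset": ramdisk_off,
        "second_offset": second_off,
    }


def classify_dump(image: bytes) -> str:
    """'boot-image' (editable header), 'opaque' (high entropy), or 'unknown'."""
    try:
        parse_boot_header(image)
        return "boot-image"
    except ValueError:
        pass
    # Sample the first 64 KiB; ciphertext and compressed data both sit near 8.
    if shannon_entropy(image[:64 * 1024]) > 7.5:
        return "opaque"
    return "unknown"


def build_sample_image(page_size: int = 2048) -> bytes:
    """Constructed sample boot image; not dumped from any real device."""
    def pad(b: bytes) -> bytes:
        return b + b"\0" * (-len(b) % page_size)
    kernel = b"\x7fKERNEL" + b"\0" * 3000      # 3007 bytes, spans two pages
    ramdisk = b"\x1f\x8bRAMDISK" + b"\0" * 500  # 509 bytes, one page
    hdr = struct.pack(HEADER_FMT, BOOT_MAGIC, len(kernel), 0x10008000,
                      len(ramdisk), 0x11000000, 0, 0x10F00000, 0x10000100,
                      page_size, 0, 0, b"sample",
                      b"console=ttyS0 androidboot.hardware=sample")
    return pad(hdr) + pad(kernel) + pad(ramdisk)


# Constructed stand-in for an encrypted partition dump: seeded so the
# result is reproducible offline.
OPAQUE_DUMP = random.Random(1234).randbytes(8192)

if __name__ == "__main__":
    img = build_sample_image()
    print(classify_dump(img), parse_boot_header(img))
    print(classify_dump(OPAQUE_DUMP), round(shannon_entropy(OPAQUE_DUMP), 2))
```

On a real dump, read the partition image with `open(path, "rb").read()` and pass it to `classify_dump`; a result of "opaque" is the thread's "gibberish" case, where there is no header to edit.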
I'm still in the extraction process, and it is a rather large image. It's around 500mb compressed. I can take a look into it, but can't make any promises that I'll find anything at all. I understand the GPL and whatnot, and the partitions being encrypted, and am just hoping that somewhere in the kernel is a clue as to what is being done that can help us along the way to cracking this thing.
I didn't think of this until now, but is the newer A500 encrypted? If so, maybe we can find the difference between the older and the newer version somehow and see what they are using. Just a thought, could be completely wrong.
From what I understood (I could be completely wrong though) one of the newest updates that brought the A500 up to 3.2.1 changed their encryption method so itsmagic (their security hole) no longer worked. The workaround for that was to downgrade to 3.2 and install CWM / itsmagic and then flash a recovery 3.2.1 image.
Sent from my MB860 using XDA App
Hmm, not sure. I'll look around. I'm still trying to root my tab, have been unsuccessful thus far, and about 3 hours into trying..
Is there any benefit in opening the device and sniffing around? I know the bootloader's encrypted but some of it might not be? That's how GeoHot found the first iPhone unlock exploit; by shorting two pins or something?
I also know it's possible to read NAND chips with an Arduino to some extent. I dunno, just talking out loud...
Never thought of finding a way through the hardware itself. I have never opened my Acer, probably won't. I have a Chromebook and the only way to install another OS on it was to flip a switch and pop the cover off, since it has a button that's enabled with the case on that prevents writing to specific portions and whatnot... Good thought. Maybe someone will look into this further.
A100 teardown
http://www.techrepublic.com/blog/it...eardown-lots-of-tech-crammed-into-7-case/3028
Sent from my PG86100 using Tapatalk
I think it's very nifty that it has an expansion slot for a cellular chip. All the specs I can find on the 3G A101 show it as having half the RAM. Wonder what it would take to pop a 3G chip in there and get it working. :-\ You would probably have to flash the firmware from the 101 to get it to see the chip...

Wild speculation

I don't have the experience to know if this is possible, which is why I ask, because I'm curious. I post here because I want devs to see it, and think "that could work" or "idiot".
As we know the Defy bootloader will probably never be unlocked. Now I was thinking, would it not be possible to somehow isolate the bootloader from a ROM, and run some kind of virtual one in a separate partition to run a fully custom kernel? It's probably crazy but I'm dying to know what people think. Don't be too hard on me, I have no coding experience :/ however all opinions are welcome, I think anything is possible.
Sent from the real world by hacking into the matrix
I don't want this to become another dead bootloader-hacking thread, but I want to give you an answer with the facts:
1) There currently is no known way to execute code before booting the kernel, because everything is well protected through code signing.
2) The only way to boot a kernel after kernel boot is tools like kexec or 2ndboot. But a phone's RIL is a heavy stone on that path because it's not that easy to reinitialize this part of the hardware, and without RIL a phone is useless. The main developers cancelled this project for this reason.
Other "non-phone" devices with a locked bootloader (like Sony's Google TV) are using this method without problems.
3) You can use kexec/2ndboot to load a full bootloader instead of a kernel only, too. But because we don't have the source, we would have to reverse engineer it to disable the signature check of the kernel, otherwise you would load another useless protected bootloader. This was also a project but I don't think it's still alive...
Additional note: You can't directly flash a modified bootloader because our chipset has built-in OMAP3 security features. This means the CPU will only boot signed code from NAND.
You can find much helpful information about this topic on this page:
http://and-developers.com/partitions:cdt#cdt_table_of_droid_x
Thanks, that clarifies things quite a bit. However, I mean loading not just a second kernel but a WHOLE bootloader that would handle the phone's entire functions independently, or is it completely hardwired so it's impossible for something to override it? (Sorry if you have already answered in the above.) Another thing, has no one tried to compile a custom fixed SBF? Maybe the bootloader could be replaced that way? In software almost anything done can be undone in some way, although perhaps this is the rare case where it isn't.
Sent from the real world by hacking into the matrix
I edited my post to have everything at one place.
I hope this answers your questions.
The bootloader is like the BIOS in a PC (it actually is part of the BIOS); it's what initializes the device and loads the rest of the code. To load it again, or another one, you would have to reinitialize the device. The issue with the RIL is that when reset or restarted it "panics" and resets the whole device (I think, I read it somewhere).
Also, the second unlocked bootloader that you want to load does not exist anyway.
It's better to just help the developers with bug reports and testing than daydream.
Sorry mate!
So it's all been tried before, damn! XD At least the devs here have done a fine job of making good ROMs even with this limitation. Guess I will do my research before I buy my next phone, as I love playing with ROMs, the more custom the better.
Sent from the real world by hacking into the matrix

[Question] Modding out hboot?

I was wondering, has anyone tried decompiling our hboot and trying to see if we can resize our portion sizes? Other phones such as the Nexus One I believe have a modified hboot (Blackrose) that allows resizing; the HTC Hero has a nice mod as well called Firerat. It patches both recovery and boot.img to allow more size to data or system as needed (set by user). If I have the time & money to buy a test monkey I will be trying to decompile it.
Sent from my rooted GameBoy Advance! ^¬^
Decompiling is disassembly, generally. Some decompilers can go back to source code, but it's not the original source and is usually harder to read. Also, if you do something wrong in HBOOT you will likely brick your phone.
The correct word is partition not portion.
Maybe if you're interested you can ask the devs who did it. It sounds complicated and very risky. I think a safer option would be to create .img files on the emmc or sdcard storage and tell the ramdisk to boot from there. Boot Manager already accomplishes this and can multi boot ROMs but it hasn't been worked on since the ICS days. I think the devs of that project have said that someone could pick up on it and continue. It doesn't work on Jellybean but that's ideally the smartest concept, though the img method seems to be a bit slower.
Another option is LVM which I mentioned a while back and didn't get around to trying out.
This thread talks about it
http://forum.xda-developers.com/showthread.php?p=26164523
That above looks interesting but the users will also have to be technical enough to be able to create the LVM partitions themselves and set up their system enough to flash a ROM for it. It requires a modified boot.img and recovery.

What can brick a Sony Smartphone?

Hey!
I want to start developing on an old Sony smartphone, the Xperia Miro st23i (Mesona).
Why this device? It isn't expensive to buy a new mainboard in case I break it and for reasons of sentimentality
I have already compiled kernels for Desktop Linux for various reasons.
Now to my question:
There are CM10 sources and some 2.5-ish TWRP available which I intended to upgrade.
Can I break access to fastboot by flashing a kernel that doesn't work at all?
This always happens every now and then when trying something. But on my ThinkPad, I could always swap the HDD when I've messed things up totally... Here, I can't do that.
Same question for TWRP, can I break fastboot?
Can a messed up partition layout break fastboot?
How could I break fastboot?
I think my questions apply to more or less every Sony phone.
I couldn't find any information useful to me by Google or XDA search because the results are so full of questions about how to get into fastboot...
I absolutely don't know how the fastboot mode works and what it depends on.
I just want to know what major mistakes I could make before I make them. Maybe I can avoid needing a JTAG interface by asking in advance.
Thanks for any useful answer!
PS: Please don't discuss the fact I'm gonna develop on this device. The amount of thanks given in case I'm successful will be like 4 and the device will be sluggish as hell on Marshmallow or Nougat because it has only a few MBs of RAM and only 1GHz CPU. I know that! But I don't want to start developing on a device that's so expensive that I can't afford to break it.
You wouldn't let a newbie "try to learn something" at your new Prius. You would give him your old 1992 car that you don't need anyway, regardless of its top speed -
Sony devices can use flashtool which is different from fastboot and provides the ability to reflash the full firmware - which helps you get out of most issues you may encounter.
Thanks for trying to answer my question, but that's not it.
I've already unbricked like 50 phones by exactly following tutorials and reading everything I could find.
In the end, I just want to know what flashmode or fastboot mode depends on. I want to know which partitions I may mess up and which I may not mess up.
My guess is I may do everything as long as I don't reflash the bootloader partition.
Ahh ok, so I bet @Bin4ry would be able to answer that question, either him or @Androxyde.
@Kaffeetrinker
This thread by @munjeni used to contain much more detailed info about the S1 bootloader, but most of it can't be accessed right now.
Thank you very much! This thread gave me some words to google. Doing so, I found the information I needed.
As soon as summer's over, the project can start.
To answer my own question in short: you can't hard-brick a Sony device as long as you don't mess with the bootloader.
FOTA recoveries are completely separated from the actual ROM (although they can be updated together).
Fastboot relies on neither the FOTA kernel nor the system kernel.
As long as you only do regular ROM development and don't change the partition layout or mess in any other way with the bootloader partition, nothing should go wrong.
If you create an unbootable system kernel, you can still use your TWRP. And if you create an unbootable TWRP, you can still get into the system.
If you mess up both, you have still got fastboot.