[HOWTO] USB Unbrick - Legend Android Development

First of all, many thanks to IEFtm from the Modaco forum for the solution and the how-to!!
Here is a copy/paste of his instructions with some additions (I can't be clearer than him).
/!\ IMPORTANT /!\ : only your device will see your sdcard before the end of the unbrick process!!!
As most of you know, people have been hard at work to fix the USB issues we've been seeing due to recovery setting us into USB debug mode.
After unsuccessful attempts to change the kernel command line, e.g. to:
disable_uart3=0
usb_h2w_sw=0
we've been successful in discovering (with the help of XDA-developers) that these switches are stored in the first NAND partition, mtd0, or 'misc'.
You must be rooted to try the following, it seems you can't write to mtd0 without root.
Do step 1 again if you have to.
Also, SD card functionality has to work. For this, go into fastboot mode (device off: volume down + power, select FASTBOOT), and do:
fastboot oem enableqxdm 0
(you must have the Android SDK installed; open a command prompt (MS-DOS) under Windows, navigate into the 'tools' folder and type this command)
Steps involved:
1. Find out your CID. Go into fastboot mode (device off: volume down + power, select FASTBOOT), and do:
fastboot oem boot
(you must have the Android SDK installed; open a command prompt (MS-DOS) under Windows, navigate into the 'tools' folder and type this command)
The log will say something like the following:
Code:
#INFOTAG:Ramdisk OK
#INFOTAG:smi ok, size = 0
#INFOTAG:hwid 0x0
#INFOTAG:skuid 0x21F04
#INFOTAG:hero panel = 0x0
#INFOTAG:engineerid = 0x0
#INFOMCP dual-die
#INFOMCP dual-die
#INFOTAG:mono-die = 0x0
#INFODevice CID is not super CID
#INFOCID is HTC__E11
In this specific case, the CID is HTC__E11.
2. Get the following mtd0.img from here or from here: mirror provided by SgtDavePwnage.
Edit this image to the CID you found above with a hex editor.
3. Get flash_image from here or from here: mirror provided by SgtDavePwnage.
You can move both mtd0.img and flash_image by putting them on your sdcard and issuing the following commands in a terminal emulator (you must do this on your device, with ConnectBot for example):
In the terminal emulator (like ConnectBot) you will be at a prompt beginning with a $; type 'su' (without the quotes) 2 times and you will normally see # at the beginning of the line (or anything else with #). In this case you are logged in as root. You can check it with this command: ls (check the screenshot to see what it looks like)
Now type the following
cat /sdcard/flash_image > /data/flash_image "type enter"
cat /sdcard/mtd0.img > /data/mtd0.img "type enter"
chmod 755 /data/flash_image "type enter"
/data/flash_image misc /data/mtd0.img "type enter"
(repeat the last command 2 times to be sure and ignore the output errors that you will see)
4. Repeat step 3 a couple of times if it doesn't seem to work well.
5. All done! Reboot; you should have normal USB connectivity. Post your 'fastboot oem boot' log and intermediate steps if it fails.
In case you get 'permission denied' for the 'su' command, you can try to do the same thing as Deffe on the Modaco forum:
P.S.
Before I re-rooted my Legend I did step 1 and used fake-flush, not step 2. So the phone became rooted and I can use ConnectBot!
Credits:
-kubino @ XDA for providing us with the 'misc' information
-TheProfessor @ irc.freenode.net #modaco for being the first test subject + debugging
-adam235 @ irc.freenode.net #modaco for being a test subject as well + debugging
-SgtDavePwnage @ irc.freenode.net #modaco -> moral support + debugging
-DrMon @ irc.freenode.net #modaco -> being brave enough to test on his non-bricked device!
You can also check this:
http://forum.xda-developers.com/showthread.php?t=747030
and
http://forum.xda-developers.com/showthread.php?t=748813
and here
http://forum.xda-developers.com/showthread.php?t=733713
to get some information on your situation.
You can go to the original thread http://android.modaco.com/content/h...com/309961/usb-brick-rickrolled-b0rked-fixed/
to get your mtd0.img already modified for your CID (if someone has posted it).
Click here to DONATE for them!
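As an added example (not code from this thread, from IEFtm or from ilos), here is a small Python checker for the 'fastboot oem boot' output the how-to asks you to post: it reads a saved log, pulls out the CID, serial and partition table, reassembles the command line that hboot wraps at 60 characters, and reports whether disable_uart3 and usb_h2w_sw are set to 1, which is the condition this thread identifies as USB-bricked. Function names and the shortened sample logs are this example's own; the sample lines are excerpted from the logs posted in the thread.

```python
import re

# The two command-line switches this thread treats as the USB-brick tell-tales;
# the key names are taken from the fastboot logs posted in the thread.
USB_SWITCHES = ("disable_uart3", "usb_h2w_sw")

# Sample logs, excerpted (and shortened) from the outputs posted in this thread.
LEGEND_LOG = """\
... INFOsetup_tag addr=0x60000100 cmdline add=0x9D079570
INFOTAG:Ramdisk OK
INFODevice CID is not super CID
INFOCID is HTC__A07
INFOserial number: HT03DNX01548
INFOactive commandline: board_legend.disable_uart3=1 board_legen
INFOd.usb_h2w_sw=1 board_legend.disable_sdcard=0 diag.enabled=0
INFOboard_legend.debug_uart=0 smisize=0 userdata_sel=0 androidbo
INFOaARM_Partion[0].name=misc
INFOaARM_Partion[1].name=recovery
INFOaARM_Partion[2].name=boot
FAILED (status read failed (Protocol error))
"""

TATTOO_LOG = """\
... INFOsetup_tag addr=0xA0000100 cmdline add=0x8D05E538
INFODevice CID is not super CID
INFOCID is VODAP001
INFOserial number: HT99SLG03779
INFOactive commandline: board_bahamas.disable_uart3=0 board_baha
INFOmas.usb_h2w_sw=0 board_bahamas.disable_sdcard=0 diag.enabled
INFO=0 board_bahamas.debug_uart=0 smisize=0 androidboot.baseban
INFOaARM_Partion[0].name=misc
FAILED (status read failed (Too many links))
"""

# The paste in the first post: '#' before every line and no command line at all.
FIRST_POST_LOG = """\
#INFOTAG:Ramdisk OK
#INFODevice CID is not super CID
#INFOCID is HTC__E11
"""


def info_payloads(log):
    """Return the text after the INFO prefix of each bootloader line, in order."""
    payloads = []
    for raw in log.splitlines():
        # Strip the '#' some posters add and the "... " fastboot prints first.
        line = raw.strip().lstrip("#. ")
        if line.startswith("INFO"):
            payloads.append(line[4:])
    return payloads


def analyse_fastboot_log(log):
    """Extract CID, serial, super-CID flag, partition names, the two USB
    switches and the final OKAY/FAILED status from a fastboot oem boot log."""
    payloads = info_payloads(log)
    info = {"cid": None, "serial": None, "super_cid": None,
            "partitions": [], "switches": {}, "status": None}
    for p in payloads:
        m = re.match(r"CID is (\S+)$", p)
        if m:
            info["cid"] = m.group(1)
        m = re.match(r"serial number: (\S+)$", p)
        if m:
            info["serial"] = m.group(1)
        if p.startswith("Device CID is"):
            info["super_cid"] = "not super CID" not in p
        m = re.match(r"aARM_Partion\[\d+\]\.name=(\S+)$", p)
        if m:
            info["partitions"].append(m.group(1))
    # hboot wraps the command line at 60 characters, cutting tokens mid-word
    # ("board_legen" / "d.usb_h2w_sw=1"). Joining the payloads with no separator
    # restores split tokens; a space lost at a wrap only fuses two neighbours,
    # which the key=value searches below do not depend on.
    blob = "".join(payloads)
    for key in USB_SWITCHES:
        m = re.search(r"\." + key + r"=(\d)", blob)
        info["switches"][key] = int(m.group(1)) if m else None
    for raw in log.splitlines():
        if raw.startswith(("OKAY", "FAILED")):
            info["status"] = raw.strip()
    return info


def usb_brick_verdict(info):
    """'usb-bricked' when either switch is 1 (the thread's criterion), 'ok' when
    both are 0, 'unknown' when the log carries no active command line."""
    values = [info["switches"].get(k) for k in USB_SWITCHES]
    if any(v is None for v in values):
        return "unknown"
    return "usb-bricked" if 1 in values else "ok"


if __name__ == "__main__":
    for name, log in (("legend", LEGEND_LOG), ("tattoo", TATTOO_LOG),
                      ("first post", FIRST_POST_LOG)):
        info = analyse_fastboot_log(log)
        print(name, info["cid"], info["switches"], "->", usb_brick_verdict(info))
```

Run it on a log saved from your own command prompt and compare the verdict with the thread's rule (both switches should read 0). A log that stops before the "active commandline" lines, like the trimmed paste in the first post, gives "unknown" rather than a false "ok", so re-run 'fastboot oem boot' and capture the full output before deciding anything.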

Thank you, Ilos. I was waiting for this. Your effort is much appreciated.
I hope our Moderator Sir will put a link to this thread in the first post in this section.
I read through the remedy every day so I understand a little more each day, but I sure hope you will be around when I get USB bricked!
Can I practise this on my good device to get the hang of it, or will it mess things up big time?

Thread Stuck.

Hi Ilos,
Thanks for the better detailed information so far about the USB problems.
After obtaining superuser access I wrote the following commands as you said:
cat /sdcard/flash_image > /data/flash_image
cat /sdcard/mtd0.img > /data/mtd0.img
After writing the above commands in ConnectBot and pressing enter, the terminal said that it could not find the files.
I placed them on my SD card. Is it necessary to place them in a certain folder?
The other commands went well and I rebooted, but my telephone was not recognized by the computer.
In the line below you mention that the output errors should be ignored; what do you mean by that, because I receive errors.
"repeat last command 2 times to be sure and ignore output errors that you will see )"
I also wrote the last command two times but with no success.
Thanks in advance.

You must put both files at the root (/) of your sdcard, and you get an error at the end of the process (0X0000112331 or something like that).

ilos said:
You must put both files at the root (/) of your sdcard, and you get an error at the end of the process (0X0000112331 or something like that).
No error like that, but it can't find the flash_image and mtd0.img files.

When you're logged in as root under ConnectBot, please type this:
ls
and tell me what you see.

More or less what you see in the image device2 in one of your comments above, posted today at 10.25am.

You must see your sdcard when you type ls.
If you see it, type:
cd sdcard
and type ls again.
Check that you see the flash_image and mtd0.img that you put on your sdcard.

Ilos, I managed it with your great help.
I unfortunately had renamed the file mtd0.img, which made ls in the terminal show mtd0.img.img, and therefore the command could not find it. So I changed the filename and repeated the steps with SUCCESS.
Thanks again.

Happy to see your success.
Enjoy flashing again!!

OK, I edited the img and moved them onto the sdcard. What to do now? How can I move them into the Legend's data?

kdma said:
OK, I edited the img and moved them onto the sdcard. What to do now? How can I move them into the Legend's data?
Please read the "how to" before asking....

ilos said:
You can move both mtd0.img and flash_image by putting them on your sdcard and issuing the following commands in a terminal emulator (you must do this on your device, with ConnectBot for example):
In the terminal emulator (like ConnectBot) you will be at a prompt beginning with a $; type 'su' (without the quotes) 2 times and you will normally see # at the beginning of the line (or anything else with #). In this case you are logged in as root. You can check it with this command: ls (check the screenshot to see what it looks like)
Now type the following
cat /sdcard/flash_image > /data/flash_image "type enter"
cat /sdcard/mtd0.img > /data/mtd0.img "type enter"
chmod 755 /data/flash_image "type enter"
/data/flash_image misc /data/mtd0.img "type enter"
(repeat the last command 2 times to be sure and ignore the output errors that you will see)...
How should I use ConnectBot if I can't boot my phone?
I can only use fastboot.

Maybe
Maybe Froyo will be gentler on our devices and ROMs, as there will probably be no need to use app2sd+, which has been considered, albeit not conclusively, to be one of the major causes of USB bricking (?)

Anyone know what causes the USB bricking?
Sent from my Legend using XDA App

Hi all,
People, what do I do? The USB is not detected; it is only detected in boot mode. I have a new hboot and I can't do step 1. Can someone help me?
Poligon:/mnt/winda/tmp/android/r4-legend-root# ./fastboot-linux oem gencheckpt boot
... INFOsetup_tag addr=0x60000100 cmdline add=0x9D079570
INFOTAG:Ramdisk OK
INFOTAG:smi ok, size = 0
INFOTAG:hwid 0x0
INFOTAG:skuid 0x22F00
INFOTAG:hero panel = 0x0
INFOTAG:engineerid = 0x0
INFOMCP dual-die
INFOMCP dual-die
INFOTAG:mono-die = 0x0
INFODevice CID is not super CID
INFOCID is HTC__A07
INFOsetting->cid::HTC__A07
INFOserial number: HT03DNX01548
INFOcommandline from head: no_console_suspend=1 console=null
INFOcommand line length =443
INFOactive commandline: board_legend.disable_uart3=1 board_legen
INFOd.usb_h2w_sw=1 board_legend.disable_sdcard=0 diag.enabled=0
INFOboard_legend.debug_uart=0 smisize=0 userdata_sel=0 androidbo
INFOot.emmc=false androidboot.baseband=7.08.35.21 androidboot.c
INFOid=HTC__A07 androidboot.carrier=HTC-Russia androidboot.mid=P
INFOB7610000 androidboot.keycaps=qwerty androidboot.mode=recover
INFOy androidboot.serialno=HT03DNX01548 androidboot.bootloader=0
INFO.43.0003 no_console_suspend=1 console=null
INFOaARM_Partion[0].name=misc
INFOaARM_Partion[1].name=recovery
INFOaARM_Partion[2].name=boot
INFOaARM_Partion[3].name=system
INFOaARM_Partion[4].name=cache
INFOaARM_Partion[5].name=userdata
INFOpartition number=6
INFOValid partition num=6
INFOmpu_nand_acpu_rw 15E 1000
FAILED (status read failed (Protocol error))

izya12 said:
INFOactive commandline: board_legend.disable_uart3=1 board_legen
INFOd.usb_h2w_sw=1 board_legend.disable_sdcard=0 diag.enabled=0
Look at these lines.
They have:
board_legend.disable_uart3=1
board_legend.usb_h2w_sw=1
According to android.modaco.com/content/htc-legend-legend-modaco-com/309961/usb-brick-rickrolled-b0rked-fixed/ these values should be 0,
so your Legend is USB-bricked (like mine was; do not worry, it is solvable).
Follow the Modaco unbrick how-to and have fun with your Legend!!
Sorry for the choppy link, but my account is not yet enabled for outside links.

izya12 said:
Hi all,
People, what do I do? The USB is not detected; it is only detected in boot mode. I have a new hboot and I can't do step 1. Can someone help me?
Poligon:/mnt/winda/tmp/android/r4-legend-root# ./fastboot-linux oem gencheckpt boot
... INFOsetup_tag addr=0x60000100 cmdline add=0x9D079570
INFOTAG:Ramdisk OK
INFOTAG:smi ok, size = 0
INFOTAG:hwid 0x0
INFOTAG:skuid 0x22F00
INFOTAG:hero panel = 0x0
INFOTAG:engineerid = 0x0
INFOMCP dual-die
INFOMCP dual-die
INFOTAG:mono-die = 0x0
INFODevice CID is not super CID
INFOCID is HTC__A07
INFOsetting->cid::HTC__A07
INFOserial number: HT03DNX01548
INFOcommandline from head: no_console_suspend=1 console=null
INFOcommand line length =443
INFOactive commandline: board_legend.disable_uart3=1 board_legen
INFOd.usb_h2w_sw=1 board_legend.disable_sdcard=0 diag.enabled=0
INFOboard_legend.debug_uart=0 smisize=0 userdata_sel=0 androidbo
INFOot.emmc=false androidboot.baseband=7.08.35.21 androidboot.c
INFOid=HTC__A07 androidboot.carrier=HTC-Russia androidboot.mid=P
INFOB7610000 androidboot.keycaps=qwerty androidboot.mode=recover
INFOy androidboot.serialno=HT03DNX01548 androidboot.bootloader=0
INFO.43.0003 no_console_suspend=1 console=null
INFOaARM_Partion[0].name=misc
INFOaARM_Partion[1].name=recovery
INFOaARM_Partion[2].name=boot
INFOaARM_Partion[3].name=system
INFOaARM_Partion[4].name=cache
INFOaARM_Partion[5].name=userdata
INFOpartition number=6
INFOValid partition num=6
INFOmpu_nand_acpu_rw 15E 1000
FAILED (status read failed (Protocol error))
USB bricked.... Please follow the HOWTO in the first post...

When the phone bricks, is it always possible to solve the problem?

Related

Superboot for Tattoo test

Feeling brave? Help me test / develop my superboot!
http://android.modaco.com/content/h...9976/13-jan-1-0-superboot-rooting-the-tattoo/
P
Sorry, but your batch makes problems...
And when I do it manually:
C:\Android\superboot>fastboot-windows boot tattoo.superboot.img
downloading 'boot.img'... OKAY
booting...
Then nothing.
For me it doesn't work... I've got a Mac and the message in the terminal is:
./install-superboot-mac.sh: line 3: unexpected EOF while looking for matching `''
./install-superboot-mac.sh: line 14: syntax error: unexpected end of file
And if I try to do the steps inside the script, the terminal says:
bash-3.2# chmod +x fastboot-mac
bash-3.2# chmod +x adb-mac
bash-3.2# ./adb-mac shell reboot oem-78
error: device not found
bash-3.2# ./fastboot-mac oem-78
usage: fastboot [ <option> ] <command>
commands:
update <filename> reflash device from update.zip
flashall flash boot + recovery + system
flash <partition> [ <filename> ] write a file to a flash partition
erase <partition> erase a flash partition
getvar <variable> display a bootloader variable
boot <kernel> [ <ramdisk> ] download and boot kernel
flash:raw boot <kernel> [ <ramdisk> ] create bootimage and flash it
devices list all connected devices
reboot reboot device normally
reboot-bootloader reboot device into bootloader
options:
-w erase userdata and cache
-s <serial number> specify device serial number
-p <product> specify product name
-c <cmdline> override kernel commandline
-i <vendor id> specify a custom USB vendor id
bash-3.2# ./fastboot-mac boot tattoo.superboot.img
downloading 'boot.img'... FAILED (remote: not allow)
bash-3.2# ./fastboot-mac reboot
rebooting... (here with no reboot)
I hope this could help you...
You could try fastboot oem boot superboot.img, although I don't think it will work; we have tried this on the Eris, but who knows, maybe yours will be different.
Any advance on this, guys?
If you need my help, just tell me. I'm a newbie but I love to take risks!
I tried this method on my HTC.
downloading 'boot.img'... OKAY
booting.....
I waited for a few minutes and nothing happened, so I unplugged the cable and it went to RUU.
And then when I inserted the cable it rebooted.
What about this?
I'm new.
Did anyone try what I said, "fastboot oem boot superboot.img"? Make sure you have oem in there, otherwise it will just hang at booting..... I'm just curious if it works for you guys.
I have a feeling they're stuck on it the same as we are; the Tattoo and Eris are more alike than either is to the Hero.
binny1007 said:
Did anyone try what I said, "fastboot oem boot superboot.img" make sure you have oem in there otherwise it will just hang at booting..... I'm just curouse if it works for you guys.
Yup, tried that. It just boots the phone to its current (flashed) ROM.
I tried using the boot command and, while it's hanging at "booting...", I sent an oem boot, but no luck.
If it boots to the current flashed ROM then it might have worked. You won't notice a physical difference if superboot boots.
FireSokar said:
If it boots to the current flashed rom then it might have worked. you wont notice a physical different if superboot boots.
Interesting. When I get mine (Tattoo), I'll try it out. Superboot just allows us superuser access, doesn't it? If we boot with this, then run a terminal emulator and type 'su', we'll be able to get root (temporarily)?
I'm pretty sure that's how it works; I'm not 100% sure. I'm following this thread closely as we are stuck at the exact same point on getting the Droid Eris rooted, the better side of 2 months working on it.
The wait for my HTC Tattoo is killing me. I really want to try this out before I go back to school...
I ordered it last week sometime and it's supposedly coming next week... If it all comes to the worst, I'll just try this at school.... Hehe
Alright, I did this, and I think it may get me somewhere.
I did this while on the home screen, with USB debugging enabled. I ran the mac fastboot script, and it booted into the HTC logo screen. It said "Booting..." and got stuck.
After a minute, I yanked the USB cord out, and it dumped me at the RUU screen with text like this in my Terminal:
Terminal said:
Matthew-Coburns-MacBook:1.2-tattoo-superboot matthew$ ./install-superboot-mac.sh
Superboot for HTC Tattoo by Paul O'Brien @ http://www.MoDaCo.com
----------------------------------------------------------------
Rebooting device...
* daemon not running. starting it now *
* daemon started successfully *
0
Waiting 10 seconds for reboot...
Booting superboot...
ERROR: could not get pipe properties
downloading 'boot.img'... OKAY
booting... ERROR: usb_read failed with status e00002ed
FAILED (status read failed (No such file or directory))
ERROR: could not get pipe properties
< waiting for device >
ERROR: could not get pipe properties
ERROR: could not get pipe properties
ERROR: could not get pipe properties
ERROR: could not get pipe properties
ERROR: could not get pipe properties
ERROR: could not get pipe properties
I then reinserted the USB cable and got this:
rebooting...
Done!
After that, I did some exploring with adb-mac:
Matthew-Coburns-MacBook:1.2-tattoo-superboot matthew$ ./adb-mac shell
$ ls
sqlite_stmt_journals
cache
sdcard
etc
system
sys
sbin
proc
logo.rle
init.rc
init.goldfish.rc
init.bahamas.rc
init
default.prop
data
root
dev
$ su
su: permission denied
And so, I got the dreaded permission denied error! Oh well, at least I tried...
Any suggestions?
EDIT: I can do 'cat /proc/cpuinfo' and get:
Processor : ARMv6-compatible processor rev 2 (v6l)
BogoMIPS : 244.94
Features : swp half thumb fastmult edsp java
CPU implementer : 0x41
CPU architecture: 6TEJ
CPU variant : 0x1
CPU part : 0xb36
CPU revision : 2
Hardware : bahamas
Revision : 0080
Serial : 0000000000000000
Interesting...

[DEV] Coburn's Tattoo Hacking Corner - Mount Points, Fastboot and more - Take a peek!

Before I start, can we please keep the n00bish comments away from this thread. I have experience in doing this, and if I/we find a solution to this rooting drama, I'll post a how-to. A simple "Thanks, this will keep my fingers crossed" post is all that's needed to spark a chain reaction and fuel the fire, knowing that we've got a strong user base that can help us test out our hacks.
Let's get down to business, shall we?
Mount Points:
This is the list of mount points that can be retrieved by issuing a simple 'mount' command on the adb shell, while your device is in USB Debugging (Settings > Applications > Development). Or in a terminal emulator.
rootfs / rootfs ro 0 0
[X]tmpfs /dev tmpfs rw,mode=755 0 0
devpts /dev/pts devpts rw,mode=600 0 0
proc /proc proc rw 0 0
sysfs /sys sysfs rw 0 0
[!] tmpfs /sqlite_stmt_journals tmpfs rw,size=4096k 0 0
[!!]/dev/block/mtdblock3 /system yaffs2 ro 0 0
/dev/block/mtdblock5 /data yaffs2 rw,nosuid,nodev 0 0
/dev/block/mtdblock4 /cache yaffs2 rw,nosuid,nodev 0 0
/dev/block//vold/179:1 /sdcard vfat rw,dirsync,nosuid,nodev,noexec,uid=1000,gid=1015,fmask=0000,dmask=0000,allow_utime=0022,codepage=cp437,iocharset=iso8859-1,shortname=mixed,utf8 0 0
I've added [X], [!] and [!!] to point out what we can do. The one with the cross is a no-go: despite being a tmpfs (TeMPorary File System), we can't write to it, and /dev/shm doesn't exist either. /dev/shm is commonly, on Linux systems, a RAM drive; anything written there goes bye-byes on reboot.
The second one, /sqlite_stmt_journals, is mounted as RW, aka Read Write. Yes, we can run shell scripts; you do 'sh myscript.sh' from a terminal emulator or the adb shell to get them to run. Surprise: no noexec (no executables) flag, so we can *possibly* run some custom non-root software! Downside? Only 4MB to play with. Shoot.
The second one is the main target. /system is where Android is held, locked up in a RO filesystem. RO is Read Only. In other words, we can look but can't touch. (Bummer.) This is where we try to get into (with the superuser apk and such), but it restricts us. If we can remount this sucker RW... Well, I did try:
$ mkdir /sdcard/test && mount -t yaffs2 -o rw /dev/block/mtdblock /sdcard/test
mkdir failed for /sdcard/test, File exists
$ mount -t yaffs2 -o rw /dev/block/mtdblock3 /sdcard/test
mount -t yaffs2 -o rw /dev/block/mtdblock3 /sdcard/test
mount: Operation not permitted
$ mount -t yaffs2 -o ro /dev/block/mtdblock3 /sdcard/test
mount -t yaffs2 -o ro /dev/block/mtdblock3 /sdcard/test
mount: Operation not permitted
$
...But it failed. /sdcard/test was the mount point on my sdcard that I wanted it to be accessed from, so I could just simply go "bang bang bang woot! GOLD!". But no. Silly HTC.
Teh fastboot way of life:
Power off your HTC Tattoo and hold VOL Down while pressing the End Call/Power Button to enter the bootloader menu. Let the device scan for some DIAG ramdisk images (Test/Diagnostics mode?). After that, press the back button to enter the fastboot USB menu. While there, open a command prompt (on PC), change to the path where you downloaded fastboot (you can nab the said tool by downloading modaco's superboot 1.2 zip file in a thread in this category). Replace fastboot-windows with fastboot-linux, etc.
C:\Users\Coburn\Downloads\Tattoo>fastboot-windows oem boot tattoo.superboot.img
... INFOsetup_tag addr=0xA0000100 cmdline add=0x8D05E538
INFOTAG:Ramdisk OK
INFOTAG:smi ok, size = 0
INFOTAG:hwid 0x1
INFOTAG:skuid 0x1FC04
INFOTAG:hero panel = 0x0
INFOTAG:engineerid = 0x0
INFOMCP dual-die
INFOMCP dual-die
INFOTAG:mono-die = 0x0
INFODevice CID is not super CID
INFOCID is VODAP001
INFOsetting.cid::VODAP001
INFOserial number: HT99SLG03779
INFOcommandline from head: no_console_suspend=1 console=null
INFOcommand line length =404
INFOactive commandline: board_bahamas.disable_uart3=0 board_baha
INFOmas.usb_h2w_sw=0 board_bahamas.disable_sdcard=0 diag.enabled
INFO=0 board_bahamas.debug_uart=0 smisize=0 androidboot.baseban
INFOd=3.35.07.20 androidboot.cid=VODAP001 androidboot.carrier=VO
INFODA-UK androidboot.mid=CLIC10000 androidboot.keycaps=qwerty a
INFOndroidboot.mode=normal androidboot.serialno=HT99SLG03779 and
INFOroidboot.bootloader=0.52.0001 no_console_suspend=1 console=n
INFOull
INFOaARM_Partion[0].name=misc
INFOaARM_Partion[1].name=recovery
INFOaARM_Partion[2].name=boot
INFOaARM_Partion[3].name=system
INFOaARM_Partion[4].name=cache
INFOaARM_Partion[5].name=userdata
INFOpartition number=6
INFOValid partition num=6
INFO0
INFO0
INFO69466957
INFO69784520
INFO69007473
INFO7473
INFO0
INFO0
INFO0
INFO0
INFO0
INFO0
[....]
FAILED (status read failed (Too many links))
Oh my! Look at that! Did I just get a kernel parameter dump?! I tried the oem boot method using Paul's superboot boot.img, and that's the data that it spat back. When it rebooted, it did the vibration like it would do on a cold boot. There were a lot of INFO0s though... Then it died with "Too many links". Aww. A misc partition?! WHAT?! Who knows what's there... (HTC, what are you hiding from us that you shouldn't be?)
Also, if we can force a custom kernel parameter with the "fastboot -c <something to make kernel remount system rw> oem boot" command, we may have an idea.
reboot-bootloader doesn't seem to work... "FAILED: remote (not allow)."
See below:
usage: fastboot [ <option> ] <command>
commands:
update <filename> reflash device from update.zip
flashall flash boot + recovery + system
flash <partition> [ <filename> ] write a file to a flash partition
erase <partition> erase a flash partition
getvar <variable> display a bootloader variable
boot <kernel> [ <ramdisk> ] download and boot kernel
flash:raw boot <kernel> [ <ramdisk> ] create bootimage and flash it
devices list all connected devices
reboot reboot device normally
reboot-bootloader reboot device into bootloader
options:
-w erase userdata and cache
-s <serial number> specify device serial number
-p <product> specify product name
-c <cmdline> override kernel commandline
-i <vendor id> specify a custom USB vendor id
I'm tapped. I hope this helps us in any way; it took about an hour to type (and copy/paste from CMD on Windows 7).
Remember: It's our phone, not theirs. We're breaking free - if Android is open source, why isn't the hardware?
Cheers (and please don't forget to buy me a coffee! ),
Coburn64.
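Added example (not Coburn64's code or any project's): a Python script that reads a saved 'mount' table like the one above and classifies each mount point by what its options allow, which is the question the [X]/[!]/[!!] marks were answering by hand. Function names are this example's own; the sample table is the mount output posted in this thread, with the marks removed.

```python
# Sample input: the mount output Coburn64 posted above, without his [X]/[!] marks.
MOUNT_OUTPUT = """\
rootfs / rootfs ro 0 0
tmpfs /dev tmpfs rw,mode=755 0 0
devpts /dev/pts devpts rw,mode=600 0 0
proc /proc proc rw 0 0
sysfs /sys sysfs rw 0 0
tmpfs /sqlite_stmt_journals tmpfs rw,size=4096k 0 0
/dev/block/mtdblock3 /system yaffs2 ro 0 0
/dev/block/mtdblock5 /data yaffs2 rw,nosuid,nodev 0 0
/dev/block/mtdblock4 /cache yaffs2 rw,nosuid,nodev 0 0
/dev/block//vold/179:1 /sdcard vfat rw,dirsync,nosuid,nodev,noexec,uid=1000,gid=1015,fmask=0000,dmask=0000,allow_utime=0022,codepage=cp437,iocharset=iso8859-1,shortname=mixed,utf8 0 0
"""

# RAM-backed or kernel pseudo filesystems: whatever lands there is gone after a reboot.
PSEUDO_FS = {"rootfs", "tmpfs", "devpts", "proc", "sysfs"}


def parse_mounts(text):
    """Parse 'device mountpoint fstype options dump pass' lines into dicts."""
    mounts = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) < 4:
            continue  # blank or truncated line
        device, point, fstype, opts = parts[:4]
        flags = set(opts.split(","))
        mounts.append({
            "device": device,
            "mountpoint": point,
            "fstype": fstype,
            "writable": "rw" in flags,
            "exec": "noexec" not in flags,   # noexec blocks running binaries from here
            "suid": "nosuid" not in flags,   # nosuid ignores setuid bits on this fs
            "size": next((f[5:] for f in flags if f.startswith("size=")), None),
        })
    return mounts


def writable_exec_mounts(mounts):
    """Mount points whose options allow both dropping and running a binary."""
    return [m["mountpoint"] for m in mounts if m["writable"] and m["exec"]]


def persistent_writable_mounts(mounts):
    """Same as above, but only on real flash-backed filesystems."""
    return [m["mountpoint"] for m in mounts
            if m["writable"] and m["exec"] and m["fstype"] not in PSEUDO_FS]


if __name__ == "__main__":
    table = parse_mounts(MOUNT_OUTPUT)
    for m in table:
        print(f"{m['mountpoint']:24} {m['fstype']:8} "
              f"{'rw' if m['writable'] else 'ro':2} "
              f"{'exec' if m['exec'] else 'noexec':6} "
              f"{'suid' if m['suid'] else 'nosuid':6} {m['size'] or ''}")
    print("writable+exec:", writable_exec_mounts(table))
    print("persistent writable+exec:", persistent_writable_mounts(table))
```

Mount options are only half the check: /dev comes out as rw and exec here, yet the post reports it as unwritable, because directory permissions (and later, SELinux) still apply on top of the mount flags. Read the output as "where the filesystem itself would not stop you" and then confirm with an actual write, as the posts that follow do for /data/local.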
Thanks coburn and f..k HTC
Good investigative work!
One point tho...
Coburn64 said:
The second one, /sqlite_stmt_journals, which is mounted as RW, aka Read Write. Yes, we can run shell scripts, you do 'sh myscript.sh' from a terminal emulator or the adb shell to get them to run. Surpise - No noexec (no executables) flag, we can *possibly* run some custom non-root software! Downside? Only 4MB to play with. Shoot.
What does this allow that we can't already do on /data? We can already push executables to /data/local and chmod and execute them... I believe this approach has already been tried for the asroot2, try3 etc. exploits and the like.
The Tattoo seems pretty tight (although of course nothing is impenetrable); our best bet is likely to be a leak of an S-OFF bootloader or an as yet unpatched kernel exploit?
P
List of options for "fastboot oem":
Code:
$ ./fastboot.exe oem h
... INFOcommand list
INFOkeytest
INFOheap
INFOboot
INFOreset
INFOpowerdown
INFOrebootRUU
INFOenableqxdm
INFOrtask
INFOtask
OKAY
rebootRUU is particularly useful; it enables RUU mode without having to go through "adb shell reboot oem-78".
@modaco: Every time I tried to write something in /data/local, I kept getting the message "Permission Denied", like I didn't have write permissions or anything. How did you manage to do this?
@mainfram3: Nice work! I know 'fastboot oem boot' reboots the phone to the flashed ROM (even if you try to force a custom image down its throat), but this is rather interesting.
I wonder what 'fastboot oem enableqxdm' does? I'll try it out tonight...
EDIT: Looking at some exploits, there's a 2.4/2.6 kernel "sock_sendpage() NULL pointer dereference" exploit here on milw0rm.com. Does anyone know what kernel source version on HTC's Dev site is?
enableqxdm enables support for the Qualcomm QXDM debug tool.
Hmmm, like I say, I don't have a tattoo yet, but you can normally write to /data/local. Strange!
P
Coburn64 said:
EDIT: Looking at some exploits, there's a 2.4/2.6 kernel "sock_sendpage() NULL pointer dereference" exploit here on milw0rm.com. Does anyone know what kernel source version on HTC's Dev site is?
That's a very nice find! From the source, Linux kernel versions from 2.4.4 to 2.4.37.4 and from 2.6.0 to 2.6.30.4 are vulnerable. Our Tattoos are running 2.6.29.
We need a skilled kernel developer to port this to Android, since the exploit relies on low level assembly code :S
mainfram3 said:
That's a very nice find! From the source, Linux kernel versions from 2.4.4 to 2.4.37.4, and from 2.6.0 to 2.6.30.4 are vulnerable. Our Tattoos are running 2.6.29
We need a skilled kernel developer to port this to the Android, since the exploit relies on low level assembly code :S
Confirmed, we're running 2.6.29 on the official ROMs. This looks promising.
mainfram3 said:
That's a very nice find! From the source, Linux kernel versions from 2.4.4 to 2.4.37.4, and from 2.6.0 to 2.6.30.4 are vulnerable. Our Tattoos are running 2.6.29
We need a skilled kernel developer to port this to the Android, since the exploit relies on low level assembly code :S
I wrote to the author of FlashRec. Waiting for an answer)
5[Strogino] said:
I wrote to author of FlashRec. Waiting for answer)
Awesome. What's flashrec anyway?
I was feeling adventurous and decided to try some other rooting attempts that have succeeded on other phones. The fun thing was, I could get so close to the finish line, when the Tattoo would kill the process (asroot2, try3, etc).
Damn. However, we can't give up; the goal is just in sight, we'll get there, we need to reroute the plan.
Coburn64 said:
Awesome. What's flashrec anyway?
I was feeling adventous and decided to try some other rooting attempts that have succeeded on other phones. The fun thing was, I could get so close to the finishing line, when the Tattoo would kill the process (asroot2, try3, etc).
Damn. However, we can't give up - the goal is just in sight, we'll get there - we need to reroute the plan.
FlashRec is an application for the HTC Magic with an exploit inside, to install a custom recovery on systems with old Cupcake ROMs.
http://zenthought.org/content/project/flashrec
When HTC closed the hole that flashrec used, it became unusable.
But mainfram3 found new hope. Not only Tattoo users; Magic users (who are stuck at the new Hboot 1.76.00XX) have this hope too)
5[Strogino] said:
But mainfram3 found a new hope.
You meant Coburn64.
And also let's not forget Droid Eris users; they're stuck in the same place we are, and they seem to be a much larger group.
This is personal now!!
I know that they have just added support for the Sprint Hero in flashrec; I think it's on version 1.4 now!
All we need is to find a small hole in the system that makes us able to write directly to the device, bypassing all the security sh*t.
I have been in contact with the HTC tech center but have not been able to get through yet.
I will request an eng S-OFF and matching radio!
I will also take a look at the exploit code for the 2.6.29 kernel.
I really hope we will get this working, as I have already made a custom ROM and recovery.img for it! hehe...
/data/local is writable, and so is /sqlite_stmt_journals. The latter is restricted to 4MB, while the first has a lot of space (the rest of the /data partition).
Oh, and I can write to the data/local directory; I have to use adb push to get files on there.
Oddly enough, it allowed me to install a Hero superuser APK on my Tattoo. Now this is getting fun. Could someone disguise asroot2 or something inside an app, package it up as an APK and get Android to install it?
I tried the asroot2, try3 and such but I got:
[1] Killed /data/local/asroot2
...like there's some watchdog feature inside the kernel or something. :-/
UPDATE: I'm working on a busybox hack for the tattoo. The aim of this is to get busybox installed on the device, so I can dump the NAND chip partitions and get that SPL.
Fingers crossed, and we also have found the debugging ROM for the Tattoo! So yeah, hehe...
Coburn64 said:
UPDATE: I'm working on a busybox hack for the tattoo. The aim of this is to get busybox installed on the device, so I can dump the NAND chip partitions and get that SPL.
Fingers crossed, and we also have found the debugging ROM for the Tattoo! So yeah, hehe...
Respect!! Hope for success, thanks for your effort.
Thank you for your hard work!
I thought the rooting of the Tattoo died when benham ceased to exist on another Tattoo-related forum, and now I stumble upon this!
Crossing fingers!^^
Musenkishi said:
Thank you for your hard work!
I thought the rooting of the Tattoo died when benham ceased to exist on another Tattoo-related forum, and now I stumble upon this!
Crossing fingers!^^
Heh.
BUMP: My Busybox Hack is now live! Get it and install the sucker on your phone!

[Q] How to Enable Hidden Languages??

I tried to do what is in http://forum.xda-developers.com/showthread.php?t=2281254
but my current default.xml file already had all languages, and I only see 13 in settings.
Is there any way to do it?
I am running an Android 4.2.2 stock ROM.
Anyone ?
!!!!!!!!!!!! really ? no one !!!!!!!!!!!!!!!
enable hidden languages
mjrshark said:
!!!!!!!!!!!! really ? no one !!!!!!!!!!!!!!!
Click to expand...
Click to collapse
phone has to be rooted -- tested and working with HTC One X
1. boot in FASTBOOT and check CID , start cmd type
Code:
fastboot getvar all
2. start phone normally, enable usb debugging
3. start CMD type:
Code:
adb pull /system/customize/CID/default.xml
4. rename saved file "default.xml" to "your_cid.xml" // my cid was HTC__Y13 so it will be HTC__Y13.xml
5. start CMD type:
Code:
adb push your_cid.xml /sdcard/
6. start CMD type:
Code:
adb shell
su (tap grant access on your htc screen)
mount -o remount,rw /system
cat /sdcard/your_cid.xml > /system/customize/CID/your_cid.xml
exit
exit
7. do a factory reset
artur223 said:
phone has to be rooted -- tested and working with HTC One X
1. boot in FASTBOOT and check CID , start cmd type
Code:
fastboot getvar all
2. start phone normally, enable usb debugging
3. start CMD type:
Code:
adb pull /system/customize/CID/default.xml
4. rename saved file "default.xml" to "your_cid.xml" // my cid was HTC__Y13 so it will be HTC__Y13.xml
5. start CMD type:
Code:
adb push your_cid.xml /sdcard/
6. start CMD type:
Code:
adb shell
su (tap grant access on your htc screen)
mount -o remount,rw /system
cat /sdcard/your_cid.xml > /system/customize/CID/your_cid.xml
exit
exit
7. do factory reset
Thanks for the answer. After a year I don't have the HTC anymore, but maybe someone will read your answer and learn from it.

cant remove TAMPERED HELPPP

Hello. I used the command method to remove TAMPERED and it was gone at first, but when I unlocked the bootloader using the command, TAMPERED came back, and now it is not going away with revone or Guru Bootloader. Help!
jaspreet4140 said:
Hello. I used the command method to remove TAMPERED and it was gone at first, but when I unlocked the bootloader using the command, TAMPERED came back, and now it is not going away with revone or Guru Bootloader. Help!
http://forum.xda-developers.com/showthread.php?t=2477792
helpp
Hi nkk71, again thanks for the reply, but I used this method at first; now this is also not working.
Now I have a bigger problem.
I am only S-OFF, the bootloader is relocked and I have no root, so I can't flash any recovery.
I tried the unlock_bin token; the command says sending token (0 bytes) successful, but the bootloader does not show anything. What should I do now?
jaspreet4140 said:
Hi nkk71, again thanks for the reply, but I used this method at first; now this is also not working.
Now I have a bigger problem.
I am only S-OFF, the bootloader is relocked and I have no root, so I can't flash any recovery.
I tried the unlock_bin token; the command says sending token (0 bytes) successful, but the bootloader does not show anything. What should I do now?
okay, but first, can you please relax!!
after you relax, please post your current "fastboot getvar all" (excluding IMEI and s/n), and if you are S-Off, we'll have you unlocked pretty quickly
but you have to relax!! otherwise you're going to rush things and make a mistake.
re
bootloader 1.54.0000
baseband. 4A.17.3250.14
cpld: none
microp:none
main:2.24.980.3
pvt ship s-off
meid:00000000000000
product:m7_ul
HBOOT-8064
midN0714000
cid:11111111
securityff
jaspreet4140 said:
bootloader 1.54.0000
baseband. 4A.17.3250.14
cpld: none
microp:none
main:2.24.980.3
pvt ship s-off
meid:00000000000000
product:m7_ul
HBOOT-8064
midN0714000
cid:11111111
securityff
1- that's not a copy/paste you typed that stuff ... (see screenshot for copy/paste on windows)
2- are you relaxed now?
3- next time, please quote me, or mention me using @nkk71 to get my attention, otherwise I may not read the post
4- are you relaxed now
5- to get unlocked:
Since you are S-Off, use a custom recovery masked in a firmware package: you can use one of these "firmware" packages (m7_u/ul only):
http://www.androidfilehost.com/?w=files&flid=13085
fastboot oem rebootRUU
fastboot flash zip fw_m7ul_TWRP_2.6.3.3_1.26.401.33.zip
fastboot reboot-bootloader
-> enter RECOVERY (should be TWRP or CWM now)
and use @scotty1223's commands in custom recovery http://forum.xda-developers.com/showthread.php?t=2475914 to unlock bootloader
Code:
C:\ADB3>adb devices
List of devices attached
HT34xxxxxxxx recovery    <- you need to be in custom recovery to ensure root privileges, i.e. an adb shell with # as opposed to $
C:\ADB3>adb shell
Note: the CWM shell prompt usually looks like ~# and the TWRP shell prompt usually looks like ~ # ←[6n
it doesn't matter, you just type (or even better copy/paste) the command after the prompt
Setting UNLOCKED
~ # echo -ne "HTCU" | dd of=/dev/block/mmcblk0p3 bs=1 seek=33796
echo -ne "HTCU" | dd of=/dev/block/mmcblk0p3 bs=1 seek=33796
4+0 records in
4+0 records out
4 bytes (4B) copied, 0.007691 seconds, 520B/s
~ # exit
exit
C:\ADB3>adb reboot bootloader
^^ if this doesn't work in your particular version, just select reboot to bootloader in TWRP.
ps: your version-main will now say 1.26.401.33 (reflecting the recovery version 2.6.3.3); it didn't actually change, but version-main always shows the last thing flashed in RUU mode.
6- careful on what you flash/install etc. You're making quite a few mistakes... and rushing things.... so please be careful!!
.
re
Yeah, I'm relaxed. Thanks for the concern.
But I can't download your files using the PC. How do I download them? I also enabled JavaScript in Mozilla.
Thanks
OK, done. Thanks nkk71, again great help.
ree
nkk71, now everything is back to normal except one small thing: TAMPERED is not going away. I used scotty's command, the revone tool and Guru Bootloader; none is helpful. Others are working well, i.e. I am able to relock, unlock and lock the bootloader, but not TAMPERED. It worked the first time, but when I unlocked it came back and now it's not going away.
Can you get your magic sword on this one?
jaspreet4140 said:
nkk71, now everything is back to normal except one small thing: TAMPERED is not going away. I used scotty's command, the revone tool and Guru Bootloader; none is helpful. Others are working well, i.e. I am able to relock, unlock and lock the bootloader, but not TAMPERED. It worked the first time, but when I unlocked it came back and now it's not going away.
Can you get your magic sword on this one?
you need to use @nkk71 (ie @ then nkk71, no spaces) not just nkk71 for me to get notified
and scotty's command should work just fine, maybe you're mistyping them or not in su mode? reboot to custom recovery, then
Code:
C:\ADB3>adb devices
List of devices attached
HT34xxxxxxxx recovery    <- you need to be in custom recovery to ensure root privileges, i.e. an adb shell with # as opposed to $
C:\ADB3>adb shell
Note: the CWM shell prompt usually looks like ~# and the TWRP shell prompt usually looks like ~ # ←[6n
it doesn't matter, you just type (or even better copy/paste) the command after the prompt
Resetting TAMPERED
~ # echo -ne '\x00' | dd of=/dev/block/mmcblk0p7 bs=1 seek=4265988
echo -ne '\x00' | dd of=/dev/block/mmcblk0p7 bs=1 seek=4265988
1+0 records in
1+0 records out
1 bytes (1B) copied, 0.009370 seconds, 106B/s
~ # exit
exit
C:\ADB3>adb reboot bootloader
^^ if this doesn't work in your particular version, just select reboot to bootloader in TWRP.
copy/paste (no screenshot, a real copy/paste please) your command prompt output (all of it) if it still fails.
PS: oh and is it going, but coming back or just not going away?
.
rom
Can anyone suggest a recent non-Sense-based ROM for the HTC One which has some cool features like multitasking, double tap or slide up to unlock?
Sorry for replying late @nkk71, my exams were going on. TAMPERED was gone the first time only; now it's not going away, and I am using scotty's command in su mode with USB debugging.
jaspreet4140 said:
Sorry for replying late @nkk71, my exams were going on. TAMPERED was gone the first time only; now it's not going away, and I am using scotty's command in su mode with USB debugging.
try the commands while booted into custom recovery (and there's no need to 'su' in custom recovery, as it should already give you a root shell):
Code:
C:\ADB3>adb devices
List of devices attached
HT34xxxxxxxx recovery    <- you need to be in custom recovery to ensure root privileges, i.e. an adb shell with # as opposed to $
C:\ADB3>adb shell
Note: the CWM shell prompt usually looks like ~# and the TWRP shell prompt usually looks like ~ # ←[6n
it doesn't matter, you just type (or even better copy/paste) the command after the prompt
Resetting TAMPERED
~ # echo -ne '\x00' | dd of=/dev/block/mmcblk0p7 bs=1 seek=4265988
echo -ne '\x00' | dd of=/dev/block/mmcblk0p7 bs=1 seek=4265988
1+0 records in
1+0 records out
1 bytes (1B) copied, 0.009370 seconds, 106B/s
~ # exit
exit
C:\ADB3>adb reboot bootloader
^^ if this doesn't work in your particular version, just select reboot to bootloader in TWRP.
remember to copy/paste that command, even something as small as an extra/missing <space>, can make it not work.
if it still doesn't work, you'll have to do as @scotty1223 mentioned in his thread (under the section "if this does not work for you"): http://forum.xda-developers.com/showthread.php?t=2477792
don't just say it doesn't work, you need to provide him with:
1) a copy/paste of "fastboot getvar all"
2) a copy/paste of your command prompt output
3) your mmcblk0p7
though I don't think I've ever seen a post that said this doesn't work (unless the command is mistyped)
.
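A way to rehearse the two dd writes from nkk71's posts above (the "HTCU" write for UNLOCKED and the single 0x00 for TAMPERED, both taken from scotty1223's thread) before touching the phone, added here as an example and not part of either poster's instructions: run them against partition images (a dump made with dd if=/dev/block/mmcblk0p3 of=/sdcard/p3.img, or the constructed all-zero files used below) and read the bytes back at the same offsets. The offsets and values are the ones quoted above; the image sizes, the 0x01 placed in the tamper byte and the use of printf instead of echo -ne are assumptions for the demo. One difference from the commands in the thread matters: on a regular file dd needs conv=notrunc, otherwise seek= truncates the image right after the written bytes, which cannot happen on the block device but will ruin a backup image.

```sh
#!/bin/sh
# Added example (not from the thread): rehearse the HTC One (m7) flag writes on
# partition IMAGES so the bytes can be inspected before and after, instead of
# writing straight to /dev/block/mmcblk0p3 and /dev/block/mmcblk0p7.
# Offsets and values are the ones quoted in the thread:
#   mmcblk0p3, byte 33796   : 4 bytes "HTCU" = bootloader UNLOCKED
#   mmcblk0p7, byte 4265988 : 1 byte  0x00   = TAMPERED flag cleared
LOCK_OFF=33796
TAMPER_OFF=4265988

# read_hex FILE OFFSET LEN : print LEN bytes at OFFSET as lowercase hex, no spaces.
read_hex() {
    dd if="$1" bs=1 skip="$2" count="$3" 2>/dev/null | od -An -v -tx1 | tr -d ' \n'
}

# patch_bytes FILE OFFSET : write the raw bytes on stdin at OFFSET.
# conv=notrunc is the one addition to the thread's command: on a regular file a
# plain `dd of=... seek=N` truncates the file right after the written bytes.
patch_bytes() {
    dd of="$1" bs=1 seek="$2" conv=notrunc 2>/dev/null
}

# set_unlocked P3_IMAGE : write "HTCU"; succeed only if the readback is 48 54 43 55.
# printf is used instead of the thread's echo -ne, which is not portable across shells.
set_unlocked() {
    printf 'HTCU' | patch_bytes "$1" "$LOCK_OFF"
    [ "$(read_hex "$1" "$LOCK_OFF" 4)" = "48544355" ]
}

# clear_tampered P7_IMAGE : write one 0x00 byte; succeed only if the readback is 00.
clear_tampered() {
    printf '\000' | patch_bytes "$1" "$TAMPER_OFF"
    [ "$(read_hex "$1" "$TAMPER_OFF" 1)" = "00" ]
}

# Stand-alone demo on constructed images: an all-zero p3 and a p7 whose tamper
# byte has been set to 0x01 (an assumed value; the thread only documents 0x00 = cleared).
work=$(mktemp -d)
dd if=/dev/zero of="$work/p3.img" bs=1024 count=40 2>/dev/null      # 40960 bytes
dd if=/dev/zero of="$work/p7.img" bs=1048576 count=5 2>/dev/null    # 5 MiB
printf '\001' | patch_bytes "$work/p7.img" "$TAMPER_OFF"

echo "p3 @$LOCK_OFF before: $(read_hex "$work/p3.img" "$LOCK_OFF" 4)"
set_unlocked "$work/p3.img" && echo "p3 @$LOCK_OFF after:  $(read_hex "$work/p3.img" "$LOCK_OFF" 4)"
echo "p7 @$TAMPER_OFF before: $(read_hex "$work/p7.img" "$TAMPER_OFF" 1)"
clear_tampered "$work/p7.img" && echo "p7 @$TAMPER_OFF after:  $(read_hex "$work/p7.img" "$TAMPER_OFF" 1)"
# Sizes must be unchanged; without conv=notrunc p3 would now be 33800 bytes.
echo "sizes: $(wc -c < "$work/p3.img" | tr -d ' ') $(wc -c < "$work/p7.img" | tr -d ' ')"
rm -rf "$work"
```

The readback is the check to do when the thread asks for "a real copy/paste": if the four bytes at 33796 do not read 48544355 (HTCU) after the write, the write did not land, and per nkk71 the usual reasons are a mistyped offset or a $ (non-root) shell rather than the # one custom recovery gives you.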

[GUIDE][UNOFFICIAL METHOD] Unlock Bootloader Without Asus Unlock App [*ROOT*]

Yes, you heard it right! It is possible to unlock the bootloader of the ZenFone 2 Laser without the buggy Asus Unlock App.
This method was developed by @osm0sis with @Titokhan's analysis and my testing. Also thanks to @MiauLightouch for his unofficial method of unlocking ZE500KL and special thanks to @shakalaca since achieving root on locked bootloader was not possible without him.
READ ENTIRE OP BEFORE POSTING COMMENTS
This method was tested on my rooted ZE550KL (MSM8916) and it worked like a charm!
I expect it to work on ZE600KL and ZE550KG and probably on other variants too. Currently it's a one-way method, i.e. you can't relock the bootloader, but with your help we may be able to relock it as well.
Update: This doesn't work on ZE500KL and ZE500KG. Use MiauLightouch's guide for unlocking these devices.
You MUST be rooted to use this method. If your phone is not rooted, follow a relevant guide listed in this thread, or search yourself to find a proper rooting guide. Tip: use shakalaca's pre-rooted patched system img from here. ZE550KL's system.img works on all Z00L devices and ZE601KL's system.img works on all Z00T devices.
DISCLAIMER
By proceeding to this guide you agree to exempt osm0sis, Titokhan, sziraqui and xda-developers.com from any harm/damage that "may" happen to your device.
Code:
#include
/*
* Your warranty is now void.
*
* I am not responsible for bricked devices,
* thermonuclear war, or you getting fired because the alarm app failed.
* YOU are choosing to make these modifications, and if
* you point the finger at me for messing up your device, I will laugh at you.
*
*/
INSTRUCTIONS
STEP 1: Create a partition dump
Note: Script updated on 7 July,2016
This will backup your critical partitions. If you skip this step, and messed up your device, don't expect me to help you recover it.
i) From Termux (Download from playstore), type
Code:
su
OR
Using adb (assuming you have enabled USB Debugging and device is connected to computer)
Code:
adb shell
su
In both cases, wait for the SuperSU pop-up and grant root access. If you don't see the SuperSU pop-up even after 15 seconds, go to Auto Start Manager, "Allow" SuperSU and then try again.
ii) Now copy and paste the following set of commands (all commands together) into the terminal/cmd and hit enter
Code:
state=locked;
outdir=/sdcard/dumps-lockedbl;
# locate the by-name partition directory (the path depth differs between kernels)
if [ -e /dev/block/platform/*/by-name ]; then
target=/dev/block/platform/*/by-name;
elif [ -e /dev/block/platform/*/*/by-name ]; then
target=/dev/block/platform/*/*/by-name;
fi;
if [ "$target" ]; then
target=`echo -n $target`;
# -p so a re-run does not stop with "mkdir failed ... File exists"
mkdir -p $outdir;
echo $target > $outdir/targets.txt;
bootdev=/dev/block/bootdevice/by-name;
test -e $bootdev && echo $bootdev >> $outdir/targets.txt;
# dump every partition except the large ones (system/cache/userdata/boot/recovery and their APP/CAC/UDA/LNX/SOS aliases)
for part in $(ls $target); do
case $part in
system|APP|cache|CAC|userdata|UDA|boot|LNX|recovery|SOS) ;;
*) dd if=$target/$part of=$outdir/$part-$state.img;;
esac;
done;
fi;
[Link to original thread of above script http://forum.xda-developers.com/showpost.php?p=67147071&postcount=575 ]
old script (just for my reference)
Long script, but it works on both LP and MM for the ZE550KL. Check the "persistent" line: its output path must be under /sdcard/dump_locked/ like the others, otherwise that partition is silently not dumped.
Code:
mkdir /sdcard/dump_locked
dd if=/dev/block/bootdevice/by-name/aboot of=/sdcard/dump_locked/aboot_locked.img
dd if=/dev/block/bootdevice/by-name/abootbak of=/sdcard/dump_locked/abootbak_locked.img
dd if=/dev/block/bootdevice/by-name/abootdebug of=/sdcard/dump_locked/abootdebug_locked.img
dd if=/dev/block/bootdevice/by-name/ADF of=/sdcard/dump_locked/ADF_locked.img
dd if=/dev/block/bootdevice/by-name/APD of=/sdcard/dump_locked/APD_locked.img
dd if=/dev/block/bootdevice/by-name/asdf of=/sdcard/dump_locked/asdf_locked.img
dd if=/dev/block/bootdevice/by-name/asusfw of=/sdcard/dump_locked/asusfw_locked.img
dd if=/dev/block/bootdevice/by-name/asusgpt of=/sdcard/dump_locked/asusgpt_locked.img
dd if=/dev/block/bootdevice/by-name/asusgpt1 of=/sdcard/dump_locked/asusgpt1_locked.img
dd if=/dev/block/bootdevice/by-name/asusgpt2 of=/sdcard/dump_locked/asusgpt2_locked.img
dd if=/dev/block/bootdevice/by-name/asuskey of=/sdcard/dump_locked/asuskey_locked.img
dd if=/dev/block/bootdevice/by-name/asuskey2 of=/sdcard/dump_locked/asuskey2_locked.img
dd if=/dev/block/bootdevice/by-name/asuskey3 of=/sdcard/dump_locked/asuskey3_locked.img
dd if=/dev/block/bootdevice/by-name/asuskey4 of=/sdcard/dump_locked/asuskey4_locked.img
dd if=/dev/block/bootdevice/by-name/asuskey5 of=/sdcard/dump_locked/asuskey5_locked.img
dd if=/dev/block/bootdevice/by-name/config of=/sdcard/dump_locked/config_locked.img
dd if=/dev/block/bootdevice/by-name/DDR of=/sdcard/dump_locked/DDR_locked.img
dd if=/dev/block/bootdevice/by-name/devinfo of=/sdcard/dump_locked/devinfo_locked.img
dd if=/dev/block/bootdevice/by-name/factory of=/sdcard/dump_locked/factory_locked.img
dd if=/dev/block/bootdevice/by-name/factorybak of=/sdcard/dump_locked/factorybak_locked.img
dd if=/dev/block/bootdevice/by-name/fsc of=/sdcard/dump_locked/fsc_locked.img
dd if=/dev/block/bootdevice/by-name/fsg of=/sdcard/dump_locked/fsg_locked.img
dd if=/dev/block/bootdevice/by-name/hyp of=/sdcard/dump_locked/hyp_locked.img
dd if=/dev/block/bootdevice/by-name/hypbak of=/sdcard/dump_locked/hypbak_locked.img
dd if=/dev/block/bootdevice/by-name/keystore of=/sdcard/dump_locked/keystore_locked.img
dd if=/dev/block/bootdevice/by-name/misc of=/sdcard/dump_locked/misc_locked.img
dd if=/dev/block/bootdevice/by-name/modem of=/sdcard/dump_locked/modem_locked.img
dd if=/dev/block/bootdevice/by-name/modemst1 of=/sdcard/dump_locked/modemst1_locked.img
dd if=/dev/block/bootdevice/by-name/modemst2 of=/sdcard/dump_locked/modemst2_locked.img
dd if=/dev/block/bootdevice/by-name/oem of=/sdcard/dump_locked/oem_locked.img
dd if=/dev/block/bootdevice/by-name/persistent of=/sdcard/dump_locked/persistent_locked.img
dd if=/dev/block/bootdevice/by-name/persist of=/sdcard/dump_locked/persist_locked.img
dd if=/dev/block/bootdevice/by-name/rpm of=/sdcard/dump_locked/rpm_locked.img
dd if=/dev/block/bootdevice/by-name/rpmbak of=/sdcard/dump_locked/rpmbak_locked.img
dd if=/dev/block/bootdevice/by-name/sbl1 of=/sdcard/dump_locked/sbl1_locked.img
dd if=/dev/block/bootdevice/by-name/sec of=/sdcard/dump_locked/sec_locked.img
dd if=/dev/block/bootdevice/by-name/splash of=/sdcard/dump_locked/splash_locked.img
dd if=/dev/block/bootdevice/by-name/ssd of=/sdcard/dump_locked/ssd_locked.img
dd if=/dev/block/bootdevice/by-name/tz of=/sdcard/dump_locked/tz_locked.img
dd if=/dev/block/bootdevice/by-name/tzbak of=/sdcard/dump_locked/tzbak_locked.img
echo "Finished Partition Backup!"
The script will take approx. 6 mins to complete. Be Patient. Do not close the terminal session.
You should see a folder with name "dumps-lockedbl" in your internal memory having many .img files. Copy it to external storage and also to cloud storage.
STEP 2: Unlock your bootloader Warning: This may void your warranty
(All credits to osm0sis for this)
Now the following magical code will unlock your bootloader! Copy and paste it into Termux or the adb shell (as root). It works because on these devices the bootloader reads its lock state from the devinfo partition, which is an ordinary writable eMMC partition, so a root shell can flip the flag directly.
Code:
echo -ne "\x01" | dd obs=1 count=1 seek=16 of=/dev/block/bootdevice/by-name/devinfo
To check your bootloader status, reboot to fastboot mode and connect the phone to a computer (the computer should have the adb and fastboot files and the Asus drivers installed). On your computer, hold down the Shift key and right-click on the folder in which you have the adb and fastboot files. Select "Open command window here". Type the following command and hit enter:
Code:
fastboot oem device-info
You will get the following output
Code:
...
(bootloader) Device unlocked: true
(bootloader) Charger screen enabled: false
(bootloader) Display panel:
(bootloader) Adb Enable: 0
OKAY [ 0.004s]
"Device unlocked: true" means bootloader is unlocked!
Troubleshoot (usually not needed):
If your output has "Device unlocked: false" then it means your bootloader is still locked. In that case, type the following code
Code:
fastboot oem adb_enable
fastboot oem adb_enable
Yes you need to type it twice. Now check status again
Code:
fastboot oem device-info
Now the output should be
Code:
...
(bootloader) Device unlocked: false
(bootloader) Charger screen enabled: false
(bootloader) Display panel:
(bootloader) Adb Enable: 1
OKAY [ 0.004s]
Now repeat step 2 again. Your bootloader will be unlocked
STEP 3: If you want to help us with relocking the bootloader, do this step
This is the same as step 1, except that we are now dumping the partitions that might have changed after unlocking the bootloader into a folder named dumps-unlockedbl
i) From Termux terminal emulator app (Download from playstore), type
Code:
su
OR
Using adb (assuming you have enabled USB Debugging and device is connected to computer)
Code:
adb shell
su
ii) Now copy paste the following set of commands (all commands together) in terminal/cmd and hit enter:
Code:
state=unlocked;
outdir=/sdcard/dumps-unlockedbl;
# locate the by-name partition directory (the path depth differs between kernels)
if [ -e /dev/block/platform/*/by-name ]; then
target=/dev/block/platform/*/by-name;
elif [ -e /dev/block/platform/*/*/by-name ]; then
target=/dev/block/platform/*/*/by-name;
fi;
if [ "$target" ]; then
target=`echo -n $target`;
# -p so a re-run does not stop with "mkdir failed ... File exists"
mkdir -p $outdir;
echo $target > $outdir/targets.txt;
bootdev=/dev/block/bootdevice/by-name;
test -e $bootdev && echo $bootdev >> $outdir/targets.txt;
# dump every partition except the large ones (system/cache/userdata/boot/recovery and their APP/CAC/UDA/LNX/SOS aliases)
for part in $(ls $target); do
case $part in
system|APP|cache|CAC|userdata|UDA|boot|LNX|recovery|SOS) ;;
*) dd if=$target/$part of=$outdir/$part-$state.img;;
esac;
done;
fi;
old script (just for my reference)
Long script but works on both LP and MM for ZE550KL
Code:
mkdir /sdcard/dump_unlocked
dd if=/dev/block/bootdevice/by-name/aboot of=/sdcard/dump_unlocked/aboot_unlocked.img
dd if=/dev/block/bootdevice/by-name/abootbak of=/sdcard/dump_unlocked/abootbak_unlocked.img
dd if=/dev/block/bootdevice/by-name/abootdebug of=/sdcard/dump_unlocked/abootdebug_unlocked.img
dd if=/dev/block/bootdevice/by-name/ADF of=/sdcard/dump_unlocked/ADF_unlocked.img
dd if=/dev/block/bootdevice/by-name/APD of=/sdcard/dump_unlocked/APD_unlocked.img
dd if=/dev/block/bootdevice/by-name/asdf of=/sdcard/dump_unlocked/asdf_unlocked.img
dd if=/dev/block/bootdevice/by-name/asusfw of=/sdcard/dump_unlocked/asusfw_unlocked.img
dd if=/dev/block/bootdevice/by-name/asusgpt of=/sdcard/dump_unlocked/asusgpt_unlocked.img
dd if=/dev/block/bootdevice/by-name/asusgpt1 of=/sdcard/dump_unlocked/asusgpt1_unlocked.img
dd if=/dev/block/bootdevice/by-name/asusgpt2 of=/sdcard/dump_unlocked/asusgpt2_unlocked.img
dd if=/dev/block/bootdevice/by-name/asuskey of=/sdcard/dump_unlocked/asuskey_unlocked.img
dd if=/dev/block/bootdevice/by-name/asuskey2 of=/sdcard/dump_unlocked/asuskey2_unlocked.img
dd if=/dev/block/bootdevice/by-name/asuskey3 of=/sdcard/dump_unlocked/asuskey3_unlocked.img
dd if=/dev/block/bootdevice/by-name/asuskey4 of=/sdcard/dump_unlocked/asuskey4_unlocked.img
dd if=/dev/block/bootdevice/by-name/asuskey5 of=/sdcard/dump_unlocked/asuskey5_unlocked.img
dd if=/dev/block/bootdevice/by-name/config of=/sdcard/dump_unlocked/config_unlocked.img
dd if=/dev/block/bootdevice/by-name/DDR of=/sdcard/dump_unlocked/DDR_unlocked.img
dd if=/dev/block/bootdevice/by-name/devinfo of=/sdcard/dump_unlocked/devinfo_unlocked.img
dd if=/dev/block/bootdevice/by-name/factory of=/sdcard/dump_unlocked/factory_unlocked.img
dd if=/dev/block/bootdevice/by-name/factorybak of=/sdcard/dump_unlocked/factorybak_unlocked.img
dd if=/dev/block/bootdevice/by-name/fsc of=/sdcard/dump_unlocked/fsc_unlocked.img
dd if=/dev/block/bootdevice/by-name/fsg of=/sdcard/dump_unlocked/fsg_unlocked.img
dd if=/dev/block/bootdevice/by-name/hyp of=/sdcard/dump_unlocked/hyp_unlocked.img
dd if=/dev/block/bootdevice/by-name/hypbak of=/sdcard/dump_unlocked/hypbak_unlocked.img
dd if=/dev/block/bootdevice/by-name/keystore of=/sdcard/dump_unlocked/keystore_unlocked.img
dd if=/dev/block/bootdevice/by-name/misc of=/sdcard/dump_unlocked/misc_unlocked.img
dd if=/dev/block/bootdevice/by-name/modem of=/sdcard/dump_unlocked/modem_unlocked.img
dd if=/dev/block/bootdevice/by-name/modemst1 of=/sdcard/dump_unlocked/modemst1_unlocked.img
dd if=/dev/block/bootdevice/by-name/modemst2 of=/sdcard/dump_unlocked/modemst2_unlocked.img
dd if=/dev/block/bootdevice/by-name/oem of=/sdcard/dump_unlocked/oem_unlocked.img
dd if=/dev/block/bootdevice/by-name/persistent of=/sdcard/dump_unlocked/persistent_unlocked.img
dd if=/dev/block/bootdevice/by-name/persist of=/sdcard/dump_unlocked/persist_unlocked.img
dd if=/dev/block/bootdevice/by-name/rpm of=/sdcard/dump_unlocked/rpm_unlocked.img
dd if=/dev/block/bootdevice/by-name/rpmbak of=/sdcard/dump_unlocked/rpmbak_unlocked.img
dd if=/dev/block/bootdevice/by-name/sbl1 of=/sdcard/dump_unlocked/sbl1_unlocked.img
dd if=/dev/block/bootdevice/by-name/sec of=/sdcard/dump_unlocked/sec_unlocked.img
dd if=/dev/block/bootdevice/by-name/splash of=/sdcard/dump_unlocked/splash_unlocked.img
dd if=/dev/block/bootdevice/by-name/ssd of=/sdcard/dump_unlocked/ssd_unlocked.img
dd if=/dev/block/bootdevice/by-name/tz of=/sdcard/dump_unlocked/tz_unlocked.img
dd if=/dev/block/bootdevice/by-name/tzbak of=/sdcard/dump_unlocked/tzbak_unlocked.img
echo "Finished Partition Backup!"
Again, the script will take approx. 6 minutes to complete. You can close the terminal session once the script completes (i.e. after ~6 minutes).
You should see a folder with name "dumps-unlockedbl" in your internal memory having many .img files. Copy it to external storage and also to cloud storage.
Facing issues or didn't understand something? Here's a video Tutorial
HELP US ACHIEVE RELOCKING BOOTLOADER:
We may be able to relock the bootloader if you send us your partition backups. So compress the "dumps-lockedbl" and "dumps-unlockedbl" folders together. The zip name should be "Partitions_YourXdaUsername". Upload it to any reliable cloud storage (preferably your Google Drive). PM me a link to your file. DO NOT POST A LINK IN THE COMMENTS, SINCE YOUR BACKUP CONTAINS SENSITIVE INFORMATION. Don't worry, we won't misuse it; you can trust me on that.
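The following is an added example, not the guide's script or osm0sis's code: it rehearses steps 1 to 3 on a throw-away directory standing in for /dev/block/bootdevice/by-name, then compares the locked and unlocked dumps by checksum to list which partitions the unlock write changed, which is what the dump pairs requested above are for. The partition names, the skip list and the devinfo write (byte 16 set to 0x01) come from the guide; the file contents are constructed. Two details differ from the guide on purpose: mkdir -p, so a re-run does not stop with "mkdir failed ... File exists", and conv=notrunc on the devinfo write, which is needed on a regular file (dd cannot truncate a block device, but it does truncate an image file).

```sh
#!/bin/sh
# Added example (not the guide's script): rehearse the guide's dump / unlock /
# dump-again sequence on a throw-away directory standing in for
# /dev/block/bootdevice/by-name, then list which partitions changed.
# Partition names, the skip list and the devinfo write (byte 16 := 0x01) are the
# guide's; the partition contents below are constructed for the demo.

# dump_partitions BYNAME_DIR OUTDIR STATE
# Same loop and skip list as the guide; mkdir -p so a second run does not stop
# with "mkdir failed ... File exists".
dump_partitions() {
    mkdir -p "$2"
    echo "$1" > "$2/targets.txt"
    for part in $(ls "$1"); do
        case "$part" in
            system|APP|cache|CAC|userdata|UDA|boot|LNX|recovery|SOS) ;;
            *) dd if="$1/$part" of="$2/$part-$3.img" 2>/dev/null ;;
        esac
    done
}

# devinfo_unlock_flag DEVINFO : hex of the byte the guide flips (offset 16).
devinfo_unlock_flag() {
    dd if="$1" bs=1 skip=16 count=1 2>/dev/null | od -An -v -tx1 | tr -d ' \n'
}

# set_devinfo_unlock DEVINFO : the guide's write. conv=notrunc is added because
# this is a regular file; on the block device it makes no difference.
set_devinfo_unlock() {
    printf '\001' | dd of="$1" obs=1 count=1 seek=16 conv=notrunc 2>/dev/null
}

# changed_partitions DIR_A DIR_B STATE_A STATE_B : print the names of partitions
# whose DIR_A/<name>-STATE_A.img differs from DIR_B/<name>-STATE_B.img.
changed_partitions() {
    for f in "$1"/*-"$3".img; do
        name=$(basename "$f" "-$3.img")
        [ "$(cksum < "$f")" = "$(cksum < "$2/$name-$4.img")" ] || echo "$name"
    done
}

# Stand-alone demo: small fake partitions (64 zero bytes + the partition name).
work=$(mktemp -d)
byname="$work/by-name"
mkdir -p "$byname"
for p in aboot devinfo misc persistent system userdata boot recovery; do
    dd if=/dev/zero of="$byname/$p" bs=64 count=1 2>/dev/null
    printf '%s' "$p" >> "$byname/$p"
done

dump_partitions "$byname" "$work/dumps-lockedbl" locked          # step 1
echo "devinfo byte 16 before: $(devinfo_unlock_flag "$byname/devinfo")"
set_devinfo_unlock "$byname/devinfo"                              # step 2
echo "devinfo byte 16 after:  $(devinfo_unlock_flag "$byname/devinfo")"
dump_partitions "$byname" "$work/dumps-unlockedbl" unlocked      # step 3
echo "dumped (big partitions skipped): $(ls "$work/dumps-lockedbl" | tr '\n' ' ')"
echo "changed by the unlock: $(changed_partitions "$work/dumps-lockedbl" "$work/dumps-unlockedbl" locked unlocked)"
rm -rf "$work"
```

Run it as a normal user; it never touches /dev/block. Against real dumps, point changed_partitions at the two folders the guide produces (dumps-lockedbl and dumps-unlockedbl, with states locked and unlocked). If the unlock really only flips the devinfo byte, devinfo is the only name it prints; any other name is a partition worth a closer look when working out how to relock.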
POST YOUR RESULTS
Post your results in the following format-
1. Device model:
2. Soc/Chipset:
3. SKU:
4. Output of "fastboot oem device-info" or BL status:
.
.
Well, does this help in relocking after unlocking via the official unlock app, and will I get OTA after that?
anshad007 said:
Well, does this help in relocking after unlocking via the official unlock app, and will I get OTA after that?
You can get OTA as long as you don't modify the /system partition.
Also please don't quote the entire OP
Does this method work on Android 6.0 firmware?
Valeev said:
Does this method work on Android 6.0 firmware?
Yes.
Does this method work on ze500kg ?
eiyuuRei said:
Does this method work on ze500kg ?
Not tested, but you can try. Don't forget to make a partition backup.
I have unlocked the bootloader and flashed TWRP perfectly.
Since my phone (ZE550KL) is known as TEST MODEL C (I don't know what the difference is between this and the real ones), I couldn't get it done via the official unlock APK.
Thanks for this method, memur bey!!! You saved my life.
No ota
andrehsu said:
You can get OTA as long as you don't modify the /system partition.
Also please don't quote the entire OP
Man, I tried going back to the previous firmware and searched for OTA, but it's impossible to get OTA after the bootloader unlock. Please try it for yourself.
Error
Not working for me, it says mkdir failed
I am unable to unlock the phone.
Could you explain it to me in detail?
Thank You
anshad007 said:
Man, I tried going back to the previous firmware and searched for OTA, but it's impossible to get OTA after the bootloader unlock. Please try it for yourself.
I'm not sure you know what an over the air update is. Ota is the thing that pops up when you check for update in system update
andrehsu said:
I'm not sure you know what an over the air update is. Ota is the thing that pops up when you check for update in system update
Dude, I know what OTA is. Well, why don't you try unlocking the phone via the official unlock app and search for OTA?
anshad007 said:
Dude, I know what OTA is. Well, why don't you try unlocking the phone via the official unlock app and search for OTA?
Then you should know that you can't roll back firmware with OTA updates, regardless of bootloader unlock status
anshad007 said:
Dude, I know what OTA is. Well, why don't you try unlocking the phone via the official unlock app and search for OTA?
I tried with my friend's phone too. No OTA after unlocking the bootloader via the official bootloader unlock app.
ajay12boys said:
Not working for me, it says mkdir failed
Are you on Marshmallow? If yes, you need to grant it "Storage" permissions. Go to Settings > Apps > Termux > Permissions.
Click on the toggle on the right side of "Storage". The toggle will turn blue if the Storage permission is granted/enabled.
Also, did you get the SuperSU pop-up when you entered "su"?
When the pop up appears you need to click on grant.
Try again and do post back your results
sengetli said:
Important note:
If you can't get it done, try to remove the devinfo file first.
I succeeded like this:
rm /dev/block/bootdevice/by-name/devinfo
Please don't instruct people to remove "devinfo". Removing devinfo can brick devices. Your device is different, a test model. Please edit your comment and remove your suggestion of removing devinfo.
Did you make a partition backup before and after unlocking? If yes, can you upload it and PM me a link? This will help us achieve relocking the bootloader.
vemanaprudhvi said:
I am unable to unlock the phone.
Could you say me in detail??
Which step are you having difficulties with? It's already a very detailed guide. Nevertheless, I will add a video tutorial soon.
sziraqui said:
Are you on Marshmallow? If yes you need to grant it "storage" permissions. Goto settings>app>termux>permissions
Click on the the toggle which is on right side of "Storage" . The toggle will turn blue if Storage permissions is granted/enabled.
Also did you got SuperSU pop up when you entered "su"?
When the pop up appears you need to click on grant.
Try again and do post back your results
No, I am not on Marshmallow. I am still on Lollipop 5.0.2, firmware v1.17.40.1234. And yes, I got the SuperSU pop-up when I entered "su" in the terminal and granted it access. I am receiving the error "mkdir failed for /sdcard/dump_locked, File exists 255".
ajay12boys said:
No, I am not on Marshmallow. I am still on Lollipop 5.0.2, firmware v1.17.40.1234. And yes, I got the SuperSU pop-up when I entered "su" in the terminal and granted it access. I am receiving the error "mkdir failed for /sdcard/dump_locked, File exists 255".
That means the "dump_locked" folder already exists; you don't need the mkdir part of the set of commands. Proceed to step 1 without including the mkdir line: copy the commands from below the mkdir line.
Doesn't work on my ZE500KG.
Running "fastboot oem adb_enable" causes the phone to freeze(?) in fastboot and reboot.
EDIT: I just noticed /dev/block/bootdevice/by-name/devinfo does not exist.
Device model: ZE500KG
SoC/Chipset: Qualcomm MSM8916 Snapdragon 410
SKU: 359683069026920
Output of "fastboot oem device-info" :
Code:
(bootloader) Device tampered: false
(bootloader) Device unlocked: false
(bootloader) Device verified: false
(bootloader) Device authorized: false
(bootloader) Device check_fused: false
(bootloader) Device reboot_reason: 0x00
(bootloader) Device SSN: F8AZCY10D963
(bootloader) Skip check bat id enabled: false
(bootloader) Charger screen enabled: true
(bootloader) Display panel:
(bootloader) Device project: ZE500KG
(bootloader) CPU_RV=007050e1
(bootloader) Device resize: false
(bootloader) SB=Y
I'll PM my dumps, later.
yuki_is_bored said:
Doesn't work on my ZE500KG.
Running "fastboot oem adb_enable" causes the phone to freeze(?) in fastboot and reboot.
EDIT: I just noticed /dev/block/bootdevice/by-name/devinfo does not exist.
Device model: ZE500KG
SoC/Chipset: Qualcomm MSM8916 Snapdragon 410
SKU: 359683069026920
Output of "fastboot oem device-info" :
Code:
(bootloader) Device tampered: false
(bootloader) Device unlocked: false
(bootloader) Device verified: false
(bootloader) Device authorized: false
(bootloader) Device check_fused: false
(bootloader) Device reboot_reason: 0x00
(bootloader) Device SSN: F8AZCY10D963
(bootloader) Skip check bat id enabled: false
(bootloader) Charger screen enabled: true
(bootloader) Display panel:
(bootloader) Device project: ZE500KG
(bootloader) CPU_RV=007050e1
(bootloader) Device resize: false
(bootloader) SB=Y
I'll PM my dumps, later.
Can you post the output of this-
Code:
su
ls -la /dev/block/bootdevice/by-name
Edit: the output of this too (more important):
Code:
ls -la /dev/block/platform/*/*/
And this also (if by-name exists)
Code:
echo /dev/block/platform/*/*/by-name
