Related
I have spent hours looking for exploits, compiling CVE root exploits via NDK, and finding ways to root and have found no root exploit to work so far. One possibility may revolve around fastboot and/or the Fire update bin files. Here is some info:
update.bin files can be found here: https://www.amazon.com/gp/help/customer/display.html?nodeId=200529680
the update.bin files are jar files and can be modified with most archive managers or over command line, but I believe it will not get past security if you try to update with a modified jar. Plus the updater checks the update version so it does not update an already installed version.
You could add the su binary to /system/xbin but the update will not pass verification...
Error log for attempting to update a modified package is as followed:
Code:
I/SystemUpdates( 2175): Verifying sideload file...
I/SystemUpdates( 2175): sideload update lost
E/SystemUpdates( 2175): Verification exception:
E/SystemUpdates( 2175): com.amazon.dcp.ota.OTASideloadExceptionUnrecoverable
E/SystemUpdates( 2175): at com.amazon.dcp.ota.OTAController.throwExceptionOnError(OTAController.java:950)
E/SystemUpdates( 2175): at com.amazon.dcp.ota.OTAController.ensureSideloadCanBeInstalled(OTAController.java:871)
E/SystemUpdates( 2175): at com.amazon.settings.systemupdates.SystemUpdates$3.doInBackground(SystemUpdates.java:194)
E/SystemUpdates( 2175): at com.amazon.settings.systemupdates.SystemUpdates$3.doInBackground(SystemUpdates.java:171)
E/SystemUpdates( 2175): at android.os.AsyncTask$2.call(AsyncTask.java:288)
E/SystemUpdates( 2175): at java.util.concurrent.FutureTask.run(FutureTask.java:237)
E/SystemUpdates( 2175): at android.os.AsyncTask$SerialExecutor$1.run(AsyncTask.java:231)
E/SystemUpdates( 2175): at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1112)
E/SystemUpdates( 2175): at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:587)
E/SystemUpdates( 2175): at java.lang.Thread.run(Thread.java:841)
you get the same error when trying to update with an unmodified file that is the same version as what you are on. So maybe with a downgrade or when the next Fire OS update comes out, we could work something out but I am not exactly sure if it would work.
Here is a listing of the files inside an update.bin:
Code:
boot.img file_contexts images META-INF ota.prop recovery system tools
if you grab the boot.img from the update.bin, you can extract the boot.img with unpackbootimg and repackage it with mkbootimg. Tools can be found here: https://code.google.com/p/android-s...il?name=android_bootimg_tools.tar.gz&can=2&q=
when the boot img is unpacked you will see the following files:
Code:
boot.img-base boot.img-cmdline boot.img-pagesize boot.img-ramdisk.gz boot.img-zImage
boot.img-ramdisk.gz is the focus as it is a simple gz file containing another file called boot.img-ramdisk which is a cpio file and can be extracted with most archive managers or the command line
Why do I care about the boot image? You can obtain root by modifying lines default.prop inside of boot.img-ramdisk from
Code:
ro.adb.secure=1
ro.secure=1
to
Code:
ro.adb.secure=0
ro.secure=0
once those lines are modified you should be able to gain root in a shell vi adb entering the command
Code:
adb root
then once in a root shell, the su binary could be installed
when modifying the default.prop I tried repackaging it and booting the image using fastboot boot but nothing happens. This is the output. It gets stuck at booting...:
Code:
creating boot image - 5369856 bytes
downloading 'boot.img'...
OKAY [ 0.293s]
booting...
even the default unmodified boot.img does not seem to boot with fastboot boot. Could this be due to the locked bootloader? Usually it would give an error message if it was prohibited.
Code:
fastboot getvar all
(bootloader) serialno: 00880807438504J3
(bootloader) partition-offset:userdata: 86200000
(bootloader) partition-size:userdata: 31e7fbe00
(bootloader) partition-type:userdata: unknown
(bootloader) partition-offset:cache: 4f200000
(bootloader) partition-size:cache: 37000000
(bootloader) partition-type:cache: unknown
(bootloader) partition-offset:system: 4200000
(bootloader) partition-size:system: 4b000000
(bootloader) partition-type:system: unknown
(bootloader) partition-offset:persisbackup: 3200000
(bootloader) partition-size:persisbackup: 1000000
(bootloader) partition-type:persisbackup: unknown
(bootloader) partition-offset:MISC: 3180000
(bootloader) partition-size:MISC: 80000
(bootloader) partition-type:MISC: unknown
(bootloader) partition-offset:DKB: 3080000
(bootloader) partition-size:DKB: 100000
(bootloader) partition-type:DKB: unknown
(bootloader) partition-offset:KB: 2f80000
(bootloader) partition-size:KB: 100000
(bootloader) partition-type:KB: unknown
(bootloader) partition-offset:recovery: 2780000
(bootloader) partition-size:recovery: 800000
(bootloader) partition-type:recovery: unknown
(bootloader) partition-offset:boot: 1f80000
(bootloader) partition-size:boot: 800000
(bootloader) partition-type:boot: unknown
(bootloader) partition-offset:UBOOT: 1f00000
(bootloader) partition-size:UBOOT: 80000
(bootloader) partition-type:UBOOT: unknown
(bootloader) partition-offset:TEE2: 1a00000
(bootloader) partition-size:TEE2: 500000
(bootloader) partition-type:TEE2: unknown
(bootloader) partition-offset:TEE1: 1500000
(bootloader) partition-size:TEE1: 500000
(bootloader) partition-type:TEE1: unknown
(bootloader) partition-offset:PMT: 1100000
(bootloader) partition-size:PMT: 400000
(bootloader) partition-type:PMT: unknown
(bootloader) partition-offset:PRO_INFO: 1008000
(bootloader) partition-size:PRO_INFO: 20000
(bootloader) partition-type:PRO_INFO: unknown
(bootloader) max-download-size: 52429824
(bootloader) kernel: lk
(bootloader) product: ARIEL
(bootloader) version: 0.5
(bootloader) production: Unknown
Although we know all these things I still think that the best way may to find a local root exploit that works rather than messing with all this... but that is just my opinion. I am currently looking through these exploits but most are too old: http://adbtoolkit.com/rooting/exploits/#.VKDbFAMAI
boot image
Where are you getting a boot.img from the update-kindle-20.4.5.2_user_452004220.bin?
have you tried extracting the boot.img from your working kindle and booting that? Just a thought.
It's Kit Kat
I would like to remind everyone that underneath its kit kat.
fyi, I tried towelroot and it did not work.
Ill keep messing around.
HT123 said:
Where are you getting a boot.img from the update-kindle-20.4.5.2_user_452004220.bin?
have you tried extracting the boot.img from your working kindle and booting that? Just a thought.
Click to expand...
Click to collapse
update-kindle-20.4.5.2_user_452004220.bin is just a jar file and can be extracted with an archive manager. the boot ikage is on the root of update-kindle-20.4.5.2_user_452004220.bin
I'm missing something then.
Are you repacking the image?
I have extracted the bin for the HD 6 and i can not for the life of me find a boot.img on there. The HD 6 image looks like is star
As for the KitKat base, TowelRoot doesn't work. I think a few exploits have been compiled and tried with no luck.
Guys have you asked Gran PC for the source code of his Firerooter?
Maybe there's something on it that may help you.
Google+ KFSOWI Community
Source: Teasers teasers teasers.
Yunus Sina Gülşen
Dec 25, 2014
Will you be able to publish source code and how you have found the exploit? As i can take it and start working for AFHD6?
Gran PC
owner
Dec 25, 2014
It's not really an exploit. It's all going to be open source though.
Gran PC
owner
Dec 25, 2014
If you manage to port it to another device it would be appreciated if you were to credit me on your release notes, by the way.
Yunus Sina Gülşen
Dec 25, 2014
Well i am pissed at waiting and will definitely try and your help would be a very good starting point at the moment. You can be sure about the credits.
Yunus Sina Gülşen
Dec 25, 2014
github?
Mar Gonçalves
Dec 25, 2014
"It's not really an exploit"... Wow, +Gran PC, Amazon really make it easier this time, hum? ˆ_ˆ
Gran PC
owner
I don't have my GitHub credentials on this computer, so you'll just have to make do with the binary release (it's written in Lua, so the source code is obviously included).
Yunus Sina Gülşen
Dec 25, 2014
ok, waiting for the release then
Click to expand...
Click to collapse
it is open source. having never seen LUA before reading it, it looks like a flash of minisystem.img to /system and then incremental updates via renaming of the downloads to update.zip is used. If i am wrong i apologize and some please correct me. minisystem.img is designed for the hdx.
HT123 said:
it is open source. having never seen LUA before reading it, it looks like a flash of minisystem.img to /system and then incremental updates via renaming of the downloads to update.zip is used. If i am wrong i apologize and some please correct me. minisystem.img is designed for the hdx.
Click to expand...
Click to collapse
I looked at the code a bit but not enough to understand it. cannot tell yet.
HT123 said:
Where are you getting a boot.img from the update-kindle-20.4.5.2_user_452004220.bin?
have you tried extracting the boot.img from your working kindle and booting that? Just a thought.
Click to expand...
Click to collapse
I'll need to redownload it and make sure.
HT123 said:
it is open source. having never seen LUA before reading it, it looks like a flash of minisystem.img to /system and then incremental updates via renaming of the downloads to update.zip is used. If i am wrong i apologize and some please correct me. minisystem.img is designed for the hdx.
Click to expand...
Click to collapse
It should be named update-kindle-20.4.5.2_user_452004220.bin check link in my thread boot.img is on the root of the bin file (rename it to .jar so your archive manager can detect it as a jar). Just redownloaded and rechecked
still not seeing it. Mine starts at /system. downloaded it twice... weird.
update-kindle-20.4.5.2_user_452004220.jar
HT123 said:
still not seeing it. Mine starts at /system. downloaded it twice... weird.
update-kindle-20.4.5.2_user_452004220.jar
Click to expand...
Click to collapse
You could try a different archive manager. I use Linux with default gnome archive manager ( I think called file roller)
Thank you to try have root aces.
I've don't have skill for help you, i'm sory but just a little question :
Have you test all root application for root the Fire HD ?
Hi guys, so a friend of mine got a Desire 820 dual sim few days back. Device came in a very messy condition in terms for software. It was already Super CID'd & S-OFFed, no option to update software & around 200 languages. So i tried different threads to fix the issue & upgrade the phone to Lollipop.
I was able to get it back to stock Indian KK RUU 1.22.720.1 assuming that it was an Indian variant based on its id A51_DTUL but it was not the case.. After downloading the 1.22.720.10 update, it was giving me error like Modified System or Wrong Variant
Cut short i managed to identify / fix the problem & successfully upgraded the phone to Android L
Story line is that most of the guides available for 820 dual sim Lollipop upgrade are for the Indian variant with MID 0PFJ10000. Problem occurring is with its Chinesse sibbling with MID 0PFJ11000 & this is where the phone wont allow you to do software updates.
RUU is just checking the CID while in the OTA updater-script they have plenty of checks before flashing it.
So in the below KK updater-script, you can see that first it is checking for the current firmware, then CID & then MID
PHP:
mount("ext4", "EMMC", "system", "/system");
assert(file_getprop("/system/build.prop", "ro.build.fingerprint") == "htc/htc_asia_india/htc_a51dtul:4.4.4/KTU84P/429556.1:user/release-keys" ||
file_getprop("/system/build.prop", "ro.build.fingerprint") == "htc/htc_asia_india/htc_a51dtul:4.4.4/KTU84P/429556.10:user/release-keys");
assert(file_getprop("/system/build.prop", "ro.aa.taskid") == "402794" ||
file_getprop("/system/build.prop", "ro.aa.taskid") == "447333");
ifelse( is_ship_bootloader(getprop("ro.bootloader")) == "t" ,
assert(check_cid(getprop("ro.cid"), "00000000" , "11111111" ,
"22222222" , "33333333" , "44444444" , "55555555" , "66666666" ,
"77777777" , "88888888" , "99999999" , "HTC__038") == "t");
);
ifelse( is_ship_bootloader(getprop("ro.bootloader")) == "t" ,
assert(check_mid("full", "0PFJ10000") == "t");,
assert(check_mid("simple", "0PFJ10000") == "t");
This is point where we get Wrong Variant or Modified System error on device other than 0PFJ10000 MID.
So inorder to get rid of this error & getting all the updates automatically while keeping your ROM in stock status. These are the requirements / guidelines.
Required:
S-OFF
Root
Super CID
I assume you already know about fastboot commands stuff
So before proceeding, verify that you phone is A51_DTUL & the processor type is hTCBmsm8939 with 2GB of RAM. You can do this by booting into bootloader & run command fastboot getvar all
1st step, change MID of your device -> from 0PFJ11000 to 0PFJ10000. Run the following ADB commands:
PHP:
adb shell
su
echo -ne '\x30\x00\x50\x00\x46\x00\x4a\x00\x31\x00\x30\x00\x30\x00\x30\x00\x30' | dd of=/dev/block/mmcblk0p5 bs=1 seek=16384
exit
exit
adb reboot bootloader
Now once the commands are successful, to verify the MID in fastboot again verify it with command fastboot getvar MID. It should now be 0PFJ10000
So we killed the BUG :laugh:
2nd step:
2a. download Indian KK RUU from this thread -> Thanks to sshivampp & robinsahlot
2b. Rename the downloaded ZIP to “0PFJIMG.zip” or to 0PFJIMG.txt incase you are unable to copy it
2c. Copy the 0PFJIMG.txt / zip file to the External SD card & do change the extension back to .zip incase you had to change it to .txt
2d. Reboot into bootloader & dont forget to disable Fastboot option under power settings
2e. Press Vol up for update once prompted
You will lot of checks & update prompts on the screen
Once successful, reboot the phone & check for software updates. You should now be able to install all the OTAs without any errors
Special thanks to h1dd3n_sn1p3r for his initial guide on upgrading to Android L.
And our dexter, Mr. scotty1223 for his amazing guides & work. Through which i was able to figure out MID change part
Lovely! Thanks for credit towards me!
Excellent find bro ?
Any one knows MID of HK variant?
help
Hey, thanks for this post, i have tried every solution posted in this site, but anyone of them worked, this one seems the most effective one, but i cant change the MID! I copy the code, hit enter, the window closes, but when i reboot the phone and check de getvar mid, it doesnt change! what can i do? i have the phone in S-OFF, rooted and super CID... the phone was unlocked, tried this way, but now is relocked, tried this one also but its the same MID ..thaks for the help u can give me
ok i try some of the code, just to avoid the window from closing and it says this :
adb shell
adb server is out of date. killing...
* daemon started successfully *
error: device not found...
gpcga said:
Hey, thanks for this post, i have tried every solution posted in this site, but anyone of them worked, this one seems the most effective one, but i cant change the MID! I copy the code, hit enter, the window closes, but when i reboot the phone and check de getvar mid, it doesnt change! what can i do? i have the phone in S-OFF, rooted and super CID... the phone was unlocked, tried this way, but now is relocked, tried this one also but its the same MID ..thaks for the help u can give me
ok i try some of the code, just to avoid the window from closing and it says this :
adb shell
adb server is out of date. killing...
* daemon started successfully *
error: device not found...
Click to expand...
Click to collapse
What is the current MID of your device? also is it Qualcomm processor? If you boot the phone nornally with ADB debugging. is it detected? as from the last line it seems device is not connected or not detected
I changed the recovery
Hello, the phone didn't connect because of the recovery, I flashed another one, and that was it. Thanks, I have the stock lollipop 5.0.2 now. This is the only solution that worked fast and effective.
fshami said:
What is the current MID of your device? also is it Qualcomm processor? If you boot the phone nornally with ADB debugging. is it detected? as from the last line it seems device is not connected or not detected
Click to expand...
Click to collapse
Would this method work on my Chinese Desire 820t?
sponmagnet said:
Would this method work on my Chinese Desire 820t?
Click to expand...
Click to collapse
This thread is for the non-indian variants with Qualcomm chipset.. all details in first post. So if u have the same mid OPFJ11xxx then go a head & try.. be sure ur hardware specs match as i mentioned in the guide
Can anybody post instructions of how to change MID to TW variant? (-> from 0PFJ10000 to 0PFJ12000)
Prowler_gr said:
Can anybody post instructions of how to change MID to TW variant? (-> from 0PFJ10000 to 0PFJ12000)
Click to expand...
Click to collapse
PHP:
adb shell
su
echo -ne '\x30\x00\x50\x00\x46\x00\x4a\x00\x31\x00\x32\x00\x30\x00\x30\x00\x30' | dd of=/dev/block/mmcblk0p5 bs=1 seek=16384
exit
exit
adb reboot bootloader
I am getting error
"adb shell
adb server is out of date. killing...
* daemon started successfully *
error: device not found..."
Device is connected !!!
I tried everything but nothing works...
I want my phone to run on lollipop
please help me
shubhamkanwaria said:
I am getting error
"adb shell
adb server is out of date. killing...
* daemon started successfully *
error: device not found..."
Device is connected !!!
I tried everything but nothing works...
I want my phone to run on lollipop
please help me
Click to expand...
Click to collapse
Check if USB debugging is enabled.. and after connecting the phone, all drivers are installed properly
fshami said:
Check if USB debugging is enabled.. and after connecting the phone, all drivers are installed properly
Click to expand...
Click to collapse
USB debugging is enabled and all drivers are properly installed but still same error.
shubhamkanwaria said:
USB debugging is enabled and all drivers are properly installed but still same error.
Click to expand...
Click to collapse
If your phone is booted, still adb devices command is not showing your device?
Sent from my HTC One E9PLUS dual sim using XDA-Developers mobile app
fshami said:
If your phone is booted, still adb devices command is not showing your device?
Sent from my HTC One E9PLUS dual sim using XDA-Developers mobile app
Click to expand...
Click to collapse
Thank you so much... i got it... Now my phone running on lollipop.....
shubhamkanwaria said:
Thank you so much... i got it... Now my phone running on lollipop.....
Click to expand...
Click to collapse
glad to help
fshami said:
Hi guys, so a friend of mine got a Desire 820 dual sim few days back. Device came in a very messy condition in terms for software. It was already Super CID'd & S-OFFed, no option to update software & around 200 languages. So i tried different threads to fix the issue & upgrade the phone to Lollipop.
I was able to get it back to stock Indian KK RUU 1.22.720.1 assuming that it was an Indian variant based on its id A51_DTUL but it was not the case.. After downloading the 1.22.720.10 update, it was giving me error like Modified System or Wrong Variant
Cut short i managed to identify / fix the problem & successfully upgraded the phone to Android L
Story line is that most of the guides available for 820 dual sim Lollipop upgrade are for the Indian variant with MID 0PFJ10000. Problem occurring is with its Chinesse sibbling with MID 0PFJ11000 & this is where the phone wont allow you to do software updates.
RUU is just checking the CID while in the OTA updater-script they have plenty of checks before flashing it.
So in the below KK updater-script, you can see that first it is checking for the current firmware, then CID & then MID
PHP:
mount("ext4", "EMMC", "system", "/system");
assert(file_getprop("/system/build.prop", "ro.build.fingerprint") == "htc/htc_asia_india/htc_a51dtul:4.4.4/KTU84P/429556.1:user/release-keys" ||
file_getprop("/system/build.prop", "ro.build.fingerprint") == "htc/htc_asia_india/htc_a51dtul:4.4.4/KTU84P/429556.10:user/release-keys");
assert(file_getprop("/system/build.prop", "ro.aa.taskid") == "402794" ||
file_getprop("/system/build.prop", "ro.aa.taskid") == "447333");
ifelse( is_ship_bootloader(getprop("ro.bootloader")) == "t" ,
assert(check_cid(getprop("ro.cid"), "00000000" , "11111111" ,
"22222222" , "33333333" , "44444444" , "55555555" , "66666666" ,
"77777777" , "88888888" , "99999999" , "HTC__038") == "t");
);
ifelse( is_ship_bootloader(getprop("ro.bootloader")) == "t" ,
assert(check_mid("full", "0PFJ10000") == "t");,
assert(check_mid("simple", "0PFJ10000") == "t");
This is point where we get Wrong Variant or Modified System error on device other than 0PFJ10000 MID.
So inorder to get rid of this error & getting all the updates automatically while keeping your ROM in stock status. These are the requirements / guidelines.
Required:
S-OFF
Root
Super CID
I assume you already know about fastboot commands stuff
So before proceeding, verify that you phone is A51_DTUL & the processor type is hTCBmsm8939 with 2GB of RAM. You can do this by booting into bootloader & run command fastboot getvar all
1st step, change MID of your device -> from 0PFJ11000 to 0PFJ10000. Run the following ADB commands:
PHP:
adb shell
su
echo -ne '\x30\x00\x50\x00\x46\x00\x4a\x00\x31\x00\x30\x00\x30\x00\x30\x00\x30' | dd of=/dev/block/mmcblk0p5 bs=1 seek=16384
exit
exit
adb reboot bootloader
Now once the commands are successful, to verify the MID in fastboot again verify it with command fastboot getvar MID. It should now be 0PFJ10000
So we killed the BUG :laugh:
2nd step:
2a. download Indian KK RUU from this thread -> Thanks to sshivampp & robinsahlot
2b. Rename the downloaded ZIP to “0PFJIMG.zip” or to 0PFJIMG.txt incase you are unable to copy it
2c. Copy the 0PFJIMG.txt / zip file to the External SD card & do change the extension back to .zip incase you had to change it to .txt
2d. Reboot into bootloader & dont forget to disable Fastboot option under power settings
2e. Press Vol up for update once prompted
You will lot of checks & update prompts on the screen
Once successful, reboot the phone & check for software updates. You should now be able to install all the OTAs without any errors
Special thanks to h1dd3n_sn1p3r for his initial guide on upgrading to Android L.
And our dexter, Mr. scotty1223 for his amazing guides & work. Through which i was able to figure out MID change part
Click to expand...
Click to collapse
sorry .. this is no more available .. please check the next replay #18
fshami said:
Hi guys, so a friend of mine got a Desire 820 dual sim few days back. Device came in a very messy condition in terms for software. It was already Super CID'd & S-OFFed, no option to update software & around 200 languages. So i tried different threads to fix the issue & upgrade the phone to Lollipop.
I was able to get it back to stock Indian KK RUU 1.22.720.1 assuming that it was an Indian variant based on its id A51_DTUL but it was not the case.. After downloading the 1.22.720.10 update, it was giving me error like Modified System or Wrong Variant
Cut short i managed to identify / fix the problem & successfully upgraded the phone to Android L
Story line is that most of the guides available for 820 dual sim Lollipop upgrade are for the Indian variant with MID 0PFJ10000. Problem occurring is with its Chinesse sibbling with MID 0PFJ11000 & this is where the phone wont allow you to do software updates.
RUU is just checking the CID while in the OTA updater-script they have plenty of checks before flashing it.
So in the below KK updater-script, you can see that first it is checking for the current firmware, then CID & then MID
PHP:
mount("ext4", "EMMC", "system", "/system");
assert(file_getprop("/system/build.prop", "ro.build.fingerprint") == "htc/htc_asia_india/htc_a51dtul:4.4.4/KTU84P/429556.1:user/release-keys" ||
file_getprop("/system/build.prop", "ro.build.fingerprint") == "htc/htc_asia_india/htc_a51dtul:4.4.4/KTU84P/429556.10:user/release-keys");
assert(file_getprop("/system/build.prop", "ro.aa.taskid") == "402794" ||
file_getprop("/system/build.prop", "ro.aa.taskid") == "447333");
ifelse( is_ship_bootloader(getprop("ro.bootloader")) == "t" ,
assert(check_cid(getprop("ro.cid"), "00000000" , "11111111" ,
"22222222" , "33333333" , "44444444" , "55555555" , "66666666" ,
"77777777" , "88888888" , "99999999" , "HTC__038") == "t");
);
ifelse( is_ship_bootloader(getprop("ro.bootloader")) == "t" ,
assert(check_mid("full", "0PFJ10000") == "t");,
assert(check_mid("simple", "0PFJ10000") == "t");
This is point where we get Wrong Variant or Modified System error on device other than 0PFJ10000 MID.
So inorder to get rid of this error & getting all the updates automatically while keeping your ROM in stock status. These are the requirements / guidelines.
Required:
S-OFF
Root
Super CID
I assume you already know about fastboot commands stuff
So before proceeding, verify that you phone is A51_DTUL & the processor type is hTCBmsm8939 with 2GB of RAM. You can do this by booting into bootloader & run command fastboot getvar all
1st step, change MID of your device -> from 0PFJ11000 to 0PFJ10000. Run the following ADB commands:
PHP:
adb shell
su
echo -ne '\x30\x00\x50\x00\x46\x00\x4a\x00\x31\x00\x30\x00\x30\x00\x30\x00\x30' | dd of=/dev/block/mmcblk0p5 bs=1 seek=16384
exit
exit
adb reboot bootloader
Now once the commands are successful, to verify the MID in fastboot again verify it with command fastboot getvar MID. It should now be 0PFJ10000
So we killed the BUG :laugh:
2nd step:
2a. download Indian KK RUU from this thread -> Thanks to sshivampp & robinsahlot
2b. Rename the downloaded ZIP to “0PFJIMG.zip” or to 0PFJIMG.txt incase you are unable to copy it
2c. Copy the 0PFJIMG.txt / zip file to the External SD card & do change the extension back to .zip incase you had to change it to .txt
2d. Reboot into bootloader & dont forget to disable Fastboot option under power settings
2e. Press Vol up for update once prompted
You will lot of checks & update prompts on the screen
Once successful, reboot the phone & check for software updates. You should now be able to install all the OTAs without any errors
Special thanks to h1dd3n_sn1p3r for his initial guide on upgrading to Android L.
And our dexter, Mr. scotty1223 for his amazing guides & work. Through which i was able to figure out MID change part
Click to expand...
Click to collapse
my data before :
D:\HTC\fastboot>fastboot getvar all
(bootloader) version: 0.5
(bootloader) version-bootloader: 3.19.0.0000
(bootloader) version-baseband: 01.01.010_U1030481_08.01.41119
(bootloader) version-cpld: None
(bootloader) version-microp: None
(bootloader) version-main: 1.22.720.1
(bootloader) version-misc: PVT SHIP S-OFF
(bootloader) serialno: HC4ANYC01045
(bootloader) imei: 355386060878133
(bootloader) imei2: 355386060878141
(bootloader) meid: 00000000000000
(bootloader) product: a51_dtul
(bootloader) platform: hTCBmsm8939
(bootloader) modelid: 0PFJ11000
(bootloader) cidnum: 11111111
(bootloader) battery-status: good
(bootloader) battery-voltage: 0mV
(bootloader) partition-layout: Generic
(bootloader) security: off
(bootloader) build-mode: SHIP
(bootloader) boot-mode: FASTBOOT
(bootloader) commitno-bootloader: ed7d3c37
(bootloader) hbootpreupdate: 11
(bootloader) gencheckpt: 0
(bootloader) mfg-name:
all: Done!
finished. total time: 0.022s
D:\HTC\fastboot>
and do :
D:\HTC\fastboot>adb shell
[email protected]_a51dtul:/ $ su
[email protected]_a51dtul:/ # echo -ne '\x30\x00\x50\x00\x46\x00\x4a\x00\x31\x00\x30\x0>
17+0 records in
17+0 records out
17 bytes transferred in 0.005 secs (3400 bytes/sec)
[email protected]_a51dtul:/ # exit
[email protected]_a51dtul:/ $ exit
so the data after :
D:\HTC\fastboot>fastboot getvar mid
mid: 0PFJ10000
finished. total time: 0.002s
D:\HTC\fastboot>fastboot getvar all
(bootloader) version: 0.5
(bootloader) version-bootloader: 3.19.0.0000
(bootloader) version-baseband: 01.01.010_U1030481_08.01.41119
(bootloader) version-cpld: None
(bootloader) version-microp: None
(bootloader) version-main: 1.22.720.1
(bootloader) version-misc: PVT SHIP S-OFF
(bootloader) serialno: HC4ANYC01045
(bootloader) imei: 355386060878133
(bootloader) imei2: 355386060878141
(bootloader) meid: 00000000000000
(bootloader) product: a51_dtul
(bootloader) platform: hTCBmsm8939
(bootloader) modelid: 0PFJ10000
(bootloader) cidnum: 11111111
(bootloader) battery-status: good
(bootloader) battery-voltage: 0mV
(bootloader) partition-layout: Generic
(bootloader) security: off
(bootloader) build-mode: SHIP
(bootloader) boot-mode: FASTBOOT
(bootloader) commitno-bootloader: ed7d3c37
(bootloader) hbootpreupdate: 11
(bootloader) gencheckpt: 0
(bootloader) mfg-name:
all: Done!
finished. total time: 0.034s
D:\HTC\fastboot>
checked update .. 70.01MB .. downloaded .. but still got the msg (your system modified contact htc)
#Note : i was downloaded the ruu that you mention .. just changed mid then checked update
any help ??
nabilovetch said:
my data before :
D:\HTC\fastboot>fastboot getvar all
(bootloader) version: 0.5
(bootloader) version-bootloader: 3.19.0.0000
(bootloader) version-baseband: 01.01.010_U1030481_08.01.41119
(bootloader) version-cpld: None
(bootloader) version-microp: None
(bootloader) version-main: 1.22.720.1
(bootloader) version-misc: PVT SHIP S-OFF
(bootloader) serialno: HC4ANYC01045
(bootloader) imei: 355386060878133
(bootloader) imei2: 355386060878141
(bootloader) meid: 00000000000000
(bootloader) product: a51_dtul
(bootloader) platform: hTCBmsm8939
(bootloader) modelid: 0PFJ11000
(bootloader) cidnum: 11111111
(bootloader) battery-status: good
(bootloader) battery-voltage: 0mV
(bootloader) partition-layout: Generic
(bootloader) security: off
(bootloader) build-mode: SHIP
(bootloader) boot-mode: FASTBOOT
(bootloader) commitno-bootloader: ed7d3c37
(bootloader) hbootpreupdate: 11
(bootloader) gencheckpt: 0
(bootloader) mfg-name:
all: Done!
finished. total time: 0.022s
D:\HTC\fastboot>
and do :
D:\HTC\fastboot>adb shell
[email protected]_a51dtul:/ $ su
[email protected]_a51dtul:/ # echo -ne '\x30\x00\x50\x00\x46\x00\x4a\x00\x31\x00\x30\x0>
17+0 records in
17+0 records out
17 bytes transferred in 0.005 secs (3400 bytes/sec)
[email protected]_a51dtul:/ # exit
[email protected]_a51dtul:/ $ exit
so the data after :
D:\HTC\fastboot>fastboot getvar mid
mid: 0PFJ10000
finished. total time: 0.002s
D:\HTC\fastboot>fastboot getvar all
(bootloader) version: 0.5
(bootloader) version-bootloader: 3.19.0.0000
(bootloader) version-baseband: 01.01.010_U1030481_08.01.41119
(bootloader) version-cpld: None
(bootloader) version-microp: None
(bootloader) version-main: 1.22.720.1
(bootloader) version-misc: PVT SHIP S-OFF
(bootloader) serialno: HC4ANYC01045
(bootloader) imei: 355386060878133
(bootloader) imei2: 355386060878141
(bootloader) meid: 00000000000000
(bootloader) product: a51_dtul
(bootloader) platform: hTCBmsm8939
(bootloader) modelid: 0PFJ10000
(bootloader) cidnum: 11111111
(bootloader) battery-status: good
(bootloader) battery-voltage: 0mV
(bootloader) partition-layout: Generic
(bootloader) security: off
(bootloader) build-mode: SHIP
(bootloader) boot-mode: FASTBOOT
(bootloader) commitno-bootloader: ed7d3c37
(bootloader) hbootpreupdate: 11
(bootloader) gencheckpt: 0
(bootloader) mfg-name:
all: Done!
finished. total time: 0.034s
D:\HTC\fastboot>
checked update .. 70.01MB .. downloaded .. but still got the msg (your system modified contact htc)
#Note : i was downloaded the ruu that you mention .. just changed mid then checked update
any help ??
Click to expand...
Click to collapse
Good you've changed CID & MID. Now download & flash the RUU i mentioned. Once flashed then your device will do updates
Sent from my HTC One E9PLUS dual sim using XDA-Developers mobile app
fshami said:
Good you've changed CID & MID. Now download & flash the RUU i mentioned. Once flashed then your device will do updates
Sent from my HTC One E9PLUS dual sim using XDA- mobile app
Click to expand...
Click to collapse
i do factory reset and reflash ruu using sd card ..
still got the msg (your software is modified, contact htc)
Device MUST be S-OFF!
Requirements
HTC Fastboot and ADB : Google Drive
Firmware : Google Drive
RUU EXE : http://www.htc.com/us/support/htc-one-m8/news/
First Step
Change your MID and CID from yours to Developer Edition.
{
"lightbox_close": "Close",
"lightbox_next": "Next",
"lightbox_previous": "Previous",
"lightbox_error": "The requested content cannot be loaded. Please try again later.",
"lightbox_start_slideshow": "Start slideshow",
"lightbox_stop_slideshow": "Stop slideshow",
"lightbox_full_screen": "Full screen",
"lightbox_thumbnails": "Thumbnails",
"lightbox_download": "Download",
"lightbox_share": "Share",
"lightbox_zoom": "Zoom",
"lightbox_new_window": "New window",
"lightbox_toggle_sidebar": "Toggle sidebar"
}
Open your Command Prompt on your installation folder with "Left Shift + Right Mouse Click"
MID Change
adb.exe shell
su (if needed to get a # prompt)
Code:
echo -ne '\x30\x00\x50\x00\x36\x00\x42\x00\x31\x00\x32\x00\x30\x00\x30\x00\x30' | dd of=/dev/block/mmcblk0p5 bs=1 seek=16384
exit (if you have #, 2 times)
adb.exe reboot-bootloader
CID Change
htc_fastboot.exe oem writecid BS_US002
htc_fastboot.exe reboot-bootloader
htc_fastboot.exe oem rebootRUU (you have to see black screen with green HTC logo)
Flash firmware-6.12.1540.4
htc_fastboot.exe flash zip firmware-6.12.1540.4.zip (you have to get error, try again this time it will do)
htc_fastboot.exe reboot-bootloader ( do this when firmware process done, you have to see a green bar at 100%)
htc_fastboot.exe erase cache
Flash 6.12.1540.4 RUU
You have to open RUU EXE which downloaded from htc news website.
Wait until UNCOMPRESSING done.
You have to see "License Agreement", DO NOT close this window.
Open your file explorer or run command and type %TEMP% , and click ENTER
You have to be in there "C:\Users\*your pc name*\AppData\Local\Temp"
Find last edited Folder, it must have "corecomp.ini" , "dotnetinstaller.exe" , "ISBEW64.exe" and another Folder.
Open this folder and copy "rom.zip" into your installation folder where htc_fastboot.exe exist.
htc_fastboot.exe oem rebootRUU (you have to see black screen with green HTC logo)
htc_fastboot.exe flash zip rom.zip (first you have to get error, but the process restart automatically)
You have to wait about 5-10 minutes until all processes done.
htc_fastboot.exe reboot-bootloader
htc_fastboot.exe erase cache
PRESS volume down button to do Factory Reset and PRESS power button to select.
Phone restart automatically, when the factory reset done
All done, be happy
Boss pls help me
HTC M8 Sprint
CID : BS_US002
MODEL : OP6B70000
Pls help Me .... when i am try to flash firmware-6.12.1540.4 then error massage
C:\Users\MONOAR\Desktop\One_M8_All-In-One_Kit_v\data>fastboot.exe flash zip firm
ware-6.12.1540.4.zip
< waiting for device >
target reported max download size of 1826414592 bytes
error: cannot load 'firmware-6.12.1540.4.zip': No error
[email protected]
monoar30 said:
HTC M8 Sprint
CID : BS_US002
MODEL : OP6B70000
Pls help Me .... when i am try to flash firmware-6.12.1540.4 then error massage
C:\Users\MONOAR\Desktop\One_M8_All-In-One_Kit_v\data>fastboot.exe flash zip firm
ware-6.12.1540.4.zip
< waiting for device >
target reported max download size of 1826414592 bytes
error: cannot load 'firmware-6.12.1540.4.zip': No error
[email protected]
Click to expand...
Click to collapse
dunno if i m reading that paths wrong but it looks you did something wrong related to the filepaths of the firmware and adb itself. - go into your folder were adb is located. might be inside your One-M8-All-In-One_Kit folder ....then paste the firmware zip in just the same folder. ( location of adb ) ....after that, navigate to that adb location/folder, (you should actually be there because you have just copied the firmware zip into that folder ..so skip that .... press shift + right mousebutton on empty space inside of the folder ( so dont start any program or click on a file, just hold shift and press the right mousekey to open die normal windows dialog window where you can change the view of the folder or add new files etc. )
by using the shift+right mouse key combi, u will see another option inside of that dialog apart from the common stuff you normally have listed. -> "open command prompt right here" ( or something similar, dunno the exact wording in english )
so click that order, it will open up the windows console (cmd) -> make your phone reboot to the bootloader by writing "adb reboot-bootloader" ( i guess it should be obvious that your phone needs to be connected via usb allready )
- ( you can also just hold the power button on your phone and pick bootloader at the boot-menu, just as you like.
- arrived at bootloader, make sure you phone shows "fastboot-usb"
- write "fastboot oem rebootRUU" inside the cmd window -> phone should boot into the RUU modus.
- write "fastboot flash zip firmware-6.12.1540.4.zip" (not fastboot".exe" - just fastboot ... ) -> make sure you use the correct name of the zip. - you need use the filename of the firmware that you ve copied into the adb folder at the beginning. - to prevent issues, you should rename the firmware zip to something simple. - like just firmware.zip or firm.zip, without that versionsnumber. - its just easier for you to write that into the cmd window and you will be sure that issues might be not related to some wrong written filename.
done.
edit: @sceryavuz is htc_fastboot anything special or just the normal adb? if it is different, may you explain to me what it is?
What is the advantage of the Developer edition?
Can I do this with a vzw m8? I want to see if this helps me run GPE and AOSP roms without the cellular issues I've been having. Also, can I change back as well?
Sent from my HTC6525LVW using XDA-Developers mobile app
edit: @sceryavuz is htc_fastboot anything special or just the normal adb? if it is different, may you explain to me what it is?[/QUOTE]
htc_fastboot you need this for flashing firmware. Security reasons. You can't flash recovery, for example with this.
fastboot it's for everithing else, other than firmware.
For me it was like that, at least..
vladaxx said:
What is the advantage of the Developer edition?
Click to expand...
Click to collapse
It is the full unlocked rom, you can do anything with Developer Edition without any errors. This is the most stable version.
Dan Tekle said:
Can I do this with a vzw m8? I want to see if this helps me run GPE and AOSP roms without the cellular issues I've been having. Also, can I change back as well?
Sent from my HTC6525LVW using XDA-Developers mobile app
Click to expand...
Click to collapse
I don't know if it is work or not? I have AT&T device and it works. Sprint and verizon device may have specific modem.
_moelle said:
dunno if i m reading that paths wrong but it looks you did something wrong related to the filepaths of the firmware and adb itself. - go into your folder were adb is located. might be inside your One-M8-All-In-One_Kit folder ....then paste the firmware zip in just the same folder. ( location of adb ) ....after that, navigate to that adb location/folder, (you should actually be there because you have just copied the firmware zip into that folder ..so skip that .... press shift + right mousebutton on empty space inside of the folder ( so dont start any program or click on a file, just hold shift and press the right mousekey to open die normal windows dialog window where you can change the view of the folder or add new files etc. )
by using the shift+right mouse key combi, u will see another option inside of that dialog apart from the common stuff you normally have listed. -> "open command prompt right here" ( or something similar, dunno the exact wording in english )
so click that order, it will open up the windows console (cmd) -> make your phone reboot to the bootloader by writing "adb reboot-bootloader" ( i guess it should be obvious that your phone needs to be connected via usb allready )
- ( you can also just hold the power button on your phone and pick bootloader at the boot-menu, just as you like.
- arrived at bootloader, make sure you phone shows "fastboot-usb"
- write "fastboot oem rebootRUU" inside the cmd window -> phone should boot into the RUU modus.
- write "fastboot flash zip firmware-6.12.1540.4.zip" (not fastboot".exe" - just fastboot ... ) -> make sure you use the correct name of the zip. - you need use the filename of the firmware that you ve copied into the adb folder at the beginning. - to prevent issues, you should rename the firmware zip to something simple. - like just firmware.zip or firm.zip, without that versionsnumber. - its just easier for you to write that into the cmd window and you will be sure that issues might be not related to some wrong written filename.
done.
edit: @sceryavuz is htc_fastboot anything special or just the normal adb? if it is different, may you explain to me what it is?
Click to expand...
Click to collapse
htc_fastboot is stock fastboot that released by htc. You can use your fastboot already have. htc_fastboot check all zip or img file for compatibility.
null0seven said:
edit: @sceryavuz is htc_fastboot anything special or just the normal adb? if it is different, may you explain to me what it is?
htc_fastboot you need this for flashing firmware. Security reasons. You can't flash recovery, for example with this.
fastboot it's for everithing else, other than firmware.
For me it was like that, at least..
Click to expand...
Click to collapse
Yes, mostly agreed (security and compatibility reasons). You can flash TWRP with htc_fastboot
@monoar30 @_moelle @Dan Tekle @null0seven @sceryavuz
hey guys just to make it sense
you can't convert CDMA ( device) firmware to GSM firmware
sprint and Verizon can't be converted to any other GSM firmware
HTC_fastboot used to flash big .zip as you can flash any thing by regular fastboot but RUU.zip needs to be flashed by HTC_fastboot
Did anyone with Verizon M8 manage to install it?
I managed to change CID, MID and install firmware without any errors, but when I try to flash rom.zip it says file is too large. Also the device doesn't recognize SIM card when on Developer Edition firmware. I guess this is because of the hardware difference, we won't be able to get this ROM working.
M.Ned said:
Did anyone with Verizon M8 manage to install it?
I managed to change CID, MID and install firmware without any errors, but when I try to flash rom.zip it says file is too large. Also the device doesn't recognize SIM card when on Developer Edition firmware. I guess this is because of the hardware difference, we won't be able to get this ROM working.
Click to expand...
Click to collapse
you are lucky if your device still working
read the post above yours
you can't flash GSM firmware on CDMA device because the hardware is different
i have a verizon htc one M8, unlocked, S-OFF, SuperCID, rooted, boot loader unlocked working with GSM carrier in India, I unlocked couple more LTE bands etc. Can I flash this as I don't have the CDMA only device?
Chandresh204 said:
i have a verizon htc one M8, unlocked, S-OFF, SuperCID, rooted, boot loader unlocked working with GSM carrier in India, I unlocked couple more LTE bands etc. Can I flash this as I don't have the CDMA only device?
Click to expand...
Click to collapse
if your device hardware match the GSM variant then you can
if didn't then you can't
(bootloader) version: 0.5
(bootloader) version-bootloader: 3.19.0.0000
(bootloader) version-baseband: 1.29.214500021.24_2G
(bootloader) version-cpld: None
(bootloader) version-microp: None
(bootloader) version-main:
(bootloader) version-misc: PVT SHIP S-OFF
(bootloader) serialno: FA**************
(bootloader) imei: 99**************
(bootloader) imei2: Not Support
(bootloader) meid: 99**************
(bootloader) product: m8_whl
(bootloader) platform: hTCBmsm8974
(bootloader) modelid: 0P6B12000
(bootloader) cidnum: 11111111
(bootloader) battery-status: good
(bootloader) battery-voltage: 0mV
(bootloader) partition-layout: Generic
(bootloader) security: off
(bootloader) build-mode: SHIP
(bootloader) boot-mode: FASTBOOT
(bootloader) commitno-bootloader: 76df2b54
(bootloader) hbootpreupdate: 11
(bootloader) gencheckpt: 0
all: Done!
finished. total time: 0.017s
--------------------------------------------------------------------------------
Successfully able to change my cid as well as mid as previous its was 0P6B70000
So now i am still not able to install developer version rom
And Successfully flashed firmware-6.12.1540.4.zip
{F:\Utility\Softwares\Mobile Flushing\HTC one m8>fastboot flash zip firmware-6.12.1540.4.zip
sending 'zip' (31625 KB)...
OKAY [ 1.994s]
writing 'zip'...
(bootloader) zip header checking...
(bootloader) zip info parsing...
(bootloader) checking model ID...
(bootloader) checking custom ID...
(bootloader) start image[hboot] unzipping for pre-update check...
(bootloader) total_image_number=8
(bootloader) start image[hboot] flushing...
(bootloader) [RUU]WP,hboot,0
(bootloader) [RUU]WP,hboot,99
(bootloader) [RUU]WP,hboot,100
(bootloader) ...... Successful
(bootloader) current_image_number=0
(bootloader) current_image_number=1
(bootloader) current_image_number=2
(bootloader) current_image_number=3
(bootloader) current_image_number=4
(bootloader) current_image_number=5
(bootloader) current_image_number=6
(bootloader) current_image_number=7
FAILED (remote: 90 hboot pre-update! please flush image again immediately)
finished. total time: 3.177s
F:\Utility\Softwares\Mobile Flushing\HTC one m8>fastboot flash zip firmware-6.12.1540.4.zip
sending 'zip' (31625 KB)...
OKAY [ 2.004s]
writing 'zip'...
(bootloader) zip header checking...
(bootloader) zip info parsing...
(bootloader) checking model ID...
(bootloader) checking custom ID...
(bootloader) total_image_number=16
(bootloader) start image[adsp] unzipping & flushing...
(bootloader) [RUU]UZ,adsp,0
(bootloader) [RUU]UZ,adsp,11
(bootloader) [RUU]UZ,adsp,21
(bootloader) [RUU]UZ,adsp,33
(bootloader) [RUU]UZ,adsp,43
(bootloader) [RUU]UZ,adsp,54
(bootloader) [RUU]UZ,adsp,65
(bootloader) [RUU]UZ,adsp,75
(bootloader) [RUU]UZ,adsp,88
(bootloader) [RUU]UZ,adsp,98
(bootloader) [RUU]UZ,adsp,100
(bootloader) [RUU]WP,adsp,0
(bootloader) [RUU]WP,adsp,100
(bootloader) ...... Successful
(bootloader) current_image_number=0
(bootloader) start image[pg2fs_spcustom] unzipping & flushing...
(bootloader) [RUU]UZ,pg2fs_spcustom,0
(bootloader) [RUU]UZ,pg2fs_spcustom,45
(bootloader) [RUU]UZ,pg2fs_spcustom,99
(bootloader) [RUU]UZ,pg2fs_spcustom,100
(bootloader) ...... Successful
(bootloader) current_image_number=1
(bootloader) start image[rpm] unzipping & flushing...
(bootloader) [RUU]UZ,rpm,0
(bootloader) [RUU]UZ,rpm,100
(bootloader) [RUU]WP,rpm,0
(bootloader) [RUU]WP,rpm,100
(bootloader) ...... Successful
(bootloader) current_image_number=2
(bootloader) start image[sbl1] unzipping & flushing...
(bootloader) [RUU]UZ,sbl1,0
(bootloader) [RUU]UZ,sbl1,100
(bootloader) signature checking...
(bootloader) verified fail
(bootloader) ..... Bypassed
(bootloader) current_image_number=3
(bootloader) start image[sbl1] unzipping & flushing...
(bootloader) [RUU]UZ,sbl1,0
(bootloader) [RUU]UZ,sbl1,100
(bootloader) signature checking...
(bootloader) verified fail
(bootloader) ..... Bypassed
(bootloader) current_image_number=4
(bootloader) start image[sbl1] unzipping & flushing...
(bootloader) [RUU]UZ,sbl1,0
(bootloader) [RUU]UZ,sbl1,100
(bootloader) signature checking...
(bootloader) [RUU]WP,sbl1,0
(bootloader) [RUU]WP,sbl1,100
(bootloader) ...... Successful
(bootloader) current_image_number=5
(bootloader) start image[sbl1] unzipping & flushing...
(bootloader) [RUU]UZ,sbl1,0
(bootloader) [RUU]UZ,sbl1,100
(bootloader) signature checking...
(bootloader) verified fail
(bootloader) ..... Bypassed
(bootloader) current_image_number=6
(bootloader) start image[sdi] unzipping & flushing...
(bootloader) [RUU]UZ,sdi,0
(bootloader) [RUU]UZ,sdi,100
(bootloader) [RUU]WP,sdi,0
(bootloader) [RUU]WP,sdi,100
(bootloader) ...... Successful
(bootloader) current_image_number=7
(bootloader) start image[sensor_hub] unzipping & flushing...
(bootloader) [RUU]UZ,sensor_hub,0
(bootloader) [RUU]UZ,sensor_hub,100
(bootloader) [RUU]WP,sensor_hub,0
(bootloader) [RUU]WP,sensor_hub,4
(bootloader) [RUU]WP,sensor_hub,8
(bootloader) [RUU]WP,sensor_hub,12
(bootloader) [RUU]WP,sensor_hub,16
(bootloader) [RUU]WP,sensor_hub,20
(bootloader) [RUU]WP,sensor_hub,24
(bootloader) [RUU]WP,sensor_hub,28
(bootloader) [RUU]WP,sensor_hub,32
(bootloader) [RUU]WP,sensor_hub,36
(bootloader) [RUU]WP,sensor_hub,40
(bootloader) [RUU]WP,sensor_hub,44
(bootloader) [RUU]WP,sensor_hub,48
(bootloader) [RUU]WP,sensor_hub,52
(bootloader) [RUU]WP,sensor_hub,56
(bootloader) [RUU]WP,sensor_hub,60
(bootloader) [RUU]WP,sensor_hub,64
(bootloader) [RUU]WP,sensor_hub,68
(bootloader) [RUU]WP,sensor_hub,72
(bootloader) [RUU]WP,sensor_hub,76
(bootloader) [RUU]WP,sensor_hub,80
(bootloader) [RUU]WP,sensor_hub,84
(bootloader) [RUU]WP,sensor_hub,88
(bootloader) [RUU]WP,sensor_hub,92
(bootloader) [RUU]WP,sensor_hub,96
(bootloader) [RUU]WP,sensor_hub,100
(bootloader) ...... Successful
(bootloader) current_image_number=8
(bootloader) start image[sp1] unzipping & flushing...
(bootloader) ...... Successful
(bootloader) current_image_number=9
(bootloader) start image[tp] unzipping & flushing...
(bootloader) ..... Bypassed
(bootloader) current_image_number=10
(bootloader) start image[tp] unzipping & flushing...
(bootloader) ..... Bypassed
(bootloader) current_image_number=11
(bootloader) start image[tz] unzipping & flushing...
(bootloader) ...... Successful
(bootloader) current_image_number=12
(bootloader) start image[wcnss] unzipping & flushing...
(bootloader) ...... Successful
(bootloader) current_image_number=13
(bootloader) start image[radio] unzipping & flushing...
(bootloader) trying to rename MBA
(bootloader) ...... Successful
(bootloader) current_image_number=14
(bootloader) start image[rcdata] unzipping & flushing...
(bootloader) ...... Successful
(bootloader) current_image_number=15
OKAY [ 59.617s]
finished. total time: 61.621s }
---------------------------------------------------
and when i am flashing rom.zip then its saying
F:\Utility\Softwares\Mobile Flushing\HTC one m8>fastboot flash zip rom.zip
load_file: could not allocate 1574717756 bytes
error: cannot load 'rom.zip'
so what should i do
Shakil Murm said:
(bootloader) product: m8_whl
Click to expand...
Click to collapse
Your device is m8_whl and this RUU is meant for m8_ul or m8_ul_ca only.
Return to stock .. if you're lucky you still can use your device but lose the ability to connect to 3G/4G/LTE.
(because you most probably already bricked the radio after your flash the firmware which is not meant for your device variant)
ckpv5 said:
Your device is m8_whl and this RUU is meant for m8_ul or m8_ul_ca only.
Return to stock .. if you're lucky you still can use your device but lose the ability to connect to 3G/4G/LTE.
(because you most probably already bricked the radio after your flash the firmware which is not meant for your device variant)
Click to expand...
Click to collapse
i'm trying to tell them that this method works on GSM devices only but no one read
please @sceryavuz ADD IT TO OP THIS METHOD WORKS ON GSM DEVICES ONLY NO VERIZON OR SPRINT
please ckpv5 am i right or not ??
RUU Not Working?
Hi,
I followed your instructions and the Developer Edition rom flashed and appears to be working fine, thanks very much.
After setting the phone up I wanted to try and test flashing again with RUU_M8_UL_M60_SENSE70_MR_BrightstarUS_WWE_6.12.1540.4.exe . The process fails after "Verifying information on your Android phone. Please wait..." with ERROR 170 USB CONNECTION ERROR. I've checked and the USB connection seems to be fine. Is this to be expected?
Thanks again.
0graham0 said:
Hi,
I followed your instructions and the Developer Edition rom flashed and appears to be working fine, thanks very much.
After setting the phone up I wanted to try and test flashing again with RUU_M8_UL_M60_SENSE70_MR_BrightstarUS_WWE_6.12.1540.4.exe . The process fails after "Verifying information on your Android phone. Please wait..." with ERROR 170 USB CONNECTION ERROR. I've checked and the USB connection seems to be fine. Is this to be expected?
Thanks again.
Click to expand...
Click to collapse
run the RUU while the device boot into fastboot and use USB 2 not USB 3
Sent from my HTC One M8 using XDA Labs
ahmed.ismael said:
run the RUU while the device boot into fastboot and use USB 2 not USB 3
Click to expand...
Click to collapse
ah, that did the trick. thanks very much.
I was unable to flash the rom.zip with google's fastboot.exe (recogniced wrong size, header error, etc.....)!
Use htc_fastboot.exe found in the same temporary folder as rom.zip!
Worked for me. Why flash firmware first??
OP instructions worked for me . Was coming from US AT&T / Cingular (Cricket?)
Why did we flash firmware zip firmware and THEN flash the RUU pulled from the temp folder?
Hi everyone,
First sorry for my English, I'm Vietnamese. I bought fire hd 8 6th used for a cheap price, I want to flash new rom via sideload becase i didn't find any topic about flashtool for fire hd tablet, so i decided to sideload it but unfortunately sideload processing to 47% and fail all of time, so i did some research and know that method only working on non modification devices, and my tablet already unlocked bootloader.. maybe, i knew it by using fastboot getvar unlocked and it say Yes. I thought with unblocked bootloader might be able to flash custom recovery to install a new rom, i tried and the results is writing recovery done but when device boot to recovery mode by holding power + volume down button nothing appear still remain blackscreen with recovery mode text from bottom left and with the bonus thing is Stock recovery is gone. Just for my stupid action, its bricked with only fastboot mode is accessible
I'm sorry for taking to long. Please let me know if you have any advice and stock recovery please share me
Thank you so much!
Issue solved thanks for k4y0z. Here is the recovery image file
https://forum.xda-developers.com/showpost.php?p=79663247&postcount=21
and the instruction for create recovery
https://forum.xda-developers.com/showpost.php?p=79656602&postcount=10
vnhatduy2010 said:
Hi everyone,
First sorry for my English, I'm Vietnamese. I bought fire hd 8 6th used for a cheap price, I want to flash new rom via sideload becase i didn't find any topic about flashtool for fire hd tablet, so i decided to sideload it but unfortunately sideload processing to 47% and fail all of time, so i did some research and know that method only working on non modification devices, and my tablet already unlocked bootloader.. maybe, i knew it by using fastboot getvar unlocked and it say Yes. I thought with unblocked bootloader might be able to flash custom recovery to install a new rom, i tried and the results is writing recovery done but when device boot to recovery mode by holding power + volume down button nothing appear still remain blackscreen with recovery mode text from bottom left and with the bonus thing is Stock recovery is gone. Just for my stupid action, its bricked with only fastboot mode is accessible
I'm sorry for taking to long. Please let me know if you have any advice and stock recovery please share me
Thank you so much!
Click to expand...
Click to collapse
Impossible that you have unlocked BL. Can you post the output of fastboot getvar all?
Thanks!
Rortiz2 said:
Impossible that you have unlocked BL. Can you post the output of fastboot getvar all?
Thanks!
Click to expand...
Click to collapse
Hi sorry for late reply
this is the output of getvar all
C:\Users\1\Desktop\fire7\ADB FASTBOOT FILES WINDOWS>fastboot devices
G000L40360860685 fastboot
C:\Users\1\Desktop\fire7\ADB FASTBOOT FILES WINDOWS>fastboot getvar all
(bootloader) secure: yes
(bootloader) prod: 0
(bootloader) unlock_status: false
(bootloader) unlock_code: 0x2a2097d9656b4eed
(bootloader) serialno: G000L40360860685
(bootloader) max-download-size: 0x6d00000
(bootloader) partition-size:userdata: 69d6fbe00
(bootloader) partition-type:userdata: ext4
(bootloader) partition-sizeMT: 438000
(bootloader) partition-typeMT: ext4
(bootloader) partition-sizeersisbackup: 1000000
(bootloader) partition-typeersisbackup: ext4
(bootloader) partition-size:MISC: 80000
(bootloader) partition-type:MISC: ext4
(bootloader) partition-size:dfs: 20000000
(bootloader) partition-type:dfs: ext4
(bootloader) partition-size:dkernel: 1000000
(bootloader) partition-type:dkernel: ext4
(bootloader) partition-size:cache: 1a800000
(bootloader) partition-type:cache: ext4
(bootloader) partition-size:system: 64e48000
(bootloader) partition-type:system: ext4
(bootloader) partition-size:dkb: 100000
(bootloader) partition-type:dkb: raw data
(bootloader) partition-size:kb: 100000
(bootloader) partition-type:kb: raw data
(bootloader) partition-size:metadata: 2760000
(bootloader) partition-type:metadata: raw data
(bootloader) partition-size:tee2: 500000
(bootloader) partition-type:tee2: raw data
(bootloader) partition-size:tee1: 500000
(bootloader) partition-type:tee1: raw data
(bootloader) partition-size:frp: 100000
(bootloader) partition-type:frp: raw data
(bootloader) partition-size:expdb: a00000
(bootloader) partition-type:expdb: raw data
(bootloader) partition-size:logo: 800000
(bootloader) partition-type:logo: raw data
(bootloader) partition-sizeara: 80000
(bootloader) partition-typeara: raw data
(bootloader) partition-size:secro: 600000
(bootloader) partition-type:secro: ext4
(bootloader) partition-size:recovery: 1000000
(bootloader) partition-type:recovery: raw data
(bootloader) partition-size:boot: fe3000
(bootloader) partition-type:boot: raw data
(bootloader) partition-size:lk: 7d000
(bootloader) partition-type:lk: raw data
(bootloader) partition-size:seccfg: 40000
(bootloader) partition-type:seccfg: raw data
(bootloader) partition-sizerotect2: a00000
(bootloader) partition-typerotect2: ext4
(bootloader) partition-sizerotect1: a00000
(bootloader) partition-typerotect1: ext4
(bootloader) partition-size:nvram: 500000
(bootloader) partition-type:nvram: raw data
(bootloader) partition-sizeroinfo: 300000
(bootloader) partition-typeroinfo: raw data
(bootloader) partition-sizereloader: 40000
(bootloader) partition-typereloader: raw data
(bootloader) off-mode-charge: 1
(bootloader) warranty: no
(bootloader) unlocked: yes
(bootloader) secure: no
(bootloader) kernel: lk
(bootloader) product: GIZA
(bootloader) version-preloader: 0.1.00
(bootloader) version: 0.5
(bootloader) partition-size:userdata: 69d6fbe00
(bootloader) partition-type:userdata: ext4
(bootloader) partition-sizeMT: 438000
(bootloader) partition-typeMT: ext4
(bootloader) partition-sizeersisbackup: 1000000
(bootloader) partition-typeersisbackup: ext4
(bootloader) partition-size:MISC: 80000
(bootloader) partition-type:MISC: ext4
(bootloader) partition-size:dfs: 20000000
(bootloader) partition-type:dfs: ext4
(bootloader) partition-size:dkernel: 1000000
(bootloader) partition-type:dkernel: ext4
(bootloader) partition-size:cache: 1a800000
(bootloader) partition-type:cache: ext4
(bootloader) partition-size:system: 64e48000
(bootloader) partition-type:system: ext4
(bootloader) partition-size:dkb: 100000
(bootloader) partition-type:dkb: raw data
(bootloader) partition-size:kb: 100000
(bootloader) partition-type:kb: raw data
(bootloader) partition-size:metadata: 2760000
(bootloader) partition-type:metadata: raw data
(bootloader) partition-size:tee2: 500000
(bootloader) partition-type:tee2: raw data
(bootloader) partition-size:tee1: 500000
(bootloader) partition-type:tee1: raw data
(bootloader) partition-size:frp: 100000
(bootloader) partition-type:frp: raw data
(bootloader) partition-size:expdb: a00000
(bootloader) partition-type:expdb: raw data
(bootloader) partition-size:logo: 800000
(bootloader) partition-type:logo: raw data
(bootloader) partition-sizeara: 80000
(bootloader) partition-typeara: raw data
(bootloader) partition-size:secro: 600000
(bootloader) partition-type:secro: ext4
(bootloader) partition-size:recovery: 1000000
(bootloader) partition-type:recovery: raw data
(bootloader) partition-size:boot: fe3000
(bootloader) partition-type:boot: raw data
(bootloader) partition-size:lk: 7d000
(bootloader) partition-type:lk: raw data
(bootloader) partition-size:seccfg: 40000
(bootloader) partition-type:seccfg: raw data
(bootloader) partition-sizerotect2: a00000
(bootloader) partition-typerotect2: ext4
(bootloader) partition-sizerotect1: a00000
(bootloader) partition-typerotect1: ext4
(bootloader) partition-size:nvram: 500000
(bootloader) partition-type:nvram: raw data
(bootloader) partition-sizeroinfo: 300000
(bootloader) partition-typeroinfo: raw data
(bootloader) partition-sizereloader: 40000
(bootloader) partition-typereloader: raw data
all: Done!!
finished. total time: 0.207s
C:\Users\1\Desktop\fire7\ADB FASTBOOT FILES WINDOWS>
Click to expand...
Click to collapse
Thank you
vnhatduy2010 said:
Hi sorry for late reply
this is the output of getvar all
Code:
(bootloader) secure: yes
(bootloader) prod: 0
(bootloader) unlock_status: false
(bootloader) unlocked: yes
(bootloader) secure: no
Thank you
Click to expand...
Click to collapse
What?
You can create the recovery from the boot-image using the install-recovery.sh script.
If you have unmodified boot and system it should happen automatically on boot.
Otherwise you can modify the script to read boot.img from a file.
What?
You can create the recovery from the boot-image using the install-recovery.sh script.
If you have unmodified boot and system it should happen automatically on boot.
Otherwise you can modify the script to read boot.img from a file.
Click to expand...
Click to collapse
Hi that mean my device not unlocked yet?
I'm just google to find the firmware extractor tool, I manage to extract it and found recovery-from-boot.p file & install-recovery.sh inside /bin
I don't want to bother you but please I don't know what to do next to create recovery from sh file, the internet said that need using Linux OS but I don't know how to modify the script.
I will dualboot Ubuntu if necessary. Can you give me instruction?
Thanks~
vnhatduy2010 said:
Hi I'm just google to find the firmware extractor tool, I manage to extract it and found recovery-from-boot.p file & install-recovery.sh inside /bin
I don't want to bother you but please I don't know what to do next to create recovery from sh file, the internet said that need using Linux OS but I don't know how to modify the script.
I will dualboot Ubuntu if necessary. Can you give me instruction?
Thanks~
Click to expand...
Click to collapse
Post the contents of the script here please.
The firmware-bin is just a ZIP-file, no special tools needed to extract it.
vnhatduy2010 said:
Hi that mean my device not unlocked yet?
I'm just google to find the firmware extractor tool, I manage to extract it and found recovery-from-boot.p file & install-recovery.sh inside /bin
I don't want to bother you but please I don't know what to do next to create recovery from sh file, the internet said that need using Linux OS but I don't know how to modify the script.
I will dualboot Ubuntu if necessary. Can you give me instruction?
Thanks~
Click to expand...
Click to collapse
Are you sure that is the Fire HD8 2016? Nvm, yes it's 2016: GIZA.
How did you unlocked the BL?
k4y0z said:
Post the contents of the script here please.
The firmware-bin is just a ZIP-file, no special tools needed to extract it.
Click to expand...
Click to collapse
yes I extracted with Winrar but after that I stuck with img file and windows can't open that file type.
btw here is the scritpt
Code:
#!/system/bin/sh
if ! applypatch -c EMMC:/dev/block/platform/mtk-msdc.0/by-name/recovery:9218048:a1aff37711937c43c8bd4396803fb254a35db53a; then
applypatch -b /system/etc/recovery-resource.dat EMMC:/dev/block/platform/mtk-msdc.0/by-name/boot:8607744:05901192d8e64b20a9eabbddbf8b92b1ec0ca492 EMMC:/dev/block/platform/mtk-msdc.0/by-name/recovery a1aff37711937c43c8bd4396803fb254a35db53a 9218048 05901192d8e64b20a9eabbddbf8b92b1ec0ca492:/system/recovery-from-boot.p && echo "
Installing new recovery image: succeeded
" >> /cache/recovery/log || echo "
Installing new recovery image: failed
" >> /cache/recovery/log
else
log -t recovery "Recovery image already installed"
fi
Rortiz2 said:
Are you sure that is the Fire HD8 2016? Nvm, yes it's 2016: GIZA.
How did you unlocked the BL?
Click to expand...
Click to collapse
I don't know this is the used device maybe the old owner unlocked it, I'm not sure about it maybe my wrong,
did you noticed anything from my getvar output?
vnhatduy2010 said:
yes I extracted with Winrar but after that I stuck with img file and windows can't open that file type.
btw here is the scritpt
Code:
#!/system/bin/sh
if ! applypatch -c EMMC:/dev/block/platform/mtk-msdc.0/by-name/recovery:9218048:a1aff37711937c43c8bd4396803fb254a35db53a; then
applypatch -b /system/etc/recovery-resource.dat EMMC:/dev/block/platform/mtk-msdc.0/by-name/boot:8607744:05901192d8e64b20a9eabbddbf8b92b1ec0ca492 EMMC:/dev/block/platform/mtk-msdc.0/by-name/recovery a1aff37711937c43c8bd4396803fb254a35db53a 9218048 05901192d8e64b20a9eabbddbf8b92b1ec0ca492:/system/recovery-from-boot.p && echo "
Installing new recovery image: succeeded
" >> /cache/recovery/log || echo "
Installing new recovery image: failed
" >> /cache/recovery/log
else
log -t recovery "Recovery image already installed"
fi
Click to expand...
Click to collapse
OK, make sure the firmware you have extracted is the same version you have installed.
Then copy the boot.img from the firmware to /sdcard
Code:
adb push boot.img /sdcard/
Then go into adb shell and run the following command
Code:
applypatch -b /system/etc/recovery-resource.dat /sdcard/boot.img /sdcard/recovery.img a1aff37711937c43c8bd4396803fb254a35db53a 9218048 05901192d8e64b20a9eabbddbf8b92b1ec0ca492:/system/recovery-from-boot.p
It should create /sdcard/recovery.img
You can pull it
Code:
adb pull /sdcard/recovey.img
If it isn't the same version you have installed (or the files have been modified to prevent recovery from being overwritten), you will have to extract the files
Code:
/system/etc/recovery-resource.dat
/system/recovery-from-boot.p
and place them on the device as well.
Thanks k4y0z but like i said on first post when i boot into recovery mode by holding power + volume down, nothing come up only the blackscreen with recovery mode text and my pc only regconize fastboot mode but recovery mode pc regconize as MTP device and no devices attached in cmd even i'm trying to reinstall driver and try on different pc, that mean i can't use adb command.
it's no hope:crying:
{
"lightbox_close": "Close",
"lightbox_next": "Next",
"lightbox_previous": "Previous",
"lightbox_error": "The requested content cannot be loaded. Please try again later.",
"lightbox_start_slideshow": "Start slideshow",
"lightbox_stop_slideshow": "Stop slideshow",
"lightbox_full_screen": "Full screen",
"lightbox_thumbnails": "Thumbnails",
"lightbox_download": "Download",
"lightbox_share": "Share",
"lightbox_zoom": "Zoom",
"lightbox_new_window": "New window",
"lightbox_toggle_sidebar": "Toggle sidebar"
}
vnhatduy2010 said:
Thanks k4y0z but like i said on first post when i boot into recovery mode by holding power + volume down, nothing come up only the blackscreen with recovery mode text and my pc only regconize fastboot mode but recovery mode pc regconize as MTP device and no devices attached in cmd even i'm trying to reinstall driver and try on different pc, that mean i can't use adb command.
it's no hope:crying:
Click to expand...
Click to collapse
Yes it's likely your recovery is broken.
You will have to flash the recovery produced by the scripts.
Make sure you are using the correct versions of all the files.
k4y0z said:
Yes it's likely your recovery is broken.
You will have to flash the recovery produced by the scripts.
Make sure you are using the correct versions of all the files.
Click to expand...
Click to collapse
Why he has the BL unlocked if it is a HD8 2016? Did you ported the exploit to that device?
Rortiz2 said:
Why he has the BL unlocked if it is a HD8 2016? Did you ported the exploit to that device?
Click to expand...
Click to collapse
No, I don't own that device. I don't think it really is unlocked, but the getvar output seems to be self-contradicting, as I noted above:
(bootloader) secure: yes
(bootloader) prod: 0
(bootloader) unlock_status: false
(bootloader) unlocked: yes
(bootloader) secure: no
Click to expand...
Click to collapse
k4y0z said:
Yes it's likely your recovery is broken.
You will have to flash the recovery produced by the scripts.
Make sure you are using the correct versions of all the files.
Click to expand...
Click to collapse
you right recovery completely broken, i tried to figure out but still don't know how to flash recovery produce by the script can we flash recovery.img file from the other kindle fire tablet like Hd 7 or Hd 8 older gen?
k4y0z said:
No, I don't own that device. I don't think it really is unlocked, but the getvar output seems to be self-contradicting, as I noted above:
Click to expand...
Click to collapse
Amazing. Never saw that...
So he can flash the recovery tought fastboot right?
Rortiz2 said:
Amazing. Never saw that...
So he can flash the recovery tought fastboot right?
Click to expand...
Click to collapse
I hope so, if can be flash recovery it will great
Rortiz2 said:
Amazing. Never saw that...
So he can flash the recovery tought fastboot right?
Click to expand...
Click to collapse
vnhatduy2010 said:
I hope so, if can be flash recovery it will great
Click to expand...
Click to collapse
According to the OP, you said, that fastboot flash was working.
Another option would be to flash from a rooted system.
k4y0z said:
According to the OP, you said, that fastboot flash was working.
Another option would be to flash from a rooted system.
Click to expand...
Click to collapse
yeah, fastboot still working fine but recovery is broken so i can't access and using adb command just only fastboot command, fastboot flash recovery command working but when i reboot to recovery nothing come up, maybe recovery image not compatible with hd 8 6th gen
vnhatduy2010 said:
yeah, fastboot still working fine but recovery is broken so i can't access and using adb command just only fastboot command, fastboot flash recovery command working but when i reboot to recovery nothing come up, maybe recovery image not compatible with hd 8 6th gen
Click to expand...
Click to collapse
Well, what recovery are you flashing?
It needs to be for GIZA.
I have given you instructions how to create a proper recovery-image.
What firmware-version do you have installed?
I have 3 of these, so I'm being a little carefree.
I went into recovery and adb sideload flashed an older version, causing that one to go into a preloader loop (not a big deal)
I'd love to recover that one and it appears I can do so using some of the techniques found here https://forum.xda-developers.com/amazon-fire/development/unbrick-fire-7-5th-gen-downgrade-t3388747
I can definitely handshake at the beginning and read/write. On one of my working tablets I went into fastboot and ran `fastboot getvar all` and was able to see some partition sizes and offsets.
I've tried writing some things to the tablet stuck in preloader mode, but still not getting that one back to adb or fastboot. Some examples:
./write_mmc.py $((0x2000000)) boot.img
./write_mmc.py $((0x1F00000)) lk.bin
./write_mmc.py $((0x1500000)) tz.img
I can keep banging away at this but if anyone has a few more hints, I really could use a clue by four. Thanks!
PS: I imagine that these models (THEBES) could get some of the same goodness as the amonet versions but it has been low on people's priority.
paklids said:
I have 3 of these, so I'm being a little carefree.
I went into recovery and adb sideload flashed an older version, causing that one to go into a preloader loop (not a big deal)
I'd love to recover that one and it appears I can do so using some of the techniques found here https://forum.xda-developers.com/amazon-fire/development/unbrick-fire-7-5th-gen-downgrade-t3388747
I can definitely handshake at the beginning and read/write. On one of my working tablets I went into fastboot and ran `fastboot getvar all` and was able to see some partition sizes and offsets.
I've tried writing some things to the tablet stuck in preloader mode, but still not getting that one back to adb or fastboot. Some examples:
./write_mmc.py $((0x2000000)) boot.img
./write_mmc.py $((0x1F00000)) lk.bin
./write_mmc.py $((0x1500000)) tz.img
I can keep banging away at this but if anyone has a few more hints, I really could use a clue by four. Thanks!
PS: I imagine that these models (THEBES) could get some of the same goodness as the amonet versions but it has been low on people's priority.
Click to expand...
Click to collapse
Hi,
So looks like you downgraded the Preloader to version that has non-patched rw commands:good:
I can try to help you. If you want, just PM me.
Regards.
I'm going to add some details to the thread so peeps know where I'm coming from and where I'm going:
This unit, if you want to get into adb you'll need to enable adb debugging in the menu. After that you cannot reboot directly into fastboot mode, but you can hop over to recovery and then do it from there:
`adb reboot recovery` then select `reboot to recovery`
When the unit is stock (in my case v5.6.1.0) and on adb - the lsusb is:
Bus 005 Device 124: ID 1949:0212 Lab126, Inc.
& on fastboot lsusb reports:
Bus 005 Device 003: ID 0bb4:0c01 HTC (High Tech Computer Corp.) Dream / ADP1 / G1 / Magic / Tattoo
(Hey...that looks familiar! I had an HTC Magic that I rooted the first day I owned it)
What did I do to put this unit in preloader loop? I booted into revocery and used adb sideload to flash (I *think*) update-kindle-32.5.2.2_user_522054520.bin . After that the screen went black and I could see it rebooting because the USB would come up and then back down. lsusb would then report:
Bus 001 Device 105: ID 0e8d:3000 MediaTek Inc.
I hope this helps any of you follow along in case you are trying to recover your Fire HD 8 5th gen (2015)
Oh, and here are the details I gathered from the known working tablet:
fastboot getvar all
(bootloader) unlock_status: false
(bootloader) unlock_version: 1
(bootloader) unlock_code: 0xFFFFFFFFFFFFFFFF
(bootloader) prod: 1
(bootloader) serialno: FFFFFFFFFFFFFFFF
(bootloader) partition-offset:userdata: 5ec80000
(bootloader) partition-size:userdata: 173bfbe00
(bootloader) partition-type:userdata: unknown
(bootloader) partition-offset:cache: 4f280000
(bootloader) partition-size:cache: fa00000
(bootloader) partition-type:cache: unknown
(bootloader) partition-offset:system: 4280000
(bootloader) partition-size:system: 4b000000
(bootloader) partition-type:system: unknown
(bootloader) partition-offsetersisbackup: 3280000
(bootloader) partition-sizeersisbackup: 1000000
(bootloader) partition-typeersisbackup: unknown
(bootloader) partition-offset:MISC: 3200000
(bootloader) partition-size:MISC: 80000
(bootloader) partition-type:MISC: unknown
(bootloader) partition-offsetKB: 3100000
(bootloader) partition-sizeKB: 100000
(bootloader) partition-typeKB: unknown
(bootloader) partition-offset:KB: 3000000
(bootloader) partition-size:KB: 100000
(bootloader) partition-type:KB: unknown
(bootloader) partition-offset:recovery: 2800000
(bootloader) partition-size:recovery: 800000
(bootloader) partition-type:recovery: unknown
(bootloader) partition-offset:boot: 2000000
(bootloader) partition-size:boot: 800000
(bootloader) partition-type:boot: unknown
(bootloader) partition-offset:UBOOT: 1f00000
(bootloader) partition-size:UBOOT: 100000
(bootloader) partition-type:UBOOT: unknown
(bootloader) partition-offset:TEE2: 1a00000
(bootloader) partition-size:TEE2: 500000
(bootloader) partition-type:TEE2: unknown
(bootloader) partition-offset:TEE1: 1500000
(bootloader) partition-size:TEE1: 500000
(bootloader) partition-type:TEE1: unknown
(bootloader) partition-offsetMT: 1100000
(bootloader) partition-sizeMT: 400000
(bootloader) partition-typeMT: unknown
(bootloader) partition-offsetRO_INFO: 1008000
(bootloader) partition-sizeRO_INFO: 20000
(bootloader) partition-typeRO_INFO: unknown
(bootloader) max-download-size: 52429824
(bootloader) kernel: lk
(bootloader) product: THEBES
(bootloader) version: 0.5
(bootloader) unlocked: not unlocked
(bootloader) production: Unknown
all: Done!!
So I did confirm that you can get the tablet (in my case tablet number 2) into preloader mode by booting to recovery and side loading the update that I mentioned before. For reference:
md5sum update-kindle-32.5.2.2_user_522054520.bin
615019d226954c2e4e2f98613151bc75 update-kindle-32.5.2.2_user_522054520.bin
paklids said:
I have 3 of these, so I'm being a little carefree.
...
I've tried writing some things to the tablet stuck in preloader mode, but still not getting that one back to adb or fastboot. Some examples:
./write_mmc.py $((0x2000000)) boot.img
./write_mmc.py $((0x1F00000)) lk.bin
./write_mmc.py $((0x1500000)) tz.img
I can keep banging away at this but if anyone has a few more hints, I really could use a clue by four. Thanks!
PS: I imagine that these models (THEBES) could get some of the same goodness as the amonet versions but it has been low on people's priority.
Click to expand...
Click to collapse
paklids said:
So I did confirm that you can get the tablet (in my case tablet number 2) into preloader mode by booting to recovery and side loading the update that I mentioned before. For reference:
md5sum update-kindle-32.5.2.2_user_522054520.bin
615019d226954c2e4e2f98613151bc75 update-kindle-32.5.2.2_user_522054520.bin
Click to expand...
Click to collapse
You gotta be careful with write_mmc.py and ensure that you have the addresses right! Those can be quite tricky, you should go through the Fire HD 2014 thread which has the same chipset:
https://forum.xda-developers.com/fire-hd/development/unbrick-fire-hd-6-7-flashing-lollipop-t3405797
You will need to replace TZ/LK to the version you had before the downgrade. Then it should boot, and you may be able to root FireOS via KingRoot or something (if it's vulnerable). If your preloader version changed, then you cannot do anything since there is no way to write preloader via write_mmc.py. I think the recent scripts by @k4y0z can query the versions of PL/TZ/LK, see if you can do that too, just to make sure that PL does not need to be replaced, and to get an idea which versions you are dealing with.
Edit: Here is how you can see which versions of PL/TZ/LK you have (remove the junk - I copied this from another script):
Code:
tee_version=$((`adb shell getprop ro.boot.tee_version | dos2unix`))
lk_version=$((`adb shell getprop ro.boot.lk_version | dos2unix`))
pl_version=$((`adb shell getprop ro.boot.pl_version | dos2unix`))
Just a note for anyone else, sometimes running ./handshake.py as a regular user will just continue waiting. I ran it as root and it completed quickly. This isn't uncommon with a number of linux distributions (I'm on Debian 9 Stretch) because of the permissions on /dev/tty type devices. It's always recommended that if you can run it as a regular user, then that is better. It may be possible to use sudo to do this as well.
bibikalka said:
You gotta be careful with write_mmc.py and ensure that you have the addresses right! Those can be quite tricky, you should go through the Fire HD 2014 thread which has the same chipset:
https://forum.xda-developers.com/fire-hd/development/unbrick-fire-hd-6-7-flashing-lollipop-t3405797
You will need to replace TZ/LK to the version you had before the downgrade. Then it should boot, and you may be able to root FireOS via KingRoot or something (if it's vulnerable). If your preloader version changed, then you cannot do anything since there is no way to write preloader via write_mmc.py. I think the recent scripts by @k4y0z can query the versions of PL/TZ/LK, see if you can do that too, just to make sure that PL does not need to be replaced, and to get an idea which versions you are dealing with.
Edit: Here is how you can see which versions of PL/TZ/LK you have (remove the junk - I copied this from another script):
Code:
tee_version=$((`adb shell getprop ro.boot.tee_version | dos2unix`))
lk_version=$((`adb shell getprop ro.boot.lk_version | dos2unix`))
pl_version=$((`adb shell getprop ro.boot.pl_version | dos2unix`))
Click to expand...
Click to collapse
Yup, thebes and ariel share same CPU
So, now that we know Preloader is vulerable, we can flash a prerooted system.img (Yes, will take a lot of time).
Probably Amazon patched up this in latest preloaders but downgrading the Preloader and then restoring correct TZ, LK and flash the rooted system img may do the trick
Regards.
Rortiz2 said:
Yup, thebes and ariel share same CPU
So, now that we know Preloader is vulerable, we can flash a prerooted system.img (Yes, will take a lot of time).
Probably Amazon patched up this in latest preloaders but downgrading the Preloader and then restoring correct TZ, LK and flash the rooted system img may do the trick
Regards.
Click to expand...
Click to collapse
This is too slow. The first order of business would be to update LK/TZ and see if it boots. If it does, then just do Kingroot: https://forum.xda-developers.com/showpost.php?p=63061585&postcount=4
If PL also has downgrade protection, it will still not boot. Then RPMB needs to be cleared for which we don't have a procedure (yet).
bibikalka said:
This is too slow. The first order of business would be to update LK/TZ and see if it boots. If it does, then just do Kingroot: https://forum.xda-developers.com/showpost.php?p=63061585&postcount=4
If PL also has downgrade protection, it will still not boot. Then RPMB needs to be cleared for which we don't have a procedure (yet).
Click to expand...
Click to collapse
any one cant root this ?