[S-OFF] BLACKROSE (Custom HBOOT) [2012.04.21]

dla5244 (Retired Recognized Developer)
BlackRose

This is a Nexus One custom bootloader (based on HBOOT 0.35.2017)

FEATURE

Security OFF
No padlock mark, even when unlocked
Password protection
Engineering commands
BlackRose custom commands
Change boot logo
Resize partitions
Select menu entries by pressing the trackball
Switch vibration at boot
CRC32 check function
Prevents HBOOT from being overwritten by RUU


REQUIRE

Windows PC or Linux PC
USB Debugging (ADB) ON (Settings > Applications > Development > USB Debugging)
Connect USB before executing the BlackRose installer

ADB and Fastboot USB Driver - Windows
http://www.mediafire.com/?bhxmn903d6cz9eg

GO

Windows PC: BlackRose.exe
Linux PC: BlackRose

Possible arguments
skip: go to the BlackRose menu immediately (not recommended, because the HBOOT version check step is skipped)
editor: go to the BlackRose editor (standalone)

Guide
Install
http://www.youtube.com/watch?v=cC7nyRxVvk4
Uninstall
http://www.youtube.com/watch?v=mGrnDsSrS5s
Update(from 120215)
http://www.youtube.com/watch?v=TK5kepkO9oI
Resize partition
http://www.youtube.com/watch?v=ScIMetgk7Zw
Execute BREditor(standalone)
http://www.youtube.com/watch?v=FSbSL4kUloQ

*. Those using an older custom BlackRose version (e.g. 111231): since the older version can't communicate with the BlackRose installer, you need to follow these directions.
Once you have followed them, you will not need to do this again.

1. Customize the same partition layout as before using the BlackRose editor (see "Execute BREditor")
2. fastboot flash hboot hboot_brcust.nb0
3. fastboot reboot


*. If you are using Mac OS X and the installer fails,
download blackrose_manual_120421.zip and follow the instructions in the zip file

Change Log

120421

Disable password protection (temporary)
*. As you know, there is no way to recover the password.
That's why I designed a 2nd password.
I received many messages about forgotten passwords.
So I decided to disable password protection until I design a new solution.

Fix stock BlackRose partition layout label.

120216

Bootloader(HBOOT)
Add new function (I will not reveal it; it doesn't matter for normal users)

120215

Bootloader(HBOOT)
Change message when protected by password (not allowed -> protected)
Add bootloader command line in order to communicate with the BlackRose installer

Installer

Now supports the HBOOT versions below
0.33.0012
0.33.2012
0.35.0017
0.35.2017
7.35.5017(BlackRose)

Recreated program (not rebuilt but recreated :D)
1. BREditor has been merged
2. Install process has been revamped
3. Communicates with HBOOT
4. Convenient, optimized
5. Etc.
* Since I'm not a god, please feel free to report bugs

111231

Happy New Year!

HBOOT(Bootloader)
Update release date (because it's the last day of 2011)

Installer and Editor
Common: Executable is not packed (fixes the problem of the executable being deleted by virus scanners)
Installer: Improve install process
Update exploit

Installer: Fix install bug (perfectly, 111231_2)

Installer: Improve installer (111231_3)
Editor: Bug fix (111231_3)

111217

HBOOT(Bootloader)
New CRC32 function
(this function is used to make the custom bootloader)

Installer and Editor
Installer: Can flash ANY bootloader
Editor: Show warning message when setting a password

Editor: bug fix (partition and "understand" bug, 111217_2)

111208

HBOOT(Bootloader)
Password protection
Rebase BlackRose custom commands
Remove unlock, lock commands
Remove simlock menu (replaced by powerdown)
Remove clearstorage menu (replaced by reboot)
Display off/on message when switching vibration at boot
Add extension label (no more need to identify 5017 or 5117)
Bug fix (getvar version)
Cleanup

Installer and Editor
Improve BlackRose installer
New BlackRose editor (you must use this)

BREditor: make it clear (password -> protection) (111208_2)
BREditor: password bug fix (111208_3)

111128

Fix BlackRose custom command problem (brcmd 5)
Improve BlackRose installer

111126

Select menu by using the trackball instead of the power key (default)
*. I analysed the key dispatch routine perfectly and revamped the routine.
I recommend updating to BlackRose 111126 because it is better than 111125

Fix key label

111125

Switch trackball selection (permanent!!!, see Advanced section)
etc.

111118

HBOOT(Bootloader)
Can't flash images without a signature when S-ON
(can't flash an unsigned RUU, but can flash with the flash command? That's not fair.)
Change command (oem brset -> oem brcmd)
New commands (brcmd 2, brcmd 5)

Installer
Can apply custom-partition BlackRose (see Advanced section, more easily)
Can update BlackRose from a custom-partition BlackRose (see Update section)

Can install BlackRose even if you haven't achieved adb root permission (111118_2)
Fix BlackRose Windows installer error (111118_3)
Rebase BlackRose installer (111118_4)
Fix BlackRose installer error (111118_5)

111111

Change title color
Can flash some images (boot, recovery, system, userdata, radio, zimage) even when S-ON and the bootloader is locked
Rework writemainver (reason: when you uninstall BlackRose, the stored mainversion will be cleared)
Add custom command (fastboot oem brset)
Can switch vibration at boot
Can select by pressing the trackball (see Advanced section in BlackRose installer)
Optimization and cleanup

Can install BlackRose on Linux (111111_2)
Fix BlackRose Linux installer error (111111_3)

111009
When you update the ROM (by PASSIMG or RUU), BlackRose doesn't write a new mainver

111006
New base: 0.35.2017 (engineering HBOOT) - thanks to PhaseBurn :)
Original image (0.35.2017): http://xdaforums.com/showpost.php?p=18141273&postcount=116

No padlock mark (even when you have unlocked the bootloader)
Prevents HBOOT from being overwritten by OTA or RUU
Disable fastboot command (oem unlock), because there is no need to unlock the bootloader
Can receive Google OTA

FAQ

1. Phone is bricked, the screen doesn't turn on

You have flashed an unsigned RADIO.
If you want to unbrick your phone, the answer is JTAG or an HTC service center (the engineer can refuse to repair your phone).

2. Can I lock the bootloader again?

To relock the bootloader, you have to achieve radio S-OFF (secu_flag=0); otherwise you will see the error [Lock Failed].

3. How to achieve radio S-OFF?

AT@SIMLOCK=7,0 or AT@SIMLOCK=8,0

I disassembled the radio (AMSS);
it needs an HTC special SIM card or a SIM emulator (XTC-CLIP).

but...
If we can disable the SMI-MPU and modify only one byte of the AMSS routine in SDRAM,
we can achieve radio S-OFF without the HTC special card.

4. I can't update the radio by using recovery.

If the cache partition is smaller than the radio image, you can't update the radio using recovery,
so I suggest this way to update the radio:

fastboot flash radio [RADIO IMAGE (e.g. radio.img)]

5. I can't see my device when executing the BlackRose installer

If you are using a Sense ROM, adb devices doesn't work.
You must install HTC Sync.

-Thanks for your favor-

Donation

rugmankc
efrant
madj42
fzr-r4
texasice
gdarren


WOW, I cannot appreciate it enough :)

Lecahel
 

Attachments

  • amss.JPG (84.4 KB)
  • blackrose_120421.zip (884.3 KB)
  • blackrose_manual_120421.zip (399.3 KB)

dla5244 (Retired Recognized Developer)
Supplement

BlackRose custom command

fastboot oem brcmd [command]

svib : Enable/disable vibration at boot (no output string, but the setting is changed)
brec : Go to recovery mode
pass [password] : Create encrypted password / authenticate

Change boot logo

1. Prepare a 480x800 BMP file to change to
2. nbimg.exe -F [BMP FILE] -n
3. Rename the *.nb file to splash1.img
4. fastboot flash splash1 [SPLASH1 IMG]

Password Protection

1. fastboot oem brcmd pass [ORIGINAL PASSWORD]
2. Note your encrypted value
3. Input the encrypted value in BREditor
4. Apply custom BlackRose

NEVER input the original password in BREditor

If you would like to unlock protection:
fastboot oem brcmd pass [ORIGINAL PASSWORD]

TIP
In the locked state, the oem pass command works as the unlock method;
otherwise, it creates the encrypted password.

If you type the wrong password three times in a row, the device is turned off.

Apply custom BlackRose
*. If you use the BlackRose installer method, there is no need to read this

Apply
1. fastboot flash hboot [CUSTOM BLACKROSE BINARY]
2. fastboot reboot-bootloader

If you are changing the partition layout
1. fastboot flash hboot [CUSTOM BLACKROSE BINARY]
2. fastboot reboot-bootloader
3. fastboot erase cache
4. fastboot oem brcmd brec
5. Full wipe
6. Update ROM
7. Reboot
 

Attachments

  • nbimg.zip (10.7 KB)
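The boot-logo steps in the supplement above (a 480x800 BMP converted with nbimg and flashed to splash1) are easy to get wrong by feeding nbimg a BMP of the wrong size. The following shell script is an added example, not the supplement's own tooling and not the BlackRose installer's code: it reads the width and height out of the BMP header and refuses to convert or flash anything that is not 480x800. It assumes the standard 54-byte BMP header layout (width at byte offset 18, height at offset 22, a negative height meaning a top-down image), that nbimg writes its output as <input>.nb next to the input, and that nbimg and fastboot are on PATH. The make_bmp_header helper builds a constructed, header-only sample so the dimension check can be exercised without a real image.

```shell
#!/bin/sh
# Added example (not part of the BlackRose supplement): check that a boot-logo BMP
# really is 480x800 before running nbimg and flashing the result to splash1.
# Assumption: standard BMP layout, width at byte 18 and height at byte 22 of the file,
# both little-endian signed 32-bit; a negative height is a top-down bitmap.
set -u

SPLASH_W=480
SPLASH_H=800

# Print "<width> <height>" for a BMP file (height made positive); fail if not a BMP.
bmp_dimensions() {
  [ "$(od -An -c -N 2 "$1" | tr -d ' ')" = "BM" ] || return 1
  od -An -t d4 -j 18 -N 8 "$1" | awk '{h=$2; if (h<0) h=-h; print $1, h}'
}

# Return 0 only if the BMP is exactly SPLASH_W x SPLASH_H.
check_splash_bmp() {
  dims="$(bmp_dimensions "$1")" || return 1
  [ "$dims" = "$SPLASH_W $SPLASH_H" ]
}

# Write a 4-byte little-endian integer to stdout (used to build the sample header).
le32() {
  n=$1
  i=0
  while [ $i -lt 4 ]; do
    printf "\\$(printf '%03o' $(( (n >> (8 * i)) & 255 )))"
    i=$((i + 1))
  done
}

# Build a constructed, header-only 24-bit BMP: $1 width, $2 height, $3 output path.
# No pixel data is written; this exists only to exercise bmp_dimensions.
make_bmp_header() {
  w=$1; h=$2; out=$3
  ah=$h
  if [ "$ah" -lt 0 ]; then ah=$((-ah)); fi
  {
    printf 'BM'
    le32 $((54 + w * ah * 3))     # declared file size for a 24-bit image
    le32 0                         # reserved
    le32 54                        # pixel data offset
    le32 40                        # BITMAPINFOHEADER size
    le32 "$w"
    le32 "$h"
    printf '\001\000\030\000'      # 1 colour plane, 24 bits per pixel
    le32 0; le32 0; le32 0; le32 0; le32 0; le32 0   # compression .. important colours
  } > "$out"
}

# Validate, convert with nbimg, and flash to splash1 (nbimg and fastboot on PATH).
flash_splash() {
  bmp="$1"
  check_splash_bmp "$bmp" || { echo "$bmp is not a ${SPLASH_W}x${SPLASH_H} BMP; refusing to flash" >&2; return 1; }
  nbimg -F "$bmp" -n || return 1
  # Assumption: nbimg writes its output as "<input>.nb" beside the input file.
  mv "$bmp.nb" splash1.img || return 1
  fastboot flash splash1 splash1.img
}

# Usage: sh splash_check.sh flash mylogo.bmp
case "${1:-}" in
  flash) flash_splash "${2:?bmp path required}" ;;
esac
```

Run it as `sh splash_check.sh flash mylogo.bmp`; a BMP of any other size, or a non-BMP file, stops the script before nbimg or fastboot is touched.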

Jack_R1 (Senior Member)
It means - a hack that allows flashing anything anywhere as long as the hack is present. So, theoretically, if anyone would modify the bootloader code (done earlier in this thread, AFAIK) to allow bypassing security, this hack will allow flashing it. Also, possibly, this hack will allow flashing engineering bootloader.
 

blunden (Senior Member)
Impressive! A really interesting approach. Even though Radio S-OFF would be preferred, a modified hboot unlocks more commands than the current stock-unlocked hboot does, right?
 

dla5244 (Retired Recognized Developer)
Impressive! A really interesting approach. Even though Radio S-OFF would be preferred a modified hboot that unlocks more commands than the current stock-unlocked hboot does, right?

Yes, we can do anything (except radio).
I found hidden functions while disassembling hboot:
saveprt2sd, savemem2sd, mw etc...
I temporarily changed the oem lock function to saveprt2sd and it worked.

I found a 0.33.2012 hboot (ENG) image,
but since I use an SLCD Nexus One, I couldn't flash it.

BlackRose has potential

Sent from my Nexus One using XDA App

rjmohit (Senior Member)
It doesn't work. It shows a 'failed' result, saying that the file couldn't be verified or something. I tried out three different hboots, including the one you've provided, but it shows the same error every time. :-/

EDIT: Works perfectly. Got S-OFF. :)

maddie (Senior Member)
It doesn't work. It shows a 'failed' result, saying that the file couldn't be verified or something. I tried out three different hboots, including the one you've provided, but it shows the same error every time. :-/
I didn't see anything to bypass the signature verification during the process. I thought the only way to get the bootloader to accept the image is for the file itself to have a valid signature? How can you flash the image directly then? o_o
 

dla5244 (Retired Recognized Developer)
mistake

I didn't see anything to bypass the signature verification during the process. I thought the only way to get the bootloader to accept the image is for the file itself to have a valid signature? How can you flash the image directly then? o_o

OOPS, I made a mistake.
I uploaded it again.
Maybe this works well...

Please report back to me.

maddie (Senior Member)
Congratulations!
Also, you can flash hboot, splash1, etc. via the fastboot flash command.
Yes, I'm aware of that. It's good enough for me to just get rid of the annoying lock icon on the boot screen. ;-)

And what is gate.img exactly? I noticed that it was flashed as "boot" in fastboot, so I flashed my original kernel afterwards without booting into the system. Will it in any way affect the original system?

dla5244 (Retired Recognized Developer)
Yes, I'm aware of that. It's good enough for me to just get rid of the annoying lock icon on the boot screen. ;-)

And what is gate.img exactly? I noticed that it was flashed as "boot" in fastboot, so I flashed my original kernel afterwards without booting into the system. Will it in any way affect the original system?

Sorry for my English.

No, the 'fastboot boot' command does not affect the original system.
The boot command copies a kernel image to RAM and executes it.

gate.img is an exploit image (not a kernel).
As soon as gate.img is executed, it changes the bootloader code in RAM;
that's why you can flash the custom HBOOT on the stock HBOOT.

maddie (Senior Member)
Sorry for my English.

No, the 'fastboot boot' command does not affect the original system.
The boot command copies a kernel image to RAM and executes it.

gate.img is an exploit image (not a kernel).
As soon as gate.img is executed, it changes the bootloader code in RAM;
that's why you can flash the custom HBOOT on the stock HBOOT.
Your English is good enough to understand!

I see, I thought it was "flash" instead of "boot".

Thanks for your great work!
 

Top Liked Posts

*whistles innocently*

efrant,
Doesn't help :(

You are obviously doing something wrong.

Follow these steps:
1) Boot the device into fastboot mode and plug it into the computer;
2) Type fastboot devices to make sure your computer sees your device;
3) Download the attachment, extract the two files and place them in the same folder as your fastboot binary;
4) Type fastboot boot go.lol
5) Type fastboot flash hboot hboot_blackrose.nb0
6) Reboot into fastboot mode to make sure it installed. Done.

Note: The hboot_blackrose.nb0 attached is from an older version, so if you want a newer one, just flash it the same way...
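Putting the pieces of this thread together (the supported HBOOT list in the first post, the manual flash steps in the supplement, dla5244's explanation that the exploit image is only booted into RAM and patches the running bootloader, and the fastboot boot / fastboot flash hboot sequence in the post above), here is an added shell example that is not the BlackRose installer's code and not efrant's or dla5244's: it refuses to flash unless the device reports a supported HBOOT version, boots the exploit image only when the device is still on stock HBOOT, flashes the BlackRose HBOOT, and then checks that the bootloader now identifies itself as BlackRose. Assumptions not stated in the thread: the HBOOT version is read with fastboot getvar version-bootloader (fastboot prints it on stderr); an installed BlackRose reports 7.35.5017 as that string (the changelog lists 7.35.5017 as the BlackRose version the installer recognises); the exploit image is whatever file you pass in (go.lol here, gate.img in the earlier posts); and the short sleeps after fastboot boot and reboot-bootloader are only a guess at how long re-enumeration takes.

```shell
#!/bin/sh
# Added example (not the BlackRose installer's own logic): gate a manual BlackRose
# install on the HBOOT version the device reports, boot the exploit image into RAM,
# flash the BlackRose HBOOT, then confirm the new bootloader version string.
# Assumptions: "fastboot getvar version-bootloader" exposes the HBOOT version,
# and an installed BlackRose reports itself as 7.35.5017.
set -u

# HBOOT versions the 120215+ installer accepts, from the changelog in the first post.
SUPPORTED_HBOOTS="0.33.0012 0.33.2012 0.35.0017 0.35.2017 7.35.5017"
BLACKROSE_VERSION="7.35.5017"

# Return 0 if $1 is one of the supported HBOOT versions, 1 otherwise.
hboot_supported() {
  for v in $SUPPORTED_HBOOTS; do
    [ "$1" = "$v" ] && return 0
  done
  return 1
}

# Pull "x.y.zzzz" out of fastboot's getvar output (passed in as one string).
# fastboot writes "version-bootloader: 0.35.2017" to stderr, so capture with 2>&1.
parse_version_bootloader() {
  printf '%s\n' "$1" | sed -n 's/^version-bootloader:[[:space:]]*\([0-9][0-9.]*\).*/\1/p' | head -n 1
}

# Read the live version from the attached device (fastboot on PATH).
device_hboot_version() {
  parse_version_bootloader "$(fastboot getvar version-bootloader 2>&1)"
}

# Usage: install_blackrose <exploit image, e.g. go.lol or gate.img> <hboot_blackrose.nb0>
install_blackrose() {
  exploit="$1"; hboot="$2"
  [ -s "$exploit" ] && [ -s "$hboot" ] || { echo "missing image file" >&2; return 1; }
  fastboot devices 2>/dev/null | grep -q 'fastboot$' || { echo "no device in fastboot mode" >&2; return 1; }

  cur="$(device_hboot_version)"
  if ! hboot_supported "$cur"; then
    echo "HBOOT '$cur' is not in the supported list ($SUPPORTED_HBOOTS); refusing to flash" >&2
    return 1
  fi

  if [ "$cur" = "$BLACKROSE_VERSION" ]; then
    # Already BlackRose: unsigned hboot images are accepted directly (supplement steps).
    echo "BlackRose already installed; flashing the new HBOOT directly" >&2
  else
    # Stock HBOOT: the exploit image is only loaded into RAM and executed; it patches
    # the running bootloader so the following flash accepts the unsigned image.
    fastboot boot "$exploit" || return 1
    sleep 3   # assumption: give the patched bootloader a moment to re-enumerate
  fi

  fastboot flash hboot "$hboot" || return 1
  fastboot reboot-bootloader || return 1
  sleep 5     # assumption: wait for the device to come back in fastboot mode

  new="$(device_hboot_version)"
  if [ "$new" != "$BLACKROSE_VERSION" ]; then
    echo "device reports HBOOT '$new' after flash, expected $BLACKROSE_VERSION" >&2
    return 1
  fi
  echo "BlackRose $new installed"
}

# Usage: sh blackrose_install.sh install go.lol hboot_blackrose.nb0
case "${1:-}" in
  install) install_blackrose "${2:?exploit image required}" "${3:?hboot image required}" ;;
esac
```

The version gate is the same check the installer's `skip` argument bypasses (the first post warns against that); keeping it in a manual flow means an unexpected HBOOT string stops the script before anything is written, and the post-flash read of version-bootloader is the same "reboot into fastboot to make sure it installed" check from step 6 above, done by the script rather than by eye.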