How to start over: Fully rooted stock 1.47.651.1 in one shot (no adb!)


whitslack

Senior Member
Jun 23, 2010
196
18
*shrug* Really no credit is due to me. These files are almost straight from HTC. The only change I made to the OTAs was to add one line so they don't blow away the setuid-root permissions on /system/xbin/su.
In fact, you could actually flash the PC36IMG.zip and then install the official OTAs straight from HTC using the on-phone update process. Since neither of the OTAs included an HBOOT image, you'd still have the engineering HBOOT at the end of the OTA updates, so you could just use fastboot to flash the Amon RA recovery and then use the recovery to install the su-2.1-e-unsecure-signed.zip, and poof, you'd have root. The only foot in the door you need is the engineering HBOOT, and like I said, neither of the official OTAs touch it.
 

bprinehart

Senior Member
Jun 6, 2010
99
4
Ferndale, MD
You're using the released HBOOT, not the engineering one. Have you tried running the RUU exe?

I think I'm hosed. Every time I try to flash something, I get a signature verification failed, or a "Not Allowed" for example when I try to boot into recovery. It seems as though I lost all permissions. I was holding out some hope since I still had fastboot access, but that appears to be a dead end as well.

C:\Users\user\Downloads\android-sdk_r06-windows\android-sdk-windows\tools>fastboot.exe update PC36IMG.zip
archive does not contain 'boot.sig'
archive does not contain 'recovery.img'
archive does not contain 'system.sig'
--------------------------------------------
Bootloader Version...: 0.79.0000
Baseband Version.....: 1.39.00.05.31
Serial Number........:
--------------------------------------------
sending 'boot' (2280 KB)... OKAY
writing 'boot'... INFOsignature checking...
FAILED (remote: signature verify fail)
 

whitslack

Senior Member
Jun 23, 2010
196
18
You are my hero. This worked! How can I make a donation?
I don't want any donations. Believe it or not, this was actually insanely easy to put together. I just needed to have the right knowledge about how all this works, which I've been accruing over the past few days.
 

whitslack

Senior Member
Jun 23, 2010
196
18
I think I'm hosed. Every time I try to flash something, I get a signature verification failed, or a "Not Allowed" for example when I try to boot into recovery. It seems as though I lost all permissions. I was holding out some hope since I still had fastboot access, but that appears to be a dead end as well.
If you have only the released HBOOT (so fastboot won't flash anything) and a broken recovery and a broken system, then yeah, you're hosed. :(
 

Land Master

Senior Member
Jun 18, 2010
530
172
Highlands Ranch, CO.
In fact, you could actually flash the PC36IMG.zip and then install the official OTAs straight from HTC using the on-phone update process. Since neither of the OTAs included an HBOOT image, you'd still have the engineering HBOOT at the end of the OTA updates, so you could just use fastboot to flash the Amon RA recovery and then use the recovery to install the su-2.1-e-unsecure-signed.zip, and poof, you'd have root. The only foot in the door you need is the engineering HBOOT, and like I said, neither of the official OTAs touch it.

Yeah OK...If you say so :D

Honestly I am a n00b that has learned all I can in the last month. What you guys do and how you do it always impresses me but most of the technical stuff is over my head. I'm real good at following specific instructions to a T and have been successful so far. I have NOT attempted anything since the OTA was released.

With that said, I somewhat follow what you are saying but wonder why (if I understand correctly), if replacing the HBOOT gives us total control over the phone, it wasn't done from day one? Do I understand that the "root hole" that was patched by the latest OTA did NOT touch the HBOOT and that in order for them to "plug" it in the future they would need to push a new HBOOT file?

I know you will be busy addressing last minute questions so no obligation to answer these questions. I'm just curious and trying to learn even more.

Thanks again!
 

theoner1

Senior Member
Oct 10, 2008
536
54
If you're looking for a way to have working WiMAX with the 1.47.651.1 update and keep your root access, try this. It exhibits some interesting behavior at the end that is not seen with other update methods, which leads me to believe that this method does correctly upgrade the WiMAX. Awaiting confirmation of this from someone.


Step 1: Revert to the initial release of everything

This PC36IMG.zip contains all the original firmwares from the first released RUU (hboot, boot, recovery, system, userdata, microprocessor, touch panel, radio, and WiMAX), except the HBOOT has been replaced with the one from the engineering build (to give you unlocked NAND) and the recovery has been replaced with Amon RA 1.7.0.1 (so you can flash updates signed with the test keys).

  1. Download this file, rename it PC36IMG.zip, and put it on the root of your SD card however you like.
  2. Power off your phone.
  3. Hold down the Volume Down and Power buttons until the white screen appears.
  4. HBOOT will scan the PC36IMG.zip file. You'll see a blue progress bar on the right side of the screen.
  5. When it's finished scanning, it will ask if you want to start the update. Press the Volume Up button to answer Yes.
  6. Wait a while for it to flash all the images.
  7. When it finishes and asks if you want to reboot the device, press the Volume Up button to answer Yes.
  8. Your device is brand new again, except you have unlocked NAND and a custom recovery.
  9. Delete the PC36IMG.zip file from your SD card.

HUGE THANK YOU TO YOU, SIR!!! You, my friend, just made my day. I had a major problem after a bad flash and was up till 4am last night and again this evening until I saw your post. For whatever reason my bootloader would not let me flash any PC36IMG.zip without saying "Main version is older", but whatever your PC36IMG has got made my bootloader stop showing "Main version is older" (it kept looping the bootloader actually, which is a good thing compared to "Main version is older"). I then followed up with Toast root #2 again and BAM, EVERYTHING IS BACK TO NORMAL.

SO FOR EVERYONE WITH PROBLEMS AFTER THE NEW OTA UPDATE, try this man's PC36IMG.zip first, then follow with the Toast root #2 method. THANKS A MILLION FOR ALL YOUR HELP!!!!
 

whitslack

Senior Member
Jun 23, 2010
196
18
With that said, I somewhat follow what you are saying but wonder why (if I understand correctly), if replacing the HBOOT gives us total control over the phone, it wasn't done from day one? Do I understand that the "root hole" that was patched by the latest OTA did NOT touch the HBOOT and that in order for them to "plug" it in the future they would need to push a new HBOOT file?
Total control over the phone comes from fastboot, which is a utility in two parts: half of it lives on the phone as a piece of HBOOT, and the other half lives on the computer as the fastboot program. The release version of HBOOT has its half of fastboot crippled. The engineering version of HBOOT has a fully working fastboot.

With a working fastboot, you can overwrite any partition on the NAND with anything you want. It's carte blanche. That's all you need to flash a new system image (in .img format). Or, you can flash a custom recovery and use it in turn to flash an update zip.

If HTC were to push out a new HBOOT in an OTA update, yes, it would cripple us. But we can always remove the HBOOT from the update before applying it, so it really wouldn't do them any good to try it. (Hear that, HTC?! Don't bother!) :D

EDIT: The hole they plugged was a security vulnerability in the kernel that allowed an unprivileged process to escalate its privileges to root. That's how unrEVOked works. That has nothing to do with HBOOT. Think of it as coming at the problem from opposite sides. Fastboot lets you flash a system in which you already have root from outside any system at all; the "root hole" formerly let us attain root from inside a system in which we did not already have root.
 

awesomeindeed

Senior Member
Apr 28, 2008
335
10
Chicago Suburbs
Just in case anyone was in disbelief...
 

(Four screenshots attached: snap20100701_235134.jpg, snap20100701_235139.jpg, snap20100701_235146.jpg, snap20100701_235154.jpg.)

Cordy

Senior Member
Feb 2, 2008
665
125
Curiously, for anyone for whom this method worked: did any of you have a bad MAC, fix your MAC, and then use this method?
 

mobilemaniac

Senior Member
Sep 7, 2006
71
0
Ok. I was just working my way through Toast's rooting method. I finished part 1 and was trying to get all the files together for part 2, so I haven't unlocked NAND or installed Toast's recovery yet. Should I just follow the instructions in the OP and skip Toast part 2 now?
 

Land Master

Senior Member
Jun 18, 2010
530
172
Highlands Ranch, CO.
Total control over the phone comes from fastboot, which is a utility in two parts: half of it lives on the phone as a piece of HBOOT, and the other half lives on the computer as the fastboot program. The release version of HBOOT has its half of fastboot crippled. The engineering version of HBOOT has a fully working fastboot.

With a working fastboot, you can overwrite any partition on the NAND with anything you want. It's carte blanche. That's all you need to flash a new system image (in .img format). Or, you can flash a custom recovery and use it in turn to flash an update zip.

If HTC were to push out a new HBOOT in an OTA update, yes, it would cripple us. But we can always remove the HBOOT from the update before applying it, so it really wouldn't do them any good to try it. (Hear that, HTC?! Don't bother!) :D

Dude....I mean GOD. I hope you understand that this seems too good to be true. I'm certainly not questioning you (as I do not have the knowledge to do so), but I have followed the Damage Control thread for 3 days now and wonder why they didn't just skip trying to figure out the radio thing and concentrate on this method. Why didn't all the devs do so, for that matter? Were they just trying to come up with a "fix" to problems created by jumping the gun initially?

If I understand, you have (with three days experience) provided us with a fully rooted device FOREVER.

If this is in fact the case, put up a donation button. The others have them!
 

Top Liked Posts

    This method has now been updated using the newly released 1.47.651.1 RUU. The portion of this post in light gray is kept for historical interest only.

    This PC36IMG.zip contains a complete set of firmwares from the latest RUU (hboot, boot, recovery, system, userdata, microprocessor, radio, and WiMAX), except the HBOOT has been replaced with the one from the engineering build (to give you unlocked NAND) and the recovery has been replaced with Amon RA 1.7.0.1 (so you can flash updates signed with the test keys).

    Note: This process will only work if you already have the engineering HBOOT. (If you have NAND unlocked, you already have it and can proceed confidently.) If you'd like to check the actual version, you can boot into HBOOT and look near the top of the screen: it should say HBOOT-0.76.2000, not 0.79.0000. If you have 0.79.0000, you will need to do Toast's Part 2 first before starting here.

    1. Download this file, rename it PC36IMG.zip, and put it on the root of your SD card however you like.
    2. Power off your phone.
    3. Hold down the Volume Down and Power buttons until the white screen appears.
    4. HBOOT will scan the PC36IMG.zip file. You'll see a blue progress bar on the right side of the screen.
    5. When it's finished scanning, it will ask if you want to start the update. Press the Volume Up button to answer Yes.
    6. Wait a while for it to flash all the images.
    7. If you get a "Fail-PU" error on the recovery image, see below.
    8. When it finishes and asks if you want to reboot the device, press the Volume Up button to answer Yes.
    9. After the phone has rebooted, delete the PC36IMG.zip file from your SD card.
    10. Download this file to your SD card:
    11. Power off your phone.
    12. Hold down the Volume Down and Power buttons until the white screen appears.
    13. If you forgot to delete PC36IMG.zip from your SD card, HBOOT will scan it again now. When it asks if you want to start the update, press Volume Down to answer No. When it asks if you want to reboot, press Volume Down again.
    14. Now you should be at the HBOOT menu. Press Volume Down to move the selection to RECOVERY and press the Power button to select it.
    15. In a moment, you'll be at a different looking menu.
    16. Using the Volume and Power buttons as before, select "Flash zip from sdcard."
    17. Select su-2.1-e-unsecure-signed.zip from the list and follow the prompts to flash it.
    18. When that's finished and you're back at the menu, choose "Reboot system now."
    19. You should now have root, unlocked NAND, working WiMAX, and great battery life. :)

    You're finished! The remainder of this post is supplemental information for those who are interested.


    Fail-PU error

    It seems some EVOs just don't want to take the Amon RA recovery. If you're running into the infamous "Fail-PU" error, try deleting the recovery image from the PC36IMG.zip and flashing again. Do note, if you currently have the stock recovery loaded, doing this will mean that you will be unable to install the su-2.1-e-unsecure-signed.zip package to get root/superuser, as described above, until after you've flashed a custom recovery, which you can't do from within the system using flash_image unless you have root. The only way in that case is to use fastboot. If you're coming right from Toast's Part 2, then none of this should be a problem, since you'll already have a custom recovery, albeit an old and crusty one.


    After you've done this procedure, this is how you make changes to /system:
    To make changes to /system, you have to remount it read/write.
    1. After switching to a root shell (# prompt), type mount and press Enter.
    2. Look for a line that includes the word /system. On that line, look at the part that says /dev/block/mtdblockN, where N is a digit. That is the partition that your system lives on.
    3. Type "mount -o remount,rw -t yaffs2 /dev/block/mtdblockN /system", substituting the digit you saw in the previous step for N.
    4. Now your system is mounted read/write and you can make changes. Proceed cautiously. :)

    Here's how you can tell if you're royally boned:
    If you have the engineering HBOOT, you can flash anything you want at any time. That's why it's so crucial to have it.

    The point of no return looks like this:
    • You have the release HBOOT, AND
    • You are running system 1.47.*, AND
    • You have the stock recovery, AND
    • You do not have root access.

    In other words, if one or more of the following are true, you can get all the rest:
    • You have the engineering HBOOT, OR
    • You are running system 1.32.*, OR
    • You have a custom recovery, OR
    • You have root access.

    ~~~~~ beyond this point is for historical interest only ~~~~~


    If you're looking for a way to have working WiMAX with the 1.47.651.1 update and keep your root access, try this. It exhibits some interesting behavior at the end that is not seen with other update methods, which leads me to believe that this method does correctly upgrade the WiMAX.

    There is confirmation that this method yields a working WiMAX/4G. And screen grabs.



    Step 1: Revert to the initial release of everything

    This PC36IMG.zip contains all the original firmwares from the first released RUU (hboot, boot, recovery, system, userdata, microprocessor, touch panel, radio, and WiMAX), except the HBOOT has been replaced with the one from the engineering build (to give you unlocked NAND) and the recovery has been replaced with Amon RA 1.7.0.1 (so you can flash updates signed with the test keys).

    Note: This process will only work if you already have the engineering HBOOT. (If you have NAND unlocked, you already have it and can proceed confidently.) If you'd like to check the actual version, you can boot into HBOOT and look near the top of the screen: it should say HBOOT-0.76.2000, not 0.79.0000. If you have 0.79.0000, you will need to do Toast's Part 2 first before starting here.

    1. Download this file, rename it PC36IMG.zip, and put it on the root of your SD card however you like.
    2. Power off your phone.
    3. Hold down the Volume Down and Power buttons until the white screen appears.
    4. HBOOT will scan the PC36IMG.zip file. You'll see a blue progress bar on the right side of the screen.
    5. When it's finished scanning, it will ask if you want to start the update. Press the Volume Up button to answer Yes.
    6. Wait a while for it to flash all the images.
    7. When it finishes and asks if you want to reboot the device, press the Volume Up button to answer Yes.
    8. Your device is brand new again, except you have unlocked NAND and a custom recovery.
    9. Delete the PC36IMG.zip file from your SD card.
    Note: You will not have root at this point. This is to be expected, as you are running a totally stock system partition now. The key is that you have a custom recovery installed, meaning you can apply the su-2.1-e-unsecure-signed.zip update as described below, which will install the su and Superuser.apk files (i.e., give you root access).

    Step 2: Rapid-fire updates
    1. Download these three files to your SD card:
    2. Power off your phone.
    3. Hold down the Volume Down and Power buttons until the white screen appears.
    4. If you forgot to delete PC36IMG.zip from your SD card, HBOOT will scan it again now. When it asks if you want to start the update, press Volume Down to answer No. When it asks if you want to reboot, press Volume Down again.
    5. Now you should be at the HBOOT menu. Press Volume Down to move the selection to RECOVERY and press the Power button to select it.
    6. In a moment, you'll be at a different looking menu.
    7. Using the Volume and Power buttons as before, select "Flash zip from sdcard."
    8. Select su-2.1-e-unsecure-signed.zip from the list and follow the prompts to flash it.
    9. When that's finished and you're back at the menu, select "Flash zip from sdcard" again, choose OTA_Supersonic_1.32.651.6-1.32.651.1_rootsafe.zip, and follow the prompts to flash it.
    10. You will now be updated to 1.32.651.6.
    11. Ignore the warning that says "ignoring attempt to do multiple firmware updates."
    12. It will say "Reboot via menu to complete installation." Do as it says and choose "Reboot system now" from the menu.
    13. Now the first radio baseband update will be installed. Don't touch anything. The phone will reboot on its own, and you'll wind up back at the recovery menu.
    14. Choose "Flash zip from sdcard," select the second OTA update, OTA_Supersonic_1.47.651.1-1.32-651.6_rootsafe.zip, and follow the prompts to flash it.
    15. You will now be updated to 1.47.651.1. This one takes a while. Let it do its thing.
    16. When it's finished flashing, it will tell you to reboot. Do as it says and choose "Reboot system now" from the menu.
    17. Now the second radio baseband update and the WiMAX update will be installed. This takes a long time and doesn't display any progress on the screen, just an icon with a green circle of arrows. Don't touch it. It will reboot on its own.
    18. After the reboot, you'll see some things you haven't seen by any other update method, including a barber pole progress bar and a dialog box that says "Checking for firmware update, please wait." (It shouldn't find one.)
    19. When the home screen comes back up, you'll get a message box telling you "Your phone has been updated successfully to version 1.47.651.1."
    20. You still have root and should have working WiMAX. :)
    You can delete the three files off your SD card if you wish.

    If your 4G keeps scanning but never connects, you might be helped by this post.



    Extraneous images
    (for use with fastboot flash)

    These are just here in case they might be useful to someone. They are NOT NEEDED for the update procedure described above. Don't download them unless you know what to do with them.

    HBOOT images
    • hboot-0.76.2000.7z (md5=0297a81509b6da5f102b1cc63893b9ad) – distributed with system 1.17.651.1 (engineering build)
    • hboot-0.79.0000.7z (md5=d38bff771f5015d420589f1d158d16af) – distributed with system 1.32.651.1 (initial release)
    Boot images
    • boot-1.17.651.1.7z (md5=2a1a9d14f9b0405d92da31f0061b6915) – distributed with system 1.17.651.1 (engineering build)
    • boot-1.32.651.1.7z (md5=452bd071474e670d0d93aff34044a380) – distributed with system 1.32.651.1 (initial release)
    • boot-1.47.651.1.7z (md5=91f4bc8785e668afaefb9e55720e14a2) – distributed with system 1.47.651.1
    System partition images (raw, not rooted!)
    • system-1.17.651.1.7z (md5=129ef3dbcb5359112b8edb610e930d6e) – engineering build
    • system-1.32.651.1.7z (md5=d7ea4d72e907065ebb10b3527e19ced0) – initial release; extracted directly from the original 1.32.651.1 RUU
    • system-1.32.651.6-OTA.7z (md5=9c7262db87caf03a729dc84db5a1fba6) – the preceding with the 1.32.651.6 incremental OTA update applied
    • system-1.47.651.1-OTA.7z (md5=6676cfa942469e4b4c66ef1364b3195f) – the preceding with the 1.47.651.1 incremental OTA update applied
    • system-1.47.651.1.7z (md5=5b8a1298da2daf99d5c2763ae151d9aa) – extracted directly from the 1.47.651.1 RUU
      Warning: Don't flash system 1.47.651.1 without the engineering HBOOT installed!
    Radio firmware images
    WiMAX firmware images
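The "how you make changes to /system" steps above (read the `mount` output, find the /dev/block/mtdblockN line for /system, then remount it read/write with the yaffs2 command) are easy to get wrong by eye. The following is an added example, not code from whitslack's post: it parses constructed sample `mount` output, reports whether /system is currently ro or rw, and builds the exact remount command with N filled in. The sample output and its block numbers are made up for illustration; on a real device you would pipe the phone's own `mount` output into these functions.

```shell
# Constructed sample of what `mount` prints on an EVO-era Android system.
# Device numbers are illustrative only, not taken from a real phone.
SAMPLE_MOUNT_OUTPUT='rootfs / rootfs ro 0 0
tmpfs /dev tmpfs rw,mode=755 0 0
/dev/block/mtdblock4 /system yaffs2 ro 0 0
/dev/block/mtdblock6 /data yaffs2 rw,nosuid,nodev 0 0
/dev/block/mtdblock5 /cache yaffs2 rw,nosuid,nodev 0 0
/dev/block/vold/179:1 /sdcard vfat rw,dirsync,nosuid,nodev,noexec 0 0'

# Read `mount` output on stdin; print the MTD block device mounted on /system.
# Exits 1 (prints nothing) if /system is not a mtdblock mount, so a caller
# never builds a remount command for the wrong partition.  The mount point is
# matched exactly, so /systemfoo or /system/xbin can never match by accident.
system_block_device() {
    awk '$2 == "/system" && $1 ~ /^\/dev\/block\/mtdblock[0-9]+$/ { print $1; found = 1 }
         END { if (found) exit 0; exit 1 }'
}

# Read `mount` output on stdin; print "ro" or "rw" for /system (first option
# field), so you can confirm the remount actually took effect afterwards.
system_mount_mode() {
    awk '$2 == "/system" { split($4, opts, ","); print opts[1]; found = 1 }
         END { if (found) exit 0; exit 1 }'
}

# Build (but do not run) the remount command from the post, with the digit N
# substituted from the mount table passed as $1.  Fails if /system is absent.
remount_system_rw_cmd() {
    dev=$(printf '%s\n' "$1" | system_block_device) || return 1
    printf 'mount -o remount,rw -t yaffs2 %s /system\n' "$dev"
}

# Demo against the constructed sample: shows the command you would type.
remount_system_rw_cmd "$SAMPLE_MOUNT_OUTPUT"
```

After editing, the same command with `remount,ro` returns /system to read-only, which is the state a stock system expects.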
    Can I use this to go back to stock rooted?

    No, you'll most likely brick your phone.

    I did a backup of original stock right after I rooted; will running it be a problem? Thank you for your answers, bricking is not an option.

    Nope, if you made a backup of your stock ROM you can just restore it; you shouldn't run into any problems.

    Hello whitslack, I was referred to you by Captain_throwback. Here is my dilemma:

    I have a boot-looping EVO 4G phone with corrupted NV. We copied the NV from one Sprint phone to this EVO, and that is what caused the boot loop. Now we are trying to get it back up and running, as my life depends on it lol.. My phone status is

    *** UNLOCKED ***
    Supersonic EVT2-3 Ship S-on
    Hboot-2.18.0001
    MICROP-041f
    TOUCH PANEL-ATMEL03_16ac
    RADIO-2.15.00.12.19
    Dec 21 2011,12:50:32

    Here is a clip from my previous conversation with Captain_throwback:

    <Captain_throwback> Yeah, that's not going to work. You're not fully NAND unlocked, so you can only flash zips that have a main version that's exactly the same as your current version. Even then, you can only flash to the unlocked partitions. I was suggesting you go to that other thread I linked so you could try to flash that nv.img (not sure if that's possible or not, but that's your best shot at this point). You need to find the right nv.img to flash. I don't know anything about that; that's why I suggested contacting the guy from the other thread.


    Please advise and be my savior, please please :)

    Since apparently your bootloader still works, simply take out your SD card, put it in another device, and copy an official (signed) PC36IMG.zip to it. Then put it back in the phone and boot up into the bootloader. It should find the zip file and offer to write its contents into the phone's flash memory. I'd suggest using the 1.17.651.1-versioned PC36IMG.zip, which is a signed engineering build containing the engineering (unlocked) HBOOT. If your current bootloader doesn't want to flash the older PC36IMG.zip, you might need to write an engineering image to the misc partition of the MTD. I'm pretty sure you can do that with the fastboot utility on the computer while the phone is in the fastboot mode of the bootloader. That will only work if your bootloader has USB fastboot enabled, of course. If you can't even do that, then you will probably have to run an official RUU to rewrite everything. Good luck.