Messing about with fastboot on the HTC Hero Orange UK

adq · Jul 28, 2009

Hi, since this is my wife's HTC hero from Orange UK, I'm being particularly careful with it. I'm new to xda-developers/HTC platforms (but not new to doing horrible things to embedded platforms) :>

I've been messing about with the phone all evening - downloaded that ROM image from the other thread and pulled it apart to look at the OS files etc - the standard break-a-new-embedded-linux-platform routine.

Anyway, if you hold down BACK when powering on, it enters the bootloader mode with a "FASTBOOT USB" prompt, which sounded interesting. I got a copy of the fastboot binary, and extracted the kernel and the ramdisk images from "boot.img" in the "HEROIMG_Hero_HTC_WWE_1.76.405.1_R3_WWE_release_signed.zip" (using split_bootimg.pl).

Just as a quick test, I tried booting them with:
fastboot boot kernel.img boot.img

since the above just boots a kernel from RAM, and not actually flash it. Anyway, fastboot claims it downloaded and booted it ok, and the phone shows the "HERO" logo. Unfortunately that is as far as it gets. However, if I reset the phone, it boots perfectly fine from the kernel/ramdisk in flash (phew!)

Since it doesn't actually boot into android proper (and doesn't show up as a USB device), I don't know if (a) its showing the HERO logo, but failing the signature check, or (b) actually booting, but crashing 'cos the kernel/ramdisk aren't quite right. I'd guess (a) myself, but I'm new to messing with HTC bootloaders.

Anyway, in case they're useful, the details of the phone from the fastboot mode are:
HERO CVT SHIP S-ON
HBOOT-1.76.0004 (HERO10000)
MICROP-010f
TOUCH PANEL-SYN0104
RADIO-6.35.04.25
Jul 3 2009,15:22:21

Dayzee · Jul 28, 2009

That method of entering fastboot is the same as the magic. Check the magic / sapphire wiki and have a read as I suspect the magic is its closest relative and a lot of the magic stuff will work...

daisy xx

adq · Jul 28, 2009

Aha, thank you very much, that gives me more information!

Anyway, I just tried booting the boot.img itself instead of splitting it up with:

fastboot boot boot.img

This time, it booted right into the full android! Checking /proc/config.gz:

On the phone booting normally, it says:
# Linux kernel version: 2.6.27
# Fri Jul 3 07:52:06 2009

On the phone booted with boot.img extracted from that zip, it starts:
# Linux kernel version: 2.6.27
# Thu Jun 25 14:16:01 2009

So it seems as though it can boot the boot.img: AFAIK config.gz is hardcoded into the kernel binary. Now: is there a signature in the boot.img file?

adq · Jul 28, 2009

Erm, I'm either hallucinating from lack of sleep, or I appear to have a root shell on it now. e.g. I can see the contents of /data from "adb shell":

ps reports: [snip]
root 43 1 3332 164 ffffffff 0000e8f4 S /sbin/adbd
root 619 43 748 340 c005ef5c afe0d08c S /system/bin/sh

# ls /data/app
org.oep.pong.apk
com.google.android.stardroid.apk
se.illusionlabs.labyrinth.lite.apk
com.google.zxing.client.android.apk
com.innovativelanguage.wordpowerlite.jp.apk
com.funambol.android.apk
com.massorbit.sword.apk
com.soundroid2012.piano.apk
jg.entertainment.abook.four.apk
com.maplekeycompany.apps.shake.apk
net.peterd.zombierun.apk

All I did was
1) pull the boot.img apart with split_bootimg
2) gunzip the ramdisk
3) hexedit the ramdisk to set ro.secure=0 (couldn't be bothered faffing about with cpio)
4) gzip the ramdisk
5) rebuild the image with mkbootimg. Oh you need to specify a different base address. Example command line:

/tmp/mkbootimg --kernel boot.img-kernel --ramdisk boot.img-ramdisk.insecure.gz --cmdline 'no_console_suspend=1 console=null' -o test-insecure.img --base 0x19200000

Then I just booted it with "fastboot boot test-insecure.img"

daldroid · Jul 28, 2009

adq said:
Erm, I'm either hallucinating from lack of sleep, or I appear to have a root shell on it now. e.g. I can see the contents of /data from "adb shell":

ps reports: [snip]
root 43 1 3332 164 ffffffff 0000e8f4 S /sbin/adbd
root 619 43 748 340 c005ef5c afe0d08c S /system/bin/sh

# ls /data/app
org.oep.pong.apk
com.google.android.stardroid.apk
se.illusionlabs.labyrinth.lite.apk
com.google.zxing.client.android.apk
com.innovativelanguage.wordpowerlite.jp.apk
com.funambol.android.apk
com.massorbit.sword.apk
com.soundroid2012.piano.apk
jg.entertainment.abook.four.apk
com.maplekeycompany.apps.shake.apk
net.peterd.zombierun.apk

All I did was
1) pull the boot.img apart with split_bootimg
2) gunzip the ramdisk
3) hexedit the ramdisk to set ro.secure=0 (couldn't be bothered faffing about with cpio)
4) gzip the ramdisk
5) rebuild the image with mkbootimg. Oh you need to specify a different base address. Example command line:

/tmp/mkbootimg --kernel boot.img-kernel --ramdisk boot.img-ramdisk.insecure.gz --cmdline 'no_console_suspend=1 console=null' -o test-insecure.img --base 0x19200000

Then I just booted it with "fastboot boot test-insecure.img"

You're ready to build your own rom images ;-)

You could start by preparing your own rooted recovery with nandroid.
For a quick and dirty basic recovery image, just download one from sapphire development forum, replace the boot.img-kernel with a working copy for your hero.
Then rename init.sapphire.rc in init.hero.rc in ramdisk image.

You can simply extract ramdisk image with:
mkdir boot.img-ramdisk
cd boot.img-ramdisk
zcat ../boot.img-ramdisk.gz | cpio -idv

make your changes to ramdisk files

search internet for a script named repack-bootimg.pl
add the new base parameter to mkbootimg line in the script

cd to directory where you unpacked your boot.img
repack-bootimg.pl boot.img-kernel boot.img-ramdisk newboot.img
fastboot your recovery

then you can use nandroid in the recovery image to make a full dump of your rom and use the newer version of boot.img you have in your device to rebuild an up-to-date recovery or any kind of rom (you could start by preparing a copy of your original rom by changing ro.secure=0 in both boot.img and recovery.img).

By the way, I noticed that kernel in HERO uses sapphire fixup. The currently available version on the net is not booting on sapphire (magic) 32A, but it resets after a few minutes.
Maybe the kernel version in your orange hero introduces compatibility with sapphire boards. Well, really I suppose it won't, but if you get a nandrod backup and post your current original boot.img, magic 32A board owners could give it a try while we are waiting for HTC to release updated kernel sources for Magic and Hero.

Bye
daldroid

daldroid · Jul 28, 2009

adq said:
[...]

So it seems as though it can boot the boot.img: AFAIK config.gz is hardcoded into the kernel binary. Now: is there a signature in the boot.img file?

No, no signature in standard boot.img, you have to zip it and sign the resulting zip. But no signing keys except for test-keys are available to the public, so I suppose your spl (S-ON) wil not allow you to directly flash rom images from fastboot command line.

However it seems your SPL allows you to fastboot a repacked boot image, so it should not be a problem to use a recovery image to flash whichever rom mod you like.

I suggest you not to flash any SPL you can find on the net, I suppose you have the newest ad no image of your original SPL is available (there is one from a leaked hero image, but yours seems to be newer)

Bye

adq · Jul 28, 2009

Yeah, my thoughts exactly, I'd rather not flash the SPL if I can help it: I don't fancy explaining to my wife why I have to rip her phone apart to find the JTAG contacts

I'll upload the boot.img later though.

Thats odd about the reset after a few minutes thing: hardware watchdog timer of some sort?

daldroid · Jul 28, 2009

adq said:
Yeah, my thoughts exactly, I'd rather not flash the SPL if I can help it: I don't fancy explaining to my wife why I have to rip her phone apart to find the JTAG contacts I'll upload the boot.img later though.

Thats odd about the reset after a few minutes thing: hardware watchdog timer of some sort?

Well, really it's a little bit mor than a minute or so.
I suppose it's not an hardware watchdog, I don't have access to console debug messages.
Really the reset is a good sign, if you try booting dream or sapphire 32b kernel on 32A boards, it hangs forever.
If you extract piggy.gz from the kernel and hexedit it,you can find hero kerel initializes the hardware using the sapphire fixup.

It could only be that htc reused the same source and fixed hardware details and forgot to change the fixup routine name or that they are prepare to build a kernel able to boot on both hero and magic 32A boards.

32A and hero use the same new base address for kernel and ramdisk loading 0x19200000.
our boards have more memory than dream and 32b boards.
I suspect htc is using a stacked ram configuration and they changed the init code for the number of banks in memory.
In 32A they changed ram location for fb, ram console and maybe gpu1. It was a real mess to guess every change, so I stopped recompiling and rebooting the kernel after a dozen of times ;-) Waiting for htc to release the patched source code ;-)

The radio rom on hero seems to be is newer than 32a's latest available but I don't want to try a flash, you know what I mean ;-)
The available hero SPL shoud work on sapphire (and on blackstone and topaz too) and maybe the newer radio rom requires it, but... I prefer not to brick my Magic.
Have a nice rom rooting time. You could want to give superuser.apk a try.
People on this forum is asking for rooting status on hero, I suppose you'll be able to announce them your succes in a short time.

minogue · Jul 28, 2009

Wow! That was Fast! Lol..... even thought there is still some work to do.

Quwel · Jul 30, 2009

i feel honoured to have been one of the first to read this i still dont have a hero yet =[ gotta wait till august when i get my ema might start scrounging and saving what i can get so i can get it sooner

Well done to you sir what a fine job uve done, gz =]

dipje · Jul 30, 2009

I'm waiting for my Hero as well and I'm completely new to android.

But like you I develop for and work with embedded Linux systems so tearing ROMs apart was pretty much on top of my list when my device should arrive

.

I don't know what the 'recovery' image does on Android systems, but as I read it like this: You can temporary boot a rom (or at least a kernel and it will get the rest of the system from the rom area) through the fastboot method.

So yes, then you have temporary booted into a rooted ROM. But how to make it permanent? Because if you modify the ROM and flash it back it will probably not work because it detects its modified, right?

JWallstreet · Jul 30, 2009

Trying to make a "dirty recovery image" to dump full roms using Nandroid Backup

Hello Dalroid,

I read your post and was able to do the following:

1. Using split_bootimg, extract the ramdisk files from the Stock HTC HERO Rom found in the XDA forums.
2. I downloaded the cm-recovery 1.4 image from Sapphire and used split_bootimg on it as well.
3. I copied the extracted kernel from the HTC Hero ROM and replaced the one from the cm-recovery of sapphire.
4. I renamed init.sapphire.rc to init.hero.rc in the extracted recovery image folder.
5. This is where i have trouble. I am using the repack-bootimg.pl, but I am unable to repackage the image.

I did note that you stated that some base parameters needed to be changed in the script for this to work. Could you please shed some light on what I need completed in order to repackage. Thank you in advance.

EDIT: I found one problem so far, I do not have mkbootimg or mkbootfs on my computer. How do I get these on my computer?

daldroid · Jul 30, 2009

JWallstreet said:
Hello Dalroid,

I read your post and was able to do the following:

1. Using split_bootimg, extract the ramdisk files from the Stock HTC HERO Rom found in the XDA forums.
2. I downloaded the cm-recovery 1.4 image from Sapphire and used split_bootimg on it as well.
3. I copied the extracted kernel from the HTC Hero ROM and replaced the one from the cm-recovery of sapphire.
4. I renamed init.sapphire.rc to init.hero.rc in the extracted recovery image folder.
5. This is where i have trouble. I am using the repack-bootimg.pl, but I am unable to repackage the image.

I did note that you stated that some base parameters needed to be changed in the script for this to work. Could you please shed some light on what I need completed in order to repackage. Thank you in advance.

EDIT: I found one problem so far, I do not have mkbootimg or mkbootfs on my computer. How do I get these on my computer?

I built my mkbootimg from android source code (android.git.kernel.org), but if you prefer you can find a prebuilt binary from http://rapidshare.com/files/249629878/PortTools.rar. I'm not the author neither I tested it, just searched for mkbootimg in forums and pasted the link for you.
If you use the standard mkbootimg, just add --base 0x19200000 the the mkbootimg line, otherwise the boot.img will be generated with standard load address which won't work for hero (or for my 32A Magic).

ian9outof10 · Jul 31, 2009

This is pretty exciting stuff

I really want to remove the SIM lock from the Hero - is this something you can do now you've got su access?

Is it going to be possible to have a 'how to' guide for the Hero to tell us what to do to get the phone unlocked?

I want to see someone install the Magic image on the Hero - it should fly with the extra RAM

wossName · Aug 2, 2009

Just out of curiosity, what would happen if I booted the original cm-recovery-1.4.img on the Hero?

My phone will hopefully arrive tomorrow, and the first thing I'd like to do is create a backup with the nandroid script.

enlightener · Aug 2, 2009

wossName said:
Just out of curiosity, what would happen if I booted the original cm-recovery-1.4.img on the Hero?

My phone will hopefully arrive tomorrow, and the first thing I'd like to do is create a backup with the nandroid script.

It wont boot. You can instead use the modified(only trackball press event and kernel) cyanogen's recovery here: http://xdaforums.com/showthread.php?t=541807&page=2

wossName · Aug 2, 2009

enlightener said:
It wont boot. You can instead use the modified cyanogen's recovery here: http://xdaforums.com/showthread.php?t=541807&page=2

I'm new to all this, so I'd be grateful for some more information: is the Dream and Hero hardware too different to boot the same image? Or would it be possible to create multi-platform images?

I already downloaded the modified image from that thread and have extracted the same kernel, so I should be all set.

Topics

Topics

Messing about with fastboot on the HTC Hero Orange UK

adq

Member

Dayzee

Senior Member

adq

Member

adq

Member

daldroid

Senior Member

daldroid

Senior Member

adq

Member

daldroid

Senior Member

minogue

Senior Member

Quwel

Member

dipje

Senior Member

JWallstreet

Member

daldroid

Senior Member

ian9outof10

Member

wossName

Member

enlightener

Senior Member

wossName

Member

Similar threads

New posts