Attend XDA's Second Annual Developer Conference, XDA:DevCon 2014!
5,784,877 Members 51,934 Now Online
XDA Developers Android and Mobile Development Forum
View Poll Results: Is it a good idea to flash modified "no-red" hboots...?
no 9 50.00%
no! 11 61.11%
Multiple Choice Poll. Voters: 18. You may not vote on this poll

[FIRMWARE] | [GUIDE] | [MOD] GSM Firmwares & HBoots

Tip us?
 
herwegan
Old
(Last edited by herwegan; 26th May 2014 at 05:30 PM.)
#1  
herwegan's Avatar
Senior Member - OP
Thanks Meter 517
Posts: 1,037
Join Date: Jun 2013
Default [FIRMWARE] | [GUIDE] | [MOD] GSM Firmwares & HBoots







General Information

Since we have S-Off, (and ONLY if you have S-Off!) we also can do a few more things than just flash custom hboots.

There are a few Firmware flashing threads and lots of zips and good and bad instructions. However, i noticed that many users asked about what they get when they flash what they download and also about how to flash it with S-OFF on various threads. This confusion has occasionally lead to people losing their custom kernels and custom recoveries and/or their SDcard partitions being unintentionally wiped.
I am writing this because i believe in "responsible" sharing. Since the full RUU's aren’t shared but only components (modified as well as unmodified) with often insufficient documentation, which in turn leads to a lot of confusion among the lesser informed users, i will try to catch some of that. I believe that sharing full RUU's would be a lot safer, as only those who actually know enough about it can disassemble them. RUU’s do always reassure users that there is a guaranteed and safe way to go back.

Now we are stuck with components only on a much larger scale than we were used to, due to a general change in sharing attitude and the original RUU source not being “as" active anymore. This is something that we ideally wish to not happen in XDA world. Now we don't live in an ideal world and someone has to ensure there are some proper and reliable info posts. I will try to share some of what i found during my XDA hunting.

*** All donations and appreciation to @Sneakyghost for creating this thread and maintaining it a long time ***

This is Firmware for GSM PHONES ONLY - no cdma / sprint firmware here!

FUU HowTo

Prerequisites:

Current drivers available through HTC Sync Manager.
Please install, then remove again and leave only drivers!
Usage: Just run the ARUWIZARD.exe and profit!

ZIP Flash HowTo


Prerequisites:

You need ADB and Fastboot on your PC and instead of using the full ADT download (Huge!) you can either use my Android Tasks Batch script collection, which sets up a “Mini ADB" on C:\Android. Info in Post #1618. Or alternatively the HTC One Tool from @squabbi which also offers driver downloads and recovery downloads (handy shortcuts!).
To get ADB and Fastboot up and running please use search, many guides available..
Step-By-Step:
1. If device is booted into Android, reboot into bootloader by running:
Code:
adb reboot bootloader
1.a Or else, if your device is in a different state or you just prefer the button method:
Press Power for 15 seconds and hold Vol Down at the same time, when the screen and charging LED go dark immediately release Power but keep holding Vol Down until you see the bootloader screen. Notice: If the device refuses to reboot, you might need to hold it to a bright light with its light sensor. This is a very specific bug on the HTC ONE.

2. Now place the Firmware_xx.zip into your adb/fastboot folder

3. Now run:
Code:
fastboot oem rebootRUU
4. Followed by:
Code:
fastboot flash zip Firmware_xx.zip
(replace "Firmware_xx.zip" with the name of your zip)

5. Now check the console output. It should approximately look like this:
 
Quote:
C:\Android\com>fastboot flash zip 217_224_TWRP2601_combined_firmware.zip
sending 'zip' (35220 KB)...
OKAY [ 2.839s]
writing 'zip'...
(bootloader) zip header checking...
(bootloader) zip info parsing...
(bootloader) checking model ID...
(bootloader) checking custom ID...
(bootloader) start image[hboot] unzipping for pre-update check...
(bootloader) start image[hboot] flushing...
(bootloader) [RUU]WP,hboot,0
(bootloader) [RUU]WP,hboot,99
(bootloader) [RUU]WP,hboot,100
(bootloader) ...... Successful
FAILED (remote: 90 hboot pre-update! please flush image again immediately)
finished. total time: 4.438s
“flush" certainly means “Flash" so press the arrow up key on your keyboard and enter to run the flash command again without reboot...
Quote:
C:\Android\com>fastboot flash zip 217_224_TWRP2601_combined_firmware.zip
sending 'zip' (35220 KB)...
OKAY [ 2.835s]
writing 'zip'...
(bootloader) zip header checking...
(bootloader) zip info parsing...
(bootloader) checking model ID...
(bootloader) checking custom ID...
(bootloader) start image[adsp] unzipping & flushing...
(bootloader) [RUU]UZ,adsp,0
(bootloader) [RUU]UZ,adsp,11
(bootloader) [RUU]UZ,adsp,22
(bootloader) [RUU]UZ,adsp,33
(bootloader) [RUU]UZ,adsp,45
(bootloader) [RUU]UZ,adsp,56
(bootloader) [RUU]UZ,adsp,67
(bootloader) [RUU]UZ,adsp,79
(bootloader) [RUU]UZ,adsp,90
(bootloader) [RUU]UZ,adsp,100
(bootloader) [RUU]WP,adsp,0
(bootloader) [RUU]WP,adsp,100
(bootloader) ...... Successful
(bootloader) start image[cir] unzipping & flushing...
(bootloader) [RUU]UZ,cir,0
(bootloader) [RUU]UZ,cir,100
(bootloader) ...... Successful
(bootloader) start image[recovery] unzipping & flushing...
(bootloader) [RUU]UZ,recovery,0
(bootloader) [RUU]UZ,recovery,13
(bootloader) [RUU]UZ,recovery,28
(bootloader) [RUU]UZ,recovery,39
(bootloader) [RUU]UZ,recovery,53
(bootloader) [RUU]UZ,recovery,64
(bootloader) [RUU]UZ,recovery,74
(bootloader) [RUU]UZ,recovery,85
(bootloader) [RUU]UZ,recovery,96
(bootloader) [RUU]UZ,recovery,100
(bootloader) [RUU]WP,recovery,0
(bootloader) [RUU]WP,recovery,100
(bootloader) ...... Successful
(bootloader) start image[rpm] unzipping & flushing...
(bootloader) [RUU]UZ,rpm,0
(bootloader) [RUU]UZ,rpm,100
(bootloader) [RUU]WP,rpm,0
(bootloader) [RUU]WP,rpm,100
(bootloader) ...... Successful
(bootloader) start image[sbl1-1] unzipping & flushing...
(bootloader) [RUU]UZ,sbl1-1,0
(bootloader) [RUU]UZ,sbl1-1,100
(bootloader) signature checking...
(bootloader) verified fail
(bootloader) ..... Bypassed
(bootloader) start image[sbl1-2] unzipping & flushing...
(bootloader) [RUU]UZ,sbl1-2,0
(bootloader) [RUU]UZ,sbl1-2,100
(bootloader) signature checking...
(bootloader) verified fail
(bootloader) ..... Bypassed
(bootloader) start image[sbl1-3] unzipping & flushing...
(bootloader) [RUU]UZ,sbl1-3,0
(bootloader) [RUU]UZ,sbl1-3,100
(bootloader) signature checking...
(bootloader) [RUU]WP,sbl1-3,0
(bootloader) [RUU]WP,sbl1-3,100
(bootloader) ...... Successful
(bootloader) start image[sbl2] unzipping & flushing...
(bootloader) [RUU]UZ,sbl2,0
(bootloader) [RUU]UZ,sbl2,100
(bootloader) [RUU]WP,sbl2,0
(bootloader) [RUU]WP,sbl2,100
(bootloader) ...... Successful
(bootloader) start image[sbl3] unzipping & flushing...
(bootloader) [RUU]UZ,sbl3,0
(bootloader) [RUU]UZ,sbl3,100
(bootloader) [RUU]WP,sbl3,0
(bootloader) [RUU]WP,sbl3,100
(bootloader) ...... Successful
(bootloader) start image[tp] unzipping & flushing...
(bootloader) [RUU]UZ,tp,0
(bootloader) [RUU]UZ,tp,100
(bootloader) ...... Successful
(bootloader) start image[tz] unzipping & flushing...
(bootloader) [RUU]UZ,tz,0
(bootloader) [RUU]UZ,tz,100
(bootloader) [RUU]WP,tz,0
(bootloader) [RUU]WP,tz,100
(bootloader) ...... Successful
(bootloader) start image[radio] unzipping & flushing...
(bootloader) [RUU]UZ,radio,0
(bootloader) [RUU]UZ,radio,6
(bootloader) [RUU]UZ,radio,13
(bootloader) [RUU]UZ,radio,19
(bootloader) [RUU]UZ,radio,26
(bootloader) [RUU]UZ,radio,33
(bootloader) [RUU]UZ,radio,39
(bootloader) [RUU]UZ,radio,46
(bootloader) [RUU]UZ,radio,53
(bootloader) [RUU]UZ,radio,59
(bootloader) [RUU]UZ,radio,66
(bootloader) [RUU]UZ,radio,73
(bootloader) [RUU]UZ,radio,79
(bootloader) [RUU]UZ,radio,86
(bootloader) [RUU]UZ,radio,93
(bootloader) [RUU]UZ,radio,99
(bootloader) [RUU]UZ,radio,100
(bootloader) [RUU]WP,radio,0
(bootloader) [RUU]WP,radio,26
(bootloader) [RUU]WP,radio,53
(bootloader) [RUU]WP,radio,79
(bootloader) [RUU]WP,radio,100
(bootloader) ...... Successful
OKAY [ 49.443s]
finished. total time: 52.280s

C:\Android\com>fastboot reboot-bootloader
rebooting into bootloader...
OKAY [ 0.038s]
finished. total time: 0.039s

C:\Android\com>

Important: the flash process halts at around 75% to 90% on phone screen! This is normal and a safety precaution! The last few percent is the reboot, which is NOT happening automatically, so you get a chance to check the console output to make sure it is safe to reboot! The bar will only fill up to 100% once you type:

6.
Code:
fastboot reboot-bootloader
Error handling strategies:
IF IT SAYS "FAILED" do not immediately reboot the device If you reboot with a FAIL It could brick! If no flash is being accepted you have to find out what is causing the malfunction before rebooting your phone. Keep it alive while trying to figure out the error. It might be your cable, your USB ports (dont use hubs! Always direct-mainboard connections), it might be USB 3.0 which is not good yet, it might be bad configuration of your ADB and Fastboot...
The least dangerous FAILED messages are listed below and are safe to reboot:

Safe to reboot / Flash didn't happen Errors (if you encounter one of them, you can just reboot. Nothing changed):
- 12 signature fail (unknown yet but safe to reboot)
- 23 parsing image fail (means something wrong with the image in the zip)
- 32 header error (means the zip couldn’t be read and unzipped properly)
- 41 Wrong Model ID (means its not the right device)
- 42 Wrong Customer ID (wrong CID means you gotta swap cid first as explained below)
- 90 hboot pre-update (means it only flashed hboot and you have to run the process again immediately to flash all other partitions WITHOUT a reboot inbetween).
- 99 UNKOWN (is not yet clear but safe to reboot, might indicate a defunct S-OFF or S-ON)
- 155 seems to indicate different things, always relating to your phone not being eligible for a certain update. It can mean: 1.) You need to relock bootloader (If S-ON); 2.) You cannot run the RUU/FUU because the software versions of ROM, Firmware and RUU/FUU don’t match - there is no conclusive evidence yet, only hints. I can not monitor the commands being run by a RUU and determine which check exactly fails, so i am left guessing.
- 170 Check USB - FUU won’t run because of not working ADB.
In fact, if it aborts before the "(bootloader) start image[hboot] unzipping & flushing..." line it actually didn't write anything and you can probably just reboot. If you see it flashing stuff though (the stages after that line) and then it stops with a FAILED, chances are a little higher that something is now broken. In that case do NOT reboot but do as i said above.

For Error 12 “signature fail" do:
- might indicate that a signed firmware package is required. This would only happen with S-ON phones though.

For Error 23 "parsing image fail" do:
- change image names in the zip to stock image names like “hboot.img" or “radio.img" or whatever failed there....

For Error 32 "header error" do:
- Sorry i haven’t found the exact cause yet and don’t know a definite solution.
- Make sure there is only one . (dot) in the filename, before the extension. fastboot reads anything after the first dot it sees as the extension. If that is not zip, it fails.
- If that doesn’t help, you can also try: make the zip new with recommended settings, re-run the command, check your connections...

For Error 42 "Wrong Customer ID" and: 41 "Wrong Model ID" do:
Code:
fastboot getvar all
Read that output, take note of your CID and MID and then edit the "android-info.txt" in your firmware.zip accordingly (For Wrong MID change the MID in the text, for wrong CID add your CID to the text).

Alternative method for MID and CID errors:
go SuperCID. Do:
Code:
fastboot oem writecid 11111111
You can change back to any desired CID after a successfull firmware flash. Notice: this command only works on S-OFF phones (which you have already of course or else you wouldn't be here).

For “Error 90 hboot pre-update..." do:
- Run the same flash command again which you just ran (press arrow up on your keyboard to get to the previous command in console)
- Don’t reboot in-between! (It wouldn’t brick you but it would just make you run the flash command twice again)
- This might be caused by the newer encrypted RUU's, they need their hboot to be flashed first so it can then decrypt the rest of the ROM.zip. Look at an encrypted ROM.zip from a RUU, you will notice that you can mostly extract the hboot without decrypting the ROM.zip, but you can't extract much else.)

For “Error 99 UNKNOWN" do:
- Check with other zip’s if they work!
- Check if your S-OFF is correct
- Tell me if you find out what’s causing an unknown error here!

For “Error 155 relock bootloader" do:
- Error 155 can mean that you need SuperCID. On a few occasions this was shown when the RUU/FUU refused to run because of a wrong region lock.
- Lately, Error 155 has occured when a FUU was launched from within android. When encountering a FUU error 155 with the process stalling after the rebootRUU (stuck at black screen with silver HTC logo), please just restart the FUU and leave the phone in that mode, or reboot the phone, then reboot to bootloader, then do “fastboot oem rebootRUU” and then launch the FUU again (thanks @anarchychris for pointing it out).
- run the fastboot command “fastboot oem lock" - only applies to S-ON phones that want to update the firmware. There a relocked bootloader and signed zip is required. These zips don’t work on locked, S-ON phones!

For “Error 170 Check USB" do:
- Sometimes shown when running a RUU or FUU. Indicates issues with drivers. One way to solve is to run the ARUWizard with the phone already in Fastboot mode. Else you will have to re-install HTC Sync manager. Also, avoid USB 3 ports (the blue ones) - they have a complete new driver stack and that doesn’t work well currently.

You flash at own risk. You're writing to critical parts of your phone.
If anything goes wrong along the way, you might be bricked.


__________________________________________________ _________________________________________________


Downloads



FUU Downloads (Windows only)
FUU Variants

Full Stock, WIPE FUU's:

Notice: Reflashes the /data partition with HTC’s DZDATA files (stock preload bloatware and reformats SDCard), meaning you *loose everything* on your SDCARD. Also replaces the Kernel, Ramdisk, recovery and Splash1 with latest stock images! Contains Stock Hboot (unmodified).
The /system partition will NOT be cleared. (Else this would be a RUU, not a FUU). So sometimes, a ROM might still boot after this, but more often it won’t. Be sure to know how to adb push or adb sideload a ROM to your SDcard after a FUU!


Combined, NoWipe FUU's:

Updates basic firmware partitions, does NOT touch the /data partition, leaves kernel, splash and ramdisk alone. Recovery will be replaced with TWRP.
Contains Stock Hboot (unmodified).
I won't provide new FUU's from now on. But the old ones will still be available.

If you want to use a FUU:
Download an old FUU from below and replace the rom.zip inside the folder with the new firmware zip of your choice. Then rename it to rom.zip and run the ARUWizard.exe.

The downloads accessible through the link above are not supported anymore, meaning, i do not keep an eye on the links all the time.
If you happen to come across a dead link, let me know and if you need it, will re-upload it.



Fastboot ZIP Downloads
ZIP Variants

Combined, NoWipe ZIP's

Notice: This package is modified. Contents: Latest TWRP recovery, all other files updated to latest version, removed Kernel, RAMdisk, Splash and SD wipe files so it should be good to update any firmware from 1.20 and up. Contains Stock Hboot (unmodified).
This package does NOT wipe SDcard.


Full Stock, WIPE ZIP's

Notice: Nothing removed - Everything stock! Needs ROM, (Custom) Kernel and (Custom) Recovery reflash after flashing this except when flashing stock 4.19 ROM afterwards. Phone won’t boot without ROM flash! Contains Stock Hboot (unmodified). *WIPES DATA /SDCARD*

The downloads accessible through the link above are not supported anymore, meaning, i do not keep an eye on the links all the time.
If you happen to come across a dead link, let me know and if you need it, will re-upload it.


Credits


I have lost track of my firmware sources. I am so sorry i cannot name you guys all personally. The most common source would be @LlabTooFeR and HTCDev as well as @mike1986. and some others. If you find your stuff here and want to be included in the credits please contact me. I am very grateful for everyone busy providing dumps and direct leaks.

Major credits go to all Artists at SoundCloud.com, who ensure i have the right background to work.

Further i would like to express my deepest gratitude to team venom, who aren’t only good friends but also let me use their graphical stuff as base for my own stuff. Thank you!

Disclaimer

You are aware that writing to the security protected partitions increases your risk to lose the device exponentially. You understand and agree that i cannot be held responsible for such or any other damages. The flash process is theoretically safe and tested on various phones at time of posting, however you are the brains behind the wheel and you are solely responsible for the execution of the process. I will not accept any responsibility. The method itself is developed by Google and HTC, i only provide access and information to it and you execute it.

You understand that you should not do it if you are not willing to accept this risk.
The Following 299 Users Say Thank You to herwegan For This Useful Post: [ Click to Expand ]
 
herwegan
Old
(Last edited by herwegan; 14th May 2014 at 04:34 PM.)
#2  
herwegan's Avatar
Senior Member - OP
Thanks Meter 517
Posts: 1,037
Join Date: Jun 2013
Default [2014.02.24] Modified and Stock Hboot zips for RUUmode (Red Warning Edit)





General Information


Since we have S-Off, (and ONLY if you have S-Off!) we can get rid of the red warning text, the development disclaimer overlay that has defaced our boot splashes until now.

This build is for
development purposes only
Do not distribute outside of HTC
without HTC's written permission.
Failure to comply may
lead to legal action.


This is not really anything new. It has been done many times before, there are numerous threads with this information and actually everyone can do it himself. I only post this for the sake of convenience. This is the same recipe as was used on other devices, these are RUUmode flashable hboot zips and work the same way as the firmware zips in post #1. They were modified to edit out the warning text; no other modifications. Enjoy a clean custom splash.
Notice: Regaw_leinad has a thread for a utility called "RegawMOD" that allows more customization's of the hboot. My thread is only for this one edit, it is manually done, it flashes in RUUmode and is thus a very clean and safe method.
Personally, i do not trust automated hboot editing methods, however i believe that other dudes method is probably safe and nice. I just provide this for people who feel like myself, a little safer with a full manual way to keep control.

I always test all of these on my own device. But as always, flash at own risk. You're writing to a critical part of your phone.
If anything goes wrong along the way, you might be bricked.



Downloads

I won't provide new modified red warning gone Hboots from now on. But the old ones will still be available.

If you want to use a modified red warning gone Hboot:

Use the guide from

The downloads accessible through the link above are not supported anymore, meaning, i do not keep an eye on the links all the time.
If you happen to come across a dead link, let me know and if you need it, will re-upload it.

HowTo

For a detailed HowTo please follow the firmware flashing instructions in Post #1. Please just replace the zip names with the names of your respective hboot package. Everything else is 100% the same.

Now check the console output. It should approximately look like this:
 
Code:
C:\Android\com>fastboot flash zip orig_hboot_1.44.0000_M7_RUUmode.zip
sending 'zip' (486 KB)...
OKAY [  0.245s]
writing 'zip'...
(bootloader) zip header checking...
(bootloader) zip info parsing...
(bootloader) checking model ID...
(bootloader) checking custom ID...
(bootloader) start image[hboot] unzipping & flushing...
(bootloader) [RUU]UZ,hboot,0
(bootloader) [RUU]UZ,hboot,52
(bootloader) [RUU]UZ,hboot,100
(bootloader) [RUU]WP,hboot,0
(bootloader) [RUU]WP,hboot,99
(bootloader) [RUU]WP,hboot,100
(bootloader) ...... Successful
OKAY [  2.176s]
finished. total time: 2.425s

Important: the flash process halts at 75% at phone screen! This is normal and a safety precaution! The last 25% is the reboot, which is NOT happening automatically, so you get a chance to check the console output before reboot to make sure it is safe to reboot! The bar will only fill up to 100% once you type the following command:

Code:
fastboot reboot-bootloader
Error handling strategies:
IF IT SAYS "FAILED" do NOT reboot the device but rather try the flash again or flash a stock hboot! If you reboot with a FAIL it could not boot up anymore! It could brick!

Please look up possible errors and strategies to deal with them in Post #1.

Credits

@football for the clean stock hboot image from a RUU.
@touch of jobo for the orginal Thread, Concept and Text snippets - Thank you so much dude!
@Tecardo for informing me about the Recovery flash risk.
@patensas for for the OTA 4.19.401.8.

Disclaimer
You are aware that writing to the bootloader-partition increases your risk to lose the device exponentially. You understand and agree that i cannot be held responsible for such or any other damages. The flash process is theoretically safe and tested on two phones at time of release, however you are the brains behind the wheel and you are solely responsible for the execution of the process. I will not accept any responsibility. The method itself is developed by Google and HTC, i have only adapted it and you execute it. Go figure.
You understand that you should not do it if you are not willing to accept this risk.
The Following 108 Users Say Thank You to herwegan For This Useful Post: [ Click to Expand ]
 
herwegan
Old
(Last edited by herwegan; 14th May 2014 at 04:30 PM.)
#3  
herwegan's Avatar
Senior Member - OP
Thanks Meter 517
Posts: 1,037
Join Date: Jun 2013
Default Single Partition Images, RUUmode compatible





Separate touch drivers

Note: These drivers are not part of the common EMMC and get flashed to the touch controller chip. Thus, the flashing procedure looks a little different in the fasboot console output (the WP part is missing) and it takes quite long! Best is to leave it alone.
Drivers for Synaptics S32028 Touch Controller
Working old touch driver for 4.1.2 ROM's: https://mega.co.nz/#!7YB1GCAJ!LaWJ8x...Rgp6i0qx2M_lIw
Working new touch driver for 4.2.2 ROM's: https://mega.co.nz/#!WMxxiLoI!AucvUR...2mnqZ-ltczm9Jc
Drivers for new unknown “HMX852XD” Touch Panel:

http://goo.gl/yV873u
Separate stock splash screens

Note: There are several splash screen threads out there. I will only add the normal HTC, TmoUS and Google Splash screens, just for easy reference.
Splash1 files for the HTC ONE
HTC Sense ROM Splash OLD (with “Quietly Brilliant” Line from 1.27 and below): http://goo.gl/zptrTJ
HTC Sense ROM Splash NEW (from 1.27 Firmware up, no “Quietly Brilliant” line anymore): https://mega.co.nz/#!jAoDSBAY!KocCD0...xrFj2bIRtupNac
T-Mobile US Splash Screen: https://mega.co.nz/#!uJpUCbBI!DqNq4g...gr5frnAGUhjiLY
Google Edition Splash Screen: https://mega.co.nz/#!3NYzBJgB!IDDVWx...Ma1Asx4JK4uFj8
Separate Stock Recoveries

Note:I was planning a stock Recovery collection since long as they do come in handy once in a while, although not too often. Now i remembered Guich had done that already a while ago, so i can spare that work. Thank you @Guich
Guich’s thread in the Dev Section - deep down in the dark of the back pages
http://forum.xda-developers.com/show....php?t=2463387
HowTo

For a detailed HowTo please follow the firmware flashing instructions in Post #1. Please just replace the zip names with the names of your respective hboot package. Everything else is 100% the same.
Credits

@Chezbel for identifying and explaining the Touch Chip.
@steljwaxd for finding the RUU with the old driver - Well done!

Disclaimer
You are aware that writing to the bootloader-partition increases your risk to lose the device exponentially. You understand and agree that i cannot be held responsible for such or any other damages. The flash process is theoretically safe and tested on two phones at time of release, however you are the brains behind the wheel and you are solely responsible for the execution of the process. I will not accept any responsibility. The method itself is developed by Google and HTC, i have only adapted it and you execute it. Go figure.
You understand that you should not do it if you are not willing to accept this risk.
The Following 58 Users Say Thank You to herwegan For This Useful Post: [ Click to Expand ]
 
herwegan
Old
(Last edited by herwegan; 28th April 2014 at 08:30 PM.)
#4  
herwegan's Avatar
Senior Member - OP
Thanks Meter 517
Posts: 1,037
Join Date: Jun 2013
Default Manual Hboot Hex Edit - "Crash Course"

You want to edit your own hboot? Here is a crash-course how i do it: Notice: All at your own risk!

Get a !good! HEX Editor like this one http://mh-nexus.de/en/hxd/

Open your hboot-file with it (no matter if its a raw dd dumped piece or an .img or an .nb0 file - the edit takes place all the same).

Enter the search function of the Editor and type in: "this build is". That will find the right place for you.

You will then see this:

Code:
000ee1f0h: 6E 65 6C 2E 2E 2E 00 00 45 6E 74 65 72 69 6E 67 ; nel.....Entering
000ee200h: 20 4D 44 4D 20 52 61 6D 64 75 6D 70 20 6D 6F 64 ;  MDM Ramdump mod
000ee210h: 65 2E 2E 2E 00 00 00 00 54 68 69 73 20 62 75 69 ; e.......This bui
000ee220h: 6C 64 20 69 73 20 66 6F 72 00 00 00 64 65 76 65 ; ld is for...deve
000ee230h: 6C 6F 70 6D 65 6E 74 20 70 75 72 70 6F 73 65 73 ; lopment purposes
000ee240h: 20 6F 6E 6C 79 00 00 00 44 6F 20 6E 6F 74 20 64 ;  only...Do not d
000ee250h: 69 73 74 72 69 62 75 74 65 20 6F 75 74 73 69 64 ; istribute outsid
000ee260h: 65 20 6F 66 20 48 54 43 00 00 00 00 77 69 74 68 ; e of HTC....with
000ee270h: 6F 75 74 20 48 54 43 27 73 20 77 72 69 74 74 65 ; out HTC's writte
000ee280h: 6E 20 70 65 72 6D 69 73 73 69 6F 6E 2E 00 00 00 ; n permission....
000ee290h: 46 61 69 6C 75 72 65 20 74 6F 20 63 6F 6D 70 6C ; Failure to compl
000ee2a0h: 79 20 6D 61 79 00 00 00 6C 65 61 64 20 74 6F 20 ; y may...lead to 
000ee2b0h: 6C 65 67 61 6C 20 61 63 74 69 6F 6E 2E 00 00 00 ; legal action....
000ee2c0h: 68 62 6F 6F 74 3A 20 20 20 20 30 78 25 78 00 00 ; hboot:    0x%x..
000ee2d0h: 62 6F 6F 74 3A 20 20 20 20 20 30 78 25 78 00 00 ; boot:     0x%x..
In our example hboot 1.44.0000 the Text starts at Offset 000ee210h: right after a series of "65 2E 2E 2E 00 00 00 00 " The "T" of the text "This build is for.....blahblah" is the "54".

How erase it without changing the size of the file or damaging it? Well what i did was look at the spaces between the words displayed at the right hand side. If i place my Cursor on a space, it will show on the left HEX pane what numbers there are. Turns out, the spaces are just 20's. So i learned from that and then replaced the letters and dots with 20's.

For the Replace-Job place the Cursor into the left pane with the numbers! Don't replace in the right pane where you see the text!

Notice: @touch of jobo points out, that one should really only replace the non-zero digits with 0x20 (replace any two-digit number that is NOT zerozero with 20) and NOT replace with 00 so its spaces and not blanks. This way the hboot routine still "sees" text and not just empty space (a "Space" or 20 is regarded as text in this hex world. A "Blank" or 00 is not regarded as text but as a blank space). It is safer!

Now, make sure your HEX Editor is in overwrite mode and not doing anything else but replace existing bits (You'll be in deep sh.it if it kills bits or adds bits!). After finishing your edit, click "Save" and then compare the sizes of the original and the edited file. The Size must be exactly the same. Please do not only look at the dumb windows size but also check the full byte size.
our example hboot here has a size of 2.096.384 Bytes total before and after the edit.

This is how it looks in my edited hboots after the modification:

Code:
000ee200h: 20 4D 44 4D 20 52 61 6D 64 75 6D 70 20 6D 6F 64 ;  MDM Ramdump mod
000ee210h: 65 2E 2E 2E 00 00 00 00 20 20 20 20 20 20 20 20 ; e.......        
000ee220h: 20 20 20 20 20 20 20 20 20 00 00 00 20 20 20 20 ;          ...    
000ee230h: 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 ;                 
000ee240h: 20 20 20 20 20 00 00 00 20 20 20 20 20 20 20 20 ;      ...        
000ee250h: 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 ;                 
000ee260h: 20 20 20 20 20 20 20 20 00 00 00 00 20 20 20 20 ;         ....    
000ee270h: 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 ;                 
000ee280h: 20 20 20 20 20 20 20 20 20 20 20 20 20 00 00 00 ;              ...
000ee290h: 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 ;                 
000ee2a0h: 20 20 20 20 20 00 00 00 20 20 20 20 20 20 20 20 ;      ...        
000ee2b0h: 20 20 20 20 20 20 20 20 20 20 20 20 20 00 00 00 ;              ...
000ee2c0h: 68 62 6F 6F 74 3A 20 20 20 20 30 78 25 78 00 00 ; hboot:    0x%x..
The Following 63 Users Say Thank You to herwegan For This Useful Post: [ Click to Expand ]
 
herwegan
Old
(Last edited by herwegan; 14th May 2014 at 04:29 PM.)
#5  
herwegan's Avatar
Senior Member - OP
Thanks Meter 517
Posts: 1,037
Join Date: Jun 2013
Default [2014.02.26] General Info on various Firmware related things

General Information


Flash Process Output:
There are a few steps in the flash process which are not really straightforward but i can maybe explain some of them here,so you can better understand what is happening:

sending 'zip' means: fastboot is sending zip over to client (here referred to as “remote”)
OKAY [ 2.839s] means status of sending was good. Transfer succeeded.
writing 'zip'... means the zip is being written to some location on the phone from the /temp location.
(bootloader) zip header checking... means the zip header is being checked for validity, see if it’s a real zip file.
(bootloader) zip info parsing... means most likely a check on the file hashes in the zip (integrity check - if the zip is borked, it will fail here)
(bootloader) checking model ID... The bootloader checks if the android-info.txt contains the right MID. If it fails here you gotta swap out your model ID in the android-info.txt file.
(bootloader) checking custom ID... The bootloader checks if the android-info.txt contains the right CID. If it fails here you gotta swap out your Customer ID in the android-info.txt file.
(bootloader) start image[hboot] unzipping for pre-update check... means the bootloader is now unzipping the [hboot] image. This line will be repeated before every image that is to be flashed.
(bootloader) start image[hboot] flushing... means the bootlaoder is now beginning to flash the [hboot] image.
(bootloader) [RUU]WP,hboot,0
(bootloader) [RUU]WP,hboot,99
(bootloader) [RUU]WP,hboot,100 these three lines read [RUU] for what mode fastboot is in, WP for “Write Partition” for what is currently being done in RUUmode, “hboot” is the name of the currently flashed partition, number xx is a percent stage of the write process.
(bootloader) ...... Successful means the final status is successful.

Now, before the [RUU]WP,hboot,xx line we often see another line reading [RUU]UZ,radio,50 for example. That reads RUUmode is currently unzipping the Radio.img and at stage 50 percent. UZ means UNZIP.

If you see something like this:
(bootloader) start image[sbl1-1] unzipping & flushing...
(bootloader) [RUU]UZ,sbl1-1,0
(bootloader) [RUU]UZ,sbl1-1,100
(bootloader) signature checking... means it is checking the signature of the partition if it matches the expexted signature stored in the hboot.
(bootloader) verified fail means the signature in the image did not meet expectations.
(bootloader) ..... Bypassed means the image got skipped because its got the wrong signature.

This has to be interpreted like this: there are multiple “SBL” images, to be exact: type 1 has 3 variants and type 2 has only one variant. Of type 1 (“SBL1-x”), two get skipped, one gets flashed (see my log above), of type two (“SBLx”) both get flashed. I believe, SBL 2 and 3 are device independent, but SBL1 has three variants, of which only one fits the current device. So, depending on the device you have, you will see either SBL1-1, SBL1-2 or SBL1-3 being flashed and the other two subtypes being skipped (bypassed).
The same goes for the "dzdata" images in the firmware package. They come in three size flavors (16, 32 and 64 GB) and resemble the file structure of the /data partition. Depending on your model, only the one with the right size gets flashed, the others skipped.

Important to understand: nearly all FAILED messages that do NOT occur while [RUU]WP (write partition) should be considered harmless. Only a FAIL during a write operation will most likely result in a damaged partition. All other fails will probably leave the original partition intact and thus the device can be rebooted. So far my understanding.

General hints for RUUmode zips
- Opening a zip is best done with 7zip as WinRAR has lead to flash fails in the past.
- Choose low compression, higher compressions often fail. Pick "save" or "normal" to be safe, anything higher could cause the unzip in Bootloader to fail.
- Adding and Removing images is not a problem. The naming of the partition images seems flexible, yet if you encounter an “Error 23: parsing image fail” you need to rename the relevant image to something stock as not all names seem to be recognizable. The hboot determines the right partition from the header inside the image.
- Additional Dots in zip file names are known to have caused issues for a few people.
- Spaces in names are a no-go!
- Custom Recoveries can be added to those zips as well as custom kernels or hboots. In fact, if your phone is S-OFF, you can hex edit any partition and flash it. Be sure you know what you do though lol. I am just pointing out the possibilities. I am NOT saying it is safe!
- With S-ON, those zips only flash if everything is totally stock, from the android-info.txt being right up to all images being the correct versions for that update package and all having the right signatures. Reads: no custom messing with firmware zips for S-ON phones.

General hints for android-info.txt
- Use an Editor that doesn't mess up linebreaks like Windows Notepad does. Use Notepad++
- MID’s can be added one per line. Also supports wildcards i think e.g.: 71******, but i'm not sure.
- CID's can easily be added or removed- one per line, definetely supports wildcards (used by HTC in DevEd phone)
- Mainver line: should hold the version of the most current images, e.g if you combine older and newer files, add the MainVer from the newest. Format 2.24.401.1 (2= Base version always increases by 1 with each android base version rise, 24= Build version from HTC, 401= Regional/Customer identifier, 1= Revision of the HTC Build). This line is being written to the /misc Partition and is thouhgt to identify the whole phone firm/soft version - its not meant to only describe firmware or base alone. Those parts always belong together. My opinion: run Firm/Soft always from the same or very close revisions (eg. 4.06.1540.2 or .3 are no issue, whereas firmware from 1.20 with a ROM from 4.06 can already cause the one or other malfunction).
- hboot pre-update line: usually says "3" but i have seen different numbers. I think they determine if hboot-preflash is required (when you get “Error 90 - please flash imaga again immediately” this is when the hboot needs to be flashed separately first and then the rest... [Item subject to change]
- btype:1 not clear. [Item subject to change]
- aareport:1 Since HTC hboots come as "hboot_signedbyaa” i would read this as "aa" being htc ("hboot signed by aa") and aa report meaning report to htc if 1.
- Delcache means erase cache when rebooting. Simple. Some hboots seem to need it, some don't. Line is not present in every hboot. If you mess with a zip that contains the line, leave it active.

RUUmode:
is the mode used for RUU flashes by HTC. It allows a few more things than the normal fastboot. You recognize it by looking at the phone’s screen. It will be black, showing only a silver HTC logo and if a command is being active, a green progress bar.

Recovery flash risk:
In 2013 there had been a series of TWRP recoveries that have had issues flashing ROMs on a few HTC devices, mainly Aroma based issues. It's possible though that the one Brick i saw on the Ville from flashing a hboot in recovery was related to flashing it in recovery as i am not sure that the ROM flash fails are only Aroma based fails. I am rather sure that the method recovery zip’s most often uses to write an image file to NAND is not 100% bit correct and can cause trouble (This is the “DD” method). Due to the nature of this DD method, it can happen that single bits are flipped, which results in corruptions in the flashed hboot. That can manifest in a full brick or just in faulty operation, in blocked partitions (unwriteable partitions) and many more annoying things. While a full brick isn't really that likely to happen (we had one on the Ville Forums within a year which happened while flashing a hboot in recovery) a corruption of some sort is a little more likely. Since all types of corruptions can lead to severe problems it is desirable to have a safer method. There is a command for recovery “write_image” employed by HTC but i haven’t worked out how to use it and how it actually works and whether or not it is safer. So i decided to just stay away from recovery zips.
Apparently the zip flash executed in RUUmode utilizes a different write technique and is safer (It most likely is the same as “write_image” in updater-script ).
Please be aware though that this is an assumption. There is no real proof for this as we haven't gotten comprehensive documentations of HTC's stuff here. Anyway, this is the reason why i don't offer recovery zips. Even though it is perfectly possible to flash it in live android (using "dd if=/somedir/yourhboot of=/dev/block/mmcblk0p12") or recovery i prefer this method simply because i am sure it is safer.

JTAG with a RIFF Box
Every device of these days has so-called jtag test-points. Basically, these are points on the mainboards, where a direct connection to the main chip can be established and then that chip can be read and written to with an external device. Sometimes, these testpoints are hidden (like they are normal contacts of the chip) and no direct visible gold points on the board. It always takes a while after a device is released until the jtag layout is fully discovered but once that is done, companies like multi-com.pl start manufacturing small boards with pins that can be pressed onto the mainboard, so no soldering to the device is required. Once such a board exists, the mainboard can be hooked to the RIFF box which can rewrite a dead chip from the outside.
As long as there is no such small board (called a "JIG") the phone can still be revived but it is necessary to solder hair-thin wires to the test-points. That is perfectly possible, Tecardo can do such a thing, but its not very good for the board and cannot be done very often. At some point the solder points will degrade so much that the board is garbage then.
In case you really brick your device, you can contact Tecardo here: http://forum.xda-developers.com/show....php?t=2116062

S-OFF: Moonshine vs. Revone vs. Rumrunner
Revone does not install a custom hboot. So if you come here and flash my custom hboot and later go back with the backup i have here or with your own backup, you can then safely go back S-ON too.
Moonshine installs a custom hboot. So, if you come here and flash my custom hboot you will a.) loose moonshine special hboot and b.) you should also know that resetting moonshine S-OFF to S-ON is as dangerous as it is to do on my hboot, since its modded too! Moonshiners should also flash a stock hboot prior to set security back to ON.
Rumrunner is by now (End 2013) the most advanced and furthest developed S-OFF method as it now supports most versions and multiple devices, so the other two can be considered obsolete. Also, i am under the impression it doesnt install an engineering hboot, although there is one available for those who think they need it. So its leaving your hboot as is. Go support @beaups and @Fuses - they done a brilliant job, we’d have nothing without them.

Notes on the currently available hboots
Generally: Every hboot version number exists in different dev stages. So what i write here can be true for one type of e.g. “1.54” but not another. Each new base comes with an updated hboot - HTC has adapted a strategy though lately not to update the version numbers each time anymore. Which is very confusing for us.
- 1.44 can do Revone and Moonshine S-OFF, can also do command “fastboot boot xxx.img” but seems to destabilize bootloader when command getvar all is being run. A forced reboot is required then.
- 1.54 can be set S-OFF using Rumrunner. It crashes the bootloader if trying the fastboot boot command! It was noted by @uncommonaman a while ago, that this is NOT a bug but due to a change in the fastboot command syntax by Google. HTC has adopted it and one now needs to specify more parameters if the boot command is being used. The old command “hangs” the bootloader.
A (not working) solution attempt is here: http://forum.xda-developers.com/show...postcount=1977 and i am still looking for the correct parameters. You can help if you like.
- 1.55 Can be set S-OFF using Rumrunner. The same regarding boot command. New since either 1.54 or 1.55 (not clear) is the changed OFF state charging: the phone is now booting into a sort of recovery mode when charging from OFF state and displaying a charging animation. Later TWRP (2.6.3.3) supports these in the shape of a custom graphic.
1.56 seems to be much the same in terms of the aforementioned stuff, Rumrunner Universal 0.5.x does support it! (Proof by @bihslk thanks for that report! )
1.56 from base 4.18, 4.19 and related is NOT doing the Alarm Wakeup anymore! New bugs introduced. I was also notified that the HTCDev unlock doesn’t work for 1.54/1.55 in a certain scenario (GPE KitKat update, not able to unlock after that update).

MID and CID
MID = Model Identification. It serves the purpose of identifying the Model of the HTC ONE. There are at least 6 different ones if not more. PN0710000 (EU and North America, GSM/LTE) m7_ul and PN0711000 (Asia, GSM) m7_u and PN0712000 (US DEV, GSM/LTE) m7_ul and PN0720000 (US, Sprint) m7_wls. Then there is a PN0714000 (Australia, LTE) m7_ul and another variant for Japan PN0740000 (GSM, CDMA, LTE). Another few China variants are there too but they are dual sim and with SD Card and might not share the same hboot so i leave them out for now.
Source of this Data is here: http://forum.xda-developers.com/show....php?t=2223236
CID = Customer ID and describes, for which customer HTC made this phone. HTC has a few own CID's for its regional stores. Then certain carriers decide to have their own CID. T-Mobile US even has its own Model ID.
So, while the MID more like describes the hardware, the CID basically just describes the software set that comes delivered with it. Both get checked on when flashing in RUUmode. How to trick this system? Fairly easy. Just add your respective MID or CID to the android-info.txt file inside the ZIP.


Signature on the hboot and other partitions
In the Phones Firmware is a component that checks if certain partitions have a digital signature from HTC and deny read and write access if the signature is wrong or missing. The checking component is known to be the Security, which can be set to OFF. Then we say the phone is S-OFF.
For some partitions like the splash screen, it might not lead to a brick if you set security to ON while a custom splash is installed, as this partition is not vital for the boot process, it might just be skipped. System, recovery and boot do not have a signature at all. The HBOOT however does have it and i am sure Partition 3, which controls the Security flag, has it too and maybe some others like the secondary bootloader.
You guys have to understand that altering any of these partitions is deadly to your phone if you happen to leave them altered when switching security back on.

Determining your “Firmware Version”
I believe there is some wrong info circulating the HTC Fora. People keep saying when running fastboot getvar all it will report the Firmware Version in the line “Version-Main”. This is not always true though. Fastboot getvar all or alternatively getvar mainver pulls a version it finds in the MISC partition and relies on that to be correctly updated. Source
So how does that version string get updated? It is being taken from the android-info.txt file in any firmware zip that you flashed. The last zip you flashed determines what will be reported by the getvar function. So if you mess around with Firmware.zip’s and RUU’s a lot, chances are, that the version reported there is not equivalent to what you are already running. Often the android-info.txt has version entries not appropriate for the actual zip contents, for compatibility reasons, because it wasn’t done properly or whatever. My zips usually have the MainVer from the newest Firmware i took the components from, e.g my combined zips.

The "Firmware" as a concept like we use it on XDA does not exist in HTC's terms. HTC does NOT differentiate between the /System Partition (what we know as "the ROM") and the other 36 partitions. Hence, if you run getvar all or getvar mainver on a stock phone, it will report correctly. It does not go looking for a fictitious place where it would find a separate "Firmware" version. That place it is looking at is the Misc Partition and that’s correct as long as you haven’t messed with lots of different Firmware zips... So, if you happen to run a hybrid system with a ROM from one base and the other partition images from another base or multiple bases (like hboot from 1.27, radio from 4.06 and ROM from 3.62) the getvar function will report as "Version-Main" what it finds in /misc/, precisely the last zip you flashed determines the string put there.

Example: you flashed a radio with a RUUmode zip from Base 4.06 but the android-info.txt is maybe still an old one because the dude who made the zip, just dropped the new radio into an old existing zip, the getvar function will later report that old version as your mainver.

To check your firmware: boot to bootloader and look at the combination of hboot version and radio version - if you didn't flash those separate, the combination will let you know what base you are on (each OTA and RUU has the radioversion in its name).
Finding out your firmware is a game of guesses and knowing what you did to your device and where you are coming from.

If totally lost, best thing is to reflash some clean stock package to be sure you are on the same level with all partitions.

Long story short: you better know what you do because finding out your firmware is going to be difficult if you don't.

Further reading

Some more useful threads with similar contents. Each has its own bits and pieces and re-wording that you don’t find here or understand here. So those threads might be helpful to you too.
- Mike1986’s Firmware thread
- Jolishj thread with Firmware packages including the red-warning-removed hboot already (for those who know the dangers of that hboot mod)
- Vomer’s ultimate guide thread
- Sir Crushalot’s genius stock reset packs
- Sir Crushalot’s nice Firmware packs with dark bootloader (GE 3.58 hboot)
- hes_theone64’s radio flash guide for recovery - method can be adapted for hboots etc.!

Related/ “Like” stuff
- Graffixnyc’s very interesting GE/Sense full conversion guide
- HTC ONE Partition List
- Mike1986 Partition explanation
- Mike1986 Model Variants Thread
The Following 43 Users Say Thank You to herwegan For This Useful Post: [ Click to Expand ]
 
Tecardo
Old
#6  
Tecardo's Avatar
Senior Member
Thanks Meter 620
Posts: 703
Join Date: Nov 2011
Location: Pfofeld

 
DONATE TO ME
Thanks for that, it's great to have soff and now that on the one.
The Following 6 Users Say Thank You to Tecardo For This Useful Post: [ Click to Expand ]
 
CheesyNutz
Old
#7  
CheesyNutz's Avatar
Senior Member
Thanks Meter 3,016
Posts: 11,340
Join Date: Oct 2010
Location: Springfield
Nice work week do this after work

Sent from my HTC One using Tapatalk 4 Beta
Copy Cloud storage https://copy.com?r=cgXMEB
DropBox Cloud storage http://db.tt/UnygTbN
The Following User Says Thank You to CheesyNutz For This Useful Post: [ Click to Expand ]
 
he_stheone64
Old
#8  
he_stheone64's Avatar
Recognized Contributor / Themer
Thanks Meter 10,775
Posts: 4,982
Join Date: Aug 2008
Location: Vienna & Düsseldorf
Great job sneaky, I`m sure legions of ONE users will enjoy getting rid of the sh... red warning
The Following User Says Thank You to he_stheone64 For This Useful Post: [ Click to Expand ]
 
rayford85
Old
#9  
rayford85's Avatar
Recognized Themer
Thanks Meter 5,187
Posts: 4,253
Join Date: May 2011

 
DONATE TO ME
Thanks for sharing Sneaky.
 
Sneakyghost
Old
(Last edited by Sneakyghost; 9th June 2013 at 01:00 PM.)
#10  
Sneakyghost's Avatar
Senior Member
Thanks Meter 7,025
Posts: 5,587
Join Date: Jul 2008
Location: InMyHead

 
DONATE TO ME
Ok now this is where the morons with brick comlaints come in.... happy killing your device!

Tecardo will revive your phones. He has an unbrick service going we originally set up for the HTC One S / Ville but he will be having the JIG for the ONE too and can then revive your devices.

So this is a conspiracy. I kill your phones so Tec can revive them and ask for Donations haha

(just kidding just in case you didnt notice)

The Following 14 Users Say Thank You to Sneakyghost For This Useful Post: [ Click to Expand ]
Thread Tools Search this Thread
Search this Thread:

Advanced Search
Display Modes