XDA Developers Android and Mobile Development Forum

TUTORIAL: Remove *TAMPERED* & *RELOCKED* flag / HBoot w/o unlock_code.bin

Modding.MyMind (Senior Member, OP)
(Last edited by Modding.MyMind; 25th December 2013 at 06:24 PM.)
#1

FOR ALL K2 VARIANTS (K2_CL, K2_UL, K2_U, K2_PLC_CL)

Advantages
- No more hassle with htcdev, tokens, or unlock codes
- No more submitting your phone's personal info to HTC
- The ability to get back to 100% stock without any visual traces or records of having been S-Off or unlocking your bootloader.

PLEASE PAY CLOSE ATTENTION TO THIS TUTORIAL AS I WILL SHOW YOU HOW TO CHANGE THE FLAG FOR LOCK, RELOCK, UNLOCK, AND TAMPERED!!

I INSIST THAT YOU READ ALL OF THIS BEFORE YOU TAKE FURTHER ACTION - IF YOU FAIL TO FOLLOW INSTRUCTIONS THE ONLY ONE TO BLAME IS YOURSELF. AFTER YOU HAVE READ THIS TUTORIAL AND COME TO UNDERSTAND THIS PROCEDURE THEN BY ALL MEANS GO AHEAD AND CARRY OUT THE NECESSARY STEPS TO ACCOMPLISH WHATEVER GOALS YOU MAY CURRENTLY HAVE AT THIS TIME.

- This tutorial may be easier on the eyes if viewed by the actual web browser vice an app or phone device.


Many thanks to @old.splatterhand for being generous and providing me some files which allowed me to confirm this tutorial for all K2 variants.

Confirmed Working - Credits
Myself - K2_CL
@russellvone - K2_CL
Lordvincent 90 - K2_CL
@DrBassman - K2_CL


REQUIREMENTS FOR THIS TUTORIAL FOR THE PURPOSE OF LEARNING AND APPLYING IT
- This tutorial will be based on an already UNLOCKED Bootloader with TAMPERED flag
- Must be S-OFF
- Must be rooted
- Proper ADB and Fastboot files
- Hex editor (HxD)
- Knowledge of Hex and DD (aka Data Destroyer)

If you do not know what DD is then please read the following which I extracted from WIKI for the simplicity of this tutorial - Otherwise, skip this and move along.
 
Quote:
dd is a command on Unix and Unix-like operating systems whose primary purpose is to convert and copy a file.

On Unix, device drivers for hardware (such as hard disks) and special device files (such as /dev/zero and /dev/random) appear in the file system just like normal files; dd can also read and/or write from/to these files, provided that function is implemented in their respective driver. As a result, dd can be used for tasks such as backing up the boot sector of a hard drive, and obtaining fixed amount of random data. The dd program can also perform conversions on the data as it is copied, including byte order swapping and conversion to and from the ASCII and EBCDIC text encodings.

The name dd may be an allusion to the DD statement found in IBM's Job Control Language (JCL), where the initialism stands for "Data Description." The command's syntax resembles the JCL statement more than it does other Unix commands, so the syntax may have been a joke. Another explanation for the command's name is that "cc" (for "convert and copy", as in the command's description) was already taken by the C compiler.

The dd command is specified by IEEE Std 1003.1-2008, which is part of the Single UNIX Specification.

The command line syntax of dd differs from many other Unix programs, in that it uses the syntax option=value for its command line options, rather than the more-standard --option value or -option=value formats. By default, dd reads from STDIN and writes to STDOUT, but these can be changed by using the if (input file) and of (output file) options.

Usage varies across different operating systems. Also, certain features of dd will depend on the computer system capabilities, such as dd's ability to implement an option for direct memory access. Sending a SIGINFO signal (or a USR1 signal on Linux) to a running dd process makes it print I/O statistics to standard error once and then continue copying (note that signals may terminate the process on OS X). dd can read standard input from the keyboard. When end-of-file (EOF) is reached, dd will exit. Signals and EOF are determined by the software. For example, Unix tools ported to Windows vary as to the EOF: Cygwin uses (the usual Unix EOF) and MKS Toolkit uses (the usual Windows EOF).

In spirit with the Unix philosophy, dd does one thing (and may be considered to do it "well"). Unlike a sophisticated and highly abstracted utility, dd has no algorithm other than in the low-level decisions of the user concerning how to vary the run options. Often, the options are changed for each run of dd in a multi-step process to solve a computer problem.

The GNU variant of dd as supplied with coreutils on Linux does not describe the format of the messages displayed on standard output on completion. However, these are described by other implementations, e.g. that with BSD.

Each of the "Records in" and "Records out" lines shows the number of complete blocks transferred + the number of partial blocks, e.g. because the physical medium ended before a complete block was read, or a physical error prevented reading the complete block.

A block is a unit measuring the number of bytes that are read, written, or converted at one time. Command line options can specify a different block size for input/reading (ibs) compared to output/writing (obs), though the block size (bs) option will override both ibs and obs. The default value for both input and output block sizes is 512 bytes (the traditional block size of disks, and POSIX-mandated size of "a block"). The count option for copying is measured in blocks, as are both the skip count for reading and seek count for writing. Conversion operations are also affected by the "conversion block size" (cbs).

For some uses of the dd command, block size may have an effect on performance. For example, when recovering data from a hard disk, a small block size will generally cause the most bytes to be recovered. Issuing many small reads is an overhead and may be non-beneficial to execution performance. For greater speed during copy operations, a larger block size may be used. However, because the amount of bytes to copy is given by bs×count, it is impossible to copy a prime number of bytes in one go without going with one of two bad choices, bs=N count=1 (memory use) or bs=1 count=N (read request overhead). Alternative programs (see below) permit specifying bytes rather than blocks.



Let's get started shall we - the following commands highlighted in RED are your commands to execute:
- Go ahead and plug your device in to your PC with a USB cable.
- Open up CMD and change its directory to the location of your proper ADB and Fastboot files
- Establish a proper connection with your device. It should look something like this:
 
Code:
C:\Users\*******\Desktop\Android_tweak_software\HTC_fastboot_files>adb devices
List of devices attached
HT3*********    device


C:\Users\*******\Desktop\Android_tweak_software\HTC_fastboot_files>

- If connection is established then direct to your devices' adb shell:
 
Code:
C:\Users\*******\Desktop\Android_tweak_software\HTC_fastboot_files>adb shell
root@android:/ #

- Go ahead and gain superuser rights to your devices' adb shell:
 
Code:
C:\Users\*******\Desktop\Android_tweak_software\HTC_fastboot_files>adb shell
root@android:/ # su
su
root@android:/ #

- Now we need to copy a partition (mmcblk0p7) to your sdcard using DD. Ensure you do not make a typo:
 
Code:
C:\Users\*******\Desktop\Android_tweak_software\HTC_fastboot_files>adb shell
root@android:/ # su
su
root@android:/ # dd if=/dev/block/mmcblk0p7 of=/sdcard/mmcblk0p7.img
dd if=/dev/block/mmcblk0p7 of=/sdcard/mmcblk0p7.img
31155+0 records in
31155+0 records out
15951360 bytes transferred in 2.259 secs (7061248 bytes/sec)
root@android:/ #

- Now we need to pull this image (mmcblk0p7) to our pc:
 
Code:
C:\Users\*******\Desktop\Android_tweak_software\HTC_fastboot_files>adb shell
root@android:/ # su
su
root@android:/ # dd if=/dev/block/mmcblk0p7 of=/sdcard/mmcblk0p7.img
dd if=/dev/block/mmcblk0p7 of=/sdcard/mmcblk0p7.img
31155+0 records in
31155+0 records out
15951360 bytes transferred in 2.259 secs (7061248 bytes/sec)
root@android:/ # exit
exit
root@android:/ # exit
exit

C:\Users\*******\Desktop\Android_tweak_software\HTC_fastboot_files>adb pull /sdcard/mmcblk0p7.img
2523 KB/s (15951360 bytes in 6.172s)

C:\Users\*******\Desktop\Android_tweak_software\HTC_fastboot_files>

- Go ahead and repeat these steps for (mmcblk0p3).
- At this time go ahead and open up your hex editor (HxD) and at the top right change from hex in the drop down bar to dec - you will do this (if necessary) for all images pertaining to this tutorial.
- Drag/drop (mmcblk0p3.img) in to the hex editor (HxD).
- Now hit ctrl+F or go to the Search tab, then click on Find.
- Search for HTCU. You will see the following:

 
Code:
Offset(d)  00 01 02 03 04 05 06 07 08 09 10 11 12 13 14 15

000033728  00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................
000033744  00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................
000033760  00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................
000033776  00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................
000033792  00 00 00 00 48 54 43 55 01 00 00 00 00 00 00 00  ....HTCU........
000033808  00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................
000033824  00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................
000033840  00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................
000033856  00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................


- Drag/drop (mmcblk0p7.img) in to the hex editor (HxD).
- Now hit ctrl+G or go to the Search tab, then click on Goto....
- Search for DEC OFFSET 4265984.
- You will see something like this:
 
Code:
Offset(d) 00 01 02 03 04 05 06 07 08 09 10 11 12 13 14 15

04265920  00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................
04265936  00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................
04265952  00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................
04265968  00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................
04265984  68 25 32 C6 02 00 00 00 00 00 00 00 00 00 00 00  h%2∆............
04266000  00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................
04266016  00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................
04266032  00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................
04266048  00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................


- Now that we have what we needed loaded and prepped we want to see what needs adjustment regarding lock, unlock, relock, and tampered.
- These two partitions are already stamped with the bootloader being unlocked as well as being tampered so finding what we are looking for makes it easy as seen above.
- mmcblk0p3 is the partition which determines if our device is locked, unlocked, or relocked.
- mmcblk0p7 is the partition which determines if our device is tampered with or not.
- Let's look at mmcblk0p3. We see in red, HTCU, which we already know means Unlocked, because as I mentioned in the beginning, this tutorial is based on an already unlocked bootloader and tampered device.
 
Code:
000033792  00 00 00 00 48 54 43 55 01 00 00 00 00 00 00 00  ....HTCU........

- We want to lock or relock our device. To relock is, "HTCL". To Lock is, "00 00 00 00".
- Our goal is creating a dd command which will implement these changes for us to our partition already on our device.
- To lock:
 
Code:
echo -ne '\x00\x00\x00\x00' | dd of=/dev/block/mmcblk0p3 bs=1 seek=33796

- To relock:
 
Code:
echo -ne "HTCL" | dd of=/dev/block/mmcblk0p3 bs=1 seek=33796

- To unlock:
 
Code:
echo -ne "HTCU" | dd of=/dev/block/mmcblk0p3 bs=1 seek=33796

- The command for seek is what determines the decimal search of that partition when implementing the echo command from start to finish, from left to right as it writes it out. This is why earlier I told you to change it from hex to dec in your hex editor. If you look at seek=33796 and go back to your hex editor you will notice the dec offset says 33792 then underneath that it says 33808.
 
Code:
Offset(d)  00 01 02 03 04 05 06 07 08 09 10 11 12 13 14 15

000033792  00 00 00 00 48 54 43 55 01 00 00 00 00 00 00 00  ....HTCU........
000033808  00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................


- To determine the exact decimal location where the dd command will start writing to you must first look at the top of your hex editor where it shows '00 01 02 03 04 05, etc'. You will take the offset for 33792 and look at where HTCU begins then scroll to the top which in this case it aligns to '04', so we add 04 to the offset of 33792 which gives us a total of 33796. This becomes our seek (our starting point).

- Now that we have established this concept with mmcblk0p3.img, lets go and take a look at mmcblk0p7.img.
- We already know our device has been tampered with. If you search for tamper or tampered you will find results and these results eventually bring you to where we already are as mentioned above and if following along then what you are currently looking at on your pc.
- This one is really simple. Either your device is tampered or it is not. In this case we notice '02' which signifies the setup for being tampered.
 
Code:
Offset(h) 00 01 02 03 04 05 06 07 08 09 0A 0B 0C 0D 0E 0F

00411800  68 25 32 C6 02 00 00 00 00 00 00 00 00 00 00 00  h%2∆............

- Let's go ahead and change it to '00' with the following dd command:
 
Code:
echo -ne '\x00' | dd of=/dev/block/mmcblk0p7 bs=1 seek=4265988

- To restore back to tampered you will just replace 00 with 02.
(FOR K2_PLC_CL USERS, REPLACE 00 WITH 04, INSTEAD OF 02 - Credit goes to @DOrtego for notifying me of this)
- Now to show you how to execute these commands. I will only use one command for this example since it will be the same for all of them. The following in RED will be your commands to execute. A lot of these will be due to ensuring you are set up prior to executing the dd command itself, so if you are already good to go then just seek for the dd command and follow along:
 
Code:
C:\Users\*******\Desktop\Android_tweak_software\HTC_fastboot_files>adb devices
List of devices attached
HT**********    device


C:\Users\*******\Desktop\Android_tweak_software\HTC_fastboot_files>adb shell
root@android:/ # su
su
root@android:/ # echo -ne '\x00' | dd of=/dev/block/mmcblk0p7 bs=1 seek=4265988
1+0 records in
1+0 records out
1 bytes transferred in 0.012 secs (83 bytes/sec)
root@android:/ # exit
exit
root@android:/ # exit
exit

C:\Users\*******\Desktop\Android_tweak_software\HTC_fastboot_files>


I will also show you how to go back to S-ON, but you BETTER make sure you have your stock HBoot.img flashed, Stock Boot.img flashed, etc OR YOU WILL BRICK YOUR DEVICE INDEFINITELY!!!

YOU MUST FIRST BE IN FASTBOOT - THERE WILL BE NO USING ADB NOR A TERMINAL EMULATOR FOR THIS STEP

To go from radio S-OFF to radio S-ON enter the following :
Code:
fastboot oem writesecureflag 3
To go from HBoot S-Off to HBoot S-On just flash a stock HBoot to remove the modified version.

Code:
adb reboot bootloader

// booting in to bootloader

fastboot devices

// establishing connection between device and PC

fastboot oem rebootRUU

// booting in to RUU

fastboot flash zip filename.zip

// .zip with stock HBoot image

fastboot reboot-bootloader

// confirm mod S-Off HBoot now reads new S-On from stock HBoot

fastboot reboot

// boot OS
So, there you have it everyone! Enjoy, and profit!

--- Happy Hunting!
Attached images: locked.jpg, unlocked.jpg, IMAG0234.jpg
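The offset arithmetic and the echo|dd writes from the tutorial above, dry-run against constructed image files on a PC shell instead of against the live partitions, then read back to confirm the resulting state. This is an added example, not code from the original post. The image sizes and the zero filler are assumptions; only the bytes the post actually shows are reproduced (48 54 43 55 01 at decimal 33796 in mmcblk0p3, 68 25 32 C6 02 at decimal 4265984 in mmcblk0p7). Two things deliberately differ from the post's commands: printf replaces echo -ne, which is not portable across shells (dash prints the "-ne" literally), and dd gets conv=notrunc, which changes nothing on a block device but stops dd from truncating a regular image file to seek+count bytes.

```shell
#!/bin/sh
# Added example, not from the original post: dry-run the tutorial's offset
# arithmetic and echo|dd writes against constructed image files, then read
# the bytes back to confirm the state before touching a real partition.
set -eu

# Decimal offsets from the tutorial: 4-byte lock marker in mmcblk0p3,
# 1-byte tamper flag in mmcblk0p7.
LOCK_OFF=33796
TAMPER_OFF=4265988

# Write the bytes described by a printf format at a decimal offset.
# conv=notrunc is a no-op on a block device but stops dd from truncating a
# regular image file to seek + count bytes (the tutorial's commands omit it).
write_at() {  # file offset printf-format
    printf "$3" | dd of="$1" bs=1 seek="$2" conv=notrunc 2>/dev/null
}

# Read count bytes at a decimal offset and return them as lowercase hex.
read_hex() {  # file offset count
    dd if="$1" bs=1 skip="$2" count="$3" 2>/dev/null | od -An -tx1 -v | tr -d ' \n'
}

# Constructed stand-ins for the two dumps (sizes are assumptions, not the real
# partition sizes): zero-filled files carrying only the bytes the post shows.
make_fixtures() {  # dir
    dd if=/dev/zero of="$1/mmcblk0p3.img" bs=1024 count=64 2>/dev/null
    write_at "$1/mmcblk0p3.img" $LOCK_OFF 'HTCU\001'                # 48 54 43 55 01
    dd if=/dev/zero of="$1/mmcblk0p7.img" bs=4096 count=1050 2>/dev/null
    write_at "$1/mmcblk0p7.img" $((TAMPER_OFF - 4)) 'h%%2\306\002'  # 68 25 32 C6 02
}

# Classify the lock marker: HTCU = unlocked, HTCL = relocked, zeros = locked.
lock_state() {  # p3-image
    case "$(read_hex "$1" $LOCK_OFF 4)" in
        48544355) echo unlocked ;;
        4854434c) echo relocked ;;
        00000000) echo locked ;;
        *)        echo unknown ;;
    esac
}

# Tamper flag as two hex digits: 02 (or 04 on K2_PLC_CL) = tampered, 00 = clean.
tamper_flag() {  # p7-image
    read_hex "$1" $TAMPER_OFF 1
}

# Walk the tutorial's transitions and report each observed state plus whether
# the image sizes survived (they would not without conv=notrunc).
demo() {
    dir=$(mktemp -d)
    p3="$dir/mmcblk0p3.img"; p7="$dir/mmcblk0p7.img"
    make_fixtures "$dir"
    sizes="$(wc -c < "$p3")/$(wc -c < "$p7")"
    s0="$(lock_state "$p3")/$(tamper_flag "$p7")"
    write_at "$p3" $LOCK_OFF 'HTCL'                   # relock
    write_at "$p7" $TAMPER_OFF '\000'                 # clear tampered
    s1="$(lock_state "$p3")/$(tamper_flag "$p7")"
    write_at "$p3" $LOCK_OFF '\000\000\000\000'       # lock
    s2="$(lock_state "$p3")/$(tamper_flag "$p7")"
    [ "$sizes" = "$(wc -c < "$p3")/$(wc -c < "$p7")" ] && kept=sizes-kept || kept=truncated
    rm -rf "$dir"
    echo "$s0 $s1 $s2 $kept"
}

demo   # prints: unlocked/02 relocked/00 locked/00 sizes-kept
```

Point lock_state and tamper_flag at the real pulled mmcblk0p3.img and mmcblk0p7.img to confirm the markers sit where the hex dumps above say before running any write against /dev/block on the device; if either function prints "unknown", the dump does not match the layout the tutorial describes and the seek values should not be trusted for that image.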
 
Modding.MyMind (OP)
#2
(Last edited by Modding.MyMind; 29th November 2013 at 01:04 AM.)
Other users, what I did to confirm this was by pulling mmcblk0p3 and mmcblk0p7 for both versions and compared the results with a hex editor to determine these steps are valid for the K2_CL variant. Enjoy.

EDIT: Confirmed for ALL K2 variants

Sent from my C525c using XDA Premium 4 mobile app
 
Modding.MyMind (OP)
#3
And yes, I used my device as a guinea pig so of course it works :P

 
russellvone
#4
Quote:
Originally Posted by Modding.MyMind
And yes, I used my device as a guinea pig so of course it works :P
What if we wish to put *tampered* back?

Lol
 
Modding.MyMind (OP)
#5
Hmmm, I would have to look at that as I did not consider that as an option. However, having 'tampered' being displayed leaves traces so why would you want to lol.

 
russellvone
#6
Complete joke, very well done sir.

Awesome find!
 
Modding.MyMind (OP)
#7
Yea, I knew it was ha! And thanks. Would like to see if this works for the other variants as well but I do not have what I need from them so either they will need to figure it out or become very brave with trying my steps lol.

 
russellvone
#8
+sorry for the off topic+
but I decided to do a complete factory restore of my phone and accept an ota update to see if I could get to that clockworkmod like screen in stock recovery.

and it let me

first attempt it just installed the update without letting me into the clockworkmod like..........

so I simply deleted a system app accepted the next update, allowed to boot into recovery,

then once it got to the hated /!\ Red triangle, I just held volume+ then pressed power and it let me see the reason for the fail.

thought you would like to play with it
 
Modding.MyMind (OP)
#9
Awesome! Thanks.

 
Modding.MyMind (OP)
#10
Maybe @old.splatterhand could look in to this with the K2_U and K2_UL variants .

And possibly add this finding to his index *cough**cough* haha
