TWRP 2.8.3.0 Available for Supported Devices

The TeamWin Recovery Project (or TWRP, for short) has quickly become one of the most popular … more

Easily Generate and Export Material Design Palletes

For many people, it can be pretty difficult to create a palette of complementary colors. … more

Android One Expanding to Bangladesh, Nepal, and Sri Lanka

At Google I/O 2013, Google proudly announced that the Android operating system was … more

Android 5.0.2 Fixes 2012 Nexus 7! Sony’s Making a Google Glass Competitor? – XDA TV

Android 5.0.2 Lollipop is available for the … more

Welcome to XDA

Search to go directly to your device's forum

Register an account

Unlock full posting privileges

Ask a question

No registration required
Post Reply

Messing about with fastboot on the HTC Hero Orange UK

OP adq

28th July 2009, 01:18 AM   |  #1  
OP Junior Member
Thanks Meter: 2
 
25 posts
Join Date:Joined: Jul 2009
Hi, since this is my wife's HTC hero from Orange UK, I'm being particularly careful with it. I'm new to xda-developers/HTC platforms (but not new to doing horrible things to embedded platforms) :>

I've been messing about with the phone all evening - downloaded that ROM image from the other thread and pulled it apart to look at the OS files etc - the standard break-a-new-embedded-linux-platform routine.

Anyway, if you hold down BACK when powering on, it enters the bootloader mode with a "FASTBOOT USB" prompt, which sounded interesting. I got a copy of the fastboot binary, and extracted the kernel and the ramdisk images from "boot.img" in the "HEROIMG_Hero_HTC_WWE_1.76.405.1_R3_WWE_release_si gned.zip" (using split_bootimg.pl).

Just as a quick test, I tried booting them with:
fastboot boot kernel.img boot.img

since the above just boots a kernel from RAM, and not actually flash it. Anyway, fastboot claims it downloaded and booted it ok, and the phone shows the "HERO" logo. Unfortunately that is as far as it gets. However, if I reset the phone, it boots perfectly fine from the kernel/ramdisk in flash (phew!)

Since it doesn't actually boot into android proper (and doesn't show up as a USB device), I don't know if (a) its showing the HERO logo, but failing the signature check, or (b) actually booting, but crashing 'cos the kernel/ramdisk aren't quite right. I'd guess (a) myself, but I'm new to messing with HTC bootloaders.

Anyway, in case they're useful, the details of the phone from the fastboot mode are:
HERO CVT SHIP S-ON
HBOOT-1.76.0004 (HERO10000)
MICROP-010f
TOUCH PANEL-SYN0104
RADIO-6.35.04.25
Jul 3 2009,15:22:21
28th July 2009, 01:37 AM   |  #2  
Dayzee's Avatar
Senior Member
Flag Manchester UK
Thanks Meter: 11
 
330 posts
Join Date:Joined: Jan 2008
More
That method of entering fastboot is the same as the magic. Check the magic / sapphire wiki and have a read as I suspect the magic is its closest relative and a lot of the magic stuff will work...

daisy xx
28th July 2009, 01:54 AM   |  #3  
OP Junior Member
Thanks Meter: 2
 
25 posts
Join Date:Joined: Jul 2009
Aha, thank you very much, that gives me more information!

Anyway, I just tried booting the boot.img itself instead of splitting it up with:

fastboot boot boot.img

This time, it booted right into the full android! Checking /proc/config.gz:

On the phone booting normally, it says:
# Linux kernel version: 2.6.27
# Fri Jul 3 07:52:06 2009

On the phone booted with boot.img extracted from that zip, it starts:
# Linux kernel version: 2.6.27
# Thu Jun 25 14:16:01 2009

So it seems as though it can boot the boot.img: AFAIK config.gz is hardcoded into the kernel binary. Now: is there a signature in the boot.img file?
28th July 2009, 02:56 AM   |  #4  
OP Junior Member
Thanks Meter: 2
 
25 posts
Join Date:Joined: Jul 2009
Erm, I'm either hallucinating from lack of sleep, or I appear to have a root shell on it now. e.g. I can see the contents of /data from "adb shell":

ps reports: [snip]
root 43 1 3332 164 ffffffff 0000e8f4 S /sbin/adbd
root 619 43 748 340 c005ef5c afe0d08c S /system/bin/sh


# ls /data/app
org.oep.pong.apk
com.google.android.stardroid.apk
se.illusionlabs.labyrinth.lite.apk
com.google.zxing.client.android.apk
com.innovativelanguage.wordpowerlite.jp.apk
com.funambol.android.apk
com.massorbit.sword.apk
com.soundroid2012.piano.apk
jg.entertainment.abook.four.apk
com.maplekeycompany.apps.shake.apk
net.peterd.zombierun.apk


All I did was
1) pull the boot.img apart with split_bootimg
2) gunzip the ramdisk
3) hexedit the ramdisk to set ro.secure=0 (couldn't be bothered faffing about with cpio)
4) gzip the ramdisk
5) rebuild the image with mkbootimg. Oh you need to specify a different base address. Example command line:

/tmp/mkbootimg --kernel boot.img-kernel --ramdisk boot.img-ramdisk.insecure.gz --cmdline 'no_console_suspend=1 console=null' -o test-insecure.img --base 0x19200000

Then I just booted it with "fastboot boot test-insecure.img"
Last edited by adq; 28th July 2009 at 03:06 AM.
28th July 2009, 04:41 AM   |  #5  
Senior Member
Thanks Meter: 0
 
114 posts
Join Date:Joined: May 2009
Quote:
Originally Posted by adq

Erm, I'm either hallucinating from lack of sleep, or I appear to have a root shell on it now. e.g. I can see the contents of /data from "adb shell":

ps reports: [snip]
root 43 1 3332 164 ffffffff 0000e8f4 S /sbin/adbd
root 619 43 748 340 c005ef5c afe0d08c S /system/bin/sh


# ls /data/app
org.oep.pong.apk
com.google.android.stardroid.apk
se.illusionlabs.labyrinth.lite.apk
com.google.zxing.client.android.apk
com.innovativelanguage.wordpowerlite.jp.apk
com.funambol.android.apk
com.massorbit.sword.apk
com.soundroid2012.piano.apk
jg.entertainment.abook.four.apk
com.maplekeycompany.apps.shake.apk
net.peterd.zombierun.apk


All I did was
1) pull the boot.img apart with split_bootimg
2) gunzip the ramdisk
3) hexedit the ramdisk to set ro.secure=0 (couldn't be bothered faffing about with cpio)
4) gzip the ramdisk
5) rebuild the image with mkbootimg. Oh you need to specify a different base address. Example command line:

/tmp/mkbootimg --kernel boot.img-kernel --ramdisk boot.img-ramdisk.insecure.gz --cmdline 'no_console_suspend=1 console=null' -o test-insecure.img --base 0x19200000

Then I just booted it with "fastboot boot test-insecure.img"

You're ready to build your own rom images ;)

You could start by preparing your own rooted recovery with nandroid.
For a quick and dirty basic recovery image, just download one from sapphire development forum, replace the boot.img-kernel with a working copy for your hero.
Then rename init.sapphire.rc in init.hero.rc in ramdisk image.

You can simply extract ramdisk image with:
mkdir boot.img-ramdisk
cd boot.img-ramdisk
zcat ../boot.img-ramdisk.gz | cpio -idv

make your changes to ramdisk files

search internet for a script named repack-bootimg.pl
add the new base parameter to mkbootimg line in the script

cd to directory where you unpacked your boot.img
repack-bootimg.pl boot.img-kernel boot.img-ramdisk newboot.img
fastboot your recovery

then you can use nandroid in the recovery image to make a full dump of your rom and use the newer version of boot.img you have in your device to rebuild an up-to-date recovery or any kind of rom (you could start by preparing a copy of your original rom by changing ro.secure=0 in both boot.img and recovery.img).

By the way, I noticed that kernel in HERO uses sapphire fixup. The currently available version on the net is not booting on sapphire (magic) 32A, but it resets after a few minutes.
Maybe the kernel version in your orange hero introduces compatibility with sapphire boards. Well, really I suppose it won't, but if you get a nandrod backup and post your current original boot.img, magic 32A board owners could give it a try while we are waiting for HTC to release updated kernel sources for Magic and Hero.

Bye
daldroid
28th July 2009, 04:52 AM   |  #6  
Senior Member
Thanks Meter: 0
 
114 posts
Join Date:Joined: May 2009
Quote:
Originally Posted by adq

[...]

So it seems as though it can boot the boot.img: AFAIK config.gz is hardcoded into the kernel binary. Now: is there a signature in the boot.img file?

No, no signature in standard boot.img, you have to zip it and sign the resulting zip. But no signing keys except for test-keys are available to the public, so I suppose your spl (S-ON) wil not allow you to directly flash rom images from fastboot command line.

However it seems your SPL allows you to fastboot a repacked boot image, so it should not be a problem to use a recovery image to flash whichever rom mod you like.

I suggest you not to flash any SPL you can find on the net, I suppose you have the newest ad no image of your original SPL is available (there is one from a leaked hero image, but yours seems to be newer)

Bye
28th July 2009, 05:12 AM   |  #7  
OP Junior Member
Thanks Meter: 2
 
25 posts
Join Date:Joined: Jul 2009
Yeah, my thoughts exactly, I'd rather not flash the SPL if I can help it: I don't fancy explaining to my wife why I have to rip her phone apart to find the JTAG contacts I'll upload the boot.img later though.

Thats odd about the reset after a few minutes thing: hardware watchdog timer of some sort?
28th July 2009, 09:22 AM   |  #8  
Senior Member
Thanks Meter: 0
 
114 posts
Join Date:Joined: May 2009
Quote:
Originally Posted by adq

Yeah, my thoughts exactly, I'd rather not flash the SPL if I can help it: I don't fancy explaining to my wife why I have to rip her phone apart to find the JTAG contacts I'll upload the boot.img later though.

Thats odd about the reset after a few minutes thing: hardware watchdog timer of some sort?

Well, really it's a little bit mor than a minute or so.
I suppose it's not an hardware watchdog, I don't have access to console debug messages.
Really the reset is a good sign, if you try booting dream or sapphire 32b kernel on 32A boards, it hangs forever.
If you extract piggy.gz from the kernel and hexedit it,you can find hero kerel initializes the hardware using the sapphire fixup.

It could only be that htc reused the same source and fixed hardware details and forgot to change the fixup routine name or that they are prepare to build a kernel able to boot on both hero and magic 32A boards.

32A and hero use the same new base address for kernel and ramdisk loading 0x19200000.
our boards have more memory than dream and 32b boards.
I suspect htc is using a stacked ram configuration and they changed the init code for the number of banks in memory.
In 32A they changed ram location for fb, ram console and maybe gpu1. It was a real mess to guess every change, so I stopped recompiling and rebooting the kernel after a dozen of times ;) Waiting for htc to release the patched source code ;)

The radio rom on hero seems to be is newer than 32a's latest available but I don't want to try a flash, you know what I mean ;)
The available hero SPL shoud work on sapphire (and on blackstone and topaz too) and maybe the newer radio rom requires it, but... I prefer not to brick my Magic.
Have a nice rom rooting time. You could want to give superuser.apk a try.
People on this forum is asking for rooting status on hero, I suppose you'll be able to announce them your succes in a short time.
28th July 2009, 05:11 PM   |  #9  
Senior Member
Flag Elizabeth
Thanks Meter: 2
 
487 posts
Join Date:Joined: Jan 2009
More
Wow! That was Fast! Lol..... even thought there is still some work to do.
30th July 2009, 05:25 AM   |  #10  
Junior Member
Flag Mansfield
Thanks Meter: 2
 
6 posts
Join Date:Joined: Jul 2009
More
i feel honoured to have been one of the first to read this i still dont have a hero yet =[ gotta wait till august when i get my ema might start scrounging and saving what i can get so i can get it sooner

Well done to you sir what a fine job uve done, gz =]

Post Reply Subscribe to Thread
Previous Thread Next Thread
Thread Tools Search this Thread
Search this Thread:

Advanced Search
Display Modes