[DEV] S-OFF, PERMROOT, eMMC write [INSTRUCTIONS]

OP adwinp

11th October 2010, 11:42 AM   |  #1  
props to scotty & tmzt


BE CAREFUL WHAT PARTITION YOU'RE DD'ING INTO OTHERWISE YOU'LL END WITH A BRICK.

Instructions
1: Get VISIONary from the market and do a temp root
2: download http://rapidshare.com/files/429891451/dhd_root.zip and extract.
Place these files in /sdcard/ on your DHD (you only need 1 of the .ko, depending on your kernel version - check with uname -a in adb shell)


Go to adb shell, switch to root (su) and do the following:

insmod /sdcard/wp-(version).ko
for example: insmod /sdcard/wp_g5ed1769.ko
This will disable wp (will be enabled on reboot though...)

dd if=/sdcard/hboot_eng.nb0 of=/dev/block/mmcblk0p18
This will install engineering hboot

BE CAREFUL - DOUBLE CHECK THE PARTITION
dd if=/sdcard/recovery.img of=/dev/block/mmcblk0p21

OR

save recovery.img somewhere on your HDD, open a shell/cmd in that directory and:
fastboot flash recovery recovery.img
Both ways will install an unsecured recovery (not clockwork yet)

The module is for the release version of DHD (2.32.21-g5ed1769)
If you have another one, you can easily mod it:

check your version via:
cat /proc/version

Download a Hex Editor, search for vermagic in the wp_g5ed1769.ko, and replace patch version with:
g5ed1769
Save
Reload to sdcard and follow instructions from the top.

You can now PERMROOT (once you load the module, just push su and Superuser.apk to /sdcard/)
and
copy su to /system/bin/
and Superuser.apk to /system/app/

Don't forget to suid su:
su
chmod 4755 /system/bin/su



NOTE:
once you load the module, you can confirm a successful load via:
dmesg|tail

here's a sample output

<3>[ 881.934631] mmc0: DMA channel flushed (0x80000004)
<3>[ 881.935241] Flush data: 00000000 00000000 00000103 c0088008 c7e38000 00000001
<6>[ 881.935913] mmc0: Controller has been reset
<6>[ 881.936279] mmc0: Worked around bug 1535304
<3>[ 881.941802] mmcblk0: error -110 sending status comand
<3>[ 881.942443] mmcblk0: error -110 sending read/write command, response 0x0, card status 0x0
<3>[ 881.943084] mmcblk0: error -5 transferring data, sector 327712, nr 8, card status 0x0
<6>[ 881.943695] mmc0: reinit card
<4>[ 881.944030] mmc0: Starting deferred resume
<6>[ 882.010437] mmc0: Deferred resume completed
Last edited by adwinp; 11th November 2010 at 05:05 PM.
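The hex-editor step for re-targeting the module's vermagic, as an added Python example that is not part of adwinp's post: the .ko bytes and the /proc/version line are constructed stand-ins, and gabcdef0 is a placeholder for whatever hash your own kernel reports.

```python
import re

# Constructed stand-in for the .modinfo section of a wp_*.ko file: NUL-terminated
# "key=value" strings, which is what the post tells you to find in a hex editor.
SAMPLE_KO = (
    b"\x7fELF<constructed header and code bytes>"
    b"license=GPL\x00"
    b"depends=\x00"
    b"vermagic=2.6.32.21-g5ed1769 SMP preempt mod_unload ARMv7 \x00"
    b"<constructed trailing bytes>"
)

# Constructed /proc/version line for a phone whose kernel was built from a
# different tree (gabcdef0 is a placeholder hash, not a real build).
SAMPLE_PROC_VERSION = (
    "Linux version 2.6.32.21-gabcdef0 (builder@host) "
    "(gcc version 4.4.0) #1 SMP PREEMPT Fri Oct 1 00:00:00 CST 2010"
)


def read_vermagic(ko: bytes) -> str:
    """Return the vermagic value stored in the module (without the key)."""
    start = ko.index(b"vermagic=") + len(b"vermagic=")
    return ko[start:ko.index(b"\x00", start)].decode()


def kernel_release(proc_version: str) -> str:
    """Extract the release token, e.g. 2.6.32.21-g5ed1769, from /proc/version."""
    m = re.match(r"Linux version (\S+)", proc_version)
    if not m:
        raise ValueError("unrecognised /proc/version line")
    return m.group(1)


def module_matches(ko: bytes, proc_version: str) -> bool:
    """insmod rejects the module when the release part of vermagic differs."""
    return read_vermagic(ko).split(" ", 1)[0] == kernel_release(proc_version)


def patch_vermagic(ko: bytes, new_release: str) -> bytes:
    """Overwrite the release in vermagic in place. The byte length must not grow,
    or every later ELF section offset would shift; a hex editor has the same rule."""
    start = ko.index(b"vermagic=") + len(b"vermagic=")
    end = ko.index(b"\x00", start)
    old = ko[start:end]
    _, _, flags = old.partition(b" ")
    new = new_release.encode() + b" " + flags
    if len(new) > len(old):
        raise ValueError("new release is longer than the old one; cannot patch in place")
    # A shorter value is NUL-padded; the string still ends at the first NUL.
    return ko[:start] + new.ljust(len(old), b"\x00") + ko[end:]
```

Only the version-string check is satisfied this way; a kernel built with CONFIG_MODVERSIONS also compares per-symbol CRCs, and a module built against different struct layouts can still crash the kernel even when it loads.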
11th October 2010, 11:52 PM   |  #2  
What about adb pushing su and Superuser.apk WHILE flashing a STOCK ROM via RUU? The eventual signature check is at the beginning only and thus irrelevant for this procedure.
During this lengthy process, the real SYSTEM: is unlocked, and we should be able to do anything we want during that time.
Basically, we just need to check until /system/bin/su is copied from the RUU, THEN push ours, in order to prevent overwriting by the stock one.

This SHOULD, at least in theory, allow us to have persistent root. Can anybody check that?
13th October 2010, 12:57 AM   |  #3  
Apache14
While flashing via RUU every file that is pushed is sig checked... Besides, we can't push specific files in RUU anyway :-|

And before anyone says recovery: ADB is locked down in recovery, so can't push anything that way :(

Tbh we have two hopes... Have a signed test recovery to flash; we need a shipping Desire HD to test this -- (first Desire root type)

And the G2 root ppl; the HD will have the same protection as the G2

:)

Sent from my GT-I9000 using XDA App
13th October 2010, 01:22 AM   |  #4  
I was just pushing ideas around, things I need to check anyway.
It's hard to do any real work without a device to work on (yet - should be shipped by next week).

It WOULD be great if anyone could come forward with a test/engineering device I could work with. Maybe a test/engineering partitions dump?
26th October 2010, 12:34 AM   |  #5  
Since I am *still* waiting for my device (thanks HT...) and can't field test any of my ideas, I've been filing a few of them in the G2 forum.
The latest one being http://forum.xda-developers.com/show...&postcount=184
26th October 2010, 11:30 PM   |  #6  
Senior Member
Quote:
Originally Posted by adwinp

Since I am *still* waiting for my device (thanks HT...) and can't field test any of my ideas, I've been filing a few of them in the G2 forum.
The latest one being http://forum.xda-developers.com/show...&postcount=184
Getting my HD on Friday hopefully; will hand it over to team villainrom and see what we can do grrrr
31st October 2010, 01:24 AM   |  #7  
R.E is a b*****.
If only we had access to an engineering device, we could dump pmem (since we know at what address HBoot is loaded anyway), compare that to a retail device, and try some binary patching the HBoot via userland and/or a module....
31st October 2010, 07:26 AM   |  #8  
Senior Member
I have just thought about it: can the lock be related to path, not to address or something? Maybe you could symlink /system somewhere in /data (somewhere that is writable normally) and write through this symlink? Kinda improbable but worth trying...

Sent from my HDfied HTC Desire
31st October 2010, 01:55 PM   |  #9  
Quote:
Originally Posted by K900

I have just thought about it: can the lock be related to path, not to address or something? Maybe you could symlink /system somewhere in /data (somewhere that is writable normally) and write through this symlink? Kinda improbable but worth trying...

Sent from my HDfied HTC Desire

Unfortunately it doesn't work that way.
;]
A symlink inherits all properties of the parent.
It's like trying to change tires in a car with a broken down engine. You won't be able to drive it, no matter what the tires.
31st October 2010, 02:16 PM   |  #10  
Quote:
Originally Posted by adwinp

Unfortunately it doesn't work that way.
;]
A symlink inherits all properties of the parent.
It's like trying to change tires in a car with a broken down engine. You won't be able to drive it, no matter what the tires.

I think the lock is not in the FS, it's somewhere lower level, so it just might work

Sent from my HDfied HTC Desire
