[dev] thread to attempt downgrade S-on to S-offable state. misc_version tool added

Indirect

Senior Member
Mar 25, 2011
2,346
3,001
Florida
Interesting tidbits of Hex from tz.img from 1.63 update:
hTCVer001.125.02

*HTC_MODEM_KEY
 
Last edited:

Blue6IX

Senior Member
May 20, 2011
1,755
1,139
Oh - I got it to skip the sig check by using two computers; you need two micro-USB cords. Works consistently on Windows, not tested on Linux.

The device has to have already been introduced to both before starting, and should be in fastboot mode with all the right, unedited partitions from the 1.55.531.3 PG59IMG.zip file. It should be locked.

I had tacoroot installed on it, not sure if this matters?

Get the device into fastboot mode.

Plug it into one of the computers.

On the other one, have CWM 5.0.2.7 in your folder with fastboot, and rename it to recovery.img

Now, on that second computer that you are not plugged into with the doubleshot, open up the command window to the fastboot folder, and type this command:
Code:
fastboot oem boot recovery.img

...and hit enter.

It will hang on "waiting for device". I let this run for 1 minute and 30 seconds.

Then I very quickly swap the microusb on the phone from being plugged into the computer sitting there doing nothing to the one that has the command hanging there. Gotta be quick.

It then pushes the hanging command faster than the sig check can keep up, or something, and leads to the output two posts ago.

This tactic consistently produced the same results, but it failed because it overloaded with too many arguments - but it skips the sig check and tries to go ahead and just load up.

Once it fails it just moves on to the normal boot sequence and into the stock ROM, but with either a customized version of CWM or with a modified boot.img (try the same thing with fastboot oem boot boot.img - does that get us anywhere?) maybe we can use this technique to skip the sig check on a S-ON LOCKED device?

Given that it wasn't just a one-off random event we might be able to leverage it to launch an attack on the device or TZ more directly, but not with our current custom recovery - and we need to see what happens trying to fastboot oem boot a boot.img with a modified ramdisk to maybe work within the overflow limitation of this:
Code:
FAILED (status read failed (Too many links))
 

thrice43

Senior Member
Jul 16, 2007
109
21
Fort Lauderdale
I don't believe "fastboot oem boot boot.img" is the valid syntax. If you run "fastboot oem boot", the phone immediately begins to boot Android. I think it's "fastboot boot boot.img"? But I know for a fact it's not an oem command to get fastboot to boot the boot.img. 8\

Sent from my myTouch_4G_Slide using xda premium
 
Last edited:

Blue6IX

Senior Member
May 20, 2011
1,755
1,139
Okay, thanks. I had used that command to try to boot the recovery image and had some limited success (posted the output a few posts back) but it didn't make it there.

I am unsure of the difference between fastboot boot and fastboot oem boot, but we have both on at least the 1.45.0013 hboot.

The thought on trying to use it for a custom boot.img was really for trying to use a modified ramdisk part of it to nerf trust zone, but I didn't have a chance to try before I packaged up the device and shipped it.

The device I was testing on is now in Indirect's hands, so all I've got is my original S-OFF T-Mo subsidized plan doubleshot now. Until I can get a few days off in a row I can't really keep trying because having a smartphone is a requirement for my job - so I'm trying to get another one again for strictly dev purposes like before.

Hopefully I'll have the second doubleshot within a few days or so and can keep picking away at this problem more directly.
 

thrice43

Senior Member
Jul 16, 2007
109
21
Fort Lauderdale
Np np. The difference between the two commands I found here http://tjworld.net/wiki/Android/HTC/Vision/HbootAnalysis#FastBootModeCommands

And also, after reading through the Sensation forums reference thread, http://xdaforums.com/showthread.php?t=1232107, I realized the mt4gs basically has the same output in mmcblk0p6 as the Sensation. Take a look and you'll see what I mean. I haven't tried yet but I'm quite sure we can unlock our phone using the same method ;D.




Sent from my myTouch_4G_Slide using xda premium
 

Blue6IX

Senior Member
May 20, 2011
1,755
1,139
Yea, you can - i have that copied into the dev reference here:

Notable

I got the unlock codes for 4 doubleshots that way so far.
 

thrice43

Senior Member
Jul 16, 2007
109
21
Fort Lauderdale
Do you think unlocking the device would open up vulnerabilities to the CID? Maybe achieve SuperCID status to flash/exploit the bootloader?

Sent from my myTouch_4G_Slide using xda premium
 

Blue6IX

Senior Member
May 20, 2011
1,755
1,139
Definitely worth checking into - I wish I could try right now. I'm waiting to hear back from someone, might be able to get another doubleshot for 275 + gas to get there and back, prolly another 80ish to 100, so if it goes through I could probably grab it next Friday... ( fingers crossed )

I hate being sidelined like this when there are ideas to check out
 

thrice43

Senior Member
Jul 16, 2007
109
21
Fort Lauderdale
Damnnn 275 already sounds like a lot to pay for a device with an unknown future like the doubleshot. But I guess it just goes to show your level of dedication as opposed to mine.

Sent from my myTouch_4G_Slide using xda premium
 

Blue6IX

Senior Member
May 20, 2011
1,755
1,139
Everyone keeps trying to talk me out of this device, my lady, all my friends...seems like everywhere I turn the world is trying to get me onto something else.

Indirect is gonna end up with 2 of these, maybe I should just let him take my place and get something else instead.

I'm stuck not being able to get anything done right now 'cause I'm on call, so not answering my phone would cost me my job and that means I really can't dev at the moment - and I'm getting as tired of hearing all my friends talk smack on my phone as non-smokers telling me it's bad for my health.

Maybe everyone else really does know something I don't...

Sent from a digital distance.
 

marc12868

Senior Member
Feb 12, 2011
172
44
30
Spokane Valley, WA
Don't let haters get to you. I paid $320 for mine used and I don't regret it, especially after buying a $300 rebranded POS Motorola... the Motorola Triumph, to be exact. Sure, maybe the MT4GS isn't as powerful as some of the newer devices, but it still has potential, and sure, maybe it doesn't have a known future, but all phones at one point or another have an unknown future. So please stay. And just ignore the haters.
 

Indirect

Senior Member
Mar 25, 2011
2,346
3,001
Florida
Blue if you leave, I'll personally go out to your house just to kick the sh** out of you. You're staying buddy. The "unknown" future of this device is because even the owners don't have the balls to become developers but are willing to complain about the device. F*** 'em. You and I can make this device a killer. :D
 

Blue6IX

Senior Member
May 20, 2011
1,755
1,139
Nah, I'll still have my main, and I am only on call one week a month, so I can be devving the other three. I just meant diversifying to another device for my second.

- honestly i'd rather have this.
 
Last edited:

Blue6IX

Senior Member
May 20, 2011
1,755
1,139
Looks like they nailed it, so I don't feel bad about taking a break from this for a few days or so now...try to get my head about me again and some fresh air and rest.

Catch you guys next week or so.
 
Last edited:

ecuajosh

Senior Member
Sep 23, 2008
76
1
2 months later... is there any advance on this? I'll be willing to test on my S-ON and be a guinea pig.
thanks for all the help btw.
 

ecuajosh

Senior Member
Sep 23, 2008
76
1
Thanks, that was really helpful. The only problem is how do I gain root or temp root on 1.45... thanks again
 

ecuajosh

Senior Member
Sep 23, 2008
76
1
It worked, that's awesome. I was locked because I was trying to use the PG59IMG.zip, but then I unlocked and tried flashing CWM and it worked :) thanks guys. Imma try turning security off with the cable. Where do I donate? :D lol
 

Top Liked Posts

  • 6
    Okay, so, I've gotten dd copies of all the partitions on the device in various stages - S-ON, off, locked and unlocked.

    I have complete partition archives for 3 separate doubleshots in some form of those configurations for the software versions of 1.28.531.9, 1.55.531.3 and 1.63.531.2

    I have been comparing directly in a hex editor partitions from all 3 doubleshots all day long, since the last posting I made without pause, and to say I have learned a lot is an understatement.

    My new MicroSD card came in today and I haven't even opened it yet; 64 gigs of happiness is still in its packaging because of how wrapped up in this I've been.

    I learned some of the ways the rev method preserves S-OFF through the software updates, but not necessarily how they are done.

    I've gained a much more thorough understanding of what's on our partitions and how they work together.

    There is still a lot of work ahead of me in comparing them, but quite a bit more is apparent to me thus far and I'm eager to continue with going through it.

    Just wanted to give an update on where I'm at since I'm taking a break for breakfast now - I've definitely got a lot to share over the next few days as I get my notes sorted out.

    I can probably get my device S-OFF again based on the partition images I have here now, but that doesn't help the collective get a method down - still, if I can do so then I can gather more partition images to add to what I don't have yet and compare them.

    It's interesting and enlightening to see the differences between s on and off, unlock and lock, and from device to device.

    I've also managed a root prompt in an adb shell without tacoroot on the 1.55.531.3 software version for my s-on phone. This wasn't from any other tools, either, so I actually devved something lol.

    Much more to follow as I can, but right now I'm starving and need to clear my head a bit.

    Be back in the dev chair soon...
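An added example, not code from the thread or from any of the posters: a small Python tool that does what the post above describes doing by hand in a hex editor (comparing dd dumps of the same partition across devices or S-ON/S-OFF states) and that also pulls printable strings out of an image, the way the hTCVer001.125.02 string was spotted in tz.img earlier in the thread. The two sample dumps are constructed placeholders built around version strings from the thread, not real doubleshot partition contents.

```python
import re
from typing import List, Tuple

def diff_runs(a: bytes, b: bytes) -> List[Tuple[int, bytes, bytes]]:
    """Return (offset, bytes_in_a, bytes_in_b) for every maximal run of
    differing bytes. Dumps of unequal length are compared up to the shorter
    one and the tail is reported as one extra run, so a truncated dump is
    never silently treated as identical."""
    runs = []
    n = min(len(a), len(b))
    i = 0
    while i < n:
        if a[i] == b[i]:
            i += 1
            continue
        start = i
        while i < n and a[i] != b[i]:
            i += 1
        runs.append((start, a[start:i], b[start:i]))
    if len(a) != len(b):
        runs.append((n, a[n:], b[n:]))
    return runs

def strings(img: bytes, min_len: int = 6) -> List[Tuple[int, str]]:
    """Printable-ASCII runs with their offsets, like the classic strings tool."""
    pat = re.compile(rb"[\x20-\x7e]{%d,}" % min_len)
    return [(m.start(), m.group().decode("ascii")) for m in pat.finditer(img)]

def report(a: bytes, b: bytes) -> List[str]:
    """One human-readable line per differing run: offset, hex in a, hex in b."""
    return [f"0x{off:04x}: {x.hex()} -> {y.hex()}" for off, x, y in diff_runs(a, b)]

# Constructed sample: two fake 64-byte blocks that differ only in an embedded
# version string, zero padded, to show the diff is confined to that run.
IMG_A = b"\x00" * 16 + b"1.55.531.3" + b"\x00" * 38
IMG_B = b"\x00" * 16 + b"1.63.531.2" + b"\x00" * 38

if __name__ == "__main__":
    for line in report(IMG_A, IMG_B):
        print(line)
    for off, s in strings(IMG_A):
        print(f"0x{off:04x}: {s}")
```

For real dumps, read the two partition files with open(path, "rb").read() and pass them to report(); a run that lands inside a string returned by strings() is usually the first thing worth looking at.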
    5
    How soon can we expect a guide on this?

    Sent from my myTouch_4G_Slide using Tapatalk

    I can write up a guide on what I did once I'm home (3ish hours from now).
    5
    Update 2: We now have compromised misc.img! :D Busybox from recovery helped us out with cp (copy) and it still boots and both partitions are edited. :3

    5
    PROGRESS! We made some decent progress: we currently have rewritten misc.img of mmcblk0p16 without any kind of issue while in recovery, meaning recovery at least gives write access to one of the 2 partitions. I'll give a link to my misc.img's as soon as I feel like uploading. I would have gotten a pic of it, but oh well. :( Anyway, now onto seeing if that changed the version of the device completely or if we need a new exploit to change blk31 :|

    Download link to my 2 misc images:
    http://dl.dropbox.com/u/15069134/MiscPartitions.zip

    MD5's of each image:
    misc31.img eb977c326de7b6135750c3be6c220140
    misc16.img 40a9008a1c33f749648b953fef40a9e2

    Not bad for someone who just went in without a device. :)
    4
    Mybackup can be used without root, and would definitely ease some of the pain. It separately backs up your data and apps, then you can choose exactly what you wanna restore.

    Well then, here we go. I'll report back with results shortly.

    ---------- Post added at 01:43 PM ---------- Previous post was at 01:12 PM ----------

    It worked. Was able to unlock, flash CWM recovery, and install superuser without a hitch.

    Weird thing though, I've got the *old* market. Have to see if I can dig up the latest version anywhere.