Stage 2 root hboot 1.01.0002

Hey everyone, this is my first post although I've been a member for some time and have done extensive reading on these forums.
I was gonna make a post in developer section but turns out I'm not allowed yet.


I've been trying unsuccesfully for 4 months to root my wildfire, but believe I'm gettin close.

I've downgraded hboot 1.01.0002 hboot to 1.01.0001 resulting in sucessful debrand from vodaphone crap, downgraded to eclair and then achieved temproot (not soft root, the next level).

I was gonna post in a thread about misc_version, because (I'm not sure about this) but I believe you may be looking in the wrong place for the file required in order to make misc_version work.

Hi, OK this is what I've done so far:

1. Started out with hboot 1.01.0002 and Froyo 2.2.1 preinstalled when I bought it new.

2. Achieved shell root using the psneuter hack (newbies, you may find it easier using SuperOneClick 1.65 or 1.7 for this). You should now have root #.

3. Run command "adb shell cat /dev/mtd/mtd0 > /sdcard/mtd0.img". This creates an image of mtd0 on sdcard. There are other tutorials with theses kind of steps and you may find it referred to as misc.img as opposed to mtd0.img. This doesn't really matter as long as the final command includes the correct file name. This command will fail if connected as disk drive, you must be charge only.

4. Reconnect as disk drive allowing computer gui access to sdcard. Using a hex editor (I used HxD, which is freeware) open disk image mtd0 on sdcard. On line 6 you should find a version number and it will look something like 2.22.405.1. This needs to altered to correspond to the RUU you intend to flash. If you are on hboot 1.01.002 you need an WWE RUU first that contains hboot 1.01.001 so you are still looking at reinstalling Froyo. Those allready on hboot 1.01.001 may choose any WWE RUU. I'm not absolultley sure, but it may be possible for those on those on hboot 1.01.002 to skip to another RUU but I think you would more than likely get a "customer ID" error.

5. I used the goldcard method to flash my RUU. There are many tutorials, but some seem to sequence different steps. To get mine working I used the goldcard tool available on these forums, but found it wouldn't work. It does, however do a good job of getting your CID and reversing it for you, so copy that and use the page provided with the tool to get your goldcard via email.

6. Make sure you are connected as disk drive and open HxD again. Open the goldcard image as read-only. Also open the sdcard (after using windows to full format it, fat32). Oh yeah, dont forget it needs to be a primary partition (do this before format) there is a handy free tool called "MiniTool Partition Wizard Home Edition", which is so easy to use. Make sure physical sd disk is opened and read-only is unchecked.

7. Copy the goldcard using HxD (select all, or 0 - 17F) and overwrite the same blocks on sdcard. Save it.

8. Disconnect phone from PC and allow phone to mount, reconnect as disk drive. If phone or PC asks for format keep repeating sequence until normal operation can be maintained.

9. Download "flash_image" a file with no extension. Push it to sdcard. You need to have flash_image and your modified mtd0.img on your sdcard (It may be useful to ceate goldcard before creating mtd0.img, unless you back it up to PC before goldcard creation).

10. Run command (connected charge only, as root) "cat /sdcard/flash_image > /data/flash_image

11. Run command "chmod 0755 /data/flash_image" On a seperate note I've been using permission set 67676 as I've noticed the permission set seems to be more then 4 digits, there seems to be 5, poosibly even 6 digits. This particular permission changes some of the permissions to capital characters. What use this is, i dont know I'm looking into it though

12. run command "/data/./flash_image misc /sdcard/mtdo.img"

13. You should now be able to flash RUU or pull rom.zip from temp files when running RUU and rename PC49IMG.zip

14. PC49IMG.zip should be pushed to root of sdcard if using goldcard (I don't know if RUU can be flashed normally without goldcard, but i think so, i dont think RUU pushes rom.zip to sdcard but it may be necessary as a CID thing).

15. After successful downgrade to eclair rageagainstthecage exploit will work again, so visionary will work again but will only give temproot. Interestingly unrevoked appears to work, reporting a triumph but then gives a nand error unfortunatley.

16. Once you have temproot, you can use other apps such as busybox installer, or linux installer but again its only temporary but its all extra tools to try and help the fight to perm root wildfires.

Using this method I believe you can flash any Buzz RUU. The problem is after the first bootloader downgrade, any attempts to reflash reults in all other partitions flashed ok but the bootloader (hboot) is bypassed. It does however result in ratc working again, to some extent so there must still be some way to hack it.
I have managed to push su and busybox to /system/bin/ a couple of times without any memory error messages but lost it when I tried to remount /system read only which caused a reboot.
For anyone interested the command I've been trying to use to mount system to achieve this is :
mount -o remount,rw,alldev,allexec,allsuid,allpid,dirasync,relatime,mode=755,errors=force_remount,rw,alldev,allexec,allsuid,allpid,dirasync,relatime,mode=755 /system /system
sometimes i incorporate recurse, expand, compress or move. It would appear you can omit the type, it should remount automatically with correct type. Also I think /system can be used instead of /dev/block/mtdblock3 as they both point to same place (kind of).
The above command if ran alone will cause a termination and segmentation error (some of my research would indicate a segmentation fault is a good thing, its an inication of a working exploit), or a reboot.
In order to make it work I had to write a batch file that would repeatably mount the various partitions in different ways with different permissions in rapid succession. It doesn't allways work but it would appear that just occasionally this command can sneak by unoticed

Please friend,
can do a tutorial on how to reduce hboot 1.01.0002 to 1.01.0001?

thaks.

I downgraded and temprooted my wildfire, and i have set the system partition to read/write. I tried to push su to my /system/bin folder but it said there was not enough memory... so i deleted a system app and tried again, but it said again not enough memory.

I also have read somewhere that the pre-released version of froyo had s-off in it. And its probably a signed update, so you just could upgrade to that and have s-off instantly. But i never found the firmware

grtz