[how to] lock/unlock your bootloader without htcdev(s-off required)

Golv

im not sure what youve got going on with the filesize,but the 33796 is an address,not a size.

the command is writing only 4 bytes,at 8404,8405,8406,8407. if you wish to verify your HTCU or HTCL has been overwritten,dump it to your sd card: dd if=/dev/block/mmcblk0p3 of=/sdcard/mmcblk0p3 then pull it,and open it with a hex editor.

if youre working with a different device,pull mmcblk0p3 first,before issuing any commands,open with a hex editor,and verify the location of the lock flag.

the rest of 8400 is in fact all nulls, or 00

hope that answers your questions. i think youve just found some funky data because of the way youre attempting to verify it.

I know that very well! I'm owner of HTC is not first year (HTC Touch Dual, DesireHD, Sensation)! ;)
And I do everything myself, using the HEX- editor! I tried to explain that flag seek = 33796, appear to cut the size of file! Size of the original mmcblk0p3 should be - 133 807 104 b, and therefore after running all the offsets after 0x008404 can be filled with 00 ! After the offset 0x008408 there is some data that will be filled with zeros.
For proper treatment you need to add the flag :
conv=notrunc
The notrunc conversion option means do not truncate the output file — that is, if the output file already exists, just replace the specified bytes and leave the rest of the output file alone.
And the line should look like this :
Code:
echo -ne '\x00\x00\x00\x00' | dd of=/dev/block/mmcblk0p3 bs=1 seek=33796 conv=notrunc
Then all data ( from 0x008409 to the end of block 0x07f9bbff) after recording 4 bit (0x008404 - 0x008408) - will remain in place and will not be filled 00 ! !
I hope I've clearly explained? Check it out!
For information (Data modification)....
Awaiting your prompt reply!

PS: Please try to run 2 bat files: with notrunc and without notrunc and compare files!
 

Attachments

  • Run_locked_script_with_notrunc.rar
    353 bytes · Views: 104
  • Run_locked_script_withOUT_notrunc.rar
    348 bytes · Views: 89

Golv

Here are scripts (*.bat) to run from the command line in one click.
These scripts make a backup of the /dev/block/ and put it in a folder with the script, change the block in /dev/block/ and reboot into bootloader for a check.
All scripts are tested by me. They change only the necessary data, and the rest remains unchanged.
 

Attachments

  • Run_change_to_locked.rar
    491 bytes · Views: 189
  • Run_change_to_unlocked.rar
    488 bytes · Views: 168
  • Run_change_to_del_tampered.rar
    496 bytes · Views: 167

scotty1223

thanks for the tips,but again,i think the variance is the way youre collecting your data. ive looked at an unknown number of mmcblk0p3 from different devices,and the command does not alter the file size. ive looked before and after. the rest of that block is zeros(nulls) to start with,the command isnt truncating or writing them.

after you issue the command,you see its only writing 4 bytes.

more accurate way to check the work of the command is to
-dd p3 to sd card,pull and observe
-run command
-dd p3 to sd card,pull and observe,compare
 

Golv

Size of each block in /dev/block/ CAN'T be changed, block can be OVERWRITTEN only! Therefore, when you run your script without "conv = notrunc" data is changed only at specified offset and size (in this case from 0x008404 to 0x008408), and rest of data remains from original block ( I assumed that rest of data filled with 00 and very well that I was wrong! ) .
BUT if this script without "conv = notrunc" run in other directory ( eg /data/local/temp/), then file will be CROPPED!
It's wrong, therefore it's necessary to use option "conv = notrunc".
Example in my post : http://xdaforums.com/showpost.php?p=46731712&postcount=21
And thank you for your work!
 

scotty1223

thanks again for your posts,but im still not sure what to tell you. i have looked at mmcblk0p3 before and after the command and have not found the changes you describe. perhaps i am not understanding.
 

Golv

I wanted to say:
Copy mmcblk0p3 in /data/local/tmp/ ( dd if=/dev/block/mmcblk0p3 of=/data/local/tmp/mmcblk0p3_backup_1 ) and apply your script:
Code:
adb shell
su
chmod 755 /data/local/tmp/mmcblk0p3_backup_1
echo -ne '\x00\x00\x00\x00' | dd of=/data/local/tmp/mmcblk0p3_backup_1 bs=1 seek=33796

and see what happens with file mmcblk0p3_backup_1!
And then again copy mmcblk0p3 in /data/local/tmp/ ( dd if=/dev/block/mmcblk0p3 of=/data/local/tmp/mmcblk0p3_backup_2 ) and apply your script with option bs=1 seek=33796 conv=notrunc :
Code:
adb shell
su
chmod 755 /data/local/tmp/mmcblk0p3_backup_2
echo -ne '\x00\x00\x00\x00' | dd of=/data/local/tmp/mmcblk0p3_backup_2 bs=1 seek=33796 conv=notrunc

Once again look what happened with file mmcblk0p3_backup_2 ...
After compare, you'll see the difference. That's what I wanted to say. ;)
 
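
The truncation behaviour debated in the posts above can be reproduced on a constructed regular file. This is an added example, not a script from any poster in the thread: the 64 KiB image size and the `A` filler are assumptions made for the demo, `printf` stands in for `echo -ne` for portability, and the offset 33796 and the `HTCU` marker are taken from the thread.

```shell
#!/bin/sh
# Added demonstration: works only on constructed temp files, never on a device node.
FLAG_OFFSET=33796        # 0x8404, the offset used by the thread's commands

# Build a 64 KiB stand-in image (constructed: 'A' filler, "HTCU" at the offset).
make_image() {
    dd if=/dev/zero bs=1024 count=64 2>/dev/null | tr '\000' 'A' > "$1"
    printf 'HTCU' | dd of="$1" bs=1 seek="$FLAG_OFFSET" conv=notrunc 2>/dev/null
}

file_size() { wc -c < "$1" | tr -d ' '; }

# Hex of the 4 bytes at the flag offset, e.g. 48544355 for "HTCU".
read_flag() {
    dd if="$1" bs=1 skip="$FLAG_OFFSET" count=4 2>/dev/null | od -An -tx1 | tr -d ' \n'
}

# Write four null bytes at the offset; $2 is an optional extra dd operand.
write_nulls() {
    printf '\000\000\000\000' | dd of="$1" bs=1 seek="$FLAG_OFFSET" $2 2>/dev/null
}

# Size of a fresh image after the write. $1: '' or conv=notrunc.
size_after_write() {
    img=$(mktemp); make_image "$img"
    write_nulls "$img" "$1"
    file_size "$img"; rm -f "$img"
}

# Flag bytes of a fresh image after the write with conv=notrunc.
flag_after_notrunc() {
    img=$(mktemp); make_image "$img"
    write_nulls "$img" conv=notrunc
    read_flag "$img"; rm -f "$img"
}

# Number of bytes that differ from the original when conv=notrunc is used.
changed_bytes_with_notrunc() {
    a=$(mktemp); b=$(mktemp)
    make_image "$a"; cp "$a" "$b"
    write_nulls "$b" conv=notrunc
    cmp -l "$a" "$b" | wc -l | tr -d ' '
    rm -f "$a" "$b"
}

echo "size without conv=notrunc: $(size_after_write '')"
echo "size with conv=notrunc:    $(size_after_write conv=notrunc)"
echo "flag after notrunc write:  $(flag_after_notrunc)"
echo "bytes changed (notrunc):   $(changed_bytes_with_notrunc)"
```

On the regular file, the write without `conv=notrunc` cuts the copy off right after the four written bytes, while the write with it leaves the size unchanged and alters only the flag bytes.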

scotty1223

I do not understand the significance of doing that.

Sent from my HTC One VX using xda app-developers app
 

Golv

Not always good to make changes once in system partition! Sometimes it's better to copy, make changes, and then reload changed file into the system partition.
And in your case options to change the file written is not entirely correct.
 

maarawoe

Guys this sounds tooo easy for me... :D
Could you please ensure me that when I am s-off I can lock and unlock my bootloader using this simple command on my will? No data loss, no wipe, no matter what is my rom etc...?? Really so easy? :)

EDIT: I just tried and yes - its really so easy :))
 

scotty1223

lol,glad it was helpful :)
 

gjlowe

This worked perfectly. Unfortunately it did not allow Google Drive to believe that the HTC One was bootloader-locked and give me the free 40GB of space :(. I think they must be checking for S-OFF.
 

scotty1223

this is not a fake hboot,or visual banner change,it is legitimately unlocking and unlocking,just like htcdev,so it stands to reason that it doesnt work,if locked bootloader is a requirement.

just lock the bootloader,if you want the space. if you cant re-unlock once youve claimed it,then just leave it locked. all that being unlocked gets you is a couple extra fastboot commands. you can still install recoveries,splash images,radios etc. with the bootloader locked.
 

jaypeg123

I just done it. It Works 100% although I had to try several Times before I got it tight. But that is just normal for me, ha ha
So of to the store and get me a working Camera.
:):thumbup:

Sent from my HTC One using xda premium
 

intramorph

Much better than using revone to do this, as it leaves no tracks. Kudos 2 u.
Just a question ... How does Revone leave tracks? I assure you it doesn't as I had to return my phone to HTC and get it replaced. Revone was easier way to lock unlock bootloader and also more convenient. However I'm not complaining as rumrunner s-offed my 1.55 h-boot. so yeah I'm happy that either method exists . IT'S AWESOME !!!!!
 

zaphodbeeb

there is no revone file left on your phone. No tracks.
 

Top Liked Posts

  • 87
    *this thread is for m7. it will not work on m8,m9, or any other newer devices! search m8 general for the thread there(same name)


    this thread will let you unlock your bootloader without htcdev,or let you change your hboot watermark from relocked or locked back to stock.

    originally,we used a zip file flashable in recovery. i have found it to work on gsm devices with 1.44 hboot and CW recovery. it did not work with twrp. if the following is too scary,feel free to test the zip files. that thread,info,and downloads can be found here. since not all recoverys are working,these values can be changed with simple adb commands.

    advantages
    -no hassle with htcdev,tokens,or unlock codes
    -no submitting your phones personal info to htc
    -the ability to get back to 100% stock without any visual traces or records of having been s off or unlocking your bootloader.

    you do NOT need to downgrade your hboot. this simple adb command works without any scary hboot downgrades.

    *you must be s off.
    *you must have superuser installed(see this post if you need help installing a recovery so you can install superuser)

    read this:
    this will not work if your s on. its not a way to magically unlock

    the usual disclaimers:
    use this info at your own risk. if it melts your phone into a little pile of aluminum goo,its not my fault.

    credits
    -beaups for giving me the echo command,so yall didnt need to dump,edit with a hex editor,and copy back
    -strace for originally discovering the location of the lock status flag(check out this thread for more info)
    -kdj67f for fearlessly testing on vzw m7_wlv and putting up some screenshots in post 2. thanks!
    -matthew0776 for fearlessly testing for sprint m7_wls

    IF you are an advanced user with adb/fastboot set up and some basic knowledge of the cmd window,you can skip to #2
    1)set up adb


    -download this file
    -install drivers: if you have htc sync installed,you should already have drivers. if not,you can install htc sync,or install these modified htc drivers from revolutionary (driver mirror)
    -unzip your miniadb_v1031.zip file. this is native functionality in windows 7. you otherwise may need a utility such as "7-zip" to extract,or unzip it. place the unzipped folder onto the root of your C drive on your PC. root means the top level,not inside any folders. so just copy and paste,or drag and drop the folder onto C with everything else that is there. you may want to rename it to "miniadb_m7" since youll be putting some device specific files in here.
    -open a command window. on windows 7,click the start bubble in the lower left and type "command" in the search box. xp i believe is similar or the same. doing this should open a small black command window.
    -change to your miniadb_m7 directory. type the following at the prompt in your cmd window:

    cd c:\miniadb_m7

    your command prompt should change to "c:\miniadb_m7>" provided you: 1)unzipped the miniadb_v1031 zip file,and 2)put the folder on your c drive,and 3)entered the name of the folder correctly ("miniadb_m7" in this case)

    -now make sure usb debugging is checked in developer options(you will need to turn it on first),and plug your phone into your PC with a usb cable
    -make sure your phone is being recognized- type:

    adb devices

    if your drivers are installed correctly,this should return your phones serial number. you should hear the "found device" noises when you plug your phone in. if it starts installing drivers,wait for it to finish before typing the adb devices command.

    if you get your serial number back,then enter this command:
    adb reboot bootloader

    this should take your phone to the "fastboot" screen,which is white with colored letters. this is one mode of your bootloaders interactive modes. at the top youll see fastboot devices as confirmation youre in fastboot.

    now enter:
    fastboot devices
    again,this should return your phones serial number. you should hear the "found device" noises when you plug your phone in. if it starts installing drivers,wait for it to finish before typing the adb devices command.

    if you get your serial number back,you can enter the following to boot back to the phones OS:
    fastboot reboot

    and now,youve installed adb/fastboot and tested your phones drivers. if at either spot,you have trouble and dont get your serial number back,there is some sort of connection issue. use these steps to troubleshoot:
    troubleshooting connectivity issues:
    -try a reboot of the PC
    -try different usb cables and ports
    -dont use a usb hub
    -dont use usb 3.0
    -make sure nothing capable of communicating with the phone is enabled and running. htc sync,pdanet,easy tether,and even itunes have all been known to cause issues.
    -windows 8 has been known to have issues. try a windows 7 or older machine

    failing the above,
    -i use these drivers for fastboot and adb(download and run as admin): http://downloads.unrevoked.com/HTCDriver3.0.0.007.exe (mirror)

    failing that,try manually updating the drivers in the following manner:
    -put the phone in fastboot mode(select fastboot from the hboot menu)
    -open device manager on the PC
    -plug in phone,watch for it to pop up in device manager.
    -update drivers with device manager,pointing the wizard to the extracted
    driver download folder from above

    note that you can check the connectivity of the phone,and make sure drivers are working in the following manner:
    -open cmd window. change to directory containing adb/fastboot utilities

    -adb with the phone in the booted OS,usb debug enabled,enter:
    adb devices in a cmd window

    -fastboot with phone in fastboot,enter:
    fastboot devices in cmd window

    in either case,a properly connected phone with working drivers installed should report back the phones serial number.

    this process,in your cmd window,should look something like this:
    Code:
    Microsoft Windows [Version 6.1.7601]
    Copyright (c) 2009 Microsoft Corporation.  All rights reserved.
    
    C:\Users\Scott>cd c:\miniadb_m7
    
    c:\miniadb_m7>adb devices
    * daemon not running. starting it now on port 5037 *
    * daemon started successfully *
    List of devices attached
    FAxxxxxxxxxx    device
    
    
    c:\miniadb_m7>adb reboot bootloader
    
    c:\miniadb_m7>fastboot devices
    FAxxxxxxxxxx    fastboot
    
    c:\miniadb_m7>fastboot reboot
    rebooting...
    
    finished. total time: 0.037s
    
    c:\miniadb_m7>


    2)reset your "lock status flag"

    to LOCK your bootloader,enter the following:

    adb devices

    adb shell

    su (if needed to get a # prompt)

    echo -ne '\x00\x00\x00\x00' | dd of=/dev/block/mmcblk0p3 bs=1 seek=33796
    (i would very strongly recommend you copy/paste this)

    exit
    (exit a second time if you need to to get back to a normal > prompt)

    adb reboot bootloader

    verify you are now locked
    _____________________________________________________________________________________________

    to UNLOCK your bootloader,enter the following:

    adb devices

    adb shell

    su (if needed to get a # prompt)

    echo -ne "HTCU" | dd of=/dev/block/mmcblk0p3 bs=1 seek=33796
    (i would very strongly recommend you copy/paste this)

    exit
    (exit a second time if you need to to get back to a normal > prompt)

    adb reboot bootloader

    verify you are now unlocked



    *i have tested this on my gsm htc one. if someone wants to test on vzw,ill add you to the credits :)




    12
    99% is good enough for me haha! Phone just hit 50% charged, give me a minute. Will post back with pictures.

    Sent from my HTC6500LVW using XDA Premium 4 mobile app

    ---------- Post added at 08:56 PM ---------- Previous post was at 08:41 PM ----------

    Confirmed, code working. Flags set/reset. Phone even reboots and works :D will upload pics/screenshots.

    Thanks!

    Starting out unlocked:

    Locking:

    Locked:

    Unlocking:

    Re-unlocked:


    Very good work!
    4
    Any idea how you would get rid of the tampered flag?

    Sent from my HTC One using xda app-developers app

    http://xdaforums.com/showthread.php?t=2477792
    4
    you dont really need to unlock. pack your recovery image with an android info text document for your variant. you can get the document from an OTA firmware package or decrypted ruu.

    you can install this type of zip file in the following manner:
    if youre working with a booted,operational phone,you can flash the file in the following manner:

    -open a cmd window

    -change to adb/fastboot directory
    cd c:\foldername
    (cd c:\mini-adb if youve used any of my guides :))

    -place the zip file you want to flash into adb/fastboot directory

    -enable usb debug,disable fastboot,plug in phone

    -check for connectivity
    adb devices (should return serial number)

    -boot to fastboot
    adb reboot bootloader

    -check for connectivity again
    fastboot devices

    -flash the file
    fastboot erase cache

    fastboot oem rebootRUU (will put you in ruu mode,black screen silver htc letters)

    fastboot flash zip zipfilename.zip (will send and flash the file. dont interrupt it while the cmd window shows its writing,and the green status bar is moving on the phone screen)

    *sometimes a file will fail with a pre-update error. this is normal,just enter again:
    fastboot flash zip zipfilename.zip
    and this time it will finish

    -when you get "finished" and "OK"
    fastboot reboot-bootloader (takes you back to fastboot)

    -reboot back to the OS
    fastboot reboot

    you can use this if you dont have an operational phone as well. you just need to manually put the phone in fastboot(select from hboot menu) then skip the "adb" commands and start with fastboot devices


    once you have a custom recovery you can add superuser,or flash a rom. you do not need to unlock,but you can if you want after adding superuser,or by just running the command in recovery,as most custom recoverys have an adb root shell access.

    Hi scotty, love your work :good:

    Just dropped by to leave this here: TWRP/CWM for RUU mode for M7_U/UL only

    these are packaged with an android-info.txt that has PN0710000 through PN0714000 and all CIDs should work (except 1 or 2 very rare ones).


    in bootloader/FASTBOOT USB:
    fastboot oem rebootRUU
    fastboot flash zip fw_m7ul_TWRP_2.6.3.3_1.26.401.33.zip
    fastboot reboot-bootloader


    -> enter RECOVERY (should be TWRP or CWM now)

    and use @scotty1223's commands in custom recovery http://xdaforums.com/showthread.php?t=2475914 to unlock bootloader


    Code:
    C:\ADB3>adb devices
    List of devices attached
    HT34xxxxxxxx    recovery <- you need to be in custom recovery to
                                ensure root privileges
                                i.e. an adb shell with # as opposed to $
    
    
    C:\ADB3>adb shell
    
    Note
    CWM shell prompt usually looks like ~#
    TWRP shell prompt usually looks like ~ # ←[6n
    it doesn't matter, you just type (or even better copy/paste) the commands shown after the prompt
    
    Setting UNLOCKED
    ~ # echo -ne "HTCU" | dd of=/dev/block/mmcblk0p3 bs=1 seek=33796
    echo -ne "HTCU" | dd of=/dev/block/mmcblk0p3 bs=1 seek=33796 
    4+0 records in
    4+0 records out
    4 bytes (4B) copied, 0.007691 seconds, 520B/s
    
    ~ # exit
    exit
    
    C:\ADB3>adb reboot bootloader
    ^^ if this doesn't work in your particular version, just select reboot to bootloader in TWRP.


    ps: your version-main will now say 1.26.401.33 (reflecting the recovery version 2.6.3.3); it didn't actually change, but version-main always shows the last thing flashed in ruu mode.
    .
    4
    If you lock it yes it will be as it was stock locked now you still can flash roms and firmware with a locked Bootloader only thing you can't do is flash recovery

    you can still flash a recovery. you just need to pack it up in a zip file with an android info document and flash via ruu mode.

    you do not need to be unlocked for anything. it is strictly a personal preference(if youd rather use fastboot flash than a zip file)