[RESOLVED] Researching how to root - Official OTA_Supersonic_1.47.651.1-1.32.651.6

By joeykrim, Inactive Recognized Developer on 30th June 2010, 04:01 AM
This has been resolved by using the flash lite exploit to gain root access, allowing the misc partition to be flashed with a downgraded main version number, which in turn allows the old leaked Eng RUU we have to be flashed!

GUI for how to root
http://forum.xda-developers.com/showthread.php?t=720565



Old and Outdated information from the Original Post listed below for historical purposes ONLY


Who is Affected: If you've flashed the official OTA update on top of a non rooted ROM or your new EVO comes loaded with it, right now it appears there is no way to obtain root...yet!

What is Patched by the OTA: Through the radio.img which the OTA flashes, it updates the Main Version in the bootloader, preventing Toast's root methods from working. It also flashes back the stock recovery, removing our root access in recovery mode and the ability to apply .zip files. And last of all, the OTA patches the exploit hole in /system/bin/hstools used for unrevoked1 root, successfully eliminating all released methods of obtaining root access.

Conclusion:
after going through all these methods with a great helpful member of the unrevoked team, joshua_, this was the final answer:
[22:34] <joeykrim> can't seem to find a method to RUU the phone back down ... I've tried all the methods I've seen. any methods I missed?
[22:34] <joshua_> ok, looks like we are hosed then
[22:34] <joshua_> we have a few more tricks up our sleeve sooner or later

Future:
If you have any suggestions/ideas, please post. I might have missed a method.
We will work towards obtaining root for those with new EVOs that have the official OTA applied and those who applied the official OTA.


Details of the tested known root methods:
user debug PC36IMG.zip (toast part 1) - bootloader error - Main Version is older! Update Fail! Do you want to reboot device?

eng build PC36IMG.zip (toast part 2) - bootloader error - Main Version is older! Update Fail! Do you want to reboot device?

RUU_Supersonic_1.32.651.6 extracted rom.zip renamed to PC36IMG.zip - bootloader error - main version is older

RUU_Supersonic_1.32.651.6_Radio_1.39.00.05.31_release_171253_signed.exe - Error [140]: Bootloader version error The ROM Update Utility cannot update your Android. Please get the correct ROM Update Utility and try again.

RUU_Supersonic_1.32.651.1_Radio_1.39.00.04.26_release_171253.exe - Error [140]: Bootloader version error The ROM Update Utility cannot update your Android. Please get the correct ROM Update Utility and try again.

Stock Recovery - Apply update.zip - clockwork recovery update.zip - E:failed to verify whole-file signature E:signature verification failed

flash_image (flash boot or mtd-eng.img) - copied to /sdcard, but sdcard is mounted with noexec. partition with write access for non-root user and allows executing is /data/local . flash_image can't write to the partitions w/o being run with root permissions. chownto and chown of flash_image to user root - permission denied.

##786# - Reset - doesn't seem to affect much in the way of bootloader version ...

Modifying PC36IMG.zip - using a hex editor to attempt to change the MainVer stored in the android-info.txt; if any bit changes, it seems to fail the validation by the bootloader.
 
 
30th June 2010, 04:35 AM |#2
Member
I tried almost all of these after the OTA hit my wife's phone. No dice. Subscribed to further updates on this thread.
30th June 2010, 04:51 AM |#3
frankenstein
Senior Member
I created a PC36IMG.zip file which contained the .6 releases wimax image and the android-info.txt file from the new update. I was then able to successfully flash it with hboot by placing it in the root of the sdcard and doing a down volume power on boot. It found the pc36img.zip file, verified it, asked me if I wanted to flash it. When I selected yes, proceeded to do so. It then reported the flash as having been successful.

I can't tell if the flash actually worked because I don't know where to check the wimax version info...

I don't know if this worked because the phone doesn't care to check the MainVer when flashing just the wimax image or if it did it because I pulled a fast one with the android-info.txt file swap.

I extracted the wimax image from the RUU_Supersonic_1.32.651.6_Radio_1.39.00.05.31_release_171253_signed.exe file.

I wonder if it would be possible to pull the same trick with the larger subset of images from the rooting pc36img.zip files. i.e. swap out the android-info.txt files...
30th June 2010, 05:07 AM |#4
OP Inactive Recognized Developer
Quote:
Originally Posted by frankenstein

I created a PC36IMG.zip file which contained the .6 releases wimax image and the android-info.txt file from the new update. I was then able to successfully flash it with hboot by placing it in the root of the sdcard and doing a down volume power on boot. It found the pc36img.zip file, verified it, asked me if I wanted to flash it. When I selected yes, proceeded to do so. It then reported the flash as having been successful.

I can't tell if the flash actually worked because I don't know where to check the wimax version info...

I don't know if this worked because the phone doesn't care to check the MainVer when flashing just the wimax image or if it did it because I pulled a fast one with the android-info.txt file swap.

I extracted the wimax image from the RUU_Supersonic_1.32.651.6_Radio_1.39.00.05.31_release_171253_signed.exe file.

I wonder if it would be possible to pull the same trick with the larger subset of images from the rooting pc36img.zip files. i.e. swap out the android-info.txt files...

I'm guessing the only reason it allowed you to flash a PC36IMG.zip which wasn't HTC signed is because you're using the hboot from the eng build of the PC36IMG.zip, which doesn't check for HTC signatures on the PC36IMG.zip file. Not sure if it looks at the MainVer or not ...

once you're on a stock hboot, the PC36IMG.zip file has to be signed by HTC in order to flash!
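The two gates described above and in the first post (the MainVer anti-rollback check and the HTC signature check on PC36IMG.zip) are easy to see side by side in a small model. The following is an added example written for this thread, not HTC's bootloader code and not something any poster wrote. It assumes an HMAC-SHA256 over the zip with a constructed key as a stand-in for the vendor's real RSA signature, a 32-byte signature trailer, an android-info.txt carrying a `mainver: a.b.c.d` line, and that the anti-rollback comparison also runs on the eng hboot (the thread leaves that open). It reproduces the three outcomes reported in the thread: a matching signed image is accepted, an older MainVer is rejected, and swapping android-info.txt inside a signed zip fails verification on a stock hboot.

```python
"""Toy model of the two bootloader gates the thread keeps hitting.

Added example; not HTC's code and not from the thread. It models:
  1. anti-rollback: the MainVer read from android-info.txt must not be
     older than the version the bootloader already stores, and
  2. image signing: any change to the archive, including swapping
     android-info.txt, must invalidate the signature.
Assumptions: an HMAC-SHA256 over the zip with a constructed key stands in
for the vendor's RSA signature, the tag is a 32-byte trailer, and
android-info.txt carries a 'mainver: a.b.c.d' line.
"""
import hashlib
import hmac
import io
import re
import zipfile

VENDOR_KEY = b"constructed-demo-key-not-the-vendor-key"  # assumption: stands in for HTC's key
TAG_LEN = 32  # assumption: SHA-256 HMAC trailer length


def version_tuple(ver: str) -> tuple:
    """'1.47.651.1' -> (1, 47, 651, 1) so versions compare numerically, not as strings."""
    return tuple(int(p) for p in ver.strip().split("."))


def parse_mainver(android_info: bytes) -> tuple:
    """Pull the mainver line out of android-info.txt (assumed 'mainver: x.y.z.w' format)."""
    m = re.search(rb"(?im)^\s*mainver\s*:\s*([\d.]+)", android_info)
    if not m:
        raise ValueError("android-info.txt has no mainver line")
    return version_tuple(m.group(1).decode())


def _zip_bytes(mainver: str, payload: dict) -> bytes:
    """Write an android-info.txt plus the given image files into a zip held in memory."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        z.writestr("android-info.txt", f"mainver: {mainver}\n")
        for name, data in payload.items():
            z.writestr(name, data)
    return buf.getvalue()


def build_image(mainver: str, payload: dict, key: bytes = VENDOR_KEY) -> bytes:
    """Build a PC36IMG.zip-like archive and append a signature trailer made with `key`."""
    body = _zip_bytes(mainver, payload)
    return body + hmac.new(key, body, hashlib.sha256).digest()


def swap_android_info(image: bytes, new_mainver: str) -> bytes:
    """The android-info.txt swap from the thread: rebuild the archive with a new
    version line but keep the old trailer, since the signing key is not available."""
    body, tag = image[:-TAG_LEN], image[-TAG_LEN:]
    with zipfile.ZipFile(io.BytesIO(body)) as z:
        payload = {n: z.read(n) for n in z.namelist() if n != "android-info.txt"}
    return _zip_bytes(new_mainver, payload) + tag


def check_image(image: bytes, installed_mainver: str, stock_hboot: bool = True) -> str:
    """Return the verdict a bootloader with the given stored MainVer would give.

    stock_hboot=True verifies the trailer first (the stock behaviour described
    in the thread); False models the eng hboot that skips signature checking.
    The anti-rollback comparison runs in both modes (an assumption).
    """
    body, tag = image[:-TAG_LEN], image[-TAG_LEN:]
    if stock_hboot:
        expected = hmac.new(VENDOR_KEY, body, hashlib.sha256).digest()
        if not hmac.compare_digest(expected, tag):
            return "signature verification failed"
    with zipfile.ZipFile(io.BytesIO(body)) as z:
        image_ver = parse_mainver(z.read("android-info.txt"))
    if image_ver < version_tuple(installed_mainver):
        return "Main Version is older! Update Fail!"
    return "ok"


if __name__ == "__main__":
    signed = build_image("1.32.651.6", {"boot.img": b"constructed boot image"})
    print(check_image(signed, "1.32.651.6"))  # ok
    print(check_image(signed, "1.47.651.1"))  # Main Version is older! Update Fail!
    swapped = swap_android_info(signed, "1.47.651.1")
    print(check_image(swapped, "1.47.651.1"))  # signature verification failed
    print(check_image(swapped, "1.47.651.1", stock_hboot=False))  # ok
```

The point the model makes is the one the thread arrives at: the signature covers the whole archive, so the version line cannot be edited without the key, and the anti-rollback check rejects anything that still carries the old version. Both gates have to be satisfied on a stock hboot; the eng hboot only drops the first one.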
30th June 2010, 05:45 AM |#5
EtherealRemnant
Senior Member
Flag Denver, CO
I think in order for this to be patched, the bootloader code needs to be disassembled between the two versions to find out what bytes were patched and then either remove the code that checks for HTC signing or find a way to circumvent it.

We had to do things like this when working with mach_kernel when we got ahold of the first developer build of OS X for Intel. It was a pain in the ass and took weeks before we cracked the kernel.

There is even more risk with this though since tampering with the bootloader can definitely permanently brick devices.
30th June 2010, 08:40 AM |#6
2002wrex
Senior Member
Flag Milwaukee, WI
Quote:
Originally Posted by joeykrim

If you've flashed the official OTA update or your new EVO comes loaded with it, right now it appears there is no way to obtain root...yet!

after going through all these methods with a great helpful member of the unrevoked team, joshua_, this was the final answer:
[22:34] <joeykrim> can't seem to find a method to RUU the phone back down ... I've tried all the methods I've seen. any methods I missed?
[22:34] <joshua_> ok, looks like we are hosed then
[22:34] <joshua_> we have a few more tricks up our sleeve sooner or later

If you have any suggestions/ideas, please post. I might have missed a method.

We will work towards obtaining root for those with new EVOs that have the official OTA applied and those who applied the official OTA.

Here are details of the tested methods:

user debug PC36IMG.zip (toast part 1) - bootloader error - Main Version is older! Update Fail! Do you want to reboot device?

eng build PC36IMG.zip (toast part 2) - bootloader error - Main Version is older! Update Fail! Do you want to reboot device?

RUU_Supersonic_1.32.651.6 extracted rom.zip renamed to PC36IMG.zip - bootloader error - main version is older

RUU_Supersonic_1.32.651.6_Radio_1.39.00.05.31_release_171253_signed.exe - Error [140]: Bootloader version error The ROM Update Utility cannot update your Android. Please get the correct ROM Update Utility and try again.

RUU_Supersonic_1.32.651.1_Radio_1.39.00.04.26_release_171253.exe - Error [140]: Bootloader version error The ROM Update Utility cannot update your Android. Please get the correct ROM Update Utility and try again.

Stock Recovery - Apply update.zip - clockwork recovery update.zip - E:failed to verify whole-file signature E:signature verification failed

flash_image (flash boot or mtd-eng.img) - copied to /sdcard, but sdcard is mounted with noexec. only partition with write access for non-root user and allows executing is /sqlite_stmt_journals . flash_image can't write to the partitions w/o being run with root permissions. in other words, need root access to use flash_image

##786# - Reset - doesn't seem to affect much in the way of bootloader version ...

since my friend did the OTA update yesterday and "bricked" his phone i have been trying to fix the phone (i have access to bootloader so it seems to me that maybe, just maybe i can save the phone). anyways, i have been getting a lot of the same error messages anytime i try to update/load any stock rom via bootloader.

what my question is, is there a way to take a 1.47.651.1 rom/image and put it into an ruu? i have looked all over htc's website, but they don't even acknowledge the existence of the evo, at least not that i can find.
30th June 2010, 11:56 AM |#7
Senior Member
Quote:
Originally Posted by joeykrim


flash_image (flash boot or mtd-eng.img) - copied to /sdcard, but sdcard is mounted with noexec. only partition with write access for non-root user and allows executing is /sqlite_stmt_journals . flash_image can't write to the partitions w/o being run with root permissions. in other words, need root access to use flash_image
...

Just curious here, regarding the above step, if you had access to a phone that was already rooted, could you use your sdcard in that phone to copy the files into /data and then transfer the sdcard back to the unrooted phone to flash it then?
30th June 2010, 01:04 PM |#8
OP Inactive Recognized Developer
Sorry for the long multi quote, there are quite a few good ideas and I wanted to make sure I explored each of them as far as the original poster intended.

Quote:
Originally Posted by EtherealRemnant

I think in order for this to be patched, the bootloader code needs to be disassembled between the two versions to find out what bytes were patched and then either remove the code that checks for HTC signing or find a way to circumvent it.

interesting ... circumventing the HTC signature check would be perfect and essentially give us an eng build bootloader.

in the RUU.exe rom.zip files, the android-info.txt indicate the MainVer along with a separate hboot.img file. the official OTA didn't have an hboot.img file. It only had a radio.img file which must have updated the MainVer value.
Not sure where on the phone this MainVer value is stored? in the radio?

you're suggesting, compare the bootloader, which is obviously stored somewhere in radio.img as thats the only file being flashed thru the OTA which increments the bootloader version number, against an older radio.img to attempt and find which bytes were changed for the version number?
The radio.img files are all around 22 MB ... ugh

if we're able to find the change in version number on the radio.img, not sure how it would help in flashing over it?

i was kind of thinking down these lines...since the bootloader checks the version number of any file it attempts to flash, the version number is going to be the key.

if we're able to increment (or temp change) the main version number in the file being flashed w/o messing up the htc signature, that could work.


Quote:
Originally Posted by 2002wrex

what my question is, is there a way to take a 1.47.651.1 rom/image and put it into an ruu?

i've heard this was often done back in the WinMo days but i haven't seen anything on this board regarding this approach. if you have any detailed information, we could def look into it!


Quote:
Originally Posted by unknown_owner

Just curious here, regarding the above step, if you had access to a phone that was already rooted, could you use your sdcard in that phone to copy the files into /data and then transfer the sdcard back to the unrooted phone to flash it then?

very clever concept!
i'm not 100% sure on all the different approaches in the suggestion, but here are the ones it prompted me to explore.

unfortunately, every time the /sdcard is mounted on the phone, its mounted as noexec, meaning no files located on the /sdcard can be executed like programs.

also the /sdcard is mounted with uid=1000 and gid=1015, meaning all files mounted on the /sdcard have their uid/gid overwritten, so none of them are allowed root ownership.

without being able to "su" to root access, we aren't able to run any programs with root access.

trying to chownto flash_image to any reference file as root results in:
chownto flash_image /system/bin/chown
Can't change user/group to root!

chown root flash_image
Unable to chmod flash_image: Operation not permitted

if i missed the suggested approach, could you elaborate?
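The reasoning in this reply (sdcard mounted noexec, uid=/gid= forced by the mount so a chown can never stick, exec only possible from a writable internal partition) is exactly what a mount-hardening review checks on a device: every mount an unprivileged user can write to should carry noexec, and removable media should have its ownership pinned. The script below is an added example for this thread, not an Android or HTC tool and not something any poster wrote. The mount table in it is constructed to resemble an Android 2.x /proc/mounts and is not captured from an EVO; the option names (rw, noexec, uid=, gid=) are the standard Linux ones.

```python
"""Audit mount options the way this reply reasons about them.

Added example, not from the thread or from any Android tool. It parses
/proc/mounts-style lines and answers, per path:
  - which mount actually backs the path (longest-prefix match),
  - whether that mount allows execution (no 'noexec'),
  - whether a uid=/gid= option pins ownership, so a chown cannot stick.
It also lists mounts that are rw without noexec, the candidates a hardening
review looks at first. Directory permissions still decide whether a given
user can write inside such a mount; the table alone cannot tell you that.
The sample table is constructed, not captured from a device.
"""
import posixpath

SAMPLE_MOUNTS = """\
/dev/block/mtdblock3 /system yaffs2 ro,relatime 0 0
/dev/block/mtdblock4 /data yaffs2 rw,nosuid,nodev,relatime 0 0
tmpfs /sqlite_stmt_journals tmpfs rw,relatime,size=4096k 0 0
/dev/block/vold/179:1 /sdcard vfat rw,dirsync,nosuid,nodev,noexec,relatime,uid=1000,gid=1015,fmask=0702,dmask=0702,utf8 0 0
"""


def parse_mounts(text: str) -> list:
    """Turn /proc/mounts lines into dicts with an option set and any forced uid/gid."""
    mounts = []
    for line in text.splitlines():
        if not line.strip():
            continue
        device, mountpoint, fstype, opts, _dump_pass = line.split(None, 4)
        options = opts.split(",")
        forced = {k: int(v)
                  for k, v in (o.split("=", 1) for o in options if "=" in o)
                  if k in ("uid", "gid")}
        mounts.append({"device": device, "mountpoint": mountpoint, "fstype": fstype,
                       "options": set(options), "forced_owner": forced})
    return mounts


def mount_for(mounts: list, path: str):
    """Return the mount entry backing `path`: the longest mountpoint that prefixes it."""
    path = posixpath.normpath(path)
    best = None
    for m in mounts:
        mp = m["mountpoint"]
        if path == mp or path.startswith(mp.rstrip("/") + "/"):
            if best is None or len(mp) > len(best["mountpoint"]):
                best = m
    return best


def exec_allowed(mounts: list, path: str) -> bool:
    """True when the backing mount does not carry noexec (kernel-level; file mode still applies)."""
    m = mount_for(mounts, path)
    return m is not None and "noexec" not in m["options"]


def ownership_forced(mounts: list, path: str) -> bool:
    """True when uid=/gid= on the mount overrides per-file ownership, as on the sdcard."""
    m = mount_for(mounts, path)
    return bool(m and m["forced_owner"])


def rw_exec_mounts(mounts: list) -> list:
    """Mounts that are rw and lack noexec: where a hardening review would expect noexec."""
    return sorted(m["mountpoint"] for m in mounts
                  if "rw" in m["options"] and "noexec" not in m["options"])


if __name__ == "__main__":
    table = parse_mounts(SAMPLE_MOUNTS)
    for p in ("/sdcard/flash_image", "/data/local/flash_image", "/sqlite_stmt_journals/x"):
        print(p, "exec:", exec_allowed(table, p), "owner pinned:", ownership_forced(table, p))
    print("rw without noexec:", rw_exec_mounts(table))
```

On the constructed table the sdcard path reports exec: False and ownership pinned (uid 1000, gid 1015), matching what the reply observed, while /data and /sqlite_stmt_journals show up in the rw-without-noexec list; on a hardened build those are the mounts a reviewer would want to see either noexec or restricted by directory permissions.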
yang704
30th June 2010, 02:26 PM |#9
Guest
Oh boy...... I thought I was alone in this. I tried everything I could and have now given up. Anyone who can root this new OTA, please let me know. I really need to downgrade from this.
30th June 2010, 02:38 PM |#10
Member
Made me think of a problem that happened with the Directivo a few years back...

ht t p://dealdatabase.com/forum/showthread.php?t=22154

Quote:

I was looking around, trying to figure out some way to hack the hdvr2 w/o modifying the prom. I recalled something from the xbox-linux team's presentation for CCC, which was something close to "once you break the chain of trust, the box is forever compromised." I thought to myself: "self, if we can load one kernel via BASH_ENV, why can't we load a second kernel?"

So, is there a way we could compromise the kernel? If so, then...
30th June 2010, 04:31 PM |#11
notmike
Member
Subscribed...

Not really interested in rooting until froyo is working, and I could really use the wifi fixes this OTA is supposed to offer, but I'll hold off installing it until we know it can eventually be rooted.
Tags
1.47.651.1, root evo