Thanks for this! I now have S-OFF on my N1. I wonder if the MTD partitions could be resized now like in the Desire? Hmmm...
Hey IR, pls try that out and if you're successful, pls post the guide.
Great work @dla5244!!! Congratulations from spain
I tried it and it works perfectly. The process takes about 10 seconds, and after that we have bootloader S-OFF!
Now I have a doubt: can I flash the original mtd0.img partition if the file I have is not signed?
I have HBOOT 0.35.2012. It's an eng S-OFF SPL, but it won't let me boot with it. It flashes onto the splash screen and takes me back to the bootloader.
Modify HBOOT
It needs assembly skill.
You can refer to this (IDA database):
http://xdaforums.com/showpost.php?p=11004361&postcount=1
You must modify and flash an unsigned hboot (0x0 ~ 0x100 is not the signature).
I attached the original unsigned hboot file (0.35.0017).
You can start from this file.
hboot-ori.zip hash (MD5): f319b05b5e511f8ca1c7667eb5ec6012
Change boot logo
1. Prepare a 480x800 BMP file to change to
2. nbimg.exe -F <BMP FILE> -n
3. Rename the *.nb file to splash1.img
4. fastboot flash splash1 <SPLASH1.IMG PATH>
Repartition
Not tested, so I post how to modify it (maybe).
If you do not know assembly or find it difficult to understand, don't try.
The first modify point is 0x0002FB4C (0x8E02FB4C).
Block size: 0x20000
Range: 0x24E ~ 0xFF0
r1 = start block address
r2 = block size
ROM:8E02FB4C 98 0E 0C E3 06 0E+ MOV R0, aSystem ; "system"
ROM:8E02FB54 4E 12 00 E3 MOV R1, #0x24E
ROM:8E02FB58 88 24 00 E3 MOV R2, #0x488
ROM:8E02FB5C 82 54 FF EB BL sub_8E004D6C
ROM:8E02FB60 F0 05 0C E3 06 0E+ MOV R0, aCache ; "cache"
ROM:8E02FB68 D6 16 00 E3 MOV R1, #0x6D6
ROM:8E02FB6C BE 2F A0 E3 MOV R2, #0x2F8
ROM:8E02FB70 7D 54 FF EB BL sub_8E004D6C
ROM:8E02FB74 F8 05 0C E3 06 0E+ MOV R0, aUserdata ; "userdata"
ROM:8E02FB7C CE 19 00 E3 MOV R1, #0x9CE
ROM:8E02FB80 22 26 00 E3 MOV R2, #0x622
ROM:8E02FB84 78 54 FF EB BL sub_8E004D6C
The next modify point is 0x0007C3D0 (0x8E07C3D0).
Range: 0x24E ~ 0x1000
e.g. 24E = 4E 02 (in a hex editor)
24E @ system base address (don't modify this)
488 @ system block size
6D6 @ cache base address
2F8 @ cache block size
9CE @ data + spcustom base address
632 @ data + spcustom size (base address + size must equal 0x1000)
Dump hboot
First, prepare a working kernel and rename it boot.img.
fastboot -c "mtdparts=msm_nand:896k@0x03EE0000(misc),4096k@0x04240000(recovery),3584k@0x04640000(boot),148480k@0x49C0000(system),97280k@0xDAC0000(cache),202368k@0x139C0000(userdata),768k@0x03E20000(hboot)" boot boot.img
dump_image hboot /sdcard/hboot.img
If your hboot version is 0.35.2017, please dump and post your hboot image.
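A worked example of what the first modify point amounts to in code. This is added here and is not the poster's tooling or any BlackRose code: it decodes the six R1/R2 MOV immediates from the listing above, computes a new contiguous layout (system base fixed at 0x24E, everything ending at 0xFF0 as in the listing), and re-encodes the words as MOVW, refusing to patch any word that does not decode to the listed value, so running it against the wrong image or a wrong offset fails instead of corrupting the bootloader. The instruction words, their file offsets and the 0x8E000000 load base are taken from the listing; the image returned by sample_image() is a constructed stand-in and not the contents of hboot-ori.zip, the 50 MiB moved from cache to userdata is an assumed illustration, and the table at 0x7C3D0 is covered only by the little-endian helper because the post gives nothing beyond the "24e = 4e02" hint about its layout.

```python
"""Decode and re-encode the partition-table immediates at the first modify point.

Added example, not the poster's tooling or BlackRose code.  The six instruction
words, their file offsets and the 0x8E000000 load base come from the listing in
the post; the image built by sample_image() is a constructed stand-in, not the
real hboot-ori.zip contents.
"""
import struct

LOAD_BASE = 0x8E000000   # ROM:8E02FB4C in the listing == file offset 0x0002FB4C
BLOCK = 0x20000          # NAND block size the post counts in ("block size 20000")
TABLE_END = 0xFF0        # first modify point spans blocks 0x24E ~ 0xFF0

# file offset and listed value of each R1 (start block) / R2 (block count) move
LISTED = {
    "system":   {"base": (0x2FB54, 0x24E), "size": (0x2FB58, 0x488)},
    "cache":    {"base": (0x2FB68, 0x6D6), "size": (0x2FB6C, 0x2F8)},
    "userdata": {"base": (0x2FB7C, 0x9CE), "size": (0x2FB80, 0x622)},
}


def decode_mov_imm(word):
    """Immediate of an ARM MOVW (encoding A2) or MOV-immediate (A1) word, else None."""
    op = (word >> 20) & 0xFF
    if op == 0x30:                       # MOVW Rd, #imm16   (e.g. 4E 12 00 E3 -> 0x24E)
        return (((word >> 16) & 0xF) << 12) | (word & 0xFFF)
    if op == 0x3A:                       # MOV Rd, #imm8 ROR 2*rot (e.g. BE 2F A0 E3 -> 0x2F8)
        rot, imm8 = (word >> 8) & 0xF, word & 0xFF
        n = 2 * rot
        return ((imm8 >> n) | (imm8 << (32 - n))) & 0xFFFFFFFF if n else imm8
    return None


def encode_movw(rd, imm16):
    """MOVW Rd, #imm16 (cond AL).  Safe here: the stock HBOOT already uses MOVW."""
    if not (0 <= rd <= 15 and 0 <= imm16 <= 0xFFFF):
        raise ValueError("register or immediate out of range")
    return 0xE3000000 | ((imm16 >> 12) << 16) | (rd << 12) | (imm16 & 0xFFF)


def read_word(img, off):
    return struct.unpack_from("<I", img, off)[0]


def layout(system_blocks, cache_blocks, end=TABLE_END, system_base=0x24E):
    """Contiguous layout: cache follows system, userdata follows cache and runs to `end`.
    The post keeps the system base fixed, so only the two sizes are inputs."""
    cache_base = system_base + system_blocks
    data_base = cache_base + cache_blocks
    data_size = end - data_base
    if data_size <= 0:
        raise ValueError("system + cache leave no room for userdata")
    return {"system": (system_base, system_blocks),
            "cache": (cache_base, cache_blocks),
            "userdata": (data_base, data_size)}


def patch_partition_table(img, new_layout, listed=LISTED):
    """Return a patched copy; refuse to touch any word that does not decode to the listed value."""
    out = bytearray(img)
    for name, fields in listed.items():
        for field, value in zip(("base", "size"), new_layout[name]):
            off, expected = fields[field]
            word = read_word(out, off)
            if decode_mov_imm(word) != expected:
                raise ValueError(f"{name} {field} @0x{off:X} (ROM:{LOAD_BASE + off:X}) "
                                 f"does not hold 0x{expected:X}: wrong image or offset")
            rd = (word >> 12) & 0xF      # keep R1/R2 exactly as the original used them
            struct.pack_into("<I", out, off, encode_movw(rd, value))
    return bytes(out)


def le16(value):
    """Byte pattern of a 16-bit value as seen in a hex editor ("24e = 4e02" in the post)."""
    return struct.pack("<H", value)


def sample_image():
    """Constructed stand-in image: zeros plus the six listed instruction words at their offsets."""
    img = bytearray(0x30000)
    words = {0x2FB54: "4E1200E3", 0x2FB58: "882400E3", 0x2FB68: "D61600E3",
             0x2FB6C: "BE2FA0E3", 0x2FB7C: "CE1900E3", 0x2FB80: "222600E3"}
    for off, hx in words.items():
        img[off:off + 4] = bytes.fromhex(hx)
    return bytes(img)


if __name__ == "__main__":
    img = sample_image()
    # Example change (assumed): hand 50 MiB = 400 blocks of 128 KiB from cache to userdata.
    new = layout(0x488, 0x2F8 - 400)
    patched = patch_partition_table(img, new)
    for name, (b, s) in new.items():
        print(f"{name:8s} base=0x{b:X} size=0x{s:X}  (hex editor base bytes: {le16(b).hex()})")
    print("cache size word now", patched[0x2FB6C:0x2FB70].hex())
```

Two things the listing itself shows and the code preserves: the stock cache size is an 8-bit rotated MOV (BE 2F A0 E3) while the other five are MOVW, so the patcher decodes both forms but always writes MOVW, which the same bootloader already executes; and the two modify points end at different blocks (0xFF0 in the code, 0x1000 in the table at 0x7C3D0), so the values for the second set come from `layout(..., end=0x1000)` and must be written there as little-endian 16-bit words. The output is still an unsigned hboot, which the post says is the only kind you can flash here.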
I have HBOOT 0.35.2012. It's an eng S-OFF SPL, but it won't let me boot with it. It flashes onto the splash screen and takes me back to the bootloader.
... and you got the padlock back.
Firerat's MTD partition tool may work, but it most likely needs modification. As is, I couldn't get it to work. It seems to have removed the data partition. I'll look into it more later.
The kernel command-line method works. I just resized the cache partition to 50MB and gave it to userdata. You need both the recovery and the kernel to be modified, though, in order to get it to work properly. (You can modify just the kernel, but then how do you flash a ROM correctly to the resized partitions if the recovery sees the SPL's version of the partitions?)
*I didn't try the SPL method since I won't risk my phone.
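An added example of the kernel command-line method described in the post above; it is not the poster's script. It parses the mtdparts= string quoted in the "Dump hboot" post, checks that every boundary sits on a 0x20000 NAND block and that nothing overlaps (hboot is listed last but lies first in flash, so the check sorts by address), shrinks cache and hands the freed space to the userdata partition that immediately follows it, and prints the new string. Converting the offsets to 128 KiB blocks also reproduces the constants the HBOOT listing works in (system at block 0x24E with 0x488 blocks). The 50 MiB moved is an assumed amount for illustration; the partition names are the ones in the quoted string.

```python
"""Resize the Nexus One NAND layout via the kernel command line's mtdparts= string.

Added example, not the poster's script.  ORIGINAL is the string quoted in the
"Dump hboot" post; BLOCK is the 0x20000 NAND block size that post works in.
"""
import re

BLOCK = 0x20000  # 128 KiB NAND erase block: every offset and size must be a multiple
ORIGINAL = ("mtdparts=msm_nand:896k@0x03EE0000(misc),4096k@0x04240000(recovery),"
            "3584k@0x04640000(boot),148480k@0x49C0000(system),97280k@0xDAC0000(cache),"
            "202368k@0x139C0000(userdata),768k@0x03E20000(hboot)")

PART_RE = re.compile(r"(\d+)k@0x([0-9A-Fa-f]+)\(([a-z0-9_]+)\)")


def parse_mtdparts(s):
    """Return (device, [[name, offset_bytes, size_bytes], ...]) in the order written."""
    m = re.fullmatch(r"mtdparts=([A-Za-z0-9_]+):(.+)", s)
    if not m:
        raise ValueError("not an mtdparts= string")
    dev, body = m.groups()
    parts = []
    for spec in body.split(","):
        pm = PART_RE.fullmatch(spec)
        if not pm:
            raise ValueError(f"bad partition spec: {spec!r}")
        size_k, off_hex, name = pm.groups()
        parts.append([name, int(off_hex, 16), int(size_k) * 1024])
    return dev, parts


def format_mtdparts(dev, parts):
    """Inverse of parse_mtdparts (offsets padded to 8 hex digits; the kernel accepts either)."""
    return "mtdparts=%s:%s" % (
        dev, ",".join(f"{size // 1024}k@0x{off:08X}({name})" for name, off, size in parts))


def check_layout(parts):
    """Block alignment and no overlap, checked in address order (hboot is listed last but lies first)."""
    ordered = sorted(parts, key=lambda p: p[1])
    for name, off, size in ordered:
        if off % BLOCK or size % BLOCK:
            raise ValueError(f"{name}: offset or size is not a multiple of 0x{BLOCK:X}")
    for (a, aoff, asize), (b, boff, _) in zip(ordered, ordered[1:]):
        if aoff + asize > boff:
            raise ValueError(f"{a} (ends 0x{aoff + asize:X}) overlaps {b} (starts 0x{boff:X})")
    return True


def as_blocks(parts):
    """{name: (start_block, block_count)} -- the units the HBOOT partition table uses."""
    return {name: (off // BLOCK, size // BLOCK) for name, off, size in parts}


def move_space(parts, src, dst, nbytes):
    """Shrink src by nbytes and grow the partition that immediately follows it (dst) by the same."""
    if nbytes % BLOCK:
        raise ValueError("amount must be a whole number of blocks")
    new = [list(p) for p in parts]
    byname = {p[0]: p for p in new}
    s, d = byname[src], byname[dst]
    if s[1] + s[2] != d[1]:
        raise ValueError(f"{dst} does not immediately follow {src}")
    if nbytes >= s[2]:
        raise ValueError(f"{src} would be left with no space")
    s[2] -= nbytes
    d[1] -= nbytes
    d[2] += nbytes
    check_layout(new)
    return new


if __name__ == "__main__":
    dev, parts = parse_mtdparts(ORIGINAL)
    check_layout(parts)
    print("HBOOT-style blocks:", {k: (hex(a), hex(n)) for k, (a, n) in as_blocks(parts).items()})
    resized = move_space(parts, "cache", "userdata", 50 * 1024 * 1024)  # 400 blocks (assumed)
    print(format_mtdparts(dev, resized))
```

As the post says, the resized string has to reach both the boot image's kernel and the recovery's kernel (for a one-off test, `fastboot -c "<string>" boot boot.img` as in the "Dump hboot" post), otherwise the recovery still flashes to the SPL's idea of the partitions. Moving space only between adjacent partitions keeps every other partition where the SPL expects it, which is why the example refuses a non-adjacent pair.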
Does this mean that, theoretically, we can get more room for app data? This could be really awesome! No more need for data2sd.
Yes. I'll try to post instructions later on how to do this without losing your data. For advanced users only, though, since it requires command-line skills.
Thanks for your contribution
I have a rooted N1 with custom recovery and unlocked bootloader. Is it correct for me to run the locked .bat to install it?
FEATURE
Security OFF
No padlock mark, even when unlocked
Password protection
Engineering command
BlackRose custom command
Change boot logo
Resize Partition
Select menu by pressing trackball
Switch vibration at boot
CRC32 check function
Prevent HBOOT overwrite by RUU
REQUIRE
Windows PC or Linux PC
USB Debugging (ADB) ON (Settings - Applications - Development - USB Debugging)
Connect USB before executing the BlackRose installer
ADB and Fastboot USB Driver - Windows
http://www.mediafire.com/?bhxmn903d6cz9eg
GO
Windows PC: BlackRose.exe
Linux PC: BlackRose
Possible arguments
skip: go to the BlackRose menu immediately (not recommended, because the HBOOT version check step is skipped)
editor: go to the BlackRose editor (standalone)
Guide
Install
http://www.youtube.com/watch?v=cC7nyRxVvk4
Uninstall
http://www.youtube.com/watch?v=mGrnDsSrS5s
Update(from 120215)
http://www.youtube.com/watch?v=TK5kepkO9oI
Resize partition
http://www.youtube.com/watch?v=ScIMetgk7Zw
Execute BREditor(standalone)
http://www.youtube.com/watch?v=FSbSL4kUloQ
*.Those using an older custom BlackRose (e.g. 111231): since the older version can't communicate with the BlackRose installer, you need to follow my directions.
Once you have followed them, you don't need to do this again later.
1. Customize the same partition layout as before using the BlackRose editor (see "Execute BREditor")
2. fastboot flash hboot hboot_brcust.nb0
3. fastboot reboot
*.If you are using Mac OS X and failed to install using the installer,
download blackrose_manual_120421.zip and follow the instructions in the zip file.
Change Log
120421
Disable password protection (temporary)
*.As you know, there is no way to recover a password.
That's why I designed the 2nd password.
I received many messages about forgotten passwords,
so I decided to disable password protection until I design a new solution.
Fix stock BlackRose partition layout label.
120216
Bootloader(HBOOT)
Add new function (I will not reveal it; it doesn't matter for normal users)
120215
Bootloader(HBOOT)
Change message when protected by password (not allowed -> protected)
Add bootloader command line in order to communicate with the BlackRose installer
Installer
Now supports the HBOOT versions below
0.33.0012
0.33.2012
0.35.0017
0.35.2017
7.35.5017(BlackRose)
Recreated program (not rebuilt, but recreated)
1. BREditor has been merged
2. Install process has been revamped
3. Communicates with HBOOT
4. Convenient, optimized
5. Etc.
* Since I'm not a god, please feel free to report bugs
111231
Happy New Year!
HBOOT(Bootloader)
Update release date(because it's the last day of 2011)
Installer and Editor
Common: executable is not packed (fixes the problem of the executable being deleted by virus scanners)
Installer: Improve install process
Update exploit
Installer: Fix install bug(perfectly, 111231_2)
Installer: Improve installer(111231_3)
Editor: Bug fix(111231_3)
111217
HBOOT(Bootloader)
New CRC32 function
(this function is used for making a custom bootloader)
Installer and Editor
Installer: Can flash ANY bootloader
Editor: Show warning message when set password
Editor: bug fix (partition and "understand" bug, 111217_2)
111208
HBOOT(Bootloader)
Password protection
Rebase BlackRose custom command
Remove unlock, lock commands
Remove simlock menu (replaced with powerdown)
Remove clearstorage menu (replaced with reboot)
Display off/on message when switching vibration at boot
Add extension label (no more need to identify 5017 or 5117)
Bug fix (getvar version)
Cleanup
Installer and Editor
Improve BlackRose installer
New BlackRose editor (you must use this)
BREditor: make it clear (password -> protection) (111208_2)
BREditor: password bug fix (111208_3)
111128
Fix BlackRose custom command problem (brcmd 5)
Improve BlackRose installer
111126
Select menu by using the trackball instead of the power key (default)
*.I analysed the key dispatch routine completely and revamped it.
I recommend updating to BlackRose 111126 because it is better than 111125
Fix key label
111125
Switch trackball selection (permanent!!!, see Advanced section)
Etc.
111118
HBOOT(Bootloader)
Can't flash an image without a signature when S-ON
(can't flash by unsigned RUU, but can flash by the flash command? That's not fair.)
Change command (oem brset -> oem brcmd)
New commands (brcmd 2, brcmd 5)
Installer
Can apply custom-partition BlackRose (see Advanced section, more easily)
Can update BlackRose from a custom-partition BlackRose (see Update section)
Can install BlackRose even if you don't have adb root permission (111118_2)
Fix BlackRose Windows installer error (111118_3)
Rebase BlackRose installer (111118_4)
Fix BlackRose installer error (111118_5)
111111
Change title color
Can flash some images (boot, recovery, system, userdata, radio, zimage) even with S-ON and a locked bootloader
Rework writemainver (reason: when you uninstall BlackRose, the stored mainversion will be cleared)
Add custom command (fastboot oem brset)
Can switch vibration at boot
Can select by pressing the trackball (see Advanced section in BlackRose installer)
Optimization and cleanup
Can install BlackRose on Linux (111111_2)
Fix BlackRose Linux installer error (111111_3)
111009
When you update the ROM (by PASSIMG, RUU), BlackRose doesn't write a new mainver
111006
New base: 0.35.2017 (Engineering HBOOT) - Thanks to PhaseBurn
Original image (0.35.2017): http://xdaforums.com/showpost.php?p=18141273&postcount=116
No padlock mark (even if you unlocked the bootloader)
Prevent HBOOT overwrite by OTA or RUU
Disable fastboot command (oem unlock), because there is no need to unlock the bootloader
Can receive Google OTA
FAQ
1. Phone is bricked, screen doesn't turn on
You have flashed an unsigned RADIO.
If you want to unbrick your phone, the answer is JTAG or an HTC Service Center (the engineer can refuse to repair your phone).
2. Can I lock the bootloader again?
To relock the bootloader, you have to achieve radio S-OFF (secu_flag=0); otherwise you would see the error [Lock Failed].
3. How to achieve radio S-OFF?
AT@SIMLOCK=7,0 or AT@SIMLOCK=8,0
I disassembled the radio (AMSS).
It needs an HTC special SIM card or a SIM emulator (XTC-CLIP).
But...
If we can disable the SMI MPU and modify only one byte of the AMSS routine in SDRAM,
we can achieve radio S-OFF without the HTC special card.
4. I can't update the radio using recovery.
If the cache partition size is less than the radio image, you can't update the radio using recovery.
So I suggest this way to update the radio:
fastboot flash radio [RADIO IMAGE (e.g. radio.img)]
5. I can't see my device when executing the BlackRose installer
If you are using a Sense ROM, adb doesn't work with the device.
You must install HTC Sync.
-Thanks for your favor-
Donation
rugmankc
efrant
madj42
fzr-r4
texasice
gdarren
WOW, I cannot appreciate it enough
BlackRose custom command
fastboot oem brcmd [command]
svib: enable/disable vibration at boot (no output string, but the setting will be changed)
brec: go to recovery mode
pass [password]: create encrypted password / authenticate
Change boot logo
1. Prepare a 480x800 BMP file to change to
2. nbimg.exe -F [BMP FILE] -n
3. Rename the *.nb file to splash1.img
4. fastboot flash splash1 [SPLASH1 IMG]
Password Protection
1. fastboot oem brcmd pass [ORIGINAL PASSWORD]
2. Note your encrypted value
3. Input the encrypted value in BREditor
4. Apply custom BlackRose
NEVER input the original password in BREditor
If you would like to unlock protection:
fastboot oem brcmd pass [ORIGINAL PASSWORD]
TIP
In the locked state, the oem pass command works as the unlock method
Otherwise, it works as "create encrypted password"
If you type a wrong password three times in a row, the device is turned off
Apply custom BlackRose
*.If you use the BlackRose installer method, no need to read this
Apply
1. fastboot flash hboot [CUSTOM BLACKROSE BINARY]
2. fastboot reboot-bootloader
If you will change the partition layout
1. fastboot flash hboot [CUSTOM BLACKROSE BINARY]
2. fastboot reboot-bootloader
3. fastboot erase cache
4. fastboot oem brcmd brec
5. Full wipe
6. Update ROM
7. Reboot
Impressive! A really interesting approach. Even though radio S-OFF would be preferred, a modified HBOOT unlocks more commands than the current stock unlocked HBOOT does, right?