testers needed- reset your lock status flag


scotty1223

Inactive Recognized Contributor
Jan 3, 2011
2,813
3,056
Since the current s-off method is not resetting your lock status flag, I figured there would be a demand for this. It all started from this thread in the GSM Evo 3D section: http://xdaforums.com/showthread.php?t=1970252

*This is not a modified or hex edited hboot. This is resetting your lock flag, so that your phone will correctly display locked on the hboot screen.

I've verified the lock location on just about every s3 phone jpbear supports, as well as a couple s4 dual core devices - LTEvo, Inc 4G LTE, and One S.

I've had a friend dump his DNA mmcblk0p3 and the lock flag location is the same, with an extra character that I've not seen prior. He cannot test the mods, as he is dependent on his phone for work, and can't be without it.

0x8400 on his DNA looked like this:
Code:
03 00 00 00 48 54 43 55 01 00 00 00 00 00 00 00....HTCU........

The "01" after 48 54 43 55 I have never seen on any other device.

Now that we have s-off, we can explore this further. First test would be to dump mmcblk0p3, hex edit it, changing 0x8400 to 00000000, and reflash it. I'd like someone fairly savvy to do this, as I can't guarantee it won't melt your shiny DNA into a smoldering pile of goo :eek:

Dump, edit and reflash in this manner:
Code:
Microsoft Windows [Version 6.1.7601]
Copyright (c) 2009 Microsoft Corporation.  All rights reserved.

C:\Users\Scott>cd c:\mini-adb_vigor

c:\mini-adb_vigor>adb devices
* daemon not running. starting it now *
* daemon started successfully *
List of devices attached
HTxxxxxxxxxx    device


c:\mini-adb_vigor>adb shell
shell@android:/ $ su
su
shell@android:/ # dd if=/dev/block/mmcblk0p3 of=/sdcard2/mmcblk0p3
dd if=/dev/block/mmcblk0p3 of=/sdcard2/mmcblk0p3
64734+0 records in
64734+0 records out
33143808 bytes transferred in 9.519 secs (3481858 bytes/sec)
shell@android:/ # exit
exit
shell@android:/ $ exit
exit

c:\mini-adb_vigor>adb pull /sdcard2/mmcblk0p3
2292 KB/s (33143808 bytes in 14.116s)

*modify mmcblk0p3 with a hex editor

c:\mini-adb_vigor>adb push mmcblk0p3mod /sdcard2/mmcblk0p3mod
2478 KB/s (33143808 bytes in 13.059s)

c:\mini-adb_vigor>adb shell
shell@android:/ $ su
su
shell@android:/ # dd if=/sdcard2/mmcblk0p3mod of=/dev/block/mmcblk0p3
dd if=/sdcard2/mmcblk0p3mod of=/dev/block/mmcblk0p3
64734+0 records in
64734+0 records out
33143808 bytes transferred in 18.937 secs (1750214 bytes/sec)
shell@android:/ # exit
exit
shell@android:/ $ exit
exit

c:\mini-adb_vigor>adb reboot bootloader

c:\mini-adb_vigor>


If this is successful, some less experienced users are welcome to try flashing these zip files. See the following thread for zip file links and instructions: http://xdaforums.com/showthread.php?t=2155955

Again, this has not been tested on a quad core s4 phone. I cannot guarantee the hex edit zips will work, fail, or brick your phone.

I just wanted to get this info to the community so we can figure it out :)
 

scotty1223

Inactive Recognized Contributor
Jan 3, 2011
2,813
3,056
Is it not possible to dump that block before s-off for comparison?

Sent from my HTC6435LVW using xda app-developers app

Yes. The dump I have is from an s-on phone. As I said above, the next step is to try and rewrite mmcblk0p3 line 0x8400 and flash it back, now that we have s-off. That block is write protected while s-on, so there was nothing we could do with this until now.

The before and after s-off dumps won't show much different, with the exception that 0x8400 is now 00 instead of 03. HTCU or HTCL do not change.

Now if the 01 at 0x8408 disappears after s-off, that would be interesting...

Maybe someone can shed some light on that character? As I mentioned, I've not seen it in any other phone I've checked.
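An added example, not code from the OP or from anyone in this thread, covering the two checks the OP and the reply above call for: reading the 16-byte row at 0x8400 (4-byte flag, the HTCU/HTCL marker, the unexplained 01 byte) out of a dump, and comparing two dumps (before/after s-off, or original/hex-edited) byte for byte so that a hex-edited image is only written back with dd if it differs from the original exactly where intended. The offsets and row layout are taken from the dumps posted here; the sample images are constructed, and the "safe to flash" rule, the build_sample and check_files helpers and their paths are this example's own assumptions.

```python
# Added example, not code from the thread: offline sanity checks on an
# mmcblk0p3 dump before and after a hex edit. The offset 0x8400 and the row
# layout (4-byte flag, 'HTCU'/'HTCL', then the '01' byte) come from the dumps
# posted in the thread; the sample images below are constructed, and the
# "safe to flash" rule is this example's own assumption, not HTC's.

LOCK_FLAG_OFFSET = 0x8400    # start of the row the thread discusses
MARKER_OFFSET = 0x8404       # 'HTCU' / 'HTCL' in the posted rows
EXTRA_BYTE_OFFSET = 0x8408   # the '01' the OP had not seen on other devices
ROW_LEN = 16


def inspect_lock_row(image: bytes) -> dict:
    """Decode the 16-byte row at 0x8400 the way the thread reads it by eye."""
    if len(image) < LOCK_FLAG_OFFSET + ROW_LEN:
        raise ValueError("image too small to contain offset 0x8400")
    row = image[LOCK_FLAG_OFFSET:LOCK_FLAG_OFFSET + ROW_LEN]
    return {
        "hex_row": row.hex(" "),
        "flag": row[0:4],                 # 03 00 00 00 on the posted s-on dump
        "marker": row[4:8].decode("ascii", errors="replace"),
        "extra_byte": row[8],
        "flag_is_zero": row[0:4] == bytes(4),
    }


def differing_offsets(original: bytes, modified: bytes) -> list:
    """Every byte offset where two same-sized images differ."""
    if len(original) != len(modified):
        raise ValueError("size mismatch: %d vs %d bytes" % (len(original), len(modified)))
    return [i for i, (a, b) in enumerate(zip(original, modified)) if a != b]


def safe_to_flash(original: bytes, modified: bytes, allowed: range) -> bool:
    """True only when the edit is non-empty and confined to `allowed`.

    A hex editor that inserts or deletes instead of overwriting changes the
    file length and shifts everything behind it; dd would then write that
    shifted image straight over the partition. Catch it here instead.
    """
    if len(original) != len(modified):
        return False
    changed = differing_offsets(original, modified)
    return bool(changed) and all(off in allowed for off in changed)


def build_sample(flag: bytes, extra: int = 0x01, size: int = 0x9000) -> bytes:
    """Constructed stand-in for a dump: zeros plus the thread's row at 0x8400."""
    buf = bytearray(size)
    buf[LOCK_FLAG_OFFSET:LOCK_FLAG_OFFSET + 4] = flag
    buf[MARKER_OFFSET:MARKER_OFFSET + 4] = b"HTCU"
    buf[EXTRA_BYTE_OFFSET] = extra
    return bytes(buf)


S_ON_DUMP = build_sample(b"\x03\x00\x00\x00")    # row as posted for the s-on DNA
EDITED_DUMP = build_sample(b"\x00\x00\x00\x00")  # flag zeroed, nothing else touched

_stray = bytearray(EDITED_DUMP)
_stray[0x100] ^= 0xFF                            # an accidental edit elsewhere
STRAY_EDIT = bytes(_stray)

LOCK_FLAG_RANGE = range(LOCK_FLAG_OFFSET, LOCK_FLAG_OFFSET + 4)


def check_files(original_path: str, modified_path: str) -> dict:
    """Run the same checks on a real dump and its edited copy (assumed paths)."""
    with open(original_path, "rb") as f:
        original = f.read()
    with open(modified_path, "rb") as f:
        modified = f.read()
    same_size = len(original) == len(modified)
    return {
        "before": inspect_lock_row(original),
        "after": inspect_lock_row(modified),
        "changed_offsets": [hex(o) for o in differing_offsets(original, modified)]
        if same_size else "size mismatch",
        "safe_to_flash": safe_to_flash(original, modified, LOCK_FLAG_RANGE),
    }


if __name__ == "__main__":
    print(inspect_lock_row(S_ON_DUMP))
    print([hex(o) for o in differing_offsets(S_ON_DUMP, EDITED_DUMP)])
    print(safe_to_flash(S_ON_DUMP, EDITED_DUMP, LOCK_FLAG_RANGE))   # True
    print(safe_to_flash(S_ON_DUMP, STRAY_EDIT, LOCK_FLAG_RANGE))    # False
```

On a real pulled dump, call check_files("mmcblk0p3", "mmcblk0p3mod") with the file names from the OP's transcript; the byte-by-byte compare is plain Python and takes a few seconds on a 133 MB image, which is cheap compared to a bricked phone. The same differing_offsets call is how the before/after s-off comparison in the reply above would be done: two dumps of the same partition, and a list of exactly which offsets moved.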
 

yutsoku

Senior Member
Feb 26, 2010
203
81
38
Cincinnati, Ohio
I'm S-Off, and this is what 0x8400 reads
Code:
00 00 00 00 48 54 43 55 01 00 00 00 00 00 00 00 ....HTCU........
I don't know if I want to reflash it though haha... I changed it..
let me go through my breathing techniques

...You just wanted to change the whole row to 00 right?
 

KyJelly69

Senior Member
Apr 26, 2010
828
208
Indianapolis
I'm S-Off, and this is what 0x8400 reads
Code:
00 00 00 00 48 54 43 55 01 00 00 00 00 00 00 00 ....HTCU........
I don't know if I want to reflash it though haha... I changed it..
let me go through my breathing techniques

...You just wanted to change the whole row to 00 right?

I don't think you change the 01 to 00 just the stuff before.
Or you could use the zip provided?

let us know...
 

scotty1223

Inactive Recognized Contributor
Jan 3, 2011
2,813
3,056
I don't think you change the 01 to 00 just the stuff before.
Or you could use the zip provided?

let us know...

Leaving the 01 could have adverse effects (brick) as well. What we need is a dump from a locked phone to be more sure. I am 95 percent sure a locked phone will have all zeros. But, I cannot guarantee that.

Sent from my ADR6425LVW using Tapatalk 2
 

CastleBravo

Senior Member
Dec 29, 2011
103
50
Los Angeles
Does anyone have a dump from a locked phone? And do you want us to leave the 01 after HTCU as is or set the entire line to 00?

I'm willing to test this and I've already dumped my mmcblk0p3, I'll flash as soon as I hear back.

EDIT: nevermind about the dump from locked phone part, I just saw the new posts to the thread. But to confirm, do we change or leave the 01?

---------- Post added at 11:44 AM ---------- Previous post was at 11:28 AM ----------

We could dump mmcblk0p3 with temp root, right? I could possibly do this on a locked DNA tonight if no one else already has.
 

scotty1223

Inactive Recognized Contributor
Jan 3, 2011
2,813
3,056
That would be awesome. Everyone hold off from flashing until we have dump from a locked phone

Sent from my ADR6425LVW using Tapatalk 2
 

kern3l

Senior Member
Jan 4, 2013
126
37
My mmcblk0p3 size is 133807104 bytes as opposed to 33143808 bytes in OP, anyone else seeing this ?

(I'm able to hexdump and see those bytes mentioned in OP)
 

scotty1223

Inactive Recognized Contributor
Jan 3, 2011
2,813
3,056
My mmcblk0p3 size is 133807104 bytes as opposed to 33143808 bytes in OP, anyone else seeing this ?

(I'm able to hexdump and see those bytes mentioned in OP)

That dump is from my rezound,don't pay any attention to those particular numbers.

Sent from my ADR6425LVW using Tapatalk 2
 

CastleBravo

Senior Member
Dec 29, 2011
103
50
Los Angeles
Got the phone and attempting temp root now. I'll update when I make progress.

---------- Post added at 12:49 PM ---------- Previous post was at 12:12 PM ----------

So far I've been unable to get temp root, but I'm going to keep fiddling with it for a while. Did they patch the adb backup exploit in the OTA? I'm going to try again with another phone that I believe doesn't have the OTA yet. In the meantime, if anyone knows another root exploit or how to make this work on the DNA, it would be greatly appreciated.
 

CastleBravo

Senior Member
Dec 29, 2011
103
50
Los Angeles
Could you please run the command: adb shell dd if=/dev/block/mmcblk0p3 of=/sdcard/mmcblk0p3

And then copy the file off your phone and upload it here? This will tell us what we need to know.

Sent from my HTC6435LVW using xda-developers app
 

CastleBravo

Senior Member
Dec 29, 2011
103
50
Los Angeles
The file is on the internal storage and is called mmcblk0p3. You can access through my computer>htc6435>internal storage

Sent from my HTC6435LVW using xda app-developers app
 

Top Liked Posts
Let's say I flash this and lock my bootloader... is it stuck like that or can I use my Unlock_code.bin to re-unlock it?

This can only be done if you are s-off, in which case the bootloader will be locked, but you will still be s-off, meaning you can flash roms etc. If necessary, you can revert it and have both s-off and an unlocked bootloader. If you lock the bootloader with this and then change it back to s-on, it will be completely locked and you can then return it for warranty. But if you need to do it now, don't flash the files because they aren't correct right now; you will have to manually copy your mmcblk0p3 partition, hex edit it with the modified data from my post on page 3, and reflash it with the commands in the OP.

---------- Post added at 04:49 PM ---------- Previous post was at 04:46 PM ----------

doesn't "fastboot oem lock" do the same thing ?

Using the lock command will change it from ***UNLOCKED*** to ***RELOCKED***, so htc/vzw will still know that you unlocked the bootloader and possibly try to void your warranty. Using this, you can change it to ***LOCKED***, and it will appear to be the same as it was when you bought it.

I have a locked phone that was s-off when I got it and I never unlocked it, so I was able to flash the eng hboot without having to unlock, not sure if that would help or not.

Ran it and received the following...
Code:
261342+0 records in
261342+0 records out
133807104 bytes transferred in 35.374 secs (3782639 bytes/sec)

Not sure where and what file I am looking for to upload though.