Stage 2 root hboot 1.01.0002

Jan 28, 2011
34
16
Hey everyone, this is my first post although I've been a member for some time and have done extensive reading on these forums.
I was gonna make a post in developer section but turns out I'm not allowed yet.
:):)

I've been trying unsuccessfully for 4 months to root my wildfire, but believe I'm getting close.

I've downgraded hboot 1.01.0002 to 1.01.0001, resulting in successful debrand from Vodafone crap, downgraded to eclair and then achieved temproot (not soft root, the next level).

I was gonna post in a thread about misc_version, because (I'm not sure about this) I believe you may be looking in the wrong place for the file required in order to make misc_version work.
 

Cyda

Senior Member
May 12, 2010
220
116
Sounds great, man. Keep up the great work, I have a feeling you are about to become very popular. ;)
 
B

bx19

Guest
ok. good work.
and be careful. bricking risk involved
 
Last edited:

antonio1475

Senior Member
May 29, 2010
1,898
631

Looks like you are making great improvements!!! Keep it like that and a lot of people will love you.

:)
 

dem012

Member
Mar 7, 2009
18
1
Can you please explain the procedure up to now? Maybe we can help to resolve and downgrade the hboot.

Keep the good work
dem;)
 
J

JudasLucifer

Guest
Wow: Good work!!!

As said above, PLEASE make a list of steps you have taken - this way others may be able to help etc.

If you tell us all how you downgraded your Hboot... ;)
 

3xeno

Senior Member
Dec 6, 2010
3,569
1,416
Bangalore

Ofloo

Member
Nov 10, 2010
24
0
Geel
Code:
13:59:31.225865 IP 212.71.19.x.47051 > 212.71.19.x.53: 56493+ AAAA? andchin.htc.com. (33)
13:59:31.537326 IP 212.71.19.x.53 > 212.71.19.x.47051: 56493 0/1/0 (88)
13:59:31.543232 IP 212.71.19.x.51845 > 212.71.19.x.53: 51631+ A? andchin.htc.com. (33)
13:59:31.907052 IP 212.71.19.x.53 > 212.71.19.x.51845: 51631 1/5/0 A 60.199.250.34 (158)

and why not abuse the dns, make it seem there is a new update release.

this is the query. Is anyone able to install tcpdump on a wifi access point or something, so we get the responses, and are able to tell the updater that there is a new version, a rom of our choice?

Code:
{"id":"xxxxx","checkin":{"checkin_type":"Manual","mcc_mnc":"20620","mid":"PC4910000","build":{"product":"buzz","id":"htc_wwe\/htc_buzz\/buzz\/buzz:2.2.1\/FRG83D\/295397:user\/release-keys","revision":"129","firmware_version":"2.22.405.1 CL295397 release-keys","radio":"13.55.55.24H_3.35.20.10","carrier":"htc_wwe","bootloader":"1.01.0001","build_type":"user","changelist":"295397","serialno":"xxxxxx"},"cid":"HTC__E11","connection_media":"Wifi","ip":"192.168.1.142","client_version":"A2.1(Froyo)"},"model_number":"HTC Wildfire","logging_id":xxxx,"last_checkin_msec":"1303043468802","imei":"xxxxxxxxxxxxxxxxxxx","locale":"nl_NL","digest":"xxxxx"}

EDIT: it connects to port 80 btw
 
Last edited:
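The two captures posted above (the tcpdump DNS lines and the check-in body) show what a third party on the network path can observe about this update check. The following Python script is an added example, not the poster's tool: it parses the four tcpdump lines as posted, repairs the one bare redaction in the JSON (`"logging_id":xxxx` is not valid JSON), and lists the identifiers the handset sends and the properties a defender would flag (unauthenticated DNS over UDP/53 and, per the poster's edit, plain HTTP on port 80). The sample input is the posted text with its redactions kept; the port number is taken from the post.

```python
import json
import re

# Constructed sample input: the four tcpdump lines exactly as posted, with the
# poster's own redaction of the last octet ("x") left in place.
DNS_LOG = """\
13:59:31.225865 IP 212.71.19.x.47051 > 212.71.19.x.53: 56493+ AAAA? andchin.htc.com. (33)
13:59:31.537326 IP 212.71.19.x.53 > 212.71.19.x.47051: 56493 0/1/0 (88)
13:59:31.543232 IP 212.71.19.x.51845 > 212.71.19.x.53: 51631+ A? andchin.htc.com. (33)
13:59:31.907052 IP 212.71.19.x.53 > 212.71.19.x.51845: 51631 1/5/0 A 60.199.250.34 (158)
"""

# The check-in body as posted. "logging_id":xxxx is a bare (unquoted) mask, so
# the text is not valid JSON until quote_bare_redactions() has run over it.
CHECKIN_BODY = r'''{"id":"xxxxx","checkin":{"checkin_type":"Manual","mcc_mnc":"20620","mid":"PC4910000","build":{"product":"buzz","id":"htc_wwe\/htc_buzz\/buzz\/buzz:2.2.1\/FRG83D\/295397:user\/release-keys","revision":"129","firmware_version":"2.22.405.1 CL295397 release-keys","radio":"13.55.55.24H_3.35.20.10","carrier":"htc_wwe","bootloader":"1.01.0001","build_type":"user","changelist":"295397","serialno":"xxxxxx"},"cid":"HTC__E11","connection_media":"Wifi","ip":"192.168.1.142","client_version":"A2.1(Froyo)"},"model_number":"HTC Wildfire","logging_id":xxxx,"last_checkin_msec":"1303043468802","imei":"xxxxxxxxxxxxxxxxxxx","locale":"nl_NL","digest":"xxxxx"}'''

# tcpdump DNS query line:    "<id>[+] <QTYPE>? <name>. (<len>)"   ("+" = recursion desired)
# tcpdump DNS response line: "<id> <an>/<ns>/<ar> [<TYPE> <rdata> ...] (<len>)"
QUERY_RE = re.compile(
    r"^(?P<ts>\S+) IP (?P<src>\S+) > (?P<dst>\S+): "
    r"(?P<id>\d+)(?P<rd>\+?) (?P<qtype>[A-Z0-9]+)\? (?P<name>\S+) \((?P<len>\d+)\)$"
)
RESPONSE_RE = re.compile(
    r"^(?P<ts>\S+) IP (?P<src>\S+) > (?P<dst>\S+): "
    r"(?P<id>\d+) (?P<an>\d+)/(?P<ns>\d+)/(?P<ar>\d+)(?P<rrs>.*?) \((?P<len>\d+)\)$"
)


def parse_dns_log(text):
    """Pair tcpdump DNS queries with their responses by transaction id."""
    txns = {}
    for line in text.splitlines():
        m = QUERY_RE.match(line)
        if m:
            txns[m["id"]] = {"name": m["name"].rstrip("."), "qtype": m["qtype"],
                             "rd": m["rd"] == "+", "answered": False, "answers": []}
            continue
        m = RESPONSE_RE.match(line)
        if m and m["id"] in txns:
            t = txns[m["id"]]
            t["answered"] = True
            t["ancount"] = int(m["an"])
            # each answer RR is printed as "<TYPE> <rdata>", e.g. "A 60.199.250.34"
            t["answers"] = re.findall(r"\b(?:A|AAAA|CNAME) (\S+)", m["rrs"])
    return txns


def quote_bare_redactions(text):
    """Quote a bare x-mask such as :xxxx, so the posted body parses as JSON."""
    return re.sub(r':(x+)(?=[,}])', r':"\1"', text)


# Check-in fields that identify the handset or its owner (names from the posted body).
IDENTIFYING_FIELDS = ("imei", "serialno", "id", "logging_id", "ip")


def summarize_checkin(body):
    """Extract the device/build facts and the identifying fields the check-in carries."""
    doc = json.loads(quote_bare_redactions(body))
    checkin = doc["checkin"]
    build = checkin["build"]
    found = [f for f in IDENTIFYING_FIELDS if f in doc or f in checkin or f in build]
    return {
        "model": doc["model_number"],
        "firmware": build["firmware_version"],
        "bootloader": build["bootloader"],
        "connection": checkin["connection_media"],
        "identifiers": found,
    }


def assess(dns_text, body, server_port=80):
    """List what a passive observer on the path can see (port 80 is from the post)."""
    findings = []
    for t in parse_dns_log(dns_text).values():
        if t["answered"] and t["answers"]:
            findings.append(f"{t['qtype']} {t['name']} -> {', '.join(t['answers'])} "
                            "(plain UDP/53, no DNSSEC validation visible on the client)")
        else:
            findings.append(f"{t['qtype']} {t['name']} -> no answer")
    if server_port == 80:
        findings.append("check-in goes over plain HTTP: request body and any update "
                        "metadata are readable and modifiable in transit")
    info = summarize_checkin(body)
    findings.append("identifiers sent in the clear: " + ", ".join(info["identifiers"]))
    return findings


if __name__ == "__main__":
    for line in assess(DNS_LOG, CHECKIN_BODY):
        print(line)
```

The defensive takeaway matches the reply further down the thread: when transport and name resolution are both unauthenticated, the only thing standing between the updater and a substituted image is the signature check on the downloaded package, so that check (and a TLS-protected check-in) is where an update client has to hold the line.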

testwildfire

Member
Mar 2, 2011
28
1
Code:
13:59:31.225865 IP 212.71.19.x.47051 > 212.71.19.x.53: 56493+ AAAA? andchin.htc.com. (33)
13:59:31.537326 IP 212.71.19.x.53 > 212.71.19.x.47051: 56493 0/1/0 (88)
13:59:31.543232 IP 212.71.19.x.51845 > 212.71.19.x.53: 51631+ A? andchin.htc.com. (33)
13:59:31.907052 IP 212.71.19.x.53 > 212.71.19.x.51845: 51631 1/5/0 A 60.199.250.34 (158)

and why not abuse the dns, make it seem there is a new update release.

this is the query. Is anyone able to install tcpdump on a wifi access point or something, so we get the responses, and are able to tell the updater that there is a new version, a rom of our choice?

Code:
{"id":"xxxxx","checkin":{"checkin_type":"Manual","mcc_mnc":"20620","mid":"PC4910000","build":{"product":"buzz","id":"htc_wwe\/htc_buzz\/buzz\/buzz:2.2.1\/FRG83D\/295397:user\/release-keys","revision":"129","firmware_version":"2.22.405.1 CL295397 release-keys","radio":"13.55.55.24H_3.35.20.10","carrier":"htc_wwe","bootloader":"1.01.0001","build_type":"user","changelist":"295397","serialno":"xxxxxx"},"cid":"HTC__E11","connection_media":"Wifi","ip":"192.168.1.142","client_version":"A2.1(Froyo)"},"model_number":"HTC Wildfire","logging_id":xxxx,"last_checkin_msec":"1303043468802","imei":"xxxxxxxxxxxxxxxxxxx","locale":"nl_NL","digest":"xxxxx"}

EDIT: it connects to port 80 btw

had the exact same idea

but even if it will download the image, I bet it will verify whether they are signed and tell us to fu** off with our unsigned images :D
 

Top Liked Posts

    4
    Hi, OK this is what I've done so far:

    1. Started out with hboot 1.01.0002 and Froyo 2.2.1 preinstalled when I bought it new.

    2. Achieved shell root using the psneuter hack (newbies, you may find it easier using SuperOneClick 1.65 or 1.7 for this). You should now have root #.

    3. Run command "adb shell cat /dev/mtd/mtd0 > /sdcard/mtd0.img". This creates an image of mtd0 on sdcard. There are other tutorials with these kinds of steps and you may find it referred to as misc.img as opposed to mtd0.img. This doesn't really matter as long as the final command includes the correct file name. This command will fail if connected as disk drive, you must be charge only.

    4. Reconnect as disk drive allowing computer gui access to sdcard. Using a hex editor (I used HxD, which is freeware) open disk image mtd0 on sdcard. On line 6 you should find a version number and it will look something like 2.22.405.1. This needs to be altered to correspond to the RUU you intend to flash. If you are on hboot 1.01.002 you need a WWE RUU first that contains hboot 1.01.001 so you are still looking at reinstalling Froyo. Those already on hboot 1.01.001 may choose any WWE RUU. I'm not absolutely sure, but it may be possible for those on hboot 1.01.002 to skip to another RUU but I think you would more than likely get a "customer ID" error.

    5. I used the goldcard method to flash my RUU. There are many tutorials, but some seem to sequence different steps. To get mine working I used the goldcard tool available on these forums, but found it wouldn't work. It does, however do a good job of getting your CID and reversing it for you, so copy that and use the page provided with the tool to get your goldcard via email.

    6. Make sure you are connected as disk drive and open HxD again. Open the goldcard image as read-only. Also open the sdcard (after using windows to full format it, fat32). Oh yeah, don't forget it needs to be a primary partition (do this before format). There is a handy free tool called "MiniTool Partition Wizard Home Edition", which is so easy to use. Make sure physical sd disk is opened and read-only is unchecked.

    7. Copy the goldcard using HxD (select all, or 0 - 17F) and overwrite the same blocks on sdcard. Save it.

    8. Disconnect phone from PC and allow phone to mount, reconnect as disk drive. If phone or PC asks for format keep repeating sequence until normal operation can be maintained.

    9. Download "flash_image", a file with no extension. Push it to sdcard. You need to have flash_image and your modified mtd0.img on your sdcard (It may be useful to create goldcard before creating mtd0.img, unless you back it up to PC before goldcard creation).

    10. Run command (connected charge only, as root) "cat /sdcard/flash_image > /data/flash_image"

    11. Run command "chmod 0755 /data/flash_image". On a separate note I've been using permission set 67676 as I've noticed the permission set seems to be more than 4 digits, there seem to be 5, possibly even 6 digits. This particular permission changes some of the permissions to capital characters. What use this is, I don't know; I'm looking into it though.

    12. Run command "/data/./flash_image misc /sdcard/mtd0.img"

    13. You should now be able to flash RUU, or pull rom.zip from temp files when running RUU and rename it PC49IMG.zip

    14. PC49IMG.zip should be pushed to root of sdcard if using goldcard (I don't know if RUU can be flashed normally without goldcard, but I think so; I don't think RUU pushes rom.zip to sdcard but it may be necessary as a CID thing).

    15. After successful downgrade to eclair the rageagainstthecage exploit will work again, so visionary will work again but will only give temproot. Interestingly unrevoked appears to work, reporting a triumph but then gives a nand error unfortunately.

    16. Once you have temproot, you can use other apps such as busybox installer, or linux installer, but again it's only temporary, but it's all extra tools to try and help the fight to perm root wildfires.
    2
    Using this method I believe you can flash any Buzz RUU. The problem is after the first bootloader downgrade, any attempts to reflash result in all other partitions flashed ok but the bootloader (hboot) is bypassed. It does however result in ratc working again, to some extent, so there must still be some way to hack it.
    I have managed to push su and busybox to /system/bin/ a couple of times without any memory error messages but lost it when I tried to remount /system read only which caused a reboot.
    For anyone interested the command I've been trying to use to mount system to achieve this is :
    mount -o remount,rw,alldev,allexec,allsuid,allpid,dirasync,relatime,mode=755,errors=force_remount,rw,alldev,allexec,allsuid,allpid,dirasync,relatime,mode=755 /system /system
    sometimes I incorporate recurse, expand, compress or move. It would appear you can omit the type; it should remount automatically with correct type. Also I think /system can be used instead of /dev/block/mtdblock3 as they both point to same place (kind of).
    The above command if run alone will cause a termination and segmentation error (some of my research would indicate a segmentation fault is a good thing, it's an indication of a working exploit), or a reboot.
    In order to make it work I had to write a batch file that would repeatedly mount the various partitions in different ways with different permissions in rapid succession. It doesn't always work but it would appear that just occasionally this command can sneak by unnoticed
    1
    Please friend,
    can you do a tutorial on how to reduce hboot 1.01.0002 to 1.01.0001?

    thanks.
    1
    I downgraded and temprooted my wildfire, and I have set the system partition to read/write. I tried to push su to my /system/bin folder but it said there was not enough memory... so I deleted a system app and tried again, but it said again not enough memory.

    I also have read somewhere that the pre-released version of froyo had s-off in it. And it's probably a signed update, so you could just upgrade to that and have s-off instantly. But I never found the firmware :D

    grtz
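Step 4 of the procedure above is done by hand in HxD, and the thread's own warning about bricking risk is the reason to treat that edit carefully: the misc image has to keep exactly the same size and layout, only the version field may change. The following Python script is an added example, not the poster's tool or anything from HTC: it locates the dotted version string in a dump, refuses a replacement that would not fit in the existing NUL-padded field, writes the result to a new file so the original dump is never overwritten, and lets you confirm the offset against what the hex editor shows. The sample image is constructed for the test and is not a real misc partition layout; the file names in the usage line are hypothetical.

```python
import re
import sys
from pathlib import Path

# Dotted version string as seen in the dump, e.g. 2.22.405.1 (from the post above).
VERSION_RE = re.compile(rb"\d+\.\d+\.\d+\.\d+")

# Constructed sample "dump": filler, a 16-byte NUL-padded version field, filler.
# This is NOT the real layout of the misc partition; it only exercises the code.
SAMPLE_IMAGE = (
    b"\x00" * 0x50
    + b"2.22.405.1".ljust(16, b"\x00")
    + b"\xff" * 0x20
)


def find_version(image: bytes):
    """Return (offset, version) of the first dotted version string, or None."""
    m = VERSION_RE.search(image)
    return (m.start(), m.group().decode("ascii")) if m else None


def field_extent(image: bytes, offset: int, old: str) -> int:
    """End offset of the version field: the string plus the NUL padding after it."""
    end = offset + len(old)
    while end < len(image) and image[end] == 0:
        end += 1
    return end


def patch_version(image: bytes, new_version: str) -> bytes:
    """Replace the version field in place without changing the image size.

    A replacement longer than the existing NUL-padded field is refused instead of
    shifting the bytes after it, which is what would corrupt the partition.
    """
    new = new_version.encode("ascii")
    if not VERSION_RE.fullmatch(new):
        raise ValueError(f"{new_version!r} is not a dotted version string")
    found = find_version(image)
    if found is None:
        raise ValueError("no version string found; is this the right image?")
    offset, old = found
    end = field_extent(image, offset, old)
    field_len = end - offset
    if len(new) > field_len:
        raise ValueError(f"{new_version!r} ({len(new)} bytes) does not fit the "
                         f"{field_len}-byte field holding {old!r}")
    patched = bytearray(image)
    patched[offset:end] = new.ljust(field_len, b"\x00")   # same length by construction
    assert len(patched) == len(image)
    return bytes(patched)


def patch_file(src: str, new_version: str, dst: str) -> tuple:
    """Read src, patch it, write dst (never src); return (offset, old, new)."""
    image = Path(src).read_bytes()
    offset, old = find_version(image)
    Path(dst).write_bytes(patch_version(image, new_version))
    return offset, old, new_version


if __name__ == "__main__":
    # Hypothetical usage: python patch_misc_version.py mtd0.img 2.22.405.1 mtd0.patched.img
    if len(sys.argv) != 4:
        sys.exit("usage: patch_misc_version.py <dump.img> <new version> <output.img>")
    off, old, new = patch_file(sys.argv[1], sys.argv[2], sys.argv[3])
    # Print the offset so it can be checked against the row/column HxD shows.
    print(f"replaced {old} with {new} at offset 0x{off:X}; original left untouched")
```

Before flashing the output with flash_image, compare the two files in the hex editor: the only differing bytes should be inside the version field, and the file sizes must match exactly.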