
View Poll Results: Did you successfully unlock/relock/lock your bootloader using this manual?

Yes, thank you! - 35 vote(s), 56.45%
No, no luck :( - 15 vote(s), 24.19%
I have bricked my Evo 3D! >_< - 12 vote(s), 19.35%

[MANUAL] Easy unlock/relock/lock bootloader WITHOUT htcdev.com (saving warranty)

143 posts
Thanks Meter: 161
 
By S-trace, Senior Member on 2nd November 2012, 09:32 PM
I have carefully researched the HTCdev bootloader unlock process and found the following:
1. Completely erases (fills with 0x00) mmcblk0p23 (data).
2. All files are deleted from the /cache/ partition (but the partition itself is NOT filled with 0x00).
3. On partition mmcblk0p16, erases (overwrites with 0x00) 10 bytes at offset 0xA0 (mine was "3.08.401.1").
4. In partitions mmcblk0p16 and mmcblk0p31, writes 0x01 at offset 0xC40 (was 0x00). I don't know what it is, but maybe it's related to "unlocked" bootloader problems.
5. In partition mmcblk0p3 at offset 0x424, writes 4 bytes, replacing the existing values: 0x74B50109 (was 0x4ED7B921) - it's not a text string.
6. In partition mmcblk0p3 at offset 0x8404, writes 4 bytes: HTCU.

On relocking the bootloader using fastboot oem lock I saw the following changes:
1. In partition mmcblk0p3 at offset 0x424, writes 4 bytes, replacing the existing values: 0xE6D84D2B - it's not a text string.
2. In partition mmcblk0p3 at offset 0x8404, writes 4 bytes: HTCL.

BUT!
To really unlock the bootloader you need to do only the last step: write HTCU (for unlocked), HTCL (for relocked) or 0x00000000 (for locked) into partition mmcblk0p3 at offset 0x8404. (I checked whether only the text in BOOT had changed or the bootloader was really unlocked with the command fastboot boot boot.img; on a locked phone I got FAILED (remote: not allowed).)

Read the partition image using terminal commands:
su (and grant root access to the terminal)
dd if=/dev/block/mmcblk0p3 of=/sdcard/mmcblk0p3.img
Then mount the SD card to the PC over USB and edit mmcblk0p3.img using WinHex or another hex editor: jump to offset 0x8404 and write HTCU for unlocked, HTCL for relocked or 0x00000000 for locked.
Then unmount the SD card from the PC and write the modified partition image back to phone memory using the command
dd if=/sdcard/mmcblk0p3.img of=/dev/block/mmcblk0p3

That's all. Please post your zipped mmcblk0p3.img files with HBOOT/firmware/radio/baseband version descriptions, to find out whether the 5 bytes at offset 0x424 are the same for all phones or individual.
Thank you!
P.S. I have HBOOT 1.49.0018. mmcblk0p3 is 31.6 MiB, but zips to ~32 KB.
 
 
6th November 2012, 04:25 AM |#2
Member, Thanks Meter: 9
It sounds interesting, but could you please simplify the whole process and write detailed instructions on how to do it?
8th November 2012, 07:51 PM |#3
phikal, Senior Member (Brabant), Thanks Meter: 436
Interested in this method as well.
Could it work on hboot 1.53 also?

Sent from my shooteru using xda premium
8th November 2012, 08:10 PM |#4
S-trace, OP, Senior Member, Thanks Meter: 161
Quote:
Originally Posted by phikal

Interested in this method as well.
Could it work on hboot 1.53 also?

Sent from my shooteru using xda premium

I don't know. If somebody with an unlocked or relocked bootloader and 1.53 HBOOT can provide an image of this partition, we can just look for these strings and find them. The offset may differ, but I think it's the same for all HBOOTs.
8th November 2012, 08:15 PM |#5
howard bamber, Senior Member (Southport), Thanks Meter: 187
Thank God for $amsung !

Sent from the man in your attic.....
8th November 2012, 08:20 PM |#6
anryl, Inactive Recognized Developer (Prague), Thanks Meter: 1,685
At 0x424 -- 74 b5 01 09 01
HTCU at 0x8404
Unlocked soff 1.49.007
Latest radio 11.25.3504.06_M


Blk16 at 0xa0 just zeros

Sent from my PG8600 using Tapatalk 2
9th November 2012, 09:40 AM |#7
Grea09, Member (Lyon), Thanks Meter: 10
New motherboard
Hi
I just recovered my phone from HTC with a new motherboard and hboot 1.53.
How can I help? I am under Linux but dd isn't my favorite command. Is there a way to have a .sh or something?
I am just desperate for this.

Thanks in advance.
9th November 2012, 06:21 PM |#8
S-trace, OP, Senior Member, Thanks Meter: 161
I received some images of this partition from my Russian friends and compared them. Here are the results:
4 bytes at offset 0x824 are unique for every phone. There is a "simlock" string near these bytes. I think it's used to generate the SIM lock code.
4 bytes at offset 0x424 are unique for every unlocked or relocked phone. I received only one image from a locked phone, but these bytes were the same for mine and that image. It's too little to be sure, but it looks like they're the same for every locked phone. It's 0x4ED7B921.
16 bytes at offset 0x9400 - unique for every phone.
Another 16 bytes at offset 0x9410 repeat 265 times (until 0xA49F) and are unique for every phone - 4040 bytes in all.
The previous 16 bytes again at offset 0xA800 repeat 32 times (until 0xA9FF) and are unique for every phone - 512 bytes in all.

Quote:
Originally Posted by Grea09

Hi
I just recovered my phone from HTC with a new motherboard and hboot 1.53.
How can I help? I am under Linux but dd isn't my favorite command. Is there a way to have a .sh or something?
I am just desperate for this.

Thanks in advance.

Do you have wire-trick S-OFF? Phones with a new motherboard are much more interesting than stock.
I have one image of the mmcblk0p3 partition from such a phone. There are some more differences in it compared to a stock phone:
4 bytes at offset 0xC24 (near the "simunlock" string) - in all other images those bytes were the same.
256 bytes at offset 0xAD00 - all other images had 0x00 at this offset. It's NOT Unlock_code.bin.
The previous 256 bytes again at offset 0xB100 - again the same 256 bytes. All other images had 0x00 at this offset. It's still NOT Unlock_code.bin.

Here is a Bash script. Correct the ADB= string to the output of 'which adb' on your system, or the full path to the adb binary, then save it as adbflasher, then chmod +x adbflasher.
Connect your S-OFF Evo 3D to the PC and run ./adbflasher read security_record security_record.img - this will be the mmcblk0p3 partition image.
Code:
#!/bin/bash
# adbflasher: export one Evo 3D eMMC partition to the PC over USB mass storage,
# then read it, flash it or erase it with dd.
set -x
E_WRONGCOMMAND=65
E_WRONGPARTITION=66
E_ERASE=67
ADB="/opt/android-sdk-update-manager/platform-tools/adb"   # replace with the output of 'which adb'

fs_write() {
echo fs_write "$*"
local param_fs=$1
local param_file=$2
local param_device=$3
exportfs none
exportfs "$param_fs"

device_detect "$param_device"
# dd writes to a raw block device on the PC side, so it needs root just like pv
sudo pv "$param_file" | sudo dd of="$device" bs=65536
sync
exportfs none
}

fs_read() {
echo fs_read "$*"
local param_fs=$1
local param_file=$2
local param_device=$3
exportfs none
echo calling exportfs "$param_fs"
exportfs "$param_fs"
echo calling device_detect
device_detect "$param_device"
# run the copy in the foreground: backgrounding it would un-export the partition
# (exportfs none) while dd is still reading it
sudo pv "$device" | dd of="$param_file" bs=65536
exportfs none
}

fs_erase() {
echo fs_erase "$*"
local param_fs=$1
local param_device=$2
case $param_fs in
 security_record) echo Erasing partition "$param_fs" not allowed: it may brick your phone!; exit $E_ERASE;;
 hboot) echo Erasing partition "$param_fs" not allowed: it will brick your phone!; exit $E_ERASE;;
 emmc)  echo Erasing partition "$param_fs" not allowed: it will brick your phone!; exit $E_ERASE;;
 none)  echo Unable to erase partition "$param_fs"!; exit $E_ERASE;;
 *) fs_write "$param_fs" /dev/zero "$param_device" ;;
esac
}

exportfs() {
echo exportfs "$*"
case $1 in
 security_record)  partition=/dev/block/mmcblk0p3;;
 hboot)    partition=/dev/block/mmcblk0p12;;
 radio)    partition=/dev/block/mmcblk0p17;;
 adsp)     partition=/dev/block/mmcblk0p19;;
 boot)     partition=/dev/block/mmcblk0p20;;
 recovery) partition=/dev/block/mmcblk0p21;;
 system)   partition=/dev/block/mmcblk0p22;;
 data)     partition=/dev/block/mmcblk0p23;;
 cache)    partition=/dev/block/mmcblk0p24;;
 devlog)   partition=/dev/block/mmcblk0p27;;
 emmc)     partition=/dev/block/mmcblk0;;
 sdcard)   partition=/dev/block/mmcblk1;;
 none)     partition="none";;
 *) echo Wrong partition: "$1"; exit $E_WRONGPARTITION;;
esac
# the phone exposes the chosen block device as USB mass storage LUN 0;
# both the legacy and the recent sysfs paths are tried, with and without su
legacy="/sys/devices/platform/usb_mass_storage/lun0/file"
recent="/sys/devices/platform/msm_otg/msm_hsusb/gadget/lun0/file"
until $ADB shell "echo $partition > $legacy" ; do sleep 1;done
until $ADB shell "echo $partition > $recent" ; do sleep 1;done
until $ADB shell "echo $partition |su -c \"tee $legacy\"" ; do sleep 1;done
until $ADB shell "echo $partition |su -c \"tee $recent\"" ; do sleep 1;done
echo exportfs "$*" done
}

device_detect() {
echo "device_detect $*"
# first /dev/disk/by-id entry that looks like the phone; an explicit argument overrides it
device=$(find /dev/disk/by-id/ | grep -i Android | sort | head -n 1) ## TODO: write better detect function!
if [[ -n "$1" ]]; then device=$1; fi
}

usage() {
echo "Usage: adbflasher flash    boot     boot.img     [device_to_flash]
       adbflasher flash    recovery recovery.img [device_to_flash]
       adbflasher flash    radio    radio.img    [device_to_flash]
       adbflasher flash    hboot    hboot.img    [device_to_flash] ## Dangerous!
       adbflasher flash    adsp     adsp.img     [device_to_flash]
       adbflasher flash    emmc     emmc.img     [device_to_flash] ## Extremely dangerous! DO NOT FLASH ANY FILE EXCEPT ONE YOU HAVE READ FROM YOUR PHONE EARLIER!
       adbflasher exportfs {hboot|radio|adsp|boot|recovery|system|data|cache|devlog|emmc|sdcard|none}
       ## Might be dangerous! ALWAYS do exportfs none before exportfs another partition!
       adbflasher read     {security_record|hboot|radio|adsp|boot|recovery|system|data|cache|devlog|emmc|sdcard|none} filename.img [device_to_read]
       adbflasher erase    {radio|adsp|boot|recovery|system|data|cache|devlog|sdcard} [device_to_erase]"
}

if [[ $# -eq 0 ]]; then usage; exit $E_WRONGCOMMAND; fi
# run the command and exit with its status (piping into exit, as before, discarded the status)
case $1 in
exportfs) exportfs "$2" ;;
erase)    fs_erase "$2" "$3"; exit $? ;;
read)     fs_read  "$2" "$3" "$4"; exit $? ;;
flash)    fs_write "$2" "$3" "$4"; exit $? ;;
*)        echo "Wrong command: $1"; usage; exit $E_WRONGCOMMAND ;;
esac

#until /opt/android-sdk-update-manager/platform-tools/adb reboot ; do sleep 1;done
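The following is an added, read-only inspector (not from the thread, nor part of S-trace's adbflasher script) that applies the offsets from post #1 and post #8 to security_record dumps: it reports the tag at 0x8404, the 4-byte value at 0x424, and lists the byte ranges in which two dumps differ, which is the comparison S-trace did by hand. The two images are constructed in the code rather than taken from a phone, and reading 0x424 as a big-endian word is an assumption that matches the byte order anryl quoted (74 b5 01 09 for 0x74B50109).

```python
"""Read-only inspector for HTC Evo 3D mmcblk0p3 ("security_record") dumps."""
import struct

LOCK_TAG_OFFSET = 0x8404      # 4-byte ASCII tag: HTCU / HTCL / 00 00 00 00 (post #1)
HTCDEV_WORD_OFFSET = 0x424    # 4-byte value rewritten by htcdev unlock / oem lock
LOCKED_WORD = 0x4ED7B921      # value reported at 0x424 on locked phones (post #8)
IMAGE_SIZE = 0xC000           # constructed sample size; covers every offset in the thread

TAG_STATES = {
    b"HTCU": "unlocked",
    b"HTCL": "relocked",
    b"\x00\x00\x00\x00": "locked",
}

def lock_state(image: bytes) -> str:
    """Map the tag at 0x8404 to the state the thread documents for it."""
    if len(image) < LOCK_TAG_OFFSET + 4:
        raise ValueError("image too short to contain the 0x8404 tag")
    tag = image[LOCK_TAG_OFFSET:LOCK_TAG_OFFSET + 4]
    return TAG_STATES.get(tag, "unknown tag %r" % tag)

def htcdev_word(image: bytes) -> int:
    """The 4 bytes at 0x424 as one integer, in the byte order the thread quotes
    them (74 b5 01 09 -> 0x74B50109). Big-endian is an assumption."""
    return struct.unpack_from(">I", image, HTCDEV_WORD_OFFSET)[0]

def describe(image: bytes) -> dict:
    """Summary a reader would post back to the thread for one dump."""
    word = htcdev_word(image)
    return {
        "state": lock_state(image),
        "word_0x424": "0x%08X" % word,
        "matches_locked_word": word == LOCKED_WORD,
    }

def diff_ranges(a: bytes, b: bytes) -> list:
    """Half-open (start, end) byte ranges where two dumps differ: the comparison
    done by hand in post #8, made repeatable."""
    if len(a) != len(b):
        raise ValueError("dumps differ in size; compare images of the same partition")
    ranges, start = [], None
    for i, (x, y) in enumerate(zip(a, b)):
        if x != y:
            if start is None:
                start = i
        elif start is not None:
            ranges.append((start, i))
            start = None
    if start is not None:
        ranges.append((start, len(a)))
    return ranges

def make_sample(tag: bytes, word: int) -> bytes:
    """Constructed stand-in for a dump: zeros except the two documented fields."""
    img = bytearray(IMAGE_SIZE)
    struct.pack_into(">I", img, HTCDEV_WORD_OFFSET, word)
    img[LOCK_TAG_OFFSET:LOCK_TAG_OFFSET + 4] = tag
    return bytes(img)

LOCKED_SAMPLE = make_sample(b"\x00\x00\x00\x00", LOCKED_WORD)   # constructed
UNLOCKED_SAMPLE = make_sample(b"HTCU", 0x74B50109)              # values from post #1

if __name__ == "__main__":
    for name, img in (("locked", LOCKED_SAMPLE), ("unlocked", UNLOCKED_SAMPLE)):
        print(name, describe(img))
    diffs = diff_ranges(LOCKED_SAMPLE, UNLOCKED_SAMPLE)
    print("differing ranges:", [(hex(s), hex(e)) for s, e in diffs])
```

On a real dump, read the file with open(path, "rb").read() in place of the constructed samples; a sibling dump from the same HBOOT would be expected to differ only in the per-phone ranges post #8 lists.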
11th November 2012, 01:02 PM |#9
Grea09, Member (Lyon), Thanks Meter: 10
Quote:
Originally Posted by S-trace


Thanks a lot for your great work.
What is security_record? Is this script only saving the partition, or is there a serious risk of bricking?
I really can't afford any serious risky operation now, because I am really unlucky with this phone and I'm planning to sell it now.
I can help if you want (for others to know what to do) but I am not ready for this anymore.
11th November 2012, 02:23 PM |#10
S-trace, OP, Senior Member, Thanks Meter: 161
Quote:
Originally Posted by Grea09

Thanks a lot for your great work.
What is security_record? Is this script only saving the partition, or is there a serious risk of bricking?
I really can't afford any serious risky operation now, because I am really unlucky with this phone and I'm planning to sell it now.
I can help if you want (for others to know what to do) but I am not ready for this anymore.

What is security_record? It's the mmcblk0p3 partition of the eMMC card (the internal memory of the Evo 3D). What is its data? I don't know, and I'm trying to research it. It looks like some digital keys are stored in this place; some of them are the same for every phone, and some are individual for every phone.

No, there is no risk if you just read the partition using the read command (and don't use the write or erase commands).
This script only opens the selected partition (or the full eMMC in "* emmc" operations) for access from the PC and then reads it using the dd command.
But I will need images of other partitions or of the whole eMMC card, and it would be fine if you can provide them later for future research of Evo 3D memory. You can even erase the CACHE, DATA, SYSTEM, ADSP and RADIO partitions using ./adbflasher erase {system/data/cache/adsp/radio/boot/recovery/logo} before sending the zipped emmc.img to me using the ./adbflasher read emmc emmc.img command.

This is the recommended sequence of commands:
./adbflasher read emmc emmc_original.img ## Reading the original eMMC image to restore it later.
./adbflasher erase cache ## Erasing the CACHE partition. I'm not interested in it.
./adbflasher erase data ## Erasing the DATA partition. It's your private data, I'm not interested in it.
./adbflasher erase system ## Erasing the SYSTEM partition. It's the Android OS. I'm not interested in it.
./adbflasher erase radio ## Erasing the RADIO partition. I'm not interested in it.
./adbflasher erase adsp ## Erasing the ADSP partition. I'm not interested in it.
./adbflasher erase boot ## Erasing the BOOT partition. I'm not interested in it.
./adbflasher erase recovery ## Erasing the RECOVERY partition. I'm not interested in it.
./adbflasher erase logo ## Erasing the LOGO partition. I'm not interested in it.
## There is no brick risk now, even while all those partitions are erased. You can boot to HBOOT and flash PG86IMG.zip with firmware, restoring the LOGO, ADSP and RADIO partitions, then flash your favorite recovery using fastboot or PG86IMG.zip, then wipe CACHE and restore a NANDROID backup of SYSTEM and DATA.
./adbflasher read emmc emmc.img ## Reading the cleaned eMMC image for sending it to me
gzip emmc.img ## Packing 2.25Gb to ~16Mb, because almost all space in the file is now filled with 0x00
./adbflasher write emmc emmc_original.img ## Writing the original eMMC image back to the phone. There is some bricking risk now, if a power loss occurs during an early stage of the writing process. There is no risk if you use a UPS or a notebook with a fully charged battery.
rm emmc_original.img ## Erasing the 2.25Gb original eMMC image. You can keep it if needed.

Now you can send emmc.img.gz to me. You will need at least 5.5Gb of free disk space on your PC before doing this.
Thank you.
12th November 2012, 09:52 AM |#11
Hakancoskun35, Junior Member (Istanbul), Thanks Meter: 1
Hi.
Quote:
Originally Posted by S-trace

I have also tried to unlock the HTC Evo 3D over the internet site HTCdev.com, but I could not. Could you please explain your solution in a clear and simple way?
Thank you very much.
Tags
bootloader, lock, unlock, w/o htcdev, warranty
