SUCCESS! Adding content to HTC 8S stock ROM

By hutchinsane_, Senior Member on 1st February 2014, 08:34 PM
Hey guys, I don't know if this is of any use for you, but I think it won't hurt to share it.

Based on some posts and ideas I read in different threads, I managed to write to the EFIESP and the PLAT partition of the stock ROM of my HTC 8S. I changed the boot images in the PLAT partition to a custom one, flashed the image and it worked. I'll attach a picture to prove it and if that's not enough, I will post a video. :P

So, the first step is to download the stock ROM (obviously...) and extract the .exe file (I use 7-Zip). Then there is a file called "RUU_signed.nbh". If you open it with a hex viewer, like HxD, you can find multiple partition headers. I found 4 that I can use; the rest is encrypted with what appears to be BitLocker, hence the different headers.

Now, what I did was mark the area of the first partition (starts approximately at offset 228BEF90 and is a FAT16 partition) and continued the selection until the end of the file. Then I created a new one and pasted it. I did the same with the rest, always selecting and copying from where the partition starts until the end of the whole file and pasting it into a new one. Then I mounted the files using OSFMount and voilà, you can put stuff and files in there! Once you have finished, you just unmount the files.

Then I opened each file again with HxD, selected EVERYTHING and pasted it to the corresponding area in the original RUU_signed.nbh. I started with the first one, then the second and so on, so you don't overwrite the changes you have made, as you would if you started in reverse order. After packing the file, I tried to flash it and to my surprise, IT WORKED! After rebooting I saw my custom boot image! The downside of this is obviously that it requires you to use the stock firmware and it will be overwritten once you update your device. But I hope our skilled devs here have some use for those 2 partitions. There are 2 more that are usable; I don't know their names, but you can still put files in them.

Now again, I don't know if this is of any use for you devs, but I still felt kind of obligated to share it :P

Stupid thing, I put my HTC 8S into Diag Mode and THEN flashed it, now it doesn't connect as MTP but as HTC Diagnostic Interface and I can't change it back because I can't deploy anything to the device. It works perfectly, boots and everything, but no USB Connection via MTP. So be very careful before flashing, since the mode is determined by a NV value which you can't edit afterwards.

This is not a tutorial to be followed by everyday users, but something meant for developers. You do everything at your own risk! And keep in mind that this has only been tested on an HTC 8S!

cheers, hutchinsane_
Attached thumbnails: IMG_0029.jpg, IMG_0034.jpg, Screenshot (359).png, Screenshot (360).png, Screenshot (361).png, Screenshot (363).png, Screenshot (364).png
The Following 10 Users Say Thank You to hutchinsane_ For This Useful Post

1st February 2014, 09:01 PM |#2  
Inactive Recognized Developer
St.Petersburg
Yeah, I heard that it is possible, though I hadn't had a chance to test it on my 8X.
As for EFIESP: you can edit \efi\Microsoft\Boot\BCD to enable Kernel Debugger functionality and it is basically enough to hack the whole OS even with actions currently performed.

The most interesting partitions are MainOS (second to last), and Data (last one). Interop Unlock can be done in MainOS.

Thing is that newest ROMs are encrypted (not hard to crack but still)
The Following User Says Thank You to ultrashot For This Useful Post
1st February 2014, 09:07 PM |#3  
OP Senior Member
Darn, hoped I was the first to come up with the idea. :P I do have access to the file you're talking about. MainOS seems to be encrypted with BitLocker since their headers start with -FVE-FS-. I could take a look into the 8X ROM as well; I expect the situation to be the same. So is there a thread on the Kernel Debugger thing?


EDIT: I just did what you said, although I used a program called "Visual BCD Editor" since I don't know about editing the BCD store just YET. Now I edited some values from "False" to "True" and for 1 second it showed me what appeared to be a Windows boot selection. Now when I boot up, and once the "Windows Phone" blueish logo appears, it shows "Not for resale", meaning that we actually can edit BCD on this device!
2nd February 2014, 06:14 AM |#4  
Senior Member
Flag Mashad
Very nice Work
I run in Nokia Lumia 920 RM-821 APAC Malaysia Amber ROM
I find the same
Maybe we can edit Lumia 920 FFU and get first Custom ROM
Attached thumbnails: Lumia920.1.jpg, Lumia920.2.jpg, Lumia920.3.jpg
The Following 2 Users Say Thank You to ngame For This Useful Post
2nd February 2014, 06:35 AM |#5  
Inactive Recognized Developer
St.Petersburg
That's enough to enable WinDbg interoperability.
Code:
bcdedit /store F:\EFIESP\efi\Microsoft\Boot\BCD /dbgsettings usb targetname:woatarget
bcdedit /store F:\EFIESP\efi\Microsoft\Boot\BCD -set {default} debug on
bcdedit /store F:\EFIESP\efi\Microsoft\Boot\BCD -set {default} dbgtransport kdusb.dll
The Following 4 Users Say Thank You to ultrashot For This Useful Post
2nd February 2014, 06:58 AM |#6  
Senior Member
Flag Mashad
Sorry for my question, but how can we find where the end of a file is in HxD?
I'm now looking for it to flash a custom ROM on my Lumia 920 but I can't build images correctly using HxD and OSFMount.
Thanks.
2nd February 2014, 11:08 AM |#7  
OP Senior Member
@ngame Thanks! If you look at your first 2 screenshots, you didn't select the "ë". You MUST select and copy it as well; it's always the start of a partition, for FAT as well as for NTFS. After that, you should be able to mount. For finding the end, I didn't. I just selected until the end of the file and pasted it back in. It should work. After all, my HTC has a "custom" ROM as well now, since there's a custom boot image.

@ultrashot Thanks! I used the commands and it worked successfully. Waiting on the phone to flash now.

EDIT: It doesn't boot once you set a) the target b) the type or something else. But enabling the kernel debugger itself works. Trying to figure out which value makes it unbootable.
The Following User Says Thank You to hutchinsane_ For This Useful Post
2nd February 2014, 11:11 AM |#8  
amir323b's Avatar
Senior Member
Flag Malayer
Quote:
Originally Posted by ngame

Sorry for my question, but how can we find where the end of a file is in HxD?
I'm now looking for it to flash a custom ROM on my Lumia 920 but I can't build images correctly using HxD and OSFMount.
Thanks.

u must ask me dude .
zimone die
2nd February 2014, 11:24 AM |#9  
Senior Member
Flag Mashad
Quote:
Originally Posted by amir323b

u must ask me dude .
zimone die

PM Me please if you know
Thanks

Quote:
Originally Posted by hutchinsane_

@ngame Thanks! If you look at your first 2 screenshots, you didn't select the "ë". You MUST select and copy it as well; it's always the start of a partition, for FAT as well as for NTFS. After that, you should be able to mount. For finding the end, I didn't. I just selected until the end of the file and pasted it back in. It should work. After all, my HTC has a "custom" ROM as well now, since there's a custom boot image.

I will test again
2nd February 2014, 12:47 PM |#10  
Senior Member
Flag BFE
Sorry in advance if this is a stupid question ...
Here is a list of partitions from my 928 .ffu but which ones are needed to edit? Just the FAT and NTFS partitions? Are any of the others of any interest?
Attached file: 928 Partitions.txt (5.7 KB)
2nd February 2014, 12:54 PM |#11  
OP Senior Member
As far as I know, you have to look for the specific headers, since some are encrypted with BitLocker and therefore have the "-FVE-FS-" header. The easiest way is to use the search function of HxD and search for NTFS, FAT12 and FAT16 partitions. Also, there are no stupid questions :P
The Following User Says Thank You to hutchinsane_ For This Useful Post
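
The header search described in the post above, scripted as an added example (not code from any poster in this thread). It goes one step beyond the thread by reading the volume length from the BIOS parameter block, which addresses the earlier question about finding where a FAT or NTFS volume ends; the function names and the sample image are constructed for illustration.

```python
import struct

SECTOR = 512
# (signature, its byte offset inside the boot sector)
SIGNATURES = ((b"-FVE-FS-", 3), (b"NTFS    ", 3), (b"FAT12   ", 54), (b"FAT16   ", 54))

def classify(sec):
    """Label a candidate boot sector, or return None if it does not validate."""
    # 0xEB is the jump opcode HxD renders as "ë"; 55 AA closes every boot sector.
    if len(sec) < SECTOR or sec[0] != 0xEB or sec[510:512] != b"\x55\xaa":
        return None
    for sig, off in SIGNATURES:
        if sec[off:off + len(sig)] == sig:
            return "BitLocker" if sig == b"-FVE-FS-" else sig.decode().strip()
    return None

def volume_size(sec, label):
    """Volume length in bytes from the BIOS parameter block, None for BitLocker."""
    if label == "BitLocker":
        return None  # FVE metadata is not parsed in this example
    bps = struct.unpack_from("<H", sec, 11)[0]
    if label == "NTFS":  # the 64-bit count excludes the backup boot sector
        return (struct.unpack_from("<Q", sec, 40)[0] + 1) * bps
    total = struct.unpack_from("<H", sec, 19)[0] or struct.unpack_from("<I", sec, 32)[0]
    return total * bps

def find_volumes(image):
    """Return sorted (offset, label, size) for each validated boot sector."""
    hits = {}
    for sig, off in SIGNATURES:
        pos = image.find(sig)
        while pos != -1:
            sec = image[pos - off:pos - off + SECTOR] if pos >= off else b""
            label = classify(sec)
            if label:
                hits[pos - off] = (label, volume_size(sec, label))
            pos = image.find(sig, pos + 1)
    return sorted((o, lab, size) for o, (lab, size) in hits.items())

def _sector(oem, fstype=b"", total16=0, total64=0):
    s = bytearray(SECTOR)
    s[0:3], s[3:11], s[510:512] = b"\xeb\x3c\x90", oem, b"\x55\xaa"
    struct.pack_into("<H6xH", s, 11, SECTOR, total16)  # bytes/sector, 16-bit total
    struct.pack_into("<Q", s, 40, total64)             # NTFS total sectors
    s[54:54 + len(fstype)] = fstype
    return bytes(s)

SAMPLE = (bytes(0x190) + _sector(b"MSDOS5.0", b"FAT16   ", total16=4) + bytes(3 * SECTOR)
          + _sector(b"NTFS    ", total64=7) + bytes(7 * SECTOR) + _sector(b"-FVE-FS-"))  # constructed, not real firmware
```

`find_volumes` also accepts an `mmap` of a large image file, since it only uses `find` and slicing. Offsets are matched byte by byte rather than per sector because the partition start quoted in the first post is not 512-byte aligned within the file.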