Database Info

[ROM] [Android 2.0] [Working] AOSP Eclair JD + Market, Nav, Facebook, etc

Just posting this as requested in another thread, It's an Android 2.0 ROM for Sapphire.
This is an update from the original, now a complete working ROM.
Known issues
Camera not working - This isn't yet available to the AOSP, Until it is, it's unlikely we'll have it.
Accelerometer
Gallery
No port for 32A - Patch up - Working on this
Everything else should be working - Please report issues, comments, etc. as a reply to this post. (and add any issues here: http://code.google.com/p/android-sapphire/issues/list)
As the rom is custom built, it is rootable (ro.secure=0) but does not come rooted (with "su") - This may change in the future.
This ROM contains your standard Google stuff you expect to see, and the new Facebook application ripped from the Motorola Droid.
This ROM has been tested on the HTC Magic & Google ION handsets (32B) - We plan to support 32A very soon.
We accept no responsibility for any loss, including bricked phones. Please backup your content before trying to update.
Finally, The download location:
http://code.google.com/p/android-sapphire/downloads/list
At present, This ROM is considered stable and is available for general use
Current Build: jd02
Last update: 25/11/09

Will give it a shot
Does this have the Navigation software?
Edit: Cant download it
"This file can only be downloaded by becoming a Premium member
There are no more download slots available for free users right now. If you don't want to become a premium member, you might want to try again later."
Mirror please

This looks amazing!
I own a 32A, so I'm not flashing right now, I'm waiting for one of our gurus to provide a safe way to do so (so to avoid high risk of having a cool black brick instead of a phone)..
Anyway, I'll test this as soon as its reasonably safe to do so..
In the meanwhile, great work, please keep on working on this!

WebghostDK said:
Does this have the Navigation software?
Click to expand...
Click to collapse
Not at present, No - Does not mean it won't forever - Although I don't really want to add to much to the code, I might look at install scripts etc.
At present it's only exactly what you will find if you were to compile the code yourself.

OzJD said:
Just posting this as requested in another thread, It's the official Android 2.0 ROM for Sapphire.
I may post updates later as this is directly out of the AOSP repository
Known issues
1) Bluetooth not working.
Please report issues, comments, etc, here.
As the rom is custom built, it is rootable but does not come rooted.
Try "su" in the ADB shell.
This is a vanilla ROM, and does not contain anything you do not see in the repository (except for possible bugfixes).
Tested on HTC Magic/Google ION (32B) - Is there a reason this wouldn't work on 32A? - Please report failures/success here.
I will take no responsibility for your actions/bricked phones.
Why no update.zip?
Because that's not how I roll. You can use the fastboot utility to install this rom, just goto the directory containing the img's and type "fastboot flashall".
Note: You may require certain software on your phone to install this.
Finally, The download location: http://rapidshare.com/files/309784805/Official_Sapphire_AOSP_by_JD.zip [Mirrors Wanted - PM if you can mirror]
If there is a lot of community response/feedback (and use of these images), I may consider doing frequent updates with the newest Android versions - To keep everyone up to date.
Click to expand...
Click to collapse
I am looking into the build process myself to build the 2.0 for the 32b, I would like to have a automatic daily build if possible. maybe you could try that?

Will test Android 2.0. I own a 32a. I know how to get back if it doesn't. Will keep you guys posted.

opcode1300 said:
I am looking into the build process myself to build the 2.0 for the 32b, I would like to have a automatic daily build if possible. maybe you could try that?
Click to expand...
Click to collapse
I could do something like this (I was thinking of it earlier), with these issues:
The source code doesn't change daily - Is it worth it? (easily overcome)
It may become common for it to not work due to bugs in source code
If I were to, an automatic update feature might be nice!
I need reliable mirrors :-(
It's definately on the cards though - The repo client does all the merging, so I don't see why I can't batch it.

outcorpse said:
Will test Android 2.0. I own a 32a. I know how to get back if it doesn't. Will keep you guys posted.
Click to expand...
Click to collapse
Look forward to hearing your results!

Well Dun!
Hope to have mine compiled soon... I went out... left it going... and came back and its still goin, no errors! shocked!
Will try the old nav thing after i`ve done the initial compiling... hope gps works ok

i can't update i get the error:
E:No Signature (6 Files)
i'm on a 32b!!

Added a few mirrors (see first post), you shouldn't have any issues getting it now

niceeee..
few questions: htc sense ui? FLASH PLAYER??!?!?!?!?
i might wait to hear from outcorpse before i try this.

edding3k said:
i can't update i get the error:
E:No Signature (6 Files)
i'm on a 32b!!
Click to expand...
Click to collapse
I thought this might happen (thats why I added this line):
OzJD said:
Note: You may require certain software on your phone to install this.
Click to expand...
Click to collapse
I think you will need an engineering SPL to allow unsigned images to be used - Just like the ADP2 (Google ION), Please see here: http://forum.xda-developers.com/showthread.php?t=529019
Side note: I'm using 1.33.2005
Please let me know how you go

delete me... wrong forum!

~removed: [quotes deleted text]

Any idea what the problem could be with bluetooth? Do we just need the proprietary drivers for 32B from HTC or is this not a driver problem?

I'm creating my own.
I'll try yours.
Good....

i have 2010 spl i'm on 32a board..still confuse on how to flash this rom..
so i must enter fastboot mode right? then using adb i just do fastboot flashall?
can you give me step by step how to do this?
another question does camera work ? and what about google service?
thanks..

Firstly I recommend a full backup, If you're unsure about how to do this you probably shouldn't be flashing ROMs yet.
%FOLDER% refers to any folder of your choice.
Download the file in the original post, and extract to %FOLDER%
Download the fastboot binary for your operating system from http://developer.htc.com/google-io-device.html to to %FOLDER%
Boot your phone into "fastboot" mode
Open a terminal window (command prompt) and change directory to %FOLDER%
type: "fastboot flashall" (without the quotes)
Hopefully you should see something like this:
Code:
< waiting for device >
--------------------------------------------
Bootloader Version...: 1.33.2005
Baseband Version.....: 2.22.19.26I
Serial Number........: HT96WMG01288
--------------------------------------------
checking product... OKAY
sending 'boot' (1838 KB)... OKAY
writing 'boot'... OKAY
sending 'recovery' (2088 KB)... OKAY
writing 'recovery'... OKAY
sending 'system' (62895 KB)... OKAY
writing 'system'... OKAY
rebooting...

OzJD said:
Firstly I recommend a full backup, If you're unsure about how to do this you probably shouldn't be flashing ROMs yet.
%FOLDER% refers to any folder of your choice.
Download the file in the original post, and extract to %FOLDER%
Download the fastboot binary for your operating system from http://developer.htc.com/google-io-device.html to to %FOLDER%
Boot your phone into "fastboot" mode
Open a terminal window (command prompt) and change directory to %FOLDER%
type: "fastboot flashall" (without the quotes)
Click to expand...
Click to collapse
oke..thanks..doing nandroid backup..will report to you asap..
i'm very curious, does cam work? google service??

[UPDATED 8/26/2014]HTC 8x wp8 GDR2 UEFI Extracted From .cab update

So I was able to make a decompressed extracted dump of the UEFI cab update package. After extracting the 2_UEFI.bin file from the cab update, I ran it through some PC bios extraction tools. Just my luck it worked.
This package is only partially extracted. And readable.
MORE STUFF ON POST#2
here is picture attached here
{
"lightbox_close": "Close",
"lightbox_next": "Next",
"lightbox_previous": "Previous",
"lightbox_error": "The requested content cannot be loaded. Please try again later.",
"lightbox_start_slideshow": "Start slideshow",
"lightbox_stop_slideshow": "Stop slideshow",
"lightbox_full_screen": "Full screen",
"lightbox_thumbnails": "Thumbnails",
"lightbox_download": "Download",
"lightbox_share": "Share",
"lightbox_zoom": "Zoom",
"lightbox_new_window": "New window",
"lightbox_toggle_sidebar": "Toggle sidebar"
}
PLEASE MAKE NO!!!! ATTEMPT TO FLASH ANY OF THESE FILES. UNLESS YOU KNOW WHAT YOUR DOING.
FULL DUMP CAN BE DOWNLOADED HERE
View attachment UEFI-VOL-DUMP.zip
Here are some strings from EBL module that was extracted from a Vondafone UEFI update cab.
EblCheckRefurbishResult
[FAT_ERROR] fat_get_next_cluster: allocate %d bytes for FAT table sector buffer fail!
[FAT_ERROR] fat_get_next_cluster: read FAT table sector[%d] fail!
fat_read_disk [FAT_ERROR] fat_get_skip_cluster: allocate %d bytes for FAT table sector buffer fail!
[FAT_ERROR] fat_get_skip_cluster: read FAT table sector[%d] fail!
[FAT_ERROR] fat_open_file: can not alloc heap for the file description!
[SSD-PLAT] ReadSector failed, please probe removable media first.
[SSD-PLAT] ReadSector failed, please probe removable media first.
[SSD-PLAT] WriteSector failed, please probe removable media first.
[SSD-PLAT] WriteSector failed, please probe removable media first.
EblEMMCInformation: Not found hTC Sdcc extention protocol!! (%r)
EblEMMCInformation: Not found hTC Sdcc extention protocol!! (%r)
c:\apollo_bsp\accord_u_gdr2_00_s\wp\uefi\edk2\EmbeddedPkg\Ebl\hTC\tz.c !EFI_ERROR (gBS->LocateProtocol(&gQcomPmicVregProtocolGuid, 0, (void**)&PmicVregProtocol))
c:\apollo_bsp\accord_u_gdr2_00_s\wp\uefi\edk2\EmbeddedPkg\Ebl\hTC\tz.c !EFI_ERROR (gBS->LocateProtocol(&gQcomPmicVregProtocolGuid, 0, (void**)&PmicVregProtocol))
c:\apollo_bsp\accord_u_gdr2_00_s\wp\uefi\edk2\EmbeddedPkg\Ebl\hTC\tz.c !EFI_ERROR (gBS->LocateProtocol (&gEfiCpuArchProtocolGuid, 0, (void **)&CpuArch))
c:\apollo_bsp\accord_u_gdr2_00_s\wp\uefi\edk2\EmbeddedPkg\Ebl\hTC\tz.c !EFI_ERROR (gBS->LocateProtocol (&gEfiTzeLoaderProtocolGuid, 0, (void**)&TzeLoader))
[SECURITY] TZ_HTC_SVC_READ_SIMLOCK_MASK modified ret = %d, mask = 0x%X
[SECURITY] TZ_HTC_SVC_READ_SIMLOCK_MASK modified ret = %d, mask = 0x%X
[SECURITY] TZ_HTC_SVC_UPDATE_SIMLOCK: TZ NOT return updating record index
[SECURITY] TZ_HTC_SVC_UPDATE_SIMLOCK: TZ NOT return updating record index
[SECURITY] secure_get_simlock_upgrade_magic, ret=%d (0x%x, 0x%x, 0x%x)
[SECURITY] secure_get_simlock_upgrade_magic, ret=%d (0x%x, 0x%x, 0x%x)
[SECURITY] TZ_HTC_SVC_EMMC_WRITE_PROT set magic (0x%X, %d) ret = %d
[SECURITY] TZ_HTC_SVC_EMMC_WRITE_PROT set magic (0x%X, %d) ret = %d
[SECURITY] TZ_HTC_SVC_EMMC_WRITE_PROT get magic 0x%X 0x%X ret = %d
[SECURITY] TZ_HTC_SVC_EMMC_WRITE_PROT get magic 0x%X 0x%X ret = %d
hash: %a 2 [1: sha1 | 2: sha256] [src address] [src len] [digest addr] [digest len]
hash: %a 2 [1: sha1 | 2: sha256] [src address] [src len] [digest addr] [digest len]
aes: %a 3 [0: aes128 | 1: aes256] [0: ECB | 1: CBC | 2: CTR] [0: encrypt | 1: decrypt] [iv addr] [key addr] [src addr] [len] [dest addr]
aes: %a 3 [0: aes128 | 1: aes256] [0: ECB | 1: CBC | 2: CTR] [0: encrypt | 1: decrypt] [iv addr] [key addr] [src addr] [len] [dest addr]
aes encryption with SW key: %a 8 [0: aes128 | 1: aes256] [0: ECB | 1: CBC | 2: CTR] [0: encrypt | 1: decrypt] [key id] [iv addr] [src addr] [len] [dest addr]
aes encryption with SW key: %a 8 [0: aes128 | 1: aes256] [0: ECB | 1: CBC | 2: CTR] [0: encrypt | 1: decrypt] [key id] [iv addr] [src addr] [len] [dest addr]
set ddr mpu config: %a 11 [index] [read vmid mask] [write vmid mask] [start] [end]
set ddr mpu config: %a 11 [index] [read vmid mask] [write vmid mask] [start] [end]
enable_hw_auth
disable_jtag
blow_boot_cfg
blow_sec_key
hide_hwkey
checksbl1
je board_evm
evm
EVM8960
ke board_evm2
evm2
EVM28960
board_evita
evita
EVITA board_accord_wl
accord_wl
PM2310000
board_accord_wr
accord_wr
PM2330000
board_accord_u
accord_u
PM2320000
board_accord_ul
accord_ul
PM2321000
board_accord_td
accord_td
PM2350000
[ERR] partition_update offset is not emmc sector[%d] aligment! Offset[%d]
htc_pg_sanity_check pg %a: calculated checksum 0x%x is mismatched (header checksum 0x%x)
pg %a: calculated checksum 0x%x is mismatched (header checksum 0x%x)
htc_pg_hdr_get
htc_pg_hdr_set
htc_pg_part_hdr_get
htc_pg_alloc_map
htc_pg_find_best_alloc
htc_pg_alloc
htc_pg_part_reduce_size
htc_pg_fix_part_hdr_add
htc_pg_part_hdr_set
htc_pg_part_traverse
htc_pg_link_size
htc_pg_part_update
htc_pg_part_clear
htc_pg_part_read
htc_pg_update_crc
htc_pg_part_modify
htc_pg_part_modify:
part %a,
offset %d,
len %d,
is_erase %d,
update_crc %d
htc_pg_part_modify:
part %a,
offset %d,
len %d,
is_erase %d,
update_crc %d
htc_pg_free_size
htc_pg_part_crc
check_pgfs
check_boardinfo
chipset_setting_init
chipset_reset
chipset_get_device_id
chipset_set_device_id
read_simlock
write_simlock
EMBEDDED BOOT LOADER COMMANDLINE INTERFACE
I think some of the more experienced gurus form the Windows Mobile days can input more knowledge here.
EblBoardInfoCommand
write_simlock_password
read_simlock_password
radio_init_secure_smem
ClearSimLockCode
AddSimLockCode
EnableSimLock
DisableSimLock
HTC
USB BLDR
HandleSetupPkt
HandleUSBEvent
**** Both TX and RX needs to be queued, but only one can be queued. SOMETHING MAY GO WRONG **** OnBoard_USB_Init OnBoard_USB_Write
**** Both TX and RX needs to be queued, but only one can be queued. SOMETHING MAY GO WRONG ****
OnBoard_USB_Read
detectUsbCable
0 . 0 . 0 . 0
PIKS
MSM8960
c:\apollo_bsp\accord_u_gdr2_00_s\wp\uefi\edk2\Build\Msm8960\RELEASE_RVCT31\ARM\EmbeddedPkg\Ebl\Ebl\DEBUG\AutoGen.c
c:\apollo_bsp\accord_u_gdr2_00_s\wp\uefi\edk2\Build\Msm8960\RELEASE_RVCT31\ARM\EmbeddedPkg\Ebl\Ebl\DEBUG\AutoGen.c
c:\apollo_bsp\accord_u_gdr2_00_s\wp\uefi\edk2\Build\Msm8960\RELEASE_RVCT31\ARM\EmbeddedPkg\Ebl\Ebl\DEBUG\AutoGen.c
c:\apollo_bsp\accord_u_gdr2_00_s\wp\uefi\edk2\Build\Msm8960\RELEASE_RVCT31\ARM\EmbeddedPkg\Ebl\Ebl\DEBUG\AutoGen.c
c:\apollo_bsp\accord_u_gdr2_00_s\wp\uefi\edk2\Build\Msm8960\RELEASE_RVCT31\ARM\EmbeddedPkg\Ebl\Ebl\DEBUG\AutoGen.c
c:\apollo_bsp\accord_u_gdr2_00_s\wp\uefi\edk2\Build\Msm8960\RELEASE_RVCT31\ARM\EmbeddedPkg\Ebl\Ebl\DEBUG\AutoGen.c
c:\apollo_bsp\accord_u_gdr2_00_s\wp\uefi\edk2\Build\Msm8960\RELEASE_RVCT31\ARM\EmbeddedPkg\Ebl\Ebl\DEBUG\AutoGen.c
c:\apollo_bsp\accord_u_gdr2_00_s\wp\uefi\edk2\Build\Msm8960\RELEASE_RVCT31\ARM\EmbeddedPkg\Ebl\Ebl\DEBUG\AutoGen.c
c:\apollo_bsp\accord_u_gdr2_00_s\wp\uefi\edk2\Build\Msm8960\RELEASE_RVCT31\ARM\EmbeddedPkg\Ebl\Ebl\DEBUG\AutoGen.c
No Media
Media changed
Access Denied
Write Protected
Not started
Already started
Aborted
Unsupported
Not Found
Warning
Delete
Failure
Warning
Write Failure
No Response
Bad Buffer Size
No mapping
Warning Unknown Glyph
Warning Buffer Too Small
Volume Full
Invalid Parameter
ICMP Error
TFTP Error
Load Error
Device Error
Protocol Error
Out of Resources
Success
Volume Corrupt
Time out
Not Ready
Snapdragon S4 Processor
GPT PARTITIONS
FFFFFFFF-FFFF-FFFF-FFFF-000000000010
540B4740-D799-497D-9F02-B36D2E958EB0
B7A9BDA8-368C-46BC-B2C7-67501F0E6B52
9183C552-0934-4FD6-AF26-13FE14244223
320D3B19-80D9-467A-99BC-AB2B85287574
A053AA7F-40B8-4B1C-BA08-2F68AC71A4F4
E35F99CF-0025-4252-A608-CAAA1289CAF4
69B4201F-A5AD-45EB-9F49-45B38CCDAEF5
0732095D-CD4E-4492-B229-28D4ECCEC1B6
F0B4F48B-AEBA-4ECF-9142-5DC30CDC3E77
E5C3DF3F-556D-478e-AFE3-DABA98C52897
EBD0A0A2-B9E5-4433-87C0-68B6B72699C7
ebd0a0a2-b9e5-4433-87c0-68b6b72699c7
098DF793-D712-413D-9D4E-89D711772228
400FFDCD-22E0-47E7-9A23-F16ED9382388
DEA0BA2C-CBDD-4805-B4F9-F428251C3E98
E6536BC2-6DA4-495D-A83B-79F93701E799
638FF8E2-22C9-E33B-8F5D-0E81686A68CB
0A288B1F-22C9-E33B-8F5D-0E81686A68CB
EBBEADAF-22C9-E33B-8F5D-0E81686A68CB
3A6A228E-FC35-4A46-A869-4C511F7CE5EC
6BB94537-7D1C-44D0-9DFE-6D77C011DBFC
8C6B52AD-8A9E-4398-AD09-AE916E53AE2D
2373E6C7-FCBE-42B1-B44A-10DDAF18388D
543C031A-4CB6-4897-BFFE-4B485768A8AD
530C3197-F4D2-408F-B886-778ED6CDFDAD
05E044DF-92F1-4325-B69E-374A82E97D6E
74DA3EE7-D422-487C-A573-CE03C261362F
A44D2E89-8B5A-4F42-8FE5-FD36333A3BFF
PARTITION IMAGES
%a:\hTCIMG\QC\MSM8960\%04x\rfg_0.img
%a:\hTCIMG\QC\MSM8960\%04x\rfg_1.img
%a:\hTCIMG\QC\MSM8960\%04x\modem_st1.img
%a:\hTCIMG\QC\MSM8960\%04x\rfg_2.img
%a:\hTCIMG\QC\MSM8960\%04x\modem_st2.img
%a:\hTCIMG\QC\MSM8960\%04x\rfg_3.img
%a:\hTCIMG\QC\MSM8960\%04x\rfg_4.img
%a:\hTCIMG\QC\MSM8960\%04x\rfg_5.img
%a:\hTCIMG\QC\MSM8960\%04x\rfg_6.img
%a:\hTCIMG\QC\MSM8960\%04x\rfg_7.img
%a:\hTCIMG\QC\MSM8960\%04x\disk.img
%a:\hTCIMG\QC\MSM8960\%04x\radio.img
%a:\hTCIMG\QC\MSM8960\%04x\sbl1.mbn
%a:\hTCIMG\QC\MSM8960\%04x\sbl2.mbn
%a:\hTCIMG\QC\MSM8960\%04x\sbl3.mbn
%a:\hTCIMG\QC\MSM8960\%04x\uefi.mbn
%a:\hTCIMG\QC\MSM8960\%04x\rpm.mbn
%a:\hTCIMG\QC\MSM8960\%04x\winsecapp.mbn
%a:\hTCIMG\QC\MSM8960\%04x\tz.mbn
%a:\hTCIMG\QC\MSM8960\%04x\gpt_main0.bin
%a:\hTCIMG\QC\MSM8960\%04x\fat16.bin
%a:\hTCIMG\QC\MSM8960\%04x\MainOS.bin
%a:\hTCIMG\QC\MSM8960\%04x\fat_FFU.bin
%a:\hTCIMG\QC\MSM8960\%04x\UserData.bin
%a:\hTCIMG\QC\MSM8960\%04x\sdata.bin
%a:\hTCIMG\QC\MSM8960\%04x\misc.bin
%a:\hTCIMG\QC\MSM8960\%04x\mfg.bin
%a:\hTCIMG\QC\MSM8960\%04x\modem_fsg.bin
%a:\hTCIMG\QC\MSM8960\%04x\dpp.bin
%a:\hTCIMG\QC\MSM8960\%04x\efiesp.bin
%a:\hTCIMG\QC\MSM8960\%04x\eblogs.bin
RUU CONFIGURATION
THESE VARABLES CAN BE USED TO IN THE ACDUCONF.TXT
[getvzwmid] Query VZW model ID
[getmeid] Query device MEID vzwisLTE
[getdevinfo] Return device Model ID and CID to RUU
[getimei] Return device IMEI to RUU
[blversion] Return bootloader version to RUU wdata
[readconfig ] Read i-th config data or read all config data if no i supplied getmeid getvzwmid
[task TaskNum] Executing task command
[set SetNum SetValue] Executing set command password ResetDevice
[ResetDevice] Reseting the device
[wdata Length Checksum] Writing NBH file format data to device
[ruustart] Enter RUU special command mode
[progress Percentage] Show progress bar and percentage on screen for RUU use readconfig Ask radio to start refurbish startrefurbish getimei task blversion
[password PassWord] RUU password verification getdevinfo progress set Check the refurbish result checkrefurbishresult
[vzwisLTE] Check the device is LTE or not ruustart
FixVoltageMSMC1
FixVoltageMSMC2
KitlIP DCVSParam[0]
DCVSParam[1]
DCVSParam[2]
DCVSParam[3]
DCVSParam[4]
DCVSParam[5]
DebugMethod
PowerSavingDisable
DriverDisable
FixedIdleTime
DriverLocalZone
PagingPoolSize
DebugFlag
DriverFlag
PassiveKitlDbg
HookDebug
ApSwitch
KitlNetMask
FixFreqLevel
USBFlags
RadioDebugFlags
SensorDebugFlags
BootloaderFlags
DLLLowFlags
DummyFlags
SpyFlags
DllBreakPoint
DemFatalCount
AutoFocusTest
DebugBattery
secure erase secure trim
QUALCOMM OEM
STILL NOT SURE ABOUT THESE STRINGS
Q6:
VDDCX:
Krait:
RFSKUIDField_D0
RFSKUIDField_D1
RFSKUIDField_D2
RFSKUIDField_D3
RFSKUIDField_D4
RFSKUIDField_D5
RFSKUIDField_D6
RFSKUIDField_D7
EngineerID
KEK
PK
DPP
HTC OEM SECURE KEYS
fs0:\SecureBootPolicy.p7b
db pDPP.enc
OEM_DB_CLEAR.enc
OEM_KEK_CLEAR.enc
OEM_PK_CLEAR.enc
OEM_DBX_CLEAR.enc
PCBIDField
FunctionSKUField
ssd
delfile
crwfile
fs0:\enc.img
fs0:\ori.img
SKUIDChecksum
fs0:\OEM_dbx_2011.bin
fs0:\OEM_db_2012.bin
fs0:\OEM_KEK.bin
fs0:\OEM_PK.bin
fs3:\pDPP.tmp
fs3:\OEM_DB_CLEAR.tmp
fs3:\OEM_KEK_CLEAR.tmp
fs3:\OEM_PK_CLEAR.tmp
fs3:\OEM_DBX_CLEAR.tmp
var midr
fs0:\keystore.dat
v
w
dbx
CurrentPolicy
QULCOMM SECURE
RFG_0
SBL1
MODEM_FS1
RFG_1
SBL2
MODEM_FS2
RFG_2
SBL3
RFG_3
RFG_4
RFG_5
RFG_6
RFG_7
SDATA
MISC
MODEM_FSG
UEFI
RPM
RADIO
BDP
WINSECAPP
DPP
EFIESP
EBLOGS
MainOS
PLAT
TZ
Data
X
ROM UPDATE UTILITY
HTCIMAGE
GPT_HEADER TOUCH_FW_UPDATE
ACDUIMG.nbh
ACDUNV.nbh
ACDUDIAG.nbh
ACDUCONF.txt
ACDUDIAG.nbh
HTCIMAGE
simunlock

more.
HTCIMAGE
simunlock.
spcustom
prkey
wvkey_lv1
dpkey.
tamper
prmkey
wvkey_lv3.
sbl1_update
c:\apollo_bsp\accord_u_gdr2_00_s\wp\uefi\edk2\Build\Msm8960\RELEASE_RVCT31\ARM\EmbeddedPkg\Ebl\Ebl\DEBUG\Ebl.dll....
More info on the tools used to dump the UEFI can be found here Thanks to CodeRush
I have moved on to using PhoenixTool. Many options to choose from including inserting SLIC, SLP, key and RW file. Full customization of ACPI, OEM, RSDT XSDT tables. Preserve module size andmany more features.

any use? I'm a noob.

fengsam said:
any use? I'm a noob.
Click to expand...
Click to collapse
Using RUU configuration script in the ACDUCONF.txt would probably solve some issues with not being able to flash a rom because of incorrect model number issues.
for instance i cannot flash a factory rom on my device because the text that shows up on boot loader screen is incorrect. do to some of the Microsoft developer updates. for Windows embedded compact and handheld sdk updates that have been pushed to my device.
so using this [getdevinfo] should in theory return the ruu with the correct device info. the radio, dpp. and boot partitions that are in the RUUs contain the device info that have to match for the. i just so happens that those config files can be changed without harming the signed.nbh (technically there are not signed images at all. only mostly encrypted. but still unsigned.) I have not been able to dig up any documentation for use of ACDUCONF.txt and how it should be properly used. but similar ruu config file usage has documented us since the early windows mobile all the way up until windows phone 7. its only up until yesterday that this information has been presented to the public.
I am 99% convinced that HTC 8x uefi is can be configured to dual-boot, boot-android, right now with the UEFI that i extracted modules can be altered, replaced new ones can be inserted and at the same time. be resigned. only issue is creating an nbh. I think some old windows mobile tools can sign the image and a goldcard can b used on a usb thumb drive. The HD2 USB Y Cable dongles is OEM approved to be used with the htc accord and has the code written within the uefi bios image its self.
HTC uefi is very similar to Intels edk2 which is based from Edk II DevKit(Sourceforge.net), which is based off of Tianocore. Many of the packages are compattable. [MdePkg]
Though it is not tianocore some of there packages are still based off of the tianocore edk2 platform. along with many of the other edkII development projects on http://www.sourceforge.net.
Also there is strings i found that allowed the use of using a JAVACARD dongle. Which with a JAVACARD you can achieve s-off, and security unlock. (well at least in the case of Android devices.)
Then again who has ever seen a windows phone 8 uefi broken down like this before. none. or at least that i can find. Closest i found was from forums in China, and original source was being shared for Huawei W1 and W2.

fengsam said:
any use? I'm a noob.
Click to expand...
Click to collapse
No ,

@grilledcheesesandwich What PC BIOS Extraction tools did you use?

compu829 said:
@grilledcheesesandwich What PC BIOS Extraction tools did you use?
Click to expand...
Click to collapse
i forgot who made the tools. but i found them on mydigitallife.com forums. there called UEFIExtract.exe and UEFITool.exe the extractions are not perfect and the rebuilding still is not working 100% on 8x uefi .the process request files that only exist within the phones memory.
sent from the moon

grilledcheesesandwich said:
i forgot who made the tools. but i found them on mydigitallife.com forums. there called UEFIExtract.exe and UEFITool.exe the extractions are not perfect and the rebuilding still is not working 100% on 8x uefi .the process request files that only exist within the phones memory.
sent from the moon
Click to expand...
Click to collapse
http://forum.xda-developers.com/showthread.php?t=1966327

@grilledcheesesandwich What tool are you using to browse the UEFI BIOS (like you see in the screenshots?) Also, you need to use 7zip to extract the zip file to get to the tarball...it's not compatible with the built-in windows zip utility

compu829 said:
@grilledcheesesandwich What tool are you using to browse the UEFI BIOS (like you see in the screenshots?) Also, you need to use 7zip to extract the zip file to get to the tarball...it's not compatible with the built-in windows zip utility
Click to expand...
Click to collapse
i tarballed the bios after i extracted it so i could browse it in a flatview

grilledcheesesandwich said:
i tarballed the bios after i extracted it so i could browse it in a flatview
Click to expand...
Click to collapse
Problem is, even if you manage to repack the different modules, (You could Use Andys Tool for that, I got into Bios modding some time ago ) the phone will detect it and since the signature has been broken it won't flash. But I am quite interested in the volume dump since I have a HTC 8S motherboard stuck in recovery mode because I tried to flash the 8X rom on it, with the 8S signature ('t was an accident) You could try to get the offset you need to change with UIFR by Donovan http://donovan6000.blogspot.de/2014/02/universal-ifr-extractor.html
cheers, hutchinsane_

@grilledcheesesandwich I noticed lol.
From what I can gather, if one uses the Y-Cable method to flash the HTC 8x, it bypasses the signature checking done by the standard RUU. I do know that the nbh files for the HTC 8x are unencrypted. I have always wondered about hand-editing the mainOS partition to enable a developer unlock for our devices. The only issue is that I have the T-Mobile variant, which has AWS HSPA+ enabled and unlocked. This radio firmware is not in the standard RUU for the EURASIA ROMS, so I never bothered with it because I Can't lose AWS support.

hutchinsane_ said:
Problem is, even if you manage to repack the different modules, (You could Use Andys Tool for that, I got into Bios modding some time ago ) the phone will detect it and since the signature has been broken it won't flash. But I am quite interested in the volume dump since I have a HTC 8S motherboard stuck in recovery mode because I tried to flash the 8X rom on it, with the 8S signature ('t was an accident) You could try to get the offset you need to change with UIFR by Donovan http://donovan6000.blogspot.de/2014/02/universal-ifr-extractor.html
cheers, hutchinsane_
Click to expand...
Click to collapse
ok here is what i have so far. Ideas are still out there.
I need to find a tool that can extract a perfect capsule. from the uefi. even though the uegi binary partition is write protected. the capsule may be writeable. no need to worry about signatures and keys as long as the capsule is back to its origiinal size and expands as normal after being flashed to the device. also no alteratiin can been done to Security module within the capsule. thats ok because all the modules are contained within there own class and to do not require signature verification. this has worked with Intel and Amtel Uefi bios. From what i can tell Htc8x has an embedded amtel at24c128bn eeprom security chip present and if there eeprom is as easy as there tpm (trusted platform module) being used for security validation in uefi bios boot process used on pc motherboards we should in some theory be the case here too.
My overal plan is not to only expand the new development into custom roms. the plan is to fully defy microsofts most secure mobile retail device by handing them a fully customizeable device without loosing the featured security.
To my knowledge every htc 8x has the built in feature to change usb connection mode when pluged in to a pc. the only reason we cannot use this feature the same feature offered in pre android 4.3 devices is because the value in the registry is set to disableDialogmenu and the value is set to (1). i think if we can change this to (0) wen will have a popup menu present when plugging in to a pc. i found this key earlier today while searching my phones registry. i will post up this key later.
Another is Andrid. HTC One S Ville U has identical hardware. believe this the hboot for ville U is built just like the uefi for the 8x. so close in fact like you can cee the ebl module refrences the ville u. ok so heres more. when i tore apart ruu ville u i found the exact same files that exist withing the ruu accord. the files im refering to are the platform info files that check for firmware cimpatibility. the only alteration needed would be to replace the secure boot binaries in the ville u rom.zip and inject my certificates i have been holding onto.
i have 2 platform verification keys (pvk) i have found from encrypted jtag nand dumps. probably useless. itsva good refrence start on a possible challenge with DPP partition.
l
self signing certs is not a problem. i have everything to work around the issue of kek db dbx ovk and pvk keys and certificates. found a dev who put together a wpdeveloper pack that creats all needed certificates for wp soc oem ihv developemt and also remotly sets up all the needed requirements and resources to build and flash a signed ffu. i can assure hyc 8x ffu exist. but the only way to get a qualcomm accord u full flash uodate is to build it. you do not have to be an oem to build a ffu. there is a process to doing this. all you need is to create an empty zip archive labeled corrextly likr how nokia ffus look. add a specific xml soap scripts. similar to.the ones for cab update checks. mainly the cabs that are labeled emptypackage.
ive came across a few but not enough. i think a workaround would he microsoft cabinet sdk. to rebuild. whats missing. the cab that contaijes all the xml provision licenses is needed for the ffu build. as well. now the documentation on the wpoem site says you need the phone image design tool to build a ffu........o darn dead end.... nope the is another way. some confedientel ihv documents demonstrate like rhe above mentoned empty zip file correctly labeled with correct xml scemas layed out then added to the zip. you must setup your pc environment with microsoft client connextion to redmond. they validate you contoso build zip is accurate and if doen correctly you will returned with a fully built full flash update package. theres lots i didnt not mention. i should not.
so any ways. back to the topic. once i can find all the correct libraries to correctly rebuild this uefi all options will be on the table. moke like endless opportunities in customizations and features. well almost.
litsvofbwork needs done. anybody else has gots guts to conqueror with me head over to mydigitallife and sure uobthere endless threads on uedi bios hacking.
i completely sandboxied hck adk win sdk win kits wpsdk ack and vs2013. zi
ffutool.exe & ffuresources.dll
sent from the moon

compu829 said:
@grilledcheesesandwich I noticed lol.
From what I can gather, if one uses the Y-Cable method to flash the HTC 8x, it bypasses the signature checking done by the standard RUU. I do know that the nbh files for the HTC 8x are unencrypted. I have always wondered about hand-editing the mainOS partition to enable a developer unlock for our devices. The only issue is that I have the T-Mobile variant, which has AWS HSPA+ enabled and unlocked. This radio firmware is not in the standard RUU for the EURASIA ROMS, so I never bothered with it because I Can't lose AWS support.
Click to expand...
Click to collapse
i have a rom that supports aws hspa. its not directly tmobile its a wwe rom. also mine is also a tmobile usa variant. and the weird part is its not the same as the other usa versions mine has full lte and gsm support and at one time was sim unlocked. the serial number traced back to being built in germany and was sold here in the usa
I IM GOING TO HELP EVERYONE OUT HERE AND HOST MY COLLECTION OF HTC8X ROMS. AND 8S ROMS.. I keephearing that there is only 2 versions available for the 8x. im going to give everybody at least 6.
Sent from my Galaxy Nexus using XDA Free mobile app

hutchinsane_ said:
Problem is, even if you manage to repack the different modules, (You could Use Andys Tool for that, I got into Bios modding some time ago ) the phone will detect it and since the signature has been broken it won't flash. But I am quite interested in the volume dump since I have a HTC 8S motherboard stuck in recovery mode because I tried to flash the 8X rom on it, with the 8S signature ('t was an accident) You could try to get the offset you need to change with UIFR by Donovan http://donovan6000.blogspot.de/2014/02/universal-ifr-extractor.html
cheers, hutchinsane_
Click to expand...
Click to collapse
ifr extractor does not work with a htc 8x uefi binary. i got an error instantly i might be doing something wrong. i will do more ttesting with that one.
i heard there was some uefi bios devrlopement going on with the htc one. it may be possibkr to incorporate some of there knowledge into this project. the boards have some similarities minus the processor cores ram and so on. i do know that msm8960 code is compattable with msm8260a htc8x and apq8064 htc one, dna, and ny fAvorite my ifc6410 qualcomm snapdragon 600 itx motjerboard.
if you have the uefi cab update for your htc8s i could eztract a dump of it for you and send it back.

@
compu829 said:
radio software version is 1.17b.32.19.14_15.62b.32.19
Firmware revision is 3030.0.34101.531
UEFI bootloader version is 0.0.3030.0(173542)
Chipset is the 8260A
Interestingly enough, in the about page is a spot that says "IMS: Not Registered"...I wonder if they are slipped in Wi-Fi calling support and didn't tell anyone?
from the HTC screen:
PM2322002 P S WP8 I
SBL1-303.000.R15
SBL2-303.000.110
SBL3-303.000.008
RPM-303.CRC.76B
TZ-303.000.241
UEFI-0.0.3030.0(173542)
OS-3.41.531.01
eMMC SMS 14910MB F-15
CID T-MOB010
Radio-1.17b.32.19.14_15.62b.32.19
MSM8260A v3.2.1-p1 0x707910e1
Krait:Nom Q6:Fast VDDCX:SLOW 0x30400
Touch FWS1:1195017,13106,41434467
Vdd_dig - 0.5v, 0x4
Click to expand...
Click to collapse
nice only difference is mine is nom slow. I have a a rom that is almost identical too. what i have found out is that some of the nbh htc windows phone 8 roms floating around out there are incorrectly labeled even the 512kb headers are wrong too. when tearing down and dissecting some of these. it seems as though the partitions change. for instance i have 2 identical extractions and on one change all permissions to alow remote users and any nt or network admin or authority to full control. let all the ruu files give 100% internet access through your firewall. now copy run the ruu in dependency walker and find all the files that the ruu is Depends on. most are in windows active sync installer the others are in you phone. and need to be extracted to and copied to the ruu folder. why am i telling you this? you probably know this being a senior member.
on that note. Ive noticed that the 8s and 8x are obviously different than legacy windows mobile mainly due to gpt guid partition format. within system files from my phone and 8x ruu i have found references to Leo, hd2, Shubert, startrek, Hermes, and a few others. which that lead me into researching how wm, wince, wp7 and ec2013 devices were built using Microsoft sdk's. from what i can see to the best of my knowledge is that newer platforms still use the some of the same source as older designs and even though bsp kits for older builds are not one click compatible with the ec2013, shuffle a few files around and match the folder structures & alter some lines of code for embedded compact and one will just have incorporated classic features into a brand new operating system. i do not believe Qualcomm or Microsoft are hiding easter eggs. my guess is it was all htc. ok so last year i bought an evo shift. yea yea funny haha. i was bored so i got this phone, unlocked it, raw dumped every partition and hex away. in the hboot 7630 build i found strings that referenced windows ce. i never took it any further than that. but i can see now that htc has sloppy source control. or they did this on purpose to see if anybody would catch on.
ok back to wp8. i will make this part quick. the wp8.1 sdk leaked emulator dump OEMprovisioning.exe app can be executed on x64 bit win8.1 desktop pc. strange. i found some registry keys and drivers that allows my phone to run applications in win32 compatibility mode. enough said. i still do not know how it and be incorporated into apps.
about wifi calling. mine says ims not registered too. i dont care on mine. its only purpose to be hacked.
i need to do some work on file write/read app. it some what works. start tiles disappear an it broke my wifi. i need to incorporate the app into a file manager maybe GoodDayToDie's webserver app.
Sent from my Galaxy Nexus using XDA Free mobile app

The above is way above my understanding but I have a 8X that I'm more than willing to test with. Let me know if you need some testing

utopiate said:
The above is way above my understanding but I have a 8X that I'm more than willing to test with. Let me know if you need some testing
Click to expand...
Click to collapse
kind of dangerous if you ask me. if your phone is already bricked and its just lying around as DEAD WEIGHT then whats the worst that could happen. let me throw some stuff together. what is theconditin of your phone?
Sent from my Galaxy Nexus using XDA Free mobile app

Its in fine working order running the dev preview and so a but buggy. I'm just about to get a new phone so I don't mind testing with it

try the hawaei w1 rom flashing method.
i found some registry keys that refrence simpleio.efi in the tmobile variant 8x
Sent from my Galaxy Nexus using XDA Free mobile app

★ ☆ [MOD] Remove Red Text on Splash Screen | E8 hboots | ALL Variants |

Does the red development text on the splash screen bother you after unlocking your device?
If so, I have a modified hboot for you that takes care of it.
This was simply hex edited by me to remove the text from the screen, no other changes were made.
I have tested the process and it is 100% proven to work without any side effects.
I DO NOT OWN THIS DEVICE!
I originally did this for the Verizon HTC One M7 and was asked to do it for the One Max T6, Butterfly S, HTC One M8, and now the HTC One E8.
FROM THIS >>>
{
"lightbox_close": "Close",
"lightbox_next": "Next",
"lightbox_previous": "Previous",
"lightbox_error": "The requested content cannot be loaded. Please try again later.",
"lightbox_start_slideshow": "Start slideshow",
"lightbox_stop_slideshow": "Stop slideshow",
"lightbox_full_screen": "Full screen",
"lightbox_thumbnails": "Thumbnails",
"lightbox_download": "Download",
"lightbox_share": "Share",
"lightbox_zoom": "Zoom",
"lightbox_new_window": "New window",
"lightbox_toggle_sidebar": "Toggle sidebar"
}
TO THIS >>>
Let's get to it!
You must be S-Off to do this!
To Install:
Download your Modified hboot:
-No Red Text hboots-
Asia: WWE
No Red Text Hboot
modelid: 0PAJ31000
cidnum: HTC__044
cidnum: HTC__059
mainver: 1.10.707.1
btype:1
aareport:1
hbootpreupdate:12
​
China: Unicom
No Red Text Hboot
modelid: 0PAJ20000
cidnum: HTCCN703
mainver: 1.19.1402.13
btype:1
aareport:1
hbootpreupdate:12
​
Ok, Now you have your hboot, proceed:
Place the zip in your fastboot/adb directory on your computer.
Put the device in fastboot mode
(Volume down and power until menu appears, select fastboot using power button)
Connect the device to the computer
Enter the following commands from terminal/command prompt in the fastboot directory, one at a time:
fastboot oem rebootRUU (this puts the device in RUU mode)
fastboot flash zip filename_hboot.zip (this flashes the modified hboot zip file)
Important: the flash process halts at around 75% to 90% on phone screen! This is normal and a safety precaution!
The last few percent is the reboot, which is NOT happening automatically, so you get a chance to check the console output before reboot to make sure it is safe to reboot!
The bar will only fill up to 100% once you type the following command:​
fastboot reboot-bootloader (this reboots the device to bootloader)
That's it, you're done. You can now reboot and not see the red text anymore.
If you have any questions or issues, let me know.
FAQ:
Hmm. I find it weird that even when I do CD from the platform-tools folder, I cannot flash the HBOOT.
I keep getting the "cannot load hboot.zip" file. (I renamed to HBOOT.ZIP)
Any suggestions?
Thank you in advance.
Click to expand...
Click to collapse
On Windows?
Windows by default, hides known file extensions. (.zip .txt .png .exe etc,..)
So you probably have the file actually named HBOOT.ZIP.zip
Try removing the visible .ZIP you have it named.
Then try the same command again.
Is there away of getting this working w/o a PC? Don't got a PC ATM and I hate the red text...
Click to expand...
Click to collapse
1.) Download your modified hboot
2.) Rename the file to 0P6BIMG.zip not sure yet of the E8 naming for this, will add when I know.
3.) Put the renamed file on your external_SD (not internal)
4.) Boot into hboot, it should see the file and prompt you to update
5.) After you have updated your hboot, make sure to remove the 0P6BIMG.zip from your external_sd.
Or else it will see the file and prompt you to update, every time you reboot to bootloader/hboot.
BIG THANKS to Scotty123 for requesting me to do this for other devices...
So Thank him too!
Now for my RED TEXT:
Disclaimer​You are aware that writing to the security protected partitions increases your risk to lose the device exponentially.
You understand and agree that i cannot be held responsible for such or any other damages.
The flash process is theoretically safe and tested, however you are the brains behind the wheel and you are solely responsible for the execution of the process.
I will not accept any responsibility. The method itself is developed by Google and HTC, i only provide access and information to it and you execute it.
You understand that you should not do it if you are not willing to accept this risk.
If you plan on reverting to stock-relocked, for any reason:
You should follow the above steps first, but use your own Stock hboot instead. (can be found in your variants current firmware)
Do this before you relock the bootloader.
​
-FAUX LOCKED HBOOTS-
(not really Locked and S-on but appear that way)
Since I initially posted this for the Vzw One:
I had a couple requests for a modified hboot that shows the device as being Locked and S-On, while being completely unlocked and S-Off.
I went ahead and made that as per request and made it for the One Max and Butterfly S as well.
The process is the same as the one I wrote above, with the exception of the filename.
These also have the red text removed, like the No Red Text hboots above.
Faux Locked hboot:
Asia: WWE
Faux Locked Hboot
modelid: 0PAJ31000
cidnum: HTC__044
cidnum: HTC__059
mainver: 1.10.707.1
btype:1
aareport:1
hbootpreupdate:12
​
China: Unicom
Faux Locked Hboot
modelid: 0PAJ20000
cidnum: HTCCN703
mainver: 1.19.1402.13
btype:1
aareport:1
hbootpreupdate:12
​
__________
Enjoy and be careful!!
My hboot thread for the Verizon HTC One (m8)
XDA:DevDB Information
[MOD] Remove Red Text on Splash screen | , Tool/Utility for the HTC One E8
Contributors
santod040
Version Information
Status: Stable
Current Stable Version: All-Carriers
Stable Release Date: 2014-11-08
Created 2014-11-09
Last Updated 2014-11-08

Reserved
I will add more hboots to the OP, as they are provided to me, along with a proper android-info.txt file, or a fastboot getvar all output.
OTApkg's and/or firmware zips are the simplest and safest way of obtaining these files for me.

Reserved

I have sent you firmware and OTA from other model could you update please. Thanks.

ian.anindya said:
I have sent you firmware and OTA from other model could you update please. Thanks.
Click to expand...
Click to collapse
Broke my arm yesterday at work...
Had to have surgery last night.
Just got home from the hospital now.
But as soon as i am able, I will do the others you have sent me.

santod040 said:
Broke my arm yesterday at work...
Had to have surgery last night.
Just got home from the hospital now.
But as soon as i am able, I will do the others you have sent me.
Click to expand...
Click to collapse
I am sorry.
I hope you get well soon.

c:\adb>fastboot flash zip NoRedText_hboot.zip
target reported max download size of 1830014976 bytes
sending 'zip' (462 KB)...
OKAY [ 0.192s]
writing 'zip'...
(bootloader) zip header checking...
(bootloader) zip info parsing...
(bootloader) checking model ID...
(bootloader) checking custom ID...
FAILED (remote: 42 custom id check fail)
finished. total time: 0.747s
Click to expand...
Click to collapse
Found the cause.
Standing Russian CID.
Changed into Chinese and ... everything happened
santod040, :good:

Thanks. i tried and didnt work gives me some error 41.
My E8 is chinese, however i modified it with the indian rom and hav changed the CID & MID to htc__38 and OPAJ40000 respectively as per the thread posted by "ian" and I even tried to use the modified boot and hboot files he recomended and got an error 24. The phone is s-off vis sunshine, rooted and has Twrp recovery 2.8
Please help and advise.
Thanks in advance.

What China E8 version you have? Modified HBoot only available for Unicom if your phone not Unicom version you should not flash it yet until Santod040 release modified HBoot from other version.

M8sw which I assume is unicom by looking at the table you posted

I have OPAJ300 SingleSim ROOTED with BinDroid 1.3 on board and I have this red text on boot screen.I don't have S-Off so no chance to get rid if it ?

Riski3Run said:
I have OPAJ300 SingleSim ROOTED with BinDroid 1.3 on board and I have this red text on boot screen.I don't have S-Off so no chance to get rid if it ?
Click to expand...
Click to collapse
Correct. You must be S-OFF to flash an unsigned HBOOT.

@santod040
Can you make one for HTC__038 0PAJ40000 indian variant too ??
Thanks in advance

HELP
Riski3Run said:
I have OPAJ300 SingleSim ROOTED with BinDroid 1.3 on board and I have this red text on boot screen.I don't have S-Off so no chance to get rid if it ?
Click to expand...
Click to collapse
Hi There,
i have the same model like yours, you wouldn't have the stock boot image or stock recovery by any chance??
Thanks

@santod040
Would be great if you could make one for the Indian version. Here is the stock HBOOT: LINK

buggerman said:
@santod040
Would be great if you could make one for the Indian version. Here is the stock HBOOT: LINK
Click to expand...
Click to collapse
Hi,
You could do by yourself.
Tool : HxD (http://mh-nexus.de/en/downloads.php?product=HxD ).
Red-Text Removed Location :
Hex number : 0x824e0 - 0x825a0
Fake S-ON :
Hex number : 0x9dbf0
Fake LOCKED :
Hex number : 0x82390 - 0x823a0
Zip file content :
Make original backup before test.

ian.anindya said:
Hi,
You could do by yourself.
Tool : HxD (http://mh-nexus.de/en/downloads.php?product=HxD ).
Red-Text Removed Location :
Hex number : 0x824e0 - 0x825a0
Fake S-ON :
Hex number : 0x9dbf0
Fake LOCKED :
Hex number : 0x82390 - 0x823a0
Zip file content :
Make original backup before test.
Click to expand...
Click to collapse
@ian.anindya
Ok, I downloaded the hboot from MEGA link in THIS thread.
The hboot is for versoin 1.26.720.X in hboot section so i guess it is for M8Sd Indians.
I found the red text at 0x82350 - 0x823F0 .
I did not know what exactly to do so i just selected the text, deleted it and saved it.
Now two files are created hboot and hboot.bak , presumably hboot.bak is the original 4MB file and new hboot is 3.99MB file.
Here is the new HBOOT of 3.99MB
I am S-OFF and i want to test it out but i fear it may brick my device since there is a difference in file size and mainly because i dont know what I did was correct
So can any brave soul from India please test it out :fingers-crossed:

iamsuperuser said:
@ian.anindya
Ok, I downloaded the hboot from MEGA link in THIS thread.
The hboot is for versoin 1.26.720.X in hboot section so i guess it is for M8Sd Indians.
I found the red text at 0x82350 - 0x823F0 .
I did not know what exactly to do so i just selected the text, deleted it and saved it.
Now two files are created hboot and hboot.bak , presumably hboot.bak is the original 4MB file and new hboot is 3.99MB file.
Here is the new HBOOT of 3.99MB
I am S-OFF and i want to test it out but i fear it may brick my device since there is a difference in file size and mainly because i dont know what I did was correct
So can any brave soul from India please test it out :fingers-crossed:
Click to expand...
Click to collapse
Hi,
You shouldn't delete but change bit code as per above picture.
Delete make wrong file.
After you change you check on hxd, analysis, compared.
Must be the same as picture different original and modified ones.

ian.anindya said:
Hi,
You shouldn't delete but change bit code as per above picture.
Delete make wrong file.
After you change you check on hxd, analysis, compared.
Must be the same as picture different original and modified ones.
Click to expand...
Click to collapse
Ok I'll do that.
I cannot make out what are in the modified pictures, did you fill that text with blank space or xxxxx ???

Hi,
HBoot india Kitkat loaction on 0x824e7 -0x825aD as shown picture on attachment .
Please check and compare both HBoot files (Original and Modified) to see location before and after modification.
Original HBoot : https://mega.co.nz/#!G4QX1KzA!yJckNwZrdlc0X-Orgtqgb3R7c1WLQszmtw4wtel2bI0
Modofied HBoot : https://mega.co.nz/#!6pIVSBpT!rpKMaJZKrZPz6VIsfHTbS1cleiJdt9EYMH0dpC8vNNQ
1.26.720.6_NoRedText_hboot.zip : https://mega.co.nz/#!n1ZwkKhZ!AhGxFf9HXJUh6vddaeFwC3q0Hw9BV7Zmu2MRRp0Xu5c
Please check bit by bit carefully to make sure file size not changed.
I presume that you know the risk before apply modified HBoot.

[Recovery][Snapdragon][R7S/r7sf] Official TWRP for Oppo R7Sf (3.1.1-0)

Team Win Recovery Project 3.1.1-0
This is for the International Oppo R7S, Snapdragon models only! Do not flash on Mediatek R7Sm models!
WHAT IS TWRP?
Team Win Recovery Project is a custom recovery for Android devices.
It allows you to back up and restore your data, flash custom ROMs to your device, repair broken file systems, and root your device.
DOWNLOAD
You can find the device page here:
https://twrp.me/devices/oppor7sf.html
For Official TWRP Changelog see Official TWRP News page:
https://twrp.me/
Old changelog listing:
CHANGELOG for 3.0.2-2:
-Fix subpartition restore bug (ex: EFS)
CHANGELOG for 3.0.2-0:
-Fix a bug with the input box that affected masked inputs (passwords).
This fixes decrypt of full device encryption on devices that support decrypt.
This bug also impacts encrypted backups. Users are highly encouraged to stop using 3.0.1 if you use encrypted backups or if you need decrypt of data in TWRP.
-Add Greek translation to some builds.
CHANGELOG for 3.0.1-0:
-support new CM 13.0 pattern encryption (sultanqasim)
-fix slow flashing issue due to modprobe (present on only some devices) (#twrp)
-libtar updated to latest upstream and fixes (jcadduono)
-fixes for loading custom themes (_that)
-TWRP will now detect and install TWRP themes automatically through the normal zip install process (Dees_Troy)
-translation updates - added Italian, Czech and Polish and significant updates to Dutch
-progress bar improvements - progress bar updates during image flashing and better tracks progress during file system backups (tar) (Dees_Troy)
-fix input box text display (Dees_Troy)
-reboot option after zip install complete (bigbiff)
-other mostly invisible bug fixes and improvements
CHANGELOG for 3.0.0-0:
-Completely new theme - Much more modern and much nicer looking (by z31s1g)
-True Terminal Emulator - Includes arrow keys, tab and tab completion, etc. (by _that)
-Language translation - It won’t be perfect and especially some languages that require large font files like Chinese & Japanese
won’t be availble on most devices. Also some languages may only be partially translated at this time. Feel free to submit more translations to OmniROM’s Gerrit. (mostly by Dees_Troy)
-Flashing of sparse images - On select devices you will be able to flash some parts of factory images via the TWRP GUI (by HashBang173)
-Adopted storage support for select devices - TWRP can now decrypt adopted storage partitions from Marshmallow
-Reworked graphics to bring us more up to date with AOSP - includes support for adf and drm graphics (by Dees_Troy)
-SuperSU prompt will no longer display if a Marshmallow ROM is installed
-Update exfat, exfat fuse, dosfstools (by mdmower)
-Update AOSP base to 6.0
-A huge laundry list of other minor fixes and tweaks
SOURCE CODE
TWRP: https://github.com/omnirom/android_bootable_recovery (android-6.0)
Device tree: https://github.com/TeamWin/android_device_oppo_r7sf (master)
Thanks! & Contributors!
My wife for her patience love you baby!
Team Win, especially Dees-Troys, MSF, Captain_Throwback
Most of all! Uberlaggydarwin , without you this would not have been possible
As promised I have created a Guide on how to install TWRP permanently on the Oppo R7S. It is attached. See below!
Update: Updated Guide to V3 due to TWRP Update and minor fixes in the Guide.
Counter:
GuideV1.pdf = ~1000 Downloads
GuideV2.pdf = 3700 Downloads
GuideV3.pdf = 2918 Downloads

Does it mean that bootloader is unlocked ?

lapocompris said:
Does it mean that bootloader is unlocked ?
Click to expand...
Click to collapse
You are able to unlock the bootloader. For me it's just not possible to enter twrp. Everytime gets overwritten by color os recovery.

OK. Just tested it on the R7 Lite. It works well. Also, as expected, it has soft keys and the hard keys dont work.

Could anyone point me to a step by step instruction on how to install twrp recovery. Sorry for the novice question. Sorry without Root as I'm on latest 5.1.1 and cannot root with oppo tools.

smokeyrider said:
Could anyone point me to a step by step instruction on how to install twrp recovery. Sorry for the novice question. Sorry without Root as I'm on latest 5.1.1 and cannot root with oppo tools.
Click to expand...
Click to collapse
Just head over to the twrp page. The is an instruction written down. Don't forget to unlock your bootloader.

Hi I have followed the instructions. I can "adb reboot bootloader" and get oppo bootloader screen. When I enter "fastboot flash recovery twrp.img" My phone just reboots to normal and the CMD prompt just hangs "waiting for device". Any assistance appreciated. I have latest 5.1.1 Color OS and Windows 10 machine. Thanks.

Ravikirancg said:
OK. Just tested it on the R7 Lite. It works well. Also, as expected, it has soft keys and the hard keys dont work.
Click to expand...
Click to collapse
if you have root and could provide me with the output of the partition details I can build a TWRP specific for the R7 Lite. if it has not been done yet.
I will need information output of:
ls -l /dev/block/bootdevice/by-name/
and
cat /proc/partitions
you will need to have root and switch to "su" in the shell before entering the commands.

celoxocis said:
if you have root and could provide me with the output of the partition details I can build a TWRP specific for the R7 Lite. if it has not been done yet.
I will need information output of:
ls -l /dev/block/bootdevice/by-name/
and
cat /proc/partitions
you will need to have root and switch to "su" in the shell before entering the commands.
Click to expand...
Click to collapse
Your alive celoxocis!
Do you have some news on twrp for ps, your cm build etc?

MacLaughlin said:
Your alive celoxocis!
Do you have some news on twrp for ps, your cm build etc?
Click to expand...
Click to collapse
CM is still work in progress. I will be leaving tomorrow for a one week getaway. After that I plan to write a PDF guide for those with PS how to install TWRP as PS fastboot allows for bootloader unlocking.

celoxocis said:
CM is still work in progress. I will be leaving tomorrow for a one week getaway. After that I plan to write a PDF guide for those with PS how to install TWRP as PS fastboot allows for bootloader unlocking.
Click to expand...
Click to collapse
I thought you need to update the twrp version? The only problem was twrp didn't get recognized and gets overwritten by color os recovery.

MacLaughlin said:
I thought you need to update the twrp version? The only problem was twrp didn't get recognized and gets overwritten by color os recovery.
Click to expand...
Click to collapse
the overwrite of the coloros recovery only happens if the bootloader is not unlocked.

celoxocis said:
the overwrite of the coloros recovery only happens if the bootloader is not unlocked.
Click to expand...
Click to collapse
But I get a success notification...? Fastboot oem unlock

MacLaughlin said:
But I get a success notification...? Fastboot oem unlock
Click to expand...
Click to collapse
if you do "fastboot OEM unlock" twice. does it show "already unlocked" the second time?

celoxocis said:
the overwrite of the coloros recovery only happens if the bootloader is not unlocked.
Click to expand...
Click to collapse
C:\Program Files (x86)\Minimal ADB and Fastboot>fastboot oem device-info
...
(bootloader) Device tampered: false
(bootloader) Device unlocked: true
(bootloader) Charger screen enabled: false
(bootloader) Display panel:
OKAY [ 0.016s]
finished. total time: 0.016s
C:\Program Files (x86)\Minimal ADB and Fastboot>fastboot oem unlock
...
(bootloader) Device already : unlocked!
OKAY [ -0.000s]
finished. total time: -0.000s
C:\Program Files (x86)\Minimal ADB and Fastboot>fastboot boot twrp.img
downloading 'boot.img'...
OKAY [ 0.811s]
booting...
FAILED (remote: dtb not found)
finished. total time: 0.874s
So the bootloader is unlocked. DTB stands for Device Tree Blob and is a mechanism to pass low level hardware information between bootloader and kernel. So I guess it's just not for PS.
---------- Post added at 07:05 PM ---------- Previous post was at 06:44 PM ----------
celoxocis said:
if you do "fastboot OEM unlock" twice. does it show "already unlocked" the second time?
Click to expand...
Click to collapse
Yes!

MacLaughlin said:
C:\Program Files (x86)\Minimal ADB and Fastboot>fastboot oem device-info
...
(bootloader) Device tampered: false
(bootloader) Device unlocked: true
(bootloader) Charger screen enabled: false
(bootloader) Display panel:
OKAY [ 0.016s]
finished. total time: 0.016s
C:\Program Files (x86)\Minimal ADB and Fastboot>fastboot oem unlock
...
(bootloader) Device already : unlocked!
OKAY [ -0.000s]
finished. total time: -0.000s
C:\Program Files (x86)\Minimal ADB and Fastboot>fastboot boot twrp.img
downloading 'boot.img'...
OKAY [ 0.811s]
booting...
FAILED (remote: dtb not found)
finished. total time: 0.874s
So the bootloader is unlocked. DTB stands for Device Tree Blob and is a mechanism to pass low level hardware information between bootloader and kernel. So I guess it's just not for PS.
---------- Post added at 07:05 PM ---------- Previous post was at 06:44 PM ----------
Yes!
Click to expand...
Click to collapse
I know what DTB stands for I can see that you are on Project Spectrum. The DTB for PS (Marshmallow) is different than that for ColorOS (Lollipop) there fore it is not working. The offical TWRP is based on ColorOS for the mainstream available. Project Spectrum is only available for beta testers. However "fastboot flash recovery TWRP. IMG" should work. To enter TWRP simply hold down volume-down + power button. When I finish CM I will release a TWRP with kernel+DTB based on Android 6.0!

celoxocis said:
I know what DTB stands for I can see that you are on Project Spectrum. The DTB for PS (Marshmallow) is different than that for ColorOS (Lollipop) there fore it is not working. The offical TWRP is based on ColorOS for the mainstream available. Project Spectrum is only available for beta testers. However "fastboot flash recovery TWRP. IMG" should work. To enter TWRP simply hold down volume-down + power button. When I finish CM I will release a TWRP with kernel+DTB based on Android 6.0!
Click to expand...
Click to collapse
Sadly this is not working. I can flash TWRP but if I try to enter TWRP the screen just stays black. At the moment I'm not able to enter recovery, with key buttons. Also Color Os recovery isn't working at the moment.

just reflash PS and you will have stock recovery back. for now CM and new TWRP for CM is not done.

celoxocis said:
just reflash PS and you will have stock recovery back. for now CM and new TWRP for CM is not done.
Click to expand...
Click to collapse
I will flash stock recovery again. Maybe later on the new version of ps.

celoxocis said:
just reflash PS and you will have stock recovery back. for now CM and new TWRP for CM is not done.
Click to expand...
Click to collapse
Okay stock recovery isn't working anymore as well. The screen just stays black. Got exactly the same error as when flashing twrp. Now I'm without a working recovery ???? maybe I can extract the recovery img. from spectrum. See if this is working.

[DEV] Huawei Honor Bee (Y541 - U02) Spreadtrum Secure Boot

Introduction
The System-On-a-Chip the device runs on is enforced with a proprietary secure-boot. Nothing but official images and binaries are accepted to be flashed.​
Background
Booting goes through three stages: bootrom, bootloader and kernel. According to documents about secure boot on these chips is that there is a root certificate existing on the hardware with a chain-of-trust security protocol. Each phase checks the binaries the other contains.
To generate a header, we need a key pair. A key pair consist of a password of exactly eight ASCII characters together with a key of not more than forty-nine characters. In the Spreadtrum document referenced below the key is treated as the product name.
The signing process needs three key pairs found in sig_keys.ini that will be read by RSAKeyGen and generate keys.db. The generated keys.db will always be referenced by the signing tools along with sig_bins.ini which contains the filename inputs and outputs.
Now the first and second key pairs are used to sign fdl1.bin and u-boot-spl-16k.bin with BscGen. Second and third key pairs are used to sign fdl2.bin and u-boot.bin with VLRSign. The last one is used alone to sign boot.img and recovery.img with VLRSign. The RSA + hash of the file is prepended and appended to the first two sets of boot files, and the rest have it only prepended.
In the Spreadtrum document, it stated that only the hash value of the first boot binary, in this case fdl1.bin should match the hash stored in the chip.
Reading through the document some more, it has come to my attention that apparently the hash of the signed boot binary is what the chip holds. It emphasized protection of the key.db because it contains randomly generated RSA for the key pair. I've compared two identical key pair sets and it does what it stated. Losing the key.db means the board is scrapped if it were in manufacturing.
That closes our brute force attack option sad to say.​
Digging Around The Binaries
Having the u-boot binaries on hand I managed to extract two oem commands:
Code:
oem get-psid
oem get-bootinfo
oem get-psid:
Code:
(bootloader) SN:Y541XXXXXXXXXXXX-XXXXX
OKAY [ 0.007s]
Finished. Total time: 0.007s
oem get-bootinfo:
Code:
(bootloader) INFO:unlocked
OKAY [ 0.015s]
Finished. Total time: 0.015s
As you can see its just information commands and yes, the bootloader is unlocked, which is bogus. There was never an unlock code given by Huawei upon contacting them. They said the device isn't supported in the database, which funny enough is true, because there was no oem unlock command to begin with.
I hope I'm wrong, though a few related documents about security itself is that companies do either allow or deny you of control to unlocking. Unless Huawei gives us the key.db we will be going nowhere with brute force method.​
Engineering Mode
One can open the engineering application to debug and show more information about the device by dialing:
Code:
*#*#83781#*#*
The documents stated something about checking if the hash is written on the chip by going to HARDWARETEST tab. My device just says hash value written. Kept our hopes up I know.
Navigating to DEBUG&LOG you will find System Info. Click on that and then click on Version Info.
My device:
Code:
Platform Version: MOCORTM_14B_TSHARK28_HUAWEI_W15.34_P5_Debug
Project Version: sc7731g_CP0_modem
BASE Version: TM_BASE_MP_II_HUAWEI_W16.06
HW Version: sc7731g_CP0_modem
Release Date: 02-18-2016 10:02:37
This might come in handy for finding source codes, and also possibly prevent flashing the wrong firmware.​
Entrypoint
Our only option right now is finding exploits on the bootloader since we do have some of the source codes to base off on. Check the relevant repository link below.​
Final Thoughts
This device is a headache to be honest. I've been scouring everything I could find about it since 2016. Much appreciated if an able body can proceed to help, or just go to Huawei Support and ask them through e-mail.
The instructions for using the signing tool is in the GitHub repository linked below and a related paper for the interested.
In any case this post will continue to be updated.​
Resources
Spreadtrum Secure Boot Tools
Spreadtrum Secure Boot Document (Chinese)
Other Spreadtrum Secure Boot Document (Chinese)
Chipram Repository

Apparently the libefuse shared library in /system/lib displays the hash:
Code:
ef9b361fa1cb9ddbece00c60c5736b8de65f2be8
This accounts for all Y541-U02 variants.