[Noob Guide] How to install nvflash - Asus Eee Pad Transformer Prime

I am currently on a journey to becoming a "know-it-all." I've always been a serial flasher, but other than that, I notice I really don't know much else. In an effort to change that, I am learning as much as I can from the XDA forums (as well as Google searches) and completing NOOB GUIDES along the way. I am a visual learner, so there will be many pics and screen images to guide the noobie more efficiently.
Disclaimer: Proceed at your own risk. I am only responsible for what I do, not what you do. This is just documentation of what I have done.
I want to give a shout out to Rushing, who wanted a noob guide on nvflash. I want to install it too, so let's see what I can do to help. If you read my first Noob Guide on how to recover from a brick, you'll realize that fastboot is not my forte (btw, if I don't fully explain certain things, it's because I have in my first guide... so please go there first if you don't understand, ask questions second). I did some digging and I realized that I probably never really was stuck on fastboot. I just didn't know how to use it. So when the screen states "Starting Fastboot USB download protocol," it is not stuck. This is what it's supposed to look like.
Open up Windows Command Prompt and enter fastboot devices to make sure you see your Prime.
Tip: You can also enter fastboot help for a list of commands.
Now that you have gotten a crash course in fastboot, here is the Tegra3 Guide: nvflash. Note: The instructions are just a tad bit different in this noob guide but the concept is the same. Download the Windows version of the nvflash flash zip, and extract it to the C:\ drive. In the command prompt, enter fastboot flash staging c:\tf201_nvflashpack\ebtblob.bin
This is what your Prime should look like after it finishes.
Enter fastboot reboot in the command prompt. When the Prime reboots, instead of saying "This Device is UnLocked" it should say "AndroidRoot 9.4.2.28r01" in the top left corner. This means you have successfully flashed the AndroidRoot bootloader. Now start up fastboot again. Again, in the command prompt enter fastboot boot c:\tf201_nvflashpack\nvfblobgen.img
It will take approximately 30 seconds, but your Prime will automatically reboot. For some reason, my driver got messed up. I had to update my driver and reboot. (Every time my Prime went to sleep, it disconnected, so I went to Settings --> Developer options --> select Stay awake.)
Now back to the regularly scheduled program. :good: When my Prime rebooted, it showed up on my computer. Navigate to AndroidRoot files by going to: My Computer --> ASUS Android MTP Device --> Internal Storage --> Android Root. There should be 5 files there.
According to the Tegra 3 guide, it states, "** You absolutely must keep these files in triplicate copies -- they are your life-line **" but I have no idea what triplicate copies they are talking about. Update: I got word that it just means save multiple times in multiple places. My guess is 3 times in 3 places. Next, you must boot into NVIDIA APX mode. You can do this by shutting down the Prime while holding the Vol Up button. It will seem like a normal shutdown but it will be connected to your computer.
I opened my command prompt from the nvflash pack folder and entered wheelie.exe which started wheelie. Then I inputted wheelie --blob blob.bin which immediately started to download and my Prime turned on and showed:
I just downloaded NvFlash for Windows
In the command prompt I entered: nvflash --resume --rawdeviceread 0 2944 bricksafe.img then nvflash --resume --read 14 factory-config.img then nvflash --resume --read 7 unlock-token.img
A whole bunch of mumbo jumbo came up each time and I had to hit Enter several times to get back to the point where I could enter commands again. I'm not sure if I did this right. From what I gather, searching the web, I should have saved the imgs to nvflash. But I don't know.
I entered nvflash --resume --go and it didn't reboot, just the same mumbo jumbo. I had to reboot with the power/vol buttons and it rebooted normally.
Hit thanks if I've helped.

tiisai44 said:
I am currently on a journey to becoming a "know-it-all." I've always been a serial flasher, but other than that, I notice I really don't know much else. In an effort to change that, I am learning as much as I can from the XDA forums (as well as Google searches) and completing NOOB GUIDES along the way. I am a visual learner, so there will be many pics and screen images to guide the noobie more efficiently.
Disclaimer: Proceed at your own risk. I am only responsible for what I do, not what you do. This is just documentation of what I have done.
Thank you so much for these very visual instructions. I will install this before going to another ROM... subscribing... keep it up...

First, I think it's great that you're trying to help. However, with fastboot and nvflash, you need to be a bit careful about giving instructions when you're not entirely clear what to do, particularly given the risks if things go wrong. I do, however, think it's great that you are doing guides with practical pictures. A couple of things:
- You twice refer to 'fastboot' as 'flashboot' - that will cause confusion.
- You mention that you don't know what is meant by "You absolutely must keep these files in triplicate copies" - this is nothing to do with a subdirectory called 'triplicate copies'. What it means is that the files that are produced are vital and you should back them up to several places so you don't risk losing them!
- you don't mention downloading nvflash (see this post)
- there are actually very good instructions as to how to use nvflash here, here and here. They include the final set of nvflash instructions that you have not yet included.
Good luck!

Nice guide
If I might make a suggestion, on a Windows based machine, if you open your nvflash folder (where fastboot and adb.exe are), press and hold Shift, right-click in a blank part of the window (folder window) and select "Open command prompt here". Now when you issue commands, either fastboot or adb, instead of using
fastboot boot c:\tf201_nvflashpack\nvfblobgen.img it becomes
fastboot boot nvfblobgen.img
There is less chance of making a typo, saving yourself frustration. Actually, I copy, then right-click in the command window and choose paste; no mistakes this way. Also if you're doing any adb work, if you put the files there (i.e. a ROM to be pushed, for instance), you minimize the path.

apd said:
First, I think it's great that you're trying to help. However, with fastboot and nvflash, you need to be a bit careful about giving instructions when you're not entirely clear what to do, particularly given the risks if things go wrong. I do, however, think it's great that you are doing guides with practical pictures. A couple of things:
- You twice refer to 'fastboot' as 'flashboot' - that will cause confusion.
- You mention that you don't know what is meant by "You absolutely must keep these files in triplicate copies" - this is nothing to do with a subdirectory called 'triplicate copies'. What it means is that the files that are produced are vital and you should back them up to several places so you don't risk losing them!
- you don't mention downloading nvflash (see this post)
- there are actually very good instructions as to how to use nvflash here, here and here. They include the final set of nvflash instructions that you have not yet included.
Good luck!
Thanks so much for the response. I was super tired last night. I tried to finish it but I couldn't keep my eyes open. And obviously was a bit disoriented. I will make those spelling corrections when I get back to my computer. However, I did list the guide "Tegra 3 Guide: flash" which is the same as your 3rd here. Did you mean for the first 2 here's to be the same? I'll take any help I can get. I'm not well versed in adb or fastboot. Like I said in my disclaimer, this is only documentation of what I am doing and how I'm doing it. For example, in my first noob guide, I made a mistake in trying to run adb commands in fastboot. I went back, acknowledged my mistake and listed a guide that is helping me to learn. Do you think it would be better if I write in first person? Something to consider. I am a visual learner so I just wanted to do something that would help others and thought that they might fare better with pics. Regardless, I'm happy with the info you gave and hopefully will put it to good use in just a bit.

Gage_Hero said:
If I might make a suggestion, on a Windows based machine, if you open your nvflash folder (where fastboot and adb.exe are), press and hold Shift, right-click in a blank part of the window (folder window) and select "Open command prompt here". Now when you issue commands, either fastboot or adb, instead of using
fastboot boot c:\tf201_nvflashpack\nvfblobgen.img it becomes
fastboot boot nvfblobgen.img
There is less chance of making a typo, saving yourself frustration. Actually, I copy, then right-click in the command window and choose paste; no mistakes this way. Also if you're doing any adb work, if you put the files there (i.e. a ROM to be pushed, for instance), you minimize the path.
Thank you so much for this. I never knew this. I will add this in a little later when I get to my computer.

Hi guys, I've flashed Hairy Bean 1.2 on my TF201 but now I would go back to CM10, so I would like to know what the commands in APX mode are, or a guide to restore the bootloader and recovery? Please help me, and thanks!

This guide helped, but I had to play around with everything to finally figure out that I was supposed to copy the blob files (the ones referred to as needing to be triplicated) to the nvflashpack directory on C:\ or wherever else you placed it. I know it may be a noob mistake, but you are also making a noob guide, so please include small details such as this.
Thanks a lot for the guide and help!!!

missing files.
I have followed every guide to the letter, but when I make the bricksafe.img and the other two I have no idea where they are saved to. I've looked everywhere on my PC and tablet, but no files. Where are they, or why aren't they copying?

germy said:
I have followed every guide to the letter, but when I make the bricksafe.img and the other two I have no idea where they are saved to. I've looked everywhere on my PC and tablet, but no files. Where are they, or why aren't they copying?
Are you looking for a file called bricksafe.img?

whycali said:
Are you looking for a file called bricksafe.img?
Yeah. I can't seem to find it anywhere. Where is the default location when you use the commands above?
---------- Post added at 06:44 PM ---------- Previous post was at 06:36 PM ----------
OK, I found it. I had to get a program that searches for files in hidden folders. It saved it to a random folder. Are the file sizes bricksafe (about 12 MB), factory-config (about 5 MB), and unlock-token (about 8 MB)?

germy said:
Yeah. I can't seem to find it anywhere. Where is the default location when you use the commands above?
OK, I found it. I had to get a program that searches for files in hidden folders. It saved it to a random folder. Are the file sizes bricksafe (about 12 MB), factory-config (about 5 MB), and unlock-token (about 8 MB)?
As I was corrected by flumpster, bricksafe is one of the files created by this process. Sorry about the mix-up.

whycali said:
bricksafe is not one of the files created by this process. it is used in the process.
blob.bin
blob.txt
bootloader.ebt
create.bct
recovery.bct
are the relevant created files
You are wrong.

flumpster said:
You are wrong.
I stand corrected. I am pretty sure, however, that it does not get created in a "random folder". Thanks for correcting me. Guess that's why this is the noob guide. Color me noobie.
---------- Post added at 11:44 PM ---------- Previous post was at 11:17 PM ----------
germy said:
OK, I found it. I had to get a program that searches for files in hidden folders. It saved it to a random folder. Are the file sizes bricksafe (about 12 MB), factory-config (about 5 MB), and unlock-token (about 8 MB)?
Yes.

whycali said:
I stand corrected. I am pretty sure, however, that it does not get created in a "random folder". Thanks for correcting me. Guess that's why this is the noob guide. Color me noobie.
I'm pretty sure those 3 files get created in the same directory you are running nvflash from with the commands that are given.
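Pulling together the nvflash backup steps from the guide above (the wheelie --blob blob.bin run and the three nvflash --resume --read commands) with the replies about where the images land and the "triplicate copies" advice, here is an added example script. It is not from the original post or from the AndroidRoot/nvflash project. It assumes a POSIX shell with sha256sum or shasum, that nvflash writes the three images into the working directory (as the thread concludes), and that the 2944 units read into bricksafe.img are 4096-byte blocks; that last point is an assumption, chosen because it gives 12,058,624 bytes and matches the "about 12 MB" reported in the thread. The destination paths in the usage comment are placeholders.

```shell
#!/bin/sh
# Added example (not from the original guide or the AndroidRoot/nvflash
# project): pre-flight and backup checks around the wheelie/nvflash steps.
set -e

BACKUPS="bricksafe.img factory-config.img unlock-token.img"
BLOBGEN_FILES="blob.bin blob.txt bootloader.ebt create.bct recovery.bct"

# The guide reads 2944 units starting at offset 0 into bricksafe.img.
# ASSUMPTION: nvflash --rawdeviceread counts 4096-byte blocks, which gives
# 12,058,624 bytes and matches the "about 12 MB" reported in the thread.
BRICKSAFE_EXPECTED=$((2944 * 4096))

# sha256 of one file; works with sha256sum (Linux) or shasum (macOS/BSD).
sha256_of() {
    if command -v sha256sum >/dev/null 2>&1; then
        sha256sum "$1" | cut -d' ' -f1
    else
        shasum -a 256 "$1" | cut -d' ' -f1
    fi
}

# preflight_wheelie DIR: the thread notes wheelie must find blob.bin in the
# folder you run it from, so confirm all five blobgen outputs were copied
# off the tablet's AndroidRoot folder into DIR before entering APX mode.
preflight_wheelie() {
    dir=$1; missing=0
    for f in $BLOBGEN_FILES; do
        [ -s "$dir/$f" ] || { echo "missing: $dir/$f"; missing=1; }
    done
    return $missing
}

# check_backups DIR: nvflash writes the three images into the working
# directory. Fail if any is absent/empty or bricksafe.img has the wrong size.
check_backups() {
    dir=$1; status=0
    for f in $BACKUPS; do
        path="$dir/$f"
        if [ ! -s "$path" ]; then
            echo "MISSING or empty: $path"; status=1; continue
        fi
        size=$(wc -c < "$path" | tr -d ' ')
        if [ "$f" = bricksafe.img ] && [ "$size" -ne "$BRICKSAFE_EXPECTED" ]; then
            echo "SIZE MISMATCH: $path is $size bytes, expected $BRICKSAFE_EXPECTED"
            status=1
        fi
        echo "OK $f $size bytes sha256=$(sha256_of "$path")"
    done
    return $status
}

# replicate_backups SRC DEST...: "triplicate copies" means several places.
# Copy the three images to each DEST and re-hash every copy, so a corrupt
# copy is found now rather than when the tablet is already bricked.
replicate_backups() {
    src=$1; shift
    for dest in "$@"; do
        mkdir -p "$dest"
        for f in $BACKUPS; do
            cp "$src/$f" "$dest/$f"
            if [ "$(sha256_of "$src/$f")" != "$(sha256_of "$dest/$f")" ]; then
                echo "COPY CORRUPT: $dest/$f"; return 1
            fi
        done
        echo "verified copy in $dest"
    done
}

# Usage, from the folder you ran wheelie/nvflash in (destination paths are
# placeholders):
#   preflight_wheelie . && wheelie --blob blob.bin
#   check_backups . && replicate_backups . /media/usbstick/prime /home/me/cloud/prime
```

Run check_backups before you reboot the tablet: a missing or truncated image is cheap to fix while nvflash is still talking to the device, and the printed hashes let you confirm later that a copy on a USB stick is still the one you made.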

Related

Ultimate Noob Rooter [Mytouch Slide]

Making Rooting easier for people, I present to you
Ultimate Noob Rooter
I have built this following the rooting techniques from the following places:
http://forum.xda-developers.com/showthread.php?t=754020
http://wiki.cyanogenmod.com/index.php?title=TMobile_myTouch_Slide:_Full_Update_Guide
By using this method, you agree that you take full responsibility for any actions or consequences
that might happen to you or your phone. Once again, I will not be responsible for anything.
STEPS
Make sure your phone is connected to your PC, if it asks to install drivers just click yes..
1) Download: http://www.fileserve.com/file/M6guyMH
2) Extract the .zip folder named "RootMEnow.zip" anywhere on your computer
3) Open cmd.exe and drag it from the *bottom right corner* to make cmd full screen. (Must be full screen!).
4) on cmd type: root.bat
5) read and follow what it says
6) you're done
----------------------
Some people might get errors saying "missing .dll"
Simply copy the .dll files and place them in these two places on your computer
C:\windows\system
C:\windows\system32
----------------------
Credits go to..
cdsbj6508 (For alllll the testing)
Cyanogen, nbetcher (for the rooting methods)
and me, Xologist
I'm a total noob and this way of rooting my slide was easy and worked GREAT!!!! Thank you Xologist you ROCK!!
Thanks-
One thing you may want to add: users have to cd to the directory that they extract the RootmeNOW.zip in, e.g., if you extracted it into the documents folder, you'd have to open cmd, and type
cd C:\users\usernamehere\documents\rootmenow
and then the commands. Some SUPERnoobs don't know to cd to be able to run a batch file.
MusicMan374 said:
One thing you may want to add: users have to cd to the directory that they extract the RootmeNOW.zip in, e.g., if you extracted it into the documents folder, you'd have to open cmd, and type
cd C:\users\usernamehere\documents\rootmenow
and then the commands. Some SUPERnoobs don't know to cd to be able to run a batch file.
Normally that would be true.. but since I put CMD.exe in that folder, cmd starts at the path of the folder
xologist said:
Normally that would be true.. but since I put CMD.exe in that folder, cmd starts at the path of the folder
Wait.. what?? You are distributing cmd.exe?
I think that MS is not going to be cool with that....
I didn't download the file, so if I've misunderstood then you have my apologies.
JTB
JTownBrewer said:
Wait.. what?? You are distributing cmd.exe?
I think that MS is not going to be cool with that....
I didn't download the file, so if I've misunderstood then you have my apologies.
JTB
What's wrong with sending cmd.exe ?
that's like me sending you a text.txt document.. everyone has it on windows either way..
xologist said:
What's wrong with sending cmd.exe ?
that's like me sending you a text.txt document.. everyone has it on windows either way..
xologist: I appreciate that you have been trying to consolidate information in the MT3GS forums lately and make things a bit more noob friendly, but this comment just blows my mind.
It is in no way like sending a text.txt document. Not sure how you can even make that leap .
Cmd.exe is a proprietary program written by MS and governed by the license under which you have acquired Windows. One of the chief points in that license is that you are not allowed to redistribute, in whole or in part, Windows. Cmd.exe is quite clearly a part of Windows and not allowed to be distributed.
On the other hand, if I were to create a file called Test.txt, I would presumably put some text in there. That is a file I would have created and is therefore mine to do with what I please, as I would be the creator of the work.
You really MUST remove cmd.exe from your download. Not trying to be difficult, just want the forums here to stay legal
JTownBrewer said:
xologist: I appreciate that you have been trying to consolidate information in the MT3GS forums lately and make things a bit more noob friendly, but this comment just blows my mind.
It is in no way like sending a text.txt document. Not sure how you can even make that leap .
Cmd.exe is a proprietary program written by MS and governed by the license under which you have acquired Windows. One of the chief points in that license is that you are not allowed to redistribute, in whole or in part, Windows. Cmd.exe is quite clearly a part of Windows and not allowed to be distributed.
On the other hand, if I were to create a file called Test.txt, I would presumably put some text in there. That is a file I would have created and is therefore mine to do with what I please, as I would be the creator of the work.
You really MUST remove cmd.exe from your download. Not trying to be difficult, just want the forums here to stay legal
alright fine.
I'll fix that.. geez, you guys just try to find errors everywhere
xologist said:
alright fine.
I'll fix that.. geez, you guys just try to find errors everywhere
Lol. Like I said I appreciate what you're trying to do! Just (trying) to keep it from getting removed...
JTB
Stupid question, I know...
However, how easy is it to unroot the device and return to TMo software?
JTownBrewer said:
Lol. Like I said I appreciate what you're trying to do! Just (trying) to keep it from getting removed...
JTB
You're right. It's cool to make things easy for people, but legality is a must. Plus it wouldn't kill noobs to learn how to mount a directory (personally don't think it's rocket science).
Sent from my T-Mobile myTouch 3G Slide using XDA App
During the progress bar, I get a message that says no image, and wrong image. After the progress bar is done, I get this on my screen: Main version is older. Update Fail! Do you want to reboot the device? <vol up> Yes, <vol down> No. Finally I get E: failed to verify whole-file signature. E: verification failed. Installation aborted.
There are two threads devoted to unrooting your phone. Please search.
The easiest way to make it "noob proof" would be to make a batch file (.bat) to cd to the directory and execute the commands for the user instead of including command prompt.
Sent from my T-Mobile myTouch 3G Slide using XDA App
Good, I hope this helps the noobs.
nikol4s said:
The easiest way to make it "noob proof" would be to make a batch file (.bat) to cd to the directory and execute the commands for the user instead of including command prompt.
Sent from my T-Mobile myTouch 3G Slide using XDA App
Doesn't work.
When cmd returns the # (pound sign), the .bat doesn't know what to keep doing.
Not only that, but if someone downloads it to their user folder, there MIGHT be a windows variable for the user directory similar to ~ in linux, but not sure. So you might not be able to do that. Even so, if someone downloaded it to the wrong location after only scanning directions, it would break the whole process and they'd come here whining "HERP FAIL DEV DIS BROKEN HERE HOW2ROOT DERPPPPPPPP".
It'd be all bad, is what I'm trying to say here, lol.
Sent from my T-Mobile myTouch 3G Slide
Or just include a shortcut to cmd using the %SYSTEM variable with a target location of current directory
Sent from my HTC Hero CDMA using XDA App
danaff37 said:
Or just include a shortcut to cmd using the %SYSTEM variable with a target location of current directory
Sent from my HTC Hero CDMA using XDA App
Guys, calm down.. everything has been fixed..
really didn't think it was possible to screw this up...
but i guess, where there's a will, there's a way.
Tried going through the instructions. Kept getting a lot of errors from cmd, but the commands kept going.
Booted back into the white screen with writing, and nothing happened.
4. The device will show a progress bar (can take time), ABSOLUTELY DO NOT POWER DOWN WHILE IT'S STILL FLASHING!!!
that step does not happen, nor any of the ones after it. not correctly, anyway.
what am I missing here?

[HOW TO] ROOT HTC RUBY / AMAZE 4G

This is a very simple device to root.
However if you root this device it will likely void your warranty.
There is no current method of obtaining S-OFF, so don't ask!
Requirements:
PC
Phone
USB Cable
External SDCARD (optional but highly recommended)
Internet Connection
HTC Drivers
Battery with a charge of over 50%
Ability to read
Ability to follow directions
Then you must view the following video!
If you meet these requirements then proceed to post #2.
Step #2 - Unlocking your bootloader
Copied from this thread by Revolution
Go to HTCDev.com
Make an account here, then go to this link and follow all the instructions, but make sure you go to this link; it doesn't show us as a supported device but this works for all devices; me & crackeyes have tried this.
Go to this link after that: here, follow all the steps; below will be my version.
1) Remove and reinsert the battery.
2) Press Volume Down and Power to start the device into Bootloader mode.
3) Use the Volume buttons to select up or down. Highlight Fastboot and press the Power button.
4) Connect the device to the computer via a usb cable
5) Make a folder in c:\ called Android & then put the files from your Android SDK there, such as
adb.exe
AdbWinApi.dll
fastboot.exe
6) Open up command prompt. ( Start > Run > Type CMD,). The window that appears is called Command Prompt.
7) Navigate to where you unzipped the ZIP file and go to the folder you just created (For Example: If you created the folder in C:\Android, then you would type in Command Prompt: cd c:\Android).
8) Type in Command Prompt: fastboot oem get_identifier_token.
9) You will see a long block of text. Copy and paste this text into the token field below (in the command prompt: Right Click > Mark > highlight the block of text > Right click to copy).
10) Paste this string of text into the token field and hit Submit in order to receive your unlock code binary file. You will receive this information in your email.
Example:
11) On the bottom of http://www.htcdev.com/bootloader/unlock-instructions/page-3, please input your results, and if it says failed keep on trying and it will go through.
Straight from HTCDev.com, & NOTE: THIS WILL VOID YOUR WARRANTY
You are about to start the process of unlocking your device. Unlocking your device allows you to install custom Operating Systems (“OS”) onto your device. Custom OS’s are not tested as thoroughly as your original OS, and unlocking your device may void all or parts of your warranty. HTC disclaims any and all liability for proper functioning of your device after the bootloader has been unlocked and for data lost in the unlocking process. To prevent unauthorized access to your data, unlocking the bootloader will delete all personal data from your device including applications, text messages and personalized settings.
Once you have unlocked your bootloader you can make changes to your /system partition.
The majority of you will probably never need to do this. This is because most developers use flashable zip files that will do everything for you. These files are flashed from Recovery Mode.
Let's move on to step #3
Step #3 - Installing Custom Recovery
Now that you have unlocked your bootloader you can now obtain root.
The easiest way to do this would be by installing a custom recovery.
I created a simple bat script that should update your recovery for you.
Boot up your phone and connect it to your computer by usb cable.
Go to Settings --> Applications --> Development.
Check USB debugging.
Unzip the attached file and run the Flash.bat file as Administrator.
Your phone should reboot and go to a white screen.
It should update the recovery for you automatically and reboot.
Now you should have yourself a custom recovery.
If by chance you decide that you would like to revert to the custom recovery then use the same technique with the STOCK_RECOVERY_FLASHER.zip file.
If a .bat script isn't your thing then try this thread: [TOOL] HTC Amaze 4G All-In-One Toolkit by Hasoon2000
Step #4 - ROOTING!
Now that you have your custom recovery installed it's time to flash root onto your phone.
Download a custom rom from the Development section or the HTC Amaze ROM Bible and store the zip onto your external sdcard.
If you do not want a custom rom but just want root simply download the attached Superuser-3.0.7-efghi-signed.zip file.
If you do not have an external sdcard then store it onto your internal sdcard.
The custom recovery from step #3 will default to an external sdcard if it's detected.
If the custom recovery from step #3 does not detect an external sdcard then it should default to your internal.
Now there are a couple different ways to reboot to recovery. The best way is to open the command prompt and navigate to either of the directories from posts 1 or 2 that contain the adb.exe file.
For example this is from post #2.
If you stored it to your desktop directory then it would be something like:
C:\Users\Binary100100\Desktop\RecoveryInstallerForNoobs
so you may have to enter:
cd Desktop\RecoveryInstallerForNoobs
Now enter "dir" into the command prompt and press Enter and you should see something like:
c:\Users\Binary100100\Desktop\RecoveryInstallerForNoobs>dir
Volume in drive C has no label.
Volume Serial Number is 4850-996B
Directory of c:\Users\Binary100100\Desktop\RecoveryInstallerForNoobs
01/03/2012 05:04 PM <DIR> .
01/03/2012 05:04 PM <DIR> ..
11/08/2011 02:50 PM 366,661 adb
11/08/2011 02:50 PM 410,942 adb.exe
11/08/2011 02:50 PM 96,256 AdbWinApi.dll
11/08/2011 02:50 PM 60,928 AdbWinUsbApi.dll
11/08/2011 02:50 PM 127,435 fastboot
11/08/2011 02:50 PM 356,009 fastboot.exe
12/27/2011 12:37 AM 128 Flash.bat
12/27/2011 12:32 AM 5,187,584 recovery-cwm-ruby-5.0.2.7.img
8 File(s) 6,605,943 bytes
As long as you see adb, adb.exe, AdbWinApi.dll and AdbWinUsbApi.dll you should be good to go.
Now without leaving the command prompt enter:
adb reboot recovery
Your phone should reboot and you should be looking at your recovery.
If for whatever reason you couldn't get access to recovery then go back to bootloader mode.
Remove the battery and put it back in. This is to make sure the device is completely powered off. Hold the Volume Down button while pressing power to get back to hboot mode. Just like step #1. Now if you don't see Recovery in the list then select BOOTLOADER. You should now see RECOVERY. Select that and your phone should reboot to recovery from there. Now that I know you're in recovery... let's move on.
From here you can flash your custom rom or root files.
Use the volume rocker buttons to move the highlight up and down the menu and highlight "Install zip from sdcard" then press the power button to select.
Now "choose zip from sdcard" then press power button again.
Highlight the downloaded custom rom or the Superuser-3.0.7-efghi-signed.zip file and press power again. From here I think you have the idea.
Select the appropriate zip file and press the power button to install.
Now you can go back and then select "reboot system now" and let your device boot up.
Check the app drawer and make sure you have an app called SuperUser. If you have this app then you now have root.
If you followed the instructions like you were supposed to you should be fully rooted and unlocked the full potential of your HTC Amaze 4G phone.
Feel free to post your questions and comments here in this thread.
PLEASE! don't send me private messages asking for help. I just spent two hours making this as simple as I could to save me from all of the help requests. If you have problems then post in this thread and make sure to reference the step that you're having issues with.
Example:
Problem with Step #1 I can't follow directions. Someone do it for me. I'll be willing to pay $10,000,000 to have root.
Then I'm sure you will get plenty of help.
Remember to hit the thanks button to show your appreciation.
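As an added example (not part of the original post, and not HTC's or the toolkit's code), the following shell functions cover two places in the steps above where people trip: pulling the identifier token block out of the fastboot output in step 8, and checking the recovery image and the attached device before the flash that the guide's Flash.bat automates (assumed here to be a fastboot flash recovery of the listed image). It assumes HTC's fastboot output marks the token with "<<<< Identifier Token Start >>>>" and "<<<< Identifier Token End >>>>" lines, each prefixed by "(bootloader) "; the FASTBOOT and DRY_RUN variables are this script's own conventions, not fastboot options.

```shell
#!/bin/sh
# Added example, not from the original post or from HTC: small checks
# around the unlock-token and recovery-flash steps above.
# ASSUMPTIONS: `fastboot oem get_identifier_token` brackets the token with
# "<<<< Identifier Token Start >>>>" and "<<<< Identifier Token End >>>>"
# lines and fastboot prefixes oem output lines with "(bootloader) ";
# FASTBOOT and DRY_RUN are this script's own knobs, not fastboot options.
set -e

# extract_token: read raw fastboot output on stdin and print only the token
# block (markers included, since HTCDev's form expects them) with the
# "(bootloader) " prefix stripped; exit 1 if no complete block was seen.
extract_token() {
    awk '
        /Identifier Token Start/ { inblock = 1 }
        inblock { sub(/^\(bootloader\) */, ""); print }
        /Identifier Token End/   { if (inblock) found = 1; inblock = 0 }
        END { exit found ? 0 : 1 }
    '
}

# count_devices: read `fastboot devices` or `adb devices` output on stdin
# and print how many usable devices it lists. adb's header line, daemon
# chatter, and "unauthorized"/"offline" entries are not counted.
count_devices() {
    awk 'NF >= 2 && $1 != "List" && $1 != "*" && $2 != "unauthorized" && $2 != "offline" { n++ }
         END { print n + 0 }'
}

# flash_recovery IMG: refuse to flash when the image is missing/empty or
# when anything other than exactly one device is in fastboot, which is the
# usual way the wrong phone gets flashed. DRY_RUN=1 only prints the
# command; FASTBOOT overrides the binary (the tests use a fake).
flash_recovery() {
    img=$1
    fb=${FASTBOOT:-fastboot}
    if [ ! -s "$img" ]; then
        echo "recovery image missing or empty: $img" >&2; return 1
    fi
    n=$("$fb" devices | count_devices)
    if [ "$n" -ne 1 ]; then
        echo "expected exactly one fastboot device, found $n" >&2; return 1
    fi
    if [ "${DRY_RUN:-0}" = 1 ]; then
        echo "would run: $fb flash recovery $img"
    else
        "$fb" flash recovery "$img"
    fi
}

# Usage (step 8 above, then the recovery flash from step #3):
#   fastboot oem get_identifier_token 2>&1 | extract_token > token.txt
#   DRY_RUN=1 flash_recovery recovery-cwm-ruby-5.0.2.7.img   # check first
#   flash_recovery recovery-cwm-ruby-5.0.2.7.img
```

The 2>&1 in the usage line matters because fastboot writes the bootloader's replies to stderr; without it extract_token sees nothing and exits non-zero, which is the same signal you get when the phone is not actually in fastboot mode.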
Thanks, was wondering where the old sticky thread went!!! Hopefully less questions with this one... it's much more clear.
seansk said:
Thanks, was wondering where the old sticky thread went!!! Hopefully less questions with this one... it's much more clear.
Which is exactly why I made it. Unfortunately the members that just got the device couldn't use the old PH85IMG.zip method because of the Main Version Older error and they couldn't use the tool that xboarder56 made because I had to remove it per request. I didn't want to make a tool that would do everything because then they would never learn for themselves. So I feel that this is a healthy balance.
Binary100100 said:
Which is exactly why I made it. Unfortunately the members that just got the device couldn't use the old PH85IMG.zip method because of the Main Version Older error and they couldn't use the tool that xboarder56 made because I had to remove it per request. I didn't want to make a tool that would do everything because then they would never learn for themselves. So I feel that this is a healthy balance.
Good idea. I am having lots of flashing problems since 1.3 too. I didn't want to unlock it and I OTA'd... but then couldn't stand the bloatware and wanted more... now I'm having all kinds of problems, including kernel. So now if you could help me with the kernel, I posted a question in the general section; I'm kind of a semi-noob with kernels!!!!! lol
seansk said:
good Idea I am having lots of flashing problems since 1.3 too, I didn't want to unlock it and I OTA'd...but then couldn't stand the bloatware and wanted more...now I'm having all kinds of problems, including kernel. so now If you could help me with the kernel, I posted question in general section, I'm kind of a semi-noob with kernels!!!!! lol
Give me the link to your question and I'll do what I can to help.
Do you have access to fastboot and an unlocked bootloader?
Binary100100 said:
Give me the link to your question and I'll do what I can to help.
Do you have access to fastboot and an unlocked bootloader?
Yes, I'm familiar with all that stuff..unlocked and can get into fastboot. custom recovery is intact as well. here's the link: http://forum.xda-developers.com/showthread.php?t=1424757 post 8 and this almost the same http://forum.xda-developers.com/showthread.php?t=1328141&page=10 post 92....thanks you much in advance
Great job on this Binary!
IF PEOPLE HAVE PROBLEMS...you can always message me as well. BUT MAKE SURE TO READ AND FOLLOW DIRECTIONS FIRST...I am very familiar with all these procedures as well, just to take a load off binary and xboarder's backs...
seansk said:
IF PEOPLE HAVE PROBLEMS...you can always message me as well. BUT MAKE SURE TO READ AND FOLLOW DIRECTIONS FIRST...I am very familiar with all these procedures as well, just to take a load off binary and xboarder's backs...
Thank you very much! I don't have time to be 24/7 tech support.
jimczyz said:
Great job on this Binary!
Agreed. I wish this thread had been here when I rooted. It would have saved my hunting through 3 or 4 threads and trying to piece things together myself. Of course, I probably learned more that way.
marleyfan61 said:
Agreed. I wish this thread had been here when I rooted. It would have saved my hunting through 3 or 4 threads and trying to piece things together myself. Of course, I probably learned more that way.
I always encourage people to never stop learning.
When I see a script I like to open it up and see what's inside.
Knowing how things work is a great way to learn for yourself.
Before you know it, you'll be making guides like this! At the very least you'll be the A instead of the Q if you know what I mean.
Binary100100 said:
I always encourage people to never stop learning.
When I see a script I like to open it up and see what's inside.
Knowing how things work is a great way to learn for yourself.
Before you know it, you'll be making guides like this! At the very least you'll be the A instead of the Q if you know what I mean.
We both have the same curiosity Binary...I always open random files and probably break things before I fix them lol...my first computer was a Packard Bell 486 DX2 66 in 1993 I think. I learned everything I know by myself...including a lot of DOS which we still use today for Android. Good old Windows 3.1
Thanks a million!
I had lost my root to the most recent OTA update from T-Mo, obviously I'm a noob when it comes to root only, everything else electronic-wise I've got the hang of. I'm not the type of person that likes things handed to me; I prefer being given the basics and expanding my knowledge from there, knowledge is a beautiful thing! I'm back rooted and again thanks for this post!
andyb0308 said:
I had lost my root to the most recent OTA update from T-Mo, obviously I'm a noob when it comes to root only, everything else electronic-wise I've got the hang of. I'm not the type of person that likes things handed to me; I prefer being given the basics and expanding my knowledge from there, knowledge is a beautiful thing! I'm back rooted and again thanks for this post!
I'm glad that you found it helpful.
May be a noob question, but I'm wondering, since I use my phone's hotspot to get internet on my laptop, if I can do this without the SIM card in the Amaze, while using my other phone's hotspot? I've searched and found no mention of this. Thanks for the great guide.
Marquis63 said:
May be a noob question, but I'm wondering, since I use my phone's hotspot to get internet on my laptop, if I can do this without the SIM card in the Amaze, while using my other phone's hotspot? I've searched and found no mention of this. Thanks for the great guide.
As long as you have a PC connected to download the required files.
Sent from my HTC Amaze 4G using xda premium

[Q] Asus Prime bricked (Type 3): Donation if you can help me

Welp, after spending over 26 honest-to-God hours researching a "cure" for this, I am still without a solution. I hope a kind soul will be able to guide me to the light, because I have been unable to find it on my own.
I am going to try to be as thorough as possible, if for nothing else than doing a mental checklist to see if I missed some obvious step along the journey. Also, maybe a keen observer will be able to spot what I'm doing wrong.
So,
My Asus Prime is bricked. I'm stuck on scenario 3 (according to this post: http://forum.xda-developers.com/showthread.php?t=1514088&)
In chronological order, here's what happened:
1. I'm running Virtuous Prime 1.0
2. I flash ClockworkMod Recovery Touch v5.8.1.8
3. I rebooted into recovery and wiped data/factory reset, cache, dalvik cache
4. I performed a backup of my old ROM
5. I flashed a new ROM, then hit 'reboot system now'
6. I'm stuck at the Asus logo screen; Android won't boot.
I am able to access recovery and activate Fastboot mode; definitely scenario 3.
Then, also in chronological order:
1. I restarted the tablet, pressed the up volume key and accessed the other menu with 3 options
2. I hit the 'wipe data' option
3. Try to boot Android
4. Still stuck at the 3 option screen
From what I read, this situation is likely the result of ClockworkMod Recovery flashing a bad kernel. Supposedly, it can be fixed by flashing a 'good' kernel via fastboot, which requires both a "stock kernel" and a more recent ClockworkMod Recovery image.
I downloaded the SDK package and downloaded pretty much everything, including the USB drivers. I downloaded a stock kernel called stock_9.4.2.21_kernel-signed and a CWM recovery image and placed them inside the "tools" folder.
I opened a command window and while having the tablet plugged in, typed 'adb devices'. I get 'List of devices attached' but then a blank space.
Here's what happened next:
1. I re-plugged the tablet, in Recovery mode, into my AMD x64 Windows 7 PC and got a "USB device not recognized" message.
2. I went to Device Manager and under "Universal serial bus controllers" I see a yellow triangle mark besides an "unknown device" option.
3. Right click on "unknown device" and try to update the drivers manually using the Universal_Naked_Driver_Beta_0.6.1
4. When I select the folder in which the drivers are located Windows gives me a message of "the best driver software for your device is already installed". Back to step 3.
5. I try "let me pick from a list of device drivers on my computer" and hit "have disk option"
6. Upon choosing the android_apxusb file inside the universal naked drivers folder, I get the following error: "the folder you specified doesn't contain a compatible software driver for your device (...) make sure it is designed to work with Windows for x64-based systems."
7. Try again this time choosing file android_apxusb; same error.
I heard that some Windows 7 x64 users are having issues installing drivers; that may be my case too. I, however, don't have access to any other Window or Macs or Linux PCs in my house. Still, if this is the issue, then I might try redoing things in a different PC at a friend's house or something.
Bottom line? I think I know what to do, but I can't install the universal naked (nor the official Asus Prime) drivers. What now? Is there an easy fix for Brick scenario 3?
I have read God knows how many discussions on the subject, but I haven't been able to find a solution to my issue. I got no support from Freenode #asus-transformer; some ops were even downright rude. Any help is greatly appreciated.
For what is worth, I'll be donating $50 to whoever is able to help me navigate through this issue and get my tablet back and running.
Thanks again for reading this far.
TL;DR: I bricked my Prime and I'm stuck in scenario 3. I will donate $50 dollars to whoever can help me unbrick it.
Hey,
try to get a Live CD like Ubuntu.
Get the Linux files from the ViperMOD thread. It includes the "adb" executable.
Try to get ADB running there.
Go to the freenode IRC Channel "#asus-transformer" on Freenode (http://webchat.freenode.net/?channels=asus-transformer) and ask for help like described in the unbrick thread!
Greetz
Edit: No need for donate!
hanzo001 said:
3. I rebooted into recovery and wiped data/factory reset, cache, dalvik cache
4. I performed a backup of my old ROM
In that order? So you backed up an empty rom?
You don't mention; do you have valid nandroid backup? Can you restore it?
Do you have a rom zip on your device? What happens if you wipe and re-flash?
I would suggest a couple of options.
I notice that you have not once (according to what you have written) formatted /System. If you still have a good ROM on your memory card that is flashable, I would format all partitions in recovery (/System, /Cache, /Staging and /Data) and then reflash the ROM.
You could also try an advanced restore and flash only the boot image from your nandroid.
Also, I have to agree with chrischdi, there is no need for a bounty for this. Your problem is one of the reasons we are all here in the first place.
Thanks for your answer; I'll answer yours
djmcnz said:
In that order? So you backed up an empty rom?
You don't mention; do you have valid nandroid backup? Can you restore it?
Do you have a rom zip on your device? What happens if you wipe and re-flash?
1. Yes, in that order; I backed an empty ROM
2. No, I don't have a valid nandroid backup (go figure; just this single freaking time I forgot to backup before wiping data/cache/dalvik cache)
3. No other ROM on my device. I had a new ROM when I performed the flashing, but when I got to the point where I hit "delete data" in the 3-option menu, I lost everything on the SD card
4. When I wipe and reflash I'm stuck on the same loop. Maybe flashing a 'good' ROM will fix it; the issue is, my PC doesn't know what I'm plugging in when I connect the tablet to it.
Thank you for your support
Thank you, I'll try a Live CD. I'm downloading now even as we speak.
When that's finished, I'll grab the Linux files.
I guess that sort of confirms my hypothesis that my main issue is with Windows... *sigh* WINDOWS!
I tried getting help from freenode's #asus-transformer in the past, but... lets say that on the overall my experience could have been better. I'll try again later tonight, where hopefully I'll be able to talk to RaYmAn, a volunteer in the original Diamonback post who is offering supports to users in my specific situation.
By the way, thanks for pointing me with a clickable link to the IRC chat; I've never used IRC before in my life, and getting it to work, dumb as it may sound, took me quite a while to figure out. Thank you again for your help and support!
chrischdi said:
try to get a Live CD like Ubuntu.
Get the Linux files from the ViperMOD thread. It includes the "adb" executable.
Try to get ADB running there.
Thank you for your answer. It is really nice to have a helpful person around; like I mentioned in my OP, my experience on freenode's #asus-transformer chat was a bit... discouraging. I figured most would want some form of payment for their time, but here you both are, proving that there is kindness in this world.
I'll address your comments:
1. I did wipe /System; after NOTHING I tried on recovery worked, I did manual wiping of everything, trying to boot each time; similar results.
2. I do not have a good ROM on the memory card. Before doing the 'wipe data' from the 3-option menu, re-flashing a good ROM did no good nevertheless. From here is where I started suspecting that it was the fault of CWM not flashing a proper kernel.
3. I tried the advanced restore as well, and like in #1, I tried rebooting each time, just to make sure it would work. But it didn't.
Thank you again for your support. It feels great to know there's someone backing you up out of the goodness of their heart.
Right now I'll try to redo my steps from a Live CD Linux environment; hopefully that'll work. Freaking Windows...
Doktaphex said:
I would suggest a couple of options.
I notice that you have not once (according to what you have written) formatted /System. If you still have a good ROM on your memory card that is flashable, I would format all partitions in recovery (/System, /Cache, /Staging and /Data) and then reflash the ROM.
You could also try an advanced restore and flash only the boot image from your nandroid.
Also, I have to agree with chrischdi, there is no need for a bounty for this. Your problem is one of the reasons we are all here in the first place.
Thanks for your support, guys
I just wanted to shout out a big thanks to the great people who have offered me suggestions regarding this issue. I'll re-do my steps this time from inside the Live CD version of Ubuntu later tonight, and I will update.
Best regards,
me
hanzo001 said:
I just wanted to shout out a big thanks to the great people who have offered me suggestions regarding this issue. I'll re-do my steps this time from inside the Live CD version of Ubuntu later tonight, and I will update.
Best regards,
me
Hope it works out for the best, life is better with a little Nix in it.
What if you load a ROM like AOKP onto an external SD then flash that? That flashes everything you would need. Then if you want to go back to Virtuous you could restore the stock boot img. I'm tired and I'm probably not understanding the issue correctly, so forgive me if that is indeed the case.
Sent from my MB870 using xda premium
CadenH said:
What if you load a ROM like AOKP onto an external SD then flash that? That flashes everything you would need. Then if you want to go back to Virtuous you could restore the stock boot img. I'm tired and I'm probably not understanding the issue correctly, so forgive me if that is indeed the case.
Sent from my MB870 using xda premium
You cannot use an external SDcard with any version of CWM for the Prime.
CadenH said:
What if you load a ROM like AOKP onto an external SD then flash that? That flashes everything you would need. Then if you want to go back to Virtuous you could restore the stock boot img. I'm tired and I'm probably not understanding the issue correctly, so forgive me if that is indeed the case.
Sent from my MB870 using xda premium
Thanks for the thought. I tried that too; for some reason, ClockworkMod Recovery won't read the SD card at all!
Linux
[Update]
In general, this could be going better.
I finally got Ubuntu.
I plugged in the tablet while (the tablet is) on recovery mode, and nothing happens.
I was expecting a pop-up menu, or a notification somewhere acknowledging that I connected a device to the PC, but nothing. I'm just going to assume that Linux somehow knows.
I then downloaded the Android SDK for Linux, unzipped it, and there's no executable file inside. I'm supposed to download the rest of the files via the terminal, apparently, but this one doesn't work like its Windows counterpart either, so I have no clue what to do now.
Jesus...
Bottom line: I'm in Linux, I downloaded the Android SDK, the universal naked drivers and a stock kernel. Now what?
Try to get ADB running in the recovery mode.
In the files of ViperMOD are the executables. Just open up a console / shell and go to the directory via the "cd" command.
Then in the ViperMOD directory execute "sudo ./adb shell" to try the adb connection.
If the adb connection is ok, mount the sdcard via Recovery Menu and then push a file / rom to the sdcard.
For example with the command:
"sudo ./adb push /media/rom.zip /sdcard/"
(I don't know if this are the correct paths.)
Greetz
Thank you, Chris.
While on the terminal, I'm inside the ViperMOD folder. Whenever I try to execute "sudo ./adb shell" I get this: "sudo ./adb: order not found"
The tablet is plugged in, and in recovery mode.
I haven't installed Java nor the Android SDK because I haven't figured out a way to do it --why can't Linux be double-click action-oriented? *sigh* Anyway, does not having those things installed have something to do with the answer I'm getting from the Terminal?
If so, how in the world do I install them?
I'm never using Touch Recovery again, my word.
Thanks in advance.
Hey,
are you sure that there is "order not found?"
Try the command "ls" to see what files are available. If there is one, called "adb" you are in the right directory. If there is no "adb" then you have to move to the right directory.
Maybe you could try a "chmod +x adb" first and then execute "sudo adb shell" or such if you are in the right directory.
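As an added example for the adb steps in this thread (not code from chrischdi, ViperMOD or the Android SDK), here is a small POSIX shell pre-flight that does the `ls` / `chmod +x adb` check, reads the `adb devices` output for the recovery state, and only then builds the push command. The directory, ROM path and the function names `check_adb_binary`, `device_state` and `push_command` are my own assumptions.

```shell
#!/bin/sh
# Pre-flight for pushing a ROM to a Transformer Prime sitting in CWM recovery
# from a Linux live session.  Assumed layout: a directory holding the Linux
# `adb` binary (the ViperMOD folder in the thread) and a ROM zip on the PC.

# 1. Will `./adb` run at all?  "command not found" / "No such file or
#    directory" after `./adb` means the file is not in the current directory
#    or lacks the execute bit, which is what `ls` and `chmod +x adb` fix by hand.
check_adb_binary() {
    dir="$1"
    if [ ! -f "$dir/adb" ]; then
        echo "missing: no adb in $dir (check with ls; cd into the ViperMOD folder)"
        return 1
    fi
    if [ ! -x "$dir/adb" ]; then
        echo "not-executable: run chmod +x $dir/adb"
        return 2
    fi
    echo "ok"
}

# 2. Interpret `adb devices` output.  Every line after the header is
#    "<serial><TAB><state>".  An empty list means the PC never saw the tablet
#    (cable, USB driver or udev problem); "recovery" is the state we need for
#    `adb push`; "device" means Android booted; "offline" / "unauthorized"
#    mean the link exists but adb cannot use it yet.
# Prints the state; returns 0 only when exactly one device is in recovery.
device_state() {
    printf '%s\n' "$1" | awk '
        /^List of devices/ { next }      # header line
        /^\*/              { next }      # "* daemon not running ..." chatter
        NF >= 2            { n++; state = $2 }
        END {
            if (n == 0) { print "none";     exit 1 }
            if (n > 1)  { print "multiple"; exit 2 }
            print state
            if (state != "recovery") exit 3
        }'
}

# 3. Build the push command only after the local ROM file actually exists
#    (the thread itself was unsure whether /media/rom.zip was the right path).
#    sudo is kept because that is how the thread runs adb on the live CD.
push_command() {
    dir="$1"; rom="$2"
    if [ ! -f "$rom" ]; then
        echo "rom not found: $rom" >&2
        return 1
    fi
    printf 'sudo %s/adb push %s /sdcard/\n' "$dir" "$rom"
}

# Whole sequence against a real tablet; prints the push command to run next.
preflight() {
    dir="$1"; rom="$2"
    check_adb_binary "$dir" || return $?
    state=$(device_state "$(sudo "$dir/adb" devices)") || {
        echo "device state: $state (want: recovery; mount /sdcard in CWM first)" >&2
        return 1
    }
    push_command "$dir" "$rom"
}

# Guarded so that sourcing this file without a tablet attached runs nothing:
#   VIPERMOD_DIR=~/ViperMOD ROM_ZIP=~/rom.zip sh preflight.sh
if [ -n "${VIPERMOD_DIR:-}" ] && [ -n "${ROM_ZIP:-}" ]; then
    preflight "$VIPERMOD_DIR" "$ROM_ZIP"
fi
```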
This is going to sound like a stupid question and sorry if it does, but you can access ClockworkMod still, right? What happens when you try to flash back your backup? This is important because I had an error sort of like yours that no one could solve here; want to make sure it's what happened to me. When I tried to restore the original ROM it would get to the part where it was restoring the data partition and then error on me, "error reading file" or something like that. If that's what you see I know the answer, or at least how I fixed mine.
push a rom
Read Nilsonf's post about how to adb push a ROM to CWM; you get a stock rooted ROM.
And adb push the blob file, then run the dd command, unmount staging, mount data.
This is what fixed mine, and it looks like it fixed Nilsonf's also.
Was this ever resolved? I have the same issue and it looks like I've been through many of the same steps as you've gone through. If you were able to do anything to fix it, please let me know.
I would even up the reward to $100.
Just thinking
Why don't you get someone else's CWM backup and adb push it to the device and restore it from that?

[HOW TO] beaups Moonshine S-OFF exploit for linux/android noobs

How to for n00bs:
Beaups Moonshine S-OFF for the Droid DNA
(Note: This guide will assume that you are complete noob with android and linux, BUT that you are not too dense to google basic things and infer basic differences between PC setups)
YOU WILL NEED:
1 Laptop or Desktop with internet access
1 32bit Linux (Ubuntu or Mint preferred, Mint to be used in this guide) liveUSB or liveCD (liveCD preferred, and what will be covered in this guide)
1 Stock Droid DNA with the 2.06 firmware update (2.04 is reported to work, but more success seems to be had with the updated firmware) WITH AT LEAST 80% BATTERY LIFE
1 Factory HTC/Droid micro-usb (Or any cable you know will work with ADB)
Prepping your computer:
1: Burn a liveCD of your linux distro of choice. Mint is my choice due to having great out of the box compatibility with hardware.
2: Insert liveCD into your PC, turn it on (or reboot), and enter boot menu (typically esc, f8, or f12 pressed during start up) and select “Boot from CD Drive”.
3: Allow liveCD to boot, it may take some time depending on the speed of your hardware. This is good time to prepare your phone for shining.
Prepping your phone:
1: Update to the 2.06 firmware update, if you have not already. If you cannot OTA, you can find guides to flash said firmware update elsewhere on XDA
a: If you are unsure what firmware you are on, go to “Settings”, “About”, and “Software Information” and it will have your firmware listed.
2: Disable any sort of screen lock. Image lock, facelock, pin lock, doesn't matter, it MUST BE DISABLED FOR THIS TO WORK
3: Disable “Fastboot”. “Settings”, “Battery”, UNCHECK “Fastboot”
4: Enable USB Debugging. “Settings”, “Developer Options”, “USB Debugging”
5: Boot into fastboot (turn off phone, reboot holding down POWER button and VOLUME DOWN button simultaneously). Select “Factory reset”. Allow phone to reset and reboot. Go back into settings, repeat steps 2 and 3 if necessary.
Downloading, unpacking, and executing moonshine.
1: On your live linux session, that is connected to the internet, go to www.moonshine.io
2: READ EVERYTHING
3: READ EVERYTHING AGAIN
4: Download the .tgz file relevant to your device (for most of us this will be the Verizon DNA file “moonshine_dlx_2.06.605.1.tgz”)
5: Go to the folder your .tgz was just downloaded to. This should be your “downloads directory”
6: Right click anywhere in your download directory and select “Open in Terminal”
7: Extract the moonshine .tgz by typing out the following command into terminal “tar -zxf moonshine_<device>_<version>.tgz” For the Verizon DNA this will be “tar -zxf moonshine_dlx_2.06.605.1.tgz”
Your download directory should look like this when done
(Unfortunately, after this, the iPhone I was using to take pictures died, so there are no more pictures after this, but everything is very straightforward)
At this time plug your phone (which has been factory reset, rebooted, and all things listed in the “phone prep section” have been double checked) into your PC via your HTC/Android USB cable.
8: Execute the “Distiller” by typing the following command into terminal “sudo ./distiller”
9: Agree to the onscreen prompts, sit back, relax, DO NOT F**K WITH YOUR PHONE, and let the shine do its magic. This should take five to fifteen minutes and your phone will reboot several times.
10: Enjoy S-OFF and root.
ALL CREDIT GOES TO BEAUPS AND THE MOONSHINE DEV TEAM, this is simply a shoddy step by step guide by a n00b for n00bs to (hopefully) get more comfortable with the idea. This may be reproduced, altered, or edited in anyway as long as credit is given to me (DWC2134) for the original text and pictures and to the DEVS who brought us this awesome utility. In fact, PLEASE edit, improve, and revise this as you see fit for use by new android and linux users. Any changes suggested in this thread will be taken into account and incorporated into the OP.
Troubleshooting:
1: If you are experiencing the "temproot failed" problem, first try a hard reboot, then a factory reset + hard reboot if the reboot alone does not solve the problem.
2: There is some chatter of questionable validity that VZW is trying to push an update to stop S-OFF. If you are having trouble, turn off your radios and/or put your phone in airplane mode while attempting moonshine. While most, myself included, doubt the validity of this claim, it is better safe than sorry.
Beaups original moonshine thread
Moderators, if this is in the wrong section, or out of line, etc etc, please move, edit, delete, or do as needed.
Does it have to be the 32 bit version? If so I just have to redo my live usb.
sent from my droid DNA with xda premium
DaPitt84 said:
Does it have to be the 32 bit version? If so I just have to redo my live usb.
sent from my droid DNA with xda premium
Yes, or the exploit will give an error saying there aren't enough 32 bit libraries. I tried on a 64 bit and got that error. I redid my live CD to use 32 bit, ran the exploit and it worked flawlessly.
Sent from my HTC6435LVW using xda premium
Nice howto I did the s-off yesterday worked great. I'm on windows 7 64 bit and installed 32 bit mint.
For people doing this like op said install and use 32 bit just easier and if you're on a 64 bit system doesn't matter 32 bit installs fine.
Sent from my HTC6435LVW using xda premium
Very nice "How To' for us Windows PC peeps dwc2134...thank you.
I have a couple of questions if anyone can answer:
1) I haven't seen any other procedure where "Factory Reset" is called upon. Is there a specific reason?
2) I have a burned image of "Ubuntu-13.04-desktop-i386.iso" on a USB stick that runs v/smoothly on my laptop w/Vista Ultimate, but I can't seem to get to the terminal screen. I do however see all of the Moonshine files in the download folder when in Ubuntu, and "moonshine_dlx_2.06.605.1.tgz"
Please forgive the noobish Q's
Thx in advance
First of all, thank you dwc2134 for providing this guide! I am very new to this scene (Android rooting) and this guide helps out TREMENDOUSLY since I have no knowledge about terminal/command prompts.
However, after re-reading this guide and the instructions at moonshine.io, I have some questions in my head that are preventing me from going further (If anyone here can answer any of my questions, it would be most appreciated!)
1. At the Instructions page on moonshine.io, Step 8 says "Use the matchingStockRUU..", I have no idea what this, is this something I should worry about? I have not modified my Droid DNA in anyway whatsoever ever since I got the device. I only did the 2 OTA updates (2.04 and 2.06) and that's it.
2. In this guide (dwc2134's) on Step 8 where it says to execute the "Distiller", do I type it into the same terminal window I extracted the Moonshine.tgz file?
3. Once the whole process finishes, and I go back to the fastboot screen to see the glorious text that reads: "S-Off", does this mean my phone is rooted and I can install apps like SetCPU off the bat? Or do I have to flash a custom ROM and if so, can anyone recommend a "tried-and-true" ROM?
Once again, if anyone can answer my queries, it would be very helpful. Thank you in advance!
dfa7 said:
Very nice "How To' for us Windows PC peeps dwc2134...thank you.
I have a couple of questions if anyone can answer:
1) I haven't seen any other procedure where "Factory Reset" is called upon. Is there a specific reason?
2) I have a burned image of "Ubuntu-13.04-desktop-i386.iso" on a USB stick that runs v/smoothly on my laptop w/Vista Ultimate, but I can't seem to get to the terminal screen. I do however see all of the Moonshine files in the download folder when in Ubuntu, and "moonshine_dlx_2.06.605.1.tgz"
Please forgive the noobish Q's
Thx in advance
OK, figured it out. This may just be of some help to others here. ubuntu-13.04-desktop-i386.iso wouldn't get into "terminal" BUT linuxmint-15-cinnamon-dvd-32bit.iso does.
Does anyone know if it is absolutely necessary to "Factory Reset" the DNA with this Moonshine S-OFF method?
dfa7 said:
Very nice "How To' for us Windows PC peeps dwc2134...thank you.
I have a couple of questions if anyone can answer:
1) I haven't seen any other procedure where "Factory Reset" is called upon. Is there a specific reason?
2) I have a burned image of "Ubuntu-13.04-desktop-i386.iso" on a USB stick that runs v/smoothly on my laptop w/Vista Ultimate, but I can't seem to get to the terminal screen. I do however see all of the Moonshine files in the download folder when in Ubuntu, and "moonshine_dlx_2.06.605.1.tgz"
Please forgive the noobish Q's
Thx in advance
1: While not ENTIRELY necessary for a successful moonshining, performing the factory reset and hard reboot seems to solve the "temproot failed" problem several users (myself included) have experienced.
2: Mint is my go-to, so it may be slightly different in Ubuntu. You can also open terminal by pressing ctrl-alt-T or by going to your applications menu (or the search in the dash) and searching for "Terminal" and then inputting "cd ~/downloads". This will, for lack of better words, open your download directory in terminal so that the commands you input specifically look for, and affect, the files there. You may have to alter the "~/downloads" portion slightly to get you to the correct directory, but looking at the filepath on your computer it should be pretty obvious.
AndroM31 said:
First of all, thank you dwc2134 for providing this guide! I am very new to this scene (Android rooting) and this guide helps out TREMENDOUSLY since I have no knowledge about terminal/command prompts.
However, after re-reading this guide and the instructions at moonshine.io, I have some questions in my head that are preventing me from going further (If anyone here can answer any of my questions, it would be most appreciated!)
1. At the Instructions page on moonshine.io, Step 8 says "Use the matchingStockRUU..", I have no idea what this, is this something I should worry about? I have not modified my Droid DNA in anyway whatsoever ever since I got the device. I only did the 2 OTA updates (2.04 and 2.06) and that's it.
2. In this guide (dwc2134's) on Step 8 where it says to execute the "Distiller", do I type it into the same terminal window I extracted the Moonshine.tgz file?
3. Once the whole process finishes, and I go back to the fastboot screen to see the glorious text that reads: "S-Off", does this mean my phone is rooted and I can install apps like SetCPU off the bat? Or do I have to flash a custom ROM and if so, can anyone recommend a "tried-and-true" ROM?
Once again, if anyone can answer my queries, it would be very helpful. Thank you in advance!
1: If you have not modified your phone in anyway, and have received the OTAs, then that is irrelevant to you.
2: Yes. Or in another terminal window opened in your "downloads" directory, though opening a second window seems kind of pointless.
3: Moonshine installs superuser to your device, so YES YOU CAN install custom apps like SetCPU right off the bat. I would recommend first installing a custom recovery (I am using CWMs new touch version) and making a nandroid backup before doing anything else, personally. I would also highly recommend installing a custom rom instead of putting in too much time with the stock sense rom. There are so many fantastic roms out for this phone, it would almost be a waste not to. A lot of folks swear by the ViperROM. I'm currently using it and love it.
dwc2134 said:
1: While not ENTIRELY necessary for a successful moonshining, performing the factory reset and hard reboot seems to solve the "temproot failed" problem several users (myself included) have experienced.
2: Mint is my go-to, so it may be slightly different in Ubuntu. You can also open terminal by pressing ctrl-alt-T or by going to your applications menu (or the search in the dash) and searching for "Terminal" and then inputting "cd ~/downloads". This will, for lack of better words, open your download directory in terminal so that the commands you input specifically look for, and affect, the files there. You may have to alter the "~/downloads" portion slightly to get you to the correct directory, but looking at the filepath on your computer it should be pretty obvious
Thanks for the clarification. I decided to go with Mint and all is perfect! Ubuntu was a challenge considering I'm not an Apple guy and Linux is Greek to me. As for the "Factory Reset", I'll gamble only 'cause I'm configured to my liking and not in the mood yet to spend a day getting everything back. Thx again!
All's well that ends well. If you end up having the temp root problem, try a hard reboot first and then a factory reset.
Sent from my HTC6435LVW using xda app-developers app
dwc2134 said:
1: If you have not modified your phone in anyway, and have received the OTAs, then that is irrelevant to you.
2: Yes. Or in another terminal window opened in your "downloads" directory, though opening a second window seems kind of pointless.
3: Moonshine installs superuser to your device, so YES YOU CAN install custom apps like SetCPU right off the bat. I would recommend first installing a custom recovery (I am using CWMs new touch version) and making a nandroid backup before doing anything else, personally. I would also highly recommend installing a custom rom instead of putting in too much time with the stock sense rom. There are so many fantastic roms out for this phone, it would almost be a waste not to. A lot of folks swear by the ViperROM. I'm currently using it and love it.
Thank you so much for clearing away my doubts! Once I get the "S-Off" message, I'll look into your suggestions mentioned here.
dwc2134 said:
All's well that ends well. If you end up having the temp root problem, try a hard reboot first and then a factory reset.
dwc2134 - thanks for your help, patience and interest with some of us and this project! It does seem easier than revone.
Where do I find the Linux file to put on usb? I don't have any blank cd's either...will it work from usb stick?
HellRayzer said:
Where do I find the Linux file to put on usb? I don't have any blank cd's either...will it work from usb stick?
You can find the .iso image for any distro you want online. I prefer Linux Mint, though Ubuntu is another crowd favorite. You can make a bootable USB, but I find it easier to make and use liveCD/DVDs. A pack of burnable DVDs is $2.89 at CVS. Google is your friend for the rest of this, it is all VERY self explanatory and most distro sites put step by step instructions right on their website.
http://www.linuxmint.com/download.php
http://www.linuxmint.com/documentation/user-guide/english_15.0.pdf
Error When Trying To Download - "This file reached max downloads limit"
Followed the guide...booted from USB Ubuntu. No problems. Connected to moonshine.io, clicked next, next, but when I selected the DNA version, I get the error:
"This file reached max downloads limit"
...and no download.
Any ideas? I see another person has posted this in the developers section. Is there a link problem?
Thanks.
dwc2134 said:
You can find the .iso image for any distro you want online. I prefer Linux Mint, though Ubuntu is another crowd favorite. You can make a bootable USB, but I find it easier to make and use liveCD/DVDs. A pack of burnable DVDs is $2.89 at CVS. Google is your friend for the rest of this, it is all VERY self explanatory and most distro sites put step by step instructions right on their website.
http://www.linuxmint.com/download.php
http://www.linuxmint.com/documentation/user-guide/english_15.0.pdf
This is spot on. I did my first live cd related to rescuing crucial data on a government computer with a corrupt OS a few weeks ago. I googled "How to make a bootable live cd USB drive" and literally in five minutes I was booted into my Ubuntu distro.
One thing I did learn is with Ubuntu there's a lot of alternative distros on their main site with all the links. After not having the option to boot without making any changes I went to my google-found guide again and realized only ubuntu distros with "desktop" in the filename would give me the live boot option I needed for the task at hand.
One of those small details I overlooked, that was solved by a quick recheck with google.
EXCELLENT GUIDE, I'm really impressed.
Max download limit reached.
I am having the same issue; it says that the maximum download limit has been reached. :crying:
I can't donate if I can't download!
FUBAR'd
UntamedDarkness said:
I am having the same issue; it says that the maximum download limit has been reached. :crying:
I can't donate if I can't download!
Link looks to be FUBAR'd. Maybe Verizon got pizzzed and did a bit of hacking themselves...
Several people now reporting the issues in multiple threads. I just rechecked...same error.
Out of curiosity, are you using Verizon Mobile Hotspot on your phone to connect to the internet via computer? I am.
CharliesTheMan said:
This is spot on. I did my first live cd related to rescuing crucial data on a government computer with a corrupt OS a few weeks ago. I googled "How to make a bootable live cd USB drive" and literally in five minutes I was booted into my Ubuntu distro.
One thing I did learn is with Ubuntu there's a lot of alternative distros on their main site with all the links. After not having the option to boot without making any changes I went to my google-found guide again and realized only ubuntu distros with "desktop" in the filename would give me the live boot option I needed for the task at hand.
One of those small details I overlooked, that was solved by a quick recheck with google.
EXCELLENT GUIDE, I'm really impressed.
Yep, google has most any answer you could ever need if you search enough. The only reason I promote liveCDs over liveUSBs is that I think they are a touch easier to make and use. For some reason I have always had a hard time getting liveUSBs to work.
Thank you! I'm really glad it seems to have helped some folks out!
UntamedDarkness said:
I am having the same issue; it says that the maximum download limit has been reached. :crying:
I can't donate if I can't download!
ejohanss said:
Link looks to be FUBAR'd. Maybe Verizon got pizzzed and did a bit of hacking themselves...
Several people now reporting the issues in multiple threads. I just rechecked...same error.
Out of curiosity, are you using Verizon Mobile Hotspot on your phone to connect to the internet via computer? I am.
I doubt it is Verizon, most likely a bandwidth issue or hosting service issue. Seems to be common with everyone trying to download moonshine right now. Sounds like there is trouble with the download limit counter. I knew I should have kept a backup copy of the .tgz
No, when I tether I use one of the free solutions. I got bumped off of unlimited, so I tend to use more wifi than phone data. You NEED an internet connection that is not reliant on your phone for this to work. Moonshine actively connects to the internet during the ./distiller program.
dwc2134 said:
Yep, google has most any answer you could ever need if you search enough. The only reason I promote liveCDs over liveUSBs is that I think they are a touch easier to make and use. For some reason I have always had a hard time getting liveUSBs to work.
Thank you! I'm really glad it seems to have helped some folks out!
I doubt it is Verizon, most likely a bandwidth issue or hosting service issue. Seems to be common with everyone trying to download moonshine right now. Hopefully beaups will be able to set up some new downloads or someone else will be willing to host the files for him. I knew I should have kept a backup copy of the .tgz
No, when I tether I use one of the free solutions. I got bumped off of unlimited, so I tend to use more wifi than phone data. You NEED an internet connection that is not reliant on your phone for this to work. Moonshine actively connects to the internet during the ./distiller program.
I just checked; it's a host download limit. It's ABSOLUTELY not related to Verizon.

Notes on the VS985 (including bootloader details)

Hi all. First, apologies if this is the wrong place for this sort of post. It's mainly just a collection of my notes on the Verizon LG G3 running stock software update VS98510B, so there are a lot of different topics touched upon. I'm usually pretty shy around forums, but I figured something I've found might be useful to someone else, so I finally decided to post here. Anyway, here's what I've found.
Autorun Installer
This really annoyed me for a while when I first got the phone. Every time I'd try connecting it to my computer, it'd enter some sort of installer mode for LG/Verizon drivers. It would stay in this mode for about 30 seconds unless I manually put it back into ADB mode. After a good bit of digging around, I found out how to disable it without root or any special permissions. Open the stock dialer app, then enter the code "##3328873" and press send. It'll prompt for a service code, which is (of course) "000000". While the Verizon G3 appears to be missing a large chunk of the hidden menus, this section still seems to work. One of the options is a checkbox for "Tool Launcher enable" - uncheck it to disable the Verizon autorun installer.
Sideloading in Recovery Mode
I was curious how IORoot worked, so I started taking it apart. Basically, on the G3, it just uses a .zip sideloaded in recovery mode to copy over the su and related binaries. There's a decent bit of documentation out there on how to create your own .zip for sideloading, but I found one catch - the .zip needs to be signed with the proper key, or recovery will reject it. It turns out that this key is located at "./bootable/recovery/testdata/testkey" in the AOSP project. I forget the exact command for signing the .zip, but using this key, you can create your own sideload applications. Edify provides a nice way to script your application; I used it to create a sideload application to replace the HotspotProvision apk with a slightly modified version that skips the billing checks. Doing so does not require root access, as the sideloaded application appears to run as root by default. Replacing "HotspotProvision.apk" also does not trigger the root detector. However, I also made my own sideload .zip to copy over the su binary I compiled from AOSP - as soon as I booted the phone, the software status indicator changed to modified. I have some more information on that below. If anyone wants either of these sideload applications, I can upload them somewhere with their source, just let me know.
Ramdisk Compression
The boot, recovery, laf, and factory partitions are all mostly in standard format and can be split into the kernel and ramdisk parts with existing tools. However, most tools seem to expect the ramdisk to be compressed using gzip. Since it's not, they'll fail to extract the cpio archive from it. The G3 ramdisk is compressed using LZ4 instead. Once decompressed using the standard LZ4 utility, it has the same structure as a normal boot ramdisk - the cpio archive can be extracted to view the boot filesystem. I haven't really looked into it, but I believe the boot images all have a device tree binary appended after the ramdisk as well.
AT Commands
When looking into the boot process, I stumbled upon the AT command framework for the G3, which proved to be rather interesting. When connected to my computer in ADB mode, the phone exposes two serial ports. One of these ports looks like it's supposed to accept plain-text AT commands, but it also has been rather buggy in registering the end of a command for me. The other port accepts commands in some sort of binary format that I have not taken apart yet. If you want to send AT commands to the phone from ADB shell, write them to "/dev/smd0" and read the response from there. Sometimes, the response is not put on the device for some reason, but instead just printed to the logs under the tag "Atd"; just use "logcat Atd:V" to view them. The requests seem to be handled by "/system/bin/atd", which largely uses "/system/lib/libatd_common.so" to work. Looking through the disassembly showed some interesting things, including what looked like a test command that involved the bootloader unlock status, though I haven't figured out exactly how it works yet. A lot of the commands began with "AT%", which I think is the vendor specific prefix for AT commands typically. For some reason, I couldn't get any of these commands to work, even though some of the standard commands worked fine. One particularly interesting function (to me) was one that claimed to be able to write the software bootloader, SBL1. The function was called "store_sbl1_image"; there are some other functions that affect sbl1 as well. There are also functions for qfuses/QFPROM and other things that may be of interest to us. A lot of these functions access the misc partition through "/system/lib/liblgftmitem.so", so that may be a partition worth looking into.
Volume Key Booting
Entering the dialer command "##228378" and pressing send brings up a menu that has an option called "Device Test". Choosing this option prompts you that the phone will reboot; if allowed, it will reboot into MiniOS mode, which is stored in the "factory" partition ("/dev/block/mmcblk0p40"). This mode allows you to run a number of device tests, though many options are disabled somehow. One interesting thing I've observed is that, if the phone is shut down from MiniOS mode, then turned on by holding the volume down and power buttons simultaneously (possibly while plugged into a computer, I forget if this is necessary), the phone enters a pseudo-recovery mode that vaguely resembles real recovery mode, but is actually implemented after boot. Another volume key command is to hold volume up while powering on and connected to a computer by USB (the USB connection is required). This boots into factory download mode from the "laf" partition ("/dev/block/mmcblk0p33"). The only way I've found to exit this mode is to remove the battery from the case. One final note is that while booting into normal mode, but having done so by holding volume down and the power button, the bootloader logs a message that it is going to enter fastboot mode. However, it does not and just boots normally instead. It seems that fastboot can only be activated if aboot fails to boot normally. I've read of people accomplishing this by messing up the "laf" partition and then booting into download mode, but I've not tried it myself.
Root Checker ("/system/bin/rctd")
After already setting my system to the "modified" status, I looked into the root checker executable at "/system/bin/rctd". A quick disassembly showed almost no strings in the binary. This is because they are all obfuscated. To load the strings, a series of instructions store individual characters into the stack at the proper offsets, eventually forming all of the strings needed by the program. Because I don't have the "Pro" version of IDA, I can't just run the executable through the debugger to get the strings out, so I had to resort to writing a really hacky emulator for a few ARM instructions to produce the strings. I only did this for one function, but the results were rather interesting. This function constructed the following string(s): "mt6575 mt6577 /sbin/su ro.hardware /system/bin/su /system/xbin/su /system/sbin/su /data/local/tmp/su /system/bin/busybox /system/xbin/busybox /data/local/tmp/busybox /system/app/Superuser.apk /system/app/SuperUser.apk /system/app/superuser.apk /system/app/SuperuserPro.apk /data/local/tmp/Superuser.apk /data/local/tmp/SuperUser.apk /data/local/tmp/superuser.apk /data/data/com.noshufou.android.su". I'm assuming this is a list of all of the files that the program looks for to determine if the phone has been rooted. In theory, using some way of randomly naming these files could prevent the root checker from detecting a rooted presence. If anyone who has IDA Pro wants to run "rctd" through the debugger, they might find more interesting things.
fastboot oem-unlock
While I've not tried booting into fastboot mode myself, I have "manually" executed the "fastboot oem-unlock" command. By disassembling the "aboot" partition ("/dev/block/mmcblk0p5"), I found that oem-unlock writes the value 0x01 to offset 0x1FFE10 of the "aboot" partition. I replicated this action with the command from a root shell "echo -en '\x01' | dd of=/dev/block/mmcblk0p5 bs=1 seek=2096656 count=1 conv=notrunc". After doing so and rebooting, which seemed to take longer than usual, I checked the kernel logs in "/data/logger/kernel.log*", and, in the bootloader logs section, there was a line displaying "[ 0.355056 / 01-01 00:00:00.340] [580] use_signed_kernel=0, is_unlocked=1, is_tampered=0.", seemingly indicating that the device was unlocked. However, it is not, as I'll mention later.
LGFTMITEM Spam in logcat
On the two VS985 phones I've looked at, both seem to produce a large amount of spam to logcat under the tag "LGFTMITEM". This takes the form of several lines being logged every 500 ms, consistently. I believe that setting the property "sys.lgsetupwizard.status" to "1" should stop it, though I haven't been able to do so successfully yet.
Bootloader Unlocking
One of the main goals of my tinkering has been to find a method for unlocking the VS985 bootloader. I believe I have identified the path to do so while disassembling "aboot", but I do not know how to enable it. I'll try to describe it here. In "sub_F81FF5C" of the "aboot" partition (I created a basic ELF format binary from the partition by trimming the first 40 bytes of the partition dump and then creating a single section ELF file loading that trimmed portion to address 0x0F800000), there is code that verifies the kernel and ramdisk images of the loaded boot partition. The code refers to "FEATURE_LGE_QCT_HW_CRYPTO", if that has meaning to anyone. Before the verification takes place, however, the function calls function "sub_F81FF58" with a memory location passed in R2. If this function call stores the value 0x67661147 in the memory pointed to by R2, the function bypasses all of the verification checks and simply prints "Device UnLock". This is why I believe "fastboot oem-unlock" would not be effective - my bootloader logs still indicate that the bootloader is taking the cryptographic verification path even though I have "unlocked" the device. I've tried to follow the function calls from here, but they get rather complicated and refer to memory locations not within the executable itself, which confuses me. In one of the functions invoked from here, which seems to print out the results of some sort of command, there are the strings "READ_UNLOCK_DEVICE_CERTIFICATE", "UNLOCK_DEVICE_AUTHENTICATION", "ANTI_ROLLBACK", and most interesting to me, "BACKDOOR". I've been having trouble figuring out how this part of the code works, so if anyone has any ideas, I'd be interested in hearing them.
Well, I think that about covers most of what I've found out about this phone. I'd be happy to explain anything in more detail if it's not clear.
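The "Ramdisk Compression" notes above describe the first hurdle in pulling the boot filesystem apart: tools assume a gzip ramdisk and choke on LZ4. The following is an added example (not the poster's tooling, and not an LG utility) that parses the Android boot image header, locates the kernel/ramdisk/second/DTB regions by page-aligned arithmetic, and reports the ramdisk's compression from its leading magic bytes, so you know which decompressor to run before extracting the cpio archive. The sample image is constructed in-memory; the header fields it packs are the standard v0 layout, with the word after page_size treated as the appended device-tree size, which is an assumption about how these Qualcomm-era images use that field.

```python
import struct

# Android boot image header, version 0 layout. The word after page_size is
# documented as "unused" but older Qualcomm/LG images use it as the size of the
# device-tree blob appended after the second stage (assumption, see lead-in).
BOOT_MAGIC = b"ANDROID!"
HEADER_FMT = "<8sIIIIIIIII"  # magic, kernel_size, kernel_addr, ramdisk_size,
                             # ramdisk_addr, second_size, second_addr, tags_addr,
                             # page_size, dt_size
HEADER_LEN = struct.calcsize(HEADER_FMT)  # 44 bytes; the rest of page 0 is padding

# Leading bytes of the compression formats a ramdisk is commonly wrapped in.
COMPRESSION_MAGIC = [
    (b"\x1f\x8b", "gzip"),
    (b"\x04\x22\x4d\x18", "lz4-frame"),    # modern lz4 frame format
    (b"\x02\x21\x4c\x18", "lz4-legacy"),   # legacy lz4 stream as used by the kernel
    (b"\xfd7zXZ\x00", "xz"),
    (b"\x89LZO", "lzo"),
]


def page_align(n, page_size):
    """Round n up to the next multiple of page_size."""
    return (n + page_size - 1) // page_size * page_size


def parse_boot_image(img):
    """Return (offset, size) of each region of a v0 Android boot image."""
    if len(img) < HEADER_LEN or img[:8] != BOOT_MAGIC:
        raise ValueError("not an Android boot image")
    (_, kernel_size, _, ramdisk_size, _, second_size, _, _,
     page_size, dt_size) = struct.unpack_from(HEADER_FMT, img, 0)
    if page_size == 0 or page_size & (page_size - 1):
        raise ValueError("implausible page size %d" % page_size)
    # Every region starts on a page boundary; the header occupies page 0.
    kernel_off = page_size
    ramdisk_off = kernel_off + page_align(kernel_size, page_size)
    second_off = ramdisk_off + page_align(ramdisk_size, page_size)
    dt_off = second_off + page_align(second_size, page_size)
    return {
        "page_size": page_size,
        "kernel": (kernel_off, kernel_size),
        "ramdisk": (ramdisk_off, ramdisk_size),
        "second": (second_off, second_size),
        "dt": (dt_off, dt_size),
    }


def ramdisk_compression(img):
    """Identify the ramdisk compression from its magic bytes ('unknown' if none match)."""
    off, size = parse_boot_image(img)["ramdisk"]
    head = img[off:off + min(size, 8)]
    for magic, name in COMPRESSION_MAGIC:
        if head.startswith(magic):
            return name
    return "unknown"


def build_sample_image(ramdisk, kernel=b"KERNEL", dtb=b"", page_size=2048):
    """Constructed sample: assemble a minimal boot image around the given parts."""
    hdr = struct.pack(HEADER_FMT, BOOT_MAGIC, len(kernel), 0x80208000,
                      len(ramdisk), 0x82200000, 0, 0, 0x80200100,
                      page_size, len(dtb))
    out = b""
    for part in (hdr, kernel, ramdisk, dtb):
        out += part + b"\0" * (page_align(len(part), page_size) - len(part))
    return out


if __name__ == "__main__":
    # Constructed ramdisk: an lz4 frame magic followed by filler, enough to
    # exercise the header arithmetic and the magic-byte detection.
    sample = build_sample_image(b"\x04\x22\x4d\x18" + b"\0" * 60)
    print(parse_boot_image(sample))
    print("ramdisk compression:", ramdisk_compression(sample))
```

On a real dump you would read the partition image from disk instead of `build_sample_image`, slice out the `ramdisk` region it reports, and hand that to the matching decompressor (the standard `lz4` tool for the LZ4 cases the post describes) before running `cpio -i` on the result.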
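The "Root Checker" section describes string obfuscation where each character is loaded into a register and stored at a fixed stack offset, and a small emulator being written to recover them. This added example (mine, not the poster's emulator or anything from the rctd binary) shows the technique on a constructed IDA-style Thumb listing: it tracks `MOV`/`MOVS` immediates per register, applies `STRB` stores into a model of the stack frame, and then reads NUL-terminated ASCII runs back out, including a string stored out of order. The listing, the register names and the offsets are all made up for the demonstration.

```python
import re

# Constructed disassembly (IDA-style syntax) showing the pattern the post
# describes: characters are materialised one at a time and stored to the stack,
# so no string literal exists in the binary until the function runs.
SAMPLE_LISTING = """
    SUB     SP, SP, #0x60
    MOVS    R0, #0x2F        ; '/'
    STRB    R0, [SP,#0x20]
    MOVS    R1, #0x73        ; 's'
    STRB    R1, [SP,#0x21]
    MOVS    R0, #0x62        ; 'b'
    STRB    R0, [SP,#0x22]
    MOVS    R1, #0x69        ; 'i'
    STRB    R1, [SP,#0x23]
    MOVS    R0, #0x6E        ; 'n'
    STRB    R0, [SP,#0x24]
    MOVS    R1, #0x2F        ; '/'
    STRB    R1, [SP,#0x25]
    MOVS    R0, #0x73        ; 's'
    STRB    R0, [SP,#0x26]
    MOVS    R1, #0x75        ; 'u'
    STRB    R1, [SP,#0x27]
    MOVS    R2, #0           ; terminator
    STRB    R2, [SP,#0x28]
    STRB    R0, [SP,#0x40]   ; second string: 's' reused from R0
    STRB    R2, [SP,#0x42]   ; terminator stored before the middle byte
    STRB    R1, [SP,#0x41]   ; 'u' reused from R1
    BL      check_path
"""

MOV_RE = re.compile(r"^MOVS?\s+R(\d+),\s*#(0x[0-9A-Fa-f]+|\d+)")
STRB_RE = re.compile(r"^STRB\s+R(\d+),\s*\[SP,\s*#(0x[0-9A-Fa-f]+|\d+)\]")


def emulate_stack_stores(listing):
    """Track immediate loads and byte stores to the stack; return {offset: byte}."""
    regs = {}    # register number -> last known immediate (low byte)
    frame = {}   # stack offset -> byte value
    for raw in listing.splitlines():
        line = raw.split(";", 1)[0].strip()   # strip IDA comments
        if not line:
            continue
        m = MOV_RE.match(line)
        if m:
            regs[int(m.group(1))] = int(m.group(2), 0) & 0xFF
            continue
        m = STRB_RE.match(line)
        if m:
            reg = int(m.group(1))
            if reg in regs:   # only store bytes whose value we can account for
                frame[int(m.group(2), 0)] = regs[reg]
        # Anything else (SUB SP, BL, ...) does not contribute to the strings.
    return frame


def extract_strings(frame, min_len=2):
    """Read NUL-terminated printable ASCII runs out of the reconstructed frame."""
    found = []
    cur = bytearray()
    prev = None
    for off in sorted(frame):
        b = frame[off]
        if prev is not None and off != prev + 1:
            cur = bytearray()          # gap in the frame: a run cannot span it
        if b == 0:
            if len(cur) >= min_len:
                found.append(cur.decode("ascii"))
            cur = bytearray()
        elif 0x20 <= b < 0x7F:
            cur.append(b)
        else:
            cur = bytearray()          # non-printable byte breaks the run
        prev = off
    return found


def recover_strings(listing):
    """Convenience wrapper: listing text in, recovered strings out."""
    return extract_strings(emulate_stack_stores(listing))


if __name__ == "__main__":
    for s in recover_strings(SAMPLE_LISTING):
        print(repr(s))
```

Real functions use more instruction forms (wide immediates via `MOVW`/`MOVT`, `STRH`/`STR` of packed characters, frame-relative addressing through another register), so extend the two regexes as you meet them; the store-then-scan structure stays the same. For a defender, the same pass run over a suspicious binary yields the path list it probes, which is what you want to know when reviewing what a root detector or a piece of malware is actually looking for.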
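The "Bootloader Unlocking" section mentions building a one-section ELF from the aboot partition dump (first 40 bytes trimmed, loaded at 0x0F800000) so a disassembler gets correct addresses. This added example (mine, not the poster's script) does that wrapping in pure Python with a single PT_LOAD program header, and parses the result back so you can confirm the segment landed where intended. The 40-byte trim and the load address come from the post; the mapping of a raw partition offset to a virtual address in the wrapped image (`partition_offset_to_vaddr`) and the sample dump bytes are my assumptions.

```python
import struct

# Elf32 constants (from the ELF specification)
EM_ARM = 40
ET_EXEC = 2
PT_LOAD = 1
PF_X, PF_W, PF_R = 1, 2, 4
ELF_HDR_FMT = "<16sHHIIIIIHHHHHH"           # Elf32_Ehdr, little-endian
PHDR_FMT = "<IIIIIIII"                       # Elf32_Phdr
ELF_HDR_LEN = struct.calcsize(ELF_HDR_FMT)   # 52
PHDR_LEN = struct.calcsize(PHDR_FMT)         # 32

MBN_HEADER_LEN = 40          # the 40-byte image header the post trims off
ABOOT_LOAD_ADDR = 0x0F800000 # load address the post used for the trimmed image


def wrap_raw_image_as_elf(dump, load_addr=ABOOT_LOAD_ADDR,
                          strip=MBN_HEADER_LEN, entry=None):
    """Wrap a raw firmware dump in a minimal ARM ELF with one RWX PT_LOAD segment."""
    payload = dump[strip:]
    if not payload:
        raise ValueError("dump too short to contain code after the header")
    if entry is None:
        entry = load_addr
    data_off = ELF_HDR_LEN + PHDR_LEN      # payload follows the two headers
    # e_ident: magic, ELFCLASS32, ELFDATA2LSB, EV_CURRENT, then padding
    e_ident = b"\x7fELF" + bytes([1, 1, 1, 0]) + b"\0" * 8
    ehdr = struct.pack(ELF_HDR_FMT, e_ident, ET_EXEC, EM_ARM, 1, entry,
                       ELF_HDR_LEN,   # e_phoff: program header right after Ehdr
                       0,             # e_shoff: no section headers
                       0x05000000,    # e_flags: EABI version 5
                       ELF_HDR_LEN, PHDR_LEN, 1, 0, 0, 0)
    # p_align of 4 keeps p_vaddr == p_offset (mod p_align), as the spec requires,
    # without padding the file out to a page boundary.
    phdr = struct.pack(PHDR_FMT, PT_LOAD, data_off, load_addr, load_addr,
                       len(payload), len(payload), PF_R | PF_W | PF_X, 4)
    return ehdr + phdr + payload


def read_elf_segments(elf):
    """Parse the ELF back; return [(vaddr, file_offset, filesz)] for PT_LOAD segments."""
    fields = struct.unpack_from(ELF_HDR_FMT, elf, 0)
    if fields[0][:4] != b"\x7fELF" or fields[2] != EM_ARM:
        raise ValueError("not an ARM ELF")
    e_phoff, e_phentsize, e_phnum = fields[5], fields[9], fields[10]
    segs = []
    for i in range(e_phnum):
        p_type, p_offset, p_vaddr, _, p_filesz, _, _, _ = struct.unpack_from(
            PHDR_FMT, elf, e_phoff + i * e_phentsize)
        if p_type == PT_LOAD:
            segs.append((p_vaddr, p_offset, p_filesz))
    return segs


def partition_offset_to_vaddr(offset, load_addr=ABOOT_LOAD_ADDR,
                              strip=MBN_HEADER_LEN):
    """Map an offset in the raw partition to the address it gets in the wrapped ELF.

    Assumption: the trimmed header precedes the loaded bytes one-to-one, so a
    raw offset maps to load_addr + (offset - strip)."""
    if offset < strip:
        raise ValueError("offset lies inside the trimmed header")
    return load_addr + offset - strip


if __name__ == "__main__":
    # Constructed sample: 40 header bytes followed by 32 bytes standing in for code.
    dump = bytes(range(40)) + b"\x00\xf0\x20\xe3" * 8
    elf = wrap_raw_image_as_elf(dump)
    print(read_elf_segments(elf))
    with open("aboot_wrapped.elf", "wb") as f:
        f.write(elf)
```

Feed `aboot_wrapped.elf` to IDA, Ghidra or `objdump -d -m arm`; branch targets and literal-pool loads then resolve against 0x0F800000 instead of file offsets. When comparing an address found in the ELF against a byte offset in the raw partition (such as the flag the post located at partition offset 0x1FFE10), use `partition_offset_to_vaddr` or its inverse rather than mental arithmetic, since the trimmed header shifts every address by 40.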
You should rename the title of your thread to something more likely to be read by devs trying to unlock the bootloader. It's too generic in my opinion. Excellent work so far, though. Thanks for your efforts and interest!
Nice to see anyone working on an unlock, also thanks for sharing.
---------- Post added at 02:33 AM ---------- Previous post was at 02:25 AM ----------
I forwarded the post to Justin case to see if he may be able to get in touch
This was way over my head. Have you PM'd @autoprime or @thecubed (aka IOMonster)? They are a couple of the devs working on unlock.
Sent from my VS985 4G
Howdy there!
Just in time, too - since I just got back from vacation!
Hop on IRC (freenode) and join #lg-g3 and ask for IOMonster, and mention this thread. I'd be happy to explain what I can to you.
You've followed excellent logic and have come to many of the same conclusions as we have during our exploration of the device. Factory mode reads FTM items, and can enable/disable menu options at will (or you could just extract it like a boot.img and load the lgeftm_* binaries into IDA and see what they do).
RE: AT commands, there's a lot of good logic in there, however at the moment nothing that looks to give us our unlock.
RE: Unlocking, you're close, but a bit far off. There's some special sauce LG is using for unlocks, and last I was looking I believe LGE is obfuscating bits of code with a multi-stage loader. I'll discuss more about this on IRC if you're interested and the rest of the guys on IRC are alright with me doing so.
One of those memory addresses is a function pointer - before I left for vacation we were working on dumping the memory to pull the decompressed function out of RAM on another device that uses a (very) similar strategy.
I look forward to talking to you on IRC!
Hope you enjoyed I'm sure a much needed vacation.. Hopefully soon someone will be able to crack this boot loader and free the G3 variants.
They will unlock it because how can the great device be locked and have only the tmobile version be the only one unlocked... Lol that's crazy. They will unlock it in time
I think you're right, in time; unfortunately these guys have full life schedules that don't allow them to stay on it all day! I hope all the G3 community gets to enjoy the full potential of such a great device in the future.
OP @IllegalArgument
Hats off for your first loaded post on XDA, really reassuring to see as many capable devs tinkering with this, welcome and keep em coming
dabug123 said:
....I hope all the g3 community gets to enjoy the full potential of such a great device in the future.
Near future hopefully
nerdo said:
OP @IllegalArgument
Hats off for your first loaded post on XDA, really reassuring to see as many capable devs tinkering with this, welcome and keep em coming
Near future hopefully
We'll see. I'm hopeful, but I won't be upset since Nexus is close.
Nexus won't run on Verizon, you can book that.
Sent from my HTC6525LVW using Tapatalk
dbatech99 said:
Nexus won't run on Verizon, you can book that.
Sent from my HTC6525LVW using Tapatalk
Yep agreed, I'm making the switch
dabug123 said:
Yep agreed, I'm making the switch
With Xposed framework and the right modules I can make this stock ROM almost like any custom ROM. It will definitely hold me over until they can unlock it.
Jank4AU said:
With Xposed framework and the right modules I can make this stock ROM almost like any custom ROM. It will definitely hold me over until they can unlock it.
My thoughts exactly, and with the Wifi tether mod, I'm content, for now.
Jank4AU said:
With Xposed framework and the right modules I can make this stock ROM almost like any custom ROM. It will definitely hold me over until they can unlock it.
I enjoy it with Xposed. Not the same in the end, but the G3 is great, won't ever say different.
Ooh, exciting. I can't wait.
kdouvia said:
Ooh, exciting. I can't wait.
Jank4AU said:
Fail lol[emoji13]
Interesting read OP.
Jank4AU said:
Haha, bro, I was serious this is the most information I've heard about the boot loader unlock in awhile. I love the meme though. :victory: