Verizon system and boot.img dumps as well as partition list - Verizon HTC One (M7)

System dump: Raw system.img
Stock rooted flash able zip: http://db.tt/Y5UzGsB6
boot.img dump: http://goo.im/devs/Indirect/VZW_M7/boot.img
insecure boot.img: http://goo.im/devs/Indirect/VZW_M7/boot_insecure.img
stock recovery img: [Not yet]
Partition List:
Code:
dev: size erasesize name
mmcblk0p19: 000ffa00 00000200 "misc"
mmcblk0p34: 00fffe00 00000200 "recovery"
mmcblk0p33: 01000000 00000200 "boot"
mmcblk0p35: 8bfffc00 00000200 "system"
mmcblk0p26: 00140200 00000200 "local"
mmcblk0p36: 2ffffe00 00000200 "cache"
mmcblk0p37: 660000000 00000200 "userdata"
mmcblk0p22: 01400000 00000200 "devlog"
mmcblk0p24: 00040000 00000200 "pdata"
mmcblk0p27: 00010000 00000200 "extra"
mmcblk0p31: 04b00200 00000200 "radio"
mmcblk0p16: 03c00400 00000200 "adsp"
mmcblk0p15: 00100000 00000200 "dsps"
mmcblk0p17: 007ffa00 00000200 "radio_config"
mmcblk0p20: 00400000 00000200 "modem_st1"
mmcblk0p21: 00400000 00000200 "modem_st2"
mmcblk0p28: 00100000 00000200 "cdma_record"
mmcblk0p18: 02000000 00000200 "reserve_1"
mmcblk0p30: 034ffa00 00000200 "reserve_2"
mmcblk0p32: 05fffc00 00000200 "reserve_3"
mmcblk0p29: 06069e00 00000200 "reserve"

Indirect said:
System dump: Coming whenever I can get root
boot.img dump:
insecure boot.img:
stock recovery img:
Partition List:
Code:
dev: size erasesize name
mmcblk0p19: 000ffa00 00000200 "misc"
mmcblk0p34: 00fffe00 00000200 "recovery"
mmcblk0p33: 01000000 00000200 "boot"
mmcblk0p35: 8bfffc00 00000200 "system"
mmcblk0p26: 00140200 00000200 "local"
mmcblk0p36: 2ffffe00 00000200 "cache"
mmcblk0p37: 660000000 00000200 "userdata"
mmcblk0p22: 01400000 00000200 "devlog"
mmcblk0p24: 00040000 00000200 "pdata"
mmcblk0p27: 00010000 00000200 "extra"
mmcblk0p31: 04b00200 00000200 "radio"
mmcblk0p16: 03c00400 00000200 "adsp"
mmcblk0p15: 00100000 00000200 "dsps"
mmcblk0p17: 007ffa00 00000200 "radio_config"
mmcblk0p20: 00400000 00000200 "modem_st1"
mmcblk0p21: 00400000 00000200 "modem_st2"
mmcblk0p28: 00100000 00000200 "cdma_record"
mmcblk0p18: 02000000 00000200 "reserve_1"
mmcblk0p30: 034ffa00 00000200 "reserve_2"
mmcblk0p32: 05fffc00 00000200 "reserve_3"
mmcblk0p29: 06069e00 00000200 "reserve"
Click to expand...
Click to collapse
i presume as usual it's locked down??

Aldo101t said:
i presume as usual it's locked down??
Click to expand...
Click to collapse
It's not s-off and all exploits have been patched but I managed to dev unlock.

Aldo101t said:
i presume as usual it's locked down??
Click to expand...
Click to collapse
it has been unlocked through htc.dev already, i think they are working on recovery now

Indirect said:
It's not s-off and all exploits have been patched but I managed to dev unlock.
Click to expand...
Click to collapse
well, that's good if anyone has this phone i suggest they unlock while the getting is good. if verizon follows their past shinanigins they'll lock it down in about a week,

@Indirect
Are you going to upload all in 1 file. I just need the recovery which is like 8mb

I'll be uploading them seperately
Sent from my One true love.

thanks for this
goo.im is slow as molasses

System dump is finally uploaded along with recovery, boot, and an insecure boot.img added if you want to root but the recovery is FUBAR. Enjoy.
edit: No problem, flex

i havent rooted since the DInc days - is there a rundown of how to root the one?

crazyg0od33 said:
i havent rooted since the DInc days - is there a rundown of how to root the one?
Click to expand...
Click to collapse
just htc dev unlock and flash the boot.img
(fastboot flash boot boot.img)

@Indirect That is the Sprint TWRP recovery instead of stock recovery

Flyhalf205 said:
@Indirect That is the Sprint TWRP recovery instead of stock recovery
Click to expand...
Click to collapse
Frick. Mmk, well I need another person real quick to get the recovery image. Just get teamviewer.

Indirect said:
just htc dev unlock and flash the boot.img
(fastboot flash boot boot.img)
Click to expand...
Click to collapse
awesome! thanks
and thats the insecure boot.img or the regular one?

crazyg0od33 said:
awesome! thanks
and thats the insecure boot.img or the regular one?
Click to expand...
Click to collapse
insecure

So seeing as Verizon learned their exploit lessons from the DNA, I am assuming revone and moonshine do not work? Has anyone tried running revone as root? i.e adb shell-> su-> ./revone -p?

Throwing together a stock rooted zip with superuser and insecure boot.img for adb running as root. Building and will upload shortly.

Zip posted
Sent from my One true love.

Indirect said:
Zip posted
Sent from my One true love.
Click to expand...
Click to collapse
are you working on a deodexed version by chance?

andybones said:
are you working on a deodexed version by chance?
Click to expand...
Click to collapse
Negative.

Related

[SUPPORT][PRIMOC] cat results

Code:
su
Code:
cat /proc/emmc
Can someone please upload their results after entering this into a terminal emulator?
Thanks in advance.
PrimoC and primou have the same emmc partition layout I think (Someone confirm?)
Yes... PRIMOU just has 1 or 2 extra ones I think. I'll also accept from PRIMOU also please and thanks
russellvone said:
Yes... PRIMOU just has 1 or 2 extra ones I think. I'll also accept from PRIMOU also please and thanks
Click to expand...
Click to collapse
[email protected]:~/android/system$ adb shell cat /proc/emmc
dev: size erasesize name
mmcblk0p17: 00040000 00000200 "misc"
mmcblk0p21: 0087f400 00000200 "recovery"
mmcblk0p22: 00400000 00000200 "boot"
mmcblk0p25: 31dffe00 00000200 "system"
mmcblk0p28: 0afffe00 00000200 "cache"
mmcblk0p26: 3cfffe00 00000200 "userdata"
mmcblk0p29: 017ade00 00000200 "devlog"
mmcblk0p31: 00040000 00000200 "pdata"
mmcblk0p30: 00011c00 00000200 "extra"
mmcblk0p32: 05ffe000 00000200 "fat"
mmcblk0p27: 07fffe00 00000200 "swap"
[email protected]:~/android/system$
Thanks a bunch..
PRIMOC too please guys.... Just to verify differences, if there are any.
Bump. Come on guys any PRIMOC fellas willing to post?
:banghead:
[email protected]:/ $ su
[email protected]:/ # cat /proc/emmc
dev: size erasesize name
mmcblk0p17: 00040000 00000200 "misc"
mmcblk0p21: 0087f400 00000200 "recovery"
mmcblk0p22: 00400000 00000200 "boot"
mmcblk0p25: 31dffe00 00000200 "system"
mmcblk0p29: 001ffe00 00000200 "local"
mmcblk0p28: 0adffe00 00000200 "cache"
mmcblk0p26: 3cfffe00 00000200 "userdata"
mmcblk0p30: 017ade00 00000200 "devlog"
mmcblk0p32: 00040000 00000200 "pdata"
mmcblk0p31: 00011c00 00000200 "extra"
mmcblk0p33: 05ffe000 00000200 "fat"
mmcblk0p27: 07fffe00 00000200 "swap"
[email protected]:/ #
Thank you

[For Dev only][updated for customizd recovery]Desire boot & recovery -signed files

[For Dev only][updated for customizd recovery]Desire boot & recovery -signed files
This is for DEV only ;
here I rar the two files altogether, now it's you guys DEVs' turn.
Hope this help.
They from "TUHL TW version. Dump from my device
=================================================================================================
Teaser: Chainfire's 2.19 su in there successfully.
**edit, now (don't use above link to get you recovery flash..becuase that's stock recovery)
=================================================================================================
I present you the Desire eye TWRP 2810 based Onepagebook/Rayzen moded recovery
so you guys can have rooted device
Happy rooted!!
=========================================================
March 13, 2015:
TWRP 2850 updated:
TWRP-eye-2850-OPB-themed-red.img 15.4 MB
https://mega.co.nz/#!hNJUTQqT!RPU1g_SJnMWKkoWMbZDaoEXYStG8d2V-xPENAuo4glI
and emmc info:
Code:
dev: size erasesize name
mmcblk0p1: 00100000 00000200 "sbl1"
mmcblk0p2: 076f7c00 00000200 "pg1fs"
mmcblk0p3: 00004000 00000200 "board_info"
mmcblk0p4: 00800000 00000200 "reserve_1"
mmcblk0p5: 00040000 00000200 "mfg"
mmcblk0p6: 017afc00 00000200 "pg2fs"
mmcblk0p7: 00040000 00000200 "sbl1_update
mmcblk0p8: 00040000 00000200 "rpm"
mmcblk0p9: 00200000 00000200 "tz"
mmcblk0p10: 00008000 00000200 "sdi"
mmcblk0p11: 00400000 00000200 "hboot"
mmcblk0p12: 00500000 00000200 "sp1"
mmcblk0p13: 00100000 00000200 "wifi"
mmcblk0p14: 00008000 00000200 "ddr"
mmcblk0p15: 00100000 00000200 "dsps"
mmcblk0p16: 03c00400 00000200 "adsp"
mmcblk0p17: 00500000 00000200 "wcnss"
mmcblk0p18: 00800000 00000200 "radio_conf
mmcblk0p19: 00180000 00000200 "fsg"
mmcblk0p20: 04b00400 00000200 "radio"
mmcblk0p21: 00400000 00000200 "tool_diag"
mmcblk0p22: 03200000 00000200 "custdata"
mmcblk0p23: 00effc00 00000200 "reserve_2"
mmcblk0p24: 00100000 00000200 "misc"
mmcblk0p25: 00180000 00000200 "modem_st1"
mmcblk0p26: 00180000 00000200 "modem_st2"
mmcblk0p27: 01400000 00000200 "fataldevlo
mmcblk0p28: 00001000 00000200 "debug_conf
mmcblk0p29: 00040000 00000200 "pdata"
mmcblk0p30: 00004000 00000200 "control"
mmcblk0p31: 00140400 00000200 "local"
mmcblk0p32: 00010000 00000200 "extra"
mmcblk0p33: 00100000 00000200 "cdma_recor
mmcblk0p34: 00000400 00000200 "fsc"
mmcblk0p35: 00002000 00000200 "ssd"
mmcblk0p36: 00040000 00000200 "skylink"
mmcblk0p37: 01900000 00000200 "carrier"
mmcblk0p38: 00040000 00000200 "sensor_hub
mmcblk0p39: 01e00000 00000200 "devlog"
mmcblk0p40: 00002800 00000200 "cir_img"
mmcblk0p41: 02de6000 00000200 "reserve"
mmcblk0p42: 01000000 00000200 "boot"
mmcblk0p43: 01800000 00000200 "recovery"
mmcblk0p44: 05800000 00000200 "reserve_3"
mmcblk0p45: 00000000 00000200 "system"
mmcblk0p46: 60000000 00000200 "userdata"
mmcblk0p47: 14000000 00000200 "cache"
So how did you achieve root access?
sidle said:
So how did you achieve root access?
Click to expand...
Click to collapse
Getting this thing rooted would be nice....however, it doesn't seem to be too popular of a phone. I'm not too sure if it;s going to happen.
arminyack said:
Getting this thing rooted would be nice....however, it doesn't seem to be too popular of a phone. I'm not too sure if it;s going to happen.
Click to expand...
Click to collapse
Considering its only on AT&T right now in the USA, it might be a while. Mine comes in today but i got it unlocked to use on tmobile. Hopefully the guy that rooted can share what he did.
jsho31 said:
Considering its only on AT&T right now in the USA, it might be a while. Mine comes in today but i got it unlocked to use on tmobile. Hopefully the guy that rooted can share what he did.
Click to expand...
Click to collapse
If we manage to get it rooted, we have real good dev potential, since both M7 and M8 run almost similar specs, only thing that'd have to be ported is the camera libs.
sidle said:
If we manage to get it rooted, we have real good dev potential, since both M7 and M8 run almost similar specs, only thing that'd have to be ported is the camera libs.
Click to expand...
Click to collapse
True. I may have found how to root. If so, ill post here soon as i get mine tomorrow.
Sent from my Xperia Z3
Nice OP! Sounds like we will have some dev support for this device!
Nabeeltanz said:
Nice OP! Sounds like we will have some dev support for this device!
Click to expand...
Click to collapse
hang on guuys, not long, busy for my personal business,I will provide some useful info to everyone here. for sure
feel weird why eye has harmon-kardon? lol
awesome! cant wait =)
Get us a system dump @Onepagebook
Onepagebook said:
hang on guuys, not long, busy for my personal business,I will provide some useful info to everyone here. for sure
feel weird why eye has harmon-kardon? lol
Click to expand...
Click to collapse
'
Looks awesome I can't wait!
sidle said:
'
Looks awesome I can't wait!
Click to expand...
Click to collapse
I am looking forward to this. I am glad some of us appreciate this device.
I had no luck. Good to know the recovery/boot images are flashable though.
Sent from my HTC Desire Eye using XDA Free mobile app
Someone can share the camera.apk please ?
Will972 said:
Someone can share the camera.apk please ?
Click to expand...
Click to collapse
And the lib files
Send via my Galaxy Tab3 8.0
the libs is not very necessary because the Eye experience work on some devices ( one M7, desire 816) by replacing just the apk .. but i need the desire Eye camera.apk to see if it's compatible with the One Mini 2
Tried different rooting methods for the non AT&T versions of the Desire Eye and they all failed. There's even a TWRP for the other models but they fail to flash via fastboot or flashify. Just giving a heads up. Gotta keep the forum active so devs will know there's an interest. If not, they'll move to other projects.
Sent from my HTC Desire Eye using XDA Free mobile app
Onepagebook said:
hang on guuys, not long, busy for my personal business,I will provide some useful info to everyone here. for sure
feel weird why eye has harmon-kardon? lol
Click to expand...
Click to collapse
Awesome! you got the blue version!
Post up some images dude!
I'm surprised no one has thrown together some sort of custom recovery.
The bootloader is easily unlocked, so if someone knowd how to or can point me in the direction to learn how to do this, that would be fantastic.
The community for this phone could explode.

[Q] 15GB of space being used by "System & Other"?

So I have a ridiculous amount of space being used by system and other which is really limiting the 32gb of storage I have.
I know that with the OS and the formatting loss, I should have around 22GB of usable space. Currently, I have 16.
There's a rouge 6GB of space that I cannot find for the life of me. I did install a custom rom, would that have duplicated some files accidentally?
Anybody else have this issue?
http://forum.xda-developers.com/one-m9/help/low-available-memory-flashing-rom-t3089280
aooga said:
Anybody else have this issue?
Click to expand...
Click to collapse
Everybody with this device. As stated SD card is necessary.
sausje85 said:
http://forum.xda-developers.com/one-m9/help/low-available-memory-flashing-rom-t3089280
Click to expand...
Click to collapse
augie7107 said:
Everybody with this device. As stated SD card is necessary.
Click to expand...
Click to collapse
Thanks. Why does HTC say 21 gb then?
aooga said:
Thanks. Why does HTC say 21 gb then?
Click to expand...
Click to collapse
Good question but unable to answer. Could be 21GB with absolutely nothing installed. Have any nandroid backups or twrp backups residing on sd?
augie7107 said:
Good question but unable to answer. Could be 21GB with absolutely nothing installed. Have any nandroid backups or twrp backups residing on sd?
Click to expand...
Click to collapse
None whatsoever. Just flashed the stock RUU as well to clear everything out.
Is there a way to format the entire phone and start over? Is the bootloader on the internal storage or does it have it's own small storage drive?
aooga said:
None whatsoever. Just flashed the stock RUU as well to clear everything out.
Is there a way to format the entire phone and start over? Is the bootloader on the internal storage or does it have it's own small storage drive?
Click to expand...
Click to collapse
this is the partition table - each mmcblk is a different partition
C:\adb>adb shell
[email protected]_himaulatt:/ $ cat /proc/emmc
cat /proc/emmc
dev: size erasesize name
mmcblk0p1: 00004000 00000200 "board_info"
mmcblk0p2: 00400000 00000200 "pg1fs"
mmcblk0p3: 00100000 00000200 "sbl1"
mmcblk0p4: 00100000 00000200 "pmic"
mmcblk0p5: 02800000 00000200 "dummy"
mmcblk0p6: 001f7c00 00000200 "reserve_1"
mmcblk0p7: 00040000 00000200 "mfg"
mmcblk0p8: 017afc00 00000200 "pg2fs"
mmcblk0p9: 00080000 00000200 "rpm"
mmcblk0p10: 00200000 00000200 "tz"
mmcblk0p11: 00018000 00000200 "sdi"
mmcblk0p12: 00200000 00000200 "hyp"
mmcblk0p13: 00100000 00000200 "aboot"
mmcblk0p14: 00a00000 00000200 "tool_diag"
mmcblk0p15: 00a00000 00000200 "sp1"
mmcblk0p16: 00100000 00000200 "ddr"
mmcblk0p17: 00100000 00000200 "rfg_0"
mmcblk0p18: 00100000 00000200 "rfg_1"
mmcblk0p19: 00100000 00000200 "rfg_2"
mmcblk0p20: 00100000 00000200 "rfg_3"
mmcblk0p21: 00100000 00000200 "rfg_4"
mmcblk0p22: 00100000 00000200 "rfg_5"
mmcblk0p23: 00100000 00000200 "rfg_6"
mmcblk0p24: 00100000 00000200 "rfg_7"
mmcblk0p25: 00180000 00000200 "fsg"
mmcblk0p26: 03b00400 00000200 "radio"
mmcblk0p27: 01400000 00000200 "adsp"
mmcblk0p28: 00000400 00000200 "limits"
mmcblk0p29: 004f7c00 00000200 "reserve_2"
mmcblk0p30: 01600000 00000200 "persist"
mmcblk0p31: 00a00000 00000200 "ramdump"
mmcblk0p32: 00100000 00000200 "misc"
mmcblk0p33: 00180000 00000200 "modem_st1"
mmcblk0p34: 00180000 00000200 "modem_st2"
mmcblk0p35: 01400000 00000200 "fataldevlog"
mmcblk0p36: 01e00000 00000200 "devlog"
mmcblk0p37: 00040000 00000200 "pdata"
mmcblk0p38: 00004000 00000200 "control"
mmcblk0p39: 00010000 00000200 "extra"
mmcblk0p40: 00100000 00000200 "cdma_record"
mmcblk0p41: 00000400 00000200 "fsc"
mmcblk0p42: 00002000 00000200 "ssd"
mmcblk0p43: 00080000 00000200 "sensor_hub"
mmcblk0p44: 00020000 00000200 "sec"
mmcblk0p45: 00100000 00000200 "abootbak"
mmcblk0p46: 00002800 00000200 "cir_img"
mmcblk0p47: 00140400 00000200 "local"
mmcblk0p48: 00080000 00000200 "frp"
mmcblk0p49: 00200000 00000200 "cpe"
mmcblk0p50: 01400000 00000200 "carrier"
mmcblk0p51: 00040000 00000200 "skylink"
mmcblk0p52: 00020000 00000200 "rfg_8"
mmcblk0p53: 00020000 00000200 "rfg_9"
mmcblk0p54: 00020000 00000200 "rfg_10"
mmcblk0p55: 00020000 00000200 "rfg_11"
mmcblk0p56: 00020000 00000200 "rfg_12"
mmcblk0p57: 00020000 00000200 "rfg_13"
mmcblk0p58: 00020000 00000200 "rfg_14"
mmcblk0p59: 00020000 00000200 "rfg_15"
mmcblk0p60: 01000000 00000200 "absolute"
mmcblk0p61: 00e07000 00000200 "reserve"
mmcblk0p62: 04000000 00000200 "hosd"
mmcblk0p63: 04000000 00000200 "boot"
mmcblk0p64: 04000000 00000200 "recovery"
mmcblk0p65: 14000000 00000200 "cache"
mmcblk0p66: 18000000 00000200 "system"
mmcblk0p67: e0000000 00000200 "userdata"
mmcblk0p68: 12200000 00000200 "apppreload"
mmcblk0p69: 03c00000 00000200 "cota"
mmcblk0p70: 00a00000 00000200 "battery"
[email protected]_himaulatt:/ $
Click to expand...
Click to collapse

Bypass Verizon "Enable OEM" Lock?

So I've spent the last couple of hours trying to find a way I could abuse android to allow me to Enable OEM Unlock, first by messing with .apks and things before realizing that is it is completely unrelated to whichever settings apk is used after looking at the source code here, then I started seeing if I could find a way to use the adb settings put command (to no avail, as it is not controlled by something as simple as that):
github /android/platform_packages_apps_settings
A lot of this is probably already known to a lot of exploiters, but I discovered:
I'd like to say that a MODIFIED Settings.apk is able to be installed over adb with adb install (possibly modify the app further with java and fix the enable oem option?).
If PERSISTENT_DATA_BLOCK_PROP does not equal "" then ShowOEMUnlock will be true, and you could select the option in settings.
private static final String PERSISTENT_DATA_BLOCK_PROP = "ro.frp.pst";
ro.frp.pst is a restricted file somewhere in in dev/block
However, let's look at the enabling button itself:
The name of the button doesn't really matter, and the strings for them are oem_unlock_enable and oem_unlock_enable_summary, but I thought I'd post it anyways.
When actually clicking the button: " Utils.setOemUnlockEnabled(getActivity(), true);" is called, which uses the same function on the Persistent Data Block Service. I assume this writes the boolean to the device.
My understanding is a bit fuzzy on this one, but I see a function regarding ActivityResult in which if the requestCode for the activity is REQUEST_CODE_ENABLE_OEM_UNLOCK then mEnableOemUnlock is checked if it is, well, checked, then confirmEnableOemUnlock(); is called (which leads to the utils and updateAllOptions call) -- if it is NOT checked, Utils.setOemUnlockEnabled(getActivity(), false); then I assume it sets the OemUnlock to false.
Under updateAllOptions(), If mEnableOemUnlock is nonexistant/null then it will automatically "updateSwitchPreference(mEnableOemUnlock, Utils.isOemUnlockEnabled(getActivity()));", which I assume just sets it to false by default if the option simply doesn't exist. This could possibly be abused?
I see a couple of options here, one of those primely being modifying the settings apk (it can be patched/updated via ADB), making it work for the One M9, and then enabling OEM somehow, or making a standalone APK which does the job itself with java (the only problem is I'm not familiar with how permissions would work in java, so I'm not sure about the plausibility of that). I'd assume it'd be somehow use a function akin to the Utils.setOemUnlockEnabled to write the data block that allows for the unlock code to be called in the first place.
There is no real point to this thread, but I thought I might share some of my finding and possibly find someone to help me pursue these findings.
Sorry if I'm all over the place, I've been looking through code for a couple hours and there's a lot to process.
If anyone wants to chat, contact me on skype:
live:dragonfabledonny
Alright, so I have modified the DevelopmentSettings.java to make it so that if you enable any setting/disable (anything that will make it update), it should enable OEM unlocking. However, I'm having an issue compiling the .APK-- is anyone willing to help me do this? Please contact me on skype if you can; "live:dragonfabledonny"
Also, apparently the HTC Settings.apk is completely different from the normal android one, as I've decompiled it's java code and took a peek around to simply find this:
if (SystemProperties.get("ro.frp.pst").equals(""))
Which sets if the option is visible or not. I'll do some tinkering and see if I can manage a recompile. :v
Enabling this setting will not allow the Verizon m9 to be oem unlocked. The issue is that HTC does not allow devices with a Verizon CID to be unlocked.
You would need a way to switch to superCID (or any other nonVerizon CID) in order to oem unlock.
Sent from my Nexus 6 using Tapatalk
I also don't believe an app loaded via adb install will go anywhere other than /data. Meaning it won't have the same privileges as /system installed apps that would enable this on say a nexus device.
Sent from my SM-T810 using Tapatalk
Yeah, I continued my pursuits of it in the developers section if you're curious:
http://forum.xda-developers.com/android/help/help-modifying-recompiling-settings-apk-t3282645
It's completely possible to patch the settings.apk and install it-- if it wasn't for certificates.
Dino10or said:
Yeah, I continued my pursuits of it in the developers section if you're curious:
http://forum.xda-developers.com/android/help/help-modifying-recompiling-settings-apk-t3282645
It's completely possible to patch the settings.apk and install it-- if it wasn't for certificates.
Click to expand...
Click to collapse
So you really believe you can simply edit some settings.apk, install it and unlock like a nexus?
Sent from my SM-T810 using Tapatalk
dottat said:
So you really believe you can simply edit some settings.apk, install it and unlock like a nexus?
Sent from my SM-T810 using Tapatalk
Click to expand...
Click to collapse
i dont believe it. not on a stock device anyway
dottat said:
So you really believe you can simply edit some settings.apk, install it and unlock like a nexus?
Sent from my SM-T810 using Tapatalk
Click to expand...
Click to collapse
I wish. :/
The only issue is for it to successfully "update" the application, it has to has the proper certificate (you can even install HTC settings apk's from other branded phones)-- and modifying it in any way royally messes up the process. (Even if you don't decompile and just edit the .dex file directly, even one byte changed messes up the SHA1 certificate. )
I was a bit ignorant when I first set out to do it, and my pursuits have taught me many things-- so even though it was a completele failure in every way-- at least I learned something.
So I discovered a way to dismount any partition in fastboot-- until you restart the bootloader at least. The method may or may not work in ADB. Yet to be tested.
I'm not sure how this would help me though, as you need certain partitions for a lot of the commands to work correctly.
Those are the partitions I'm getting-- not sure if unmounting any of these would allow me to abuse anything. @scotty1223
Code:
C:\Program Files (x86)\Minimal ADB and Fastboot>adb shell cat /proc/emmc
dev: size erasesize name
mmcblk0p1: 00004000 00000200 "board_info"
mmcblk0p2: 00400000 00000200 "pg1fs"
mmcblk0p3: 00100000 00000200 "sbl1"
mmcblk0p4: 00100000 00000200 "pmic"
mmcblk0p5: 02800000 00000200 "dummy"
mmcblk0p6: 001f7c00 00000200 "reserve_1"
mmcblk0p7: 00040000 00000200 "mfg"
mmcblk0p8: 017afc00 00000200 "pg2fs"
mmcblk0p9: 00080000 00000200 "rpm"
mmcblk0p10: 00200000 00000200 "tz"
mmcblk0p11: 00018000 00000200 "sdi"
mmcblk0p12: 00200000 00000200 "hyp"
mmcblk0p13: 00100000 00000200 "aboot"
mmcblk0p14: 00a00000 00000200 "tool_diag"
mmcblk0p15: 00a00000 00000200 "sp1"
mmcblk0p16: 00100000 00000200 "ddr"
mmcblk0p17: 00100000 00000200 "rfg_0"
mmcblk0p18: 00100000 00000200 "rfg_1"
mmcblk0p19: 00100000 00000200 "rfg_2"
mmcblk0p20: 00100000 00000200 "rfg_3"
mmcblk0p21: 00100000 00000200 "rfg_4"
mmcblk0p22: 00100000 00000200 "rfg_5"
mmcblk0p23: 00100000 00000200 "rfg_6"
mmcblk0p24: 00100000 00000200 "rfg_7"
mmcblk0p25: 00180000 00000200 "fsg"
mmcblk0p26: 03b00400 00000200 "radio"
mmcblk0p27: 01400000 00000200 "adsp"
mmcblk0p28: 00000400 00000200 "limits"
mmcblk0p29: 004f7c00 00000200 "reserve_2"
mmcblk0p30: 01600000 00000200 "persist"
mmcblk0p31: 00a00000 00000200 "ramdump"
mmcblk0p32: 00100000 00000200 "misc"
mmcblk0p33: 00180000 00000200 "modem_st1"
mmcblk0p34: 00180000 00000200 "modem_st2"
mmcblk0p35: 01400000 00000200 "fataldevlog"
mmcblk0p36: 01e00000 00000200 "devlog"
mmcblk0p37: 00040000 00000200 "pdata"
mmcblk0p38: 00004000 00000200 "control"
mmcblk0p39: 00010000 00000200 "extra"
mmcblk0p40: 00100000 00000200 "cdma_record"
mmcblk0p41: 00000400 00000200 "fsc"
mmcblk0p42: 00002000 00000200 "ssd"
mmcblk0p43: 00080000 00000200 "sensor_hub"
mmcblk0p44: 00020000 00000200 "sec"
mmcblk0p45: 00100000 00000200 "abootbak"
mmcblk0p46: 00002800 00000200 "cir_img"
mmcblk0p47: 00140400 00000200 "local"
mmcblk0p48: 00080000 00000200 "frp"
mmcblk0p49: 00200000 00000200 "cpe"
mmcblk0p50: 00a00000 00000200 "vzw_quality"
mmcblk0p51: 00a00000 00000200 "vzw_logger"
mmcblk0p52: 01400000 00000200 "carrier"
mmcblk0p53: 00040000 00000200 "skylink"
mmcblk0p54: 00020000 00000200 "rfg_8"
mmcblk0p55: 00020000 00000200 "rfg_9"
mmcblk0p56: 00020000 00000200 "rfg_10"
mmcblk0p57: 00020000 00000200 "rfg_11"
mmcblk0p58: 00020000 00000200 "rfg_12"
mmcblk0p59: 00020000 00000200 "rfg_13"
mmcblk0p60: 00020000 00000200 "rfg_14"
mmcblk0p61: 00020000 00000200 "rfg_15"
mmcblk0p62: 00a00000 00000200 "battery"
mmcblk0p63: 00007000 00000200 "reserve"
mmcblk0p64: 04000000 00000200 "hosd"
mmcblk0p65: 04000000 00000200 "boot"
mmcblk0p66: 04000000 00000200 "recovery"
mmcblk0p67: 55000000 00000200 "cache"
mmcblk0p68: 18000000 00000200 "system"
mmcblk0p69: a0000000 00000200 "userdata"
mmcblk0p70: 12200000 00000200 "apppreload"
mmcblk0p71: 03c00000 00000200 "cota"
mmcblk0p72: 01000000 00000200 "absolute"
Dino10or said:
Those are the partitions I'm getting-- not sure if unmounting any of these would allow me to abuse anything. @scotty1223
Click to expand...
Click to collapse
Nope
Sent from my Nexus 9 using Tapatalk
scotty1223 said:
Nope
Sent from my Nexus 9 using Tapatalk
Click to expand...
Click to collapse
rip
Dino10or said:
So I discovered a way to dismount any partition in fastboot-- until you restart the bootloader at least. The method may or may not work in ADB. Yet to be tested.
I'm not sure how this would help me though, as you need certain partitions for a lot of the commands to work correctly.
Those are the partitions I'm getting-- not sure if unmounting any of these would allow me to abuse anything. @scotty1223
Code:
C:\Program Files (x86)\Minimal ADB and Fastboot>adb shell cat /proc/emmc
dev: size erasesize name
mmcblk0p1: 00004000 00000200 "board_info"
mmcblk0p2: 00400000 00000200 "pg1fs"
mmcblk0p3: 00100000 00000200 "sbl1"
mmcblk0p4: 00100000 00000200 "pmic"
mmcblk0p5: 02800000 00000200 "dummy"
mmcblk0p6: 001f7c00 00000200 "reserve_1"
mmcblk0p7: 00040000 00000200 "mfg"
mmcblk0p8: 017afc00 00000200 "pg2fs"
mmcblk0p9: 00080000 00000200 "rpm"
mmcblk0p10: 00200000 00000200 "tz"
mmcblk0p11: 00018000 00000200 "sdi"
mmcblk0p12: 00200000 00000200 "hyp"
mmcblk0p13: 00100000 00000200 "aboot"
mmcblk0p14: 00a00000 00000200 "tool_diag"
mmcblk0p15: 00a00000 00000200 "sp1"
mmcblk0p16: 00100000 00000200 "ddr"
mmcblk0p17: 00100000 00000200 "rfg_0"
mmcblk0p18: 00100000 00000200 "rfg_1"
mmcblk0p19: 00100000 00000200 "rfg_2"
mmcblk0p20: 00100000 00000200 "rfg_3"
mmcblk0p21: 00100000 00000200 "rfg_4"
mmcblk0p22: 00100000 00000200 "rfg_5"
mmcblk0p23: 00100000 00000200 "rfg_6"
mmcblk0p24: 00100000 00000200 "rfg_7"
mmcblk0p25: 00180000 00000200 "fsg"
mmcblk0p26: 03b00400 00000200 "radio"
mmcblk0p27: 01400000 00000200 "adsp"
mmcblk0p28: 00000400 00000200 "limits"
mmcblk0p29: 004f7c00 00000200 "reserve_2"
mmcblk0p30: 01600000 00000200 "persist"
mmcblk0p31: 00a00000 00000200 "ramdump"
mmcblk0p32: 00100000 00000200 "misc"
mmcblk0p33: 00180000 00000200 "modem_st1"
mmcblk0p34: 00180000 00000200 "modem_st2"
mmcblk0p35: 01400000 00000200 "fataldevlog"
mmcblk0p36: 01e00000 00000200 "devlog"
mmcblk0p37: 00040000 00000200 "pdata"
mmcblk0p38: 00004000 00000200 "control"
mmcblk0p39: 00010000 00000200 "extra"
mmcblk0p40: 00100000 00000200 "cdma_record"
mmcblk0p41: 00000400 00000200 "fsc"
mmcblk0p42: 00002000 00000200 "ssd"
mmcblk0p43: 00080000 00000200 "sensor_hub"
mmcblk0p44: 00020000 00000200 "sec"
mmcblk0p45: 00100000 00000200 "abootbak"
mmcblk0p46: 00002800 00000200 "cir_img"
mmcblk0p47: 00140400 00000200 "local"
mmcblk0p48: 00080000 00000200 "frp"
mmcblk0p49: 00200000 00000200 "cpe"
mmcblk0p50: 00a00000 00000200 "vzw_quality"
mmcblk0p51: 00a00000 00000200 "vzw_logger"
mmcblk0p52: 01400000 00000200 "carrier"
mmcblk0p53: 00040000 00000200 "skylink"
mmcblk0p54: 00020000 00000200 "rfg_8"
mmcblk0p55: 00020000 00000200 "rfg_9"
mmcblk0p56: 00020000 00000200 "rfg_10"
mmcblk0p57: 00020000 00000200 "rfg_11"
mmcblk0p58: 00020000 00000200 "rfg_12"
mmcblk0p59: 00020000 00000200 "rfg_13"
mmcblk0p60: 00020000 00000200 "rfg_14"
mmcblk0p61: 00020000 00000200 "rfg_15"
mmcblk0p62: 00a00000 00000200 "battery"
mmcblk0p63: 00007000 00000200 "reserve"
mmcblk0p64: 04000000 00000200 "hosd"
mmcblk0p65: 04000000 00000200 "boot"
mmcblk0p66: 04000000 00000200 "recovery"
mmcblk0p67: 55000000 00000200 "cache"
mmcblk0p68: 18000000 00000200 "system"
mmcblk0p69: a0000000 00000200 "userdata"
mmcblk0p70: 12200000 00000200 "apppreload"
mmcblk0p71: 03c00000 00000200 "cota"
mmcblk0p72: 01000000 00000200 "absolute"
Click to expand...
Click to collapse
Anyone can (and have) cat proc'd emmc partition lists since the beginning of Android. Mounting and dismounting still does nothing to overcome write protection.
I mean I have to be honest, this thread is getting silly.
Can one of us s off your phone for you ?
Sent from my SM-T810 using Tapatalk
You do not seem to understand that anything you are contemplating requires writing to system, and writing to system requires root access and root access requires bootloader unlock and bootloader unlock on the Verizon M9 requires Sunshine. Period. You could do phhusson's system-less root to avoid writing to \system but you'd *still* need to unlock the bootloader. Your exercises in Android decompiling notwithstanding, you are wasting your time, my friend.
hgoldner said:
You do not seem to understand that anything you are contemplating requires writing to system, and writing to system requires root access and root access requires bootloader unlock and bootloader unlock on the Verizon M9 requires Sunshine. Period. You could do phhusson's system-less root to avoid writing to \system but you'd *still* need to unlock the bootloader. Your exercises in Android decompiling notwithstanding, you are wasting your time, my friend.
Click to expand...
Click to collapse
You forgot that currently Sunshine doesn't work on the Verizon M9.
Zanzibar said:
You forgot that currently Sunshine doesn't work on the Verizon M9.
Click to expand...
Click to collapse
You got me, Zanz. I forgot that @dottat liberated this unit, not Sunshine.
Has anyone got this to work? Bought a M9 recently, didn't know that "factory reset protection" was a thing, now I have a $350 paperweight....
skater95 said:
Has anyone got this to work? Bought a M9 recently, didn't know that "factory reset protection" was a thing, now I have a $350 paperweight....
Click to expand...
Click to collapse
Your issue is with who you bought it from. OEM unlock will not help you.
nrage23 said:
Your issue is with who you bought it from. OEM unlock will not help you.
Click to expand...
Click to collapse
You need to find someone with an xtc2 clip. They can s off your phone and remove the factory reset protection.
Sent from my HTC One using Tapatalk

WANTED: Recovery for Desire 820 - a51_tuhl / HTC_0PFJ50

Hi Folks,
I'm looking for a working TWRP to suit this Desire variation. Can anyone help please?
Alternatively, a stock recovery image or RUU file would be a great help.
This device has the MSM8939 CPU.
I have included the contents of /proc/emmc below.
Thanks in advance for any assistance.
[email protected]_a51tuhl:/ # cat /proc/emmc
dev: size erasesize name
mmcblk0p1: 00004000 00000200 "board_info"
mmcblk0p2: 00400000 00000200 "pg1fs"
mmcblk0p3: 00100000 00000200 "sbl1"
mmcblk0p4: 00af7c00 00000200 "reserve_1"
mmcblk0p5: 00040000 00000200 "mfg"
mmcblk0p6: 017afc00 00000200 "pg2fs"
mmcblk0p7: 00080000 00000200 "rpm"
mmcblk0p8: 00200000 00000200 "tz"
mmcblk0p9: 00200000 00000200 "hyp"
mmcblk0p10: 00400000 00000200 "hboot"
mmcblk0p11: 00400000 00000200 "tool_diag"
mmcblk0p12: 00500000 00000200 "sp1"
mmcblk0p13: 00008000 00000200 "ddr"
mmcblk0p14: 00500000 00000200 "wcnss"
mmcblk0p15: 00100000 00000200 "rfg_0"
mmcblk0p16: 00100000 00000200 "rfg_1"
mmcblk0p17: 00100000 00000200 "rfg_2"
mmcblk0p18: 00100000 00000200 "rfg_3"
mmcblk0p19: 00100000 00000200 "rfg_4"
mmcblk0p20: 00100000 00000200 "rfg_5"
mmcblk0p21: 00100000 00000200 "rfg_6"
mmcblk0p22: 00100000 00000200 "rfg_7"
mmcblk0p23: 00180000 00000200 "fsg"
mmcblk0p24: 03b00400 00000200 "radio"
mmcblk0p25: 00d08000 00000200 "reserve_2"
mmcblk0p26: 00100000 00000200 "misc"
mmcblk0p27: 00180000 00000200 "modem_st1"
mmcblk0p28: 00180000 00000200 "modem_st2"
mmcblk0p29: 01400000 00000200 "fataldevlog"
mmcblk0p30: 01e00000 00000200 "devlog"
mmcblk0p31: 00040000 00000200 "pdata"
mmcblk0p32: 00004000 00000200 "control"
mmcblk0p33: 00140400 00000200 "local"
mmcblk0p34: 00010000 00000200 "extra"
mmcblk0p35: 00100000 00000200 "cdma_record"
mmcblk0p36: 00000400 00000200 "fsc"
mmcblk0p37: 00002000 00000200 "ssd"
mmcblk0p38: 00040000 00000200 "sensor_hub"
mmcblk0p39: 00500000 00000200 "backup_hboot"
mmcblk0p40: 00229800 00000200 "reserve"
mmcblk0p41: 14000000 00000200 "cache"
mmcblk0p42: 02000000 00000200 "boot"
mmcblk0p43: 02000000 00000200 "recovery"
mmcblk0p44: 18000000 00000200 "system"
mmcblk0p45: 60000000 00000200 "userdata"
ecips said:
Hi Folks,
I'm looking for a working TWRP to suit this Desire variation. Can anyone help please?
Alternatively, a stock recovery image or RUU file would be a great help.
This device has the MSM8939 CPU.
I have included the contents of /proc/emmc below.
Thanks in advance for any assistance.
[email protected]_a51tuhl:/ # cat /proc/emmc
dev: size erasesize name
mmcblk0p1: 00004000 00000200 "board_info"
mmcblk0p2: 00400000 00000200 "pg1fs"
mmcblk0p3: 00100000 00000200 "sbl1"
mmcblk0p4: 00af7c00 00000200 "reserve_1"
mmcblk0p5: 00040000 00000200 "mfg"
mmcblk0p6: 017afc00 00000200 "pg2fs"
mmcblk0p7: 00080000 00000200 "rpm"
mmcblk0p8: 00200000 00000200 "tz"
mmcblk0p9: 00200000 00000200 "hyp"
mmcblk0p10: 00400000 00000200 "hboot"
mmcblk0p11: 00400000 00000200 "tool_diag"
mmcblk0p12: 00500000 00000200 "sp1"
mmcblk0p13: 00008000 00000200 "ddr"
mmcblk0p14: 00500000 00000200 "wcnss"
mmcblk0p15: 00100000 00000200 "rfg_0"
mmcblk0p16: 00100000 00000200 "rfg_1"
mmcblk0p17: 00100000 00000200 "rfg_2"
mmcblk0p18: 00100000 00000200 "rfg_3"
mmcblk0p19: 00100000 00000200 "rfg_4"
mmcblk0p20: 00100000 00000200 "rfg_5"
mmcblk0p21: 00100000 00000200 "rfg_6"
mmcblk0p22: 00100000 00000200 "rfg_7"
mmcblk0p23: 00180000 00000200 "fsg"
mmcblk0p24: 03b00400 00000200 "radio"
mmcblk0p25: 00d08000 00000200 "reserve_2"
mmcblk0p26: 00100000 00000200 "misc"
mmcblk0p27: 00180000 00000200 "modem_st1"
mmcblk0p28: 00180000 00000200 "modem_st2"
mmcblk0p29: 01400000 00000200 "fataldevlog"
mmcblk0p30: 01e00000 00000200 "devlog"
mmcblk0p31: 00040000 00000200 "pdata"
mmcblk0p32: 00004000 00000200 "control"
mmcblk0p33: 00140400 00000200 "local"
mmcblk0p34: 00010000 00000200 "extra"
mmcblk0p35: 00100000 00000200 "cdma_record"
mmcblk0p36: 00000400 00000200 "fsc"
mmcblk0p37: 00002000 00000200 "ssd"
mmcblk0p38: 00040000 00000200 "sensor_hub"
mmcblk0p39: 00500000 00000200 "backup_hboot"
mmcblk0p40: 00229800 00000200 "reserve"
mmcblk0p41: 14000000 00000200 "cache"
mmcblk0p42: 02000000 00000200 "boot"
mmcblk0p43: 02000000 00000200 "recovery"
mmcblk0p44: 18000000 00000200 "system"
mmcblk0p45: 60000000 00000200 "userdata"
Click to expand...
Click to collapse
Hi.
Can You provide stock recovery?
fergy said:
Hi.
Can You provide stock recovery?
Click to expand...
Click to collapse
Hi!
Thanks for the reply.
I was an idiot and didn't back up the original recovery from the phone.
I have however got the phone to download the OTA update from 4.4.4 to 5.0.2 so I have extracted the recovery image from this.
The image is at: http://www.spice.net.au/temp/recovery.img.7z
Please let me know if you need any more information.
ecips said:
Hi!
Thanks for the reply.
I was an idiot and didn't back up the original recovery from the phone.
I have however got the phone to download the OTA update from 4.4.4 to 5.0.2 so I have extracted the recovery image from this.
The image is at: http://www.spice.net.au/temp/recovery.img.7z
Please let me know if you need any more information.
Click to expand...
Click to collapse
Thank You.
To clear this out for others:
DON'T flash this stock recovery as it is for 64bit bootloader and for specific hardware which isn't same as some other Qualcomm models.
Wishful thinking
ecips said:
Hi!
Thanks for the reply.
I was an idiot and didn't back up the original recovery from the phone.
I have however got the phone to download the OTA update from 4.4.4 to 5.0.2 so I have extracted the recovery image from this.
The image is at: http://www.spice.net.au/temp/recovery.img.7z
Please let me know if you need any more information.
Click to expand...
Click to collapse
Is there any chance you might still have a copy of this recovery ROM?
Cheers
WC

Categories

Resources